THM – Windows Event Logs

Per Wikipedia

Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).

The above applies to system administrators, IT staff, desktop engineers, etc. If there is an issue with an endpoint, the event logs are very useful and can be queried to investigate what led to the issue.

For blue team members, the event logs can be used for another reason. “It can also be useful to combine log file entries from multiple sources. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.” This is where SIEMs (Security Information and Event Management) come into play. (what is a SIEM?)


Event Viewer

  • Can be accessed by right-clicking the Start menu
  • CMD – wevtutil.exe
  • PowerShell – Get-WinEvent

Questions:

What is the Event ID for the first event?

Answer: 40961
Context: You will want to look at the very first log event by scrolling down to the very first entry, not the last event, which would be today's date.

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

Answer: whoami
Context: With the Operational log selected, choose Filter Current Log in the Actions panel on the right side, and enter 4104 in the include/exclude event IDs field.

What is the Task Category for Event ID 4104?

Answer: Execute a remote command
Context: In the middle Operational panel, look at the Task Category column.

What is the Task Category for Event ID 800?

Answer: pipeline execution details
Context: Under Applications and Services Logs, select Windows PowerShell, and filter by the event ID just as in question 2.


wevtutil.exe

Runs from PowerShell; the command is wevtutil.exe.

Questions:

How many log names are in the machine?

Answer: 1071
Context: Use el (enum-logs), which returns a list of all log names. To calculate the total, pipe (|) the output to PowerShell's Measure-Object. Your command will look like wevtutil.exe el | Measure-Object

What is the definition for the query-events command?

Answer: Read events from an event log, log file or using structured query.
Context: Run the help command (wevtutil.exe /?) to get the command, then run it again specifically for the query-events command (wevtutil.exe qe /?). The first paragraph will be the definition of the command.

What option would you use to provide a path to a log file?

Answer: /lf:true
Context: This is a continuation of the previous question; if you look at the Options section, the first one is the log file. You use true since that tells the command that <PATH> is a log file, as per the description.

What is the VALUE for /q?

Answer: xpath query
Context: Still within the help section (wevtutil.exe qe /?) you will find the /q under the options and the description which contains the answer.

What is the log name?

Answer: Application
Context: After running the command provided (wevtutil qe Application /c:3 /rd:true /f:text) the output contains the Logname field.

What is the /rd option for?

Answer: Event read direction
Context: If you look at the help page for qe (wevtutil.exe qe /?), the description for /rd is provided.

What is the /c option for?

Answer: Maximum number of events to read
Context: If you look at the help page for qe (wevtutil.exe qe /?), the description for /c is provided.
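The wevtutil.exe options the questions above cover (el, qe, /q, /c, /rd, /f, /lf), tied together in one PowerShell script as an added example that is not part of the THM room. The 4720 query assumes an elevated prompt, since reading the Security log needs administrator rights; the .evtx path in step 4 is a placeholder.

```powershell
# Added example (not part of the THM room): exercising the wevtutil.exe
# options from the questions above. Reading the Security log needs an
# elevated prompt.

# 1. Count registered log names (el = enum-logs)
$logCount = (wevtutil.exe el | Measure-Object).Count
"Registered logs: $logCount"

# 2. Newest 3 Application events as text (/rd:true = newest first,
#    /c:3 = at most three events), the same command used in the room
wevtutil.exe qe Application /c:3 /rd:true /f:text

# 3. Structured query with /q: the 5 most recent account-creation events
#    (Security event ID 4720), fetched as XML so fields can be parsed
$xpath = '*[System[EventID=4720]]'
$raw   = wevtutil.exe qe Security "/q:$xpath" /c:5 /rd:true /f:xml
# wevtutil emits one <Event> element per event; wrap them in a single
# root element so [xml] can parse the whole output
[xml]$doc = '<Events>' + ($raw -join '') + '</Events>'
foreach ($e in $doc.Events.Event) {
    $target = ($e.EventData.Data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
    $fields = $e.System.TimeCreated.SystemTime, $e.System.EventID, $e.System.Provider.Name, $target
    '{0}  EventID={1}  Provider={2}  TargetUserName={3}' -f $fields
}

# 4. Reading a saved .evtx instead of a live log: /lf:true tells qe that
#    <PATH> is a log file (placeholder path, replace with a real export)
# wevtutil.exe qe 'C:\exports\Security.evtx' /lf:true /c:3 /rd:true /f:text
```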


Get-WinEvent

Get-WinEvent is a PowerShell cmdlet. Per Microsoft, the Get-WinEvent cmdlet “gets events from event logs and event tracing log files on local and remote computers.”

Tip: For more information on creating Get-WinEvent queries with FilterHashtable, click here

Questions

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

Answer: OpenSSH/Admin, OpenSSH/Operational
Context: You will want to look at the first example of the Microsoft document here and run the same command (Get-WinEvent -ListLog *). At the bottom of the list you should see the OpenSSH entries.

Execute the command from Example 8. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Answer: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
Context: Similar to the previous question, run the command from Example 8, replacing the word Policy with PowerShell (Get-WinEvent -ListProvider *PowerShell*), and take the name of the 3rd log provider.

Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

Answer: 192
Context: Same as the previous questions: replace Microsoft-Windows-GroupPolicy with Microsoft-Windows-PowerShell so your command looks like (Get-WinEvent -ListProvider Microsoft-windows-powershell).Events | Format-Table Id, Description, and before hitting Enter pipe the output to Measure-Object (see here).

How do you specify the number of events to display?

Answer: -MaxEvents
Context: Take a look at example 13 of the site.

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

Answer: 4
Context: If you look at the last paragraph of Example 19, it states the following: “In this example, Get-WinEvent gets all events from the Application log for the last two days except those that have a Level of 4 (Information).”


XPath Queries

See the link below for further context on what XPath is.

Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Answer: Get-WinEvent -LogName Application -FilterXpath ‘*/System/provider[@name=”WLMS”] and */System/timecreated[@systemtime=2020-12-15T01:09:08.940277500Z]
Context: Using the XML screenshot example for the WLMS event (see below), you can build the query by following the XML from top to bottom.

Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?

Answer: Get-WinEvent -LogName Security -FilterXpath ‘*/EventData/Data[@Name=”TargetUsername”]=”Sam” and */System/EventID=4720’
Context: You will need to combine two queries: one for the user (TargetUsername) and the other for the Event ID (EventID).

Based on the previous query, how many results are returned?

Answer: 2
Context: Once you run the command, you should receive only 2 results.

Based on the output from the question #2, what is Message?

Answer: A user account was created
Context: The Message column will contain the message when the query returns results.

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

Answer: 12/17/2020 1:57:14 pm
Context: Update the query to search for Event ID 4724 (Get-WinEvent -LogName Security -FilterXpath ‘*/EventData/Data[@Name=”TargetUsername”]=”Sam” and */System/EventID=4724)

What is the Provider Name?

Answer: Microsoft-Windows-Security-Auditing
Context: At the top of the results there is a field ProviderName.
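The FilterXPath and FilterHashtable queries from the Get-WinEvent and XPath sections, combined into one function as an added example that is not the THM room's own code. Get-UserAccountEvents is an assumed function name, 'Sam' is the room's sample user, and the Security log queries assume an elevated prompt.

```powershell
# Added example (not the THM room's own code): the XPath and FilterHashtable
# queries from this section wrapped in a function. Get-UserAccountEvents is
# an assumed name; run from an elevated prompt for the Security log.

function Get-UserAccountEvents {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [int[]]$EventId = @(4720, 4724),   # 4720 = account created, 4724 = password reset attempt
        [string]$LogName = 'Security'
    )
    # XPath is case-sensitive against the event XML: EventData/Data[@Name='TargetUserName']
    # and System/EventID must match the XML view exactly.
    $idClause = ($EventId | ForEach-Object { "System/EventID=$_" }) -join ' or '
    $xpath    = "*[EventData/Data[@Name='TargetUserName']='$UserName' and ($idClause)]"
    Get-WinEvent -LogName $LogName -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -split '\r?\n')[0] } }
}

# Usage: the questions above answered in one pass for the user Sam
$events = Get-UserAccountEvents -UserName 'Sam'
"Matches: $(($events | Measure-Object).Count)"
$events | Format-Table -AutoSize

# The same user-creation search with FilterHashtable instead of XPath;
# -MaxEvents caps how many events are returned
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -MaxEvents 5 -ErrorAction SilentlyContinue

# Level filter from Example 19: Application events from the last two days,
# excluding Level 4 (Informational)
Get-WinEvent -FilterHashtable @{
    LogName            = 'Application'
    StartTime          = (Get-Date).AddDays(-2)
    SuppressHashFilter = @{ Level = 4 }
} -ErrorAction SilentlyContinue
```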