Win Event Logs

Windows Event Logs

The Windows Event Logs are not text files that can be viewed using a text editor. However, the raw data can be translated into XML using the Windows API. The events in these log files are stored in a proprietary binary format with a .evt or .evtx extension. The log files with the .evtx file extension typically reside in C:\Windows\System32\winevt\Logs

Event logs classified into types:

Error An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
Warning An event that is not necessarily significant, but may indicate a possible future problem. For example, when disk space is low, a Warning event is logged. If an application can recover from an event without loss of functionality or data, it can generally classify the event as a Warning event.
Information An event that describes the successful operation of an application, driver, or service. For example, when a network driver loads successfully, it may be appropriate to log an Information event. Note that it is generally inappropriate for a desktop application to log an event each time it starts.
Success Audit An event that records an audited security access attempt that is successful. For example, a user's successful attempt to log on to the system is logged as a Success Audit event.
Failure Audit An event that records an audited security access attempt that fails. For example, if a user tries to access a network drive and fails, the attempt is logged as a Failure Audit event.

There are three main ways of accessing these event logs within a Windows system:

Event Viewer (GUI-based application) -
Wevtutil.exe (command-line tool)
Get-WinEvent (PowerShell cmdlet)

Event Viewer

Event Viewer can be launched by typing eventvwr.msc
To view event logs from another computer, right-click Event Viewer (Local) > Connect to Another Computer.

wevutil.exe

The wevtutil.exe tool "enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.
PS> C:\Users\Administrator> wevtutil.exe /? Elenco dei comandi/opzioni
Guida ufficiale su wevtutil

Esempi utili:

Per utilizzare wevtutil.exe e ottenere il numero dei nomi dei log, puoi eseguire il seguente comando in PowerShell:

wevtutil el | Measure-Object Questo comando elenca tutti i log disponibili e poi conta il numero di log utilizzando Measure-Object. Il risultato sarà un conteggio dei log presenti nel sistema.

Per utilizzare il comando wevtutil con query-events, puoi usare la seguente sintassi:

wevtutil qe /q:"" /f:text
wevtutil qe Application /q:"*/System[EventID=100]" /f:text (esempio per ottenere gli eventi dal log 'Application' per EventID 100 in formato testo)
wevtutil qe /? help per wevtutil con opzione query
/{lf | logfile}:[true|false] If true, is the full path to a log file.

wevtutil qe Application /c:3 /rd:true /f:text

Application = nome event log, log file
/{c | count}: = Maximum number of events to read.
{rd | reversedirection}:[true|false] = Event read direction. If true, the most recent events are returned first.
/{f | format}:[XML|Text|RenderedXml] = The default value is XML. If Text is specified, prints events in an easy to read text format, rather than in XML format. If RenderedXml, prints events in XML format with rendering information. Note that printing events in Text or RenderedXml formats is slower than printing in XML format.

Get-WinEvent

This is a PowerShell cmdlet called Get-WinEvent. Per Microsoft, the Get-WinEvent cmdlet "gets events from event logs and event tracing log files on local and remote computers." It provides information on event logs and event log providers. Additionally, you can combine numerous events from multiple sources into a single command and filter using XPath queries, structured XML queries, and hash table queries.

Guida ufficiale su Get-WinEvent

Get-WinEvent -ListLog * Get all logs from a computer
Get-WinEvent -ListProvider * Get event log providers and log names
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' } Log filtering

Torna all'indice!

When working with large event logs, per Microsoft, it's inefficient to send objects down the pipeline to a Where-Object command. The use of the Get-WinEvent cmdlet's FilterHashtable parameter is recommended to filter event logs.

Get-WinEvent -FilterHashtable @{
  LogName='Application' 
  ProviderName='WLMS' 
}

The syntax of a hash table is as follows: @{ = ; [ = ] ...}

Begin the hash table with an @ sign.
Enclose the hash table in braces {}
Enter one or more key-value pairs for the content of the hash table.
Use an equal sign (=) to separate each key from its value.

FilterHashtable per Livello: Livelli evento (syslog / Windows)

1 = Critical
2 = Error
3 = Warning
4 = Information (a volte 4 o 6 a seconda del contesto)
5 = Verbose
6 = Informational (standard syslog)

⚠️ In Windows Event Log, di solito: Level = 4 → Information

Esempio:

Get-WinEvent -FilterHashtable @{
    LogName   = 'Application'
    Level     = 4
    StartTime = (Get-Date).AddDays(-1)
}

The valid Get-WinEvent key/value pairs are as follows:

LogName= String[]
ProviderName= String[]
Path= String[]
Keywords= Long[]
ID= Int32[]
Level= Int32[]
StartTime= DateTime
EndTime= DateTime
UserID= SID
Data= String[]

When building a query with a hash table, Microsoft recommends making the hash table one key-value pair at a time. Event Viewer can provide quick information on what you need to build your hash table.

Get-WinEvent - PS 7.5

Get-WinEvent -ListLog *OpenSSH* elenca i Log con il nome contenuto nella stringa tra gli *
(Get-WinEvent -ListProvider Microsoft-Windows-GroupPolicy).Events | Format-Table Id, Description This command lists the Event Ids that the Microsoft-Windows-GroupPolicy event provider generates along with the event description.
$Date = (Get-Date).AddDays(-2) Get-WinEvent -FilterHashtable @{ LogName='Application'; StartTime=$Date; Id='1003' } The Get-WinEvent cmdlet gets log information. The FilterHashtable parameter is used to filter the output. The LogName key specifies the value as the Application log. The StartTime key uses the value stored in the $Date variable. The Id key uses an Event Id value, 1003.

Esempio: Filter Event log results


    # Using the Where-Object cmdlet:

$Yesterday = (Get-Date) - (New-TimeSpan -Day 1)

Get-WinEvent -LogName 'Windows PowerShell' | Where-Object { $_.TimeCreated -ge $Yesterday }


# Using the FilterHashtable parameter:

$Yesterday = (Get-Date) - (New-TimeSpan -Day 1)

Get-WinEvent -FilterHashtable @{ LogName='Windows PowerShell'; Level=3; StartTime=$Yesterday }


# Using the FilterXML parameter: (<> equivale a < , perchè mi dava errore di visualizzazione)

$xmlQuery = @'

<>QueryList>

  <>Query Id="0" Path="Windows PowerShell">

    <>Select Path="System">*[System[(Level=3) and
        TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]

  <>/Query>

<>/QueryList>

'@
Get-WinEvent -FilterXML $xmlQuery


# Using the FilterXPath parameter:

$XPath = '*[System[Level=3 and TimeCreated[timediff(@SystemTime) &lt;= 86400000]]]' 

Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath $XPath

Torna all'indice!

XPath Queries

The W3C created XPath, or XML Path Language in full, to provide a standard syntax and semantics for addressing parts of an XML document and manipulating strings, numbers, and booleans . The Windows Event Log supports a subset of XPath 1.0

Click on the Details tab and select the XML View radio button.
An XPath event query starts with '*' or 'Event'.
Get-WinEvent -LogName Application -FilterXPath '*'
Get-WinEvent -LogName Application -FilterXPath '*/System/'
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100'
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"]'
Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'

Nota Bene: Prendendo i dettagli dal file XML, è facile scomporre la struttura e creare qualsiasi query ( ho scritto in sequenza le query per velocizzare la comprensione! )

Esempi:

Get-WinEvent -LogName System | Group-Object Id | Sort-Object Count -Descending Elenca tutti gli Eventi ID presenti nel logname
Get-WinEvent -ListLog * | Select-Object -First 10 LogName I primi 10 "Logname"
Get-WinEvent -LogName Security | Group-Object Id | Sort-Object Count -Descending | Select-Object -First 10 Name, Count (dopo Group-Object non esiste più Id, ma Name (che rappresenta l’Event ID).)
Get-WinEvent -ListLog * | Select-Object LogName | Sort-Object LogName Elenca tutti i Logname disponibili
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/ TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]' Elenca log con quel Provider name e data
Get-WinEvent -LogName Security -FilterXPath ‘*/EventData/Data[@Name=”TargetUserName”]=”Sam” and */System/EventID=4720’ Combo di 2 query con event ID e UserName

Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" | Where-Object { $_.Id -eq 1102 } Ricerca Event ID = 1102 da file log esterno
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" | Where-Object { $_.ProviderName -eq "EventLog" } Ricerca ProviderName = EventLog da file log esterno
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" | Where-Object { $_.Id -gt 9999 } Ricerca Event ID > 9999 da file log esterno
Get-WinEvent -Path "C:\Logs\Application.evtx" | Where-Object { $_.ProviderName -eq "EventLog" -and $_.Id -gt 9999 } Combo Ricerca Event ID > 9999 + EventLog da file esterno
Get-WinEvent -Path "C:\Logs\Application.evtx" | Where-Object { $_.Id -gt 9999 } | Select-Object TimeCreated, Id, ProviderName, LevelDisplayName Ricerca event id > 9999 da file esterno, con colonne selezionate
Get-WinEvent -LogName Security -MaxEvents 5 | ForEach-Object { $_.ToXml() } Legge i primi 5 elementi del log e ci fa vedere XML
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" | Where-Object { $_.Id -eq 104 -and $_.TimeCreated -eq "3/19/2019 4:34:25 PM"} | ForEach-Object {$_.ToXml()} da log esterno, event id = 104, tempo definito e risultato XML
Get-WinEvent -Path "C:\Users\Administrator\Desktop\merged.evtx" -FilterXPath '*/EventData/Data[@Name="CallerProcessName"]="C:\Windows\System32\net1.exe"' - ricerca da file esterno dato nome del processo

Risorse Utilissime:

Cheat Sheet Ottimo!
Approfondimento su Event Log Monitoring
Event ID Table

Importante

Note: Some events will not be generated by default, and certain features will need to be enabled/configured on the endpoint, such as PowerShell logging. This feature can be enabled via Group Policy or the Registry.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Another feature to enable/configure is Audit Process Creation, which will generate event ID 4688. This will allow command-line process auditing. This setting is NOT enabled in the virtual machine but feel free to enable it and observe the events generated after executing some commands.

Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation

Torna all'indice!

Event ID:

Eventi di cancellazione o manomissione dei log

104 - Log di sistema cancellato (non sicurezza) , Source: Event Log
1100 - Il servizio Windows Event Log è stato arrestato
1102 - Event log cleared
1104 - Il log di sicurezza è pieno
1105 - Evento di audit perso

Attività utente / amministrativa sospetta

4624 - Login riuscito
4625 - Login fallito
4648 - Login con credenziali esplicite
4672 - Login con privilegi amministrativi
4634 / 4647 - Logout

PowerShell downgrade attack

è una tecnica in cui un attaccante sfrutta le versioni precedenti di PowerShell per eludere le misure di sicurezza

Ricerca su MITRE: Impair Defenses: Downgrade Attack : ID: T1562.010 , Sub-technique of: T1562 , Tactic: Defense Evasion

Detecting Downgrade Attacks : DET0350

Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Windows Registry Key Modification (DC0063) WinEventLog:Security EventCode=4657

Abuse of PowerShell for Arbitrary Execution Technique Detected: PowerShell | T1059.001 , ID: DET0455

Process Creation (DC0032) WinEventLog:Sysmon EventCode=1
Command Execution (DC0064) WinEventLog:PowerShell EventCode=4103, 4104, 4105, 4106
Process Metadata (DC0034) WinEventLog:PowerShell EventCode=400, 403
Module Load (DC0016) WinEventLog:Sysmon EventCode=7

Process Metadata: Contextual data about a running process, which may include information such as environment variables, image name, user/owner, etc.
WinEventLog:PowerShell EventCode=400, 403

Torna all'indice!