Windows Events log for IR/Forensics ,Part 2

Published: 2016-09-20
Last Updated: 2016-09-20 18:06:48 UTC
by Basil Alawi S.Taher (Version: 1)
1 comment(s)

In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events

Get-WinEvent

“The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).”[ii]

 

 

And here is some examples

Get-winevent -logname System

 

This command would show everything that in the System events which might be very large and it will show many things that might be not important to our case.

The best way to filter events in get-winevent cmdlet is filterhashtable parameter, Suppose that you are interested only to see the events that’s related to a new service createion (event id 7045 )

Get-WinEvent -FilterHashtable @{logname='system' ; id=7045} | format-list

 

And output would be similar to this

TimeCreated  : 9/16/2016 12:57:58 AM

ProviderName : Service Control Manager

Id           : 7045

Message      : A service was installed in the system.

 

               Service Name:  Meterpreter

               Service File Name:  "C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe" service

               Service Type:  user mode service

               Service Start Type:  auto start

               Service Account:  LocalSystem

 

TimeCreated  : 9/16/2016 12:56:46 AM

ProviderName : Service Control Manager

Id           : 7045

Message      : A service was installed in the system.

 

               Service Name:  vvgQjBPVHmgKnFfH

               Service File Name:  %SYSTEMROOT%\AmEAdtHt.exe

               Service Type:  user mode service

               Service Start Type:  demand start

               Service Account:  LocalSystem

 

TimeCreated  : 9/16/2016 12:54:14 AM

ProviderName : Service Control Manager

Id           : 7045

Message      : A service was installed in the system.

 

               Service Name:  jJZzbNmqBqTeqzsU

               Service File Name:  %SYSTEMROOT%\bFZwMEQv.exe

               Service Type:  user mode service

               Service Start Type:  demand start

               Service Account:  LocalSystem

 

TimeCreated  : 9/16/2016 12:39:34 AM

ProviderName : Service Control Manager

Id           : 7045

Message      : A service was installed in the system.

 

               Service Name:  zNvHlQahvTqmPpVS

               Service File Name:  %SYSTEMROOT%\cEYBVJNP.exe

               Service Type:  user mode service

               Service Start Type:  demand start

               Service Account:  LocalSystem

 

TimeCreated  : 9/15/2016 9:09:40 PM

ProviderName : Service Control Manager

Id           : 7045

Message      : A service was installed in the system.

 

               Service Name:  vJcYxfCDYUgOZiVb

               Service File Name:  %SYSTEMROOT%\TifTyNVa.exe

               Service Type:  user mode service

               Service Start Type:  demand start

               Service Account:  LocalSystem

 

 

As you can see from the sample the are many services with suspicious name has been installed in the system.

Again we can check our events to see who was logged around that time

Get-WinEvent -FilterHashtable @{logname='security' ; id=4624;starttime=’ 9/15/2016 9:00:00 PM ‘;endtime=’ 9/15/2016 9:09:40 PM’} |

 

And here is the output

TimeCreated  : 9/15/2016 9:09:39 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id           : 4624

Message      : An account was successfully logged on.

 

               Subject:

                   Security ID:        S-1-0-0

                   Account Name:        -

                   Account Domain:        -

                   Logon ID:        0x0

 

               Logon Type:            3

 

               New Logon:

                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1004

                   Account Name:        test

                   Account Domain:        WIN-CAR8AFQU4IJ

                   Logon ID:        0x112fd1

                   Logon GUID:        {00000000-0000-0000-0000-000000000000}

 

               Process Information:

                   Process ID:        0x0

                   Process Name:        -

 

               Network Information:

                   Workstation Name:    BH5vQpSXNj4EBCBk

                   Source Network Address:    10.10.75.1

                   Source Port:        55165

 

               Detailed Authentication Information:

                   Logon Process:        NtLmSsp

                   Authentication Package:    NTLM

                   Transited Services:    -

                   Package Name (NTLM only):    NTLM V2

                   Key Length:        0

 

From the above output we find out that , there was a user name “test” was logged on at : 9/15/2016 9:09:39 PM via network (Logon Type : 3) and from the IP address 10.10.75.1 .

Now let’s find out when the user “test” was created:

Get-WinEvent -FilterHashtable @{logname='Security' ; ID=4720} | where {$_.message -match "test"} | fl

 

And here is the output

 

TimeCreated  : 8/12/2016 10:06:33 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id           : 4720

Message      : A user account was created.

              

               Subject:

                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1000

                   Account Name:        Victim

                   Account Domain:        WIN-CAR8AFQU4IJ

                   Logon ID:        0x275eb2

              

               New Account:

                   Security ID:        S-1-5-21-574956201-2274518538-2668157362-1004

                   Account Name:        test

                   Account Domain:        WIN-CAR8AFQU4IJ

              

               Attributes:

                   SAM Account Name:    test

                   Display Name:       

                   User Principal Name:    -

                   Home Directory:       

                   Home Drive:       

                   Script Path:       

                   Profile Path:       

                   User Workstations:   

                   Password Last Set:   

                   Account Expires:        

                   Primary Group ID:    513

                   Allowed To Delegate To:    -

                   Old UAC Value:        0x0

                   New UAC Value:        0x15

                   User Account Control:   

                       Account Disabled

                       'Password Not Required' - Enabled

                       'Normal Account' - Enabled

                   User Parameters:   

                   SID History:        -

                   Logon Hours:        All

              

               Additional Information:

                   Privileges        -

 

Now lets see if there is any other logon attemps via network ,for this task I would use get-eventlog

Get-EventLog -LogName security | where {$_.eventid -eq 4624} | where {$_.replacementstrings[8] -eq 3} | select timegenerated ,@{Name='AccountName';Expression={$_.replacementstrings[5]}},@{Name='IP Address';Expression={$_.replacementstrings[-2]}} | export-csv c:\users\user\type3logon.csv

Get-eventlog store the logon type in a array called replacementstrings , its stored at location [8] the logon type , user name at location 5 and the IP Address in location [-2]

Now lets see what other logon types we have and how many attempts for each

Get-EventLog -LogName security | where {$_.EventID -eq 4624} | Group-Object {$_.Replacementstrings[8]} | select name,count

 

Name                Count

---------               ---------

7                              2

5                            210

2                              29

 

 

 

[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/

Keywords:
1 comment(s)

Comments

Some powershell magic with sysinternals sysmon would be greatly appreciated!

Diary Archives