Windows Events log for IR/Forensics ,Part 2

In a previous diary[i] I talked about Windows Events and I gave some examples about some of the most useful events for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events

Get-WinEvent

“The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).”[ii]

And here is some examples

Get-winevent -logname System

This command would show everything that in the System events which might be very large and it will show many things that might be not important to our case.

The best way to filter events in get-winevent cmdlet is filterhashtable parameter, Suppose that you are interested only to see the events that’s related to a new service createion (event id 7045 )

Get-WinEvent -FilterHashtable @{logname='system' ; id=7045} | format-list

And output would be similar to this

TimeCreated : 9/16/2016 12:57:58 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: Meterpreter

Service File Name: "C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe" service

Service Type: user mode service

Service Start Type: auto start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:56:46 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: vvgQjBPVHmgKnFfH

Service File Name: %SYSTEMROOT%\AmEAdtHt.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:54:14 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: jJZzbNmqBqTeqzsU

Service File Name: %SYSTEMROOT%\bFZwMEQv.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/16/2016 12:39:34 AM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: zNvHlQahvTqmPpVS

Service File Name: %SYSTEMROOT%\cEYBVJNP.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

TimeCreated : 9/15/2016 9:09:40 PM

ProviderName : Service Control Manager

Id : 7045

Message : A service was installed in the system.

Service Name: vJcYxfCDYUgOZiVb

Service File Name: %SYSTEMROOT%\TifTyNVa.exe

Service Type: user mode service

Service Start Type: demand start

Service Account: LocalSystem

As you can see from the sample the are many services with suspicious name has been installed in the system.

Again we can check our events to see who was logged around that time

Get-WinEvent -FilterHashtable @{logname='security' ; id=4624;starttime=’ 9/15/2016 9:00:00 PM ‘;endtime=’ 9/15/2016 9:09:40 PM’} |

And here is the output

TimeCreated : 9/15/2016 9:09:39 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id : 4624

Message : An account was successfully logged on.

Subject:

Security ID: S-1-0-0

Account Name: -

Account Domain: -

Logon ID: 0x0

Logon Type: 3

New Logon:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1004

Account Name: test

Account Domain: WIN-CAR8AFQU4IJ

Logon ID: 0x112fd1

Logon GUID: {00000000-0000-0000-0000-000000000000}

Process Information:

Process ID: 0x0

Process Name: -

Network Information:

Workstation Name: BH5vQpSXNj4EBCBk

Source Network Address: 10.10.75.1

Source Port: 55165

Detailed Authentication Information:

Logon Process: NtLmSsp

Authentication Package: NTLM

Transited Services: -

Package Name (NTLM only): NTLM V2

Key Length: 0

From the above output we find out that , there was a user name “test” was logged on at : 9/15/2016 9:09:39 PM via network (Logon Type : 3) and from the IP address 10.10.75.1 .

Now let’s find out when the user “test” was created:

Get-WinEvent -FilterHashtable @{logname='Security' ; ID=4720} | where {$_.message -match "test"} | fl

And here is the output

TimeCreated : 8/12/2016 10:06:33 PM

ProviderName : Microsoft-Windows-Security-Auditing

Id : 4720

Message : A user account was created.

Subject:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1000

Account Name: Victim

Account Domain: WIN-CAR8AFQU4IJ

Logon ID: 0x275eb2

New Account:

Security ID: S-1-5-21-574956201-2274518538-2668157362-1004

Account Name: test

Account Domain: WIN-CAR8AFQU4IJ

Attributes:

SAM Account Name: test

Display Name:

User Principal Name: -

Home Directory:

Home Drive:

Script Path:

Profile Path:

User Workstations:

Password Last Set:

Account Expires:

Primary Group ID: 513

Allowed To Delegate To: -

Old UAC Value: 0x0

New UAC Value: 0x15

User Account Control:

Account Disabled

'Password Not Required' - Enabled

'Normal Account' - Enabled

User Parameters:

SID History: -

Logon Hours: All

Additional Information:

Privileges -

Now lets see if there is any other logon attemps via network ,for this task I would use get-eventlog

Get-EventLog -LogName security | where {$_.eventid -eq 4624} | where {$_.replacementstrings[8] -eq 3} | select timegenerated ,@{Name='AccountName';Expression={$_.replacementstrings[5]}},@{Name='IP Address';Expression={$_.replacementstrings[-2]}} | export-csv c:\users\user\type3logon.csv

Get-eventlog store the logon type in a array called replacementstrings , its stored at location [8] the logon type , user name at location 5 and the IP Address in location [-2]

Now lets see what other logon types we have and how many attempts for each

Get-EventLog -LogName security | where {$_.EventID -eq 4624} | Group-Object {$_.Replacementstrings[8]} | select name,count

Name Count

--------- ---------

7 2

5 210

2 29

[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/

[ii] https://technet.microsoft.com/en-us/library/hh849682.aspx

Basil