In a previous diary[i] I talked about Windows Events and gave some examples of the events that are most useful for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events with Get-WinEvent. "The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW)."[ii]
Here are some examples.
This command would show everything in the System event log, which can be very large and will include many things that are not relevant to our case. The best way to filter events with the Get-WinEvent cmdlet is the FilterHashtable parameter. Suppose you are interested only in the events related to the creation of a new service (event ID 7045).
The output would be similar to this:
As you can see from the sample, many services with suspicious names have been installed on the system. Next we can check our events to see who was logged on around that time.
Here is the output:
From the above output we find that a user named "test" logged on at 9/15/2016 9:09:39 PM via the network (Logon Type: 3) from the IP address 10.10.75.1. Now let's find out when the user "test" was created:
Here is the output:
Now let's see whether there were any other logon attempts via the network. For this task I would use Get-EventLog.
Get-EventLog stores the event's data fields in an array called ReplacementStrings: for a logon event, the logon type is at index [8], the user name at index [5], and the IP address at index [-2]. Now let's see what other logon types we have and how many attempts there were for each.
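The whole procedure above, written out as an added Windows PowerShell example that is not from the original diary. It assumes that Security event ID 4624 (successful logon) is the event whose ReplacementStrings indices the diary describes, and that the first two Properties of a 7045 event are the service name and image path; both are assumptions about the Windows event formats, not statements from the diary.

```powershell
# Added example, not from the original diary. Run in an elevated Windows PowerShell
# session (Get-EventLog exists only in Windows PowerShell 5.1, not PowerShell 7).
$since = (Get-Date).AddDays(-30)

# 1. New services installed (event ID 7045), filtered with FilterHashtable instead
#    of pulling the whole System log. Properties[0]/[1] assumed to be name and path.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ID = 7045; StartTime = $since } |
    Select-Object TimeCreated,
        @{ n = 'ServiceName'; e = { $_.Properties[0].Value } },
        @{ n = 'ImagePath';   e = { $_.Properties[1].Value } } |
    Format-Table -AutoSize

# 2. Logon events from the Security log via Get-EventLog, pulling the fields out of
#    ReplacementStrings at the indices the diary gives. Caveat: [-2] is the IP address
#    only as long as the event's field list ends the same way; newer Windows builds
#    append extra fields to 4624, so verify the index on the host you are examining
#    before trusting it.
$logons = Get-EventLog -LogName Security -InstanceId 4624 -After $since |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeGenerated
            User      = $_.ReplacementStrings[5]
            LogonType = $_.ReplacementStrings[8]
            SourceIP  = $_.ReplacementStrings[-2]
        }
    }

# Network logons only (logon type 3), oldest first, to line up with the 7045 times.
$logons | Where-Object { $_.LogonType -eq '3' } | Sort-Object Time | Format-Table -AutoSize

# 3. How many attempts per logon type.
$logons | Group-Object LogonType | Sort-Object Count -Descending |
    Select-Object @{ n = 'LogonType'; e = { $_.Name } }, Count
```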
[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/
Basil, ISC Handler, Sep 20th 2016
Some PowerShell magic with Sysinternals Sysmon would be greatly appreciated!
Anonymous, Sep 21st 2016