In a previous diary[i] I talked about Windows Events and gave some examples of the events that are most useful for Forensics/IR. In this diary I will talk about how to use Windows PowerShell to search for events.
Get-WinEvent
The Get-WinEvent cmdlet gets events from event logs, including classic logs, such as the System and Application logs, and the event logs that are generated by the Windows Event Log technology introduced in Windows Vista. It also gets events in log files generated by Event Tracing for Windows (ETW).[ii]
Get-WinEvent -LogName System
This command shows everything in the System log, which can be very large and will include many events that are not relevant to our case.
The best way to filter events with the Get-WinEvent cmdlet is the -FilterHashtable parameter. Suppose that you are interested only in seeing the events that
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} | Format-List
TimeCreated : 9/16/2016 12:57:58 AM
ProviderName : Service Control Manager
Id : 7045
Message : A service was installed in the system.
Service Name: Meterpreter
Service File Name: C:\Windows\TEMP\hXdIEXeEbqqzDy\metsvc.exe service
Service Type: user mode service
Service Start Type: auto start
Service Account: LocalSystem

TimeCreated : 9/16/2016 12:56:46 AM
ProviderName : Service Control Manager
Id : 7045
Message : A service was installed in the system.
Service Name: vvgQjBPVHmgKnFfH
Service File Name: %SYSTEMROOT%\AmEAdtHt.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

TimeCreated : 9/16/2016 12:54:14 AM
ProviderName : Service Control Manager
Id : 7045
Message : A service was installed in the system.
Service Name: jJZzbNmqBqTeqzsU
Service File Name: %SYSTEMROOT%\bFZwMEQv.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

TimeCreated : 9/16/2016 12:39:34 AM
ProviderName : Service Control Manager
Id : 7045
Message : A service was installed in the system.
Service Name: zNvHlQahvTqmPpVS
Service File Name: %SYSTEMROOT%\cEYBVJNP.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem

TimeCreated : 9/15/2016 9:09:40 PM
ProviderName : Service Control Manager
Id : 7045
Message : A service was installed in the system.
Service Name: vJcYxfCDYUgOZiVb
Service File Name: %SYSTEMROOT%\TifTyNVa.exe
Service Type: user mode service
Service Start Type: demand start
Service Account: LocalSystem
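As an added example (not part of the original diary), here is the 7045 query above built into a reusable function. The hashtable filter carries the log name, event ID and a time window, so the filtering is done by the event log service rather than in the pipeline, and each field (service name, image path, start type, account) is read by name from the event's XML EventData instead of being scraped from the rendered Message text. The Suspicious flag is a crude heuristic of my own, not something the diary proposes: it marks binaries under a Temp directory or dropped straight into the Windows directory, and service names that are one long run of letters like the ones in the output above, and it will produce false positives on some legitimate services.

```powershell
# Added example, not from the original diary: event 7045 ("a service was
# installed") pulled with a hashtable filter and parsed from its XML payload.
function Get-ServiceInstallEvents {
    param(
        [datetime]$StartTime    = (Get-Date).AddDays(-30),
        [datetime]$EndTime      = (Get-Date),
        [string]  $ComputerName = $env:COMPUTERNAME
    )
    # LogName, Id and the time window all go into the hashtable so the event
    # log service does the filtering. An empty result produces a non-terminating
    # "No events were found" error, which -ErrorAction hides here.
    $filter = @{ LogName = 'System'; Id = 7045; StartTime = $StartTime; EndTime = $EndTime }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The Message text is rendered from the EventData fields; reading the
            # XML gives them by name (ServiceName, ImagePath, ServiceType,
            # StartType, AccountName for 7045).
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            # Expand %SYSTEMROOT% (on the analysis machine) so paths can be compared
            $image = [Environment]::ExpandEnvironmentVariables([string]$data['ImagePath'])
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                ServiceName = $data['ServiceName']
                ImagePath   = $image
                ServiceType = $data['ServiceType']
                StartType   = $data['StartType']
                Account     = $data['AccountName']
                # Heuristic of my own (assumption, not from the diary): binary under
                # a Temp directory, dropped directly into the Windows directory, or a
                # service name that is a single run of 12+ letters.
                Suspicious  = ($image -match '\\Temp\\' -or
                               $image -match '^[A-Za-z]:\\Windows\\[^\\]+\.exe\b' -or
                               $data['ServiceName'] -match '^[A-Za-z]{12,}$')
            }
        }
}

# Usage: services installed in the diary's window, suspicious ones only
Get-ServiceInstallEvents -StartTime ([datetime]'2016-09-15') -EndTime ([datetime]'2016-09-17') |
    Where-Object Suspicious |
    Format-Table TimeCreated, ServiceName, ImagePath, StartType, Account -AutoSize
```

Reading fields from the XML rather than the Message also keeps the query working when the message template is missing on the analysis machine (for example when you open a collected .evtx from another host with -Path), because the EventData values are stored in the log regardless of whether the provider's message resources are installed.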
Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime=[datetime]'9/15/2016 9:00:00 PM'; EndTime=[datetime]'9/15/2016 9:09:40 PM'} | Format-List
TimeCreated : 9/15/2016 9:09:39 PM
ProviderName : Microsoft-Windows-Security-Auditing
Id : 4624
Message : An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-21-574956201-2274518538-2668157362-1004
Account Name: test
Account Domain: WIN-CAR8AFQU4IJ
Logon ID: 0x112fd1
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name: BH5vQpSXNj4EBCBk
Source Network Address: 10.10.75.1
Source Port: 55165
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V2
Key Length: 0
From the above output we find out that a user named test logged on at 9/15/2016 9:09:39 PM over the network (Logon Type 3) from the IP address 10.10.75.1; the same event also records the client's workstation name (BH5vQpSXNj4EBCBk) and that the logon was authenticated with NTLM v2.
Now let's find out when the user test
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4720} | Where-Object {$_.Message -match 'test'} | Format-List
Note that -match is a case-insensitive regular-expression match against the whole message text, so this also returns 4720 events whose message merely contains that string anywhere (for instance an account named "tester", or a creating account with "test" in its name); for an exact hit, compare the event's New Account > Account Name field instead.
And here is the output:
TimeCreated : 8/12/2016 10:06:33 PM
ProviderName : Microsoft-Windows-Security-Auditing
Id : 4720
Message : A user account was created.
Subject:
Security ID: S-1-5-21-574956201-2274518538-2668157362-1000
Account Name: Victim
Account Domain: WIN-CAR8AFQU4IJ
Logon ID: 0x275eb2
New Account:
Security ID: S-1-5-21-574956201-2274518538-2668157362-1004
Account Name: test
Account Domain: WIN-CAR8AFQU4IJ
Attributes:
SAM Account Name: test
Display Name:
User Principal Name: -
Home Directory:
Home Drive:
Script Path:
Profile Path:
User Workstations:
Password Last Set:
Account Expires:
Primary Group ID: 513
Allowed To Delegate To: -
Old UAC Value: 0x0
New UAC Value: 0x15
User Account Control:
Account Disabled
Password Not Required - Enabled
Normal Account - Enabled
User Parameters:
SID History: -
Logon Hours: All
Additional Information:
Privileges -
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624 -and $_.ReplacementStrings[8] -eq '3'} |
    Select-Object TimeGenerated,
                  @{Name='Account Name'; Expression={$_.ReplacementStrings[5]}},
                  @{Name='IP Address';   Expression={$_.ReplacementStrings[18]}}
# The original line broke off after @{Name='IP Address'; the Expression above
# assumes the standard 4624 insertion-string layout, where index 18 is IpAddress.
Get-EventLog -LogName Security | Where-Object {$_.EventID -eq 4624} | Group-Object {$_.ReplacementStrings[8]} | Select-Object Name, Count
Name  Count
----  -----
7         2
5       210
2        29
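Get-EventLog reads only the classic logs and exists only in Windows PowerShell (it is not available in PowerShell 6 and later), so as an added example (not from the original diary) here is the same logon-type breakdown and a per-account source-address listing built on Get-WinEvent. A 4624 event's EventData is exposed as $_.Properties in the same order as ReplacementStrings, so the indices used above ([5] account name, [8] logon type, [18] IP address) carry over unchanged. The logon-type name table is Microsoft's documented list; excluding "-" and loopback source addresses from the remote-logon view is my own assumption about what an analyst wants to see.

```powershell
# Added example, not from the original diary: 4624 logon analysis on Get-WinEvent.
# Properties are in the same order as Get-EventLog's ReplacementStrings:
# [5] TargetUserName, [6] TargetDomainName, [8] LogonType,
# [10] AuthenticationPackageName, [11] WorkstationName, [18] IpAddress.
# Newer Windows versions append fields after these, so the indices stay valid.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-LogonEvents {
    param(
        [datetime]$StartTime = (Get-Date).AddDays(-7),
        [datetime]$EndTime   = (Get-Date)
    )
    # Log name, ID and time window go into the hashtable so the event log
    # service does the filtering; -ErrorAction hides the non-terminating
    # "No events were found" error an empty result produces.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $StartTime; EndTime = $EndTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p    = $_.Properties
        $type = [int]$p[8].Value
        $name = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { 'Other' }
        [pscustomobject]@{
            TimeCreated   = $_.TimeCreated
            Account       = '{0}\{1}' -f $p[6].Value, $p[5].Value
            LogonType     = $type
            LogonTypeName = $name
            AuthPackage   = $p[10].Value
            Workstation   = $p[11].Value
            SourceIP      = $p[18].Value
        }
    }
}

# Same count per logon type as the Group-Object command above, with the type decoded
function Get-LogonTypeSummary {
    param([datetime]$StartTime, [datetime]$EndTime)
    Get-LogonEvents @PSBoundParameters |
        Group-Object LogonType, LogonTypeName |
        ForEach-Object {
            [pscustomobject]@{
                LogonType   = $_.Group[0].LogonType
                Description = $_.Group[0].LogonTypeName
                Count       = $_.Count
            }
        } | Sort-Object Count -Descending
}

# Type 3 logons with a real remote source. '-' means no address was recorded
# and loopback logons are local; treating both as noise is an assumption.
function Get-RemoteNetworkLogons {
    param([datetime]$StartTime, [datetime]$EndTime)
    Get-LogonEvents @PSBoundParameters |
        Where-Object { $_.LogonType -eq 3 -and $_.SourceIP -notin @('-', '127.0.0.1', '::1') } |
        Group-Object Account, SourceIP |
        ForEach-Object {
            $sorted = @($_.Group | Sort-Object TimeCreated)
            [pscustomobject]@{
                Account     = $sorted[0].Account
                SourceIP    = $sorted[0].SourceIP
                Workstation = $sorted[0].Workstation
                AuthPackage = $sorted[0].AuthPackage
                Count       = $sorted.Count
                First       = $sorted[0].TimeCreated
                Last        = $sorted[-1].TimeCreated
            }
        } | Sort-Object First
}

# Usage with the diary's time window (ISO date literals parse independently of culture)
$start = [datetime]'2016-09-15T21:00:00'
$end   = [datetime]'2016-09-15T21:09:40'
Get-LogonTypeSummary    -StartTime $start -EndTime $end | Format-Table -AutoSize
Get-RemoteNetworkLogons -StartTime $start -EndTime $end | Format-Table -AutoSize
```

Putting the ID and time window into -FilterHashtable is also much faster on a large Security log than piping every record through Where-Object, because the filter is evaluated by the event log service before the records are handed to PowerShell.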
[i] https://isc.sans.edu/forums/diary/Windows+Events+log+for+IRForensics+Part+1/21493/