I often have to work with windows log files during incident response and every time it’s a very frustrating experience. Honestly, I think Windows logging system needs a complete rework. Windows logs for the most part completely useless with their cryptic messages, thousands of undocumented events and lack of any easy interface to work with. It always baffle me why you can’t filter or search easily by most interesting fields like Account Name or Source IP in Event Viewer.
So I started to look for a solution to this problem. I wasn’t able to find anything at first and started to develop my own parser based on XML format of logs(which is a mess itself). Half way through I discovered an easier way with Powershell and Logparser.
Powershell way
Turns out powershell have Get-WinEvent cmdlet to work with event logs. However, it still doesn’t allow you to query individual fields, which is what we want. But I figured out a way to do this, which involve converting event log to xml on the fly and leverage powershell pipeline capabilities to parse it. It allows you to leverage all powershell features to work with logs, such as selecting certain fields and aggregating on values. It works and all you need to have is powershell, which is great, but the downside for this is speed – it is a slow process, especially for big files. You also can’t search easily, i.e. display all fields for a particular user.
Take a look at examples:
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #Security log | |
| #============ | |
| #### | |
| #4624 – Logon & Logoff events successful | |
| #4625 – Logon unsucceful | |
| #### | |
| # Get usernames | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" –Unique | |
| # Get domains | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select –ExpandProperty "#text" –Unique | |
| # Get ips | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(18)}| Select –ExpandProperty "#text" –Unique | |
| # Get process name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(17)}| Select –ExpandProperty "#text" –Unique | |
| # Get auth package | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(10)}| Select –ExpandProperty "#text" –Unique | |
| # Get workstation name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select –ExpandProperty "#text" –Unique | |
| # Group by examples | |
| # Get usernames | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4624"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" | group | |
| #### | |
| #4648 – login explicit creds | |
| #### | |
| # Get logins | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4648"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" –Unique | |
| # Get domains | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4648"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select –ExpandProperty "#text" –Unique | |
| # get server name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4648"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(8)}| Select –ExpandProperty "#text" –Unique | |
| # get process name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4648"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select –ExpandProperty "#text" –Unique | |
| #### | |
| # 4776 – The domain controller attempted to validate the credentials for an account(or local computer) | |
| #### | |
| # Get logins | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4776"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| # Get workstation names | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4776"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select –ExpandProperty "#text" –Unique | |
| #5140 – Network share accessed | |
| #### | |
| # Get domains | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5140"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select –ExpandProperty "#text" –Unique | |
| # Get usernames | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5140"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| # Get ips | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5140"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" –Unique | |
| # Get shares | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5140"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(7)}| Select –ExpandProperty "#text" –Unique | |
| #### | |
| #5145 – A network share object was checked to see whether client can be granted desired access | |
| #5140 – A network share object was accessed | |
| #### | |
| # Get domains | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5145"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select –ExpandProperty "#text" –Unique | |
| # Get ips | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5145"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" –Unique | |
| # Get shares | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5145"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(7)}| Select –ExpandProperty "#text" –Unique | |
| # Get files | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5145"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(9)}| Select –ExpandProperty "#text" –Unique | |
| #### | |
| # 4663 – An attempt was made to access an object | |
| # 4670 – Permissions on an object were changed | |
| # 4656 – A handle to an object was requested | |
| #### | |
| # Get users | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4663"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| # Get domain | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4663"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(2)}| Select –ExpandProperty "#text" –Unique | |
| # Get object type | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4663"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(5)}| Select –ExpandProperty "#text" –Unique | |
| # Get Object Name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4663"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(6)}| Select –ExpandProperty "#text" –Unique | |
| # Get process name | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "4663"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(11)}| Select –ExpandProperty "#text" –Unique | |
| #Task Scheduler Log | |
| #================= | |
| #### | |
| # Task-scheduler 100 – task run | |
| # 101 – task failed to run | |
| #### | |
| # Get task names | |
| Get-WinEvent –path .\Microsoft–Windows–TaskScheduler%4Operational.evtx | Where {$_.id -eq "100"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select –ExpandProperty "#text" –Unique | |
| # Get users | |
| Get-WinEvent –path .\Microsoft–Windows–TaskScheduler%4Operational.evtx | Where {$_.id -eq "100"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| #### | |
| # Task Scheduler 200 – action run | |
| #### | |
| # Get task names | |
| Get-WinEvent –path .\Microsoft–Windows–TaskScheduler%4Operational.evtx | Where {$_.id -eq "200"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select –ExpandProperty "#text" –Unique | |
| # Get task action | |
| Get-WinEvent –path .\Microsoft–Windows–TaskScheduler%4Operational.evtx | Where {$_.id -eq "200"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| #Terminal Services Local Session Log | |
| #================== | |
| #### | |
| # TS 301 – successful login | |
| #### | |
| # Get ips | |
| Get-WinEvent –Path ".\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" | where {$_.id -eq "21"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Address")}| Select –ExpandProperty "#text" –Unique | |
| # Get users | |
| Get-WinEvent –Path ".\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx" | where {$_.id -eq "21"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("User")}| Select –ExpandProperty "#text" –Unique | |
| #Terminal Services Remote Connection Manager | |
| #================ | |
| #### | |
| # 1149 – successful login(not really, unsucceful attempts also logged as successful) | |
| #### | |
| # Get user names | |
| Get-WinEvent –Path ".\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | where {$_.id -eq "1149"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Param1")} | Select –ExpandProperty "#text" –Unique | |
| # Get domains | |
| Get-WinEvent –Path ".\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | where {$_.id -eq "1149"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Param2")} | Select –ExpandProperty "#text" –Unique | |
| # Get srcip | |
| Get-WinEvent –Path ".\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx" | where {$_.id -eq "1149"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Param3")} | Select –ExpandProperty "#text" –Unique | |
| #Firewall Log | |
| #=========== | |
| #### | |
| # FW 2004 – new exception rule was added | |
| # 2005 – existing rule modified | |
| #### | |
| # Get Rulenames | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| # Get application path | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(3)}| Select –ExpandProperty "#text" –Unique | |
| # Get service name | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(4)}| Select –ExpandProperty "#text" –Unique | |
| # Get modified application | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(22)}| Select –ExpandProperty "#text" –Unique | |
| # Get action | |
| # 3 = allow | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(9)}| Select –ExpandProperty "#text" –Unique | |
| # Get remote port | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(8)} | |
| # get src ips | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(11)} | |
| # get dest ips | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(12)} | |
| # get modifying user | |
| # short sid = SYSTEM | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2004"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(21)} | |
| #### | |
| # FW 2006 – rule was deleted | |
| #### | |
| # get rulenames | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2006"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)} | |
| # get modifying user | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2006"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(2)} | |
| # get modifyig application | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2006"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(3)} | |
| #### | |
| # FW 2011 – incoming connection was blocked | |
| #### | |
| # get application | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2011"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select –ExpandProperty "#text" –Unique | |
| # get port | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2011"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(4)}| Select –ExpandProperty "#text" –Unique | |
| # get modifying user | |
| Get-WinEvent –Path ".\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" | where {$_.id -eq "2011"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(6)}| Select –ExpandProperty "#text" –Unique | |
| #### | |
| # FW 5156 | |
| #### | |
| Get-WinEvent –path .\Security.evtx | Where {$_.id -eq "5156"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").ItemOf(0)}| Select –ExpandProperty "#text" –Unique | |
| # System log | |
| # ========== | |
| #### | |
| # 7045 – new service installed in system | |
| #### | |
| # Get service name | |
| Get-WinEvent –Path ".\System.evtx" | where {$_.id -eq "7045"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(0)}| Select –ExpandProperty "#text" –Unique | |
| # Get service path | |
| Get-WinEvent –Path ".\System.evtx" | where {$_.id -eq "7045"} | Foreach {([xml]$_.ToXml()).GetElementsByTagName("Data").itemOf(1)}| Select –ExpandProperty "#text" –Unique |
Logparser way
Then I discovered a tool developed by Microsoft – Logparser.
This tool is so powerful – basically it allows you to use SQL language to query information from various files like XML, CSV and EVTX. I am not sure why, but this tool was abandoned since 2005, nonetheless it still works. It also very fast, with most queries taking seconds to complete. This is what I am using to quickly answer questions like:
-
Who logged into machine?
-
What IP addresses was used for Administrator account?
-
What a specific user did?
-
What firewall rules was created?
Take a look at my examples here(I usually run those from powershell console):
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Logparser | |
| ############### | |
| # Security Log | |
| ############### | |
| # Find Event id | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'" | |
| # Show what eventids in event log sorted by count | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT COUNT(*) AS CNT, EventID FROM 'Security.evtx' GROUP BY EventID ORDER BY CNT DESC" | |
| # Eventid 1102 | |
| # Eventlog was cleared | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security.evtx' WHERE EventID = '1102'" | |
| # Eventid 4624 | |
| # successful logon | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')" | |
| # Find specific user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'" | |
| # Find RDP logons | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'" | |
| # Find console logons | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'" | |
| # Find specific IP | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'" | |
| # look at NTLM based logons | |
| # possible pass-the-hash | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 10, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'" | |
| # group by NTLM users | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –q:ON –stats:OFF –i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC" | |
| # group by users | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC" | |
| # group by authpackage | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC" | |
| # group by LogonType | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC" | |
| # group by workstation name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC" | |
| # group by process name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC" | |
| # | |
| # Event id 4625 | |
| # unsuccessful logon | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')" | |
| # Find specific User | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'" | |
| # Find specific IP | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'" | |
| # check ntlm based attempts | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'" | |
| # group by ntlm users | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC" | |
| # group by Username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC" | |
| # event id 4634 | |
| # user logoff | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')" | |
| # Event id 4648 | |
| # explicit creds was used | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648" | |
| # Search by accountname | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'" | |
| # Search by usedaccount | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'" | |
| # group by accountname | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC" | |
| # group by used account | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC" | |
| # event id 4657 | |
| # A registry value was modified | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4657'" | |
| # event id 4663 | |
| # An attempt was made to access an object | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4663'" | |
| # Event id 4672 | |
| # Admin logon | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' –stats:OFF –i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') | |
| # Find specific user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'" | |
| # group by username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC" | |
| # event id 4688 | |
| # new process was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security.evtx' WHERE EventID = 4688" | |
| # Search by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 AND Username = 'Administrator'" | |
| # Search by process name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'" | |
| # group by username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC" | |
| # group by process name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC" | |
| # event id 4704 | |
| # A user right was assigned | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4704'" | |
| # event id 4705 | |
| # A user right was removed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4705'" | |
| # event id 4706 | |
| # A new trust was created to a domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4706'" | |
| # event id 4720 | |
| # A user account was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser, extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE EventID = '4720'" | |
| # Event id 4722 | |
| # user account was enabled | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4722" | |
| # event id 4723 | |
| # attempt to change password for the account – user changed his own password | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4723" | |
| # event id 4724 | |
| # attempt to reset user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4724" | |
| # event id 4725 | |
| # user account was disabled | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4725" | |
| # event id 4726 | |
| # A user account was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser, extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE EventID = '4726'" | |
| # event id 4727 | |
| # A security-enabled global group was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4727'" | |
| # event id 4728 | |
| # A member was added to a security-enabled global group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4728'" | |
| # event id 4729 | |
| # A member was removed from a security-enabled global group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4729'" | |
| # event id 4730 | |
| # A security-enabled global group was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4730'" | |
| # event id 4731 | |
| # A security-enabled local group was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4731" | |
| # event id 4732 | |
| # A member was added to a security-enabled local group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4732'" | |
| # event id 4733 | |
| # A member was removed from a security-enabled local group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4733'" | |
| # event id 4734 | |
| # A security-enabled local group was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE EventID = 4734" | |
| # event id 4738 | |
| # user account was changed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 1, '|') as user, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4738" | |
| # event id 4740 | |
| # A user account was locked out | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4740'" | |
| # event id 4742 | |
| # computer account was changed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 5, '|') as user, extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4742" | |
| # event id 4754 | |
| # A security-enabled universal group was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4754" | |
| # event id 4756 | |
| # A member was added to a security-enabled universal group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4756'" | |
| # event id 4757 | |
| # A member was removed from a security-enabled universal group | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4757'" | |
| # event id 4758 | |
| # A security-enabled universal group was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE EventID = 4758" | |
| # event id 4767 | |
| # A user account was unlocked | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4767'" | |
| # event id 4768 | |
| # Kerberos TGT was requested | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher, extract_token(strings, 9, '|') as sourceip FROM 'Security.evtx' WHERE EventID = 4768" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC" | |
| # group by cipher | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC" | |
| # event id 4769 | |
| # Kerberos Service ticket was requested | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|') as sourceip FROM 'Security.evtx' WHERE EventID = 4769" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC" | |
| # group by service | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC" | |
| # group by cipher | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC" | |
| # event id 4771 | |
| # kerberos pre-atuhentication failed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0 , '|') as user, extract_token(strings, 6 , '|') as sourceip FROM 'Security.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC" | |
| # event id 4776 | |
| # domain/computer attemped to validate user credentials | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'" | |
| # Search by username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username = 'Administrator'" | |
| # group by username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC" | |
| # event id 4778 | |
| # RDP session reconnected | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4778" | |
| # event id 4779 | |
| # RDP session disconnected | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4779" | |
| # event id 4781 | |
| # User account was renamed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS newname, EXTRACT_TOKEN(Strings, 1, '|') AS oldname, EXTRACT_TOKEN(Strings, 2, '|') AS accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4781" | |
| # event id 4825 | |
| # RDP Access denied | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4825" | |
| # event id 4946 | |
| # new exception was added to firewall | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx' WHERE EventID = 4946" | |
| # group by rule name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC" | |
| # event id 4948 | |
| # rule was deleted from firewall | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx' WHERE EventID = 4948" | |
| # group by rule name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC" | |
| # event id 5038 | |
| # Code integrity determined that the image hash of a file is not valid | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'" | |
| # event id 5136 | |
| # A directory service object was modified | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username, extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings, 11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM 'Security.evtx' WHERE EventID = '5136'" | |
| # group by username | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC" | |
| # group by domain | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC" | |
| # group by objectdn | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC" | |
| # group by objectclass | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC" | |
| # group by objectattrib | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC" | |
| # group by attribvalue | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC" | |
| # event id 5137 | |
| # A directory service object was created | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5137'" | |
| # event id 5138 | |
| # A directory service object was undeleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5138'" | |
| # event id 5139 | |
| # A directory service object was moved | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5139'" | |
| # event id 5141 | |
| # A directory service object was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5141'" | |
| # event id 5140 | |
| # A network share object was accessed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5140'" | |
| # event id 5142 | |
| # A network share object was added | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5142'" | |
| # event id 5143 | |
| # A network share object was modified | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5143'" | |
| # event id 5144 | |
| # A network share object was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5144'" | |
| # event id 5145 | |
| # A network share object was checked to see whether client can be granted desired access | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5145'" | |
| # event id 5154 | |
| # The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5154'" | |
| # event id 5155 | |
| # The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5155'" | |
| # event id 5156 | |
| # The Windows Filtering Platform has allowed a connection | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5156'" | |
| # event id 5157 | |
| # The Windows Filtering Platform has blocked a connection | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5157'" | |
| # event id 5158 | |
| # The Windows Filtering Platform has permitted a bind to a local port | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5158'" | |
| # event id 5159 | |
| # The Windows Filtering Platform has blocked a bind to a local port | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '5159'" | |
| ############# | |
| # System Log | |
| ############# | |
| # EventID 7045 | |
| # New Service was installed in system | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName, extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS ServiceUser FROM System.evtx WHERE EventID = 7045" | |
| # EventID 7036 | |
| # Service actions | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM System.evtx WHERE EventID = 7036" | |
| # group by service name | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM System.evtx WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC" | |
| ##################### | |
| # Task Scheduler Log | |
| ##################### | |
| # EventID 100 | |
| # Task was run | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100" | |
| # group by taskname | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC" | |
| # eventid 200 | |
| # action was executed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200" | |
| # group by action | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC" | |
| # eventid 140 | |
| # user updated a task | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC" | |
| # group by taskname | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC" | |
| # event id 141 | |
| # user deleted a task | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC" | |
| # group by taskname | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC" | |
| ####################### | |
| # Windows Firewall Log | |
| ####################### | |
| # EventID 2004 | |
| # New exception rule was added | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename, extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as changedapp from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2004" | |
| # group by apppath | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2004 GROUP BY apppath ORDER BY CNT DESC" | |
| # event id 2005 | |
| # rule was changed | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings, 22, '|') as modifyingapp from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005" | |
| # group by apppath | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP BY apppath ORDER BY CNT DESC" | |
| # group by rulename | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP BY rulename ORDER BY CNT DESC" | |
| # group by servicename | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP BY servicename ORDER BY CNT DESC" | |
| # group by local port | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP BY localport ORDER BY CNT DESC" | |
| # group by modifyingapp | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2005 GROUP BY modifyingapp ORDER BY CNT DESC" | |
| # event id 2006 | |
| # rule was deleted | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(strings, 3, '|') as changedapp from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2006" | |
| # group by rulename | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2006 GROUP BY rulename ORDER BY CNT DESC" | |
| # group by changedapp | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2006 GROUP BY changedapp ORDER BY CNT DESC" | |
| # EventID 2011 | |
| # Firewall blocked inbound connections to the application, but did not notify the user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings, 1, '|') as file, extract_token(strings, 4, '|') as port from 'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2011" | |
| # group by application | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as file from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2011 GROUP BY file ORDER BY CNT DESC" | |
| ###################### | |
| # RDP LocalSession Log | |
| # Local logins | |
| ###################### | |
| # Event id 21 | |
| # Successful logon | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21" | |
| # find specific user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user LIKE '%Administrator%'" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY user ORDER BY CNT DESC" | |
| ####################### | |
| # RDP RemoteSession Log | |
| ####################### | |
| # Event ID 1149 | |
| # Successful logon | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149" | |
| # group by user | |
| & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149 GROUP BY user ORDER BY CNT DESC" |
DFIR blog 
[…] Coincidently DFIR Blog has also published a post about parsing Windows Event Logs. The post showcases using both PowerShell and Logparser to obtain useful information out of Event Logs. Each method has worked examples and can be used as a sort of cheatsheet. How To Parse Windows Eventlog […]
LikeLike
How do these techniques compare to using EVTXtract (which leverages python-evtx) or Plaso’s timeline analysis tools (i.e., plasm and psort) based on libevt?
What about EMET failures in the event log? Would be neat to see some examples there since you mentioned it in a previous post.
LikeLike
Those tools are basically parsers, so you need to build aggregations and filtering on top of them, unlike Logparser.
As for EMET logs – they are written into Application log and can be queried similar to everything else – just filter on Source EMET.
LikeLike
Inspiring knowledge about what to look for.
There are ways to improve speed in the part where youre using PowerShell.
Using where-object is expensive and Get-WinEvent gives you ways to filter up front like this:
$hash = @{
LogName = ‘Security’
ID = 4624
StartTime = (Get-Date).AddDays(-1)
}
$event = Get-WinEvent -FilterHashtable $hash |select -first 1
Theres also a “Properties” property on the[System.Diagnostics.Eventing.Reader.EventLogRecord] objects you retreive, that let you approach the data you’re looking for:
$event.Properties[5]
$event.Properties[6]
$event.Properties[10]
..
LikeLike
Thanks for your comment.
Didn’t know about .NET API for Eventlog, gonna check it out.
LikeLike
Your welcome.
Btw: To get the value I should have pointet out, that you need to do the following to get af string-value rather than an object;
$event.Properties[5].Value
LikeLike
[…] http://dfir-blog.com/2016/03/13/how-to-parse-windows-eventlog/ […]
LikeLike