# Windows Event Logs

Event logs are records of events that occur while a system is running. The audit trail they provide can be used to understand activity on, and diagnose problems with, a system, including complex systems with little user interaction. \
\
A defender can combine log entries from multiple sources and apply statistical analysis to look for correlations. In a large enterprise a SIEM is used for this: it collects the logs from endpoints, appliances and other devices so they can be queried in one place, instead of connecting to each device to view its logs.

## <mark style="color:red;">Event Viewer</mark>

Windows event logs are not text files that can be read in a text editor. Events are stored in a proprietary binary format in files with a .evt (legacy) or .evtx extension, and the raw data is rendered to XML through the Windows API. The .evtx files typically reside in `C:\Windows\System32\winevt\Logs`.

### <mark style="color:orange;">Elements of a Windows Event Log</mark>

Event logs are used to troubleshoot incidents, understand what happened, and remediate.

Elements in event logs in Windows systems are:

* <mark style="color:green;">**System Logs**</mark>: <mark style="background-color:purple;">Records events associated with the Operating System segments. They may include information about hardware changes, device drivers, system changes, and other activities related to the device.</mark>
* <mark style="color:green;">**Security Logs**</mark>: <mark style="background-color:purple;">Records events connected to logon and logoff activities on a device. The system's audit policy specifies the events. The logs are an excellent source for analysts to investigate attempted or successful unauthorized activity.</mark>
* <mark style="color:green;">**Application Logs**</mark>: <mark style="background-color:purple;">Records events related to applications installed on a system. The main pieces of information include application errors, events, and warnings.</mark>
* <mark style="color:green;">**Directory Service Events**</mark>: <mark style="background-color:purple;">Active Directory changes and activities are recorded in these logs, mainly on domain controllers.</mark>
* <mark style="color:green;">**File Replication Service Events**</mark>: <mark style="background-color:purple;">Records events associated with Windows Servers during the sharing of Group Policies and logon scripts to domain controllers, from where they may be accessed by the users through the client servers.</mark>
* <mark style="color:green;">**DNS Event Logs**</mark>: <mark style="background-color:purple;">DNS servers record domain events, such as zone and query activity, in these logs.</mark>
* <mark style="color:green;">**Custom Logs**</mark>: <mark style="background-color:purple;">Events are logged by applications that require custom data storage. This allows applications to control the log size or attach other parameters, such as ACLs, for security purposes.</mark>

Event logs can be classified into types that describe the activity resulting in a logged event.&#x20;

<table><thead><tr><th width="167">Event type</th><th>Description</th></tr></thead><tbody><tr><td>Error</td><td>Indicates a significant problem such as loss of data or functionality.</td></tr><tr><td>Warning</td><td>May indicate a possible future problem.</td></tr><tr><td>Information</td><td>Describes successful operation of an application, driver, or service.</td></tr><tr><td>Success Audit</td><td>Recorded audited security access attempt that is successful.</td></tr><tr><td>Failure Audit</td><td>Recorded audited security access attempt that fails.</td></tr></tbody></table>


Three main ways of accessing these event logs within a Windows system:

1. **Event Viewer** (GUI-based application)
2. **Wevtutil.exe** (command-line tool)
3. **Get-WinEvent** (PowerShell cmdlet)

### <mark style="color:orange;">Event Viewer</mark>

In any Windows system, the Event Viewer, a **Microsoft Management Console** (**MMC**) snap-in, can be launched by simply right-clicking the Windows icon in the taskbar and selecting Event Viewer. For the savvy sysadmins that use the CLI much of their day, Event Viewer can be launched by typing `eventvwr.msc`. It is a GUI-based application that allows you to interact quickly with and analyze logs.

Event Viewer has three panes.

1. The pane on the left provides a hierarchical tree listing of the event log providers.
2. The pane in the middle will display a general overview and summary of the events specific to a selected provider.
3. The pane on the right is the actions pane.

<figure><img src="/files/mUC1TQdPmROYKqjEn3eY" alt=""><figcaption><p>Event Viewer</p></figcaption></figure>

The following section is the Applications and Services Logs. Expand this section and drill down on `Microsoft > Windows > PowerShell > Operational.` PowerShell will log operations from the engine, providers, and cmdlets to the Windows event log. \
Right-click on **Operational** then **Properties**.

Within **Properties**, we see the log location, log size, and when it was created, modified, and last accessed. The window also shows the maximum log size and what action to take once it is reached. This is log rotation, and the settings behind it are a retention decision every organisation has to make: how long logs must be kept, and when it is acceptable to overwrite them with new data. For a security log, a small maximum size with overwrite enabled means the evidence of an intrusion can be gone before anyone looks for it.

<figure><img src="/files/jnwRNyJKVjRyhJWbC0we" alt=""><figcaption><p>Properties</p></figcaption></figure>

Lastly, notice the **Clear Log** button at the bottom right. There are legitimate reasons to use it, such as during maintenance, but adversaries will also clear logs to avoid detection. Clearing the Security log leaves behind event ID 1102, and clearing any other log writes event ID 104 to the System log, so the act itself is detectable. **Note**: This is not the only method to remove the event logs for any given event provider.

Focusing on the middle pane, we can display the events specific to a selected provider. In this case, **PowerShell/Operational**.

<figure><img src="/files/Pc9EeDiIET2FlzFYbfA7" alt=""><figcaption><p>Middle Pane</p></figcaption></figure>

The event provider's name and the number of events logged are displayed here.&#x20;

Each column of the pane presents a particular type of information as described below:

* **Level**: Highlights the log recorded type based on the identified event types specified earlier. In this case, the log is labeled as Information.
* **Date and Time**: Highlights the time at which the event was logged.
* **Source**: The name of the software that logs the event is identified. From the above image, the source is PowerShell.
* **Event ID**: A predefined numerical value that maps to a specific operation or event for the log source. Event IDs are therefore only unique within a source: `Event ID 4103` in the above image relates to Executing Pipeline, but will have an entirely different meaning in another event log.
* **Task Category**: Highlights the Event Category. This entry will help you organize events so the Event Viewer can filter them. The event source defines this column.

<figure><img src="/files/M4V3nb5pNoN1lXkhhDRF" alt=""><figcaption><p>Event 4103</p></figcaption></figure>

The middle pane has a split view. More information is displayed in the bottom half of the middle pane for any event you click on.\
This section has two tabs: **General** and **Details**.

* General is the default view, and the rendered data is displayed.
* The Details view has two options: Friendly view and XML view.

<figure><img src="/files/LEQNdouHLauWvLNGJQHL" alt=""><figcaption><p>General View</p></figcaption></figure>

Lastly, a saved log can be opened from the Actions pane. This is useful when the remote machine cannot be accessed directly; the log files can be provided to the analyst instead.&#x20;

The **Create Custom View** and **Filter Current Log** dialogs are nearly identical. The only difference between the two is that the `By log` and `By source` radio buttons are greyed out in **Filter Current Log**. The reason is that this filter only applies to the current log, so there is no need for *by log* or *by source* to be enabled.

<figure><img src="/files/Ze4Adjqc9dCewsGNDuHT" alt=""><figcaption><p>Create Custom View</p></figcaption></figure>

<figure><img src="/files/LvAK5AzK6q6gmaI6QAI7" alt=""><figcaption><p>Filter Current Log</p></figcaption></figure>

Why are these actions beneficial? If we are only interested in 4104 events, we can avoid having every PowerShell/Operational event cluttering the pane; both actions make that possible.&#x20;

To view event logs from another computer, right-click `Event Viewer (Local) > Connect to Another Computer...`

<figure><img src="/files/DXq9cvKlsLB7BuxWmPIT" alt=""><figcaption><p>Connect to Another Computer</p></figcaption></figure>

***What is the Event ID for the first recorded event?***

<figure><img src="/files/Muxczut6mIn6NTHPouzY" alt=""><figcaption><p>40961</p></figcaption></figure>

***Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?***

<figure><img src="/files/OTUurs7YRenDuulWRxYo" alt=""><figcaption><p>whoami</p></figcaption></figure>

***What is the Task Category for Event ID 4104?***

<figure><img src="/files/7pzNwstNQq6Z1PbuBLlu" alt=""><figcaption><p>Execute a Remote Command</p></figcaption></figure>

***Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?***

<figure><img src="/files/v9mYvVuZUUSTpLZFvsX3" alt=""><figcaption><p>Pipeline Execution Details</p></figcaption></figure>

## <mark style="color:red;">wevtutil.exe</mark>

Wevtutil.exe is a command-line tool for querying event logs; it can be run from a Command Prompt or from PowerShell. It can also install and uninstall event manifests, run structured queries, and export, archive and clear logs.&#x20;

<figure><img src="/files/yxbKQ8xpmGzMmCO2JWon" alt=""><figcaption><p>Usage</p></figcaption></figure>

Under **Usage** is a brief example of how to use the tool: `ep` (enum-publishers) is given as the command to wevtutil.exe.

Next are the **Common options** that can be used with the Windows Events Utility.

<figure><img src="/files/cbUt0iiu5baz5x8xLWKI" alt=""><figcaption><p>Common Options</p></figcaption></figure>

The bottom of the help output shows `wevtutil COMMAND /?`, which provides additional information specific to a command. For example, to get more information on the command `qe` (query-events):

<figure><img src="/files/w8nBDfFoSupykCh23DzO" alt=""><figcaption></figcaption></figure>

***How many log names are in the machine?***

<figure><img src="/files/tpwxarqXlXXnqCjzvw8v" alt=""><figcaption><p>1071</p></figcaption></figure>

***What event files would be read when using the query-events command?***

event log, log file, structured query

***What option would you use to provide a path to a log file?***

/lf:true

***What is the VALUE for /q?***

xpath query

<mark style="background-color:orange;">**The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text**</mark>

***What is the log name?***

Application

***What is the /rd option for?***

Event read direction

***What is the /c option for?***

Maximum number of events to read
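As an added example that is not part of the original page, the commands below run the wevtutil operations covered above from a PowerShell prompt: counting log names, reading a log's size and retention settings, querying a live log and a saved file, and exporting a log before anyone can clear it. The `C:\Cases\...` paths are placeholders, and the Security log needs an elevated prompt.

```powershell
# Added example (editor's, not code from the original page): wevtutil.exe driven from PowerShell.
# Assumptions: elevated prompt; C:\Cases\merged.evtx and C:\Cases\ are placeholder paths.

# 1. How many log names does this machine have? (el = enum-logs)
$logNames = wevtutil el
"Log count: $($logNames.Count)"

# 2. Size and retention of a log (gl = get-log). maxSize is in bytes. 'retention: false'
#    means the oldest events are overwritten when the log is full, which is the
#    'Overwrite events as needed' choice in Event Viewer's Properties dialog.
wevtutil gl Security | Select-String -Pattern 'logFileName|maxSize|retention|autoBackup'

# 3. Newest three Application events as text (qe = query-events):
#    /rd:true reads newest first, /c:3 stops after three events, /f:text drops the XML tags.
wevtutil qe Application /c:3 /rd:true /f:text

# 4. The same, restricted with an XPath filter (/q) to successful logons (4624) in Security.
wevtutil qe Security /q:"*[System[EventID=4624]]" /c:5 /rd:true /f:text

# 5. Query a saved log file instead of a live channel: /lf:true tells wevtutil that the
#    first argument is a path to a log file, not a log name.
wevtutil qe C:\Cases\merged.evtx /lf:true /c:3 /f:text

# 6. Preserve evidence before a log is cleared or rotated: epl (export-log) writes a copy
#    of the channel, and al (archive-log) adds the locale metadata the copy needs to render
#    correctly on another machine.
$export = "C:\Cases\Security-$(Get-Date -Format 'yyyyMMdd-HHmm').evtx"
wevtutil epl Security $export
wevtutil al $export

# 7. Raising the cap is a one-liner (sl = set-log): 1 GiB here, with overwrite still enabled.
#    Uncomment to apply; this changes the host's logging configuration.
# wevtutil sl Security /ms:1073741824 /rt:false
```

Step 4 is the same `qe` call used in the questions above with `/q` added; `/q` takes the XPath query that the XPath Queries section below builds up.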

## <mark style="color:red;">Get-WinEvent</mark>

The PowerShell cmdlet **Get-WinEvent** gets events from event logs and event tracing log files on local and remote computers. It provides information on event logs and providers and can combine events from multiple sources in a single command, filtering with XPath, structured XML, or hash table queries.

<mark style="background-color:blue;">The</mark> <mark style="background-color:blue;"></mark><mark style="background-color:blue;">**Get-WinEvent**</mark> <mark style="background-color:blue;"></mark><mark style="background-color:blue;">cmdlet replaces the</mark> <mark style="background-color:blue;"></mark><mark style="background-color:blue;">**Get-EventLog**</mark> <mark style="background-color:blue;"></mark><mark style="background-color:blue;">cmdlet.</mark>

#### <mark style="color:blue;">Example 1: Get all logs from a computer</mark>

Below describes how to obtain all event logs locally. The list starts with the classic logs before listing the newer Windows event logs. **RecordCount** can be zero or null.

<figure><img src="/files/XE4V0HyhwGIYB1DIWYEg" alt=""><figcaption><p>-ListLog *</p></figcaption></figure>

#### <mark style="color:blue;">Example 2: Get event log providers and log names</mark>

This command lists the event log providers and their associated logs. **Name** is the provider, and **LogLinks** is the log it writes to.

<figure><img src="/files/fdJILMrTEgCNPmSHsXXX" alt=""><figcaption><p>-ListProvider *</p></figcaption></figure>

#### <mark style="color:blue;">Example 3: Log filtering</mark>

Log filtering allows for selecting events from an event log. Filter event logs using the Where-Object cmdlet as follows:

<figure><img src="/files/ZaLEztC4ar6TJ8MNkXib" alt=""><figcaption><p>-LogName Application | Where-Object</p></figcaption></figure>

It's inefficient to send objects down the pipeline to a `Where-Object` command when working with large event logs. The use of the Get-WinEvent cmdlet's **FilterHashtable** parameter is recommended to filter event logs. Achieve the same results as above by running the following command:

```powershell
Get-WinEvent -FilterHashtable @{
  LogName='Application' 
  ProviderName='WLMS' 
}
```

The syntax of a hash table is as follows:

```powershell
@{ <name> = <value>; [<name> = <value> ] ...}
```

<mark style="color:green;">Guidelines for defining a hash table are:</mark>

* <mark style="background-color:green;">Begin the hash table with an @ sign.</mark>
* <mark style="background-color:green;">Enclose the hash table in braces {}</mark>
* <mark style="background-color:green;">Enter one or more key-value pairs for the content of the hash table.</mark>
* <mark style="background-color:green;">Use an equal sign (=) to separate each key from its value.</mark>

A semicolon is not needed when each key/value pair is on its own line, as in the -FilterHashtable example above with `ProviderName='WLMS'`.

The accepted key/value pairs for the Get-WinEvent FilterHashtable parameter:

<table><thead><tr><th width="173">Key name</th><th width="212.33333333333331">Value data type</th><th>Accepts wildcard characters?</th></tr></thead><tbody><tr><td>LogName</td><td><code>&#x3C;String[]></code></td><td>Yes</td></tr><tr><td>ProviderName</td><td><code>&#x3C;String[]></code></td><td>Yes</td></tr><tr><td>Path</td><td><code>&#x3C;String[]></code></td><td>No</td></tr><tr><td>Keywords</td><td><code>&#x3C;Long[]></code></td><td>No</td></tr><tr><td>ID</td><td><code>&#x3C;Int32[]></code></td><td>No</td></tr><tr><td>Level</td><td><code>&#x3C;Int32[]></code></td><td>No</td></tr><tr><td>StartTime</td><td><code>&#x3C;DateTime></code></td><td>No</td></tr><tr><td>EndTime</td><td><code>&#x3C;DateTime></code></td><td>No</td></tr><tr><td>UserID</td><td><code>&#x3C;SID></code></td><td>No</td></tr><tr><td>Data</td><td><code>&#x3C;String[]></code></td><td>No</td></tr><tr><td><code>&#x3C;named-data></code></td><td><code>&#x3C;String[]></code></td><td>No</td></tr></tbody></table>

Microsoft recommends making the hash table one key-value pair at a time when building a query. Event viewer can provide information on what is needed to build the hash table.

<figure><img src="/files/BhVLjPmAQwIKFFgHDG4z" alt=""><figcaption><p>Event Viewer</p></figcaption></figure>

Using the information above, create a hash table:

```powershell
Get-WinEvent -FilterHashtable @{
    LogName='Application'
    ProviderName='LoadPerf'
    ID=1000
}
```

An example of a Get-WinEvent and FilterHashtable command:

{% code overflow="wrap" %}

```powershell
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'
```

{% endcode %}

More about creating hash tables can be found [here](https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_hash_tables?view=powershell-7.3\&viewFallbackFrom=powershell-7.1).
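As an added example that is not part of the original page, the function below builds the hash table one key at a time, which is the incremental approach recommended above, adding a key only when the caller supplied it, and treats the "No events were found" error that Get-WinEvent raises on an empty result as an empty result rather than a failure. It assumes an elevated prompt, since the Security log is not readable otherwise; the function name `Search-EventLog` is the editor's.

```powershell
# Added example (editor's, not code from the original page).
# Assumption: elevated prompt. Search-EventLog is a hypothetical helper name.

function Search-EventLog {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string] $LogName,
        [string]   $ProviderName,
        [int[]]    $ID,
        [int[]]    $Level,
        [datetime] $StartTime,
        [datetime] $EndTime,
        [long]     $Keywords,
        [int]      $MaxEvents = 100
    )
    # LogName is the one required key. Every other key is added only when the caller
    # passed it, because Get-WinEvent rejects a key whose value is empty.
    $filter = @{ LogName = $LogName }
    foreach ($key in 'ProviderName', 'ID', 'Level', 'StartTime', 'EndTime', 'Keywords') {
        if ($PSBoundParameters.ContainsKey($key)) {
            $filter[$key] = $PSBoundParameters[$key]
        }
    }
    Write-Verbose ('Filter: ' + (($filter.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '))

    try {
        Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # "No events were found" is a terminating error in Get-WinEvent. Treat it as an
        # empty result; anything else (unknown log name, access denied) is still raised.
        if ($_.Exception.Message -like 'No events were found*') { return }
        throw
    }
}

# Successful (4624) and failed (4625) logons in the last 24 hours, counted per event ID.
$since = (Get-Date).AddHours(-24)
Search-EventLog -LogName Security -ID 4624, 4625 -StartTime $since -MaxEvents 5000 -Verbose |
    Group-Object Id | Select-Object Name, Count

# Everything the Security log recorded as an audit failure in that window, whatever the ID.
# Keywords are bit flags; StandardEventKeywords supplies the value for the Failure Audit type.
$auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure
Search-EventLog -LogName Security -Keywords $auditFailure -StartTime $since -MaxEvents 500 |
    Select-Object TimeCreated, Id, TaskDisplayName
```

`-Verbose` prints the hash table that was actually sent, which is the quickest way to see why a query returns nothing: a typo in a key name or a value of the wrong type silently matches no events.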

<mark style="color:purple;">**Answer the following questions using the**</mark> [<mark style="color:purple;">**online**</mark>](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/Get-WinEvent?view=powershell-7.1) <mark style="color:purple;">**help documentation for Get-WinEvent**</mark>

***Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?***

<figure><img src="/files/QpqY65TG87H9lWRpnO6t" alt=""><figcaption><p>OpenSSH/Admin,OpenSSH/Operational</p></figcaption></figure>

***Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider?***

<figure><img src="/files/0smIM2VAjVCAQtdBqg9K" alt=""><figcaption><p>Microsoft-Windows-Powershell-DesiredStateConfiguration-FileDownloadManager</p></figcaption></figure>

***Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?***

<figure><img src="/files/kGFTFYiK7InWmXJdG0D2" alt=""><figcaption><p>192 - Omit the first Line</p></figcaption></figure>

<figure><img src="/files/uORPZ082oDllTgUyG4HY" alt=""><figcaption><p>192</p></figcaption></figure>

***How do you specify the number of events to display?***

MaxEvents

***When using the FilterHashtable parameter and filtering by level, what is the value for Informational?***

<figure><img src="/files/MGfSgKEJo7IFgYyD3gVy" alt=""><figcaption><p><a href="https://learn.microsoft.com/en-us/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable?view=powershell-7.3">https://learn.microsoft.com/en-us/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable?view=powershell-7.3</a></p></figcaption></figure>

## <mark style="color:red;">XPath Queries</mark>

XPath (XML Path Language) provides standard syntax and semantics for addressing parts of an XML document and manipulating strings, numbers, and booleans. The Windows Event Log supports a subset of [XPath 1.0](https://www.w3.org/TR/1999/REC-xpath-19991116/).&#x20;

Below is an example XPath query. It selects all events from the channel or log file where the severity level is less than or equal to 3 and the event occurred in the last 24 hours (`timediff()` returns milliseconds, so 86400000 is one day):

{% code overflow="wrap" %}

```xpath
*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]
```

{% endcode %}

XPath event query starts with '**\***' or '**Event**'.&#x20;

Both **wevtutil** and **Get-WinEvent** support XPath queries as event filters.

<figure><img src="/files/SGhpNChS48bk43lHCW3T" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/win-event-logs/xpath-2.png">https://assets.tryhackme.com/additional/win-event-logs/xpath-2.png</a></p></figcaption></figure>

Click on the `Details` tab and select the `XML View` radio button to understand how to use the XML View to construct a valid XPath query.

<figure><img src="/files/UzaIN7HgXMYNDVECuK44" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/win-event-logs/xpath-3a.png">https://assets.tryhackme.com/additional/win-event-logs/xpath-3a.png</a></p></figcaption></figure>

The first tag is the starting point. This can either be an `*` or the word `Event`.

The command so far looks like this: `Get-WinEvent -LogName Application -FilterXPath '*'`

<figure><img src="/files/ZKkRv9gjL7nVlK1QkusV" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/win-event-logs/xpath-3b.png">https://assets.tryhackme.com/additional/win-event-logs/xpath-3b.png</a></p></figcaption></figure>

The next tag is `System`.

Add that to the command, which at this point is still only a partial query: `Get-WinEvent -LogName Application -FilterXPath '*/System'`

Note: It is best practice to name `System` explicitly, but an `*` can be used in its place just as with `Event`; the query `-FilterXPath '*/*'` is still valid.&#x20;

The Event ID is 100. Plug that into the command.&#x20;

<figure><img src="/files/IRVyME9A0MXlNZDIDwuo" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/win-event-logs/xpath-3c.png">https://assets.tryhackme.com/additional/win-event-logs/xpath-3c.png</a></p></figcaption></figure>

The command now is: `Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100'`

<figure><img src="/files/mVIZjbz5BxtMdvum3UH4" alt=""><figcaption></figcaption></figure>

When using wevtutil.exe and XPath to query for the same event log and ID, this is the result:

<figure><img src="/files/PYVTWvGt2ywksYUYiIxD" alt=""><figcaption></figcaption></figure>

Two additional options were used in the above command: `/c:1` to retrieve a single event, and `/f:text` so the output does not contain XML tags.

To query a different element, such as the provider name, the syntax is different. To filter on the provider, use the `Name` attribute of `Provider`.

The XPath query is:&#x20;

<figure><img src="/files/PZjdgqNgOC3Mx82vYS8l" alt=""><figcaption></figcaption></figure>

In the syntax above, the provider name is WLMS, and there are two event IDs. The query below returns only events with Event ID 101:

<figure><img src="/files/LbxIfNJXag2W46zD67R5" alt=""><figcaption></figcaption></figure>

XPath queries can also be built for elements within `EventData`. Note that the EventData element does not always contain information.

Below is the XML View of the event for which we will build our XPath query.

<figure><img src="/files/Th5ysSh6aRmkYkQMOyPQ" alt=""><figcaption><p><a href="https://assets.tryhackme.com/additional/win-event-logs/xpath-7b.png">https://assets.tryhackme.com/additional/win-event-logs/xpath-7b.png</a></p></figcaption></figure>

Build the query for `TargetUserName`, which in this case is System. The XPath query is:

<figure><img src="/files/VwENHp2FT3fDpfrQWOQD" alt=""><figcaption></figcaption></figure>

The `-MaxEvents` parameter was used, and it was set to 1 to return one event.&#x20;

More info can be found at the official[ Microsoft XPath Reference](https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ms256115\(v=vs.100\)).&#x20;
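As an added example that is not part of the original page, the queries below combine the pieces built up in this section (a `Provider` attribute, an `EventID`, a `TimeCreated` time window, and named `Data` under `EventData`) and run them through both Get-WinEvent and wevtutil. The saved log `C:\Cases\merged.evtx` and the account name `Sam` are placeholders; `Get-EventData` is a small helper written for this example.

```powershell
# Added example (editor's, not code from the original page).
# Assumptions: C:\Cases\merged.evtx and the user 'Sam' are placeholders.

# Helper: turn an event's named <Data> elements into a hashtable keyed by the Name attribute,
# so EventData fields are read by name rather than by their position in Properties[].
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

# 1. Provider name (an attribute of <Provider>) combined with an event ID, both under <System>.
$byProvider = "*[System[Provider[@Name='WLMS'] and EventID=101]]"
Get-WinEvent -LogName Application -FilterXPath $byProvider -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName

# 2. Severity and time: Level 1-3 is Critical/Error/Warning; timediff() is in milliseconds.
$recentErrors = "*[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]"
Get-WinEvent -LogName System -FilterXPath $recentErrors -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName

# 3. Named event data: account creation (4720) where TargetUserName is the new account.
$userCreated = "*[System[EventID=4720] and EventData[Data[@Name='TargetUserName']='Sam']]"
Get-WinEvent -LogName Security -FilterXPath $userCreated -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        "$($_.TimeCreated)  created by $($d.SubjectUserName)  new SID=$($d.TargetSid)"
    }

# 4. Group-membership enumeration (4799) of the local Administrators group, matched on the
#    group's well-known SID S-1-5-32-544, read from a saved .evtx with -Path instead of -LogName.
$adminEnum = "*[System[EventID=4799] and EventData[Data[@Name='TargetSid']='S-1-5-32-544']]"
Get-WinEvent -Path 'C:\Cases\merged.evtx' -FilterXPath $adminEnum -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.SubjectUserName; Process = $d.CallerProcessName }
    }

# 5. The same 4720 filter through wevtutil: /q takes the XPath, /c limits the count, /f:text drops the XML tags.
wevtutil qe Security /q:"$userCreated" /c:1 /f:text
```

The `-ErrorAction SilentlyContinue` on each call suppresses the terminating "No events were found" error, which is the normal outcome for most of these queries on a quiet machine. Query 4 also surfaces `CallerProcessName`, which is the field to look at when the question is which binary (for example `net1.exe`) did the enumerating.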

***Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?***

`Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'`

***Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?***

<figure><img src="/files/0XPdZe3n1by7FSA21W04" alt=""><figcaption><p><code>Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'</code></p></figcaption></figure>

***Based on the previous query, how many results are returned?***

2

***Based on the output from the question #2, what is Message?***

A user account was created

***Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS \[AM/PM])***

<figure><img src="/files/RNA4V7KrEFINe6Eh7xhv" alt=""><figcaption><p>12/17/2020 1:57:14</p></figcaption></figure>

***What is the Provider Name?***

Microsoft-Windows-Security-Auditing

## <mark style="color:red;">Event IDs</mark>

[The Windows Logging Cheat Sheet (Windows 7 - Windows 2012)](https://static1.squarespace.com/static/552092d5e4b0661088167e5c/t/580595db9f745688bc7477f6/1476761074992/Windows+Logging+Cheat+Sheet_ver_Oct_2016.pdf)

[Spotting the Adversary with Windows Event Log Monitoring](https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm)

[MITRE ATT\&CK](https://attack.mitre.org/)

[Events to Monitor](https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor) (Best Practices for Securing Active Directory)

[The Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference](https://www.microsoft.com/en-us/download/confirmation.aspx?id=52630)&#x20;

Some events are not generated by default; certain features must be enabled or configured on the endpoint, such as PowerShell logging. This can be done via **Group Policy** or the **Registry**.

<mark style="background-color:yellow;">Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell</mark>

<figure><img src="/files/x0QUnlVW2ax2bUKSso71" alt=""><figcaption><p>Local Group Policy Editor</p></figcaption></figure>

Some resources to provide more information about enabling this feature, along with its associated event IDs:

* [About Logging Windows](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_logging_windows?view=powershell-7.1)
* [Greater Visibility Through PowerShell Logging](https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html)
* [Configure PowerShell logging to see PowerShell anomalies in Splunk UBA](https://docs.splunk.com/Documentation/UBA/5.0.4/GetDataIn/AddPowerShell)

Another feature to enable/configure is Audit Process Creation, which generates **event ID 4688**. On its own, 4688 records which process started; the policy below, *Include command line in process creation events*, adds the full command line to those events and is what makes **command-line process auditing** possible.

<mark style="background-color:yellow;">Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation</mark>

<figure><img src="/files/Vr5WadyNJbLhQCSmEapM" alt=""><figcaption></figcaption></figure>

## <mark style="color:red;">Putting Theory Into Practice</mark>

The next scenarios/questions are based on the external event log file titled `merged.evtx` found on the Desktop.

<mark style="color:purple;">Scenario 1 (Questions 1 & 2)</mark>: The server admins have made numerous complaints to Management regarding PowerShell being blocked in the environment. Management finally approved the usage of PowerShell within the environment. Visibility is now needed to ensure there are no gaps in coverage. You researched this topic: what logs to look at, what event IDs to monitor, etc. You enabled PowerShell logging on a test machine and had a colleague execute various commands.&#x20;

***What event ID is used to detect a PowerShell downgrade attack?***

<figure><img src="/files/kdHqAFecmCJz9RW1J6P2" alt=""><figcaption></figcaption></figure>

***What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS \[AM/PM])***

<figure><img src="/files/zbHqKggj5zCKIgK5krUx" alt=""><figcaption><p>filter for event 400</p></figcaption></figure>

<figure><img src="/files/zpqcLzccBRMmZPBWyQ4B" alt=""><figcaption><p>12/18/2020 7:50:33 AM</p></figcaption></figure>
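As an added example that is not part of the original page, the function below turns the manual filter used for the two answers above into a check that can be repeated: it reads every engine start (event 400 from the `PowerShell` provider in the Windows PowerShell log), parses the `key=value` lines in the event's Details block, and flags starts of the v2 engine, which is what `powershell.exe -Version 2` produces on a host that ships v5 and bypasses script block logging. `C:\Cases\merged.evtx` is a placeholder path; omit `-Path` to read the live log.

```powershell
# Added example (editor's, not code from the original page).
# Assumption: C:\Cases\merged.evtx is a placeholder; Find-PowerShellDowngrade is a hypothetical helper name.

function Find-PowerShellDowngrade {
    param([string]$Path)
    # Event 400 is written by the 'PowerShell' provider into the 'Windows PowerShell' log.
    # A merged .evtx can contain other providers' 400s, so the provider is always part of the filter.
    $filter = @{ ProviderName = 'PowerShell'; ID = 400 }
    if ($Path) { $filter['Path'] = $Path } else { $filter['LogName'] = 'Windows PowerShell' }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The Details block of a 400 event is a list of key=value lines (HostName, HostVersion,
        # HostApplication, EngineVersion, ...). Fall back to the raw event data if the message
        # could not be rendered, which happens when the provider is missing on the analysis box.
        $text = if ($_.Message) { $_.Message } else { ($_.Properties | ForEach-Object Value) -join "`n" }
        $kv = @{}
        foreach ($line in ($text -split "`r?`n")) {
            if ($line -match '^\s*(\w+)=(.*)$') { $kv[$Matches[1]] = $Matches[2].Trim() }
        }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            Computer        = $_.MachineName
            HostVersion     = $kv['HostVersion']
            EngineVersion   = $kv['EngineVersion']
            HostApplication = $kv['HostApplication']
            # Either indicator is enough: the v2 engine came up, or the host was explicitly
            # asked for version 2 on its command line.
            Downgrade       = ($kv['EngineVersion'] -like '2.*') -or
                              ($kv['HostApplication'] -match '(?i)-v(ersion)?\s+2\b')
        }
    }
}

Find-PowerShellDowngrade -Path 'C:\Cases\merged.evtx' |
    Where-Object Downgrade |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, Computer, EngineVersion, HostVersion, HostApplication -AutoSize
```

On a host where the v2 engine is still installed the real fix is to remove the Windows PowerShell 2.0 optional feature; until then, this check is the detection.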

<mark style="color:blue;">Scenario 2 (Questions 3 & 4)</mark>: The Security Team is using Event Logs more. They want to ensure they can monitor if event logs are cleared. You assigned a colleague to execute this action.

***A Log clear event was recorded. What is the 'Event Record ID'?***

<figure><img src="/files/EhjhihbGwfIMdQKl201a" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/iBtGSf19J3jCSpRKaYyK" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/djSbkhVTNqprTEXnrtuc" alt=""><figcaption><p>22736</p></figcaption></figure>

***What is the name of the computer?***

<figure><img src="/files/UcgxJQkLdW5oHkldKEfA" alt=""><figcaption><p>PC01.example.corp</p></figcaption></figure>
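As an added example that is not part of the original page, the function below finds log-clear events and reports the fields the two answers above were read from. Clearing the Security log writes event ID 1102 to the Security log itself; clearing any other log writes event ID 104 to the System log. Both come from the `Microsoft-Windows-Eventlog` provider and carry the clearing account under `UserData/LogFileCleared`, which is why the function reads that element rather than `EventData`. `C:\Cases\merged.evtx` is a placeholder path; omit `-Path` to check the live Security and System logs.

```powershell
# Added example (editor's, not code from the original page).
# Assumption: C:\Cases\merged.evtx is a placeholder; Find-LogClear is a hypothetical helper name.

function Find-LogClear {
    param([string]$Path)
    # A saved file is queried once for both IDs; live logs need one filter per channel.
    $filters = if ($Path) {
        ,@{ Path = $Path; ProviderName = 'Microsoft-Windows-Eventlog'; ID = 1102, 104 }
    } else {
        @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; ID = 1102 },
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; ID = 104 }
    }

    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            # 1102 and 104 put their details in <UserData><LogFileCleared>, not <EventData>:
            # SubjectUserName/SubjectDomainName identify who cleared it; 104 also names the Channel.
            $cleared = ([xml]$_.ToXml()).Event.UserData.LogFileCleared
            [pscustomobject]@{
                RecordId    = $_.RecordId            # 'Event Record ID' in the XML view
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                Id          = $_.Id
                Channel     = if ($_.Id -eq 1102) { 'Security' } else { $cleared.Channel }
                ClearedBy   = "$($cleared.SubjectDomainName)\$($cleared.SubjectUserName)"
            }
        }
    }
}

Find-LogClear -Path 'C:\Cases\merged.evtx' | Sort-Object TimeCreated | Format-Table -AutoSize
```

The 1102 event is written immediately after the clear, so it survives the clear it records; an attacker who wants to hide it has to clear the log a second time, which writes another 1102. Forward these events to the SIEM as they occur so a local clear cannot remove the only copy.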

<mark style="color:orange;">Scenario 3 (Questions 5, 6 & 7)</mark>: The threat intel team shared its research on Emotet. They advised searching for event ID 4104 and the text "ScriptBlockText" within the EventData element. Find the encoded PowerShell payload.&#x20;

***What is the name of the first variable within the PowerShell command?***

<figure><img src="/files/q9n5AjJTsV4MgGw6njZu" alt=""><figcaption><p>$Va5w3n8</p></figcaption></figure>

***What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS \[AM/PM])***

<figure><img src="/files/Y9xvqhqUMPymmLYxxeLJ" alt=""><figcaption><p>8/25/2020 10:09:28 PM</p></figcaption></figure>

***What is the Execution Process ID?***

<figure><img src="/files/4WzTPl2boIM5Za1i1JtU" alt=""><figcaption><p>6620</p></figcaption></figure>
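As an added example that is not part of the original page, the two functions below do what the threat-intel advice above describes: pull `ScriptBlockText` out of 4104 events by reading the named `Data` elements of `EventData`, then flag script blocks that carry encoding or obfuscation indicators (an encoded command, `FromBase64String`, `Invoke-Expression`, a download primitive, or a long Base64 blob) and decode the blob where one is present. The first `$variable` and the process ID are reported because those are the fields the questions above ask for. `C:\Cases\merged.evtx` is a placeholder path; pass `@{ LogName = 'Microsoft-Windows-PowerShell/Operational' }` instead to run against the live log.

```powershell
# Added example (editor's, not code from the original page).
# Assumptions: C:\Cases\merged.evtx is a placeholder; both function names are the editor's.

function Get-ScriptBlockEvent {
    param([Parameter(Mandatory)][hashtable]$Filter)
    $f = $Filter.Clone(); $f['ID'] = 4104
    Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
        # EventData is a list of named <Data> elements; read them by name from the XML
        # instead of by Properties[] position, which differs between event versions.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            ProcessId       = $_.ProcessId          # 'Execution Process ID' in Event Viewer
            ScriptBlockId   = $data['ScriptBlockId']
            ScriptBlockText = $data['ScriptBlockText']
        }
    }
}

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory, ValueFromPipeline)]$Event)
    process {
        $text = $Event.ScriptBlockText
        if (-not $text) { return }
        $b64 = '[A-Za-z0-9+/]{60,}={0,2}'
        $indicators = @()
        if ($text -match "(?i)-e(nc(odedcommand)?)?\s+$b64")                             { $indicators += 'EncodedCommand' }
        if ($text -match '(?i)FromBase64String')                                           { $indicators += 'FromBase64String' }
        if ($text -match '(?i)\b(iex|Invoke-Expression)\b')                                { $indicators += 'Invoke-Expression' }
        if ($text -match '(?i)Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest') { $indicators += 'Download' }
        if ($text -match $b64)                                                             { $indicators += 'Base64Blob' }
        if (-not $indicators) { return }

        # -EncodedCommand payloads are UTF-16LE. An unrelated blob may not decode, so guard it.
        $decoded = $null
        if ($indicators -contains 'Base64Blob') {
            $blob = [regex]::Match($text, $b64).Value
            try { $decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($blob)) } catch { }
        }
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            TimeCreated   = $Event.TimeCreated
            ProcessId     = $Event.ProcessId
            Indicators    = $indicators -join ','
            FirstVariable = [regex]::Match($text, '\$\w+').Value       # first $variable in the block
            Preview       = $flat.Substring(0, [Math]::Min(100, $flat.Length))
            Decoded       = $(if ($decoded) { $decoded.Substring(0, [Math]::Min(100, $decoded.Length)) })
        }
    }
}

Get-ScriptBlockEvent -Filter @{ Path = 'C:\Cases\merged.evtx' } |
    Test-SuspiciousScriptBlock |
    Sort-Object TimeCreated |
    Format-List
```

Script block logging records the block after the engine has decoded an `-EncodedCommand`, so for a loader that was launched that way the 4104 text is usually already readable and the Base64 indicators fire on the next stage the script itself carries; the `Download` and `Invoke-Expression` indicators are what catch the common "fetch and run" loader shape regardless of encoding.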

<mark style="color:red;">Scenario 4 (Questions 8 & 9)</mark>: A report came in that an intern was suspected of running unusual commands on her machine, such as enumerating members of the Administrators group. A senior analyst suggested searching for "`C:\Windows\System32\net1.exe`". Confirm the suspicion. &#x20;

***What is the Group Security ID of the group she enumerated?***

<figure><img src="/files/idfFlxzKxi6job1KimdB" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yKDYMeDaUatuLex5cfxa" alt=""><figcaption><p>S-1-5-32-544</p></figcaption></figure>

***What is the event ID?***

<figure><img src="/files/7V5bkO11baSJBK4clpcR" alt=""><figcaption><p>4799</p></figcaption></figure>

