Windows Event Logs

Introduction to Windows Event Logs and the tools to query them.

Event Logs are recorded events occurring in the execution of a system. This provided audit trail can be utilized to understand activity and diagnosis of a system. This includes complex systems with little user interaction. A defender can use event logs to combine entries from multiple sources with statistical analysis to view possible correlations. SIEM's can be used to accomplish this in a large enterprise environment where one can view the logs from all the endpoints, appliances, etc. to query the logs from multiple devices instead of manually connecting to a single device to view its logs.

Event Viewer

The Windows Event Logs are not text files that can be viewed using a text editor. The raw data can be translated into XML using the Windows API. The events in these log files are stored in a proprietary binary format with a .evt or .evtx extension. The log files with the .evtx file extension typically reside in C:\Windows\System32\winevt\Logs.

Elements of a Windows Event Log

Event logs are used to troubleshoot incidents and understanding the situation and to remediate.

Elements in event logs in Windows systems are:

• System Logs: Records events associated with the Operating System segments. They may include information about hardware changes, device drivers, system changes, and other activities related to the device.

• Security Logs: Records events connected to logon and logoff activities on a device. The system's audit policy specifies the events. The logs are an excellent source for analysts to investigate attempted or successful unauthorized activity.

• Application Logs: Records events related to applications installed on a system. The main pieces of information include application errors, events, and warnings.

• Directory Service Events: Active Directory changes and activities are recorded in these logs, mainly on domain controllers.

• File Replication Service Events: Records events associated with Windows Servers during the sharing of Group Policies and logon scripts to domain controllers, from where they may be accessed by the users through the client servers.

• DNS Event Logs: DNS servers use these logs to record domain events and to map out.

• Custom Logs: Events are logged by applications that require custom data storage. This allows applications to control the log size or attach other parameters, such as ACLs, for security purposes.

Event logs can be classified into types to describe the activity resulting a logged event.

Event type	Description
Error	Indicates a significant problem such as loss of data or functionality.
Warning	May indicate a possible future problem.
Information	Describes successful operation of an application, driver, or service.
Success Audit	Recorded audited security access attempt that is successful.
Failure Audit	Recorded audited security access attempt that fails.

Recorded audited security access attempt that is successful.

Three main ways of accessing these event logs within a Windows system:

1. Event Viewer (GUI-based application)

2. Wevtutil.exe (command-line tool)

3. Get-WinEvent (PowerShell cmdlet)

Event Viewer

In any Windows system, the Event Viewer, a Microsoft Management Console (MMC) snap-in, can be launched by simply right-clicking the Windows icon in the taskbar and selecting Event Viewer. For the savvy sysadmins that use the CLI much of their day, Event Viewer can be launched by typing eventvwr.msc. It is a GUI-based application that allows you to interact quickly with and analyze logs.

Event Viewer has three panes.

1. The pane on the left provides a hierarchical tree listing of the event log providers.

2. The pane in the middle will display a general overview and summary of the events specific to a selected provider.

3. The pane on the right is the actions pane.

Event Viewer

The following section is the Applications and Services Logs. Expand this section and drill down on Microsoft > Windows > PowerShell > Operational. PowerShell will log operations from the engine, providers, and cmdlets to the Windows event log. Right-click on Operational then Properties.

Within Properties, we see the log location, log size, and when it was created, modified, and last accessed. Within the Properties window, we can also see the maximum set log size and what action to take once the criteria are met. This concept is known as log rotation. These are discussions held with corporations of various sizes. How long does it take to keep logs, and when it's permissible to overwrite them with new data.

Properties

Lastly, noticing the Clear Log button at the bottom right. Know there are legitimate reasons to use this button, such as during security maintenance, but adversaries will likely attempt to clear the logs to go undetected. Note: This is not the only method to remove the event logs for any given event provider.

Focusing on the middle pane, we can display the events specific to a selected provider. In this case, PowerShell/Operational.

Middle Pane

The event provider's name and the number of events logged and displayed here.

Each column of the pane presents a particular type of information as described below:

• Level: Highlights the log recorded type based on the identified event types specified earlier. In this case, the log is labeled as Information.

• Date and Time: Highlights the time at which the event was logged.

• Source: The name of the software that logs the event is identified. From the above image, the source is PowerShell.

• Event ID: This is a predefined numerical value that maps to a specific operation or event based on the log source. This makes Event IDs not unique, so Event ID 4103 in the above image is related to Executing Pipeline but will have an entirely different meaning in another event log.

• Task Category: Highlights the Event Category. This entry will help you organize events so the Event Viewer can filter them. The event source defines this column.

Even 4103

The middle pane has a split view. More information is displayed in the bottom half of the middle pane for any event you click on. This section has two tabs: General and Details.

• General is the default view, and the rendered data is displayed.

• The Details view has two options: Friendly view and XML view.

General View

Lastly, we can open a saved log within the Actions pane. This is useful if the remote machine can't be accessed. The logs can be provided to the analyst.

The Create Custom View and Filter Current Log are nearly identical. The only difference between the 2 is that the By log and By source radio buttons are greyed out in Filter Current Log. What is the reason for that? The filter we can make with this specific action only relates to the current log. Hence no reason for by log or by source to be enabled.

Create Custom View

Filter Current Log

Why are these actions beneficial? If we don't want all the events associated with PowerShell/Operational cluttering all the real estate in the pane and are only interested in 4104 events. That is possible with these two actions.

To view event logs from another computer, right-click Event Viewer (Local) > Connect to Another Computer...

Connect to Another Computer

What is the Event ID for the first recorded event?

40961

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

whoami

What is the Task Category for Event ID 4104?

Execute a Remote Command

Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?

Pipeline Execution Details

wevtutil.exe

Wevtutil.exe is a tool that can be utilized for allowing querying of event logs via command line and Powershell. An addition to the tool is the ability to install/uninstall event manifests, run queries, and to export/archive/clear logs.

Usage

Under Usage is a brief example of how to use the tool. ep (enum-publishers) is used as a command for wevtutil.exe.

Next are Common options that can be used with WIndows Events Utility.

Common Options

The bottom of the command prompt shows wevtutil COMMAND /?. This provides additional information specific to a command. Ex, to get more information on the command qe (query-events):

How many log names are in the machine?

1071

What event files would be read when using the query-events command?

event log, log file, structured query

What option would you use to provide a path to a log file?

/lf:true

What is the VALUE for /q?

xpath query

The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text

What is the log name?

Application

What is the /rd option for?

Event read direction

What is the /c option for?

Maximum number of events to read

Get-WinEvent

The Powershell cmdlet Get-WinEvent gets events from event logs and event tracing log files as well as remote computers. This cmdlet provides information on event logs and providers and allows for combining numerous events from multiple sources. This is put into a single command and filter using XPath, structured XML, and hash table queries.

The Get-WinEvent cmdlet replaces the Get-EventLog cmdlet.

Example 1: Get all logs from a computer

Below describes how to obtainall event logs locally. The list starts with class logs before listing new Window Event logs. The RecordCount be zero or null.

-ListLog *

Example 2: Get event log providers and log names

Theis command results in the event log providers and their associated logs. The Name is the provider, and LogLinks is the log that is written to.

-ListProvider *

Example 3: Log filtering

Log filtering allows for selecting events from an event log. Filter event logs using the Where-Object cmdlet as follows:

-LogName Application | Where-Object

It's inefficient to send objects down the pipeline to a Where-Object command when working with large event logs. The use of the Get-WinEvent cmdlet's FilterHashtable parameter is recommended to filter event logs. Achieve the same results as above by running the following command:

Get-WinEvent -FilterHashtable @{
  LogName='Application' 
  ProviderName='WLMS' 
}

The syntax of a hash table is as follows:

@{ <name> = <value>; [<name> = <value> ] ...}

Guidelines for defining a hash table are:

• Begin the hash table with an @ sign.

• Enclose the hash table in braces {}

• Enter one or more key-value pairs for the content of the hash table.

• Use an equal sign (=) to separate each key from its value.

A semicolon is not needed if each key/value is seperated with a new line, as shown above for the -FilterHashtable for ProviderName='WLMS'.

The accepted key/value pairs for the Get-WinEvent FilterHashtable parameter:

Key name	Value data type	Accepts wildcard characters?
LogName	<String[]>	Yes
ProviderName	<String[]>	Yes
Path	<String[]>	No
Keywords	<Long[]>	No
ID	<Int32>	No
Level	<Int32>	No
StartTime	<DateTime>	No
EndTime	<DateTime>	No
UserID	<SID>	No
Data	<String[]>	No
<named-data>	<String[]>	No

Microsoft recommends making the hash table one key-value pair at a time when building a query. Event viewer can provide information on what is needed to build the hash table.

Event Viewer

Using the information above, create a hash table:

Get-WinEvent -FilterHashtable @{
    LogName='Application'
    ProviderName='LoadPerf'
    ID=1000
}

An example of a Git-WinEvent and FilterHashtable command/syntax:

Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'

More about creating hash tables can be found here.

Answer the following questions using the online help documentation for Get-WinEvent

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

OpenSSH/Admin,OpenSSH/Operational

Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider?

Microsoft-Windows-Powershell-DesiredStateConfiguration-FileDownloadManager

Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

192 - Omit the first Line

192

How do you specify the number of events to display?

MaxEvents

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

https://learn.microsoft.com/en-us/powershell/scripting/samples/creating-get-winevent-queries-with-filterhashtable?view=powershell-7.3

XPath Queries

XPath (XML Path Language) provides standard syntax and semantics for addressing parts of an XML document and manipulating strings, numbers, and booleans. The Windows Event Log supports a subset of XPath 1.0.

Below is an example XPath query along with its explanation:

XPath Query

// The following query selects all events from the channel or log file where the severity level is less than or equal to 3 and the event occurred in the last 24 hour period. 
XPath Query: *[System[(Level <= 3) and TimeCreated[timediff(@SystemTime) <= 86400000]]]

XPath event query starts with '*' or 'Event'.

Both wevtutil and Get-WinEvent support XPath queries as event filters.

https://assets.tryhackme.com/additional/win-event-logs/xpath-2.png

Click on the Details tab and select the XML View radio button to understand how to use the XML View to construct a valid XPath query.

https://assets.tryhackme.com/additional/win-event-logs/xpath-3a.png

The first tag is the starting point. This can either be an * or the word Event.

The command so far looks like this: Get-WinEvent -LogName Application -FilterXPath '*'

https://assets.tryhackme.com/additional/win-event-logs/xpath-3b.png

The next tag is System.

Add that to the command: Get-WinEvent -LogName Application -FilterXPath '*/System/'

Note: Its best practice to explicitly use the keyword System but can use an * instead as with the Event keyword. The query -FilterXPath '*/*' is still valid.

The Event ID is 100. Plug that into the command.

https://assets.tryhackme.com/additional/win-event-logs/xpath-3c.png

The command now is: Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100'

When using wevtutil.exe and XPath to query for the same event log and ID, this is the result:

Two additional parameters were used in the above command to retrieve one event and for it not to contain any XML tags.

to query a different element, such as Provider Name, the syntax will be different. To filter on the provider, use the Name attribute of Provider

The XPath query is:

In the syntax above, the Provider Name is WLMS, and there are two Event IDs. Below will only query for events with Event ID 101:

Create XPath queries for elements within EventData.

The EventData element doesn't always contain information.

Below is the XML View of the event for which we will build our XPath query.

https://assets.tryhackme.com/additional/win-event-logs/xpath-7b.png

Build the query for TargetUserName. In this case, that will be System. The XPath query would be:

The -MaxEvents parameter was used, and it was set to 1 to return one event.

More info can be found at the official Microsoft XPath Reference.

Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Get-Event -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?

Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'

Based on the previous query, how many results are returned?

2

Based on the output from the question #2, what is Message?

A user account was created

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

12/17/2020 1:57:14

What is the Provider Name?

Microsoft-Windows-Security-Auditing

Event IDs

The Windows Logging Cheat Sheet (Windows 7 - Windows 2012)

Spotting the Adversary with Windows Event Log Monitoring

MITRE ATT&CK

Events to Monitor (Best Practices for Securing Active Directory)

The Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference

Some events will not be generated by default, and certain features will need to be enabled/configured on the endpoint, such as PowerShell logging. This feature can be enabled via Group Policy or the Registry.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Local Group Policy Editor

Some resources to provide more information about enabling this feature, along with its associated event IDs:

• About Logging Windows

• Greater Visibility Through PowerShell Logging

• Configure PowerShell logging to see PowerShell anomalies in Splunk UBA

Another feature to enable/configure is Audit Process Creation, which will generate event ID 4688. This will allow command-line process auditing.

Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation

Putting Theory Into Practice

The next scenarios/questions are based on the external event log file titled merged.evtx found on the Desktop.

Scenario 1 (Questions 1 & 2): The server admins have made numerous complaints to Management regarding PowerShell being blocked in the environment. Management finally approved the usage of PowerShell within the environment. Visibility is now needed to ensure there are no gaps in coverage. You researched this topic: what logs to look at, what event IDs to monitor, etc. You enabled PowerShell logging on a test machine and had a colleague execute various commands.

What event ID is to detect a PowerShell downgrade attack?

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

filer for event 400

12/18/2020 7:50:33 AM

Scenario 2 (Questions 3 & 4): The Security Team is using Event Logs more. They want to ensure they can monitor if event logs are cleared. You assigned a colleague to execute this action.

A Log clear event was recorded. What is the 'Event Record ID'?

22736

What is the name of the computer?

PC01.example.corp

Scenario 3 (Questions 5, 6 & 7): The threat intel team shared its research on Emotet. They advised searching for event ID 4104 and the text "ScriptBlockText" within the EventData element. Find the encoded PowerShell payload.

What is the name of the first variable within the PowerShell command?

$Va5w3n8

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

8/25/2020 10:09:28 PM

What is the Execution Process ID?

6620

Scenario 4 (Questions 8 & 9): A report came in that an intern was suspected of running unusual commands on her machine, such as enumerating members of the Administrators group. A senior analyst suggested searching for "C:\Windows\System32\net1.exe". Confirm the suspicion.

What is the Group Security ID of the group she enumerated?

S-1-5-32-544

What is the event ID?

4799