There are two possible sources of Windows event logs: in-place logs on active systems and logs that have been exported. Exported logs are preferable because they can be preserved, parsed easily, and uploaded to engines that detect suspicious behaviour.


Log Export and Backup Procedures


  1. Export logs to .evtx format so that their integrity can be preserved. There are three ways to do this:

    1. Through Event Viewer, navigate to the main view

      1. Under "Summary of Administrative Events", right-click an entry and choose "View All Instances of this Event"

      2. This opens a custom view that displays all of the events with the same log level

      3. On the right-hand "Actions" panel select "Save All Events in Custom View As…"

      4. Give the file the desired name; when prompted, select the option to save the logs in English

      5. Repeat steps 1.1.1-1.1.4 until all events have been saved.

    2. The more efficient way to save logs is through PowerShell

      1. You must be able to execute PowerShell scripts, or at least to open a PowerShell prompt on the local machine

      2. Open a PowerShell prompt in the destination drive or directory that the logs should be written to.

      3. The following commands export the main Windows event log channels; they must be run as an administrator to work properly (the Security log in particular cannot be exported otherwise)

        wevtutil epl Application Application.evtx
        wevtutil epl Security Security.evtx
        wevtutil epl Setup Setup.evtx
        wevtutil epl System System.evtx
        wevtutil epl "Windows PowerShell" PowerShell.evtx

    3. The manual way

      1. If the system cannot be booted, or you are concerned about alerting attackers, the log files can be collected by copying them directly

      2. All application .evtx logs are stored in the C:\Windows\System32\winevt\Logs directory

      3. To copy logs from here you must be working at administrator level, or the machine must be powered off (and the disk read offline).
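The three methods above each export one channel at a time. The script below is an added example, not part of the original notes: it enumerates every enabled channel that holds records, exports each one with wevtutil (the same tool as in method 2), and writes a SHA-256 manifest so that the integrity of the collection can be verified later. It assumes it is saved as a .ps1 file and run from an elevated PowerShell prompt; the output directory name and the manifest file name are choices made here.

```powershell
# Added example: export every enabled event log channel that holds records, then record
# a SHA-256 hash of each .evtx so the files can be checked for alteration later.
# Assumptions: run elevated (Security cannot be exported otherwise), wevtutil.exe is on
# PATH (it ships with Windows), and $OutDir is writable. Save as Export-AllEvtx.ps1.
param(
    [string]$OutDir = (Join-Path (Get-Location) ("evtx_" + (Get-Date -Format 'yyyyMMdd_HHmmss')))
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Only channels that are enabled and contain at least one record are worth exporting.
# Channels the current token cannot read are skipped silently rather than aborting.
$channels = Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.IsEnabled -and $_.RecordCount -gt 0 }

foreach ($ch in $channels) {
    # Channel names such as "Microsoft-Windows-Sysmon/Operational" contain '/', which is
    # not valid in a file name; replace such characters so each channel maps to one file.
    $file = Join-Path $OutDir (($ch.LogName -replace '[\\/:*?"<>|]', '_') + '.evtx')
    & wevtutil.exe epl $ch.LogName $file
    if ($LASTEXITCODE -ne 0) { Write-Warning "export failed for $($ch.LogName)" }
}

# Hash manifest: running Get-FileHash over the directory again later and comparing it
# with this file shows whether any exported log changed after collection.
Get-ChildItem -Path $OutDir -Filter *.evtx |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, @{ n = 'File'; e = { Split-Path $_.Path -Leaf } } |
    Export-Csv -Path (Join-Path $OutDir 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "Exported $($channels.Count) channels to $OutDir"
```

Keep the manifest with the exports (or better, on separate write-once media): a hash recorded at collection time is what lets you show later that the evidence was not modified between collection and analysis.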



Parsing What Was Gathered


The exported log files are in .evtx format, which can only be read reliably through PowerShell or the Windows Event Viewer. The saved logs can be viewed in one of three ways: in Event Viewer (slow, cumbersome and difficult), through PowerShell (quick), or by exporting them to text format for advanced processing.


  1. The difficult way

    1. Open the directory in explorer and click on the log file you want to view

    2. Event viewer will load and you will be able to view the files in the Event Viewer GUI.

  2. In-place PowerShell parsing and exporting the full text of the logs to an ASCII file

    1. A number of PowerShell commands are used to view and parse the logs; most of the work is done with the commands below, and further documentation can be found at: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-5.1

Get-WinEvent -Path .\test.evtx

Opens the test.evtx file and writes every record to standard output. Pipe the output to the following so that the full text of each event is displayed.

Format-Table -Wrap

Wraps long fields instead of truncating them, so that every string is visible when hunting.

findstr "dll"

Filters the output for a specific string (here "dll"). findstr is a cmd.exe tool; Select-String is the PowerShell-native equivalent.



User Accounts in the Logs


More information can be found here: https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4624. For a short and sweet guide to identifying odd behaviour, see below.


Logon types and descriptions

  Type  Title                    Description
  0     System                   Used only by the System account, for example at system startup.
  2     Interactive              A user logged on to this computer.
  3     Network                  A user or computer logged on to this computer from the network.
  4     Batch                    Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  5     Service                  A service was started by the Service Control Manager.
  7     Unlock                   This workstation was unlocked.
  8     NetworkCleartext         A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
  9     NewCredentials           A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
  10    RemoteInteractive        A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  11    CachedInteractive        A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.
  12    CachedRemoteInteractive  Same as RemoteInteractive. This is used for internal auditing.
  13    CachedUnlock             Workstation login
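The Get-WinEvent / Format-Table -Wrap workflow from the parsing section and the logon-type table above come together in the following added example (not part of the original notes). It reads the 4624 events from an exported Security log, pulls the logon type, account, source address and impersonation level out of each event's XML, and summarises them by logon type so that unexpected RemoteInteractive or Network logons stand out. It assumes $Path points at a file produced by "wevtutil epl Security Security.evtx"; the $LogonTitle map is the table above.

```powershell
# Added example: summarise 4624 logon events from an exported Security .evtx by logon type.
# Assumption: $Path is a Security export made with 'wevtutil epl Security Security.evtx'.
param([string]$Path = '.\Security.evtx')

# Logon type -> title, as listed in the table above.
$LogonTitle = @{
    0 = 'System'; 2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'
    7 = 'Unlock'; 8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'
    11 = 'CachedInteractive'; 12 = 'CachedRemoteInteractive'; 13 = 'CachedUnlock'
}

# Filtering on Id inside Get-WinEvent is far faster than piping every record to Where-Object.
$events = Get-WinEvent -Path $Path -FilterHashtable @{ Id = 4624 } -ErrorAction Stop

$logons = foreach ($e in $events) {
    # Every EventData field is a <Data Name="..."> element in the event XML.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time               = $e.TimeCreated
        LogonType          = [int]$d['LogonType']
        Title              = $LogonTitle[[int]$d['LogonType']]
        User               = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
        SourceIp           = $d['IpAddress']
        Process            = $d['ProcessName']
        ImpersonationLevel = $d['ImpersonationLevel']   # raw value as stored in the event
    }
}

# Overview: how many logons of each type, and from which source addresses. A workstation
# that shows type 10 (RemoteInteractive) or type 3 (Network) logons from addresses outside
# the expected management range is where to start reading.
$logons | Group-Object LogonType |
    Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'LogonType'; e = { $_.Name } },
                  @{ n = 'Title';     e = { $LogonTitle[[int]$_.Name] } },
                  Count,
                  @{ n = 'Sources';   e = { ($_.Group.SourceIp | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

# Full detail for the interactive-style types (2, 7, 10, 11, 13), wrapped so that no field
# is truncated, as recommended above for hunting.
$logons | Where-Object { $_.LogonType -in 2, 7, 10, 11, 13 } |
    Sort-Object Time |
    Format-Table Time, LogonType, Title, User, SourceIp, Process, ImpersonationLevel -Wrap
```

The same XML-to-hashtable step works for any event ID: change the Id in the FilterHashtable and the field names in the object, and the rest of the pipeline stays the same.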



Impersonation Level [Version 1, 2] [Type = UnicodeString]: can have one of these four values:

  • SecurityAnonymous (displayed as empty string): The server process cannot obtain identification information about the client, and it cannot impersonate the client. It is defined with no value given, and thus, by ANSI C rules, defaults to a value of zero.

  • SecurityIdentification (displayed as "Identification"): The server process can obtain information about the client, such as security identifiers and privileges, but it cannot impersonate the client. This is useful for servers that export their own objects, for example, database products that export tables and views. Using the retrieved client-security information, the server can make access-validation decisions without being able to use other services that are using the client's security context.

  • SecurityImpersonation (displayed as "Impersonation"): The server process can impersonate the client's security context on its local system. The server cannot impersonate the client on remote systems. This is the most common type.

  • SecurityDelegation (displayed as "Delegation"): The server process can impersonate the client's security context on remote systems.


Windows Events to monitor

To see the most up-to-date information published by Microsoft, visit https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/appendix-l--events-to-monitor. It covers events of interest such as logons and privileged activity.


Powershell and CMD Logging


Enable PowerShell module logging, which records the commands PowerShell runs, by changing the following Group Policy setting:
  Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows PowerShell

The same result can be achieved by setting the following registry values:
  HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging
      EnableModuleLogging = 1 (DWORD)

  HKLM\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames
      a string value named * with data * (log every module)


Enable command line logging by enabling the following Group Policy setting:
  Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Audit Process Creation -> Include command line in process creation events
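Both settings above end up as registry values, so they can be audited (and, where policy allows, applied) from a script. The following is an added example, not part of the original notes. It reads the 64-bit policy path HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging (the Wow6432Node path in the notes is the same key seen through the 32-bit registry view) and the registry value that "Include command line in process creation events" writes, ProcessCreationIncludeCmdLine_Enabled. The -Apply switch is a convention of this script, not a Windows parameter.

```powershell
# Added example: report, and with -Apply enable, the logging settings described above by
# writing the registry values that the corresponding Group Policy settings write.
# Assumptions: run elevated; the machine is not domain-joined with a conflicting GPO, which
# would overwrite these values at the next policy refresh.
param([switch]$Apply)

$settings = @(
    @{ Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
       Name = 'EnableModuleLogging'; Value = 1; Type = 'DWord' }
    @{ Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames'
       Name = '*'; Value = '*'; Type = 'String' }
    # "Include command line in process creation events": event 4688 gains a CommandLine field.
    @{ Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1; Type = 'DWord' }
)

foreach ($s in $settings) {
    # Look the property up by literal name; a value called '*' would otherwise be taken
    # as a wildcard by Get-ItemProperty -Name.
    $item    = Get-ItemProperty -Path $s.Key -ErrorAction SilentlyContinue
    $current = if ($item) { $item.PSObject.Properties[$s.Name].Value } else { $null }
    $ok      = ($null -ne $current) -and ("$current" -eq "$($s.Value)")

    '{0,-8} {1}\{2} = {3}' -f ($(if ($ok) { 'OK' } else { 'MISSING' }), $s.Key, $s.Name, $current)

    if (-not $ok -and $Apply) {
        New-Item -Path $s.Key -Force | Out-Null
        New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
}

# 4688 is only written when the "Process Creation" audit subcategory is enabled; the
# registry value above only adds the command line to events that are already generated.
auditpol /get /subcategory:"Process Creation"
```

Run it without -Apply first and keep the output with the incident notes: knowing that command line logging was off before a given date explains why older 4688 events carry no CommandLine field, which matters when reading the logs collected earlier in this procedure.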