Event Logs

Windows Event Logs and tools to query them

Last updated 9 days ago

Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems.

Security Information and Event Management (SIEM) focuses on threat detection, investigation, and time to respond. Additional features include:

  • Basic security monitoring

  • Advanced threat detection

  • Forensics and incident response

  • Log collection

  • Normalisation

  • Notifications and alerts

  • Security incident detection

  • Threat response workflow

Event Logs Usage

Event logs within Windows typically reside in C:\Windows\System32\winevt\Logs. They are crucial for troubleshooting any computer incident: they help an analyst understand what happened and how to remediate it. The following elements form event logs in Windows systems:

  • System Logs: Records events associated with the OS segments which include information about hardware changes, device drivers, and system changes

  • Security Logs: Events connected to logon and logoff activities on a device

  • Application Logs: Records events related to applications installed on a system which include application errors, events, and warnings

  • Directory Service Events: Active Directory changes and activities

  • File Replication Service Events: Events associated with Windows Servers during the sharing of Group Policies and logon scripts to domain controllers

  • DNS Event Logs: DNS servers use these logs to record domain events

  • Custom Logs: Events logged by applications that require custom data storage

There are 3 ways of accessing event logs within Windows:

  1. Event Viewer (GUI-based application)

  2. Wevtutil.exe (command-line tool)

  3. Get-WinEvent (PowerShell cmdlet)

Event Viewer

Event Viewer, a Microsoft Management Console (MMC) snap-in, can be launched by entering eventvwr.msc into the Windows run box. Event Viewer has three panes:

  1. Left pane which provides a hierarchical tree listing of the event log providers

  2. Middle pane which displays a general overview and summary of the events specific to a selected provider

  3. Right pane which is the actions pane

Tool [wevtutil.exe]

This tool allows you to query event logs via the command line or PowerShell. Per Microsoft, it enables a user to retrieve information about event logs and publishers.

Example usage of wevtutil.exe is as follows:

# Count the logs enumerated (Measure-Object is a cmdlet, so run this from PowerShell)
wevtutil el | Measure-Object

# Sample command
# - Queries the Application log
# - Option /c: maximum number of events to read
# - Option /rd: read direction; true returns the most recent events first
# - Option /f: output format (text instead of the default XML)
wevtutil qe Application /c:3 /rd:true /f:text

PowerShell Cmdlet Get-WinEvent

The cmdlet Get-WinEvent gets events from event logs and event tracing log files on local and remote computers. It provides information on event logs and event log providers. A single command can combine events from multiple logs and filter them using XPath queries, structured XML queries, or hash table queries.

Example usage of Get-WinEvent:

# List all logs on the local computer
Get-WinEvent -ListLog *

# List event log providers and the logs they write to
Get-WinEvent -ListProvider *

# Log filtering: a pipeline filter retrieves every event first and then discards ...
Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
# ... whereas a FilterHashtable is applied by the event log service, so far fewer events are returned
Get-WinEvent -FilterHashtable @{
    LogName='Application'
    ProviderName='WLMS'
}

# Find WLMS events created at a given time. $TIME is a placeholder for an ISO 8601 UTC timestamp;
# the outer string is double-quoted so the variable expands (it would not inside single quotes)
Get-WinEvent -LogName Application -FilterXPath "*/System/Provider[@Name='WLMS'] and */System/TimeCreated[@SystemTime='$TIME']"

# Find events of a given ID related to a user ($USERNAME and $EVENTID are placeholders)
Get-WinEvent -LogName Security -FilterXPath "*/EventData/Data[@Name='TargetUserName']='$USERNAME' and */System/EventID=$EVENTID"

# Look for SecureString usage in logged PowerShell script blocks (event ID 4104, script block logging)
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'

List of accepted key-value pairs for the Get-WinEvent FilterHashtable Parameter

  • LogName <string>

  • ProviderName <string> (Same as Source in Event Viewer)

  • Path <string>

  • Keywords <long>

  • ID <int32>

  • Level <int32>

  • StartTime <datetime>

  • EndTime <datetime>

  • UserID <SID>

  • Data <string>

  • <named-data> <string>
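As an added example (not from the original page), the hashtable keys above combined into a defender's query: failed logons (Security event ID 4625) over a time window, grouped by target account and source address, with the EventData fields pulled from the event XML. The function name, window, threshold and the .evtx path are assumptions; 4625 is only written when logon failure auditing is enabled.

```powershell
# Added example, not from the original page. Summarises Security event 4625 using the
# FilterHashtable keys LogName/Path, ID, StartTime and EndTime. Function name, window,
# threshold and the example .evtx path are assumptions.
function Get-FailedLogonSummary {
    param(
        [int]$Hours = 24,       # look-back window
        [int]$Threshold = 5,    # minimum failures per account/source pair to report
        [string]$Path           # optional exported .evtx instead of the live log
    )

    $filter = @{
        ID        = 4625                          # An account failed to log on
        StartTime = (Get-Date).AddHours(-$Hours)
        EndTime   = Get-Date
    }
    # Path and LogName are mutually exclusive hashtable keys
    if ($Path) { $filter.Path = $Path } else { $filter.LogName = 'Security' }

    # Get-WinEvent raises an error when nothing matches; treat that as zero events
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # EventData fields (TargetUserName, IpAddress, ...) are only reachable via the event XML
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            TargetUser = $data['TargetUserName']
            Source     = $data['IpAddress']
            LogonType  = $data['LogonType']
            Status     = $data['Status']      # NTSTATUS, e.g. 0xC000006D = STATUS_LOGON_FAILURE
        }
    }

    # Group by account and source address, keep only pairs at or above the threshold
    $rows |
        Group-Object -Property TargetUser, Source |
        Where-Object { $_.Count -ge $Threshold } |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name,
            @{ Name = 'First'; Expression = { ($_.Group.Time | Sort-Object)[0] } },
            @{ Name = 'Last';  Expression = { ($_.Group.Time | Sort-Object)[-1] } }
}

# Live Security log, last 24 hours, 5 or more failures per account/source pair
Get-FailedLogonSummary | Format-Table -AutoSize
# Same analysis over an exported log (placeholder path; export with: wevtutil epl Security <file>)
Get-FailedLogonSummary -Path 'C:\evidence\Security.evtx' -Threshold 3 | Format-Table -AutoSize
```

Reading the Security log, live or exported, requires an elevated session or membership in the Event Log Readers group.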