Windows EventViewer Analysis | DFIR

In this article, we will show you some approaches to analyze some activity on Windows events

Last Activity View

Other tools from NirSoft can be observed and downloaded here.

Evtx analysis

Create a new filter with the type of event ID or events between a specific date.

2. After create it, click on context menu and "Save As ...".

Use a specific tool to analyze the logs.

`Examples`

DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI

DeepBlueCLI – PowerShell Module for Threat Hunting - Security InvestigationSecurity Investigation - Be the first to investigate

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA

EventID - Windows Events Search

Event Log Security - Windows Event Searchsystem32.eventsentry.com

APT-Hunter

Outlook files analysis

Stellar OST Viewer

View .msg files (from Outlook)

GitHub - lolo101/MsgViewer: MsgViewer is email-viewer utility for .msg e-mail messages, implemented in pure Java. MsgViewer works on Windows/Linux/Mac Platforms. Also provides a java api to read mail messges (msg files) programmatically.GitHub

LogonTracer

GitHub - JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event logGitHub

Installation: Usage Neo4j 4.4.26

./neo4j console

LogonTracer:

python -m venv venv
source venv/bin/activate

$ pip3 install -r LogonTracer/requirements.txt

See installation manual: https://github.com/JPCERTCC/LogonTracer/wiki/for-linux

python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost

[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
 * Serving Flask app 'logontracer'
 * Debug mode: off

Acess: http://localhost:8081

Now load security.evtx logs from Windows.

Import larger 'security.evtx' files and parse them before

In some cases, we need to parse evtx files because a lot of junk is imported.

I created a rust script capable of filter larger files:

Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>

Options:
  -i, --input-path <INPUT_PATH>    Path to the .evtx file or directory
  -o, --output-file <OUTPUT_FILE>  Path to the output XML file
  -u, --users-file <USERS_FILE>    Path to the file with the list of owned users (optional)
  -s, --start-date <START_DATE>    Start date for filtering logs (format: YYYY-MM-DD) (optional)
  -e, --end-date <END_DATE>        End date for filtering logs (format: YYYY-MM-DD) (optional)
  -t, --threads <THREADS>          Optional number of threads (default is system maximum) [default: 12]
  -h, --help                       Print help
  -V, --version                    Print version

We can use an auxiliary file with owned users (users line by line).

./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26

Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)

Download the binary file from releases:

GitHub - sirpedrotavares/evtx_to_xml: evtx_to_xmlGitHub

Dump Security EVTX files from Collectors ZIP files

import zipfile
import os
import shutil

# Lista das pastas
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Diretório de saída
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop por cada pasta para processar o ficheiro ZIP
for folder in folders:
    # Localizar qualquer arquivo ZIP que comece com "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefixo com o nome da pasta

            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Procurar o ficheiro Security.evtx dentro do ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extrair e renomear o ficheiro com o prefixo da pasta
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extraído: {output_file_path}")
                        break  # Parar após encontrar o Security.evtx
            break  # Prosseguir para a próxima pasta após encontrar um ZIP que comece com "Collection-"

Import the XML into LogonTracer

Before import the XML file, just one line needs to be updated on the logontracer.py:

Replace this: #if xml.startswith("<System>"

to:

if (xml.strip()).startswith('<System>'):):

After this change, upload the file and enjoy :)

Previousamcache.hve NextPrevent Windows shutdown after license expire

Last updated 1 year ago

hashtagLast Activity View

hashtagEvtx analysis

hashtagExamples

hashtagDeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLIarrow-up-right

hashtagWELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELAarrow-up-right

hashtagEventID - Windows Events Search

hashtagAPT-Hunterarrow-up-right

hashtagOutlook files analysis

hashtagStellar OST Viewerarrow-up-right

hashtagView .msg files (from Outlook)

hashtagLogonTracer

hashtagImport larger 'security.evtx' files and parse them before

hashtagDump Security EVTX files from Collectors ZIP files

hashtagImport the XML into LogonTracer