Windows EventViewer Analysis | DFIR

In this article, we will show you some approaches to analyze some activity on Windows events

Last Activity View

https://www.nirsoft.net/utils/computer_activity_view.html

Other tools from NirSoft can be observed and downloaded here.

Evtx analysis

  1. Create a new filter with the type of event ID or events between a specific date.

2. After create it, click on context menu and "Save As ...".

  1. Use a specific tool to analyze the logs.

Examples

DeepBlueCLI: https://github.com/sans-blue-team/DeepBlueCLI

LogoDeepBlueCLI – PowerShell Module for Threat Hunting - Security InvestigationSecurity Investigation - Be the first to investigate

WELA (Windows Event Log Analyzer): https://github.com/Yamato-Security/WELA

EventID - Windows Events Search

LogoEvent Log Security - Windows Event Search

APT-Hunter

Outlook files analysis

Stellar OST Viewer

View .msg files (from Outlook)

LogoGitHub - lolo101/MsgViewer: MsgViewer is email-viewer utility for .msg e-mail messages, implemented in pure Java. MsgViewer works on Windows/Linux/Mac Platforms. Also provides a java api to read mail messges (msg files) programmatically.GitHub

LogonTracer

LogoGitHub - JPCERTCC/LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event logGitHub

Installation: Usage Neo4j 4.4.26

./neo4j console

LogonTracer:

python -m venv venv
source venv/bin/activate

$ pip3 install -r LogonTracer/requirements.txt

See installation manual: https://github.com/JPCERTCC/LogonTracer/wiki/for-linux

python logontracer.py -r -o 8081 -u neo4j -p neo4j1 -s localhost

[+] Script start. 2024/10/09 17:58:14
[+] Neo4j Kernel 4.4.26 (Community)
[+] Can't create database. This feature is in Neo4j Enterprise.
 * Serving Flask app 'logontracer'
 * Debug mode: off

Acess: http://localhost:8081

Now load security.evtx logs from Windows.

Import larger 'security.evtx' files and parse them before

In some cases, we need to parse evtx files because a lot of junk is imported.

I created a rust script capable of filter larger files:

Usage: evtx_to_xml [OPTIONS] --input-path <INPUT_PATH> --output-file <OUTPUT_FILE>

Options:
  -i, --input-path <INPUT_PATH>    Path to the .evtx file or directory
  -o, --output-file <OUTPUT_FILE>  Path to the output XML file
  -u, --users-file <USERS_FILE>    Path to the file with the list of owned users (optional)
  -s, --start-date <START_DATE>    Start date for filtering logs (format: YYYY-MM-DD) (optional)
  -e, --end-date <END_DATE>        End date for filtering logs (format: YYYY-MM-DD) (optional)
  -t, --threads <THREADS>          Optional number of threads (default is system maximum) [default: 12]
  -h, --help                       Print help
  -V, --version                    Print version

We can use an auxiliary file with owned users (users line by line).

./evtx_to_xml --input-path evtx_folder/ --output-file output.xml -u owned_users.txt --start-date 2024-03-18 --end-date 2024-08-26

Loading owned users from: owned_users.txt
Writing matched events to output file: output.xml
Processing EVTX file: security_evtx/1-Security.evtx
Processing EVTX file: security_evtx/2-Security.evtx
Processing EVTX file: security_evtx/3-Security.evtx
Processing EVTX file: security_evtx/4-Security.evtx
Processing EVTX file: security_evtx/5-Security.evtx
Processing EVTX file: security_evtx/6-Security.evtx
(..)

Download the binary file from releases:

LogoGitHub - sirpedrotavares/evtx_to_xml: evtx_to_xmlGitHub

Dump Security EVTX files from Collectors ZIP files

import zipfile
import os
import shutil

# Lista das pastas
folders = [
    "cxxxx000031/",
    "Cxxxx00010CV/"
]

# Diretório de saída
output_dir = "output_evtx"
os.makedirs(output_dir, exist_ok=True)

# Loop por cada pasta para processar o ficheiro ZIP
for folder in folders:
    # Localizar qualquer arquivo ZIP que comece com "Collection-"
    for filename in os.listdir(folder):
        if filename.startswith("Collection-") and filename.endswith(".zip"):
            zip_path = os.path.join(folder, filename)
            prefix = os.path.basename(os.path.normpath(folder))  # Prefixo com o nome da pasta

            with zipfile.ZipFile(zip_path, 'r') as zip_ref:
                # Procurar o ficheiro Security.evtx dentro do ZIP
                for file in zip_ref.namelist():
                    if "Security.evtx" in file:
                        # Extrair e renomear o ficheiro com o prefixo da pasta
                        output_file_path = os.path.join(output_dir, f"{prefix}_Security.evtx")
                        with zip_ref.open(file) as source, open(output_file_path, "wb") as target:
                            shutil.copyfileobj(source, target)
                        print(f"Extraído: {output_file_path}")
                        break  # Parar após encontrar o Security.evtx
            break  # Prosseguir para a próxima pasta após encontrar um ZIP que comece com "Collection-"

Import the XML into LogonTracer

Before import the XML file, just one line needs to be updated on the logontracer.py:

Replace this: #if xml.startswith("<System>"

to:

if (xml.strip()).startswith('<System>'):):

After this change, upload the file and enjoy :)

Previousamcache.hveNextPrevent Windows shutdown after license expire

Last updated

Was this helpful?