윈도우 이벤트 로그 분석-Logparser
log parser를 이용하여 윈도우 이벤트를 분석하기 위해 먼저 이벤트 로그를 파일로 저장한다.
첨고로 각 단계에서 참조된 이벤트ID에 대한 자세한 정보는 https://docs.microsoft.com/ko-kr/windows/security/threat-protection/auditing/event-4625 를 참조한다.
이벤트 로그 저장
C:\DFIR\EventLog>wevtutil epl security security-origin.evtx
C:\DFIR\EventLog>wevtutil epl system system_backup.evtx
C:\DFIR\EventLog>copy "c:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" firewall_backup.evtx
예제
특정 이벤트ID 조회
C:\DFIR\EventLog>LogParser.exe' -stats:OFF -i:EVT "SELECT * FROM 'Security-Origin.evtx' WHERE EventID = '5038'"
이벤트ID별 발생 건수
C:\DFIR\EventLog> LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EventID FROM 'Security-origin.evtx' GROUP BY EventID ORDER BY CNT DESC"
케이스별 이벤트 조회
이벤트 로그 삭제 내역
EventID 1102
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security-origin.evtx' WHERE EventID = '1102'"
RDP Session
Event id 4778
RDP session reconnected
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4778"
Event id 4779
RDP session disconnected
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4779"
Event id 4781
User account was renamed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS newname, EXTRACT_TOKEN(Strings, 1, '|') AS oldname, EXTRACT_TOKEN(Strings, 2, '|') AS accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4781"
Event id 4825
RDP Access denied
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4825"
RDP Local Session Log
Successful logon
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"
find specific user
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user LIKE '%Administrator%'"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY user ORDER BY CNT DESC"
RDP Remote Session Log
Successful logon
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149 GROUP BY user ORDER BY CNT DESC"
RDP 및 Console 로그인
로그인 성공, EventID 4624
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
특정 User 로그인
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
RDP 로그인
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"
Console 로그인
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"
특정 IP 로그인
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
NTLM 로그인
possible pass-the-hash
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 10, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
group by NTLM users
LogParser.exe -q:ON -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC"
group by users
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"
group by authpackage
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"
group by LogonType
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"
group by workstation name
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"
group by process name
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"
로그인 실패
EventID 4625
unsuccessful logon
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
Find specific User
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
Find specific IP
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
check ntlm based attempts
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
group by ntlm users
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"
group by Username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
Log Off
EventID 4634
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"
명시적 자젹증명을 이용한 로그인
EventID = 4648
explicit creds was used
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648"
Search by accountname
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'"
Search by usedaccount
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'"
group by accountname
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"
group by used account
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"
레지스트리 접근
레지스트리 값 변경
EventID 4657
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4657'"
Object Access
EventID = 4663
An attempt was made to access an object
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4663'"
Admin Logon
Event id 4672
Admin logon
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY')
Find specific user
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
group by username
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC"
프로세스 관련
event id 4688
new process was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688"
Search by user
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"
Search by process name
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"
group by username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"
group by process name
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"
사용자 권한
event id 4704
A user right was assigned
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4704'"
event id 4705
A user right was removed
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4705'"
event id 4706
A new trust was created to a domain
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4706'"
사용자 계정
event id 4720
A user account was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser, extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4720'"
Event id 4722
user account was enabled
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4722"
Event id 4723
attempt to change password for the account - user changed his own password
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4723"
Event id 4724
attempt to reset user
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4724"
Event id 4725
user account was disabled
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4725"
Event id 4726
A user account was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser, extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4726'"
Security-enabled Global group
Event id 4727
A security-enabled global group was created
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4727'"
Event id 4728
A member was added to a security-enabled global group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4728'"
Event id 4729
A member was removed from a security-enabled global group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4729'"
Event id 4730
A security-enabled global group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4730'"
Security-enabled Local group
Event id 4731
A security-enabled local group was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4731"
Event id 4732
A member was added to a security-enabled local group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4732'"
Event id 4733
A member was removed from a security-enabled local group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4733'"
Event id 4734
A security-enabled local group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4734"
Event id 4738
user account was changed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 1, '|') as user, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4738"
Event id 4740
A user account was locked out
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4740'"
Event id 4742
computer account was changed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 5, '|') as user, extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4742"
Security-enabled Universal group
Event id 4754
A security-enabled universal group was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4754"
Event id 4756
A member was added to a security-enabled universal group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4756'"
Event id 4757
A member was removed from a security-enabled universal group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4757'"
Event id 4758
A security-enabled universal group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4758"
A user account was unlocked
Event id 4767
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4767'"
Kerberos TGT
커버로스 프로토콜(Kerberos Protocol) – 서버 접근 권한 관리
클라이언트/서버 외에 제3의 인증서버(Authentication Server, AS)를 도입 하고, 이와 연동된 티켓 부여 서비스(Ticket Granting Service, TGS)를 통해 티켓을 발급하여 유효한 티켓이 있는 유저만 서비스 서버(Service Server, SS)에 접속을 할 수 있도록 제어하는 커버로스(Kerberos) 프로토콜
Event id 4768
Kerberos TGT was requested
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher, extract_token(strings, 9, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4768"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"
group by cipher
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"
Kerberos Service
Event id 4769
Kerberos Service ticket was requested
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4769"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"
group by service
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"
group by cipher
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"
Event id 4771
kerberos pre-atuhentication failed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0 , '|') as user, extract_token(strings, 6 , '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
domain/computer attemped to validate user credentials
Event id 4776
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"
Search by username
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username = 'Administrator'"
group by username
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"
FireWall Rules
Event id 4946
new exception was added to firewall
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946"
group by rule name
LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"
Event id 4948
rule was deleted from firewall
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948"
group by rule name
LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"
Code integrity determined that the image hash of a file is not valid
Event id 5038
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5038'"
directory service object was modified
Event id 5136
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username, extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings, 11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136'"
group by username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"
group by objectdn
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"
group by objectclass
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"
group by objectattrib
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"
group by attribvalue
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"
Event id 5137
A directory service object was created
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5137'"
Event id 5138
A directory service object was undeleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5138'"
Event id 5139
A directory service object was moved
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5139'"
Event id 5141
A directory service object was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5141'"
Network Share Object
Event id 5140
A network share object was accessed
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5140'"
Event id 5142
A network share object was added
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5142'"
Event id 5143
A network share object was modified
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5143'"
Event id 5144
A network share object was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5144'"
Event id 5145
A network share object was checked to see whether client can be granted desired access
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5145'"
Windows Filtering Platform
Event id 5154
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5154'"
Event id 5155
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5155'"
Event id 5156
The Windows Filtering Platform has allowed a connection
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5156'"
Event id 5157
The Windows Filtering Platform has blocked a connection
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5157'"
Event id 5158
The Windows Filtering Platform has permitted a bind to a local port
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5158'"
Event id 5159
The Windows Filtering Platform has blocked a bind to a local port
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5159'"
System Log
New Service was installed in system
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName, extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS ServiceUser FROM System_backup.evtx WHERE EventID = 7045"
Service actions
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036"
group by service name
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC"
Task Schedule Log
Task was Run
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC"
action was executed
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200"
group by action
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC"
user updated a task
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC"
user deleted a task
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC"
Windows Firewall Log
FW New exception rule was added
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename, extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2004"
group by apppath
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2004 GROUP BY apppath ORDER BY CNT DESC"
FW Rule was Changed
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005"
group by apppath
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY apppath ORDER BY CNT DESC"
group by rulename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY rulename ORDER BY CNT DESC"
group by servicename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY servicename ORDER BY CNT DESC"
group by local port
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY localport ORDER BY CNT DESC"
group by modifyingapp
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY modifyingapp ORDER BY CNT DESC"
FW Rule was Deleted
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006"
group by rulename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY rulename ORDER BY CNT DESC"
group by changedapp
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY changedapp ORDER BY CNT DESC"
Firewall blocked inbound connections to the application
Firewall blocked inbound connections to the application, but did not notify the user
LogParser.exe -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings, 1, '|') as file, extract_token(strings, 4, '|') as port from 'Firewall_backup.evtx' WHERE EventID = 2011"
group by application
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as file from'Firewall_backup.evtx' WHERE EventID = 2011 GROUP BY file ORDER BY CNT DESC"
'DFIR > 이벤트 로그 분석' 카테고리의 다른 글
| 윈도우 이벤트 로그 분석-3rd Party Tool (0) | 2020.03.03 |
|---|---|
| 윈도우 이벤트 로그 분석-WMI (0) | 2020.03.03 |
| 윈도우 이벤트 로그 분석-파워쉘(PowerShell) (0) | 2020.03.03 |
| 윈도우 이벤트 로그 분석-Visual Basic Script(vbs) (0) | 2020.03.03 |
| 윈도우 이벤트 로그 분석-이벤트 관리도구(wevtutil) (0) | 2020.03.03 |
