Security & Forensic

To analyze Windows events with Log Parser, first export the event logs to files.

For reference, details on the event IDs used in each step below can be found at https://docs.microsoft.com/ko-kr/windows/security/threat-protection/auditing/event-4625 .


Saving the event logs

C:\DFIR\EventLog>wevtutil epl security security-origin.evtx

C:\DFIR\EventLog>wevtutil epl system system_backup.evtx

C:\DFIR\EventLog>copy "c:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" firewall_backup.evtx

 

Examples

Query a specific event ID

C:\DFIR\EventLog>LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-Origin.evtx' WHERE EventID = '5038'"

          

Number of occurrences per event ID

C:\DFIR\EventLog> LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EventID FROM 'Security-origin.evtx' GROUP BY EventID ORDER BY CNT DESC"

 

Event queries by case

Event log clearing history

EventID 1102

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security-origin.evtx' WHERE EventID = '1102'"

 

RDP Session

Event id 4778

RDP session reconnected

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4778"

          

Event id 4779

RDP session disconnected

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4779"

 

Event id 4781

User account was renamed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS oldname, EXTRACT_TOKEN(Strings, 1, '|') AS newname, EXTRACT_TOKEN(Strings, 2, '|') AS accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4781"

          

Event id 4825

RDP Access denied

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4825"

 

RDP Local Session Log

Successful logon

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"

          

find specific user

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user LIKE '%Administrator%'"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY user ORDER BY CNT DESC"

 

RDP Remote Session Log

Successful logon

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149 GROUP BY user ORDER BY CNT DESC"

 

RDP and console logons

Successful logon, EventID 4624

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"

 

Logons by a specific user

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

 

RDP logons

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"

 

Console logons

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"

 

Logons from a specific IP

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"

 

NTLM logons

possible pass-the-hash

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"

          

group by NTLM users

LogParser.exe -q:ON -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC"

          

group by users

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"

          

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"

          

group by authpackage

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"

          

group by LogonType

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"

          

group by workstation name

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"

          

group by process name

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"

 

Failed logons

EventID 4625

unsuccessful logon

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"

          

Find specific User

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

          

Find specific IP

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"

          

check ntlm based attempts

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"

          

group by ntlm users

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"

          

group by Username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
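The 4624 NTLM queries and the 4625 groupings above all rely on the same mechanism: positional EXTRACT_TOKEN indexes over the pipe-joined Strings field, and the positions shift between the two event IDs (LogonType is token 8 in 4624 but token 10 in 4625). The following is an added example, not code from the original post, that replays that filtering and grouping logic in Python over constructed records so the index mapping can be checked offline before running it against a real .evtx export.

```python
from collections import Counter

# Index -> alias, using exactly the EXTRACT_TOKEN indexes of the queries above.
# Note LogonType/AuthPackage/Workstation/SourceIP shift between 4624 and 4625.
FIELDS_4624 = {5: "Username", 6: "Domain", 8: "LogonType", 9: "AuthPackage",
               11: "Workstation", 17: "ProcessName", 18: "SourceIP"}
FIELDS_4625 = {5: "Username", 6: "Domain", 10: "LogonType", 11: "AuthPackage",
               13: "Workstation", 19: "SourceIP"}

# Same exclusions as the queries' NOT IN (...) lists.
NOISE_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
NOISE_DOMAINS = {"NT AUTHORITY"}


def extract_token(strings, index, sep="|"):
    """Mirror of EXTRACT_TOKEN(Strings, index, '|'): None when out of range."""
    parts = strings.split(sep)
    return parts[index] if 0 <= index < len(parts) else None


def parse_record(event_id, strings):
    """Project a raw Strings value onto the aliases the queries use."""
    fields = {4624: FIELDS_4624, 4625: FIELDS_4625}[event_id]
    rec = {name: extract_token(strings, i) for i, name in fields.items()}
    rec["EventID"] = event_id
    return rec


def is_interesting(rec):
    """WHERE Username NOT IN (...) AND Domain NOT IN ('NT AUTHORITY')."""
    return rec["Username"] not in NOISE_USERS and rec["Domain"] not in NOISE_DOMAINS


def is_machine_account(rec):
    """The Username NOT LIKE '%$' clause: computer accounts end in '$'."""
    return (rec["Username"] or "").endswith("$")


def ntlm_logons(raw_records):
    """4624 rows with AuthPackage LIKE '%NtLmSsp%', noise and machine accounts dropped."""
    out = []
    for event_id, strings in raw_records:
        if event_id != 4624:
            continue
        rec = parse_record(event_id, strings)
        if (is_interesting(rec) and not is_machine_account(rec)
                and "NtLmSsp" in (rec["AuthPackage"] or "")):
            out.append(rec)
    return out


def group_count(records, *keys):
    """GROUP BY keys ORDER BY CNT DESC, returned as [(key tuple, count), ...]."""
    counts = Counter(tuple(r[k] for k in keys) for r in records)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def failed_logons_by_user(raw_records):
    """4625 rows grouped by Username, as in the 'group by Username' query."""
    rows = [parse_record(e, s) for e, s in raw_records if e == 4625]
    rows = [r for r in rows if is_interesting(r) and not is_machine_account(r)]
    return group_count(rows, "Username")


# --- constructed sample records (not real log data) --------------------------
def _make_4624(user, domain, logon_type, logon_proc, workstation, ip):
    f = ["-"] * 20                       # 4624 EventData: 20 fields used here
    f[5], f[6], f[8], f[9], f[11] = user, domain, logon_type, logon_proc, workstation
    f[17], f[18] = r"C:\Windows\System32\svchost.exe", ip
    return 4624, "|".join(f)


def _make_4625(user, domain, logon_type, logon_proc, workstation, ip):
    f = ["-"] * 21                       # 4625 inserts Status/FailureReason/SubStatus
    f[5], f[6], f[10], f[11] = user, domain, logon_type, logon_proc
    f[13], f[19] = workstation, ip
    return 4625, "|".join(f)


SAMPLE = [
    _make_4624("Administrator", "CORP", "3", "NtLmSsp", "WS01", "10.1.47.151"),
    _make_4624("SYSTEM", "NT AUTHORITY", "5", "Advapi", "-", "-"),
    _make_4624("WS02$", "CORP", "3", "NtLmSsp", "WS02", "10.1.47.22"),
    _make_4624("jdoe", "CORP", "10", "User32", "WS01", "10.1.47.200"),
    _make_4624("Administrator", "CORP", "3", "NtLmSsp", "WS01", "10.1.47.151"),
    _make_4625("Administrator", "CORP", "3", "NtLmSsp", "WS01", "10.1.47.151"),
    _make_4625("Administrator", "CORP", "3", "NtLmSsp", "WS01", "10.1.47.151"),
    _make_4625("Administrator", "CORP", "3", "NtLmSsp", "WS01", "10.1.47.151"),
    _make_4625("bob", "CORP", "3", "NtLmSsp", "WS05", "10.1.47.9"),
    _make_4625("WS03$", "CORP", "3", "Kerberos", "WS03", "10.1.47.33"),
]

if __name__ == "__main__":
    for key, cnt in group_count(ntlm_logons(SAMPLE), "Username", "SourceIP"):
        print(cnt, *key)
    for key, cnt in failed_logons_by_user(SAMPLE):
        print(cnt, *key)
```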

 

Log Off

EventID 4634

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"

 

Logon using explicit credentials

EventID = 4648

explicit creds was used

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648"

          

Search by accountname

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'"

          

Search by usedaccount

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'"

          

group by accountname

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"

          

group by used account

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"

 

Registry access

Registry value modified

EventID 4657

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4657'"

 

Object Access

EventID = 4663

An attempt was made to access an object

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4663'"

 

Admin Logon

Event id 4672

Admin logon

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY')"

 

Find specific user

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

 

group by username

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"

 

group by domain

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC"

 

Process-related

event id 4688

new process was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688"

          

Search by user

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"

          

Search by process name

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"

          

group by username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"

          

group by process name

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"

 

User rights

event id 4704

A user right was assigned

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4704'"

          

event id 4705

A user right was removed

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4705'"

          

event id 4706

A new trust was created to a domain

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4706'"

 

User accounts

event id 4720

A user account was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser, extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4720'"


Event id 4722

user account was enabled

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4722"

 

Event id 4723

attempt to change password for the account - user changed his own password

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4723"

 

Event id 4724

attempt to reset an account's password

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4724"

 

Event id 4725

user account was disabled

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4725"

          

Event id 4726

A user account was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser, extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4726'"

 

Security-enabled Global group

Event id 4727

A security-enabled global group was created

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4727'"

          

Event id 4728

A member was added to a security-enabled global group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4728'"

          

Event id 4729

A member was removed from a security-enabled global group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4729'"

          

Event id 4730

A security-enabled global group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4730'"

 

Security-enabled Local group

Event id 4731

A security-enabled local group was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4731"

          

Event id 4732

A member was added to a security-enabled local group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4732'"

          

Event id 4733

A member was removed from a security-enabled local group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4733'"

          

Event id 4734

A security-enabled local group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4734"

          

Event id 4738

user account was changed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 1, '|') as user, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4738"

          

Event id 4740

A user account was locked out

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4740'"

          

Event id 4742

computer account was changed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 5, '|') as user, extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4742"

 

Security-enabled Universal group

Event id 4754

A security-enabled universal group was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4754"

          

Event id 4756

A member was added to a security-enabled universal group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4756'"

          

Event id 4757

A member was removed from a security-enabled universal group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4757'"

          

Event id 4758

A security-enabled universal group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4758"

          

Event id 4767

A user account was unlocked

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4767'"

 

Kerberos TGT

Kerberos protocol – managing server access rights

In addition to the client and the server, the Kerberos protocol introduces a third-party Authentication Server (AS) and, through the Ticket Granting Service (TGS) linked to it, issues tickets so that only users holding a valid ticket can connect to the Service Server (SS).

 

Event id 4768

Kerberos TGT was requested

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher, extract_token(strings, 9, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4768"

 

group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"

 

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"

 

group by cipher

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"

 

Kerberos Service

Event id 4769

Kerberos Service ticket was requested

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4769"

          

group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"


group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"

 

group by service

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"

 

group by cipher

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"

                    

Event id 4771

kerberos pre-authentication failed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0 , '|') as user, extract_token(strings, 6 , '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'"


group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"

 

Event id 4776

The domain controller or computer attempted to validate user credentials

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"

 

Search by username

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username = 'Administrator'"

 

group by username

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"


group by domain

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"

 

FireWall Rules

Event id 4946

new exception was added to firewall

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946"

          

group by rule name

LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"

          

Event id 4948

rule was deleted from firewall

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948"

          

group by rule name

LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"

 

Event id 5038

Code integrity determined that the image hash of a file is not valid

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5038'"

 

Event id 5136

A directory service object was modified

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username, extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings, 11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136'"

          

group by username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"

          

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"

          

group by objectdn

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"

          

group by objectclass

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"

          

group by objectattrib

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"

          

group by attribvalue

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"

          

Event id 5137

A directory service object was created

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5137'"

          

Event id 5138

A directory service object was undeleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5138'"

          

Event id 5139

A directory service object was moved

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5139'"

          

Event id 5141

A directory service object was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5141'"

 

Network Share Object

Event id 5140

A network share object was accessed

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5140'"

          

Event id 5142

A network share object was added

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5142'"

          

Event id 5143

A network share object was modified

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5143'"

          

Event id 5144

A network share object was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5144'"

          

Event id 5145

A network share object was checked to see whether client can be granted desired access

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5145'"

 

Windows Filtering Platform

Event id 5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5154'"

          

Event id 5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5155'"

          

Event id 5156

The Windows Filtering Platform has allowed a connection

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5156'"

          

Event id 5157

The Windows Filtering Platform has blocked a connection

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5157'"

          

Event id 5158

The Windows Filtering Platform has permitted a bind to a local port

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5158'"

          

Event id 5159

The Windows Filtering Platform has blocked a bind to a local port

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5159'"

 

System Log

New service was installed in the system (Event id 7045)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName, extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS ServiceUser FROM System_backup.evtx WHERE EventID = 7045"

 

Service state changes (Event id 7036: the service entered the running/stopped state)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036"

 

group by service name

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC"

 

Task Schedule Log

Task started (Event id 100)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100"

 

group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC"

 

Task action launched (Event id 200)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200"

 

group by action

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC"

 

User updated a task (Event id 140)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC"

          

group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC"

 

User deleted a task (Event id 141)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141"


group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC"


group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC"

 

Windows Firewall Log

FW: new exception rule was added (Event id 2004)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename, extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2004"

          

group by apppath

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2004 GROUP BY apppath ORDER BY CNT DESC"

 

FW: rule was changed (Event id 2005)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005"

          

group by apppath

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY apppath ORDER BY CNT DESC"

          

group by rulename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY rulename ORDER BY CNT DESC"

          

group by servicename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY servicename ORDER BY CNT DESC"

          

group by local port

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY localport ORDER BY CNT DESC"

          

group by modifyingapp

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY modifyingapp ORDER BY CNT DESC"

 

FW: rule was deleted (Event id 2006)

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006"

          

group by rulename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY rulename ORDER BY CNT DESC"

          

group by changedapp

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY changedapp ORDER BY CNT DESC"

 

FW: blocked inbound connections to an application but did not notify the user (Event id 2011)

LogParser.exe -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings, 1, '|') as file, extract_token(strings, 4, '|') as port from 'Firewall_backup.evtx' WHERE EventID = 2011"

          

group by application

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as file from 'Firewall_backup.evtx' WHERE EventID = 2011 GROUP BY file ORDER BY CNT DESC"
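The same EXTRACT_TOKEN(Strings, n, '|') ... GROUP BY pattern used throughout the LogParser queries above can be run with Get-WinEvent against the exported .evtx files, which is useful on an analysis box where LogParser is not installed. The following is an added example, not code from the original page: $event.Properties[n].Value is the positional insertion string that LogParser exposes as token n of Strings, so the index maps mirror the 4776 (by user) and 7045 (new service) queries above. The file paths, the index maps and the "image path outside %windir%" heuristic are assumptions made for this example.

```powershell
# Added example: LogParser-style positional field extraction with Get-WinEvent on saved .evtx files.
# Assumptions: file paths under C:\DFIR\EventLog, index maps taken from the queries above.

function Get-EvtxField {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][int]$EventId,
        # column name -> index into $event.Properties (same numbering as LogParser's Strings tokens)
        [Parameter(Mandatory)][System.Collections.IDictionary]$FieldMap
    )
    # 'Path' in the hashtable reads the exported file instead of a live channel
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = $EventId } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $row = [ordered]@{ Date = $_.TimeCreated }
            foreach ($name in $FieldMap.Keys) {
                $i = $FieldMap[$name]
                $row[$name] = if ($i -lt $_.Properties.Count) { $_.Properties[$i].Value } else { $null }
            }
            [pscustomobject]$row
        }
}

# 4776 (NTLM credential validation) grouped by account; machine accounts (trailing $) excluded
function Get-NtlmAttemptsByUser {
    param([string]$Path = 'C:\DFIR\EventLog\Security-origin.evtx')
    Get-EvtxField -Path $Path -EventId 4776 -FieldMap ([ordered]@{ Username = 1; Domain = 2 }) |
        Where-Object { $_.Username -notlike '*$' } |
        Group-Object Username -NoElement | Sort-Object Count -Descending
}

# 7045 (new service) with the ImagePath normalised to the executable, flagging binaries outside %windir%
function Get-NewService {
    param([string]$Path = 'C:\DFIR\EventLog\System_backup.evtx')
    Get-EvtxField -Path $Path -EventId 7045 -FieldMap ([ordered]@{ ServiceName = 0; ServicePath = 1; ServiceUser = 4 }) |
        ForEach-Object {
            # ImagePath shapes seen in 7045: "C:\x\a.exe" -args, %SystemRoot%\..., \??\C:\..., system32\drivers\x.sys
            $exe = [Environment]::ExpandEnvironmentVariables($_.ServicePath) -replace '^\\\?\?\\', ''
            if ($exe -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($exe -split '\s+-')[0] }
            if ($exe -notmatch '^([A-Za-z]:\\|\\\\)') { $exe = Join-Path $env:windir $exe }   # relative = under %windir%
            $_ | Add-Member -NotePropertyName Executable -NotePropertyValue $exe -PassThru |
                 Add-Member -NotePropertyName Suspicious -NotePropertyValue ($exe -notlike "$env:windir\*") -PassThru
        }
}

Get-NtlmAttemptsByUser | Format-Table Count, Name -AutoSize
Get-NewService | Where-Object Suspicious | Format-Table Date, ServiceName, Executable, ServiceUser -AutoSize
```

The heuristic in Get-NewService is deliberately simple: a service binary under %windir% is not proof of legitimacy, and one outside it is often a vendor agent, so treat the Suspicious column as a triage sort key and review the full ServicePath and ServiceUser columns before drawing conclusions.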

 


Myeventviewer by NirSoft

From : https://www.nirsoft.net/utils/my_event_viewer.html


Command-Line Options

/SaveDirect Save the log lines in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...)
When you use the SaveDirect mode, the event log lines are saved directly to the disk, without loading them into the memory first. This means that you can save a list with large amount of event log lines into your disk without any memory problem, as long as you have enough disk space to store the saved file. The drawback of this mode: You cannot sort the log lines according to the column you choose with /sort command-line option.
/ShowOnlyLastEvents [0 | 1] If you specify '1' value, the last events filter will be activated.
/LastEventsUnit [Unit] Unit to specify the last events filter.
1 = Minutes
2 = Hours
3 = Days
/LastEventsValue [Number of Units] specifies the number of units (Minutes/Hours/Days) for the last events filter.
/VisibleEventTypes [Number] Specifies which type of events to display:
1 = Error
2 = Warning
4 = Information
8 = Audit Success
16 = Audit Failure

You can combine multiple event types, for example: if you want to display both errors and warnings, set the VisibleEventTypes value to 3 (1 + 2 = 3):

/EventLogNames [Name1] [Name2] [Name3]... Specifies the event log names that you wish to load.

Examples:
MyEventViewer.exe /EventLogNames "osession" "security" "Internet Explorer"
MyEventViewer.exe /EventLogNames "Application" "Security"

/cfg <Filename> Start MyEventViewer with the specified configuration file. For example:
MyEventViewer.exe /cfg "c:\config\MyEventViewer.cfg"
MyEventViewer.exe /cfg "%AppData%\MyEventViewer.cfg"
/advanced Starts MyEventViewer with the 'Advanced Filter' window, before loading the events.
/stext <Filename> Save the events list into a regular text file.
/stab <Filename> Save the events list into a tab-delimited text file.
/scomma <Filename> Save the events list into a comma-delimited text file (csv).
/stabular <Filename> Save the events list into a tabular text file.
/shtml <Filename> Save the events list into HTML file (Horizontal).
/sverhtml <Filename> Save the events list into HTML file (Vertical).
/sxml <Filename> Save the events list into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Source" and "Time". You can specify the '~' prefix character (e.g: "~Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
/nosort When you specify this command-line option, the list will be saved without any sorting.

Examples

Events from the last 3 days
C:\myeventviewer>MyEventViewer.exe /shtml C:\DFIR\EventLog\Security-Export.html /EventLogNames "Security" /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /sort "Event Type"

Load an .evtx file
C:\myeventviewer>MyEventViewer.exe /Loadfile "C:\DFIR\EventLog\Security-20190716.evtx" /shtml C:\DFIR\EventLog\Security-Export-2.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time"


Events from the last N minutes (the last-events filter is time based, not a record count; here the last 2000 minutes)

C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /ShowOnlyLastEvents 1 /LastEventsValue 2000 /LastEventsUnit 1 /sort "~Time"

Sorting the output
C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /sort "Event Type" /sort "Log Type"


Note:
In command-line mode there is no way to filter by a specific event ID or by a from/to date range.

 

FullEventlogview by NirSoft

From : https://www.nirsoft.net/utils/full_event_log_view.html

 

FullEventLogView improves on the shortcomings of the older MyEventViewer: in command-line mode it can filter by event ID, channel and provider.

Command-Line Options

/ChannelFilter [1 - 3]
/EventIDFilter [1 - 3]
/ProviderFilter [1 - 3]
/ChannelFilterStr [Filter String]
/EventIDFilterStr [Filter String]
/ProviderFilterStr [Filter String]

The numeric option selects the filter mode (the examples below use 2, "show only the listed values"); the matching ...FilterStr option carries the comma-separated values to match.

You can use any variable from the .cfg file to set the configuration from the command line. Some examples:

In order to show only events with Event ID 8000 and 8001: 
FullEventLogView.exe /EventIDFilter 2 /EventIDFilterStr "8000,8001"

In order show only events from Microsoft-Windows-Dhcp-Client/Admin channel: 
FullEventLogView.exe /ChannelFilter 2 /ChannelFilterStr "Microsoft-Windows-Dhcp-Client/Admin"

In order to read events from .evtx files stored in c:\temp\logs : 
FullEventLogView.exe /DataSource 3 /LogFolder "c:\temp\logs" /LogFolderWildcard "*"

In order to read events from remote computer: 
FullEventLogView.exe /DataSource 2 /ComputerName "192.168.0.70"

/cfg <Filename>

Start FullEventLogView with the specified configuration file. For example: 
FullEventLogView.exe /cfg "c:\config\felv.cfg" 
FullEventLogView.exe /cfg "%AppData%\FullEventLogView.cfg"

/RunAsAdmin

Run FullEventLogView as administrator.

/stext <Filename>

Save the event log items into a simple text file.

/stab <Filename>

Save the event log items into a tab-delimited text file.

/scomma <Filename>

Save the event log items into a comma-delimited text file (csv).

/stabular <Filename>

Save the event log items into a tabular text file.

/shtml <Filename>

Save the event log items into HTML file (Horizontal).

/sverhtml <Filename>

Save the event log items into HTML file (Vertical).

/sxml <Filename>

Save the event log items into XML file.

/sjson <Filename>

Save the event log items into JSON file.

/SaveDirect

Save the event log items in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...) When you use the SaveDirect mode, the event log items are saved directly to the disk, without loading them into the memory first. Be aware that the sorting feature is not supported in SaveDirect mode.

/sort <column>

This command-line option can be used with other save options for sorting by the desired column. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Record ID" and "Event ID". You can specify the '~' prefix character (e.g: "~Channel") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.

Example: 4624 events from the Security channel over the last 3 days, newest first
C:\fulleventlogview>FullEventLogView.exe  /ChannelFilter 2 /ChannelFilterStr "Security" /EventIDFilter 2  /EventIDFilterstr "4624" /shtml C:\DFIR\EventLog\Security-Export-3.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /RunAsAdmin

 


Win32_NTLogEvent class

f:\temp>wmic ntevent /?
NTEVENT - Entries in the NT Event Log.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path where>] | [<alias>] <path where>) [<verb clause>].

USAGE:
NTEVENT ASSOC [<format specifier>]
NTEVENT CREATE <assign list>
NTEVENT DELETE
NTEVENT GET [<property list>] [<get switches>]
NTEVENT LIST [<list format>] [<list switches>]

Available list formats
f:\temp>wmic ntevent list /?
Property list operations.

USAGE:
LIST [<list format>] [<list switches>]

The following LIST formats are available:
BRIEF   - EventIdentifier, TypeEvent, Message, RecordNumber, SourceName, TimeGenerated
FULL    - Category, CategoryString, ComputerName, Data, EventCode, EventIdentifier, TypeEvent, InsertionStrings,
          LogFile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, UserName


The following LIST switches are available:
/TRANSLATE:<table name>      - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns the value every <interval> seconds. If /REPEAT is specified the command is executed <repeat count> times.
/FORMAT:<format specifier>   - Keyword/XSL filename to process the XML results.

Available output formats
f:\temp>wmic ntevent list /format /?
Keyword/XSL filename to process the XML results.

USAGE:
/FORMAT:<format specifier>

KEYWORDS:
CSV / HFORM / HTABLE / LIST / MOF / RAWXML / TABLE / VALUE / XML /
htable-sortby / htable-sortby.xsl / texttablewsys / texttablewsys.xsl / wmiclimofformat /
wmiclimofformat.xsl / wmiclitableformat / wmiclitableformat.xsl / wmiclitableformatnosys /
wmiclitableformatnosys.xsl / wmiclivalueformat / wmiclivalueformat.xsl

Available properties
f:\temp>wmic NTEVENT get /?
USAGE:
GET [<property list>] [<get switches>]
NOTE: <property list> ::= <property name> | <property name>,  <property list>
The following properties are available:
Property                       Type                    Operation
========                       ====                    =========
Category                       N/A                     N/A
CategoryString                N/A                     N/A
ComputerName              N/A                     N/A
Data                             N/A                     N/A
EventCode                     N/A                     N/A
EventIdentifier                 N/A                     N/A
InsertionStrings               N/A                     N/A
LogFile                          N/A                     N/A
Message                        N/A                     N/A
RecordNumber                N/A                     N/A
SourceName                   N/A                     N/A
TimeGenerated                N/A                     N/A
TimeWritten                   N/A                     N/A
Type                             N/A                     N/A
TypeEvent                      N/A                     N/A
UserName                      N/A                     N/A

EventType in Win32_NTLogEvent

Types of event log entries
Each event entry is classified by type to identify the severity of the event: Information, Warning, Error, Success Audit (Security log) and Failure Audit (Security log). The EventType property holds the numeric code below; Type holds the localised display string for the same value.

EventType  Event Type                    Description
---------  ----------------------------  -----------
1          Error                         An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.
2          Warning                       An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.
3          Information                   An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.
4          Success Audit (Security log)  An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.
5          Failure Audit (Security log)  An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

Query examples

Basic queries

F:\temp>WMIC path Win32_NtLogEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET user, type, Message, InsertionStrings, TimeGenerated /format:list


Query by date range

The WHERE clause is WQL, so TimeGenerated is compared as a DMTF datetime: yyyyMMddHHmmss.ffffff followed by the UTC offset in minutes. The -240 below is UTC-4; a host on KST (UTC+9) would use +540.

F:\temp>WMIC NtEvent WHERE "LogFile='System' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list


Query by date range and event ID (4624 is logged to the Security log, so the LogFile must be Security)
F:\temp>WMIC NtEvent WHERE "LogFile='Security' and EventCode='4624' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list

Error events in a date range, by numeric EventType (1 = Error)
F:\temp>WMIC NtEvent WHERE "LogFile='System' and Eventtype='1' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list


The same query on the localised Type string:

F:\temp>WMIC NtEvent WHERE "LogFile='System' and type='오류' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list


Note:

On an English system the Type string is "Error" rather than "오류"; the numeric EventType is the same on every locale, so prefer it in scripts.
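The wmic ntevent queries above translate directly into Get-CimInstance, the supported replacement for wmic and Get-WmiObject. This added example (not code from the original page) builds the DMTF timestamp that the WQL WHERE clause expects from a [datetime], so the UTC offset in minutes matches the host's time zone instead of the hand-typed -240 above, and filters on the numeric EventType so the query does not depend on the localised Type string ('Error' vs '오류'). The function name, parameter defaults and the Security-log example window are assumptions.

```powershell
# Added example: Win32_NTLogEvent via Get-CimInstance with a generated DMTF datetime.
# Assumptions: function/parameter names and defaults are this example's own.

function ConvertTo-DmtfDateTime {
    param([Parameter(Mandatory)][datetime]$Date)
    # Yields e.g. 20200210000000.000000+540 on a KST host: yyyyMMddHHmmss.ffffff plus UTC offset in minutes
    [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Date)
}

function Get-NtLogEvent {
    param(
        [string]$LogFile = 'System',
        [int]$EventCode = 0,                          # 0 = any event ID
        [ValidateRange(0, 5)][int]$EventType = 0,     # 0 = any; 1 Error, 2 Warning, 3 Information, 4 Audit Success, 5 Audit Failure
        [datetime]$Start = (Get-Date).AddDays(-5),
        [datetime]$End   = (Get-Date)
    )
    $where = @(
        "LogFile='$LogFile'"
        "TimeGenerated>='$(ConvertTo-DmtfDateTime $Start)'"
        "TimeGenerated<='$(ConvertTo-DmtfDateTime $End)'"
    )
    if ($EventCode) { $where += "EventCode=$EventCode" }
    if ($EventType) { $where += "EventType=$EventType" }
    $wql = 'SELECT EventCode,EventType,SourceName,TimeGenerated,Message,InsertionStrings ' +
           'FROM Win32_NTLogEvent WHERE ' + ($where -join ' AND ')
    # Get-CimInstance already converts TimeGenerated from DMTF form to a [datetime]
    Get-CimInstance -Query $wql | Select-Object EventCode, EventType, SourceName, TimeGenerated, Message
}

# Error events in the System log over the last five days
Get-NtLogEvent -LogFile System -EventType 1 | Format-Table -AutoSize

# 4624 over an explicit window; the Security log needs an elevated session
Get-NtLogEvent -LogFile Security -EventCode 4624 -Start '2020-02-10' -End '2020-02-15' | Format-Table -AutoSize
```

Because the WHERE clause is evaluated inside the WMI service, only matching records cross the pipeline; this is the same reason the wmic and Get-WmiObject forms above feel fast compared with piping a whole log through Where-Object.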

 


Get-WinEvent

List the available logs

PS C:\Temp> Get-WinEvent -ListLog *

Count matching events

PS C:\Temp> (get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)}).count
835

Query by date range
PS C:\Temp> get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)}

   ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated                     Id LevelDisplayName Message
-----------                     -- ---------------- -------
2019-07-08 6:01:22 PM         4624 Information      An account was successfully logged on....
2019-07-08 6:01:20 PM         4624 Information      An account was successfully logged on....
2019-07-08 6:01:18 PM         4624 Information      An account was successfully logged on....
......

 

Most recent events
PS C:\Temp> Get-WinEvent -FilterHashtable @{logname='Security'} -MaxEvents 50

 

Save the results as CSV [1] (Select-Object, not Format-List, must feed Export-Csv: Format-* cmdlets emit formatting objects, not the event properties)
PS C:\Temp> get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)} | select-object Id, TimeCreated, Message | export-csv -NoTypeInformation f:\temp\eve-login.csv

Query a specific event ID [2]

PS C:\Temp> get-winevent security | where {$_.id -eq 4624} | where {$_.timecreated -ge (get-date).adddays(-10)} |  where {$_.timecreated -le (get-date).adddays(-5)}
2019-07-13 6:12:55 PM         4624 Information      An account was successfully logged on....
2019-07-13 6:12:55 PM         4624 Information      An account was successfully logged on....
2019-07-13 6:12:55 PM         4624 Information      An account was successfully logged on....
......


Note:

Comparing [1] and [2], FilterHashtable is much faster: the filter is applied by the event log service before records are materialised, whereas [2] reads every record of the Security log and discards most of them in Where-Object.

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7
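Two things the Get-WinEvent commands above do not show are worth having in a DFIR toolkit: reading EventData fields by name (TargetUserName, LogonType, IpAddress ...) from the event XML rather than by position, and expressing the filter in XPath so the event log service, not Where-Object, decides which records are returned. The following is an added example, not part of the original post. It assumes the live Security log, the same 10-to-5-days-ago window as the queries above, and the standard 4624 EventData names; the function names are this example's own.

```powershell
# Added example: named EventData via ToXml(), server-side filtering via -FilterHashtable and -FilterXPath.
# Assumptions: live Security log, standard 4624 EventData element names.

function ConvertFrom-EventXml {
    # Returns one event's EventData as a hashtable keyed by each <Data Name="..."> attribute
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

function Get-LogonSummary {
    param(
        [datetime]$Start = (Get-Date).AddDays(-10),
        [datetime]$End   = (Get-Date).AddDays(-5),
        [int[]]$LogonTypes = @(2, 3, 7, 10)   # interactive, network, unlock, RemoteInteractive (RDP)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventXml $_
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                LogonType   = [int]$d.LogonType
                User        = '{0}\{1}' -f $d.TargetDomainName, $d.TargetUserName
                Source      = $d.IpAddress
                Workstation = $d.WorkstationName
                Process     = $d.ProcessName
            }
        } |
        Where-Object { $_.LogonType -in $LogonTypes -and $_.User -notlike '*$' } |   # drop service/machine noise
        Group-Object LogonType, User, Source -NoElement | Sort-Object Count -Descending
}

# Same idea with the filter in XPath, evaluated by the service: only RDP (LogonType 10) logons
# from the last $Days days are returned at all. timediff() works in milliseconds.
function Get-RdpLogon {
    param([int]$Days = 10)
    $ms = [long]$Days * 24 * 60 * 60 * 1000
    $xpath = "*[System[EventID=4624 and TimeCreated[timediff(@SystemTime) <= $ms]]" +
             " and EventData[Data[@Name='LogonType']='10']]"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventXml $_
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; User = $d.TargetUserName; Source = $d.IpAddress }
        }
}

Get-LogonSummary | Format-Table -AutoSize
Get-RdpLogon | Format-Table -AutoSize
```

The XPath form is the same syntax Event Viewer accepts in a custom view's XML tab, so a filter that proves useful here can be pasted there unchanged.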

Get-EventLog
Get-EventLog does not support FilterHashtable, and its property names differ from Get-WinEvent's: the event ID that Get-WinEvent exposes as Id appears as InstanceId in Get-EventLog (its EventID property holds only the low 16 bits). Get-EventLog reads the classic logs only (Application, System, Security and the like, not the Applications and Services channels) and is not available in PowerShell 6/7; use Get-WinEvent there.

 

List the available logs

PS C:\Temp> Get-EventLog  -List

 

Most recent events

PS F:\script\powershell> get-eventlog -LogName Security -Newest 5                                                       
   Index Time          EntryType   Source                 InstanceID Message
   ----- ----          ---------   ------                 ---------- -------
   31284 3 03 11:52    SuccessA... Microsoft-Windows...         4672 Special privileges assigned to new logon....
   31283 3 03 11:52    SuccessA... Microsoft-Windows...         4624 An account was successfully logged on....
   31282 3 03 11:52    SuccessA... Microsoft-Windows...         4798 A user's local group membership was enumerated....
   31281 3 03 11:52    SuccessA... Microsoft-Windows...         4798 A user's local group membership was enumerated....
   31280 3 03 11:52    SuccessA... Microsoft-Windows...         4798 A user's local group membership was enumerated....


Query a specific event ID
PS C:\Temp> get-eventlog security | where {$_.Instanceid -eq 4624} | select -First 3

Query by date range (Get-EventLog's own -InstanceId, -After and -Before parameters filter before the pipeline; comparing TimeWritten as a formatted string in Where-Object is slower and only works because the format sorts lexically)
PS C:\Temp> (get-eventlog security -InstanceId 4624 -After (get-date).adddays(-10) -Before (get-date).adddays(-5)).count
868

PS C:\Temp> get-eventlog security -InstanceId 4624 -After (get-date).adddays(-10) -Before (get-date).adddays(-5) | select -First 3 | select-object InstanceID, @{Name='CTime';Expression={$_.TimeWritten.toString("yyyy-MM-dd HH:mm:ss")}}, Message

 

Count of the 1000 newest System log entries by source

PS F:\script\powershell>$Events = Get-EventLog -LogName System -Newest 1000                                            

PS F:\script\powershell>$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending   


Count Name
----- ----
  227 Microsoft-Windows-Filt...
  154 Microsoft-Windows-Kern...
  113 Service Control Manager
   72 DCOM
   50 Microsoft-Windows-Time...
   49 Microsoft-Windows-Kern...
   42 Microsoft-Windows-Dhcp...
   35 Microsoft-Windows-Ntfs
   34 EventLog
   32 Microsoft-Windows-Grou...
   30 Microsoft-Windows-Wind...
   28 Microsoft-Windows-TPM-WMI
   28 Microsoft-Windows-Kern...
   21 Microsoft-Windows-DHCP...
   14 Microsoft-Windows-Winl...
   14 Microsoft-Windows-Kern...
    7 User32
    7 volmgr
    7 Microsoft-Windows-Dire...
    7 TPM
    7 Microsoft-Windows-Wininit
    7 MEIx64
    7 e1i65x64
    4 Microsoft-Windows-DNS-...
    3 Application Popup
    1 WinDivert

 

Error events

PS F:\script\powershell> Get-EventLog -LogName System -EntryType Error  


Note:
For each item of interest, rerun with the relevant Id (Get-WinEvent) or InstanceId (Get-EventLog).

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-eventlog?view=powershell-5.1


Get-WmiObject
PS C:\Temp>  Get-WmiObject -Query "Select EventCode,TimeGenerated,Type,Message from Win32_NTLogEvent WHERE (LogFile = 'Security' and Eventcode='4624')" | select -First 10 | select-object EventCode,TimeGenerated,Type,Message | ft

 

Note:

This seems to be the fastest of the query methods, since the WQL WHERE clause is evaluated by the WMI service rather than in the pipeline. Get-WmiObject is deprecated and absent from PowerShell 6/7; Get-CimInstance -Query accepts the same WQL.

Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-wmiobject?view=powershell-5.1

 

PowerShell Scripts

check-windows-event-log.ps1

 

Entries in the Application log whose message contains "보안" (security)
F:\script\powershell>powershell -ExecutionPolicy bypass -f check-windows-event-log.ps1 -LogName Application -Pattern 보안         

 

 


Usage examples

eventquery.vbs

1. Register cmdlib.wsc

cmdlib.wsc is a Windows Script Component (WSC) file developed by Microsoft that eventquery.vbs depends on; register it once with regsvr32 (/s suppresses the confirmation dialog).

F:\script\vbs>regsvr32 cmdlib.wsc /s

 

2. Help

F:\script\vbs>cscript eventquery.vbs /?
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.

EVENTQUERY.vbs [/S system [/U username [/P password]]] [/FI filter]
               [/FO format] [/R range] [/NH] [/V] [/L logname | *]

Description:
    The EVENTQUERY.vbs script enables an administrator to list
    the events and event properties from one or more event logs.

Parameter List:
    /S     system          Specifies the remote system to connect to.
    /U     [domain\]user   Specifies the user context under which the command should execute.
    /P     password        Specifies the password for the given user context.
    /V                     Specifies that the detailed information should be displayed in the output.
    /FI    filter          Specifies the types of events to filter in or out of the query.
    /FO    format          Specifies the format in which the output is to be displayed.
                           Valid formats are "TABLE", "LIST", "CSV".
    /R     range           Specifies the range of events to list. Valid Values are:
                           'N' - Lists 'N' most recent events.
                           '-N' - Lists 'N' oldest events.
                           'N1-N2' - Lists the events N1 to N2.
    /NH                    Specifies that the "Column Header" should not be displayed in the output.
                           Valid only for "TABLE" and "CSV" formats.
    /L     logname         Specifies the log(s) to query.
    /?                     Displays this help/usage.

    Valid Filters  Operators allowed   Valid Values
    -------------  ------------------  ------------
    DATETIME       eq,ne,ge,le,gt,lt   mm/dd/yy(yyyy),hh:mm:ssAM(/PM)
    TYPE           eq,ne               ERROR, INFORMATION, WARNING,  SUCCESSAUDIT, FAILUREAUDIT
    ID             eq,ne,ge,le,gt,lt   non-negative integer
    USER           eq,ne               string
    COMPUTER       eq,ne               string
    SOURCE         eq,ne               string
    CATEGORY       eq,ne               string

NOTE: Filter "DATETIME" can be specified as "FromDate-ToDate" Only "eq" operator can be used for this format.

Examples:
    EVENTQUERY.vbs
    EVENTQUERY.vbs /L system
    EVENTQUERY.vbs /S system /U user /P password /V /L *
    EVENTQUERY.vbs /R 10 /L Application /NH
    EVENTQUERY.vbs /R -10 /FO LIST /L Security
    EVENTQUERY.vbs /R 5-10 /L "DNS Server"
    EVENTQUERY.vbs /FI "Type eq Error" /L Application
    EVENTQUERY.vbs /L Application
            /FI "Datetime eq 06/25/00,03:15:00AM-06/25/00,03:15:00PM"
    EVENTQUERY.vbs /FI "Datetime gt 08/03/00,06:20:00PM"
            /FI "Id gt 700" /FI "Type eq warning" /L System
    EVENTQUERY.vbs /FI "Type eq error OR Id gt 1000 "

 

3. Query the log

F:\script\vbs>cscript //nologo eventquery.vbs /L security | more
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
 Type          Event  Date Time                Source            ComputerName
 ------------- ------ ------------------------ ----------------- --------------
 Audit Success 4672   2020-03-03 2:03:57 AM    Microsoft-Windows chohb
 Audit Success 4624   2020-03-03 2:03:57 AM    Microsoft-Windows chohb
 Audit Success 4672   2020-03-03 1:57:02 AM    Microsoft-Windows chohb

......

 

List-format output

F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
Type:         Audit Success
Event:        4672
Date Time:    2020-03-03 2:03:57 AM
Source:       Microsoft-Windows-Security-Auditing
ComputerName: chohb

Type:         Audit Success
Event:        4624
Date Time:    2020-03-03 2:03:57 AM
Source:       Microsoft-Windows-Security-Auditing
ComputerName: chohb

......

 

Query a specific event ID
F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list /Fi "id eq 4624"

 

Verbose event details: /V
F:\script\vbs>cscript eventquery.vbs /L Security /Fi "id eq 4624" /FO list /V

 

General VBS

' Hides every runtime error (e.g. access denied on the Security log when not elevated); comment out while debugging
On Error Resume Next 

' Forward-only, semi-synchronous enumeration keeps memory flat on large logs
Const wbemFlagReturnImmediately = &h10 
Const wbemFlagForwardOnly = &h20 

Set wshNetwork = WScript.CreateObject("WScript.Network") 
strComputer = wshNetwork.ComputerName 

' Add "and EventCode='<id>'" to the WHERE clause to restrict the query to one event ID
'strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security' and EventCode='489'" 
strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security'" 

WScript.StdOut.WriteLine "" 
WScript.StdOut.WriteLine "=====================================" 
WScript.StdOut.WriteLine "COMPUTER : " & strComputer 
WScript.StdOut.WriteLine "CLASS    : ROOT\CIMV2:Win32_NTLogEvent" 
WScript.StdOut.WriteLine "QUERY    : " & strQuery 
WScript.StdOut.WriteLine "=====================================" 
WScript.StdOut.WriteLine "" 

Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\ROOT\CIMV2") 
Set colItems = objWMIService.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly) 

For Each objItem in colItems 
    WScript.StdOut.WriteLine "Category: " & objItem.Category 
    WScript.StdOut.WriteLine "CategoryString: " & objItem.CategoryString 
    WScript.StdOut.WriteLine "ComputerName: " & objItem.ComputerName 
    strData = Join(objItem.Data, ",") 
    WScript.StdOut.WriteLine "Data: " &  strData 
    WScript.StdOut.WriteLine "EventCode: " & objItem.EventCode 
    WScript.StdOut.WriteLine "EventIdentifier: " & objItem.EventIdentifier 
    WScript.StdOut.WriteLine "EventType: " & objItem.EventType 
    strInsertionStrings = Join(objItem.InsertionStrings, ",") 
    WScript.StdOut.WriteLine "InsertionStrings: " &  strInsertionStrings 
    WScript.StdOut.WriteLine "Logfile: " & objItem.Logfile 
    WScript.StdOut.WriteLine "Message: " & objItem.Message 
    WScript.StdOut.WriteLine "RecordNumber: " & objItem.RecordNumber 
    WScript.StdOut.WriteLine "SourceName: " & objItem.SourceName 
    WScript.StdOut.WriteLine "TimeGenerated: " & objItem.TimeGenerated 
    WScript.StdOut.WriteLine "TimeWritten: " & objItem.TimeWritten 
    WScript.StdOut.WriteLine "Type: " & objItem.Type 
    WScript.StdOut.WriteLine "User: " & objItem.User 
    WScript.StdOut.WriteLine "" 
Next 


wevtutil is the command-line (CLI) event log management tool that ships with Windows.

 

1. Command overview

 

Commands and options

Option: Description

/f:<Format>
Specifies that the output is either XML or text. If <Format> is XML, the output is displayed in XML format. If <Format> is Text, the output is displayed without XML tags. The default is Text.

/e:<Enabled>
Enables or disables a log. <Enabled> can be true or false.

/i:<Isolation>
Sets the log isolation mode. <Isolation> can be system, application or custom. The isolation mode of a log determines whether the log shares a session with other logs of the same isolation class. If you specify system isolation, the target log shares at least write permissions with the System log. If you specify application isolation, the target log shares at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor with the /ca option.

/lfn:<Logpath>
Defines the log file name. <Logpath> is the full path to the file in which the Event Log service stores events for this log.

/rt:<Retention>
Sets the log retention mode. <Retention> can be true or false. The log retention mode determines how the Event Log service behaves when a log reaches its maximum size. If the log reaches its maximum size and the retention mode is true, existing events are retained and incoming events are discarded. If the retention mode is false, incoming events overwrite the oldest events in the log.

/ab:<Auto>
Specifies the log auto-backup policy. <Auto> can be true or false. If this value is true, the log is backed up automatically when it reaches its maximum size. If this value is true, retention (specified with the /rt option) must also be set to true.

/ms:<MaxSize>
Sets the maximum size of the log in bytes. The minimum log size is 1048576 bytes (1024KB), and because log files are always multiples of 64KB, the value entered is rounded accordingly.

/l:<Level>
Defines the level filter of the log. <Level> can be any valid level value. This option can only be applied to logs with a dedicated session. A level filter is removed by setting it to 0.

/k:<Keywords>
Specifies the keyword filter of the log. <Keywords> can be any valid 64-bit keyword mask. This option can only be applied to logs with a dedicated session.

/ca:<Channel>
Sets the access permissions for an event log. <Channel> is a security descriptor in Security Descriptor Definition Language (SDDL). For details on the SDDL format, see the Microsoft Developer Network (MSDN) web site (https://msdn.microsoft.com).

/c:<Config>
Specifies the path to a configuration file. With this option, log properties are read from the configuration file defined in <Config>. When this option is used, the log name parameter must not be specified; the log name is read from the configuration file.

/ge:<Metadata>
Gets metadata information for events that this publisher can raise. <Metadata> can be true or false.

/gm:<Message>
Displays the actual message instead of the numeric message ID. <Message> can be true or false.

/lf:<Logfile>
Specifies whether events should be read from a log or from a log file. <Logfile> can be true or false. If true, the parameter to the command is the path to a log file.

/sq:<Structquery>
Specifies that events are selected with a structured query. <Structquery> can be true or false. If true, the path is a file containing the structured query.

/q:<Query>
Defines an XPath query to filter the events that are read or exported. If this option is not specified, all events are returned or exported. This option is not available when /sq is true.

/bm:<Bookmark>
Specifies the path to a file containing a bookmark from a previous query.

/sbm:<Savebm>
Specifies the path to a file used to save the bookmark of this query. The file name extension must be .xml.

/rd:<Direction>
Specifies the direction in which events are read. <Direction> can be true or false. If true, the most recent events are returned first.

/l:<Locale>
Defines the locale string used to print event text in a specific locale. Only available when printing events in text format with the /f option.

/c:<Count>
Sets the maximum number of events to read.

/e:<Element>
Includes a root element when displaying events in XML. <Element> is the string wanted inside the root element. For example, /e:root produces XML containing the root element pair <root></root>.

/ow:<Overwrite>
Specifies that the export file should be overwritten. <Overwrite> can be true or false. If true and the specified export file already exists, it is overwritten without confirmation.

/bu:<Backup>
Specifies the path to a file in which cleared events are stored. Include the .evtx extension in the backup file name.

/r:<Remote>
Runs the command on a remote computer. <Remote> is the name of the remote computer. The im and um parameters do not support remote operation.

/u:<Username>
Specifies a different user to log on to the remote computer. <Username> is a user name in the form domain\user or user. This option only applies when the /r option is specified.

/p:<Password>
Specifies the password for the user. If the /u option is used and this option is not specified, or <Password> is "*", the user is prompted to enter a password. This option only applies when the /u option is specified.

/a:<Auth>
Defines the authentication type for connecting to the remote computer. <Auth> can be Default, Negotiate, Kerberos or NTLM. The default is Negotiate.

/uni:<Unicode>
Displays the output in Unicode. <Unicode> can be true or false. If true, the output is in Unicode.

2. Examples

2.1 List the queryable event logs

C:\WINDOWS\system32>wevtutil el
AMSI/Debug
AMSI/Operational
AirSpaceChannel
Analytic
Application
CxAudioSvcLog
CxMonSvcLog
DebugChannel
DirectShowFilterGraph
DirectShowPluginControl
Els_Hyphenation/Analytic
EndpointMapper
FirstUXPerf-Analytic
ForwardedEvents
General Logging
HardwareEvents

......

 

2.2 Query event log file metadata

C:\WINDOWS\system32>wevtutil gli Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
creationTime: 2020-03-03T01:09:31.423Z
lastAccessTime: 2020-03-03T01:09:31.424Z
lastWriteTime: 2020-03-03T01:09:31.424Z
fileSize: 69632
attributes: 2080
numberOfLogRecords: 0
oldestRecordNumber: 0

 

2.3 Query event logs

When event logs are queried with wevtutil, the result is XML by default, as shown below.

C:\WINDOWS\system32>wevtutil qe security

Query in plain-text format

C:\WINDOWS\system32>wevtutil qe security /f:text

Query the N most recent events

C:\WINDOWS\system32>wevtutil qe security /rd:true /c:3 /f:text

 

Query a specific event ID

wevtutil qe /rd System /q:"*[System[Provider[@Name='Microsoft-Windows-Perflib'] and (EventID=1023)]]" /uni:false /f:text

 

Query events within a date range

wevtutil qe Security "/q:*[System[TimeCreated[@SystemTime>='2019-07-01T00:00:00' and @SystemTime<='2019-07-10T00:00:00']]]" /f:text /rd:true /c:3

 

Query a specific event ID within a date range

wevtutil qe Security "/q:*[System[ EventID = 4624 and TimeCreated[@SystemTime>='2018-07-01T00:00:00' and @SystemTime<='2019-07-10T00:00:00']]]" /f:text /rd:true /c:1
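The XPath filters above (EventID, TimeCreated range, /rd:true, /c:N) are applied by wevtutil on the live log. During a forensic engagement the same log is usually exported first (wevtutil qe ... > file.xml) and then worked on offline, so the following added example, which is not code from the original post, parses wevtutil qe XML output and reproduces that selection in Python: filter by EventID and SystemTime range, newest first, capped to N, plus a per-EventID count like the LogParser GROUP BY query earlier on this page and a check for 1102 (audit log cleared). The three sample records are constructed for this example; record IDs, user name and the 192.0.2.10 address are made up, while the element names and namespace follow the real event schema.

```python
"""Offline filtering of events exported with `wevtutil qe <log>` (XML output).

Added example, not code from the original post. `wevtutil qe` prints one
<Event> element per record with no enclosing root unless /e:<Element> is
used, so the text is wrapped in a synthetic root before parsing. The sample
records below are constructed (record IDs, names and the 192.0.2.10 address
are made up; element names and the namespace follow the real event schema).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

SAMPLE_XML = """
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4624</EventID><TimeCreated SystemTime='2020-03-03T01:57:02.000000000Z'/><EventRecordID>1001</EventRecordID><Computer>chohb</Computer></System><EventData><Data Name='TargetUserName'>analyst</Data><Data Name='LogonType'>10</Data><Data Name='IpAddress'>192.0.2.10</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Security-Auditing'/><EventID>4672</EventID><TimeCreated SystemTime='2020-03-03T01:57:02.000000000Z'/><EventRecordID>1002</EventRecordID><Computer>chohb</Computer></System><EventData><Data Name='SubjectUserName'>analyst</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-Eventlog'/><EventID>1102</EventID><TimeCreated SystemTime='2020-03-03T02:03:57.000000000Z'/><EventRecordID>1003</EventRecordID><Computer>chohb</Computer></System><UserData><LogFileCleared><SubjectUserName>analyst</SubjectUserName></LogFileCleared></UserData></Event>
"""


def parse_time(s):
    """Parse a SystemTime value (up to 9 fractional digits, 'Z' suffix) into an
    aware UTC datetime; datetime.fromisoformat accepts at most 6 digits."""
    s = s.rstrip("Z")
    if "." in s:
        base, frac = s.split(".", 1)
        s = base + "." + frac[:6].ljust(6, "0")
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def parse_events(text):
    """Return one dict per <Event> from wevtutil qe XML output."""
    root = ET.fromstring("<root>" + text + "</root>")
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        rec = {
            "EventID": int(system.find("e:EventID", NS).text),
            "Provider": system.find("e:Provider", NS).get("Name"),
            "TimeCreated": parse_time(system.find("e:TimeCreated", NS).get("SystemTime")),
            "RecordID": int(system.find("e:EventRecordID", NS).text),
            "Computer": system.find("e:Computer", NS).text,
            "Data": {},
        }
        # Security-auditing events carry named <Data> fields under <EventData>;
        # 1102 (log cleared) uses <UserData> with plain child elements instead.
        for d in ev.findall("e:EventData/e:Data", NS):
            rec["Data"][d.get("Name")] = d.text
        for d in ev.findall("e:UserData/*/*", NS):
            rec["Data"][d.tag.split("}", 1)[-1]] = d.text
        events.append(rec)
    return events


def filter_events(events, event_id=None, start=None, end=None,
                  newest_first=False, count=None):
    """Same selection as wevtutil /q (EventID and TimeCreated range),
    /rd:true (newest first) and /c:N (maximum count).
    start/end are SystemTime strings, as in the XPath examples above."""
    lo = parse_time(start) if start else None
    hi = parse_time(end) if end else None
    out = [e for e in events
           if (event_id is None or e["EventID"] == event_id)
           and (lo is None or e["TimeCreated"] >= lo)
           and (hi is None or e["TimeCreated"] <= hi)]
    # RecordID breaks ties between records written in the same second.
    out.sort(key=lambda e: (e["TimeCreated"], e["RecordID"]), reverse=newest_first)
    return out[:count] if count else out


def summarize(events):
    """Count records per EventID, like the LogParser GROUP BY EventID query."""
    counts = {}
    for e in events:
        counts[e["EventID"]] = counts.get(e["EventID"], 0) + 1
    return counts


def log_cleared(events):
    """(time, user) of every 1102 'audit log was cleared' record; any hit
    inside the incident window deserves a close look."""
    return [(e["TimeCreated"].isoformat(), e["Data"].get("SubjectUserName"))
            for e in events if e["EventID"] == 1102]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    print("per-EventID counts:", summarize(evs))
    for e in filter_events(evs, newest_first=True, count=3):
        print(e["RecordID"], e["EventID"], e["TimeCreated"].isoformat(), e["Data"])
    print("log cleared:", log_cleared(evs))
```

To run it against a real export, replace SAMPLE_XML with the contents of the file produced by wevtutil qe Security > security.xml (without /e:root; if /e:root was used, parse that file directly instead of wrapping it).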

 

2.4 Export event logs

Export to an evtx file

wevtutil epl System f:\temp\system_event.evtx

 

Export to a text file

wevtutil qe System /f:text > f:\temp\system_event.txt

 


Analyzing Windows event logs with the Event Viewer (eventvwr.msc) that ships with Windows

 

1. UI

Events can be exported and saved as evtx, xml, txt or csv.

 

2. Filter

A configured filter can be viewed and edited as an XML query.

 

3. Querying with a filter

The query file to be loaded must be an XML file whose root element is <QueryList>.

 

<security-event-view.xml>

<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime&gt;='2019-06-01T06:21:55.000Z' and @SystemTime&lt;='2019-07-15T06:21:55.999Z']]]</Select>
  </Query>
</QueryList>

 

Loading the filter and querying

c:\>eventvwr /v:"c:\DFIR\EventLog\security-event-view.xml"

 

. A View_1 entry is added under Custom Views and the results are displayed.

. Because this method changes the system, it is not a good approach from a forensic analysis standpoint.


1. What is the Windows event log?
The Windows event log is a binary logging system that systematically records specific actions (events) that occur while Windows operates.
Windows also records logs for the system firewall, application management and so on in text form, but the event log records the overall behavior of the system more comprehensively and systematically, so it is a key target to examine in a digital forensic investigation.

However, viewed as a system operation log, the event log contains more information about the operating state of the system than about user actions. In practice it is therefore used more effectively for incident response than for fraud investigations of a suspect.

During an incident investigation, a close examination of the event log can yield a wide range of information, from the cause of a malware execution to the infiltration path (internal network).

 

2. Key event IDs

Below are examples of a few event IDs that are commonly checked during incident investigations. In an actual investigation you should not rely only on the event IDs in the table below: quickly check the key event IDs you know, then search for keywords related to the case and examine in detail the event logs that exist in the relevant time window.

Event IDs can differ by OS type and version, and OS updates can add, change or remove them.
