Windows Event Log Analysis - LogParser
To analyze Windows events with Log Parser, first export the event logs to files.
For reference, detailed information on the event IDs used in each step is at https://docs.microsoft.com/ko-kr/windows/security/threat-protection/auditing/event-4625.
Exporting the event logs
C:\DFIR\EventLog>wevtutil epl security security-origin.evtx
C:\DFIR\EventLog>wevtutil epl system system_backup.evtx
C:\DFIR\EventLog>copy "c:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" firewall_backup.evtx
Examples
Query a specific event ID
C:\DFIR\EventLog>LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5038'"
Event count by event ID
C:\DFIR\EventLog> LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EventID FROM 'Security-origin.evtx' GROUP BY EventID ORDER BY CNT DESC"
Queries by case
Event log cleared
EventID 1102
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = '1102'"
RDP Session
Event id 4778
RDP session reconnected
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4778"
Event id 4779
RDP session disconnected
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4779"
Event id 4781
User account was renamed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS oldname, EXTRACT_TOKEN(Strings, 1, '|') AS newname, EXTRACT_TOKEN(Strings, 2, '|') AS accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4781"
Event id 4825
RDP Access denied
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4825"
RDP Local Session Log
Successful logon
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"
find specific user
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user LIKE '%Administrator%'"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY user ORDER BY CNT DESC"
RDP Remote Session Log
Successful logon
LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149 GROUP BY user ORDER BY CNT DESC"
RDP and console logons
Successful logon, EventID 4624
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
Logons by a specific user
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
RDP logons (logon type 10)
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"
Console logons (logon type 2)
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"
Logons from a specific IP
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
NTLM logons
possible pass-the-hash
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
group by NTLM users
LogParser.exe -q:ON -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC"
group by users
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"
group by authpackage
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"
group by LogonType
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"
group by workstation name
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"
group by process name
LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"
Failed logons
EventID 4625
Unsuccessful logon
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
Find specific User
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
Find specific IP
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
check ntlm based attempts
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
group by ntlm users
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"
group by Username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
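As an added example (not part of the original cheat sheet), the Python script below models the 4624 and 4625 queries above: it splits the Strings column on '|' the way EXTRACT_TOKEN does, applies the same service-account and NT AUTHORITY exclusions, flags the NtLmSsp logons by non-machine accounts that the "possible pass-the-hash" query looks for, and groups by a field; the Strings records embedded in it are constructed samples, and the field offsets are the ones used by the queries on this page.

```python
from collections import Counter

# Offsets into the '|'-joined Strings column, exactly as the LogParser queries use them.
# 4625 carries Status/FailureReason/SubStatus before LogonType, so its offsets are shifted.
FIELDS = {
    4624: {"Username": 5, "Domain": 6, "LogonType": 8, "AuthPackage": 9,
           "Workstation": 11, "ProcessName": 17, "SourceIP": 18},
    4625: {"Username": 5, "Domain": 6, "LogonType": 10, "AuthPackage": 11,
           "Workstation": 13, "SourceIP": 19},
}

# The same exclusions the queries apply in their WHERE clauses.
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
EXCLUDED_DOMAINS = {"NT AUTHORITY"}


def parse_event(event_id, strings):
    """Mimic EXTRACT_TOKEN(Strings, n, '|'): split and pick the named offsets."""
    tokens = strings.split("|")
    try:
        return {name: tokens[idx].strip() for name, idx in FIELDS[event_id].items()}
    except IndexError:
        return None  # truncated record: fewer tokens than the offset map expects


def is_interesting(rec):
    """Username NOT IN (service accounts) AND Domain NOT IN ('NT AUTHORITY')."""
    return rec["Username"] not in EXCLUDED_USERS and rec["Domain"] not in EXCLUDED_DOMAINS


def ntlm_user_logons(events):
    """AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' over (event_id, strings) pairs.
    Machine accounts (trailing '$') are dropped because they authenticate with NTLM routinely."""
    hits = []
    for event_id, strings in events:
        rec = parse_event(event_id, strings)
        if rec is None or not is_interesting(rec):
            continue
        if "NtLmSsp" in rec["AuthPackage"] and not rec["Username"].endswith("$"):
            rec["EventID"] = event_id
            hits.append(rec)
    return hits


def count_by(events, event_id, field):
    """GROUP BY <field> ORDER BY CNT DESC for one event id, with the same exclusions."""
    counter = Counter()
    for eid, strings in events:
        if eid != event_id:
            continue
        rec = parse_event(eid, strings)
        if rec is None or not is_interesting(rec) or rec["Username"].endswith("$"):
            continue
        counter[rec[field]] += 1
    return counter.most_common()


# Constructed sample Strings records (not real log data). Token order follows the
# EventData layout of 4624 (20 tokens) and 4625 (21 tokens).
SAMPLE_EVENTS = [
    # 4624: network logon via NtLmSsp by a user account -> flagged
    (4624, r"S-1-0-0|-|-|0x0|S-1-5-21-1|alice|CORP|0x3e7b|3|NtLmSsp |NTLM|WS01|{0000}|-|NTLM V2|128|0x0|-|10.1.47.151|49152"),
    # 4624: machine account over NTLM -> excluded by the trailing '$'
    (4624, r"S-1-0-0|-|-|0x0|S-1-5-21-2|WS02$|CORP|0x3e8c|3|NtLmSsp |NTLM|WS02|{0000}|-|NTLM V2|128|0x0|-|10.1.47.20|50001"),
    # 4624: SYSTEM / NT AUTHORITY service logon -> excluded
    (4624, r"S-1-5-18|SRV01$|CORP|0x3e7|S-1-5-18|SYSTEM|NT AUTHORITY|0x3e7|5|Advapi  |Negotiate|-|{0000}|-|-|0|0x2a8|C:\Windows\System32\services.exe|-|-"),
    # 4624: interactive RDP logon (type 10) via User32 -> not NTLM, kept for grouping only
    (4624, r"S-1-5-18|SRV01$|CORP|0x3e7|S-1-5-21-3|bob|CORP|0x9a1|10|User32 |Negotiate|WS03|{0000}|-|-|0|0x1c4|C:\Windows\System32\winlogon.exe|10.1.47.151|0"),
    # 4625: two failed NTLM logons for Administrator from two sources -> flagged, counted
    (4625, r"S-1-0-0|-|-|0x0|S-1-0-0|Administrator|CORP|0xc000006d|%%2313|0xc000006a|3|NtLmSsp |NTLM|WS09|-|-|0|0x0|-|10.1.47.151|51000"),
    (4625, r"S-1-0-0|-|-|0x0|S-1-0-0|Administrator|CORP|0xc000006d|%%2313|0xc000006a|3|NtLmSsp |NTLM|WS09|-|-|0|0x0|-|10.1.47.152|51001"),
    # 4624: truncated record -> parse_event returns None and it is skipped
    (4624, r"S-1-0-0|-|-"),
]

if __name__ == "__main__":
    for rec in ntlm_user_logons(SAMPLE_EVENTS):
        print(rec["EventID"], rec["Username"], rec["LogonType"], rec["Workstation"], rec["SourceIP"])
    print("failed logons by user:", count_by(SAMPLE_EVENTS, 4625, "Username"))
    print("successful logons by user:", count_by(SAMPLE_EVENTS, 4624, "Username"))
```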
Log Off
EventID 4634
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"
Logon using explicit credentials
EventID = 4648
Explicit credentials were used
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648"
Search by accountname
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'"
Search by usedaccount
LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'"
group by accountname
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"
group by used account
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"
Registry access
Registry value changed
EventID 4657
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4657'"
Object Access
EventID = 4663
An attempt was made to access an object
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4663'"
Admin Logon
Event id 4672
Admin logon
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY')"
Find specific user
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
group by username
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC"
Process events
Event id 4688
A new process was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688"
Search by user
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"
Search by process name
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"
group by username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"
group by process name
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"
User rights
event id 4704
A user right was assigned
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4704'"
event id 4705
A user right was removed
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4705'"
event id 4706
A new trust was created to a domain
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4706'"
User accounts
event id 4720
A user account was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser, extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4720'"
Event id 4722
user account was enabled
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4722"
Event id 4723
An attempt was made to change an account's password (the user changed their own password)
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4723"
Event id 4724
An attempt was made to reset an account's password
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4724"
Event id 4725
user account was disabled
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4725"
Event id 4726
A user account was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser, extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4726'"
Security-enabled Global group
Event id 4727
A security-enabled global group was created
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4727'"
Event id 4728
A member was added to a security-enabled global group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4728'"
Event id 4729
A member was removed from a security-enabled global group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4729'"
Event id 4730
A security-enabled global group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4730'"
Security-enabled Local group
Event id 4731
A security-enabled local group was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4731"
Event id 4732
A member was added to a security-enabled local group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4732'"
Event id 4733
A member was removed from a security-enabled local group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4733'"
Event id 4734
A security-enabled local group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 1, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 4, '|') AS who, EXTRACT_TOKEN(Strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = 4734"
Event id 4738
user account was changed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 1, '|') as user, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4738"
Event id 4740
A user account was locked out
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4740'"
Event id 4742
computer account was changed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 5, '|') as user, extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4742"
Security-enabled Universal group
Event id 4754
A security-enabled universal group was created
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4754"
Event id 4756
A member was added to a security-enabled universal group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4756'"
Event id 4757
A member was removed from a security-enabled universal group
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4757'"
Event id 4758
A security-enabled universal group was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 1, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 4, '|') AS who, EXTRACT_TOKEN(Strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = 4758"
Event id 4767
A user account was unlocked
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4767'"
Kerberos TGT
Kerberos Protocol – controlling access to servers
Kerberos introduces a third party, the Authentication Server (AS), alongside the client and server; a Ticket Granting Service (TGS) linked to the AS issues tickets, and only users holding a valid ticket are allowed to connect to the Service Server (SS).
Event id 4768
Kerberos TGT was requested
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher, extract_token(strings, 9, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4768"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"
group by cipher
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"
Kerberos Service
Event id 4769
Kerberos Service ticket was requested
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4769"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"
group by service
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"
group by cipher
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"
Event id 4771
Kerberos pre-authentication failed
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0 , '|') as user, extract_token(strings, 6 , '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'"
group by user
LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
Event id 4776
The domain controller or computer attempted to validate user credentials
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$'"
Search by username
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' AND Username = 'Administrator'"
group by username
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
group by workstation
LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Workstation, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 GROUP BY Workstation ORDER BY CNT DESC"
FireWall Rules
Event id 4946
A new exception was added to the firewall
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946"
group by rule name
LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"
Event id 4948
A rule was deleted from the firewall
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948"
group by rule name
LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"
Event id 5038
Code integrity determined that the image hash of a file is not valid
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5038'"
Event id 5136
A directory service object was modified
LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username, extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings, 11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136'"
group by username
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"
group by domain
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"
group by objectdn
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"
group by objectclass
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"
group by objectattrib
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"
group by attribvalue
LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"
Event id 5137
A directory service object was created
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5137'"
Event id 5138
A directory service object was undeleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5138'"
Event id 5139
A directory service object was moved
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5139'"
Event id 5141
A directory service object was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5141'"
Network Share Object
Event id 5140
A network share object was accessed
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5140'"
Event id 5142
A network share object was added
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5142'"
Event id 5143
A network share object was modified
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5143'"
Event id 5144
A network share object was deleted
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5144'"
Event id 5145
A network share object was checked to see whether client can be granted desired access
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5145'"
Windows Filtering Platform
Event id 5154
The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5154'"
Event id 5155
The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5155'"
Event id 5156
The Windows Filtering Platform has allowed a connection
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5156'"
Event id 5157
The Windows Filtering Platform has blocked a connection
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5157'"
Event id 5158
The Windows Filtering Platform has permitted a bind to a local port
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5158'"
Event id 5159
The Windows Filtering Platform has blocked a bind to a local port
LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5159'"
System Log
Event id 7045
A new service was installed in the system
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName, extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS ServiceUser FROM 'System_backup.evtx' WHERE EventID = 7045"
Event id 7036
Service state change (the service entered the running or stopped state)
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM 'System_backup.evtx' WHERE EventID = 7036"
group by service name
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM 'System_backup.evtx' WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC"
Task Schedule Log
Event id 100
Task started
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC"
Event id 200
Action started
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200"
group by action
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC"
Event id 140
Task registration updated by a user
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC"
Event id 141
Task registration deleted by a user
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141"
group by user
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC"
group by taskname
LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC"
Windows Firewall Log
Event id 2004
A rule has been added to the Windows Firewall exception list
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename, extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2004"
group by apppath
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2004 GROUP BY apppath ORDER BY CNT DESC"
Event id 2005
A rule has been modified in the Windows Firewall exception list
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005"
group by apppath
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY apppath ORDER BY CNT DESC"
group by rulename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY rulename ORDER BY CNT DESC"
group by servicename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY servicename ORDER BY CNT DESC"
group by local port
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY localport ORDER BY CNT DESC"
group by modifyingapp
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY modifyingapp ORDER BY CNT DESC"
Event id 2006
A rule has been deleted from the Windows Firewall exception list
LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006"
group by rulename
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY rulename ORDER BY CNT DESC"
group by changedapp
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY changedapp ORDER BY CNT DESC"
Event id 2011
The firewall blocked inbound connections to an application but was unable to notify the user
LogParser.exe -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings, 1, '|') as file, extract_token(strings, 4, '|') as port from 'Firewall_backup.evtx' WHERE EventID = 2011"
group by application
LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as file from 'Firewall_backup.evtx' WHERE EventID = 2011 GROUP BY file ORDER BY CNT DESC"
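The same questions can be asked of the exported .evtx files without LogParser. The script below is an added example, not part of the original post: it is the Get-WinEvent equivalent of the 7045 query above, run against the System_backup.evtx exported with wevtutil at the top of the page. LogParser's extract_token(strings, N, '|') is Properties[N] on the EventLogRecord, so the indices carry over unchanged. The file path and the "suspicious image path" patterns are assumptions for the demonstration.

```powershell
# Added example (not from the original post): Get-WinEvent equivalent of the
# LogParser 7045 query, reading the saved System_backup.evtx.
# extract_token(strings, N, '|') in LogParser == $event.Properties[N].Value here.

# Locations and binaries that service-based persistence tends to use; extend for your estate.
$SuspiciousImagePattern = @(
    '\\Users\\', '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\',
    'cmd\.exe', 'powershell', 'rundll32', 'regsvr32', 'mshta', 'wscript', 'cscript', 'certutil'
)

function Get-ServiceInstallEvent {
    param([string]$Path = 'C:\DFIR\EventLog\System_backup.evtx')   # assumed location
    # Path + Id is a valid FilterHashtable combination for a saved .evtx file.
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 7045 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties
            $image = [string]$p[1].Value
            [pscustomobject]@{
                Date        = $_.TimeCreated
                ServiceName = $p[0].Value            # extract_token(strings, 0, '|')
                ImagePath   = $image                 # extract_token(strings, 1, '|')
                ServiceType = $p[2].Value
                StartType   = $p[3].Value
                Account     = $p[4].Value            # extract_token(strings, 4, '|')
                Suspicious  = [bool]($SuspiciousImagePattern | Where-Object { $image -match $_ })
            }
        }
}

$installs = Get-ServiceInstallEvent

# The same "group by" views as the LogParser queries on this page.
$installs | Group-Object Account   | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$installs | Group-Object ImagePath | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# Installs whose image path or binary matches a persistence pattern, oldest first.
$installs | Where-Object Suspicious | Sort-Object Date |
    Format-Table Date, ServiceName, ImagePath, Account -AutoSize
```

Swap the path and the Id to reuse the function for the Task Scheduler or firewall files exported the same way; only the Properties indices change, and they are the same numbers used in the extract_token calls above.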
Other posts in the 'DFIR > Event log analysis' category
Windows Event Log Analysis - 3rd Party Tool (0) | 2020.03.03 |
---|---|
Windows Event Log Analysis - WMI (0) | 2020.03.03 |
Windows Event Log Analysis - PowerShell (0) | 2020.03.03 |
Windows Event Log Analysis - Visual Basic Script (vbs) (0) | 2020.03.03 |
Windows Event Log Analysis - Event management tool (wevtutil) (0) | 2020.03.03 |
Windows Event Log Analysis - 3rd Party Tool
MyEventViewer by NirSoft
From : https://www.nirsoft.net/utils/my_event_viewer.html
Command-Line Options
/SaveDirect | Save the log lines in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...) When you use the SaveDirect mode, the event log lines are saved directly to the disk, without loading them into the memory first. This means that you can save a list with large amount of event log lines into your disk without any memory problem, as long as you have enough disk space to store the saved file. The drawback of this mode: You cannot sort the log lines according to the column you choose with /sort command-line option. |
/ShowOnlyLastEvents [0 | 1] | If you specify '1' value, the last events filter will be activated. |
/LastEventsUnit [Unit] | Unit to specify the last events filter. 1 = Minutes 2 = Hours 3 = Days |
/LastEventsValue [Number of Units] | specifies the number of units (Minutes/Hours/Days) for the last events filter. |
/VisibleEventTypes [Number] | Specifies which type of events to display: 1 = Error 2 = Warning 4 = Information 8 = Audit Success 16 = Audit Failure You can combine multiple event types, for example: if you want to display both errors and warnings, set the VisibleEventTypes value to 3 (1 + 2 = 3). |
/EventLogNames [Name1] [Name2] [Name3]... | Specifies the event log names that you wish to load. |
/cfg <Filename> | Start MyEventViewer with the specified configuration file. For example: MyEventViewer.exe /cfg "c:\config\MyEventViewer.cfg" MyEventViewer.exe /cfg "%AppData%\MyEventViewer.cfg" |
/advanced | Starts MyEventViewer with the 'Advanced Filter' window, before loading the events. |
/stext <Filename> | Save the events list into a regular text file. |
/stab <Filename> | Save the events list into a tab-delimited text file. |
/scomma <Filename> | Save the events list into a comma-delimited text file (csv). |
/stabular <Filename> | Save the events list into a tabular text file. |
/shtml <Filename> | Save the events list into HTML file (Horizontal). |
/sverhtml <Filename> | Save the events list into HTML file (Vertical). |
/sxml <Filename> | Save the events list into XML file. |
/sort <column> | This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Source" and "Time". You can specify the '~' prefix character (e.g: "~Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. |
/nosort | When you specify this command-line option, the list will be saved without any sorting. |
Examples
Events from the last 3 days
C:\myeventviewer>MyEventViewer.exe /shtml C:\DFIR\EventLog\Security-Export.html /EventLogNames "Security" /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /sort "Event Type"
Load an evtx file
C:\myeventviewer>MyEventViewer.exe /Loadfile "C:\DFIR\EventLog\Security-20190716.evtx" /shtml C:\DFIR\EventLog\Security-Export-2.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time"
Events from the last 2000 minutes (/LastEventsUnit 1 = minutes; the command line filters by time, not by a count of events)
C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /ShowOnlyLastEvents 1 /LastEventsValue 2000 /LastEventsUnit 1 /sort "~Time"
Sort the results
C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /sort "Event Type" /sort "Log Type"
Note
In command-line mode you cannot filter by a specific event ID or by a from/to date range.
FullEventLogView by NirSoft
From : https://www.nirsoft.net/utils/full_event_log_view.html
An improvement on the earlier MyEventViewer: in command-line mode it can filter by event ID and similar criteria.
Command-Line Options
/ChannelFilter [1 - 3] |
Any variable inside the .cfg file can be set from the command line, for example: to show only events with Event ID 8000 and 8001; to show only events from the Microsoft-Windows-Dhcp-Client/Admin channel; to read events from .evtx files stored in c:\temp\logs; to read events from a remote computer. |
/cfg <Filename> | Start FullEventLogView with the specified configuration file. |
/RunAsAdmin | Run FullEventLogView as administrator. |
/stext <Filename> | Save the event log items into a simple text file. |
/stab <Filename> | Save the event log items into a tab-delimited text file. |
/scomma <Filename> | Save the event log items into a comma-delimited text file (csv). |
/stabular <Filename> | Save the event log items into a tabular text file. |
/shtml <Filename> | Save the event log items into HTML file (Horizontal). |
/sverhtml <Filename> | Save the event log items into HTML file (Vertical). |
/sxml <Filename> | Save the event log items into XML file. |
/sjson <Filename> | Save the event log items into JSON file. |
/SaveDirect | Save the event log items in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...) When you use the SaveDirect mode, the event log items are saved directly to the disk, without loading them into the memory first. Be aware that the sorting feature is not supported in SaveDirect mode. |
/sort <column> | This command-line option can be used with other save options for sorting by the desired column. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Record ID" and "Event ID". You can specify the '~' prefix character (e.g: "~Channel") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns. |
Example (Security channel, event ID 4624 only, last 3 days)
C:\fulleventlogview>FullEventLogView.exe /ChannelFilter 2 /ChannelFilterStr "Security" /EventIDFilter 2 /EventIDFilterstr "4624" /shtml C:\DFIR\EventLog\Security-Export-3.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /RunAsAdmin
Windows Event Log Analysis - WMI
Win32_NTLogEvent class
f:\temp>wmic ntevent /?
NTEVENT - Entries in the NT Event Log.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path>] | [<alias>] <path>) [<verb clause>].
USAGE:
NTEVENT ASSOC [<format specifier>]
NTEVENT CREATE <assign list>
NTEVENT DELETE
NTEVENT GET [<property list>] []
NTEVENT LIST [<list format>] [<list switches>]
List formats and switches
f:\temp>wmic ntevent list /?
Property list operations.
USAGE:
LIST [<list format>] [<list switches>]
The following LIST formats are available:
BRIEF - EventIdentifier, TypeEvent, Message, RecordNumber, SourceName, TimeGenerated
FULL - Category, CategoryString, ComputerName, Data, EventCode, EventIdentifier, TypeEvent, InsertionStrings,
LogFile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, UserName
The following LIST switches are available:
/TRANSLATE:<table name> - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds. If /REPEAT is specified the command is executed <repeat count> times.
/FORMAT:<format specifier> - Keyword/XSL filename to process the XML results.
Available output formats
f:\temp>wmic ntevent list /format /?
Keyword/XSL filename to process the XML results.
USAGE:
/FORMAT:<format specifier>
KEYWORDS:
CSV / HFORM / HTABLE / LIST / MOF / RAWXML / TABLE / VALUE / XML /
htable-sortby / htable-sortby.xsl / texttablewsys / texttablewsys.xsl / wmiclimofformat /
wmiclimofformat.xsl / wmiclitableformat / wmiclitableformat.xsl / wmiclitableformatnosys /
wmiclitableformatnosys.xsl / wmiclivalueformat / wmiclivalueformat.xsl
Available properties
f:\temp>wmic NTEVENT get /?
USAGE:
GET [<property list>] []
NOTE: <property list> ::= <property name> | <property name>, <property list>
The following properties are available:
Property Type Operation
======== ==== =========
Category N/A N/A
CategoryString N/A N/A
ComputerName N/A N/A
Data N/A N/A
EventCode N/A N/A
EventIdentifier N/A N/A
InsertionStrings N/A N/A
LogFile N/A N/A
Message N/A N/A
RecordNumber N/A N/A
SourceName N/A N/A
TimeGenerated N/A N/A
TimeWritten N/A N/A
Type N/A N/A
TypeEvent N/A N/A
UserName N/A N/A
EventType in Win32_NTLogEvent
Types of Event Logs
Each event entry is classified by Type to identify the severity of the event. They are Information, Warning, Error, Success Audit (Security log) and Failure Audit (Security log). In Win32_NTLogEvent the numeric EventType property holds 1 = Error, 2 = Warning, 3 = Information, 4 = Security Audit Success, 5 = Security Audit Failure, while the Type property holds the localized display string (so "오류" on a Korean system and "Error" on an English one).
Event Type | Description |
Information | An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully. |
Warning | An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low. |
Error | An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged. |
Success Audit (Security log) | An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer. |
Failure Audit (Security log) | An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive. |
Query examples
Basic queries
F:\temp>WMIC path Win32_NtLogEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list
F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list
F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET User, Type, Message, InsertionStrings, TimeGenerated /format:list
Specific time range
F:\temp>WMIC NtEvent WHERE "LogFile='System' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list
Specific event ID within a time range (4624 is written to the Security log, not System)
F:\temp>WMIC NtEvent WHERE "LogFile='Security' and EventCode='4624' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list
Error events within a time range (EventType 1 = Error; Type is the localized display string)
F:\temp>WMIC NtEvent WHERE "LogFile='System' and EventType='1' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list
F:\temp>WMIC NtEvent WHERE "LogFile='System' and Type='오류' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20200215000000.000000-240'" GET Message, TimeGenerated /format:list
Note
On an English system the Type string is "Error" rather than "오류"; filtering on the numeric EventType avoids the localization problem altogether. The TimeGenerated literals are DMTF timestamps (yyyymmddHHMMSS.mmmmmm followed by the UTC offset in minutes): -240 means UTC-4, so on a KST system the same window must be written with +540 or the query silently shifts by 13 hours. Reading the Security log through Win32_NTLogEvent requires an elevated prompt.
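The offset problem in the note above goes away if the DMTF literal is generated rather than typed. The script below is an added example and not part of the original post: it runs the same WQL time-range query from PowerShell with the timestamps produced by System.Management's converter, which stamps the local UTC offset in minutes for you. The log name, event ID and 5-day window are assumptions; the InsertionStrings indices are those of event 4624 (5 = TargetUserName, 8 = LogonType, 18 = IpAddress), and it assumes an elevated Windows PowerShell prompt because the Security log is being read.

```powershell
# Added example (not from the original post): WQL time-range query with the DMTF
# timestamps computed from DateTime values instead of hand-typed literals.

function ConvertTo-DmtfDateTime {
    param([datetime]$Value)
    # Emits yyyymmddHHMMSS.mmmmmm+UUU where UUU is the local UTC offset in minutes
    # (for example +540 on a KST system), exactly the form WQL compares against.
    [System.Management.ManagementDateTimeConverter]::ToDmtfDateTime($Value)
}

function Get-WqlEventWindow {
    param(
        [string]  $LogFile   = 'Security',                  # assumption
        [int]     $EventCode = 4624,                        # assumption
        [datetime]$Start     = (Get-Date).AddDays(-10),     # assumption
        [datetime]$End       = (Get-Date).AddDays(-5)       # assumption
    )
    $from = ConvertTo-DmtfDateTime $Start
    $to   = ConvertTo-DmtfDateTime $End

    $wql = "SELECT EventCode, TimeGenerated, Type, InsertionStrings " +
           "FROM Win32_NTLogEvent WHERE LogFile='$LogFile' AND EventCode=$EventCode " +
           "AND TimeGenerated >= '$from' AND TimeGenerated <= '$to'"

    $columns = @(
        'EventCode'
        'Type'
        # Get-CimInstance already converts TimeGenerated to a DateTime;
        # Get-WmiObject would hand back the raw DMTF string.
        'TimeGenerated'
        @{ Name = 'TargetUser'; Expression = { $_.InsertionStrings[5] } }    # 4624: TargetUserName
        @{ Name = 'LogonType';  Expression = { $_.InsertionStrings[8] } }    # 4624: LogonType
        @{ Name = 'SourceIp';   Expression = { $_.InsertionStrings[18] } }   # 4624: IpAddress
    )
    Get-CimInstance -Query $wql | Select-Object -Property $columns
}

$logons = Get-WqlEventWindow

# The two "group by" views an analyst usually wants first: by logon type, then by source.
$logons | Group-Object LogonType | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
$logons | Where-Object { $_.SourceIp -and $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
```

Print $from once to see the literal that the WMIC examples above expect; on a Korean system it ends in +540, which is why the -240 literals copied from an English example return a different window than they appear to.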
Windows Event Log Analysis - PowerShell
Get-WinEvent
List the available logs
PS C:\Temp> Get-WinEvent -ListLog *
Event count
PS C:\Temp> (get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)}).count
835
Specific time range
PS C:\Temp> get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)}
ProviderName: Microsoft-Windows-Security-Auditing
TimeCreated Id LevelDisplayName Message
----------- -- ---------------- -------
2019-07-08 6:01:22 PM 4624 Information An account was successfully logged on....
2019-07-08 6:01:20 PM 4624 Information An account was successfully logged on....
2019-07-08 6:01:18 PM 4624 Information An account was successfully logged on....
......
Most recent events
PS C:\Temp> Get-WinEvent -FilterHashtable @{logname='Security'} -MaxEvents 50
Save the results as CSV [1] (use Select-Object, not Format-List, in front of Export-Csv: Format-* cmdlets emit formatting objects, so the CSV would contain nothing useful)
PS C:\Temp> get-winevent -FilterHashtable @{logname="security";id=4624;starttime=(get-date).adddays(-10);endtime=(get-date).adddays(-5)} | select-object id, timecreated, message | export-csv f:\temp\eve-login.csv -NoTypeInformation
Specific event ID [2]
PS C:\Temp> get-winevent security | where {$_.id -eq 4624} | where {$_.timecreated -ge (get-date).adddays(-10)} | where {$_.timecreated -le (get-date).adddays(-5)}
2019-07-13 6:12:55 PM 4624 Information An account was successfully logged on....
2019-07-13 6:12:55 PM 4624 Information An account was successfully logged on....
2019-07-13 6:12:55 PM 4624 Information An account was successfully logged on....
......
Note
Comparing [1] and [2], FilterHashtable is much faster: the filter is applied inside the event log service, whereas [2] pulls every record of the log through the pipeline and filters on the client.
Reference: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/get-winevent?view=powershell-7
Get-EventLog
Get-EventLog does not support FilterHashtable, and its column names differ from Get-WinEvent's. For example, the event ID that Get-WinEvent exposes as Id appears as InstanceId in Get-EventLog (for classic event sources InstanceId also carries qualifier bits, so compare the EventID property when the two disagree).
List the available logs
PS C:\Temp> Get-EventLog -List
Most recent events
PS F:\script\powershell> get-eventlog -LogName Security -Newest 5
Index Time EntryType Source InstanceID Message
----- ---- --------- ------ ---------- -------
31284 3 03 11:52 SuccessA... Microsoft-Windows... 4672 Special privileges assigned to new logon....
31283 3 03 11:52 SuccessA... Microsoft-Windows... 4624 An account was successfully logged on....
31282 3 03 11:52 SuccessA... Microsoft-Windows... 4798 A user's local group membership was enumerated....
31281 3 03 11:52 SuccessA... Microsoft-Windows... 4798 A user's local group membership was enumerated....
31280 3 03 11:52 SuccessA... Microsoft-Windows... 4798 A user's local group membership was enumerated....
Specific event ID
PS C:\Temp> get-eventlog security | where {$_.Instanceid -eq 4624} | select -First 3
Specific time range (TimeWritten is already a DateTime, so compare it directly instead of formatting both sides as strings)
PS C:\Temp> (get-eventlog security | where {$_.InstanceID -eq 4624 -and $_.TimeWritten -ge (get-date).adddays(-10) -and $_.TimeWritten -le (get-date).adddays(-5)}).count
868
PS C:\Temp> get-eventlog security | where {$_.InstanceID -eq 4624 -and $_.TimeWritten -ge (get-date).adddays(-10) -and $_.TimeWritten -le (get-date).adddays(-5)} | select -First 3 | select-object InstanceID, @{Name='CTime';Expression={$_.TimeWritten.toString("yyyy-MM-dd HH:mm:ss")}}, Message
Count by Source among the newest 1000 entries of the System log
PS F:\script\powershell>$Events = Get-EventLog -LogName System -Newest 1000
PS F:\script\powershell>$Events | Group-Object -Property Source -NoElement | Sort-Object -Property Count -Descending
Count Name
----- ----
227 Microsoft-Windows-Filt...
154 Microsoft-Windows-Kern...
113 Service Control Manager
72 DCOM
50 Microsoft-Windows-Time...
49 Microsoft-Windows-Kern...
42 Microsoft-Windows-Dhcp...
35 Microsoft-Windows-Ntfs
34 EventLog
32 Microsoft-Windows-Grou...
30 Microsoft-Windows-Wind...
28 Microsoft-Windows-TPM-WMI
28 Microsoft-Windows-Kern...
21 Microsoft-Windows-DHCP...
14 Microsoft-Windows-Winl...
14 Microsoft-Windows-Kern...
7 User32
7 volmgr
7 Microsoft-Windows-Dire...
7 TPM
7 Microsoft-Windows-Wininit
7 MEIx64
7 e1i65x64
4 Microsoft-Windows-DNS-...
3 Application Popup
1 WinDivert
Error events
PS F:\script\powershell> Get-EventLog -LogName System -EntryType Error
Note
Change the Id (Get-WinEvent) or InstanceId (Get-EventLog) to the event of interest and rerun the query.
Get-WmiObject
PS C:\Temp> Get-WmiObject -Query "Select EventCode,TimeGenerated,Type,Message from Win32_NTLogEvent WHERE (LogFile = 'Security' and Eventcode='4624')" | select -First 10 | select-object EventCode,TimeGenerated,Type,Message | ft
Note
Of the methods on this page, this query appears to be the fastest.
PowerShell Scripts
check-windows-event-log.ps1
Entries in the Application log whose message contains "보안" (security)
F:\script\powershell>powershell -ExecutionPolicy bypass -f check-windows-event-log.ps1 -LogName Application -Pattern 보안
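The one-liners above answer "what happened in this window"; the next question is usually "which source is hammering us". The script below is an added example and not part of the original post: it pulls failed logons (4625) for a time window with FilterHashtable, summarises them per source address, and writes the result to CSV with Select-Object rather than Format-List (Format-* emits formatting objects, so Export-Csv placed after it produces junk). The window, the thresholds and the output path are assumptions; the Properties indices are those of event 4625 (5 = TargetUserName, 7 = Status, 9 = SubStatus, 10 = LogonType, 13 = WorkstationName, 19 = IpAddress). It needs an elevated prompt for the Security log.

```powershell
# Added example (not from the original post): failed-logon summary per source
# address over a FilterHashtable time window, exported to CSV the right way.

function Get-FailedLogon {
    param(
        [datetime]$Start = (Get-Date).AddDays(-1),   # assumption: last 24 hours
        [datetime]$End   = (Get-Date)
    )
    # StartTime/EndTime are evaluated by the event log service, not on the client.
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            TargetUser  = $p[5].Value
            # 0xC000006A = wrong password, 0xC0000064 = account does not exist
            Status      = '0x{0:X8}' -f $p[7].Value
            SubStatus   = '0x{0:X8}' -f $p[9].Value
            LogonType   = $p[10].Value
            Workstation = $p[13].Value
            SourceIp    = $p[19].Value
        }
    }
}

function Get-FailedLogonSummary {
    param(
        [int]$MinAttempts      = 10,   # assumption: tune to your baseline
        [int]$MinDistinctUsers = 5     # assumption
    )
    Get-FailedLogon | Group-Object SourceIp | ForEach-Object {
        $users   = @($_.Group.TargetUser | Sort-Object -Unique)
        $ordered = @($_.Group | Sort-Object TimeCreated)
        # Many accounts from one address is the password-spray pattern; many attempts
        # against few accounts from one address is the brute-force pattern.
        $verdict = if ($_.Count -ge $MinAttempts -and $users.Count -ge $MinDistinctUsers) { 'spray' }
                   elseif ($_.Count -ge $MinAttempts) { 'brute-force' }
                   else { '' }
        [pscustomobject]@{
            SourceIp      = $_.Name
            Attempts      = $_.Count
            DistinctUsers = $users.Count
            First         = $ordered[0].TimeCreated
            Last          = $ordered[-1].TimeCreated
            Verdict       = $verdict
        }
    } | Sort-Object Attempts -Descending
}

$summary = Get-FailedLogonSummary
$summary | Format-Table -AutoSize

# Select-Object, never Format-List, in front of Export-Csv.
$summary | Select-Object SourceIp, Attempts, DistinctUsers, First, Last, Verdict |
    Export-Csv 'C:\DFIR\EventLog\failed-logons.csv' -NoTypeInformation -Encoding UTF8   # assumed path
```

Status 0xC000006A with a high DistinctUsers count from one address is the usual spray signature; 0xC0000064 across many names points at account enumeration instead. Replace LogName with Path and a file name to run the same summary over a Security-origin.evtx exported with wevtutil.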
Windows Event Log Analysis - Visual Basic Script (vbs)
Usage example
eventquery.vbs
1. Register cmdlib.wsc
cmdlib.wsc is a Windows Script Component file developed by Microsoft for Windows; eventquery.vbs depends on it, so register it first.
F:\script\vbs>regsvr32 cmdlib.wsc /s
2. Help
F:\script\vbs>cscript eventquery.vbs /?
Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
EVENTQUERY.vbs [/S system [/U username [/P password]]] [/FI filter]
[/FO format] [/R range] [/NH] [/V] [/L logname | *]
Description:
The EVENTQUERY.vbs script enables an administrator to list
the events and event properties from one or more event logs.
Parameter List:
/S system Specifies the remote system to connect to.
/U [domain\]user Specifies the user context under which the command should execute.
/P password Specifies the password for the given user context.
/V Specifies that the detailed information should be displayed in the output.
/FI filter Specifies the types of events to filter in or out of the query.
/FO format Specifies the format in which the output is to be displayed.
Valid formats are "TABLE", "LIST", "CSV".
/R range Specifies the range of events to list. Valid Values are:
'N' - Lists 'N' most recent events.
'-N' - Lists 'N' oldest events.
'N1-N2' - Lists the events N1 to N2.
/NH Specifies that the "Column Header" should not be displayed in the output.
Valid only for "TABLE" and "CSV" formats.
/L logname Specifies the log(s) to query.
/? Displays this help/usage.
Valid Filters Operators allowed Valid Values
------------- ------------------ ------------
DATETIME eq,ne,ge,le,gt,lt mm/dd/yy(yyyy),hh:mm:ssAM(/PM)
TYPE eq,ne ERROR, INFORMATION, WARNING, SUCCESSAUDIT, FAILUREAUDIT
ID eq,ne,ge,le,gt,lt non-negative integer
USER eq,ne string
COMPUTER eq,ne string
SOURCE eq,ne string
CATEGORY eq,ne string
NOTE: Filter "DATETIME" can be specified as "FromDate-ToDate". Only the "eq" operator can be used for this format.
Examples:
EVENTQUERY.vbs
EVENTQUERY.vbs /L system
EVENTQUERY.vbs /S system /U user /P password /V /L *
EVENTQUERY.vbs /R 10 /L Application /NH
EVENTQUERY.vbs /R -10 /FO LIST /L Security
EVENTQUERY.vbs /R 5-10 /L "DNS Server"
EVENTQUERY.vbs /FI "Type eq Error" /L Application
EVENTQUERY.vbs /L Application
/FI "Datetime eq 06/25/00,03:15:00AM-06/25/00,03:15:00PM"
EVENTQUERY.vbs /FI "Datetime gt 08/03/00,06:20:00PM"
/FI "Id gt 700" /FI "Type eq warning" /L System
EVENTQUERY.vbs /FI "Type eq error OR Id gt 1000 "
3. Query
F:\script\vbs>cscript //nologo eventquery.vbs /L security | more
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
Type Event Date Time Source ComputerName
------------- ------ ------------------------ ----------------- --------------
Audit Success 4672 2020-03-03 2:03:57 AM Microsoft-Windows chohb
Audit Success 4624 2020-03-03 2:03:57 AM Microsoft-Windows chohb
Audit Success 4672 2020-03-03 1:57:02 AM Microsoft-Windows chohb
......
List format
F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list
------------------------------------------------------------------------------
Listing the events in 'security' log of host 'CHOHB'
------------------------------------------------------------------------------
Type: Audit Success
Event: 4672
Date Time: 2020-03-03 2:03:57 AM
Source: Microsoft-Windows-Security-Auditing
ComputerName: chohb
Type: Audit Success
Event: 4624
Date Time: 2020-03-03 2:03:57 AM
Source: Microsoft-Windows-Security-Auditing
ComputerName: chohb
......
Specific event ID
F:\script\vbs>cscript //nologo eventquery.vbs /L Security /FO list /Fi "id eq 4624"
Event details: /V
F:\script\vbs>cscript eventquery.vbs /L Security /Fi "id eq 4624" /FO list /V
General VBS
On Error Resume Next
Const wbemFlagReturnImmediately = &h10
Const wbemFlagForwardOnly = &h20
Set wshNetwork = WScript.CreateObject("WScript.Network")
strComputer = wshNetwork.ComputerName
'strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security' and EventCode='489'"
strQuery = "SELECT * FROM Win32_NTLogEvent where logfile='Security'"
WScript.StdOut.WriteLine ""
WScript.StdOut.WriteLine "====================================="
WScript.StdOut.WriteLine "COMPUTER : " & strComputer
WScript.StdOut.WriteLine "CLASS : ROOT\CIMV2:Win32_NTLogEvent"
WScript.StdOut.WriteLine "QUERY : " & strQuery
WScript.StdOut.WriteLine "====================================="
WScript.StdOut.WriteLine ""
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\ROOT\CIMV2")
Set colItems = objWMIService.ExecQuery(strQuery, "WQL", wbemFlagReturnImmediately + wbemFlagForwardOnly)
For Each objItem in colItems
WScript.StdOut.WriteLine "Category: " & objItem.Category
WScript.StdOut.WriteLine "CategoryString: " & objItem.CategoryString
WScript.StdOut.WriteLine "ComputerName: " & objItem.ComputerName
strData = Join(objItem.Data, ",")
WScript.StdOut.WriteLine "Data: " & strData
WScript.StdOut.WriteLine "EventCode: " & objItem.EventCode
WScript.StdOut.WriteLine "EventIdentifier: " & objItem.EventIdentifier
WScript.StdOut.WriteLine "EventType: " & objItem.EventType
strInsertionStrings = Join(objItem.InsertionStrings, ",")
WScript.StdOut.WriteLine "InsertionStrings: " & strInsertionStrings
WScript.StdOut.WriteLine "Logfile: " & objItem.Logfile
WScript.StdOut.WriteLine "Message: " & objItem.Message
WScript.StdOut.WriteLine "RecordNumber: " & objItem.RecordNumber
WScript.StdOut.WriteLine "SourceName: " & objItem.SourceName
WScript.StdOut.WriteLine "TimeGenerated: " & objItem.TimeGenerated
WScript.StdOut.WriteLine "TimeWritten: " & objItem.TimeWritten
WScript.StdOut.WriteLine "Type: " & objItem.Type
WScript.StdOut.WriteLine "User: " & objItem.User
WScript.StdOut.WriteLine ""
Next
윈도우 이벤트 로그 분석-이벤트 관리도구(wevtutil)
wevtutil은 Window OS에서 제공하는 CLI(Command Line Interface) 이벤트 로그 관리 도구이다.
1. 명령어 개요
Commands and options

| Option | Description |
|---|---|
| /f:<Format> | Specifies that the output should be either XML or text format. If <Format> is XML, the output is displayed in XML format. If <Format> is Text, the output is displayed without XML tags. The default is Text. |
| /e:<Enabled> | Enables or disables a log. <Enabled> can be true or false. |
| /i:<Isolation> | Sets the log isolation mode. <Isolation> can be system, application or custom. The isolation mode of a log determines whether the log shares a session with other logs in the same isolation class. If you specify system isolation, the target log shares at least write permissions with the System log. If you specify application isolation, the target log shares at least write permissions with the Application log. If you specify custom isolation, you must also provide a security descriptor with the /ca option. |
| /lfn:<Logpath> | Defines the log file name. <Logpath> is the full path to the file in which the Event Log service stores the events for this log. |
| /rt:<Retention> | Sets the log retention mode. <Retention> can be true or false. The retention mode determines how the Event Log service behaves when a log reaches its maximum size. If the log reaches its maximum size and the retention mode is true, existing events are retained and incoming events are discarded. If the retention mode is false, incoming events overwrite the oldest events in the log. |
| /ab:<Auto> | Specifies the log auto-backup policy. <Auto> can be true or false. If true, the log is backed up automatically when it reaches its maximum size. If true, retention (set with the /rt option) must also be set to true. |
| /ms:<MaxSize> | Sets the maximum size of the log in bytes. The minimum log size is 1048576 bytes (1024KB), and log files are always a multiple of 64KB, so the value entered is rounded accordingly. |
| /l:<Level> | Defines the level filter of the log. <Level> can be any valid level value. This option can only be applied to logs with a dedicated session. The level filter is removed by setting <Level> to 0. |
| /k:<Keywords> | Specifies the keywords filter of the log. <Keywords> can be any valid 64-bit keyword mask. This option can only be applied to logs with a dedicated session. |
| /ca:<Channel> | Sets the access permissions for an event log. <Channel> is a security descriptor in Security Descriptor Definition Language (SDDL). For details on the SDDL format, see the Microsoft Developer Network (MSDN) web site (https://msdn.microsoft.com). |
| /c:<Config> | Specifies the path to a configuration file. With this option the log properties are read from the configuration file defined in <Config>. When this option is used, the log name parameter is not specified; the log name is read from the configuration file. |
| /ge:<Metadata> | Gets metadata information for the events this publisher can raise. <Metadata> can be true or false. |
| /gm:<Message> | Displays the actual message instead of the numeric message ID. <Message> can be true or false. |
| /lf:<Logfile> | Specifies whether events are read from a log or from a log file. <Logfile> can be true or false. If true, the parameter of the command is the path to a log file. |
| /sq:<Structquery> | Specifies that events are obtained with a structured query. <Structquery> can be true or false. If true, the path is a file that contains the structured query. |
| /q:<Query> | Defines the XPath query used to filter the events that are read or exported. If this option is not specified, all events are returned or exported. This option is not available when /sq is true. |
| /bm:<Bookmark> | Specifies the path to a file that contains a bookmark from a previous query. |
| /sbm:<Savebm> | Specifies the path to a file used to save the bookmark of this query. The file name extension must be .xml. |
| /rd:<Direction> | Specifies the direction in which events are read. <Direction> can be true or false. If true, the most recent events are returned first. |
| /l:<Locale> | Defines the locale string used to print event text in a specific locale. Only available when printing events in text format with the /f option. |
| /c:<Count> | Sets the maximum number of events to read. |
| /e:<Element> | Includes a root element when displaying events in XML. <Element> is the string you want as the root element. For example, /e:root produces XML wrapped in the root element pair <root></root>. |
| /ow:<Overwrite> | Specifies that the export file is to be overwritten. <Overwrite> can be true or false. If true and the specified export file already exists, it is overwritten without confirmation. |
| /bu:<Backup> | Specifies the path to a file in which the cleared events are stored. Include the .evtx extension in the name of the backup file. |
| /r:<Remote> | Runs the command on a remote computer. <Remote> is the name of the remote computer. The im and um parameters do not support remote operation. |
| /u:<Username> | Specifies a different user for logging on to the remote computer. <Username> is a user name in the form domain\user or user. This option only applies when the /r option is specified. |
| /p:<Password> | Specifies the password for the user. If the /u option is used and this option is not specified, or <Password> is "*", the user is prompted to enter the password. This option only applies when the /u option is specified. |
| /a:<Auth> | Defines the authentication type for connecting to the remote computer. <Auth> can be Default, Negotiate, Kerberos or NTLM. The default is Negotiate. |
| /uni:<Unicode> | Displays the output in Unicode. <Unicode> can be true or false. If true, the output is in Unicode. |
2. Examples
2.1 List of event logs available for querying
C:\WINDOWS\system32>wevtutil el
AMSI/Debug
AMSI/Operational
AirSpaceChannel
Analytic
Application
CxAudioSvcLog
CxMonSvcLog
DebugChannel
DirectShowFilterGraph
DirectShowPluginControl
Els_Hyphenation/Analytic
EndpointMapper
FirstUXPerf-Analytic
ForwardedEvents
General Logging
HardwareEvents
......
2.2 Querying event log file metadata
C:\WINDOWS\system32>wevtutil gli Microsoft-Windows-TerminalServices-ServerUSBDevices/Operational
creationTime: 2020-03-03T01:09:31.423Z
lastAccessTime: 2020-03-03T01:09:31.424Z
lastWriteTime: 2020-03-03T01:09:31.424Z
fileSize: 69632
attributes: 2080
numberOfLogRecords: 0
oldestRecordNumber: 0
2.3 Querying event logs
When event logs are queried with the wevtutil command, the output is XML by default, as shown below.
C:\WINDOWS\system32>wevtutil qe security
Query in plain text format
C:\WINDOWS\system32>wevtutil qe security /f:text
Query the N most recent events
C:\WINDOWS\system32>wevtutil qe security /rd:true /c:3 /f:text
Query a specific event ID
wevtutil qe /rd System /q:"*[System[Provider[@Name='Microsoft-Windows-Perflib'] and (EventID=1023)]]" /uni:false /f:text
Query events in a date range
wevtutil qe Security "/q:*[System[TimeCreated[@SystemTime>='2019-07-01T00:00:00' and @SystemTime<='2019-07-10T00:00:00']]]" /f:text /rd:true /c:3
Query events with a specific event ID in a date range
wevtutil qe Security "/q:*[System[ EventID = 4624 and TimeCreated[@SystemTime>='2018-07-01T00:00:00' and @SystemTime<='2019-07-10T00:00:00']]]" /f:text /rd:true /c:1
2.4 Exporting event logs
Export to an evtx file
wevtutil epl System f:\temp\system_event.evtx
Export to a text file
wevtutil qe System /f:text > f:\temp\system_event.txt
Windows Event Log Analysis - Event Viewer (Eventvwr)
Windows event log analysis through the Event Viewer (eventvwr.msc) provided with the Windows OS
1. UI
Events can be exported: saving as evtx, xml, txt and csv is supported
2. Filter
A configured filter can be viewed and edited as a query in XML form.
3. Querying through a filter
The query file to be loaded must be an XML file whose root element is <QueryList>.
<security-event-view.xml>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(Level=1 or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and TimeCreated[@SystemTime>='2019-06-01T06:21:55.000Z' and @SystemTime&lt;='2019-07-15T06:21:55.999Z']]]</Select>
</Query>
</QueryList>
Loading the filter and querying
c:\>eventvwr /v:"c:\DFIR\EventLog\security-event-view.xml"
- A View_1 entry is added under Custom Views and the results are displayed.
- Because this method changes the state of the system, it is not a good approach from a forensic analysis standpoint.
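The conditions used in the wevtutil /q examples (section 2.3) and in the Event Viewer QueryList above are the same event XPath terms: EventID, Level and a TimeCreated range. The script below is an added example and is not part of the original post or of wevtutil itself. It applies those conditions offline to the XML that `wevtutil qe <log> /f:xml /e:Events` writes (or, for a backup file, `wevtutil qe backup.evtx /lf:true /f:xml /e:Events`), counts events per ID in the style of the LogParser GROUP BY query, and emits an equivalent QueryList file with the `<=` operator properly escaped. Running the filter over the exported copy avoids the custom-view side effect on the live system noted above. The embedded events, the host name WS01, the user names and the IP addresses are constructed for this example.

```python
"""Offline filter for Windows events exported as XML with wevtutil (added example).

Produce the input with `wevtutil qe Security /f:xml /e:Events > security.xml`, or
from a backup with `wevtutil qe security-origin.evtx /lf:true /f:xml /e:Events`,
then pass the file contents to parse_events(). Without /e the output is a bare
sequence of <Event> elements; wrap it in a root element before parsing.
"""
from datetime import datetime, timezone
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"

# Constructed sample (host, users and addresses are made up). A real 1102 event
# carries its fields under <UserData>; the shape is simplified here.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Level>0</Level>
<TimeCreated SystemTime="2019-06-28T23:59:59.000000000Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="TargetUserName">svc_backup</Data><Data Name="LogonType">5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID><Level>0</Level>
<TimeCreated SystemTime="2019-07-02T10:15:00.000000000Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="TargetUserName">alice</Data><Data Name="LogonType">10</Data>
<Data Name="IpAddress">10.0.0.5</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4625</EventID><Level>0</Level>
<TimeCreated SystemTime="2019-07-05T03:20:11.5000000Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="TargetUserName">admin</Data><Data Name="LogonType">3</Data>
<Data Name="IpAddress">10.0.0.9</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Eventlog"/><EventID>1102</EventID><Level>4</Level>
<TimeCreated SystemTime="2019-07-12T08:00:00.000000000Z"/><Computer>WS01</Computer></System>
<EventData><Data Name="SubjectUserName">alice</Data></EventData></Event>
</Events>"""


def parse_system_time(value):
    """Parse a SystemTime value (UTC; wevtutil writes up to 9 fractional digits,
    the page's queries write none) into a timezone-aware datetime."""
    main, _, frac = value.rstrip("Z").partition(".")
    stamp = datetime.strptime(main, "%Y-%m-%dT%H:%M:%S")
    micro = int((frac + "000000")[:6]) if frac else 0
    return stamp.replace(microsecond=micro, tzinfo=timezone.utc)


def parse_events(xml_text):
    """Flatten every <Event> into a dict with the System fields and EventData pairs."""
    ns = {"e": EVT_NS}
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", ns):
        system = ev.find("e:System", ns)
        events.append({
            "event_id": int(system.findtext("e:EventID", namespaces=ns)),
            "level": int(system.findtext("e:Level", default="0", namespaces=ns)),
            "provider": system.find("e:Provider", ns).get("Name"),
            "computer": system.findtext("e:Computer", default="", namespaces=ns),
            "time": parse_system_time(system.find("e:TimeCreated", ns).get("SystemTime")),
            "data": {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", ns)},
        })
    return events


def filter_events(events, event_ids=None, levels=None, start=None, end=None,
                  newest_first=False, count=None):
    """Same conditions as the XPath filters on the page, plus /rd (newest_first) and /c (count).
    start/end take the same string form as the page's queries, e.g. '2019-07-01T00:00:00'."""
    lo = parse_system_time(start) if start else None
    hi = parse_system_time(end) if end else None
    hits = [e for e in events
            if (event_ids is None or e["event_id"] in event_ids)
            and (levels is None or e["level"] in levels)
            and (lo is None or e["time"] >= lo)
            and (hi is None or e["time"] <= hi)]
    hits.sort(key=lambda e: e["time"], reverse=newest_first)
    return hits[:count] if count else hits


def count_by_event_id(events):
    """Occurrences per EventID, most frequent first (ties by ascending ID)."""
    counts = {}
    for e in events:
        counts[e["event_id"]] = counts.get(e["event_id"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def query_list_xml(path, event_ids=None, levels=None, start=None, end=None):
    """Build the <QueryList> document Event Viewer loads, with the XPath escaped for XML."""
    terms = []
    if levels:
        terms.append("(" + " or ".join(f"Level={l}" for l in sorted(levels)) + ")")
    if event_ids:
        terms.append("(" + " or ".join(f"EventID={i}" for i in sorted(event_ids)) + ")")
    if start or end:
        bounds = ([f"@SystemTime>='{start}'"] if start else []) + \
                 ([f"@SystemTime<='{end}'"] if end else [])
        terms.append("TimeCreated[" + " and ".join(bounds) + "]")
    xpath = "*[System[" + " and ".join(terms) + "]]" if terms else "*"
    return (f'<QueryList>\n  <Query Id="0" Path="{path}">\n'
            f'    <Select Path="{path}">{escape(xpath)}</Select>\n  </Query>\n</QueryList>')


def is_query_list(text):
    """Event Viewer only accepts a filter file whose root element is <QueryList>."""
    try:
        return ET.fromstring(text).tag == "QueryList"
    except ET.ParseError:
        return False


if __name__ == "__main__":
    evs = parse_events(SAMPLE_XML)
    for e in filter_events(evs, event_ids={4624}, start="2019-07-01T00:00:00",
                           end="2019-07-10T00:00:00"):
        print(e["time"].isoformat(), e["event_id"], e["data"].get("TargetUserName"))
    print(count_by_event_id(evs))
    print(query_list_xml("Security", event_ids={4624}, start="2019-07-01T00:00:00"))
```

The generated QueryList can be saved and loaded exactly as in the eventvwr /v command above, but the same parameters fed to filter_events over an exported XML copy give the answer without touching the system under examination.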
Windows Event Log
1. What is the Windows event log?
The Windows event log is a binary logging system that systematically records specific actions (events) that occur while Windows is operating.
Windows also records logs for the system firewall, application management and so on in text form, but the event log records the overall behaviour of the system more comprehensively and systematically, so it is an important source to examine in a digital forensic investigation.
However, viewed as a system operation log, the event log carries more information about the operating state of the system than about user actions. In practice it is therefore used more effectively for incident response than for fraud investigations of a suspect.
If the event log is examined closely during an incident investigation, a variety of information can be obtained, including the cause of a malware execution and the path of entry (internal network).
2. Key event IDs
Below are examples of some event IDs that are commonly checked during incident investigations. In an actual investigation, do not rely only on the event IDs in the table below; after quickly checking the key event IDs you already know, search for keywords related to the case and examine in detail the event logs that exist in the relevant time frame.
Event IDs can differ by OS type and version, and they may be added, changed or removed when the OS is updated.