Security & Forensic

To analyze Windows events with Log Parser, first export the event logs to files.

 

For reference, detailed information on the event IDs used in each step is available at https://docs.microsoft.com/ko-kr/windows/security/threat-protection/auditing/event-4625.


Exporting the event logs

C:\DFIR\EventLog>wevtutil epl security security-origin.evtx

C:\DFIR\EventLog>wevtutil epl system system_backup.evtx

C:\DFIR\EventLog>copy "c:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx" firewall_backup.evtx

 

Examples

Query a specific event ID

C:\DFIR\EventLog>LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-Origin.evtx' WHERE EventID = '5038'"

          

Number of occurrences per event ID

C:\DFIR\EventLog> LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EventID FROM 'Security-origin.evtx' GROUP BY EventID ORDER BY CNT DESC"

 

Event queries by case

Event log clearing history

EventID 1102

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security-origin.evtx' WHERE EventID = '1102'"

 

RDP Session

Event id 4778

RDP session reconnected

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4778"

          

Event id 4779

RDP session disconnected

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4779"

 

Event id 4781

User account was renamed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS newname, EXTRACT_TOKEN(Strings, 1, '|') AS oldname, EXTRACT_TOKEN(Strings, 2, '|') AS accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4781"

          

Event id 4825

RDP Access denied

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS Username, EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4825"

 

RDP Local Session Log

Successful logon

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"

          

find specific user

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user LIKE '%Administrator%'"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY user ORDER BY CNT DESC"

 

RDP Remote Session Log

Successful logon

LogParser.exe -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings, 0, '|') as user, extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149 GROUP BY user ORDER BY CNT DESC"

 

RDP and console logon

Successful logon, EventID 4624

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"

 

Logon by a specific user

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

 

RDP logon

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"

 

Console logon

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"

 

Logon from a specific IP

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"

 

NTLM logon

possible pass-the-hash

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"

          

group by NTLM users

LogParser.exe -q:ON -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC"

          

group by users

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"

          

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"

          

group by authpackage

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"

          

group by LogonType

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"

          

group by workstation name

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"

          

group by process name

LogParser.exe -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"

 

Failed logon

EventID 4625

unsuccessful logon

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"

          

Find specific User

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

          

Find specific IP

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"

          

check ntlm based attempts

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"

          

group by ntlm users

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"

          

group by Username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security-origin.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
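The 4624 and 4625 queries above all follow one pattern: pick fixed positions out of the pipe-delimited Strings field, drop the built-in accounts, then filter or group. The Python below is added here as an example and is not part of the original post. It reproduces that pattern over constructed records shaped like LogParser's EVT rows (EventID plus the Strings column), using the same positions as the queries: each surviving 4624 is tagged as RDP (logon type 10), console (type 2) or NTLM (position 9, aliased AuthPackage above, holds the logon process name, which reads NtLmSsp for NTLM logons), and 4625 failures are counted per source IP rather than per user. The threshold, the noise filter and every sample record are assumptions of this example.

```python
"""Logon triage for events 4624/4625 over records shaped like LogParser's EVT
output (EventID + pipe-joined Strings).  Positions follow the queries above.
All sample records are constructed for this example."""
from collections import Counter

F4624 = {"user": 5, "domain": 6, "logon_type": 8, "logon_process": 9,
         "workstation": 11, "process": 17, "source_ip": 18}
F4625 = {"user": 5, "domain": 6, "logon_type": 10, "logon_process": 11,
         "workstation": 13, "source_ip": 19}

# Built-in identities that the queries above exclude with NOT IN (...).
NOISE_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}
NOISE_DOMAINS = {"NT AUTHORITY"}


def extract_token(strings, index, sep="|"):
    """Python equivalent of LogParser's EXTRACT_TOKEN(Strings, index, '|')."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def fields(record, layout):
    """Resolve the named positions of a layout against a record's Strings."""
    return {name: extract_token(record["Strings"], pos) for name, pos in layout.items()}


def is_noise(f):
    """Drop service accounts, NT AUTHORITY and machine accounts ('%$').
    The queries above drop machine accounts only in the NTLM case; this
    example (an assumption) drops them for every logon type."""
    return (f["user"] in NOISE_USERS or f["domain"] in NOISE_DOMAINS
            or f["user"].endswith("$"))


def make_record(event_id, layout, **values):
    """Constructed sample record: place values at the layout's positions."""
    tokens = [""] * 21
    for name, value in values.items():
        tokens[layout[name]] = value
    return {"EventID": event_id, "Strings": "|".join(tokens)}


def successful_logons(records):
    """(user, tags) for each non-noise 4624; tags mirror the filters above:
    'rdp' for logon type 10, 'console' for type 2, 'ntlm' when position 9
    (the logon process name) reads NtLmSsp."""
    out = []
    for r in records:
        if r["EventID"] != 4624:
            continue
        f = fields(r, F4624)
        if is_noise(f):
            continue
        tags = []
        if f["logon_type"] == "10":
            tags.append("rdp")
        if f["logon_type"] == "2":
            tags.append("console")
        if "NtLmSsp" in f["logon_process"]:
            tags.append("ntlm")
        out.append((f["user"], tags))
    return out


def failed_logons_by_source(records, threshold):
    """Count 4625 events per source IP (the queries above group per user) and
    return sources with at least `threshold` failures, busiest first."""
    counts = Counter()
    for r in records:
        if r["EventID"] != 4625:
            continue
        f = fields(r, F4625)
        if not is_noise(f):
            counts[f["source_ip"]] += 1
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


# Constructed sample data: a service logon, an RDP logon, an NTLM network
# logon, a machine-account logon, a console logon and a burst of failures.
SAMPLE = [
    make_record(4624, F4624, user="SYSTEM", domain="NT AUTHORITY", logon_type="5",
                logon_process="Advapi  ", workstation="WS01",
                process="C:\\Windows\\System32\\services.exe", source_ip="-"),
    make_record(4624, F4624, user="alice", domain="CORP", logon_type="10",
                logon_process="User32 ", workstation="WS01",
                process="C:\\Windows\\System32\\winlogon.exe", source_ip="10.0.0.5"),
    make_record(4624, F4624, user="bob", domain="CORP", logon_type="3",
                logon_process="NtLmSsp ", workstation="WS02", process="-",
                source_ip="10.0.0.9"),
    make_record(4624, F4624, user="WS02$", domain="CORP", logon_type="3",
                logon_process="Kerberos", workstation="-", process="-",
                source_ip="10.0.0.9"),
    make_record(4624, F4624, user="carol", domain="CORP", logon_type="2",
                logon_process="User32 ", workstation="WS03",
                process="C:\\Windows\\System32\\winlogon.exe", source_ip="127.0.0.1"),
] + [
    make_record(4625, F4625, user="Administrator", domain="CORP", logon_type="3",
                logon_process="NtLmSsp ", workstation="UNKNOWN-HOST", source_ip="10.0.0.77")
    for _ in range(4)
] + [
    make_record(4625, F4625, user="alice", domain="CORP", logon_type="10",
                logon_process="User32 ", workstation="WS01", source_ip="10.0.0.5"),
]

if __name__ == "__main__":
    for user, tags in successful_logons(SAMPLE):
        print(f"4624 {user:<14} {','.join(tags) or 'other'}")
    for ip, n in failed_logons_by_source(SAMPLE, threshold=3):
        print(f"4625 {n} failures from {ip}")
```

Feeding real data is a matter of exporting the LogParser result (for instance with `-o:CSV`) and loading each row into the same three-key dict; the positions in `F4624` and `F4625` are the ones the queries above already rely on.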

 

Log Off

EventID 4634

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"

 

Logon using explicit credentials

EventID = 4648

Explicit credentials were used

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648"

          

Search by accountname

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'"

          

Search by usedaccount

LogParser.exe -stats:OFF -i:EVT "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security-origin.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'"

          

group by accountname

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"

          

group by used account

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security-origin.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"

 

Registry access

Registry value modified

EventID 4657

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4657'"

 

Object Access

EventID = 4663

An attempt was made to access an object

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4663'"

 

Admin Logon

Event id 4672

Admin logon

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY')"

 

Find specific user

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"

 

group by username

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"

 

group by domain

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC"

 

Process-related

event id 4688

new process was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688"

          

Search by user

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"

          

Search by process name

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"

          

group by username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"

          

group by process name

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security-origin.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"

 

User rights

event id 4704

A user right was assigned

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4704'"

          

event id 4705

A user right was removed

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4705'"

          

event id 4706

A new trust was created to a domain

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4706'"

 

User accounts

event id 4720

A user account was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser, extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4720'"

          

          

Event id 4722

user account was enabled

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4722"

 

Event id 4723

Attempt to change an account's password (the user changed their own password)

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4723"

 

Event id 4724

Attempt to reset an account's password

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4724"

 

Event id 4725

user account was disabled

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4725"

          

Event id 4726

A user account was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser, extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security-origin.evtx' WHERE EventID = '4726'"

 

Security-enabled Global group

Event id 4727

A security-enabled global group was created

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4727'"

          

Event id 4728

A member was added to a security-enabled global group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4728'"

          

Event id 4729

A member was removed from a security-enabled global group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4729'"

          

Event id 4730

A security-enabled global group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4730'"

 

Security-enabled Local group

Event id 4731

A security-enabled local group was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4731"

          

Event id 4732

A member was added to a security-enabled local group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4732'"

          

Event id 4733

A member was removed from a security-enabled local group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4733'"

          

Event id 4734

A security-enabled local group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4734"

          

Event id 4738

user account was changed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 1, '|') as user, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as whichaccount, extract_token(strings, 6, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4738"

          

Event id 4740

A user account was locked out

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4740'"

          

Event id 4742

computer account was changed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 5, '|') as user, extract_token(strings, 6, '|') as domain, extract_token(strings, 1, '|') as whichaccount, extract_token(strings, 2, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4742"

 

Security-enabled Universal group

Event id 4754

A security-enabled universal group was created

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup, extract_token(strings, 1, '|') as domain, extract_token(strings, 4, '|') as whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security-origin.evtx' WHERE EventID = 4754"

          

Event id 4756

A member was added to a security-enabled universal group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser, extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4756'"

          

Event id 4757

A member was removed from a security-enabled universal group

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser, extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings, 7, '|') as whodomain FROM 'Security-origin.evtx' WHERE EventID = '4757'"

          

Event id 4758

A security-enabled universal group was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup, EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security-origin.evtx' WHERE EventID = 4758"
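The member-added and member-removed queries for global (4728/4729), local (4732/4733) and universal (4756/4757) groups above share one Strings layout: 0 member, 2 group, 3 group domain, 6 actor, 7 actor domain. Added here as an example (not the original post's code), the Python below builds one timeline from all six event IDs, flags additions to an assumed watch-list of privileged groups, and pairs each addition with a later removal of the same member from the same group so that short-lived memberships stand out, something a per-event GROUP BY cannot show. The records, the watch-list and the 60-minute window are constructed for this example; TimeGenerated is assumed to be in LogParser's default yyyy-MM-dd hh:mm:ss form.

```python
"""Group-membership timeline for events 4728/4732/4756 (member added) and
4729/4733/4757 (member removed).  Strings positions follow the queries above:
0 member, 2 group, 3 group domain, 6 actor, 7 actor domain.
Records and watch-list are constructed for this example."""
from datetime import datetime

ADDED = {4728: "global", 4732: "local", 4756: "universal"}
REMOVED = {4729: "global", 4733: "local", 4757: "universal"}
POS = {"member": 0, "group": 2, "group_domain": 3, "actor": 6, "actor_domain": 7}
TIME_FMT = "%Y-%m-%d %H:%M:%S"  # LogParser's default TimeGenerated rendering

# Assumed watch-list; adjust to the environment under review.
WATCHED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins",
                  "Schema Admins", "Remote Desktop Users"}


def extract_token(strings, index, sep="|"):
    """Python equivalent of LogParser's EXTRACT_TOKEN(Strings, index, '|')."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def make_record(event_id, time, **values):
    """Constructed sample record with values placed at the POS positions."""
    tokens = [""] * 9
    for name, value in values.items():
        tokens[POS[name]] = value
    return {"TimeGenerated": time, "EventID": event_id, "Strings": "|".join(tokens)}


def parse_change(record):
    """Flatten a membership event into a dict; None for any other event."""
    eid = record["EventID"]
    if eid in ADDED:
        action, scope = "added", ADDED[eid]
    elif eid in REMOVED:
        action, scope = "removed", REMOVED[eid]
    else:
        return None
    change = {name: extract_token(record["Strings"], pos) for name, pos in POS.items()}
    change.update(time=record["TimeGenerated"], action=action, scope=scope)
    return change


def membership_changes(records):
    """All membership changes across the six event IDs, oldest first."""
    changes = [c for c in map(parse_change, records) if c is not None]
    return sorted(changes, key=lambda c: datetime.strptime(c["time"], TIME_FMT))


def privileged_additions(records, watched=WATCHED_GROUPS):
    """(time, member, group, actor) for every addition to a watched group."""
    return [(c["time"], c["member"], c["group"], c["actor"])
            for c in membership_changes(records)
            if c["action"] == "added" and c["group"] in watched]


def transient_memberships(records, max_minutes=60):
    """Pair each addition with the next removal of the same member from the
    same group and report pairs no further apart than max_minutes."""
    pending, out = {}, []
    for c in membership_changes(records):
        key = (c["member"], c["group"])
        if c["action"] == "added":
            pending[key] = c
        elif key in pending:
            added = pending.pop(key)
            minutes = (datetime.strptime(c["time"], TIME_FMT)
                       - datetime.strptime(added["time"], TIME_FMT)).total_seconds() / 60
            if minutes <= max_minutes:
                out.append((c["member"], c["group"], int(minutes)))
    return out


# Constructed sample data, deliberately out of time order; the last record is
# an unrelated 4624 that parse_change must ignore.
SAMPLE = [
    make_record(4728, "2024-03-01 10:00:00", member="CN=bob,CN=Users,DC=corp,DC=example",
                group="Domain Admins", group_domain="CORP", actor="admin.jane", actor_domain="CORP"),
    make_record(4733, "2024-03-01 09:07:00", member="CORP\\alice", group="Administrators",
                group_domain="Builtin", actor="helpdesk1", actor_domain="CORP"),
    make_record(4732, "2024-03-01 09:00:00", member="CORP\\alice", group="Administrators",
                group_domain="Builtin", actor="helpdesk1", actor_domain="CORP"),
    make_record(4756, "2024-03-01 11:30:00", member="CN=dave,CN=Users,DC=corp,DC=example",
                group="Sales", group_domain="CORP", actor="hr.bot", actor_domain="CORP"),
    make_record(4729, "2024-03-01 12:00:00", member="CN=eve,CN=Users,DC=corp,DC=example",
                group="Domain Admins", group_domain="CORP", actor="admin.jane", actor_domain="CORP"),
    {"TimeGenerated": "2024-03-01 08:00:00", "EventID": 4624, "Strings": "|||||alice|CORP"},
]

if __name__ == "__main__":
    for time, member, group, actor in privileged_additions(SAMPLE):
        print(f"{time}  {actor} added {member} to {group}")
    for member, group, minutes in transient_memberships(SAMPLE):
        print(f"{member} was in {group} for only {minutes} min")
```

The pairing in `transient_memberships` keys on (member, group), so a member added to two groups is tracked separately for each; the window is a tuning knob, since legitimate just-in-time administration also produces short memberships and the point is to surface them for review, not to judge them automatically.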

          

Event id 4767

A user account was unlocked

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '4767'"

 

Kerberos TGT

Kerberos protocol: managing server access permissions

Kerberos introduces a third-party Authentication Server (AS) alongside the client and server, issues tickets through the associated Ticket Granting Service (TGS), and allows only users holding a valid ticket to connect to the Service Server (SS).

 

Event id 4768

Kerberos TGT was requested

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher, extract_token(strings, 9, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4768"

 

group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"

 

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"

 

group by cipher

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"

 

Kerberos Service

Event id 4769

Kerberos Service ticket was requested

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0, '|') as user, extract_token(strings, 1, '|') as domain, extract_token(strings, 2, '|') as service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4769"

          

group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"


group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"

 

group by service

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"

 

group by cipher

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"

                    

Event id 4771

Kerberos pre-authentication failed

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 0 , '|') as user, extract_token(strings, 6 , '|') as sourceip FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'"


group by user

LogParser.exe -stats:OFF -i:EVT "SELECT extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"

 

Event id 4776

The domain controller or computer attempted to validate user credentials

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"

 

Search by username

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username = 'Administrator'"

 

group by username

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"


group by domain

LogParser.exe -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security-origin.evtx' WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"

 

FireWall Rules

Event id 4946

new exception was added to firewall

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946"

          

group by rule name

LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"

          

Event id 4948

rule was deleted from firewall

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948"

          

group by rule name

LogParser.exe -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security-origin.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"

 

Event id 5038

Code integrity determined that the image hash of a file is not valid

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5038'"

 

Event id 5136

A directory service object was modified

LogParser.exe -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username, extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings, 11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136'"

          

group by username

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"

          

group by domain

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"

          

group by objectdn

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"

          

group by objectclass

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"

          

group by objectattrib

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"

          

group by attribvalue

LogParser.exe -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM 'Security-origin.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"

          

Event id 5137

A directory service object was created

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5137'"

          

Event id 5138

A directory service object was undeleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5138'"

          

Event id 5139

A directory service object was moved

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5139'"

          

Event id 5141

A directory service object was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5141'"

 

Network Share Object

Event id 5140

A network share object was accessed

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5140'"

          

Event id 5142

A network share object was added

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5142'"

          

Event id 5143

A network share object was modified

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5143'"

          

Event id 5144

A network share object was deleted

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5144'"

          

Event id 5145

A network share object was checked to see whether client can be granted desired access

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5145'"

 

Windows Filtering Platform

Event id 5154

The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5154'"

          

Event id 5155

The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5155'"

          

Event id 5156

The Windows Filtering Platform has allowed a connection

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5156'"

          

Event id 5157

The Windows Filtering Platform has blocked a connection

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5157'"

          

Event id 5158

The Windows Filtering Platform has permitted a bind to a local port

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5158'"

          

Event id 5159

The Windows Filtering Platform has blocked a bind to a local port

LogParser.exe -stats:OFF -i:EVT "SELECT * FROM 'Security-origin.evtx' WHERE EventID = '5159'"

 

System Log

New Service was installed in system

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName, extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS ServiceUser FROM System_backup.evtx WHERE EventID = 7045"
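The 7045 query above lists every new service; on a busy host that is too many rows to read. The following is an added example, not code from the original page: it parses constructed 7045 records with the same token positions (0 ServiceName, 1 ImagePath, 2 ServiceType, 3 StartType, 4 AccountName) and flags the installs a responder looks at first. The heuristics (binary in a user-writable directory, an interpreter or launcher as the service image, an encoded PowerShell command line, the PsExec service name) and all names are this example's own choices.

```python
"""Triage constructed System-log 7045 (new service installed) records."""
import re

FIELDS_7045 = ["ServiceName", "ImagePath", "ServiceType", "StartType", "AccountName"]

# Directories a legitimate service binary rarely lives in
WRITABLE_DIRS = re.compile(r"\\(users|temp|appdata|programdata|perflogs)\\", re.I)
# Service "binaries" that are really a command line
LAUNCHERS = re.compile(
    r"(cmd\.exe|powershell(\.exe)?|rundll32\.exe|regsvr32\.exe|mshta\.exe|wscript\.exe|cscript\.exe)",
    re.I)
# -enc / -EncodedCommand followed by a base64 blob
ENCODED_PS = re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{20,}", re.I)

SAMPLE_7045 = [  # constructed (TimeGenerated, EventID, Strings) rows
    ("2020-02-10 10:01:00", 7045,
     r"Windows Update Medic Service|C:\Windows\System32\svchost.exe -k netsvcs|user mode service|auto start|LocalSystem"),
    ("2020-02-10 10:05:12", 7045,
     r"UpdaterSvc|C:\Users\Public\update.exe|user mode service|auto start|LocalSystem"),
    ("2020-02-10 10:06:30", 7045,
     r"WinRM helper|%COMSPEC% /c powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA|user mode service|demand start|LocalSystem"),
    ("2020-02-10 10:07:00", 7045,
     r"PSEXESVC|%SystemRoot%\PSEXESVC.exe|user mode service|demand start|LocalSystem"),
    ("2020-02-10 10:07:05", 7036, r"PSEXESVC|running"),
]


def parse_7045(record):
    """Named fields for one 7045 record; None for other ids or short Strings."""
    time_generated, eid, strings = record
    if eid != 7045:
        return None
    tokens = strings.split("|")
    if len(tokens) < len(FIELDS_7045):
        return None
    row = dict(zip(FIELDS_7045, tokens))
    row["TimeGenerated"] = time_generated
    return row


def triage(row):
    """Reasons a 7045 record deserves attention (empty list = routine)."""
    reasons = []
    path = row["ImagePath"]
    if WRITABLE_DIRS.search(path):
        reasons.append("binary in user-writable directory")
    if LAUNCHERS.search(path):
        reasons.append("service image is an interpreter or launcher")
    if ENCODED_PS.search(path):
        reasons.append("encoded PowerShell command line")
    if row["ServiceName"].upper() == "PSEXESVC":
        reasons.append("PsExec service (remote execution)")
    return reasons


def suspicious_services(records):
    """(TimeGenerated, ServiceName, AccountName, reasons) for flagged installs."""
    out = []
    for rec in records:
        row = parse_7045(rec)
        if row is None:
            continue
        reasons = triage(row)
        if reasons:
            out.append((row["TimeGenerated"], row["ServiceName"], row["AccountName"], reasons))
    return out


if __name__ == "__main__":
    for when, name, account, reasons in suspicious_services(SAMPLE_7045):
        print(when, name, account, "; ".join(reasons))
```

Pair the hits with the 7036 "running" events for the same service name to confirm the service actually started, and with the Security log's 4624/4672 around the same timestamp to see who installed it.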

 

Service actions

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036"

 

group by service name

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM System_backup.evtx WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC"

 

Task Schedule Log

Task was Run

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100"

 

group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC"

 

action was executed

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0, '|') as taskname, extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200"

 

group by action

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC"

 

user updated a task

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140"

          

group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC"

          

group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC"

 

user deleted a task

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings, 0, '|') as taskname, extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141"


group by user

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC"


group by taskname

LogParser.exe -stats:OFF -i:EVT "Select extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC"

 

Windows Firewall Log

FW New exception rule was added

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename, extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2004"

          

group by apppath

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2004 GROUP BY apppath ORDER BY CNT DESC"

 

FW Rule was Changed

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005"

          

group by apppath

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY apppath ORDER BY CNT DESC"

          

group by rulename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY rulename ORDER BY CNT DESC"

          

group by servicename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY servicename ORDER BY CNT DESC"

          

group by local port

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY localport ORDER BY CNT DESC"

          

group by modifyingapp

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Firewall_backup.evtx' WHERE EventID = 2005 GROUP BY modifyingapp ORDER BY CNT DESC"

 

FW Rule was Deleted

LogParser.exe -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006"

          

group by rulename

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY rulename ORDER BY CNT DESC"

          

group by changedapp

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Firewall_backup.evtx' WHERE EventID = 2006 GROUP BY changedapp ORDER BY CNT DESC"

 

Firewall blocked inbound connections to the application

Firewall blocked inbound connections to the application, but did not notify the user

LogParser.exe -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings, 1, '|') as file, extract_token(strings, 4, '|') as port from 'Firewall_backup.evtx' WHERE EventID = 2011"

          

group by application

LogParser.exe -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings, 1, '|') as file from 'Firewall_backup.evtx' WHERE EventID = 2011 GROUP BY file ORDER BY CNT DESC"

 


MyEventViewer by NirSoft

From : https://www.nirsoft.net/utils/my_event_viewer.html


Command-Line Options

/SaveDirect Save the log lines in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...)
When you use the SaveDirect mode, the event log lines are saved directly to the disk, without loading them into the memory first. This means that you can save a list with large amount of event log lines into your disk without any memory problem, as long as you have enough disk space to store the saved file. The drawback of this mode: You cannot sort the log lines according to the column you choose with /sort command-line option.
/ShowOnlyLastEvents [0 | 1] If you specify '1' value, the last events filter will be activated.
/LastEventsUnit [Unit] Unit to specify the last events filter.
1 = Minutes
2 = Hours
3 = Days
/LastEventsValue [Number of Units] specifies the number of units (Minutes/Hours/Days) for the last events filter.
/VisibleEventTypes [Number] Specifies which type of events to display:
1 = Error
2 = Warning
4 = Information
8 = Audit Success
16 = Audit Failure

You can combine multiple event types, for example: if you want to display both errors and warnings, set the VisibleEventTypes value to 3 (1 + 2 = 3):

/EventLogNames [Name1] [Name2] [Name3]... Specifies the event log names that you wish to load.

Examples:
MyEventViewer.exe /EventLogNames "osession" "security" "Internet Explorer"
MyEventViewer.exe /EventLogNames "Application" "Security"

/cfg <Filename> Start MyEventViewer with the specified configuration file. For example:
MyEventViewer.exe /cfg "c:\config\MyEventViewer.cfg"
MyEventViewer.exe /cfg "%AppData%\MyEventViewer.cfg"
/advanced Starts MyEventViewer with the 'Advanced Filter' window, before loading the events.
/stext <Filename> Save the events list into a regular text file.
/stab <Filename> Save the events list into a tab-delimited text file.
/scomma <Filename> Save the events list into a comma-delimited text file (csv).
/stabular <Filename> Save the events list into a tabular text file.
/shtml <Filename> Save the events list into HTML file (Horizontal).
/sverhtml <Filename> Save the events list into HTML file (Vertical).
/sxml <Filename> Save the events list into XML file.
/sort <column> This command-line option can be used with other save options for sorting by the desired column. If you don't specify this option, the list is sorted according to the last sort that you made from the user interface. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Source" and "Time". You can specify the '~' prefix character (e.g: "~Time") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.
/nosort When you specify this command-line option, the list will be saved without any sorting.

Examples

Query events from the last 3 days
C:\myeventviewer>MyEventViewer.exe /shtml C:\DFIR\EventLog\Security-Export.html /EventLogNames "Security" /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /sort "Event Type"

Load an evtx file
C:\myeventviewer>MyEventViewer.exe /Loadfile "C:\DFIR\EventLog\Security-20190716.evtx" /shtml C:\DFIR\EventLog\Security-Export-2.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time"


Query events from the last 2000 minutes

C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /ShowOnlyLastEvents 1 /LastEventsValue 2000 /LastEventsUnit 1 /sort "~Time"

/LastEventsValue is a number of time units (/LastEventsUnit 1 = minutes), not a number of events; the last-events filter cannot return "the most recent N events".

Sort the results
C:\myeventviewer>MyEventViewer.exe /shtml f:\temp\events.html /sort "Event Type" /sort "Log Type"


< Note >
 In command-line mode it is not possible to filter by a specific event ID or by a from/to date range.

 

FullEventlogview by NirSoft

From : https://www.nirsoft.net/utils/full_event_log_view.html

 

Improves on the shortcomings of the older MyEventViewer: in command-line mode it can filter by a specific event ID and similar criteria.

Command-Line Options

/ChannelFilter [1 - 3] 
/EventIDFilter [1 - 3] 
/ProviderFilter [1 - 3] 
/ChannelFilterStr [Filter String] 
/EventIDFilterStr [Filter String] 
/ProviderFilterStr [Filter String] 



You can use any variable inside the .cfg file in order to set the configuration from the command line; here are some examples:

In order to show only events with Event ID 8000 and 8001: 
FullEventLogView.exe /EventIDFilter 2 /EventIDFilterStr "8000,8001"

In order to show only events from the Microsoft-Windows-Dhcp-Client/Admin channel: 
FullEventLogView.exe /ChannelFilter 2 /ChannelFilterStr "Microsoft-Windows-Dhcp-Client/Admin"

In order to read events from .evtx files stored in c:\temp\logs : 
FullEventLogView.exe /DataSource 3 /LogFolder "c:\temp\logs" /LogFolderWildcard "*"

In order to read events from remote computer: 
FullEventLogView.exe /DataSource 2 /ComputerName "192.168.0.70"

/cfg <Filename>

Start FullEventLogView with the specified configuration file. For example: 
FullEventLogView.exe /cfg "c:\config\felv.cfg" 
FullEventLogView.exe /cfg "%AppData%\FullEventLogView.cfg"

/RunAsAdmin

Run FullEventLogView as administrator.

/stext <Filename>

Save the event log items into a simple text file.

/stab <Filename>

Save the event log items into a tab-delimited text file.

/scomma <Filename>

Save the event log items into a comma-delimited text file (csv).

/stabular <Filename>

Save the event log items into a tabular text file.

/shtml <Filename>

Save the event log items into HTML file (Horizontal).

/sverhtml <Filename>

Save the event log items into HTML file (Vertical).

/sxml <Filename>

Save the event log items into XML file.

/sjson <Filename>

Save the event log items into JSON file.

/SaveDirect

Save the event log items in SaveDirect mode. For using with the other save command-line options ( /scomma, /stab, /sxml, and so on...) When you use the SaveDirect mode, the event log items are saved directly to the disk, without loading them into the memory first. Be aware that the sorting feature is not supported in SaveDirect mode.

/sort <column>

This command-line option can be used with other save options for sorting by the desired column. The <column> parameter can specify the column index (0 for the first column, 1 for the second column, and so on) or the name of the column, like "Record ID" and "Event ID". You can specify the '~' prefix character (e.g: "~Channel") if you want to sort in descending order. You can put multiple /sort in the command-line if you want to sort by multiple columns.

Example (Security channel, event ID 4624 only, last 3 days, newest first)
C:\fulleventlogview>FullEventLogView.exe  /ChannelFilter 2 /ChannelFilterStr "Security" /EventIDFilter 2  /EventIDFilterstr "4624" /shtml C:\DFIR\EventLog\Security-Export-3.html /ShowOnlyLastEvents 1 /LastEventsValue 3 /LastEventsUnit 3 /sort "~Time" /RunAsAdmin

 


Win32_NTLogEvent class

f:\temp>wmic ntevent /?
NTEVENT - Entries in the NT Event Log.
HINT: BNF for Alias usage.
(<alias> [WMIObject] | <alias> [<path where>] | [<alias>] <path where>) [<verb clause>]

USAGE:
NTEVENT ASSOC [<format specifier>]
NTEVENT CREATE <assign list>
NTEVENT DELETE
NTEVENT GET [<property list>] []
NTEVENT LIST [<list format>] [<list switches>]

Items that can be listed
f:\temp>wmic ntevent list /?
Property list operations.

USAGE:
LIST [<list format>] [<list switches>]

The following LIST formats are available:
BRIEF   - EventIdentifier, TypeEvent, Message, RecordNumber, SourceName, TimeGenerated
FULL    - Category, CategoryString, ComputerName, Data, EventCode, EventIdentifier, TypeEvent, InsertionStrings, 
            LogFile, Message, RecordNumber, SourceName, TimeGenerated, TimeWritten, Type, UserName


The following LIST switches are available:
/TRANSLATE:<table name>      - Translate output via values from <table name>.
/EVERY:<interval> [/REPEAT:<repeat count>] - Returns value every (X interval) seconds. If /REPEAT is specified the command is executed <repeat count> times.
/FORMAT:<format specifier>   - Keyword/XSL filename to process the XML results.

Available output formats
f:\temp>wmic ntevent list /format /?
Keyword/XSL filename to process the XML results.

USAGE:
/FORMAT:<format specifier>

Keywords:
CSV / HFORM / HTABLE / LIST / MOF / RAWXML / TABLE / VALUE / XML /
htable-sortby / htable-sortby.xsl / texttablewsys / texttablewsys.xsl / wmiclimofformat /
wmiclimofformat.xsl / wmiclitableformat / wmiclitableformat.xsl / wmiclitableformatnosys /
wmiclitableformatnosys.xsl / wmiclivalueformat / wmiclivalueformat.xsl

Available properties
f:\temp>wmic NTEVENT get /?
USAGE:
GET [<property list>] []
NOTE: <property list> ::= <property name> | <property name>,  <property list>
The following properties are available:
Property                       Type                    Operation
========                       ====                    =========
Category                       N/A                     N/A
CategoryString                 N/A                     N/A
ComputerName                   N/A                     N/A
Data                           N/A                     N/A
EventCode                      N/A                     N/A
EventIdentifier                N/A                     N/A
InsertionStrings               N/A                     N/A
LogFile                        N/A                     N/A
Message                        N/A                     N/A
RecordNumber                   N/A                     N/A
SourceName                     N/A                     N/A
TimeGenerated                  N/A                     N/A
TimeWritten                    N/A                     N/A
Type                           N/A                     N/A
TypeEvent                      N/A                     N/A
UserName                       N/A                     N/A

EventType in Win32_NTLogEvent

Types of Event Logs
Each event entry is classified by Type to identify the severity of the event. They are Information, Warning, Error, 
Success Audit (Security Log) and Failure Audit (Security Log). In Win32_NTLogEvent the numeric EventType property is 1 = Error, 2 = Warning, 3 = Information, 4 = Security Audit Success, 5 = Security Audit Failure; the Type property holds the localized display string for the same value.

Event Type

Description

Information

An event that describes the successful operation of a task, such as an application, driver, or service. For example, an Information event is logged when a network driver loads successfully.

Warning

An event that is not necessarily significant, however, may indicate the possible occurrence of a future problem. For example, a Warning message is logged when disk space starts to run low.

Error

An event that indicates a significant problem such as loss of data or loss of functionality. For example, if a service fails to load during startup, an Error event is logged.

Success Audit

(Security log)

An event that describes the successful completion of an audited security event. For example, a Success Audit event is logged when a user logs on to the computer.

Failure Audit

(Security log)

An event that describes an audited security event that did not complete successfully. For example, a Failure Audit may be logged when a user cannot access a network drive.

Query examples

Basic queries

F:\temp>WMIC path Win32_NtLogEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list 

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET Message, TimeGenerated /format:list 

F:\temp>WMIC NtEvent WHERE "LogFile='System'" GET UserName, Type, Message, InsertionStrings, TimeGenerated /format:list


Query a time range

TimeGenerated is compared as a DMTF datetime string: yyyymmddHHMMSS.ffffff followed by the offset from UTC in minutes. The -240 used below is UTC-4; on a host running in KST the literal must end in +540, otherwise the window is shifted by the difference.

F:\temp>WMIC NtEvent WHERE "LogFile='System' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list


Query a specific EventID in a time range (4624 is a Security-log event, so the filter names LogFile='Security')
F:\temp>WMIC NtEvent WHERE "LogFile='Security' and EventCode='4624' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list

Query Error events in a time range (EventType 1 = Error)
F:\temp>WMIC NtEvent WHERE "LogFile='System' and EventType='1' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list

 

F:\temp>WMIC NtEvent WHERE "LogFile='System' and Type='오류' and TimeGenerated >= '20200210000000.000000-240' and TimeGenerated <= '20290215000000.000000-240'" GET Message, TimeGenerated /format:list


<Note>

Type is the localized display string, so on an English-locale system "오류" is "Error". Filtering on the numeric EventType works regardless of locale.
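The queries above hand-write the DMTF timestamp and the localized Type string. The following is an added example, not code from the original page: it builds the WHERE clause for Win32_NTLogEvent from an aware datetime (so the UTC offset in the literal is correct for the host's zone rather than copied from an example), maps the type name to the locale-independent EventType number, and emits the complete WMIC command line. The EventType values are those of Win32_NTLogEvent; the function names are this example's own.

```python
"""Build WMIC Win32_NTLogEvent queries with correctly formatted DMTF times."""
import re
from datetime import datetime, timedelta, timezone

EVENT_TYPE = {  # Win32_NTLogEvent.EventType
    "Error": 1,
    "Warning": 2,
    "Information": 3,
    "Security Audit Success": 4,
    "Security Audit Failure": 5,
}


def at(y, m, d, hour=0, minute=0, second=0, utc_offset_hours=0):
    """Aware datetime at a fixed UTC offset (KST is +9, the page's -240 is -4)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return datetime(y, m, d, hour, minute, second, tzinfo=tz)


def to_dmtf(dt):
    """DMTF datetime: yyyymmddHHMMSS.ffffff+UUU, UUU = minutes east of UTC.
    Naive datetimes are treated as UTC rather than silently as local time."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    offset_min = int(dt.utcoffset().total_seconds() // 60)
    return f"{dt:%Y%m%d%H%M%S}.{dt.microsecond:06d}{offset_min:+04d}"


def where_clause(logfile, start=None, end=None, event_code=None, event_type=None):
    """WQL WHERE body for Win32_NTLogEvent, quoted the way the WMIC examples do.
    event_code is forced to int and logfile is whitelisted so caller-supplied
    values cannot break out of the quoted WQL literals."""
    if not re.fullmatch(r"[A-Za-z0-9 _./-]+", logfile):
        raise ValueError(f"unexpected LogFile name: {logfile!r}")
    parts = [f"LogFile='{logfile}'"]
    if event_code is not None:
        parts.append(f"EventCode='{int(event_code)}'")
    if event_type is not None:
        parts.append(f"EventType='{EVENT_TYPE[event_type]}'")
    if start is not None:
        parts.append(f"TimeGenerated >= '{to_dmtf(start)}'")
    if end is not None:
        parts.append(f"TimeGenerated <= '{to_dmtf(end)}'")
    return " and ".join(parts)


def wmic_command(logfile, properties=("Message", "TimeGenerated"), **filters):
    """Complete WMIC command line for cmd.exe."""
    return (f'WMIC NtEvent WHERE "{where_clause(logfile, **filters)}" '
            f'GET {", ".join(properties)} /format:list')


if __name__ == "__main__":
    # Logons (Security log) between 10 and 15 Feb 2020, host clock in KST
    print(wmic_command("Security", event_code=4624,
                       start=at(2020, 2, 10, utc_offset_hours=9),
                       end=at(2020, 2, 15, utc_offset_hours=9)))
    # System-log errors since 10 Feb 2020, filtered by number, not by locale string
    print(wmic_command("System", event_type="Error",
                       start=at(2020, 2, 10, utc_offset_hours=9)))
```

Paste the printed line into cmd.exe as-is; the WHERE body is double-quoted and the WQL string literals inside it are single-quoted, which is the quoting the examples above use.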

 
