The Windows event log stores records from the operating system and from applications: logons, process creation, scheduled tasks, and application-specific logs (SQL Server, IIS, etc.). The records use a structured data format, which makes them easy to search and analyze. Some applications also write plain-text log files, for example the IIS access logs.
Windows event logs provide a rich source of forensic information for threat hunting and incident response investigations. Unfortunately, processing and searching through event logs can be a slow and time-consuming process, and in most cases requires the overhead of surrounding infrastructure – such as an ELK stack or Splunk instance – to hunt efficiently through the log data and apply detection logic. This overhead often means that blue teams are unable to quickly triage Windows event logs to provide the direction and conclusions required to progress their investigations.
In this article, I will present a few tools and examples that help speed up this process.
Files location
All .evtx files are saved under:
C:\Windows\System32\winevt\Logs
EvtxECmd - Eric Zimmerman
In 2019 Eric Zimmerman released EvtxECmd, a Windows event log (.evtx) parser that does not go through the Windows API.
Because it bypasses the Windows API, it does not suffer from the problems the API has with files that were not closed properly or that, for some other reason, are not formatted the way the API expects.
With EvtxECmd.exe we can parse a whole directory of .evtx files and export the combined result to a single .csv file, which we can then investigate with other tools:
EvtxECmd.exe -d PATH-TO-EVTX-FILES --csv PATH-TO-SAVE-EVTX-FILES
We can then load the .csv file into TimelineExplorer.exe to filter and investigate it.
EventFinder2 - GUI
This program lets you choose a start and end time, then collects all events logged between them and writes them to a sorted CSV file on the desktop.
For example, choose a specific time range and click "Find Events". After a few seconds, a .csv file containing every event logged on the system in that time range appears on your desktop.
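The two steps above (EvtxECmd exporting a directory of .evtx files to one CSV, and EventFinder2 carving out a time window into a sorted CSV) can be reproduced on the exported CSV with a few lines of Python. The block below is an added example, not code from EvtxECmd, EventFinder2 or the original post; the column names follow EvtxECmd's default CSV layout as an assumption, and the rows are constructed sample data, not real logs.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample text in the shape of an EvtxECmd CSV export. The column
# names are an assumption based on EvtxECmd's default output; the rows are
# made up for this example and are not real logs. They are deliberately out
# of order so that the chronological sort below matters.
SAMPLE_CSV = """TimeCreated,EventId,Channel,Computer,UserName,MapDescription,PayloadData1
2023-05-01 08:59:30.1234567,4624,Security,WS01,CORP\\alice,Successful logon,LogonType 2
2023-05-01 09:30:00.0000000,7045,System,WS01,SYSTEM,Service installed,svc_update
2023-05-01 09:01:12.0000000,4688,Security,WS01,CORP\\alice,Process creation,cmd.exe
2023-05-01 09:03:45.5000000,1,Microsoft-Windows-Sysmon/Operational,WS01,CORP\\alice,Process creation,powershell.exe
2023-05-01 10:15:00.0000000,4624,Security,WS01,CORP\\bob,Successful logon,LogonType 10
"""


def parse_timestamp(value: str) -> datetime:
    """Parse EvtxECmd's 'yyyy-MM-dd HH:mm:ss.fffffff' (UTC) timestamp.
    Python's %f accepts at most six fractional digits, so the seventh is trimmed."""
    base, _, frac = value.strip().partition(".")
    frac = (frac + "000000")[:6]
    parsed = datetime.strptime(f"{base}.{frac}", "%Y-%m-%d %H:%M:%S.%f")
    return parsed.replace(tzinfo=timezone.utc)


def events_between(csv_text: str, start: datetime, end: datetime, event_ids=None):
    """Return the rows whose TimeCreated lies in [start, end], optionally limited
    to a set of event IDs, sorted chronologically (EventFinder2's time window)."""
    selected = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_timestamp(row["TimeCreated"])
        if not (start <= ts <= end):
            continue
        if event_ids is not None and int(row["EventId"]) not in event_ids:
            continue
        selected.append((ts, row))
    selected.sort(key=lambda pair: pair[0])
    return [row for _, row in selected]


def to_csv(rows) -> str:
    """Serialise the selected rows back to CSV with the same columns as the input."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    window_start = parse_timestamp("2023-05-01 09:00:00.0000000")
    window_end = parse_timestamp("2023-05-01 09:30:00.0000000")
    # Everything logged between 09:00 and 09:30 UTC, oldest first.
    print(to_csv(events_between(SAMPLE_CSV, window_start, window_end)))
```

The same function applied to the real EvtxECmd export (read the file into `csv_text`) gives the time-boxed, sorted view that EventFinder2 produces, with the added option of narrowing to the event IDs of interest.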
Chainsaw - GitHub
I really recommend using Chainsaw when investigating event logs. It offers a generic and fast way to search through event logs for keywords and to identify threats using its built-in detection logic and its support for Sigma detection rules.
To download the executable together with the Sigma rules, refer to:
Chainsaw provides a range of searching and hunting features that aim to help threat hunters and incident response teams detect suspicious event log entries to aid their investigations. The main feature of Chainsaw is Sigma rule-based detection across a wide variety of Windows event IDs, including:
Process Creation (Sysmon) - 1
Network Connections (Sysmon) - 3
Image Loads (Sysmon) - 7
File Creation (Sysmon) - 11
Registry Events (Sysmon) - 13
PowerShell Script Blocks - 4104
Process Creation - 4688
Scheduled Task Creation - 4698
Service Creation - 7045
Other key features include:
Search through event logs by event ID, keyword, and regex patterns
Extraction and parsing of Windows Defender, F-Secure, Sophos, and Kaspersky AV alerts
Detection of key event logs being cleared or the event log service being stopped
Users being created or added to sensitive user groups
Brute-force attempts against local user accounts
RDP logins, network logins, etc.
Hunting
Hunt through all event logs in a specific path and show additional information relating to potential lateral movement:
chainsaw.exe hunt PATH-TO-EVTX-FILES --lateral-all
Hunt through all event logs in a specific path, applying the built-in (TAU) detection logic together with the Sigma rules from the specified directory; the mapping file tells Chainsaw how Sigma field names map onto event log fields:
chainsaw hunt PATH-TO-EVTX-FILES --rules sigma_rules/ --mapping mapping_files/sigma-mapping.yml
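To make concrete what "Sigma rule-based detection with a field mapping" and the key features listed above (cleared logs, users added to sensitive groups, brute-force of local accounts) amount to, here is a small hunt engine in Python. It is an added example written for this article, not Chainsaw's code, and it does not read Chainsaw's real rule or mapping formats: the rule and mapping structures are simplified assumptions, and the events are constructed sample records shaped like parsed .evtx entries (System and EventData sections), not real logs. The event IDs used (4625 failed logon, 4732/4728 member added to a group, 1102/1100 audit log cleared and logging service shut down, 4688 process creation) are the standard Windows Security IDs.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def make_event(ts, event_id, **data):
    """Build a record shaped like a parsed EVTX event (System + EventData)."""
    return {"System": {"TimeCreated": ts, "EventID": event_id, "Channel": "Security"},
            "EventData": data}


# Constructed sample events (values are made up; not real logs).
EVENTS = [
    make_event("2023-05-01T09:00:00", 4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    make_event("2023-05-01T09:00:10", 4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    make_event("2023-05-01T09:00:20", 4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    make_event("2023-05-01T09:00:30", 4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    make_event("2023-05-01T09:00:40", 4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    make_event("2023-05-01T09:02:00", 4625, TargetUserName="bob", IpAddress="10.0.0.9"),
    make_event("2023-05-01T09:04:00", 4732, MemberName="CN=eve", TargetUserName="Administrators"),
    make_event("2023-05-01T09:06:00", 1102, SubjectUserName="eve"),
    make_event("2023-05-01T09:07:00", 4688, NewProcessName="C:\\Windows\\System32\\cmd.exe",
               CommandLine="cmd.exe /c whoami"),
]

# Field mapping in the spirit of Chainsaw's --mapping file: a rule's field
# name -> dotted path into the event record. (Assumed, simplified format.)
MAPPING = {
    "EventID": "System.EventID",
    "Channel": "System.Channel",
    "TargetUserName": "EventData.TargetUserName",
    "CommandLine": "EventData.CommandLine",
}

# Simplified Sigma-style rules: every field in "selection" must match (AND);
# a list of values means any of them (OR); "|contains" does substring match.
RULES = [
    {"title": "Event log cleared or logging service stopped",
     "selection": {"Channel": "Security", "EventID": [1102, 1100]}},
    {"title": "User added to Administrators",
     "selection": {"EventID": [4732, 4728], "TargetUserName": "Administrators"}},
    {"title": "Reconnaissance command via cmd.exe",
     "selection": {"EventID": 4688, "CommandLine|contains": "whoami"}},
]


def get_field(event, dotted_path):
    """Walk a dotted path ('EventData.CommandLine') through the nested record."""
    current = event
    for part in dotted_path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def selection_matches(event, selection, mapping):
    """True when every field of the selection matches the (mapped) event field."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        # Unmapped fields fall back to the bare name, which will not resolve
        # on a nested record: that is the "missing mapping" failure mode.
        actual = get_field(event, mapping.get(field, field))
        if actual is None:
            return False
        wanted = expected if isinstance(expected, list) else [expected]
        if modifier == "contains":
            ok = any(str(w).lower() in str(actual).lower() for w in wanted)
        else:
            ok = any(str(w).lower() == str(actual).lower() for w in wanted)
        if not ok:
            return False
    return True


def hunt(events, rules, mapping):
    """Return (rule title, event timestamp) for every rule/event match."""
    return [(rule["title"], event["System"]["TimeCreated"])
            for event in events for rule in rules
            if selection_matches(event, rule["selection"], mapping)]


def brute_forced_accounts(events, threshold=5, window=timedelta(minutes=5)):
    """Accounts with at least `threshold` failed logons (4625) inside `window`.
    This is a stateful check that a single Sigma selection cannot express."""
    failures = defaultdict(list)
    for event in events:
        if event["System"]["EventID"] == 4625:
            failures[event["EventData"]["TargetUserName"]].append(
                datetime.fromisoformat(event["System"]["TimeCreated"]))
    flagged = []
    for user, times in failures.items():
        times.sort()
        # Sliding window: any run of `threshold` failures spanning <= window.
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            flagged.append(user)
    return sorted(flagged)


if __name__ == "__main__":
    for title, when in hunt(EVENTS, RULES, MAPPING):
        print(f"{when}  {title}")
    print("brute-forced:", brute_forced_accounts(EVENTS))
```

Two points worth noticing in practice: a rule that names a field absent from the mapping silently never fires (which is why Chainsaw needs the mapping file alongside the Sigma rules), and threshold-based detections such as brute force need state across events, so they live in dedicated logic rather than in a stateless per-event rule.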
Searching
Search all .evtx files in the given directory for event ID 4624 (successful logon):
chainsaw.exe search PATH-TO-EVTX-FILES -e 4624
Search a specific .evtx log for logon events containing the string "XXX" (case-insensitive):
chainsaw.exe search PATH-TO-EVTX-FILES/security.evtx -e 4624 -s "XXX" -i
Search a specific .evtx log for logon events matching a regex pattern and save the results to a file:
chainsaw.exe search PATH-TO-EVTX-FILES/security.evtx -e 4624 -r "XXX[a-zA-Z]" -o out.txt
In each of these search commands the output is the raw event log record.
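The three search modes above (event ID, case-insensitive substring, regex, optionally written to a file) are easy to reproduce over already-parsed records, which is handy when Chainsaw is not available on the analysis host. The block below is an added example, not Chainsaw's code and not from the original article; the records are constructed sample data shaped like parsed .evtx events, and the function names and the JSON-lines output format are my own choices.

```python
import json
import re


def make_record(event_id, **data):
    """Record shaped like a parsed .evtx event (System + EventData)."""
    return {"System": {"EventID": event_id, "Channel": "Security"}, "EventData": data}


# Constructed sample records (made-up values, not real logs).
RECORDS = [
    make_record(4624, TargetUserName="Alice", LogonType="10", IpAddress="10.0.0.7"),
    make_record(4624, TargetUserName="svc_backup", LogonType="3", IpAddress="10.0.0.12"),
    make_record(4625, TargetUserName="alice", LogonType="3", IpAddress="10.0.0.7"),
    make_record(4688, NewProcessName="C:\\Windows\\System32\\cmd.exe"),
]


def search(records, event_id=None, string=None, ignore_case=False, regex=None):
    """Filter records the way the chainsaw search invocations above do:
    -e event id, -s substring (with -i for case-insensitive), -r regex.
    Matching runs against the serialised record so every field is covered,
    and the raw record is returned, not a summary."""
    flags = re.IGNORECASE if ignore_case else 0
    pattern = re.compile(regex, flags) if regex else None
    hits = []
    for rec in records:
        if event_id is not None and rec["System"]["EventID"] != event_id:
            continue
        raw = json.dumps(rec)
        if string is not None:
            hay, needle = (raw.lower(), string.lower()) if ignore_case else (raw, string)
            if needle not in hay:
                continue
        if pattern is not None and not pattern.search(raw):
            continue
        hits.append(rec)
    return hits


def write_results(hits, path):
    """Equivalent of -o: one raw record per line (JSON lines) in the output file."""
    with open(path, "w", encoding="utf-8") as fh:
        for rec in hits:
            fh.write(json.dumps(rec) + "\n")
    return len(hits)


if __name__ == "__main__":
    # Logon events whose record mentions "alice" in any case.
    for rec in search(RECORDS, event_id=4624, string="alice", ignore_case=True):
        print(json.dumps(rec))
    # Logon events with a service-account style name, saved to a file.
    print(write_results(search(RECORDS, event_id=4624, regex=r"svc_[a-z]+"), "out.txt"), "record(s) written")
```

The case-sensitivity flag matters more than it looks: without it the "alice" search misses the logon recorded as "Alice", which is why the `-i` flag is on the substring example above.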