Get-WinEvent

Understanding the importance of mass analysis of Windows Event Logs and Sysmon logs is pivotal in the realm of cybersecurity, especially in Incident Response (IR) and threat hunting scenarios.


Using Get-WinEvent

The Get-WinEvent cmdlet is an indispensable tool in PowerShell for querying Windows event logs. It can retrieve different types of logs: classic System and Application logs, logs generated by the Windows Event Log service, and Event Tracing for Windows (ETW) logs.

See available logs

Get-WinEvent -ListLog *

By using the pipe ( | ), we pass the output of the previous command to the one after the pipe. For example, we can retrieve the list of logs and display essential properties such as LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, and LogType.

List of logs with essential properties displayed

Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

This command provides us with valuable information about each log, including the name of the log, the number of records present, whether the log is in the classic .evt format or the newer .evtx format, its enabled status, the log mode (Circular, Retain, or AutoBackup), and the log type (Administrative, Analytical, Debug, or Operational).

Additionally, we can explore the event log providers associated with each log using the -ListProvider parameter.

Get-WinEvent -ListProvider * | Format-Table -AutoSize

Let's now look at more specific events.

1. Retrieving events from the System log


Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
  • -LogName 'System' - retrieves events from the System log

  • -MaxEvents 50 - limits the output to the 50 most recent events


2. Retrieving events from Microsoft-Windows-WinRM/Operational

  • -LogName 'Microsoft-Windows-WinRM/Operational' - events are retrieved from the Microsoft-Windows-WinRM/Operational log

  • -MaxEvents 30 - shows 30 events

To retrieve the oldest events first, instead of manually sorting the results, we can use the -Oldest parameter.


3. Retrieving events from .evtx Files

If you have an exported .evtx file from another computer, or you have backed up an existing log, you can use the Get-WinEvent cmdlet to read and query those logs. Just provide the -Path parameter.


4. Filtering events with FilterHashtable

To filter Windows event logs, we can use the -FilterHashtable parameter.

The command above retrieves events with IDs 1 and 3 from the Microsoft-Windows-Sysmon/Operational event log, selects specific properties from those events, and displays them in a table format.

Exported events

Specific date events


5. Filtering events with FilterHashtable & XML

Consider an intrusion detection scenario where a suspicious network connection to a particular IP (52.113.194.132) has been identified. With Sysmon installed, you can use Event ID 3 (Network Connection) logs to investigate the potential threat.
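The investigation described above, as an added example (not code from the original notes): -FilterHashtable can only match system-level fields (LogName, ID, StartTime, EndTime), so the DestinationIp inside EventData has to be read from each event's XML. The IP is the scenario's; the seven-day window is an assumption.

```powershell
# Added example: find Sysmon Event ID 3 (Network Connection) events to the suspicious IP
# within a time window, by parsing each event's XML. Not part of the original notes.
$SuspiciousIp = '52.113.194.132'
$Filter = @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    ID        = 3
    StartTime = (Get-Date).AddDays(-7)   # assumed window: the last 7 days
    EndTime   = Get-Date
}

# Get-WinEvent raises an error when nothing matches; treat that as "no hits".
$Events = Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue

$Hits = foreach ($Event in $Events) {
    # Convert the event to XML and flatten the <Data Name="..."> elements into a hashtable
    $Xml  = [xml]$Event.ToXml()
    $Data = @{}
    foreach ($Item in $Xml.Event.EventData.Data) { $Data[$Item.Name] = $Item.'#text' }

    if ($Data['DestinationIp'] -eq $SuspiciousIp) {
        [pscustomobject]@{
            TimeCreated     = $Event.TimeCreated
            Computer        = $Xml.Event.System.Computer
            Image           = $Data['Image']
            ProcessId       = $Data['ProcessId']
            User            = $Data['User']
            SourceIp        = $Data['SourceIp']
            SourcePort      = $Data['SourcePort']
            DestinationIp   = $Data['DestinationIp']
            DestinationPort = $Data['DestinationPort']
            Protocol        = $Data['Protocol']
        }
    }
}

# Which processes talked to the suspicious host, and how often?
$Hits | Group-Object Image | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail, oldest first, to build the timeline
$Hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

The same pattern applies to any EventData field (Image, User, DestinationPort), since the hashtable filter narrows the log and ID cheaply before the per-event XML parsing runs.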

Leveraging Sysmon's Event ID 7 (Image Loaded) to detect the loading of the above-mentioned DLLs.


6. Filtering events with FilterXPath

To use XPath queries with Get-WinEvent, we need to use the -FilterXPath parameter.

For instance, if we want to get Process Creation (Sysmon Event ID 1) events from the Sysmon log to identify the installation of any Sysinternals tool, we can use the command below.


7. Filtering events based on property values

The -Property * parameter, when used with Select-Object, instructs the command to select all properties of the objects passed to it. The output then resembles the raw Sysmon event output. See the example below:
