Event Log Forensics with Log Parser

  • Published: 30 Jul 2024
  • As a continuation of the "Introduction to Windows Forensics" series, this video introduces Log Parser. This powerful tool from Microsoft allows us to query text-based data such as log files, CSV files, XML files, and numerous other data sources including Active Directory and the Registry. In this video, we're going to look at how Log Parser can allow us to query numerous Windows EVTX event logs using SQL syntax. This allows us to scale our queries in ways not possible with Windows Event Viewer or third-party log viewers.
    ** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
    Introduction to Windows Forensics:
    • Introduction to Window...
    Log Parser 2.2:
    technet.microsoft.com/en-us/s...
    Log Parser Lizard:
    www.lizard-labs.com/log_parser...
    Events to Monitor:
    docs.microsoft.com/en-us/wind...
    Log Parser Example Queries:
    gist.github.com/exp0se/1bae65...
    Background Music Courtesy of Modern Vintage Gamer:
    / modernvintagegamer
    ** [ EXAMPLES USED IN VIDEO ] **
    Search for a particular event ID:
    "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'"
    Search for logins grouped by user ID:
    "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
    Search logs for a specific user:
    "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
    Search logs for a specific IP:
    "C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"
    Complex Examples Using PowerShell:
    Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT -q:ON "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'" }
    Get-ChildItem -recurse | where {$_.name -eq "Security.evtx"} | foreach { cd $_.DirectoryName; pwd; & 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:ON -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6, '|') AS Domain, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType, EXTRACT_TOKEN(Strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = 'x.x.x.x'"; cd ..; }
    #Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics
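    The queries above rely on the positions of fields inside the pipe-joined Strings column of a 4624 event (token 5 = target user name, 6 = domain, 8 = logon type, 11 = workstation, 17 = process name, 18 = source IP) and on excluding service identities and computer accounts (names ending in "$"). The following Python script is an added example, not code from the video or from Log Parser, that reproduces the "grouped by user" and "specific user" queries over a handful of constructed records shaped like Log Parser's EVT output, so the token positions and the exclusion rules can be checked offline before running them against a real Security.evtx. The event tuples, user names and IP addresses are invented sample data.

```python
"""Added example (not from the 13Cubed video): reproduce in Python what the
Log Parser queries do with EXTRACT_TOKEN(Strings, n, '|') on 4624 events."""
from collections import Counter

# 0-based positions inside the pipe-joined Strings column of a 4624 event,
# exactly the indices the Log Parser queries pass to EXTRACT_TOKEN.
TOKEN_USERNAME = 5
TOKEN_DOMAIN = 6
TOKEN_LOGON_TYPE = 8
TOKEN_WORKSTATION = 11
TOKEN_PROCESS_NAME = 17
TOKEN_SOURCE_IP = 18

# Identities the queries drop with "Username NOT IN (...)".
EXCLUDED_USERS = {"SYSTEM", "ANONYMOUS LOGON", "LOCAL SERVICE", "NETWORK SERVICE"}


def build_strings(user, domain, logon_type, workstation, process, ip):
    """Build a Strings value with fields at the positions the queries expect.
    Positions the queries do not use are left empty (constructed data)."""
    fields = [""] * 19
    fields[TOKEN_USERNAME] = user
    fields[TOKEN_DOMAIN] = domain
    fields[TOKEN_LOGON_TYPE] = str(logon_type)
    fields[TOKEN_WORKSTATION] = workstation
    fields[TOKEN_PROCESS_NAME] = process
    fields[TOKEN_SOURCE_IP] = ip
    return "|".join(fields)


# Constructed sample records: (TimeGenerated, EventID, Strings). Invented values.
SAMPLE_EVENTS = [
    ("2024-07-30 08:01:12", 4624, build_strings("Administrator", "CORP", 10, "WS01", "C:\\Windows\\System32\\winlogon.exe", "10.0.0.5")),
    ("2024-07-30 08:02:40", 4624, build_strings("alice", "CORP", 2, "WS07", "C:\\Windows\\System32\\svchost.exe", "-")),
    ("2024-07-30 08:03:05", 4624, build_strings("SYSTEM", "NT AUTHORITY", 5, "-", "C:\\Windows\\System32\\services.exe", "-")),
    ("2024-07-30 08:05:19", 4624, build_strings("WS07$", "CORP", 3, "-", "-", "10.0.0.7")),
    ("2024-07-30 08:07:51", 4624, build_strings("Administrator", "CORP", 3, "WS09", "-", "10.0.0.9")),
    ("2024-07-30 08:09:00", 4625, build_strings("bob", "CORP", 3, "WS02", "-", "10.0.0.2")),
    ("2024-07-30 08:10:33", 4624, build_strings("alice", "CORP", 3, "WS07", "-", "10.0.0.7")),
]


def extract_token(strings, index, sep="|"):
    """Equivalent of EXTRACT_TOKEN: the index-th token, or '' if Strings is
    shorter than expected (e.g. an event with fewer fields than assumed)."""
    parts = strings.split(sep)
    return parts[index] if index < len(parts) else ""


def is_excluded(username):
    """Mirror the WHERE clause: drop well-known service identities and
    computer accounts (Username NOT LIKE '%$')."""
    return username in EXCLUDED_USERS or username.endswith("$")


def logons_by_user(events):
    """'Search for logins grouped by user ID': COUNT(*) per Username for
    EventID 4624, ordered by count descending (then name for stability)."""
    counts = Counter()
    for _time, event_id, strings in events:
        if event_id != 4624:
            continue
        user = extract_token(strings, TOKEN_USERNAME)
        if is_excluded(user):
            continue
        counts[user] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def logons_for_user(events, username):
    """'Search logs for a specific user': the columns the third query
    projects, for 4624 events whose target user matches and whose domain
    is not NT AUTHORITY."""
    rows = []
    for time_generated, event_id, strings in events:
        if event_id != 4624 or extract_token(strings, TOKEN_USERNAME) != username:
            continue
        domain = extract_token(strings, TOKEN_DOMAIN)
        if domain == "NT AUTHORITY":
            continue
        rows.append({
            "Date": time_generated,
            "Username": username,
            "Domain": domain,
            "LogonType": extract_token(strings, TOKEN_LOGON_TYPE),
            "Workstation": extract_token(strings, TOKEN_WORKSTATION),
            "ProcessName": extract_token(strings, TOKEN_PROCESS_NAME),
            "SourceIP": extract_token(strings, TOKEN_SOURCE_IP),
        })
    return rows


if __name__ == "__main__":
    for user, cnt in logons_by_user(SAMPLE_EVENTS):
        print(f"{user:<16}{cnt}")
    for row in logons_for_user(SAMPLE_EVENTS, "Administrator"):
        print(row)
```

    On the sample data the grouped view lists Administrator and alice with two logons each, while SYSTEM, the WS07$ computer account and the 4625 failure are filtered out, matching what the Log Parser WHERE clause does. If a real log yields empty columns, the usual cause is that the Strings layout for that event version differs from the indices above; print a raw Strings value and recount the tokens before trusting the aliases.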
  • Science

Comments • 32

  • @vero0992
    @vero0992 5 years ago +3

    Just wanted to say again how much I appreciate this series. Good luck at the 4cast awards 👍

    • @13Cubed
      @13Cubed  5 years ago

      Thanks very much!

  • @rodrigolfrs
    @rodrigolfrs 4 years ago +2

    Very enlightening, congratulations for the work

  • @hemants337
    @hemants337 4 years ago +1

    Loved it, thanks for sharing...

  • @shashanksharma4475
    @shashanksharma4475 2 years ago +1

    Great job man, it's too good, you saved a day for me ...

  • @auditorzamannow
    @auditorzamannow 3 years ago +1

    Very enlightening, thanks for your share

  • @stevenmiller6001
    @stevenmiller6001 3 years ago +1

    thank you so much for this amazing video.

  • @example101
    @example101 4 years ago

    Great intro to the log parser tool. Sad Microsoft does not provide/teach as part of "Getting Started". Thanks.

  • @user-pt4vn5hr2z
    @user-pt4vn5hr2z 4 years ago +1

    Nice video TY

  • @lakshmi4642
    @lakshmi4642 5 years ago

    Sir.... how to extract the software execution data?

  • @Eskimoz
    @Eskimoz 4 years ago

    We like it :)

  • @Eskimoz
    @Eskimoz 5 years ago

    We support it :)

  • @TheAyana09
    @TheAyana09 3 years ago +1

    Isn’t it illegal to example log parser due to the directory being cancelled in 2005 by Internet Explorer and transferee tranced to Mozilla Firefox?

  • @josephford5885
    @josephford5885 3 years ago

    Thanks for this awesome content. Do you have a solution? While opening an event log, it gives me a "the data is invalid" error, but I know the data is not corrupted. It has something to do with a mismatched floating footer. I was referring to some docs online, but couldn't follow.

    • @13Cubed
      @13Cubed  3 years ago

      Take a look at EvtxECmd and see if that helps you out: ruclips.net/video/YvMg3p7O6ro/видео.html

  • @rohitcanu
    @rohitcanu 5 years ago +1

    I am a huge fan of your work. You explain everything simply and easily.
    I would like to know which is the easier tool (Splunk, Log Parser): which one do you prefer and why?

    • @13Cubed
      @13Cubed  5 years ago +1

      Thanks! They both serve different purposes. Splunk can be a full-blown SIEM (depending on how it is configured), whereas LogParser is a command line utility that can parse numerous types of data in an SQL-like syntax. It's a bit like comparing apples and oranges, as they say. I like both, but if you are specifically asking about parsing Windows Event Logs, check out the episode coming 1 week from today. It covers a new tool from Eric Zimmerman called EvtxECmd which is pretty incredible. It's available now for Patreon supporters at patreon.com/13cubed.

    • @rohitcanu
      @rohitcanu 5 years ago +1

      @@13Cubed I don't have enough experience in forensics to say one tool is better than another, so I'll go with your word and learn Log Parser.

    • @13Cubed
      @13Cubed  5 years ago +1

      Rohith kalvala It’s a great tool.

  • @faizankhd
    @faizankhd 3 years ago

    C:\Users\Hp\Desktop\logs\10>"C:\Program Files (x86)\Log Parser 2.2\LogParser.exe" -stats:OFF -i:EVT "SELECT * FROM 'Security.evtx' WHERE EventID = '4624'"
    Error: Error retrieving files: Error opening file "C:\Users\Hp\Desktop\logs\10\Security.evtx": The system cannot find the file specified.
    I am getting this error while running the query.

  • @PajamaJumper
    @PajamaJumper 3 years ago +3

    Amazing video series! You covered some great foundational concepts. I know that in the examples provided, many of the parsed fields are set as aliases. When examining logs, how do you set conditions on aliases? For example, if I wanted to find all usernames within 4624's where Type 3 Logons were less than 10 count, how would I go about creating this query? Is Log Parser the right tool for this? Thanks for any help you can provide!

    • @13Cubed
      @13Cubed  3 years ago +1

      I'm sure you could do that with Log Parser, but honestly I use EvtxECmd and grep/sed/awk/etc. to get that level of granularity.

    • @PajamaJumper
      @PajamaJumper 3 years ago

      @@13Cubed Thanks for the response! Do you find yourself gravitating to any other tool when analyzing firewall, AV, netflow, auditd, CSV, etc. logs? Or mostly grep/awk/sort/uniq?

    • @13Cubed
      @13Cubed  3 years ago +1

      @@PajamaJumper If the data is in CSV format, which is common, I find myself using Timeline Explorer and/or grep/awk/sort/uniq more than anything else.

  • @disko.kommando
    @disko.kommando 2 years ago

    This is the heart of Kansa :( I am not sure why it is used over standard PowerShell. Does anyone else know?

  • @benjaminnewman3833
    @benjaminnewman3833 6 years ago

    Hi, love the videos. Could you maybe zoom in slightly? The text is always very small; the notepad section was a lovely size.

    • @13Cubed
      @13Cubed  6 years ago

      Mini Sota Yes, will do. Future videos I’ve completed since this one are zoomed - look for those coming soon...

    • @benjaminnewman3833
      @benjaminnewman3833 6 years ago

      Awesome, thank you.

  • @TheAyana09
    @TheAyana09 3 years ago

    Log parser is totally legal in Mozilla never Windows because it doesn’t create files. It’s a duplicate of prompt. Used to bring data to now not to explain data