Windows Event Log Analysis
Was ist Windows Event Log Analysis?
Windows Event Log AnalysisThe DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
● Beispiele
- 01
An IR analyst pulls 4624 Type 3 events with workstation names matching the suspect host to reconstruct lateral movement from a compromised endpoint.
- 02
Hayabusa runs Sigma rules against a folder of EVTX exports and surfaces 4688 events showing `whoami /all` and `nltest /dclist` enumeration shortly before privilege escalation.
● Häufige Fragen
Was ist Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques. Es gehört zur Kategorie Forensik und Incident Response der Cybersicherheit.
Was bedeutet Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
Wie funktioniert Windows Event Log Analysis?
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
Wie schützt man sich gegen Windows Event Log Analysis?
Schutzmaßnahmen gegen Windows Event Log Analysis kombinieren typischerweise technische Kontrollen und operative Praktiken, wie in der Definition oben beschrieben.
Welche anderen Bezeichnungen gibt es für Windows Event Log Analysis?
Übliche alternative Bezeichnungen: EVTX analysis, Security log analysis.
● Verwandte Begriffe
- defense-ops№ 1242
Sysmon
Ein Windows-Systemdienst aus Microsoft Sysinternals, der reichhaltige Telemetrie zu Prozessen, Netzwerk, Dateien, Registry und Image-Loads in das Eventlog schreibt.
- forensics-ir№ 698
Log-Analyse
Systematische Auswertung von System-, Anwendungs- und Sicherheits-Logs, um sicherheitsrelevante Ereignisse zu erkennen, zu untersuchen und zu rekonstruieren.
- forensics-ir№ 1276
Timeline-Analyse
Eine forensische Technik, die die chronologische Abfolge von Ereignissen auf einem System rekonstruiert, indem Zeitstempel aus Dateien, Logs und anderen Artefakten korreliert werden.
- defense-ops№ 1153
Sigma-Regel
Eine herstellerunabhaengige, YAML-basierte Detection-Signature fuer Log-Events, die sich in Queries fuer SIEM-, EDR- oder XDR-Backends uebersetzen laesst.
- forensics-ir№ 430
EZ Tools von Eric Zimmerman
Eine kostenlose Sammlung von Windows-DFIR-Tools (CLI und GUI) von Eric Zimmerman zum Parsen gaengiger forensischer Artefakte und zum Erstellen von Zeitlinien.
- defense-ops№ 1151
SIEM
Plattform, die Sicherheits-Telemetrie aus dem gesamten Unternehmen aggregiert, normalisiert und korreliert, um Erkennung, Untersuchung, Compliance und Reporting zu ermöglichen.
● Siehe auch
- № 1021RegRipper