Windows Event Log Analysis
¿Qué es Windows Event Log Analysis?
Windows Event Log AnalysisThe DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
● Ejemplos
- 01
An IR analyst pulls 4624 Type 3 events with workstation names matching the suspect host to reconstruct lateral movement from a compromised endpoint.
- 02
Hayabusa runs Sigma rules against a folder of EVTX exports and surfaces 4688 events showing `whoami /all` and `nltest /dclist` enumeration shortly before privilege escalation.
● Preguntas frecuentes
¿Qué es Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques. Pertenece a la categoría de Forense y respuesta en ciberseguridad.
¿Qué significa Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
¿Cómo funciona Windows Event Log Analysis?
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
¿Cómo defenderse de Windows Event Log Analysis?
Las defensas contra Windows Event Log Analysis combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.
¿Cuáles son otros nombres para Windows Event Log Analysis?
Nombres alternativos comunes: EVTX analysis, Security log analysis.
● Términos relacionados
- defense-ops№ 1242
Sysmon
Servicio de Sysinternals para Windows que genera telemetria detallada en el log de eventos sobre procesos, red, archivos, registro y carga de imagenes para monitoreo de seguridad.
- forensics-ir№ 698
Análisis de registros
Revisión sistemática de registros de sistema, aplicaciones y seguridad para detectar, investigar y reconstruir eventos relevantes para la seguridad.
- forensics-ir№ 1276
Análisis de línea de tiempo
Técnica forense que reconstruye la secuencia cronológica de eventos en un sistema correlacionando marcas de tiempo de archivos, registros y otros artefactos.
- defense-ops№ 1153
Regla Sigma
Firma de deteccion neutral respecto al fabricante, en YAML, para eventos de log que se convierte en consultas para SIEM, EDR o XDR.
- forensics-ir№ 430
EZ Tools de Eric Zimmerman
Suite gratuita de herramientas DFIR para Windows, de linea de comandos e interfaz grafica, creada por Eric Zimmerman para parsear artefactos forenses y construir cronologias.
- defense-ops№ 1151
SIEM
Plataforma que agrega, normaliza y correlaciona telemetría de seguridad de toda la organización para detectar, investigar, cumplir y reportar.
● Véase también
- № 1021RegRipper