Windows Event Log Analysis
What is Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
● Examples
- 01
An IR analyst pulls 4624 Type 3 events with workstation names matching the suspect host to reconstruct lateral movement from a compromised endpoint.
- 02
Hayabusa runs Sigma rules against a folder of EVTX exports and surfaces 4688 events showing `whoami /all` and `nltest /dclist` enumeration shortly before privilege escalation.
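The first example above, reconstructing lateral movement from a compromised endpoint, as an added worked example that is not code from the original page or from any of the tools it lists. It reads events in the rendered-XML layout that `wevtutil qe Security /f:xml` or `Get-WinEvent`'s `.ToXml()` produce, keeps 4624 network logons (LogonType 3) whose `WorkstationName` or `IpAddress` matches the suspect host, and sorts them into a timeline; it also lists hosts that recorded 1102 (audit log cleared), since the timeline there must be treated as incomplete. The host names, addresses, timestamps and the `make_event` helper are constructed for the demo, and the function names are my own.

```python
"""Added example (not from the original page): rebuild a lateral-movement
timeline from Windows Security 4624 events, the check described in example 01.

Input is the rendered-XML form of events (what `wevtutil qe Security /f:xml`
or Get-WinEvent's .ToXml() emits). Sample events and host names below are
constructed for the demo.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Namespace used by every rendered Windows event.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


@dataclass(frozen=True)
class Logon:
    time: str          # TimeCreated/@SystemTime, ISO-8601 so string sort is chronological
    target_host: str   # System/Computer: the machine that recorded the logon
    user: str          # EventData/TargetUserName
    workstation: str   # EventData/WorkstationName (source host, as claimed by the client)
    ip: str            # EventData/IpAddress (source address seen by the server)


def parse_event(xml_text: str) -> dict:
    """Flatten one rendered event into id, timestamp, computer and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.findtext("e:EventID", namespaces=NS)),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.findtext("e:Computer", namespaces=NS),
        "data": data,
    }


def lateral_movement_timeline(events, suspect_host, suspect_ip=None):
    """Network logons (4624, LogonType 3) that originated from the suspect endpoint.

    WorkstationName is supplied by the client and can be blank or spoofed, so the
    source IP is accepted as a second selector when the investigator knows it.
    """
    hits = []
    for ev in events:
        if ev["event_id"] != 4624:
            continue
        d = ev["data"]
        if d.get("LogonType") != "3":
            continue
        ws = d.get("WorkstationName", "")
        ip = d.get("IpAddress", "")
        if ws.upper() == suspect_host.upper() or (suspect_ip and ip == suspect_ip):
            hits.append(Logon(ev["time"], ev["computer"], d.get("TargetUserName", ""), ws, ip))
    return sorted(hits, key=lambda logon: logon.time)


def audit_log_cleared(events):
    """Hosts that logged 1102: the timeline there has a gap the analyst must assume."""
    return sorted({ev["computer"] for ev in events if ev["event_id"] == 1102})


def make_event(event_id: int, time: str, computer: str, **data: str) -> str:
    """Build a minimal event in the rendered-XML layout (constructed test data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (
        f'<Event xmlns="{NS["e"]}"><System>'
        '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
        f'<Channel>Security</Channel><Computer>{computer}</Computer></System>'
        f'<EventData>{fields}</EventData></Event>'
    )


# Constructed sample: WS07 is the compromised endpoint.
SAMPLE_EVENTS = [parse_event(x) for x in (
    # Interactive logon on the endpoint itself: LogonType 2, not lateral movement
    make_event(4624, "2024-03-04T08:55:10.000000Z", "WS07.corp.example",
               TargetUserName="alice", LogonType="2", WorkstationName="WS07", IpAddress="-"),
    # Later network logon to the domain controller, listed first to show sorting
    make_event(4624, "2024-03-04T09:20:44.000000Z", "DC01.corp.example",
               TargetUserName="svc_backup", LogonType="3", WorkstationName="WS07", IpAddress="10.10.5.23"),
    # Earlier network logon to the file server
    make_event(4624, "2024-03-04T09:12:01.000000Z", "FS01.corp.example",
               TargetUserName="alice", LogonType="3", WorkstationName="WS07", IpAddress="10.10.5.23"),
    # Unrelated network logon from another workstation
    make_event(4624, "2024-03-04T09:13:30.000000Z", "FS01.corp.example",
               TargetUserName="bob", LogonType="3", WorkstationName="WS12", IpAddress="10.10.5.40"),
    # Failed logon from the suspect host: 4625 is tracked separately, not a 4624 hit
    make_event(4625, "2024-03-04T09:19:58.000000Z", "DC01.corp.example",
               TargetUserName="administrator", LogonType="3", WorkstationName="WS07", IpAddress="10.10.5.23"),
    # Audit log cleared on FS01 (real 1102 records carry UserData, not EventData)
    make_event(1102, "2024-03-04T09:40:00.000000Z", "FS01.corp.example"),
)]


if __name__ == "__main__":
    for logon in lateral_movement_timeline(SAMPLE_EVENTS, "WS07", suspect_ip="10.10.5.23"):
        print(f"{logon.time}  {logon.workstation}/{logon.ip} -> {logon.target_host} as {logon.user}")
    print("1102 seen on:", audit_log_cleared(SAMPLE_EVENTS))
```

On a real case the events come from every server the endpoint could have reached, not from the endpoint itself: 4624 Type 3 is written by the machine that accepted the logon, which is also why a 1102 on any of those servers leaves a hole in the reconstruction.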
● Frequently asked questions
What is Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques. This concept belongs to the category Forensics and incident response in cybersecurity.
What does Windows Event Log Analysis mean?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
How does Windows Event Log Analysis work?
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (logon), 4625 (failed logon), 4672 (special privileges assigned), 4688 (process creation), 4698 (scheduled task created), 4720 (account created), 4768/4769 (Kerberos TGT/TGS), 4776 (NTLM auth), 7045 (service install), 1102 (audit log cleared), and Sysmon 1/3/7/8/10/11/22. Practical analysis tools include Event Viewer, `wevtutil`, EZ Tools' EvtxECmd (Eric Zimmerman), Chainsaw, Hayabusa, Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites — increasing log size, enabling Process Creation auditing with command-line, deploying Sysmon, and enabling PowerShell Script Block Logging (4104) — are essential because Windows ships with most useful audits off by default.
How to defend against Windows Event Log Analysis?
Defenses against Windows Event Log Analysis usually combine technical controls and operational practices, as detailed in the definition above.
What are the other names for Windows Event Log Analysis?
Common alternative names: EVTX analysis, Security log analysis.
● Related terms
- defense-ops № 1242
Sysmon
Microsoft Sysinternals Windows service that writes detailed telemetry about processes, network, files, the registry and image loads into the event log.
- forensics-ir № 698
Log analysis
Systematic examination of system, application and security logs to detect, investigate and reconstruct security-relevant events.
- forensics-ir № 1276
Timeline analysis
Forensic technique that reconstructs the chronological sequence of events on a system by correlating timestamps from files, logs and other artifacts.
- defense-ops № 1153
Sigma rule
Vendor-agnostic detection signature in YAML format that applies to logs and converts into queries for SIEM, EDR or XDR.
- forensics-ir № 430
Eric Zimmerman's EZ Tools
Free suite of Windows DFIR tools (CLI and GUI) by Eric Zimmerman for parsing common forensic artifacts and building timelines.
- defense-ops № 1151
SIEM
Platform that aggregates, normalizes and correlates security telemetry from across the enterprise for detection, investigation, compliance and reporting.
● See also
- № 1021 RegRipper