Windows Event Log Analysis
What is Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
Windows Event Log analysis is one of the foundational DFIR skills on Windows endpoints and Active Directory servers. The Windows Event Log subsystem stores records in the binary EVTX format under `%SystemRoot%\System32\winevt\Logs\`, with each provider writing into channels such as `Security`, `System`, `Application`, `Microsoft-Windows-PowerShell/Operational`, `Microsoft-Windows-Sysmon/Operational`, and dozens more. High-value event IDs include 4624 (successful logon; the Logon Type field separates interactive, network, service and RDP logons), 4625 (failed logon), 4672 (special privileges assigned to a new logon), 4688 (process creation; the command line is recorded only when the "Include command line in process creation events" policy is enabled), 4698 (scheduled task created), 4720 (user account created), 4768/4769 (Kerberos TGT and service ticket requests), 4776 (NTLM credential validation), 7045 (new service installed, in the System log), 1102 (Security audit log cleared), and Sysmon 1 (process create), 3 (network connection), 7 (image load), 8 (CreateRemoteThread), 10 (process access), 11 (file create) and 22 (DNS query). Practical analysis tools include Event Viewer, `wevtutil`, Eric Zimmerman's EvtxECmd (part of EZ Tools), Chainsaw, Hayabusa and Velociraptor, plus SIEM ingestion (Splunk, Elastic, Sentinel). Hardening prerequisites are essential because Windows ships with most useful audits off by default: increase log sizes so records are not overwritten before collection, enable Process Creation auditing with command-line logging, deploy Sysmon, and enable PowerShell Script Block Logging (event 4104 in the PowerShell/Operational channel).
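The binary container mentioned above, as an added example that is not part of the original page: a minimal parser that validates an EVTX file header and its chunk headers, checks the CRC32 checksums the format carries, and walks the record envelopes. Field offsets follow the publicly documented EVTX layout (the libevtx format notes); the file it parses is constructed in memory, and its record payloads are placeholder bytes rather than real BinXML, so event content is not decoded. A chunk whose data checksum no longer matches is reported as corrupt or crudely edited, which is worth checking before trusting any tool's rendering of a log recovered from disk.

```python
"""Validate EVTX container structure (file header, chunk headers, CRC32s) and walk
record envelopes. Added example; offsets follow the public EVTX format notes (libevtx).
The sample file is constructed in memory; record payloads are placeholder bytes, not
real BinXML, so event content is not decoded here."""
import struct
import zlib
from datetime import datetime, timedelta, timezone

FILE_MAGIC, CHUNK_MAGIC, RECORD_MAGIC = b"ElfFile\x00", b"ElfChnk\x00", b"\x2a\x2a\x00\x00"
FILE_HEADER_SIZE, CHUNK_SIZE, CHUNK_HEADER_SIZE = 4096, 65536, 512
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_file_header(buf):
    if buf[:8] != FILE_MAGIC:
        raise ValueError("not an EVTX file: bad signature")
    first_chunk, last_chunk, next_rec = struct.unpack_from("<QQQ", buf, 8)
    _hdr_size, minor, major, _blk, n_chunks = struct.unpack_from("<IHHHH", buf, 32)
    flags, crc = struct.unpack_from("<II", buf, 120)
    return {"first_chunk": first_chunk, "last_chunk": last_chunk, "next_record_id": next_rec,
            "version": (major, minor), "chunk_count": n_chunks, "dirty": bool(flags & 1),
            "crc_ok": crc == zlib.crc32(buf[:120])}   # file CRC covers the first 120 bytes


def parse_chunk(chunk):
    if chunk[:8] != CHUNK_MAGIC:
        raise ValueError("bad chunk signature")
    _first_num, _last_num, first_id, last_id = struct.unpack_from("<QQQQ", chunk, 8)
    _hdr_size, _last_off, free_off, data_crc = struct.unpack_from("<IIII", chunk, 40)
    _flags, hdr_crc = struct.unpack_from("<II", chunk, 120)
    # Header CRC covers bytes 0-119 and 128-511 (skips the flags/checksum words);
    # data CRC covers the record area from the end of the header to the free-space offset.
    header_ok = hdr_crc == zlib.crc32(chunk[:120] + chunk[128:512])
    data_ok = data_crc == zlib.crc32(chunk[CHUNK_HEADER_SIZE:free_off])
    records, off = [], CHUNK_HEADER_SIZE
    while off < free_off and chunk[off:off + 4] == RECORD_MAGIC:
        size, rec_id, written = struct.unpack_from("<IQQ", chunk, off + 4)
        if struct.unpack_from("<I", chunk, off + size - 4)[0] != size:
            break   # trailing size copy disagrees: truncated or corrupt record
        records.append({"id": rec_id, "written": filetime_to_dt(written),
                        "binxml": chunk[off + 24:off + size - 4]})
        off += size
    return {"first_record_id": first_id, "last_record_id": last_id,
            "header_crc_ok": header_ok, "data_crc_ok": data_ok, "records": records}


def parse_evtx(buf):
    header = parse_file_header(buf)
    chunks = []
    for i in range(header["chunk_count"]):
        start = FILE_HEADER_SIZE + i * CHUNK_SIZE
        chunks.append(parse_chunk(buf[start:start + CHUNK_SIZE]))
    return header, chunks


# --- constructed sample file (not a real log) --------------------------------------
def build_record(rec_id, written, payload):
    size = 24 + len(payload) + 4
    return (RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, dt_to_filetime(written))
            + payload + struct.pack("<I", size))


def build_chunk(records, first_id):
    data = b"".join(records)
    free_off = CHUNK_HEADER_SIZE + len(data)
    last_id = first_id + len(records) - 1
    hdr = bytearray(CHUNK_HEADER_SIZE)
    hdr[:8] = CHUNK_MAGIC
    struct.pack_into("<QQQQ", hdr, 8, first_id, last_id, first_id, last_id)
    struct.pack_into("<IIII", hdr, 40, 128, free_off - len(records[-1]), free_off, zlib.crc32(data))
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120]) + bytes(hdr[128:512])))
    return bytes(hdr) + data + bytes(CHUNK_SIZE - free_off)


def build_sample():
    t0 = datetime(2024, 3, 1, 10, 15, tzinfo=timezone.utc)
    recs = [build_record(i, t0 + timedelta(seconds=30 * i), b"<placeholder-binxml %d>" % i)
            for i in (1, 2, 3)]
    hdr = bytearray(FILE_HEADER_SIZE)
    hdr[:8] = FILE_MAGIC
    struct.pack_into("<QQQ", hdr, 8, 0, 0, 4)                # first/last chunk, next record id
    struct.pack_into("<IHHHH", hdr, 32, 128, 1, 3, 4096, 1)   # header size, v3.1, block size, chunks
    struct.pack_into("<II", hdr, 120, 0, zlib.crc32(bytes(hdr[:120])))
    return bytes(hdr) + build_chunk(recs, 1)


def tamper(buf):
    """Flip one byte inside the first record's payload without fixing up the chunk CRC."""
    pos = FILE_HEADER_SIZE + CHUNK_HEADER_SIZE + 24 + 3
    return buf[:pos] + bytes([buf[pos] ^ 0xFF]) + buf[pos + 1:]


if __name__ == "__main__":
    for label, data in (("clean", build_sample()), ("tampered", tamper(build_sample()))):
        header, chunks = parse_evtx(data)
        print(label, "v%d.%d" % header["version"], "file crc ok:", header["crc_ok"],
              "chunk data crc ok:", chunks[0]["data_crc_ok"],
              [(r["id"], r["written"].isoformat()) for r in chunks[0]["records"]])
```

Real logs have many chunks and real BinXML payloads; this parser stops at the envelope level and leaves the `binxml` bytes for a full decoder such as EvtxECmd or python-evtx.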
● Examples
- 01
An IR analyst pulls 4624 Logon Type 3 (network) events from the other hosts in scope whose Workstation Name or Source Network Address matches the suspect host, to reconstruct lateral movement from a compromised endpoint.
- 02
Hayabusa runs Sigma rules against a folder of EVTX exports and surfaces 4688 events showing `whoami /all` and `nltest /dclist` enumeration shortly before privilege escalation.
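Both examples above in working code, as an added example that is not from the page or from any of the tools it names: a parser for the XML rendering of events (the shape that `wevtutil qe Security /f:xml` or Get-WinEvent's `.ToXml()` produces), a lateral-movement query over 4624 Logon Type 3 events keyed on the suspect host's Workstation Name or Source Network Address, and a 4688 command-line check that goes slightly beyond the two commands mentioned by also matching two other common enumeration commands. Host names, users, IP addresses and timestamps are constructed, and the recon patterns are an assumption to tune per environment.

```python
"""Parse XML-rendered Windows events (the shape written by `wevtutil qe Security /f:xml`
or Get-WinEvent's .ToXml()) and run two checks: Type 3 logons that originate from a
suspect endpoint, and 4688 command lines that look like enumeration. Added example,
not code from the page or from any tool it names. Sample data below is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Enumeration commands to flag in 4688. The first two are the page's examples; the rest
# are common follow-ons (assumption: tune this list to the environment).
RECON_PATTERNS = [
    r"\bwhoami(\.exe)?\s+/all\b",
    r"\bnltest(\.exe)?\s+/dclist\b",
    r"\bnet1?(\.exe)?\s+group\s+\"?domain admins\"?\s+/domain\b",
    r"\bnltest(\.exe)?\s+/domain_trusts\b",
]


def parse_systemtime(s):
    """TimeCreated/@SystemTime is UTC with up to 7 fractional digits; trim to the 6 Python accepts."""
    m = re.match(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d{1,7}))?Z?$", s)
    frac = (m.group(2) or "0")[:6].ljust(6, "0")
    return datetime.strptime(f"{m.group(1)}.{frac}", "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def parse_event(elem):
    """Flatten one <Event> into a dict: System fields plus every EventData/Data Name=value pair."""
    system = elem.find("e:System", NS)
    ev = {"EventID": int(system.find("e:EventID", NS).text),
          "Computer": system.find("e:Computer", NS).text,
          "Time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime"))}
    for d in elem.findall("e:EventData/e:Data", NS):
        ev[d.get("Name")] = d.text or ""   # CommandLine is empty unless the audit policy includes it
    return ev


def parse_export(text):
    """wevtutil emits a bare sequence of <Event> elements; wrap them so the parser gets one root."""
    root = ET.fromstring("<Events>" + text + "</Events>")
    return sorted((parse_event(e) for e in root.findall("e:Event", NS)), key=lambda ev: ev["Time"])


def find_lateral_movement(events, suspect_host, suspect_ip=None):
    """4624 LogonType 3 on any host whose Workstation Name or Source Network Address is the suspect endpoint."""
    hops = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != "3":
            continue
        by_name = ev.get("WorkstationName", "").upper() == suspect_host.upper()
        by_ip = bool(suspect_ip) and ev.get("IpAddress") == suspect_ip   # Kerberos logons often carry only the IP
        if by_name or by_ip:
            hops.append((ev["Time"], ev["Computer"], ev.get("TargetUserName", ""),
                         ev.get("AuthenticationPackageName", "")))
    return hops


def find_recon(events):
    """4688 events whose CommandLine matches a known enumeration command."""
    return [(ev["Time"], ev["Computer"], ev.get("SubjectUserName", ""), ev.get("CommandLine", ""))
            for ev in events if ev["EventID"] == 4688
            and any(re.search(p, ev.get("CommandLine", ""), re.I) for p in RECON_PATTERNS)]


def analyze(export_text, suspect_host, suspect_ip=None):
    events = parse_export(export_text)
    return {"hops": find_lateral_movement(events, suspect_host, suspect_ip), "recon": find_recon(events)}


# --- constructed sample export (same element shape as a real wevtutil /f:xml dump) ---
def _event(eid, ts, host, **data):
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{eid}</EventID><TimeCreated SystemTime="{ts}"/><Computer>{host}</Computer></System>'
            f"<EventData>{body}</EventData></Event>")


SAMPLE_EXPORT = "".join([
    _event(4624, "2024-03-01T09:58:00.0000000Z", "SRV-FILE01.corp.local", TargetUserName="svc_backup",
           LogonType="3", WorkstationName="BACKUP01", IpAddress="10.0.9.10", AuthenticationPackageName="Kerberos"),
    _event(4624, "2024-03-01T10:15:00.1234567Z", "SRV-FILE01.corp.local", TargetUserName="jdoe",
           LogonType="3", WorkstationName="WS-0042", IpAddress="10.0.5.42", AuthenticationPackageName="NTLM"),
    _event(4688, "2024-03-01T10:16:10.0000000Z", "SRV-FILE01.corp.local", SubjectUserName="jdoe",
           NewProcessName=r"C:\Windows\System32\whoami.exe", CommandLine="whoami  /all"),
    _event(4688, "2024-03-01T10:16:42.0000000Z", "SRV-FILE01.corp.local", SubjectUserName="jdoe",
           NewProcessName=r"C:\Windows\System32\nltest.exe", CommandLine="nltest /dclist:corp.local"),
    _event(4688, "2024-03-01T10:17:00.0000000Z", "WS-0042.corp.local", SubjectUserName="jdoe",
           NewProcessName=r"C:\Windows\System32\notepad.exe", CommandLine=""),
    _event(4624, "2024-03-01T10:20:05.0000000Z", "DC01.corp.local", TargetUserName="jdoe",
           LogonType="3", WorkstationName="", IpAddress="10.0.5.42", AuthenticationPackageName="Kerberos"),
])

if __name__ == "__main__":
    result = analyze(SAMPLE_EXPORT, "WS-0042", suspect_ip="10.0.5.42")
    for t, host, user, pkg in result["hops"]:
        print(f"{t:%H:%M:%S} 4624/3  {user}@{host} via {pkg}, source = suspect host")
    for t, host, user, cmd in result["recon"]:
        print(f"{t:%H:%M:%S} 4688    {user}@{host}: {cmd}")
```

On a live host the same input comes from `wevtutil qe Security /q:"*[System[(EventID=4624 or EventID=4688)]]" /f:xml > export.xml`; if the 4688 `CommandLine` field is blank in that export, the "Include command line in process creation events" policy was not enabled and the recon check has nothing to work with.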
● FAQ
What is Windows Event Log Analysis?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques. It belongs to the Forensics & Incident Response category of cybersecurity.
What does Windows Event Log Analysis mean?
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
How does Windows Event Log Analysis work?
Records are stored as binary EVTX files under `%SystemRoot%\System32\winevt\Logs\`, one per channel (Security, System, Application, PowerShell/Operational, Sysmon/Operational and many others). Analysts parse them with Event Viewer, `wevtutil`, EvtxECmd, Chainsaw, Hayabusa or Velociraptor, or ingest them into a SIEM, then pivot on high-value event IDs such as 4624/4625 (logons), 4672 (special privileges), 4688 (process creation), 4698 (scheduled task), 4720 (account created), 4768/4769/4776 (Kerberos and NTLM authentication), 7045 (service install), 1102 (audit log cleared) and the Sysmon events. Because most useful audits are off by default, log sizes, command-line process auditing, Sysmon and PowerShell Script Block Logging (4104) must be enabled in advance. See the full definition above.
How is Windows Event Log Analysis applied defensively?
It combines technical controls with operational practice; see the full definition above.
What other names does Windows Event Log Analysis go by?
Common aliases include: EVTX analysis, Security log analysis.
● Related terms
- defense-ops № 1242
Sysmon
A Windows service from Microsoft Sysinternals that writes rich security telemetry (process, network, file, registry and image-load events) to the event log.
- forensics-ir № 698
Log Analysis
Systematic review of system, application and security logs to detect, investigate and reconstruct security-relevant events.
- forensics-ir № 1276
Timeline Analysis
A forensic technique that correlates timestamps from files, logs and other artifacts to reconstruct the chronological order of events on a system.
- defense-ops № 1153
Sigma Rules
Vendor-agnostic YAML detection signatures for log events that can be converted into queries for SIEM, EDR or XDR backends.
- forensics-ir № 430
Eric Zimmerman's EZ Tools
A free set of Windows DFIR tools maintained by Eric Zimmerman, with command-line and GUI utilities for parsing common forensic artifacts and building timelines.
- defense-ops № 1151
SIEM
A platform that aggregates, normalizes and correlates security telemetry across the enterprise to support detection, investigation, compliance and reporting.
● See also
- № 1021 RegRipper