Windows Event Logs
Windows Event Logs contain system, security, and application records. Common useful logs in CTFs:
- Security: login attempts, privilege changes
- System: device events, service changes
- Application: program execution, errors
- PowerShell: PowerShell commands and script blocks
| Tool | Purpose |
|---|---|
| Event Viewer (Windows) | View Windows Event Logs (GUI) |
| evtx (Cross platform) | View and Parse Windows Event Logs |
| evtx_dump | Command-line Windows Event Logs Parser |
| chainsaw | Identify Threats in Windows Event Logs |
| Eric Zimmerman’s Tools | Multiple Tools to Parse Different Logs and System Artifacts |
Default location of the .evtx files on disk: `C:\Windows\System32\winevt\Logs\`
| Event ID | Description | Use Case |
|---|---|---|
| 4104 | PowerShell script block | Code execution |
| 4624 | Successful logon | Initial access |
| 4625 | Failed logon | Brute force |
| 4688 | Process creation | Execution monitoring |
| 4720 | Account creation | Persistence |
| 7045 | Service installation | Rootkits/malware |
View logs using the GUI:
- Open Event Viewer (or evtx)
- Navigate to Windows Logs -> Security / System / Application
- Filter by Event IDs or keywords
Command line extraction using evtx_dump:
```
evtx_dump Security.evtx > security.xml
```
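Triage of an evtx_dump XML export for the Event IDs in the table above: count 4625 failed logons per source IP and target user (brute-force check) and pull the 4104 script block text. This is an added example, not code from the page or from any tool listed here; it assumes evtx_dump's default output layout (a `Record N` line followed by one XML document per event) and the standard 4625 `TargetUserName`/`IpAddress` and 4104 `ScriptBlockText` data fields, and the sample records are constructed.

```python
import re
from collections import Counter
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}

def _event(eid, **data):
    # Hypothetical helper that builds one record in the shape evtx_dump writes.
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<?xml version="1.0" encoding="utf-8"?>\n<Event xmlns="{EVT_NS}">'
            f'<System><EventID>{eid}</EventID></System>'
            f'<EventData>{fields}</EventData></Event>\n')

# Constructed sample of `evtx_dump Security.evtx` style output: a "Record N" line
# followed by one XML document per event. Not real log data.
SAMPLE = "".join(f"Record {i}\n{ev}" for i, ev in enumerate([
    _event(4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    _event(4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    _event(4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    _event(4625, TargetUserName="admin", IpAddress="10.0.0.5"),
    _event(4625, TargetUserName="bob", IpAddress="10.0.0.9"),
    _event(4624, TargetUserName="admin", IpAddress="10.0.0.5"),
    _event(4104, ScriptBlockText="Write-Host hello"),
], start=1))

def parse_evtx_dump(text):
    """Return one {"id": EventID, "data": {Name: value}} dict per record."""
    events = []
    for chunk in re.split(r"^Record \d+\s*$", text, flags=re.M):
        chunk = re.sub(r"<\?xml[^>]*\?>", "", chunk).strip()  # drop the XML declaration
        if not chunk:
            continue
        root = ET.fromstring(chunk)
        eid = int(root.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
        events.append({"id": eid, "data": data})
    return events

def failed_logons(events, threshold=3):
    """Count 4625 events per (source IP, target user); keep pairs at or above threshold."""
    counts = Counter((ev["data"].get("IpAddress"), ev["data"].get("TargetUserName"))
                     for ev in events if ev["id"] == 4625)
    return {pair: n for pair, n in counts.items() if n >= threshold}

def script_blocks(events):
    """Return the ScriptBlockText of every 4104 PowerShell script block event."""
    return [ev["data"].get("ScriptBlockText", "") for ev in events if ev["id"] == 4104]
```

To run it on a real export, replace `SAMPLE` with the contents of `security.xml` and, for 4104 events, with a dump of the PowerShell operational log.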
Command line extraction using EvtxECmd (part of Eric Zimmerman's Tools):
```
EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
```
Analyze logs using chainsaw:
Hunt with Sigma and Chainsaw rules:
```
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
```
Hunt with Sigma rules and output in JSON:
```
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json
```
Search for the case-insensitive word 'mimikatz':
```
./chainsaw search mimikatz -i evtx_attack_samples/
```
Search for PowerShell script block events (Event ID 4104):
```
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
```