Analyzing Windows System Logs with LogParser
Preface
This post focuses on using LogParser to pull specific fields out of Windows event logs and on the query syntax needed to do so; for the detailed meaning of each field, refer to
Note: the commands below are broken across lines for readability. Run them in PowerShell, not in cmd.exe: PowerShell hands a double-quoted string that spans several lines to LogParser as a single argument, cmd.exe does not.
Contents
Security log cleared (Security.evtx, Event ID 1102)
Other logs cleared (System.evtx, Event ID 104)
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers
Microsoft-Windows-PowerShell%4Operational.evtx
Network connection review (Security.evtx, Event ID 5156)
Event Log service restarts and log clearing
Event Log service restart
Event ID 7031 (System.evtx) is written by the Service Control Manager when a service terminates unexpectedly, together with the recovery action it will take. Filter on the "Windows Event Log" service: if it was killed, every log has a gap, and 7031 is often the only trace. Strings token 0 is the service name, token 4 the corrective action.
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 0, '|') AS ServiceName
, EXTRACT_TOKEN(Strings, 4, '|') AS Action
, Message AS Description
FROM System.evtx
WHERE EventID = 7031
AND ServiceName = 'Windows Event Log'
"
Log clearing
Security log cleared (Security.evtx, Event ID 1102). The event is written to the Security log right after it is cleared, so it is normally the oldest surviving record there; the Message names the account that cleared it.
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, Message AS Description
FROM Security.evtx
WHERE EventID = 1102
"
Other logs cleared (System.evtx, Event ID 104). 104 is written by Microsoft-Windows-Eventlog to the System log whenever any other channel is cleared (System, Application, or one of the Microsoft-Windows-* operational logs). Token 0 is the user; the Message names the channel that was cleared.
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 0, '|') AS User, Message AS Description
FROM System.evtx
WHERE EventID = 104
"
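The three checks above, run from PowerShell over a folder of exported logs and merged into one timeline. This is an added example, not code from the original post. It assumes LogParser.exe is on PATH and that the exports sit in C:\Cases\host01\Logs (a hypothetical path) under their original names, System.evtx and Security.evtx.

```powershell
# Added example (not from the original post): run the tamper checks from
# PowerShell over exported logs and merge them into one timeline.
# Assumptions: LogParser.exe on PATH; exports in C:\Cases\host01\Logs (hypothetical)
# named System.evtx and Security.evtx.

function Invoke-LogParserCsv {
    param([Parameter(Mandatory)][string]$Query)
    # -o:CSV plus -q:ON prints only a header row and data rows, which ConvertFrom-Csv
    # turns into objects. A here-string with line breaks is passed as one argument.
    & LogParser.exe -i:EVT -o:CSV -q:ON $Query | ConvertFrom-Csv
}

$logDir = 'C:\Cases\host01\Logs'

# 7031: the Event Log service itself died (token 0 = service name, token 4 = recovery action)
$svcCrash = Invoke-LogParserCsv @"
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 4, '|') AS Action
FROM '$logDir\System.evtx'
WHERE EventID = 7031 AND EXTRACT_TOKEN(Strings, 0, '|') = 'Windows Event Log'
"@

# 1102: Security log cleared (token 1 = SubjectUserName)
$secCleared = Invoke-LogParserCsv @"
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS User
FROM '$logDir\Security.evtx'
WHERE EventID = 1102
"@

# 104: any other channel cleared (token 0 = user, token 2 = channel name)
$otherCleared = Invoke-LogParserCsv @"
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 0, '|') AS User,
       EXTRACT_TOKEN(Strings, 2, '|') AS Channel
FROM '$logDir\System.evtx'
WHERE EventID = 104
"@

$timeline = @(
    foreach ($r in $svcCrash)     { [pscustomobject]@{ Time = [datetime]$r.Time; Event = '7031 Event Log service terminated'; Detail = $r.Action } }
    foreach ($r in $secCleared)   { [pscustomobject]@{ Time = [datetime]$r.Time; Event = '1102 Security log cleared';         Detail = $r.User } }
    foreach ($r in $otherCleared) { [pscustomobject]@{ Time = [datetime]$r.Time; Event = "104 $($r.Channel) cleared";         Detail = $r.User } }
) | Sort-Object Time

# The oldest surviving Security record bounds how much was lost before the 1102
$oldest = Invoke-LogParserCsv "SELECT MIN(TimeGenerated) AS Oldest FROM '$logDir\Security.evtx'"
"Oldest surviving Security record: $($oldest.Oldest)"
$timeline | Format-Table -AutoSize
```

The CSV-to-object step is what makes LogParser usable from PowerShell: every later query on this page can be run the same way and then filtered, joined or exported with normal cmdlets instead of being read off a datagrid.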
RDP port check
Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, value PortNumber (REG_DWORD, default 3389). A non-default port is not malicious by itself, but a recent LastWriteTime on this key next to other RDP findings is worth noting.
LogParser.exe -i:reg -o:datagrid "
SELECT LastWriteTime AS LastWritten, Value AS RdpPort
FROM 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
WHERE ValueName LIKE 'PortNumber'
"
Inbound remote logon review
Security.evtx
Event ID 4625 (logon failure). Token 5 is the target account, 10 the logon type (2 = interactive, 3 = network, 7 = unlock, 10 = RemoteInteractive/RDP), 13 the workstation name the client reported, 19 the source IP; tokens 17/18 are the local process that requested the logon (lsass.exe, winlogon.exe, svchost.exe). The NOT LIKE '%$' clause drops machine accounts. With NLA enabled, failed RDP logons are recorded as type 3, not 10.
LogParser -i:EVT -o:DATAGRID "
SELECT TimeGenerated AS LogonTime, EXTRACT_TOKEN(Strings, 5, '|') AS UserName
, EXTRACT_TOKEN(Strings, 13, '|') AS WorkstationName
, EXTRACT_TOKEN(Strings, 10, '|') AS LogonType
, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP
, EXTRACT_TOKEN(Strings, 17, '|') AS CallerProcessId
, EXTRACT_TOKEN(Strings, 18, '|') AS CallerProcessName
FROM Security.evtx
WHERE EventID = 4625
AND UserName NOT LIKE '%$'
"
Event ID 4624 (logon success). Same layout as 4625 minus the failure fields, so the indices shift: token 8 is the logon type, 11 the workstation, 18 the source IP, 16/17 the caller process.
LogParser -i:EVT -o:DATAGRID "
SELECT TimeGenerated AS LogonTime, EXTRACT_TOKEN(Strings, 5, '|') AS UserName
, EXTRACT_TOKEN(Strings, 11, '|') AS WorkstationName
, EXTRACT_TOKEN(Strings, 8, '|') AS LogonType
, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP
, EXTRACT_TOKEN(Strings, 16, '|') AS CallerProcessId
, EXTRACT_TOKEN(Strings, 17, '|') AS CallerProcessName
FROM Security.evtx
WHERE EventID = 4624
AND UserName NOT LIKE '%$'
"
Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Events 21 (session logon succeeded) and 22 (shell start notification received) are written once a Remote Desktop session actually exists. Token 0 is the user, 1 the session ID, 2 the source network address (LOCAL for a console logon). 24 (session disconnected) and 25 (session reconnected) share the layout and give session duration.
Event ID 21 (session logon)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS LogonTime, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS UserName
, EXTRACT_TOKEN(Strings, 2, '|') AS SourceAddress
FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'
WHERE EventID = 21
"
Event ID 22 (shell start)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS LogonTime, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS UserName
, EXTRACT_TOKEN(Strings, 2, '|') AS SourceAddress
FROM 'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'
WHERE EventID = 22
"
Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Event ID 1149 ("Remote Desktop Services: User authentication succeeded"). Token 0 is the user, 1 the domain, 2 the source IP. Despite its wording, 1149 records that the RDP connection was accepted: only when NLA is enforced does it imply a valid credential, and it never by itself proves an interactive session. Pair it with a 4624 of logon type 10 and a 21 from the same source.
Event ID 1149 (connection record)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS LogonTime, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS UserName
, EXTRACT_TOKEN(Strings, 2, '|') AS SourceAddress
FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'
WHERE EventID = 1149
"
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx
Note: this log adds a few extra events (131, 140 and others) that record the source IP of every RDP connection attempt, including attempts that never reached authentication. Its default maximum size is only 1 MB, so it wraps quickly; raise the limit (wevtutil sl <channel> /ms:<bytes>) if you rely on it. For 131 ("The server accepted a new TCP connection from client ..."), token 0 is the transport and token 1 the client address and port.
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS SourceAddress
FROM 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx'
WHERE EventID = 131
"
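The row-by-row queries above become unreadable on a server that has been brute-forced for days. The added example below (not code from the original post) uses LogParser's GROUP BY / HAVING to summarise 4625 failures and 4624 type-10 successes per source address, then joins them in PowerShell to surface the brute-force-then-success pattern, with the 1149 connection count alongside. It assumes LogParser.exe is on PATH and that Security.evtx and the RemoteConnectionManager log are exports in the current directory; the failure threshold is illustrative.

```powershell
# Added example (not from the original post): per-source RDP summary using
# LogParser aggregation, joined in PowerShell. Assumes exports in the current
# directory and LogParser.exe on PATH; the HAVING threshold is illustrative.

function Invoke-LogParserCsv([string]$Query) {
    & LogParser.exe -i:EVT -o:CSV -q:ON $Query | ConvertFrom-Csv
}

# 4625 grouped by source IP, account and logon type. With NLA, RDP failures are type 3.
$failed = Invoke-LogParserCsv @"
SELECT EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP,
       EXTRACT_TOKEN(Strings, 5, '|') AS User,
       EXTRACT_TOKEN(Strings, 10, '|') AS LogonType,
       COUNT(*) AS Failures,
       MIN(TimeGenerated) AS FirstSeen, MAX(TimeGenerated) AS LastSeen
FROM Security.evtx
WHERE EventID = 4625 AND User NOT LIKE '%`$'
GROUP BY SourceIP, User, LogonType
HAVING Failures >= 10
ORDER BY Failures DESC
"@

# 4624 with logon type 10 (RemoteInteractive), grouped by source IP and account
$success = Invoke-LogParserCsv @"
SELECT EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP,
       EXTRACT_TOKEN(Strings, 5, '|') AS User,
       COUNT(*) AS Logons, MIN(TimeGenerated) AS FirstSeen
FROM Security.evtx
WHERE EventID = 4624 AND EXTRACT_TOKEN(Strings, 8, '|') = '10'
GROUP BY SourceIP, User
"@

# 1149 connections accepted by RemoteConnectionManager (token 2 = source IP)
$rcm = Invoke-LogParserCsv @"
SELECT EXTRACT_TOKEN(Strings, 2, '|') AS SourceIP, COUNT(*) AS Connections
FROM 'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'
WHERE EventID = 1149
GROUP BY SourceIP
"@

# Sources whose failure runs started before their first successful RDP logon
$hits = foreach ($s in $success) {
    $f = $failed | Where-Object {
        $_.SourceIP -eq $s.SourceIP -and [datetime]$_.FirstSeen -le [datetime]$s.FirstSeen
    }
    if ($f) {
        [pscustomobject]@{
            SourceIP       = $s.SourceIP
            User           = $s.User
            FailuresBefore = ($f | Measure-Object Failures -Sum).Sum
            FirstSuccess   = $s.FirstSeen
            RcmConnections = ($rcm | Where-Object SourceIP -eq $s.SourceIP).Connections
        }
    }
}
$hits | Sort-Object FailuresBefore -Descending | Format-Table -AutoSize
```

The aggregation runs inside LogParser, so the amount of data crossing into PowerShell is one row per source rather than one per attempt; the join is done in PowerShell because LogParser has no JOIN across input files.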
Outbound RDP connections made from this host
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers
This is the mstsc client history, not inbound logons: each subkey is a host the user connected to, and its UsernameHint value is the account name they typed. The key's LastWriteTime approximates the last connection. It covers only the user whose hive is loaded as HKCU; for other accounts, load their NTUSER.DAT or query HKEY_USERS\<SID>\SOFTWARE\Microsoft\Terminal Server Client\Servers. It is the quickest way to see where an attacker moved next after landing on this machine.
Query the target host, time and user name:
LogParser.exe -i:reg -o:datagrid "
SELECT LastWriteTime AS LastConnected, KeyName AS RemoteHost, Value AS UserName
FROM 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers'
WHERE ValueName = 'UsernameHint'
"
PowerShell execution records
Windows PowerShell.evtx
Starting a PowerShell host writes a burst of events to this log: engine lifecycle events 400 (engine started, state None to Available) and 403 (engine stopped), plus one provider lifecycle event 600 per provider loaded (Registry, Alias, Environment, FileSystem, Function, Variable and so on). Event 400 is the one that matters for triage: its details block contains HostApplication=<the full command line the host was started with>, so encoded or hidden-window launches are visible even when script block logging is off.
Event ID 400
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time
, EXTRACT_TOKEN(EXTRACT_TOKEN(Strings, 1, 'HostApplication='), 0, 'EngineVersion=') AS HostApplication
FROM 'Windows PowerShell.evtx'
WHERE EventID = 400
"
The nested EXTRACT_TOKEN takes everything after the first separator, then cuts at the second; what remains is the host command line plus line-break whitespace. In this log the keys are written without spaces (HostApplication=, EngineVersion=); the Operational log's 4103 below writes them as "Host Application = " and "Engine Version = ", so the separators differ between the two queries.
Focus on the HostApplication value.
Microsoft-Windows-PowerShell%4Operational.evtx
Event ID 4103 (Executing Pipeline, module logging). Written only when module logging is enabled (Group Policy: Turn on Module Logging); without it this log contains at most the 4104 script block events that PowerShell logs on its own for blocks it considers suspicious. The context block carries the same host command line as 400, under "Host Application = ".
logparser.exe -i:evt "
SELECT TimeGenerated AS Time, ComputerName, SID
, EXTRACT_TOKEN(EXTRACT_TOKEN(Strings, 1, 'Host Application = '), 0, 'Engine Version') AS HostApplication
FROM 'Microsoft-Windows-PowerShell%4Operational.evtx'
WHERE EventID = 4103
"
No -o:datagrid here: the datagrid truncates long values such as command lines, the default console output does not.
Process start and exit records
Note: these events need the audit policy secpol.msc > Local Policies > Audit Policy > Audit process tracking (Success). Token 8, the command line, stays empty unless Computer Configuration > Administrative Templates > System > Audit Process Creation > Include command line in process creation events is also enabled. Process IDs (tokens 4 and 7) are hex strings such as 0x1a2c, and token 13 (parent image) only exists on Windows 10 / Server 2016 and later.
Security.evtx Event ID 4688 (process creation)
LogParser.exe -i:EVT "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS UserName
, EXTRACT_TOKEN(Strings, 4, '|') AS ProcessId
, EXTRACT_TOKEN(Strings, 5, '|') AS ProcessName
, EXTRACT_TOKEN(Strings, 7, '|') AS ParentProcessId
, EXTRACT_TOKEN(Strings, 13, '|') AS ParentProcessName
, EXTRACT_TOKEN(Strings, 8, '|') AS CommandLine
FROM Security.evtx
WHERE EventID = 4688
"
Security.evtx Event ID 4689 (process exit). Token 4 is the exit status (hex, 0x0 = normal), 5 the PID, 6 the image path.
LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS Time
, EXTRACT_TOKEN(Strings, 1, '|') AS UserName
, EXTRACT_TOKEN(Strings, 5, '|') AS ProcessId
, EXTRACT_TOKEN(Strings, 6, '|') AS ProcessName
, EXTRACT_TOKEN(Strings, 4, '|') AS ExitStatus
FROM Security.evtx
WHERE EventID = 4689
"
Network connection review (Security.evtx, Event ID 5156)
Note: needs secpol.msc > Local Policies > Audit Policy > Audit object access (Success), or more precisely the Advanced Audit Policy subcategory Object Access > Audit Filtering Platform Connection. 5156 is written for every connection the Windows Filtering Platform permits, so the Security log fills very quickly once it is on; size the log accordingly. Token 2 is the direction code: %%14592 = Inbound, %%14593 = Outbound. Token 7 is the IP protocol number (6 = TCP, 17 = UDP).
Inbound connection requests (outside to inside)
LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS Application
, EXTRACT_TOKEN(Strings, 0, '|') AS ProcessId
, EXTRACT_TOKEN(Strings, 2, '|') AS Direction
, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP
, EXTRACT_TOKEN(Strings, 4, '|') AS SourcePort
, EXTRACT_TOKEN(Strings, 5, '|') AS DestIP
, EXTRACT_TOKEN(Strings, 6, '|') AS DestPort
, EXTRACT_TOKEN(Strings, 7, '|') AS Protocol
FROM Security.evtx
WHERE EventID = 5156 AND Direction = '%%14592'
"
Outbound connection requests (inside to outside)
LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS Application
, EXTRACT_TOKEN(Strings, 0, '|') AS ProcessId
, EXTRACT_TOKEN(Strings, 2, '|') AS Direction
, EXTRACT_TOKEN(Strings, 3, '|') AS SourceIP
, EXTRACT_TOKEN(Strings, 4, '|') AS SourcePort
, EXTRACT_TOKEN(Strings, 5, '|') AS DestIP
, EXTRACT_TOKEN(Strings, 6, '|') AS DestPort
, EXTRACT_TOKEN(Strings, 7, '|') AS Protocol
FROM Security.evtx
WHERE EventID = 5156 AND Direction = '%%14593'
"
Scheduled tasks
These events need the Advanced Audit Policy subcategory Object Access > Audit Other Object Access Events.
Scheduled task created (Event ID 4698). Token 1 is the creating account, 4 the task path and name, 5 the complete task definition as XML. The two splits on 'Exec>' and 'Enabled>' pull the <Exec> action body and the <Enabled> flag out of that XML; they are approximate (each returns the text up to the next matching tag, including a trailing "</") and miss ComHandler actions entirely.
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS CreatedAt
, EXTRACT_TOKEN(Strings, 1, '|') AS Creator
, EXTRACT_TOKEN(Strings, 4, '|') AS TaskName
, EXTRACT_TOKEN(Strings, 1, 'Exec>') AS ExecAction
, EXTRACT_TOKEN(Strings, 1, 'Enabled>') AS Enabled
FROM Security
WHERE EventID = 4698
"
Scheduled task deleted (Event ID 4699)
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS DeletedAt
, EXTRACT_TOKEN(Strings, 1, '|') AS DeletedBy
, EXTRACT_TOKEN(Strings, 4, '|') AS TaskName
FROM Security
WHERE EventID = 4699
"
User account creation, enabling and deletion
These events need Account Management auditing (secpol.msc > Local Policies > Audit Policy > Audit account management). In 4720, 4722 and 4726, token 0 is the account acted on and token 4 the account that performed the action.
User created (Event ID 4720)
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS CreatedAt
, EXTRACT_TOKEN(Strings, 0, '|') AS CreatedUser
, EXTRACT_TOKEN(Strings, 4, '|') AS Creator
FROM Security
WHERE EventID = 4720
"
User enabled (Event ID 4722)
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS EnabledAt
, EXTRACT_TOKEN(Strings, 0, '|') AS EnabledUser
, EXTRACT_TOKEN(Strings, 4, '|') AS EnabledBy
FROM Security
WHERE EventID = 4722
"
User deleted (Event ID 4726)
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS DeletedAt
, EXTRACT_TOKEN(Strings, 0, '|') AS DeletedUser
, EXTRACT_TOKEN(Strings, 4, '|') AS DeletedBy
FROM Security
WHERE EventID = 4726
"
Member added to a security-enabled local group (Event ID 4732). Token 0 is the member name and is frequently just "-", in which case token 1 holds the member's SID (LogParser's RESOLVE_SID() can translate it on the machine the log came from); token 2 is the group, 6 the account that made the change. 4733 (member removed) uses the same layout.
.\LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS ChangedAt
, EXTRACT_TOKEN(Strings, 0, '|') AS MemberName
, EXTRACT_TOKEN(Strings, 2, '|') AS GroupName
, EXTRACT_TOKEN(Strings, 6, '|') AS ChangedBy
FROM Security
WHERE EventID = 4732
"
Cobalt Strike review (Event ID 1057)
Enable the log
1. GUI
In Event Viewer, open Applications and Services Logs > Microsoft > Windows > Microsoft-Windows-WinINet > UsageLog and enable the log.
2. Command line
PS C:\Windows\system32> wevtutil sl Microsoft-Windows-WinINet/UsageLog /e:true
**** Warning: Enabling this type of log will clear it. Do you want to enable and clear this log? [y/n]:
y
Because this is an analytic-type channel it is off by default and cleared when enabled, so it only records activity from this point on; it cannot be used retrospectively on a host where it was never turned on.
Review: Event ID 1057
Look at the Event ID 1057 entries.
Notes:
Application-level remote logons
This part looks at Application.evtx, where server applications write their own logon events; the layout is application specific.
MSSQL remote logons
Event ID 18456 (login failed). Token 0 is the login name, 1 the reason, 2 the client in the form "[CLIENT: <ip>]". SourceName is MSSQLSERVER for the default instance or MSSQL$<instance> for a named one.
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, SourceName AS Source, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS LoginName
, EXTRACT_TOKEN(Strings, 1, '|') AS Reason
, EXTRACT_TOKEN(Strings, 2, '|') AS ClientIP
FROM Application.evtx
WHERE EventID = 18456
"
Event ID 18454 (login succeeded). Same token layout, except token 1 describes the connection (trusted = Windows authentication, non-trusted = SQL authentication). Only written when the instance's login auditing is set to record successful logins; the default records failures only.
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, SourceName AS Source, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS LoginName
, EXTRACT_TOKEN(Strings, 1, '|') AS Connection
, EXTRACT_TOKEN(Strings, 2, '|') AS ClientIP
FROM Application.evtx
WHERE EventID = 18454
"
Event ID 15457 (configuration option changed; check for xp_cmdshell)
Message: "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install." Token 0 is the option name, 1 the old value, 2 the new value; a new value of 1 means xp_cmdshell was enabled.
.\logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS Time, SourceName AS Source, ComputerName
, EXTRACT_TOKEN(Strings, 0, '|') AS OptionName
, EXTRACT_TOKEN(Strings, 1, '|') AS OldValue
, EXTRACT_TOKEN(Strings, 2, '|') AS NewValue
FROM Application.evtx
WHERE EventID = 15457
AND OptionName = 'xp_cmdshell'
"