Get-WinEvent Timeline

Eventlog Analysis using Windows tool - Powershell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. Windows PowerShell 5.1 ships with Windows; PowerShell 7 also runs on Linux and macOS. Note that the older Get-EventLog and Get-WmiObject cmdlets used on this page exist only in Windows PowerShell, while Get-WinEvent and the CIM cmdlets work in both.

PowerShell makes administrators' lives easier when managing endpoints and servers. Why PowerShell? It is built on the .NET Common Language Runtime (CLR), so anything that exposes a .NET, COM, or WMI/CIM interface can be driven from the same shell.

From an incident response perspective, a responder needs the ability and skill to triage back to patient zero without dropping additional tools. Built-in Windows capabilities such as PowerShell can query and parse the event logs, which is of great use during triage.

Bread crumbs left during an incident need to be followed in time order. Responders cannot afford to wander through thousands of event records when time to resolution is critical, so the first step is to sort (or filter) events by the time they were created.

To put this to use, we can run the following syntax: Get-WinEvent -LogName <log_name> | Sort-Object TimeCreated

Get-WinEvent returns events newest first, so an ascending sort gives the timeline oldest first. Get-EventLog records do not have a TimeCreated property (their equivalent is TimeGenerated), Get-EventLog only reads the classic logs, and it is not available in PowerShell 7, so Get-WinEvent is the cmdlet to build the habit on.

 

We can also restrict the result to a time window, down to the second, using the StartTime and EndTime keys of a filter hashtable. This is filtering rather than sorting: the event log service returns only records inside the window, which is much faster than reading the whole log and sorting it.

To put this to use, we can run the following syntax:

Get-WinEvent -FilterHashtable @{LogName='<log_name>'; StartTime=[datetime]'<start_time>'; EndTime=[datetime]'<end_time>'}

In this case, we will filter for events created between 5:06:33 PM and 5:09:01 PM. The times are interpreted as local time on the host running the query, so convert TimeCreated to UTC when correlating across machines in different time zones.
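As an added example (not code from the original page), the following function builds a single timeline across several logs for a window such as the one above. The function name, the date, the log list and the output columns are assumptions; only the two clock times come from the text.

```powershell
# Added example, not from the original page. Assumptions: the date, the log list and
# that the shell is elevated (the Security log is not readable from a normal shell).
function Get-IrTimeline {
    param(
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string[]] $LogName = @('Security', 'System', 'Microsoft-Windows-PowerShell/Operational')
    )
    $events = foreach ($log in $LogName) {
        # FilterHashtable is applied by the event log service, so it is far faster than
        # reading the whole log and piping it through Where-Object. StartTime/EndTime are
        # inclusive and read as local time. A log with no record in the window raises a
        # non-terminating "No events were found" error, which is expected for a narrow
        # window, hence SilentlyContinue.
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
    }
    $events |
        Sort-Object TimeCreated |      # Get-WinEvent returns newest first; a timeline reads oldest first
        Select-Object TimeCreated,
            @{ n = 'Utc';     e = { $_.TimeCreated.ToUniversalTime().ToString('o') } },   # for cross-host correlation
            LogName, Id, LevelDisplayName, ProviderName,
            @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }                    # first line of the message
}

# The window from the text (5:06:33 PM to 5:09:01 PM) on an assumed date.
$timeline = Get-IrTimeline -Start '2024-03-14 17:06:33' -End '2024-03-14 17:09:01'
$timeline | Format-Table -AutoSize
$timeline | Export-Csv -Path "$env:TEMP\timeline.csv" -NoTypeInformation    # keep a copy with the case notes
```

Querying each log separately and merging afterwards keeps the per-log filtering server-side; the Summary column exists because full messages make a timeline unreadable, and the CSV export is what ends up in the case file.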

 

Get-WinEvent Hunt

Eventlog Analysis using Windows tool - Powershell


During an investigation, we may be asked to look for a specific event ID, particularly one related to account logon/logoff, process creation, or PowerShell activity. These records are typically the bread crumbs of an incident, and responders must be able to parse and follow them.

To put this to use, we can run the following syntax:

Get-WinEvent -FilterHashtable @{LogName='<log_name>'; Id=<event_id>}

The Id key accepts a list (Id=4624,4625), so related successes and failures can be pulled in one pass. We can then pipe the result to Format-List -Property * to display every property of each record, including the full Message text.

 

Get-EventLog Hunt

Eventlog Analysis using Windows tool - Powershell


To put this to use, we can run the following syntax: Get-EventLog -LogName Security | Where-Object { $_.EventID -eq 4624 }

In this case, we hunt for event ID 4624 (an account was successfully logged on), which lives in the Security log and requires an elevated shell. The -Newest parameter limits the result to the most recent records, but it is applied before the pipeline filter: Get-EventLog -LogName Security -Newest 100 | Where-Object { $_.EventID -eq 4624 } returns only the 4624 events among the newest 100 records of any ID. To get the newest N 4624 events, filter inside the cmdlet instead: Get-EventLog -LogName Security -InstanceId 4624 -Newest 10.

 

Out-GridView answers the question "How can we read these logs?"

To put this to work, pipe the result to Out-GridView to open an interactive grid where columns can be sorted and filtered. It needs a desktop session (it is unavailable on Server Core and in a plain remote shell); there, Export-Csv is the headless alternative.
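One worked example serves both the Get-WinEvent hunt and the Get-EventLog hunt above. It is an added example, not code from the original page: it hunts a specific event ID, keeps only the newest records (-MaxEvents is Get-WinEvent's counterpart of -Newest), flattens the record's XML payload so the fields inside the message become filterable properties, and finishes in Out-GridView. The helper name Get-EventDataObject, the record counts and the logon-type filter are assumptions; the event IDs and field names are the standard Security log ones.

```powershell
# Added example, not from the original page. Helper name and counts are assumptions.
function Get-EventDataObject {
    # Turns each <Data Name="..."> element of the record's XML into a property, so
    # TargetUserName, LogonType, IpAddress etc. become fields you can filter on
    # instead of text buried inside the Message string.
    param([Parameter(Mandatory, ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            RecordId    = $Event.RecordId
            Computer    = $xml.Event.System.Computer
        }
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $obj[$d.Name] = $d.'#text' }   # values arrive as strings; compare them as strings
        }
        [pscustomobject]$obj
    }
}

# Hunt: the newest 500 successful logons (4624). Id may also be a list, e.g. Id = 4624, 4625,
# to pull successes and failures together.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Get-EventDataObject

# Keep human-driven logon types (2 interactive, 3 network, 10 RDP) and drop machine accounts.
$logons |
    Where-Object { $_.LogonType -in '2', '3', '10' -and $_.TargetUserName -notlike '*$' } |
    Select-Object TimeCreated, TargetUserName, TargetDomainName, LogonType, IpAddress, WorkstationName, LogonProcessName |
    Sort-Object TimeCreated |
    Out-GridView -Title 'Successful logons (4624)'
    # headless host: replace the last line with  Export-Csv "$env:TEMP\logons.csv" -NoTypeInformation

# Same helper for process creation (4688). ParentProcessName is present on Windows 10 /
# Server 2016 and later; CommandLine is populated only when the audit policy
# "Include command line in process creation events" is enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 200 |
    Get-EventDataObject |
    Select-Object TimeCreated, SubjectUserName, NewProcessName, ParentProcessName, CommandLine |
    Format-Table -Wrap
```

Parsing the XML once per record is what makes the rest of the hunt cheap: every later question (which user, from which address, which logon type) is a Where-Object over properties rather than a regex over the Message text, and the same helper works for any provider that uses EventData.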

 

Baseline

Eventlog Analysis using Windows tool - Powershell


Why baseline? It answers the question "How can I detect abnormal behavior when I don't know what normal is?" A baseline is one of the best ways to know what is normal and abnormal inside the organization, especially on endpoints and critical systems: it is a clear record of what normal looks like. Taking a baseline periodically lets the organization detect abnormal behavior by comparing baselines gathered at different points in time.

How do we baseline events on an endpoint? We can run a short PowerShell pipeline that counts how often each event ID occurs in the desired log.

There are two methods:

1. Export the log to an .evtx file (for example with wevtutil epl, or from Event Viewer) and parse the file.

2. Parse the live log directly, without exporting.

The syntax for each method:

(1) Get-WinEvent -Path <path_to_.evtx> | Group-Object Id -NoElement | Sort-Object Count

(2) Get-WinEvent -FilterHashtable @{LogName='<log_name>'} | Group-Object Id -NoElement | Sort-Object Count

Add -Descending to Sort-Object to see the most frequent IDs first. Both methods give the same result when the .evtx is an export of the same log taken at the same time; the value of a baseline comes from saving that table and comparing a later run against it.
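The comparison step is what turns the count table into a detection, so here is an added example (not code from the original page) that snapshots event-ID frequencies per log and provider, saves the snapshot, and later diffs a fresh one against it. The function names, the 7-day window, the 3x ratio and the C:\IR path are assumptions.

```powershell
# Added example, not from the original page. Function names, the 7-day window, the
# 3x ratio and the C:\IR path are assumptions.
function Get-EventIdBaseline {
    # One row per (log, provider, event ID) with its count, either from the live logs
    # (method 2 in the text) or from an exported .evtx (method 1).
    param(
        [string[]] $LogName = @('Security', 'System', 'Application'),
        [datetime] $Since   = (Get-Date).AddDays(-7),
        [string]   $Path
    )
    $events = if ($Path) {
        Get-WinEvent -Path $Path
    } else {
        foreach ($log in $LogName) {
            Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $Since } -ErrorAction SilentlyContinue
        }
    }
    $events | Group-Object LogName, ProviderName, Id -NoElement | ForEach-Object {
        [pscustomobject]@{
            Log      = $_.Values[0]
            Provider = $_.Values[1]
            Id       = [int]$_.Values[2]
            Count    = $_.Count
        }
    }
}

function Compare-EventIdBaseline {
    # Reports IDs that never occurred in the baseline, and IDs whose count grew by more
    # than $Ratio. Both snapshots must cover windows of the same length or the ratio is
    # meaningless.
    param([Parameter(Mandatory)] $Baseline, [Parameter(Mandatory)] $Current, [double] $Ratio = 3.0)
    $base = @{}
    foreach ($b in $Baseline) { $base["$($b.Log)|$($b.Provider)|$($b.Id)"] = $b.Count }
    foreach ($c in $Current) {
        $key = "$($c.Log)|$($c.Provider)|$($c.Id)"
        $finding = if (-not $base.ContainsKey($key)) { 'event ID not seen in baseline' }
                   elseif ($c.Count -gt $base[$key] * $Ratio) { "count rose from $($base[$key]) to $($c.Count)" }
        if ($finding) {
            [pscustomobject]@{ Log = $c.Log; Provider = $c.Provider; Id = $c.Id; Count = $c.Count; Finding = $finding }
        }
    }
}

# Day 0, on a known-good host: take the snapshot and keep it (Export-Clixml preserves types).
$dir = 'C:\IR'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
Get-EventIdBaseline | Export-Clixml "$dir\baseline-$env:COMPUTERNAME.xml"

# Later (or on a suspect host built from the same image): compare.
$baseline = Import-Clixml "$dir\baseline-$env:COMPUTERNAME.xml"
Compare-EventIdBaseline -Baseline $baseline -Current (Get-EventIdBaseline) |
    Sort-Object Count -Descending | Format-Table -AutoSize

# Offline variant: export the log first, then baseline the file.
#   wevtutil epl Security C:\IR\Security.evtx
#   Get-EventIdBaseline -Path C:\IR\Security.evtx
```

Grouping by provider as well as ID matters because IDs are only unique per provider (4624 from Security-Auditing and 4624 from an application log are unrelated). A new ID appearing at all is usually the more interesting signal than a count change, so it is reported regardless of the ratio.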

 

Powershell CIM

Endpoint Analysis using Windows tool - Powershell


From an incident response perspective, a responder needs the ability and skill to triage back to patient zero; doing so with the built-in Windows features and no additional tools makes the investigation easier and faster.

From an attacker's perspective, the same tooling is an advantage when triaging inside a compromised organization: (1) it mimics administrative tasks, so the activity is less likely to be flagged; (2) no additional tools have to be dropped on disk. This is part of the "living off the land" technique, which buys the attacker time to look around without making too much noise, and it is why the responder should know what normal administrative use of these cmdlets looks like.

PowerShell's Get-CimInstance cmdlet retrieves the instances of a CIM class from a CIM server, by default the local WMI service. Get-WmiObject is its older equivalent and is not available in PowerShell 7.

The syntax is as follows; in this case, to query a process's name, PID and parent PID, the class is Win32_Process and the properties are Name, ProcessId and ParentProcessId:

Get-CimInstance -ClassName Win32_<class_name> -Filter "Name = '<object_name>'" | Select-Object <object_property>

To apply a further condition to the previous query, we can pipe it to Where-Object. Filter before Select-Object, or make sure the property you test is among the selected ones, otherwise Where-Object sees nothing to compare:

Get-CimInstance -ClassName Win32_<class_name> -Filter "Name = '<object_name>'" | Where-Object { $_.ParentProcessId -eq <pid> } | Select-Object <object_property>

The -Filter argument is a WQL expression evaluated by the provider, so it is cheaper than Where-Object; a condition on ParentProcessId can also be written straight into it with AND.
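The name/PID/parent-PID query above is the building block of a process-tree review, so here is an added example (not code from the original page) that pulls every process once through CIM, resolves each parent, adds the owning account, and flags a few parent/child pairs that rarely occur legitimately. The process-name lists, the trusted-path prefixes and the helper name Get-ParentChain are assumptions; the flags are review cues, not verdicts.

```powershell
# Added example, not from the original page. The process name lists and the trusted
# path prefixes are assumptions; flagged rows are review cues, not verdicts.
$procs = Get-CimInstance -ClassName Win32_Process    # keep the CimInstance objects: GetOwner needs them
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

$officeApps = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe'
$lolbins    = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe',
              'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
$trusted    = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$tree = foreach ($p in $procs) {
    $parent = $byPid[[int]$p.ParentProcessId]
    # PIDs are reused: if the process now holding the parent PID started after the child,
    # the real parent has exited and this one is unrelated.
    $parentName = if ($parent -and -not ($parent.CreationDate -gt $p.CreationDate)) { $parent.Name } else { '<exited>' }
    # GetOwner is a CIM method, not a property; protected processes return no User.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction SilentlyContinue
    $findings = @()
    if ($p.Name -in $lolbins -and $parentName -in $officeApps)                        { $findings += 'shell spawned by Office/PDF reader' }
    if ($p.Name -eq 'svchost.exe' -and $parentName -notin 'services.exe', '<exited>') { $findings += 'svchost not started by services.exe' }
    if ($p.ExecutablePath -and -not ($trusted | Where-Object { $p.ExecutablePath.StartsWith($_, 'OrdinalIgnoreCase') })) {
        $findings += 'binary outside Windows/Program Files'
    }
    [pscustomobject]@{
        Pid       = $p.ProcessId
        Name      = $p.Name
        ParentPid = $p.ParentProcessId
        Parent    = $parentName
        User      = if ($owner.User) { "$($owner.Domain)\$($owner.User)" } else { '' }
        Started   = $p.CreationDate
        Path      = $p.ExecutablePath
        Command   = $p.CommandLine
        Findings  = $findings -join '; '
    }
}

# The query from the text, answered from the table: one process and its ancestry.
function Get-ParentChain([int] $ProcessId) {
    while ($byPid.ContainsKey($ProcessId)) {
        $p = $byPid[$ProcessId]
        '{0,6}  {1}' -f $p.ProcessId, $p.Name
        if ([int]$p.ParentProcessId -eq $ProcessId) { break }   # PID 0 lists itself as parent
        $ProcessId = [int]$p.ParentProcessId
    }
}

$tree | Where-Object Findings | Format-Table Pid, Name, Parent, User, Findings -AutoSize
$tree | Out-GridView -Title 'Process tree'
Get-ParentChain -ProcessId $PID     # this PowerShell and whatever launched it
```

Win32_Process only stores the parent's PID, not its name, which is why the table is built in memory first; the CreationDate comparison is the cheap defence against PID reuse, and the owner lookup is the detail Get-Process does not give you without elevation tricks.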

 

Powershell services

Endpoint Analysis using Windows tool - Powershell


PowerShell can query services through Get-Service and through the Win32_Service class (Get-WmiObject in Windows PowerShell, Get-CimInstance in both Windows PowerShell and PowerShell 7). Get-Service shows name, display name and status; Win32_Service adds the fields a responder actually wants, such as PathName (the binary and its arguments), StartMode and StartName (the account the service runs as).

To put this to work, run the following syntax:

To view all services, or a specific service: Get-Service <service_name>

To view the WMI properties of a specific service:

Get-WmiObject -Class Win32_Service -Filter "Name = '<service_name>'" -Property <property_name>

-Property limits the returned properties; omit it to see them all. The equivalent with the CIM cmdlet takes the same -Filter and -Property arguments: Get-CimInstance -ClassName Win32_Service -Filter "Name = '<service_name>'" -Property <property_name>.
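Because PathName, StartMode and StartName are where persistence and privilege-escalation problems show up, here is an added example (not code from the original page) that reviews every service for a binary outside the usual locations, a missing or invalid Authenticode signature, and an unquoted path containing spaces. The helper name Get-ServiceBinaryPath and the trusted-path list are assumptions; matches are things to look at, not verdicts.

```powershell
# Added example, not from the original page. The trusted-path list and the review
# cues are assumptions; treat matches as things to look at, not verdicts.
function Get-ServiceBinaryPath {
    # PathName holds the binary plus arguments, quoted or not, e.g.
    #   "C:\Program Files\Vendor\svc.exe" -run      or      C:\Windows\system32\svchost.exe -k netsvcs
    param([string] $PathName)
    if (-not $PathName) { return $null }
    if ($PathName.StartsWith('"')) { return $PathName.Split('"')[1] }
    $m = [regex]::Match($PathName, '^(.+?\.exe)\b', 'IgnoreCase')
    if ($m.Success) { $m.Groups[1].Value } else { $PathName.Split(' ')[0] }
}

$trusted = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

# Get-WmiObject -Class Win32_Service returns the same properties in Windows PowerShell.
$report = Get-CimInstance -ClassName Win32_Service | ForEach-Object {
    $svc = $_
    $bin = Get-ServiceBinaryPath $svc.PathName
    $sig = if ($bin -and (Test-Path -LiteralPath $bin)) { (Get-AuthenticodeSignature -LiteralPath $bin).Status } else { 'FileMissing' }
    $findings = @()
    if ($bin -and -not ($trusted | Where-Object { $bin.StartsWith($_, 'OrdinalIgnoreCase') })) { $findings += 'binary outside Windows/Program Files' }
    if ($sig -ne 'Valid') { $findings += "signature $sig" }
    # Unquoted path with spaces: the service manager tries C:\Program.exe, C:\Program Files\Vendor.exe ...
    # before the real binary, so a writable parent directory gives a local privilege escalation.
    if ($svc.PathName -and -not $svc.PathName.StartsWith('"') -and $bin -match ' ') { $findings += 'unquoted path with spaces' }
    if ($findings -and $svc.StartName -eq 'LocalSystem' -and $svc.StartMode -eq 'Auto') { $findings += 'runs as SYSTEM at boot' }
    [pscustomobject]@{
        Name      = $svc.Name
        State     = $svc.State
        StartMode = $svc.StartMode
        RunsAs    = $svc.StartName
        Pid       = $svc.ProcessId
        Binary    = $bin
        Signature = $sig
        Findings  = $findings -join '; '
    }
}

$report | Where-Object Findings | Sort-Object Name | Format-Table Name, State, RunsAs, Binary, Findings -AutoSize
$report | Export-Csv "$env:TEMP\services.csv" -NoTypeInformation
```

Get-AuthenticodeSignature verifies catalog-signed OS binaries on current Windows, but on older builds they can show as NotSigned; treat the signature column as a cue and the path checks as the stronger signal. Keep the full CSV as well: the interesting service on a compromised host is often one whose name looks perfectly ordinary.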

 

Powershell WMIObject

Endpoint Analysis using Windows tool - Powershell


Powershell localuser

Endpoint Analysis using Windows tool - Powershell


We can list the local users through PowerShell and select the properties that matter for triage, such as Name, Enabled, LastLogon and PasswordLastSet. Get-LocalUser objects have no LogonType property; logon types are recorded per logon in the Security log (event 4624), not on the account, so selecting that name only produces an empty column.

To achieve this, run the following syntax: Get-LocalUser | Select-Object -Property Name, Enabled, LastLogon, PasswordLastSet

 

Powershell

Endpoint Analysis using Windows tool - Powershell


wmic users

Endpoint Analysis using Windows tool - wmic

Windows Management Instrumentation (WMI) is the infrastructure for management data and operations on Windows operating systems. It can automate administrative tasks on local and remote computers, and the ability to obtain management data from remote computers is what makes it useful. You can query it from the WMI command line (wmic). Note that wmic has been deprecated since Windows 10 21H1 and is being removed from current Windows builds; the PowerShell CIM cmdlets query the same classes and are the forward-compatible way to do this.


We can use WMI to query user accounts; run the following syntax: wmic useraccount list brief

This lists the Win32_UserAccount class (account type, caption, domain, full name, name and SID). On a domain-joined host an unfiltered query enumerates every domain account as well, which is slow and noisy, so add a where clause on LocalAccount=True when only the local accounts matter.
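One worked example serves both the Get-LocalUser section and the wmic query above. It is an added example, not code from the original page: Get-LocalUser supplies the logon and password timestamps, Win32_UserAccount (the class behind wmic useraccount) supplies SID, account type and lockout state, and Get-LocalGroupMember shows who is a local administrator. The 30-day window and the review cues are assumptions.

```powershell
# Added example, not from the original page. The 30-day window is an assumption.
# Filtering on LocalAccount = True matters: without it a domain-joined host walks the domain.
$cutoff = (Get-Date).AddDays(-30)

$users = Get-LocalUser
$cim   = Get-CimInstance -ClassName Win32_UserAccount -Filter 'LocalAccount = True'
# wmic equivalent of the line above:
#   wmic useraccount where "LocalAccount=True" get Name,SID,Disabled,Lockout,PasswordRequired
# Get-LocalGroupMember can throw on orphaned domain SIDs in the group, hence the try/catch.
$admins = try { (Get-LocalGroupMember -Group 'Administrators').SID.Value } catch { @() }

$review = foreach ($u in $users) {
    $c   = $cim | Where-Object SID -eq $u.SID.Value
    $rid = [int]($u.SID.Value -split '-')[-1]      # RID >= 1000: created after installation; 500/501 are Administrator/Guest
    $findings = @()
    if ($u.Enabled -and $rid -ge 1000 -and $u.PasswordLastSet -ge $cutoff) { $findings += 'new or recently reset account' }
    if ($u.Enabled -and -not $u.PasswordRequired)                           { $findings += 'no password required' }
    if ($u.Enabled -and $rid -in 500, 501)                                  { $findings += 'built-in Administrator/Guest enabled' }
    if ($u.SID.Value -in $admins)                                           { $findings += 'member of Administrators' }
    if ($c.Lockout)                                                         { $findings += 'locked out (failed logons)' }
    [pscustomobject]@{
        Name            = $u.Name
        Enabled         = $u.Enabled
        RID             = $rid
        LastLogon       = $u.LastLogon
        PasswordLastSet = $u.PasswordLastSet
        AccountType     = $c.AccountType
        SID             = $u.SID.Value
        Findings        = $findings -join '; '
    }
}

$review | Sort-Object Enabled -Descending, Name | Format-Table -AutoSize
$review | Export-Csv "$env:TEMP\local-accounts.csv" -NoTypeInformation
```

Matching the two sources on SID rather than on name is deliberate: a renamed built-in Administrator keeps RID 500, and a freshly created account that mimics a legitimate name still has a high RID and a recent PasswordLastSet, which is the cheapest indicator of an attacker-created local account when no creation timestamp is available.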