PowerShell Quick Guide: Working with Event Logs Like a Pro


Hey there, fellow threat hunters! 👋 Today we're diving into the fascinating world of Windows Event Logs with PowerShell. Sure, the Event Viewer GUI is nice, but real pros use PowerShell to get exactly what they need. Let's cut through the noise and get to the good stuff!

The Basics

Event viewer: Overview

First things first - let's see what we're working with. Here's how to get a list of available logs:

Get-WinEvent -ListLog * | Where-Object {$_.RecordCount -gt 0} | Select-Object LogName, RecordCount

Finding the Important Stuff

Nobody wants to scroll through thousands of events. Here's how to find what matters:

# Get last 50 Error events from System log
Get-WinEvent -FilterHashtable @{
    LogName = 'System'
    Level = 2  # Error level
} -MaxEvents 50

# Look for recent failed logons across your domain
$start = (Get-Date).AddHours(-1)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4625  # Failed logon attempts
    StartTime = $start
} -ErrorAction SilentlyContinue  # Handles case when no events are found

Domain Controller Logs

For Active Directory environments, the most valuable logs are often on your Domain Controllers. Here's how to access them:

# Access DC logs remotely
$dc = "DC01.domain.name"
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName = 'Security'
    ID = 4624  # Successful logon
    StartTime = (Get-Date).AddHours(-1)
} -ErrorAction SilentlyContinue

# Or connect directly to your DC and run:
Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'  # AD-specific events
    Level = 2  # Error level
} -MaxEvents 50

Pro tip: Always check these logs on your Domain Controllers:

  • Security: For authentication and security-related events
  • Directory Service: For AD replication and changes
  • DNS Server: For DNS-related issues
  • DFS Replication: If using DFS

Handling No Results

Sometimes you won't find any events matching your criteria. Let's handle that gracefully:

try {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Security'
        ID = 4625
        StartTime = (Get-Date).AddHours(-1)
    } -ErrorAction Stop
} catch {
    if ($_.Exception.Message -like '*No events were found*') {
        Write-Host "No matching events in the last hour"
    } else {
        Write-Host "Error: $($_.Exception.Message)"
    }
}

Common Security Event IDs

Here are some event IDs you'll want to know:

  • 4624: Successful logon
  • 4625: Failed logon
  • 4688: New process created
  • 4720: User account created
  • 1102: Audit log cleared (Someone's hiding something?)
  • 4647: User initiated logoff
  • 4723: Password change attempt

Making It Useful

Let's create something actually useful - checking for potential brute force attempts:

# Find repeated failed logons (Properties[] indexes follow the EventData layout of event 4625)
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4625
} -MaxEvents 1000 -ErrorAction SilentlyContinue |
Select-Object TimeCreated,
    @{N='Username';E={$_.Properties[5].Value}},  # TargetUserName
    @{N='Source';E={$_.Properties[19].Value}} |  # IpAddress of the client that failed
Group-Object Username |
Where-Object {$_.Count -gt 10}
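As an added example (not from the original post), the same brute-force check turned into a function: it reads the 4625 fields by name from the event XML instead of counting on Properties[] positions, treats the "no events" exception as an empty result the way the Handling No Results section does, and groups by source address so that one host hitting many accounts (a spray) shows up as well as many tries against one account. The function name, window and threshold values are assumptions.

```powershell
# Added example, not from the original post. Function name, window and
# threshold values are assumptions; the event fields are those of Security 4625.
function Find-FailedLogonBursts {
    [CmdletBinding()]
    param(
        [int]$Hours = 1,                        # look-back window
        [int]$Threshold = 10,                   # failures from one source before it is reported
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 5000
    )

    $filter = @{ LogName = 'Security'; ID = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

    try {
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when nothing matches; treat that as an empty result, rethrow anything else
        if ($_.Exception.Message -like '*No events were found*') { return @() }
        throw
    }

    $rows = foreach ($e in $events) {
        # Read EventData by field name from the event XML instead of relying on Properties[] positions
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Account     = $data['TargetUserName']
            IpAddress   = $data['IpAddress']
            LogonType   = $data['LogonType']
            SubStatus   = $data['SubStatus']    # 0xC000006A bad password, 0xC0000064 unknown user, 0xC0000234 locked out
        }
    }

    $rows | Group-Object IpAddress | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
        [pscustomobject]@{
            IpAddress        = $_.Name
            Failures         = $_.Count
            # many distinct accounts from one source looks like spraying; few accounts, many tries looks like brute force
            DistinctAccounts = @($_.Group.Account | Sort-Object -Unique).Count
            FirstSeen        = ($_.Group.TimeCreated | Sort-Object)[0]
            LastSeen         = ($_.Group.TimeCreated | Sort-Object)[-1]
        }
    } | Sort-Object Failures -Descending
}

Find-FailedLogonBursts -Hours 1 -Threshold 10 | Format-Table -AutoSize
```

Run it against a Domain Controller with -ComputerName to see the whole domain's failures in one place; an IpAddress of "-" means the event carried no network source (local or service logons).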

Exporting for Analysis

Found something interesting? Export it for further analysis:

# Export to CSV with custom properties
Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    ID = 4688  # New process created
} -MaxEvents 100 -ErrorAction SilentlyContinue | 
Select-Object TimeCreated,
    @{N='Process';E={$_.Properties[5].Value}},   # NewProcessName
    @{N='Creator';E={$_.Properties[13].Value}} | # ParentProcessName (the process that spawned it)
Export-Csv -Path ".\new_processes.csv" -NoTypeInformation

Pro Tips

  • Use FilterHashtable: It filters on the log side before events are returned, so it's WAY faster than pulling everything and piping to Where-Object
  • Always handle errors: Use -ErrorAction SilentlyContinue or try/catch blocks
  • Test your filters: Start with a small MaxEvents value to verify your properties
  • Check your permissions: Some logs need admin rights to access
  • Remote collection: Use -ComputerName parameter for remote systems (requires appropriate permissions)
  • DC logs are gold: Most security events in an AD environment are best found on Domain Controllers

Wrapping Up

Event logs are a goldmine of information if you know how to dig. These PowerShell commands will help you find what you need without drowning in the noise.

Stay safe, and happy hunting! 🕵️‍♂️

P.S. Remember to check your event log sizes and retention policies - nothing worse than missing logs when you need them!
