# Get-WinEvent

Mass analysis of Windows Event Logs and Sysmon logs is central to cybersecurity work, especially in Incident Response (IR) and threat hunting. These logs record the state of your systems, user activity, indicators of potential threats, system changes, and troubleshooting information.

### Using Get-WinEvent

The `Get-WinEvent` cmdlet is a powerful tool in PowerShell for querying Windows Event logs en masse. It allows the retrieval of different types of event logs, including classic logs (like System and Application logs) and Event Tracing for Windows (ETW) logs.

#### Listing Available Logs

To retrieve a list of all logs and display key properties:

```
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize
```

**Output Example**

| LogName            | RecordCount | IsClassicLog | IsEnabled | LogMode  | LogType        |
| ------------------ | ----------- | ------------ | --------- | -------- | -------------- |
| Windows PowerShell | 2916        | True         | True      | Circular | Administrative |
| System             | 1786        | True         | True      | Circular | Administrative |

#### Listing Event Providers

Event providers are sources of events in the logs. To list providers and their associated logs:

```
Get-WinEvent -ListProvider * | Format-Table -AutoSize
```

#### Retrieving Specific Events

**System Log Events**

Retrieve the 50 most recent events from the System log (`Get-WinEvent` returns newest first; add `-Oldest` to reverse the order):

```
Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
```

**WinRM Operational Log**

Retrieve events from `Microsoft-Windows-WinRM/Operational`:

```
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 30 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
```

#### Filtering by Date Range

To filter events by date, specify a range:

```
$startDate = (Get-Date -Year 2023 -Month 5 -Day 28).Date
$endDate   = (Get-Date -Year 2023 -Month 6 -Day 3).Date
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3; StartTime=$startDate; EndTime=$endDate} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
```

#### Filtering by Event ID and Properties

Retrieve Sysmon event IDs 1 and 3:

```
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
```

#### Filtering with XML Content

Detect loads of the .NET runtime DLLs `mscoree.dll` and `clr.dll` (Sysmon event ID 7, image load) using an XML query. In XPath `and` binds tighter than `or`, so both file names are grouped inside a single predicate to keep the `EventID=7` condition applying to both; a `Data` test without `@Name` matches any EventData field (here the bare file name is matched by `OriginalFileName`, since `ImageLoaded` holds the full path):

```
# Both file names sit in one EventData predicate so EventID=7 applies to both branches.
$Query = @"
<QueryList>
    <Query Id="0">
        <Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=7)]] and *[EventData[Data='mscoree.dll' or Data='clr.dll']]</Select>
    </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $Query | ForEach-Object {Write-Host $_.Message `n}
```

#### Detecting Specific Network Connections

Sysmon event ID 3 records network connections. This query uses `-FilterXPath` with the `@Name` attribute to match one specific EventData field, the destination IP:

```
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=3] and EventData[Data[@Name='DestinationIp']='52.113.194.132']]"
```

#### Viewing All Properties of a Sysmon Event

To get a detailed view of all properties in a Sysmon event:

```
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 1 | Select-Object -Property *
```

#### Searching for Encoded Commands

Finds process-creation events whose command line passes a Base64-encoded command (`-enc`, an abbreviation of `-EncodedCommand`), a common way to obfuscate PowerShell scripts. Note that `Properties[]` is positional and its indices depend on the Sysmon schema version; in current schemas index 10 is `CommandLine` and index 21 is `ParentCommandLine`, so confirm the index against the property dump above before relying on it:

```
# Properties[] is positional: in current Sysmon schemas index 21 is ParentCommandLine
# and index 10 is CommandLine; verify the index for your Sysmon version first.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Properties[21].Value -like "*-enc*"} | Format-List
```
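As an added example (not part of the original page), the following reads Sysmon fields by name from the event XML instead of by `Properties[]` position, flags process creations whose own command line carries an encoded command, and decodes the payload for triage; the function names, the regex and the 200-character preview are this example's own choices.

```powershell
# Added example, not from the original page: read Sysmon EventData fields by
# their Name attribute instead of by Properties[] index, which shifts between
# Sysmon schema versions. Function names and the regex are this example's own.
function ConvertFrom-SysmonEvent {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml    = [xml]$Event.ToXml()
        $fields = [ordered]@{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id; RecordId = $Event.RecordId }
        # Each <Data Name="CommandLine">...</Data> element becomes a named property.
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Flag Sysmon process creations (ID 1) whose own CommandLine passes an encoded
# PowerShell command, and decode the Base64 (UTF-16LE) payload for analyst review.
function Find-EncodedPowerShell {
    param([int]$MaxEvents = 5000)
    # Common spellings; PowerShell also accepts other unambiguous prefixes of -EncodedCommand.
    $pattern = '(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+(?<b64>[A-Za-z0-9+/=]{8,})'
    Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ConvertFrom-SysmonEvent |
        Where-Object { $_.CommandLine -match $pattern } |
        ForEach-Object {
            $null = $_.CommandLine -match $pattern   # repopulate $Matches in this scope
            $decoded = try {
                [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches['b64']))
            } catch { '<not valid Base64>' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = $_.User
                Image       = $_.Image
                ParentImage = $_.ParentImage
                CommandLine = $_.CommandLine
                Decoded     = $decoded.Substring(0, [Math]::Min(200, $decoded.Length))  # preview only
            }
        }
}

Find-EncodedPowerShell -MaxEvents 2000 | Format-List
```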

These examples demonstrate using `Get-WinEvent` for efficient log analysis, including filtering, XML queries, and detailed event inspection.
