Get-WinEvent
Understanding the importance of mass analysis of Windows Event Logs and Sysmon logs is pivotal in the realm of cybersecurity, especially in Incident Response (IR) and threat hunting scenarios. These logs hold invaluable information about the state of your systems, user activities, potential threats, system changes, and troubleshooting information.
Using Get-WinEvent
The Get-WinEvent cmdlet is a powerful PowerShell tool for querying Windows Event logs en masse. It can retrieve different types of event logs, including classic logs (such as the System and Application logs) and Event Tracing for Windows (ETW) logs.
Listing Available Logs
To retrieve a list of all logs and display key properties:
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize
Output Example
LogName            RecordCount IsClassicLog IsEnabled LogMode  LogType
-------            ----------- ------------ --------- -------  -------
Windows PowerShell        2916         True      True Circular Administrative
System                    1786         True      True Circular Administrative
Listing Event Providers
Event providers are sources of events in the logs. To list providers and their associated logs:
Get-WinEvent -ListProvider * | Format-Table -AutoSize
Retrieving Specific Events
System Log Events
Retrieve the first 50 events from the System log:
Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
WinRM Operational Log
Retrieve events from Microsoft-Windows-WinRM/Operational:
Get-WinEvent -LogName 'Microsoft-Windows-WinRM/Operational' -MaxEvents 30 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Filtering by Date Range
To filter events by date, specify a range:
$startDate = (Get-Date -Year 2023 -Month 5 -Day 28).Date
$endDate = (Get-Date -Year 2023 -Month 6 -Day 3).Date
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3; StartTime=$startDate; EndTime=$endDate} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Filtering by Event ID and Properties
Retrieve Sysmon event IDs 1 and 3:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize
Filtering with XML Content
Detect specific DLL loads (mscoree.dll and clr.dll) using an XML query. The two Data comparisons must be grouped in parentheses, because XPath binds "and" more tightly than "or"; without them the clr.dll branch would match regardless of EventID. Note that Sysmon records ImageLoaded as a full path, so this exact-match form only fires when the Data value is exactly that string; the event log XPath subset has no contains() function, so post-filter with Where-Object when a substring match is needed:
$Query = @"
<QueryList>
<Query Id="0">
<Select Path="Microsoft-Windows-Sysmon/Operational">*[System[(EventID=7)]] and (*[EventData[Data='mscoree.dll']] or *[EventData[Data='clr.dll']])</Select>
</Query>
</QueryList>
"@
Get-WinEvent -FilterXml $Query | ForEach-Object { Write-Host "$($_.Message)`n" }
Detecting Specific Network Connections
An example command to check for network connections to a specific IP:
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=3] and EventData[Data[@Name='DestinationIp']='52.113.194.132']]"
Viewing All Properties of a Sysmon Event
To get a detailed view of all properties in a Sysmon event:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} -MaxEvents 1 | Select-Object -Property *
Searching for Encoded Commands
Detect events where encoded commands (-enc) are used, often to obfuscate scripts. The Properties index is positional and shifts between Sysmon schema versions, so confirm which field index 21 holds on your Sysmon version with the Select-Object -Property * command above before relying on it:
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Properties[21].Value -like "*-enc*"} | Format-List
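As an added example (not code from the original page), the following reads Sysmon fields by their Name attribute in the event XML instead of a positional Properties index, then flags and decodes -enc payloads for triage; the function names and the sample event XML are constructed for illustration.

```powershell
# Added example (not from the original page). Reads Sysmon fields by their Name attribute
# in the event XML instead of a positional Properties[] index, then flags and decodes
# -enc/-EncodedCommand payloads for triage. The event XML below is constructed sample data.
function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $xml = [xml]$EventXml
    $fields = [ordered]@{
        EventID     = [int]$xml.Event.System.EventID
        TimeCreated = $xml.Event.System.TimeCreated.SystemTime
    }
    foreach ($d in $xml.Event.EventData.Data) {
        # The Name attribute (e.g. CommandLine) is stable across Sysmon versions; the index is not
        $fields[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]$fields
}

function Test-EncodedCommand {
    param([Parameter(Mandatory)]$Fields)
    # powershell.exe accepts -e, -enc or -EncodedCommand followed by base64 of a UTF-16LE script
    $pattern = '(?i)(?:^|\s)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})'
    foreach ($name in 'CommandLine', 'ParentCommandLine') {
        $value = $Fields.$name
        if ($value -and $value -match $pattern) {
            $decoded = try {
                [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
            } catch { '<not valid base64>' }
            [pscustomobject]@{ TimeCreated = $Fields.TimeCreated; Field = $name; Decoded = $decoded; Original = $value }
        }
    }
}

# Constructed sample event: a child powershell.exe launched with an encoded 'Get-Process'
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Process'))
$sampleXml = @"
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System><Provider Name='Microsoft-Windows-Sysmon'/><EventID>1</EventID>
    <TimeCreated SystemTime='2023-06-01T10:15:00.000Z'/></System>
  <EventData>
    <Data Name='Image'>C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name='CommandLine'>powershell.exe -NoProfile -enc $encoded</Data>
    <Data Name='ParentImage'>C:\Windows\System32\cmd.exe</Data>
    <Data Name='ParentCommandLine'>cmd.exe /c start</Data>
  </EventData>
</Event>
"@
Test-EncodedCommand -Fields (ConvertFrom-SysmonEventXml $sampleXml) | Format-List
# Live use: Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} |
#   ForEach-Object { Test-EncodedCommand -Fields (ConvertFrom-SysmonEventXml $_.ToXml()) }
```

Running the sample prints one hit on the CommandLine field with Decoded equal to Get-Process; the ParentCommandLine field is checked as well so the check does not depend on which process the encoded argument appears in.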
These examples demonstrate using Get-WinEvent for efficient log analysis, including filtering, XML queries, and detailed event inspection.