Logs analytics

There are three main ways of accessing event logs within a Windows system

• Event Viewer (GUI-based application)
• Wevtutil.exe (command-line tool) -> "enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs."
• Get-WinEvent (PowerShell cmdlet) gets data from event logs
  • Get-WinEvent -LogName Application | Where-Object { $_.ProviderName -Match 'WLMS' }
  • one recommendation is to use filters Link
  • Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; ID=4104} | Select-Object -Property Message | Select-String -Pattern 'SecureString'

Some documentation of Event Viewer can be found here

We can use tools that are available for filtering events, these are:

• XPath queries can be used using wevtutil.exe or Get-WinEvent

  • Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

• Get-WinEvent -Path <Path to Log> -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444'

• Filter by Event ID: */System/EventID=<ID>

• Filter by XML Attribute/Name: */EventData/Data[@Name="<XML Attribute/Name>"]

• Filter by Event Data: */EventData/Data=<Data>

These are some useful tools to know the IDs in use.

• Windows Logging Cheat Sheet
• Spotting the Adversary with Windows Event Log Monitoring
• MITRE ATT&CK
• The Windows 10 and Windows Server 2016 Security Auditing and Monitoring Reference

Malware Common Ports Spreadsheet

Sysmon

From Microsoft Docs, "System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network."

Events within Sysmon are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational. Sysmon requires a config file, there is an example of it

Command used to start sysmon Sysmon.exe -accepteula -i sysmonconfig-export.xml

The event log is located under Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

OSquery

It is an open-source tool developed by Meta. We can query an endpoint using SQL sintax.

osqueryi

• To list all the available tables that can be queried, use the .tables
• Tables are associated with processes, you can use .tables process
• .schema processes prints the columns and their types of a table

Kolide Fleet

Another open-source Osquery Fleet Manager is Kolide Fleet, this tool allows us to query multiple endpoints.

Osquery extensions:

• https://github.com/trailofbits/osquery-extensions
• https://github.com/polylogyx/osq-ext-bin

Sigma

As per the GitHub repo, "Sigma is a generic and open signature format that allows you to describe relevant log events in a straightforward manner. The rule format is very flexible, easy to write, and applicable to any type of log file. The main purpose of this project is to provide a structured form in which researchers or analysts can describe their once developed detection methods and make them shareable with others."

Sigma is an effective way to share rules between SIEMs, some of them are:

• Splunk
• Microsoft Defender Advanced Threat Protection
• Azure Sentinel
• ArcSight
• QRadar

The rules are written in YAML. There are some online tools Uncoder.io], github