Closed · 2015/07/29 10:27

0x01 Preface


In day-to-day work, and above all during incident response, you will need to analyze Windows security logs when a security event involves a compromised Windows domain controller. Such logs are usually very large, so being able to analyze them efficiently and pull out the information you actually need is critical. Here I recommend a Windows log analysis tool I use often, LogParser; the current version is 2.2.

0x02 LogParser Description


First, let's look at the LogParser architecture diagram. Being familiar with this diagram will help you understand and use LogParser.

In short, input sources (logs in various formats) are processed by SQL statements (run through LogParser's SQL engine) and written out in whatever output format we want.

1. Input source

The input source has a fixed format, such as EVT (event log) or Registry. For each input format the set of available fields is fixed; you can list them with LogParser -h -i:EVT (EVT is used as the example here):

The help output also shows some optional parameters that control how a query is run, but what we need to focus on is the list of fields contained in a particular log type (these are what the SELECT clause of an SQL query refers to):

For the meaning of each field, we can refer to the reference section of the documentation shipped with LogParser, again using EVT (event log) as the example:

2. Output source

Output can take many forms: text (CSV, etc.), a database table, charts, or customized files built from a template (TPL). Choose according to your needs; this part is quite flexible.

0x03 Basic Query Structure


With input and output sources in mind, let's look at a basic query structure:

LogParser.exe -i:EVT -o:DATAGRID "SELECT * FROM E:\logparser\xx.evtx"

This is a basic query with input EVT (event log) and output DATAGRID (grid), followed by an SQL statement that selects all fields from E:\logparser\xx.evtx. The result is a grid:

By now you will have understood the idea: for Windows security log analysis we only need to pull out the key fields used for judgment or comparison, and we can extract the information we want from an otherwise huge Windows security log.

0x04 Windows Security Log Analysis


For Windows security log analysis, we pull out the values we care about according to our own analysis needs and then run statistics, matching and comparison on them to obtain information efficiently. Here we quickly select the records we care about through the Event ID of the Windows security log. Different Event IDs have different meanings; these are easy to look up on the Internet, but the ones we use here are listed below.

| Event ID | Task category | Explanation |
|---|---|---|
| 540 | Logon/Logoff | Event 540 gets logged when a user elsewhere on the network connects to a resource (e.g. a shared folder) provided by the Server service on this computer. The Logon Type will always be 3 or 8, both of which indicate a network logon. |
| 538 | Logon/Logoff | Ostensibly, event 538 is logged whenever a user logs off, whether from a network connection, interactive logon, or other logon type. For network connections (such as to a file server), it will appear that users log on and off many times a day. This phenomenon is caused by the way the Server service terminates idle connections. |
| 528 | | (The description for this event was an image in the original and is not recoverable.) |
| 675 | Account Logon | When a user attempts to log on at a workstation and uses a valid domain account name but enters a bad password, the DC records event ID 675 (pre-authentication failed) with Failure Code 24. By reviewing each of your DC Security logs for this event and failure code, you can track every domain logon attempt that failed as a result of a bad password. In addition to providing the username and domain name, the event provides the IP address of the system from which the logon attempt originated. |

With these we can analyze the Windows logs. Take domain controller log analysis as an example: to examine the account logon process and find logons with a valid user name but a wrong password, we need to collect the source IP, time and user name, so we might write the following (statistical functions, grouping and so on can of course be combined with it):

LogParser.exe -i:EVT "SELECT TimeGenerated,EXTRACT_TOKEN(Strings,0,'|') AS USERNAME,EXTRACT_TOKEN(Strings,2,'|') AS SERVICE_NAME,EXTRACT_TOKEN(Strings,5,'|') AS Client_IP FROM 'e:\logparser\xx.evtx' WHERE EventID=675"

The query results are as follows:

If we need the records for one particular IP address, we can write it like this (the output format is NAT by default when -o is omitted):

LogParser.exe -i:EVT "SELECT TimeGenerated,EXTRACT_TOKEN(Strings,0,'|') AS USERNAME,EXTRACT_TOKEN(Strings,2,'|') AS SERVICE_NAME,EXTRACT_TOKEN(Strings,5,'|') AS Client_IP FROM 'e:\logparser\xx.evtx' WHERE EventID=675 AND EXTRACT_TOKEN(Strings,5,'|')='x.x.x.x'"

Or save the query in an SQL file, with the IP address as a parameter (%ip%):

SELECT TimeGenerated,EXTRACT_TOKEN(Strings,0,'|') AS UserName,EXTRACT_TOKEN(Strings,1,'|') AS Domain,EXTRACT_TOKEN(Strings,13,'|') AS SourceIP,EXTRACT_TOKEN(Strings,14,'|') AS SourcePort FROM 'E:\logparser\xx.evtx' WHERE EXTRACT_TOKEN(Strings,13,'|')='%ip%'

It is then called like this when needed, passing the parameter value after the file name:

LogParser.exe file:e:\logparser\ipCheck.sql?ip=X.X.X.X -i:EVT -o:NAT

Query results are as follows:

How's that? Easy, isn't it? Starting from a specific logon event, we can directly locate the abnormal IP address and see its connection activity during the abnormal period.
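To make the token positions and the per-IP statistics concrete without an .evtx file at hand, here is an added example (my own code, not from the original post or from the LogParser project) that re-implements the three queries above in Python over a few constructed events: the EventID 675 query, its per-IP variant, the ipCheck.sql lookup by source address, plus the grouping the text suggests adding. It assumes the Strings layout of a Windows 2003-style security log: for event 675, token 0 is the user name, token 2 the service name and token 5 the client address (the positions the page's query uses); for event 540, token 0 is the user name, token 1 the domain, token 13 the source network address and token 14 the source port (the positions ipCheck.sql uses). The threshold of three failures, the sample IPs, account names and timestamps are all constructed for the example.

```python
"""Added example: LogParser-style EXTRACT_TOKEN queries over constructed
Windows security events, with a per-source-IP failed-logon summary."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    time_generated: str   # same string form LogParser shows for TimeGenerated
    event_id: int
    strings: str          # pipe-delimited insertion strings (the 'Strings' field)


def extract_token(strings: str, index: int, sep: str = "|") -> str:
    """Mirror EXTRACT_TOKEN(Strings, index, sep); empty string if the index is out of range."""
    parts = strings.split(sep)
    return parts[index] if 0 <= index < len(parts) else ""


def make_675(time: str, user: str, client_ip: str, service: str = "krbtgt/CORP") -> Event:
    # Constructed 675 record: user | user id | service | pre-auth type | failure code | client address
    return Event(time, 675, f"{user}|S-1-5-21-0-0-0-1000|{service}|2|24|{client_ip}")


def make_540(time: str, user: str, domain: str, src_ip: str, src_port: str) -> Event:
    # Constructed 540 record with 15 tokens; only tokens 0, 1, 13 and 14 are used by the queries here
    fields = [user, domain, "(0x0,0x3E7)", "3", "Kerberos", "Kerberos", "",
              "{00000000-0000-0000-0000-000000000000}", "-", "-", "-", "-", "-", src_ip, src_port]
    return Event(time, 540, "|".join(fields))


# Constructed sample data: one address fails against four accounts and then logs on as
# the last one; another address has a single typo-style failure followed by a success.
SAMPLE_EVENTS: List[Event] = [
    make_675("2015-07-28 09:00:01", "alice", "10.0.0.5"),
    make_675("2015-07-28 09:00:02", "bob", "10.0.0.5"),
    make_675("2015-07-28 09:00:03", "carol", "10.0.0.5"),
    make_675("2015-07-28 09:00:04", "dave", "10.0.0.5"),
    make_675("2015-07-28 09:00:10", "alice", "10.0.0.9"),
    make_540("2015-07-28 09:00:12", "alice", "CORP", "10.0.0.9", "50111"),
    make_540("2015-07-28 09:00:40", "dave", "CORP", "10.0.0.5", "49211"),
    make_540("2015-07-28 08:30:00", "svc_backup", "CORP", "192.168.1.20", "445"),
]

Row675 = Tuple[str, str, str, str]          # time, user name, service name, client ip
Row540 = Tuple[str, str, str, str, str]     # time, user name, domain, source ip, source port


def failed_preauth(events: List[Event], client_ip: Optional[str] = None) -> List[Row675]:
    """The first two queries: 675 rows, optionally restricted to one client address."""
    rows: List[Row675] = []
    for e in events:
        if e.event_id != 675:
            continue
        ip = extract_token(e.strings, 5)
        if client_ip is not None and ip != client_ip:
            continue
        rows.append((e.time_generated, extract_token(e.strings, 0), extract_token(e.strings, 2), ip))
    return rows


def failures_by_ip(events: List[Event]) -> Counter:
    """GROUP BY client address with COUNT(*): the statistic the text suggests adding."""
    return Counter(row[3] for row in failed_preauth(events))


def logons_from_ip(events: List[Event], ip: str) -> List[Row540]:
    """ipCheck.sql: every record whose token 13 (source network address) equals the parameter.
    Like the SQL, it has no EventID filter; 675 records have no token 13 and simply never match."""
    rows: List[Row540] = []
    for e in events:
        if extract_token(e.strings, 13) != ip:
            continue
        rows.append((e.time_generated, extract_token(e.strings, 0), extract_token(e.strings, 1),
                     ip, extract_token(e.strings, 14)))
    return rows


def suspicious_sources(events: List[Event], threshold: int = 3) -> Dict[str, dict]:
    """Addresses with at least `threshold` pre-auth failures, the distinct accounts they tried,
    and any logon recorded from that address at or after its first failure."""
    report: Dict[str, dict] = {}
    for ip, count in failures_by_ip(events).items():
        if count < threshold:
            continue
        fails = failed_preauth(events, ip)
        first_failure = min(r[0] for r in fails)
        report[ip] = {
            "failures": count,
            "users_tried": sorted({r[1] for r in fails}),
            "later_logons": [r for r in logons_from_ip(events, ip) if r[0] >= first_failure],
        }
    return report


if __name__ == "__main__":
    for ip, info in suspicious_sources(SAMPLE_EVENTS).items():
        print(ip, info)
```

With the sample data, 10.0.0.5 is reported with four failures across four accounts and one subsequent logon as dave, while 10.0.0.9 (a single failure) stays below the threshold. On a real export you would replace SAMPLE_EVENTS with rows produced by the LogParser queries above, for example via the CSV output format.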

We can also choose other output formats for log analysis and statistics. Everything above was done from the command line; for those of you who prefer a graphical interface, there is a choice too: Log Parser Lizard. Log Parser Lizard provides a GUI and is easy to use; you don't need to memorize complicated commands, only set things up and write basic SQL statements to get results intuitively.

Here we select Windows Event Log and enter the query we used just now:

SELECT TimeGenerated,EXTRACT_TOKEN(Strings,0,'|') AS USERNAME,EXTRACT_TOKEN(Strings,2,'|') AS SERVICE_NAME,EXTRACT_TOKEN(Strings,5,'|') AS Client_IP FROM 'e:\logparser\xx.evtx' WHERE EventID=675 AND EXTRACT_TOKEN(Strings,5,'|')='x.x.x.x'

The query results are as follows (and several output formats are available here as well):

The other functions you can try out for yourselves.

0x05 Summary


LogParser can be used to analyze many types of logs. Combined with Log Parser Lizard and its commercial version, you can build many polished, customized reports, statistical charts and so on. As for the remaining functions, I leave them to you to explore.