大柚子


Preface

This post focuses on using LogParser to collect specific fields from Windows logs and on the query syntax for doing so; for the detailed meaning of the fields see http://dayouzi.xyz/logparser%e7%9a%84%e4%bd%bf%e7%94%a8%e6%8a%80%e5%b7%a7/

Note: for readability, the commands in this post have been broken across lines. Run them in PowerShell, not in cmd.

Event log service restart and log clearing

Event log service restart

Event ID 7031 (System.evtx)
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 0, '|') AS 服务名
	, EXTRACT_TOKEN(Strings, 4, '|') AS 动作
	, Message AS 描述
FROM System.evtx
WHERE eventid = 7031
	AND 服务名 = 'Windows Event Log'
"

Log clearing

Security log cleared (Security.evtx, Event ID 1102)
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, Message AS 描述
FROM Security.evtx
WHERE eventid = 1102
"
Other logs cleared (System.evtx, Event ID 104)
LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 0, '|') AS 用户
	, Message AS 描述
FROM System.evtx
WHERE eventid = 104
"

RDP port

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

LogParser.exe -i:reg -o:datagrid "
SELECT LastWriteTime AS 最后写入时间, Value AS 远程端口
FROM 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
WHERE ValueName LIKE 'PortNumber'
"

Records of this host being logged into remotely

security.evtx

Event ID 4625 (logon failure)
LogParser -i:EVT -o:DATAGRID "
SELECT TimeGenerated AS 登录时间, EXTRACT_TOKEN(Strings, 5, '|') AS 用户名
	, EXTRACT_TOKEN(Strings, 13, '|') AS 计算机名
	, EXTRACT_TOKEN(Strings, 10, '|') AS 登录类型
	, EXTRACT_TOKEN(Strings, 19, '|') AS 源IP
	, EXTRACT_TOKEN(Strings, 17, '|') AS 请求进程ID
	, EXTRACT_TOKEN(Strings, 18, '|') AS 请求进程名
FROM yours.evtx
WHERE eventid = 4625
	AND 用户名 NOT LIKE '%$'
"
Event ID 4624 (logon success)
LogParser -i:EVT -o:DATAGRID "
SELECT TimeGenerated AS 登录时间, EXTRACT_TOKEN(Strings, 5, '|') AS 用户名
	, EXTRACT_TOKEN(Strings, 11, '|') AS 计算机名
	, EXTRACT_TOKEN(Strings, 8, '|') AS 登录类型
	, EXTRACT_TOKEN(Strings, 18, '|') AS 登录源IP
	, EXTRACT_TOKEN(Strings, 16, '|') AS 请求进程ID
	, EXTRACT_TOKEN(Strings, 17, '|') AS 请求进程名
FROM yours.evtx
WHERE eventid = 4624
	AND 用户名 NOT LIKE '%$'
"
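The two queries above return one row per logon attempt, which is fine for browsing in the datagrid but not for spotting a pattern. The following PowerShell script is an added example, not part of the original post: it runs the same 4625 and 4624 field extractions through LogParser's CSV output, groups failures by source IP, and for every IP over a threshold reports the failure window together with the first successful logon from that IP after the failures began. It assumes LogParser.exe is on PATH, that the exported log is Security.evtx in the current directory, and the threshold of 10 is an arbitrary starting value; the English aliases replace the Chinese ones only so that the CSV survives the console code page.

```powershell
# Added example (not from the original post): summarise 4625/4624 by source IP.
# Assumes LogParser.exe is on PATH and Security.evtx is in the current directory.
param(
    [string]$Evtx = 'Security.evtx',   # exported Security log (assumed path)
    [int]$Threshold = 10               # failures from one IP that trigger a report (assumed value)
)

function Invoke-LogParserQuery([string]$Query) {
    # -o:CSV streams rows to stdout and -q:ON suppresses the statistics footer,
    # so the output can be parsed directly; whitespace is collapsed so the
    # multi-line query is passed to the exe as a single argument.
    & LogParser.exe -i:EVT -o:CSV -q:ON ($Query -replace '\s+', ' ') | ConvertFrom-Csv
}

# Same Strings positions as the 4625 query above (5 = user, 10 = logon type, 19 = source IP).
$failed = Invoke-LogParserQuery (@'
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 5, '|') AS User,
       EXTRACT_TOKEN(Strings, 10, '|') AS LogonType,
       EXTRACT_TOKEN(Strings, 19, '|') AS SourceIp
FROM '{0}'
WHERE EventID = 4625 AND EXTRACT_TOKEN(Strings, 5, '|') NOT LIKE '%$'
'@ -f $Evtx)

# Same Strings positions as the 4624 query above (5 = user, 8 = logon type, 18 = source IP).
$succeeded = Invoke-LogParserQuery (@'
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 5, '|') AS User,
       EXTRACT_TOKEN(Strings, 8, '|') AS LogonType,
       EXTRACT_TOKEN(Strings, 18, '|') AS SourceIp
FROM '{0}'
WHERE EventID = 4624 AND EXTRACT_TOKEN(Strings, 5, '|') NOT LIKE '%$'
'@ -f $Evtx)

# '-' is what 4625 records when there is no network source address; skip it.
$suspects = $failed | Where-Object { $_.SourceIp -ne '-' } |
    Group-Object SourceIp | Where-Object { $_.Count -ge $Threshold }

foreach ($g in $suspects) {
    $times = @($g.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
    $first = $times[0]
    $last  = $times[-1]
    # First successful logon from the same IP after the failures began:
    # many failures followed by a success is the pattern worth escalating.
    $win = $succeeded |
        Where-Object { $_.SourceIp -eq $g.Name -and [datetime]$_.Time -ge $first } |
        Sort-Object { [datetime]$_.Time } | Select-Object -First 1
    $successAfter = ''
    if ($win) { $successAfter = '{0} as {1}' -f $win.Time, $win.User }
    [pscustomobject]@{
        SourceIp      = $g.Name
        Failures      = $g.Count
        DistinctUsers = @($g.Group | ForEach-Object { $_.User } | Sort-Object -Unique).Count
        LogonTypes    = (@($g.Group | ForEach-Object { $_.LogonType } | Sort-Object -Unique) -join ',')
        FirstFailure  = $first
        LastFailure   = $last
        SuccessAfter  = $successAfter
    }
}
```

A high DistinctUsers count with few attempts per user points at password spraying rather than a brute force against one account; LogonTypes tells you whether the attempts came over RDP (10), the network (3) or a cached/unlock path (7), which decides which of the other logs in this post to pull next.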

Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

Event ID 21 (session logon)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS 登录时间, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 登录用户名
	, EXTRACT_TOKEN(Strings, 2, '|') AS 登录源
FROM your.evtx
WHERE EventID = 21
"
Event ID 22 (shell start)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS 登录时间, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 登录用户名
	, EXTRACT_TOKEN(Strings, 2, '|') AS 登录源
FROM your.evtx
WHERE EventID = 22
"

Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Event ID 1149 (logon record)
logparser -i:evt -o:datagrid "
SELECT TimeGenerated AS 登录时间, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 登录用户名
	, EXTRACT_TOKEN(Strings, 2, '|') AS 登录源
FROM your.evtx
WHERE EventID = 1149
"

Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx

This log provides some additional events (131, 140 and others) that record the source IP of RDP connections, but its default maximum size is 1 MB, so it retains limited history; increase the log size manually if needed.

LogParser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 1, '|') AS 登录源
FROM 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS%4Operational.evtx'
WHERE eventid = 131
"

Records of this host logging into other hosts remotely

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\servers

Outbound remote logon records are obtained by querying the registry.

Query the IP, time and username of those logons

LogParser.exe -i:reg -o:datagrid "
SELECT LastWriteTime AS 最后登录时间, KeyName AS 远程IP, Value AS 用户名
FROM 'HKEY_CURRENT_USER\SOFTWARE\Microsoft\Terminal Server Client\Servers'
"

PowerShell execution records

Windows PowerShell.evtx

In the PowerShell log, running one PowerShell command produces 6 entries: 2 engine lifecycle entries (EventID 400 started; EventID 403 stopped) and 6 provider lifecycle entries (EventID 600: the start of the Registry, Alias, Environment, FileSystem, Function and Variable providers).

Event ID 400
# Event 400 writes its details as "HostApplication=" / "EngineVersion=" with no spaces,
# unlike the "Host Application = " text of event 4103, so the separators differ here.
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间
	, EXTRACT_TOKEN(EXTRACT_TOKEN(Strings, 1, 'HostApplication='), 0, 'EngineVersion=') AS 数据
FROM your.evtx
WHERE eventid = 400
"

Tabular output is not used here because it has a field-length limit.

The value to focus on is HostApplication.

Microsoft-Windows-PowerShell%4Operational.evtx

Event ID 4103 (Executing Pipeline)
logparser.exe -i:evt "
SELECT TimeGenerated AS 时间, ComputerName AS 计算机名, Sid
	, EXTRACT_TOKEN(EXTRACT_TOKEN(Strings, 1, 'Host Application = '), 0, 'Engine Version') AS 数据
FROM winpowershell.evtx
WHERE eventid = 4103
"

Process start and exit records

Note: this requires enabling an audit policy: secpol.msc, then Local Security Policy, Local Policies, Audit Policy, Audit process tracking.

Security.evtx Event ID 4688 (process start)

LogParser.exe -i:EVT "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 1, '|') AS 用户名
 , EXTRACT_TOKEN(Strings, 4, '|') AS 进程pid
 , EXTRACT_TOKEN(Strings, 5, '|') AS 进程名
 , EXTRACT_TOKEN(Strings, 7, '|') AS 父进程ppid
 , EXTRACT_TOKEN(Strings, 13, '|') AS 父进程名
 , EXTRACT_TOKEN(Strings, 8, '|') AS 命令行
FROM Security.evtx
WHERE EventID = 4688
"

Security.evtx Event ID 4689 (process exit)

LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 1, '|') AS 用户名
	, EXTRACT_TOKEN(Strings, 5, '|') AS 进程id
	, EXTRACT_TOKEN(Strings, 6, '|') AS 进程名
	, EXTRACT_TOKEN(Strings, 4, '|') AS 状态
FROM Security.evtx
WHERE eventid = 4689
"
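The 4688 query above already pulls the new process ID and the creator (parent) process ID, which is everything needed to rebuild process lineage. The following PowerShell script is an added example, not part of the original post: it runs the same 4688 extraction through LogParser's CSV output, walks the events in time order so that each process is linked to the most recent creation event for its parent PID (PIDs are reused, so a plain join on PID would pick the wrong parent), and then lists lineages from rarest to most common. It assumes LogParser.exe is on PATH and Security.evtx in the current directory; the depth limit of 8 is an arbitrary guard.

```powershell
# Added example (not from the original post): rebuild process lineage from 4688.
# Assumes LogParser.exe is on PATH and Security.evtx is in the current directory.
param([string]$Evtx = 'Security.evtx')   # exported Security log (assumed path)

function Invoke-LogParserQuery([string]$Query) {
    # CSV to stdout, no statistics footer, query collapsed to one argument.
    & LogParser.exe -i:EVT -o:CSV -q:ON ($Query -replace '\s+', ' ') | ConvertFrom-Csv
}

# Same Strings positions as the 4688 query above; English aliases for the CSV round trip.
$procs = Invoke-LogParserQuery (@'
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 1, '|') AS User,
       EXTRACT_TOKEN(Strings, 4, '|') AS ProcId, EXTRACT_TOKEN(Strings, 5, '|') AS Image,
       EXTRACT_TOKEN(Strings, 7, '|') AS ParentProcId, EXTRACT_TOKEN(Strings, 13, '|') AS ParentImage,
       EXTRACT_TOKEN(Strings, 8, '|') AS CommandLine
FROM '{0}'
WHERE EventID = 4688
'@ -f $Evtx)

# A process's parent is the latest 4688 for ParentProcId that occurred before the
# child; walking in time order and keeping the latest record per PID gives that.
$latestByPid = @{}
$withAncestry = foreach ($p in ($procs | Sort-Object { [datetime]$_.Time })) {
    $parent = $latestByPid[$p.ParentProcId]
    $chain = New-Object System.Collections.Generic.List[string]
    $chain.Add($p.Image)
    $cur = $parent
    $depth = 0
    while ($cur -and $depth -lt 8) {
        $chain.Insert(0, $cur.Image)
        $cur = $cur.Parent
        $depth++
    }
    if (-not $parent -and $p.ParentImage) {
        # The parent started before this log begins; fall back to the
        # Creator Process Name field, which newer Windows versions record.
        $chain.Insert(0, $p.ParentImage)
    }
    $p | Add-Member -NotePropertyName Parent -NotePropertyValue $parent
    $p | Add-Member -NotePropertyName Ancestry -NotePropertyValue ($chain -join ' > ')
    $latestByPid[$p.ProcId] = $p
    $p
}

# Rare lineages are the ones to read first; the common ones are the baseline.
$withAncestry | Group-Object Ancestry | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize -Wrap

# Full detail (user, command line) for lineages seen at most twice.
$withAncestry | Group-Object Ancestry | Where-Object { $_.Count -le 2 } |
    ForEach-Object { $_.Group } |
    Select-Object Time, User, Ancestry, CommandLine | Format-List
```

The CommandLine column is only populated when "Include command line in process creation events" is enabled in addition to the audit policy named above; without it the lineage still works, but the detail listing loses its most useful field.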

Network connections (Security.evtx Event ID 5156)

Note: this requires enabling an audit policy: secpol.msc, then Local Security Policy, Local Policies, Audit Policy, Audit object access.

Inbound (outside-to-inside) connection requests

# Direction code %%14592 = Inbound, %%14593 = Outbound
LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 1, '|') AS 应用程序名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 进程id
	, EXTRACT_TOKEN(Strings, 2, '|') AS 方向
	, EXTRACT_TOKEN(Strings, 3, '|') AS 源IP
	, EXTRACT_TOKEN(Strings, 4, '|') AS 源端口
	, EXTRACT_TOKEN(Strings, 5, '|') AS 目的IP
	, EXTRACT_TOKEN(Strings, 6, '|') AS 目的端口
	, EXTRACT_TOKEN(Strings, 7, '|') AS 协议号
FROM Security.evtx
WHERE eventid = 5156
	AND 方向 = '%%14592'
"

Outbound (inside-to-outside) connection requests

# Direction code %%14593 = Outbound, %%14592 = Inbound
LogParser.exe -i:EVT -o:datagrid "
SELECT TimeGenerated AS 时间, EXTRACT_TOKEN(Strings, 1, '|') AS 应用程序名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 进程id
	, EXTRACT_TOKEN(Strings, 2, '|') AS 方向
	, EXTRACT_TOKEN(Strings, 3, '|') AS 源IP
	, EXTRACT_TOKEN(Strings, 4, '|') AS 源端口
	, EXTRACT_TOKEN(Strings, 5, '|') AS 目的IP
	, EXTRACT_TOKEN(Strings, 6, '|') AS 目的端口
	, EXTRACT_TOKEN(Strings, 7, '|') AS 协议号
FROM Security.evtx
WHERE eventid = 5156
	AND 方向 = '%%14593'
"
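Both 5156 queries above return raw direction codes and IANA protocol numbers, one row per permitted connection. The following PowerShell script is an added example, not part of the original post: it fetches the same fields for both directions in one LogParser CSV run, decodes the direction and protocol values, and produces two views a responder usually wants first: which processes made outbound connections to non-private addresses (and to how many distinct hosts and ports), and which process/port pairs accepted inbound connections, i.e. the host's actual exposed surface. It assumes LogParser.exe is on PATH and Security.evtx in the current directory; the private-range test is a helper written for this example.

```powershell
# Added example (not from the original post): summarise 5156 by direction and process.
# Assumes LogParser.exe is on PATH and Security.evtx is in the current directory.
param([string]$Evtx = 'Security.evtx')   # exported Security log (assumed path)

function Invoke-LogParserQuery([string]$Query) {
    # CSV to stdout, no statistics footer, query collapsed to one argument.
    & LogParser.exe -i:EVT -o:CSV -q:ON ($Query -replace '\s+', ' ') | ConvertFrom-Csv
}

function Test-PrivateIPv4([string]$Address) {
    # RFC 1918, loopback and link-local; IPv6 and unparsable values count as non-private.
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $false }
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $ip.GetAddressBytes()
    return ($b[0] -eq 10) -or ($b[0] -eq 127) -or ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or ($b[0] -eq 192 -and $b[1] -eq 168)
}

# Same Strings positions as the two 5156 queries above, both directions at once.
$conns = Invoke-LogParserQuery (@'
SELECT TimeGenerated AS Time, EXTRACT_TOKEN(Strings, 0, '|') AS ProcId,
       EXTRACT_TOKEN(Strings, 1, '|') AS Application,
       EXTRACT_TOKEN(Strings, 2, '|') AS Direction,
       EXTRACT_TOKEN(Strings, 3, '|') AS SourceIp, EXTRACT_TOKEN(Strings, 4, '|') AS SourcePort,
       EXTRACT_TOKEN(Strings, 5, '|') AS DestIp,   EXTRACT_TOKEN(Strings, 6, '|') AS DestPort,
       EXTRACT_TOKEN(Strings, 7, '|') AS Protocol
FROM '{0}'
WHERE EventID = 5156
'@ -f $Evtx)

# Decode the direction codes used in the queries above and the common protocol numbers.
$directionNames = @{ '%%14592' = 'Inbound'; '%%14593' = 'Outbound' }
$protocolNames  = @{ '1' = 'ICMP'; '6' = 'TCP'; '17' = 'UDP'; '58' = 'ICMPv6' }
foreach ($c in $conns) {
    $proto = $c.Protocol
    if ($protocolNames.ContainsKey($proto)) { $proto = $protocolNames[$proto] }
    $c | Add-Member -NotePropertyName DirectionName -NotePropertyValue $directionNames[$c.Direction]
    $c | Add-Member -NotePropertyName ProtocolName  -NotePropertyValue $proto
}

# Outbound connections to non-private addresses, per process: a process talking to
# many distinct external hosts or unusual ports stands out against the baseline.
$conns | Where-Object { $_.DirectionName -eq 'Outbound' -and -not (Test-PrivateIPv4 $_.DestIp) } |
    Group-Object Application | ForEach-Object {
        $t = @($_.Group | ForEach-Object { [datetime]$_.Time } | Sort-Object)
        [pscustomobject]@{
            Application   = $_.Name
            Connections   = $_.Count
            DistinctHosts = @($_.Group | ForEach-Object { $_.DestIp } | Sort-Object -Unique).Count
            Ports         = (@($_.Group | ForEach-Object { $_.ProtocolName + '/' + $_.DestPort } | Sort-Object -Unique) -join ' ')
            First         = $t[0]
            Last          = $t[-1]
        }
    } | Sort-Object DistinctHosts -Descending | Format-Table -AutoSize

# Inbound connections that were permitted, per listening process and port: the
# exposed surface of the host, to compare with what is expected to be listening.
$conns | Where-Object { $_.DirectionName -eq 'Inbound' } |
    Group-Object { $_.Application + ' ' + $_.ProtocolName + '/' + $_.DestPort } |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize
```

The Application field holds a device path (\device\harddiskvolumeN\...), not a drive letter, so compare it as a string rather than with Test-Path; and since 5156 only records permitted connections, a quiet outbound table means the audit subcategory was off, not that nothing connected.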

Remote logons to applications

This section analyses Application.evtx, with queries specific to each application.

MSSQL remote logon

Event ID 18456 (logon failed)
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, SourceName AS 来源, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 登录名
	, EXTRACT_TOKEN(Strings, 1, '|') AS 原因
	, EXTRACT_TOKEN(Strings, 2, '|') AS 源IP
FROM Application.evtx
WHERE EventID = 18456
"
Event ID 18454 (logon succeeded)
logparser.exe -i:evt -o:datagrid "
SELECT TimeGenerated AS 时间, SourceName AS 来源, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 登录名
	, EXTRACT_TOKEN(Strings, 1, '|') AS 原因
	, EXTRACT_TOKEN(Strings, 2, '|') AS 源IP
FROM Application.evtx
WHERE EventID = 18454
"
Event ID 15457 (xp_cmdshell enablement)

A status of 1 means enabled.

.\logparser.exe -i:evt -o:datagrid  "
SELECT TimeGenerated AS 时间, SourceName AS 来源, ComputerName AS 计算机名
	, EXTRACT_TOKEN(Strings, 0, '|') AS 方法
	, EXTRACT_TOKEN(Strings, 1, '|') AS 状态1
	, EXTRACT_TOKEN(Strings, 2, '|') AS 状态2
FROM Application.evtx
WHERE EventID = 15457
	AND 方法 = 'xp_cmdshell'
"
