Golgothus' Lab

Windows Event Logging

```powershell
# One event by its exact creation time (SystemTime in the event XML is UTC)
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\SystemLog.evtx -FilterXPath 'Event/System/TimeCreated[@SystemTime="2019-12-13T08:24:27.5440626"]'
# Successful logons (4624) for one account inside a one-day window
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\SecurityLog.evtx -FilterXPath '*/*/TimeCreated[(@SystemTime>"2020-02-26T00:00:00Z") and (@SystemTime<"2020-02-26T23:59:00Z")] and */*/EventID=4624 and */*/Data[@Name="TargetUserName"]="Eleanor"'
# The same queries with wevtutil (cmd.exe syntax): /c:1 is a separate switch, not part of the /q: XPath; /rd returns newest events first
wevtutil.exe qe /lf "c:\Users\ContosoAdmin\Desktop\SecurityLog.evtx" /q:"*/*/TimeCreated[(@SystemTime>'2020-02-26T00:00:00Z') and (@SystemTime<'2020-02-26T23:59:00Z')]" /c:1
wevtutil.exe qe /lf "c:\Users\ContosoAdmin\Desktop\SecurityLog.evtx" /q:"Event/EventData/Data[@Name='TargetUserName']='Eleanor' and */*/EventID=4624" /c:1 /rd
wevtutil.exe qe /lf "%userprofile%\Desktop\SecurityLog.evtx" /q:"*/*/TimeCreated[(@SystemTime>'2020-02-26T00:00:00Z') and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4624 and */*/Data[@Name='TargetUserName']='Eleanor'"
# MsiInstaller events in a 20-minute window; timestamps must be ISO 8601 (HH:mm:ssZ, no extra ':00' field)
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\ApplicationLog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-11T10:50:00Z' and (@SystemTime<'2020-02-11T11:10:00Z')] and */*/Provider[@Name='MsiInstaller']"
# System log EventID 13 on a single day
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\Systemlog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-03T00:00:00Z' and (@SystemTime<'2020-02-03T23:59:00Z')] and */*/EventID=13"
# System time changes (4616) where the subject domain is NT Authority
Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\Securitylog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-26T00:00:00Z' and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4616 and */*/Data[@Name='SubjectDomainName']='NT Authority'"
# Keep the results in a variable for further filtering in the pipeline
$test = Get-WinEvent -Path C:\Users\ContosoAdmin\Desktop\Securitylog.evtx -FilterXPath "*/*/TimeCreated[@SystemTime>'2020-02-26T00:00:00Z' and (@SystemTime<'2020-02-26T23:59:00Z')] and */*/EventID=4624 and */*/Data[@Name='TargetUserName']='Network Service'"
```
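The one-off queries above all follow the same shape: a UTC time window on `TimeCreated`, an `EventID`, and optionally an `EventData/Data[@Name=...]` value. The function below is an added example (not from the original page) that builds that XPath from parameters, formats the timestamps correctly so the malformed `00:00:00:00Z` stamp cannot creep in, and then reads the `EventData` fields out of each event's XML so 4624 logons can be grouped per account and `LogonType`. `Get-LogonSummary` and its parameters are hypothetical names; the `.evtx` path is the page's own exported log.

```powershell
# Added example, not part of the original page: parameterised XPath filter over an exported .evtx,
# with EventData fields pulled from the event XML. Get-LogonSummary is a hypothetical name.
function Get-LogonSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [datetime] $Start,
        [Parameter(Mandatory)] [datetime] $End,
        [string] $TargetUserName,
        [int]    $EventId = 4624
    )

    # SystemTime in the event XML is UTC, so convert and emit ISO 8601 ('2020-02-26T00:00:00.000Z').
    # A hand-typed stamp such as '2020-02-26T00:00:00:00Z' makes Get-WinEvent reject the whole query.
    $fmt  = 'yyyy-MM-ddTHH:mm:ss.fffZ'
    $from = $Start.ToUniversalTime().ToString($fmt)
    $to   = $End.ToUniversalTime().ToString($fmt)

    $xpath = "*/System/TimeCreated[@SystemTime>='$from' and @SystemTime<='$to'] and */System/EventID=$EventId"
    if ($TargetUserName) {
        $xpath += " and */EventData/Data[@Name='TargetUserName']='$TargetUserName'"
    }
    Write-Verbose "XPath: $xpath"

    # Get-WinEvent raises a non-terminating error when nothing matches; treat that as an empty result.
    $events = Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Properties[] positions differ between event versions; reading Data by Name is stable.
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            TimeCreated    = $ev.TimeCreated
            TargetUserName = $data['TargetUserName']
            LogonType      = $data['LogonType']
            IpAddress      = $data['IpAddress']
            LogonProcess   = $data['LogonProcessName']
        }
    }
}

# Usage: the page's "Eleanor on 2020-02-26" question, grouped by logon type
Get-LogonSummary -Path C:\Users\ContosoAdmin\Desktop\SecurityLog.evtx `
    -Start '2020-02-26T00:00:00Z' -End '2020-02-26T23:59:00Z' -TargetUserName Eleanor |
    Group-Object TargetUserName, LogonType |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

Grouping by `LogonType` is the useful step for triage: interactive (2), network (3) and RemoteInteractive (10) logons for the same account tell very different stories, and the raw `-FilterXPath` one-liners above return them all mixed together. Run with `-Verbose` to see the generated XPath, which is handy when porting a filter back to `wevtutil /q:`.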