WEBVTT

0:00:03.640000 --> 0:00:09.680000
 Exporting Windows Event Logs with
 the Windows Event Utility.

0:00:09.680000 --> 0:00:16.420000
 So welcome everyone in this video as
 well as the next subsequent videos.

0:00:16.420000 --> 0:00:24.000000
 We are going to be taking a look at the
 complete Windows Event Log Analysis

0:00:24.000000 --> 0:00:29.980000
 Lifecycle or Process, beginning
 with acquisition or collection.

0:00:29.980000 --> 0:00:32.520000
 And again, we are not using a SIEM.

0:00:32.520000 --> 0:00:36.680000
 We are going to be working under the
 assumption that you are performing

0:00:36.680000 --> 0:00:41.940000
 on-host analysis directly
 on the endpoint.

0:00:41.940000 --> 0:00:47.340000
 And in this case, this is going to be specific
 to Windows Event Log Analysis.

0:00:47.340000 --> 0:00:54.060000
 So the objective is going to be to walk
 you through the process of collecting

0:00:54.060000 --> 0:00:59.420000
 or, indeed, exporting Windows
 Event Logs from an endpoint.

0:00:59.420000 --> 0:01:04.020000
 So we are going to be taking a look
 at the inbuilt Windows Event Utility

0:01:04.020000 --> 0:01:06.620000
 to do that for us.

0:01:06.620000 --> 0:01:13.780000
 And then in the next set of videos, we
 are going to be building onto that

0:01:13.780000 --> 0:01:17.020000
 by taking a look at parsing
 what we have collected.

0:01:17.020000 --> 0:01:20.920000
 In terms of the Windows Event Logs.

0:01:20.920000 --> 0:01:28.720000
 And after that, we will take a look at
 utilizing a log exploration utility

0:01:28.720000 --> 0:01:39.280000
 that can be used in many ways, but specifically
 for timeline construction.

0:01:39.280000 --> 0:01:45.640000
 We will also be taking a look at analyzing
 Windows Event Logs that we

0:01:45.640000 --> 0:01:52.140000
 have collected and parsed with a tool
 like Chainsaw and combining that

0:01:52.140000 --> 0:01:58.260000
 with Sigma to give us even better visibility
 as to the suspicious or malicious

0:01:58.260000 --> 0:02:03.680000
 events that we need to be taking
 or paying close attention to.

0:02:03.680000 --> 0:02:08.200000
 In any case, the reason I mentioned this
 is because in order to demonstrate

0:02:08.200000 --> 0:02:13.120000
 all of these steps, all of these phases,
 we are going to be making use

0:02:13.120000 --> 0:02:16.620000
 or leveraging one particular lab.

0:02:16.620000 --> 0:02:21.940000
 Now, that lab will be placed at the
 end of the videos associated with

0:02:21.940000 --> 0:02:29.220000
 said lab. So the easy way to find it
 is given that this is going to be

0:02:29.220000 --> 0:02:33.400000
 the last video with regards
 to Windows log analysis.

0:02:33.400000 --> 0:02:38.100000
 It's going to be under all videos associated
 with this lifecycle that

0:02:38.100000 --> 0:02:40.000000
 I just mentioned.

0:02:40.000000 --> 0:02:47.260000
 So the name of the lab will be Windows
 Event Log Analysis and it pretty

0:02:47.260000 --> 0:02:56.160000
 much encapsulates or contains all of
 the or will be used to demonstrate

0:02:56.160000 --> 0:03:00.720000
 all of these phases that I've just
 mentioned beginning with this one.

0:03:00.720000 --> 0:03:04.920000
 So just to give you a bit of a background
 as to how the lab is set up

0:03:04.920000 --> 0:03:10.580000
 when you start it up, you'll be provided
 with access to a Windows system.

0:03:10.580000 --> 0:03:14.340000
 And this is the endpoint that we're going
 to be analyzing for the purposes

0:03:14.340000 --> 0:03:17.920000
 of contextualizing this.

0:03:17.920000 --> 0:03:24.460000
 This particular system, what I did
 or what our job is to do is or what

0:03:24.460000 --> 0:03:28.520000
 our job entails is to again perform
 endpoint analysis on it.

0:03:28.520000 --> 0:03:35.440000
 So there is some malicious activity that
 was reported in relation to this

0:03:35.440000 --> 0:03:41.180000
 specific system and we've been told
 to perform to validate it, which we

0:03:41.180000 --> 0:03:43.760000
 did. And now we're performing
 the endpoint analysis.

0:03:43.760000 --> 0:03:46.880000
 So it has all the tools you require
 to perform the analysis.

0:03:46.880000 --> 0:03:50.700000
 Of course, in the real world or in
 the field, you'd probably be doing

0:03:50.700000 --> 0:03:52.520000
 this on your own analyst system.

0:03:52.520000 --> 0:03:56.140000
 So you'd be collecting or exporting the
 Windows event logs and then transferring

0:03:56.140000 --> 0:03:58.340000
 them to your analyst system.

0:03:58.340000 --> 0:04:01.460000
 But in this case, we're just going
 to be doing it on the host.

0:04:01.460000 --> 0:04:07.220000
 That may not be that realistic, but
 again, we're focusing really on the

0:04:07.220000 --> 0:04:10.940000
 tools, the technology and the
 techniques here for doing.

0:04:10.940000 --> 0:04:16.020000
 So in any case, I'm going to start
 off my lab and I'll see you in the

0:04:16.020000 --> 0:04:18.740000
 lab in a couple of seconds.

0:04:18.740000 --> 0:04:23.620000
 All right, so I'm currently
 within the lab environment.

0:04:23.620000 --> 0:04:26.980000
 One thing to keep in mind is on the desktop,
 there's going to be two folders

0:04:26.980000 --> 0:04:29.340000
 that I've created for you.

0:04:29.340000 --> 0:04:30.980000
 The first is called tools.

0:04:30.980000 --> 0:04:36.800000
 This contains all of the tools that we'll
 be using to perform our collection

0:04:36.800000 --> 0:04:40.640000
 triage and analysis of Windows
 event logs on this system.

0:04:40.640000 --> 0:04:45.160000
 And you don't need to worry about what
 all of them are or the purpose

0:04:45.160000 --> 0:04:48.200000
 that they will serve, at least for now.

0:04:48.200000 --> 0:04:52.320000
 And that's why I wanted to break
 this down into individual videos.

0:04:52.320000 --> 0:04:56.960000
 So it's not to confuse you, but
 then we have an exports folder.

0:04:56.960000 --> 0:05:01.900000
 This is the folder I created for you
 to export your logs to that you're

0:05:01.900000 --> 0:05:05.320000
 collecting as well as the parsing
 that you'll be performing.

0:05:05.320000 --> 0:05:09.540000
 Now, when you open it up, you'll
 find an initial exports folder.

0:05:09.540000 --> 0:05:13.440000
 This was a folder that I created
 for my initial export.

0:05:13.440000 --> 0:05:18.180000
 I just did this to verify that
 everything is as it should be.

0:05:18.180000 --> 0:05:21.860000
 You can go ahead and use this if you
 don't want to go through the export

0:05:21.860000 --> 0:05:29.660000
 process. But it's just there
 as a diagnostic tool for me.

0:05:29.660000 --> 0:05:31.260000
 So just keep that in mind.

0:05:31.260000 --> 0:05:33.120000
 I just wanted to point that out.

0:05:33.120000 --> 0:05:34.300000
 So let's get started.

0:05:34.300000 --> 0:05:40.460000
 So as I said, this system
 is the system of interest.

0:05:40.460000 --> 0:05:44.240000
 And it was reported to us that there's
 some malicious activity going on

0:05:44.240000 --> 0:05:47.540000
 or was detected with regards
 to this system.

0:05:47.540000 --> 0:05:49.940000
 And we don't know the full extent
 of what we're dealing with.

0:05:49.940000 --> 0:05:53.300000
 So we're now going to play the role
 of incident responder, specifically

0:05:53.300000 --> 0:06:04.420000
 performing endpoint analysis, even more
 specific than that, which is the

0:06:04.420000 --> 0:06:10.100000
 way we can do it on Windows, which is
 in the focus of this video, is through

0:06:10.100000 --> 0:06:12.900000
 the Windows event utility.

0:06:12.900000 --> 0:06:16.280000
 So let me see. Why can't
 I make that larger?

0:06:16.280000 --> 0:06:22.900000
 In fact, I will let me just resize this
 like so so we can see what's going

0:06:22.900000 --> 0:06:24.440000
 on just a second.

0:06:24.440000 --> 0:06:29.800000
 All right. So I've just resized that
 there and increased the font size.

0:06:29.800000 --> 0:06:34.420000
 So we're going to be using the Windows
 event utility to, you know, pretty

0:06:34.420000 --> 0:06:40.480000
 much extract and save the Windows event
 logs that we are interested in.

0:06:40.480000 --> 0:06:47.540000
 So what we're doing pretty much is just
 exporting or saving the EVTX files.

0:06:47.540000 --> 0:06:54.000000
 So the way we can do it is I'll just navigate
 over into my onto the desktop

0:06:54.000000 --> 0:07:00.340000
 here. The way we can do it is by simply
 typing in Windows event utility.

0:07:00.340000 --> 0:07:04.420000
 So you hit enter and that'll give you
 an idea as to, you know, provide

0:07:04.420000 --> 0:07:11.100000
 you with more information regarding the
 tool itself, as well as the various

0:07:11.100000 --> 0:07:14.920000
 options that you can use
 when running the tool.

0:07:14.920000 --> 0:07:22.460000
 So you can use, for example, you know,
 wevtutil.exe el

0:07:22.460000 --> 0:07:24.180000
 to list all the logs.

0:07:24.180000 --> 0:07:29.260000
 You can see they're all the sources
 and channels right over there, but

0:07:29.260000 --> 0:07:31.680000
 we're interested in the key one.

0:07:31.680000 --> 0:07:38.000000
 So in my case, what I usually like
 doing to begin with is getting the

0:07:38.000000 --> 0:07:41.920000
 security and Sysmon logs.

0:07:41.920000 --> 0:07:44.920000
 And, you know, we talked
 about Sysmon previously.

0:07:44.920000 --> 0:07:47.760000
 This system has Sysmon
 configured already.

0:07:47.760000 --> 0:07:54.040000
 So we say wevtutil epl
 to extract or export the logs.

0:07:54.040000 --> 0:08:01.200000
 And then we specify the actual
 log that we want to extract.

0:08:01.200000 --> 0:08:07.300000
 Or as I should say, the channel
 that we want to extract.

0:08:07.300000 --> 0:08:13.400000
 And from this point, we then need to
 specify the target directory or where

0:08:13.400000 --> 0:08:14.980000
 we want to save this.

0:08:14.980000 --> 0:08:21.760000
 So in my case, I'll just use the same
 exports folder that we had used

0:08:21.760000 --> 0:08:27.540000
 previously. So, you know, I'll just say
 right over here, so I'll encapsulate

0:08:27.540000 --> 0:08:31.900000
 that and I'll say C users.

0:08:31.900000 --> 0:08:34.720000
 In this case, sorry, my bad.

0:08:34.720000 --> 0:08:36.100000
 That is backslash.

0:08:36.100000 --> 0:08:42.540000
 So users administrator, that's the
 name of the user on this system and

0:08:42.540000 --> 0:08:48.960000
 then desktop. And then I believe the
 name of the folder was exports.

0:08:48.960000 --> 0:08:52.020000
 So we just want to save
 it on the exports.

0:08:52.020000 --> 0:08:54.660000
 So I'll just say exports like so.

0:08:54.660000 --> 0:08:58.980000
 And we want to save it
 as security dot evtx.

0:08:58.980000 --> 0:09:01.060000
 Okay, very nice, very simple.

0:09:01.060000 --> 0:09:02.240000
 Let's close that up.

0:09:02.240000 --> 0:09:04.500000
 We hit enter and it's done.

0:09:04.500000 --> 0:09:08.560000
 The next channel is going to be.

0:09:08.560000 --> 0:09:12.640000
 Let's do Sysmon.

0:09:12.640000 --> 0:09:14.700000
 So here we need to specify the path.

0:09:14.700000 --> 0:09:18.640000
 So Microsoft, I already mentioned
 this in one of the earlier videos.

0:09:18.640000 --> 0:09:22.180000
 In this section, so Microsoft
 Windows Sysmon.

0:09:22.180000 --> 0:09:26.420000
 That's why I went through it because of,
 you know, this is where you actually

0:09:26.420000 --> 0:09:29.280000
 see the importance of
 the theoretical stuff.

0:09:29.280000 --> 0:09:32.440000
 So not operations operational.

0:09:32.440000 --> 0:09:37.800000
 And we want to save it
 as Sysmon.evtx, right?

0:09:37.800000 --> 0:09:39.780000
 That makes the most sense here.

0:09:39.780000 --> 0:09:43.580000
 So we'll say Sysmon.evtx.

0:09:43.580000 --> 0:09:46.440000
 And we hit enter.

0:09:46.440000 --> 0:09:47.700000
 Okay, there we go.

0:09:47.700000 --> 0:09:53.060000
 So now if we take a look at our exports
 folder, this is what you'd copy

0:09:53.060000 --> 0:09:57.580000
 to your analyst system to, you know,
 parse, analyze, whatever you want to

0:09:57.580000 --> 0:10:02.360000
 do with it. And that's really what
 I wanted to showcase to begin with.

0:10:02.360000 --> 0:10:06.320000
 Now, one more thing to,
 you know, before we.

0:10:06.320000 --> 0:10:11.920000
 Let me open up the event view here
 before we actually conclude.

0:10:11.920000 --> 0:10:15.140000
 That's really weird event viewer.

0:10:15.140000 --> 0:10:22.260000
 That's strange. And just open up
 the event viewer right over here.

0:10:22.260000 --> 0:10:28.200000
 So you can also go about exporting
 logs, you know, manually using the

0:10:28.200000 --> 0:10:33.000000
 event viewer. So if you click on security
 here, for example, and, you

0:10:33.000000 --> 0:10:38.640000
 know, you just give it a right click
 like so, you can then go ahead and,

0:10:38.640000 --> 0:10:42.480000
 yeah, actually, this should be okay.

0:10:42.480000 --> 0:10:45.760000
 You can, I don't think you can
 actually export all of them.

0:10:45.760000 --> 0:10:49.740000
 You can click on a particular one and
 you can save the selected events.

0:10:49.740000 --> 0:10:56.360000
 So you can go ahead and highlight
 all, I believe, one second.

0:10:56.360000 --> 0:11:03.100000
 Let's see that actually should allow us.

0:11:03.100000 --> 0:11:03.760000
 Yeah, there we are.

0:11:03.760000 --> 0:11:06.720000
 Save all events as, and then
 you can save it as an EVTX.

0:11:06.720000 --> 0:11:08.240000
 So nothing too complicated.

0:11:08.240000 --> 0:11:10.960000
 You can also save it as an XML.

0:11:10.960000 --> 0:11:17.460000
 A tab delimited text file or comma separated,
 you know, file over here.

0:11:17.460000 --> 0:11:24.160000
 So CSV as well. But I personally like
 utilizing the Windows event utility.

0:11:24.160000 --> 0:11:27.600000
 And there's many more things
 that you can do.

0:11:27.600000 --> 0:11:30.760000
 But with that being said, that brings us
 to the end of the practical demonstration

0:11:30.760000 --> 0:11:33.560000
 section of this video.

0:11:33.560000 --> 0:11:38.000000
 All right. So that was exporting Windows
 event logs with the Windows event

0:11:38.000000 --> 0:11:43.420000
 utility. Now that we have exported or
 extracted them or collected them,

0:11:43.420000 --> 0:11:45.880000
 use whatever term you want.

0:11:45.880000 --> 0:11:51.640000
 Our next step is going to be parsing
 these particular Windows event logs.

0:11:51.640000 --> 0:11:56.200000
 Now, of course, where you do this either
 on the endpoint itself or on

0:11:56.200000 --> 0:11:58.400000
 your analyst system is
 not really important.

0:11:58.400000 --> 0:12:00.460000
 But we'll be using the same lab.

0:12:00.460000 --> 0:12:07.400000
 So if you're going through these videos
 sequentially and one at a time,

0:12:07.400000 --> 0:12:10.180000
 all in one sitting, then
 don't stop the lab.

0:12:10.180000 --> 0:12:13.520000
 Just keep it running because we'll be
 following right from where we left

0:12:13.520000 --> 0:12:18.440000
 it off, you know, at the end of the practical
 demonstration in this video.

0:12:18.440000 --> 0:12:21.420000
 In any case, that's going
 to be it for this video.

0:12:21.420000 --> 0:12:23.620000
 And I will be seeing you
 in the next video.

