WEBVTT

0:00:03.840000 --> 0:00:08.440000
 parsing Windows event
 logs with EvtxECmd.

0:00:08.440000 --> 0:00:13.200000
 So as you're probably aware in the previous
 video, we took a look at how

0:00:13.200000 --> 0:00:19.140000
 to collect or export Windows event
 logs in the EVTX format.

0:00:19.140000 --> 0:00:24.060000
 And now we're going to take a look
 at how to parse these Windows event

0:00:24.060000 --> 0:00:30.360000
 logs or EVTX files so that we can analyze
 them or make them a little bit

0:00:30.360000 --> 0:00:36.760000
 more readable. And we'll be exploring,
 you know, actually analyzing them

0:00:36.760000 --> 0:00:40.980000
 with a tool like Timeline Explorer
 in the next video.

0:00:40.980000 --> 0:00:42.640000
 But for now, this is our focus.

0:00:42.640000 --> 0:00:47.620000
 So we're still using the same lab
 as we did in the previous video.

0:00:47.620000 --> 0:00:52.780000
 And I'm just going to be continuing from
 where I left off, you know, pretty

0:00:52.780000 --> 0:00:58.580000
 much with the Windows event, Windows
 event logs that I've exported.

0:00:58.580000 --> 0:01:02.460000
 So I'm just going to switch into the
 lab environment and I'll see you

0:01:02.460000 --> 0:01:04.740000
 there in a couple of seconds.

0:01:04.740000 --> 0:01:09.180000
 All right, so I'm back
 in the lab environment.

0:01:09.180000 --> 0:01:13.620000
 And these are the two EVTX files we
 exported in the previous video.

0:01:13.620000 --> 0:01:16.320000
 So I'm just going to open
 up the tools directory.

0:01:16.320000 --> 0:01:21.300000
 And the tool we're going to be using is
 EvtxECmd, which is an EVTX parser.

0:01:21.300000 --> 0:01:27.160000
 It allows us to export EVTX files
 into formats like CSV that can

0:01:27.160000 --> 0:01:31.800000
 be analyzed in a spreadsheet or better
 yet through the use of a tool that

0:01:31.800000 --> 0:01:36.840000
 is built for this particular use case,
 that use case being analyzing CS,

0:01:36.840000 --> 0:01:42.620000
 you know, logs, but more specifically
 in formats like CSV. A tool,

0:01:42.620000 --> 0:01:45.940000
 you know, an example of that would be
 Timeline Explorer, which we're going

0:01:45.940000 --> 0:01:49.820000
 to be using. But in any case, you want
 to open up the folder and you'll

0:01:49.820000 --> 0:01:53.360000
 see the EvtxECmd program
 right over here.

0:01:53.360000 --> 0:01:56.540000
 So you want to open up a
 PowerShell window there.

0:01:56.540000 --> 0:01:59.400000
 And I'll go ahead and make
 this a little bit bigger.

0:01:59.400000 --> 0:02:03.180000
 So you can see what's going on, maybe 28.
0:02:03.180000 --> 0:02:07.080000
 There we are. Something like this.

0:02:07.080000 --> 0:02:14.100000
 Okay, great. So the first thing we need
 to do is, if you type in EvtxECmd

0:02:14.100000 --> 0:02:17.320000
 and you hit enter, there's
 quite a few options.

0:02:17.320000 --> 0:02:19.320000
 Pay attention to the output option.

0:02:19.320000 --> 0:02:25.300000
 So you have CSV, JSON, which is great,
 and XML, which is another great format.

0:02:25.300000 --> 0:02:29.840000
 But you know, in our case, given we are
 performing our analysis, I wouldn't

0:02:29.840000 --> 0:02:35.820000
 say manually. I would, I would, and I
 do prefer the CSV format, especially

0:02:35.820000 --> 0:02:37.980000
 when using tools like Timeline Explorer.

0:02:37.980000 --> 0:02:43.520000
 So what I typically do after I've exported
 the Windows event logs, regardless

0:02:43.520000 --> 0:02:48.920000
 of the destination, I then want to parse
 them so that I can analyze them.

0:02:48.920000 --> 0:02:50.360000
 So that's what we're doing right now.

0:02:50.360000 --> 0:02:56.480000
 So what we want to do is we have two
 EVTX files, if you remember, we have

0:02:56.480000 --> 0:03:00.940000
 the security channel logs
 and then Sysmon, right?

0:03:00.940000 --> 0:03:12.380000
 So what we need to do is specify
 the absolute path.

0:03:12.380000 --> 0:03:17.440000
 So C:\Users\Administrator.

0:03:17.440000 --> 0:03:22.040000
 And let me make sure I
 type this correctly.

0:03:22.040000 --> 0:03:25.760000
 So there we are and desktop.

0:03:25.760000 --> 0:03:29.480000
 And then we're going to
 say that is exports.

0:03:29.480000 --> 0:03:33.640000
 Yeah. And in exports, we want security.

0:03:33.640000 --> 0:03:36.100000
 Let's start with security.evtx.

0:03:36.100000 --> 0:03:38.440000
 And then we specify the output format.

0:03:38.440000 --> 0:03:41.440000
 So CSV. And then where
 we want this saved.

0:03:41.440000 --> 0:03:48.500000
 So C:\Users. And Administrator.

0:03:48.500000 --> 0:03:51.260000
 And then we want the desktop.

0:03:51.260000 --> 0:03:57.760000
 And then let's go ahead and just hit,
 we'll save it in the exports folder

0:03:57.760000 --> 0:04:03.220000
 as well. Like so, get rid
 of that there hit enter.

0:04:03.220000 --> 0:04:05.260000
 That is going to save it.

0:04:05.260000 --> 0:04:08.640000
 So it's going to load the maps
 and then there we are.

0:04:08.640000 --> 0:04:12.820000
 You can see it's processed one file
 and it gives you a summary of, you

0:04:12.820000 --> 0:04:15.820000
 know, summary that includes the metrics.

0:04:15.820000 --> 0:04:20.980000
 So metrics per event ID sort of give
 you an idea of the most common ones.

0:04:20.980000 --> 0:04:27.200000
 So now if we take a look at the exports
 folder here, we have the CSV right

0:04:27.200000 --> 0:04:32.160000
 of here. Now as I said, you can choose
 to analyze this in an, you know,

0:04:32.160000 --> 0:04:37.880000
 using Excel or whatever spreadsheet
 software you want to use.

0:04:37.880000 --> 0:04:41.580000
 But we'll be using Timeline Explorer.

0:04:41.580000 --> 0:04:43.860000
 We'll be getting to that
 in the next video.

0:04:43.860000 --> 0:04:45.680000
 So that's one down.

0:04:45.680000 --> 0:04:50.140000
 The next one would be the sysmon.evtx.

0:04:50.140000 --> 0:04:51.540000
 While that we had exported.

0:04:51.540000 --> 0:04:58.800000
 So I'm just going to type in sysmon.evtx
 and just hit enter.

0:04:58.800000 --> 0:05:03.520000
 This one will take a bit longer because
 there's a lot more events in there.

0:05:03.520000 --> 0:05:07.600000
 For obvious reasons, it's just a native
 Sysmon as you know, we already

0:05:07.600000 --> 0:05:09.720000
 went through previously.

0:05:09.720000 --> 0:05:10.860000
 So there we are.

0:05:10.860000 --> 0:05:16.100000
 Just want to give that a few seconds shouldn't
 take too much time actually.

0:05:16.100000 --> 0:05:20.340000
 But in this case, oh, it looks
 like it's taking some time.

0:05:20.340000 --> 0:05:24.760000
 There we are. We can see
 that right over here.

0:05:24.760000 --> 0:05:30.000000
 And we're done. So you can see it appears
 that for Sysmon, the event IDs

0:05:30.000000 --> 0:05:33.140000
 that's the most common
 would be 15 and 11.

0:05:33.140000 --> 0:05:35.640000
 So file creation, all that good stuff.

0:05:35.640000 --> 0:05:39.720000
 We also have quite a few for
 event ID 1, which is interesting.

0:05:39.720000 --> 0:05:42.540000
 I hope you remember your
 Sysmon event IDs.

0:05:42.540000 --> 0:05:45.000000
 In any case, that's pretty much it.

0:05:45.000000 --> 0:05:46.960000
 That's all that I wanted
 to cover in this video.

0:05:46.960000 --> 0:05:52.100000
 Just wanted to keep it nice and short
 and go through this procedurally.

0:05:52.100000 --> 0:05:55.920000
 So that brings us to the end of the
 practical demonstration section of

0:05:55.920000 --> 0:05:57.940000
 this video. All right.

0:05:57.940000 --> 0:06:03.660000
 So that was the process of parsing
 Windows event logs with EvtxECmd.

0:06:03.660000 --> 0:06:06.180000
 We parsed them into a CSV format.

0:06:06.180000 --> 0:06:10.600000
 So in the next video, we're going to
 be taking a look at how to analyze

0:06:10.600000 --> 0:06:17.200000
 these, you know, the parsed logs with
 a tool like Timeline Explorer.

0:06:17.200000 --> 0:06:20.380000
 And you'll see exactly why
 we've done what we've done.

0:06:20.380000 --> 0:06:22.460000
 So again, going through
 this sequentially.

0:06:22.460000 --> 0:06:26.380000
 So you actually understand that, you know,
 this process is really logically,

0:06:26.380000 --> 0:06:28.840000
 yeah, can be broken down into steps.

0:06:28.840000 --> 0:06:31.900000
 And it's very important that
 you understand that.

0:06:31.900000 --> 0:06:35.520000
 And you begin to implement it into
 your own methodology when it comes

0:06:35.520000 --> 0:06:37.860000
 down to endpoint analysis.

0:06:37.860000 --> 0:06:40.780000
 And specifically endpoint log analysis.

0:06:40.780000 --> 0:06:43.120000
 That being said, that's going
 to be it for this video.

0:06:43.120000 --> 0:06:45.780000
 And I'll be seeing you in the next video.


