WEBVTT

0:00:04.060000 --> 0:00:08.160000
 Analyzing Windows Event Logs
 with Timeline Explorer.

0:00:08.160000 --> 0:00:12.160000
 So in the previous two videos, we've
 taken a look at how to export Windows

0:00:12.160000 --> 0:00:18.980000
 Event Logs. We then took a look, in
 the previous video, at the process of

0:00:18.980000 --> 0:00:24.420000
 parsing those logs into, you know, formats
 like CSV that we can then use

0:00:24.420000 --> 0:00:29.900000
 in conjunction with tools like Timeline
 Explorer to analyze as it were.

0:00:29.900000 --> 0:00:37.760000
 And it's very important to note or,
 you know, to understand that, as I

0:00:37.760000 --> 0:00:41.880000
 mentioned, the latter phase of the
 previous video, it's always good to

0:00:41.880000 --> 0:00:48.100000
 think about this process in the form
 of, you know, phases or steps that

0:00:48.100000 --> 0:00:49.560000
 feed into each other.

0:00:49.560000 --> 0:00:55.880000
 So as the title of this video suggests,
 we're now going to be analyzing

0:00:55.880000 --> 0:01:01.460000
 those event logs, you know, both the
 security channel logs, you know,

0:01:01.460000 --> 0:01:04.440000
 both logs from the security channel
 as well as the Sysmon operational

0:01:04.440000 --> 0:01:07.940000
 channel using a tool called
 Timeline Explorer.

0:01:07.940000 --> 0:01:09.960000
 So we're still using the
 same lab environment.

0:01:09.960000 --> 0:01:13.640000
 Now, before we get started with a practical
 aspect, you may be asking

0:01:13.640000 --> 0:01:16.960000
 yourself, what exactly
 is Timeline Explorer?

0:01:16.960000 --> 0:01:21.840000
 Well, Timeline Explorer is a GUI tool
 created by Eric Zimmerman designed

0:01:21.840000 --> 0:01:25.460000
 to help digital forensics and incident
 response professionals analyze

0:01:25.460000 --> 0:01:30.980000
 time-based forensic data, especially
 CSV files generated from parsed logs

0:01:30.980000 --> 0:01:32.380000
 and system artifacts.

0:01:32.380000 --> 0:01:36.340000
 Now, if you've never heard of Eric
 Zimmerman, he is the creator of not

0:01:36.340000 --> 0:01:41.460000
 only Timeline Explorer, not only EvtxECmd,
 which we used in the previous

0:01:41.460000 --> 0:01:46.740000
 video, but a plethora or a boatload of
 other digital forensics and incident

0:01:46.740000 --> 0:01:50.600000
 response tools that are
 open source and free.

0:01:50.600000 --> 0:01:54.600000
 And I highly recommend you take a look
 at the Eric Zimmerman tools page

0:01:54.600000 --> 0:01:58.040000
 that is hyperlinked in this particular
 slide, or you can just perform

0:01:58.040000 --> 0:02:02.800000
 a quick Google search of either Timeline
 Explorer, Registry Explorer,

0:02:02.800000 --> 0:02:08.360000
 or EvtxECmd. The reason why I'm bringing
 this up is because Eric's contribution

0:02:08.360000 --> 0:02:13.040000
 to this field with regards to the countless
 tools that he's developed to

0:02:13.040000 --> 0:02:20.060000
 support the operations or the tasks that
 incident, or the work that incident

0:02:20.060000 --> 0:02:25.040000
 responders and digital forensic
 analysts perform is invaluable.

0:02:25.040000 --> 0:02:30.600000
 So, I highly recommend you check
 that particular web page out.

0:02:30.600000 --> 0:02:32.800000
 There's a ton of tools.

0:02:32.800000 --> 0:02:37.960000
 So, the big question is, okay, we know
 what Timeline Explorer is, but

0:02:37.960000 --> 0:02:40.620000
 what is it used for, generally speaking?

0:02:40.620000 --> 0:02:44.160000
 Well, Timeline Explorer is primarily
 used to build and review forensic

0:02:44.160000 --> 0:02:48.880000
 timelines. What that means is you can
 visualize a chronological sequence

0:02:48.880000 --> 0:02:54.160000
 of events from logs, registry data,
 file system activity, etc.

0:02:54.160000 --> 0:02:58.460000
 You also have the ability to correlate
 artifacts from multiple sources.

0:02:58.460000 --> 0:03:10.580000
 So, you combine exported data from
 tools like MFTECmd, RECmd, PECmd for

0:03:10.580000 --> 0:03:16.280000
 NTFS, registry and prefetch, and then
 KAPE as a triage artifact extractor.

0:03:16.280000 --> 0:03:20.160000
 By the way, Eric Zimmerman
 also developed KAPE.

0:03:20.160000 --> 0:03:25.920000
 So, you can see the level or the extent
 to which he has contributed to

0:03:25.920000 --> 0:03:30.700000
 this field. You then have the ability
 to filter and search timeline data.

0:03:30.700000 --> 0:03:36.940000
 So, you can apply filters across timestamps,
 file paths, event types,

0:03:36.940000 --> 0:03:41.420000
 or keywords to spot attack activity.

0:03:41.420000 --> 0:03:47.240000
 And you can also identify suspicious
 patterns over time.

0:03:47.240000 --> 0:03:52.900000
 That is in the form of highlighting log on
 spikes, script execution, persistence,

0:03:52.900000 --> 0:04:02.300000
 setup, etc. So, let's take a look at the
 Windows event logs parsed in the previous

0:04:02.300000 --> 0:04:08.000000
 video using EvtxECmd, so that we can
 analyze them with a tool like Timeline

0:04:08.000000 --> 0:04:11.460000
 Explorer. However, that does not mean
 you're limited to just using Timeline

0:04:11.460000 --> 0:04:15.600000
 Explorer. You can also utilize a spreadsheet
 if you want, because you

0:04:15.600000 --> 0:04:19.040000
 still have the same filtering capabilities
 there, but you'll sort of see

0:04:19.040000 --> 0:04:21.760000
 the power of Timeline Explorer shortly.

0:04:21.760000 --> 0:04:24.880000
 Now, we're going to be using
 the same lab that we used.

0:04:24.880000 --> 0:04:32.940000
 One thing I would like to point out
 is, firstly, that with regard to the

0:04:32.940000 --> 0:04:39.300000
 Sysmon events and specifically the
 export you did, it may not contain

0:04:39.300000 --> 0:04:44.020000
 all of the events because they may
 have been overwritten, which is why

0:04:44.020000 --> 0:04:49.760000
 the exports folder I had created the
 initial exports folder and dumped

0:04:49.760000 --> 0:04:55.320000
 the actual Sysmon event logs pertinent
 to the actual incident.

0:04:55.320000 --> 0:04:58.460000
 So, I just wanted to point that out.

0:04:58.460000 --> 0:05:03.780000
 If you're actually going to try and analyze
 and find the suspicious events,

0:05:03.780000 --> 0:05:05.740000
 in any case, I'll just
 walk you through it.

0:05:05.740000 --> 0:05:08.460000
 So, I'm going to switch over
 into the lab environment.

0:05:08.460000 --> 0:05:13.020000
 Remember, it's the same one we used
 in the last two previous videos.

0:05:13.020000 --> 0:05:18.620000
 So, I'll just switch over and I'll see
 you guys back in a couple of seconds.

0:05:18.620000 --> 0:05:22.720000
 All right, so I'm back in the lab environment
 and I have the tools folder

0:05:22.720000 --> 0:05:29.840000
 open in one window right over here, one
 file explorer window and the other,

0:05:29.840000 --> 0:05:32.120000
 I have the exports folder open.

0:05:32.120000 --> 0:05:35.520000
 So, within the tools folder, you're
 going to find the Timeline Explorer

0:05:35.520000 --> 0:05:40.440000
 zip file. You can extract it if it
 hasn't been extracted already.

0:05:40.440000 --> 0:05:41.560000
 So, you want to open this up.

0:05:41.560000 --> 0:05:42.980000
 It's an executable.

0:05:42.980000 --> 0:05:46.520000
 So, this is a graphical user
 interface tool, GUI tool.

0:05:46.520000 --> 0:05:48.160000
 So, you just open it up here.

0:05:48.160000 --> 0:05:51.640000
 You want to give it a few seconds and
 you might be asking yourself, well,

0:05:51.640000 --> 0:05:53.680000
 what on earth is going on here?

0:05:53.680000 --> 0:05:54.760000
 What do I do next?

0:05:54.760000 --> 0:05:56.700000
 Well, it really is very simple.

0:05:56.700000 --> 0:06:01.440000
 So, you remember those exports or,
 you know, the logs you parsed with

0:06:01.440000 --> 0:06:06.840000
 EvtxECmd? Well, all you need to do,
 we'll start with the security channel

0:06:06.840000 --> 0:06:15.840000
 logs is just typically do here and I'm
 just going to get rid of a filter

0:06:15.840000 --> 0:06:17.500000
 I'd applied earlier.

0:06:17.500000 --> 0:06:20.600000
 So, just bring it up and this
 is exactly what you will see.

0:06:20.600000 --> 0:06:24.560000
 So, first things first, I'm
 just going to change this.

0:06:24.560000 --> 0:06:29.340000
 I'm just going to go into tools, change
 the skin to Office 2019 black

0:06:29.340000 --> 0:06:33.080000
 because that's really easy on my eyes.

0:06:33.080000 --> 0:06:38.000000
 So, you have, you know, this is a table
 format and you have, I believe,

0:06:38.000000 --> 0:06:43.420000
 let's see, yeah, you have the oldest
 logs at the top and you can, you

0:06:43.420000 --> 0:06:48.100000
 know, sort in, you know, ascending
 or descending order like so.

0:06:48.100000 --> 0:06:51.860000
 So, you can actually bring the newest
 logs to the very top right over

0:06:51.860000 --> 0:06:55.320000
 here. So, you have the line, the tag.

0:06:55.320000 --> 0:07:00.240000
 So, you can tag specific, you
 know, specific logs here.

0:07:00.240000 --> 0:07:04.340000
 You have the record number, the event
 record ID and then more importantly,

0:07:04.340000 --> 0:07:07.480000
 you have the timestamp right over here,
 right, which is sort of what we're

0:07:07.480000 --> 0:07:11.760000
 interested in and then the event ID,
 that's all, you know, also something

0:07:11.760000 --> 0:07:15.480000
 that's useful. You have the provider,
 so Microsoft Windows security auditing

0:07:15.480000 --> 0:07:19.500000
 and then the channel, which
 in this case is security.

0:07:19.500000 --> 0:07:26.380000
 You have the process ID, the user ID
 and let me just resize this so you

0:07:26.380000 --> 0:07:28.300000
 guys can see this a little bit better.

0:07:28.300000 --> 0:07:33.600000
 But then you have the map description,
 the username here, the remote host

0:07:33.600000 --> 0:07:40.720000
 details, payload data, one payload data,
 two, three, four, five, six and

0:07:40.720000 --> 0:07:45.300000
 then the executable info, the source
 file and the payload itself, the

0:07:45.300000 --> 0:07:47.660000
 raw payload right over here.

0:07:47.660000 --> 0:07:52.520000
 So, first things first in terms of
 finding, you know, activity that's,

0:07:52.520000 --> 0:08:02.300000
 let's say, filter by Windows event ID.

0:08:02.300000 --> 0:08:05.420000
 Remember, these are not the Sysmon logs.

0:08:05.420000 --> 0:08:10.460000
 So, you can actually, you know, filter
 for, you know, different Windows

0:08:10.460000 --> 0:08:14.300000
 event IDs depending on what type of
 information you're looking for, what

0:08:14.300000 --> 0:08:17.880000
 type of activity you are trying
 to analyze closely.

0:08:17.880000 --> 0:08:20.960000
 Again, this is going to be based on the
 nature of the incident that you're

0:08:20.960000 --> 0:08:26.080000
 analyzing. But for example, if I go
 into event ID and I right click on

0:08:26.080000 --> 0:08:30.780000
 a column here, I can go into the filter
 editor, and this is really where

0:08:30.780000 --> 0:08:35.040000
 the power of timeline explorer comes
 into play because you have a logical

0:08:35.040000 --> 0:08:39.920000
 filter editor. So, you know, logical
 operators like and so and event ID

0:08:39.920000 --> 0:08:46.320000
 is equal to, let's go with the event
 ID of let's say 4624, you

0:08:46.320000 --> 0:08:47.900000
 know, successful log on.

0:08:47.900000 --> 0:08:54.020000
 So, 4624, hit apply and now only
 those event logs are displayed.

0:08:54.020000 --> 0:08:59.240000
 So, you can actually see that here map
 description that says successful

0:08:59.240000 --> 0:09:02.100000
 log on the username here.

0:09:02.100000 --> 0:09:06.100000
 And you can then look for, you know,
 remote connections as it were, very

0:09:06.100000 --> 0:09:10.300000
 nice. You then have your payload data
 here, which sort of gives you an

0:09:10.300000 --> 0:09:14.980000
 idea as to, you know, what the
 authentication is pertinent to.

0:09:14.980000 --> 0:09:18.560000
 But more importantly, remember, the log
 on type here tells you what you're

0:09:18.560000 --> 0:09:24.240000
 dealing with either a local log
 on, remote log on, etc, etc.

0:09:24.240000 --> 0:09:29.040000
 And then of course, you can go through
 the payload data columns here.

0:09:29.040000 --> 0:09:33.320000
 And yeah, so that's how
 to filter it there.

0:09:33.320000 --> 0:09:37.760000
 You can then right click on it here
 or you have your filter displayed

0:09:37.760000 --> 0:09:42.320000
 at the bottom, you can go ahead and,
 you know, get rid of a filter or

0:09:42.320000 --> 0:09:46.080000
 you can just modify it directly
 from here one second.

0:09:46.080000 --> 0:09:48.360000
 Actually, hold on.

0:09:48.360000 --> 0:09:54.780000
 Now you need to go in here, my bad,
 and then filter editor to modify it.

0:09:54.780000 --> 0:10:00.440000
 Let's do another Windows event ID
 here like process creation, right?

0:10:00.440000 --> 0:10:04.240000
 So we can say 4688,
 something like this.

0:10:04.240000 --> 0:10:07.020000
 So, tracking process creation.

0:10:07.020000 --> 0:10:10.680000
 And then there we are, we can see it's
 performed the filtering and now

0:10:10.680000 --> 0:10:16.920000
 you can see map description, a new process
 has been, I don't want to drag

0:10:16.920000 --> 0:10:20.280000
 that there. So, a new process has been
 created and then you can take a

0:10:20.280000 --> 0:10:24.080000
 look at the payload data to understand
 or get a better idea as to what

0:10:24.080000 --> 0:10:28.180000
 process was created.

0:10:28.180000 --> 0:10:30.980000
 And yeah, so you can do that.

0:10:30.980000 --> 0:10:34.480000
 But to make it a bit more specific, let's
 say we're looking for malicious,

0:10:34.480000 --> 0:10:38.640000
 let's say the incident that we're told
 to analyze was specific to execution

0:10:38.640000 --> 0:10:40.220000
 of PowerShell, right?

0:10:40.220000 --> 0:10:46.640000
 So what we can do now is we can search
 for, you know, right over here,

0:10:46.640000 --> 0:10:51.540000
 you know, using the search tool, that'll
 highlight all matches there in

0:10:51.540000 --> 0:10:55.680000
 yellow. So you can actually see that
 or we can get rid of that and go

0:10:55.680000 --> 0:11:01.260000
 to a, you know, column or field that actually
 contains that type of information.

0:11:01.260000 --> 0:11:04.220000
 We can then right click
 and filter editor.

0:11:04.220000 --> 0:11:07.500000
 Now, because there's more than one filter
 in place, we can actually hover

0:11:07.500000 --> 0:11:10.640000
 over and add a condition.

0:11:10.640000 --> 0:11:15.280000
 And say payload data begins with
 no, we want just contains.

0:11:15.280000 --> 0:11:18.660000
 And in here, we can then specify something
 like, you know, powershell.exe.

0:11:18.660000 --> 0:11:21.920000
 So now we're sort
 of using two filters.

0:11:21.920000 --> 0:11:24.800000
 So 4688, for process creation.

0:11:24.800000 --> 0:11:28.980000
 And then we are checking the payload data
 field to see if it matches powershell.exe.

0:11:28.980000 --> 0:11:32.520000
 So that's the only
 logs that we want to see.

0:11:32.520000 --> 0:11:34.280000
 And there we are beautiful.

0:11:34.280000 --> 0:11:39.260000
 So this is the power of a tool
 like timeline explorer.

0:11:39.260000 --> 0:11:44.620000
 And you can actually see
 the source file there.

0:11:44.620000 --> 0:11:50.420000
 And now actually, if we go to, let's
 see if we go into file, actually

0:11:50.420000 --> 0:11:59.160000
 hold on tools. Let me go to.

0:11:59.160000 --> 0:12:01.100000
 No, actually hold on.

0:12:01.100000 --> 0:12:04.580000
 So date time, yeah, the date time format,
 you can actually change that

0:12:04.580000 --> 0:12:07.120000
 to some, you know, the format
 that's suitable for you.

0:12:07.120000 --> 0:12:15.160000
 But what I wanted was, let's see
 tools, find, let's see, select.

0:12:15.160000 --> 0:12:21.620000
 One second, actually hold on,
 let's go time created here.

0:12:21.620000 --> 0:12:23.520000
 So sort ascending, sort descending.

0:12:23.520000 --> 0:12:25.280000
 Let's let's do that.

0:12:25.280000 --> 0:12:30.660000
 Now, I'm just going to go to the very
 top here, to some of the oldest

0:12:30.660000 --> 0:12:34.440000
 ones. And let's see if we can find anything
 interesting, because the incident

0:12:34.440000 --> 0:12:37.780000
 happened a while back.

0:12:37.780000 --> 0:12:44.400000
 So let's see if we can find
 anything interesting here.

0:12:44.400000 --> 0:12:48.960000
 I'm guessing, you know, we should be
 able to find something interesting.

0:12:48.960000 --> 0:12:51.340000
 So that was, yeah.

0:12:51.340000 --> 0:12:53.560000
 Okay, so let's see.

0:12:53.560000 --> 0:12:59.380000
 You can actually highlight a particular
 row, just like you can in Excel.

0:12:59.380000 --> 0:13:06.040000
 So the payload data 2 and 3, which hold
 the process ID and parent process

0:13:06.040000 --> 0:13:11.620000
 ID, are in hex there, which you can easily
 convert, so it's not really, you know,

0:13:11.620000 --> 0:13:15.660000
 you know, big issue, but
 just hold on a second.

0:13:15.660000 --> 0:13:20.200000
 So now you can start to see the limitations
 of, you know, just using the

0:13:20.200000 --> 0:13:26.200000
 security logs, one of which is, you
 know, you're not really getting that

0:13:26.200000 --> 0:13:31.120000
 much info, but you can always take
 a look at the actual log file here.

0:13:31.120000 --> 0:13:34.440000
 So you can double click on it and you
 get it sort of, you know, raw, so

0:13:34.440000 --> 0:13:41.420000
 event data. You can see right over
 here, so powershell.exe, and then

0:13:41.420000 --> 0:13:46.320000
 text, that's in hex command
 line target user.

0:13:46.320000 --> 0:13:49.860000
 Yeah, so you can see that there.

0:13:49.860000 --> 0:13:55.280000
 So that's, you know, basically how
 to navigate around logs in timeline

0:13:55.280000 --> 0:14:01.780000
 explorer. Now, of course, there's a
 lot more you can do with, you know,

0:14:01.780000 --> 0:14:05.620000
 it really doesn't make sense me going
 through this without any context

0:14:05.620000 --> 0:14:07.640000
 or without any incident to investigate.

0:14:07.640000 --> 0:14:13.360000
 So what I'll do now is,
 let me close it up.

0:14:13.360000 --> 0:14:17.380000
 And what we want is I'm going to
 use the initial exports folder.

0:14:17.380000 --> 0:14:24.320000
 There's the sysmon logs right over here
 that actually contain the malicious

0:14:24.320000 --> 0:14:28.060000
 activity. If you remember, I just mentioned
 when we were going through

0:14:28.060000 --> 0:14:37.080000
 the slides, that the sysmon logs that
 you export and parse with EvtxECmd

0:14:37.080000 --> 0:14:45.880000
 will most likely not contain the malicious
 activity, because, you know,

0:14:45.880000 --> 0:14:47.640000
 they probably have been overwritten.

0:14:47.640000 --> 0:14:58.520000
 In any case, I'll make modifications
 to the lab to ensure that, you know,

0:14:58.520000 --> 0:15:00.980000
 when you perform the bring that one in,
 so you can use the initial export

0:15:00.980000 --> 0:15:04.800000
 is, you know, pretty much encapsulates
 all that I wanted to cover.

0:15:04.800000 --> 0:15:09.820000
 Now, because these are sysmon event
 logs, this ID is not going to work,

0:15:09.820000 --> 0:15:12.460000
 so we need to change it to one.

0:15:12.460000 --> 0:15:17.340000
 So let me go ahead and event ID.

0:15:17.340000 --> 0:15:21.760000
 I'm just going to go into the filter
 editor, we can still keep actually,

0:15:21.760000 --> 0:15:29.060000
 wait, we might not want that, we're
 just going to do event ID one for

0:15:29.060000 --> 0:15:30.460000
 process creation.

0:15:30.460000 --> 0:15:32.240000
 There we are, very nice, very nice.

0:15:32.240000 --> 0:15:37.420000
 Okay. And now, we can take
 a look at the field.

0:15:37.420000 --> 0:15:41.500000
 So with sysmon event IDs, you just pretty
 much have the same organization

0:15:41.500000 --> 0:15:45.040000
 to begin with. So you have
 the channel process ID.

0:15:45.040000 --> 0:15:46.780000
 In this case, now it's not in hex.

0:15:46.780000 --> 0:15:51.180000
 So one of the advantages of sysmon, you
 have the map description, so process

0:15:51.180000 --> 0:15:55.140000
 creation, the username, remote
 host payload data.

0:15:55.140000 --> 0:15:57.260000
 And then you should have the hashes here.


0:15:57.260000 --> 0:16:01.260000
 So the SHA1 hash here
 for payload data.

0:16:01.260000 --> 0:16:06.340000
 And then you have the MITRE ATT&CK mapping,
 which is one of the advantages

0:16:06.340000 --> 0:16:12.760000
 of sysmon. So with regard to the sysmon
 configuration on this system,

0:16:12.760000 --> 0:16:19.120000
 it actually uses a configuration that
 has this MITRE ATT&CK TTP mapping,

0:16:19.120000 --> 0:16:24.480000
 which is great for advanced correlation
 and stuff like this.

0:16:24.480000 --> 0:16:29.940000
 But now, you know, you have payload data
 4, which has the parent process.

0:16:29.940000 --> 0:16:35.540000
 Then payload data 5, parent process
 ID, payload data 6, this is very

0:16:35.540000 --> 0:16:40.100000
 important. That contains
 the parent command line.

0:16:40.100000 --> 0:16:43.300000
 And then you also have
 the executable info.

0:16:43.300000 --> 0:16:47.960000
 So, you know, we can pretty much
 filter any one of these.

0:16:47.960000 --> 0:16:52.800000
 But I believe the one that
 we want is this one here.

0:16:52.800000 --> 0:16:56.880000
 So payload data six, this is where we
 want to apply our, you know, special

0:16:56.880000 --> 0:16:58.500000
 filter, as it were.

0:16:58.500000 --> 0:17:02.220000
 So filter editor, I'm going
 to add a condition.

0:17:02.220000 --> 0:17:10.700000
 We're going to say payload data six
 begins with contains PowerShell.exe.

0:17:10.700000 --> 0:17:15.420000
 Okay, now we're getting to
 the interesting stuff.

0:17:15.420000 --> 0:17:19.820000
 So this is the malicious activity
 I was referring to.

0:17:19.820000 --> 0:17:23.420000
 This one right over here.

0:17:23.420000 --> 0:17:25.740000
 So you can see the creation
 of a scheduled task.

0:17:25.740000 --> 0:17:31.020000
 I used, you know, the Atomic Red Team
 atomics to, you know, simulate,

0:17:31.020000 --> 0:17:34.040000
 emulate malicious activity.

0:17:34.040000 --> 0:17:39.920000
 But, you know, for the execute the
 executable info column or field is

0:17:39.920000 --> 0:17:46.560000
 where we have some of these really interesting
 information or payloads,

0:17:46.560000 --> 0:17:50.940000
 as it were. So over here, you can always
 double click on any one of these

0:17:50.940000 --> 0:17:55.040000
 fields to get the actual, you know, to
 actually view all the data contained

0:17:55.040000 --> 0:17:59.060000
 therein. So you can see powershell.exe,
 New-Item.

0:17:59.060000 --> 0:18:01.840000
 So this is a registry modification.

0:18:01.840000 --> 0:18:06.200000
 In this case, it appears to
 be a service being created.

0:18:06.200000 --> 0:18:12.020000
 So we can see a cmd.exe, a Start-Process,
 no, not a service.

0:18:12.020000 --> 0:18:21.580000
 This is, in this case, a PowerShell,
 Classes, mscfile, shell open command.

0:18:21.580000 --> 0:18:24.820000
 Yeah. Okay. So that is
 definitely malicious.

0:18:24.820000 --> 0:18:33.520000
 And we have here, this one right over
 here, this is specific to this atomic

0:18:33.520000 --> 0:18:39.360000
 test. I believe this is, yeah, this
 is a service being configured there.

0:18:39.360000 --> 0:18:42.680000
 We can also make it a
 bit more interesting.

0:18:42.680000 --> 0:18:48.480000
 Let's see. So that is, if we take a
 look at the payload data here, we

0:18:48.480000 --> 0:18:52.180000
 can actually see Windows service,
 the MITRE ATT&CK mapping.

0:18:52.180000 --> 0:19:02.800000
 So what we want is, let's see, Windows
 command shell actually probably

0:19:02.800000 --> 0:19:10.100000
 wise to get rid of this filter here.

0:19:10.100000 --> 0:19:12.480000
 Okay. And just go to event ID one.

0:19:12.480000 --> 0:19:17.580000
 And now we take a look at our mapping
 here, our MITRE ATT&CK mapping.

0:19:17.580000 --> 0:19:19.620000
 So we have WMI here.

0:19:19.620000 --> 0:19:26.040000
 So let me go and I'm just going
 to tag this particular one here.

0:19:26.040000 --> 0:19:27.920000
 So just tag that there.

0:19:27.920000 --> 0:19:29.960000
 Very nice. Okay.

0:19:29.960000 --> 0:19:32.880000
 So now let's take a look at
 what was going on here.

0:19:32.880000 --> 0:19:36.640000
 So yeah, we can see WMI being used.

0:19:36.640000 --> 0:19:41.640000
 svchost, WmiPrvSE.

0:19:41.640000 --> 0:19:45.880000
 Yeah. Okay. And then PowerShell.exe.

0:19:45.880000 --> 0:19:48.640000
 Yeah. I believe we saw this one here.

0:19:48.640000 --> 0:19:53.660000
 We can also see sharp on being
 downloaded and executed.

0:19:53.660000 --> 0:19:57.500000
 We can see a scheduled task
 being created here.

0:19:57.500000 --> 0:20:00.000000
 So scheduled task.

0:20:00.000000 --> 0:20:03.520000
 So again, this just gives you an idea
 of what you can do with timeline

0:20:03.520000 --> 0:20:08.420000
 explorer. As I said, there's, you know,
 there's no real scenario or incident

0:20:08.420000 --> 0:20:12.740000
 scenario that I built into this, because
 again, we're really focused on

0:20:12.740000 --> 0:20:14.880000
 tooling and methodology here.

0:20:14.880000 --> 0:20:18.640000
 But based on the nature of the incident and
 what you've been told to investigate,

0:20:18.640000 --> 0:20:20.240000
 you would know where to go to.

0:20:20.240000 --> 0:20:24.640000
 And of course, if you know your Windows
 event IDs and your Sysmon, and

0:20:24.640000 --> 0:20:27.560000
 your Sysmon event IDs, then
 you'd know what to do.

0:20:27.560000 --> 0:20:30.720000
 So, you know, let's go ahead and play
 around with this a little bit, just

0:20:30.720000 --> 0:20:32.860000
 a bit more. And I always like doing this.


0:20:32.860000 --> 0:20:34.260000
 It's always fun.

0:20:34.260000 --> 0:20:39.080000
 So let's do event ID, because
 we're doing actually hold on.

0:20:39.080000 --> 0:20:46.000000
 No event IDs equal to no wait, wait,
 wait, wait, a minute event ID filter

0:20:46.000000 --> 0:20:54.180000
 editor. Yeah. So we want to change
 this to, if we do 11, file created,

0:20:54.180000 --> 0:20:56.800000
 this is more event ID here.

0:20:56.800000 --> 0:21:00.040000
 Let's see if them if
 I'm actually correct.

0:21:00.040000 --> 0:21:07.940000
 There we are, file, so file
 permission weakness.

0:21:07.940000 --> 0:21:09.840000
 Oh, this one looks interesting.

0:21:09.840000 --> 0:21:13.040000
 Let's just go ahead and
 highlight this here.

0:21:13.040000 --> 0:21:18.240000
 So we can see something, well, mighty
 interesting, mighty interesting.

0:21:18.240000 --> 0:21:22.980000
 Oh my God. Oh, we have
 a PowerShell script.

0:21:22.980000 --> 0:21:24.480000
 Oh, interesting.

0:21:24.480000 --> 0:21:26.900000
 So we have something to investigate.

0:21:26.900000 --> 0:21:31.160000
 So this is the essence of analysis,
 but you need to be able to navigate

0:21:31.160000 --> 0:21:35.420000
 and find what you're looking for.

0:21:35.420000 --> 0:21:41.480000
 You know, so the MITRE mapping here
 is, you know, as you can obviously

0:21:41.480000 --> 0:21:44.040000
 tell is immensely useful.

0:21:44.040000 --> 0:21:48.780000
 So for permission weakness, let's see
 anything interesting, no rule mapping

0:21:48.780000 --> 0:21:51.520000
 there. Interesting.

0:21:51.520000 --> 0:21:56.280000
 JavaScript, ooh, interesting,
 no, that's Mozilla.

0:21:56.280000 --> 0:22:00.320000
 We have another PowerShell here.

0:22:00.320000 --> 0:22:03.660000
 Let's go ahead and check this one out.

0:22:03.660000 --> 0:22:08.880000
 Oh, that was me setting
 up Atomic, interesting.

0:22:08.880000 --> 0:22:11.800000
 Okay. Let's see.

0:22:11.800000 --> 0:22:17.300000
 Trusted Developer Utilities
 Proxy Execution.

0:22:17.300000 --> 0:22:20.920000
 That's interesting.

0:22:20.920000 --> 0:22:24.560000
 Mighty interesting.

0:22:24.560000 --> 0:22:27.720000
 In any case, that's what you can do.

0:22:27.720000 --> 0:22:31.380000
 And yeah, you can also let's see.

0:22:31.380000 --> 0:22:35.880000
 Yeah, you can probably also use this
 or use the mapping here in terms

0:22:35.880000 --> 0:22:41.420000
 of the rules. So filter editor, we
 can say and condition payload data

0:22:41.420000 --> 0:22:45.560000
 begins with, we can say contains.

0:22:45.560000 --> 0:22:52.440000
 We can filter for MITRE ATT&CK technique
 or sub-technique IDs here.

0:22:52.440000 --> 0:23:01.260000
 So for example, PowerShell would
 be T1059.001.

0:23:01.260000 --> 0:23:06.420000
 So, you know, we can actually
 just say T1059.

0:23:06.420000 --> 0:23:09.080000
 Let's see whether that works.

0:23:09.080000 --> 0:23:10.440000
 Beautiful. Beautiful.

0:23:10.440000 --> 0:23:14.780000
 So now things are getting even better
 now, because now I can pretty much

0:23:14.780000 --> 0:23:18.340000
 limit it. Oh, man, look at
 how much we have in here.

0:23:18.340000 --> 0:23:20.920000
 Just look at this.

0:23:20.920000 --> 0:23:23.600000
 Wow. Okay. This is interesting.

0:23:23.600000 --> 0:23:29.620000
 So file creation or event ID 11 and payload
 data contains T1059.

0:23:29.620000 --> 0:23:33.240000
 So we have this one here.

0:23:33.240000 --> 0:23:38.520000
 This, these PowerShell scripts
 look interesting.

0:23:38.520000 --> 0:23:44.800000
 We also have all of these PowerShell
 scripts here pertinent to Atomic.

0:23:44.800000 --> 0:23:47.060000
 Yeah, and a couple of others.

0:23:47.060000 --> 0:23:56.220000
 And then of course, we can also
 let me go ahead and one second.

0:23:56.220000 --> 0:24:00.740000
 Sorry, let me just go
 back to event ID here.

0:24:00.740000 --> 0:24:04.800000
 Filter editor, let's change this
 back to one, just a second.

0:24:04.800000 --> 0:24:08.380000
 Okay, now things are getting into.

0:24:08.380000 --> 0:24:11.020000
 So this is process execution.

0:24:11.020000 --> 0:24:13.360000
 So PowerShell right over here.

0:24:13.360000 --> 0:24:16.520000
 And then we take a look
 at payload data six.

0:24:16.520000 --> 0:24:19.400000
 We can see what was executed.

0:24:19.400000 --> 0:24:22.060000
 This one looks interesting.

0:24:22.060000 --> 0:24:25.240000
 Or at least I thought
 it looked interesting.

0:24:25.240000 --> 0:24:27.660000
 Let's take a look at this here.

0:24:27.660000 --> 0:24:29.900000
 So scheduled task, service creation.

0:24:29.900000 --> 0:24:33.280000
 That's pretty much the activity
 I wanted to emulate.

0:24:33.280000 --> 0:24:38.540000
 Now, yes, scheduled task
 being created here.

0:24:38.540000 --> 0:24:43.920000
 And now it makes sense because I
 didn't even know what I executed.

0:24:43.920000 --> 0:24:45.880000
 I didn't know it properly.

0:24:45.880000 --> 0:24:47.860000
 So Windows, no, wait a minute.

0:24:47.860000 --> 0:24:52.900000
 So I remember I saw this here.

0:24:52.900000 --> 0:24:58.640000
 Event Viewer. So that's why when I click
 on Event Viewer here, it opens up

0:24:58.640000 --> 0:24:59.440000
 the command prompt.

0:24:59.440000 --> 0:25:02.700000
 So I actually perform some really
 malicious stuff here.

0:25:02.700000 --> 0:25:04.000000
 That makes sense now.

0:25:04.000000 --> 0:25:05.660000
 In any case, you get the idea.

0:25:05.660000 --> 0:25:08.040000
 Maybe we can try a bit more.

0:25:08.040000 --> 0:25:12.200000
 Let's try technique one.

0:25:12.200000 --> 0:25:16.400000
 Actually, you know what, let me
 go ahead and clear this filter.

0:25:16.400000 --> 0:25:22.880000
 Let me go back to the MITRE ATT&CK
 techniques or mapping, as it were.

0:25:22.880000 --> 0:25:26.480000
 So I'm just going to go in here.

0:25:26.480000 --> 0:25:32.300000
 Filter editor begins with contains.

0:25:32.300000 --> 0:25:33.920000
 I mean, this is just awesome.

0:25:33.920000 --> 0:25:35.340000
 I love doing this anyway.

0:25:35.340000 --> 0:25:38.440000
 Let's see here we do.

0:25:38.440000 --> 0:25:43.900000
 Let's try T1548.

0:25:43.900000 --> 0:25:47.060000
 I believe that's UAC bypass.

0:25:47.060000 --> 0:25:49.260000
 Ah, nothing in there.

0:25:49.260000 --> 0:25:58.060000
 Okay. So how about T1003?

0:25:58.060000 --> 0:26:08.760000
 Okay. Am I using the correct filter?

0:26:08.760000 --> 0:26:10.300000
 Because you have the mapping there.

0:26:10.300000 --> 0:26:12.100000
 The one five four seven.

0:26:12.100000 --> 0:26:13.460000
 Do we have any filters active?

0:26:13.460000 --> 0:26:20.440000
 No, we don't. So actually, you know what,
 let's make it a bit more pertinent

0:26:20.440000 --> 0:26:22.560000
 to what we're investigating here.

0:26:22.560000 --> 0:26:30.660000
 So I'm going to the filter editor,
 contains, and I will say new service

0:26:30.660000 --> 0:26:34.880000
 if we use MITRE ATT&CK mapping would
 be, and don't worry, we'll go through

0:26:34.880000 --> 0:26:39.080000
 the MITRE ATT&CK framework in the threat
 intelligence and threat hunting

0:26:39.080000 --> 0:26:44.760000
 course. You may think it's important
 at this point, but until you know

0:26:44.760000 --> 0:26:47.640000
 the fundamentals of... there
 we are, beautiful.

0:26:47.640000 --> 0:26:53.540000
 Okay. So you can see the power of
 a tool like Timeline Explorer.

0:26:53.540000 --> 0:26:57.200000
 Now I'm not using it as you would, you
 know, because there's quite a bit

0:26:57.200000 --> 0:27:00.500000
 of stuff that you'd be doing
 in terms of correlation.

0:27:00.500000 --> 0:27:06.620000
 Case in point, if I, sorry, if I go
 in here, let me clear the filter.

0:27:06.620000 --> 0:27:10.000000
 You can actually correlate logs directly.

0:27:10.000000 --> 0:27:15.020000
 So I'm using initial exports and I'll
 import the security, the logs from

0:27:15.020000 --> 0:27:17.340000
 the security channel in here.

0:27:17.340000 --> 0:27:23.560000
 Hold on a second now.

0:27:23.560000 --> 0:27:25.700000
 There we are. Beautiful.

0:27:25.700000 --> 0:27:29.460000
 So we have them both in here.

0:27:29.460000 --> 0:27:32.140000
 And now you can perform.

0:27:32.140000 --> 0:27:35.340000
 Wait a minute, that has that
 filter already applied.

0:27:35.340000 --> 0:27:37.880000
 Let's clear that now.

0:27:37.880000 --> 0:27:42.600000
 So let me see if I can
 test something here.

0:27:42.600000 --> 0:27:45.960000
 So we can right click, actually hold on.

0:27:45.960000 --> 0:27:52.680000
 So we tag this, stack that, just
 go in here, tag this, tag that.

0:27:52.680000 --> 0:27:55.660000
 There we are. Okay.

0:27:55.660000 --> 0:28:04.220000
 So now if we go into tools, my bad,
 I just remember the correct way of

0:28:04.220000 --> 0:28:10.180000
 doing it. This is true new behavior,
 but you need to drag both of them.

0:28:10.180000 --> 0:28:14.280000
 I think the correlation should work because
 you essentially have the ability

0:28:14.280000 --> 0:28:19.440000
 to, or I should say Timeline Explorer
 has the ability to handle multiple

0:28:19.440000 --> 0:28:24.200000
 CSV files at once, which as you know,
 is awesome for correlating events

0:28:24.200000 --> 0:28:29.840000
 from different sources, like
 Sysmon and security logs.

0:28:29.840000 --> 0:28:34.840000
 So if we drag both of them now,
 they should actually open up.

0:28:34.840000 --> 0:28:37.520000
 No, wait, it opens up.

0:28:37.520000 --> 0:28:44.020000
 I think that may be because one second
 time created, time created.

0:28:44.020000 --> 0:28:45.020000
 Yeah, they both do.

0:28:45.020000 --> 0:28:46.180000
 That's interesting.

0:28:46.180000 --> 0:28:48.100000
 So here event ID.

0:28:48.100000 --> 0:28:49.520000
 Yeah. Okay. Okay.

0:28:49.520000 --> 0:29:00.800000
 All right. So let's see.

0:29:00.800000 --> 0:29:04.980000
 I'm not too sure whether
 it's actually done it.

0:29:04.980000 --> 0:29:08.140000
 We take a look at, yeah, that's security.

0:29:08.140000 --> 0:29:10.940000
 The channel is security here.

0:29:10.940000 --> 0:29:14.280000
 That is what we expected.

0:29:14.280000 --> 0:29:24.060000
 I'm not sure why it isn't allowing
 us to sort of conjoin both here.

0:29:24.060000 --> 0:29:25.820000
 That is interesting.

0:29:25.820000 --> 0:29:31.160000
 So view one second, open files.

0:29:31.160000 --> 0:29:40.260000
 Now, do we have any filters applied?

0:29:40.260000 --> 0:29:49.840000
 I don't think so.

0:29:49.840000 --> 0:29:54.460000
 Yeah, it's... I believe that feature was
 available, but there is a way to

0:29:54.460000 --> 0:29:58.340000
 actually do this using a script, but
 it allows you to merge, you know,

0:29:58.340000 --> 0:30:01.120000
 two logs and then import them in here.

0:30:01.120000 --> 0:30:09.500000
 But for example, if I drag event ID
 in here, okay, and then let me drag

0:30:09.500000 --> 0:30:13.840000
 this in here into the header
 right over here.

0:30:13.840000 --> 0:30:17.120000
 Okay. So record number event ID one.

0:30:17.120000 --> 0:30:18.720000
 Yeah, we can see that there.

0:30:18.720000 --> 0:30:20.020000
 Nice. Very nice.

0:30:20.020000 --> 0:30:23.720000
 And then we can expand that in here.

0:30:23.720000 --> 0:30:27.060000
 One second, I don't want to expand that.

0:30:27.060000 --> 0:30:38.560000
 So tools. Select in values in column,
 go to line, multi line, open tabs.

0:30:38.560000 --> 0:30:40.820000
 Yeah, that's interesting.

0:30:40.820000 --> 0:30:43.260000
 Let me try something.

0:30:43.260000 --> 0:30:45.480000
 Uh, ta ta ta ta.

0:30:45.480000 --> 0:30:47.000000
 Let me go into tools.

0:30:47.000000 --> 0:30:49.180000
 Let me clear this clear groups.

0:30:49.180000 --> 0:30:51.600000
 We cleared the groups here.

0:30:51.600000 --> 0:30:53.580000
 Now tools, clear groups.

0:30:53.580000 --> 0:30:54.760000
 Let me just try something.

0:30:54.760000 --> 0:30:59.860000
 So this is the initial Sysmon,
 um, initial export.

0:30:59.860000 --> 0:31:06.540000
 Let me just try and bring in the second
 or the Sysmon export we did previously.

0:31:06.540000 --> 0:31:09.240000
 Now it opens it up in there.

0:31:09.240000 --> 0:31:10.120000
 That's very strange.

0:31:10.120000 --> 0:31:12.680000
 I believe that there
 was a way to do that.

0:31:12.680000 --> 0:31:18.280000
 In any case, um, yeah, that
 is mighty interesting.

0:31:18.280000 --> 0:31:25.840000
 Um, oh, am I missing a plugin? CSV?

0:31:25.840000 --> 0:31:32.260000
 Now this has all, uh, in any case,
 that's what I wanted to highlight.

0:31:32.260000 --> 0:31:37.020000
 Uh, by the way, there is one more log,
 uh, I wouldn't say log, but yeah, it

0:31:37.020000 --> 0:31:39.060000
 is an analysis tool.

0:31:39.060000 --> 0:31:44.500000
 Um, it is the Full Event Log View,
 uh, utility right over here.

0:31:44.500000 --> 0:31:45.760000
 So you bring this up.

0:31:45.760000 --> 0:31:49.900000
 Um, this allows you sort of a better
 version, at least in my opinion,

0:31:49.900000 --> 0:31:54.460000
 it's a better version of the
 default Windows log explorer.

0:31:54.460000 --> 0:31:58.680000
 You want to give it a couple of
 seconds, um, right over here.

0:31:58.680000 --> 0:32:03.500000
 And this will give you sort of
 all, um, Windows event logs.

0:32:03.500000 --> 0:32:05.420000
 Oh, that's interesting.

0:32:05.420000 --> 0:32:07.060000
 What's going on here?

0:32:07.060000 --> 0:32:08.760000
 Choose data source.

0:32:08.760000 --> 0:32:09.860000
 That is very strange.

0:32:09.860000 --> 0:32:12.820000
 Why is that not, uh, oh, yes.

0:32:12.820000 --> 0:32:15.740000
 My bad. I had some filters applied there.

0:32:15.740000 --> 0:32:17.380000
 So show all providers.

0:32:17.380000 --> 0:32:18.340000
 No, wait a minute.

0:32:18.340000 --> 0:32:20.280000
 Show all providers there.

0:32:20.280000 --> 0:32:21.020000
 I squared in it.

0:32:21.020000 --> 0:32:24.700000
 Okay. Oh yes. Everything's coming in now.

0:32:24.700000 --> 0:32:28.720000
 So I'll just give it a few seconds
 to load everything up.

0:32:28.720000 --> 0:32:40.120000
 So Sysmon operational is
 coming in very nice.

0:32:40.120000 --> 0:32:43.960000
 Okay. I'm waiting and
 waiting and waiting.

0:32:43.960000 --> 0:32:50.260000
 Now how many events were there?

0:32:50.260000 --> 0:32:53.100000
 Yeah, there's about 70 meg.

0:32:53.100000 --> 0:33:09.140000
 I remember. But, uh, one more thing: the video
 is utilizing a tool like Chainsaw

0:33:09.140000 --> 0:33:12.880000
 to help us identify malicious activity.

0:33:12.880000 --> 0:33:13.540000
 So there we are.

0:33:13.540000 --> 0:33:15.220000
 We can see this here.

0:33:15.220000 --> 0:33:19.740000
 Um, we can, uh, I believe we
 can apply a filter here.

0:33:19.740000 --> 0:33:25.020000
 Uh, one second. Actually no, we would
 need to go in here so we can find

0:33:25.020000 --> 0:33:30.440000
 as we can with, uh, the Windows
 Event Viewer.

0:33:30.440000 --> 0:33:32.060000
 So one second. Yeah.

0:33:32.060000 --> 0:33:33.580000
 Uh, choose data source.

0:33:33.580000 --> 0:33:39.900000
 You can load events from this computer
 or remote computer or on a single

0:33:39.900000 --> 0:33:43.280000
 log file. Let's bring this in here.

0:33:43.280000 --> 0:33:45.860000
 Desktop exports initial.

0:33:45.860000 --> 0:33:47.940000
 Let's do Sysmon.evtx.

0:33:47.940000 --> 0:33:51.380000
 It can only bring that in here.

0:33:51.380000 --> 0:33:53.980000
 So let's get that in there.

0:33:53.980000 --> 0:33:56.120000
 All right. Beautiful.

0:33:56.120000 --> 0:33:59.400000
 So now you can see the
 Sysmon logs in here.

0:33:59.400000 --> 0:34:01.820000
 You know, this may be better for you.

0:34:01.820000 --> 0:34:05.540000
 Again, it's all about your own preference,
 but we can pretty much see,

0:34:05.540000 --> 0:34:07.160000
 you know, what we wanted there.

0:34:07.160000 --> 0:34:12.560000
 And then of course, um, I believe they
 should be a way to, yeah, choose

0:34:12.560000 --> 0:34:16.760000
 columns. So you can actually modify
 what you want to see them and then,

0:34:16.760000 --> 0:34:22.180000
 uh, filter. Yes, but,
 uh, actually hold on.

0:34:22.180000 --> 0:34:27.160000
 Yeah. So you can filter like so in any case,
 that's what I wanted to highlight.

0:34:27.160000 --> 0:34:30.080000
 Um, with that being said, that brings us
 to the end of the practical demonstration

0:34:30.080000 --> 0:34:32.660000
 section of this video.

0:34:32.660000 --> 0:34:37.140000
 All right. So that was the process of
 analyzing Windows event logs with

0:34:37.140000 --> 0:34:37.980000
 Timeline Explorer.

0:34:37.980000 --> 0:34:40.760000
 Hopefully you found that useful.

0:34:40.760000 --> 0:34:44.020000
 Um, and, uh, that brings us
 to the end of this video.

0:34:44.020000 --> 0:34:48.680000
 So with that being said, I will
 be seeing you in the next video.
