
Windows events and log analysis

Windows event log analysis is an important skill in threat hunting. These logs silently record system events, security incidents and user interactions, providing crucial insight into system health and security. In this blog we will explore the art of Windows event log analysis.

I'm going to discuss log analysis of Windows events on Linux. We will be using a tool called chainsaw, which you can get » here.

In this tutorial I will be analysing the files from the CyberTalents blue scholarship.


An attacker, after compromising the machine, added a new account as admin. Can you find the name of the new account? Flag format: flag{md5 of string}

file »» ex1

In Windows, each type of event has a unique event ID, so we have to find the event ID for account creation. A quick Google search shows that it is 4720 (a user account was created).


Then, in chainsaw:

./chainsaw/chainsaw-gnu search -t 'Event.System.EventID: =4720' Security436509324654726509.evtx

Here we filter for events with event ID 4720; the matching event shows the account that was created.


SAM stands for Security Account Manager; it is the database that stores accounts on Windows systems. The username of the new account is sam, whose MD5 hash is ba0e0cde1bf72c28d435c89a66afc61a.

flag{ba0e0cde1bf72c28d435c89a66afc61a}


2. chainsaw hunt

file »» here

Our network got compromised two days ago by an unknown attacker, and we need to get an answer for the following questions:

1. What is the domain's SID?
2. The attacker failed to log in to some accounts. What is the attacker's machine IP address?
3. What is the workstation's name that the attacker was using to authenticate with the administrator account?

Flag format: Flag{ANS1_ANS2_ANS3} 

Since the question concerns failed logons, the relevant event ID is 4776, which the domain controller logs when it validates an account's credentials, including failed attempts. The domain controller in this case is HYDRA-DC.MARVEL.local.

Since chainsaw ships with rules to detect certain events, you can use the following command to hunt for them:

./chainsaw/chainsaw-gnu hunt -r ./chainsaw/rules/ logs.evtx

This returns a lot of output, but it presents the events in a format we can easily comprehend.


./chainsaw/chainsaw-gnu hunt --sigma ./chainsaw/sigma/ --mapping ./chainsaw/mappings/sigma-event-logs-all.yml -r ./chainsaw/rules/lateral_movement/ logs/

The command above adds the Sigma rule set (with its event log field mapping) to chainsaw's own rules, which gives more information per event. Now here is where the fun begins.

From the logs we can see several users, such as pbarker, fcastle and Administrator, and these events share a common IP address: 192.168.80.128.

If we search for these users in the Sigma output, we can find their SIDs:

pbarker: S-1-5-21-271597537-2992796785-3713134209-1105

fcastle: S-1-5-21-271597537-2992796785-3713134209-1103

Administrator: S-1-5-21-271597537-2992796785-3713134209-500

The structure of an SID is as follows:

S-1-5-21-<domain_identifier>-<relative_id>

Where:

S: A constant prefix indicating that it is a Security Identifier.

1: Revision number (currently always 1).

5: Identifier authority value (the identifier authority for Windows is always 5).

21: The identifier authority's top-level domain identifier. The actual number may vary depending on the Windows version or configuration, but it is typically 21 for Windows domains.

<domain_identifier>: The SID for the domain (in the SIDs above, the three numbers 271597537-2992796785-3713134209). It is a unique value assigned to each domain by the domain controller during domain creation.

<relative_id>: A relative identifier that uniquely identifies a specific security principal within the domain. For users and groups, this relative ID is usually the RID (Relative Identifier) assigned by the domain controller.

So in this case the domain SID is S-1-5-21-271597537-2992796785-3713134209.

To get the workstation, you can use the command from earlier to filter events by event ID, this time 4776, and grep for the workstation field:

./chainsaw/chainsaw-gnu search -t 'Event.System.EventID: =4776' logs/ | grep -i workstation

workstation: THEPUNISHER

The flag is Flag{S-1-5-21-271597537-2992796785-3713134209_192.168.80.128_THEPUNISHER}
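As an added example (not part of the original post or of chainsaw itself), the script below does the same triage as the two challenges in one pass: it takes chainsaw `search --json` output, reports 4720 account creations, counts failed 4776 credential validations per workstation, and splits each SID into domain SID and RID using the structure described above. The sample events, the chainsaw JSON shape (Event.System / Event.EventData) and the RID 1106 for the sam account are assumptions constructed for the example.

```python
import json
import re
from collections import Counter

# Constructed sample in the shape chainsaw `search --json` emits (Event.System /
# Event.EventData). These records are made up for the example, not taken from the post's logs.
SAMPLE_JSON = """[
 {"Event": {"System": {"EventID": 4720, "Computer": "HYDRA-DC.MARVEL.local"},
   "EventData": {"TargetUserName": "sam", "SubjectUserName": "Administrator",
                 "TargetSid": "S-1-5-21-271597537-2992796785-3713134209-1106"}}},
 {"Event": {"System": {"EventID": 4776, "Computer": "HYDRA-DC.MARVEL.local"},
   "EventData": {"TargetUserName": "Administrator", "Workstation": "THEPUNISHER", "Status": "0xC000006A"}}},
 {"Event": {"System": {"EventID": 4776, "Computer": "HYDRA-DC.MARVEL.local"},
   "EventData": {"TargetUserName": "fcastle", "Workstation": "THEPUNISHER", "Status": "0xC000006A"}}},
 {"Event": {"System": {"EventID": 4776, "Computer": "HYDRA-DC.MARVEL.local"},
   "EventData": {"TargetUserName": "pbarker", "Workstation": "SPIDERMAN", "Status": "0x0"}}}
]"""

SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "Guest"}

def split_sid(sid):
    """Split a domain account SID into (domain SID, RID), following the structure above."""
    match = SID_RE.match(sid)
    if not match:
        raise ValueError(f"not a domain account SID: {sid}")
    return sid.rsplit("-", 1)[0], int(match.group(1))

def triage(chainsaw_json):
    """Summarise 4720 account creations and 4776 failures (non-zero Status) per workstation."""
    created, failed, domains = [], Counter(), set()
    for event in json.loads(chainsaw_json):
        system = event["Event"]["System"]
        data = event["Event"].get("EventData", {})
        if system["EventID"] == 4720:
            domain, rid = split_sid(data["TargetSid"])
            domains.add(domain)
            created.append((data["TargetUserName"], rid, data.get("SubjectUserName")))
        elif system["EventID"] == 4776 and data.get("Status", "0x0") != "0x0":
            failed[data["Workstation"]] += 1
    return {"created": created, "failed_by_workstation": dict(failed), "domain_sids": sorted(domains)}

if __name__ == "__main__":
    summary = triage(SAMPLE_JSON)
    for name, rid, creator in summary["created"]:
        print(f"new account {name} (RID {rid}, {WELL_KNOWN_RIDS.get(rid, 'domain-assigned RID')}) created by {creator}")
    print("failed credential validations by workstation:", summary["failed_by_workstation"])
    print("domain SIDs seen:", summary["domain_sids"])
```

Pipe real chainsaw output into `triage` in place of SAMPLE_JSON; a workstation that shows up with many failures for several accounts is the one to look at next.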

Licensed under CC BY-NC-SA 4.0