lca

Windows XML Event Log (EVTX) Parsing

Description of evtx logs

Location of evtx logs in Windows

%SystemRoot%\System32\Winevt\Logs\


The main logs are the Application, Security and System logs, among others. Each log has a default maximum size of 20484K (20M); once a log exceeds that size, the oldest events are overwritten.

You can view the corresponding logs using the built-in Event Viewer in Windows.


Clicking on any event with ID 4624 shows roughly the content below. Switching to the XML view displays the same event in XML format.


evtx_dump

Parsing evtx logs with the evtx_dump tool

Download the corresponding version:

https://github.com/omerbenamram/evtx/releases

evtx_dump <evtx_file> dumps in XML format

evtx_dump -o json <evtx_file> dumps in JSON format

evtx_dump -f <output_file> -o json <input_file> outputs to a specified file

Used in conjunction with fd (https://github.com/cha0ran/fd-zh) for batch processing

fd -e evtx -x evtx_dump -o jsonl dumps every file with the evtx extension as JSON lines (fd runs evtx_dump once per matching file)

fd -e evtx -x evtx_dump '{}' -f '{.}.xml' creates an xml file corresponding to the evtx file, and then dumps the content into the corresponding xml file

fd -a -e evtx | xargs -I input sh -c "evtx_dump -o jsonl input | jq --arg path 'input' '. + {path: \$path}'"

-e: filter by file extension
-a: print absolute paths (so that the recorded path is unambiguous)
xargs -I input sh -c "command": substitute each incoming path for the placeholder "input" and run the command for it
jq --arg path 'input' '. + {path: \$path}': add a path field to every output JSON record so you can tell which evtx file it came from

Extraction

Extract EventID from evtx file

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID'

Sort and count the EventIDs (uniq -c prefixes each distinct ID with its number of occurrences)

evtx_dump Security.evtx -o jsonl | jq '.Event.System.EventID' | sort | uniq -c


Looking at the EventIDs gives a quick picture of what most of the records in the current log are. For example, 5379 represents events related to Microsoft Windows Defender antivirus software; this event records the corresponding Windows Defender policy information and indicates Defender's regular scanning or update status. 4625 represents a failed logon; if there is only a single 4625 record, there has been no brute-force logon attempt. 4672 represents an administrator logon, and operations performed with administrator privileges are also recorded as 4672, much like sudo on Linux, where every sudo invocation produces one log entry.

By comparing with the EventID, you can determine the impact of related events.

Extract multiple fields

evtx_dump temp_scheduled_task_4698_4699.evtx -o jsonl | jq '.Event.System.EventID, .Event.System.Computer'
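The same extraction can be done offline on saved evtx_dump JSON-lines output, which is handy when jq is unavailable or when a check (such as counting failed logons per source address) gets awkward as a one-liner. The script below is an added example and not part of the original post or of the evtx project; it assumes the record layout evtx_dump produces (Event.System.EventID, Event.EventData.IpAddress), including the case where EventID is emitted as an object with a "#text" key, and the sample lines are constructed, not real logs.

```python
# Added example: reproduce the jq pipelines above in Python and add a
# per-source threshold on failed logons (EventID 4625).
# Assumption: layout follows evtx_dump -o jsonl; sample lines are constructed.
import json
from collections import Counter

SAMPLE_JSONL = """\
{"Event":{"System":{"EventID":4624,"Computer":"WS01"},"EventData":{"IpAddress":"10.0.0.5"}}}
{"Event":{"System":{"EventID":{"#attributes":{"Qualifiers":0},"#text":4625},"Computer":"WS01"},"EventData":{"IpAddress":"10.0.0.9"}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"IpAddress":"10.0.0.9"}}}
{"Event":{"System":{"EventID":4625,"Computer":"WS01"},"EventData":{"IpAddress":"10.0.0.9"}}}
{"Event":{"System":{"EventID":4672,"Computer":"WS01"},"EventData":{"SubjectUserName":"admin"}}}
"""

def event_id(record):
    """Return EventID as an int. evtx_dump emits a bare number, or an object
    with '#text' when the element carries a Qualifiers attribute."""
    eid = record["Event"]["System"]["EventID"]
    if isinstance(eid, dict):
        eid = eid["#text"]
    return int(eid)

def parse_jsonl(text):
    """Yield one record per non-empty line; skip lines that are not JSON."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue

def count_event_ids(text):
    """Equivalent of: jq '.Event.System.EventID' | sort | uniq -c"""
    return Counter(event_id(r) for r in parse_jsonl(text))

def failed_logon_sources(text, threshold=3):
    """Group 4625 events by source IP and return sources at/above threshold."""
    per_ip = Counter()
    for r in parse_jsonl(text):
        if event_id(r) == 4625:
            data = r["Event"].get("EventData") or {}
            per_ip[data.get("IpAddress", "-")] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

if __name__ == "__main__":
    print(count_event_ids(SAMPLE_JSONL))
    print(failed_logon_sources(SAMPLE_JSONL))
```

To run it against a real log, replace SAMPLE_JSONL with the text of `evtx_dump -o jsonl Security.evtx` and adjust the threshold to your environment.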

Event ID reference: Windows Emergency Response Manual Notes
