# Log Analysis

## 00. Tools

### 00.1 Windows

* [01.1 Chainsaw](https://github.com/WithSecureLabs/chainsaw.git)

```bash
## ------------------| Install
sudo apt install cargo
git clone https://github.com/WithSecureLabs/chainsaw.git && cd chainsaw
git clone https://github.com/SigmaHQ/sigma
cargo build --release
mv target/release/chainsaw .
```

* [01.2 Hayabusa](https://github.com/Yamato-Security/hayabusa)

```bash
## ------------------| Install
## Or Download from https://github.com/Yamato-Security/hayabusa/releases/latest
./hayabusa update-rules

## ------------------| Compiling From Source
sudo apt install cargo rustup
git clone https://github.com/Yamato-Security/hayabusa && cd hayabusa
rustup update stable
cargo update
cargo build --release
mv target/release/hayabusa .
./hayabusa update-rules
```

## 01. Windows

### 01.1 Windows XML Event Log (.EVTX)

* Chainsaw

```bash
## ------------------| Hunt with Sigma and Chainsaw Rules
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/

## ------------------| Output in JSON
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --json

## ------------------| Search for the case-insensitive word 'mimikatz'
./chainsaw search mimikatz -i *.evtx

## ------------------| Search for PowerShell Script Block events (EventID 4104)
./chainsaw search -t 'Event.System.EventID: =4104' *.evtx

## ------------------| Search by EventID
./chainsaw search -t 'Event.System.EventID: =<ID>' *.evtx

## ------------------| Search by PID
./chainsaw search <PID> *.evtx 

## ------------------| Dump data
./chainsaw dump *.evtx --jsonl > events.json
### List of logs we have
cat events.json | jq '.Event | .System.Channel' | sort | uniq
### Grep from logs
cat events.json | jq '.Event' -c | grep -i "<word>"
### Get all System event logs
cat events.json | jq '.Event | select(.System.Channel == "System")'
cat events.json | jq '.Event | select(.System.Channel == "System") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n 
### Get all Security event logs
cat events.json | jq '.Event | select(.System.Channel == "Security")'
cat events.json | jq '.Event | select(.System.Channel == "Security") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Get all NTFS Operational event logs
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational")'
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Search by EventID
cat events.json | jq '.Event | select(.System.EventID ==<ID>)'
### Get EventID's name
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | .EventData.param1' | sort -u
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | select(.EventData.param1 == "<EventName>")' 
```
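The `dump --jsonl` + `jq` pipeline above can be done in one script when you need to triage many exports. The example below is added here and is not part of chainsaw; the record shape (`Event` -> `System` / `EventData`) follows the jq paths used above, the sample lines are constructed, and the handling of `EventID` rendered as a `{"#attributes": ..., "#text": N}` object (seen when the XML element carries a Qualifiers attribute) is an assumption you should confirm against your own dump.

```python
import json
from collections import Counter

# Constructed sample in the shape `chainsaw dump --jsonl` emits: one JSON object per line.
SAMPLE_JSONL = "\n".join([
    json.dumps({"Event": {"System": {"Channel": "Security", "EventID": 4688, "Computer": "WS01"},
                          "EventData": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}}),
    json.dumps({"Event": {"System": {"Channel": "Security", "EventID": 4688, "Computer": "WS01"},
                          "EventData": {"NewProcessName": "C:\\Windows\\System32\\whoami.exe"}}}),
    json.dumps({"Event": {"System": {"Channel": "Security", "EventID": 4698, "Computer": "WS01"},
                          "EventData": {"TaskName": "\\Updater"}}}),
    # EventID as an object: assumed rendering when the element has a Qualifiers attribute
    json.dumps({"Event": {"System": {"Channel": "System",
                                     "EventID": {"#attributes": {"Qualifiers": 16384}, "#text": 7036},
                                     "Computer": "WS01"},
                          "EventData": {"param1": "Windows Update", "param2": "running"}}}),
    json.dumps({"Event": {"System": {"Channel": "System",
                                     "EventID": {"#attributes": {"Qualifiers": 16384}, "#text": 7036},
                                     "Computer": "WS01"},
                          "EventData": {"param1": "Print Spooler", "param2": "stopped"}}}),
    json.dumps({"Event": {"System": {"Channel": "Microsoft-Windows-Sysmon/Operational", "EventID": 1,
                                     "Computer": "WS01"},
                          "EventData": {"Image": "C:\\Windows\\System32\\cmd.exe"}}}),
])


def event_id(ev):
    """EventID as int, whether it is a bare number or an object with '#text'."""
    raw = ev["System"]["EventID"]
    if isinstance(raw, dict):
        raw = raw.get("#text")
    return int(raw)


def load_jsonl(text):
    """One record per line; malformed lines are skipped instead of aborting the triage."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line)["Event"])
        except (ValueError, KeyError, TypeError):
            continue
    return events


def channels(events):
    """Equivalent of: jq '.Event | .System.Channel' | sort | uniq -c"""
    return Counter(ev["System"]["Channel"] for ev in events)


def id_histogram(events, channel):
    """Equivalent of the per-channel EventID count | sort | uniq -c one-liners."""
    return Counter(event_id(ev) for ev in events if ev["System"]["Channel"] == channel)


def select(events, channel=None, eid=None, **data):
    """Filter by channel, EventID and exact EventData field values (e.g. param1=...)."""
    out = []
    for ev in events:
        if channel is not None and ev["System"]["Channel"] != channel:
            continue
        if eid is not None and event_id(ev) != eid:
            continue
        ed = ev.get("EventData") or {}
        if any(ed.get(k) != v for k, v in data.items()):
            continue
        out.append(ev)
    return out


def param_values(events, channel, eid, field="param1"):
    """Distinct values of one EventData field for a given channel/EventID (the 'sort -u' step)."""
    vals = {(ev.get("EventData") or {}).get(field) for ev in select(events, channel, eid)}
    return sorted(v for v in vals if v is not None)


if __name__ == "__main__":
    evs = load_jsonl(SAMPLE_JSONL)
    print(channels(evs))
    print(id_histogram(evs, "Security"))
    print(param_values(evs, "System", 7036))
```

Run it against a real export with `load_jsonl(open("events.json").read())`; the per-channel histogram is the first thing to look at, because an unexpectedly small Security channel usually means the log was cleared or the export is partial.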

* Hayabusa

```bash
## ------------------| Hunt 
./hayabusa csv-timeline -d <directory>
```

### 01.2 Master File Table ($MFT)

```bash
## ------------------| Dump data using chainsaw
./chainsaw dump mft.bin
./chainsaw dump mft.bin --jsonl > mft.json
```

### 01.3 General Events

```bash
## ------------------| System Events
1 - The logon process has completed.  
3 - A network link is established.  
6 - The event log service has started.  
12 - System Information (System events).  
14 - The system has entered sleep mode.  
15 - A system-wide resource has been initialized.  
16 - The system is resuming from sleep.  
18 - The network adapter has connected.  
20 - A logon attempt was made.  
24 - A user account was successfully logged on.  
25 - A disk volume has been successfully mounted.  
27 - The system event notification service was triggered.  
32 - The system time zone information has been updated.  
41 - The system has rebooted without a clean shutdown.  
55 - Windows Update has completed successfully.  
98 - A Windows Update operation has completed.  
129 - A Volume Shadow Copy was created successfully.  
139 - A Kerberos authentication request was made.  
143 - The Kerberos authentication process failed.  
153 - Hardware event occurred on the system.  
162 - Group Policy settings have been applied.  
172 - A Windows Update installation has started.  
238 - Setup has completed successfully.  
1001 - A bug check (stop error) occurred.  
1014 - The DNS client encountered an error.  
6005 - The Event Log service was started.  
6008 - The previous system shutdown was unexpected.  
6009 - The system has started.  
6013 - The system has shut down.  
7001 - A service has been installed on the system.  
7026 - A service failed to start during the system boot process.  
7036 - The service has entered the running state.  
7040 - A service was stopped unexpectedly.  
10016 - The DCOM permissions have been modified.  
10148 - Windows Defender has updated its definitions.  
10154 - Windows Defender found an issue.  
14531 - The Windows Server Essentials service started.  
14533 - The Windows Server Essentials service stopped.  
16962 - Windows Defender detected a potential threat.  
16977 - Windows Defender completed a scan.  
16983 - Windows Defender quarantined an item.  
50036 - Windows Defender detected a suspicious item.  
50103 - Windows Defender found malware.  
51046 - Windows Defender performed a full scan.  

## ------------------| Security Events
521  - The security log has been cleared.
1101 - The audit log was cleared.
4616 - The system time was changed.
4662 - An attempt was made to query the existence of a named pipe.
4688 - A new process has been created.
4696 - A trusted domain was added to the domain.
4698 - A scheduled task was created.
4699 - A scheduled task was deleted.
4700 - A scheduled task was enabled.
4701 - A scheduled task was disabled.
4702 - A scheduled task was updated.
4742 - A computer account was changed.
4768 - A Kerberos authentication ticket (TGT) was requested.
4769 - A service ticket was requested.
4799 - A user right was assigned.
4826 - A certificate request was completed.
5140 - A network share object was accessed.
5142 - A network share object was modified.
5379 - The Windows Defender Antivirus protection was turned on.

## ------------------| Microsoft-Windows-Sysmon/Operational
1    - ProcessCreate
2    - FileCreationTimeChanged
3    - NetworkConnection
4    - SysmonServiceStateChanged
5    - ProcessTerminated
6    - DriverLoaded
7    - ImageLoaded
8    - CreateRemoteThread
9    - RawAccessRead
10   - ProcessAccess
11   - FileCreated
12   - RegistryObjectAddedorDeleted
13   - RegistryValueSet
14   - RegistryKeyandValueRename
15   - FileStreamCreated
16   - SysmonConfigurationChanged
17   - PipeCreated
18   - PipeConnected
19   - WMIFilterCreated
20   - WMIConsumerCreated
21   - WMIConsumerFilterLinked
22   - DNSEvent(DNSQuery)
23   - FileDeleted
24   - ClipboardChange
25   - ProcessTampering
255  - Error

## ------------------| Microsoft-Windows-Ntfs/Operational Events
4   - The system is shutting down.
9   - A security package has been successfully loaded.
10  - The system is starting up.
142 - The system is in the process of shutting down.
158 - The operating system is starting up.
159 - The operating system has finished starting up.
300 - A user logon attempt has occurred.
301 - A user logoff attempt has occurred.
302 - A successful logon was made to the system.
303 - A failed logon attempt was made to the system.
500 - A security audit failure occurred.
```

## 02. Linux

### 02.1 WTMP

```bash
## ------------------| utmpdump
utmpdump <file>

## ------------------| last
sudo apt install wtmpdb
TZ=utc last -f <file> -F
```
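When `utmpdump` or `last` is not available (or the wtmp file comes from another host), the records can be read directly. The parser below is an added example, not part of any tool on this page; it assumes the glibc `struct utmp` layout on x86_64 Linux (384-byte little-endian records), the sample records are constructed, and a trailing partial record is dropped rather than mis-parsed.

```python
import struct
from datetime import datetime, timezone

# Assumed glibc x86_64 struct utmp layout (384 bytes, little-endian):
# ut_type(h) pad(2) ut_pid(i) ut_line[32] ut_id[4] ut_user[32] ut_host[256]
# exit_status(h,h) ut_session(i) ut_tv(sec i, usec i) ut_addr_v6[4](i) unused[20]
UTMP_FORMAT = "<h2xi32s4s32s256shhiii4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
UT_TYPE = {0: "EMPTY", 1: "RUN_LVL", 2: "BOOT_TIME", 3: "NEW_TIME", 4: "OLD_TIME",
           5: "INIT_PROCESS", 6: "LOGIN_PROCESS", 7: "USER_PROCESS", 8: "DEAD_PROCESS",
           9: "ACCOUNTING"}
USER_PROCESS, DEAD_PROCESS = 7, 8


def _cstr(raw):
    """NUL-terminated fixed-width field -> str."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_wtmp(data):
    """Decode every whole record; a truncated tail is ignored."""
    usable = len(data) - len(data) % UTMP_SIZE
    records = []
    for off in range(0, usable, UTMP_SIZE):
        fields = struct.unpack_from(UTMP_FORMAT, data, off)
        ut_type, pid, line, _id, user, host, _t, _e, _s, tv_sec, _usec = fields[:11]
        records.append({
            "type": UT_TYPE.get(ut_type, str(ut_type)),
            "pid": pid,
            "line": _cstr(line),
            "user": _cstr(user),
            "host": _cstr(host),
            "time": datetime.fromtimestamp(tv_sec, tz=timezone.utc).isoformat(),
        })
    return records


def sessions(records):
    """Pair each USER_PROCESS login with the next DEAD_PROCESS on the same tty.
    Returns (user, host, login_time, logout_time_or_None); open sessions stay None."""
    open_by_line, out = {}, []
    for r in records:
        if r["type"] == "USER_PROCESS":
            out.append([r["user"], r["host"], r["time"], None])
            open_by_line[r["line"]] = out[-1]
        elif r["type"] == "DEAD_PROCESS" and r["line"] in open_by_line:
            open_by_line.pop(r["line"])[3] = r["time"]
    return [tuple(s) for s in out]


def make_record(ut_type, pid, line, user, host, epoch):
    """Build one constructed record for the sample below (struct.pack NUL-pads the strings)."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, epoch, 0, 0, 0, 0, 0, b"")


# Constructed sample: alice logs in and out on pts/0, bob is still logged in on pts/1,
# followed by 10 junk bytes standing in for a truncated last record.
SAMPLE_WTMP = (
    make_record(USER_PROCESS, 4242, "pts/0", "alice", "203.0.113.5", 1700000000)
    + make_record(DEAD_PROCESS, 4242, "pts/0", "", "", 1700003600)
    + make_record(USER_PROCESS, 4300, "pts/1", "bob", "198.51.100.7", 1700001000)
    + b"\0" * 10
)

if __name__ == "__main__":
    for s in sessions(parse_wtmp(SAMPLE_WTMP)):
        print(s)
```

Use `parse_wtmp(open("/var/log/wtmp", "rb").read())` on a real file; a record count that is not a multiple of 384 either means a different struct layout (other architecture or libc) or a file that was cut or edited, both worth noting in the case file.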

### 02.2 Auth.log

```bash
## ------------------| View all the programs 
awk '{print $5}' auth.log | sed 's/[\[\:].*//g'| sort | uniq -c | sort -n

## ------------------| Check new user added
grep 'useradd\|usermod' auth.log

## ------------------| Check for brute-force SSH logins
grep ssh auth.log | grep -v pam_unix | grep -oP ' [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n

## ------------------| Check successfully logged-in users
grep ssh auth.log | grep -v pam_unix | grep 'Accepted password'
```
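The four one-liners above answer separate questions; the script below ties them together so an IP that fails repeatedly and then succeeds is flagged in one pass. It is an added example, not from the page's author; the log lines are constructed in the traditional syslog layout the `awk '{print $5}'` one-liner expects, and the failure threshold is an arbitrary default.

```python
import re
from collections import Counter

# Constructed sample auth.log: a password spray from one IP that eventually succeeds,
# a key-based login, and a user creation via sudo.
SAMPLE_AUTH_LOG = """\
Mar  4 09:12:01 srv01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51612 ssh2
Mar  4 09:12:03 srv01 sshd[2210]: Failed password for invalid user admin from 198.51.100.23 port 51613 ssh2
Mar  4 09:12:05 srv01 sshd[2212]: Failed password for root from 198.51.100.23 port 51620 ssh2
Mar  4 09:12:07 srv01 sshd[2214]: Failed password for root from 198.51.100.23 port 51622 ssh2
Mar  4 09:12:09 srv01 sshd[2216]: Accepted password for root from 198.51.100.23 port 51630 ssh2
Mar  4 09:12:09 srv01 sshd[2216]: pam_unix(sshd:session): session opened for user root by (uid=0)
Mar  4 09:30:41 srv01 sshd[2300]: Accepted publickey for deploy from 192.0.2.10 port 40022 ssh2: ED25519 SHA256:constructedfingerprint
Mar  4 09:31:02 srv01 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/usr/sbin/useradd -m backup
Mar  4 09:31:02 srv01 useradd[2350]: new user: name=backup, UID=1002, GID=1002, home=/home/backup, shell=/bin/bash
Mar  4 09:31:15 srv01 CRON[2360]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

# "Mon DD HH:MM:SS host prog[pid]: message"; the pid part is optional (sudo has none)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<prog>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
ACCOUNT_RE = re.compile(r"\b(useradd|usermod|userdel)\b")


def parse_auth_log(text):
    """Split each line into its syslog fields; lines that do not match are kept raw."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        entries.append(m.groupdict() if m else {"ts": None, "host": None, "prog": None, "pid": None, "msg": line})
    return entries


def program_counts(entries):
    """Same view as: awk '{print $5}' auth.log | sed 's/[\\[\\:].*//g' | sort | uniq -c"""
    return Counter(e["prog"] for e in entries if e["prog"])


def failed_logins_by_ip(entries):
    """Failed SSH password attempts per source IP."""
    c = Counter()
    for e in entries:
        if e["prog"] == "sshd" and (m := FAILED_RE.search(e["msg"])):
            c[m["ip"]] += 1
    return c


def accepted_logins(entries):
    """(user, ip, method) for every accepted SSH login, password or publickey."""
    return [(m["user"], m["ip"], m["method"])
            for e in entries if e["prog"] == "sshd"
            for m in [ACCEPT_RE.search(e["msg"])] if m]


def brute_force_then_success(entries, threshold=3):
    """IPs with at least `threshold` failures that also got an accepted login: the
    pattern that turns a noisy scan into a likely compromised credential."""
    failed = failed_logins_by_ip(entries)
    succeeded = {ip for _, ip, _ in accepted_logins(entries)}
    return sorted(ip for ip, n in failed.items() if n >= threshold and ip in succeeded)


def account_changes(entries):
    """Lines from useradd/usermod/userdel, or commands (e.g. via sudo) that invoke them."""
    return [e for e in entries
            if e["prog"] in ("useradd", "usermod", "userdel") or ACCOUNT_RE.search(e["msg"])]


if __name__ == "__main__":
    ents = parse_auth_log(SAMPLE_AUTH_LOG)
    print(program_counts(ents))
    print(failed_logins_by_ip(ents))
    print(brute_force_then_success(ents))
    for e in account_changes(ents):
        print(e["ts"], e["prog"], e["msg"])
```

On a real host feed it `parse_auth_log(open("/var/log/auth.log").read())` (rotated files too, since the failures often sit in `auth.log.1`); an IP returned by `brute_force_then_success` should be cross-checked against the wtmp sessions for the same time window.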

