Log Analysis
00. Tools
00.1 Windows
Chainsaw
## ------------------| Install
sudo apt install cargo
git clone https://github.com/WithSecureLabs/chainsaw.git && cd chainsaw
git clone https://github.com/SigmaHQ/sigma
cargo build --release
mv target/release/chainsaw .
Hayabusa
## ------------------| Install
## Or download from https://github.com/Yamato-Security/hayabusa/releases/latest
./hayabusa update
## ------------------| Compiling From Source
sudo apt install cargo rustup
git clone https://github.com/Yamato-Security/hayabusa && cd hayabusa
rustup update stable
cargo update
cargo build --release
mv target/release/hayabusa .
./hayabusa update
01. Windows
01.1 Windows XML Event Log (.EVTX)
Chainsaw
## ------------------| Hunt with Sigma and Chainsaw Rules
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
## ------------------| Output in JSON
./chainsaw hunt *.evtx -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/ --json
## ------------------| Search for the case-insensitive word 'mimikatz'
./chainsaw search mimikatz -i *.evtx
## ------------------| Search for PowerShell Script Block Logging events (EventID 4104)
./chainsaw search -t 'Event.System.EventID: =4104' *.evtx
## ------------------| Search by EventID
./chainsaw search -t 'Event.System.EventID: =<ID>' *.evtx
## ------------------| Search by PID
./chainsaw search <PID> *.evtx
## ------------------| Dump data
./chainsaw dump *.evtx --jsonl > events.json
### List of logs we have
cat events.json | jq '.Event | .System.Channel' | sort | uniq
### Grep from logs
cat events.json | jq '.Event' -c | grep -i "<word>"
### Get all System event logs
cat events.json | jq '.Event | select(.System.Channel == "System")'
cat events.json | jq '.Event | select(.System.Channel == "System") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Get all Security event logs
cat events.json | jq '.Event | select(.System.Channel == "Security")'
cat events.json | jq '.Event | select(.System.Channel == "Security") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Get all NTFS Operational event logs
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational")'
cat events.json | jq '.Event | select(.System.Channel == "Microsoft-Windows-Ntfs/Operational") | .System.EventID' | sort | uniq -c | awk '{print $2"\t"$1}' | sort -n
### Search by EventID
cat events.json | jq '.Event | select(.System.EventID ==<ID>)'
### Get EventID's name
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | .EventData.param1' | sort -u
cat events.json | jq '.Event | select(.System.EventID ==<ID>) | select(.EventData.param1 == "<EventName>")'
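As an added example (not part of the original cheat sheet), a Python script that performs the same per-channel EventID histogram and the EventID/`EventData.param1` filter as the jq pipelines above, over constructed records in the `Event.System` / `Event.EventData` shape that `chainsaw dump --jsonl` writes. The handling of an `EventID` object carrying `#text` is an assumption about how events with qualifiers are serialised.

```python
"""Summarise a Chainsaw `dump --jsonl` file: events per channel, EventID histogram
per channel, and a filter by EventID plus EventData.param1 (the jq one-liners above)."""
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape Chainsaw's `dump --jsonl` emits (not a real capture).
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"Event": {"System": {"Channel": "System", "EventID": 7036},
               "EventData": {"param1": "Windows Update", "param2": "running"}}},
    {"Event": {"System": {"Channel": "System", "EventID": 7036},
               "EventData": {"param1": "Print Spooler", "param2": "stopped"}}},
    {"Event": {"System": {"Channel": "System", "EventID": 6005}, "EventData": {}}},
    {"Event": {"System": {"Channel": "Security", "EventID": 4688},
               "EventData": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe"}}},
    {"Event": {"System": {"Channel": "Security", "EventID": 4688},
               "EventData": {"NewProcessName": "C:\\Windows\\System32\\whoami.exe"}}},
    {"Event": {"System": {"Channel": "Security", "EventID": {"#text": 1102}}, "EventData": {}}},
])

def event_id(system):
    """EventID is normally an int; assumed: with qualifiers it is an object holding '#text'."""
    eid = system.get("EventID")
    return int(eid["#text"]) if isinstance(eid, dict) else int(eid)

def load_events(text):
    """Parse JSONL, skipping blank lines and records without a System block."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line).get("Event", {})
        if "System" in ev:
            events.append(ev)
    return events

def channel_histogram(events):
    """{channel: Counter({event_id: count})}: the sort | uniq -c pipeline, per channel."""
    hist = defaultdict(Counter)
    for ev in events:
        hist[ev["System"]["Channel"]][event_id(ev["System"])] += 1
    return hist

def select(events, eid, param1=None):
    """Events with EventID eid, optionally narrowed by EventData.param1 (service name for 7036/7040)."""
    out = [ev for ev in events if event_id(ev["System"]) == eid]
    if param1 is not None:
        out = [ev for ev in out if ev.get("EventData", {}).get("param1") == param1]
    return out
```

Replace `SAMPLE_JSONL` with the contents of `events.json` to run it over a real dump.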
Hayabusa
## ------------------| Hunt
./hayabusa csv-timeline -d <directory>
01.2 Master File Table ($MFT)
## ------------------| Dump data using chainsaw
./chainsaw dump mft.bin
./chainsaw dump mft.bin --jsonl > mft.json
01.3 General Events
## ------------------| System Events
1 - The logon process has completed.
3 - A network link is established.
6 - The event log service has started.
12 - System Information (System events).
14 - The system has entered sleep mode.
15 - A system-wide resource has been initialized.
16 - The system is resuming from sleep.
18 - The network adapter has connected.
20 - A logon attempt was made.
24 - A user account was successfully logged on.
25 - A disk volume has been successfully mounted.
27 - The system event notification service was triggered.
32 - The system time zone information has been updated.
41 - The system has rebooted without a clean shutdown.
55 - Windows Update has completed successfully.
98 - A Windows Update operation has completed.
129 - A Volume Shadow Copy was created successfully.
139 - A Kerberos authentication request was made.
143 - The Kerberos authentication process failed.
153 - Hardware event occurred on the system.
162 - Group Policy settings have been applied.
172 - A Windows Update installation has started.
238 - Setup has completed successfully.
1001 - A bug check (stop error) occurred.
1014 - The DNS client encountered an error.
6005 - The Event Log service was started.
6008 - The previous system shutdown was unexpected.
6009 - The system has started.
6013 - The system has shut down.
7001 - A service has been installed on the system.
7026 - A service failed to start during the system boot process.
7036 - The service has entered the running state.
7040 - A service was stopped unexpectedly.
10016 - The DCOM permissions have been modified.
10148 - Windows Defender has updated its definitions.
10154 - Windows Defender found an issue.
14531 - The Windows Server Essentials service started.
14533 - The Windows Server Essentials service stopped.
16962 - Windows Defender detected a potential threat.
16977 - Windows Defender completed a scan.
16983 - Windows Defender quarantined an item.
50036 - Windows Defender detected a suspicious item.
50103 - Windows Defender found malware.
51046 - Windows Defender performed a full scan.
## ------------------| Security Events
521 - The security log has been cleared.
1101 - The audit log was cleared.
4616 - The system time was changed.
4662 - An attempt was made to query the existence of a named pipe.
4688 - A new process has been created.
4696 - A trusted domain was added to the domain.
4698 - A scheduled task was created.
4699 - A scheduled task was deleted.
4700 - A scheduled task was enabled.
4701 - A scheduled task was disabled.
4702 - A scheduled task was updated.
4742 - A computer account was changed.
4768 - A Kerberos authentication ticket (TGT) was requested.
4769 - A service ticket was requested.
4799 - A user right was assigned.
4826 - A certificate request was completed.
5140 - A network share object was accessed.
5142 - A network share object was modified.
5379 - The Windows Defender Antivirus protection was turned on.
## ------------------| Microsoft-Windows-Sysmon/Operational
1 - ProcessCreate
2 - FileCreationTimeChanged
3 - NetworkConnection
4 - SysmonServiceStateChanged
5 - ProcessTerminated
6 - DriverLoaded
7 - ImageLoaded
8 - CreateRemoteThread
9 - RawAccessRead
10 - ProcessAccess
11 - FileCreated
12 - RegistryObjectAddedorDeleted
13 - RegistryValueSet
14 - RegistryKeyandValueRename
15 - FileStreamCreated
16 - SysmonConfigurationChanged
17 - PipeCreated
18 - PipeConnected
19 - WMIFilterCreated
20 - WMIConsumerCreated
21 - WMIConsumerFilterLinked
22 - DNSEvent(DNSQuery)
23 - FileDeleted
24 - ClipboardChange
25 - ProcessTampering
255 - Error
## ------------------| Microsoft-Windows-Ntfs/Operational Events
4 - The system is shutting down.
9 - A security package has been successfully loaded.
10 - The system is starting up.
142 - The system is in the process of shutting down.
158 - The operating system is starting up.
159 - The operating system has finished starting up.
300 - A user logon attempt has occurred.
301 - A user logoff attempt has occurred.
302 - A successful logon was made to the system.
303 - A failed logon attempt was made to the system.
500 - A security audit failure occurred.
02. Linux
02.1 WTMP
## ------------------| utmpdump
utmpdump <file>
## ------------------| last
sudo apt install wtmpdb
TZ=UTC last -f <file> -F
02.2 Auth.log
## ------------------| View all the programs
awk '{print $5}' auth.log | sed 's/[\[\:].*//g'| sort | uniq -c | sort -n
## ------------------| Check new user added
grep 'useradd\|usermod' auth.log
## ------------------| Check brute-force SSH logins
grep ssh auth.log | grep -v pam_unix | grep -oP ' [0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | sort | uniq -c | sort -n
## ------------------| Check Successfully logged users
grep ssh auth.log | grep -v pam_unix | grep 'Accepted password'
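As an added example (not part of the original cheat sheet), a Python script that mirrors the four auth.log one-liners above: the program histogram, the useradd/usermod check, ssh lines per source IP with pam_unix noise excluded, and accepted logins, plus a simple per-IP threshold for flagging brute-force sources. The log lines are constructed, and the threshold of 3 is an assumed tuning value.

```python
"""Parse auth.log the way the grep/awk one-liners above do: program histogram,
account-change lines, SSH attempts per source IP, and accepted logins."""
import re
from collections import Counter

# Constructed sample auth.log lines (not a real capture); addresses are RFC 5737 examples.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 10:15:03 host sshd[1234]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar  3 10:15:04 host sshd[1238]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 10:15:05 host sshd[1240]: Accepted password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:15:05 host sshd[1240]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Mar  3 10:16:00 host sudo: alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Mar  3 10:16:00 host useradd[1300]: new user: name=bob, UID=1001, GID=1001, home=/home/bob, shell=/bin/bash
"""
IPV4 = re.compile(r" (\d{1,3}(?:\.\d{1,3}){3})")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")

def program(line):
    """Field 5 with '[pid]' or the trailing ':' stripped, as in the awk | sed pipeline."""
    fields = line.split()
    return re.sub(r"[\[:].*", "", fields[4]) if len(fields) > 4 else ""

def program_counts(lines):
    """Which programs wrote to the log, and how often."""
    return Counter(program(l) for l in lines if l.strip())

def account_changes(lines):
    """Lines mentioning useradd/usermod (the 'Check new user added' grep)."""
    return [l for l in lines if "useradd" in l or "usermod" in l]

def ssh_ip_counts(lines):
    """ssh lines minus pam_unix noise, counted per source IP (the brute-force check)."""
    ctr = Counter()
    for l in lines:
        if "ssh" in l and "pam_unix" not in l:
            ctr.update(IPV4.findall(l))
    return ctr

def accepted_logins(lines):
    """(method, user, ip) for each successful SSH authentication."""
    return [m.groups() for l in lines if (m := ACCEPTED.search(l))]

def suspicious_sources(lines, threshold=3):
    """Source IPs with at least `threshold` ssh lines; the threshold is an assumed tuning value."""
    return sorted(ip for ip, n in ssh_ip_counts(lines).items() if n >= threshold)
```

Feed it `open("auth.log").read().splitlines()` instead of the sample to run against a real file.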