
Query event logs with PowerShell to find malicious activity


Query event logs to find malicious log entries

To help with investigations, we will use PowerShell to retrieve log entries and filter them. You collect malicious logged entries the same way as any other entries, though the filtering might differ. To understand what actions to fetch, you need to know the standard event IDs to monitor.

You also need to categorize event IDs. Some example event IDs for each category are:

  • Services
    • 4697: A service was installed in the system.
    • 7034: The service terminated unexpectedly.
    • 7045: A new service was created on the local Windows machine.
  • Scheduled tasks
    • 106: The user registered a new scheduled task.
    • 4702: A scheduled task was updated.
    • 4699: A scheduled task was deleted.
  • Account management
    • 4720: A user account was created.
    • 4724: An attempt was made to reset an account password.
    • 4782: Password hash access.
  • Event log manipulation
    • 1100: Event log service shutdown.
    • 104: Log file cleared.
    • 1102: Security audit log cleared.

Depending on the server workload, you could add many more event IDs. For example, Microsoft provides a list of nearly 400 event IDs to monitor in Active Directory. For the purposes of this tutorial, the goal is to target specific event IDs related to malicious actions.

The first PowerShell code example below filters the event log entries using specific event IDs. In this example, event ID 4104 refers to the execution of a remote command using PowerShell.

The second PowerShell example queries an exported event log for the phrase "PowerShell".

# Retrieve Potentially Malicious PowerShell Event Log Entries using Event ID
# -FilterHashtable filters inside the event log service, so it is faster than
# reading every record and filtering afterwards; Id expects an integer
$id = 4104
$events = Get-WinEvent -FilterHashtable @{ Path='C:\Users\Administrator\Downloads\pwsh.evtx'; Id=$id }
$events | Select-Object Id, Message

# Query Event Log Entries to Retrieve Malicious PowerShell Commands
# Read every record from the exported .evtx and keep those whose message text mentions PowerShell
$events = Get-WinEvent -Path 'C:\Users\Administrator\Downloads\pwsh.evtx' | Where-Object { $_.Message -like '*PowerShell*' }
$events | Select-Object Id, Message

These are simple commands that retrieve specific entries that might be malicious because they involve PowerShell. You can customize the filter for other keywords such as ScriptBlock, Mimikatz and Python.exe or a PowerShell function name such as Invoke-Expression.
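The categorized event IDs from the list above can be folded into a single reusable query. This is an added example, not code from the original post; the log-name mapping for each event ID, the function name Find-SuspiciousEvents, and the default 7-day window are assumptions, and -Path switches the query to an exported .evtx file like the ones used above.

```powershell
# Added example (not from the original post): query every categorised event ID
# in one pass and tag each hit with its category. Log-name mapping, function name
# and the 7-day default are assumptions; -Path reads an exported .evtx instead.
function Find-SuspiciousEvents {
    param([int]$Days = 7, [string]$Path)

    $rules = @(
        @{ Category = 'Services';               LogName = 'Security'; Id = 4697 }
        @{ Category = 'Services';               LogName = 'System';   Id = 7034, 7045 }
        @{ Category = 'Scheduled tasks';        LogName = 'Microsoft-Windows-TaskScheduler/Operational'; Id = 106 }
        @{ Category = 'Scheduled tasks';        LogName = 'Security'; Id = 4699, 4702 }
        @{ Category = 'Account management';     LogName = 'Security'; Id = 4720, 4724, 4782 }
        @{ Category = 'Event log manipulation'; LogName = 'Security'; Id = 1100, 1102 }
        @{ Category = 'Event log manipulation'; LogName = 'System';   Id = 104 }
    )
    $since = (Get-Date).AddDays(-$Days)

    foreach ($rule in $rules) {
        # An exported file is queried by Path, live logs by LogName (the two
        # keys cannot be combined). Get-WinEvent emits a non-terminating error
        # when nothing matches, which is expected here, so it is silenced.
        $filter = @{ Id = $rule.Id; StartTime = $since }
        if ($Path) { $filter.Path = $Path } else { $filter.LogName = $rule.LogName }

        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Category    = $rule.Category
                    TimeCreated = $_.TimeCreated
                    Id          = $_.Id
                    Log         = $_.LogName
                    Summary     = ($_.Message -split "`r?`n")[0]   # first line only
                }
            }
    }
}

# Usage: counts per category first, then the full timeline for the analyst
$hits = Find-SuspiciousEvents -Days 30
$hits | Group-Object Category | Select-Object Name, Count | Sort-Object Count -Descending
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

Reading the Security log requires an elevated session, and the TaskScheduler operational log only has entries if it is enabled on the host.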

It is more critical than ever to monitor event logs for potentially malicious activities to help you mitigate issues and be more proactive with security.