Using Windows Event Logs for Forensics

Sep 16, 2024

Forensic Investigation Using Windows Event Logs

Introduction

  • Importance of Windows Event Viewer for forensic analysis.
  • Logs as valuable artifacts for investigation.

Lab Environment Setup

  • Utilize a free virtual machine from John Strand's pay-what-you-can courses.
  • Access to a wide range of forensic tools (Linux command line, memory analysis, etc.).

Deep Blue CLI

  • Developed by Eric Conrad for forensic investigations and incident response.
  • Integration with User Entity and Behavior Analytics (UEBA).
  • How to Use:
    • Open a PowerShell terminal as administrator.
    • Navigate to the tools directory.
    • Run Deep Blue CLI from PowerShell with the command: .\deepblue.ps1 <event_log_file>

Detecting User Account Changes

  • Common attack method: adding users for persistence.
  • Example: Event ID 4732 shows a user added to the local administrators group.
  • Importance of monitoring user account changes to detect potential threats.

Password Spraying Attacks

  • Definition: Using a list of users with a single password to evade account lockout.
  • Effective because it avoids triggering lockout policies.
  • Example detection using Deep Blue CLI to identify logon failures targeting one account.
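The two detections above (group membership changes via Event ID 4732 and logon-failure patterns via Event ID 4625) can be reproduced without Deep Blue CLI. The script below is an added example, not code from the talk or the DeepBlueCLI project; it assumes an exported Security.evtx (the path is a placeholder) and a hypothetical threshold of 10 distinct accounts failing from one source.

```powershell
# Added example: summarise Security-log evidence for the two detections above.
# Assumes a saved Security.evtx export (placeholder path); requires Windows PowerShell.
param(
    [string]$EvtxPath = '.\Security.evtx',   # placeholder: replace with your export
    [int]$SprayThreshold = 10                 # assumed: distinct accounts failing from one source
)

# Pull the named EventData fields of one event into a hashtable.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

$events = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 4625, 4732 } -ErrorAction Stop

# Event ID 4625: failed logons grouped by source. Many distinct target accounts
# from one source is the password-spray signature; many failures against a
# single account is classic password guessing, which is what lockout catches.
$failures = foreach ($e in ($events | Where-Object Id -eq 4625)) {
    $f = Get-EventFields $e
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Source    = if ($f.IpAddress -and $f.IpAddress -ne '-') { $f.IpAddress } else { $f.WorkstationName }
        Account   = $f.TargetUserName
        SubStatus = $f.SubStatus     # 0xC000006A = wrong password, 0xC0000064 = no such user
    }
}
$failures | Group-Object Source | ForEach-Object {
    $accounts = @($_.Group.Account | Sort-Object -Unique)
    $times    = @($_.Group.Time | Sort-Object)
    if ($accounts.Count -ge $SprayThreshold) {
        "[SPRAY?] $($_.Name): $($_.Count) failures across $($accounts.Count) accounts " +
        "between $($times[0]) and $($times[-1])"
    } elseif ($_.Count -ge $SprayThreshold) {
        "[GUESSING?] $($_.Name): $($_.Count) failures against $($accounts.Count) account(s)"
    }
}

# Event ID 4732: every local-group membership change, with the actor and group.
foreach ($e in ($events | Where-Object Id -eq 4732)) {
    $f = Get-EventFields $e
    "[GROUP ADD] $($e.TimeCreated): $($f.SubjectUserName) added $($f.MemberSid) to '$($f.TargetUserName)'"
}
```

Replace `Path` with `LogName = 'Security'` in the filter hashtable to run it against the live log instead of an export.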

PowerShell Encoding Detection

  • Attackers use encoding to bypass detection.
  • Example: tracking use of the PowerShell Invoke-Obfuscation utility.

Deep Blue CLI Capabilities

  • Detects various PowerShell encoding techniques.
  • Can analyze local EVTX files and produce PowerShell objects as output.
  • Recommendations for Enhanced Logging:
    • Enable command line auditing.
    • Enable failed logon tracking.
    • Use Sysmon for advanced event logging.

Alternatives to Deep Blue CLI

  • Older tool; consider Chainsaw for more modern features.
  • Chainsaw supports Sigma rules and offers enhanced functionality.

Conclusion

  • Windows Event Logs are critical for incident response and forensic analysis.
  • Deep Blue CLI is an easy-to-use tool worth adding to your toolkit.
  • Explore additional resources from Black Hills Information Security and Antisyphon Training for further learning.