Ejemplo LP

# Logparser
###############
# Security Log
###############
# Find Event id
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT *
FROM 'Security.evtx' WHERE EventID = '5038'"
# Show what eventids in event log sorted by count

& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT
COUNT(*) AS CNT, EventID FROM 'Security.evtx' GROUP BY EventID ORDER BY CNT DESC"
# Eventid 1102
# Eventlog was cleared
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security.evtx' WHERE EventID =
'1102'"
# Eventid 4624
# successful logon
EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as
LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11,
'|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,
EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID =
4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK
SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Find specific user

SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
# Find RDP logons

SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"
# Find console logons

SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"
# Find specific IP
SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
# look at NTLM based logons

# possible pass-the-hash
LogonType, EXTRACT_TOKEN(strings, 10, '|') AS AuthPackage, EXTRACT_TOKEN(Strings,
11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,
SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND
Username NOT LIKE '%$'"
# group by NTLM users

& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -q:ON -stats:OFF -i:EVT
"SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username,
11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName,
SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND
Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage,
Workstation, ProcessName, SourceIP ORDER BY CNT DESC"
# group by users
EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL
SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY
CNT DESC"
# group by domain
EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"
# group by authpackage
EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"
# group by LogonType
EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"
# group by workstation name

EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM
'Security.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"
# group by process name

EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"
# Event id 4625
# unsuccessful logon
LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings,
13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM
'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS
LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Find specific User

LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND
Username = 'Administrator'"
# Find specific IP
SourceIP = '10.1.47.151'"
# check ntlm based attempts

AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
# group by ntlm users

COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings,
6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as
AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain,
LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"
# group by Username
COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security.evtx'
CNT DESC"
# event id 4634
# user logoff
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select

TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username,
EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4634
AND Domain NOT IN ('NT AUTHORITY')"
# Event id 4648
# explicit creds was used
timegenerated as date, extract_token(strings, 1, '|') as accountname,
extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as
usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings,
8, '|') as targetserver, extract_token(strings, 9, '|') as extradata,
extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as
sourceip from 'Security.evtx' WHERE EventID = 4648"
# Search by accountname
sourceip from 'Security.evtx' WHERE EventID = 4648 AND accountname =
'Administrator'"
# Search by usedaccount
sourceip from 'Security.evtx' WHERE EventID = 4648 AND usedaccount =
'Administrator'"
# group by accountname
COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security.evtx'
WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"
# group by used account

COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security.evtx'
WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"
# event id 4657
# A registry value was modified
# event id 4663
# An attempt was made to access an object
# Event id 4672
# Admin logon

AND Domain NOT IN ('NT AUTHORITY')
# Find specific user

AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
# group by username
EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx'
CNT DESC"
# group by domain
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY
CNT DESC"
# event id 4688
# new process was created
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, EXTRACT_TOKEN(Strings, 5, '|') AS Process
FROM 'Security.evtx' WHERE EventID = 4688"
# Search by user
FROM 'Security.evtx' WHERE EventID = 4688 AND Username = 'Administrator'"
# Search by process name

FROM 'Security.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"
# group by username
COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 1, '|') AS Username FROM 'Security.evtx'
WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"
# group by process name

COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') AS Process FROM 'Security.evtx'
WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"
# event id 4704
# A user right was assigned
# event id 4705
# A user right was removed
# event id 4706
# A new trust was created to a domain
# event id 4720
# A user account was created
TimeGenerated AS Date, extract_token(Strings, 0, '|') AS createduser,
extract_token(strings, 1, '|') AS createddomain, extract_token(strings, 4, '|') as
whocreated, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE
EventID = '4720'"
# Event id 4722
# user account was enabled
TimeGenerated AS Date, extract_token(strings, 0, '|') as user,
whichaccount, extract_token(strings, 5, '|') as whichdomain FROM 'Security.evtx'
WHERE EventID = 4722"
# event id 4723
# attempt to change password for the account - user changed his own password
# event id 4724
# attempt to reset user
# event id 4725
# user account was disabled
# event id 4726
# A user account was deleted
TimeGenerated AS Date, extract_token(Strings, 0, '|') AS deleteduser,
extract_token(strings, 1, '|') AS deleteddomain, extract_token(strings, 4, '|') as
whodeleted, extract_token(strings, 5, '|') AS whodomain FROM 'Security.evtx' WHERE
EventID = '4726'"
# event id 4727
# A security-enabled global group was created
# event id 4728
# A member was added to a security-enabled global group
TimeGenerated AS Date, extract_token(Strings, 0, '|') as addeduser,
extract_token(strings, 2, '|') as togroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoadded, extract_token(strings, 7,
'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4728'"
# event id 4729
# A member was removed from a security-enabled global group
TimeGenerated AS Date, extract_token(Strings, 0, '|') as removeduser,
extract_token(strings, 2, '|') as fromgroup, extract_token(strings, 3, '|') as
groupdomain, extract_token(strings, 6, '|') as whoremoved, extract_token(strings,
7, '|') as whodomain FROM 'Security.evtx' WHERE EventID = '4729'"
# event id 4730
# A security-enabled global group was deleted
# event id 4731
# A security-enabled local group was created
TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup,
# event id 4732
# A member was added to a security-enabled local group
# event id 4733
# A member was removed from a security-enabled local group
# event id 4734
# A security-enabled local group was deleted
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup,
EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS
who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE
EventID = 4734"
# event id 4738
# user account was changed
# event id 4740
# A user account was locked out
extract_token(strings, 1, '|') as workstation, extract_token(strings, 4, '|') as
wholocked, extract_token(strings, 5, '|') as whodomain FROM 'Security.evtx' WHERE
EventID = '4740'"
# event id 4742
# computer account was changed
# event id 4754
# A security-enabled universal group was created
TimeGenerated AS Date, extract_token(strings, 0, '|') as createdgroup,
# event id 4756
# A member was added to a security-enabled universal group
# event id 4757
# A member was removed from a security-enabled universal group
# event id 4758
# A security-enabled universal group was deleted
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 2, '|') AS whichgroup,
EXTRACT_TOKEN(Strings, 3, '|') AS domaingroup, EXTRACT_TOKEN(Strings, 6, '|') AS
who, EXTRACT_TOKEN(Strings, 7, '|') AS workstation FROM 'Security.evtx' WHERE
EventID = 4758"
# event id 4767
# A user account was unlocked
# event id 4768
# Kerberos TGT was requested
extract_token(strings, 1, '|') as domain, extract_token(strings, 7, '|') as cipher,
extract_token(strings, 9, '|') as sourceip FROM 'Security.evtx' WHERE EventID =
4768"
# group by user
extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE
EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"
# group by cipher
extract_token(strings, 7, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"
# event id 4769
# Kerberos Service ticket was requested
service, extract_token(strings, 5, '|') as cipher, extract_token(strings, 6, '|')
as sourceip FROM 'Security.evtx' WHERE EventID = 4769"
# group by user
extract_token(strings, 0, '|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE
EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
extract_token(strings, 1, '|') as domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"
# group by service
extract_token(strings, 2, '|') as service, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"
# group by cipher
extract_token(strings, 5, '|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"
# event id 4771
# kerberos pre-atuhentication failed
TimeGenerated AS Date, extract_token(strings, 0 , '|') as user,
extract_token(strings, 6 , '|') as sourceip FROM 'Security.evtx' WHERE EventID =
4771 AND user NOT LIKE '%$'"
# group by user
extract_token(strings, 0, '|') as user, COUNT(user) AS CNT FROM 'Security.evtx'
WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# event id 4776
# domain/computer attemped to validate user credentials
AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"
# Search by username
AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username =
'Administrator'"
# group by username
EXTRACT_TOKEN(Strings, 1, '|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT
DESC"
# group by domain
EXTRACT_TOKEN(Strings, 2, '|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx'
WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"
# event id 4778
# RDP session reconnected
TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username,
EXTRACT_TOKEN(Strings, 1, '|') AS Domain, EXTRACT_TOKEN(Strings, 4, '|') AS
Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE
EventID = 4778"
# event id 4779
# RDP session disconnected
TimeGenerated AS Date,EXTRACT_TOKEN(Strings, 0, '|') AS Username,
Workstation, EXTRACT_TOKEN(Strings, 5, '|') AS SourceIP FROM 'Security.evtx' WHERE
EventID = 4779"
# event id 4781
# User account was renamed
TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 0, '|') AS newname,
EXTRACT_TOKEN(Strings, 1, '|') AS oldname, EXTRACT_TOKEN(Strings, 2, '|') AS
accdomain, EXTRACT_TOKEN(Strings, 5, '|') AS Username, EXTRACT_TOKEN(Strings, 6,
'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4781"
# event id 4825
# RDP Access denied
SourceIP FROM 'Security.evtx' WHERE EventID = 4825"
# event id 4946
# new exception was added to firewall
TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM
'Security.evtx' WHERE EventID = 4946"
# group by rule name

Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx'
WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"
# event id 4948
# rule was deleted from firewall
TimeGenerated AS Date, extract_token(strings, 2, '|') as rulename FROM
'Security.evtx' WHERE EventID = 4948"
# group by rule name

Count(*) as CNT, extract_token(strings, 2, '|') as rulename FROM 'Security.evtx'
WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"
# event id 5038
# Code integrity determined that the image hash of a file is not valid
# event id 5136
# A directory service object was modified
TimeGenerated AS Date, extract_token(strings, 3, '|') AS Username,
extract_token(strings, 4, '|') AS Domain, extract_token(strings, 8, '|') AS
objectdn, extract_token(strings, 10, '|') AS objectclass, extract_token(strings,
11, '|') AS objectattrib, extract_token(strings, 13, '|') AS attribvalue FROM
'Security.evtx' WHERE EventID = '5136'"
# group by username
COUNT(*) AS CNT, extract_token(strings, 3, '|') AS Username FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"
# group by domain
COUNT(*) AS CNT, extract_token(strings, 4, '|') AS Domain FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"
# group by objectdn
COUNT(*) AS CNT, extract_token(strings, 8, '|') AS objectdn FROM 'Security.evtx'
WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"
# group by objectclass
COUNT(*) AS CNT, extract_token(strings, 10, '|') AS objectclass FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"
# group by objectattrib
COUNT(*) AS CNT, extract_token(strings, 11, '|') AS objectattrib FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"
# group by attribvalue
COUNT(*) AS CNT, extract_token(strings, 13, '|') AS attribvalue FROM
'Security.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"
# event id 5137
# A directory service object was created
# event id 5138
# A directory service object was undeleted
# event id 5139
# A directory service object was moved
# event id 5141
# A directory service object was deleted
# event id 5140
# A network share object was accessed
# event id 5142
# A network share object was added
# event id 5143
# A network share object was modified
# event id 5144
# A network share object was deleted
# event id 5145
# A network share object was checked to see whether client can be granted desired
access
# event id 5154
# The Windows Filtering Platform has permitted an application or service to listen
on a port for incoming connections
# event id 5155
# The Windows Filtering Platform has blocked an application or service from
listening on a port for incoming connections
# event id 5156
# The Windows Filtering Platform has allowed a connection
# event id 5157
# The Windows Filtering Platform has blocked a connection
# event id 5158
# The Windows Filtering Platform has permitted a bind to a local port
# event id 5159
# The Windows Filtering Platform has blocked a bind to a local port
#############
# System Log
#############
# EventID 7045
# New Service was installed in system
TimeGenerated AS Date, extract_token(strings, 0, '|') AS ServiceName,
extract_token(strings, 1, '|') AS ServicePath, extract_token(strings, 4, '|') AS
ServiceUser FROM System.evtx WHERE EventID = 7045"
# EventID 7036
# Service actions
TimeGenerated AS Date, extract_token(strings, 0, '|') as servicename FROM
System.evtx WHERE EventID = 7036"
# group by service name

COUNT(*) as CNT, extract_token(strings, 0, '|') as servicename FROM System.evtx
WHERE EventID = 7036 GROUP BY servicename ORDER BY CNT DESC"
#####################
# Task Scheduler Log
#####################
# EventID 100
# Task was run
TimeGenerated AS Date, extract_token(strings,0, '|') as taskname,
extract_token(strings, 1, '|') as username FROM 'Microsoft-Windows-TaskScheduler
%4Operational.evtx' WHERE EventID = 100"
# group by taskname
extract_token(strings, 0, '|') as taskname, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname
ORDER BY CNT DESC"
# eventid 200
# action was executed
TimeGenerated AS Date, extract_token(strings,0, '|') as taskname,
extract_token(strings, 1, '|') as taskaction FROM 'Microsoft-Windows-TaskScheduler
# group by action
extract_token(strings, 1, '|') as taskaction, count(*) as cnt FROM 'Microsoft-
Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction
ORDER BY CNT DESC"
# eventid 140
# user updated a task

TimeGenerated as Date, extract_token(strings, 0, '|') as taskname,
extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler
# group by user
extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-
TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT
DESC"
# group by taskname
ORDER BY CNT DESC"
# event id 141
# user deleted a task
TimeGenerated as Date, extract_token(strings, 0, '|') as taskname,
extract_token(strings, 1, '|') as user FROM 'Microsoft-Windows-TaskScheduler
# group by user
extract_token(strings, 1, '|') as user, count(*) as cnt FROM 'Microsoft-Windows-
TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT
DESC"
# group by taskname
ORDER BY CNT DESC"
#######################
# Windows Firewall Log
#######################
# EventID 2004
# New exception rule was added
TimeGenerated AS Date, extract_token(strings, 1, '|') as rulename,
extract_token(strings, 3, '|') as apppath, extract_token(strings, 22, '|') as
changedapp from 'Microsoft-Windows-Windows Firewall With Advanced Security
%4Firewall.evtx' WHERE EventID = 2004"
# group by apppath
COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-
Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2004 GROUP
BY apppath ORDER BY CNT DESC"
# event id 2005
# rule was changed
TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename,
extract_token(Strings, 3, '|') AS apppath, extract_token(Strings, 4, '|') AS
servicename, extract_token(strings, 7, '|') AS localport, extract_token(strings,
22, '|') as modifyingapp from 'Microsoft-Windows-Windows Firewall With Advanced
Security%4Firewall.evtx' WHERE EventID = 2005"
# group by apppath
COUNT(*) as CNT, extract_token(strings, 3, '|') as apppath from 'Microsoft-Windows-
BY apppath ORDER BY CNT DESC"
# group by rulename
COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-
Windows-Windows Firewall With Advanced Security%4Firewall.evtx' WHERE EventID =
2005 GROUP BY rulename ORDER BY CNT DESC"
# group by servicename
COUNT(*) as CNT, extract_token(strings, 4, '|') as servicename from 'Microsoft-
2005 GROUP BY servicename ORDER BY CNT DESC"
# group by local port

COUNT(*) as CNT, extract_token(strings, 7, '|') as localport from 'Microsoft-
2005 GROUP BY localport ORDER BY CNT DESC"
# group by modifyingapp
COUNT(*) as CNT, extract_token(strings, 22, '|') as modifyingapp from 'Microsoft-
2005 GROUP BY modifyingapp ORDER BY CNT DESC"
# event id 2006
# rule was deleted
TimeGenerated AS Date, extract_token(Strings, 1, '|') as rulename,
extract_token(strings, 3, '|') as changedapp from 'Microsoft-Windows-Windows
Firewall With Advanced Security%4Firewall.evtx' WHERE EventID = 2006"
# group by rulename
COUNT(*) as CNT, extract_token(strings, 1, '|') as rulename from 'Microsoft-
2006 GROUP BY rulename ORDER BY CNT DESC"
# group by changedapp
COUNT(*) as CNT, extract_token(strings, 3, '|') as changedapp from 'Microsoft-
2006 GROUP BY changedapp ORDER BY CNT DESC"
# EventID 2011
# Firewall blocked inbound connections to the application, but did not notify the
user
Timegenerated as date, extract_token(strings, 1, '|') as file,
extract_token(strings, 4, '|') as port from 'Microsoft-Windows-Windows Firewall
With Advanced Security%4Firewall.evtx' WHERE EventID = 2011"
# group by application
COUNT(*) as CNT, extract_token(strings, 1, '|') as file from'Microsoft-Windows-
BY file ORDER BY CNT DESC"
######################
# RDP LocalSession Log
# Local logins
######################
# Event id 21
# Successful logon
timegenerated as Date, extract_token(strings, 0, '|') as user,
extract_token(strings, 2, '|') as sourceip FROM 'Microsoft-Windows-
TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21"
# find specific user

TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 AND user
LIKE '%Administrator%'"
# group by user
extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-
TerminalServices-LocalSessionManager%4Operational.evtx' WHERE EventID = 21 GROUP BY
user ORDER BY CNT DESC"
#######################
# RDP RemoteSession Log
#######################
# Event ID 1149
# Successful logon
TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149"
# group by user
extract_token(strings, 0, '|') as user, count(*) as CNT FROM 'Microsoft-Windows-
TerminalServices-RemoteConnectionManager%4Operational.evtx' WHERE EventID = 1149
GROUP BY user ORDER BY CNT DESC"

Ejemplo LP

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Ejemplo LP

Uploaded by

Copyright:

Available Formats

# Logparser

# Show what eventids in event log sorted by count

# Find specific user

# Find RDP logons

# Find console logons

# look at NTLM based logons

# group by NTLM users

# group by workstation name

# group by process name

# Find specific User

# check ntlm based attempts

# group by ntlm users

& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select

# group by used account

& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select

# Find specific user

# Search by process name

# group by process name

# group by rule name

# group by rule name

# group by service name

& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select

# group by local port

# find specific user

You might also like