Get-WinEvent

Understanding the importance of mass analysis of Windows Event Logs and Sysmon logs is pivotal in the realm of cybersecurity, especially in Incident Response (IR) and threat hunting scenarios.

Using Get-WinEvent

The Get-WinEvent cmdlet is an indispensable tool in PowerShell for querying Windows Event logs. We can retrieve different types of logs (like System and Application logs, logs generated by Windows Event Log technology, and Event Tracing for Windows (ETW) logs)

See available Logs

Get-WinEvent -ListLog *

By using the pipe ( | ), we can input the output from the previus command in the one after the pipe. For example we can retrieve the list of logs and display essential properties such as LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, and LogType.

list of logs with displayed essential properties

Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

This command provides us with valuable information about each log, including the name of the log, the number of records present, whether the log is in the classic .evt format or the newer .evtx format, its enabled status, the log mode (Circular, Retain, or AutoBackup), and the log type (Administrative, Analytical, Debug, or Operational).

Additionally, we can explore the event log providers associated with each log using the -ListProvider parameter.

Get-WinEvent -ListProvider * | Format-Table -AutoSize

Lets see now more specific events

1. Retrieving events from the System log

Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

• -LogName 'System' - retrives system logs

• -MaxEvents 30 - shows 30 events

2. Retrieving events from Microsoft-Windows-WinRM/Operational

• -LogName 'Microsoft-Windows-WinRM/Operational' - events are retrieved from the Microsoft-Windows-WinRM/Operational log

• -MaxEvents 30 - shows 30 events

To retrieve the oldest events, instead of manually sorting the results, we can utilize the -Oldest parameter

3. Retrieving events from .evtx Files

If you have an exported .evtx file from another computer or you have backed up an existing log, you can utilize the Get-WinEvent cmdlet to read and query those logs. Just provide the -Path parameter

4. Filtering events with FilterHashtable

To filter Windows event logs, we can use the -FilterHashtable parameter

The command above retrieves events with IDs 1 and 3 from the Microsoft-Windows-Sysmon/Operational event log, selects specific properties from those events, and displays them in a table format.

Exported events

Specific date events

5. Filtering events with FilterHashtable & XML

Consider an intrusion detection scenario where a suspicious network connection to a particular IP (52.113.194.132) has been identified. With Sysmon installed, you can use Event ID 3 (Network Connection) logs to investigate the potential threat.

leveraging Sysmon's Event ID 7 to detect the loading of abovementioned DLLs.

6. Filtering events with FilterXPath

To use XPath queries with Get-WinEvent, we need to use the -FilterXPath parameter.

For instance, if we want to get Process Creation (Sysmon Event ID 1) events in the Sysmon log to identify installation of any Sysinterals tool we can use the command below.

7. Filtering events based on property values

The -Property * parameter, when used with Select-Object, instructs the command to select all properties of the objects passed to it. And the output would be more like a sysmon output. See example below: