Windows Eventlog investigation using PowerShell
Investigating Windows Event Logs with PowerShell is a powerful and flexible way of analyzing and monitoring system events. Here are some key points about its effectiveness, speed and practicality:
1 - Access investigation:
To investigate access and security in the Windows event logs, certain Event IDs are particularly useful.
Here's a list of some of the most common and relevant ones:
A - Get all access history:
Here, replace the Id value with the event ID you need from the list above.
The following command retrieves all matching log records with all their details:
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} | Select-Object *
B - Get all access history for a time range:
The following command retrieves all log records with all details for a specific time period. Change the $backdays variable as needed (-1 = the last day).
# Get time based access history
$backdays = -1
# --------------------------------------------------
$startDate = (Get-Date).AddDays($backdays)
$enddate = Get-Date
Get-WinEvent -FilterHashTable @{LogName='Security' ; StartTime=$startDate ; EndTime=$enddate} | select *
C - Get time-based access history using keywords:
Here we search the Security log for events whose message matches Keyword1 or Keyword2.
You can change the first three variables as needed.
# Search by keywords for X last days
$backdays = -1
$Keyword1 = 'error'
$Keyword2 = 'access'
# --------------------------------------------------
$startDate = (Get-Date).AddDays($backdays)
$enddate = Get-Date
$Result = Get-WinEvent -FilterHashTable @{LogName='Security' ; StartTime=$startDate ; EndTime=$enddate} | Where-Object {$_.Message -match $Keyword1 -or $_.Message -match $Keyword2} | Select-Object RecordId,Id, UserId ,TimeCreated, message
2 - Reboot history:
Display the last 10 reboots:
# (You can change the $MaxEvent value)
$MaxEvent = 10
# Find the most recent restarts (1074 = shutdown requested, 6005 = event log started, 6006 = event log stopped)
Get-WinEvent -FilterHashtable @{LogName = "System"; ID = 1074, 6005, 6006 } -MaxEvents $MaxEvent
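The 1074 events above also record who requested the shutdown and why. The following added example (not code from the original article) pulls those fields from the event's positional Properties rather than its free-text Message; the field positions are taken from the standard USER32 1074 message template.

```powershell
# Added example: attribute each shutdown/restart request (Event ID 1074) to a user,
# a process and a stated reason. Property positions follow the 1074 template:
#   0 = process, 1 = computer, 2 = reason text, 3 = reason code, 4 = shutdown type,
#   5 = comment, 6 = user on whose behalf the shutdown was requested
$MaxEvent = 10
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1074} -MaxEvents $MaxEvent -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            User        = $_.Properties[6].Value
            Process     = $_.Properties[0].Value
            Type        = $_.Properties[4].Value   # restart / power off / shutdown
            Reason      = $_.Properties[2].Value
            Comment     = $_.Properties[5].Value
        }
    } | Format-Table -AutoSize
```

An unexpected user or process in the Process/User columns (for example a restart requested outside a maintenance window) is what to chase first.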
3 - Check installed hotfixes:
# Check for installed Windows updates, newest first:
Get-HotFix | Sort-Object InstalledOn -Descending
4 - Examine open ports:
# Examine listening ports and the owning process ID:
Get-NetTCPConnection | Where-Object State -eq 'Listen' | Select-Object LocalPort,State,OwningProcess
5 - List running services:
# List running services:
Get-Service | Where-Object {$_.Status -eq "Running"}
6 - Check user accounts and privileges:
# Check local user accounts and members of the local Administrators group:
Get-LocalUser | Select-Object Name,Enabled,LastLogon
Get-LocalGroupMember -Group "Administrators"
7 - Examine firewall settings:
# Examine firewall profile settings:
Get-NetFirewallProfile
8 - Check antivirus status (if using Windows Defender):
# Check antivirus status (if using Windows Defender):
Get-MpComputerStatus
9 - Some other event log investigations:
# Search for failed logon attempts, Event ID 4625 (you can change the $Max_Event value):
$Max_Event = 100
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} -MaxEvents $Max_Event | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
# Check security group membership changes: 4728 (global), 4732 (local), 4756 (universal) (you can change the $Max_Event value):
$Max_Event = 100
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4728,4732,4756} -MaxEvents $Max_Event | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
# Review audit policy changes, Event ID 4719 (you can change the $Max_Event value):
$Max_Event = 100
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4719} -MaxEvents $Max_Event | Format-Table TimeCreated, Id, Message -AutoSize -Wrap
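Section 1C matches keywords against the free-text Message, and the 4625 query above lists failures one by one. Logon events also carry their fields as structured EventData, and the following added example (not code from the original article) reads those fields directly and then groups the failures by source address; $backdays, $Threshold and Get-LogonEvents are this example's own names.

```powershell
# Added example: read the structured EventData of logon events instead of regex-matching
# the Message text, then summarise failed logons (4625) per source address to surface
# brute-force or password-spray patterns. Names below are this example's own.
$backdays  = -1
$Threshold = 10    # report sources with at least this many failed logons
$startDate = (Get-Date).AddDays($backdays)

function Get-LogonEvents {
    param([int[]]$Id = @(4624, 4625), [datetime]$Since = $startDate)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=$Id; StartTime=$Since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The event XML carries named fields: build a Name -> value lookup
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                TargetUser  = $data['TargetUserName']
                LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP
                IpAddress   = $data['IpAddress']
                Workstation = $data['WorkstationName']
                Status      = $data['Status']      # 4625 only, e.g. 0xC000006D logon failure
                SubStatus   = $data['SubStatus']   # 4625 only: 0xC0000064 unknown user, 0xC000006A bad password
            }
        }
}

$logons = Get-LogonEvents

# Failed logons grouped by source: many failures from one address, spread over
# several accounts, is the classic spray signal worth a closer look
$failedBySource = $logons | Where-Object Id -eq 4625 |
    Group-Object IpAddress | Where-Object Count -ge $Threshold |
    Sort-Object Count -Descending |
    Select-Object @{n='IpAddress'; e={$_.Name}}, Count,
                  @{n='Accounts';  e={($_.Group.TargetUser | Sort-Object -Unique) -join ','}}

# A successful 4624 from one of those sources after the failures is the event to triage first
$suspectSources  = @($failedBySource | ForEach-Object { $_.IpAddress })
$followUpSuccess = $logons | Where-Object { $_.Id -eq 4624 -and $suspectSources -contains $_.IpAddress } |
    Select-Object TimeCreated, TargetUser, LogonType, IpAddress, Workstation

$failedBySource  | Format-Table -AutoSize
$followUpSuccess | Format-Table -AutoSize
```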
10 - The gift of this article: an investigation script for system errors, application errors and high CPU investigations:
The following script is a gift for you; it allows you to:
Before using the script, keep in mind that you can change the default values of:
Here is the script:
# Define investigation period (default: last 24 hours)
$startTime = (Get-Date).AddDays(-1)
$endTime = Get-Date
$EventsToDisplay = 500
# Events function
function Get-FilteredEvents
{
param (
[string]$LogName = $null,
[int[]]$EventID = $null,
[int]$Level = 0    # Level 1 = Critical, Level 2 = Error, Level 3 = Warning (0 = no level filter)
)
$filter = @{LogName = $LogName; StartTime = $startTime; EndTime = $endTime }
if ($EventID) { $filter.Add("ID", $EventID) }
if ($Level) { $filter.Add("Level", $Level) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
}
# Collect relevant events
$systemErrors = Get-FilteredEvents -LogName "System" -Level 2
$applicationErrors = Get-FilteredEvents -LogName "Application" -Level 2
$SecurityInvestigation = Get-FilteredEvents -LogName "Security" -EventID 4720,4723,4624,4625,4726,4732,4672,4768
$highCpuEvents = Get-FilteredEvents -LogName "System" -Level 1 -EventID 2004,2019,2020
# Find the last 5 restarts
$lastReboot = Get-WinEvent -FilterHashtable @{
LogName = "System"
ID = 1074, 6005, 6006
} -MaxEvents 5
# Event formatting function
function Format-EventsDetailed {
param($events)
$events | ForEach-Object {
"`nTimestamp: $($_.TimeCreated)"
"ID: $($_.Id)"
"Message:"
$_.Message
"-" * 80
}
}
# Generate report
$report = @"
================================================= Event log analysis report ==========================================================
Investigation period: $startTime to $endTime
================================================= Last 5 reboots: ====================================================================
$(($lastReboot | ForEach-Object { "$($_.TimeCreated) - $($_.Message)" }) -join "`n")
================================================= System Errors (Top $EventsToDisplay): ==============================================
$(Format-EventsDetailed ($systemErrors | Select-Object -First $EventsToDisplay))
================================================= Application Errors (Top $EventsToDisplay): =========================================
$(Format-EventsDetailed ($applicationErrors | Select-Object -First $EventsToDisplay))
================================================= Security investigation (Top $EventsToDisplay): =====================================
$(Format-EventsDetailed ($SecurityInvestigation | Select-Object -First $EventsToDisplay))
================================================= High CPU usage events: =============================================================
$(if ($highCpuEvents) { Format-EventsDetailed $highCpuEvents } else { "No events found." })
"@
# Export report to a timestamped text file in $Dir (created if missing)
$Dir = "C:\temp\"
if (-not (Test-Path $Dir))
{
New-Item -ItemType Directory -Path $Dir -ErrorAction SilentlyContinue | Out-Null
}
$report | Out-File (Join-Path $Dir "EventLogAnalysis_$(Get-Date -Format 'yyyyMMdd_HHmmss').txt") -Width 4096
Conclusion:
In summary, using PowerShell to investigate Windows event logs is often more convenient, quicker and more efficient than traditional methods, especially for system administrators and security professionals who need to manage and analyze large amounts of data.
Thanks
Aymen EL JAZIRI
System Administrator
Information Technology Analyst @ HCLTech | Windows specialist with excellent problem-solving skills
1 month ago: Useful tips