Event Log Analysis Using a Built-in Windows Tool - PowerShell

PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language, and a configuration management framework. PowerShell runs on Windows, Linux, and macOS.

PowerShell makes administrators' lives easier when managing their endpoints and servers. Why PowerShell? It is built on the .NET Common Language Runtime (CLR), which gives it access to the .NET types and APIs behind the technologies we manage.

From an incident response perspective, the responder needs the ability and skill to triage back to patient zero without additional tooling, using only what is built into Windows. PowerShell, which can query and parse event logs natively, is of great use to the responder here.

During an investigation, we may be asked to look for a specific event log entry, particularly one related to Account Logon/Logoff, Process Creation, or PowerShell Creation; these logs are typically the breadcrumbs of an incident, and responders must be able to parse and follow them.

To put this to use, we can run the following command: Get-EventLog -LogName <log_name> | Where-Object { $_.EventID -eq 4624 }

In this case we hunt for event ID 4624 (Account Logon), and we use the -Newest parameter to restrict the output to the most recent 4624 entries.

Out-GridView answers the question “How can we read these logs?”

To put this to work, pipe the command's output to Out-GridView, which displays the log in a GUI window.
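As an added example (not code from the original article), the following Windows PowerShell script extends the 4624 query and Out-GridView step described above: it parses each event's fields into columns, keeps only network and remote-interactive logons that did not originate on the host, summarises them by source address, and hands the result to Out-GridView. It assumes Windows PowerShell 5.1 and an elevated session; the ReplacementStrings indices follow the 4624 event template.

```powershell
# Added example, not part of the original article. Requires Windows PowerShell 5.1
# (Get-EventLog was removed in PowerShell 7; use Get-WinEvent there) and an
# elevated session, because only Administrators can read the Security log.

# Human-readable names for the LogonType field of event 4624.
$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function Get-RecentLogons {
    param([int]$Newest = 200)
    # Same query as the article, but -InstanceId lets the log provider filter on the
    # event ID instead of Where-Object filtering the whole log after the fact.
    Get-EventLog -LogName Security -InstanceId 4624 -Newest $Newest | ForEach-Object {
        # ReplacementStrings holds the event fields in template order, which is more
        # robust than regex-parsing the localized Message text.
        $f    = $_.ReplacementStrings
        $type = [int]$f[8]
        $name = if ($LogonTypeNames.ContainsKey($type)) { $LogonTypeNames[$type] } else { "Unknown($type)" }
        [pscustomobject]@{
            Time        = $_.TimeGenerated
            Account     = "$($f[6])\$($f[5])"   # TargetDomainName\TargetUserName
            LogonType   = $type
            LogonName   = $name
            Workstation = $f[11]                # WorkstationName
            SourceIP    = $f[18]                # IpAddress
            AuthPackage = $f[10]                # AuthenticationPackageName
        }
    }
}

$logons = Get-RecentLogons -Newest 500

# Triage view 1: network and RDP logons that did not originate on this host.
$remote = $logons | Where-Object {
    $_.LogonType -in 3, 10 -and $_.SourceIP -notin '-', '127.0.0.1', '::1'
}

# Triage view 2: which source addresses account for the most logons.
$remote | Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# The GUI review the article describes, now over parsed columns that can be sorted and filtered.
$remote | Out-GridView -Title 'Recent remote logons (event 4624)'
```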