Windows Event Log Analysis for IR

Welcome to the Windows Event Log Analysis for Incident Response Lab!

This lab is designed to provide you with a practical, hands-on experience in capturing, analyzing, and investigating Windows event logs as part of a simulated security incident.

You will learn how to collect Windows event logs from an endpoint, use tools like EvtxECmd and Chainsaw to triage and detect suspicious activity, and apply timeline analysis techniques using Timeline Explorer.

Whether you’re a student, aspiring analyst, or cybersecurity professional, this lab will help you develop essential skills in endpoint-focused threat detection and incident response using real-world tools and techniques.

Task 1: Exporting Windows Event Logs Using wevtutil

Objective

This task involves exporting critical Windows Event Logs from the target system using the built-in wevtutil command-line utility. These logs will be used for later parsing and analysis tasks.

Step 1: Open Command Prompt as Administrator

  1. Click on the Start menu and search for "cmd".
  2. Right-click on "Command Prompt" and select "Run as administrator".

Step 2: Export the Event Logs Using wevtutil

Before exporting, you will need to create or specify a destination folder. In this lab, an output folder for the exports has already been created for you: C:\Users\Administrator\Desktop\Exports\

  1. Use the following commands to export each log into .evtx format:
wevtutil epl Security C:\Users\Administrator\Desktop\Exports\Security.evtx
wevtutil epl System C:\Users\Administrator\Desktop\Exports\System.evtx
wevtutil epl Application C:\Users\Administrator\Desktop\Exports\Application.evtx
wevtutil epl Microsoft-Windows-Sysmon/Operational C:\Users\Administrator\Desktop\Exports\Sysmon.evtx

  2. Navigate to the output folder C:\Users\Administrator\Desktop\Exports\ and confirm the .evtx files are present and correctly named.

You have successfully exported key Windows Event Logs using wevtutil. These .evtx files will be used in the next tasks for parsing and analysis.


Task 2: Parsing Event Logs with EvtxECmd

Objective

This task parses the exported .evtx files into structured CSV files with EvtxECmd so they can be loaded into Timeline Explorer in the next task.

Step 1: Navigate to the Tools Directory

  1. Open Command Prompt as Administrator.
  2. Navigate to the folder where EvtxECmd is located.
cd C:\Users\Administrator\Desktop\Tools\EvtxECmd

Step 2: Parse Event Log Files with EvtxECmd

In this lab, we will be limiting our focus to the Security channel and the Sysmon event logs.

  1. Use the -f flag to specify the input .evtx file and the --csv flag to specify the output directory:
EvtxECmd.exe -f C:\Users\Administrator\Desktop\Exports\Security.evtx --csv C:\Users\Administrator\Desktop\Exports\Security
EvtxECmd.exe -f C:\Users\Administrator\Desktop\Exports\Sysmon.evtx --csv C:\Users\Administrator\Desktop\Exports\Sysmon

Step 3: Verify the Parsed Output

Navigate to the folder where you saved the parsed logs and confirm that a .csv file has been created for each .evtx input.

You have now successfully parsed the Windows Event Logs into structured CSV format using EvtxECmd. These files will be used in the following tasks for log analysis and timeline construction.


Task 3: Timeline Analysis with Timeline Explorer

Objective

This task loads the parsed CSV files into Timeline Explorer to sort, filter, and review the events in chronological order.

Step 1: Launch Timeline Explorer

  1. Navigate to the folder where Timeline Explorer is located: C:\Users\Administrator\Desktop\Tools\TimelineExplorer\TimelineExplorer\
  2. Double-click on TimelineExplorer.exe to launch the tool.

Step 2: Load a Parsed CSV File

  1. Drag and drop one of the parsed .csv files (e.g., Sysmon.csv) from the C:\Users\Administrator\Desktop\Exports\Sysmon\ directory into the Timeline Explorer window.

  2. The data will load into a table format sorted by the TimeCreated column.

Step 3: Explore the Data

  1. Scroll through the events and examine columns like:
     - TimeCreated
     - EventID
     - Image or CommandLine (if present)
  2. Sort the data by TimeCreated to view the chronological sequence of events.

Step 4: Apply Filters to Identify Key Events

Use the filter bar to narrow down events:
  - Example: Filter EventID == 1 to show process creation events.

Step 5: Analyze the Timeline

Review the filtered and sorted data to:
  - Identify logon events and follow-up processes
  - Detect signs of persistence like scheduled tasks or new services
  - Correlate activity across multiple logs if merged into one CSV
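As an added example (not part of the lab's own material), the Python script below performs this step by hand on a constructed CSV in a subset of EvtxECmd's column layout: it sorts merged Security, System and Sysmon rows by TimeCreated as Timeline Explorer does, pairs logons (Security 4624) with process creations (Sysmon 1) by the same account within a few minutes, and flags persistence events (Security 4698 scheduled task created, System 7045 new service installed). The sample rows, the five-minute window and the column subset are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows (not real lab data) in a subset of EvtxECmd's CSV columns,
# as if Security.csv, System.csv and Sysmon.csv had been merged into one file.
MERGED_CSV = r"""TimeCreated,EventId,Channel,UserName,MapDescription,ExecutableInfo
2024-05-01 09:00:05.1234567,4624,Security,LAB\jdoe,Successful logon,
2024-05-01 09:00:41.0000000,1,Microsoft-Windows-Sysmon/Operational,LAB\jdoe,Process creation,C:\Windows\System32\cmd.exe /c whoami
2024-05-01 09:02:10.0000000,4698,Security,LAB\jdoe,Scheduled task created,
2024-05-01 09:03:30.0000000,7045,System,LocalSystem,A service was installed,
2024-05-01 12:15:00.0000000,1,Microsoft-Windows-Sysmon/Operational,LAB\svc_backup,Process creation,C:\Program Files\Backup\backup.exe
"""

# (Channel, EventId) pairs for the event types Step 5 asks you to look for.
LOGON = {("Security", "4624")}
PROCESS_CREATE = {("Microsoft-Windows-Sysmon/Operational", "1")}
PERSISTENCE = {("Security", "4698"): "scheduled task created",
               ("System", "7045"): "new service installed"}

def parse_time(value):
    """EvtxECmd writes 7 fractional digits; strptime's %f accepts at most 6."""
    base, _, frac = value.partition(".")
    ts = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return ts + timedelta(microseconds=int((frac + "000000")[:6])) if frac else ts

def load_timeline(text):
    """Read merged CSV rows and sort them by TimeCreated, as Timeline Explorer does."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = parse_time(row["TimeCreated"])
    return sorted(rows, key=lambda row: row["ts"])

def find_logon_followups(rows, window=timedelta(minutes=5)):
    """Pair each logon with process creations by the same account inside `window`."""
    hits = []
    for logon in (r for r in rows if (r["Channel"], r["EventId"]) in LOGON):
        for ev in rows:
            if ((ev["Channel"], ev["EventId"]) in PROCESS_CREATE
                    and ev["UserName"] == logon["UserName"]
                    and logon["ts"] <= ev["ts"] <= logon["ts"] + window):
                hits.append((ev["ts"], ev["UserName"], ev["ExecutableInfo"]))
    return hits

def find_persistence(rows):
    """Flag scheduled-task and service-install events, the persistence signs from Step 5."""
    return [(r["ts"], PERSISTENCE[(r["Channel"], r["EventId"])])
            for r in rows if (r["Channel"], r["EventId"]) in PERSISTENCE]
```

Point `load_timeline` at the text of your own merged EvtxECmd CSV to run the same checks on the lab exports.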

You have successfully used Timeline Explorer to analyze parsed Windows event logs. This step enables you to visualize attacker behavior and build a coherent timeline of events, which is crucial in incident response investigations.


Task 4: Threat Detection with Chainsaw and Sigma Rules

Objective

This task runs Chainsaw with Sigma rules against the exported event logs to automatically flag suspicious events for triage.

Step 1: Navigate to the Chainsaw Directory

  1. Open Command Prompt as Administrator.
  2. Navigate to the folder where Chainsaw is located under C:\Users\Administrator\Desktop\Tools\chainsaw_all_platforms+rules\.

Step 2: Identify Input and Rules Directories

The hunt in the next step uses three inputs:
  - Input log: C:\Users\Administrator\Desktop\Exports\Sysmon.evtx
  - Sigma rules directory: C:\Users\Administrator\Desktop\Tools\chainsaw_all_platforms+rules\chainsaw\sigma\
  - Mapping file (tells Chainsaw how Sigma log sources map to Windows event log fields): C:\Users\Administrator\Desktop\Tools\chainsaw_all_platforms+rules\chainsaw\mappings\sigma-event-logs-all.yml

Step 3: Run Chainsaw Hunt Against a Log File

.\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\Users\Administrator\Desktop\Exports\Sysmon.evtx -s C:\Users\Administrator\Desktop\Tools\chainsaw_all_platforms+rules\chainsaw\sigma\ --mapping C:\Users\Administrator\Desktop\Tools\chainsaw_all_platforms+rules\chainsaw\mappings\sigma-event-logs-all.yml --csv --output Output\sysmon

This command scans the exported Sysmon.evtx log against the Sigma rules and writes any rule matches as CSV to the folder given with --output (Output\sysmon).

Step 4: Review the Output

Open the CSV files written to the Output\sysmon folder and review each rule match, noting the rule name, the matched event, and its timestamp so it can be correlated with the timeline built in Task 3.

You have successfully used Chainsaw and Sigma rules to identify suspicious events in Windows event logs. This automated detection step streamlines the triage process and enhances your ability to spot adversary tactics efficiently.