{
    "id": "924bd007-82e7-4175-88a3-33e8981b9c2b",
    "name": "Windows Event Log Analysis for IR",
    "slug": "windows-event-log-analysis-for-ir",
    "status": "published",
    "lab_type": "pta",
    "is_sample": false,
    "duration_in_seconds": 1800,
    "metadata": {
        "courses": [
            "1c059cf9-e0a3-4d5f-8aa9-cbfc8e5981ed"
        ],
        "pta_sdn": "1884",
        "collections": [],
        "pta_manual_id": "2f60-6123-ad34-fd1f",
        "pta_namespace": "my.ine",
        "learning_paths": [],
        "has_published_parent": true
    },
    "session": null,
    "company": "a491bc32-c056-4946-9169-cc053387bada",
    "created": "2025-06-30T00:08:39.874610Z",
    "modified": "2025-06-30T21:22:31.508885Z",
    "is_beta": false,
    "lab_objectives": [],
    "main_learning_area": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
    "learning_areas": [
        {
            "id": "3e1aa06f-2e9f-4789-b50d-aa027ad8dcfa",
            "name": "Cyber Security",
            "slug": "cyber-security"
        }
    ],
    "categories": [],
    "tags": [],
    "difficulty": "professional",
    "is_web_access": false,
    "is_lab_experience": false,
    "is_featured": false,
    "cve": null,
    "severity": null,
    "year": null,
    "classification": null,
    "is_trackable": false,
    "cpe_credits": null,
    "is_skill_check": false,
    "external_url": "",
    "solution_video": null,
    "explanation_video": null,
    "description": "## Windows Event Log Analysis for IR\nWelcome to the Windows Event Log Analysis for Incident Response Lab!\n\nThis lab is designed to provide you with a practical, hands-on experience in capturing, analyzing, and investigating Windows event logs as part of a simulated security incident.\n\nYou will learn how to collect Windows event logs from an endpoint, use tools like `EvtxECmd` and **Chainsaw** to triage and detect suspicious activity, and apply timeline analysis techniques using Timeline Explorer. \n\nWhether you\u2019re a student, aspiring analyst, or cybersecurity professional, this lab will help you develop essential skills in endpoint-focused threat detection and incident response using real-world tools and techniques.",
    "description_html": "<h2>Windows Event Log Analysis for IR</h2>\n<p>Welcome to the Windows Event Log Analysis for Incident Response Lab!</p>\n<p>This lab is designed to provide you with a practical, hands-on experience in capturing, analyzing, and investigating Windows event logs as part of a simulated security incident.</p>\n<p>You will learn how to collect Windows event logs from an endpoint, use tools like <code>EvtxECmd</code> and <strong>Chainsaw</strong> to triage and detect suspicious activity, and apply timeline analysis techniques using Timeline Explorer. </p>\n<p>Whether you\u2019re a student, aspiring analyst, or cybersecurity professional, this lab will help you develop essential skills in endpoint-focused threat detection and incident response using real-world tools and techniques.</p>",
    "tasks": "## Task 1: Exporting Windows Event Logs Using `wevtutil`\n- In this task, you will use the built-in Windows command-line tool `wevtutil` to export key event logs (such as Security, Sysmon, and Application logs) from the endpoint system. \n- This process simulates the real-world collection phase of incident response, where analysts acquire logs for further investigation.\n\n## Task 2: Parsing Event Logs with `EvtxECmd`\n- Use `EvtxECmd` to parse the exported `.evtx` files into structured **CSV** format. \n- This makes it easier to search, filter, and triage events using familiar tools like Excel or timeline utilities. \n- This step reflects the preprocessing phase, where raw logs are converted into a format suitable for analysis.\n\n## Task 3: Timeline Analysis with Timeline Explorer\n- Use Timeline Explorer to view and analyze event data chronologically. \n- Identify relationships between logon events, process creation, and other artifacts\u2014helping you build a timeline of the attacker\u2019s activity on the system.\n\n## Task 4: Threat Detection with Chainsaw and Sigma Rules\n- Use Chainsaw, a powerful forensic triage tool, to scan the event logs using Sigma rules. \n- Sigma provides a standardized way to define suspicious patterns in logs, and Chainsaw quickly flags matching events. \n- This task demonstrates how detection engineering and automated triage can accelerate incident response.",
    "tasks_html": "<h2>Task 1: Exporting Windows Event Logs Using <code>wevtutil</code></h2>\n<ul>\n<li>In this task, you will use the built-in Windows command-line tool <code>wevtutil</code> to export key event logs (such as Security, Sysmon, and Application logs) from the endpoint system. </li>\n<li>This process simulates the real-world collection phase of incident response, where analysts acquire logs for further investigation.</li>\n</ul>\n<h2>Task 2: Parsing Event Logs with <code>EvtxECmd</code></h2>\n<ul>\n<li>Use <code>EvtxECmd</code> to parse the exported <code>.evtx</code> files into structured <strong>CSV</strong> format. </li>\n<li>This makes it easier to search, filter, and triage events using familiar tools like Excel or timeline utilities. </li>\n<li>This step reflects the preprocessing phase, where raw logs are converted into a format suitable for analysis.</li>\n</ul>\n<h2>Task 3: Timeline Analysis with Timeline Explorer</h2>\n<ul>\n<li>Use Timeline Explorer to view and analyze event data chronologically. </li>\n<li>Identify relationships between logon events, process creation, and other artifacts\u2014helping you build a timeline of the attacker\u2019s activity on the system.</li>\n</ul>\n<h2>Task 4: Threat Detection with Chainsaw and Sigma Rules</h2>\n<ul>\n<li>Use Chainsaw, a powerful forensic triage tool, to scan the event logs using Sigma rules. </li>\n<li>Sigma provides a standardized way to define suspicious patterns in logs, and Chainsaw quickly flags matching events. </li>\n<li>This task demonstrates how detection engineering and automated triage can accelerate incident response.</li>\n</ul>",
    "published_date": "2025-06-30T21:22:31.503438Z",
    "solutions": "## Task 1: Exporting Windows Event Logs Using `wevtutil`\n\n### Objective\nThis task involves exporting critical Windows Event Logs from the target system using the built-in `wevtutil` command-line utility. These logs will be used for later parsing and analysis tasks.\n\n### Step 1: Open Command Prompt as Administrator\n1. Click on the Start menu and search for \"cmd\".\n2. Right-click on \"Command Prompt\" and select \"Run as administrator\".\n\n![image0](https://assets.ine.com/lab/learningpath/d0d1d47e62121c80a2bda929ab9121d1299604ada7ade88307bed21e81c3a1cd.png)\n\n### Step 2: Export the Event Logs Using `wevtutil`\nBefore exporting, you will need to create/specify a destination. In this lab, an output/destination folder for exports has already been created for you: `C:\\Users\\Administrator\\Desktop\\Exports\\`\n\n1. Use the following commands to export each log into .evtx format:\n\n```\nwevtutil epl Security C:\\Users\\Administrator\\Desktop\\Exports\\Security.evtx\nwevtutil epl System C:\\Users\\Administrator\\Desktop\\Exports\\System.evtx\nwevtutil epl Application C:\\Users\\Administrator\\Desktop\\Exports\\Application.evtx\nwevtutil epl Microsoft-Windows-Sysmon/Operational C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx\n```\n\n![image5](https://assets.ine.com/lab/learningpath/3036a3059a7fa6a496cc161f296da0599d651f45bf5120443127bffccdb03432.png)\n\n2. Navigate to the output folder `C:\\Users\\Administrator\\Desktop\\Exports\\` and confirm the `.evtx` files are present and correctly named.\n\n![image4](https://assets.ine.com/lab/learningpath/d0e89ccd987b62ca1298ee60917a8498e34a3e85c6e1f20aa9c41339a14b712f.png)\n\n\nYou have successfully exported key Windows Event Logs using `wevtutil`. These `.evtx` files will be used in the next tasks for parsing and analysis.\n\n---\n\n## Task 2: Parsing Event Logs with `EvtxECmd`\n\n### Objective \n- In this task, you will use EvtxECmd to parse the `.evtx` files exported in **Task 1**. 
\n- This tool converts event logs into structured `.csv` files that are easier to filter, analyze, and correlate in later tasks.\n\n### Step 1: Navigate to the `Tools` Directory\n- `EvtxECmd` has already been downloaded for you and is accessible in the `Tools` directory: `C:\\Users\\Administrator\\Desktop\\Tools\\EvtxECmd`\n\n![image1](https://assets.ine.com/lab/learningpath/2ba8cd7b45a11593d572cc7db948864b0c63983ec46290c16eb0e0de1651f615.png)\n\n1. Open Command Prompt as Administrator.\n2. Navigate to the folder where `EvtxECmd` is located.\n\n```\ncd C:\\Users\\Administrator\\Desktop\\Tools\\EvtxECmd\n``` \n\n![image2](https://assets.ine.com/lab/learningpath/5f1e64745cac019199a1f23461897634deee5a2041f2e219543135d1d66f6fca.png)\n\n### Step 2: Parse Event Log Files with `EvtxECmd`\nIn this lab, we will be limiting our focus to the **Security** channel and the **Sysmon** event logs.\n\n1. Use the `-f` flag to specify the input `.evtx` file and the `--csv` flag to specify the output directory:\n\n```\nEvtxECmd.exe -f C:\\Users\\Administrator\\Desktop\\Exports\\Security.evtx --csv C:\\Users\\Administrator\\Desktop\\Exports\\Security\nEvtxECmd.exe -f C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx --csv C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon\n``` \n\n![image14](https://assets.ine.com/lab/learningpath/cc7c90ea6757eac3e2db587352f449a6fef02aa8268f0b506e488e3e5f981d49.png)\n\n![image19](https://assets.ine.com/lab/learningpath/41cb89c884f7db87d9a4e62b7e38e6bc1ce8adf30dc4bb30e0bba3c119805102.png)\n\n\n### Step 3: Verify the Parsed Output\nNavigate to the directory/folder where you saved the parsed logs and confirm that `.csv` files have been created for each `.evtx` input.\n\n![image12](https://assets.ine.com/lab/learningpath/a107d2d7990b899a6e8d196b54d13c072a020f53142044e2b83a42d7c6a9df67.png)\n\nYou have now successfully parsed the Windows Event Logs into structured CSV format using `EvtxECmd`. 
These files will be used in the following tasks for log analysis and timeline construction.\n\n---\n\n## Task 3: Timeline Analysis with **Timeline Explorer**\n\n### Objective\n- In this task, you will use Timeline Explorer to review and analyze the parsed event logs from **Task 2**. \n- **Timeline Explorer** provides a visual interface to sort, filter, and correlate events by timestamp to help reconstruct a timeline of attacker activity.\n\n### Step 1: Launch Timeline Explorer\n1. Navigate to the folder where Timeline Explorer is located: `C:\\Users\\Administrator\\Desktop\\Tools\\TimelineExplorer\\TimelineExplorer\\`\n2. Double-click on `TimelineExplorer.exe` to launch the tool.\n\n![image16](https://assets.ine.com/lab/learningpath/f51d76c4dae4f9d79060a5ced70b9f8814d11f6e06840595e3a26d60b5dd6ecc.png)\n\n\n### Step 2: Load a Parsed CSV File\n1. Drag and drop one of the parsed `.csv` files (e.g., `Sysmon.csv`) from the `C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon\\` directory into the Timeline Explorer window.\n\n![image18](https://assets.ine.com/lab/learningpath/c803cb1df6c74479c2814a1c55e52625569998103973d6b06ef7bb4723aa7714.png)\n\n\n2. The data will load into a table format sorted by the `TimeCreated` column.\n\n![image13](https://assets.ine.com/lab/learningpath/a9ea43e3f9464db3fdf0504b88128541047f7571596dc25c8fb93ef5f3445b62.png)\n\n\n### Step 3: Explore the Data\n1. Scroll through the events and examine columns like:\n   - `TimeCreated`\n   - `EventID`\n   - `Image` or `CommandLine` (if present)\n\n2. 
Sort the data by `TimeCreated` to view the chronological sequence of events.\n\n![image8](https://assets.ine.com/lab/learningpath/9de23da1a96b2222ac401a3917a16a7156e8b08796f9684e0d86acb075847b0e.png)\n\n\n### Step 4: Apply Filters to Identify Key Events\nUse the filter bar to narrow down events:\n- Example: Filter `EventID == 1` to show process creation events.\n\n![image3](https://assets.ine.com/lab/learningpath/a24d1efce31b02fce75f883520ec47ae3a09853305a0841a15f90c613af46792.png)\n\n- Example: Filter `Executable Info contains powershell` to identify suspicious script execution.\n\n![image6](https://assets.ine.com/lab/learningpath/8ac11cfc2aff462d930976f9676aeaa97a7804c5dd3c33ee4a966d30842bfc2e.png)\n\n- Applying both of the filters will allow you to identify malicious execution of PowerShell. As shown in the following screenshot, it appears that PowerShell was used to download and execute a PowerShell implementation of `Mimikatz` for the purpose of dumping credentials.\n\n![image10](https://assets.ine.com/lab/learningpath/2bbb5da255d5f5d99d8992e7b727afb3f928e9da0fa7fee549533e9fb0c8aba4.png)\n\n\n### Step 5: Analyze the Timeline\nReview the filtered and sorted data to:\n- Identify logon events and follow-up processes\n- Detect signs of persistence like scheduled tasks or new services\n- Correlate activity across multiple logs if merged into one CSV\n\n![image9](https://assets.ine.com/lab/learningpath/e42456e1b7cc1d72d790908a3cf225e2ca1d41efa8fd61a71ae6e83c3e676374.png)\n\nYou have successfully used Timeline Explorer to analyze parsed Windows event logs. This step enables you to visualize attacker behavior and build a coherent timeline of events, which is crucial in incident response investigations.\n\n---\n\n## Task 4: Threat Detection with **Chainsaw** and **Sigma** Rules\n\n### Objective\n- In this task, you will use **Chainsaw**, a fast forensic triage tool, to ***scan parsed Windows Event Logs*** using **Sigma** detection rules. 
\n- This process helps identify suspicious activity, such as unauthorized logons, PowerShell abuse, or persistence mechanisms.\n\n### Step 1: Navigate to the Chainsaw Directory\n- Open Command Prompt or PowerShell as Administrator and navigate to the Chainsaw directory: `C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw`\n\n![image7](https://assets.ine.com/lab/learningpath/e8264a5ab31f71f2db5b0f6e01ef40c99bc095eb70fc45456f52db8e45aca207.png)\n\n\n### Step 2: Identify Input and Rules Directories\n- Exported `.evtx` logs (from Task 1) should be located in `C:\\Users\\Administrator\\Desktop\\Exports\\`\n- Sigma rules are in the `sigma` subfolder of the Chainsaw directory: `C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\sigma`\n- The mapping file is located in: `C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\mappings`\n\n![image17](https://assets.ine.com/lab/learningpath/91a6784b5fb987c213f4eabf15c855bed0ca744e4e4e86045fcf91b05eae652b.png)\n\n### Step 3: Run Chainsaw ***Hunt*** Against a Log File\n- Use the following command to run Chainsaw against the `Sysmon.evtx` file using Sigma rules:\n\n```\n.\\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx -s C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\sigma\\ --mapping C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\mappings\\sigma-event-logs-all.yml --csv --output Output\\sysmon\n```\n\n![image11](https://assets.ine.com/lab/learningpath/7b4930a12a529562158f424867c43447d1ca124f0e7e4d8f99c8c9f7e637c202.png)\n\n\nThis command will scan the `Sysmon.evtx` log and output any rule matches to the specified folder.\n\n- The `-s` flag specifies the path of the directory containing the Sigma rules.\n- The `--mapping` flag specifies the Sigma mapping file.\n- The `--csv` and `--output` flags specify the format of the output and the output destination.\n\n![image20](https://assets.ine.com/lab/learningpath/7f9c308b1d1185e83e8b6f39c11cdfc07b4b346a3de15387855bcdfa331e11be.png)\n\n\n### Step 4: Review the Output\n- Navigate to the output directory and open the resulting `.csv` file. Review:\n  - Timestamps of detected events\n  - Matched Sigma rule names\n  - Associated process names, event IDs, or user accounts\n\n- As shown in the following screenshot, you can drag and drop the `.csv` file generated by Chainsaw into **Timeline Explorer** for analysis.\n\n![image15](https://assets.ine.com/lab/learningpath/5f4217062805d48ab00a92ae5f611caf6b14dea17b244fea8b375597e58dd152.png)\n\nYou have successfully used Chainsaw and Sigma rules to identify suspicious events in Windows event logs. This automated detection step streamlines the triage process and enhances your ability to spot adversary tactics efficiently.\n\n---",
    "solutions_html": "<h2>Task 1: Exporting Windows Event Logs Using <code>wevtutil</code></h2>\n<h3>Objective</h3>\n<p>This task involves exporting critical Windows Event Logs from the target system using the built-in <code>wevtutil</code> command-line utility. These logs will be used for later parsing and analysis tasks.</p>\n<h3>Step 1: Open Command Prompt as Administrator</h3>\n<ol>\n<li>Click on the Start menu and search for \"cmd\".</li>\n<li>Right-click on \"Command Prompt\" and select \"Run as administrator\".</li>\n</ol>\n<p><img alt=\"image0\" src=\"https://assets.ine.com/lab/learningpath/d0d1d47e62121c80a2bda929ab9121d1299604ada7ade88307bed21e81c3a1cd.png\" /></p>\n<h3>Step 2: Export the Event Logs Using <code>wevtutil</code></h3>\n<p>Before exporting, you will need to create/specify a destination. In this lab, an output/destination folder for exports has already been created for you: <code>C:\\Users\\Administrator\\Desktop\\Exports\\</code></p>\n<ol>\n<li>Use the following commands to export each log into .evtx format:</li>\n</ol>\n<pre class=\"codehilite\"><code>wevtutil epl Security C:\\Users\\Administrator\\Desktop\\Exports\\Security.evtx\nwevtutil epl System C:\\Users\\Administrator\\Desktop\\Exports\\System.evtx\nwevtutil epl Application C:\\Users\\Administrator\\Desktop\\Exports\\Application.evtx\nwevtutil epl Microsoft-Windows-Sysmon/Operational C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx</code></pre>\n\n<p><img alt=\"image5\" src=\"https://assets.ine.com/lab/learningpath/3036a3059a7fa6a496cc161f296da0599d651f45bf5120443127bffccdb03432.png\" /></p>\n<ol>\n<li>Navigate to the output folder <code>C:\\Users\\Administrator\\Desktop\\Exports\\</code> and confirm the <code>.evtx</code> files are present and correctly named.</li>\n</ol>\n<p><img alt=\"image4\" src=\"https://assets.ine.com/lab/learningpath/d0e89ccd987b62ca1298ee60917a8498e34a3e85c6e1f20aa9c41339a14b712f.png\" /></p>\n<p>You have successfully exported key Windows Event Logs 
using <code>wevtutil</code>. These <code>.evtx</code> files will be used in the next tasks for parsing and analysis.</p>\n<hr />\n<h2>Task 2: Parsing Event Logs with <code>EvtxECmd</code></h2>\n<h3>Objective</h3>\n<ul>\n<li>In this task, you will use EvtxECmd to parse the <code>.evtx</code> files exported in <strong>Task 1</strong>. </li>\n<li>This tool converts event logs into structured <code>.csv</code> files that are easier to filter, analyze, and correlate in later tasks.</li>\n</ul>\n<h3>Step 1: Navigate to the <code>Tools</code> Directory</h3>\n<ul>\n<li><code>EvtxECmd</code> has already been downloaded for you and is accessible in the <code>Tools</code> directory: <code>C:\\Users\\Administrator\\Desktop\\Tools\\EvtxECmd</code></li>\n</ul>\n<p><img alt=\"image1\" src=\"https://assets.ine.com/lab/learningpath/2ba8cd7b45a11593d572cc7db948864b0c63983ec46290c16eb0e0de1651f615.png\" /></p>\n<ol>\n<li>Open Command Prompt as Administrator.</li>\n<li>Navigate to the folder where <code>EvtxECmd</code> is located.</li>\n</ol>\n<pre class=\"codehilite\"><code>cd C:\\Users\\Administrator\\Desktop\\Tools\\EvtxECmd</code></pre>\n\n<p><img alt=\"image2\" src=\"https://assets.ine.com/lab/learningpath/5f1e64745cac019199a1f23461897634deee5a2041f2e219543135d1d66f6fca.png\" /></p>\n<h3>Step 2: Parse Event Log Files with <code>EvtxECmd</code></h3>\n<p>In this lab, we will be limiting our focus to the <strong>Security</strong> channel and the <strong>Sysmon</strong> event logs.</p>\n<ol>\n<li>Use the <code>-f</code> flag to specify the input <code>.evtx</code> file and the <code>--csv</code> flag to specify the output directory:</li>\n</ol>\n<pre class=\"codehilite\"><code>EvtxECmd.exe -f C:\\Users\\Administrator\\Desktop\\Exports\\Security.evtx --csv C:\\Users\\Administrator\\Desktop\\Exports\\Security\nEvtxECmd.exe -f C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx --csv C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon</code></pre>\n\n<p><img alt=\"image14\" 
src=\"https://assets.ine.com/lab/learningpath/cc7c90ea6757eac3e2db587352f449a6fef02aa8268f0b506e488e3e5f981d49.png\" /></p>\n<p><img alt=\"image19\" src=\"https://assets.ine.com/lab/learningpath/41cb89c884f7db87d9a4e62b7e38e6bc1ce8adf30dc4bb30e0bba3c119805102.png\" /></p>\n<h3>Step 3: Verify the Parsed Output</h3>\n<p>Navigate to the directory/folder where you saved the parsed logs and confirm that <code>.csv</code> files have been created for each <code>.evtx</code> input.</p>\n<p><img alt=\"image12\" src=\"https://assets.ine.com/lab/learningpath/a107d2d7990b899a6e8d196b54d13c072a020f53142044e2b83a42d7c6a9df67.png\" /></p>\n<p>You have now successfully parsed the Windows Event Logs into structured CSV format using <code>EvtxECmd</code>. These files will be used in the following tasks for log analysis and timeline construction.</p>\n<hr />\n<h2>Task 3: Timeline Analysis with <strong>Timeline Explorer</strong></h2>\n<h3>Objective</h3>\n<ul>\n<li>In this task, you will use Timeline Explorer to review and analyze the parsed event logs from <strong>Task 2</strong>. 
</li>\n<li><strong>Timeline Explorer</strong> provides a visual interface to sort, filter, and correlate events by timestamp to help reconstruct a timeline of attacker activity.</li>\n</ul>\n<h3>Step 1: Launch Timeline Explorer</h3>\n<ol>\n<li>Navigate to the folder where Timeline Explorer is located: <code>C:\\Users\\Administrator\\Desktop\\Tools\\TimelineExplorer\\TimelineExplorer\\</code></li>\n<li>Double-click on <code>TimelineExplorer.exe</code> to launch the tool.</li>\n</ol>\n<p><img alt=\"image16\" src=\"https://assets.ine.com/lab/learningpath/f51d76c4dae4f9d79060a5ced70b9f8814d11f6e06840595e3a26d60b5dd6ecc.png\" /></p>\n<h3>Step 2: Load a Parsed CSV File</h3>\n<ol>\n<li>Drag and drop one of the parsed <code>.csv</code> files (e.g., <code>Sysmon.csv</code>) from the <code>C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon\\</code> directory into the Timeline Explorer window.</li>\n</ol>\n<p><img alt=\"image18\" src=\"https://assets.ine.com/lab/learningpath/c803cb1df6c74479c2814a1c55e52625569998103973d6b06ef7bb4723aa7714.png\" /></p>\n<ol start=\"2\">\n<li>The data will load into a table format sorted by the <code>TimeCreated</code> column.</li>\n</ol>\n<p><img alt=\"image13\" src=\"https://assets.ine.com/lab/learningpath/a9ea43e3f9464db3fdf0504b88128541047f7571596dc25c8fb93ef5f3445b62.png\" /></p>\n<h3>Step 3: Explore the Data</h3>\n<ol>\n<li>Scroll through the events and examine columns like:\n<ul>\n<li><code>TimeCreated</code></li>\n<li><code>EventID</code></li>\n<li><code>Image</code> or <code>CommandLine</code> (if present)</li>\n</ul>\n</li>\n<li>Sort the data by <code>TimeCreated</code> to view the chronological sequence of events.</li>\n</ol>\n<p><img alt=\"image8\" src=\"https://assets.ine.com/lab/learningpath/9de23da1a96b2222ac401a3917a16a7156e8b08796f9684e0d86acb075847b0e.png\" /></p>\n<h3>Step 4: Apply Filters to Identify Key Events</h3>\n<p>Use the filter bar to narrow down events:</p>\n<ul>\n<li>Example: Filter <code>EventID == 1</code> to show process creation events.</li>\n</ul>\n<p><img alt=\"image3\" src=\"https://assets.ine.com/lab/learningpath/a24d1efce31b02fce75f883520ec47ae3a09853305a0841a15f90c613af46792.png\" /></p>\n<ul>\n<li>Example: Filter <code>Executable Info contains powershell</code> to identify suspicious script execution.</li>\n</ul>\n<p><img alt=\"image6\" src=\"https://assets.ine.com/lab/learningpath/8ac11cfc2aff462d930976f9676aeaa97a7804c5dd3c33ee4a966d30842bfc2e.png\" /></p>\n<ul>\n<li>Applying both of the filters will allow you to identify malicious execution of PowerShell. As shown in the following screenshot, it appears that PowerShell was used to download and execute a PowerShell implementation of <code>Mimikatz</code> for the purpose of dumping credentials.</li>\n</ul>\n<p><img alt=\"image10\" src=\"https://assets.ine.com/lab/learningpath/2bbb5da255d5f5d99d8992e7b727afb3f928e9da0fa7fee549533e9fb0c8aba4.png\" /></p>\n<h3>Step 5: Analyze the Timeline</h3>\n<p>Review the filtered and sorted data to:</p>\n<ul>\n<li>Identify logon events and follow-up processes</li>\n<li>Detect signs of persistence like scheduled tasks or new services</li>\n<li>Correlate activity across multiple logs if merged into one CSV</li>\n</ul>\n<p><img alt=\"image9\" src=\"https://assets.ine.com/lab/learningpath/e42456e1b7cc1d72d790908a3cf225e2ca1d41efa8fd61a71ae6e83c3e676374.png\" /></p>\n<p>You have successfully used Timeline Explorer to analyze parsed Windows event logs. This step enables you to visualize attacker behavior and build a coherent timeline of events, which is crucial in incident response investigations.</p>\n<hr />\n<h2>Task 4: Threat Detection with <strong>Chainsaw</strong> and <strong>Sigma</strong> Rules</h2>\n<h3>Objective</h3>\n<ul>\n<li>In this task, you will use <strong>Chainsaw</strong>, a fast forensic triage tool, to <strong><em>scan parsed Windows Event Logs</em></strong> using <strong>Sigma</strong> detection rules.
</li>\n<li>This process helps identify suspicious activity, such as unauthorized logons, PowerShell abuse, or persistence mechanisms.</li>\n</ul>\n<h3>Step 1: Navigate to the Chainsaw Directory</h3>\n<ul>\n<li>Open Command Prompt or PowerShell as Administrator and navigate to the Chainsaw directory: <code>C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw</code></li>\n</ul>\n<p><img alt=\"image7\" src=\"https://assets.ine.com/lab/learningpath/e8264a5ab31f71f2db5b0f6e01ef40c99bc095eb70fc45456f52db8e45aca207.png\" /></p>\n<h3>Step 2: Identify Input and Rules Directories</h3>\n<ul>\n<li>Exported <code>.evtx</code> logs (from Task 1) should be located in <code>C:\\Users\\Administrator\\Desktop\\Exports\\</code></li>\n<li>Sigma rules are in the <code>sigma</code> subfolder of the Chainsaw directory: <code>C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\sigma</code></li>\n<li>The mapping file is located in: <code>C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\mappings</code></li>\n</ul>\n<p><img alt=\"image17\" src=\"https://assets.ine.com/lab/learningpath/91a6784b5fb987c213f4eabf15c855bed0ca744e4e4e86045fcf91b05eae652b.png\" /></p>\n<h3>Step 3: Run Chainsaw <strong><em>Hunt</em></strong> Against a Log File</h3>\n<ul>\n<li>Use the following command to run Chainsaw against the <code>Sysmon.evtx</code> file using Sigma rules:</li>\n</ul>\n<pre class=\"codehilite\"><code>.\\chainsaw_x86_64-pc-windows-msvc.exe hunt C:\\Users\\Administrator\\Desktop\\Exports\\Sysmon.evtx -s C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\sigma\\ --mapping C:\\Users\\Administrator\\Desktop\\Tools\\chainsaw_all_platforms+rules\\chainsaw\\mappings\\sigma-event-logs-all.yml --csv --output Output\\sysmon</code></pre>\n\n<p><img alt=\"image11\" src=\"https://assets.ine.com/lab/learningpath/7b4930a12a529562158f424867c43447d1ca124f0e7e4d8f99c8c9f7e637c202.png\" /></p>\n<p>This command will scan the <code>Sysmon.evtx</code> log and output any rule matches to the specified folder.</p>\n<ul>\n<li>The <code>-s</code> flag specifies the path of the directory containing the Sigma rules.</li>\n<li>The <code>--mapping</code> flag specifies the Sigma mapping file.</li>\n<li>The <code>--csv</code> and <code>--output</code> flags specify the format of the output and the output destination.</li>\n</ul>\n<p><img alt=\"image20\" src=\"https://assets.ine.com/lab/learningpath/7f9c308b1d1185e83e8b6f39c11cdfc07b4b346a3de15387855bcdfa331e11be.png\" /></p>\n<h3>Step 4: Review the Output</h3>\n<ul>\n<li>Navigate to the output directory and open the resulting <code>.csv</code> file. Review:\n<ul>\n<li>Timestamps of detected events</li>\n<li>Matched Sigma rule names</li>\n<li>Associated process names, event IDs, or user accounts</li>\n</ul>\n</li>\n<li>As shown in the following screenshot, you can drag and drop the <code>.csv</code> file generated by Chainsaw into <strong>Timeline Explorer</strong> for analysis.</li>\n</ul>\n<p><img alt=\"image15\" src=\"https://assets.ine.com/lab/learningpath/5f4217062805d48ab00a92ae5f611caf6b14dea17b244fea8b375597e58dd152.png\" /></p>\n<p>You have successfully used Chainsaw and Sigma rules to identify suspicious events in Windows event logs. This automated detection step streamlines the triage process and enhances your ability to spot adversary tactics efficiently.</p>\n<hr />",
    "flags": [],
    "min_points_to_pass": null,
    "access_type": "default",
    "user_status": "unstarted",
    "user_lab_status": null,
    "user_status_modified": null,
    "user_flags": [],
    "global_running_session": null
}