extracting-windows-event-logs-artifacts

# Extracting Windows Event Logs Artifacts ## When to Use - When investigating security incidents on Windows systems through event log analysis - For detecting lateral movement, privilege escalation, and persistence mechanisms - When performing threat hunting across Windows event log data - During compliance audits requiring review of authentication and access events - When building forensic timelines from Windows system activity ## Prerequisites - Windows Event Log files (EVTX format) from forensic image or live system - Chainsaw, Hayabusa, or EvtxECmd for parsing and detection - Sigma rules for automated threat detection - Understanding of critical Windows Event IDs - Python with python-evtx or evtx library for custom parsing - PowerShell for live system analysis (if applicable) ## Workflow ### Step 1: Collect Windows Event Log Files ```bash # Extract EVTX files from forensic image mount -o ro,loop,offset=$((2048*512)) /cases/case-2024-001/images/evidence.dd /mnt/evidence mkdir -p /cases/case-2024-001/evtx/ cp /mnt/evidence/Windows/System32/winevt/Logs/*.evtx /cases/case-2024-001/evtx/ # Key event logs to prioritize # Security.evtx - Authentication, authorization, audit events # System.evtx - System services, drivers, hardware events # Application.evtx - Application errors and events # Microsoft-Windows-Sysmon%4Operational.evtx - Detailed process/network monitoring # Microsoft-Windows-PowerShell%4Operational.evtx - PowerShell activity # Microsoft-Windows-TerminalServi...