# Event id 5038
# Code integrity determined that the image hash of a file is not valid
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT * FROM 'Security.evtx' WHERE EventID = '5038'"
# Event counts per EventID, most frequent first - quick triage of what the exported log actually contains
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT COUNT(*) AS CNT, EventID FROM 'Security.evtx' GROUP BY EventID ORDER BY CNT DESC"
# Event id 1102
# The audit log was cleared (who cleared it, and when)
# NOTE(review): the 1102 Strings tokens look like SubjectUserSid|SubjectUserName|SubjectDomainName|SubjectLogonId,
# so token 2 is probably the account's domain rather than a workstation name - confirm before relying on the Workstation column
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') as Username, EXTRACT_TOKEN(Strings, 2, '|') AS Workstation FROM 'Security.evtx' WHERE EventID = '1102'"
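# Eventid 4624
# successful logon
# Token map used below (0-based EXTRACT_TOKEN index into Strings): 5 TargetUserName, 6 TargetDomainName,
# 8 LogonType, 9 LogonProcessName (e.g. 'NtLmSsp'), 11 WorkstationName, 17 ProcessName, 18 IpAddress.
# NOTE(review): token 9 is the logon process, not the authentication package (that is token 10, e.g. 'NTLM'/'Kerberos');
# the AuthPackage alias is kept so the aggregate queries below keep working - confirm against the 4624 schema.
# Built-in identities are filtered out; Log Parser uses ';' (not ',') as the separator inside IN lists.
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Find specific user
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
# Find RDP logons (LogonType 10 = RemoteInteractive)
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '10'"
# Find console logons (LogonType 2 = Interactive)
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND LogonType = '2'"
# Find specific IP
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType,EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
# look at NTLM based logons
# possible pass-the-hash
# Fix: this query extracted token 10 but filtered on LIKE '%NtLmSsp%', which only matches the logon process in
# token 9 (the same token the grouped query below and the AuthPackage breakdown use) - it returned nothing.
# Machine accounts (names ending in '$') are excluded.
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
# group by NTLM users (-q:ON suppresses the interactive "press a key" paging)
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-q:ON -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 8, '|') as LogonType, EXTRACT_TOKEN(strings, 9, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 11, '|') AS Workstation, EXTRACT_TOKEN(Strings, 17, '|') AS ProcessName, EXTRACT_TOKEN(Strings, 18, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, ProcessName, SourceIP ORDER BY CNT DESC"
# group by users
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 5, '|') as Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
# group by domain
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 6, '|') as Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY Domain ORDER BY CNT DESC"
# group by authpackage (token 9 - see the note at the top of this section)
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 9, '|') as AuthPackage, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY AuthPackage ORDER BY CNT DESC"
# group by LogonType
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 8, '|') as LogonType, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY LogonType ORDER BY CNT DESC"
# group by workstation name
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 11, '|') as Workstation, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY Workstation ORDER BY CNT DESC"
# group by process name
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "SELECT EXTRACT_TOKEN(Strings, 17, '|') as ProcName, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4624 GROUP BY ProcName ORDER BY CNT DESC"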
# Event id 4625
# unsuccessful logon
# Token map (0-based): 5 TargetUserName, 6 TargetDomainName, 10 LogonType, 11 LogonProcessName, 13 WorkstationName, 19 IpAddress
# NOTE(review): as in the 4624 queries, the AuthPackage column is the logon process name (token 11), not the
# authentication package - confirm against the 4625 schema before reading it as such
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY')"
# Failed logons for one account
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND Username = 'Administrator'"
# Failed logons from one source address
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND SourceIP = '10.1.47.151'"
# Failed NTLM attempts (machine accounts excluded)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType, EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$'"
# Same, aggregated per user / source
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username, EXTRACT_TOKEN(Strings, 6, '|') as Domain, EXTRACT_TOKEN(Strings, 10, '|') as LogonType,EXTRACT_TOKEN(strings, 11, '|') AS AuthPackage, EXTRACT_TOKEN(Strings, 13, '|') AS Workstation, EXTRACT_TOKEN(Strings, 19, '|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Domain NOT IN ('NT AUTHORITY') AND AuthPackage LIKE '%NtLmSsp%' AND Username NOT LIKE '%$' GROUP BY Username, Domain, LogonType, AuthPackage, Workstation, SourceIP ORDER BY CNT DESC"
# Failed logon count per user - a long tail of one-off names is a password-spray signal
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings, 5, '|') as Username FROM 'Security.evtx' WHERE EventID = 4625 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
# event id 4634
# user logoff
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4634 AND Domain NOT IN ('NT AUTHORITY')"
# Event id 4648
# A logon was attempted using explicit credentials (runas / "use other credentials")
# accountname = the account that initiated it, usedaccount = the credentials it supplied, targetserver = where they were used
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648"
# Search by the initiating account
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648 AND accountname = 'Administrator'"
# Search by the credentials that were used
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT timegenerated as date, extract_token(strings, 1, '|') as accountname, extract_token(strings, 2, '|') as domain, extract_token(strings, 5, '|') as usedaccount, extract_token(strings, 6, '|') as useddomain, extract_token(strings, 8, '|') as targetserver, extract_token(strings, 9, '|') as extradata, extract_token(strings, 11, '|') as procname, extract_token(strings, 12, '|') as sourceip from 'Security.evtx' WHERE EventID = 4648 AND usedaccount = 'Administrator'"
# Count per initiating account
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT COUNT(*) as CNT, extract_token(strings, 1, '|') as accountname from 'Security.evtx' WHERE EventID = 4648 GROUP BY accountname ORDER BY CNT DESC"
# Count per supplied account
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT COUNT(*) as CNT, extract_token(strings, 5, '|') as usedaccount from 'Security.evtx' WHERE EventID = 4648 GROUP BY usedaccount ORDER BY CNT DESC"
# event id 4657
# A registry value was modified (only logged where object access auditing / a SACL is configured)
# Full-row dump: the Strings layout varies, so no token extraction here
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT * FROM 'Security.evtx' WHERE EventID = '4657'"
# event id 4663
# An attempt was made to access an object (same auditing prerequisite as 4657)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "SELECT * FROM 'Security.evtx' WHERE EventID = '4663'"
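# Event id 4672
# Special privileges assigned to new logon (admin-equivalent logon)
# Fix: the closing double quote was missing on this line, so PowerShell treated everything up to the next
# quote (two lines down) as part of the string and the whole section failed to parse.
&'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe'-stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings, 1, '|') AS Username, EXTRACT_TOKEN(Strings, 2, '|') AS Domain FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY')"
# Find specific user
# (spacing around FROM / WHERE restored; the pasted copy had run the keywords into the quoted file name)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') AND Username ='Administrator'"
# group by username (machine accounts excluded)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings,1,'|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4672 AND Username NOT IN ('SYSTEM'; 'ANONYMOUS LOGON'; 'LOCAL SERVICE'; 'NETWORK SERVICE') AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings,2,'|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4672 AND Domain NOT IN ('NT AUTHORITY') GROUP BY Domain ORDER BY CNT DESC"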
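# event id 4688
# new process was created
# Fix: every query in this section read "AS ProcessFROM'Security.evtx'WHERE ..." - the space between the alias and
# FROM was lost, so Log Parser saw an alias named ProcessFROM and no FROM clause. Spacing restored.
# Token 5 is the new process image path. NOTE(review): when "Include command line in process creation events" is
# enabled the command line is carried in a later token (believed to be 8) - confirm before adding it to the SELECT.
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain, EXTRACT_TOKEN(Strings,5,'|') AS Process FROM 'Security.evtx' WHERE EventID = 4688"
# Search by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain, EXTRACT_TOKEN(Strings,5,'|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 AND Username ='Administrator'"
# Search by process name
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain, EXTRACT_TOKEN(Strings,5,'|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 AND Process LIKE '%rundll32.exe%'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings,1,'|') AS Username FROM 'Security.evtx' WHERE EventID = 4688 GROUP BY Username ORDER BY CNT DESC"
# group by process name (rare image paths at the bottom of the list are the ones worth a second look)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, EXTRACT_TOKEN(Strings,5,'|') AS Process FROM 'Security.evtx' WHERE EventID = 4688 GROUP BY Process ORDER BY CNT DESC"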
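# Group membership / account management events.
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
# For the 47xx member add/remove events tokens 0/2/3 are the member, group and group domain and 6/7 the subject (who did it).
# event id 4728
# A member was added to a security-enabled global group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as addeduser, extract_token(strings,2,'|') as togroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoadded, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4728'"
# event id 4729
# A member was removed from a security-enabled global group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as removeduser, extract_token(strings,2,'|') as fromgroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoremoved, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4729'"
# event id 4731
# A security-enabled local group was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as createdgroup, extract_token(strings,1,'|') as domain, extract_token(strings,4,'|') as whichaccount, extract_token(strings,5,'|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4731"
# event id 4732
# A member was added to a security-enabled local group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as addeduser, extract_token(strings,2,'|') as togroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoadded, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4732'"
# event id 4733
# A member was removed from a security-enabled local group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as removeduser, extract_token(strings,2,'|') as fromgroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoremoved, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4733'"
# event id 4734
# A security-enabled local group was deleted
# NOTE(review): the token indexes here are not the same layout as the add/remove events above - verify them against a real 4734 record
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,2,'|') AS whichgroup, EXTRACT_TOKEN(Strings,3,'|') AS domaingroup, EXTRACT_TOKEN(Strings,6,'|') AS who, EXTRACT_TOKEN(Strings,7,'|') AS workstation FROM 'Security.evtx' WHERE EventID = 4734"
# event id 4738
# user account was changed (user = the account that was changed, whichaccount = who changed it)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,1,'|') as user, extract_token(strings,2,'|') as domain, extract_token(strings,5,'|') as whichaccount, extract_token(strings,6,'|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4738"
# event id 4740
# A user account was locked out
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as user, extract_token(strings,1,'|') as workstation, extract_token(strings,4,'|') as wholocked, extract_token(strings,5,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4740'"
# event id 4742
# computer account was changed (note: user = token 5 here, i.e. who made the change; whichaccount = the computer account)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,5,'|') as user, extract_token(strings,6,'|') as domain, extract_token(strings,1,'|') as whichaccount, extract_token(strings,2,'|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4742"
# event id 4754
# A security-enabled universal group was created
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as createdgroup, extract_token(strings,1,'|') as domain, extract_token(strings,4,'|') as whichaccount, extract_token(strings,5,'|') as whichdomain FROM 'Security.evtx' WHERE EventID = 4754"
# event id 4756
# A member was added to a security-enabled universal group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as addeduser, extract_token(strings,2,'|') as togroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoadded, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4756'"
# event id 4757
# A member was removed from a security-enabled universal group
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(Strings,0,'|') as removeduser, extract_token(strings,2,'|') as fromgroup, extract_token(strings,3,'|') as groupdomain, extract_token(strings,6,'|') as whoremoved, extract_token(strings,7,'|') as whodomain FROM 'Security.evtx' WHERE EventID = '4757'"
# event id 4758
# A security-enabled universal group was deleted (same token caveat as 4734)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,2,'|') AS whichgroup, EXTRACT_TOKEN(Strings,3,'|') AS domaingroup, EXTRACT_TOKEN(Strings,6,'|') AS who, EXTRACT_TOKEN(Strings,7,'|') AS workstation FROM 'Security.evtx' WHERE EventID = 4758"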
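# event id 4768
# A Kerberos authentication ticket (TGT) was requested
# Tokens: 0 TargetUserName, 1 TargetDomainName, 7 TicketEncryptionType, 9 IpAddress.
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as user, extract_token(strings,1,'|') as domain, extract_token(strings,7,'|') as cipher, extract_token(strings,9,'|') as sourceip FROM 'Security.evtx' WHERE EventID = 4768"
# group by user (machine accounts excluded)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,0,'|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,1,'|') as domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 GROUP BY domain ORDER BY CNT DESC"
# group by cipher (encryption type is a hex code, e.g. 0x12 AES256, 0x17 RC4)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,7,'|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4768 GROUP BY cipher ORDER BY CNT DESC"
# event id 4769
# Kerberos Service ticket was requested
# Tokens: 0 TargetUserName, 1 TargetDomainName, 2 ServiceName, 5 TicketEncryptionType, 6 IpAddress.
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as user, extract_token(strings,1,'|') as domain, extract_token(strings,2,'|') as service, extract_token(strings,5,'|') as cipher, extract_token(strings,6,'|') as sourceip FROM 'Security.evtx' WHERE EventID = 4769"
# group by user (machine accounts excluded)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,0,'|') as user, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,1,'|') as domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY domain ORDER BY CNT DESC"
# group by service
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,2,'|') as service, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY service ORDER BY CNT DESC"
# group by cipher - a spike of RC4 (0x17) service-ticket requests for many distinct services from one account
# is the usual Kerberoasting detection signal; baseline this per environment
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,5,'|') as cipher, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4769 GROUP BY cipher ORDER BY CNT DESC"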
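# event id 4771
# Kerberos pre-authentication failed (the Kerberos counterpart of 4625; bursts per source IP indicate guessing)
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,0,'|') as user, extract_token(strings,6,'|') as sourceip FROM 'Security.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$'"
# group by user (COUNT(user) counts non-empty names; the rest of the file uses COUNT(*))
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT extract_token(strings,0,'|') as user, COUNT(user) AS CNT FROM 'Security.evtx' WHERE EventID = 4771 AND user NOT LIKE '%$' GROUP BY user ORDER BY CNT DESC"
# event id 4776
# The domain controller / computer attempted to validate the credentials for an account (NTLM validation)
# NOTE(review): for 4776 token 2 is believed to be the source Workstation rather than a domain, so the Domain alias
# and the NOT IN ('NT AUTHORITY') filter may not do what they suggest - confirm against a real record
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$'"
# Search by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, EXTRACT_TOKEN(Strings,1,'|') AS Username, EXTRACT_TOKEN(Strings,2,'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4776 AND Domain NOT IN ('NT AUTHORITY') AND Username NOT LIKE '%$' AND Username ='Administrator'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings,1,'|') AS Username, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4776 AND Username NOT LIKE '%$' GROUP BY Username ORDER BY CNT DESC"
# group by domain (see the token-2 note above)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select EXTRACT_TOKEN(Strings,2,'|') AS Domain, COUNT(*) AS CNT FROM 'Security.evtx' WHERE EventID = 4776 GROUP BY Domain ORDER BY CNT DESC"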
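# Session / account / firewall-policy events.
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
# event id 4778
# RDP session reconnected (tokens 4/5 are the client name and client address)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings,0,'|') AS Username, EXTRACT_TOKEN(Strings,1,'|') AS Domain, EXTRACT_TOKEN(Strings,4,'|') AS Workstation, EXTRACT_TOKEN(Strings,5,'|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4778"
# event id 4779
# RDP session disconnected
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date,EXTRACT_TOKEN(Strings,0,'|') AS Username, EXTRACT_TOKEN(Strings,1,'|') AS Domain, EXTRACT_TOKEN(Strings,4,'|') AS Workstation, EXTRACT_TOKEN(Strings,5,'|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4779"
# event id 4781
# User account was renamed (newname/oldname = the renamed account, Username/Domain = who renamed it)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,0,'|') AS newname, EXTRACT_TOKEN(Strings,1,'|') AS oldname, EXTRACT_TOKEN(Strings,2,'|') AS accdomain, EXTRACT_TOKEN(Strings,5,'|') AS Username, EXTRACT_TOKEN(Strings,6,'|') AS Domain FROM 'Security.evtx' WHERE EventID = 4781"
# event id 4825
# RDP access denied (user is not a member of the Remote Desktop Users / Administrators groups)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, EXTRACT_TOKEN(Strings,0,'|') AS Username, EXTRACT_TOKEN(Strings,1,'|') AS Domain, EXTRACT_TOKEN(Strings,3,'|') AS SourceIP FROM 'Security.evtx' WHERE EventID = 4825"
# event id 4946
# A rule was added to the Windows Firewall exception list (Security log copy of the firewall change)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,2,'|') as rulename FROM 'Security.evtx' WHERE EventID = 4946"
# group by rule name
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings,2,'|') as rulename FROM 'Security.evtx' WHERE EventID = 4946 GROUP BY rulename ORDER BY CNT DESC"
# event id 4948
# A rule was deleted from the Windows Firewall exception list
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,2,'|') as rulename FROM 'Security.evtx' WHERE EventID = 4948"
# group by rule name
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Count(*) as CNT, extract_token(strings,2,'|') as rulename FROM 'Security.evtx' WHERE EventID = 4948 GROUP BY rulename ORDER BY CNT DESC"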
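# event id 5136
# A directory service object was modified
# Fix: this section was headed "event id 5038 / Code integrity ..." but every query selects EventID 5136;
# the 5038 query lives at the top of the file. Tokens: 3 SubjectUserName, 4 SubjectDomainName, 8 ObjectDN,
# 10 ObjectClass, 11 AttributeLDAPDisplayName, 13 AttributeValue. Requires "Audit Directory Service Changes" on the DC.
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT TimeGenerated AS Date, extract_token(strings,3,'|') AS Username, extract_token(strings,4,'|') AS Domain, extract_token(strings,8,'|') AS objectdn, extract_token(strings,10,'|') AS objectclass, extract_token(strings,11,'|') AS objectattrib, extract_token(strings,13,'|') AS attribvalue FROM 'Security.evtx' WHERE EventID = '5136'"
# group by username
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,3,'|') AS Username FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY Username ORDER BY CNT DESC"
# group by domain
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,4,'|') AS Domain FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY Domain ORDER BY CNT DESC"
# group by objectdn
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,8,'|') AS objectdn FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectdn ORDER BY CNT DESC"
# group by objectclass
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,10,'|') AS objectclass FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectclass ORDER BY CNT DESC"
# group by objectattrib (changes to attributes such as group membership or ACL-bearing attributes are the ones to triage first)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,11,'|') AS objectattrib FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY objectattrib ORDER BY CNT DESC"
# group by attribvalue
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "SELECT COUNT(*) AS CNT, extract_token(strings,13,'|') AS attribvalue FROM 'Security.evtx' WHERE EventID = '5136' GROUP BY attribvalue ORDER BY CNT DESC"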
#####################
# System Log
#####################
# EventID 7045
# A service was installed in the system (ServicePath = image path, ServiceUser = account the service runs as)
# New services with paths under user-writable or temp directories are a common persistence indicator
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "Select TimeGenerated AS Date, extract_token(strings,0,'|') AS ServiceName, extract_token(strings,1,'|') AS ServicePath, extract_token(strings,4,'|') AS ServiceUser FROM System.evtx WHERE EventID =7045"
# EventID 7036
# Service state changes (entered running / stopped)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "Select TimeGenerated AS Date, extract_token(strings,0,'|') as servicename FROM System.evtx WHERE EventID =7036"
# Count per service name
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -i:EVT -stats:OFF "Select COUNT(*) as CNT, extract_token(strings,0,'|') as servicename FROM System.evtx WHERE EventID =7036 GROUP BY servicename ORDER BY CNT DESC"
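#####################
# Task Scheduler Log
#####################
# The exported channel file name uses '%4' where the channel name has a '/' (Microsoft-Windows-TaskScheduler/Operational).
# Spacing around FROM / WHERE restored throughout this section (the pasted copy had run the keywords into the quoted file name).
# EventID 100
# Task was run (token 0 = task path, token 1 = user context)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0,'|') as taskname, extract_token(strings,1,'|') as username FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,0,'|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 100 GROUP BY taskname ORDER BY CNT DESC"
# eventid 200
# action was executed (token 1 = the executable the task launched)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,0,'|') as taskname, extract_token(strings,1,'|') as taskaction FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200"
# group by action
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,1,'|') as taskaction, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 200 GROUP BY taskaction ORDER BY CNT DESC"
# eventid 140
# user updated a task
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings,0,'|') as taskname, extract_token(strings,1,'|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,1,'|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY user ORDER BY CNT DESC"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,0,'|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 140 GROUP BY taskname ORDER BY CNT DESC"
# event id 141
# user deleted a task (task deletion after execution is a common clean-up pattern worth correlating with 100/200)
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated as Date, extract_token(strings,0,'|') as taskname, extract_token(strings,1,'|') as user FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,1,'|') as user, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY user ORDER BY CNT DESC"
# group by taskname
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,0,'|') as taskname, count(*) as cnt FROM 'Microsoft-Windows-TaskScheduler%4Operational.evtx' WHERE EventID = 141 GROUP BY taskname ORDER BY CNT DESC"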
#######################
# Windows Firewall Log
#######################
# EventID 2004
# New exception rule was added
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(strings,1,'|') as rulename, extract_token(strings,3,'|') as apppath, extract_token(strings,22,'|') as changedapp from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2004"
# group by apppath
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,3,'|') as apppath from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2004 GROUP BY apppath ORDER BY CNT DESC"
# event id 2005
# rule was changed
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings,1,'|') as rulename, extract_token(Strings,3,'|') AS apppath, extract_token(Strings,4,'|') AS servicename, extract_token(strings,7,'|') AS localport, extract_token(strings,22,'|') as modifyingapp from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005"
# group by apppath
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,3,'|') as apppath from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005 GROUP BY apppath ORDER BY CNT DESC"
# group by rulename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,1,'|') as rulename from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005 GROUP BY rulename ORDER BY CNT DESC"
# group by servicename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,4,'|') as servicename from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005 GROUP BY servicename ORDER BY CNT DESC"
# group by local port
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,7,'|') as localport from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005 GROUP BY localport ORDER BY CNT DESC"
# group by modifyingapp
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,22,'|') as modifyingapp from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2005 GROUP BY modifyingapp ORDER BY CNT DESC"
# event id 2006
# rule was deleted
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select TimeGenerated AS Date, extract_token(Strings,1,'|') as rulename, extract_token(strings,3,'|') as changedapp from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2006"
# group by rulename
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,1,'|') as rulename from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2006 GROUP BY rulename ORDER BY CNT DESC"
# group by changedapp
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,3,'|') as changedapp from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2006 GROUP BY changedapp ORDER BY CNT DESC"
# EventID 2011
# Firewall blocked inbound connections to the application, but did not notify the user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select Timegenerated as date, extract_token(strings,1,'|') as file, extract_token(strings,4,'|') as port from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2011"
# group by application
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select COUNT(*) as CNT, extract_token(strings,1,'|') as file from'Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx'WHERE EventID =2011 GROUP BY file ORDER BY CNT DESC"
######################
# RDP LocalSession Log
# Local logins
######################
# Event id 21
# Successful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings,0,'|') as user, extract_token(strings,2,'|') as sourceip FROM'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'WHERE EventID =21"
# find specific user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings,0,'|') as user, extract_token(strings,2,'|') as sourceip FROM'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'WHERE EventID =21 AND user LIKE '%Administrator%'"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,0,'|') as user, count(*) as CNT FROM'Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'WHERE EventID =21 GROUP BY user ORDER BY CNT DESC"
#######################
# RDP RemoteSession Log
#######################
# Event ID 1149
# Successful logon
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select timegenerated as Date, extract_token(strings,0,'|') as user, extract_token(strings,2,'|') as sourceip FROM'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'WHERE EventID =1149"
# group by user
& 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' -stats:OFF -i:EVT "Select extract_token(strings,0,'|') as user, count(*) as CNT FROM'Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx'WHERE EventID =1149 GROUP BY user ORDER BY CNT DESC"