- 7 Jul 2013
In this topic we will examine the logs on our system with PowerShell, one of Windows' own platforms. It is usually presented as an alternative to cmd, but it differs from cmd, for better and for worse, in various respects. First of all, a "log" is a record. Logging is the process of keeping track of digital activity in these records: with today's technology it means keeping a record of every action performed on electronic systems such as software, operating systems and IoT devices. Log records are important for all electronic devices and have become indispensable for shedding light on cybersecurity incidents; logging has a particularly important place in the detection of cyber incidents and in incident management. Law No. 5651 and important IT-sector requirements such as ISO 27001 have made logging mandatory. In short, logging is a structure that records the actions of a system, a device and the users on that system.
Examination of logs
First, let's type "PowerShell" (without quotes) in the search bar next to the Windows icon at the bottom left corner and run Windows PowerShell.
Let's start by listing the logs kept on the system and the number of records in each log.
Code:
Get-EventLog -List
Let's narrow the search a little and look at one specific log.
Code:
Get-EventLog security
Hundreds of records will start scrolling across your screen. You can organise them to make reading easier: with the "Add criteria" button in the window that opens, you can group your log records, list them according to certain criteria, and read the records in these lists in detail.
Code:
Get-EventLog security | Out-GridView
How about a more specific review of the recent past? With the following command we print the last 10 log records. Of course, the log name and number here are just examples. For instance, if you want to examine the last 20 records of the system log, change "security" in the command to "system" and "10" to "20".
Code:
Get-EventLog security -Newest 10
Shouldn't we also save these log records so that we can examine them later? Variables, written with a "$" prefix, are useful for this. We can store records in the form "$VARIABLE_NAME = ..." and recall them faster later.
Code:
$saklanacak_log_kayitlari = Get-EventLog security -Newest 10
$saklanacak_log_kayitlari
Records can be grouped and counted quickly. For this, the following command is enough:
Code:
$saklanacak_log_kayitlari | Group-Object InstanceID
If you are searching for a specific event type, the search can be narrowed with the "-InstanceId" parameter.
Code:
Get-EventLog -LogName "Windows PowerShell" -InstanceId 600
We can also view the details of our records. Let's create an example: first, let's store the newest record of the "Windows PowerShell" log under the name tht_edros. (All names, numbers and log names here are examples; you can change them for your own purposes.)
Code:
$tht_edros = Get-EventLog -LogName "Windows PowerShell" -Newest 1
Then let's check our record.
Code:
$tht_edros
Let's examine this record in full detail. The * at the end of the command means "show all properties". Later in this topic I'll also show how to narrow this down.
Code:
$tht_edros | Select-Object -Property *
Let's do the narrowing mentioned in the previous step: print the machine name and the time the record was generated as the details of the saved record. You can change these according to your own purposes.
Code:
$tht_edros | Select-Object -Property MachineName,TimeGenerated
Finally, let's look at how the records from a certain time period are retrieved and saved. Let's start by creating a variable:
Code:
$gecen_ay_kayitlari = (Get-Date).AddDays(-30)
We assigned a date to the variable named $gecen_ay_kayitlari ("last month's records"): -30 days added to the current date, so that the records scanned go back one month. The number and the operation can vary. Now let's print these records on the screen.
Code:
Get-EventLog -LogName security -After $gecen_ay_kayitlari
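The following script is an added example, not part of the original post: it combines the steps above (a 30-day window, storing the records in a variable, grouping by InstanceId, selecting a few fields) into one triage run and saves the result to disk with its hash. It assumes Windows PowerShell 5.1 (Get-EventLog was removed in PowerShell 7) and an elevated session, which the Security log requires; the log name and output path are sample values.

```powershell
# Added example, not from the original post: one script that combines the steps above
# (time window, variable storage, grouping by InstanceId, selecting fields) and saves
# the result as evidence. Assumes Windows PowerShell 5.1 (Get-EventLog was removed in
# PowerShell 7) and an elevated session, which the Security log requires.
$LogName    = 'Security'                       # sample log; 'System' or 'Application' also work
$Since      = (Get-Date).AddDays(-30)          # same 30-day window as the post
$ReportPath = "$env:TEMP\eventlog_summary.csv" # assumed output location

# Read the log once into a variable; every later step reuses it instead of re-reading the log
$kayitlar = Get-EventLog -LogName $LogName -After $Since
"$($kayitlar.Count) records in '$LogName' since $Since"

# 1. Which event types dominate? A sudden spike in one InstanceId is worth a closer look.
$kayitlar |
    Group-Object -Property InstanceId |
    Sort-Object -Property Count -Descending |
    Select-Object -First 10 -Property Count, Name |
    Format-Table -AutoSize

# 2. Records per day: a gap can mean the log was cleared or the machine was offline.
$kayitlar |
    Group-Object -Property { $_.TimeGenerated.Date.ToString('yyyy-MM-dd') } |
    Sort-Object -Property Name |
    Select-Object -Property Name, Count |
    Format-Table -AutoSize

# 3. Keep only the fields an analyst needs, write them to disk, and record the file hash
#    so that later modification of the exported evidence can be detected.
$kayitlar |
    Select-Object -Property TimeGenerated, MachineName, InstanceId, EntryType, Source, Message |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$hash = Get-FileHash -Path $ReportPath -Algorithm SHA256
"Saved $ReportPath"
"SHA256: $($hash.Hash)"
```

Keep the printed SHA256 value somewhere other than the exported file itself; that is what lets you show later that the CSV was not altered.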
Remember that your log registries are forensic evidence!
Source: https://www.turkhackteam.org/bilgis...2-powershell-araciligiyla-log-incelemesi.html
Translator: Gauloran