Overview
Windows Event Logs are one of the most critical forensic artifacts in Windows environments, recording system events, security auditing, application errors, and service activity. Event Log analysis tools help forensic analysts and incident responders efficiently parse, filter, search, and correlate events across multiple log files to reconstruct timelines of attacker activity, identify compromise indicators, and understand system behavior. Modern Windows stores Event Logs in EVTX format (XML-based binary) in C:\Windows\System32\winevt\Logs\.
Multiple tools exist for Event Log analysis. Native Windows tools include wevtutil, Get-WinEvent PowerShell cmdlet, and Event Viewer (GUI). Third-party forensic tools include Eric Zimmerman’s EvtxECmd, Hayabusa (threat hunting), Chainsaw (Sigma-based detection), and DeepBlueCLI (PowerShell-based detection). Each offers different strengths — EvtxECmd excels at parsing and exporting for timeline analysis, Hayabusa provides thousands of built-in detection rules mapped to MITRE ATT&CK, and Chainsaw enables rapid Sigma rule matching against offline EVTX files. Combined, these tools provide comprehensive Event Log analysis capabilities.
Installation
EvtxECmd (Eric Zimmerman)
# Download EvtxECmd
Invoke-WebRequest -Uri "https://f001.backblazeb2.com/file/EricZimmermanTools/net6/EvtxECmd.zip" -OutFile EvtxECmd.zip
Expand-Archive EvtxECmd.zip -DestinationPath C:\Tools\EvtxECmd
# Update event maps
C:\Tools\EvtxECmd\EvtxECmd.exe --sync
Hayabusa
# Download Hayabusa
Invoke-WebRequest -Uri "https://github.com/Yamato-Security/hayabusa/releases/latest/download/hayabusa-win-x64.zip" -OutFile hayabusa.zip
Expand-Archive hayabusa.zip -DestinationPath C:\Tools\Hayabusa
Chainsaw
# Download Chainsaw
wget https://github.com/WithSecureLabs/chainsaw/releases/latest/download/chainsaw_x86_64-unknown-linux-gnu.tar.gz
tar xzf chainsaw_x86_64-unknown-linux-gnu.tar.gz
sudo mv chainsaw /usr/local/bin/
DeepBlueCLI
# Clone DeepBlueCLI
git clone https://github.com/sans-blue-team/DeepBlueCLI.git
cd DeepBlueCLI
wevtutil
| Command | Description |
|---|---|
| wevtutil el | List all event log names |
| wevtutil gli <logname> | Get log information |
| wevtutil qe <logname> | Query events |
| wevtutil epl <logname> <file> | Export log to EVTX file |
| wevtutil cl <logname> | Clear a log |
# List all logs
wevtutil el
# Export Security log
wevtutil epl Security C:\Evidence\Security.evtx
# Export all logs for forensic collection (log names contain '/', so they are sanitised for the filename)
New-Item -ItemType Directory -Path C:\Evidence\Logs -Force | Out-Null
$logs = wevtutil el
foreach ($log in $logs) {
$safeName = $log -replace '[/\\]', '_'
wevtutil epl "$log" "C:\Evidence\Logs\$safeName.evtx" 2>$null
}
# Query specific events
wevtutil qe Security /q:"*[System[EventID=4624]]" /c:10 /f:text
# Query events in a time range (XPath @SystemTime values are UTC in ISO 8601 form with a Z suffix)
wevtutil qe Security /q:"*[System[TimeCreated[@SystemTime>='2026-05-01T00:00:00.000Z' and @SystemTime<='2026-05-18T23:59:59.000Z']]]"
Get-WinEvent (PowerShell)
# Query by Event ID
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 20
# Query by time range
Get-WinEvent -FilterHashtable @{
LogName='Security'
StartTime=(Get-Date).AddDays(-7)
EndTime=Get-Date
} | Select-Object TimeCreated, Id, Message | Format-Table
# Multiple Event IDs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624,4625,4648,4672}
# Query EVTX file (offline analysis)
Get-WinEvent -Path "C:\Evidence\Security.evtx" -FilterHashtable @{Id=4624}
# XPath query for process creation; the Event Log XPath subset has no string functions such as contains(),
# so filter on the Event ID in XPath and match the process name in PowerShell (Properties[5] is NewProcessName for 4688)
Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4688]]" |
Where-Object { $_.Properties[5].Value -like '*powershell*' }
# Export to CSV
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
Select-Object TimeCreated, Id,
@{N='User';E={$_.Properties[5].Value}},
@{N='LogonType';E={$_.Properties[8].Value}},
@{N='SourceIP';E={$_.Properties[18].Value}} |
Export-Csv "logon_events.csv" -NoTypeInformation
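The Properties[] indices used above are positional and differ between Windows builds and event templates. As an added example (not part of the original cheat sheet), the function below resolves EventData fields by name from the event XML, then groups failed logons (4625) by source address to surface the many-users-from-one-IP shape of a password spray; the evidence path is an assumption.

```powershell
# Added example: name-based EventData access instead of positional Properties[] indices
function ConvertTo-EventDataObject {
    [CmdletBinding()]
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{
            TimeCreated = $Event.TimeCreated.ToUniversalTime()   # Event Log timestamps are UTC
            Id          = $Event.Id
            Computer    = $xml.Event.System.Computer
        }
        # Each <Data Name="..."> child becomes a property; events without EventData add nothing
        foreach ($d in $xml.Event.EventData.Data) {
            if ($d.Name) { $obj[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$obj
    }
}

# Assumed path to an exported Security log (adjust to your evidence location)
$evtx = 'C:\Evidence\Security.evtx'

# Failed logons grouped by source: one address trying many distinct accounts
# in a short window is the classic password-spray pattern.
Get-WinEvent -Path $evtx -FilterXPath '*[System[EventID=4625]]' -ErrorAction SilentlyContinue |
    ConvertTo-EventDataObject |
    Group-Object IpAddress |
    ForEach-Object {
        $times = $_.Group.TimeCreated | Sort-Object
        [pscustomobject]@{
            SourceIP      = $_.Name
            Attempts      = $_.Count
            DistinctUsers = ($_.Group.TargetUserName | Sort-Object -Unique).Count
            FirstSeenUtc  = $times[0]
            LastSeenUtc   = $times[-1]
        }
    } |
    Where-Object { $_.DistinctUsers -ge 5 } |      # tune the threshold to the environment
    Sort-Object DistinctUsers -Descending |
    Format-Table -AutoSize
```

The same function works on any event, so `ConvertTo-EventDataObject` can replace the index-based `Select-Object` expressions elsewhere on this page.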
EvtxECmd
# Parse single EVTX file
EvtxECmd.exe -f "C:\Windows\System32\winevt\Logs\Security.evtx" --csv C:\Analysis\
# Parse entire log directory
EvtxECmd.exe -d "C:\Windows\System32\winevt\Logs" --csv C:\Analysis\
# Parse with specific maps
EvtxECmd.exe -f Security.evtx --csv C:\Analysis\ --maps C:\Tools\EvtxECmd\Maps\
# JSON output
EvtxECmd.exe -f Security.evtx --json C:\Analysis\
# Parse from forensic image
EvtxECmd.exe -d "E:\Windows\System32\winevt\Logs" --csv C:\Evidence\
# Restrict parsing to the listed Event IDs (--inc keeps only these; --exc would drop them instead)
EvtxECmd.exe -f Security.evtx --csv C:\Analysis\ --inc 4624,4625,4648,4672
Hayabusa
# Quick scan of all logs
hayabusa.exe csv-timeline -d "C:\Windows\System32\winevt\Logs" -o timeline.csv
# Scan with minimum alert level
hayabusa.exe csv-timeline -d "C:\Windows\System32\winevt\Logs" -o timeline.csv -m high
# JSON Lines timeline output (-L writes one JSON object per line instead of a single JSON document)
hayabusa.exe json-timeline -d "C:\Windows\System32\winevt\Logs" -L -o timeline.jsonl
# Scan specific EVTX files
hayabusa.exe csv-timeline -f "C:\Evidence\Security.evtx" -o security_timeline.csv
# Show metrics/statistics
hayabusa.exe metrics -d "C:\Windows\System32\winevt\Logs"
# Logon summary
hayabusa.exe logon-summary -d "C:\Windows\System32\winevt\Logs" -o logon_summary.csv
# Update rules
hayabusa.exe update-rules
Chainsaw
# Hunt with Sigma rules (-s/--sigma takes the Sigma rule directory; --mapping maps Sigma fields to EVTX fields)
chainsaw hunt /evidence/logs/ --sigma sigma/rules/ --mapping mappings/sigma-event-logs-all.yml
# Hunt with Chainsaw's built-in rules (-r/--rule)
chainsaw hunt /evidence/logs/ --rule chainsaw/rules/
# Search for a specific Event ID (a Tau expression; -e is the file-extension filter, not the Event ID)
chainsaw search -t 'Event.System.EventID: =4624' /evidence/logs/
# Search by keyword (the pattern is positional; -i makes it case-insensitive)
chainsaw search -i "mimikatz" /evidence/logs/
# Output as JSON
chainsaw hunt /evidence/logs/ --rule chainsaw/rules/ --json --output results.json
# Filter by time range
chainsaw hunt /evidence/logs/ --rule chainsaw/rules/ --from "2026-05-01T00:00:00" --to "2026-05-18T23:59:59"
Key Security Event IDs
Authentication Events
| Event ID | Log | Description |
|---|---|---|
| 4624 | Security | Successful logon |
| 4625 | Security | Failed logon |
| 4634 | Security | Logoff |
| 4648 | Security | Explicit credential logon (runas) |
| 4672 | Security | Special privileges assigned |
| 4768 | Security | Kerberos TGT requested |
| 4769 | Security | Kerberos service ticket requested |
| 4771 | Security | Kerberos pre-auth failed |
| 4776 | Security | NTLM authentication |
Process and Service Events
| Event ID | Log | Description |
|---|---|---|
| 4688 | Security | Process creation |
| 4689 | Security | Process termination |
| 7034 | System | Service crashed |
| 7035 | System | Service control sent |
| 7036 | System | Service started/stopped |
| 7040 | System | Service start type changed |
| 7045 | System | New service installed |
Persistence and Lateral Movement
| Event ID | Log | Description |
|---|---|---|
| 4698 | Security | Scheduled task created |
| 4699 | Security | Scheduled task deleted |
| 4702 | Security | Scheduled task updated |
| 5140 | Security | Network share accessed |
| 5145 | Security | Network share object checked |
| 4104 | PowerShell | Script block logging |
| 4103 | PowerShell | Module logging |
Advanced Analysis
DeepBlueCLI
# Analyze Security log
.\DeepBlue.ps1 .\Security.evtx
# Analyze System log
.\DeepBlue.ps1 .\System.evtx
# Live analysis of current system
.\DeepBlue.ps1 -log Security
# Analyze PowerShell logs
.\DeepBlue.ps1 ".\Microsoft-Windows-PowerShell%4Operational.evtx"
Logon Type Analysis
# Logon types in Event ID 4624
# 2 = Interactive (local)
# 3 = Network (SMB, mapped drives)
# 4 = Batch (scheduled tasks)
# 5 = Service
# 7 = Unlock
# 8 = NetworkCleartext
# 9 = NewCredentials (runas /netonly)
# 10 = RemoteInteractive (RDP)
# 11 = CachedInteractive
# Find RDP logons
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
Where-Object { $_.Properties[8].Value -eq 10 } |
Select-Object TimeCreated,
@{N='User';E={$_.Properties[5].Value}},
@{N='SourceIP';E={$_.Properties[18].Value}} |
Format-Table
# Find network logons from non-local IPs
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} |
Where-Object { $_.Properties[8].Value -eq 3 -and $_.Properties[18].Value -notmatch "^(127\.|::1)" } |
Select-Object TimeCreated,
@{N='User';E={$_.Properties[5].Value}},
@{N='SourceIP';E={$_.Properties[18].Value}}
Lateral Movement Detection
# Detect PsExec usage (Event ID 7045 where the service image path contains PSEXESVC;
# for 7045, Properties[0] is ServiceName and Properties[1] is ImagePath)
Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045} |
Where-Object { $_.Properties[1].Value -match "PSEXESVC" } |
Select-Object TimeCreated, @{N='Service';E={$_.Properties[0].Value}}, @{N='ImagePath';E={$_.Properties[1].Value}}
# Detect WMI lateral movement (for 4648, Properties[9] is TargetInfo, the target server/service string)
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} |
Where-Object { $_.Properties[9].Value -match "WMI" }
# Remote scheduled task creation
Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4698}
Troubleshooting
| Issue | Solution |
|---|---|
| EVTX file corrupted | Do not run wevtutil cl <logname> against evidence: it clears the log (deleting its events) rather than repairing it. Parse a copy with EvtxECmd, which tolerates damaged files, or use third-party recovery tools |
| Event Log service stopped | Restart: net start EventLog |
| Logs rolled over too quickly | Increase log size: wevtutil sl Security /ms:4194304000 |
| Missing audit events | Enable advanced audit policy via Group Policy or auditpol |
| Cannot parse offline EVTX | Use -Path parameter with Get-WinEvent or EvtxECmd -f flag |
| Hayabusa slow on large logs | Use -m high to filter only high-severity alerts |
| Chainsaw Sigma errors | Update Sigma rules and verify mapping file matches log format |
| Time zone confusion | Windows Event Logs store timestamps in UTC; convert for local analysis |