Cybersecurity · Windows Event Log Monitoring

Windows Event Log Monitoring

Using Sysmon, Windows Event Viewer, and PowerShell scripts to detect suspicious activity like failed logons, process creation, and registry changes.

View this project on GitHub

Overview

This lab demonstrates how to leverage Sysmon, Event Viewer, and PowerShell for effective log monitoring and detection on Windows systems.

Sysmon: Provides detailed system activity logging.
Windows Event Viewer: GUI for log visualization.
PowerShell: Automates querying and filtering logs.

Monitoring with Sysmon

Sysmon (System Monitor) extends Windows logging by capturing events like process creation, file changes, and network connections. Below are example queries using Get-WinEvent in PowerShell.

Example Queries

List All Sysmon Events

List all network connection events

List all process creation events

List events for new files created

List events for file modifications

Monitor for remote thread creation

Monitor for registry changes

List failed logon attempts

List successful logon events

Monitoring with Windows Event Viewer

Failed Login Attempts

Failed logon 1

Failed logon 2

Failed logon 3

Failed logon 4

Failed logon 5

Successful Logins

Successful login 1

Successful login 2

Successful login 3

Successful login 4

Successful login 5

Successful login 6

Special Privileges Assigned to New Logon

Special privileges 1

Special privileges 2

Special privileges 3

Monitoring with PowerShell Scripts

Failed Login Attempts

PowerShell failed logon script

Running failed logon script

Successful Logins

PowerShell successful logon script

Running successful logon script

Process Creation Events

Process creation script

Running process creation script