Windows Event Log Analyzer wants to be the Swiss Army knife of Windows event logs. At the moment, WELA’s best feature is that it can make an easy-to-understand timeline of logins to help with fast forensics and incident reaction. WELA’s logon timeline generator will combine only the useful information from multiple logon log entries (4624, 4634, 4647, 4672, 4776) into a single event, reduce the amount of data by ignoring about 90% of the noise, and turn any hard to read data (like hex status codes) into a format that people can understand.
Tested on Windows PowerShell version 5.1, but it may also work with older versions. It won’t work with Powershell Core because it doesn’t have any built-in way to read Windows event logs.
Features
Note: “The last time WELA will follow the SIGMA rule is in July 2021.Please use Hayabusa if you want to use the most up-to-date SIGMA rules for evtx detection.”
- Written in PowerShell so is easy to read and customize.
- Fast Forensics Logon Timeline Generator
- Detect lateral movement, system usage, suspicious logons, vulnerable protocol usage, etc…
- 90%+ noise reduction for logon events
- Calculate Logon Elapsed Time
- GUI analysis
- Logon Type Summary
- Live Analysis and Offline Analysis
- Japanese support
- Event ID Statistics
- Output to CSV to analyze in Timeline Explorer, etc…
- Analyze NTLM usage before disabling NTLM
- Sigma rules
- Custom attack detection rules
- Remote analysis
- Logon Statistics
Usage
At the moment, please use a Windows Powershell 5.1. You will need local Administrator access for live analysis.
Analysis Source (Specify one):
-LiveAnalysis : Creates a timeline based on the live host's log
-LogFile <path-to-logfile> : Creates a timelime from an offline .evtx file
-LogDirectory <path-to-logfiles> (Warning: not fully implemented.) : Analyze offline .evtx files
-RemoteLiveAnalysis : Creates a timeline based on the remote host's log
Analysis Type (Specify one):
-AnalyzeNTLM_UsageBasic : Returns basic NTLM usage based on the NTLM Operational log
-AnalyzeNTLM_UsageDetailed : Returns detailed NTLM usage based on the NTLM Operational log
-SecurityEventID_Statistics : Output event ID statistics
-EasyToReadSecurityLogonTimeline : Output essy to read event ID statics
-SecurityLogonTimeline : Output a condensed timeline of user logons based on the Security log
-SecurityAuthenticationSummary : Output a summary of authentication events for each logon type based on the Security log
Analysis Options:
-StartTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the start of the timeline
-EndTimeline "<YYYY-MM-DD HH:MM:SS>" : Specify the end of the timeline
-LogonTimeline Analysis Options:
-IsDC : Specify if the logs are from a DC
Output Types (Default: Standard Output):
-SaveOutput <outputfile-path> : Output results to a text file
-OutputCSV : Outputs to CSV
-OutputGUI : Outputs to the Out-GridView GUI
General Output Options:
-USDateFormat : Output the dates in MM-DD-YYYY format (Default: YYYY-MM-DD)
-EuropeDateFormat : Output the dates in DD-MM-YYYY format (Default: YYYY-MM-DD)
-UTC : Output in UTC time (default is the local timezone)
-Japanese : Output in Japanese
-LogonTimeline Output Options:
-HideTimezone : Hides the timezone
-ShowLogonID : Show logon IDs
Other:
-ShowContributors : Show the contributors
-QuietLogo : Do not display the WELA logo
Useful Options
Show Event ID Statistics To Get a Grasp Of What Kind Of Events There Are:
./WELA.ps1 -LogFile .\Security.evtx -SecurityEventID_Statistics
Create a timeline via offline analysis outputted to a GUI in UTC time:
.\WELA.ps1 -LogFile .\Security.evtx -SecurityLogonTimeline -OutputGUI -UTC
Analyze NTLM Operational logs for NTLM usage before disabling it:
.\WELA.ps1 -LogFile .\DC1-NTLM-Operational.evtx -AnalyzeNTLM_UsageBasic
Security logon statistics on a live machine:
.\WELA.ps1 -LiveAnalysis -SecurityAuthenticationSummary
Screenshots
Logon Timeline GUI:
Human Readable Timeline:
Logon Type Statistics:
Event ID Statistics:
Logon Type Summary:
NTLM Authentication Analysis:
Related Windows Event Log Threat Hunting Projects
- APT-Hunter – Attack detection tool written in Python.
- Chainsaw – Sigma-based attack detection tool written in Rust.
- DeepBlueCLI – Attack detection tool written in Powershell.
- EVTX ATTACK Samples – EVTX Attack sample event log files.
- Hayabusa – Sigma-based attack detection and fast forensics timeline generator by Yamato Security.
- RustyBlue Rust port of DeepBlueCLI.
- Sigma – generic SIEM rules.
- so-import-evtx – Import evtx files into Security Onion.
- Zircolite – Sigma-based attack detection tool written in Python.
Contribution
We would love any form of contributing. Pull requests are the best but feature requests, notifying us of bugs, etc… are also very welcome.