『Incident Response Practice』Log Analysis Practice with LogParser
2022-06-24 03:55:00 【Ho1aAs】
Tasks
- Filter the failed logon events in the log. Requirement: date 2021-10-19, time 14:40-15:00
- Filter the process creation events in the log. Requirement: exclude the process
C:\Windows\System32\winlogon.exe
Log source:
Prerequisites
Windows event log format

Event IDs commonly used in incident response

Format of the Strings text column

For example, SELECT EXTRACT_TOKEN(Strings,18,'|') extracts the source IP.
Task 1: filter the failed logon events
LogParser.exe -i:evt -o:datagrid "select * from 'log.evtx' where TimeGenerated>='2021-10-19 14:40:00' and TimeGenerated<='2021-10-19 15:00:00' and EventID=4625"

Task 2: filter the process creation events in the log
LogParser.exe -i:evt -o:datagrid "select * from 'log.evtx' where EventID=4688 and extract_token(Strings,5,'|')<>'C:\Windows\System32\winlogon.exe'"
Before exclusion:

After exclusion:

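The two queries above rely on the same idea: the Strings column is the pipe-joined event data, and EXTRACT_TOKEN picks one field out of it by zero-based position. The following Python is an added example, not code from the post or from LogParser; it re-implements that token extraction and both filters (the 4625 time window and the 4688 process exclusion) over constructed sample rows, so the logic can be tested offline when LogParser is not at hand. The token positions (18 for the source IP, 5 for the new process name) and the row layout are taken from the queries in the post and are assumed for the sample data only; real Strings layouts differ per event and OS version.

```python
from datetime import datetime
from typing import Optional

# Emulates LogParser's EXTRACT_TOKEN(Strings, index, '|'): zero-based token index,
# returns None when the index is out of range (LogParser returns NULL).
def extract_token(strings: str, index: int, sep: str = "|") -> Optional[str]:
    tokens = strings.split(sep)
    return tokens[index] if 0 <= index < len(tokens) else None

# Builds a constructed Strings value with the given tokens at the given positions.
def make_strings(tokens_by_index: dict, length: int) -> str:
    return "|".join(tokens_by_index.get(i, "-") for i in range(length))

# Constructed sample rows shaped like LogParser's EVT columns: (TimeGenerated, EventID, Strings).
# The 4625 rows put the source IP at token 18 and the 4688 rows put the new process path at
# token 5, matching the indices used in the post's queries. All values are made up.
SAMPLE_ROWS = [
    ("2021-10-19 14:41:12", 4625, make_strings({5: "administrator", 10: "3", 18: "10.0.0.8"}, 21)),
    ("2021-10-19 15:07:30", 4625, make_strings({5: "administrator", 10: "3", 18: "10.0.0.8"}, 21)),  # outside window
    ("2021-10-19 14:50:01", 4624, make_strings({5: "svc_backup", 18: "10.0.0.2"}, 21)),             # success, not 4625
    ("2021-10-19 14:55:40", 4688, make_strings({1: "admin", 5: r"C:\Windows\System32\winlogon.exe"}, 9)),
    ("2021-10-19 14:56:02", 4688, make_strings({1: "admin", 5: r"C:\Users\admin\Downloads\update.exe"}, 9)),
]

# Task 1: failed logons (4625) inside an inclusive time window; returns (time, target user, source IP).
def failed_logons(rows, start="2021-10-19 14:40:00", end="2021-10-19 15:00:00"):
    fmt = "%Y-%m-%d %H:%M:%S"
    lo, hi = datetime.strptime(start, fmt), datetime.strptime(end, fmt)
    return [(t, extract_token(s, 5), extract_token(s, 18))
            for t, eid, s in rows
            if eid == 4625 and lo <= datetime.strptime(t, fmt) <= hi]

# Task 2: process creations (4688) whose new process name is not in the exclusion list.
def process_creations(rows, exclude=(r"C:\Windows\System32\winlogon.exe",)):
    return [(t, extract_token(s, 5)) for t, eid, s in rows
            if eid == 4688 and extract_token(s, 5) not in exclude]

if __name__ == "__main__":
    for row in failed_logons(SAMPLE_ROWS):
        print("4625", row)
    for row in process_creations(SAMPLE_ROWS):
        print("4688", row)
```

Note that the time comparison is inclusive at both ends, exactly like the `>=` / `<=` pair in the LogParser query, and that a missing token yields None rather than an exception, which mirrors a NULL comparison never matching the `<>` exclusion.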
End
You are welcome to follow my CSDN blog: @Ho1aAs
Copyright: Ho1aAs
Link to this article: https://ho1aas.blog.csdn.net/article/details/125430259
Copyright notice: this article is original; when reposting, cite the source and keep this notice.