Little Help with windows Logs

Good morning. I’d like to ask you to explain this. It’s very important to me. I pay in nods.

Find the user account that logged in.
Find the login date
Find the IP of the account used to log in.

Event Log windows:

  • Someone knows the free event log management software in addition to the built-in windows

Windows event logs can be a complex area - but it largely depends on what you are looking for and, importantly, what you actually capture. Not all logs are created equal.

When you say “log management software”, do you mean something to read logs or something to store/analyse them.

For the former: Eric Zimmerman's tools is a great place to start with EvtxExplorer. You can also try LogMD (Free — IMF Security) to check the log configurations.

For storage/analysis - Look at ELK.

As for the questions, I’d start with Event ID 4624 in the security event log. More detail on it is here: Windows Security Log Event ID 4624 - An account was successfully logged on

If your logging is set up properly, it will have all that information.

Note, some of the data might be a bit misleading. The IP address isn’t always the IP of the remote machine (especially if you forward logon requests). Sometimes the user account isn’t captured correctly etc. The date/time can trick you if you don’t synchronise it across devices (and watch out for timezone offsets).

Thank you for such a quick answer.

I filtered out the logs.

I found two interesting logs

Can I count on more tips ? Unfortunately, I have zero experience of working with logs

I can certainly try to help but it depends what you want to know.

I might not be the most useful person here as I’ve no idea how to get either file to download without paying for an account, and I’ve no intention of paying for an account.

I have uploaded files to another hosting
original file;

I need this information :smile: ;

Find the user account that logged in.
Find the login date
Find the IP of the account used to log in.

Thank you for trying to help

Ok - I’ve requested access.

I forgot about access
already working

Got it now.

Is there anything you want to pivot on because there are 475 logon events.

I think I can see the user account which logged on, and dates/IPs but I don’t know if its the account you are interested in.

For example:

New Logon:
	Security ID:		S-1-5-21-1327243971-766763558-3563500504-1109
	Account Name:		paradeuser
	Account Domain:		BLACKPARADE
	Logon ID:		0x208F4
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

but there are quite a few dates.

On 18 March 2019, there is this event (logon type 10 - RDP)

New Logon:
	Security ID:		S-1-5-21-1327243971-766763558-3563500504-1103
	Account Name:		paradeadmin
	Account Domain:		BLACKPARADE
	Logon ID:		0x86DC5
	Logon GUID:		{00000000-0000-0000-0000-000000000000}

Network Information:
	Workstation Name:	HACKERU7-PC
	Source Network Address:
	Source Port:		57566

So if that is the activity of interest - you have the username, date and IP address.

Thank you very much, you are a god. Have a nice day.