Dump Event Log (Dumpel)
• Dumpel.exe
– Retrieves information from Windows Event Log
– Appropriate OS auditing policies must be defined
– At least three logs available: application, security, system.
Dumpel (2)
dumpel –l security –s \\server –c –d 1 –f sec.csv
• Choose a log to retrieve (required): -l [security | application | system]
• Choose delimiter: -c = comma, -t = tab, default = whitespace
• Choose number of days to retrieve: -d NN, where NN is an integer > 0
• Choose server and output file: -s \\server -f filename.txt
Dumpel (3)
• Limiting by Source (-m SOURCE)
– LSASRV: -l application -m LSASRV
– Security: -l security -m security
• Retrieve specific information (-e NN)
– Failed logins: -l security -m security -e 529
– Object access: -l security -m security -e 560
– Shutdown: -l security -m security -e 513
• Inverting the query (-r)
– Retrieves everything EXCEPT what matches the limitations specified by other parameters.
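The failed-login query above (-e 529) is most useful once the comma-delimited file it writes is summarised per account, so that a burst of failures against one account stands out. The following Python script is an added example, not part of the original slides. It assumes the column order dumpel uses for -c/-t output (date, time, type, category, event ID, source, user, computer, then the event's insertion strings) and that for event 529 the first insertion string is the account that failed to log on; both assumptions should be checked against a real dump before relying on the positions. The sample lines are constructed, not real log data.

```python
"""Summarise logon failures (event 529) from a dumpel -c dump."""
import csv
from collections import Counter

# Column layout assumed for dumpel -c (comma) or -t (tab) output. The slides do
# not document it, so verify these positions against a real dump first.
FIXED_COLUMNS = ("date", "time", "type", "category", "event_id",
                 "source", "user", "computer")
AUDIT_FAILURE = 16   # Windows event type value for a failure audit
AUDIT_SUCCESS = 8    # Windows event type value for a success audit

# Constructed sample of what `dumpel -l security -s \\server -c -d 1 -f sec.csv`
# might write; not real data. For 529 the insertion strings are assumed to
# begin with the target account name, domain and logon type.
SAMPLE_DUMP = r"""
3/14/2004,8:01:12 AM,8,2,528,Security,alice,WS01,alice,CORP,(0x0;0x3E7),2,User32,Negotiate,WS01
3/14/2004,8:02:45 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,WS01,bob,CORP,2,User32,Negotiate,WS01
3/14/2004,8:02:51 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,WS01,bob,CORP,2,User32,Negotiate,WS01
3/14/2004,8:03:02 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,WS01,BOB,CORP,2,User32,Negotiate,WS01
3/14/2004,9:10:00 AM,16,2,529,Security,NT AUTHORITY\SYSTEM,WS01,carol,CORP,10,User32,NTLM,WS07
3/14/2004,9:30:00 AM,8,0,513,Security,NT AUTHORITY\SYSTEM,WS01
"""


def parse_dumpel(text, delimiter=","):
    """Parse dumpel -c (comma) or -t (tab) output into a list of dicts.

    Each dict carries the fixed columns plus "strings", the insertion strings
    that follow them. Blank or truncated lines are skipped.
    """
    records = []
    for row in csv.reader(text.splitlines(), delimiter=delimiter):
        if len(row) < len(FIXED_COLUMNS):
            continue
        rec = dict(zip(FIXED_COLUMNS, row))
        rec["type"] = int(rec["type"])
        rec["event_id"] = int(rec["event_id"])
        rec["strings"] = row[len(FIXED_COLUMNS):]
        records.append(rec)
    return records


def failed_logons_by_account(records):
    """Count event 529 failure audits per target account (case-folded).

    The "user" column of a 529 is the auditing subject (usually
    NT AUTHORITY\\SYSTEM), so the account name is taken from the first
    insertion string instead (assumption, see module comment).
    """
    counts = Counter()
    for rec in records:
        if rec["event_id"] == 529 and rec["type"] == AUDIT_FAILURE:
            account = rec["strings"][0] if rec["strings"] else rec["user"]
            counts[account.lower()] += 1
    return counts


def repeated_failures(counts, threshold=3):
    """Accounts whose failure count reaches the threshold, highest first."""
    return [acct for acct, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    counts = failed_logons_by_account(parse_dumpel(SAMPLE_DUMP))
    for acct in repeated_failures(counts, threshold=3):
        print(f"{acct}: {counts[acct]} failed logons")
```

Pass `delimiter="\t"` to `parse_dumpel` for a dump written with -t; whitespace-delimited (default) output is not handled because the insertion strings themselves contain spaces.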
SC (Service Control)
• Single service: C:\>sc \\server query service
• All services: C:\>sc \\server query
• Running services: C:\>sc \\server query state=
• Stopped services: C:\>sc \\server query state= inactive
• Export to a text file: C:\>sc \\server query > filename.txt
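Once the output of `sc \\server query` has been saved to a text file, it can be parsed and compared with the set of services a host is expected to run, which turns a listing into a check. The Python below is an added example, not code from the slides. The sample text is constructed in the block layout `sc query` prints (SERVICE_NAME, DISPLAY_NAME, then indented TYPE/STATE/exit-code lines), and the baseline set of expected services is an assumption for the demonstration.

```python
"""Parse saved `sc query` output and compare running services to a baseline."""
import re

# Constructed sample of `sc \\server query > filename.txt`; not a real host.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS  (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)

SERVICE_NAME: TlntSvr
DISPLAY_NAME: Telnet
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

STATE_RE = re.compile(r"^\s*STATE\s*:\s*(\d+)\s+([A-Z_]+)")
EXIT_RE = re.compile(r"^\s*WIN32_EXIT_CODE\s*:\s*(\d+)")


def parse_sc_query(text):
    """Return one dict per service: name, display name, state, exit code."""
    services = []
    current = None
    for line in text.splitlines():
        if line.startswith("SERVICE_NAME:"):
            current = {"name": line.split(":", 1)[1].strip(),
                       "display": "", "state": "UNKNOWN", "exit_code": None}
            services.append(current)
        elif current is None:
            continue                      # text before the first service block
        elif line.startswith("DISPLAY_NAME:"):
            current["display"] = line.split(":", 1)[1].strip()
        elif STATE_RE.match(line):
            current["state"] = STATE_RE.match(line).group(2)
        elif EXIT_RE.match(line):
            current["exit_code"] = int(EXIT_RE.match(line).group(1))
    return services


def services_in_state(services, state):
    """Service names whose STATE word matches, e.g. RUNNING or STOPPED."""
    return sorted((s["name"] for s in services if s["state"] == state),
                  key=str.lower)


def compare_to_baseline(services, expected_running):
    """Split the running set against a baseline (assumption: the caller's
    list of services that should run). Returns (unexpected, missing)."""
    running = set(services_in_state(services, "RUNNING"))
    expected = set(expected_running)
    return (sorted(running - expected, key=str.lower),
            sorted(expected - running, key=str.lower))


if __name__ == "__main__":
    svcs = parse_sc_query(SAMPLE_SC_QUERY)
    unexpected, missing = compare_to_baseline(svcs, {"Spooler", "wuauserv"})
    print("running but not in baseline:", unexpected)
    print("in baseline but not running:", missing)
```

A service that is running but absent from the baseline (here the constructed Telnet entry) is the kind of finding the review is meant to surface; a baseline service that is stopped with a non-zero exit code is worth a look for the same reason.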
Reg
C:\>reg
REG Operation [Parameter List]
Operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ]
Return Code: (Except of REG COMPARE)
0 - Successful
1 - Failed
For help on a specific operation type:
REG Operation /?
Reg Query Operation
• Reg operations add, change, save or display registry content
• Type ‘reg operation /?’ for context-sensitive help
• ‘Query’ operation outputs registry contents in text format and works on remote systems
• Syntax:
– REG QUERY [\\Machine\]FullKey [/v ValueName | /ve] [/s]
Reg Query Examples
• Query locally-installed software: C:\>reg query HKLM\software
• Query locally-installed software, including all subkeys: C:\>reg query HKLM\software /s
• Query hardware on a remote server: C:\>reg query \\server\HKLM\hardware
• Query user profiles on a remote server: C:\>reg query \\server\HKU
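Because `reg query ... /s` prints keys and values as plain text, two dumps taken at different times can be diffed to find values that were added or changed, which is how a recursive query becomes a change check rather than a one-off listing. The Python below is an added example, not code from the slides. It assumes the layout `reg query` prints (an unindented HKEY_... line per key, indented value lines with name, type and data separated by tabs or runs of two or more spaces) and treats both "(Default)" and "<NO NAME>" as the default value. The two sample dumps are constructed.

```python
"""Parse `reg query /s` text dumps and diff two of them."""
import re

# Constructed baseline and later dump of one Run key; not from a real host.
SAMPLE_BASELINE = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    AVAgent    REG_SZ    "C:\Program Files\AV\agent.exe" /quiet

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\RunOnce
"""

SAMPLE_CURRENT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    AVAgent    REG_SZ    "C:\Program Files\AV\agent.exe" /quiet /disabled
    helper    REG_SZ    C:\Documents and Settings\alice\Local Settings\Temp\helper.exe

HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\RunOnce
"""

KEY_RE = re.compile(r"^HKEY_[A-Z_]+(\\.*)?$")
# name <sep> REG_TYPE [<sep> data], where <sep> is tabs or 2+ spaces
VALUE_RE = re.compile(
    r"^\s+(\S.*?)(?:\t+|\s{2,})(REG_[A-Z_]+)(?:(?:\t+|\s{2,})(.*))?$")


def parse_reg_query(text):
    """Map (key path, value name) -> (type, data) for every value in a dump.

    Header lines beginning with "!" and blank lines are ignored; a key with
    no values contributes nothing, which is fine for diffing values.
    """
    entries = {}
    key = None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if KEY_RE.match(line):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if key is not None and m:
            name, vtype, data = m.group(1), m.group(2), m.group(3) or ""
            if name in ("(Default)", "<NO NAME>"):
                name = "(default)"
            entries[(key, name)] = (vtype, data)
    return entries


def diff_reg_dumps(baseline, current):
    """Return (added, removed, changed) lists of (key, name) tuples."""
    added = sorted(k for k in current if k not in baseline)
    removed = sorted(k for k in baseline if k not in current)
    changed = sorted(k for k in current
                     if k in baseline and current[k] != baseline[k])
    return added, removed, changed


if __name__ == "__main__":
    base = parse_reg_query(SAMPLE_BASELINE)
    cur = parse_reg_query(SAMPLE_CURRENT)
    added, removed, changed = diff_reg_dumps(base, cur)
    for label, keys in (("added", added), ("removed", removed), ("changed", changed)):
        for key, name in keys:
            print(f"{label}: {key} -> {name} = {cur.get((key, name), base.get((key, name)))}")
```

Run-key values are only one use: the same diff applies to any subtree dumped with /s, and the `\\server\` prefix from the slides works unchanged because the parser only looks at the text `reg` prints.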
Addusers
• Addusers_x86 \\server /d filename.txt
– Run as administrator
– To change the delimiter, add /s:x, where x is the character used to separate the fields
– Change /d to /d:u to put the output in Unicode
• Can also create, modify, and delete accounts.
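The /d dump is easier to act on once it is parsed, for instance to list who sits in a local group or which accounts belong to no group at all. The Python below is an added example, not code from the slides. It assumes the dump layout of an Addusers /d file ([User], [Global] and [Local] sections; user lines as name, full name, password, comment, home drive, home path, profile, script; group lines as group, comment, then members) and honours the /s:x delimiter through a parameter; check the layout against a real dump. The sample file is constructed.

```python
"""Parse an Addusers /d dump and report group membership."""

# Constructed sample of `Addusers_x86 \\server /d filename.txt`; not a real host.
# Passwords are not exported by /d, so that field is empty.
SAMPLE_ADDUSERS_DUMP = """\
[User]
Administrator,,,Built-in account for administering the computer/domain,,,,
Guest,,,Built-in account for guest access,,,,
alice,Alice Example,,Helpdesk,,,,
bob,Bob Example,,Contractor,,,,
svc_backup,Backup service,,Runs nightly backup,,,,
[Global]
[Local]
Administrators,Administrators have complete and unrestricted access,Administrator,alice,svc_backup
Users,Ordinary users,alice
Guests,Guests,Guest
"""


def parse_addusers_dump(text, delimiter=","):
    """Return {"User": [...], "Global": [...], "Local": [...]}.

    Assumed layout (verify against a real dump): [User] lines are
    name,fullname,password,comment,homedrive,homepath,profile,script;
    [Global]/[Local] lines are group,comment,member,member,...
    Pass the character given to /s:x as `delimiter` if it was changed.
    """
    sections = {"User": [], "Global": [], "Local": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            continue                      # text before the first section
        fields = line.split(delimiter)
        if current == "User":
            sections[current].append({
                "name": fields[0],
                "full_name": fields[1] if len(fields) > 1 else "",
                "comment": fields[3] if len(fields) > 3 else "",
            })
        else:
            sections[current].append({
                "group": fields[0],
                "comment": fields[1] if len(fields) > 1 else "",
                "members": [m for m in fields[2:] if m],
            })
    return sections


def group_members(sections, group, scope="Local"):
    """Members of a group (case-insensitive name match), sorted."""
    for g in sections.get(scope, []):
        if g["group"].lower() == group.lower():
            return sorted(g["members"], key=str.lower)
    return []


def accounts_in_no_group(sections):
    """Accounts listed under [User] that no Global or Local group names."""
    in_group = {m.lower() for scope in ("Global", "Local")
                for g in sections.get(scope, []) for m in g["members"]}
    return [u["name"] for u in sections["User"] if u["name"].lower() not in in_group]


if __name__ == "__main__":
    dump = parse_addusers_dump(SAMPLE_ADDUSERS_DUMP)
    print("Administrators:", group_members(dump, "Administrators"))
    print("accounts in no group:", accounts_in_no_group(dump))
```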
Importing Data into a Spreadsheet
• To make the output easier to read:
– Open an empty sheet in Excel
– Go to Data/Import External Data/Import Text File…
– Select Delimited, then choose the delimiter and ‘Treat consecutive delimiters as one’
– Click Next, Finish, OK to finish
Data in Excel