Event Log Management in Windows | TryHackMe Windows Event Logs


Great video - thanks for sharing. I'd love to hear your thoughts about our new log management platform, observIQ: https://observiq.com/

We offer simple, powerful hosted Windows event log monitoring, as well as a fully featured 'free plan'. Curious to see how that fits into your workflow.

u/observIQ, Jun 09 2021, 1 upvote
Captions
What's going on? Today we're doing Windows Event Logs. Windows Event Logs is a room from TryHackMe and is part of the Cyber Defense pathway. If you're taking the Cyber Defense pathway, you will find the room by accessing your pathway from here: you go to Security Operations and Monitoring, and in Security Operations and Monitoring you will find the room called Windows Event Logs. In the last two videos we did Core Windows Processes and we did Sysinternals, where we used the Sysinternals tools to detect malicious activities or malicious processes. In this room today, Windows Event Logs, you will be introduced to how to use the event logs: the Event Viewer, which is the GUI interface for the logs aggregated by the system; you will use wevtutil (the Windows Events Utility) to filter through the logs; you will also use the Get-WinEvent cmdlet from PowerShell to enhance your search through the logs; and we will use XPath queries. XPath queries are the filtering feature where we use the XML language to filter through logs and facilitate the search. Lastly we will take two practical scenarios, or one practical scenario: we will be examining a PowerShell downgrade attack. We will examine the event IDs, the logs, what happened, and what PowerShell commands have been executed.

All right, so if you're a beginner to Event Viewer, this room might take a bit to finish. If you are an IT technician or system administrator, or even a blue teamer who uses Event Viewer a lot, you will not find this difficult. All right, so let's get started. Make sure to deploy the machine; I'm going to add one hour to extend the time. Okay, so starting from task two, the questions start from task two, I guess, yes. So basically in task two I will introduce you to Event Viewer and answer the questions. You will have the option to read through the material, but if you don't want to read, you can just listen to the video and we will answer the
questions. Of course, we will explain everything while answering the questions.

All right, so we will switch to my machine. Here I am logged into the deployed machine using RDP. Let me close these windows here. All right, so the first task is about Event Viewer. I'm going to click on the Event Viewer icon from here. As you can see, on the right pane we have what they call the publishers, the middle pane is where we examine the summary of the events and, of course, the details, and on the right we have the Actions pane, where, if you want, you can create a custom view, filter through the logs, or connect to another computer if your computer is part of a domain. All right, so let's get back and see what we have to answer.

"For the questions below, use Event Viewer to analyze the Microsoft-Windows-PowerShell/Operational log." So first we have to access the Microsoft PowerShell Operational log. In order to do that we have to go to Applications and Services Logs, expand Microsoft, expand Windows, and go all the way down until you see PowerShell. In PowerShell, click on Operational and you will be presented with the logs that have been aggregated and gathered by Windows to display the PowerShell activity that took place at the time displayed here. Okay, going back: "What is the event ID for the first event?" Now I know it's answered, but let me tell you why it is 40961. So let's get back. Here we have the events, right? If we sort them oldest to newest, here is the first event; we have to find out the event ID. So going back, we see here the first event ID is 413. Let me get back to the Microsoft-Windows-PowerShell/Operational log, go up, and here, as you can see, the first entry is 40961. If you examine the date, it is 12/21/2020.
If you examine the last entry, the date is 5/29/2021. So that's the answer for the first question.

"Filter on event ID 4104. What was the second command executed in the PowerShell session?" Now here we get to how to filter for event IDs. If you are given an event ID, every event ID actually is not unique. Event IDs here, if you have 4104 here, which is the event ID for PowerShell command execution, in this context it is given a context that's different from the context it might have in other views or publishers. So these numbers are not unique; you might see them repeated or occurring in other publishers. So remember that every event ID has a descriptive task or object. For example, event ID 4104 is for examining PowerShell commands, right? So we're required to filter logs. We go to the right, the Actions pane, click on Filter Current Log, and we go to all event IDs, type 4104, yes, and here we click OK, and we will be presented with all of the events that have the ID 4104. Now all of these events depict a PowerShell command being executed. We have to find out, in the question, what was the second command. All right, let's get back and see what we have to find. If you click on the first one, for example, you see in the details pane down here more details about the event, for example the event ID, the source, and here in the middle you see more information about the context of the command. Click on Details and we have the XML view, which I prefer, and we have the Friendly View. Now in this video we're going to examine the XML view and we will extract the answer from this view. As you can see, from the first one there is no command, right? If you see the next one, also there is no command, on to the third one. So as you can see, we have a large number of events, and going through these events when you have a large number of events is kind of exhausting. That's why in the next section we will look
at command-line tools to filter these events and extract the answers directly. But for now we're just going to go through these and see what the second command is. So here we have Get-WinEvent, prompt, prompt, prompt, prompt, the same command, also the same. So you're looking for a PowerShell command: provider prompt. If I filter through the date, this is from newest to oldest; now oldest to newest, this is the first command, I guess. As you can see, these are my commands actually, that I executed, so I'm going to have to go down and filter starting from here. So as you can see, the second entry, but you have to filter from oldest to newest, all right, the second entry gives whoami. The first command was prompt, so the second command was whoami. That's your answer.

"What is the task category of event ID 4104?" Now the task category is a description of the event ID. The description of this event ID is "Execute a Remote Command"; that's what we call the task category.

"For the questions below, use Event Viewer to analyze the Windows PowerShell log." So here we move out from here and go to Windows Logs, no, Applications and Services Logs, Windows PowerShell log. "What is the task category of event ID 800?" So in here, let's go to the left, the right, and we see the event ID 800 has the task category saying "Pipeline Execution Details". So that's the answer for this one. That's it for Event Viewer.

Now remember that the GUI interface is useful if you are filtering for a specific event and if you know what you're looking for, right? But if you have a large number of events, and you are trying to find, you're not given an event ID, you're not given any information, it's kind of painful to sift through all of these events. That's why it's recommended you use the Event Viewer GUI interface along with a command-line utility like the ones we will examine now. So keep this open, open the command prompt, and here we will use a tool called wevtutil (the Windows Events Utility). So I'm going to clear here. Okay, so wevtutil here,
let's see the questions, and while I answer the questions I will explain why I answered with these answers. Okay, so the question here: we're given "How many log names are in the machine?" So we are in the machine here, the remote target, or the machine we're examining. We have to find out what the names are, or how many log names are in the machine. How can we use wevtutil for that? So if you type wevtutil, let me make the font bigger: Properties, Font, okay. So wevtutil, all right, I think we have to remove the... okay. So in order to get the help menu we have to type /?. So here we get the help menu. Scroll up, you see here first the definition: "Windows Events Command Line Utility. Enables you to retrieve information about event logs and publishers, install and uninstall event manifests, run queries, and export, archive, and clear logs." It's a pretty useful tool if you want to manipulate events, filter through events, run queries. Of course, its best use case is to couple it with Event Viewer, the GUI interface. Usage: you can use either the short or the long form. For example, the options or the commands we're given here are these: this is the short name and this is the long name. You can use either one of them in your command. For example, if you want to enumerate the logs, you can type el or enum-logs, which will list the log names. The same with the rest, so as you can see: get log configuration information, modify configuration for a log, list event publishers, you can even query events from a log file, which we will do later. And here we have the command options. In addition to these commands we can use these right here, starting with a slash, and we either use a short name, which is r, or remote, and a value. So /r, then a colon, sorry, and a value. So what this does: "If specified, run the command on a remote computer. VALUE is the remote computer
name." This is in case you are in an Active Directory environment. /u:VALUE for your username, if you're looking for a username; /p for the password, if you're looking for passwords; and here /uni for Unicode, etc.

So what was the first question? "How many log names are in the machine?" So we have to enumerate the logs, right? So what we do: wevtutil.exe, and we use the short name, which is el, enumerate logs, all right. And here I'm just going to pipe the output to another command to find or count the lines: find /n /c /v, just to count the number of lines. So as you can see, we have 1701 log names. If I don't count the lines and execute this, as you can see, it will list all of the log names. But this is a very long list; I can't just sit down and count through them, right? So go back: that's the number of log names.

"What is the definition for the query-events command?" All right, so let's get back to the help menu and look for the query command. So as you can see, we have on line number one, two, three, four, five, six, seven, eight, nine, so we have query-events, or qe: "Query events from a log or log file." So here, as the name suggests, we query events from a log or log file. Now we're required to find the definition of this; this has to do with using the command. So if you don't know how to use the command, you can get more information about a specific command. For example, wevtutil.exe, and the command name, qe, and we type /? to get the help menu of the specific command. Let's go up: query events, it is qe. So here, qe, okay, so this is the help menu for using this command, which is query-events. So as per the definition: "Read events from an event log, log file, or using structured query." That's the definition.

"What option would you use to provide a path to a log file?" Let's examine the help menu for this. So when I use qe, I'm instructing wevtutil to query a specific event, okay, or to query a specific event from a file. How do I do
that? That is the usage here. So we type the tool name, qe for short or query-events for long, the path of the file (the complete path, if you don't know where it is), and here the options: option:value, option:value. Now let's take a look at the options here. The option, if you are using a file, or if you're querying events from a file, you have to define the option /lf for short, or /logfile, all right, colon true. If you are querying from a log file, you put true; if we're not querying from a log file, we put false. And here /q, or /query, colon, the value; here you put your query. If you're looking for, or if you're filtering for, a specific event ID, you put the query here. All right, so "What option would you use to provide a path to a log file?", which is /lf:true. "What is the value for /q?" So if you go up you see the option /q:VALUE. The value here is an XPath query, which stands for XML path query. We will get to that later on: how to use XML to filter through events with wevtutil. But for now, it is an XPath query, all right.

"The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text." What does that mean? Let's break this command down. First, the name of the tool, wevtutil, right; qe, query events; here we don't use a file, we use a publisher, so we put the publisher name. If you don't know what publishers are, let's get back and remind you of what the publishers are; that's why I was saying use the command-line utility in conjunction with the GUI. So here we are taking the logs from the Application log; that's why, if you get back here, we use Application. The publisher here is Application. If you want to look through Security, System, Setup, you just change the name here. /c:3 will return a count of three events only; so /c controls the number of events to return in the output, in this case it is three. /rd:true: rd is to retrieve the events in sorted order from newest to oldest. If
you enable this you put true; if you put false, it will retrieve the list oldest to newest. /f:text: the format is to be text. Okay, let's take this command and copy it to an editor, then we copy it from here and back to the command line, Enter. So let's examine the output. So after we entered the command we retrieved one event, two, and three; so three events, as instructed in the command, retrieved from the Application publisher, in text format, and sorted in descending order. So what do they want from us? "What is the log name?" The log name, as I said, is Application. "What is the /rd option for?" Event read direction; I explained that. So how do you know what it stands for? You just go back, go up, /rd: as you can see, it is "reverse direction", and the definition is "event read direction. If true, the most recent events are returned first," which equals descending order. "What is the /c option for?" As I said earlier, it is the maximum number of events to read; I mean, I said to retrieve a limited number of events. You find the definition in the help menu of the query command. So if you go up, /c: "maximum number of events to read". Fine. I don't... all right, definitely we don't need Python in this fight, so collapse this, and let's get to Get-WinEvent. Of course, if you like one of these tools, you can research more on the internet, the documentation of the tool, to get yourself more familiar with the tool.

Now let's get to the PowerShell equivalent. Let's keep this open and we open PowerShell, clear. So we have another tool called Get-WinEvent. Again, let's make this bigger: font size 36, all right. So Get-WinEvent, yep, yeah, so this is the PowerShell cmdlet that we will use now. Now let's skip right to the questions and we will answer, and we'll explain why we answered. So here we are given examples. I'm going to open the page that contains the examples. This page is the documentation of the Get-WinEvent cmdlet from Microsoft, and the page contains examples on how
to use it. Now to answer the questions we have to look at the examples and extract the answers while performing the commands. The first question is "Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?" Let's go to Example 1. Example 1 is using the cmdlet Get-WinEvent to get all the logs from the local computer, all the logs, with no filtering. So this command gets all the event logs on the local computer. Logs are listed in the order that Get-WinEvent gets them: classic logs are retrieved first, followed by the new Windows event logs. It's possible for a log's RecordCount to be null, which is blank, or zero. All right, so let's type this: Get-WinEvent -ListLog *. So we list all of the logs in the system. The question is, what are the names of the logs related to OpenSSH? So you see here we have two: OpenSSH/Admin and OpenSSH/Operational. Simple, right?

"Execute the command from Example 7, but instead of searching for *Policy*, search for PowerShell. What is the name of the third log provider?" Let's go to Example 7 and see what it's about: "Get event log provider names that contain a specific string," which is very useful if you're looking for, if you're searching for, if you have a specific string in your mind and you want to list all of the events related to that string. In our case we're interested in listing the events that are connected to PowerShell. So we have PowerShell in our mind and we want to list all of the events that are connected, or related, or pertaining to PowerShell. So what we have to do is to use this command: Get-WinEvent -ListProvider. The provider here is *Policy*, but in our case the provider will be *PowerShell*. So let's copy that, paste here, replace Policy with PowerShell, copy that. So the question: what is the name of the third log provider? Let's see here, the third one. So we have, as you can see, the first one's name is PowerShell, which links to Windows PowerShell, the next one is Microsoft-Windows-
PowerShell, and the third one is this one, so just copy that, which is Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager. Okay.

"Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event IDs are displayed for this event provider?" So let's take a look at Example 8 first. In Example 8 we aim to get the event IDs that the event provider generates. So if you have an event provider in mind and you want to get all the different IDs that it has generated, you use this command. So let's copy the command first to our local machine and modify the command to answer the question. So Get-WinEvent -ListProvider, in this case it is Microsoft-Windows-GroupPolicy, and with Format-Table we list the Id and the Description. In this case we want to list the IDs of the Microsoft-Windows-PowerShell provider, so replace the provider here with Microsoft-Windows-PowerShell, we copy that, and we get all of the IDs pertaining to this log provider. Okay, so what is the question here? "How many event IDs are displayed for this event provider?" Now we get back to the first point, where we used find /c /v "" with wevtutil, but in this case we can't use that with PowerShell; we have to use Measure-Object to measure the number of lines. Measure-Object: so the count is 192, which is the count of events.

"How do you specify the number of events to display?" So, pretty self-explanatory, we use the option -MaxEvents. Let me check on that. How do you specify the number of events to display? Yeah, so use an option called -MaxEvents. -MaxEvents 2, oh, we forgot this: "A parameter cannot be found that matches parameter name 'MaxEvents'." Okay, yeah, I think we've got to start with this command, so let me get back. So this log, and here we choose -MaxEvents 2. -ListLog specifies a parameter of type System..., all right, -MaxEvents 2. So here we aimed at listing two entries but we're not getting there for some reason. So the
answer is -MaxEvents. We use the switch actually to control the number of events retrieved from the command line. So as you can see in the documentation there is an option -MaxEvents, and here we specify an integer. For example, if you go down there's an example of that; if you search for... let's see here, so this is an example. So here we are retrieving the events from a log file and we limit the number of events to be displayed to 100.

"Now we're using the -FilterHashtable parameter and filtering by Level. What is the value for Informational?" A hashtable is another way of filtering through events. You can use the hashtable with Get-WinEvent if you are trying to filter through specific events from specific publishers. This is an example of using -FilterHashtable, but I'm not going to use it in this example. The question here is what is the value for Informational. Informational is a level of events. You can find the level numbers corresponding to Informational by going to any event that has the level Informational, going to Details, XML view, and as you can see the level is 4, which is Informational. Other events carry a different level; for example, your events carry Error or Audit Success. These have different level IDs; for example, Audit Success has a level ID of 0.

So now on to XPath queries. Okay, so here XPath, as I explained earlier, is kind of another way to search through events using Get-WinEvent. You can use XPath with Get-WinEvent or with wevtutil; in this case we're going to use it with Get-WinEvent, the PowerShell cmdlet. Let's... all right, coming back to PowerShell. If we type dir, we have here a log file called merged.evtx. Let's see here what we have to do. "Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of..." All right, so this query here: we're given criteria to find events from this provider and with the system time. This is the command actually, but how
do we construct this command? Let's copy the command and I'll break it down for you. Let's also type it here. All right, so as you can see here, LogName: the log name, as we explained earlier, we put here the log name; it could be Application, System, Security, whatsoever. If you want to use XPath for filtering, you start it with the switch -FilterXPath. Now, as a rule of thumb, all of the XPath queries start with */System. This is all the time, all right, doesn't matter what you're looking for: you start your query, your XPath query, with */System and then star slash... what comes after the second slash is what you're looking for. For example, in this query here we're looking to find the events from the provider named WLMS. Where did this formula come from? If we go back to the Event Viewer and take an example, go to System, for example, examine one event, all right, go to XML. Since we're using XPath, it means we're using the XML language for filtering; that's why we take the formulas here from the GUI interface, or from the, what is that, okay, from here, the XML view. For example, as you can see, we can use these parameters to find out the values. For example, if we go back to the PowerShell command, here we have Provider Name equal WLMS. If we get back to Event Viewer we have a Provider Name variable here, okay, and it's equal, in this case, to Service Control Manager. All right, now if I want to search for a specific provider name, I have to use this variable name, Provider Name. So if I go back to the PowerShell command, I see here /Provider, okay, and the Name equal to WLMS. That's how you search for a specific provider name. Okay, if you're looking for Service Control Manager, you just have to replace WLMS with Service Control Manager and you will get all of the events where the provider name is Service Control Manager. Now, and here is a logical operator, okay, where we are looking for specific criteria. For example, you're looking to find
all the events from the application, the name of the application, where the provider name is WLMS and the system created time is equal to this time. Now, whenever you're looking for a variable in your search, you have to create a specific formula for it. For example, I look for the provider name here, I look for the time created; doesn't matter, I always start with */System and then a slash, and here we put the variable I'm looking to find. For example, TimeCreated can be found here, the TimeCreated, as you can see, right, and here I have the SystemTime. This time actually corresponds to the value of the date of the event I'm looking for. In this example here, TimeCreated where SystemTime, which is this one, equals this time, which is given. If I type Enter, I will get the event ID that corresponds to these criteria. That's how we use -FilterXPath to search through events and make it easier for us to find event IDs or event information. Now, if I want to retrieve the full information about this event ID, I have to retrieve or get the output in a list format. So Format-List will display the information about the event: TimeCreated, ProviderName, Id, Message; in this case there is no message. I can get all of the info by typing -Property *, to display all of the information about this event. So here we get the list, or we get all the information about the event, about the events. So if you have specific criteria like time and publisher name and you want to get to a specific event ID or specific event IDs, -FilterXPath comes to the rescue, which is the best, actually.

Okay, so "Using Get-WinEvent and XPath, what is the query to find a user named Sam with an event log ID of 4720?" So we have two criteria: an event ID of 4720 and a name called Sam. So you have to use XPath to find the event ID, or the event, that correlates to these criteria. All right, so you have a user called Sam
who generated an ID of 4720; you have to find out the details of these events. So let's get back and build the query. Well, let me take it from here to save time, and I can explain it while I execute it. So paste it here, copy that, okay. So first we have Get-WinEvent; the log name, in this case, since we're looking for usernames or audits, we have to find that in the Security log name, which, in the GUI interface, is here. All right, so going back to PowerShell. So here we start the XPath switch. The first one, as you can see, we start with something called EventData. Why don't we start with System like all the time? Because the username information relates to EventData in XML. Why am I saying this? If we get back to Security here and we take an example, Audit Success, see, in the XML view we have the System view and we have the EventData here. The System here contains information about the event ID, the version, the level of the event, the channel, the computer name, the time, but the EventData contains more context about the event, like for example the username, the domain name, the algorithm used in case there's encryption. That's how we know that if we want to filter for a username we have to use the EventData. So that's why we used EventData here, */EventData, and then we filter for the username. How to filter for this? Then we get back here and we find an example. So for example, SubjectUserName is, yeah, Data here, right, and Name. So what do we do? We put Data, which is here, /Data, and then the name of the data, as you can see here, so Name, in this case, equals TargetUserName. There is no TargetUserName here, but this is an example; you will find more about this. Let me take an example where there is a mention of the target username. TargetUserName, SubjectUserName, anyway, it doesn't matter; it could be either SubjectUserName or TargetUserName, but here we have it
is TargetUserName. So we get back to, okay, so TargetUserName equals Sam, and then we have the event ID. The event ID is a System property; that's why we put it under */System/EventID. So if we enter now, okay, we get all the events where the username, or the target username, is Sam and the event ID is 4720. Both of these events are Informational: "A user account was created." Let's get more context by typing fl, for Format-List, and -Property *. So the first event, "A user account was created", here is the user who initiated the command. Now we have more info about that: the provider name, the process ID, the machine name. So here you can find more information and context about what happened. So here is the account name that has been created, which is Sam. Okay, so "Based on the output from question number two, what is..." Oh, okay: "Based on the previous query, how many results were returned?" It was two; we see that. "Based on the output from question number two, what is the message?" The message was "A user account was created"; we also examined that. "Still working with Sam as the user, what time was event ID 4724 recorded?" So you have to find out the time of event ID 4724, the time at which the event ID was generated. So here, if we get back, we have to filter for only the event ID in this case. So we start, we are still with Sam, as explained, and here we replace this with the event ID depicted in the question, which is 4724.
So 4724, and by copying that and executing this in PowerShell, here we get the time. So this is the time at which the command, or the event, was generated. You just copy that and answer with it. "What is the provider name?" The provider name is listed here: Microsoft-Windows-Security-Auditing. Okay.

Now, Event IDs. In this task you're not required to answer any question; you're only given here some resources to find more context, or to link context with event IDs. For example, sometimes you're looking for event IDs that are generated based on firewall activity, or based on PowerShell activity, based on specific activities. So we're given here some cheat sheets in order to get yourself familiar with these numbers and what they mean. All right, you can just take a look at these pages from here, and we're going to skip now right to the challenge: Putting Theory into Practice.

So we're going to take a look at the .evtx file. So here we're given a log file, an event log file, okay, taken from an infected system, let me say, all right, and we're required to examine the log file to find more context about what happened. Regularly, or normally, as a security analyst you will examine the log file from a SIEM device or an event aggregator like Splunk, AlienVault, right, but let's say in this case you're only given an event log file and required to find more context about what happened. So based on the introduction here, you have four scenarios, with each scenario relating to one or two questions. So the first scenario here, Scenario 1, the first and second question: "The server admins have made numerous complaints to management regarding PowerShell being blocked in the environment. Management finally approved the usage of PowerShell within the environment." So right now we have admins using PowerShell in the environment, or in the corporate computers. "Visibility is now needed to ensure there are no gaps in coverage. You research this topic: what logs to look at, what event IDs to monitor.
You enable PowerShell logging on a test machine and have a colleague execute various commands." What we're required to find out: "What event ID is to detect a PowerShell downgrade attack?" So this event log file contains events generated by a machine infected with a PowerShell downgrade attack. We have to find out the event IDs for this attack, right? So you're given a log file; they told you that this machine was infected with a PowerShell downgrade attack; please find more context based on this log file. So the first thing you have to do is to find the event ID that corresponds to a PowerShell downgrade attack. For that, all you have to do is just Google "powershell downgrade attack event id" and you will find this page. On this page there's a section called Detection, and in here the event ID is given, which is 400. That marks the answer for the first question.

"What is the date and time this attack took place?" So here, let's find out the date and time the attack took place, which means we have to filter through the events, right, with Get-WinEvent. So if we get back to the commands here, let's take the first one, new line, and let's remove this one. So you replace the event ID with 400, and this way we get more context on this event with Get-WinEvent. See, and delete... no events for... ah, we have to, yes, we have to define the file. So here we put -Path and the file name is merged. So as you can see we have many events. Right now the question is, what is the date and time this attack took place? Nope, like this one. So as you can see, we will take the first date, which indicates the first occurrence; we copy that and you answer that. That's the date and time at which the attack happened.

Now the next questions relate to Scenario 2. Scenario 2, questions three and four, starting from here: "The security team is using event logs more. They want to ensure they can monitor if event logs are cleared. You assign a colleague to
execute this action. So in this question you have to find out more context about the events that were generated when someone cleared the logs: we want to find out what the computer name was and what happened. For that you have to find out the event ID when an event log is cleared. So you know, for every action in Windows there's an event generated, and this event has an ID. So in this case let's filter through. Let's get back to the same command, and in this case we're going to replace 400 with 104. Paste, enter. Oh yeah, right, the path. Yeah, show me here. So the system log file was cleared, and we have the log here: Information, 104, the date created. What's the question now? A log clear event was recorded; what is the event record ID? So the event record ID is different from the event ID, right? The record ID is the record of the event, which is different from the event ID. So here let's pipe to fl -Property * to get more context, if there is a record ID here. Record ID 27736. What is the name of the computer? Let's get back and find the name of the computer: machine name PC01.example.corp. What is the name of the first variable within the PowerShell command? Right, so you have to find out the PowerShell command executed. So in this case I prefer we resort to the Event Viewer for more information, so the GUI interface. So here we open the saved log and go to Desktop, open the file, yes, overwrite. So here we filter for 104 and scroll down, Details. Let's get back. What is the name... ah, scenario, oh, this is a different scenario, I'm sorry. Okay, so the third scenario here relates to questions five, six and seven. So one, two, three, four, five. The threat intelligence team shared its research on malware. They advised searching for event ID 4104 and the text ScriptBlockText within the EventData element. Find the encoded PowerShell payload. So here we're digging more to find out what the attackers have used, why they conducted
their PowerShell downgrade attack, to find out the command of this attack. So we're given the event ID 3104 and we're given a text, ScriptBlockText. Okay, so here, instead of this one, let's go back to PowerShell. Let me copy that. Okay, so here we replace 104 with 4104 and we execute this command. You see we have many things here; there is no way we can go through all of this data, right? So now we need the help of the GUI interface. Filter for 4104. Okay, let's go to Details and see the script block section: Data Name equals ScriptBlockText. Okay, so here we remove this one and type... so we have here an EventData example. Let's take this one, EventData, Data here; instead of Name we have... oh well, I don't know why I keep going to... okay, so here ScriptBlockText is the name. So we copy that. I will replace that: instead of Name equals ScriptBlockText, Data... ah no, Name equals, here we have Name equals ScriptBlockText. So remove the icon, and yes, that's it. Let's see here: execute the command first, see what the output is, and then we decide whether we would use the -Property and the Format-List option. That's good. Now we got all of the events for 4104 where there is an instance or an occurrence of a command executed. Now let's get back to the question to find more context on how to answer this. So what is the name of the first variable in the PowerShell command? So here we listed the events; let's use -MaxEvents equal to one, so that's the first one, I guess. Pipe the output to fl -Property *. So this is the first event. Let's look for the script block: ScriptBlockId. So there is no command here. How about two? Okay, I think I'm going to have to use the GUI interface. So here we have the logs filtered on 4104. Let's sort them oldest to newest, 8 25. So the oldest is here. Let's take a look. So the oldest event we have, as you
can see ScriptBlockText, and we have what seems to be a variable name, and this here is the PowerShell command. So you copy that and that's the answer. What is the date and time this attack took place? If we get back, TimeCreated, so it is here, but the actual time is here: 8 25 10 20. That's it. What is the execution process ID? The process ID can be found from here; as you can see, 6620. What is the group security ID of the group she enumerated? This has to do with the last scenario. The last scenario is: a report came in that an intern was suspected of running unusual commands on her machine. So you have a guy in your company who is an intern and he is just playing smart, running some commands trying to hack PCs, such as enumerating members of the Administrators group. A senior analyst suggested searching for C:\Windows\System32\net1.exe to confirm the suspicion. Okay, so we have to find out, as you can see, the attacker or the suspect is enumerating groups in PowerShell, right? And now if you don't want to use this, I found out an alternative way, which is finding the event ID that correlates to group enumeration. So if you go to Google and type "PowerShell group enumeration event ID" you will see this: 4799. Now in order to find that, you have to execute a command where the event ID is 4799. So just take this one, 4799, copy that, back to the command line. Yep, here we have to modify the path and put it in list format: fl -Property *. Oh come on, -Property *. So when... Get-WinEvent. Oh look what now, we forgot the Get. Okay, again, -Property. Oh, too many, two minutes away. Wait, System with ID, fl. Let's see here, more context. So I have many, many events, right? Let's examine one of them. So here we type -MaxEvents 1. So we see here the machine name and we got a group SID. Let's look for something called group SID. So group SID here, this one, 544 32. Nope, not this one, I guess it was one of the groups enumerated but
not the one. The question: what, one, not the... the answer actually, 544, this one. What is the event ID? Finally, the event ID is easy, so the event ID is... we answer that, right, 4799. Okay then, so that marks the end of this room, which was a very, very useful room. If you are a log aggregator, or if you are one of the guys who examines logs on a daily basis, this room is very useful for you, or could be a refresher for your knowledge. Okay then, see you in the next video.
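The Get-WinEvent filtering the walkthrough builds up by hand across the four scenarios (EventID filter, named EventData element, oldest first, -MaxEvents, fl -Property *), as one added PowerShell example that is not the room's or the video's own code; it assumes the exported log sits at .\merged.evtx and the two function names are hypothetical.

```powershell
function Get-EvtxEvents {
    # Same XPath the walkthrough types by hand: System/EventID, optionally plus
    # the presence of a named EventData/Data element (e.g. ScriptBlockText).
    param([string] $Path, [int] $EventId, [string] $DataName, [int] $MaxEvents = 0)
    $xpath = "*[System[EventID=$EventId]]"
    if ($DataName) { $xpath = "*[System[EventID=$EventId] and EventData[Data[@Name='$DataName']]]" }
    $splat = @{ Path = $Path; FilterXPath = $xpath; Oldest = $true }   # oldest first
    if ($MaxEvents -gt 0) { $splat.MaxEvents = $MaxEvents }
    Get-WinEvent @splat -ErrorAction Stop
}

function ConvertTo-EventSummary {
    # Flatten the fields the questions ask for; named EventData elements go into
    # a hashtable so 4104 and 4799 fields can be read by name.
    param([Parameter(Mandatory, ValueFromPipeline)]
          [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $data = @{}
        foreach ($d in @(([xml]$Event.ToXml()).Event.EventData.Data)) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        [pscustomobject]@{
            RecordId = $Event.RecordId; EventId = $Event.Id; TimeCreated = $Event.TimeCreated
            MachineName = $Event.MachineName; ProcessId = $Event.ProcessId; Data = $data
        }
    }
}

$log = '.\merged.evtx'   # assumed location of the room's exported log (hypothetical path)
# Scenario 1: the first Engine Lifecycle (400) event dates the downgrade attempt.
Get-EvtxEvents -Path $log -EventId 400 -MaxEvents 1 | ConvertTo-EventSummary
# Scenario 2: log-cleared (104) event: record id and machine name.
Get-EvtxEvents -Path $log -EventId 104 | ConvertTo-EventSummary |
    Select-Object RecordId, TimeCreated, MachineName
# Scenario 3: oldest 4104 script block that contains a $variable, with its process id.
Get-EvtxEvents -Path $log -EventId 4104 -DataName ScriptBlockText | ConvertTo-EventSummary |
    Where-Object { $_.Data['ScriptBlockText'] -match '\$\w+' } | Select-Object -First 1 |
    Select-Object TimeCreated, ProcessId, @{ n = 'Script'; e = { $_.Data['ScriptBlockText'] } }
# Scenario 4: group enumeration (4799): TargetSid/TargetUserName are the enumerated
# group's SID and name, CallerProcessName the process that enumerated it.
Get-EvtxEvents -Path $log -EventId 4799 | ConvertTo-EventSummary |
    Select-Object TimeCreated, @{ n = 'Group'; e = { $_.Data['TargetUserName'] } },
                  @{ n = 'GroupSid'; e = { $_.Data['TargetSid'] } },
                  @{ n = 'Process'; e = { $_.Data['CallerProcessName'] } }
```

The 104 event stores its details under UserData rather than EventData, so for that scenario only the record id, time and machine name come back; open it in Event Viewer, as the video does, for the channel that was cleared.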
Info
Channel: Motasem Hamdan
Views: 3,880
Keywords: windows, powershell, logs, cybersecurity
Id: KA9WccJEe14
Length: 63min 8sec (3788 seconds)
Published: Sat May 29 2021