[Latest KB's] How to Collect Windows Events Logs using AttackLogs.XML

Hi Community,

When investigating malware attacks on a computer it is often necessary to look at the Windows Event logs; this could be to understand:

  • Which user was logged in at the time
  • If any new services were created
  • If any PowerShell scripts had been executed

As well as many other useful bits of evidence.

Windows includes a large selection of event logs, only some of which are typically used in a malware investigation. Going through the separate logs one by one is time-consuming, so to help with this Sophos have created a 'custom view' which can be imported onto the victim's machine and used to collect the relevant logs, grouping them into one large log (AttackLogs.evtx) with everything in time/date order.

The custom view which can be imported is called AttackLogs.XML; the collected logs can then be saved as AttackLogs.EVTX.
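As an added illustration (this is not Sophos' AttackLogs.XML, whose real contents are in the linked KB), here is a custom view of the same shape that covers the three questions above, run and exported from an elevated PowerShell prompt. The event IDs are standard Windows ones (4624 logon, 7045 service installed, 4104 PowerShell script block); the file names are made up, and 4104 only appears if Script Block Logging is enabled.

```powershell
# Constructed example of an Event Viewer "custom view" query spanning several logs.
# This is NOT the contents of Sophos' AttackLogs.XML; it just shows the mechanism.
$query = @"
<QueryList>
  <Query Id="0">
    <!-- which user was logged in: successful logons -->
    <Select Path="Security">*[System[(EventID=4624)]]</Select>
    <!-- new services created -->
    <Select Path="System">*[System[Provider[@Name='Service Control Manager'] and (EventID=7045)]]</Select>
    <!-- PowerShell script blocks executed (needs Script Block Logging turned on) -->
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104)]]</Select>
  </Query>
</QueryList>
"@

# Run the query across all three logs and show hits in time/date order (oldest first).
# -ErrorAction SilentlyContinue hides the "no events found" error on a quiet machine.
$events = Get-WinEvent -FilterXml ([xml]$query) -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
$events |
    Select-Object TimeCreated, LogName, Id,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize

# Export every matching event into one .evtx, the same result as Event Viewer's
# "Save All Events in Custom View As..." on the imported view. File names are made up.
$queryFile  = Join-Path $env:TEMP 'AttackLogsExample.xml'
$exportFile = Join-Path $env:TEMP 'AttackLogsExample.evtx'
Set-Content -Path $queryFile -Value $query -Encoding ASCII
wevtutil epl $queryFile $exportFile /sq:true   # /sq:true = path is a structured XML query
```

The exported .evtx opens in Event Viewer on an analysis machine, so the victim's logs can be reviewed offline in one combined timeline.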

More info: How to Collect Windows Events Logs using AttackLogs.XML

Special thanks to  and  !