Hi Community,
When investigating malware attacks on a computer it is often necessary to look at the Windows Event logs. This could be to understand:
- Which user was logged in at the time
- If any new services were created
- If any PowerShell scripts had been executed
As well as many other useful bits of evidence.
Windows includes a large selection of event logs, only some of which are typically used in a malware investigation. Going through the separate logs one by one can be time-consuming, so to help with this Sophos have created a 'custom view' which can be imported onto the victim's machine and used to collect the relevant logs, grouping them into one large log (AttackLogs.evtx) with everything in time/date order.
The custom view that can be imported is called AttackLogs.XML; the collected logs can then be saved as AttackLogs.EVTX.
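As an added example (this is not Sophos' AttackLogs.XML, whose contents are not shown in the post), here is a custom-view style QueryList that covers the three questions above and previews the matching events from PowerShell as one timeline. The event IDs and log names are standard Windows ones; the 7-day window and the CSV output path are my own assumptions.

```powershell
# Custom-view query covering: who was logged on, new services, PowerShell execution.
# Run from an elevated PowerShell prompt on the machine being examined.
$since = (Get-Date).AddDays(-7).ToUniversalTime().ToString("o")   # constructed 7-day window

[xml]$attackQuery = @"
<QueryList>
  <!-- Which user was logged in: 4624 interactive (2) and remote interactive (10) logons -->
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4624) and TimeCreated[@SystemTime&gt;='$since']]]
      and *[EventData[Data[@Name='LogonType']='2' or Data[@Name='LogonType']='10']]
    </Select>
  </Query>
  <!-- New services: 7045 is written by the Service Control Manager; 4697 needs Security auditing enabled -->
  <Query Id="1" Path="System">
    <Select Path="System">*[System[(EventID=7045) and TimeCreated[@SystemTime&gt;='$since']]]</Select>
  </Query>
  <Query Id="2" Path="Security">
    <Select Path="Security">*[System[(EventID=4697) and TimeCreated[@SystemTime&gt;='$since']]]</Select>
  </Query>
  <!-- PowerShell script execution: 4104 script block logging (needs the policy enabled) -->
  <Query Id="3" Path="Microsoft-Windows-PowerShell/Operational">
    <Select Path="Microsoft-Windows-PowerShell/Operational">*[System[(EventID=4104) and TimeCreated[@SystemTime&gt;='$since']]]</Select>
  </Query>
</QueryList>
"@

# One query across several logs; a log with no matches is skipped rather than aborting the run.
$events = Get-WinEvent -FilterXml $attackQuery -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

# Single time-ordered view, first line of each message as a summary.
$events | Select-Object TimeCreated, LogName, Id, ProviderName,
    @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize

# Keep a copy of the preview next to the EVTX exported from Event Viewer (constructed path).
$events | Export-Csv -Path "$env:USERPROFILE\Desktop\AttackLogs-preview.csv" -NoTypeInformation
```

The same QueryList can be pasted into the XML tab of Event Viewer's Create Custom View dialog, after which "Save All Events in Custom View As..." writes the combined events to a single .evtx file in the way the post describes.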
More info: How to Collect Windows Events Logs using AttackLogs.XML
Special thanks to PeterM and Vikas!