1 / 10

Dump Event Log (Dumpel)

Dump Event Log (Dumpel). Dumpel.exe Retrieves information from Windows Event Log Appropriate OS auditing policies must be defined At least three logs available: application, security, system. Dumpel (2). dumpel –l security –s \ server –c –d 1 –f sec.csv Choose a log to retrieve (required)

lynna
Download Presentation

Dump Event Log (Dumpel)

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Dump Event Log (Dumpel) • Dumpel.exe • Retrieves information from Windows Event Log • Appropriate OS auditing policies must be defined • At least three logs available: application, security, system.

  2. Dumpel (2) dumpel –l security –s \\server –c –d 1 –f sec.csv • Choose a log to retrieve (required) -l [security | application | system] • Choose delimiter (-c) -c = comma -t = tab default = whitespace • Choose number of days to retrieve -d NN where NN is an integer > 0 • Choose server and output file -s \\server -f filename.txt

  3. Dumpel (3) • Limiting by Source (-m SOURCE) • LSASRV -l application -m LSASRV • Security -l security -m security • Retrieve specific information (-e NN) • Failed logins (-l security -m security -e 529) • Object access (-l security -m security -e 560) • Shutdown (-l security -m security -e 513) • Inverting the query (-r) • Retrieves everything EXCEPT what matches the limitations specified by other parameters.

  4. SC (Service Control) • Single service C:\>sc \\server query service • All services C:\>sc \\server query • Running services C:\>sc \\server query state= • Stopped services C:\>sc \\server query state= inactive • Export to a text file C:\>sc \\server query > filename.txt

  5. Reg C:\>reg REG Operation [Parameter List] Operation [ QUERY | ADD | DELETE | COPY | SAVE | LOAD | UNLOAD | RESTORE | COMPARE | EXPORT | IMPORT ] Return Code: (Except of REG COMPARE) 0 - Successful 1 - Failed For help on a specific operation type: REG Operation /?

  6. Reg Query Operation • Reg operations add, change, save or display registry content • Type ‘reg operation /?’ for context-sensitive help • ‘Query’ operation outputs registry contents in text format and works on remote systems • Syntax: • REG QUERY [\Machine\]FullKey [/v ValueName | /ve] [/s]

  7. Reg Query Examples • Query locally-installed software C:\>reg query HKLM\software • Query locally-installed software, including all subkeys C:\>reg query HKLM\software /s • Query hardware on a remote server C:\>reg query \\server\HKLM\hardware • Query user profiles on a remote server C:\>reg query \\server\HKU

  8. Addusers • Addusers_x86 \\server /d filename.txt • Run as administrator • To change the delimiter, add /s:x, where x is the character used to separate the fields • Change /d to /d:u to put the output in Unicode • Can also create, modify, and delete accounts.

  9. Importing Data into a Spreadsheet • To make the output easier to read: • Open empty sheet in Excel • Go to Data/Import External Data/Import Text File… • Select Delimited, then choose delimiter and ‘Treat Consecutive delimiters as one’ • Click Next, Finish, OK to finish

  10. Data in Excel

More Related