Ticket #162 (new new_feature)

Opened 1 month ago

Would like to grab Windows Event Log data

Reported by: xkovah Assigned to: kindlund
Priority: normal Milestone: 1.1
Component: Unknown Version: none
Severity: none Keywords:
Cc:

Description

It would be nice if we had a way of grabbing just the Windows Event Log events which occur starting maybe 2 minutes before the first event seen by capture. The reason for pushing the time back a little bit is because it could give some idea of what may have crashed or started prior to the first seen event (to see what an exploit may have done while still resident in memory).

Also the events in general can be quite interesting, such as b883c2ac6372dede81243a5298 which eventually writes C:\WINDOWS\system32\RESSDT.exe.

But what does it do with RESSDT.exe? Well if we had the ability to grab the relevant last entries from the event log we could see at a glance that it gets started as a service.

Xeno
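The query the ticket asks for, written out as an added PowerShell example (not code from the ticket or from the project): pull every entry from the chosen logs in a window that starts a configurable number of minutes before the first event the capture run observed, and mark the entries that fall in that look-back window. Service installations (System log, Service Control Manager event ID 7045, which is what "gets started as a service" would show up as) are flagged with the service name and image path. The function name, its parameters and the sample timestamp are assumptions for illustration; the Security log is not queried by default because reading it needs an elevated session.

```powershell
# Added example, not part of the ticket or the project's code.
# Returns Windows Event Log entries from a look-back window before the first
# event a capture run observed, flagging new-service installations (ID 7045).
function Get-EventsAroundCapture {
    param(
        [Parameter(Mandatory)] [datetime] $FirstEventTime,   # first event seen by capture
        [datetime] $EndTime = (Get-Date),                     # end of the capture run
        [int] $LookbackMinutes = 2,                           # the ticket's "2 minutes before"
        [string[]] $LogName = @('System', 'Application')      # add 'Security' when elevated
    )

    $start = $FirstEventTime.AddMinutes(-$LookbackMinutes)

    # One query across all requested logs for the window. Get-WinEvent raises a
    # non-terminating error when nothing matches, so suppress it and emit nothing.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = $LogName
        StartTime = $start
        EndTime   = $EndTime
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $note = ''
        # System/7045 "A service was installed in the system": EventData fields are
        # ServiceName, ImagePath, ServiceType, StartType, AccountName, in that order.
        if ($e.LogName -eq 'System' -and $e.Id -eq 7045 -and $e.Properties.Count -ge 2) {
            $note = 'NEW-SERVICE: {0} -> {1}' -f $e.Properties[0].Value, $e.Properties[1].Value
        }
        [pscustomobject]@{
            TimeCreated  = $e.TimeCreated
            BeforeFirst  = ($e.TimeCreated -lt $FirstEventTime)   # in the look-back window
            LogName      = $e.LogName
            Id           = $e.Id
            ProviderName = $e.ProviderName
            Note         = $note
            Message      = ($e.Message -split "`r?`n")[0]        # first line of the message
        }
    }
}

# Usage with a constructed timestamp: first capture event at 14:03:10 local time today.
$first = Get-Date -Hour 14 -Minute 3 -Second 10
Get-EventsAroundCapture -FirstEventTime $first -LookbackMinutes 2 |
    Format-Table TimeCreated, BeforeFirst, LogName, Id, Note, Message -AutoSize
```

Sorting by TimeCreated and keeping the BeforeFirst flag lets the reader see at a glance which entries predate the first captured event (crashes or starts the ticket wants context for) and which followed it; the 7045 note is where a dropped file such as a new system32 binary registered as a service would appear.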
