Simple Event Log Analysis

Event logs record what applications and the operating system are doing. With PowerShell cmdlets and their parameters, these events can be dumped into variables or files, filtered, and searched for specific dates in the system's records.

Log file analysis is an important task that gives us critical information about a service, an application or a system. When we need to examine or research a target, it is highly recommended to dig into the log files, because the configuration, events, errors, warnings and notices from a given system are all stored in these files.

Step 1: Dump the event logs

The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump a traditional event log such as Security, Application or System, use the Get-EventLog and Export-Clixml cmdlets.

If you need to work with one of the trace logs, use the Get-WinEvent and Export-Clixml cmdlets.

Get-EventLog -LogName application | Export-Clixml Applog.xml
type .\Applog.xml
$logs = "system","application","security"

The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console.

$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }
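As an added example (not code from the original post), here is a script that performs Step 1 for several logs at once. It follows the split the text describes: Get-EventLog for the classic logs and Get-WinEvent for an operational channel. The output folder, the seven-day window and the channel name are assumptions for this example. Two caveats worth knowing: Get-EventLog exists only in Windows PowerShell (it was removed in PowerShell 7, where Get-WinEvent covers both cases), and reading the Security log needs an elevated session.

```powershell
# Added example, not from the original post. Assumed: output folder, time window, channel name.
$OutDir = 'C:\ps\logs'
$Since  = (Get-Date).AddDays(-7)      # keep the export small: last seven days only

# Reading the Security log requires an elevated session; warn early instead of failing late.
$principal = [Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Warning 'Not elevated: exporting the Security log will fail with access denied.'
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Classic logs: Get-EventLog (Windows PowerShell 5.1 only), as in the text.
foreach ($log in 'System', 'Application', 'Security') {
    $file    = Join-Path $OutDir "$log.xml"
    $entries = Get-EventLog -LogName $log -After $Since
    $entries | Export-Clixml -Path $file
    '{0,-45} {1,7} entries -> {2}' -f $log, @($entries).Count, $file
}

# Operational/trace channels are invisible to Get-EventLog; Get-WinEvent reads them.
$channel = 'Microsoft-Windows-PowerShell/Operational'   # assumed channel for this example
$file    = Join-Path $OutDir (($channel -replace '[\\/]', '-') + '.xml')   # "/" is not valid in a file name
try {
    Get-WinEvent -FilterHashtable @{ LogName = $channel; StartTime = $Since } -ErrorAction Stop |
        Export-Clixml -Path $file
}
catch {
    # Get-WinEvent throws when the channel is empty or unreadable; report and continue.
    Write-Warning "$channel : $($_.Exception.Message)"
}

# Record a SHA-256 hash of every export so later tampering with the XML files can be detected.
Get-ChildItem -Path $OutDir -Filter *.xml | Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path (Join-Path $OutDir 'export-hashes.csv') -NoTypeInformation
```

Keep the hash file somewhere the exports cannot reach (a separate share or a ticket attachment): an export that is later used as evidence is only as trustworthy as the record of what it looked like when it was taken.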

Step 2: Import the event log of interest

To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.

Store the results in a variable.

Let's take a look at the cmdlets Where-Object, Group-Object, and Select-Object.

The following two commands first read the exported Security log into a variable named $seclog, and then return the five oldest entries (Get-EventLog returns the newest entries first, so the last five are the oldest).

$seclog = Import-Clixml security.xml
$seclog | select -Last 5

A cool trick from one of our students named Adam: this command shows the Application log entries from the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

You can use -After and -Before to filter date ranges.

One thing you must keep in mind is that once you export the Security log to XML, it is no longer protected by anything more than the NTFS and share permissions assigned to the location where you store it.

By default, an ordinary user does not have permission to read the security log.
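As an added example (not code from the original post), the following block does Step 2 on the exported Security log and also acts on the permissions caveat above: before anything is read, the XML file's NTFS ACL is cut down to Administrators and SYSTEM. The path is an assumption for this example, and the ACL change has to be made from an elevated session. Note that -After and -Before belong to Get-EventLog; once the entries come from Import-Clixml they are plain deserialized objects, so the 24-hour window is applied with Where-Object on TimeGenerated.

```powershell
# Added example, not from the original post. $Path is an assumption.
$Path = 'C:\ps\logs\Security.xml'

# 1. Tighten NTFS permissions on the export: stop inheriting from the folder, discard the
#    inherited entries, then allow only Administrators and SYSTEM. Share permissions on a
#    network location are separate and must be reviewed on their own.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # $true = protect from inheritance, $false = do not keep inherited rules
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# 2. Import the entries. DateTime values survive the CLIXML round trip, so TimeGenerated
#    can be compared directly; EventID, EntryType and Message are present as well.
$seclog = Import-Clixml -Path $Path
$since  = (Get-Date).AddDays(-1)
$recent = $seclog | Where-Object { $_.TimeGenerated -gt $since }

'{0} entries total, {1} in the last 24 hours' -f @($seclog).Count, @($recent).Count

# Oldest five of the recent entries, comparable to "$seclog | select -Last 5" in the text.
$recent | Sort-Object TimeGenerated | Select-Object -First 5 TimeGenerated, EventID, EntryType
```

Run `Get-Acl $Path | Format-List` afterwards to confirm that only the two explicit entries remain; if an unexpected principal still has read access, the protection step was applied to the wrong path.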

Step 3: Drill into a specific entry

To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.

$seclog | select -first 1 | fl *

The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.

($seclog | select -first 1).message
(($seclog | select -first 1).message).gettype()

In the *nix world, you often want a count of something (wc -l).

How often is the security privilege mentioned in the message property?

To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure

To make sure that only the entries which actually contain SeSecurityPrivilege are returned, and to see which event IDs they belong to, use Group-Object to group the matches by the EventID property.

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid

Because importing the event log from the stored XML yields a collection of event log entries, the Count property is available as well.

Use the count property to determine the total number of entries in the event log.
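As an added example (not code from the original post), this block runs the Count, Where-Object/Measure-Object and Group-Object steps from Step 3 and then goes one step further: it turns the free-text Message of a 4672 event (special privileges assigned to a new logon) into structured fields. The three entries are constructed to resemble Security log events 4672 and 4624 so that the block runs offline; replace $seclog with the output of Import-Clixml to use real data.

```powershell
# Added example, not from the original post. The entries below are constructed sample data.
function New-LogEntry ($Id, $MinutesAgo, $Message) {
    [pscustomobject]@{
        EventID       = $Id
        TimeGenerated = (Get-Date).AddMinutes(-$MinutesAgo)
        EntryType     = 'SuccessAudit'
        Message       = $Message
    }
}

$seclog = @(
    New-LogEntry 4672 5  "Special privileges assigned to new logon.`r`n`r`nSubject:`r`n`tSecurity ID:`t`tS-1-5-18`r`n`tAccount Name:`t`tSYSTEM`r`n`tAccount Domain:`t`tNT AUTHORITY`r`n`tLogon ID:`t`t0x3E7`r`n`r`nPrivileges:`t`tSeAssignPrimaryTokenPrivilege`r`n`t`t`tSeTcbPrivilege`r`n`t`t`tSeSecurityPrivilege"
    New-LogEntry 4672 12 "Special privileges assigned to new logon.`r`n`r`nSubject:`r`n`tSecurity ID:`t`tS-1-5-21-1111-2222-3333-1001`r`n`tAccount Name:`t`tjdoe`r`n`tAccount Domain:`t`tCORP`r`n`tLogon ID:`t`t0x5A3F1`r`n`r`nPrivileges:`t`tSeSecurityPrivilege`r`n`t`t`tSeBackupPrivilege`r`n`t`t`tSeRestorePrivilege"
    New-LogEntry 4624 13 "An account was successfully logged on.`r`n`r`nSubject:`r`n`tSecurity ID:`t`tS-1-0-0`r`n`tAccount Name:`t`t-`r`n`tAccount Domain:`t`t-`r`n`tLogon ID:`t`t0x0"
)

# The Count property mentioned in the text: total entries in the collection.
"Total entries: $($seclog.Count)"

# How often SeSecurityPrivilege is mentioned, then which event IDs those mentions belong to.
$seclog | Where-Object { $_.Message -match 'SeSecurityPrivilege' } | Measure-Object |
    Select-Object -ExpandProperty Count
$seclog | Where-Object { $_.Message -match 'SeSecurityPrivilege' } | Group-Object EventID |
    Select-Object Name, Count

# Parse the Message of each 4672 event into SID, account and privilege list.
function ConvertFrom-PrivilegeEvent {
    param([Parameter(ValueFromPipeline)] $Entry)
    process {
        if ($Entry.EventID -ne 4672) { return }
        $m = $Entry.Message
        # Each field runs from the label to the end of its line; [^\r\n]+ keeps "NT AUTHORITY" whole.
        $sid     = if ($m -match 'Security ID:\s*([^\r\n]+)')     { $Matches[1].Trim() }
        $account = if ($m -match 'Account Name:\s*([^\r\n]+)')    { $Matches[1].Trim() }
        $domain  = if ($m -match 'Account Domain:\s*([^\r\n]+)')  { $Matches[1].Trim() }
        # (?s) lets "." cross line breaks, so everything after "Privileges:" is captured.
        $privs   = if ($m -match '(?s)Privileges:\s*(.+)$') {
                       $Matches[1] -split '\s+' | Where-Object { $_ }
                   }
        [pscustomobject]@{
            Time       = $Entry.TimeGenerated
            SID        = $sid
            Account    = "$domain\$account"
            Privileges = $privs -join ', '
        }
    }
}

$seclog | ConvertFrom-PrivilegeEvent | Format-Table -AutoSize
```

The parsed objects are what you want to group and sort on: grouping by Account shows which identities received sensitive privileges in the window, which is far more useful than a raw count of matches in the Message text.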



The Select-String cmdlet is the most commonly used command to search or filter files:


The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows. You can type Select-String or its alias, sls.

Select-String is based on lines of text. By default, Select-String finds the first match in each line and, for each match, it displays the file name, line number, and all text in the line containing the match. However, you can direct it to detect multiple matches per line, display text before and after the match, or display only a Boolean value (True or False) that indicates whether a match is found.

Select-String uses regular expression matching, but it can also perform a simple match that searches the input for the text that you specify.

Select-String can display all of the text matches or stop after the first match in each input file. It can also display all text that does not match the specified pattern. You can also specify that Select-String should expect a particular character encoding, such as when you are searching files of Unicode text.


mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("", "c:\ps\CiscoLogFileExamples.txt")



Using the Select-String cmdlet:

Select the lines that contain the string “”:

Select-String .\CiscoLogFileExamples.txt

Select the string “” line by line; as this example shows, the result can be piped to another cmdlet:

Select-String .\CiscoLogFileExamples.txt | select line

To see how many connections were made when analyzing a single host, that output can be piped to another command, Measure-Object.

Select-String .\CiscoLogFileExamples.txt | select line | Measure-Object

To select all IP addresses in the file, expand the Matches property, select the Value, take the unique values and measure the output.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object

Removing Measure-Object shows the individual IP addresses instead of only their count.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique

To determine which IP addresses communicate the most, the last two commands are removed so that the values of the matches are kept. Then Group-Object is applied to the piped output to group the IP addresses by value, and the groups are sorted using the alias for Sort-Object: sort count -des.

This sorts the IP addresses by count in descending order and writes the output to the shell.

Select-String "\b(?:\d{1,3}\.){3}\d{1,3}\b" .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des
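As an added example (not code from the original post), the following block runs the Select-String pipelines from this section over a small constructed ASA-style log, written to a temporary file so that it works offline. The log lines and the addresses (RFC 5737 documentation ranges) are constructed for this example. The one change from the commands above is -AllMatches: as the text notes, Select-String keeps only the first match per line by default, so a line that names both a source and a destination address would contribute one IP instead of two.

```powershell
# Added example, not from the original post. The log below is constructed sample data.
$Sample = @'
Jan 10 10:01:12 fw1 %ASA-6-302013: Built outbound TCP connection 41001 for outside:203.0.113.5/443 (203.0.113.5/443) to inside:192.0.2.10/51234 (198.51.100.1/51234)
Jan 10 10:01:15 fw1 %ASA-6-302014: Teardown TCP connection 41001 for outside:203.0.113.5/443 to inside:192.0.2.10/51234 duration 0:00:03 bytes 8112 TCP FINs
Jan 10 10:02:02 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.77/55512 dst inside:192.0.2.10/22 by access-group "outside_in"
Jan 10 10:02:40 fw1 %ASA-6-302013: Built outbound TCP connection 41002 for outside:203.0.113.5/80 (203.0.113.5/80) to inside:192.0.2.11/49870 (198.51.100.1/49870)
Jan 10 10:03:05 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.77/55513 dst inside:192.0.2.10/3389 by access-group "outside_in"
'@
$LogFile = Join-Path ([IO.Path]::GetTempPath()) 'CiscoLogFileExamples.txt'
Set-Content -Path $LogFile -Value $Sample

$IpPattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

# Lines that mention one host, and how many there are (the per-host connection count).
$hostLines = Select-String -Pattern '192\.0\.2\.10\b' -Path $LogFile | Select-Object Line
"Lines mentioning 192.0.2.10: $(($hostLines | Measure-Object).Count)"

# Every address in the file versus only the first one per line: -AllMatches makes the difference.
$firstOnly = Select-String $IpPattern $LogFile | Select-Object -ExpandProperty Matches |
    Select-Object -ExpandProperty Value
$all = Select-String $IpPattern $LogFile -AllMatches | Select-Object -ExpandProperty Matches |
    Select-Object -ExpandProperty Value
'Matches: {0} with the default first-match-per-line, {1} with -AllMatches' -f @($firstOnly).Count, @($all).Count

# Unique addresses, then the top talkers, as in the text.
$all | Sort-Object -Unique
$all | Group-Object | Sort-Object Count -Descending | Select-Object Count, Name

# Denied connections grouped by source address: a capture group pulls out just the source.
Select-String -Pattern 'Deny .*src outside:(\d{1,3}(?:\.\d{1,3}){3})' -Path $LogFile |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Group-Object | Sort-Object Count -Descending | Select-Object Count, Name
```

Compare the two numbers printed by the "Matches:" line: the gap between them is exactly the set of addresses the original pipeline silently drops, which matters when the host you are looking for is usually the second address on a line.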


There are many interesting things you can do with PowerShell; I invite you to keep researching this.

Try Certified Ethical Hacker for FREE!!!


How to understand phishing scams?


So, what about phishing scams?

Phishing is one of the most common social engineering attacks, and it has been on the rise recently.

The following list gives a few social engineering scams executed via phishing:

  1. Banking Link Scam:

Someone could easily send you an email to trick you into revealing vital information about yourself. One may even send you a phony link to your bank so that you believe your real bank sent it. Then you will be tempted to enter your user name and password. In 2015, a campaign named Carbanak was able to take about a billion dollars from over 30 countries, according to Kaspersky. That is phishing.

What happened precisely is that the attackers relied heavily on spear phishing. As a result, workstations were infected with the unwitting help of the banks' own employees. The attackers were able to tunnel deeper into the banks' systems and take control of employee workstations. This allowed them to transfer cash, operate ATMs remotely, change the details of various accounts, and play other tricks on the records.

The problem at the time was primarily a phishing email sent to some employees as if one of their colleagues had sent it. Behind the scenes, however, there was malicious code, and from there it spread widely. Meanwhile, everything that happened on the victims' machines was recorded by the attackers for later use. When the time was right, the attackers understood the whole system and knew where everything was. This made it easy for them to carry out a number of transactions, among them the ATM withdrawals. They also inflated bank balances and then siphoned off the difference, so that a customer's balance might go from $20,000 to $100,000 and the $80,000 became the hackers' earnings.


  2. Fax Notice Scam:

It is nothing more than a phony link to a fake fax, but the damage it does to your computer can be enormous. This type of scam appears mostly around companies that rely heavily on faxes, such as document management firms, title companies, and insurance and other financial services companies.


  3. Dropbox Link Scam:

Even Dropbox has had its surprises when it comes to scams. Several security incidents occurred during 2014. In one case, a phishing email was sent to victims asking them to click on a fake link to reset their Dropbox password. The link led users to a page showing a browser warning that their browser was out of date and needed updating. There was a button users had to press to run the update; this was in fact the trigger for a Trojan from the Zeus family of malware. In another phishing attack that used Dropbox, emails containing Dropbox links were sent to victims, and clicking those links installed malicious software such as the “CryptoWall” ransomware.


  4. Court Secretary Complaint Link Scam:

This is another phony link which hackers use to trick a customer who then falls victim to phishing. It is a link that supposedly confirms a customer's complaint. For instance, such a phishing email may predict that a consumer is about to complain about something very soon. The sender tries to learn the customer's problems in order to work on them further. This kind of phishing was in fact very common for quite some time.


  5. Facebook Message Link Scam:

This type of phishing trick mainly appears around the time a celebrity dies. A link is sent through Messenger or shared through different pages, promising something that will appear once the proposed link is clicked.

One vivid example occurred when Robin Williams died. Unfortunately, a phishing message spread widely among Facebook users, tempting them to open a link to watch a Robin Williams goodbye video. The message was made even more convincing by a title claiming it was an exclusive video of Williams saying goodbye from his cell phone. When users clicked the link, it took them to a bogus BBC web page that contained nothing but bad links leading to online survey scams.

How is it possible for an attacker to attract more victims to the counterfeit website?

There are in fact many methods an attacker uses to get more victims to visit the fake website. Among them are the following four tricks:

  1. The attacker shortens the phishing website's URL to the minimum appropriate length.
  2. The URL gets shared many times on social platforms such as WhatsApp and Viber. People are more likely to follow these phishing links there because there is little shared awareness of computer security among the users of these groups.
  3. Most attackers rely on social engineering here so that people fall into the trap and open the links.
  4. The attackers send the URLs to the victims through emails, especially ones sent from female names.



Hacking GMail Using Phishing Method and Prevention

How to Hack Gmail using Phishing Method


In fact, a key answer to the question in this article's title is Wapka. So what is Wapka? It is a free platform for website creation. By using it, the Gmail id, browser and IP address of a victim could all be sent. Through this website, a phishing website could be created easily without much knowledge of PHP or MySQL.


What do I have to get before getting into the steps?

You have to be aware of the following points before starting the steps which are to be discussed later on in this article:

1. You have to have an email account to be able to register on Wapka

2. You have to be knowledgeable of HTML to some extent.

3. You have to be knowledgeable of Gmail to some extent.

4. You also should be somehow aware of website creation.

5. You have to have a victim as a target for this attack.

What are we about to do now?

We are to create a website that looks exactly like Gmail mobile website. Then, we will receive the victim’s passwords, email id, IP address and browser information, through our email id.


Let’s discuss the detailed steps now:

1. Open the Wapka website and get a new account registered on the site.

2. Now, get logged into your new account and navigate through the Site List to create a new one.

3. Type the name of the site, noting that all characters should be in the range of characters a to z  and numbers 0 to 9. Special characters are not allowed.

For example, you can create a username:  newgmail21 and make it

4. After clicking “submit”, this should drive you to a screen with two options: either an Admin Mode or User Mode. You should click on “Admin Mode”.

5. A blank page should now appear, which is simply your site to which you have done nothing so far. To start editing your site, click on the link:: EDIT SITE(#):: This link is at the lower rightmost corner of the screen.

6. Click on the Mail form out of all the options which appear to you now.

7. A new screen will appear. You should uncheck “Enable CAPTCHA pictures”.

Now, click “submit”. Also, remember not to set it in admin mode.

8. To make your email id as the destination where the victim’s details will be sent, you need to do the following:

A. Navigate through the site list and click with the cursor on your website name. Without choosing the Admin Mode, you need to scroll down and hit “Source code viewer.”

B. Inside the box, you should type the link to your site. There should appear a screen with some code, search for the word “value=” and take note of the number right beside it.

C. Make the mail form hidden in Admin mode. This can simply be done through the next step, but only after getting the value=”XXXX..” code.

D. Now click on your site, then choose Admin mode. You should have a blank site again, as before, and now you should also click on “Edit Site”. Afterward, click on “Users”.

E. Click now on items visibility, and then you should select X from the drop-down menu.

F. Now, download the following code from this link:

G. Click on your site again and press the Admin Mode. Now, you should press Edit site and choose “WML/XHTML code”. You should now make use of the code you have just downloaded; copy paste it into this section of WML/XHTML code.

H. Remember to get the value=”XXX..” in the code replaced by the one you extracted just now.

9. Now the phishing website is ready as a design, appearance, and even functionalities. Any victim’s details should now get sent to your email which you used while registering on the Wapka website. The email will be received from [email protected] The details that will be sent should include: User-name and password With IP Address and Browser used by the victim.

10. Congratulations! You can now hack the Gmail account. Well done.


Where can’t I use Wapka?

There are two locations where the use of Wapka is impossible:

1. Facebook: any Wapka URLs get blocked by Facebook before sharing them. That’s because people on Facebook try to save their clients to the most possible levels.

2. India: the government there blocked the use of this website inside the country. Even browsing the website is impossible inside India. However, they forgot that a proxy site can do all the magic mentioned earlier, whether or not the website is blocked in a country.


How can one prevent himself/herself from getting hacked through Gmail phishing?

1. First of all, you’ve got to make sure that the URL starts with “https” in the URL bar. This ascertains that it is a Google site.

2. If there is a link which refers to any “Free Offer, Free Lottery, Free Insurance, Free Net” etc., it is very highly recommended not to click on the link because it may be a phishing site. This is so common on social media websites such as Whatsapp, or even text SMS messages.

3. Don't click links sent to you in an email just because a girl has sent them to you. This is actually one of the commonly used phishing methods to trick men into opening the link. It is one of the trickiest methods of social engineering.

4. So, in a nutshell, try not to get yourself into social engineering to avoid being a victim of phishing in general and Gmail Phishing in particular.
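As an added example (not code from the original article), here is a small check that goes one step beyond the first tip. The scheme alone says nothing about who runs a site, so this function also verifies that the host name really belongs to the expected domain, and it flags the user-info trick where the real host is hidden after an @ sign. The function name and the host names in the test list are constructed for this example.

```powershell
# Added example, not from the original article. Function name and sample URLs are constructed.
function Test-GoogleSignInUrl {
    param([Parameter(Mandatory)][string] $Url)

    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        return [pscustomobject]@{ Url = $Url; Verdict = 'Not a valid absolute URL' }
    }

    $reasons = @()
    if ($uri.Scheme -ne 'https') { $reasons += 'not https' }

    # The host must be google.com itself or a label directly under it. A lookalike such as
    # accounts.google.com.example.net passes a naive "contains google.com" test but fails
    # this one, because its registrable domain is example.net.
    $hostName = $uri.Host.ToLowerInvariant()
    if (-not ($hostName -eq 'google.com' -or $hostName.EndsWith('.google.com'))) {
        $reasons += "host '$hostName' is not under google.com"
    }

    # Anything before "@" in the authority is user info, not the host; a URL that carries
    # user info at all is reason enough to stop and look closer.
    if ($uri.UserInfo) { $reasons += 'URL carries user info before the host' }

    [pscustomobject]@{
        Url     = $Url
        Verdict = if ($reasons) { 'SUSPICIOUS: ' + ($reasons -join '; ') } else { 'OK' }
    }
}

# Constructed sample URLs: one legitimate form, and several that only look right at a glance.
@(
    'https://accounts.google.com/signin',
    'http://accounts.google.com/signin',
    'https://accounts.google.com.example.net/signin',
    'https://accounts.google.com@example.net/signin',
    'https://mail.google.com/'
) | ForEach-Object { Test-GoogleSignInUrl $_ } | Format-Table -AutoSize
```

The point of the check is the order of the tests: parse the URL first, then judge the host, and only then the scheme. A page can be served over perfectly valid HTTPS and still belong to someone else.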



Exploit Development webinar FREE!

In this FREE webinar Joe McCray will cover the fundamentals of exploit development and of modifying public exploit code on penetration tests. People with little to no exploit development or programming experience are the ones for whom Infosecaddicts designed this webinar. However, people from the information security field are also welcome to join.

About Joe McCray:

Joe McCray has been teaching IT Security since 2005, offering hands-on labs and no death by PowerPoint in his classes, when it finally hit him: to be a good teacher he needed a more compact and complete training program.

This webinar will be held on the 22nd of February at 1pm EST.

Click the link below to sign up for this webinar:


To check out all our free courses you can click here