This blog post aims to show how to combine EvtxECmd (v0.6.0.3) with LogonTracer (v1.5.0) during the analysis of Windows Event Log events.
To have some data to work on, download, for instance, the Windows EVTX Samples shared by Samir (@SBousseaden) on GitHub.
Extract the EVTX files to a temporary location such as C:\TEMP\EVTX-ATTACK-SAMPLES-master and use EvtxECmd to export, as XML, only the events that LogonTracer currently supports. LogonTracer expects a single well-formed XML document, so the EvtxECmd output then needs the following post-processing:
- Add the following header: <?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>
- Add this footer: </Events>
- Replace all the <Event> tags with <Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
- Merge all lines into one
- Remove all the spaces between ">" and "<"
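The five post-processing steps above, applied by a script rather than by hand, as an added example that is not part of the original post (EvtxECmd and LogonTracer ship nothing like it). It assumes you already have EvtxECmd's XML export in a file containing one or more bare `<Event>` elements; the function names `to_logontracer_xml`, `count_events` and `convert_file` and the two-event sample input are constructed for this example. The parse-back check at the end is an addition beyond the listed steps: it confirms the result is well-formed and that every event survived, which is what LogonTracer will need when it imports the file.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape EvtxECmd writes (indented, multi-line,
# no namespace on <Event>). Values are made up, not real log data.
SAMPLE_EVTXECMD_XML = """<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4624</EventID>
    <TimeCreated SystemTime="2019-01-01T00:00:00.0000000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">alice</Data>
    <Data Name="IpAddress">10.0.0.5</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
<Event>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" />
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2019-01-01T00:00:05.0000000Z" />
    <Computer>DC01.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">bob</Data>
    <Data Name="IpAddress">10.0.0.6</Data>
    <Data Name="LogonType">3</Data>
  </EventData>
</Event>
"""

HEADER = '<?xml version="1.0" encoding="utf-8" standalone="yes"?><Events>'
FOOTER = "</Events>"
EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS_EVENT = f"<Event xmlns='{EVENT_NS}'>"


def to_logontracer_xml(evtxecmd_xml: str) -> str:
    """Turn EvtxECmd XML output into the single-document form LogonTracer reads."""
    # Step 3: only the bare <Event> tag gets the namespace; <EventID> and
    # <EventData> must stay untouched, so match the literal tag exactly.
    body = evtxecmd_xml.replace("<Event>", NS_EVENT)
    # Step 4: merge all lines into one (strip indentation at the same time).
    body = "".join(line.strip() for line in body.splitlines())
    # Step 5: remove any whitespace that still sits between ">" and "<".
    body = re.sub(r">\s+<", "><", body)
    # Steps 1 and 2: wrap everything in the header and the closing footer.
    return HEADER + body + FOOTER


def count_events(logontracer_xml: str) -> int:
    """Parse the converted document and return how many events it holds.

    Raises xml.etree.ElementTree.ParseError if the conversion produced
    malformed XML, which is the failure LogonTracer would otherwise hit.
    """
    root = ET.fromstring(logontracer_xml.encode("utf-8"))
    if root.tag != "Events":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return sum(1 for child in root if child.tag == f"{{{EVENT_NS}}}Event")


def convert_file(src_path: str, dst_path: str) -> int:
    """Convert an EvtxECmd XML export on disk; returns the event count."""
    with open(src_path, encoding="utf-8") as fh:
        converted = to_logontracer_xml(fh.read())
    n = count_events(converted)  # fail here, not inside LogonTracer
    with open(dst_path, "w", encoding="utf-8") as fh:
        fh.write(converted)
    return n


if __name__ == "__main__":
    # Usage: python convert.py <evtxecmd_export.xml> <logontracer_input.xml>
    if len(sys.argv) == 3:
        print(f"{convert_file(sys.argv[1], sys.argv[2])} events written")
    else:
        print(f"{count_events(to_logontracer_xml(SAMPLE_EVTXECMD_XML))} sample events converted")
```

The `count_events` check is cheap insurance: a stray newline inside the header or an `<EventID>` tag accidentally rewritten by a too-broad search-and-replace both show up here as a parse error or a wrong count, before the file is handed to LogonTracer.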