Writeup: Windows Event Logs - AtomicMaya/knowledge-base GitHub Wiki
Windows Event Logs
For this box I used Remmina on Kali Linux while connected to the TryHackMe VPN.
Link: Windows Event Logs Room on TryHackMe
Task 1
Question 1
Let's begin...
Answer: No answer needed
Task 2
Question 1
For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log.
Answer: No answer needed
Question 2
What is the Event ID for the first event?
Scroll to the bottom to find it.
Answer: 40961
Question 3
Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?
Create a filter on the event ID.
Then scroll to the bottom and take the second element.
Answer: whoami
Question 4
What is the Task Category for Event ID 4104?
Answer: Execute a remote command
Question 5
For the questions below, use Event Viewer to analyze the Windows PowerShell log.
Answer: No answer needed
Question 6
What is the Task Category for Event ID 800?
Filter on Event ID 800.
Answer: Pipeline Execution Details
Task 3
Question 1
How many log names are in the machine?
wevtutil.exe el | Measure-Object
Answer: 1071
Question 2
What is the definition for the query-events command?
wevtutil.exe qe /?
Answer: Read events from an event log, log file or using structured query.
Question 3
What option would you use to provide a path to a log file?
Answer: /lf:true
Question 4
What is the VALUE for /q?
Answer: XPATH query
Question 5
The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text
Answer: No answer needed
Question 6
What is the log name?
Answer: From the query, the log name is Application
Question 7
What is the /rd option for?
Answer: Event read direction
Question 8
What is the /c option for?
Answer: Maximum number of events to read
Task 4
Question 1
Answer the following questions using the online help documentation for Get-WinEvent
Answer: No answer needed
Question 2
Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?
Get-WinEvent -ListLog *
Answer: OpenSSH/Admin,OpenSSH/Operational
Question 3
Execute the command from Example 7. Instead of the string *Policy*
search for *PowerShell*
. What is the name of the 3rd log provider?
Get-WinEvent -ListProvider *Powershell*
Answer: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
Question 4
Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?
(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Format-Table Id, Description | Measure-Object
Answer: 192
Question 5
How do you specify the number of events to display?
Answer: -MaxEvents
Question 6
How do you specify the number of events to display?
Answer: 4
Task 5
Question 1
Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?
Answer: Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@Name="SystemTime"]="2020-12-15T01:09:08.940277500Z"'
Question 2
Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?
Answer: Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'
Question 3
Based on the previous query, how many results are returned?
Answer: 2
Question 4
Based on the output from the question #2, what is Message?
Answer: A user account was created
Question 5
Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4724'
Answer: 12/17/2020 1:57:14 PM
Question 6
What is the Provider Name?
Answer: Microsoft-Windows-Security-Auditing
Task 6
Question 1
I'm ready to look at some event logs...
Answer: No answer needed
Task 7
Question 1
What event ID is to detect a PowerShell downgrade attack?
Answer: From a bit of research, I stumbled upon this website which puts the "classic" event ID at 400
Question 2
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Get-WinEvent -Path .\merged.evtx -FilterXPath '*/System/EventID=400'
Answer: 12/18/2020 7:50:33 AM
Question 3
A Log clear event was recorded. What is the 'Event Record ID'?
By going to the EventViewer and filtering by Task Category
we can find a single Log Clear
event. When moving to the Details
pane and selecting XML View
(or unpacking system in the Friendly View
) we obtain our answer.
Answer: 27736
Question 4
What is the name of the computer?
Same view as before, but under Computer
.
Answer: PC01.example.corp
Question 5
What is the name of the first variable within the PowerShell command?
(From the instructions we are advised to search for event ID 4104 and the text "ScriptBlockText" within the EventData element).
Get-WinEvent -Path .\merged.evtx -FilterXPath '*/EventData/Data[@Name="ScriptBlockText"] and */System/EventID=4104' -Oldest -MaxEvents 1 | Format-List
Answer: $Va5w3n8
Question 6
What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Answer: 8/25/2020 10:09:28 PM
Question 7
What is the Execution Process ID?
In the Event Viewer, we can filter by Event ID 4104, and then go down to the oldest event, in the XML view lies our answer.
Answer: 6620
Question 8
What is the Group Security ID of the group she enumerated?
First, we find the event ID, by googling, which brings us to event ID 4799.
This is also the answer to Question 9.
Get-WinEvent -Path .\merged.evtx -FilterXPath '*/System/EventID=4799' -Oldest -MaxEvents 1 | Format-List
This gets us the following:
Answer: S-1-5-32-544
Question 9
Answer: 4799
Task 8
Question 1
Hope you enjoyed this room and learned a thing or two.
Answer: No answer needed