ETW Lab (lpcyber1/SEC440 GitHub Wiki)

Deliverables

Deliverable #1: Finding Notepad and the file created, using WPA

[screenshot]

Deliverable #2: Finding Notepad and the file created, using PerfView

[screenshot]

Deliverable #3: Submit a screenshot of the PowerShell provider output you found.

[screenshot]

Deliverable #4: Provide a screenshot of your query mytrace1 output.

[screenshot]

Deliverable #5: Provide a screenshot of your query mytrace1 output showing the provider being added to this trace.

[screenshot]

Deliverable #6: You are required to do the following (PLEASE READ CAREFULLY):

[screenshot]

Deliverable #7: Provide a screenshot of your query showing that both mytrace1 and mytrace2 are running.

[screenshot]

Deliverable #8: Provide a screenshot of your query showing that both mytrace1 and mytrace2 are no longer running and have been successfully stopped, similar to the output of 1.4.

[screenshot]

Deliverable #9: You are required to find traces of usage in mytrace1.etl for all of the following:

[screenshot]

[screenshot]

[screenshot]

Deliverable #10: You are required to find PowerShell cmdlet traces of usage in mytrace2.etl for all of the following:

[screenshot]

[screenshot]

Deliverable #11: Use the methods and techniques that you have learned so far to analyze this file and find the following:

What was the name of the process that loaded the suspicious DLL?

[screenshot]

What was the name of the DLL?

[screenshot]

Where is this DLL from (file location)?

[screenshot]