Windows Event Logs | TryHackMe — Walkthrough

jcm3
26 min read · Mar 6, 2024

Hey all, this is the twenty-eighth installment in my walkthrough series on TryHackMe’s SOC Level 1 path which covers the fourth room in this module on Endpoint Security Monitoring, where we are learning that monitoring activity on workstations is essential, as that’s where adversaries spend the most time trying to achieve their objectives.

In this room we will get an introduction to Windows Event Logs and the tools to query them.

Link: https://tryhackme.com/room/windowseventlogs

I hope you’re in it for the log haul, because here we go!

Task 1: What are event logs?

Per Wikipedia, “Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems. They are essential to understand the activities of complex systems, particularly in applications with little user interaction (such as server applications).”

This definition would apply to system administrators, IT technicians, desktop engineers, etc. If the endpoint is experiencing an issue, the event logs can be queried to see clues about what led to the problem. The operating system, by default, writes messages to these logs.

As defenders (blue teamers), there is another use case for event logs. “Combining log file entries from multiple sources can also be useful. This approach, in combination with statistical analysis, may yield correlations between seemingly unrelated events on different servers.”

This is where SIEMs (Security information and event management) such as Splunk and Elastic come into play.

If you don’t know exactly what a SIEM is used for, below is a visual overview of its capabilities.

Even though accessing a remote machine’s event logs is possible, this will not be feasible in a large enterprise environment. Instead, one can view the logs from all the endpoints, appliances, etc., in a SIEM. This will allow you to query the logs from multiple devices instead of manually connecting to a single device to view its logs.

Windows is not the only operating system that uses a logging system. Linux and macOS do as well. For example, the logging system on Linux systems is known as Syslog. In this room, though, we’re only focusing on the Windows logging system, Windows Event Logs.

Room Machine

Before moving forward, please deploy the machine.

You can use the AttackBox and Remmina to connect to the remote machine. Make sure the remote machine is deployed before proceeding.

Click on the plus icon, as shown below.

For the Server, enter the IP address provided to you for the remote machine (MACHINE_IP). The credentials for the user account are:

  • User name: administrator
  • User password: blueT3aming!

Accept the Certificate when prompted, and you should be logged into the remote system now.

Note: The virtual machine may take up to 3 minutes to load.

Task 2: Event Viewer

The Windows Event Logs are not text files that can be viewed using a text editor. The events are stored in a proprietary binary format with a .evt (legacy, pre-Windows Vista) or .evtx extension, but the raw data can be rendered as XML using the Windows API. The log files with the .evtx file extension typically reside in C:\Windows\System32\winevt\Logs.

Elements of a Windows Event Log

Event logs are crucial for troubleshooting any computer incident and help understand the situation and how to remediate the incident. To get this picture well, you must first understand the format in which the information will be presented. Windows offers a standardized means of relaying this system information.

First, we need to know what elements form event logs in Windows systems. These elements are:

  • System Logs: Records events associated with the Operating System segments. They may include information about hardware changes, device drivers, system changes, and other activities related to the device.
  • Security Logs: Records events connected to logon and logoff activities on a device. The system’s audit policy specifies the events. The logs are an excellent source for analysts to investigate attempted or successful unauthorized activity.
  • Application Logs: Records events related to applications installed on a system. The main pieces of information include application errors, events, and warnings.
  • Directory Service Events: Active Directory changes and activities are recorded in these logs, mainly on domain controllers.
  • File Replication Service Events: Records events associated with Windows Servers during the sharing of Group Policies and logon scripts to domain controllers, from where they may be accessed by the users through the client servers.
  • DNS Event Logs: DNS servers use these logs to record domain events and to map out
  • Custom Logs: Events are logged by applications that require custom data storage. This allows applications to control the log size or attach other parameters, such as ACLs, for security purposes.

Under this categorization, event logs can be further classified into types. Here, types describe the activity that resulted in the event being logged. There are 5 types of events that can be logged, as described on docs.microsoft.com:

  • Error: An event that indicates a significant problem, such as loss of data or loss of functionality.
  • Warning: An event that is not necessarily significant but may indicate a possible future problem.
  • Information: An event that describes the successful operation of an application, driver, or service.
  • Success Audit: An event that records an audited security access attempt that is successful.
  • Failure Audit: An event that records an audited security access attempt that fails.

There are three main ways of accessing these event logs within a Windows system:

  1. Event Viewer (GUI-based application)
  2. Wevtutil.exe (command-line tool)
  3. Get-WinEvent (PowerShell cmdlet)

Event Viewer

In any Windows system, the Event Viewer, a Microsoft Management Console (MMC) snap-in, can be launched by simply right-clicking the Windows icon in the taskbar and selecting Event Viewer. For the savvy sysadmins that use the CLI much of their day, Event Viewer can be launched by typing eventvwr.msc. It is a GUI-based application that allows you to interact quickly with and analyze logs.

Event Viewer has three panes.

  1. The pane on the left provides a hierarchical tree listing of the event log providers.
  2. The pane in the middle will display a general overview and summary of the events specific to a selected provider.
  3. The pane on the right is the actions pane.

The standard logs we had earlier defined on the left pane are visible under Windows Logs.

The following section is the Applications and Services Logs. Expand this section and drill down on Microsoft > Windows > PowerShell > Operational. PowerShell will log operations from the engine, providers, and cmdlets to the Windows event log.

Right-click on Operational then Properties.

Within Properties, you see the log location, log size, and when it was created, modified, and last accessed. Within the Properties window, you can also see the maximum log size and what action to take once that limit is reached. This concept is known as log rotation. Retention is a policy discussion that organizations of all sizes have to have: how long to keep logs, and when it is permissible to overwrite them with new data.

Lastly, notice the Clear Log button at the bottom right. There are legitimate reasons to use this button, such as during security maintenance, but adversaries will likely attempt to clear the logs to go undetected. Note: This is not the only method to remove the event logs for any given event provider.

Focus your attention on the middle pane. Remember from previous descriptions that this pane will display the events specific to a selected provider. In this case, PowerShell/Operational.

From the above image, notice the event provider’s name and the number of events logged. In this case, there are 44 events logged. You might see a different number. No worries, though. Each column of the pane presents a particular type of information as described below:

  • Level: Highlights the log recorded type based on the identified event types specified earlier. In this case, the log is labeled as Information.
  • Date and Time: Highlights the time at which the event was logged.
  • Source: The name of the software that logs the event is identified. From the above image, the source is PowerShell.
  • Event ID: This is a predefined numerical value that maps to a specific operation or event based on the log source. Event IDs are therefore not globally unique: Event ID 4103 in the above image relates to Executing Pipeline in the PowerShell log, but the same number can have an entirely different meaning in another event log.
  • Task Category: Highlights the Event Category. This entry will help you organize events so the Event Viewer can filter them. The event source defines this column.

The middle pane has a split view. More information is displayed in the bottom half of the middle pane for any event you click on.

This section has two tabs: General and Details.

  • General is the default view, and the rendered data is displayed.
  • The Details view has two options: Friendly view and XML view.

Below is a snippet of the General view.

Lastly, take a look at the Actions pane. Several options are available, but we’ll only focus on a few. Please examine all the actions that can be performed at your leisure if you’re unfamiliar with MMC snap-ins.

As you should have noticed, you can open a saved log within the Actions pane. This is useful if the remote machine can’t be accessed. The logs can be provided to the analyst. You will perform this action a little later.

The Create Custom View and Filter Current Log are nearly identical. The only difference between the two is that the By log and By source radio buttons are greyed out in Filter Current Log. What is the reason for that? The filter you can make with this specific action only relates to the current log, hence there is no reason for 'By log' or 'By source' to be enabled.

Why are these actions beneficial? Say, for instance, you don’t want all the events associated with PowerShell/Operational cluttering all the real estate in the pane. Maybe you’re only interested in 4104 events. That is possible with these two actions.

To view event logs from another computer, right-click Event Viewer (Local) > Connect to Another Computer...

That will conclude the general overview of the Event Viewer — time to become familiar with the tool.

Note: Don’t forget to deploy the machine for this room before proceeding. Give the room about 3 minutes to load fully.

Answer the questions below:

2.1 For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log.

Answer: no answer needed

2.2 What is the Event ID for the earliest recorded event?

Load up the VM and either connect to the AttackBox or use the TryHackMe VPN from your machine and RDP over. I’ll be using a VPN and Remmina to RDP into the VM.

Setup your RDP connection:

Connect to the VM and fire up Event Viewer (it’s in the task bar). Next, in the left pane, let’s drill into the tree to where we need to go. Expand Applications and Services Logs > Microsoft > Windows > PowerShell > Operational. From there sort by “Date and Time” so the oldest event is at the top and read its Event ID:

Answer: 40961

2.3 Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

In the right pane, we’re going to select “Filter Current Log…”, then in the event ID field, enter “4104”, then click OK to apply. Now we’re scrolling to the 2nd oldest event and in the “General” tab we’ll see the command:

Answer: whoami

2.4 What is the Task Category for Event ID 4104?

It’s right in front of you in the middle pane, the column next to the “EventID” column…

Answer: Execute a Remote Command

2.5 Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?

In the left pane, scroll down near the bottom to find the “Windows PowerShell” log:

Filter again, this time using EventID 800:

Answer: Pipeline Execution Details

Task 3: wevtutil.exe

Ok, you played around with Event Viewer. Imagine you have to sit there and manually sift through hundreds or even thousands of events (even after filtering the log). Not fun. It would be nice if you could write scripts to do this work for you. We will explore some tools that will allow you to query event logs via the command line and/or PowerShell.

Let’s look at wevtutil.exe first. Per Microsoft, the wevtutil.exe tool “enables you to retrieve information about event logs and publishers. You can also use this command to install and uninstall event manifests, to run queries, and to export, archive, and clear logs.”

As with any tool, access its help files to find out how to run the tool. An example of a command to do this is wevtutil.exe /?.

From the above screenshot, under Usage, you are provided a brief example of how to use the tool. In this example, ep (enum-publishers) is used. This is a command for wevtutil.exe.

Below, we can find the Common options that can be used with Windows Events Utility.

Notice at the bottom of the above snapshot, wevtutil COMMAND /?. This will provide additional information specific to a command. We can use it to get more information on the command qe (query-events).

Look over the information within the help menu to fully understand how to use this command.

Ok, great! You have enough information to use this tool — time to answer some questions. It is always recommended to look into the tool and its related information at your own leisure.

Note: You can get more information about using this tool by visiting the online help documentation at docs.microsoft.com.

Answer the questions below:

3.1 How many log names are in the machine?

Well to get the logs we can follow the command from the task:

wevtutil el

This gave us a ton of output though, more than we can manually count. I had to google how to pipe into a count in PowerShell; the answer is that we can use “Measure-Object”:

wevtutil el | Measure-Object

Answer: 1071

3.2 What event files would be read when using the query-events command?

This is outlined in the last screenshot in the task text. Restructure the answers, separating by commas:

Answer: event log, log file, structured query

3.3 What option would you use to provide a path to a log file?

We can solve this with some simple research laid out in the task. We know that we need to use ‘qe’ because:

We’re querying events from a log file. We also know from the task that we can use the following to get more information specific to a command:

wevtutil.exe qe /?

So plug that in and we will get a list of options, including our answer:

Answer: /lf:true

3.4 What is the VALUE for /q?

We can find this in the same list of options from question 3.3:

Answer: XPath query

3.5 The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text

No answer needed

3.6 What is the log name?

Just plug that command in and it’s on the screen:

Answer: Application

3.7 What is the /rd option for?

Again, if we check the output from the command we used to get more info about options in question 3.3, we can get this info:

Answer: Event read direction

3.8 What is the /c option for?

Check the same output again:

Answer: Maximum number of events to read
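To tie the wevtutil.exe options from this task together, here is an added example (not from the TryHackMe room or the original post) of a PowerShell session that inventories the logs, reads one log’s rotation settings, runs an XPath query with /q, /c, /rd and /f, and exports a log to a file that is then read back with /lf:true. The export folder is an assumption; reading the Security log needs an elevated prompt.

```powershell
# Added example (not the room's or the post's code): a wevtutil.exe workflow
# run from PowerShell. The export folder is an assumption; run elevated so the
# Security log is readable.
$exportDir = 'C:\Temp\evtx-export'
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# 1. Inventory: el (enum-logs) lists every log name; Measure-Object counts them.
$logNames = wevtutil el
"Total log names: $(($logNames | Measure-Object).Count)"

# 2. Configuration of one log: gl (get-log) prints the maximum size and the
#    retention/auto-backup settings seen in the Event Viewer Properties dialog.
wevtutil gl Security | Select-String -Pattern 'maxSize|retention|autoBackup'

# 3. Query: the newest 5 successful logons (4624). /q takes an XPath query,
#    /rd:true reads newest-first, /c caps the number of events, /f:text renders
#    the message instead of raw XML.
wevtutil qe Security '/q:*[System[(EventID=4624)]]' /c:5 /rd:true /f:text

# 4. Export the whole log for offline analysis (this is how a file such as the
#    room's merged.evtx ends up on an analyst's desktop), then query the file
#    itself: with /lf:true the first argument is a path, not a log name.
$exported = Join-Path $exportDir 'Security.evtx'
wevtutil epl Security $exported /ow:true
wevtutil qe $exported /lf:true /c:1 /f:xml

# 5. Hash the export so it can be handled as evidence later.
Get-FileHash -Algorithm SHA256 -Path $exported
```

The same `qe` command accepts either a log name or, with /lf:true, an exported .evtx, which is why the XPath you build against a live machine carries over unchanged to a file handed to you by someone else.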

Task 4: Get-WinEvent

Get-WinEvent

On to the next tool. This is a PowerShell cmdlet called Get-WinEvent. Per Microsoft, the Get-WinEvent cmdlet “gets events from event logs and event tracing log files on local and remote computers.” It provides information on event logs and event log providers. Additionally, you can combine numerous events from multiple sources into a single command and filter using XPath queries, structured XML queries, and hash table queries.

Note: The Get-WinEvent cmdlet replaces the Get-EventLog cmdlet.

As with any new tool, it’s good practice to read the Get-Help documentation to become acquainted with its capabilities. Please refer to the Get-Help information online at docs.microsoft.com.

Let us look at a couple of examples of how to use Get-WinEvent, as supported by the documentation. Some tasks might require some PowerShell-fu, while others don’t. Even if your PowerShell-fu is not up to par, fret not; each example has a detailed explanation of the commands/cmdlets used.

Example 1: Get all logs from a computer

Here, we are obtaining all event logs locally, and the list starts with classic logs first, followed by new Windows Event logs. It is possible to have a log’s RecordCount be zero or null.

Example 2: Get event log providers and log names

The command here will result in the event log providers and their associated logs. The Name is the provider, and LogLinks is the log that is written to.

Example 3: Log filtering

Log filtering allows you to select events from an event log. We can filter event logs using the Where-Object cmdlet as follows:

Tip: If you are ever working on a Windows evaluation virtual machine that is cut off from the Internet, it will eventually start shutting down every hour. ;^)

When working with large event logs, per Microsoft, it’s inefficient to send objects down the pipeline to a Where-Object command. The use of the Get-WinEvent cmdlet's FilterHashtable parameter is recommended to filter event logs. We can achieve the same results as above by running the following command:

The syntax of a hash table is as follows:

Guidelines for defining a hash table are:

  • Begin the hash table with an @ sign.
  • Enclose the hash table in braces {}
  • Enter one or more key-value pairs for the content of the hash table.
  • Use an equal sign (=) to separate each key from its value.

Note: You don’t need to use a semicolon if you separate each key/value with a new line, as in the screenshot above for the -FilterHashtable for ProviderName='WLMS'.

Below is a table that displays the accepted key/value pairs for the Get-WinEvent FilterHashtable parameter.

When building a query with a hash table, Microsoft recommends making the hash table one key-value pair at a time. Event Viewer can provide quick information on what you need to build your hash table.

Based on this information, the hash table will look as follows:

For more information on creating Get-WinEvent queries with FilterHashtable, check the official Microsoft documentation docs.microsoft.com.
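Because the screenshots that showed the hash table are not reproduced here, the following added example (my own, not the room’s or the post’s code) builds a FilterHashtable one key at a time, as the Microsoft guidance recommends, and sets the equivalent Where-Object filter beside it. The WLMS provider and Event IDs 100/101 are the room’s; the 30-day window is an assumption.

```powershell
# Added example (not the room's or the post's code): grow a FilterHashtable one
# key-value pair at a time and compare it with client-side Where-Object filtering.
# Provider and IDs are the room's; the 30-day window is an assumption.
$filter = @{ LogName = 'Application' }            # 1. start with just the log
Get-WinEvent -FilterHashtable $filter -MaxEvents 3 |
    Format-Table TimeCreated, ProviderName, Id -AutoSize

$filter['ProviderName'] = 'WLMS'                  # 2. provider name from Event Viewer's Source column
$filter['Id']           = 100, 101                # 3. one or more event IDs (array is fine)
$filter['Level']        = 4                       # 4. 4 = Informational, 3 = Warning, 2 = Error, 1 = Critical
$filter['StartTime']    = (Get-Date).AddDays(-30) # 5. only events newer than this
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# The same selection the slow way: every Application event travels down the
# pipeline and Where-Object throws most of them away afterwards.
Get-WinEvent -LogName Application -ErrorAction SilentlyContinue |
    Where-Object {
        $_.ProviderName -eq 'WLMS' -and
        $_.Id -in 100, 101 -and
        $_.Level -eq 4 -and
        $_.TimeCreated -ge (Get-Date).AddDays(-30)
    } |
    Select-Object TimeCreated, Id, LevelDisplayName, Message

# Timing both shows the difference on a large log.
(Measure-Command { Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Out-Null }).TotalMilliseconds
(Measure-Command { Get-WinEvent -LogName Application -ErrorAction SilentlyContinue | Where-Object { $_.ProviderName -eq 'WLMS' } | Out-Null }).TotalMilliseconds
```

-ErrorAction SilentlyContinue is there because Get-WinEvent raises a terminating “No events were found” error when a filter matches nothing, which is a normal outcome while you are narrowing a query.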

Since we’re on the topic of Get-WinEvent and FilterHashtable, here is a command that you might find helpful (shared by @mubix):

You can read more about creating hash tables in general docs.microsoft.com.

Answer the questions below:

4.1 Answer the following questions using the online help documentation for Get-WinEvent

Answer: no answer needed

4.2 Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

Just do as instructed, the answer is towards the bottom of the output:

Get-WinEvent -ListLog *

Answer: OpenSSH/Admin, OpenSSH/Operational

4.3 Execute the command from Example 8. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Example #8 in the Microsoft Get-WinEvent docs shows:

so swap that to:

Get-WinEvent -ListProvider *PowerShell*

Answer: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager

4.4 Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

Per the Microsoft Get-WinEvent docs, we need to alter this command:

to be this:

(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Measure-Object

(Pipe the Events collection straight into Measure-Object. Sending it through Format-Table first makes Measure-Object count the formatting objects Format-Table emits rather than the events, and a line that starts with | is a parse error in Windows PowerShell 5.1.)

Don’t forget to tack on “Measure-Object” to get the count.

Answer: 192

4.5 How do you specify the number of events to display?

Use the Microsoft Get-WinEvent docs again for this:

Answer: -MaxEvents

4.6 When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

You can find information related to Filtering by Level with FilterHashtable here:

Answer: 4

Now we get to learn some XPath Queries…

Task 5: XPath Queries

Now we will examine filtering events with XPath. The W3C created XPath, or XML Path Language in full, to provide a standard syntax and semantics for addressing parts of an XML document and manipulating strings, numbers, and booleans. The Windows Event Log supports a subset of XPath 1.0.

Below is an example XPath query along with its explanation:

Based on docs.microsoft.com, an XPath event query starts with ‘*’ or ‘Event’. The above code block confirms this. But how do we construct the rest of the query? Luckily the Event Viewer can help us with that.

Let’s create an XPath query for the same event from the previous section. Note that both wevtutil and Get-WinEvent support XPath queries as event filters.

Draw your attention to the bottom half of the middle pane. In the Event Viewer section, the Details tab was briefly touched on. Now you’ll see how the information in this section can be useful.

Click on the Details tab and select the XML View radio button. Don't worry if the log details you are viewing are slightly different. The point is understanding how to use the XML View to construct a valid XPath query.

The first tag is the starting point. This can either be an * or the word Event.

The command so far looks like this: Get-WinEvent -LogName Application -FilterXPath '*'

Now we work our way down the XML tree. The next tag is System.

Let’s add that. Now our command is: Get-WinEvent -LogName Application -FilterXPath '*/System/'

Note: Its best practice to explicitly use the keyword System but you can use an * instead as with the Event keyword. The query -FilterXPath '*/*' is still valid.

The Event ID is 100. Let’s plug that into the command.

Our command now is: Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=100'

When using wevtutil.exe and XPath to query for the same event log and ID, this is our result:

Note: 2 additional parameters were used in the above command. This was done to retrieve just 1 event and for it not to contain any XML tags.

If you want to query a different element, such as Provider Name, the syntax will be different. To filter on the provider, we need to use the Name attribute of Provider

What if you want to combine 2 queries? Is this possible? The answer is yes.

Let’s build this query based on the screenshot above. The Provider Name is WLMS, and based on the output, there are 2 Event IDs.

This time we only want to query for events with Event ID 101.

The XPath query would be Get-WinEvent -LogName Application -FilterXPath '*/System/EventID=101 and */System/Provider[@Name="WLMS"]'

Lastly, let’s discuss how to create XPath queries for elements within EventData. The query will be slightly different.

Note: The EventData element doesn’t always contain information.

Below is the XML View of the event for which we will build our XPath query.

We will build the query for TargetUserName. In this case, that will be System. The XPath query would be Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="System"'

Note: The -MaxEvents parameter was used, and it was set to 1. This will return just 1 event.

At this point, you have enough knowledge to create XPath queries for wevtutil.exe or Get-WinEvent. To further this knowledge, I suggest reading the official Microsoft XPath Reference docs.microsoft.com.
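The queries in this task are assembled by hand, and most of the errors people hit are quoting mistakes. As an added example (mine, not the room’s or the post’s code), here is a small helper that generates the same System and EventData predicates and joins them with and, then runs the two queries from this task through Get-WinEvent and wevtutil.exe. The function name is an assumption; the WLMS timestamp and the Sam/4720 values are the room’s.

```powershell
# Added example (not the room's or the post's code): build the XPath predicates
# this task writes by hand. Function name is an assumption; the values used
# at the bottom are the room's.
function New-EventXPath {
    param(
        [Nullable[int]] $EventId,       # */System/EventID=N
        [string]        $ProviderName,  # */System/Provider[@Name='...']
        [string]        $SystemTime,    # */System/TimeCreated[@SystemTime='...']
        [hashtable]     $EventData      # */EventData/Data[@Name='key']='value'
    )
    $parts = @()
    if ($null -ne $EventId) { $parts += "*/System/EventID=$EventId" }
    if ($ProviderName)      { $parts += "*/System/Provider[@Name='$ProviderName']" }
    if ($SystemTime)        { $parts += "*/System/TimeCreated[@SystemTime='$SystemTime']" }
    foreach ($key in ($EventData.Keys | Sort-Object)) {
        # XPath accepts single or double quotes around values; single quotes keep
        # the string easy to hand to wevtutil.exe from PowerShell.
        $parts += "*/EventData/Data[@Name='$key']='$($EventData[$key])'"
    }
    if (-not $parts) { return '*' }            # no predicates: every event
    return ($parts -join ' and ')
}

# The two queries from this task, generated instead of typed:
$q1 = New-EventXPath -ProviderName 'WLMS' -SystemTime '2020-12-15T01:09:08.940277500Z'
$q2 = New-EventXPath -EventId 4720 -EventData @{ TargetUserName = 'Sam' }
$q1
$q2

Get-WinEvent -LogName Application -FilterXPath $q1 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName
Get-WinEvent -LogName Security -FilterXPath $q2 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, ProviderName, Message

# The identical string works as wevtutil's /q value; /c:1 and /f:text keep it short.
wevtutil qe Security "/q:$q2" /c:1 /f:text
```

Print the generated string before running it: if a query returns nothing, the first thing to check is that the attribute names and values match the XML View exactly, including case.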

Answer the questions below:

5.1 Using the knowledge gained on Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Don’t be like me: don’t bang your head against this wondering why you’re getting errors in PowerShell relating to your query. I had the correct answer for so long but never tried entering it into the task; running the command doesn’t actually work as of this writing on 3/1/24.

To get the query we can break down the log in XML view to find the fields we’re looking for. I HIGHLY suggest that you read and follow the task letter by letter otherwise this is going to seem like rocket science.

We’re going to do a two-part query here: one part to filter by Time/Date, the other to filter by WLMS provider events.

To do a 2 part query, we can reference the task:

So we already know how to filter by WLMS provider events by just looking at this example. For Time/Date let’s check the XML View of an event:

That’s the field we want to capture, to do that we’ll craft our query like so:

*/System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]

So now we just add the two together to get…

Answer: Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

5.2 Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?

This one is kind of a doozy but luckily, the syntax to filter by username is provided in the task:

So put that together with the eventid filter and we get…

Answer: Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID="4720"'

5.3 Based on the previous query, how many results are returned?

Answer: 2

5.4 Based on the output from the question #2, what is Message?

It’s in the same screen as question 5.2

Answer: A user account was created

5.5 Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

Just swap the event ID in the query from question 5.2 to 4724 instead of 4720.

Answer: 12/17/2020 1:57:14 PM

5.6 What is the Provider Name?

It is in the same output as the previous question:

Answer: Microsoft-Windows-Security-Auditing

We made it through the task y’all. Now we know all about XPath Queries!

Task 6: Event IDs

When it comes to monitoring and hunting, you need to know what you are looking for. There are a large number of event IDs in use. This section is aimed at assisting you with this task. There are plenty of blogs, writeups, etc., on this topic. A few resources will be shared in this section. Please note this is not an exhaustive list.

First on the list is The Windows Logging Cheat Sheet (Windows 7 — Windows 2012). The last version update is October 2016, but it’s still a good resource. The document covers a few things that need to be enabled and configured and what event IDs to look for based on different categories, such as Accounts, Processes, Log Clear, etc.

Above is a snippet from the cheatsheet. Want to detect if a new service was installed? Look for Event ID 7045 within the System Log.

Next is Spotting the Adversary with Windows Event Log Monitoring. This NSA resource is also a bit outdated but good enough to build upon your foundation. The document covers some concepts touched on in this room and beyond. You must click on Get File to download the resource.

Above is a snippet from the document. Maybe you want to monitor if a firewall rule was deleted from the host. That is Event ID 2006/2033.

Where else can we get a list of event IDs to monitor/hunt for? MITRE ATT&CK!

If you are unfamiliar with MITRE or MITRE ATT&CK, I suggest you check out the MITRE Room.

Let’s look at ATT&CK ID T1098 (Account Manipulation). Each ATT&CK ID will contain a section sharing tips to mitigate the technique and detection tips.

The last two resources are from Microsoft:

Note: Some events will not be generated by default, and certain features will need to be enabled/configured on the endpoint, such as PowerShell logging. This feature can be enabled via Group Policy or the Registry.

Local Computer Policy > Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell

Some resources to provide more information about enabling this feature, along with its associated event IDs:

Another feature to enable/configure is Audit Process Creation, which will generate event ID 4688. This will allow command-line process auditing. This setting is NOT enabled in the virtual machine but feel free to enable it and observe the events generated after executing some commands.

Local Computer Policy > Computer Configuration > Administrative Templates > System > Audit Process Creation

To read more about this feature, refer to docs.microsoft.com. The steps to test the configuration are at the bottom of the document.
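This section says which features are off by default but not how to switch them on outside the Group Policy editor. The following added example (mine, not the room’s or the post’s code) writes the same registry values the Local Computer Policy settings write, enables the Process Creation audit subcategory, then launches a fresh PowerShell process and looks for the resulting 4104 and 4688 events. Run it elevated on a lab machine such as the room’s VM; the marker string is an assumption.

```powershell
# Added example (not the room's or the post's code): enable PowerShell script
# block / module logging and command-line process auditing, then verify that
# each produces events. Run elevated on a lab machine. The marker is my own.
$psPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# 1. Script Block Logging -> Event ID 4104 in Microsoft-Windows-PowerShell/Operational
New-Item -Path "$psPolicy\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ScriptBlockLogging" -Name EnableScriptBlockLogging -Type DWord -Value 1

# 2. Module Logging -> Event ID 4103 (pipeline execution details) for every module ('*')
New-Item -Path "$psPolicy\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$psPolicy\ModuleLogging" -Name EnableModuleLogging -Type DWord -Value 1
New-ItemProperty -Path "$psPolicy\ModuleLogging\ModuleNames" -Name '*' -Value '*' -PropertyType String -Force | Out-Null

# 3. Audit Process Creation -> Event ID 4688 in Security, with the command line included
auditpol /set /subcategory:"Process Creation" /success:enable /failure:enable | Out-Null
$auditKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
New-Item -Path $auditKey -Force | Out-Null
Set-ItemProperty -Path $auditKey -Name ProcessCreationIncludeCmdLine_Enabled -Type DWord -Value 1

# 4. The policy is read when an engine starts, so generate activity in a new
#    process carrying a unique marker, then find that marker in both logs.
$marker = "evtlog-check-$(Get-Random)"
Start-Process powershell.exe -ArgumentList "-NoProfile -Command `"Write-Output '$marker'`"" -Wait -WindowStyle Hidden

# 4104: Properties[2] is ScriptBlockText
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object TimeCreated, Id, @{ n = 'ScriptBlock'; e = { $_.Properties[2].Value } }

# 4688: Properties[8] is the process command line (only present once step 3 is on)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -MaxEvents 50 |
    Where-Object { $_.Message -like "*$marker*" } |
    Select-Object TimeCreated, Id, @{ n = 'CommandLine'; e = { $_.Properties[8].Value } }
```

If the 4688 query returns the process but the CommandLine column is empty, the audit subcategory is on but the ProcessCreationIncludeCmdLine_Enabled value did not take; if the 4104 query is empty, check that the child process really started after the registry write, since an engine that was already running keeps the old policy.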

To conclude this section, it will be reiterated that this is not an exhaustive list. There are countless blogs, writeups, threat intel reports, etc., on this topic.

To effectively monitor and detect, you need to know what to look for (as mentioned earlier).

Task 7: Putting theory into practice

Note: To successfully answer the questions below, you may need to search online for more information.

The next scenarios/questions are based on the external event log file titled merged.evtx found on the Desktop. You can use any of the aforementioned tools to answer the questions below.

Scenario 1 (Questions 1 & 2): The server admins have made numerous complaints to Management regarding PowerShell being blocked in the environment. Management finally approved the usage of PowerShell within the environment. Visibility is now needed to ensure there are no gaps in coverage. You researched this topic: what logs to look at, what event IDs to monitor, etc. You enabled PowerShell logging on a test machine and had a colleague execute various commands.

Scenario 2 (Questions 3 & 4): The Security Team is using Event Logs more. They want to ensure they can monitor if event logs are cleared. You assigned a colleague to execute this action.

Scenario 3 (Questions 5, 6 & 7): The threat intel team shared its research on Emotet. They advised searching for event ID 4104 and the text “ScriptBlockText” within the EventData element. Find the encoded PowerShell payload.

Scenario 4 (Questions 8 & 9): A report came in that an intern was suspected of running unusual commands on her machine, such as enumerating members of the Administrators group. A senior analyst suggested searching for “C:\Windows\System32\net1.exe". Confirm the suspicion.
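Before the questions, here is an added example (mine, not the room’s or the post’s code) that works the four scenarios as one script against the exported file, using -Path with XPath filters and a small helper that reads named EventData fields from each event’s XML instead of scraping the rendered message. The path to merged.evtx is the room’s; the helper name and the “looks encoded” heuristic are assumptions of mine.

```powershell
# Added example (not the room's or the post's code): the four Task 7 scenarios
# run against the exported log. Path is the room's; helper name and the
# encoded-payload heuristic are my own assumptions.
$evtx = "$env:USERPROFILE\Desktop\merged.evtx"

# Read named EventData fields from the event XML (the same XML as Event Viewer's XML View).
function Get-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord] $Event)
    $map = @{}
    $xml = [xml] $Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        if ($d.Name) { $map[$d.Name] = $d.'#text' }   # unnamed <Data> (classic logs) is skipped
    }
    return $map
}

# Scenario 1: engine start (400) whose EngineVersion is 2.x = PowerShell downgrade.
Get-WinEvent -Path $evtx -FilterXPath '*/System/EventID=400' -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id,
        @{ n = 'EngineVersion'; e = { [regex]::Match($_.Message, 'EngineVersion=([\d.]+)').Groups[1].Value } } |
    Where-Object { $_.EngineVersion -like '2.*' }

# Scenario 2: log clear. 1102 = Security log cleared, 104 = another log cleared.
# Bracketed form is what Event Viewer's XML filter tab generates; 'or' is allowed there.
Get-WinEvent -Path $evtx -FilterXPath '*[System[(EventID=1102 or EventID=104)]]' -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, RecordId, MachineName

# Scenario 3: script blocks (4104). Flag blocks that look encoded, show the first variable.
Get-WinEvent -Path $evtx -FilterXPath '*/System/EventID=4104' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = (Get-EventDataMap $_)['ScriptBlockText']
        if (-not $text) { return }                    # skip this event, keep the pipeline going
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            ProcessId   = $_.ProcessId                # the Execution ProcessID attribute in the XML
            Encoded     = [bool]($text -match '-[Ee]nc|FromBase64String|[A-Za-z0-9+/]{80,}={0,2}')
            FirstVar    = [regex]::Match($text, '\$\w+').Value
            Snippet     = $text.Substring(0, [Math]::Min(60, $text.Length))
        }
    } | Sort-Object TimeCreated

# Scenario 4: group enumeration via net1.exe. 4799 carries the caller process,
# the enumerated group (TargetUserName) and its SID (TargetSid).
Get-WinEvent -Path $evtx -FilterXPath '*/EventData/Data[@Name="CallerProcessName"]="C:\Windows\System32\net1.exe"' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventDataMap $_
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            Subject     = $d['SubjectUserName']
            Group       = $d['TargetUserName']
            GroupSid    = $d['TargetSid']
        }
    }
```

Reading EventData from the XML is what makes the hunts portable: Message text depends on the message resources installed on the analysis box and can be blank for an .evtx from another machine, whereas the Data elements are stored in the file itself.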

Answer the questions below:

7.1 What event ID is used to detect a PowerShell downgrade attack?

According to MITRE ATT&CK, the ID we need to detect a PowerShell downgrade attack is:

Answer: 400

7.2 What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

Applying EventID 400 to filter through the “merged” event log brings up 113 events. Every single event that I checked was showing PowerShell version 5.1.17763.592. All except for the most recent, which was showing PowerShell version 2.0:

Answer: 12/18/2020 7:50:33 AM

7.3 A Log clear event was recorded. What is the 'Event Record ID'?

Using “The Windows Logging Cheat Sheet”, I was able to grab the two relevant Event IDs to filter for cleared logs.

So knowing this, let’s 1) filter by the two event IDs, 2) select the one event that matches, 3) hit the Details tab, 4) click the XML View button and get our answer:

Answer: 27736

7.4 What is the name of the computer?

It’s in that same XML output as the previous question:

Answer: PC01.example.corp

7.5 What is the name of the first variable within the PowerShell command?

I tinkered with a couple ways of doing it but ultimately, I had to use an XPath query…

This is what I landed on, there’s probably a cleaner way but I’ve had it up to here with XPath at this point!

Get-WinEvent -Path .\Desktop\merged.evtx -FilterXPath '*/System/EventID=4104 and */EventData/Data[@Name="ScriptBlockText"]' | Format-List

The bottom most result in the output had the variable we were looking for:

Answer: $Va5w3n8

7.6 What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

It’s also in that screenshot above…

Answer: 8/25/2020 10:09:28 PM

7.7 What is the Execution Process ID?

For this I just pulled it up in event viewer by filtering by event ID 4104 and going to the last event, in the XML data:

Answer: 6620

7.8 What is the Group Security ID of the group she enumerated?

Well we’re using XPath again but the good news is that we’re actually so good at it, we know how to get what we want. Let’s grab the field name so we can craft the query:

So CallerProcessName is the field that records which process made the call. Now, let’s query it up!

Get-WinEvent -Path .\Desktop\merged.evtx -FilterXPath '*/EventData/Data[@Name="CallerProcessName"]="C:\Windows\System32\net1.exe"' | Format-List

Answer: S-1-5-32-544

7.9 What is the event ID?

Check the same screenshot above…

Answer: 4799

Task 8: Conclusion

In this room, we covered Windows Event Logs, what they are, and how to query them using various tools and techniques.

We also briefly discussed various features within Windows that you need to enable/configure to log additional events to gain visibility into those processes/features that are turned off by default.

The information covered in this room will serve as a primer for other rooms covering Windows Internals, Sysmon, and various SIEM tools.

I’ll end this room by providing additional reading material:

This concludes the Windows Event Logs room on TryHackMe. Look, I gave it flak but there was a ton of great info in here, especially if your organization is not running a SIEM for log correlation. As usual, I learned a lot here and hope you did as well.

Thanks for joining me on this walkthrough and I’ll see you in the next one when we tackle Sysmon.
