I’m stumped on the get-winevent module on the Window Event Logs and Finding Evil Course. After reading the whole module, I still don’t know how to go about answering the module question:
Utilize the Get-WinEvent cmdlet to traverse all event logs located within the “C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement” directory and determine when the \*\PRINT share was accessed. Enter the time of the identified event in the format HH:MM:SS as your answer.
Anyone know the get-winevent command to find that event in the entire folder of logs? Or how to tackle this task? Thanks.
For anyone wondering, there is a cmdlet you can use to traverse the entire folder with a single command using a wildcard *. ChatGPT actually showed it to me which ended up making this way less time consuming (unless I missed something in the content which oops my b if I did!).
Get-ChildItem and pipe the response with the Get-WinEvent! Boom, done.
Hope this helps! I couldn’t get the wildcard to work in the Get-WinEvent cmdlet but I guess ymmv
Guys, can anyone offer any assistance on this? Completely stumped for 2 days now, and I've tried the suggestions above and nothing has worked for me. I think I need a step-by-step walkthrough, as I've managed to get the rest without any assistance needed.
Thank you so much for this! I was trying to make sure that if I got help with this I’d still be learning what I need to learn. Combination of this command and the other user pointing out the 5142 windows event ID got me where I needed to be and I learned more along the way.
If I recall correctly, I used the Get-ChildItem to bring in a fairly large list of results, but it's segmented, so by combing through it I found where there was one with an event ID of 5142 and that was the one I was looking for.
Two hints with the Get-WinEvent cmdlet that worked for me:
Make sure you set -Path correctly (there is a space in the Lateral Movement directory I missed; also, you can use a wildcard for the filenames to process all of them at once).
-FilterXPath can get you where you need to be for finding the Data ‘\*\PRINT’
I was stuck in this question too. After 2 hours of research, when I was about to bash my head against the door, I simply followed the rule, "start with the simple queries". I stumbled upon a very good Stack Overflow post here.
Now, it's really easy to create your own query to find out the correct answer.
I seem to be stuck here as well. I've tried various scripts and even worked with ChatGPT, but I can't seem to return any results. If anyone can offer some direction I would greatly appreciate it.
This one took me a week. What I got from these posts was the *.evtx at the end of the path. I used the Where-Object command, which is in the lecture. I used -Property Message -Match (from a Google search) "PRINT", then Format-List from the lecture. I spent the week yelling and cursing in frustration, but I would come back to something I picked up in the learning process module. Patience is required when learning something new. I was looking for a quick answer, something I could copy-paste so I could move on and continue skimming through these articles and questions. I tried copy-pasting a command I found on this post, but it didn't work, thankfully. This forced me to change my perspective and realize I need to learn this and have it in my mental tool bag. We all have our own way of figuring it out. Here's to you finding yours. Also, one last thing: I gave myself to the end of the day to figure it out. If I didn't get it today, I was going to contact support.
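Pulling the thread's suggestions together (the Get-ChildItem pipeline, the *.evtx wildcard, Where-Object on the Message property, and the 5142 event ID) as an added example that is not from the original posts or the course. It assumes Windows PowerShell 5.1 or later with the built-in Get-WinEvent cmdlet; the Find-ShareEvents function name is my own, and the directory path and share name are the ones quoted in the question.

```powershell
# Added example (not from the thread or the course): walk every .evtx file under
# the directory named in the question and list the events whose message names the
# \\*\PRINT share, printing the event time as HH:MM:SS.
$logDir = 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement'   # note the space
$share  = '\\*\PRINT'

# Escape the share name so "\" and "*" are matched literally by -match (regex).
$sharePattern = [regex]::Escape($share)

function Find-ShareEvents {
    param(
        [string]$Directory,
        [string]$Pattern,
        [int[]]$EventId = @()   # optional: restrict to IDs such as 5142, as the thread suggests
    )

    # Get-ChildItem enumerates the files; each one is handed to Get-WinEvent.
    # -ErrorAction SilentlyContinue keeps the pipeline running when a sample file
    # yields no matching events, which Get-WinEvent otherwise reports as an error.
    Get-ChildItem -Path $Directory -Filter '*.evtx' -File -Recurse |
        ForEach-Object { Get-WinEvent -Path $_.FullName -ErrorAction SilentlyContinue } |
        Where-Object {
            ($EventId.Count -eq 0 -or $EventId -contains $_.Id) -and
            ($_.Message -match $Pattern)
        } |
        Select-Object @{ Name = 'Time';    Expression = { '{0:HH:mm:ss}' -f $_.TimeCreated } },
                      @{ Name = 'EventId'; Expression = { $_.Id } },
                      @{ Name = 'LogFile'; Expression = { $_.ContainerLog } },
                      @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } }
}

# Every event in the folder whose message mentions the share.
Find-ShareEvents -Directory $logDir -Pattern $sharePattern | Format-Table -AutoSize

# Narrowed to the share-object event ID the thread points at (5142).
Find-ShareEvents -Directory $logDir -Pattern $sharePattern -EventId 5142 | Format-Table -AutoSize
```

The Summary column is only the first line of the message; drop the Select-Object and pipe to Format-List instead when you want the full event text, as the last post describes.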