Introduction to Windows Command Line - Skill Assessment 10

I can't get this last one. I ran multiple commands looking at the logs, but none of the usernames work as the flag. I am not sure what I am doing wrong. Some of the commands I used to filter through the logs:

Get-WinEvent -FilterHashtable @{LogName='Security';ID='4625'} | Where-Object {$_.TimeCreated -gt $date} | Where-Object {$_.TimeCreated -lt $date2} | Select-Object -ExpandProperty Message

Get-WinEvent -FilterHashtable @{LogName='Security';ID='4625'}

Even going through and trying all the usernames found as the answer didn't work. Is there something I'm missing?

Did you find any method?

You can filter even better when you save the Get-WinEvent output in a variable and then look at the properties directly:
$Events = Get-WinEvent -FilterHashtable @{LogName='Security';ID='4625'}
$Events[0].Properties
$Events | ForEach-Object { $_.Properties }

Still, none of the usernames works as a flag…
I don't get it either.

Hi, still can’t find a track?
I’m still having trouble finding the flag

Me too. This one is tough.
I'll keep you posted if I make progress.

I have done it.
I used Get-WinEvent. I was doing it in a local account, but as it says in the request, you must be in domain control.

In User7, if I remember correctly, the activity of entering domain control was carried out.

2 Likes

Thank you. Your suggestion was very helpful.

1 Like

I also struggled with this for a long time.
Check out this link.

There is a description of how to find a brute force attack.

As you do the assignment, keep in mind that there are logon failures for many different users. Some users may just have forgotten or mistyped their passwords. That is not a brute force attack. You need to find the user with the most logon failures.

Read the above link and it should guide you to the solution.
Read and follow the part under the below section.

Log in to the DC, same user 7, and use PowerShell.

# Filter for event ID 4625 in the Security log
$events = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625}

# Group events by the username and count occurrences
$userLoginCounts = @($events | ForEach-Object {
    $eventProperties = $_.Properties
    $username = $eventProperties[5].Value   # TargetUserName
    $domain = $eventProperties[6].Value     # TargetDomainName
    $status = $eventProperties[7].Value     # Status code (collected, not used below)

    # Construct a user identifier (domain\username)
    $userIdentifier = "$domain\$username"

    # Output the user identifier
    $userIdentifier
} | Group-Object | Sort-Object Count -Descending)

# Display the user with the most login failures
if ($userLoginCounts.Count -gt 0) {
    $mostFailedUser = $userLoginCounts[0].Name
    $failedAttempts = $userLoginCounts[0].Count
    Write-Host "User with the most login failures: $mostFailedUser ($failedAttempts attempts)"
} else {
    Write-Host "No login failures found."
}
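
The point made earlier in the thread about telling a brute-force run apart from a few mistyped passwords, as an added example that is not code from any poster here: it reads the 4625 fields by name rather than by position and reports, per account, the densest burst of failures in a time window. The function names, the threshold of 10 failures in 5 minutes, and the sample records are assumptions constructed for illustration.

```powershell
# Added example: sample records and thresholds below are constructed, not lab data.

# Flatten a 4625 event into a record using the named EventData fields
# (TargetUserName, TargetDomainName, IpAddress) instead of positional indexes.
function ConvertTo-FailedLogonRecord {
    param([Parameter(ValueFromPipeline)] $LogEvent)
    process {
        $data = @{}
        foreach ($d in ([xml]$LogEvent.ToXml()).Event.EventData.Data) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            TimeCreated = $LogEvent.TimeCreated
            Account     = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source      = $data['IpAddress']
        }
    }
}

# Per account: total failures, distinct sources, and the largest number of
# failures inside any sliding window of $WindowMinutes.
function Get-FailedLogonBurst {
    param([object[]] $Record, [int] $Threshold = 10, [int] $WindowMinutes = 5)
    $Record | Group-Object Account | ForEach-Object {
        $times = @($_.Group.TimeCreated | Sort-Object)
        $peak = 0; $start = 0
        for ($end = 0; $end -lt $times.Count; $end++) {
            while (($times[$end] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $peak = [Math]::Max($peak, $end - $start + 1)
        }
        [pscustomobject]@{
            Account      = $_.Name
            Failures     = $_.Count
            PeakInWindow = $peak
            Sources      = @($_.Group.Source | Sort-Object -Unique).Count
            Suspicious   = $peak -ge $Threshold
        }
    } | Sort-Object Failures -Descending
}

# Constructed sample: one account failing every 10 seconds, two with isolated typos.
$t0 = Get-Date '2024-01-01T09:00:00'
$sample = @(0..11 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(10 * $_); Account = 'LAB\acct-a'; Source = '10.0.0.50' } })
$sample += [pscustomobject]@{ TimeCreated = $t0.AddHours(1); Account = 'LAB\acct-b'; Source = '10.0.0.21' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddHours(2); Account = 'LAB\acct-b'; Source = '10.0.0.21' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddHours(3); Account = 'LAB\acct-c'; Source = '10.0.0.33' }
Get-FailedLogonBurst -Record $sample | Format-Table -AutoSize
```

On a host that holds the Security log, the same analysis runs on live data by piping `Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625; StartTime=$date; EndTime=$date2}` into `ConvertTo-FailedLogonRecord` and passing the collected records to `Get-FailedLogonBurst`, which also moves the time filter into the query instead of `Where-Object`.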