Build an XML query to determine if the previously mentioned executable modified the auditing settings of C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll.
So I know we are going to be looking for event 4907. When I look at other events it seems like we want to be looking for ObjectName and ProcessName. I've created the query below referencing the link in the Academy module. Since both of those fields are under EventData I figured I could do a wildcard search, but it's not showing any results.
Well, it looks like I'm not as smart as I thought. Good thing I'm in the Academy. In the article it states:
You don't need to specify the specific name that the data can be in, but just search that some data in contains test5.
I read this as more of a wildcard search that would match anything in event data containing “test5”. Instead it will look for an exact match but for any of the data fields.
If we copy the whole path “C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll” and replace it with “test5” in the Broader Filtering example Here we will easily be able to find the answer.
What I did was to take into account that we are still talking about the previous process (4907). So, I created an XML script to search for process ID 4907 with the previous time stamp (8/3/2022 at 10:23:25). From there, I look chronologically for the Object Name: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll, then pick the time corresponding to it.
<!-- Event 4907 stores the acting executable in the ProcessName field (SubjectUserName holds the account, never a path),
     and pinning each value to its field name avoids a match in an unrelated Data element. -->
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4907)]]
      and
      *[EventData[Data[@Name='ObjectName']='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll']]
      and
      *[EventData[Data[@Name='ProcessName']='C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1790_none_7df2aec07ca10e81\TiWorker.exe']]
    </Select>
  </Query>
</QueryList>
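To see the difference between the module's "broader" filter (exact match on any EventData field) and a filter pinned to ObjectName, here is an added example, not from the thread or the Academy module, that runs both through Get-WinEvent -FilterXml and lists the matching 4907 events in time order. It assumes an elevated session on a host whose Security log contains 4907 events, and uses the object path quoted in the thread.

```powershell
# Added example: compare the two XPath filter styles discussed in the thread.
# Assumes an elevated PowerShell session with read access to the Security log.
$objectPath = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll'

# Broader filter: matches when ANY <Data> element under EventData equals the path
# exactly (this is the "test5" style: exact value, unspecified field name, not a substring search).
$broad = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4907)]] and *[EventData[Data='$objectPath']]
    </Select>
  </Query>
</QueryList>
"@

# Narrower filter: the value must sit in the ObjectName field specifically,
# so a match in another field (for example ProcessName) cannot satisfy it.
$narrow = @"
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[(EventID=4907)]] and *[EventData[Data[@Name='ObjectName']='$objectPath']]
    </Select>
  </Query>
</QueryList>
"@

foreach ($xml in $broad, $narrow) {
    Get-WinEvent -FilterXml ([xml]$xml) -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData <Data Name="..."> elements into a lookup table
            $e = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $e.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated      # the answer the thread is after
                ProcessName = $d['ProcessName']   # executable that changed the SACL
                ObjectName  = $d['ObjectName']    # object whose auditing settings changed
                OldSd       = $d['OldSd']         # security descriptor before the change
                NewSd       = $d['NewSd']         # security descriptor after the change
            }
        } | Sort-Object TimeCreated | Format-Table -AutoSize
}
```

Filter on ProcessName as well once you know which executable you are after, so an unrelated process touching the same DLL does not end up in the result set.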