Windows Event Logs & Finding Evil Mini-Module

morgenstern · August 20, 2023, 9:19pm

If you want to find the right answer for the question, use this information for filtering: 2022-08-03T17:23:49
Event ID 4907

instead of the original wrong format:

“Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe”

clpbr · September 15, 2023, 10:22pm

hey man,
i have tried filtering both ways, ,but it still didnt work.

How did you set up your query? current log filter was security?

please, advise i been stuck for a while now

thank you so much!

morgenstern · September 15, 2023, 11:13pm

It might be confusing because there are different IDs with DLLHiacks and Security logs, in Windows logs Security EventIDs are Unique, no XML needed here, just try to search for the exact EventID
Don’t hesitate to reach me if my response isn’t satisfying

clpbr · September 15, 2023, 11:34pm

hahaha

i can’t find it. i go to security > filter current log > i set the time for 2022-08-03T17:23:49 and event id
4907 and i can’t find the executable. neither when i set the time provided by HTB academy

Am i missing something?

clpbr · September 15, 2023, 11:42pm

oh man! lol just completed

lab is super unstable and the time for me that worked was 10:23:49

thank you so much. did you finish analyzing evil with sysmon & event logs?

morgenstern · September 15, 2023, 11:51pm

yes, and i still see it in my nightmares…

feztix · September 19, 2023, 3:38pm

@clpbr @morgenstern Guys, can you help me? I am stuck in dll hijaking. What should I do with inject.exe and dll’s in this folder?

morgenstern · September 20, 2023, 8:45am

provide me more info please where you stuck? whats the question?

clpbr · September 20, 2023, 8:31pm

@morgenstern i am sutck on

by examining the logs located in the “C:\Logs\Dump” directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe

clpbr · September 20, 2023, 8:31pm

i been using chainsw for this assessment. i used the proces_access rule ,but no lucky

morgenstern · September 22, 2023, 8:44pm

ye actually, too bad i’ve got no proper solution for it, i bruteforced every .exe files , i dont know if its really broken or im way too dumb to get it. sorry.

clpbr · September 23, 2023, 1:27am

i finished everything bro.

tried the god file. sould have a file called god. i think it is on others folders