Windows Event Logs & Finding Evil Mini-Module

If you want to find the right answer for the question, use this information for filtering: 2022-08-03T17:23:49
Event ID 4907

instead of the original wrong format:

“Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe”


Hey man,
I have tried filtering both ways, but it still didn't work.

How did you set up your query? Was the current log filter set to Security?

Please advise, I've been stuck for a while now.

Thank you so much!

It might be confusing because there are different IDs in the DLL hijack logs and the Security logs. In the Windows Security log, Event IDs are unique, so no XML is needed here; just search for the exact Event ID.
Don't hesitate to reach me if my response isn't satisfying.

hahaha

I can't find it. I go to Security > Filter Current Log, set the time to 2022-08-03T17:23:49 and Event ID 4907, and I can't find the executable. Neither when I set the time provided by HTB Academy.

Am i missing something?

Oh man! lol, just completed it.

The lab is super unstable, and the time that worked for me was 10:23:49.

Thank you so much. Did you finish Analyzing Evil with Sysmon & Event Logs?


Yes, and I still see it in my nightmares...

@clpbr @morgenstern Guys, can you help me? I am stuck in DLL hijacking. What should I do with inject.exe and the DLLs in this folder?

Provide more info please. Where are you stuck? What's the question?

@morgenstern I am stuck on:

"By examining the logs located in the C:\Logs\Dump directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe"

I've been using Chainsaw for this assessment. I used the process_access rule, but no luck.
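Both questions in this thread come down to the same two steps: filter a log to one Event ID (plus a time window), then read a named field out of the event's EventData rather than guessing its position in Event Viewer. The PowerShell below is an added example, not code from the thread or from HTB Academy. It assumes the Security log is queried live on the lab machine and that the Sysmon logs for the second question are saved as .evtx files under C:\Logs\Dump; the one-minute window around 17:23 UTC and the field names (ProcessName for 4907, SourceImage/TargetImage for Sysmon Event ID 10) are standard for those events, but the exact paths and times are assumptions you should adjust to the lab.

```powershell
# Added example (not from the thread). Assumed: live Security log on the lab box,
# Sysmon .evtx files under C:\Logs\Dump, and a time window around the thread's timestamp.

function Get-EventDataField {
    param(
        [Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [Parameter(Mandatory)] [string]$Name
    )
    # Every Event ID has its own field layout, so look the field up by its Name
    # attribute in the EventData XML instead of indexing $Event.Properties by position.
    $xml  = [xml]$Event.ToXml()
    $node = $xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }
    if ($node) { $node.'#text' }
}

# 1) Security Event ID 4907 "Auditing settings on object were changed".
#    The log stores timestamps in UTC while Event Viewer displays local time, which is
#    why 17:23 and 10:23 can refer to the same record; the window below is UTC.
$auditFilter = @{
    LogName   = 'Security'
    Id        = 4907
    StartTime = [datetime]'2022-08-03T17:23:00Z'
    EndTime   = [datetime]'2022-08-03T17:24:00Z'
}
Get-WinEvent -FilterHashtable $auditFilter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreatedUtc = $_.TimeCreated.ToUniversalTime()
            ProcessName    = Get-EventDataField -Event $_ -Name 'ProcessName'  # the executable that changed the SACL
            ObjectName     = Get-EventDataField -Event $_ -Name 'ObjectName'
        }
    } | Format-Table -AutoSize

# 2) Sysmon Event ID 10 (ProcessAccess) where the target is lsass.exe.
#    SourceImage is the process that opened the handle, i.e. the likely dumper.
Get-ChildItem 'C:\Logs\Dump\*.evtx' | ForEach-Object {
    Get-WinEvent -FilterHashtable @{ Path = $_.FullName; Id = 10 } -ErrorAction SilentlyContinue
} |
    Where-Object { (Get-EventDataField -Event $_ -Name 'TargetImage') -like '*\lsass.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            TimeCreatedUtc = $_.TimeCreated.ToUniversalTime()
            SourceImage    = Get-EventDataField -Event $_ -Name 'SourceImage'
            GrantedAccess  = Get-EventDataField -Event $_ -Name 'GrantedAccess'
            CallTrace      = Get-EventDataField -Event $_ -Name 'CallTrace'
        }
    } | Sort-Object SourceImage -Unique | Format-Table -AutoSize
```

If the Sysmon query returns several SourceImage values, look at GrantedAccess and CallTrace: legitimate access to LSASS (for example from system components) typically comes with a call trace that stays inside Windows system DLLs, while a dumper tends to request a mask that includes PROCESS_VM_READ and shows an unusual image or an unsigned module in the trace. That narrows the list far more reliably than trying every .exe in the folder.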

Yeah, actually, too bad I've got no proper solution for it. I brute-forced every .exe file; I don't know if it's really broken or I'm way too dumb to get it. Sorry.

I finished everything, bro.

Tried the god file. It should have a file called god. I think it is in the other folders.