Windows Event Logs & Finding Evil Mini-Module

If you want to find the right answer for the question, use this information for filtering: 2022-08-03T17:23:49
Event ID 4907

instead of the original wrong format:

“Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe”

3 Likes

Hey man,
I have tried filtering both ways, but it still didn't work.

How did you set up your query? Was the current log filter set to Security?

Please advise, I've been stuck for a while now.

Thank you so much!

It might be confusing because there are different IDs in the DLL hijacking and Security logs. In Windows logs, Security Event IDs are unique; no XML is needed here, just try to search for the exact Event ID :slight_smile:
Don't hesitate to reach out to me if my response isn't satisfying :slight_smile:

hahaha

I can't find it. I go to Security > Filter Current Log > I set the time to 2022-08-03T17:23:49 and Event ID
4907, and I can't find the executable. Neither when I set the time provided by HTB Academy.

Am i missing something?

Oh man! lol, just completed :wink:

The lab is super unstable, and the time that worked for me was 10:23:49.

Thank you so much. Did you finish Analyzing Evil with Sysmon & Event Logs?

4 Likes

Yes, and I still see it in my nightmares… :frowning:

@clpbr @morgenstern Guys, can you help me? I am stuck in DLL hijacking. What should I do with inject.exe and the DLLs in this folder?

Provide me more info please: where are you stuck? What's the question?

@morgenstern I am stuck on:

By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe

I've been using Chainsaw for this assessment. I used the process_access rule, but no luck.

Yeah actually, too bad I've got no proper solution for it. I bruteforced every .exe file; I don't know if it's really broken or I'm way too dumb to get it. :man_shrugging: Sorry.

I finished everything bro.

Tried the god file. Should have a file called god. I think it is in other folders.

Hello. I'm having issues here: "Utilize the Get-WinEvent cmdlet to traverse all event logs located within the "C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement" directory and determine when the \\PRINT share was accessed. Enter the time of the identified event in the format HH:MM:SS as your answer."

I found the entry, but the timestamp is always bad. Any ideas? Thank you.

Find the event in Event Viewer to see the right time!

1 Like
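For the two filtering problems in this thread (the Event ID 4907 lookup at a given time, and the Get-WinEvent traversal of the "Lateral Movement" .evtx files for the \\PRINT share), here is an added PowerShell example that is not from the thread or from HTB Academy. It flattens each event's EventData into properties so you can filter on fields like ShareName or ProcessName, and prints TimeCreated in both local time and UTC, since Get-WinEvent reports it in the analysis machine's local zone, which is one reason a lab's expected time can look "wrong". Event ID 5140 ("A network share object was accessed") and the field names are standard Security log values; the paths and time window are taken from the posts above.

```powershell
function Get-EventDataRows {
    # Query a live log (-LogName) or a directory of exported .evtx files (-EvtxDir)
    # for the given Event IDs, optionally within a time window.
    param(
        [Parameter(Mandatory)] [int[]]$Id,
        [string]$LogName,
        [string]$EvtxDir,
        [datetime]$Start,
        [datetime]$End
    )
    $filter = @{ Id = $Id }
    if ($LogName) { $filter.LogName = $LogName }
    if ($EvtxDir) {
        # FilterHashtable's Path key accepts an array, so one query covers every file.
        $filter.Path = (Get-ChildItem -Path $EvtxDir -Filter *.evtx -Recurse).FullName
    }
    if ($PSBoundParameters.ContainsKey('Start')) { $filter.StartTime = $Start }
    if ($PSBoundParameters.ContainsKey('End'))   { $filter.EndTime   = $End }

    foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        $row = [ordered]@{
            Id        = $e.Id
            LocalTime = $e.TimeCreated.ToString('yyyy-MM-dd HH:mm:ss')
            UtcTime   = $e.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss')
            Source    = $e.ContainerLog   # log name, or the .evtx file the event came from
        }
        # Each <Data Name="..."> element in EventData becomes a property on the row.
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $row[$d.Name] = $d.'#text' }
        }
        [pscustomobject]$row
    }
}

# Post about the \\PRINT share: 5140 is "A network share object was accessed".
Get-EventDataRows -Id 5140 -EvtxDir 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\Lateral Movement' |
    Where-Object ShareName -like '*\PRINT' |
    Select-Object LocalTime, UtcTime, ShareName, SubjectUserName, IpAddress, Source

# Post about 4907 ("Auditing settings on object were changed"): narrow the live Security
# log to a one-minute window around the time given in the thread and show the process.
Get-EventDataRows -Id 4907 -LogName Security -Start '2022-08-03T17:23:00' -End '2022-08-03T17:24:00' |
    Select-Object LocalTime, UtcTime, ProcessName, ObjectName
```

If the expected time still does not match either column, compare the event's TimeCreated in Event Viewer against the VM's time zone (Get-TimeZone) before assuming the event is missing.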

Thank you. Found it :slight_smile:

Thank you for your tip. That’s exactly what I used to work towards the answer for both. Only took a few minutes after reading this to figure it out!

Can somebody help me with the first question for the "Analyzing Evil With Sysmon & Event Logs" section?
We have to do DLL hijacking like it was shown in the lesson, but the problem is: we can't move calc.exe like in the lesson. My second idea was to use inject.exe, which was provided to us on the machine, and it actually worked, but I can see no logs that manipulate WININET.dll, so I can't find the required hash to submit…

I would appreciate any help! :pray:

Try and look at the security settings…

You should copy calc.exe and paste it in the folder with WININET.dll.

Hello I’m having trouble with this question. I don’t seem to understand why services.exe does not work since that’s the only process I see with the correct format. I’m looking at the correct timestamp in the question. Is there anyone who can help guide me in the right direction?

1 Like