Windows Event Logs & Finding Evil Mini-Module

I lost my faith on this question any help?
from the skill assessment questions

By examining the logs located in the “C:\Logs\PowershellExec” directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

you should find a name of process that run a PowerShell code in those log files at “C:\Logs\PowershellExec” directory, You can check dir /a /r to see if there is a hidden log file there.
You can also try these:

What are the running processes/services on the system? Is there an inside service not exposed? If so, can we open it? See Port Forwarding in Appendix.

tasklist /svc
tasklist /v
net start
sc query

Get-Process has a -IncludeUserName option to see the process owner, however you have to have administrative rights to use it.

Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

This one liner returns the process owner without admin rights, if something is blank under owner it’s probably running as SYSTEM, NETWORK SERVICE, or LOCAL SERVICE.

Get-WmiObject -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={$_.GetOwner().User}} | ft -AutoSize
1 Like

The attack was in the past that’s why it’s logged and I couldn’t really look into the running process and I couldn’t also emulate it but I managed to find the answer by looking in the parent process that injected the dll file.
However, I am very open if you could please advice me on how to be better with windows os to understand the process, services, etc and be more familiar so I can detect anomalies on the system.

You can study this page:

and this page:

to be better with windows os and understand process, services, etc and detect anomalies on the system.

1 Like

Thank you

have you completed the exercise?


Yes, I did you need to check what dll file from .net was used check it’s parent .exe image that loaded and from this parent you must find a the parent of the parent lemme know

I don’t see the solution

there’s a blog shared in this module, that talks about famous service that runs most of powershell.ese service

I am stumbling on the third question as well. I assume that I need to find the parent process. Can someone help me with my thought process?
I reviewed the dll that are normally associated with unmanaged powershell execution. I filtered based on those dll AND process ID 7. I reviewed unsigned process and dll loaded from unusual location (not from System32). I still ca not figure out the parent process. Any thoughts?

​I’m standing there

What do you mean standing there? did you solve this question?

no, I don’t see the solution

I understand I need to find the parent process but I don’t know why but I am lost and going in circles at this point, think I have missed something simple but any pointers would be great.

Hi guys,
You should read the blog post shared in this module about the unmanaged code, we have two main dll that are normal for powershell process ran and apperanlty poweshell.exe isn’t the parent of this so you should find the parent of powershell.exe that injects the dll into the powershell

Hi guys,

after stucking on this question for 3 hr, I decided to go to sleep. Better get your mind a rest and read the question again in the morning.
after reading the question again and again, and understanding the logic behind this, you shall realize Q3 is related to Q2. you need to find out which process injected the powershell code to the answer of Q2.

Having FUN!

1 Like

I can’t find the solution, help would be good or a more detailed explanation, I can’t find the solution

I am very confused by this question. First, the wording is a bit confusing, but once I understood to find the parent of the previous answer I thought I was on the right track. I guess I am not sure how to find this answer as I dont see that information in Event ID 7 logs. So I looked at Event ID 1 Logs (Process Creation) and found a parent ID associated with the respective PID (answer to #2). However, this is not the correct answer, and so I am very confused now…

This stumped me because it event viewer kept opening the file but I wasn’t getting results. If you already have answer 2, open the PowerShellExec with Notepad. Find the first event when the answer to Question 2 appears, you’ll find its parent there.

1 Like

There is a super simple way to find it, you can simple filter in event viewer by (CreateRemoteThread) and you will find which executable created a process into the target Image.

I spent some hours running around thinking that the event id 1(eventCreation) was the related to it, till someone told me about the event.

1 Like