Windows Event Logs & Finding Evil Mini-Module

I spent hours on this question. And the solution is simple if you come to the idea that event 8 is “CreateRemoteThread”. Just filter the log by event ID 8 and there you will easily find the answer.
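
The filter described in the post above, done from the command line instead of Event Viewer. This is an added example, not code from the thread or the module; the `.evtx` path is a placeholder and the file is assumed to be an export of the Sysmon operational channel.

```powershell
# Added example: list Sysmon Event ID 8 (CreateRemoteThread) records from a saved .evtx
# and show which process created a thread in which target process.
# Assumption: $LogPath is a placeholder; point it at your exported Sysmon log.
$LogPath = 'C:\Logs\sysmon-sample.evtx'

# Only fetch event 8 records; the XPath filter works against saved files too.
$events = Get-WinEvent -Path $LogPath -FilterXPath '*[System[EventID=8]]' -ErrorAction Stop

$events | ForEach-Object {
    # Sysmon stores its fields in EventData/Data elements keyed by Name.
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    [pscustomobject]@{
        TimeCreated   = $_.TimeCreated
        SourceImage   = $d['SourceImage']      # the process that created the remote thread
        SourcePid     = $d['SourceProcessId']
        TargetImage   = $d['TargetImage']      # the process that received the thread
        TargetPid     = $d['TargetProcessId']
        StartAddress  = $d['StartAddress']
        StartModule   = $d['StartModule']
        StartFunction = $d['StartFunction']
    }
} | Sort-Object TimeCreated | Format-Table -AutoSize
```

In event 8 the injecting process is `SourceImage`, not a parent field, so that column is the one to read when deciding which process is the odd one out. Expect some legitimate sources (for example security software) in a real log, so compare against what normally creates remote threads on the host before calling one malicious.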

I did the same as you and I got confused too, since I found only one event when I filtered and it had a ParentImage.

I tried filtering with Event ID 8 but I am unable to find the process. Any pointers?

What's the hint?

Which blog post is it?

I’m on Question 2 and then 3 and I have scoured each and every event around a CreateRemoteThread event and nothing thus far is the correct answer. Any pointers via DM would be greatly appreciated.

Abuser error. Figured it out.

It’s not really hard, but the lack of hints can make it tough, and the way the logs are presented makes this more confusing than it should be. It’s important to open the log file correctly: open a new Event Viewer window and manually open the log file using the ‘Open Saved Log’ option at the top.