Windows Event Logs & Finding Evil - Skills Assessment

I’m stuck on the last question of the Skills Assessment in the Windows Event Logs and Finding Evil module. After reading the whole module and trying a couple of the techniques listed, I still don’t know how to go about answering this question:

By examining the logs located in the “C:\Logs\StrangePPID” directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe

Does anyone know the best way to find the answer to this question? Any help would be appreciated. Thanks.


So far I’ve been having trouble with all of that module. What was your game plan for the rest of the questions? I find myself going through the logs pretty much manually.


I had some trouble getting through this module too, but it’s about persistence. I had to go back and reread each section, as well as use sources outside of HTB, to get through it. I believe the module is designed so that it doesn’t just hand you the answer. Just keep at it and don’t give up; it’s very rewarding when you actually find the answers you’re looking for.


Hey!

That’s the last question for me. Any hints, please?

Unfortunately, I am still waiting for any ideas/hints on how to solve this challenge too.

Ok cool, I’ll try that when I get a chance. If I have trouble figuring it out I’ll @ you in this thread.

@clpbr I just completed it with the Chainsaw tool you mentioned. Massive thanks for the hint.

Except for the first 2, I am stuck on the rest! I even tried all the listed processes, but no luck! It seems that the event ID for process access is not leading me to the answer.

Chainsaw gives a very big output too, so it is not that useful!

The most complicated lab for me ever! Any hint will be appreciated!

@LevelUp Using the Chainsaw tool, include only the StrangePPID log, without the EVTX attack samples, in the parameters of the command. You want to look for the section that says strange PPID / parent-child in the list.


Hi brother. Have you tried the Chainsaw command-line utility? Navigate to Tools and pivot into chainsaw. Next, rename the Chainsaw application to chainsaw, since it has a rather long name which caused an error in my case. Fire up a cmd as admin and cd into the chainsaw directory. You will see examples of hunt queries when you type chainsaw.exe --help. Use the first one, but change ’ -all ’ to ’ legacy ’ because we need the legacy rules. Before executing the command, write the output into a text file by adding " > results.txt " at the end of the command.


Clutch. Thanks for the save.

Good info. There’s a blog on this in the module, I think!

This worked… Thanks

There is a super simple way to solve it: in Event Viewer you can filter by CreateRemoteThread, which indicates the creation of a remote thread within a process.

This can also help for the 3rd exercise (By examining the logs located in the “C:\Logs\PowershellExec” directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe).


Great hint! Yes, it works perfectly!

Filter on event ID 8 and the rest is easy.

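The same hunt done by hand, as an added example (this is not code posted in the thread and not part of the HTB module): a PowerShell script that reads every .evtx in the lab directory with Get-WinEvent and pulls out the two Sysmon event types the replies above rely on, Event ID 1 (process creation, which carries ParentImage for the strange parent-child question) and Event ID 8 (CreateRemoteThread, for the 3rd exercise). It assumes the files are Sysmon logs, so the EventData field names (Image, ParentImage, SourceImage, TargetImage, StartAddress, StartModule) are Sysmon's; the directory path is the one quoted in the question and can be switched to C:\Logs\PowershellExec.

```powershell
# Added example, not from the thread or the module. Assumes Sysmon-format .evtx files.
param(
    [string]$LogDir = 'C:\Logs\StrangePPID'   # use C:\Logs\PowershellExec for the 3rd exercise
)

# Flatten an event's <EventData> into a hashtable keyed by field name
function Get-EventDataFields {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $fields = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    return $fields
}

# File name only; tolerate a missing value instead of failing the whole run
function Get-ImageName([string]$Path) {
    if ([string]::IsNullOrEmpty($Path)) { return '<none>' }
    return Split-Path -Path $Path -Leaf
}

# Pull only IDs 1 and 8 out of each saved log rather than loading every record
$events = Get-ChildItem -Path $LogDir -Filter '*.evtx' | ForEach-Object {
    Get-WinEvent -Path $_.FullName -FilterXPath '*[System[(EventID=1 or EventID=8)]]' -ErrorAction SilentlyContinue
}

# Event ID 1: tabulate parent -> child pairs. Pairs that occur once, and parents that
# have no business spawning that child, are the "strange PPID" the question is about.
$creates = foreach ($e in ($events | Where-Object { $_.Id -eq 1 })) {
    $f = Get-EventDataFields $e
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Parent      = Get-ImageName $f['ParentImage']
        Child       = Get-ImageName $f['Image']
        CommandLine = $f['CommandLine']
    }
}
Write-Host '== Process creation (Event ID 1): parent -> child, rarest pairs first =='
$creates | Group-Object Parent, Child | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize
$creates | Sort-Object Time | Format-Table Time, Parent, Child, CommandLine -AutoSize -Wrap

# Event ID 8: which process created a thread inside which other process.
# The source is the injector; the target is the process whose code is being "borrowed".
$threads = foreach ($e in ($events | Where-Object { $_.Id -eq 8 })) {
    $f = Get-EventDataFields $e
    [pscustomobject]@{
        Time         = $e.TimeCreated
        SourceImage  = Get-ImageName $f['SourceImage']
        TargetImage  = Get-ImageName $f['TargetImage']
        StartAddress = $f['StartAddress']
        StartModule  = $f['StartModule']
    }
}
Write-Host '== Remote thread creation (Event ID 8): source -> target =='
$threads | Sort-Object Time | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt on the lab host (Get-WinEvent with -Path needs read access to the .evtx files). The grouped Event ID 1 table is the quick way to spot a one-off parent-child pair without scrolling Chainsaw's full output; the Event ID 8 table gives the same information the Event Viewer CreateRemoteThread filter does, but with source and target side by side.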

Thanks bro, it works.

I filtered by event ID 8 as well. I am still struggling. Any pointers?

Send me the question, because I am already on the Splunk module.

By examining the logs located in the “C:\Logs\StrangePPID” directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe
I do not have directions, but the answer format is … wxxfxxlt.exe
