Windows Event Logs & Finding Evil - Skills Assessment

I’m stuck on the last question of the skills assessment in the module on the Windows Event Logs and Finding Evil Course. After reading the whole module and trying a couple of the techniques listed, I still don’t know how to go about answering this question:

By examining the logs located in the “C:\Logs\StrangePPID” directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe

Does anyone know the best way to find the answer to this question? Any help would be appreciated. Thanks.

So far I’ve been having trouble with all of that module. What was your game plan for the rest of the questions? I find myself going through the logs pretty much manually.

I had some trouble getting through this module too, but it’s about persistence. I had to go back and reread each module as well as use sources outside of HTB to get through it. I believe the module is designed so that it doesn’t just hand you the answer. Just keep at it and don’t give up; it’s very rewarding when you actually find the answers you’re looking for.


That’s the last question for me. Any hints, please?

Unfortunately, I am still waiting for any ideas/hints on how to solve this challenge too.

Bro, I solved it. Run chainsaw with the sigma rule from windows legacy.

It will give you the answer. Unfortunately, I feel that the flags are a bit unstable.

process starts with w…exe

Ok cool I’ll try that when I get a chance, if I have trouble figuring it out I’ll @ you in this thread.

@clpbr I just completed it with the chainsaw tool you mentioned. Massive thanks for the hint.