Windows event logs & finding evil

clpbr · September 20, 2023, 1:32am

cans omeone help on skill assessment?

how to find the answer for the following?

By examining the logs located in the “C:\Logs\DLLHijack” directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
2.By examining the logs located in the “C:\Logs\PowershellExec” directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

i have been stuck for HOURS! please, advise

thank you!

LevelUp · October 5, 2023, 5:52am

For example excluding locations which are normal for example locations including system32 etc …

jackb · October 9, 2023, 6:34pm

Using XML?

itsAppl · October 23, 2023, 2:36am

I was also stuck for a while on this one. I over complicated it for 2 hours.

While trying to figure this out, I stumbled on the same exploit we went through earlier in the module on this website. It breaks down the exploit of calc.exe loading wininet.dll. The article mentions using the Find function in Event Viewer to find the wininet.dll.

In our case, after loading the logs into event viewer, we can Find for wininet.dll. There should only be a few logs that come up, and one specifically looks fishier than the rest. This should lead you to the correct .exe file.

dipl3 · November 1, 2023, 4:17pm

There is no wininet.dll in the logs of DLLHijack.evtx.

Im still stuck if someone has some responses

pcallos · November 6, 2023, 11:41pm

My logs are not showing Event 7 at all is it bugged?

MaxDrljic · November 7, 2023, 8:46am

I also have the same issue, I don’t see Event 7. Did you manage to solve it?

dipl3 · November 7, 2023, 9:52am

Sysmon with the config like in the Detection Example 1: Detecting DLL Hijacking

dipl3 · November 7, 2023, 9:54am

dm me if u really dont solve it, i needed a sleepness night to flag this

MaxDrljic · November 9, 2023, 7:16am

I have sent you a DM regarding this, please get back to me if you have the time.

concessiontt · November 24, 2023, 9:11am

Hello brother.You did a good job and I also came up with another way to solve this.I created an xml query to search for events where event data is not signed. In my opinion, one could feel more confident hunting dll hijacks this way , eliminating the need for hints

xpvrius · December 10, 2023, 1:34am

Does anyone know if the lab is working correctly? I have re-read the DLL hijacking lab and can’t find much with event ID 7, find, or searching via a customized XML query.

Detecting DLL hijacking with Sysmon, Chainsaw & custom Sigma rules | by Ben Folland | Medium

^ this is really good, you can create a txt file for the yml files, copy/paste the raw data into the text files, save/rename them as .yml. Afterward, run the chainsaw command to look for DLL hijacking against the event log.

However, I am not getting the correct result. Any tips/help are greatly appreciated.

xpvrius · December 10, 2023, 1:51am

Got it. The lab is working as intended. Open Event Viewer and then from event viewer open the logs. It seems to work/load properly like this for me.

Another option/hint is Chainsaw. the labs is pretty much all chainsaw.

Chainsaw: Hunt, search, and extract event log records - SANS Internet Storm Center

The answer is in the results, review DLL hijacking from HTB notes and there’s a keyword in the search that will give you the answer.

xpvrius · December 10, 2023, 2:52am

Unmasking Defence Evasion: Unmanaged PowerShell / C# / .NET process injection | by Ben Folland | Medium

Unmanaged-.NET-Process-Injection-Sigma-rule/unmanaged_powershell_process_injection_detection.yml at main · polygonben/Unmanaged-.NET-Process-Injection-Sigma-rule · GitHub

this will help find the powershell answer.

keymeal · December 25, 2023, 8:01pm

I already find the wininet but still couldnt get which exe is injected

amrinder_gill · February 1, 2024, 9:41pm

i found three logs with wininet.dll but they all are signed, how do we know which one I am looking for?

Ishan56 · February 8, 2024, 5:53am

bro make sure to edit the sysmon-config.export file correctly

Ishan56 · February 8, 2024, 5:55am

how did u filter through the logs tho to find the dll hijacked one?

Flobeey · March 1, 2024, 2:37am

Finally found a decent solution for this (“C:\Logs\DLLHijack) using the get-winevent method.
i ran this in the folder, so the path is just wildcarded (could specify the one file in there if you want)

We are looking for event ID 7 as this is looking for image loaded
We select some relevant fields
Then we use the where-object command to search through the message for any containing Signed: false
then we can either use the for each command or the select -expandproperty message to then print the message.
This should show us any dlls loaded that were not signed which indicate possible hijacking

> Get-WinEvent -FilterHashtable @{Path=‘*’; ID=7} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Where-Object {$.Message -match ‘Signed: false’} | ForEach-Object {Write-Host $.Message `n}

karibueli.certs · April 1, 2024, 5:40pm

Hi, I’m noob and stuck here too, spend whole night re-read the entire module cannot seem to get the answers for skills assesement, first i see event ID 7 and comes up with MMC.exe but this isn’t right can’t be so obvious, Any help clarification would be awesome thanks