Windows event logs & finding evil

Can someone help on the skill assessment?

How do I find the answer for the following?

1. By examining the logs located in the “C:\Logs\DLLHijack” directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
2. By examining the logs located in the “C:\Logs\PowershellExec” directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

I have been stuck for HOURS! Please advise.

thank you!

For example, exclude locations which are normal, for example locations including system32, etc.

1 Like

Using XML?

I was also stuck for a while on this one. I overcomplicated it for 2 hours.

While trying to figure this out, I stumbled on the same exploit we went through earlier in the module on this website. It breaks down the exploit of calc.exe loading wininet.dll. The article mentions using the Find function in Event Viewer to find the wininet.dll.

In our case, after loading the logs into event viewer, we can Find for wininet.dll. There should only be a few logs that come up, and one specifically looks fishier than the rest. This should lead you to the correct .exe file.

There is no wininet.dll in the logs of DLLHijack.evtx.

I'm still stuck, if someone has some responses.

My logs are not showing Event 7 at all, is it bugged?

1 Like

I also have the same issue, I don’t see Event 7. Did you manage to solve it?

Sysmon with the config like in the Detection Example 1: Detecting DLL Hijacking

DM me if you really don't solve it, I needed a sleepless night to flag this.

I have sent you a DM regarding this, please get back to me if you have the time.

Hello brother. You did a good job and I also came up with another way to solve this. I created an XML query to search for events where the event data is not signed. In my opinion, one could feel more confident hunting DLL hijacks this way, eliminating the need for hints.
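The "not signed" query idea above, combined with the earlier hint about excluding normal locations such as system32, as an added example that is not from this thread or the HTB module. It assumes Sysmon was run with the module's config so Event ID 7 (ImageLoaded) is present, and that the exported log is C:\Logs\DLLHijack\DLLHijack.evtx (directory from the task, file name as mentioned in this thread).

```powershell
# Added example (not from the thread or the module): hunt Sysmon Event ID 7 records in
# an exported log for DLLs that are unsigned and were loaded from outside the normal
# Windows system directories. Log path is an assumption based on the task description.
param(
    [string]$LogPath = 'C:\Logs\DLLHijack\DLLHijack.evtx'
)

# XPath filter: Sysmon image-load events whose EventData marks the DLL as unsigned.
$xpath = "*[System[EventID=7]] and *[EventData[Data[@Name='Signed']='false']]"

# Loads from these directories are normal for most processes; exclude them to cut noise.
$trustedDirs = @('C:\Windows\System32\', 'C:\Windows\SysWOW64\', 'C:\Windows\WinSxS\')

$hits = foreach ($evt in Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction Stop) {
    # Flatten the <Data Name="..."> elements of the event into a hashtable.
    $xml  = [xml]$evt.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    $loaded      = $data['ImageLoaded']
    $fromTrusted = $false
    foreach ($dir in $trustedDirs) {
        if ($loaded -like "$dir*") { $fromTrusted = $true; break }
    }
    if ($fromTrusted) { continue }

    # Keep only the fields needed to judge the load: who loaded what, from where.
    [pscustomobject]@{
        TimeCreated = $evt.TimeCreated
        Process     = $data['Image']
        DllLoaded   = $loaded
        Signed      = $data['Signed']
        Hashes      = $data['Hashes']
    }
}

# A legitimate program loading an unsigned DLL from a user-writable directory is the
# DLL hijacking pattern; the Process column of the surviving rows is the candidate answer.
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
```

If the query returns nothing at all, check first that Event ID 7 exists in the log, since Sysmon only records image loads when the config enables them.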

Does anyone know if the lab is working correctly? I have re-read the DLL hijacking lab and can’t find much with event ID 7, find, or searching via a customized XML query.

Detecting DLL hijacking with Sysmon, Chainsaw & custom Sigma rules | by Ben Folland | Medium

^ this is really good, you can create a txt file for the yml files, copy/paste the raw data into the text files, save/rename them as .yml. Afterward, run the chainsaw command to look for DLL hijacking against the event log.

However, I am not getting the correct result. Any tips/help are greatly appreciated.

Got it. The lab is working as intended. Open Event Viewer and then from event viewer open the logs. It seems to work/load properly like this for me.

Another option/hint is Chainsaw. The lab is pretty much all Chainsaw.

Chainsaw: Hunt, search, and extract event log records - SANS Internet Storm Center

The answer is in the results, review DLL hijacking from HTB notes and there’s a keyword in the search that will give you the answer.

1 Like

Unmasking Defence Evasion: Unmanaged PowerShell / C# / .NET process injection | by Ben Folland | Medium

Unmanaged-.NET-Process-Injection-Sigma-rule/unmanaged_powershell_process_injection_detection.yml at main · polygonben/Unmanaged-.NET-Process-Injection-Sigma-rule · GitHub

This will help find the PowerShell answer.

1 Like

I already found the wininet but still couldn't get which exe is injected.

I found three logs with wininet.dll but they are all signed, how do we know which one I am looking for?

Bro, make sure to edit the sysmon-config.export file correctly.

How did you filter through the logs though to find the DLL hijacked one?