TryHackMe Walkthrough - Windows Event Logs
Introduction
The purpose of this article is to document my journey through the TryHackMe platform. This article will contain answers to the questions provided along with the thought process as to how I obtained them. I will also include any additional notes along the way.
This room was created as an introduction to Windows Event Logs and the tools to query them.
NOTE: only subscribers to TryHackMe are allowed to access this room. If you would like to subscribe to TryHackMe, sign up here.
Task 1: What are event logs?
Task 1.1 – Read through this section.
Task 1.2 – Click Start Machine to start the machine.
Task 1.3 – RDP into the machine via its IP address and log in with the credentials administrator:blueT3aming!. Alternatively, you can use the built-in AttackBox if you prefer.
Question 1.1 – Let’s begin…
Answer 1.1 – Click the Completed button to progress to the next task.
Task 2: Event Viewer
Task 2.1 – Read through this section and complete the tasks outlined. All of the answers to the following questions can be found within this section as well as within the machine you are connected to.
Question 2.1 – For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log.
Answer 2.1 – Click the Completed button to progress to the next task.
Question 2.2 – What is the Event ID for the first recorded event?
Answer 2.2 – 40961
Question 2.3 – Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?
Answer 2.3 – whoami
Question 2.4 – What is the Task Category for Event ID 4104?
Answer 2.4 – Execute a Remote Command
Question 2.5 – Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?
Answer 2.5 – Pipeline Execution Details
Task 3: wevtutil.exe
Task 3.1 – Read through this section and complete the tasks outlined. All of the answers to the following questions can be found within this section as well as within the machine you are connected to.
Question 3.1 – How many log names are in the machine?
Answer 3.1 – 1071
Question 3.2 – What event files would be read when using the query-events command?
Answer 3.2 – event log, log file, structured query
Question 3.3 – What option would you use to provide a path to a log file?
Answer 3.3 – /lf:true
Question 3.4 – What is the VALUE for /q?
Answer 3.4 – XPath query
Question 3.5 – The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text
Answer 3.5 – Click the Completed button to progress to the next task.
Question 3.6 – What is the log name?
Answer 3.6 – Application
Question 3.7 – What is the /rd option for?
Answer 3.7 – event read direction
Question 3.8 – What is the /c option for?
Answer 3.8 – Maximum number of events to read
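The wevtutil options asked about in Task 3, run from a PowerShell prompt, as an added example that is not part of the room or this walkthrough. The .evtx path is a placeholder I made up for the /lf:true case.

```powershell
# Added example: the wevtutil options from Task 3 (el, qe, /c, /rd, /f, /q, /lf).
# The exported-log path below is a placeholder, not a file from the room.

# Task 3.1: count log names; "wevtutil el" prints one log name per line
$logCount = (wevtutil el | Measure-Object -Line).Lines
"Log names on this host: $logCount"

# Task 3.5 command: read 3 Application events (/c:3), newest first (/rd:true), as text
wevtutil qe Application /c:3 /rd:true /f:text

# /q takes an XPath query; /c caps how many matching events are read
wevtutil qe Security /q:"*[System[EventID=4720]]" /c:5 /rd:true /f:text

# /lf:true tells qe that the first argument is a path to a log FILE, not a log name
$evtx = 'C:\Logs\exported.evtx'   # placeholder path
if (Test-Path $evtx) {
    wevtutil qe $evtx /lf:true /q:"*[System[EventID=4104]]" /c:3 /f:text
}
```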
Task 4: Get-WinEvent
Task 4.1 – Read through this section and complete the tasks outlined. All of the answers to the following questions can be found within this section, Microsoft’s online documentation, and the machine you are connected to.
Question 4.1 – Answer the following questions using the online help documentation for Get-WinEvent
Answer 4.1 – Click the Completed button to progress to the next task.
Question 4.2 – Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?
Answer 4.2 – OpenSSH/Admin, OpenSSH/Operational
Question 4.3 – Execute the command from Example 8. Instead of the string *Policy*, search for *PowerShell*. What is the name of the 3rd log provider?
Answer 4.3 – Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
Question 4.4 – Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?
Answer 4.4 – 192
Question 4.5 – How do you specify the number of events to display?
Answer 4.5 – -MaxEvents
Question 4.6 – When using the FilterHashtable parameter and filtering by level, what is the value for Informational?
Answer 4.6 – 4
Task 5: XPath Queries
Task 5.1 – Read through this section and complete the tasks outlined. All of the answers to the following questions can be found within this section and the machine you are connected to.
Question 5.1 – Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?
Answer 5.1 – Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'
Question 5.2 – Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?
Answer 5.2 – Get-WinEvent -LogName Security -FilterXPath '*/System/EventID=4720 and */EventData/Data[@Name="TargetUserName"]="sam"'
Question 5.3 – Based on the previous query, how many results are returned?
Answer 5.3 – 2
Question 5.4 – Based on the output from question #2, what is the Message?
Answer 5.4 – A user account was created
Question 5.5 – Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])
Answer 5.5 – 12/17/2020 1:57:14 PM
Question 5.6 – What is the Provider Name?
Answer 5.6 – Microsoft-Windows-Security-Auditing
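The two XPath filter shapes used in Task 5 (a System field match and an EventData field match, joined with "and") generalised into a small helper, as an added example of my own rather than code from the room. The function name and parameters are mine.

```powershell
# Added example: build Get-WinEvent -FilterXPath strings from parameters so the
# Task 5 filter shapes work for any provider, event ID, timestamp or EventData field.
function New-EventXPath {
    param(
        [string]$Provider,              # e.g. WLMS -> */System/Provider[@Name="WLMS"]
        [int]$EventId,                  # e.g. 4720 -> */System/EventID=4720
        [string]$SystemTime,            # exact UTC value as written in the event XML
        [hashtable]$EventData = @{}     # e.g. @{ TargetUserName = 'sam' }
    )
    $parts = @()
    if ($Provider)   { $parts += "*/System/Provider[@Name=`"$Provider`"]" }
    if ($EventId)    { $parts += "*/System/EventID=$EventId" }
    if ($SystemTime) { $parts += "*/System/TimeCreated[@SystemTime=`"$SystemTime`"]" }
    foreach ($k in $EventData.Keys) {
        # XPath string comparison is case-sensitive: use the casing stored in the event
        $parts += "*/EventData/Data[@Name=`"$k`"]=`"$($EventData[$k])`""
    }
    if ($parts.Count -eq 0) { throw 'At least one filter condition is required.' }
    return ($parts -join ' and ')
}

# Query 5.1: WLMS events at one exact SystemTime (Application log)
$xpath1 = New-EventXPath -Provider 'WLMS' -SystemTime '2020-12-15T01:09:08.940277500Z'
Get-WinEvent -LogName Application -FilterXPath $xpath1

# Query 5.2/5.3: account-created events (4720) for user sam, and how many there are
$xpath2 = New-EventXPath -EventId 4720 -EventData @{ TargetUserName = 'sam' }
$hits = Get-WinEvent -LogName Security -FilterXPath $xpath2
"{0} result(s) for: {1}" -f @($hits).Count, $xpath2

# Query 5.5/5.6: the 4724 event for the same user, with its time and provider
Get-WinEvent -LogName Security -FilterXPath (New-EventXPath -EventId 4724 -EventData @{ TargetUserName = 'sam' }) |
    Select-Object TimeCreated, Id, ProviderName, Message
```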
Task 6: Event IDs
Task 6.1 – Read through this section and complete the tasks outlined.
Question 6.1 – I’m ready to look at some event logs…
Answer 6.1 – Click the Completed button to progress to the next task.
Task 7: Putting theory into practice
Task 7.1 – Read through this section and complete the tasks outlined. All of the answers to the following questions can be found within this section, the machine you are connected to, and online.
Question 7.1 – What event ID is used to detect a PowerShell downgrade attack?
Answer 7.1 – 400
Question 7.2 – What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Answer 7.2 – 12/18/2020 7:50:33 AM
Question 7.3 – A Log clear event was recorded. What is the ‘Event Record ID’?
Answer 7.3 – 27736
Question 7.4 – What is the name of the computer?
Answer 7.4 – PC01.example.corp
Question 7.5 – What is the name of the first variable within the PowerShell command?
Answer 7.5 – $Va5w3n8
Question 7.6 – What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Answer 7.6 – 8/25/2020 10:09:28 PM
Question 7.7 – What is the Execution Process ID?
Answer 7.7 – 6620
Question 7.8 – What is the Group Security ID of the group she enumerated?
Answer 7.8 – S-1-5-32-544
Question 7.9 – What is the event ID?
Answer 7.9 – 4799
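Two of the Task 7 findings turned into reusable Get-WinEvent detections, as an added example that is my own and not part of the room: the PowerShell downgrade check keys on Event ID 400 with an EngineVersion of 2.x, and the log-clear check uses the Security (1102) and System (104) "log cleared" events. Function names are mine.

```powershell
# Added example: Task 7 detections as Get-WinEvent queries (function names are my own).

# 1. PowerShell downgrade: an engine start (ID 400, "Windows PowerShell" log) whose
#    EngineVersion is 2.x. The message body carries "EngineVersion=..." and
#    "HostApplication=..." as Key=Value lines, so they are pulled out with a regex.
function Find-PowerShellDowngrade {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $engine  = [regex]::Match($_.Message, 'EngineVersion=(\S+)').Groups[1].Value
            $hostApp = [regex]::Match($_.Message, 'HostApplication=(.+)').Groups[1].Value
            if ($engine -like '2.*') {
                [pscustomobject]@{
                    TimeCreated     = $_.TimeCreated
                    RecordId        = $_.RecordId
                    Computer        = $_.MachineName
                    EngineVersion   = $engine
                    HostApplication = $hostApp.Trim()
                }
            }
        }
}

# 2. Log clearing: 1102 (Security log cleared) and 104 (System log cleared),
#    both written by the Microsoft-Windows-Eventlog provider. RecordId is the
#    "Event Record ID" asked for in Question 7.3.
function Find-LogClear {
    param([int]$MaxEvents = 50)
    $filters = @(
        @{ LogName = 'Security'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 1102 },
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104  }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, RecordId, MachineName
    }
}

Find-PowerShellDowngrade | Format-Table -AutoSize
Find-LogClear | Format-Table -AutoSize
```

Both functions read the live logs; pass an exported file instead with Get-WinEvent -Path if you are working from a saved .evtx.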
Task 8: Conclusion
Task 8.1 – Read through this section and complete the tasks outlined.
Question 8.1 – Hope you enjoyed this room and learned a thing or two.
Answer 8.1 – Click the Completed button to progress to the next task.
My Conclusion
After completing this room, I obtained a better understanding of how Windows Event Logs work and how to manipulate them using the Event Viewer application, wevtutil.exe, and Get-WinEvent. As stated within the room, this knowledge will be used as a foundation for other technologies such as SIEMs, Sysmon, etc.
Reference: TryHackMe - Windows Event Logs