This is the write up for the Room Windows Event Logs on Tryhackme and it is part of the Tryhackme Cyber Defense Path
Make connection with VPN or use the attack box on Tryhackme site to connect to the Tryhackme lab environment
Tasks Window Event Logs
Task 1
Start the machine attached to this task then read all that is in this task. Use the tool Remina to connect with an RDP session to the Machine.
When asked to accept the certificate press yes
Open event viewer by right click on the start menu button and select event viewer
Naviagte to Microsoft -> Windows -> Powershell and click on operational
Task 2
2.1 What is the Event ID for the first event?
Scroll all the way down
Answer: 40961
2.2 Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?
Scroll all the way down
Answer: whoami
2.3 What is the Task Category for Event ID 4104?
Answer: Execute a Remote Command
2.4 What is the Task Category for Event ID 800?
Answer: Pipeline Execution Details
Task 3
3.1 How many log names are in the machine?
Open poweshell and type in the command
wevtutil.exe el | Measure-Object
Answer: 1071
3.2 What is the definition for the query-events command?
Type in the command
wevtutil.exe qe /?
Answer: Read events from an event log, log file or using structured query.
3.3 Read events from an event log, log file or using structured query.
Answer: /lf:true
3.4 What is the VALUE for /q?
Answer: XPATH query
3.5 What is the log name?
The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text
Type in the following command
wevtutil qe Application /c:3 /rd:true /f:text
Answer: Application
3.6 What is the /rd option for?
Answer: Event read direction
3.7 What is the /c option for?
Answer: Maximum number of events to read
Task 4
Answer the following questions using the online help documentation for Get-WinEvent
4.1 Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?
Type in the following command
Get-WinEvent -ListLog *
Answer: OpenSSH/Admin,OpenSSH/Operational
4.2 Execute the command from Example 7. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?
Type in the following command
Get-WinEvent -ListProvider *Powershell*
Answer: Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager
4.3 Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?
Type in the following command
(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events | Format-Table Id, Description | Measure-Object
Answer: 192
4.4 How do you specify the number of events to display?
Answer: -MaxEvents
4.5 When using the FilterHashtable parameter and filtering by level, what is the value for Informational?
Answer: 4
Task 5
5.1 Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?
Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@Name="SystemTime"]="2020-12-15T01:09:08.940277500Z"'
5.2 Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?
Answer: Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'5.3 Based on the previous query, how many results are returned?
Answer: 2
5.4 based on the output from the question #2, what is Message?
Answer: A user account was created
5.5 Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])
Type in the following command
Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4724'
Answer: 12/17/2020 1:57:14 PM
5.6 What is the Provider Name?
Answer: Microsoft-Windows-Security-Auditing
Task 6
Read all that is in this task and press complete
Task 7
On the desktop, double-click the merge file. This will open it in event viewer
7.1 What event ID is to detect a PowerShell downgrade attack?
I found the answer on this website Lee Holmes | Detecting and Preventing PowerShell Downgrade Attacks
Answer: 400
7.2 What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Filter on eventID 400
Answer: 12/18/2020 7:50:33 AM
7.3 A Log clear event was recorded. What is the ‘Event Record ID’?
The clear log is a task category
Answer: 27736
7.4 What is the name of the computer?
Found in the same place
Answer: PC01.example.corp
7.5 What is the name of the first variable within the PowerShell command?
Filter on source PowerShell and scroll down to the first event
Answer: $Va5w3n8
7.6 What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])
Answer: 8/25/2020 10:09:28 PM
7.7 What is the Execution Process ID?
Found in the XML part of the event
Answer: 6620
7.8 What is the Group Security ID of the group she enumerated?
First, we need to find the even ID. After some google
We filter on EventID 4799
The answer is de SID of the security group administrators
Answer: S-1-5-32-544
7.9 What is the event ID?
We already found the ID, Which indicates there must be an alternate path to find this. Porbably scan for enumerated
Answer: 4799
