Windows Event Logs
Difficulty:
Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.
Elf Introduction
Talk to Dusty Giftwrap
Hi! I'm Dusty Giftwrap!
We think the Snowrog was attracted to the pungent smell from the baking lembanh.
I'm trying to discover which ingredient could be causing such a stench.
I think the answer may be in these suspicious logs.
I'm focusing on Windows Powershell logs. Do you have much experience there?
You can work on this offline or try it in this terminal.
Golly, I'd appreciate it if you could take a look.
Hints and Resources
Hints from Sparkle Redberry after completion of the Wireshark Practice objective
Eric Pursley's Talk
https://youtu.be/5NZeHYPMXAE
Hints from the terminal
grep command
https://linuxcommand.org/lc3_man_pages/grep1.html
Other resources
Eric Pursley, Log Analyzing off the Land | KringleCon 2022
https://www.youtube.com/watch?v=5NZeHYPMXAE&list=PLjLd1hNA7YVy9Xd1pRtE_TKWdzsnkHcqQ&index=2&t=6s
Solution
Open the terminal next to Dusty Giftwrap and answer the questions.
For this objective you can either download the event log from https://storage.googleapis.com/hhc22_player_assets/powershell.evtx to a Windows computer and open it in Event Viewer, or use grep against the text-formatted export of the same log (powershell.evtx.log) that is provided on the terminal.
For the purposes of this investigation, two Windows event IDs from the Microsoft-Windows-PowerShell/Operational log are relevant.
Event 4104 (script block logging) records the text of each script block submitted to the PowerShell engine, i.e. the commands the attacker typed.
Event 4103 (module logging) records pipeline execution details for those commands: which cmdlet was invoked and which parameter values were bound.
Event 4103 is not strictly necessary to answer the questions, but it is helpful during an investigation because the parameter-binding details often expose what a command produced (for example, the directory listing returned after 'ls' is run).
Set up Event Viewer by opening the log file and adding a filter that includes only event IDs 4103 and 4104.
It is also important to remember that the text-formatted export stores records in reverse time order: the first match grep prints is the most recent event, and the last match is the earliest.
Question 1: What month/day/year did the attack take place? For example, 09/05/2021.
For this question both Event Viewer and grep are equally effective.
As we are looking for log entries related to the Lembanh recipe, use the Find action to locate records containing the word 'recipe'.
Search the text file for lines containing the word 'recipe'. The script block text itself carries no timestamp, so include a few lines before each match (-B 3) to pick up the record's date line.
grep -i recipe powershell.evtx.log -B 3 | more
Answer
12/24/2022
Question 2. An attacker got a secret from a file. What was the original file's name?
For this question Event Viewer is far simpler than grep.
Presumably the secret ingredient is labeled as such, so use the Find action to locate records containing the word 'secret'. An event that lists the contents of the recipe file is found at 12/24/2022 03:01:03. Look a few records prior to that one for the remote command that displayed the file.
Using grep for this question is not advisable; the Event Viewer approach above is far simpler.
Answer
Recipe
Question 3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.
Use the Find action to locate records containing the word 'Recipe'. Look through them until we find commands that assign a value to a variable, in this case, $foo. Now that we have the variable name, use Find to locate records that assign this variable (use the string '$foo ='), and locate the last one.
Use the following command to find records including the word 'Recipe'
grep Recipe powershell.evtx.log
This will show that the variable being assigned is $foo. Use the following command to show all records that assign a value to this variable (inside single quotes the shell leaves $foo alone, and grep treats a $ that is not at the end of the pattern as a literal character).
grep '^$foo =' powershell.evtx.log
Remember that this file is in reverse time order.
Answer
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
Question 4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.
The most common ways for PowerShell to write content to a file are the Out-File, Add-Content and Set-Content cmdlets, so search the log for instances where one of these is used with the variable.
Modify the Find action to search just for '$foo' (since we are looking for any use of this variable). Find the last instance where this variable is used with one of the commands to write content to a file.
Use the following grep command to display all uses of the variable $foo, and look for the first record (remember that they are in reverse time order) in the output that uses a PowerShell command to write to a file.
grep '$foo' powershell.evtx.log
Answer
$foo | Add-Content -Path 'Recipe'
Question 5. The attacker ran the previous command against a file multiple times. What is the name of this file?
Use the Find action to search for the following string and make note of each file name written to and the number of times each was written.
$foo | Add-Content -Path
Use the following grep command and examine the output for the file written to the most times.
grep '$foo | Add-Content -Path' powershell.evtx.log
Answer
Recipe.txt
Question 6. Were any files deleted? (Yes/No)
Modify the filter being used to only show event ID 4104, then use the Find action to search for any instance of the following string.
del
Use the following grep command to see whether there are any records where the delete command is used (script block text starts at the beginning of the line in the export, hence the ^ anchor).
grep '^del' powershell.evtx.log
Answer
yes
Question 7. Was the original file (from question 2) deleted? (Yes/No)
The output of the previous question answers this one as well: the file named in the del command is not the original Recipe file.
Answer
no
Question 8. What is the Event ID of the log that shows the actual command line used to delete the file?
If we've been using Event Viewer then we've been using this event ID throughout the objective.
Modify the grep command used to determine if a file was deleted to show the preceding line, one of which will have the event ID.
grep '^del' -B 1 powershell.evtx.log
Answer
4104
Question 9. Is the secret ingredient compromised (Yes/No)?
Refer to the answer to Question 3: the attacker read the recipe and replaced one ingredient, so the original ingredient was both disclosed and tampered with.
Answer
yes
Question 10. What is the secret ingredient?
Refer to the answer to Question 3: the string being replaced is the original secret ingredient.
Answer
honey
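If a Windows machine with PowerShell is available, the whole investigation can also be scripted against the downloaded powershell.evtx with Get-WinEvent, which avoids both Event Viewer's Find dialog and the reverse-order trap of the text export. The script below is an added example, not part of the original write-up: it assumes powershell.evtx is in the current directory, Find-Block is a helper named for this example, and it relies on the 4104 event schema placing the script block text in Properties[2]. The deletion search is broader than the page's 'del' check and also covers the rm and Remove-Item forms.

```powershell
# Added example (not the write-up's own code): answer Questions 1-8 from
# powershell.evtx with Get-WinEvent. Assumes the file is in the current directory.
param([string]$LogPath = '.\powershell.evtx')

# Event 4104 (script block logging) keeps the script text in Properties[2].
# Add 4103 to the Id list if the module-logging records are wanted as well.
# Sorting ascending makes "last" mean the most recent event, unlike the text export.
$blocks = Get-WinEvent -FilterHashtable @{ Path = $LogPath; Id = 4104 } |
    Sort-Object TimeCreated |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Script = $_.Properties[2].Value
        }
    }

# Helper named for this example: script blocks whose text matches a regex, oldest
# first. (?m) lets ^ match at the start of every line, because a single 4104 record
# can hold a multi-line script block. -match is case-insensitive by default.
function Find-Block {
    param([string]$Pattern)
    @($blocks | Where-Object { $_.Script -match "(?m)$Pattern" })
}

# Q1: date of the earliest script block that mentions the recipe
$recipe = Find-Block 'recipe'
$recipe[0].Time.ToString('MM/dd/yyyy')

# Q3: last block that assigns the (altered) file contents to $foo
(Find-Block '^\$foo =')[-1].Script

# Q4 / Q5: last write of $foo to a file, and the file that was written most often
$writes = Find-Block '^\$foo \| (Out-File|Add-Content|Set-Content)'
$writes[-1].Script
$writes.Script |
    ForEach-Object { if ($_ -match "-Path '?([^'\s]+)'?") { $Matches[1] } } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 1 Name, Count

# Q6-Q8: any deletions, with the event ID that recorded the command line
Find-Block '^(del|rm|Remove-Item)\b' | Format-Table Time, Id, Script -AutoSize
```

Run it as .\triage.ps1 -LogPath C:\path\to\powershell.evtx (Get-WinEvent is Windows-only). Filtering on the event ID first and only then searching the script text is the same order of operations the Event Viewer walkthrough uses, but the results come back as objects with their own TimeCreated, so no -B context lines are needed to recover a timestamp.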
Completion
Talk to Dusty Giftwrap to receive hints for the next objective
Say, you did it! Thanks a million!
Now we can mix in the proper ingredients and stop attracting the Snowrog!
I'm all set now! Can you help Fitzy over there wield the exalted Suricata?
It can be a bit mystifying at first, but this Suricata Tome should help you fathom it.
I sure hope you can make it work!