Try Hack Me: Windows Event Logs

All right, what's going on guys, welcome back. Today we're covering Windows Event Logs. So I got through this entire box and then realized it says at the end that this is a precursor to the Sysmon and Sysinternals box that we already covered, so I don't know why they're out of order in the Cyber Defense path, but just a heads up: this is technically supposed to be learned before that, I guess. But anyway, let's get into it. If you guys are enjoying the Cyber Defense path, I would love for you to hit that subscribe button, like the videos, let me know what you think, and let's hop into it. This one is a lot of information, and hopefully we'll close this, because this is for later. Hopefully this box cooperates, because I've had a lot of issues with this one and I've had to get it reset.

All right, so what are event logs? Event logs are literally what they sound like: they are whatever you're going to log on your systems. So you're going to hear the term SIEM a lot. This is right here: SIEMs, security information and management, such as Splunk and Elastic, whatever. SIEMs allow you to do a lot more with logs. They will take logs from all kinds of sources and catalog them and make them much, much easier to search. We're going to show you here how to manually search all this stuff so we can get through this. This is just the regular stuff, so you can see what it's like if you were just to check a regular log on your machine, or what you would check if you have a very small infrastructure.

So let's go ahead and hop into it. There are three things we're going to cover in this: there's Event Viewer, the command line tool, and then PowerShell. All three are good; it just depends on what you prefer. Typically, if you're doing a full-on investigation, you're going to want to use the command line or PowerShell. If you're just doing a quick "hey, this is weird, let me check into it," Event Viewer is great for that. It's all dependent on what you are comfortable with. Don't let someone tell you that because you don't use PowerShell you don't know how to check logs. Event Viewer is a little slower and things like that, but it's not going to stop you. There's not one way to do this, that's my point. A lot of people get hung up on "well, I want to use command line tools." Well, if you're not very good with the command line tool, don't use it, right? I'm not saying don't get better at it; I'm saying until you're good with it, don't start using it for your day-to-day tasks if you're not good with it and it's taking you way, way longer.

Okay, like it says here, for the savvy sysadmins that use the CLI much of their day, Event Viewer can be launched using eventvwr.msc, which is a Microsoft console. We didn't do that; they actually had it on the taskbar for us, so we just clicked it. So this is Event Viewer. Welcome. You'll see here there are different... we're going to cover this, but here are the five categories, and here they actually have where they got it. All right, I don't see it, but you can see here they have, kind of out of order, the event types: Critical, Error, Warning, Information, and Audit Success, and then Failure Audit. It doesn't show it down here, but that will be monitored if you allow it as well.

The way they're covering it is they're saying there are three panes: there's this one right here, the middle one, and then this one. This one covers... I clicked Windows Logs because that's what we're looking at in a Windows box, but you can also have your own applications and services logged in here. So when a developer develops an app, he's going to tell that application what to log and where the logs go, and you can point this to that, or point the application to this, and you can import those logs and start seeing them right here in Applications. Now, you won't even notice this on big-name applications because it's done seamlessly, but if you're developing an application you might find it a little bit harder to get good logs.

We're going to go ahead and hop into the Windows Logs. So under Windows Logs you can see there's Application, Security, Setup, System, and Forwarded Events. The Application log is pretty much what you're going to expect. Yep, so here's Desktop Window Manager, which is what we're looking at. These are your application-type logs: an application starts up, an application shuts down, that type of thing. Security is more your Audit Success, meaning someone logged into the computer, or someone failed, meaning someone tried to log in and it didn't work, those types of things. And then you can see here the next section is Applications and Services Logs, which is right here, and this is where you're starting to get into applications. This is what they're talking about here. Now, they put Windows PowerShell in here, but there is one in Microsoft > Windows, and you see this is all the Microsoft Windows applications. Now you can see how this gets very complex very quick, because every one of these has thousands of entries. So you're probably sitting there thinking, well, how do I go through all of them? Well, we're going to cover how to filter them and things like that, and on top of that, a SIEM... I can't even tell you how good it is to have a SIEM, and Splunk is free, so I don't see why you wouldn't have it if you're trying to figure this out.

All right, so there we go. Now we're in Operational under PowerShell, which is where the first question has us go. You guys can read some of this stuff, but getting around in Event Viewer is pretty simple, pretty easy. The key is messing around with it; you have to go do it, right? So now it's telling us to go in here, right-click on Operational and select Properties. All right, so here's some important stuff. You can see Enable logging; that's important, because by default Windows will have certain things enabled, right? If you don't enable this, it's not going to log anything; it's just going to get rid of any of those logs. So for instance, if a hacker comes in and disables the logging, guess what? It's not logging anymore. So that is an event that you should be logging as well: disabling logging. But then you can see here the size, and then "Overwrite events as needed (oldest events first)," and so on and so forth, and you can archive them. Now this is based on your company's policy, that type of thing, but if you are doing this just for yourself, be careful how much you're logging. Think about it, really... I don't know what I was trying to say there, but basically think about it deeply, because it's a fine line between having too much auditing and not enough. The reason I say that is because if you have too much, you'll never figure out what's going on, because you'll have to go through millions of logs; if it's not enough, you'll miss important events. So that's where you have to have that balance, and that's where a SIEM can help you as well, because you can store it in a huge database and it can pull alerts for you based on behavior.

Okay, so lastly, notice the Clear Log button at the top right. I guess I didn't show that; you can see there's a Clear Log button here. What they're saying is, notice that if you click that, you will clear all the logs, and that's where a hacker will attempt to do that. Now, a hacker's not going to log in (maybe you will, but it's not common) and go to Remote Desktop and do it this way; he's going to do it a different way. But just be cognizant of that, because if you clear the logs, there you go, all the logs are gone.

Okay, so focus your attention here on the middle now, and we're going to look at this. These levels are just different levels of basically importance, if you will, and those are the Information and all that stuff that we covered. So we'll just click on one of them. The first column is Level, which is the event type: Information, Critical, Error. You can read more about those, but it's pretty self-explanatory. Informational is just informational; it might be legit activity or it might be something you need to look into. Critical is a big alert, and then Error is something that clearly errored out, something didn't run correctly. If you ran a PowerShell script that errored out, it would pop in a log that says Error, not Information or Critical, so on and so forth. Okay, so recall from earlier there are five event types. The first one is information. Next is Date and Time: this is when it happened. That's obviously super important, because you need to start building a timeline when an incident happens. Then you have the Source: this is what was causing this, what was running, what did whatever caused this event; that's the source of the event. Then you have the Event ID. Now, it says here they're not unique, and I agree with that, but at the same time they are unique in a sense. For instance, event ID 4103 in PowerShell, this is what it's going to be: executing a pipeline. I understand that in other applications they might have an event ID named 4103, so it's technically not unique, but in PowerShell it is a unique ID, and it's the same in Windows. So keep that in mind: they say it's not unique, and it technically isn't, but you can Google it. Here, I'll show you; we'll just do a quick Google search and we'll say "windows failed login event id." Right there: event ID 4625 will document failed login attempts. So while it's not a unique number, because technically that could be logged in another application as well with the same number, in Windows 4625 means someone failed to log in, meaning someone tried to log in and didn't type the right password or whatever. So keep that in mind that it's not unique, but also it is, and it can help you tremendously to know the event ID.

Okay, now: create custom views and filter logs. So this is where, let's say, 4103 is the event ID. Let's see, do we have any others? There's 4104. So we'll go to Filter, and we can go to Event ID and just say "show us the 4103s," and then boom, now we got rid of all the 4104s; it's just going to show us the 4103s. So filtering is self-explanatory, obviously. Now one thing to keep in mind: you can see here "By log" and "By source" are grayed out. What that means... and we can clear the filters... what that means is you can't mess with those in Filter Current Log. Why? Well, you're in the current log; you clicked Filter Current Log, why would you change the log, right? But what you can do is create custom views, or import them, and you can change pretty much everything, and then there you go, now you can get more specific. What that does is it creates that custom view that you can then hop into anytime and click it, and it'll show you those logs, rather than you sitting here trying to type it all back out or filtering again.

Okay, so for the questions below, use Event Viewer to analyze the Operational log, which we're in. What was the event ID for the first event? All right, first things first, let's clear the logs, make sure we don't have any filters. All right, so what is the event ID for the first event? So we're needing to go all the way down to the very first one, if it'll let me. All right, very first one. Well, that's not it, because that's 4100, and you notice that's not the right date anyway, because we have it filtered by Level, because I did that earlier. So let's filter it by Date and Time. There we go. So now if we go all the way down, because we need it filtered by date and time, you see... well, I might have it backwards. Yep, I had it backwards. Okay, so there's the very first one: 40961.

Now I'll tell you guys, when you get in here the date and time will be filtered the opposite way; the first one will be at the bottom. I just clicked these filters and changed it earlier, basically, and I didn't mean to, so that's why I had to go to the top instead of the bottom. If I click it again, it's now vice versa; you can see now I'd have to go all the way down here to get that same one. So keep that in mind: when you guys open this up it'll be at the bottom.

Now, filter on event 4104. Okay, so now we need to put a filter in for 4104. Boom. Okay, so now what was the second command executed? Okay, so we've got to go all the way to the bottom again, and we can look here, and there's the second one, right? So the first one was the prompt, and the second one was... whoops... whoami. That was the first or the second thing they basically said: whoami. So the second command executed in PowerShell, and this is the second one in the logs; keep that in mind, because it only keeps logs for so long. whoami. So perfect, we know exactly what was run in PowerShell. So now you guys can kind of see everything you do is logged. Unless someone turns them off or deletes them or something, they are logged, and it's going to tell us a lot of information about who did it. So it was whoami that was run, and then you can see here, this is the computer that it was run on, and then here's the user that it was run as, this is the ID and the number for the security user. So keep that in mind: you're pretty much going to get busted if you don't know what you're doing as far as covering your tracks.

All right, so what is the task category for event ID 4104? So we're filtered by 4104, and there's the task category right there, and it's Execute a Remote Command. So "Execute a Remote Command," perfect. All right, so for the questions below, use Event Viewer to analyze the Windows PowerShell log. What is the task category for event ID 800? So all we have to do is go here, change that to 800, because that's the one we want. All right, and it wasn't here, so that's because we need to change this to the Windows PowerShell log, not the one that was created here. We need to go up here, go back there, and here's the Windows PowerShell log. So now if we filter it by 800 we get these, and then it's asking for the task category, and it's Pipeline Execution Details, boom.

All right, enough with Event Viewer for a second, because this is where it starts getting a little bit more complex. Okay, so now we have Command Prompt open, and we're going to use this tool: wevtutil.exe. All right, so if we run it and do this... whoops... that's our help menu. Let me make this bigger. You can see it gives us a little information: if we want to enumerate logs, there we go; if we want to get log lists, so on and so forth. So keep in mind that you can always go back to this help menu; that's something I recommend on pretty much everything. And you guys will see that I do have notes on this one, not on this specific one but on this box, because there's a lot that you have to Google in this box and a lot you have to look up, so to save some time I just kind of wrote stuff down. All right, so here we go, we've got the help command. In this example, enum-publishers, which you can see right here, is ep. Let's get to the bread and butter here. Okay, so you can do this, which is very similar to some of the stuff you've seen on Linux: if you actually do qe, which is right here, query-events, and then do the help command, it gives you more information about query-events. So you can see usage; by default you can, right here, "read events from an event log, log file or using structured query." So what does qe do? It reads events from an event log. Perfect, we figured it out. Okay, now you have enough information to use this tool, time to answer some questions.

Now, this is one problem I have with this box: it's very convoluted and not very clear on a lot of stuff. Like it says here, you can get more information about using this tool at docs.microsoft.com, okay, but it doesn't tell you that you have to look outside the tool currently, and you'll see what I mean. But yeah, you're going to have to basically look outside the tool. So what we're going to do... now if you look here at the hint, it'll say "use PowerShell, pipe the el command to the Measure-Object cmdlet." So that's what I'm saying, you need to do this: it's saying use PowerShell right off the bat, and that's not something they told you right off the bat, so that's kind of frustrating. So what we'll do is hop into PowerShell, and we'll use the same tool. Oh cool, it did actually keep all my stuff from earlier, so I don't have to retype all this, perfect. So here we go: are we using el? Yep. So you can see we're going to use the utility, then we're going to use el, which if you look up here is enumerate logs, and then we're piping it. If you guys don't know what the pipe does, it takes whatever the result of the first command is and feeds it into the next, and we're going to Measure-Object. Now I'll show you why. First we'll hit it, if it loads; this box has been doing this to me all day, so hopefully it bears with me here. Okay, come on... there we go. So you see the count is 1071. How many log names are in the machine? 1071.

So now if you do this without the pipe, without saying measure it, you get 1071 results, so you can see why the pipe is kind of important here. Okay, now what is the definition for the query-events command? What does that mean? It means if we do query-events, which is qe, and then the help command, we need the definition: "Read events from an event log, log file or using structured query." So it wants that exact definition; that's not that hard. Okay, now what option would you use to provide a path to a log file? Well, you can see right here, here's the actual option, and that's what they're looking for: they're looking for the forward slash, lf, and then the colon, true. Now this is kind of confusing the way they wrote this, so I'm going to explain it a little bit. What they're saying is you can use lf or you can use the actual full word, logfile, and then a colon, and then you can put true or false. That's what they're saying. I know it's confusing, I know it looks weird, but that's what they're saying: /lf:true. Okay, so now what is the value for /q? And right here, /q or /query, and the value is an XPath query. So it's "what is the value?" XPath query, and we're going to cover XPath queries here shortly.

Now, the questions below are based on this command, so I guess we run this command: wevtutil qe Application. So when you're typing Application like this, remember there's Application, Security, all those logs; that's what it's doing, it's going to query the Application log, and then the /c is saying... I think it walks you through it here. Let's type this out, run it, and then we'll walk through what happened. Okay, so you can see we get some results here, pretty easy, pretty normal, but it's asking us some questions. First it's asking us what is the log name. Well, we typed it out; it was Application, that's the name of the log, and it says right here "Log Name: Application," so that's literally what we're typing out. Now, if you remember, the /c is the maximum amount, so count, /c:3, so only show us three logs, basically. And then /rd:true, that's saying we want the most recent first, so that's just basically formatting how we get it, and then /f:text is just the format that we want it in, and we want it in text. So you can see here we're getting them in order and we're getting text. Okay, so now what is the /rd option? Event read direction: how we're getting them, we want it read to us in the correct direction, if you will, or the correct timeline. And then /c: maximum number of events to read. Now if you have questions on how to get these exact answers, if you remember, up here on the help menu: /c, maximum number of events to read, and /rd, event read direction. There you go. And you can see it said if true for /rd then the most recent will come first, which is why we put true.

Okay, so now we're hopping into PowerShell commands, which I think... PowerShell is a little bit better than this tool, but this tool allows you to do some pretty good stuff when you're starting to do the XML stuff. So let's get into Windows event logs, let's do it. All right, so here's the format for it: Get-WinEvent -LogName Application | Where-Object... this drives me nuts... Where-Object equals blah blah. Now what they're saying here is this has been replaced. So if you've never used this, perfect, don't ever use it, just forget about it; use FilterHashtable. So you can see here, I thought that'd be bigger, it says Get-WinEvent and then -FilterHashtable, and then you can build a table: an at sign, and then put it in a bracket, and then LogName equals Application, ProviderName equals WLMS. You can put as much information there as you want and close it with a bracket, and boom, you run it and you get that filter. So it's very similar to looking at Event Viewer; you're going to get the filter. This crashed on me again. All right, so basically, let's see if we can open that viewer here. So if we look at Details here in Event Viewer, you're going to see all these details; we can start filtering for all that stuff if we want to. So keep in mind what we're doing here, if we wanted to.

Okay, so you don't need to use a semicolon if you separate each key-value with a new line. So if you write a script that will run and give you every log that you want for something, keep that script, and then you can just keep doing that. Okay, so when building a query with hash tables, it gives you here some of the stuff you can filter for, or look for: LogName, ProviderName, Path, Keywords, ID, Level, StartTime, blah blah blah, you get it. You can get very specific with the filtering. Now, the reason I'm skimming through a lot of this is because, number one, it's a lot of information, and number two, this isn't going to help you just to read this. You have to actually use this; you have to go through and make an event happen, go run some PowerShell scripts, wait two or three days, then go try and find where you did it, how you did it, and follow that path. Right now you could do it just right after, but it's not going to be hard to find if you do it right after, because it's going to be the first thing that pops up.

Okay, so here we go: based on this information, the hash table looks as follows. So if you're trying to filter for this log, you look at the log name. So Get-WinEvent -FilterHashtable, LogName Application, ProviderName, or source, MsiInstaller, and then ID 11707. So you see how right here you can just filter on that specific information; take the information here, filter it, and then you'll get that log that you're looking for. Okay, so here's a command that you might find useful, boom, and you can see it's just giving you examples. Now I will say you're going to need to look at some of the Microsoft documentation on this. That's again why I don't really like this box, because I don't like boxes that tell you "go over here to do this, go over here to do this, go over here to do this." I can Google that and find that for myself, right? So if you're an educational box, if you're teaching me something, teach it to me; don't say "go check this out" to teach it, because then you're not teaching me, you're telling me to do my own research, and I could have done that at the beginning. So just keep that in mind.

Okay, so answer the following using the online help documentation. Now, it's important that you use this online documentation, and I'll show you why. For some of you... do I have to... maybe I don't have it... I think I do, actually. Okay, for some of you, including myself, you may have done what I did, which is not go to this, which is the documentation that you need, the online one, and then I'm sitting here going "where is example one? There was no example one, I'm looking for it, I can't find it." Well, ta-da: if you go down here to the Microsoft documentation, here is example one. Now, the reason that's important is because I'm going to be referencing this; I'm not going to pull it over every single time, because we're going to type the commands out, but I'm going to show you. So what it's saying is execute the command as is to see what you get. Okay, so now we're going to say Get-WinEvent, and you can tab out some things in PowerShell. The reason I say some things: you can technically tab out everything, but it will keep cycling through all the options, so sometimes you have to kind of spell it out for it. All right, so this is the first example that it's given us. You can see we get a ton of results, but at the bottom is OpenSSH/Admin and OpenSSH/Operational, which is right here. Now, what was the command? Get-WinEvent -ListLog *. So what was it? It was listing all the logs for us on the Windows events. So that's why there are so many of them.

All right, now execute the command from example eight. So let's go down to example eight. Okay, so this one is Get-Win... so you're going to see this is what happens if you tab it, and you have to scroll through them until you get to WinEvent. I'm not going to do that; I'll just go WinEvent. Okay, and then -ListProvider, and then here they have in the example "Policy," but it's telling us instead of Policy to search for PowerShell. So the provider... now we're only looking at PowerShell as the provider, or the application that's providing the logs. What was the name of the third log provider? So if we hit this, what's the name of the third log provider? Well, let's look. We've got one, PowerShell; two, Windows PowerShell; and then three, Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager. Okay, so that's what they want. Now what does that mean? It means when you're looking at providers for logs, anything with PowerShell in the name, here are the three that come up. So those three are providing logs to your log... whatever you're using, whether it's a SIEM or a log aggregator or whatever you're using to collect your logs, these three are providers of that.

Now execute the command from example nine. Okay, so this one's a little bit bigger. Let's see, does it give us any... "use Microsoft-Windows-PowerShell as a log provider." Okay, so I'm going to type this out exactly as is, and then we can go back and fix it. So Get-WinEvent -ListProvider, and here's where it's telling us to change the provider to Microsoft-Windows-PowerShell, so that's who we're going to use as the provider, and then from there .Events, and then we're going to pipe this into Format-Table. So all this is going to do is give us a nice table, how it looks, with just the Id and Description. Okay, and you can see we get a bunch of stuff, boom boom. Now how many events are displayed? Now if you remember, we need to do the same thing, but this time we're going to pipe it again. So if you remember we had to pipe it; we did this once before, we're going to go ahead and pipe it again into the... geez... MaxEvents, I can't talk today. MaxEvents... okay, what did I do? Okay, gotcha. All right, so you can see right here that's why it did not work, because I didn't pipe it correctly. So we're going to say Measure... I looked at the next step instead of the one I was on, that's why. Measure-Object, okay, and you can see Measure-Object, we piped it earlier that way, that's what we needed to get the count, which is 192. I was looking at the next step and I skipped ahead, so if you're confused at all, I just typed in the wrong thing because I was looking at the next step. But if you remember, we did that at the beginning, on task two maybe, to get the exact same result; we just piped it twice this time. So what we did is we ran this command, Get-WinEvent -ListProvider Microsoft-Windows-PowerShell, so we're asking for any of the providers with Microsoft-Windows-PowerShell, and then we're saying format it so that we just get the table of Id and Description, and then we're saying feed all that into Measure-Object to give us... we'll have 192 results.

Now how do you specify the number of events to display? Now you can look at the help menus, you can look at the documentation. Let's pull it up and see on the documentation. I don't see it right off the bat, but basically it's in the documentation; I mean, they have an entire dedicated website to PowerShell, basically. But that's going to be what you're looking for: -MaxEvents. That's going to give you the maximum number of events to display, and that would be the syntax that you would use. So if we pipe that into, or if we use that here, we would say -MaxEvents, and let's say we wanted two, we'll only get two.

Okay, when using the FilterHashtable parameter and filtering by level, what is the value for Informational? And I'll show you what that means, because that might not make sense to everybody. So you just go on here, this is the same documentation, but this is just Windows documentation now. So let's just go to FilterHashtable, and this is because I'm going to look at the FilterHashtable command, and we're going to take a look and say, here we go, "Creating Get-WinEvent queries with FilterHashtable," and it's saying when using the FilterHashtable parameter, filtering by level, what is the value of Informational. So what does that mean? We're filtering by level. So let's scroll down, look, so here we go, there's... you can filter by level. Okay, now what level is Informational? That's what they're saying. And if we scroll down, here we go, filtering by level, right here, so we're exactly on it. Filtering by level, here's Informational, right? Okay, it's not there, so scroll down a little further. Informational: the value is 4. So instead of saying filter by Informational, you can say filter by 4, right, and then you'll get it.

All right, so now here's the bad part, everybody: that was the easy stuff, right? So if this is going way over your head, just get in here and start messing with Windows events. Unless you're doing a lot of Windows event log looking, unless you're familiar with SIEMs and stuff like that, you're probably going to be a little bit confused, and that's okay. The biggest thing is to start diving in and using this to find events; the reason this whole thing exists is to find events. Now, most enterprise systems don't use things like this; they're going to actually go in and use SIEMs. But keep in mind, if you're doing an investigation or something and you have a very small, you know, you've got it narrowed down, you will use stuff like this, so it's important to know it.

Okay, so now we're going to examine filtering events using XPath. Now XPath... whoops, there we go... this is the XML view, and we're going to basically be using this to get our path, and you'll see what I mean here. Okay, so when we're using XPath, we're going to say Get-WinEvent -LogName Application -FilterXPath. Okay, now this is how it looks: -FilterXPath, and the star starts it. Now, a star starts the path, but you have to fill in the path. So here's how; it's pretty easy to figure out, it's actually not complex if you break it down. So let's say we're looking at, excuse me, this right here, this whole log. You go to XML View. Well, we're at the Event; we've already got that, because that's what the star indicates, the Event, so we're good there. Now, System. Okay, so now we need to, just like a regular directory, put in forward slash System. Okay, so now we're into System. Now let's say we wanted to do Task; well then we do forward slash Task as our next one, and then you would say equals eight. So now, perfect example, here we go: so here's our -FilterXPath, System, and they went straight to the EventID. So then they went to EventID, and EventID equals 100, and you can see that's the command. So they're going down the tree just like you would in any other directory. All right, and then you can see here you can do this with the same tools that we used previously. All right, it still let me in. And then you can see it gets a little more complicated if you go to this one: you get Get-WinEvent -LogName Application -FilterXPath, blah blah, that's always going to be the same, and then the star, and then System, Provider, and then this at symbol for the Name. You're going to basically have to put that in front of anything that you're going to be putting in brackets like that. A lot of this is just playing with the syntax; if you get the concept, you're fine, you can figure out the syntax if you get the concept. The big thing is knowing what to look for. Now if you're looking for a Data Name rather than System, just like you'd think, you change System to EventData to hop into this tree, and then Data, and then @Name equals, and then there's TargetUserName, and then there's the System. So TargetUserName equals System, okay, and we're going to cover this.

All right, so now one thing I'll tell you here: I made the mistake of thinking this command... I sat here and ran it on the box over and over, I'm like, I'm not messing this command up, what's it doing? This command, they just ask you for it; they don't want it... it doesn't do anything on the box, you get no results. Okay, so using Get-WinEvent and XPath, what was the query to find WLMS events with the system time? So you can kind of piece together what they've already done to get this for you. So Get-WinEvent -LogName Application -FilterXPath, that's going to always be there, right? So we can just go ahead and take that, copy it, boom, we've got that. Now we're going to put in quotes to start, and then a star to say Event, right? So now we're in the System, forward slash System. Okay, and we're trying to... keep in mind, if you remember, it says here we're trying to find WLMS events. Okay, so if you look up here, they already have it here, WLMS events, so we can just take this, right? We don't have to overcomplicate this, we don't have to try and reinvent the wheel, they've already done this for us. So take this, put that as your first one. Oops. All right, so System, Provider, @Name='WLMS'. We did that. Now we need to add another parameter, so we say "and," and then right there again we have to start with an asterisk, and System again, we're going down the System tree: System. Okay, and then we're looking for time, so System, TimeCreated. So now we go to TimeCreated, and then because this has... it has a space that we need to throw in there... SystemTime: we say @SystemTime equals, and then they give us the time here, and those go in quotes, and then you end the brackets... or you end the quotes, I'm sorry, then end the brackets and then close the whole thing. And then when you run that, boom, you're in business; that's what you're going to run. Now, that's just what they want; they're not going to... that one didn't run, or when it ran it didn't do anything on my box, so keep that in mind.

This one will. So this one: using Get-WinEvent and XPath, what was the query to find a user named Sam? Now this one, hopefully I haven't saved it, because I'll go back, because we need to run it again. Okay, so this is it right here, I think. Yeah, okay, so we'll break this down here. So we have Get-WinEvent -LogName Security. So here's a big key to this one that you might miss: you notice we changed the log name from Application to Security, because we're looking at logon events now; that's a Security log, not an Application log. Okay, then you have -FilterPath... -FilterXPath, excuse me... which you're always going to have, and then here we go. So we go straight into it; we're going into the command. Now keep in mind, if we look at the screenshot here, we're going into EventData; we're not going into System, we're going into EventData. So we go into EventData, and then we say okay, and then we know Data is the next one, because right here's Data, and then you notice anytime there's a space in there you're throwing in this bracket, and then @, and then the next word. So @Name, and the Name is TargetUserName, so that's where we're getting the target username, and then equals Sam, because they're telling us we need to figure out Sam. And then we need to figure out the event ID, so then we say "and," and then we go back, and now we're not in Data anymore, we're in System, so now we go into System and EventID equals 4720. So let's hit enter on that. Come on, I hate this box, it just does not want to cooperate. There we go. Okay, and it says based on the previous query, how many results are returned? And we've got two here, so perfect. So now, based on the output from question two, what is the message? And the message is right here: "A user account was created." Perfect, so there's your message, "A user account was created." Now, still working with Sam, what time was event ID 4724 created? Now we can go right back and run... all right, and this is the same thing: we're saying Sam, and we're saying System, and we're doing the event ID, but we just changed the event ID. So we did the exact same command as before, we changed the event ID to 4724, not 4720, we hit enter, and boom, you can see we don't really need to
do anything else because it tells us right there that's the time it was created so there you put the time in boom now what is the provider name and the provider name right here microsoft windows security auditing so there you go you know that microsoft windows security auditing provided this log and this log happened at this time and so on so forth so hopefully that makes sense to you guys i know that the you know xpath is a little bit harder but it pays off in the end if you really want to look specifically for things okay so now event ids okay here we are again talking about how event ids aren't unique but you can search with you event ids so keep that in mind that while they're not unique they kind of are okay so what they're telling you here is you can use um a couple of these resources logging cheat sheets um event id cheat sheets you could find all kinds of pre uh made queries for powershell and things to find specific logs all that stuff um you can use mitered tack we've used the miter room so you can go onto my video for that one you can do all kinds of stuff to get cheat sheets basically what they're saying they're saying don't reinvent the wheel don't memorize all this crap and i'm not saying don't memorize some of it because you should understand how to get around here you should be able to if someone says hey at 12 40 yesterday someone was trying to log into my account and i need to find that log you should be able to go find that now it might take you an hour it might take you five minutes depends on your experience but you should be able to go find that that's the key to this box okay now detection collect events that correlate with changes to accounts objection blah blah so what they're telling us here what they start talking about here is they start telling us that basically you can have it set up to where your windows firewall will record things as well um like firewall changes acl changes all that stuff but the thing is not a lot of enterprise 
systems might have windows firewall turned on for certain things but they're not going to um usually use windows firewall as their firewall now here's another thing to keep in mind these what is being logged on your machine is usually set by group policy that you cannot control if you're if it's for work or something like that so keep that in mind in an enterprise environment what is being logged is not being logged the same way that you saw it before which is where we go and select that little box and say log this don't log this whatever it is being logged at a higher level group policy every time you log in that group policy gets updated so keep that in mind okay so you can see here they're showing you how to turn logs on versus off and that's why i say group policy is going to usually do this but you can do it through um different things i'm not going to walk through a lot of this because you can go through this they're just showing you that if you ran that there you go there's the process all that stuff okay so now we're ready to look at some event logs so let's go ahead and put theory into practice um the reason i didn't cover all that is because this is already a long video i'm trying not to make this any longer than we need to and let's go all right so what event id is to detect a powershell downgrade attack so again this is where we come back to we're going to need to do a lot of googling okay and it's not even a lot of googling it's just pretty easy so what event id is powershell downgrade attack and keep in mind this is real life when i say this in real life if this specific thing happened to me i would go google what is the power or what id is the powershell downgrade attack i would not just have that memorized in my head okay now you can see here i type it in first thing pops up is id 400 what's the answer id 400 perfect so now we open up event manager now this one it's i believe we're using yeah so this one we're going to be using this we're going to 
be using this file which is a saved um log that happened i guess or they they recreated whatever so they give you scenarios here right so the powershell downgrade attack happened boom boom boom and here you go what are you going to do all right so we found the event id is 400 so now we can go ahead and filter this and we can say show us all okay what's the date and time that this attack took place now you can see right here boom that's when it took place now there's a couple ways you can tell it took place you may have to know a little bit more but you can see here here their regular commands are running and this is where they're embedding and then here there you go you can see that it's now giving you and if you look at it you can actually break this down it's now it's kind of hidden if you will right so this is where the downgrade happened so that's where and it's the first thing first log they give you so you can pretty much guess that um okay let's keep going a log clear event was recorded what is the event record id okay so what do you do quick google search will tell us that right here let's find it to do a log clear event was recorded so now what do we need to do we need to find the event id so let's go ahead and start looking do to do and if you google you find that event id 104 is log clear now there's keep in mind there's multiple logs that you can clear so you may have to try a couple different ones because 1102 is also one but if you type 104 there's only one that's easy so now it's saying what is the event record id this is where you got to go in the xml view or you can go in the general view and details however you want to do it doesn't matter you're just looking for as much information as you can this doesn't give me much here but the xml will now we're looking for event record id event record id 27736 boom what is the name of the computer right there computer pc01.example.corp so that's important because most people most people when they get a new 
computer or create a new login or whatever on a computer when you very first turn on your windows machine for the first time ever it asks you what do you want to name your computer and you might say john's computer tim's computer so on so forth right that's a key because look what happens when you do anything it gives me the name of that computer so even if you try to hide your tracks and let's say you hide your ip all that stuff but you forget that your computer is named you're gonna get busted so keep that stuff in mind um now that's that's not a common one but it's a commonly overlooked one we'll say that okay so now are we still in example one i don't even know so questions three and okay guys welcome back the system has crashed like three times we finally got it working let's hope that this stays okay so first things first we're on this question here what's the name of the first variable now make sure you're paying attention to what questions or what scenarios because otherwise you're gonna be confused so they advise searching for event id 4104 and the text script block text okay so what's that tell us it tells us that we got to go ahead and filter to 4104 hit okay boom and then it says here find the encoded powershell payload and then find what's the name of the first variable so we know that it's an attack right so we're going to go all the way down to the bottom to when it first happened because these are all the power shell this is probably what is going on in the in the attack so we go to the first one and boom there's your first pay our powershell variable because we know that all powershell variables start with a money sign so there you go now you can see it's obviously you're obviously not going to be able to read through this but you might be able to decode it figure out what's going on now was the date time to the attack took place that's pretty easy 8 25 2020 10 09 28 pm pretty simple and then was the execution process id so if we go over to xml and 
we go to execution process id 6620 perfect so that's the process id of what was executed and then was the group security id of the group she enumerated okay so this is a different one eight nine a report came in that an intern was suspected of running unusual commands on a machine such as numerating members of the admin group a senior analyst suggested searching for windows system32net1.exe to confirm the suspicion okay so we're on a totally different scenario now keep that in mind okay so now what we're going to do is we're going to go back and we're going to google search okay and we're going to find basically what we need to find so let's go ahead and google okay and [Music] okay so now we're going to look for uh basically what affects a group that's what we're going to look for and i think i actually had that this saved so what event id is all right oh crap i can't there we go okay so what event id is activity affecting a group okay and it looks like okay nope what we want to do pay more attention to the question zack you idiot all right so what we're going to do is enumerating members so we're going to say what event id is used for enumerating groups okay and there we go we get event id 4798 okay and then if you look through that and you actually go through four seven nine nine is also um one of the event id so four seven nine eight four seven nine nine well just to cut save some time because this video is very long it's four seven nine nine but you can search for both and get them um now so then we're going to go through and we're going to obviously view the one that's at the same time frame right or the earliest one i'll say because all these attacks i think happen around the same time um and you can see if we go to details and we can stay here on xml view or we can you can see here the target sid is s15 target security id pretty simple um there we go let's see then it's asking us what is the event id 4799 now like i said if you just google enumerating users 
groups four seven nine eight four four seven nine nine will come up all right and that's it guys that's it now this is where i realize it's supposed to be for windows internal sysmon and various seam tools it's supposed to be before that but we already covered some of the seam tools so make sure you realize that all of these logs because there's millions of them getting generated are being pushed into a seam where you can do quick queries and log 1000 computers at once rather than trying to go to each one and look through their event viewer so hopefully that makes sense to you guys hopefully you guys enjoyed it um it was a little bit messed up because the box kept crashing on me as i was trying to do tasks and it was driving me nuts so i was getting thrown off um so hopefully you guys understood everything this is a very complex um box if you will because it has you reaching out to other sites it has you doing all it's just very convoluted i didn't like the way they did it but hopefully you guys enjoyed it hopefully it helped some of you guys and hopefully it's the longest one on the on the cyber defense path thanks guys and i hope every one of you has a good day and hopefully you guys have better luck with this box that i did
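The Get-WinEvent queries walked through above (FilterHashtable by level, FilterXPath down the System and EventData subtrees, and the event-ID hunts against a saved .evtx file), collected into one PowerShell script as an added example. This is not code from the video or from the TryHackMe room: the account name 'Sam', the WLMS timestamp, and the .evtx path are placeholders, and the downgrade check goes one step past the video by also matching EngineVersion=2.0 in the ID 400 message, since every engine start writes a 400.

```powershell
# Added example, not code from the video or the TryHackMe room.
# Placeholders (hypothetical, adjust for your host): the account 'Sam',
# the WLMS SystemTime, and the path to the saved .evtx file.

# FilterHashtable: Level 4 is Informational
# (1=Critical, 2=Error, 3=Warning, 4=Informational, 5=Verbose).
function Get-InformationalEvents {
    param([string]$LogName = 'Application', [int]$MaxEvents = 20)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Level = 4 } -MaxEvents $MaxEvents
}

# FilterXPath walks the event's XML tree: '*' is the <Event> root, /System and
# /EventData are its children, and attributes (Name, SystemTime) use '@'.
# Two predicates are joined with 'and', each starting again from '*'.
function Get-WlmsEventsAt {
    # Placeholder timestamp; must be the exact UTC string stored in the XML.
    param([string]$SystemTime = '2020-01-01T00:00:00.000000000Z')
    $xpath = "*[System/Provider[@Name='WLMS']] and *[System/TimeCreated[@SystemTime='$SystemTime']]"
    Get-WinEvent -LogName Application -FilterXPath $xpath
}

# Security log: account-management events for one user. 4720 = account created,
# 4724 = password reset attempt. TargetUserName lives under EventData, the
# EventID under System, so the two predicates address different subtrees.
function Get-AccountEventsForUser {
    param([string]$TargetUserName = 'Sam', [int]$EventId = 4720)
    $xpath = "*[EventData[Data[@Name='TargetUserName']='$TargetUserName']] and *[System[EventID=$EventId]]"
    Get-WinEvent -LogName Security -FilterXPath $xpath |
        Select-Object TimeCreated, Id, ProviderName, Message
}

# Saved .evtx files: use Path in the hashtable instead of LogName.
# ID 400 is written on every PowerShell engine start; a downgrade attack is the
# subset whose message carries EngineVersion=2.0.
function Find-PowerShellDowngrade {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 400 } |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        Select-Object TimeCreated, RecordId, MachineName
}

# Log clears: 104 (System log cleared) and 1102 (Security audit log cleared).
# RecordId is the EventRecordID from the XML view; MachineName is <Computer>.
function Get-LogClearEvents {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = @(104, 1102) } |
        Select-Object TimeCreated, Id, RecordId, MachineName
}

# Read a named EventData field from the record's XML (the same document Event
# Viewer shows in its XML view) instead of regexing the rendered Message.
function Get-EventDataField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4104 script block logging: the earliest block in the file and its first $variable.
function Get-FirstScriptBlockVariable {
    param([Parameter(Mandatory)][string]$Path)
    $first = Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4104 } |
        Sort-Object TimeCreated | Select-Object -First 1
    if (-not $first) { return $null }
    $text = Get-EventDataField -Record $first -Name 'ScriptBlockText'
    [pscustomobject]@{
        TimeCreated   = $first.TimeCreated
        ProcessId     = $first.ProcessId   # the <Execution ProcessID> attribute
        FirstVariable = [regex]::Match($text, '\$\w+').Value
    }
}

# 4798 (user's local group membership enumerated) and 4799 (security-enabled
# local group membership enumerated). TargetSid is the SID of the enumerated
# user or group; CallerProcessName shows the binary that did the enumerating.
function Get-GroupEnumerationEvents {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = @(4798, 4799) } | ForEach-Object {
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Id          = $_.Id
            TargetSid   = Get-EventDataField -Record $_ -Name 'TargetSid'
            Caller      = Get-EventDataField -Record $_ -Name 'CallerProcessName'
        }
    }
}
```

Dot-source the file and call, for example, Get-GroupEnumerationEvents -Path 'C:\evtx\merged.evtx' (a placeholder path); sorting its output by TimeCreated and filtering Caller on net1.exe reproduces the intern scenario from the video. Note that FilterXPath and FilterHashtable cannot be combined on one Get-WinEvent call, which is why the functions above use one or the other.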
Info
Channel: stuffy24
Views: 6,066
Keywords: hacking, tryhackme tutorial, tryhackme cyber defense, cyber security, cyber defense, cyber defense course, cyber defense vs cyber security, cyber defense operations air force, event viewer, event viewer troubleshooting, event viewer windows 10, tryhackme windows event logs, tryhackme windows event logs walkthrough, windows event logs, windows event logs tryhackme, windows event logs location, windows event logs location windows 10, windows logs, windows logs explained
Id: 6GdX55-Gxpo
Length: 55min 5sec (3305 seconds)
Published: Wed Jun 29 2022