Windows Event Logs Tryhackme Walkthrough

Introduction to Windows Event Logs and the tools to query them.

Cyber Rey
6 min read · Nov 26, 2023

This write-up covers the Windows Event Logs Room on TryHackMe.
Learning Path(s): SOC Level 1, Cyber Defense
Module: Endpoint Security Monitoring, Security Operations & Monitoring
Skill: SIEM Tools

Setting up

  1. Connect to the TryHackMe VM: start the machine from the room, or connect to THM's network via OpenVPN.
  2. Use xfreerdp to open an RDP session to the machine: xfreerdp /v:MACHINE-IP /u:administrator /p:blueT3aming! /dynamic-resolution
  3. The entire room was worked through in PowerShell ISE on the target machine.

Task 1. What are Event Logs?

Event logs record events taking place in the execution of a system to provide an audit trail that can be used to understand the activity of the system and to diagnose problems.

  • Event logs can be used for security purposes to provide a record of unauthorized access attempts or suspicious activity.
  • Analyzing event logs can help identify patterns and trends, which can be used to improve system performance and security.

Task 2. Event Viewer

Event Viewer is a tool in Windows that displays detailed information about significant events on your computer.

  • It allows users to view events from different sources and categories, such as Application, Security, and System.
  • It can be used to view and manage event logs, gather information about hardware and software problems, and monitor Windows security events.
  • It can also be used to view and manage event logs on remote computers.

Task 3: wevtutil.exe

wevtutil.exe is a command-line utility in Windows used to manage event logs.

  • wevtutil.exe is primarily used by system administrators and advanced users who need to manage event logs on a Windows system.
  • It can be used to query, export, and archive event logs, as well as create and delete event log files.
  • The utility supports various parameters that allow users to perform specific tasks, such as filtering events based on specific criteria or exporting events to a file in a specific format.

Task 4: Get-WinEvent

Get-WinEvent is a PowerShell cmdlet used to retrieve event log data from a Windows system.

  • It can be used to retrieve events from different event logs, such as Application, Security, and System, and from saved .evtx/.etl files via -Path.
  • Users can filter events based on various criteria, such as event ID, date range, and provider, using -FilterHashtable or -FilterXPath (server-side) or Where-Object (client-side, slower on large logs).
  • The event objects it returns can be piped to Export-Csv or Export-Clixml to export event log data to CSV or XML.
  • This cmdlet is primarily used by system administrators and advanced users who need to retrieve and analyze event log data on a Windows system.

Task 5: XPath Queries

XPath queries are used to retrieve data from XML documents. They are used to navigate through the structure of an XML document and select specific elements or attributes based on various criteria.

  • XPath queries are commonly used in web development, data analysis, and other applications that deal with XML data.
  • The syntax of XPath queries consists of a path expression that describes the location of the desired elements or attributes within an XML document.
  • XPath queries can be used with various programming languages and tools, such as Python, Java, and XSLT.
  • Every Windows event is stored as XML (visible in Event Viewer under Details > XML View), and Get-WinEvent -FilterXPath and wevtutil /q accept a subset of XPath 1.0 evaluated against that XML, with paths written relative to the Event element (for example */System/EventID).

Task 6 & 7: Event IDs

An Event ID identifies a particular type of event for a given provider, for example 4624 (successful logon) or 4720 (user account created) in the Security log. It is unique within a provider, not across Windows as a whole: the same number can mean something different under another provider, so filter on provider (or log) together with the ID.

It can be used to filter and search for specific events in the log.

Room Questions and Walkthrough

Note: Due to Medium’s formatting, some elements are dropped. Please visit our Notion page for the full tutorial.

Task 2

For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log.

What is the Event ID for the earliest recorded event?

(Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Select-Object -Last 1).Id

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object {$_.Id -eq 4104} | Select-Object -Last 2 | Select-Object Message | Format-List

Get-WinEvent returns the newest event first, so -Last 2 yields the two oldest 4104 events, still printed newest first: the first Message shown is the 2nd command and the second is the 1st. Scroll down the output if the script block text is long.

What is the Task Category for Event ID 4104?

(Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational | Where-Object {$_.Id -eq 4104} | Select-Object -Last 1).TaskDisplayName

Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?

(Get-WinEvent -LogName "Windows PowerShell" | Where-Object {$_.Id -eq 800} | Select-Object -Last 1).TaskDisplayName

Task 3

How many log names are on the machine?

(wevtutil el).Count or wevtutil.exe el | Measure-Object (el is short for enum-logs; run either from PowerShell so the output is counted)

What event files would be read when using the query-events command?

wevtutil query-events /? or wevtutil.exe qe /?, then scroll through the help output to find the answers to the remaining questions in this task.

What option would you use to provide a path to a log file?
What is the VALUE for /q?
What is the log name?

wevtutil qe Application /c:3 /rd:true /f:text
What is the /rd option for?

What is the /c option for?

Task 4
Answer the following questions using the online help documentation for Get-WinEvent.

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

Get-WinEvent -ListLog * | Where-Object LogName -like "*ssh*" | Select-Object LogName

Execute the command from Example 8. Instead of the string Policy search for PowerShell. What is the name of the 3rd log provider?

(Get-WinEvent -ListProvider *PowerShell*).Name[2]

The wildcards matter: -ListProvider PowerShell without them only matches a provider named exactly PowerShell.

Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

(Get-WinEvent -ListProvider Microsoft-Windows-PowerShell).Events.Count

Count the Events collection itself; counting the output of Format-Table gives the number of formatting objects, not the number of events.

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

Check Microsoft's documentation and we see: Informational = 4 (the full mapping is Critical = 1, Error = 2, Warning = 3, Informational = 4, Verbose = 5).

Task 5
Using the knowledge gained on Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?

Based on the previous query, how many results are returned?

Based on the output from question #2, what is the Message?

Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720' | Select-Object Message | Format-List

Both path segments start with */ because the expression is evaluated relative to the Event element; Data[@Name="TargetUserName"] selects the named EventData field rather than matching anywhere in the message text.

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

(Get-WinEvent -LogName Security | Where-Object {($_.Id -eq 4724) -and ($_.Message -like "*Sam*")}).TimeCreated

-like needs the wildcards; "Sam" on its own only matches a message that is exactly the string Sam.

What is the Provider Name?

$Evt = Get-WinEvent -LogName Security | Where-Object {($_.Id -eq 4724) -and ($_.Message -like "*Sam*")} | Select-Object -Last 1
$Evt.ProviderName

($Evt is used instead of $Event because $Event is a PowerShell automatic variable.)
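The following is an added example, not code from the room or from this write-up: the Task 5 filters written out as complete Get-WinEvent calls, using XPath for every question, including the 4724 lookup that the answer above does with Where-Object on Message. The WLMS query is my construction in the same shape as the Sam query; that WLMS writes to the Application log is an assumption, and Get-SamEvents is a helper name I chose.

```powershell
# Added example (not the room's or the write-up's code). XPath filters for
# Task 5. Assumptions: WLMS events live in the Application log, and the
# Security log on this machine holds the Sam events.

# 1. Provider name + exact SystemTime. Paths are relative to <Event>, so
#    */System/Provider means Event/System/Provider.
$wlmsQuery = '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'
$wlms = Get-WinEvent -LogName Application -FilterXPath $wlmsQuery -ErrorAction SilentlyContinue

# 2. Event ID + a named EventData field. Matching Data[@Name='TargetUserName']
#    is exact, whereas Message -like "*Sam*" would also hit "Samantha" or an
#    event where Sam is the SubjectUserName (the actor) rather than the target.
function Get-SamEvents {
    param([int]$EventId)
    $xpath = "*/EventData/Data[@Name='TargetUserName']='Sam' and */System/EventID=$EventId"
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue
}

$created = Get-SamEvents -EventId 4720   # user account created
$pwReset = Get-SamEvents -EventId 4724   # password reset attempted

"WLMS events matched : $(@($wlms).Count)"
"4720 events for Sam : $(@($created).Count)"
$created | Select-Object -First 1 -ExpandProperty Message
"4724 for Sam at     : $($pwReset | Select-Object -First 1 -ExpandProperty TimeCreated)"
"Provider            : $($pwReset | Select-Object -First 1 -ExpandProperty ProviderName)"
```

-ErrorAction SilentlyContinue suppresses the "No events were found" error Get-WinEvent raises when a filter matches nothing, and wrapping results in @() makes .Count safe when zero or one event comes back.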

Task 7

What event ID is used to detect a PowerShell downgrade attack?

1. On the desktop, double-click the merged.evtx file. This will open it in Event Viewer.
2. Search the web for Lee Holmes | Detecting and Preventing PowerShell Downgrade Attacks: the tell-tale is an Event ID 400 (Engine state changed to Available) in the Windows PowerShell log whose message shows EngineVersion=2.0.

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

$Attack = Get-WinEvent -Path ".\merged.evtx" | Where-Object {$_.Id -eq 400} | Select-Object -Last 1
$Attack.TimeCreated

Check that the selected event's Message contains EngineVersion=2.0; if the file holds more than one 400 event, the oldest is not necessarily the downgrade.
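As an added example (not code from the room, the write-up, or Lee Holmes' post), the detection logic behind this question as a function: select Event ID 400 and keep only the records whose message reports EngineVersion=2.0, instead of assuming the oldest 400 event is the attack. Find-PSDowngrade is a name I chose, and merged.evtx in the current directory is assumed as in the room.

```powershell
# Added example, not from the room or the write-up. Detects the PowerShell
# downgrade attack described by Lee Holmes: a "Windows PowerShell" log
# Event ID 400 (engine state -> Available) whose message reports
# EngineVersion=2.0, i.e. the legacy v2 engine was started. Function name
# and the merged.evtx path are my assumptions.
function Find-PSDowngrade {
    param(
        # Saved log to inspect; pass '' to read the live "Windows PowerShell" log instead.
        [string]$Path = '.\merged.evtx'
    )

    # Filter by Id inside the hashtable so the log service does the work
    # instead of pulling every record through Where-Object.
    $filter = if ($Path) { @{ Path = $Path; Id = 400 } } else { @{ LogName = 'Windows PowerShell'; Id = 400 } }

    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
        ForEach-Object {
            # Pull the version fields out of the message for a compact report.
            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                RecordId      = $_.RecordId
                Computer      = $_.MachineName
                EngineVersion = [regex]::Match($_.Message, 'EngineVersion=([\d.]+)').Groups[1].Value
                HostVersion   = [regex]::Match($_.Message, 'HostVersion=([\d.]+)').Groups[1].Value
            }
        }
}

# One row per downgrade event; TimeCreated of the matching row answers the
# "Date and Time" question for the attack itself.
Find-PSDowngrade | Sort-Object TimeCreated | Format-Table -AutoSize
```

The same function works against a live system by calling Find-PSDowngrade -Path '' so that the LogName branch of the filter is used, which is the form you would schedule or feed into a SIEM rule.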

A Log clear event was recorded. What is the 'Event Record ID'?

Log clear is the Task Category of Event ID 104 (provider Microsoft-Windows-Eventlog, written to the System log when a log is cleared). The record number is the RecordId property of the event.

$Stuff = Get-WinEvent -Path ".\merged.evtx" | Where-Object {$_.Id -eq 104}
$Stuff.RecordId

What is the name of the computer?

$Stuff.MachineName

What is the name of the first variable within the PowerShell command?

Filter on the source PowerShell and scroll down to the first (oldest) event.

$CLI_Stuff = Get-WinEvent -Path ".\merged.evtx" | Where-Object {$_.ProviderName -like "PowerShell"}
$CLI_Stuff | Select-Object -Last 1 | Format-List *

This query also solved the next two questions.

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

What is the Execution Process ID?

What is the Group Security ID of the group she enumerated?

What is the event ID?

Get-ADUser -Filter {SID -eq "S-1-5-21-2895499743-3664716236-3399808827-1001"}

Written by Cyber Rey

Experienced Cybersecurity Professional, proficient in Cloud Security (AWS & Azure), Vulnerability Assessment and Penetration testing (VAPT), IT administration.