TryHackMe.com | Windows Event Logs Walkthrough

rb fp
3 min read, Mar 14, 2021

Full video of my thought process/research for this walkthrough below.

All questions and answers beneath the video.

Format:

Question

Answer

Task 2: Event Viewer

For the questions below, use Event Viewer to analyze Microsoft-Windows-PowerShell/Operational log.

no answer needed

What is the Event ID for the first event?

40961

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

whoami

What is the Task Category for Event ID 4104?

Execute a Remote Command

For the questions below, use Event Viewer to analyze the Windows PowerShell log.

no answer needed

What is the Task Category for Event ID 800?

Pipeline Execution Details

Task 3: wevtutil.exe

How many log names are in the machine?

1071

What is the definition for the query-events command?

Read events from an event log, log file or using structured query.

What option would you use to provide a path to a log file?

/lf:true

What is the VALUE for /q?

Xpath query

The questions below are based on this command: wevtutil qe Application /c:3 /rd:true /f:text

no answer needed

What is the log name?

Application

What is the /rd option for?

Event read direction

What is the /c option for?

Maximum number of events to read

Task 4: Get-WinEvent

Answer the following questions using the online help documentation for Get-WinEvent

No answers needed

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

OpenSSH/Admin,OpenSSH/Operational

Execute the command from Example 7. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager

Execute the command from Example 8. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

192

How do you specify the number of events to display?

-MaxEvents

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

4

Task 5: XPath Queries

Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

Using Get-WinEvent and XPath, what is the query to find a user named Sam with a Logon Event ID of 4720?

Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'

Based on the previous query, how many results are returned?

2

Based on the output from question #2, what is the Message?

A user account was created

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

12/17/2020 1:57:14 PM

What is the Provider Name?

Microsoft-Windows-Security-Auditing

Task 7: Putting theory into practice

What event ID is used to detect a PowerShell downgrade attack?

400

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

12/18/2020 7:50:33 AM

A Log clear event was recorded. What is the 'Event Record ID'?

27736

What is the name of the computer?

PC01.example.corp

What is the name of the first variable within the PowerShell command?

$Va5w3n8

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

8/25/2020 10:09:28 PM

What is the Execution Process ID?

6620

What is the Group Security ID of the group she enumerated?

S-1-5-32-544

What is the event ID?

4799
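As an added example (not part of the room or this walkthrough), the Task 5 and Task 7 lookups collected into one Get-WinEvent hunting script. The account name, the group SID, the EngineVersion=2.0 string for the downgrade, the 1102/104 log-clear IDs and the use of 4104 for the script block text are assumptions I have made, not values the room states.

```powershell
# Added hunting script for the events covered in Tasks 5 and 7.
# Assumptions (not from the room): target user 'Sam', group SID S-1-5-32-544,
# downgrade visible as EngineVersion=2.0 in EID 400, log clears as 1102/104,
# and the obfuscated command captured as a 4104 script block.
param(
    [string]$TargetUser = 'Sam',
    [string]$GroupSid   = 'S-1-5-32-544',   # BUILTIN\Administrators
    [string]$Variable   = '$Va5w3n8'
)

function Get-SecurityEvents {
    param([string]$XPath)
    Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue
}

# Task 5: account created (4720) and password reset (4724) for the target user.
$userXPath = "*[System[EventID=4720 or EventID=4724] and EventData[Data[@Name='TargetUserName']='$TargetUser']]"
Get-SecurityEvents $userXPath |
    Select-Object TimeCreated, Id, ProviderName, RecordId, Message |
    Format-Table -AutoSize

# Task 7: PowerShell downgrade. EID 400 is written on every engine start;
# an engine forced back to version 2.0 stands out in the message body.
Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    Select-Object TimeCreated, Id, RecordId, MachineName

# Task 7: log clears. 1102 = Security audit log cleared, 104 = System log cleared.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, RecordId, MachineName
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, RecordId, MachineName

# Task 7: script block logging (4104) that contains the suspicious variable name.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*$Variable*" } |
    Select-Object TimeCreated, Id, RecordId, ProcessId

# Task 7: local group membership enumerated (4799) for the given group SID.
$grpXPath = "*[System[EventID=4799] and EventData[Data[@Name='TargetSid']='$GroupSid']]"
Get-SecurityEvents $grpXPath |
    Select-Object TimeCreated, Id, RecordId, MachineName
```

Run it in an elevated PowerShell session, since the Security log is not readable by standard users; each block prints nothing when the corresponding events are absent.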

tl;dr

This room taught me what sections of a Windows Event Log give us details that we need to look at in order to make sense of what’s going on with the log and how to find indicators of compromise (IOCs).

My favorite part of this room was that it taught me how to read XPath Queries and how to…query them.
