Skip to content

Windows Event Logs

Windows Event Logs                                 Tolkien Ring                                 A picture containing clipart Description automatically generatedDusty Giftwrap

Graphical user interface Description automatically generated

A screenshot of a computer Description automatically generated with medium confidence

Windows Event log file (.EVTX)
https://storage.googleapis.com/hhc22_player_assets/powershell.evtx

 

In the terminal, we are asked a series of questions from the .EVTX file.
Text Description automatically generated

As the 1st step, we convert the powershell.evtx to CSV

Get-WinEvent -Path powershell.evtx `
| Export-Csv powershell_logs.csv -NoTypeInformation</p>

 

Q1. What month/day/year did the attack take place?

Answer : 12/24/2022

# check for all dates for the events which mentioned the word 'recipe'

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*recipe*'} | select TimeCreated

# There were 56 events where "recipe" was mentioned

(Import-Csv powershell_logs.csv | Where-Object {$_.'message'
-like '*recipe*'} | select TimeCreated).count

Out of 56, there were only 3 events on 12/18/2022 which mentioned recipe and they look innocuous. So the attack took place on 12/24/2024.

Q2. An attacker got a secret from a file. What was the original file's name?

Answer: Recipe

The attacker got a secret from a file which means they may have used Get-Content.

So, we look for that in the events on 12/24/2022

Import-Csv powershell_logs.csv | Where-Object {$_.'message' -like '*$foo*'
-and $_.'message' -like '*Get-Content*' -and $_.TimeCreated -like
'*12/24/2022*'} | select message | Format-Table -Wrap -Autosize


And here it is. They are trying to get the content from a file named Recipe, replacing 'honey' with 'fish oil' and putting the changed content in the variable named $foo


 

Q3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.

Answer :

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}

The attacker retrieved contents of the file, changed, and stored to a variable. So, they may have used "Get-Content" 

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*$foo*' -and $_.'message' -like '*Get-Content*' -and
$_.TimeCreated -like '*12/24/2022*'} | select message | Format-Table -Wrap
-Autosize

 

Q4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.

Answer :$foo | Add-Content -Path 'Recipe'

To write altered file contents from a variable to a file, attacker may have used Add-Content.

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*$foo*' -and $_.'message' -like '*Add-Content*' -and
$_.TimeCreated -like '*12/24/2022*'} | select message | Format-Table -Wrap
-Autosize

 

Q5. The attacker ran the previous command against one file multiple times. What is the name of this file?

Answer : Recipe.txt

 

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*$foo*' -and $_.'message' -like '*Add-Content*' -and
$_.TimeCreated -like '*12/24/2022*'} | select message | Format-Table -Wrap
-Autosize

Text Description automatically generated

 

 

Q7. Was the original file (from question 2) deleted? (Yes/No)

Answer: No

From question 2, the original file name was "recipe".

The files deleted were recipe.txt and recipe_updated.txt.

Import-Csv powershell_logs.csv | Where-Object {$_.'message'
-like '*del*' -and $_.TimeCreated -like '*12/24/2022*'} | select message |
Format-Table -Wrap -Autosize

 

Q6. Were any files deleted?

Answer : Yes

Looking for usage of 'del' command in PowerShell events. Looks like 2 files were deleted.

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*del*' -and $_.TimeCreated -like '*12/24/2022*'} |
select message | Format-Table -Wrap -Autosize

 

 

Q8. What is the Event ID of the logs that show the actual command lines the attacker typed and ran?

Answer : 4104

Looking for the event id of the event showing file deletion and It looks like 4104

Import-Csv powershell_logs.csv | Where-Object
{$_.'message' -like '*del*' -and $_.TimeCreated -like '*12/24/2022*'} |
select Id,Message | Format-Table -Wrap -Autosize

Q9. Is the secret ingredient compromised (Yes/No)?

Answer: Yes

This is because :

# The attacker got the content from original recipe file and replaced the honey with fish oil and put that updated value in the variable $foo

$foo = Get-Content .\Recipe| % {$_ -replace 'honey',
'fish oil'}

And then wrote the changed variable back to the original file named Recipe

$foo | Add-Content -Path 'Recipe'

Q10. What is the secret ingredient?

Answer: Honey

From the answer to the question 9) the ingredient which got replaced in the original recipe file was honey.

Therefore, the secret ingredient is honey

The objective is now completed and we get 10 coins as well
Text Description automatically generated with low confidenceGraphical user interface, text Description automatically generated