Part Two Lab

Lab 5.2 - Windows Event Logs

Objectives:

  • Analyze Windows Event logs.

  • Perform hands-on long tail analysis of Windows event logs.

  • Provide hands-on experience with PowerShell.

This lab uses these .evtx files, located in c:\labs:

  • pegasus-security.evtx (domain controller)

These logs are from the compromised PC:

  • valkyrie-defender.evtx

  • valkyrie-security.evtx

  • valkyrie-security-logons.evtx

  • valkyrie-sysmon.evtx

  • valkyrie-system.evtx

Challenges:

  1. Perform long tail analysis on valkyrie-security.evtx

  2. Locate all service creation events in valkyrie-system.evtx

  3. Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx

  4. Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx

  5. Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx

  6. Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx

  7. Identify the user creation event for the account NumberSix in pegasus-security.evtx

  8. Identify the event where users were added to the domain administrators group in pegasus-security.evtx

  9. Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."

  10. Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled

  11. Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared

  12. Bonus step: count the number of failed logons in valkyrie-security-logons.evtx

Q1) Perform long tail analysis on valkyrie-security.evtx

Get-WinEvent -Path C:\labs\valkyrie-security.evtx | Group-Object Id -NoElement | sort Count
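The same long tail analysis as an added example (not part of the lab), with the rarest event IDs listed first and each row carrying the provider and the first line of one sample message, so the tail can be triaged without re-querying every ID. It assumes the lab's path C:\labs\valkyrie-security.evtx.

```powershell
# Added example: long tail analysis with provider and sample message per ID.
# Assumes the lab file C:\labs\valkyrie-security.evtx exists.
function Get-LongTail {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$Top = 15            # how many of the rarest IDs to show
    )
    Get-WinEvent -Path $Path -ErrorAction SilentlyContinue |
        Group-Object Id |         # keep the grouped events so we can sample one
        Sort-Object Count |       # ascending: the long tail is at the top
        Select-Object -First $Top |
        ForEach-Object {
            $sample = $_.Group[0]
            [pscustomobject]@{
                Id       = $_.Name
                Count    = $_.Count
                Provider = $sample.ProviderName
                # Message can be $null if the provider is not installed locally
                Sample   = ($sample.Message -split '\r?\n')[0]
            }
        }
}

Get-LongTail -Path 'C:\labs\valkyrie-security.evtx' | Format-Table -AutoSize -Wrap
```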

Q2) Locate all service creation events in valkyrie-system.evtx.

Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=7045} | fl | more

Service creation events involving PowerShell are unusual and often associated with malicious activity. Additionally, running powershell.exe through cmd.exe is highly suspicious, especially when using flags like -nop (no profile) and -w hidden (hidden window).

Q3) Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx

Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=4688} | Where-Object {$_.Message -like "*powershell.exe -nop*"} | fl | more

Windows clients can now log full command-line details instead of just the process name. However, this feature is not enabled by default. It should be activated on all systems running Windows 7 or later.

Q4) Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx

Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=4688} | Where-Object {$_.Message -like "*ADMIN$*"} | fl | more

The WmiPrvSe.exe process, known as the WMI Provider Host, is being used here to launch cmd.exe. Attackers are increasingly using WMI to exploit systems, as psexec-based attacks are often blocked by antivirus or EDR solutions. SOC teams should monitor WmiPrvSe.exe for launching any processes, especially cmd.exe or powershell.exe, and investigate such activity.
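An added example (not part of the lab) that serves Q3 and Q4 together: instead of pattern-matching the rendered Message text, it parses the 4688 EventData fields (NewProcessName, CommandLine, ParentProcessName) from the event XML, so the parent/child relationship the note above describes can be filtered directly. It assumes the lab's path C:\labs\valkyrie-security.evtx and that command-line auditing was enabled when the log was recorded.

```powershell
# Added example: structured 4688 parsing for the Q3 and Q4 searches.
# Assumes C:\labs\valkyrie-security.evtx; CommandLine is empty if command-line
# auditing was off on the source host, and ParentProcessName needs Win10/2016+.
function Get-ProcessCreationEvent {
    param([Parameter(Mandatory)][string]$Path)

    Get-WinEvent -FilterHashtable @{Path = $Path; Id = 4688} -ErrorAction SilentlyContinue |
        ForEach-Object {
            # ToXml() exposes EventData as <Data Name="..."> elements
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                TimeCreated   = $_.TimeCreated
                Computer      = $xml.Event.System.Computer
                User          = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                ParentProcess = $data['ParentProcessName']
                NewProcess    = $data['NewProcessName']
                CommandLine   = $data['CommandLine']
            }
        }
}

$events = Get-ProcessCreationEvent -Path 'C:\labs\valkyrie-security.evtx'

# Q3: PowerShell started with -nop, regardless of other flags before it
$events | Where-Object { $_.CommandLine -match 'powershell(\.exe)?.*-nop' } |
    Format-Table TimeCreated, User, ParentProcess, CommandLine -Wrap

# Q4: anything referencing the ADMIN$ share, plus every child of WmiPrvSE.exe
$events | Where-Object {
        $_.CommandLine -like '*ADMIN$*' -or $_.ParentProcess -like '*\WmiPrvSE.exe'
    } | Format-Table TimeCreated, User, ParentProcess, NewProcess, CommandLine -Wrap
```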

Q5) Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx

Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx";id=7040} | Where-Object {$_.Message -like "*Remote Desktop*"} | fl

The change in the start type of the Remote Desktop Services (RDP) service from demand start to auto start could indicate an attempt to persistently enable RDP for remote access, potentially signaling suspicious activity.

Q6) Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx

Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=1056} | fl

Q7) Identify the user creation event for the account NumberSix in pegasus-security.evtx

Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4720} | fl

Q8) Identify the event where users were added to the domain administrators group in pegasus-security.evtx

Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4728} | fl
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4737} | fl

Security event 4737 is particularly critical and should be closely monitored. Any changes should be immediately reviewed by the SOC to confirm if they are authorized. Unauthorized changes must be escalated to incident handlers without delay.

Q9) Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."

Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx"; Id=1117} | fl | more

Q10) Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled

Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx"; Id=5001} | fl

Q11) Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared

Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=1102} | fl
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=104} | fl

A cleared log is recorded as Event ID 1102 in the Security log and Event ID 104 in the System log.

Q12) Bonus step: count the number of failed logons in valkyrie-security-logons.evtx

Get-WinEvent -Path C:\labs\valkyrie-security-logons.evtx | Group-Object Id -NoElement | sort count

Event 4624 indicates a successful account logon, while Event 4625 represents a failed logon attempt. In this case, there were 18,311 failed logon attempts.
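An added example (not part of the lab) that goes beyond the raw 4625 count: it parses the 4625 EventData fields and breaks failed logons down by source address, target account and failure reason, which is the shape that distinguishes a password spray from a brute force against one account. It assumes the lab's path C:\labs\valkyrie-security-logons.evtx; the SubStatus labels are the documented Windows logon failure codes.

```powershell
# Added example: failed logon breakdown from 4625 events.
# Assumes C:\labs\valkyrie-security-logons.evtx exists.
# Documented 4625 SubStatus codes; hashtable keys are case-insensitive.
$SubStatus = @{
    '0xC0000064' = 'user name does not exist'
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked out'
    '0xC0000072' = 'account disabled'
    '0xC000006F' = 'outside logon hours'
    '0xC0000070' = 'workstation restriction'
    '0xC0000071' = 'password expired'
    '0xC0000193' = 'account expired'
}

function Get-FailedLogon {
    param([Parameter(Mandatory)][string]$Path)
    Get-WinEvent -FilterHashtable @{Path = $Path; Id = 4625} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $code = [string]$data['SubStatus']
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Target      = $data['TargetUserName']
                Source      = $data['IpAddress']
                LogonType   = $data['LogonType']
                Reason      = if ($SubStatus.ContainsKey($code)) { $SubStatus[$code] } else { $code }
            }
        }
}

$failed = Get-FailedLogon -Path 'C:\labs\valkyrie-security-logons.evtx'
"Total failed logons: $($failed.Count)"

# Many distinct targets from one source with 'wrong password' = spray;
# one target hammered from one source = brute force.
$failed | Group-Object Source, Reason -NoElement | Sort-Object Count -Descending | Select-Object -First 10
$failed | Group-Object Target -NoElement | Sort-Object Count -Descending | Select-Object -First 10
```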
