Part Two Lab
Lab 5.2 - Windows Event Logs
Objectives:
Analyze Windows Event logs.
Perform hands-on long tail analysis of Windows event logs.
Provide hands-on experience with PowerShell.
This lab uses these .evtx files, located in c:\labs:
pegasus-security.evtx (domain controller)
These logs are from the compromised PC:
valkyrie-defender.evtx
valkyrie-security.evtx
valkyrie-security-logons.evtx
valkyrie-sysmon.evtx
valkyrie-system.evtx
Challenges:
Perform long tail analysis on valkyrie-security.evtx
Locate all service creation events in valkyrie-system.evtx
Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx
Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx
Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx
Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx
Identify the user creation event for the account NumberSix in pegasus-security.evtx
Identify the event where users were added to the domain administrators group in pegasus-security.evtx
Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."
Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled
Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared
Bonus step: count the number of failed logons in valkyrie-security-logons.evtx
Q1) Perform long tail analysis on valkyrie-security.evtx
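One way to do the long tail analysis in PowerShell, as an added example that is not part of the lab's own material. It assumes the lab file c:\labs\valkyrie-security.evtx is present; the same script works on any exported .evtx. The idea is to count every Event ID and sort rarest first, because routine noise (logon/logoff traffic) sits at the head of the distribution while one-off activity sits in the tail.

```powershell
# Added example (not from the lab): long tail analysis of an exported event log.
# Assumption: the file path below matches the lab's c:\labs layout.
$Path = 'c:\labs\valkyrie-security.evtx'

# Get-WinEvent -Path reads a saved .evtx directly; no live log or admin rights needed.
$events = Get-WinEvent -Path $Path -ErrorAction Stop

# Count each Event ID, rarest first. First/Last show when the rare activity happened.
$tail = $events |
    Group-Object -Property Id |
    Sort-Object -Property Count |
    ForEach-Object {
        $byTime = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Id       = [int]$_.Name
            Count    = $_.Count
            Provider = $byTime[0].ProviderName
            # First line of Message is the event's human-readable title
            Title    = ($byTime[0].Message -split "`r?`n")[0]
            First    = $byTime[0].TimeCreated
            Last     = $byTime[-1].TimeCreated
        }
    }

"Total events: $($events.Count); distinct Event IDs: $($tail.Count)"

"`n-- Rarest 15 Event IDs (review these first) --"
$tail | Select-Object -First 15 | Format-Table -AutoSize -Wrap

"`n-- Most common 5 Event IDs (the noise floor) --"
$tail | Select-Object -Last 5 | Format-Table Id, Count, Title -AutoSize

# Dump the full text of every event whose ID was seen fewer than 5 times,
# which is usually a short enough list to read end to end.
$rareIds = $tail | Where-Object Count -lt 5 | ForEach-Object Id
$events | Where-Object { $rareIds -contains $_.Id } |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, ProviderName, Message |
    Format-List
```

Parsing Message relies on the analysis host having the provider's message DLLs; when it does not, Title comes back empty but the Id counts are still correct.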
Q2) Locate all service creation events in valkyrie-system.evtx.
Service creation events involving PowerShell are unusual and often associated with malicious activity. Additionally, running powershell.exe through cmd.exe is highly suspicious, especially when using flags like -nop (no profile) and -w hidden (hidden window).
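The following script is an added example, not lab material, for listing service creation events and flagging the patterns described above. Service installation is logged in the System log as Event ID 7045 ("A service was installed in the system"). It assumes c:\labs\valkyrie-system.evtx, and the list of suspicious patterns is an assumption of the example that you can extend.

```powershell
# Added example (not from the lab): service creation events (System Event ID 7045)
# with a flag for PowerShell/cmd.exe service binaries and the -nop / -w hidden flags.
$Path = 'c:\labs\valkyrie-system.evtx'

# Patterns in a service ImagePath that deserve a second look (assumed list).
$suspicious = @(
    'powershell',                 # PowerShell as a service binary is rare in a healthy estate
    'cmd\.exe',                   # cmd.exe wrapping another command
    '-nop\b',                     # -NoProfile
    '-w\s+hidden',                # -WindowStyle Hidden
    '-enc',                       # encoded command
    '\\\\[^\\]+\\ADMIN\$'         # binary staged via an admin share
)
$regex = $suspicious -join '|'

Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 7045 } -ErrorAction Stop |
    ForEach-Object {
        # Read the structured EventData fields from the event XML instead of
        # scraping Message, so the result does not depend on message DLLs.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $d['ServiceName']
            ImagePath   = $d['ImagePath']
            StartType   = $d['StartType']
            Account     = $d['AccountName']
            Suspicious  = [bool]($d['ImagePath'] -match $regex)
        }
    } |
    Sort-Object Suspicious, Time -Descending |
    Format-Table -AutoSize -Wrap
```

Suspicious entries sort to the top; the ImagePath column is where the cmd.exe -> powershell.exe chain and its flags will be visible.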
Q3) Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx
Windows can log the full command line in process creation events, not just the process name. This is not enabled by default; it should be turned on for all systems running Windows 7 or later.
Q4) Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx
The WmiPrvSe.exe process, known as the WMI Provider Host, is being used here to launch cmd.exe. Attackers are increasingly using WMI to exploit systems, as psexec-based attacks are often blocked by antivirus or EDR solutions. SOC teams should monitor WmiPrvSe.exe for launching any processes, especially cmd.exe or powershell.exe, and investigate such activity.
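Q3 and Q4 are the same search with a different string, so one helper serves both. This is an added example rather than lab material; it assumes c:\labs\valkyrie-security.evtx and that command-line auditing was enabled on the source host (if it was not, the CommandLine field is empty and only the image path can match). Process creation is Security Event ID 4688; its ParentProcessName field exists on Windows 10 / Server 2016 and later.

```powershell
# Added example (not from the lab): search 4688 process creation events
# for a string in the command line or image path. Serves Q3 and Q4.
function Find-ProcessCreation {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Pattern   # literal substring, case-insensitive
    )
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4688 } -ErrorAction Stop |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            # Match command line OR image path so a share path like ADMIN$ is
            # found even when the command line was not logged.
            $haystack = "$($d['CommandLine']) $($d['NewProcessName'])"
            if ($haystack -like "*$Pattern*") {
                [pscustomobject]@{
                    Time        = $_.TimeCreated
                    User        = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                    Parent      = $d['ParentProcessName']
                    Process     = $d['NewProcessName']
                    CommandLine = $d['CommandLine']
                }
            }
        }
}

$log = 'c:\labs\valkyrie-security.evtx'

'== Q3: PowerShell launched with -nop =='
Find-ProcessCreation -Path $log -Pattern 'powershell.exe -nop' | Format-List

'== Q4: anything referencing the ADMIN$ share =='
Find-ProcessCreation -Path $log -Pattern 'ADMIN$' | Format-List

# Triage view for the Q4 finding: cmd.exe children of the WMI Provider Host.
'== cmd.exe spawned by WmiPrvSE.exe =='
Find-ProcessCreation -Path $log -Pattern 'cmd.exe' |
    Where-Object Parent -like '*WmiPrvSE.exe' |
    Format-Table Time, User, Parent, CommandLine -Wrap
```

The -like operator treats $ as a literal character, so 'ADMIN$' needs no escaping; the last query is the detection the paragraph above recommends, expressed as a parent/child filter.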
Q5) Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx
The change in the start type of the Remote Desktop Services (RDP) service from demand start to auto start could indicate an attempt to persistently enable RDP for remote access, potentially signaling suspicious activity.
Q6) Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx
Q7) Identify the user creation event for the account NumberSix in pegasus-security.evtx
Q8) Identify the event where users were added to the domain administrators group in pegasus-security.evtx
Security event 4737 is particularly critical and should be closely monitored. Any changes should be immediately reviewed by the SOC to confirm if they are authorized. Unauthorized changes must be escalated to incident handlers without delay.
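Q7 and Q8 both come from the domain controller log, so one added example (not lab material) covers them. It assumes c:\labs\pegasus-security.evtx. Account creation is Security Event ID 4720; for group changes it queries the lab's 4737 (security-enabled global group changed) together with the member-added events 4728, 4732 and 4756 (global, local and universal security groups), which are standard Windows IDs not listed on the page.

```powershell
# Added example (not from the lab): account creation and group changes from the DC log.
$Path = 'c:\labs\pegasus-security.evtx'

# Small helper: EventData fields of an event as a hashtable keyed by field name.
function Get-EventData {
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

'== Q7: user account created (4720) =='
Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4720 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time      = $_.TimeCreated
            NewUser   = $d['TargetUserName']      # the account that was created
            CreatedBy = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } |
    Where-Object NewUser -eq 'NumberSix' |
    Format-Table -AutoSize

'== Q8: group changes and members added to Domain Admins =='
Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4737, 4728, 4732, 4756 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $_.Id
            Group  = $d['TargetUserName']        # for group events this is the group name
            Member = $d['MemberName']            # DN of the added account (4728/4732/4756)
            Actor  = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        }
    } |
    Where-Object { $_.Id -eq 4737 -or $_.Group -match 'Domain Admins' } |
    Sort-Object Time |
    Format-Table -AutoSize -Wrap
```

The Actor column is what the SOC needs for the authorization check: an account outside the team that manages group membership making this change is the escalation trigger.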
Q9) Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."
Q10) Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled
Q11) Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared
Log clearing is recorded as Event ID 1102 in the security log and Event ID 104 in the system log.
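Q5, Q6, Q9, Q10 and Q11 are all "find the event that says ..." questions, so this added example (not lab material) provides one helper that filters by Event ID, by a message fragment, or both, across several files. It assumes the lab files under c:\labs. Service start type changes are System Event ID 7040; the Defender real-time protection message is Event ID 5001 in the Defender operational log; the self-signed certificate and Defender detection questions are answered by message text alone, as the lab phrases them.

```powershell
# Added example (not from the lab): search .evtx files by Event ID and/or message text.
function Search-LabEvents {
    param(
        [Parameter(Mandatory)] [string[]] $Path,
        [int[]]  $Id,          # optional Event ID filter
        [string] $Pattern      # optional case-insensitive regex against Message
    )
    foreach ($p in $Path) {
        $filter = @{ Path = $p }
        if ($Id) { $filter.Id = $Id }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
            Where-Object { -not $Pattern -or $_.Message -match $Pattern } |
            Select-Object @{ n = 'Log'; e = { Split-Path $p -Leaf } },
                          TimeCreated, Id, ProviderName,
                          @{ n = 'Title'; e = { ($_.Message -split "`r?`n")[0] } },
                          Message
    }
}

$sys = 'c:\labs\valkyrie-system.evtx'
$sec = 'c:\labs\valkyrie-security.evtx'
$def = 'c:\labs\valkyrie-defender.evtx'

'== Q5: Remote Desktop Services start type changed (System 7040) =='
Search-LabEvents -Path $sys -Id 7040 -Pattern 'Remote Desktop Services' |
    Format-Table Log, TimeCreated, Title -Wrap

'== Q6: new self-signed certificate =='
Search-LabEvents -Path $sys -Pattern 'A new self-signed certificate' |
    Format-List TimeCreated, Id, ProviderName, Message

'== Q9: Defender took action against malware =='
Search-LabEvents -Path $def -Pattern 'has taken action to protect this machine' |
    Format-List TimeCreated, Id, Message

'== Q10: Defender real-time protection disabled (5001) =='
Search-LabEvents -Path $def -Id 5001 -Pattern 'Real-time Protection' |
    Format-Table TimeCreated, Id, Title -Wrap

'== Q11: log cleared: 1102 (Security) and 104 (System) =='
Search-LabEvents -Path $sec, $sys -Id 1102, 104 |
    Format-Table Log, TimeCreated, Id, ProviderName -AutoSize
```

For Q11 the Security log's 1102 event also names the account that cleared it (the SubjectUserName field), which is the pivot for the rest of the timeline; -ErrorAction SilentlyContinue keeps Get-WinEvent quiet when one file has no matching ID.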
Q12) Bonus step: count the number of failed logons in valkyrie-security-logons.evtx
Event 4624 indicates a successful account logon, while Event 4625 represents a failed logon attempt. In this case, there were 18,311 failed logon attempts.
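A count alone does not say what the 18,311 failures were, so this added example (not lab material) counts 4625 events and breaks them down by target account, source address, failure code and timing. It assumes c:\labs\valkyrie-security-logons.evtx; the LogonType and Status/SubStatus meanings in the comments are the standard Windows values.

```powershell
# Added example (not from the lab): count and profile failed logons (4625).
$Path = 'c:\labs\valkyrie-security-logons.evtx'

$failed = Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4625 } -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Target    = $d['TargetUserName']
            LogonType = $d['LogonType']     # 2 interactive, 3 network, 10 RDP
            Source    = $d['IpAddress']
            Status    = $d['Status']        # 0xC000006D bad name/password, 0xC0000234 locked out
            SubStatus = $d['SubStatus']     # 0xC0000064 no such user, 0xC000006A wrong password
        }
    }

"Failed logons (4625): $($failed.Count)"   # lab answer key: 18,311
$ok = @(Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 4624 } -ErrorAction SilentlyContinue).Count
"Successful logons (4624): $ok"

'-- Top targeted accounts --'
$failed | Group-Object Target | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

'-- Source addresses --'
$failed | Group-Object Source | Sort-Object Count -Descending |
    Select-Object -First 10 Count, Name | Format-Table -AutoSize

'-- Failure reasons (SubStatus) --'
$failed | Group-Object SubStatus | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

'-- Busiest minutes (brute-force vs. spray timing) --'
$failed | Group-Object { $_.Time.ToString('yyyy-MM-dd HH:mm') } |
    Sort-Object Count -Descending | Select-Object -First 5 Count, Name | Format-Table -AutoSize
```

Many accounts with few failures each from one source points to password spraying; one account with thousands of 0xC000006A failures points to brute force, and a following 4624 for that account from the same source is the event to chase next.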