# Part Two Lab

## Lab 5.2 - Windows Event Logs

**Objectives:**

* Analyze Windows Event logs.
* Perform hands-on long tail analysis of Windows event logs.
* Provide hands-on experience with PowerShell.

This lab uses these .evtx files, located in c:\labs:

* **pegasus-security.evtx** (domain controller)

These logs are from the compromised PC:

* **valkyrie-defender.evtx**
* **valkyrie-security.evtx**
* **valkyrie-security-logons.evtx**
* **valkyrie-sysmon.evtx**
* **valkyrie-system.evtx**

**Challenges:**

1. Perform long tail analysis on valkyrie-security.evtx
2. Locate all service creation events in valkyrie-system.evtx
3. Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx
4. Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx
5. Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx
6. Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx
7. Identify the user creation event for the account NumberSix in pegasus-security.evtx
8. Identify the event where users were added to the domain administrators group in pegasus-security.evtx
9. Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."
10. Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled
11. Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared
12. Bonus step: count the number of failed logons in valkyrie-security-logons.evtx

Q1) Perform long tail analysis on valkyrie-security.evtx

```powershell
Get-WinEvent -Path C:\labs\valkyrie-security.evtx | Group-Object Id -NoElement | sort Count
```
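The one-liner above returns counts only. As an added example (not part of the lab), the function below keeps just the long tail (provider/Id buckets seen at or below a threshold) and attaches the provider, first-seen time and the first line of a sample message, so the rare IDs can be triaged in one pass. The file path is the lab's; the threshold and function name are this example's own.

```powershell
# Added example, not part of the lab: long-tail analysis with enough context to triage the rare IDs.
function Get-LongTail {
    param(
        [Parameter(Mandatory)] [string] $Path,   # .evtx file, e.g. C:\labs\valkyrie-security.evtx
        [int] $MaxCount = 5                       # keep (Provider, Id) buckets seen this many times or fewer
    )

    Get-WinEvent -Path $Path |
        Group-Object ProviderName, Id |
        Where-Object { $_.Count -le $MaxCount } |
        Sort-Object Count |
        ForEach-Object {
            $sample = $_.Group | Sort-Object TimeCreated | Select-Object -First 1
            # Message is rendered from the provider's template; on an analysis box without that
            # provider registered it is $null, so fall back to a placeholder rather than failing.
            $text = if ($sample.Message) {
                ($sample.Message -split "`r?`n")[0].Trim()
            } else {
                "<no message template for Id $($sample.Id) on this host>"
            }
            [pscustomobject]@{
                Count     = $_.Count
                Provider  = $sample.ProviderName
                Id        = $sample.Id
                FirstSeen = $sample.TimeCreated
                Sample    = $text
            }
        }
}

Get-LongTail -Path C:\labs\valkyrie-security.evtx -MaxCount 5 | Format-Table -AutoSize -Wrap
```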

Q2) Locate all service creation events in valkyrie-system.evtx.

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=7045} | fl | more
```

Service creation events involving PowerShell are unusual and often associated with malicious activity. Additionally, running `powershell.exe` through `cmd.exe` is highly suspicious, especially when using flags like `-nop` (no profile) and `-w hidden` (hidden window).

Q3) Identify all process creation events that reference "powershell.exe -nop" in valkyrie-security.evtx

```powershell
# The pipe must end the first line: a line that begins with "|" is a syntax error in Windows PowerShell 5.1.
Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=4688} |
    Where-Object {$_.Message -like "*powershell.exe -nop*"} | fl | more
```

Windows clients can log the full command line in process creation events instead of just the process name. However, this feature is not enabled by default, and it should be enabled on all systems running Windows 7 or later.

Q4) Identify all process creation events that reference "ADMIN$" in valkyrie-security.evtx

```powershell
# Single quotes keep "$" literal; the pipe must end the first line in Windows PowerShell 5.1.
Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=4688} |
    Where-Object {$_.Message -like '*ADMIN$*'} | fl | more
```

The WmiPrvSe.exe process, known as the WMI Provider Host, is being used here to launch cmd.exe. Attackers are increasingly using WMI to exploit systems, as psexec-based attacks are often blocked by antivirus or EDR solutions. SOC teams should monitor WmiPrvSe.exe for launching any processes, especially cmd.exe or powershell.exe, and investigate such activity.
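Matching on the rendered Message text works in the lab, but the Message depends on locale and on which providers are installed on the analysis host. As an added example (not part of the lab), the function below parses the 4688 EventData fields directly and flags the patterns discussed in Q3 and Q4: cmd.exe launching powershell.exe, the -nop and -w hidden switches, ADMIN$ references, and WmiPrvSE.exe as the parent process. The field names are the standard 4688 EventData names; the regexes, flag labels and function name are this example's own.

```powershell
# Added example, not part of the lab: parse 4688 EventData instead of the rendered Message.
function Get-SuspiciousProcessCreation {
    param([Parameter(Mandatory)] [string] $Path)   # .evtx file, e.g. C:\labs\valkyrie-security.evtx

    Get-WinEvent -FilterHashtable @{Path = $Path; Id = 4688} | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $proc   = [string]$data['NewProcessName']
        $parent = [string]$data['ParentProcessName']   # only populated on Windows 10 / Server 2016 and later
        $cmd    = [string]$data['CommandLine']         # empty unless command-line auditing is enabled

        # Indicators taken from the lab text; -match is case-insensitive in PowerShell.
        $flags = @()
        if ($parent -match '\\WmiPrvSE\.exe$') { $flags += 'parent is WMI Provider Host' }
        if ($parent -match '\\cmd\.exe$' -and $proc -match '\\powershell\.exe$') { $flags += 'cmd.exe -> powershell.exe' }
        if ($cmd -match '\s-nop\b')                     { $flags += '-nop' }
        if ($cmd -match '\s-w(indowstyle)?\s+hidden\b') { $flags += '-w hidden' }
        if ($cmd -match 'ADMIN\$')                      { $flags += 'ADMIN$ share' }

        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
                Parent  = $parent
                Process = $proc
                Cmd     = $cmd
                Flags   = $flags -join '; '
            }
        }
    }
}

Get-SuspiciousProcessCreation -Path C:\labs\valkyrie-security.evtx | Format-List
```

An empty Cmd column on every row means command-line auditing was not enabled on the source host, which is the gap described above.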

Q5) Identify the RDP events that reference "The start type of the Remote Desktop Services service was changed..." in valkyrie-system.evtx

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx";id=7040} | Where-Object {$_.Message -like "*Remote Desktop*"} | fl
```

The change in the start type of the Remote Desktop Services (RDP) service from demand start to auto start could indicate an attempt to persistently enable RDP for remote access, potentially signaling suspicious activity.

Q6) Identify the event that references "A new self-signed certificate..." in valkyrie-system.evtx

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=1056} | fl
```

Q7) Identify the user creation event for the account NumberSix in pegasus-security.evtx

```powershell
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4720} | fl
```

Q8) Identify the event where users were added to the domain administrators group in pegasus-security.evtx

```powershell
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4728} | fl
```

```powershell
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; Id=4737} | fl
```

Security event 4737 is particularly critical and should be closely monitored. Any changes should be immediately reviewed by the SOC to confirm if they are authorized. Unauthorized changes must be escalated to incident handlers without delay.

Q9) Identify all events in valkyrie-defender.evtx that reference "Microsoft Defender Antivirus has taken action to protect this machine from malware or other potentially unwanted software."

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx"; Id=1117} | fl | more
```

Q10) Identify the event in valkyrie-defender.evtx where Microsoft Defender Antivirus Real-time Protection was disabled

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx"; Id=5001} | fl
```

Q11) Identify the events in both valkyrie-system.evtx and valkyrie-security.evtx where the event log was cleared

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; Id=1102} | fl
```

```powershell
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; Id=104} | fl
```

Event ID 1102 in the Security log and Event ID 104 in the System log each record that the respective log was cleared.

Q12) Bonus step: count the number of failed logons in valkyrie-security-logons.evtx

```powershell
Get-WinEvent -Path C:\labs\valkyrie-security-logons.evtx | Group-Object Id -NoElement | sort count
```

Event 4624 indicates a successful account logon, while Event 4625 represents a failed logon attempt. In this case, there were 18,311 failed logon attempts.
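A total of 18,311 failures says nothing about whether one source was hammering one account or spraying many. As an added example (not part of the lab), the function below parses the 4625 EventData and summarises the failures by target account, source address and NTSTATUS sub-status, which separates a brute force (one account, many attempts) from a spray (many accounts, few attempts each). Field names are the standard 4625 EventData names; the path is the lab's and the function name is this example's own.

```powershell
# Added example, not part of the lab: break failed logons (4625) down by account, source and reason.
function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. C:\labs\valkyrie-security-logons.evtx
        [int] $Top = 10                           # how many accounts / sources to list
    )

    $rows = @(Get-WinEvent -FilterHashtable @{Path = $Path; Id = 4625} | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Source    = $data['IpAddress']   # '-' when the attempt did not arrive over the network
            LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
            # Common sub-status codes: 0xC000006A bad password, 0xC0000064 no such user,
            # 0xC0000234 account locked out, 0xC0000072 account disabled
            SubStatus = $data['SubStatus']
        }
    })

    # Many distinct accounts with few attempts each points to a spray;
    # one account with many attempts points to brute force.
    [pscustomobject]@{
        Total       = $rows.Count
        Accounts    = @($rows.Account | Sort-Object -Unique).Count
        Sources     = @($rows.Source  | Sort-Object -Unique).Count
        ByAccount   = $rows | Group-Object Account   | Sort-Object Count -Descending | Select-Object -First $Top Count, Name
        BySource    = $rows | Group-Object Source    | Sort-Object Count -Descending | Select-Object -First $Top Count, Name
        BySubStatus = $rows | Group-Object SubStatus | Sort-Object Count -Descending | Select-Object Count, Name
    }
}

$summary = Get-FailedLogonSummary -Path C:\labs\valkyrie-security-logons.evtx
$summary | Select-Object Total, Accounts, Sources | Format-List
$summary.ByAccount   | Format-Table -AutoSize
$summary.BySource    | Format-Table -AutoSize
$summary.BySubStatus | Format-Table -AutoSize
```

Total should equal the 4625 count from the Group-Object one-liner above; if it does not, the file was truncated or the query was filtered.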

