Windows Event Logs
Dusty Giftwrap is standing next to a terminal.
Challenge

Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.

Solution

Let's open the terminal:

Grinchum successfully downloaded his keylogger and has gathered the admin credentials!
We think he used PowerShell to find the Lembanh recipe and steal our secret ingredient.
Luckily, we enabled PowerShell auditing and have exported the Windows PowerShell logs to a flat text file.
Please help me analyze this file and answer my questions.
Ready to begin?
yes

We see the first question:

1. What month/day/year did the attack take place? For example, 09/05/2021.
12/24/2022

Using the Windows Event Viewer we export the evtx file to a plain text file. Then we group the events by date; be aware that the date regex depends on the system language, this example uses German language settings (day.month.year):

PS C:\Temp> Get-Content .\powershell.txt | Where-Object {$_ -match "[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{4}"} | ForEach-Object {($_ -split "\s+")[1]} | Group-Object

Count Name                      Group
----- ----                      -----
3540 24.12.2022                {24.12.2022, 24.12.2022, 24.12.2022, 24.12.2022...}
...
46 14.10.2022                {14.10.2022, 14.10.2022, 14.10.2022, 14.10.2022...}

The second question appears:

2. An attacker got a secret from a file. What was the original file's name?
Recipe

We'll sort the event log into reverse chronological order and keep it in $chrono. As we are looking for files, a search for variable assignments (lines starting with $) that mention Content is a good start:

PS C:\Temp> $chrono | Select-String "^\$" | Select-String "Content"

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo | Add-Content -Path 'recipe_updated.txt'
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo | Add-Content -Path 'Recipe'

The third question appears:

3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path

Let's look at the last line chronologically, i.e. the first one in our reverse-ordered output, that contains our keyword Recipe:

PS C:\Temp> $chrono | Select-String "^\$" | Select-String "Recipe"

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
...

The fourth question appears:

4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.
$foo | Add-Content -Path 'Recipe'

This can also be read from the output above. The fifth question appears:

5. The attacker ran the previous command against a file multiple times. What is the name of this file?
Recipe.txt

Same here. The sixth question appears:

6. Were any files deleted? (Yes/No)
Yes

Let's look for a del command:

PS C:\Temp> $chrono | Select-String "del "

del .\Recipe.txt
del .\recipe_updated.txt

The seventh question appears:

7. Was the original file (from question 2) deleted? (Yes/No)
No

The original file Recipe was not listed above. The eighth question appears:

8. What is the Event ID of the log that shows the actual command line used to delete the file?
4104

We'll print one line of context before and after each del command; in the reversed file the event header (with the Event ID) follows the script block text:

PS C:\Temp> $chrono | Select-String "del " -Context 1,1

> del .\Recipe.txt
  Ausführlich   24.12.2022 11:05:42     Microsoft-Windows-PowerShell    4104    Remotebefehl ausführen  "ScriptBlock-Text (1 von 1) wird erstellt:

> del .\recipe_updated.txt
  Ausführlich   24.12.2022 11:05:51     Microsoft-Windows-PowerShell    4104    Remotebefehl ausführen  "ScriptBlock-Text (1 von 1) wird erstellt:
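The steps above (grouping by date, reversing the export into chronological order, searching the script block text and reading the Event ID of the deletion) as one added PowerShell script; this is not code from the write-up. It assumes the flat file is an Event Viewer text export in the whitespace-separated format visible in the -Context output (level, date, time, source, Event ID, task, quoted message), and runs on a constructed three-event excerpt embedded in $sample.

```powershell
# Constructed excerpt in the German Event Viewer text-export format shown above
# (for a real export use: $lines = Get-Content .\powershell.txt).
$sample = @'
Ausführlich   24.12.2022 11:05:51     Microsoft-Windows-PowerShell    4104    Remotebefehl ausführen  "ScriptBlock-Text (1 von 1) wird erstellt:
del .\recipe_updated.txt

ScriptBlock-ID: 00000000-0000-0000-0000-000000000001"
Ausführlich   24.12.2022 11:05:42     Microsoft-Windows-PowerShell    4104    Remotebefehl ausführen  "ScriptBlock-Text (1 von 1) wird erstellt:
del .\Recipe.txt

ScriptBlock-ID: 00000000-0000-0000-0000-000000000002"
Ausführlich   24.12.2022 11:04:10     Microsoft-Windows-PowerShell    4104    Remotebefehl ausführen  "ScriptBlock-Text (1 von 1) wird erstellt:
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo | Add-Content -Path 'Recipe.txt'

ScriptBlock-ID: 00000000-0000-0000-0000-000000000003"
'@
$lines = $sample -split "`r?`n"

# A record starts with a header line (level, date, time, source, event ID, task, opening
# quote of the message); the message continues on the following lines until the next header.
$header = '^(?<level>\S+)\s+(?<date>\d{1,2}\.\d{1,2}\.\d{4}) (?<time>\d{2}:\d{2}:\d{2})\s+(?<source>\S+)\s+(?<id>\d+)\s+(?<task>.+?)\s+"(?<msg>.*)$'
$events = @(); $current = $null
foreach ($line in $lines) {
    if ($line -match $header) {
        $current = [pscustomobject]@{
            Time  = [datetime]::ParseExact("$($Matches.date) $($Matches.time)", 'dd.MM.yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
            Id    = [int]$Matches.id
            Lines = @($Matches.msg)
        }
        $events += $current
    } elseif ($current) { $current.Lines += $line }
}
# The export lists newest events first; sort oldest-first so "last" means last executed.
$chrono = $events | Sort-Object Time

# Script block text of 4104 events, stripped of the "ScriptBlock-Text ..." / "ScriptBlock-ID" framing.
$scriptLines = $chrono | Where-Object Id -eq 4104 | ForEach-Object {
    $evt = $_
    $evt.Lines | Where-Object { $_ -and $_ -notmatch '^ScriptBlock' } |
        ForEach-Object { [pscustomobject]@{ Time = $evt.Time; Id = $evt.Id; Text = $_ } }
}

# Q1: the day with the most script block activity.
$scriptLines | Group-Object { $_.Time.ToString('dd.MM.yyyy') } | Sort-Object Count -Descending | Select-Object -First 1 -Property Name, Count
# Q3: last line (chronologically) that reads the file, rewrites its content and stores it in a variable.
$scriptLines | Where-Object Text -match '^\$\w+\s*=\s*Get-Content.*-replace' | Select-Object -Last 1 -ExpandProperty Text
# Q6-8: deletions (del and the other Remove-Item aliases), with the event ID that recorded them.
$scriptLines | Where-Object Text -match '^\s*(del|erase|ri|rm|Remove-Item)\s' | Select-Object Time, Id, Text
```

Because each record keeps its own Event ID, the deletion lines come out together with 4104, which is what the -Context trick above recovers by hand.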

The ninth question appears:

9. Is the secret ingredient compromised (Yes/No)?
Yes

Let's look for secret ingredients:

PS C:\Temp> $chrono | Select-String "secret"

...
ParameterBinding(Out-Default): name=""InputObject""; value=""1/2 tsp honey (secret ingredient)""
...

PS C:\Temp> $chrono | Select-String "honey" | Select-String "replace"

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
...
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
...

The tenth question appears:

10. What is the secret ingredient?
honey

This can also be read from the output above.

We have solved that challenge and get the confirmation:
Find the Next Objective
Talk to Fitzy Shortstack for the next objective.

We get the following hints:

The Tome of Suricata Rules

This is the official source for Suricata rule creation!