Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.
Let's open the terminal:
Grinchum successfully downloaded his keylogger and has gathered the admin credentials!
We think he used PowerShell to find the Lembanh recipe and steal our secret ingredient.
Luckily, we enabled PowerShell auditing and have exported the Windows PowerShell logs to a flat text file.
Please help me analyze this file and answer my questions.
Ready to begin?
yes
We see the first question:
1. What month/day/year did the attack take place? For example, 09/05/2021.
12/24/2022
Using Windows Events we convert the evtx file to a plain txt file. Then we group the events by date. Be aware that the regex depends on the locale of the machine that exported the log; this example uses German language settings:
PS C:\Temp> Get-Content .\powershell.txt | Where-Object {$_ -match "[0-9]{1,2}\.[0-9]{1,2}\.[0-9]{4}"} | ForEach-Object {($_ -split "\s+")[1]} | Group-Object
Count Name Group
----- ---- -----
3540 24.12.2022 {24.12.2022, 24.12.2022, 24.12.2022, 24.12.2022...}
...
46 14.10.2022 {14.10.2022, 14.10.2022, 14.10.2022, 14.10.2022...}
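The grouping above works because the export lists the date as the second whitespace-separated field of every record header line. The following added example (not the writeup's own code) does the same count with explicit culture-aware date parsing, so it does not depend on one locale's regex, and then builds the reverse-chronological line array that the later queries call `$chrono`. The file name `powershell.txt` is the one on the page; the header layout (`<Level> <dd.MM.yyyy> <HH:mm:ss> <Provider> <EventId> <Task> <Message>`) is inferred from the German-locale lines shown later in the writeup, and the sample lines are constructed.

```powershell
# Added example, not code from the writeup. Replace $lines with
#   $lines = Get-Content .\powershell.txt
# to run it against the real export; the lines below are constructed.
$lines = @'
Ausführlich 14.10.2022 09:12:03 Microsoft-Windows-PowerShell 4103 Befehl ausführen "CommandInvocation(Get-Content): ""Get-Content"""
Ausführlich 24.12.2022 11:04:10 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
Ausführlich 24.12.2022 11:05:42 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
del .\Recipe.txt
'@ -split "`r?`n"

# The day/month order in the export follows the locale of the exporting
# machine; pass that culture explicitly instead of guessing with a regex.
$culture = [System.Globalization.CultureInfo]::GetCultureInfo('de-DE')

function Get-RecordDates {
    param([string[]]$Lines, [System.Globalization.CultureInfo]$Culture)
    foreach ($line in $Lines) {
        $fields = $line -split '\s+'
        if ($fields.Count -lt 3) { continue }
        # Only record header lines carry a date in the second field; message
        # continuation lines (script text, parameter bindings) are skipped.
        $parsed = [datetime]::MinValue
        if ([datetime]::TryParseExact($fields[1], 'dd.MM.yyyy', $Culture,
                [System.Globalization.DateTimeStyles]::None, [ref]$parsed)) {
            $parsed.Date
        }
    }
}

# Records per day: the day with by far the most activity is the attack day
# (question 1). Dates are emitted as DateTime objects, so they sort correctly.
Get-RecordDates -Lines $lines -Culture $culture |
    Group-Object |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# The export is oldest-first. Reversing the lines gives the newest activity
# at the top, which is what the later $chrono queries in the writeup rely on
# (assumption: $chrono is exactly the line-reversed export).
$chrono = [string[]]$lines.Clone()
[array]::Reverse($chrono)
$chrono | Select-Object -First 3
```

Because the lines are reversed one by one, a record's header line now appears after its script text, which is why the `Select-String -Context 1,1` output later in the writeup shows the `4104` header line below the `del` line it belongs to.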
The second question appears:
2. An attacker got a secret from a file. What was the original file's name?
Recipe
We sort the event log in reverse chronological order into $chrono. As we are looking for files, a search for variable assignments (lines starting with $) combined with Content is a good starting point:
PS C:\Temp> $chrono | Select-String "^\$" | Select-String "Content"
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo | Add-Content -Path 'recipe_updated.txt'
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_-replace 'honey','fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
$foo | Add-Content -Path 'Recipe.txt'
$foo | Add-Content -Path 'Recipe'
The third question appears:
3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path
Let's look at the last line (the first one in our reverse chronological order) which contains our keyword Recipe:
PS C:\Temp> $chrono | Select-String "^\$" | Select-String "Recipe"
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path
'recipe_updated.txt'
...
The fourth question appears:
4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.
$foo | Add-Content -Path 'Recipe'
This can also be evaluated from the output above. The fifth question appears:
5. The attacker ran the previous command against a file multiple times. What is the name of this file?
Recipe.txt
Same here. The sixth question appears:
6. Were any files deleted? (Yes/No)
Yes
Let's look for a del command:
PS C:\Temp> $chrono | Select-String "del "
del .\Recipe.txt
del .\recipe_updated.txt
The seventh question appears:
7. Was the original file (from question 2) deleted? (Yes/No)
No
The original file Recipe was not listed above. The eighth question appears:
8. What is the Event ID of the log that shows the actual command line used to delete the file?
4104
We'll print one line before and after the del command:
PS C:\Temp> $chrono | Select-String "del " -Context 1,1
> del .\Recipe.txt
Ausführlich 24.12.2022 11:05:42 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
> del .\recipe_updated.txt
Ausführlich 24.12.2022 11:05:51 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
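Reading the event ID off a context line works for two hits, but it is fragile once records span several lines. The following added example (not the writeup's own code) parses the flat export into one object per record, keeping the header fields and all continuation lines together, and then answers the deletion questions from those objects: which records carry the literal command text (Event ID 4104, script block logging), when each deletion ran, and what was deleted. The header layout is the same assumption as above, inferred from the German-locale lines on the page; the sample is constructed.

```powershell
# Added example, not code from the writeup. Use
#   $lines = Get-Content .\powershell.txt
# for the real export; the lines below are constructed.
$lines = @'
Ausführlich 24.12.2022 11:04:10 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
Ausführlich 24.12.2022 11:04:11 Microsoft-Windows-PowerShell 4103 Befehl ausführen "CommandInvocation(Out-Default): ""Out-Default"""
ParameterBinding(Out-Default): name=""InputObject""; value=""1/2 tsp honey (secret ingredient)""
Ausführlich 24.12.2022 11:05:42 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
del .\Recipe.txt
Ausführlich 24.12.2022 11:05:51 Microsoft-Windows-PowerShell 4104 Remotebefehl ausführen "ScriptBlock-Text (1 von 1) wird erstellt:
del .\recipe_updated.txt
'@ -split "`r?`n"

# A record header: level, date, time, provider, event id, remainder of the line.
$headerPattern = '^(?<level>\S+)\s+(?<date>\d{1,2}\.\d{1,2}\.\d{4})\s+(?<time>\d{2}:\d{2}:\d{2})\s+(?<provider>\S+)\s+(?<id>\d+)\s+(?<rest>.*)$'

function ConvertTo-EventRecord {
    param([string[]]$Lines)
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match $headerPattern) {
            if ($current) { $current }   # emit the previous, now complete, record
            $current = [pscustomobject]@{
                Time     = [datetime]::ParseExact("$($Matches.date) $($Matches.time)",
                               'dd.MM.yyyy HH:mm:ss', [cultureinfo]::InvariantCulture)
                EventId  = [int]$Matches.id
                Provider = $Matches.provider
                Body     = [System.Collections.Generic.List[string]]::new()
            }
            $current.Body.Add($Matches.rest)
        }
        elseif ($current) {
            # Continuation line: script block text or parameter binding details.
            $current.Body.Add($line)
        }
    }
    if ($current) { $current }
}

$records = ConvertTo-EventRecord -Lines $lines

# Deletions: del is an alias of Remove-Item, so match the cmdlet and its
# aliases. Only 4104 records contain the literal command text; 4103 records
# describe pipeline execution and parameter bindings instead.
$deletePattern = '^\s*(del|erase|rm|ri|Remove-Item)\b'
$records |
    Where-Object { $_.EventId -eq 4104 -and ($_.Body | Where-Object { $_ -match $deletePattern }) } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.Time
            EventId = $_.EventId
            Command = ($_.Body | Where-Object { $_ -match $deletePattern }) -join '; '
        }
    } |
    Sort-Object Time |
    Format-Table -AutoSize
```

With the records as objects, the same data answers the earlier questions too: filtering `Body` for `secret` hits the 4103 parameter-binding record that leaks the plaintext recipe line, and comparing the set of deleted paths against the file read by `Get-Content` shows directly that `Recipe` itself was never removed.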
The ninth question appears:
9. Is the secret ingredient compromised (Yes/No)?
Yes
Let's look for secret ingredients:
PS C:\Temp> $chrono | Select-String "secret"
...
ParameterBinding(Out-Default): name=""InputObject""; value=""1/2 tsp honey (secret ingredient)""
...
PS C:\Temp> $chrono | Select-String "honey" | Select-String "replace"
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'
...
$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'}
...
The tenth question appears:
10. What is the secret ingredient?
honey
This can also be evaluated from the output above.
We have solved that challenge and get the confirmation:
Find the Next Objective
Talk to Fitzy Shortstack for the next objective.
We get the following hints:
This is the official source for Suricata rule creation!