My job is to look through Event Logs and locate something suspicious.
The answer format is: W0rd{s0me-very-0bscur3-gu1d-5tr1ng}.
I started off by downloading the material. It was an .evtx file. I use Linux, so I had to find a way to read the file. I ended up finding https://github.com/omerbenamram/evtx. I was now able to read the file:
I think my first step should be locating any USB activity on the system. I can then try to drill down on the location where the malicious event is occurring. I was doing research and stumbled upon https://www.csoonline.com/article/3561889/the-most-important-windows-10-security-event-log-ids-to-monitor.html. There they mention looking for the following IDs: 1936, 1937, 1938. I searched for 1936 (./evtx_dump-v0.8.1-x86_64-unknown-linux-gnu WinEvents.evtx | grep "1936" -A 30 -B 15) and ended up getting the following:
At the bottom, I noticed a Binary tag with a hexadecimal string. I entered the string online, and the output was the following: SystemEventsBroker/4. I think I might be onto something here. My plan now is to look for more binary strings. Searching just for the "Binary" tag ended with me getting 1525 results. I want to write a bash command that will decode all of this line by line for me. I ended up using ./evtx_dump-v0.8.1-x86_64-unknown-linux-gnu WinEvents.evtx | grep "Binary" | sed -e 's/<Binary>//g' -e 's/<\/Binary>//g' | xxd -r -p. The output was a chunk of data:
This is human-readable, so I need to drill down on what I am actually looking for. I did not see anything too usable from that. I went back to the same article I mentioned previously and ran the command ./evtx_dump-v0.8.1-x86_64-unknown-linux-gnu WinEvents.evtx | grep "1102" -A 20 -B 20. I then saw something interesting in the output:
I notice that Windows Explorer is being used here. By looking around, I ended up finding a host that might be the victim: WIN-BPIG0DE7217. At this point, I was just searching around to see what I can find, with no strategy, if I am being honest. I did see winlogon being used 2 times:
There seems to be a base64-encoded string in this command. I used the command line to base64 decode this one as well...but the result turned out not to be human-readable. I then assumed it was a command you can run in PowerShell and see the output. I used https://tio.run/#powershell and got the flag:
The flag was H4ckt0ria{a24304dd-1209-4f2f-a926-a3a1140f3989}.
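Both decoding steps above (the hex in the Binary tags and the base64 in the PowerShell command line) trip over the same detail: Windows stores that text as UTF-16LE, so every character is followed by a NUL byte and a plain hex or base64 decode looks like garbage. The script below is an added example, not part of the original writeup or of evtx_dump; it reads evtx_dump-style XML, decodes every Binary element as UTF-16LE text, and decodes any -EncodedCommand argument the same way. The XML records are constructed samples, not records from the challenge file.

```python
import base64
import re

# Constructed sample in the shape of evtx_dump's XML output; these records are
# not from the challenge file. The <Binary> payload is the UTF-16LE encoding of
# "SystemEventsBroker/4" and the -enc argument is the UTF-16LE base64 of "whoami".
SAMPLE_XML = """
<Event><System><EventID>1936</EventID></System>
<EventData><Binary>530079007300740065006D004500760065006E0074007300420072006F006B00650072002F0034000000</Binary></EventData></Event>
<Event><System><EventID>4688</EventID></System>
<EventData><Data Name="CommandLine">powershell.exe -NoP -W Hidden -enc dwBoAG8AYQBtAGkA</Data></EventData></Event>
"""

BINARY_RE = re.compile(r"<Binary>([0-9A-Fa-f]+)</Binary>")
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob (case-insensitive)
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def utf16le_text(raw: bytes) -> str:
    """Decode a Windows UTF-16LE payload, dropping NUL terminators and padding."""
    return raw.decode("utf-16-le", errors="replace").rstrip("\x00")


def decode_binary_fields(xml_text: str) -> list[str]:
    """Hex-decode every <Binary> element and treat the bytes as UTF-16LE text.
    This replaces the grep | sed | xxd -r -p pipeline, which prints the raw
    bytes with the interleaved NULs that make the output hard to read."""
    return [utf16le_text(bytes.fromhex(h)) for h in BINARY_RE.findall(xml_text)]


def decode_encoded_commands(xml_text: str) -> list[str]:
    """Find PowerShell -EncodedCommand arguments and recover the script text.
    The argument is base64 over UTF-16LE, so a plain base64 decode yields bytes
    interleaved with NULs; decoding as UTF-16LE gives the actual command."""
    found = []
    for blob in ENCODED_RE.findall(xml_text):
        try:
            found.append(utf16le_text(base64.b64decode(blob, validate=True)))
        except ValueError:
            continue  # not valid base64: skip this match instead of aborting the sweep
    return found


if __name__ == "__main__":
    for text in decode_binary_fields(SAMPLE_XML):
        print("Binary:", text)
    for cmd in decode_encoded_commands(SAMPLE_XML):
        print("Encoded command:", cmd)
```

Running it against the real dump (./evtx_dump-v0.8.1-x86_64-unknown-linux-gnu WinEvents.evtx > events.xml, then feeding events.xml to these functions) replaces both the online hex decoder and the tio.run step with an offline decode.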