Terminal: Windows-Event-Logs

Tolkien Ring Area

Objectives

Recover the Tolkien Ring

Task 3: Windows Event Logs

Difficulty: 2/5 Christmas Trees
Description: Investigate the Windows event log mystery in the terminal or offline. Get hints for this challenge by typing hint in the upper panel of the Windows Event Logs terminal.

Terminal Details
Task: Analyze the PowerShell Event Log And Answer the Elf's Questions!
To help you complete your task, download the file from Dusty Giftwrap or use the command line to answer the questions.
Tips:
1. 'grep' is a very useful tool when completing terminal challenges.
2. Keep this link handy https://linuxcommand.org/lc3_man_pages/grep1.html
3. Each question may have hints. If you want another hint from the elf, just type 'hint' in the upper pane.
Solution
Grinchum successfully downloaded his keylogger and has gathered the admin credentials!
We think he used PowerShell to find the Lembanh recipe and steal our secret ingredient.
Luckily, we enabled PowerShell auditing and have exported the Windows PowerShell logs to a flat text file.
Please help me analyze this file and answer my questions.
Ready to begin?

To work with the downloaded file on macOS, first download the evtx_dump utility and run it on the powershell.evtx file to convert the binary event log into XML text that grep can search.

wget https://github.com/omerbenamram/evtx/releases/download/v0.8.0/evtx_dump-v0.8.0-x86_64-apple-darwin
chmod +x evtx_dump-v0.8.0-x86_64-apple-darwin
./evtx_dump-v0.8.0-x86_64-apple-darwin -f powershell.evtx.log powershell.evtx

Enter yes in the upper pane to continue to the first question.

1. What month/day/year did the attack take place? For example, 09/05/2021.

The logs seem to cover the time period between 10/13/2022 and 12/24/2022.

grep Time powershell.evtx.log | head
    <TimeCreated SystemTime="2022-10-13T23:12:29.944278Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-10-13T23:12:29.956578Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-10-13T23:12:30.018736Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-10-13T23:12:30.018899Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-10-13T23:12:30.582705Z">
    </TimeCreated>

grep Time powershell.evtx.log | tail
    <TimeCreated SystemTime="2022-12-24T18:44:53.865977Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-12-24T18:44:53.866204Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-12-24T18:44:53.866260Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-12-24T18:44:53.872977Z">
    </TimeCreated>
    <TimeCreated SystemTime="2022-12-24T18:44:53.874227Z">
    </TimeCreated>

Scrolling through the log file, there are references to Payload, which appear to be commands entered into a PowerShell session. There are 942 instances of Payload in the file.

Just below the first occurrence, Event Record 3 shows an actual command being run on the machine in the ScriptBlockText data field (Event ID 4104, script block logging). This occurred on 10/13/2022.

Record 3
<?xml version="1.0" encoding="utf-8"?>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-PowerShell" Guid="A0C1853B-5C40-4B15-8766-3CF1C58F985A">
    </Provider>
    <EventID>4104</EventID>
    <Version>1</Version>
    <Level>5</Level>
    <Task>2</Task>
    <Opcode>15</Opcode>
    <Keywords>0x0</Keywords>
    <TimeCreated SystemTime="2022-10-13T23:12:30.018736Z">
    </TimeCreated>
    <EventRecordID>495</EventRecordID>
    <Correlation ActivityID="54BDC5C1-F7AB-0000-23B3-BE54ABF7D801">
    </Correlation>
    <Execution ProcessID="1216" ThreadID="4080">
    </Execution>
    <Channel>Microsoft-Windows-PowerShell/Operational</Channel>
    <Computer>DESKTOP-R65OKRB</Computer>
    <Security UserID="S-1-5-21-3359507890-24144431-3438718502-1002">
    </Security>
  </System>
  <EventData>
    <Data Name="MessageNumber">1</Data>
    <Data Name="MessageTotal">1</Data>
    <Data Name="ScriptBlockText">ipconfig /all</Data>
    <Data Name="ScriptBlockId">bb3dc549-3b65-4b72-bf9b-4e69ec694880</Data>
    <Data Name="Path"></Data>
  </EventData>
</Event>

The initial lines of interest appear to be journal entries.

    <Data Name="ScriptBlockText">echo &quot;Oct 31 2022 `nHalloween is the worst holiday ever. Everything is so spooky! And some elves get way too into it, especially Smilegol this year. It&apos;s very unlike him. He&apos;s been acting kind of strange...&quot; &gt;&gt; mydiary.txt</Data>

    <Data Name="ScriptBlockText">echo &quot;P.S. `nDon&apos;t tell anybody, but I do like all the tasty candy we get. So I guess Halloween isn&apos;t all that bad.&quot; &gt;&gt; .\mydiary.txt</Data>

    <Data Name="ScriptBlockText">echo &quot;Nov 25 2022 `nI love Thanksgiving because it means Christmas is almost here! That&apos;s what I&apos;m thankful for this year... and every year. Smilegol was such a glutton at Thanksgiving dinner. He kept sticking his hand in everyone&apos;s food and yelling &apos;MY GERMS!&apos; and then coughing onto it with that yucky cough he has now. He&apos;s like a whole different elf lately. Everyone is really starting to become worried about him.&quot; &gt;&gt; mydiary.txt</Data>

    <Data Name="ScriptBlockText">echo &quot;Dec 18 2022 `nLembanh! Santa wants us to try making some this year. We searched everywhere for this recipe that&apos;s supposed to have the secret ingredient to really make it authentic. It&apos;s gonna be delicious, I&apos;m so excited!&quot; &gt;&gt; mydiary.txt</Data>

This is followed by what appears to be some initial enumeration commands.

    <Data Name="ScriptBlockText">ipconfig</Data>
    <Data Name="ScriptBlockText">pwd</Data>
    <Data Name="ScriptBlockText">whoami</Data>
    <Data Name="ScriptBlockText">cd..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd ..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd ..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd .\User\</Data>
    <Data Name="ScriptBlockText">{ Set-StrictMode -Version 1; $_.PSMessageDetails }</Data>
    <Data Name="ScriptBlockText">{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }</Data>
    <Data Name="ScriptBlockText">get-executionpolicy</Data>
    <Data Name="ScriptBlockText">Write-Host &apos;Final result: 1&apos;;</Data>
    <Data Name="ScriptBlockText">$global:?</Data>
    <Data Name="ScriptBlockText">ipconfig</Data>
    <Data Name="ScriptBlockText">pwd</Data>
    <Data Name="ScriptBlockText">whoami</Data>
    <Data Name="ScriptBlockText">cd..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd ..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd ..</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd .\User\</Data>
    <Data Name="ScriptBlockText">{ Set-StrictMode -Version 1; $_.PSMessageDetails }</Data>
    <Data Name="ScriptBlockText">{ Set-StrictMode -Version 1; $_.ErrorCategory_Message }</Data>
    <Data Name="ScriptBlockText">{ Set-StrictMode -Version 1; $_.OriginInfo }</Data>
    <Data Name="ScriptBlockText">cd .\Users\</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd &apos;.\Chris Massey\&apos;</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd .\Documents\</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cd .\HMI\</Data>
    <Data Name="ScriptBlockText">ls</Data>

This is followed by cat'ing out the contents of the Recipe file, replacing the honey ingredient with fish oil, and then deleting the temporary files created during the attack.

    <Data Name="ScriptBlockText">cat .\Recipe</Data>
    <Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_ -replace &apos;honey&apos;, &apos;fish oil&apos;} $foo | Add-Content -Path &apos;recipe_updated.txt&apos;</Data>
    <Data Name="ScriptBlockText">{$_ -replace &apos;honey&apos;, &apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cat .\recipe_updated.txt</Data>
    <Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_-replace &apos;honey&apos;,&apos;fish oil&apos;} $foo | Add-Content -Path &apos;recipe_updated.txt&apos;</Data>
    <Data Name="ScriptBlockText">{$_-replace &apos;honey&apos;,&apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">cat .\recipe_updated.txt</Data>
    <Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_-replace &apos;honey&apos;,&apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">{$_-replace &apos;honey&apos;,&apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">$foo | Add-Content -Path &apos;recipe_updated.txt&apos;</Data>
    <Data Name="ScriptBlockText">cat .\recipe_updated.txt</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">$foo | Add-Content -Path &apos;Recipe.txt&apos;</Data>
    <Data Name="ScriptBlockText">cat .\Recipe</Data>
    <Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_-replace &apos;honey&apos;,&apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">{$_-replace &apos;honey&apos;,&apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">$foo | Add-Content -Path &apos;Recipe.txt&apos;</Data>
    <Data Name="ScriptBlockText">cat .\Recipe</Data>
    <Data Name="ScriptBlockText">$foo = Get-Content .\Recipe| % {$_ -replace &apos;honey&apos;, &apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">{$_ -replace &apos;honey&apos;, &apos;fish oil&apos;}</Data>
    <Data Name="ScriptBlockText">$foo | Add-Content -Path &apos;Recipe.txt&apos;</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">$foo | Add-Content -Path &apos;Recipe&apos;</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">cat .\Recipe</Data>
    <Data Name="ScriptBlockText">ls</Data>
    <Data Name="ScriptBlockText">del .\Recipe.txt</Data>
    <Data Name="ScriptBlockText">del .\recipe_updated.txt</Data>
    <Data Name="ScriptBlockText">ls</Data>

Searching for cat .\Recipe in the full evtx file shows this event is Record 7409 and occurred on December 24th, 2022. Entering 12/24/2022 continues to the next question.
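The grep-and-scroll steps above can be scripted. The following is an added example, not part of the original writeup or the evtx_dump project: it parses evtx_dump's "Record N" XML output, decodes the XML entities (&apos; and friends) so script blocks read as typed, and answers the timeline, last-matching-line and deleted-file questions. The embedded log is constructed for the example; its record numbers mirror the writeup but the timestamps and ordering are made up.

```python
"""Parse evtx_dump XML output and query PowerShell 4104 script blocks."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(rid, ts, text, eid=4104):
    # Constructed event in the same shape as evtx_dump's "Record N" output.
    return (f'Record {rid}\n<?xml version="1.0" encoding="utf-8"?>\n'
            f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><EventRecordID>{rid}</EventRecordID>'
            f'</System><EventData><Data Name="ScriptBlockText">{text}</Data>'
            "</EventData></Event>\n")

# Constructed sample log: entity-escaped like the real dump, timestamps made up.
SAMPLE_LOG = "".join([
    _event(3, "2022-10-13T23:12:30.018736Z", "ipconfig /all"),
    _event(7409, "2022-12-24T18:41:02.000000Z", "cat .\\Recipe"),
    _event(7410, "2022-12-24T18:41:10.000000Z",
           "$foo = Get-Content .\\Recipe| % {$_ -replace &apos;honey&apos;, &apos;fish oil&apos;}"),
    _event(7411, "2022-12-24T18:41:15.000000Z", "$foo | Add-Content -Path &apos;Recipe&apos;"),
    _event(7936, "2022-12-24T18:44:53.865977Z", "del .\\Recipe.txt"),
    _event(7937, "2022-12-24T18:44:53.874227Z", "del .\\recipe_updated.txt"),
])

def parse_records(dump_text):
    """Return (record_id, timestamp, event_id, script_block_text) per event."""
    out = []
    for chunk in re.split(r"^Record \d+\n", dump_text, flags=re.M)[1:]:
        root = ET.fromstring(re.sub(r"<\?xml[^>]*\?>", "", chunk).strip())
        sysn = root.find("e:System", NS)
        data = root.find("e:EventData/e:Data[@Name='ScriptBlockText']", NS)
        out.append((int(sysn.find("e:EventRecordID", NS).text),
                    sysn.find("e:TimeCreated", NS).get("SystemTime"),
                    int(sysn.find("e:EventID", NS).text),
                    data.text if data is not None else ""))  # ET unescapes entities
    return out

def time_range(records):
    """Question 1: first and last TimeCreated, formatted MM/DD/YYYY."""
    ts = sorted(r[1] for r in records)
    def mdy(s):
        y, m, d = s[:10].split("-")
        return f"{m}/{d}/{y}"
    return mdy(ts[0]), mdy(ts[-1])

def last_script_block(records, pattern):
    """Questions 3, 4 and 8: the last record whose script block matches a regex."""
    hits = [r for r in records if re.search(pattern, r[3])]
    return hits[-1] if hits else None

def deleted_files(records):
    """Questions 6 and 7: file names passed to del / rm / Remove-Item."""
    return [m.group(1) for r in records
            for m in [re.match(r"^(?:del|rm|Remove-Item)\s+(\S+)", r[3], re.I)] if m]
```

Run it against a real dump with `parse_records(open("powershell.evtx.log").read())`; the same functions then answer the questions on the full 942-payload file.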

2. An attacker got a secret from a file. What was the original file's name?

As seen earlier, the secret ingredient was located in the file named Recipe. Entering this continues to the next question.

3. The contents of the previous file were retrieved, changed, and stored to a variable by the attacker. This was done multiple times. Submit the last full PowerShell line that performed only these actions.

The last full line meeting these conditions is:

$foo = Get-Content .\Recipe| % {$_ -replace &apos;honey&apos;, &apos;fish oil&apos;}

This line has a space after the comma between honey and fish oil, while the other line entries do not. After converting the XML entities (&apos;) back to plain quotes, the line entered into the upper pane is:

$foo = Get-Content .\Recipe| % {$_ -replace 'honey', 'fish oil'} $foo | Add-Content -Path 'recipe_updated.txt'

Entering the above line continues to the next question.

4. After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. This was done multiple times. Submit the last full PowerShell line that performed only this action.

As seen earlier, the last occurrence of this command was:

$foo | Add-Content -Path &apos;Recipe&apos;

After converting the XML entities back to plain quotes, the line is:

$foo | Add-Content -Path 'Recipe'

Entering the above line continues to the next question.

5. The attacker ran the previous command against a file multiple times. What is the name of this file?

As seen earlier, the name of this file is Recipe.txt. Entering this filename in the upper pane continues to the next question.

6. Were any files deleted? (Yes/No)

As seen earlier, files were deleted. Entering Yes continues to the next question.

7. Was the original file (from question 2) deleted? (Yes/No)

As seen in the commands listed above, this file was not deleted. Entering No continues to the next question.

8. What is the Event ID of the log that shows the actual command line used to delete the file?

Record 7936 shows this event. It can be easily found by searching for the string del . within the full log file. The Event ID is 4104 (PowerShell script block logging, the same ID as every ScriptBlockText record above). Entering this ID continues to the next question.

9. Is the secret ingredient compromised (Yes/No)?

As seen in the commands listed above, the secret ingredient was changed, therefore it has been compromised. Enter Yes to continue to the next question.

10. What is the secret ingredient?

Searching the full log file for cat .\Recipe returns Record 7409. Scrolling down, Records 7410, 7411, and 7412 provide further events related to the execution of this command. Record 7413 provides the output of the command. The full original Recipe file can be seen below.

Recipe from Mixolydian, the Queen of Dorian
Lembanh Original Recipe

2 1/2 all purpose flour
1 Tbsp baking powder
1/4 tsp salt
1/2 c  butter
1/3 c brown sugar
1 tsp cinnamon
1/2 tsp honey (secret ingredient)
2/3 c heavy whipping cream
1/2 tsp vanilla extract

Preheat oven to 425F. Mix the flour, baking powder and salt into a large bowl. Add the butter and mix with a well till fine granules (easiest way is with an electric mixer). Then add the sugar and cinnamon, and mix them thoroughly.

Finally add the cream, honey, and vanilla and stir them in with a fork until a nice, thick dough forms.

Roll the dough out about 1/2 in thickness. Cut out 3-inch squares and transfer the dough to a cookie sheet. Criss-cross each square from corner-to-corner with a knife, lightly (not cutting through the dough).

Bake for about 12 minutes or more (depending on the thickness of the bread) until it is set and lightly golden.

Let cool completely before eating, this bread tastes better room temperature and dry. Also for more flavor you can add more cinnamon or other spices.

Entering honey in the upper pane completes the task.
