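# Hunt across the collected Windows event logs with both the Sigma rule set (-s, mapped via the
# sigma-event-logs-all.yml mapping) and Chainsaw's own rules (-r); hits go to chainsaw.hunt.log.
logs=/home/nakul/Desktop/ctf/htb-sherlocks/ticktock/Collection/C/Windows/System32/winevt/logs
chainsaw hunt -s /opt/sigma --skip-errors -r /opt/chainsaw/rules -m /opt/chainsaw/mappings/sigma-event-logs-all.yml -o chainsaw.hunt.log "$logs/"

# Dump every log in the directory to JSON (one <name>.json per .evtx in the current directory).
# Iterate the glob instead of parsing `ls` output so file names containing spaces or glob
# characters are handled as single, intact arguments; every expansion is quoted for the same reason.
for log in "$logs"/*; do
  [[ -e "$log" ]] || continue   # no-match guard: the literal pattern is not a real file
  chainsaw dump --skip-errors -o "${log##*/}.json" --json "$log"
done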
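# Frequency table of Sysmon EventIDs in the dumped log, least to most common.
# grep reads the file directly (no useless `cat |`); a plain `sort` is all uniq -c needs to
# group identical lines, the numeric sort only matters for ordering the final counts.
grep -- EventID Microsoft-Windows-Sysmon%4Operational.evtx.json | sort | uniq -c | sort -n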
1 "EventID": 16,
1 "EventID": 4,
1 "EventID": 8,
6 "EventID": 15,
44 "EventID": 2,
76 "EventID": 5,
198 "EventID": 12,
296 "EventID": 1,
432 "EventID": 22,
448 "EventID": 3,
881 "EventID": 13,
1376 "EventID": 11,
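# Pretty-print every Sysmon Event ID 16 (ServiceConfigurationChange) record.
# The value is anchored with a following `,` or `}` so the pattern matches only 16 and not a
# longer ID that merely starts with 16; with `jq -c` each record is one line, so grep filters
# whole records. (A `jq select()` on the EventID field would be cleaner once the exact key path
# in the dump is confirmed.)
jq -c '.[]' Microsoft-Windows-Sysmon%4Operational.evtx.json | grep -E -- '"EventID":16[,}]' | jq .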
Sysmon Event ID 16 is ServiceConfigurationChange (the Sysmon configuration was changed).
This is where Sysmon was installed on the host.
Sysmon Event ID 22 is DnsQuery (DNS queries, field QueryName).
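# List the DNS names queried on the host: QueryName lives in Sysmon Event ID 22 (DnsQuery)
# records, so filter on 22 here — filtering on 16 (ServiceConfigurationChange) yields no
# QueryName lines. The value is anchored with `,`/`}` so only ID 22 matches, not e.g. 220.
jq -c '.[]' Microsoft-Windows-Sysmon%4Operational.evtx.json | grep -E -- '"EventID":22[,}]' | jq . | grep -- QueryName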
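# Pull every record that mentions PowerShell and pretty-print it. The match is case-insensitive
# because the binary name and the "Windows PowerShell" description differ in case across fields,
# and a lowercase-only grep would silently drop records that carry the mixed-case form.
# Look for `-e`/`-EncodedCommand` arguments in CommandLine: that value is base64 of UTF-16LE text.
jq -c '.[]' Microsoft-Windows-Sysmon%4Operational.evtx.json | grep -i -- powershell | jq .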
"Event": {
"EventData": {
"CommandLine": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e JABTAGUAYwB1AHIAZQBTAHQ
AcgBpAG4AZwAgAD0AIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAAIgByAGUAYQBsAGwAeQBsAG8AbgBnAH
AAYQBzAHMAdwBvAHIAZAAiACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQAKAEUAbgBhAGIAbABlAC0AQgBpAHQATABvA
GMAawBlAHIAIAAtAE0AbwB1AG4AdABQAG8AaQBuAHQAIAAiAEMAOgAiACAALQBFAG4AYwByAHkAcAB0AGkAbwBuAE0AZQB0AGgAbwBkACAAQQBl
AHMAMgA1ADYAIAAtAFUAcwBlAGQAUwBwAGEAYwBlAE8AbgBsAHkAIAAtAFAAaQBuACAAJABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwA=",
"Company": "Microsoft Corporation",
"CurrentDirectory": "C:\\Users\\gladys\\Desktop\\",
"Description": "Windows PowerShell",
Decoded command (the base64 argument given to powershell.exe -e, decoded as UTF-16LE) ->
$SecureString = ConvertTo-SecureString "reallylongpassword" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString
Answer 3 -> reallylongpassword