Hack The Box - Sherlocks\Logjammer
Sherlocks are defensive investigatory scenarios within Hack the Box’s Dedicated Labs, designed enhance digital forensics and incident response (DFIR) capabilities, provide a deeper understanding of security tools and technologies, improved ability to prioritize during real investigations and proficiency in technical analysis. This writeup is for Logjammer (DFIR easy), aimed at familiriazing with Windows Event log analysis.
Sherlock Information
Scenario
Forela-Security, a consultancy firm has prepared a technical assessment to evalue proficiency in Windows Event Log Analysis. The scenario is structured to test a DFIR consultant’s ability to scrutinize, interpret and report on specific event logs provided.
Artifacts
- Logjammer/System.evtx
- Logjammer/Powershell-Operational.evtx
- Logjammer/Security.evtx
- Logjammer/Windows Firewall-Firewall.evtx
- Logjammer/Windows Defender-Operational.evtx
Initial Review and Inference
Artifact Review and Research
Windows Event Log files with the .evtx extension store records of system, application, and security events on Windows operating systems. System.evtx (often found in %SystemRoot%\System32\Winevt\Logs) is an event log file that records system-level events from Windows components including device drivers, hardware changes and system services. Powershell-Operational.evtx (often found in %SystemRoot%\System32\Winevt\Logs) similarily contains details about Powershell activity including script execution, module loading and command invocation.
Security.evtx, Windows Firewall-Firewall.evtx and Windows Defender-Operational.evtx all log security related events, however they focus on different aspects of Windows security system. Security event log file primarily logs user authentication, access control and system auditing (logons/logoff events, privilege escalation, file and object access, policy changes). Windows Firewall event log file similarily primarily logs network traffic and communication (allowed/blocked inbound & outbound connections, changes to firewall rules, dropped packets due to security policies, application-specific network restrictions). Windoes Defender event log file primarily focuses on malware and threat detection (malware detections and actions taken, scanning results, threat remediation status). Each log plays a crucial role in defense-in-depth security monitoring. By correlating events across these logs, security teams can better detect, investigate, and respond to threats!
All the referenced evtx files are binary and evtx_dump utility can be used to prepare txt file for analysis on a Linux Distro. The utility is part of the python-evtx library, and is a python script designed to parse and extract data from Windows Event Log(.evtx) files. The command evtx_dump.py file.evtx > file_evtx.txt is used to convert the contents of the binary file to readable txt file for further analysis.
Tasks
Task 1: When did the cyberjunkie user first successfully log into his computer?
Security.evtx file contains logons/logoff events with Event ID 4624 corresponding to successful login. We can use the referenced awk file analysis of security_evtx.txt file to identify the first successful login
Awk File analysis for successful login
awk '
BEGIN {
RS="</Event>";
FS="\n";
IGNORECASE=1;
print "=== Login Events (4624) for CyberJunkie ===\n"
}
/4624/ && /CyberJunkie/ {
found_event = 0
event_output = ""
# Find the TimeCreated and EventID
for (i=1; i<=NF; i++) {
if (match($i, /<TimeCreated SystemTime="[^"]+"/)) {
event_output = $i "\n"
}
if (match($i, /<EventID Qualifiers="">4624<\/EventID>/)) {
found_event = 1
event_output = event_output $i "\n"
}
}
# Get all Data fields if we found EventID 4624
if (found_event) {
print "\n---New Event---\n"
print event_output
for (i=1; i<=NF; i++) {
if (match($i, /<Data Name="[^"]*">[^<]+<\/Data>/)) {
print $i
}
}
}
}
' security_evtx.txt
# Output of the above command execution
=== Login Events (4624) for CyberJunkie ===
---New Event---
<TimeCreated SystemTime="2023-03-27 14:37:09.879890"></TimeCreated>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-887GK2L$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="TargetUserSid">S-1-5-21-3393683511-3463148672-371912004-1001</Data>
<Data Name="TargetUserName">CyberJunkie</Data>
<Data Name="TargetDomainName">DESKTOP-887GK2L</Data>
<Data Name="TargetLogonId">0x0000000000025f28</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DESKTOP-887GK2L</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000000570</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0000000000025f9f</Data>
<Data Name="ElevatedToken">%%1842</Data>
---New Event---
<TimeCreated SystemTime="2023-03-27 14:37:09.879940"></TimeCreated>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-887GK2L$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="TargetUserSid">S-1-5-21-3393683511-3463148672-371912004-1001</Data>
<Data Name="TargetUserName">CyberJunkie</Data>
<Data Name="TargetDomainName">DESKTOP-887GK2L</Data>
<Data Name="TargetLogonId">0x0000000000025f9f</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DESKTOP-887GK2L</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000000570</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0000000000025f28</Data>
<Data Name="ElevatedToken">%%1843</Data>
---New Event---
<TimeCreated SystemTime="2023-03-27 14:38:32.937424"></TimeCreated>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-887GK2L$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="TargetUserSid">S-1-5-21-3393683511-3463148672-371912004-1001</Data>
<Data Name="TargetUserName">CyberJunkie</Data>
<Data Name="TargetDomainName">DESKTOP-887GK2L</Data>
<Data Name="TargetLogonId">0x000000000022b1af</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DESKTOP-887GK2L</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000000570</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x000000000022b1df</Data>
<Data Name="ElevatedToken">%%1842</Data>
---New Event---
<TimeCreated SystemTime="2023-03-27 14:38:32.937458"></TimeCreated>
<EventData><Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">DESKTOP-887GK2L$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x00000000000003e7</Data>
<Data Name="TargetUserSid">S-1-5-21-3393683511-3463148672-371912004-1001</Data>
<Data Name="TargetUserName">CyberJunkie</Data>
<Data Name="TargetDomainName">DESKTOP-887GK2L</Data>
<Data Name="TargetLogonId">0x000000000022b1df</Data>
<Data Name="LogonType">2</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">DESKTOP-887GK2L</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x0000000000000570</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">127.0.0.1</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">-</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x000000000022b1af</Data>
<Data Name="ElevatedToken">%%1843</Data>
Task 2: The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?
Firewall Event IDs 2004/2005 correspond to Firewall rule added/changed and we can employ a malicious keyword search to further pivot over looking through all events. Referenced is an awk file analysis of firewall_evtx.txt file to identify potentially malicious events
Awk File keyword analysis for suspicious firewall rules
awk '
BEGIN {
RS="</Event>";
FS="\n";
IGNORECASE=1;
# Common suspicious keywords
split("metasploit,backdoor,bypass,c2,command,control,remote,shell,tunnel,bind,reverse,payload,exploit,malware,rat,trojan,hack", suspicious, ",")
print "=== Potentially Malicious Firewall Rules (Event ID 2004/2005) ===\n"
}
/EventID.*(2004|2005)/ {
rulename = ""
timestamp = ""
direction = ""
action = ""
profiles = ""
eventid = ""
# Extract fields
for (i=1; i<=NF; i++) {
if (match($i, /<EventID.*>([^<]+)/, e)) eventid = e[1]
if (match($i, /<TimeCreated SystemTime="([^"]+)"/, t)) timestamp = t[1]
if (match($i, /<Data Name="RuleName">([^<]+)/, r)) rulename = r[1]
if (match($i, /<Data Name="Direction">([^<]+)/, d)) direction = d[1]
if (match($i, /<Data Name="Action">([^<]+)/, a)) action = a[1]
if (match($i, /<Data Name="Profiles">([^<]+)/, p)) profiles = p[1]
}
# Check rulename against suspicious keywords
for (s in suspicious) {
if (tolower(rulename) ~ suspicious[s]) {
if (!(rulename SUBSEP eventid in seen)) {
seen[rulename SUBSEP eventid] = 1
print "SUSPICIOUS RULE FOUND:"
print "Rule Name:", rulename
print "Event:", (eventid == "2004" ? "Created" : "Modified")
print "Timestamp:", timestamp
if (direction) print "Direction:", (direction == "2" ? "Outbound" : "Inbound")
if (action) print "Action:", (action == "3" ? "Allow" : "Block")
if (profiles) print "Applies to All Profiles:", (profiles == "2147483647" ? "Yes" : "No")
print "Matched keyword:", suspicious[s]
print "---\n"
}
break
}
}
}
' firewall_evtx.txt
# Output of the above command execution
=== Potentially Malicious Firewall Rules (Event ID 2004/2005) ===
SUSPICIOUS RULE FOUND:
Rule Name: @{Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy?ms-resource://Microsoft.AccountsControl/Resources/DisplayName}
Event: Created
Timestamp: 2023-02-01 00:59:09.123047
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: control
---
SUSPICIOUS RULE FOUND:
Rule Name: @{Microsoft.Windows.CallingShellApp_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-resource://WindowsInternal.Shell.Experiences.Calling/resources/AppDisplayName}
Event: Created
Timestamp: 2023-02-01 00:59:09.816219
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: shell
---
SUSPICIOUS RULE FOUND:
Rule Name: @{Microsoft.Windows.ParentalControls_1000.19041.1023.0_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ParentalControls/resources/DisplayName}
Event: Created
Timestamp: 2023-02-01 00:59:10.893904
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: control
---
SUSPICIOUS RULE FOUND:
Rule Name: @{Microsoft.Windows.NarratorQuickStart_10.0.19041.1023_neutral_neutral_8wekyb3d8bbwe?ms-resource://Microsoft.Windows.NarratorQuickStart/Resources/AppDisplayName}
Event: Created
Timestamp: 2023-02-01 00:59:11.046520
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: rat
---
SUSPICIOUS RULE FOUND:
Rule Name: ByteCodeGeneration
Event: Created
Timestamp: 2023-02-01 00:59:13.739763
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: rat
---
SUSPICIOUS RULE FOUND:
Rule Name: @{Microsoft.Windows.ShellExperienceHost_10.0.19041.1949_neutral_neutral_cw5n1h2txyewy?ms-resource://Microsoft.Windows.ShellExperienceHost/resources/PkgDisplayName}
Event: Created
Timestamp: 2023-03-22 08:23:08.593330
Direction: Inbound
Action: Block
Applies to All Profiles: Yes
Matched keyword: shell
---
SUSPICIOUS RULE FOUND:
Rule Name: Metasploit C2 Bypass
Event: Created
Timestamp: 2023-03-27 14:44:43.415701
Direction: Outbound
Action: Allow
Applies to All Profiles: Yes
Matched keyword: metasploit
---
Task 3: Whats the direction of the firewall rule?
Reviewing the Metasploit C2 Bypass event from the previous command, we observe direction as 2 which corresponds to outbound connection as opposed to 1 that corresponds to inbound connections.
Task 4: The user changed audit policy of the computer. Whats the Subcategory of this changed policy?
Audit policy changes are security-relevant events and should be logged through security.evtx file, primarily Event ID 4719 (System audit policy change). Pivoting off of security.evtx extracted events file through grep -B1 -A22 '<EventID Qualifiers="">4719</EventID>' security_evtx.txt we observe Category ID %%8274(Object Access), Subcategory ID %%12804(Other Object Access Events) and AuditPolicyChanges %%8449(Success Added).
The above log can be interpreted as SYSTEM account (SubjectUserSid of S-1-5-18) modified the audit policy to enable successful event loggin for “Other Object Access Events” under the “Object Access” category, thereby recording successful access attempts to objects that don’t fall under more specific auditing categories.
Task 5: The user “cyberjunkie” created a scheduled task. Whats the name of this task?
Scheduled Task creation, modification and deletion events are logged in Security Event Log. The relevant IDs are 4698/4699(Scheduled task created/deleted), 4700/4701(Scheduled task enabled/disabled) and 4702(Scheduled task was updated). Pivoting off of security.evtx extracted events file through grep -B 1 -A 40 "<EventID Qualifiers=\"\">4698</EventID>" security_evtx.txt | grep -C 22 "CyberJunkie" | grep TaskName we observe TaskName as HTB-AUTOMATION.
Task 6: Whats the full path of the file which was scheduled for the task?
Reviewing the corresponding scheduled task creation event identified through the previous grep command, we observe the path as C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1
Scheduled task creation event
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4698</EventID>
<Version>1</Version>
<Level>0</Level>
<Task>12804</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2023-03-27 14:51:21.481720"></TimeCreated>
<EventRecordID>13103</EventRecordID>
<Correlation ActivityID="{986a053f-60b9-0002-5b05-6a98b960d901}" RelatedActivityID=""></Correlation>
<Execution ProcessID="780" ThreadID="4180"></Execution>
<Channel>Security</Channel>
<Computer>DESKTOP-887GK2L</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-3393683511-3463148672-371912004-1001</Data>
<Data Name="SubjectUserName">CyberJunkie</Data>
<Data Name="SubjectDomainName">DESKTOP-887GK2L</Data>
<Data Name="SubjectLogonId">0x0000000000025f28</Data>
<Data Name="TaskName">\HTB-AUTOMATION</Data>
<Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<RegistrationInfo>
<Date>2023-03-27T07:51:21.4599985</Date>
<Author>DESKTOP-887GK2L\CyberJunkie</Author>
<Description>practice</Description>
<URI>\HTB-AUTOMATION</URI>
</RegistrationInfo>
<Triggers>
<CalendarTrigger>
<StartBoundary>2023-03-27T09:00:00</StartBoundary>
<Enabled>true</Enabled>
<ScheduleByDay>
<DaysInterval>1</DaysInterval>
</ScheduleByDay>
</CalendarTrigger>
</Triggers>
<Principals>
<Principal id="Author">
<RunLevel>LeastPrivilege</RunLevel>
<UserId>DESKTOP-887GK2L\CyberJunkie</UserId>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>false</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>P3D</ExecutionTimeLimit>
<Priority>7</Priority>
</Settings>
<Actions Context="Author">
<Exec>
<Command>C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1</Command>
<Arguments>-A cyberjunkie@hackthebox.eu</Arguments>
</Exec>
</Actions>
</Task></Data>
<Data Name="ClientProcessStartKey">4222124650660162</Data>
<Data Name="ClientProcessId">9320</Data>
<Data Name="ParentProcessId">6112</Data>
<Data Name="RpcCallClientLocality">0</Data>
<Data Name="FQDN">DESKTOP-887GK2L</Data>
</EventData>
</Event>
Task 7: What are the arguments of the command?
Similarly, reviewing the event as referenced in previous task we observe the argument as “-A cyberjunkie@hackthebox.eu” which potentially appears to be an email parameter. Reviewing the command and argument, the scheduled task appears to be possibly an automation for HackTheBox for automated interactions or submissions to the platform.
Task 8: The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?
Reference to antivirus can be infered as a prompt to review the Microsoft Defender event log. Reviewing Defender Event IDs documentation, we observe Event IDs 1116 and 1117 corresponding to MALWARE_DETECTED and MALWARE_ACTION_TAKEN respectively. Referenced is an awk file analysis of defender_evtx.txt file to identify potentially malicious events.
Defender detections awk analysis
awk '
BEGIN {
RS="</Event>";
FS="\n";
IGNORECASE=1;
print "=== Windows Defender Events (1116/1117) and Associated Threats ===\n"
}
/111[67]/ {
found_threat = 0
event_info = ""
# Process each line in the event
for (i=1; i<=NF; i++) {
# Clean up the line by removing XML tags and quotes
gsub(/<[^>]*">|<\/Data>/, "", $i)
# Capture Event ID
if ($i ~ /1116|1117/) {
event_info = "\n--- New Detection Event ---\nEventID: " $i "\n"
}
# Capture Threat Name
if ($i ~ /^HackTool|^Trojan/) {
found_threat = 1
event_info = event_info "Threat: " $i "\n"
}
# Capture Source
if ($i ~ /^(Real-Time Protection|System|Downloads and attachments)$/) {
event_info = event_info "Source: " $i "\n"
}
# Capture Action
if ($i ~ /^(Quarantine|Not Applicable)$/) {
event_info = event_info "Action: " $i "\n"
}
# Capture Additional Actions
if ($i ~ /^(No additional actions required|To finish removing)/) {
event_info = event_info "Additional: " $i "\n"
}
}
# Only store if we found a threat
if (found_threat) {
events[event_info] = 1
}
}
END {
# Print unique events
for (event in events) {
print event
}
}
' defender_evtx.txt
# Output of the above command execution
=== Windows Defender Events (1116/1117) and Associated Threats ===
--- New Detection Event ---
EventID: 1117</EventID>
Threat: HackTool:MSIL/SharpHound!MSR
Source: Downloads and attachments
Action: Quarantine
Additional: No additional actions required
--- New Detection Event ---
EventID: 1116</EventID>
Threat: Trojan:Win64/Meterpreter.B
Threat: Trojan
Source: System
Action: Not Applicable
Additional: No additional actions required
--- New Detection Event ---
EventID: 1117</EventID>
Threat: Trojan:Win64/Meterpreter.B
Threat: Trojan
Source: Real-Time Protection
Action: Quarantine
Additional: To finish removing malware and other potentially unwanted software, restart the device.
--- New Detection Event ---
EventID: 1117</EventID>
Threat: Trojan:Win64/Meterpreter.B
Threat: Trojan
Source: System
Action: Quarantine
Additional: To finish removing malware and other potentially unwanted software, restart the device.
--- New Detection Event ---
EventID: 1116</EventID>
Threat: Trojan:Win64/Meterpreter.B
Threat: Trojan
Source: Real-Time Protection
Action: Not Applicable
Additional: No additional actions required
--- New Detection Event ---
EventID: 1116</EventID>
Threat: HackTool:MSIL/SharpHound!MSR
Source: Downloads and attachments
Action: Not Applicable
Additional: No additional actions required
--- New Detection Event ---
EventID: 1116</EventID>
Threat: HackTool:PowerShell/SharpHound.B
Source: Downloads and attachments
Action: Not Applicable
Additional: No additional actions required
--- New Detection Event ---
EventID: 1117</EventID>
Threat: Trojan:Win64/Meterpreter.B
Threat: Trojan
Source: Real-Time Protection
Action: Quarantine
Additional: No additional actions required
Task 9: Whats the full path of the malware which raised the alert?
Reviewing the events corresponding to SharpHound, which is a data collector for BloodHound(an Active Directory (AD) reconnaissance tool) we observe the path as C:\Users\CyberJunkie\Downloads\SharpHound-v1.1.0.zip
Task 10: What action was taken by the antivirus?
There are primarily 4 events for SharpHound, a single event for HackTool:PowerShell/SharpHound.B and three events for HackTool:MSIL/SharpHound!MSR with a single instance of quarantined event.
Task 11: The user used Powershell to execute commands. What command was executed by the user?
Looking through the Microsoft Firewall Event Log, we observe the useraccount CyberJunkie under field User = DESKTOP-887GK2L\CyberJunkie. Subsequently, we can perform a timeline analysis of all events performed by this user account by filtering out all events executed by the user.
Powershell detections user analysis
awk '
BEGIN {
RS = "</Event>"
event_id = ""
event_data = ""
user_found = 0
}
{
# Reset variables for each event
event_id = ""
event_data = ""
user_found = 0
# Look for EventID
if (match($0, /<EventID Qualifiers="">[^<]+<\/EventID>/, id_match)) {
event_id = id_match[0]
}
# Check if this event contains our target user
if (index($0, "User = DESKTOP-887GK2L\\CyberJunkie") > 0) {
user_found = 1
}
# Extract EventData
if (match($0, /<EventData>.*<\/EventData>/, data_match)) {
event_data = data_match[0]
}
# Output if the user was found in this event
if (user_found && event_id != "" && event_data != "") {
print event_id
print event_data
print ""
}
}
' powershell_evtx.txt
# Output of the above command execution
<EventID Qualifiers="">4100</EventID>
<EventData><Data Name="ContextInfo"> Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = ea6820bb-bdaf-427a-aaa8-194e90fdf77b
Host Application = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = 2d645886-47ce-45f9-a32c-7d37699247d5
Pipeline ID = 12
Command Name = Invoke-WebRequest
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 15
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">Error Message = Unable to connect to the remote server
Fully Qualified Error ID = WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
</Data>
</EventData>
<EventID Qualifiers="">4100</EventID>
<EventData><Data Name="ContextInfo"> Severity = Warning
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 827d22d5-2334-468e-9f11-ca1883dcbc6b
Host Application = C:/Windows/SysWOW64/WindowsPowerShell/v1.0/powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = 95248d9e-5fce-4afc-b802-dd5cd93c3842
Pipeline ID = 12
Command Name = Invoke-WebRequest
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 15
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">Error Message = Unable to connect to the remote server
Fully Qualified Error ID = WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 3
Command Name = Set-StrictMode
Command Type = Cmdlet
Script Name = C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadLine.psm1
Command Path =
Sequence Number = 16
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Set-StrictMode): "Set-StrictMode"
ParameterBinding(Set-StrictMode): name="Off"; value="True"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 4
Command Name = Get-Variable
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 18
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Get-Variable): "Get-Variable"
ParameterBinding(Get-Variable): name="Name"; value="host"
ParameterBinding(Get-Variable): name="ValueOnly"; value="True"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 7
Command Name = Resolve-Path
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 20
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Resolve-Path): "Resolve-Path"
ParameterBinding(Resolve-Path): name="ErrorAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="WarningAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="InformationAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="Verbose"; value="False"
ParameterBinding(Resolve-Path): name="Debug"; value="False"
ParameterBinding(Resolve-Path): name="Path"; value="DE*"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 10
Command Name = Resolve-Path
Command Type = Cmdlet
Script Name =
Command Path =
Sequence Number = 22
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Resolve-Path): "Resolve-Path"
ParameterBinding(Resolve-Path): name="ErrorAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="WarningAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="InformationAction"; value="Ignore"
ParameterBinding(Resolve-Path): name="Verbose"; value="False"
ParameterBinding(Resolve-Path): name="Debug"; value="False"
ParameterBinding(Resolve-Path): name="Path"; value=".\Desktop\aU*"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 3
Command Name = PSConsoleHostReadLine
Command Type = Function
Script Name =
Command Path =
Sequence Number = 24
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(PSConsoleHostReadLine): "PSConsoleHostReadLine"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 11
Command Name = Resolve-Path
Command Type = Cmdlet
Script Name = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1
Command Path =
Sequence Number = 26
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Resolve-Path): "Resolve-Path"
ParameterBinding(Resolve-Path): name="Path"; value=".\Desktop\Automation-HTB.ps1"
CommandInvocation(ForEach-Object): "ForEach-Object"
ParameterBinding(ForEach-Object): name="MemberName"; value="ProviderPath"
ParameterBinding(ForEach-Object): name="InputObject"; value="C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 11
Command Name = Test-Path
Command Type = Cmdlet
Script Name = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1
Command Path =
Sequence Number = 28
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Test-Path): "Test-Path"
ParameterBinding(Test-Path): name="LiteralPath"; value="C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1"
ParameterBinding(Test-Path): name="PathType"; value="Container"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 11
Command Name = GetStreamHash
Command Type = Function
Script Name = C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psm1
Command Path =
Sequence Number = 30
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(GetStreamHash): "GetStreamHash"
ParameterBinding(GetStreamHash): name="InputStream"; value="System.IO.FileStream"
ParameterBinding(GetStreamHash): name="RelatedPath"; value="C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1"
ParameterBinding(GetStreamHash): name="Hasher"; value="System.Security.Cryptography.MD5CryptoServiceProvider"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 11
Command Name = Get-FileHash
Command Type = Function
Script Name =
Command Path =
Sequence Number = 32
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Get-FileHash): "Get-FileHash"
ParameterBinding(Get-FileHash): name="Algorithm"; value="md5"
ParameterBinding(Get-FileHash): name="Path"; value=".\Desktop\Automation-HTB.ps1"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 11
Command Name =
Command Type = Script
Script Name =
Command Path =
Sequence Number = 34
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Out-Default): "Out-Default"
ParameterBinding(Out-Default): name="InputObject"; value="@{Algorithm=MD5; Hash=36E606E249065E2BDFCA950DBB549C63; Path=C:\Users\CyberJunkie\Desktop\Automation-HTB.ps1}"
</Data>
</EventData>
<EventID Qualifiers="">4103</EventID>
<EventData><Data Name="ContextInfo"> Severity = Informational
Host Name = ConsoleHost
Host Version = 5.1.19041.2673
Host ID = 014a1fde-4c3a-4658-9521-5933850cff3e
Host Application = C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Engine Version = 5.1.19041.2673
Runspace ID = d2a1cce6-8566-442d-a53b-d92bd22fa362
Pipeline ID = 13
Command Name = Set-StrictMode
Command Type = Cmdlet
Script Name = C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\PSReadLine.psm1
Command Path =
Sequence Number = 36
User = DESKTOP-887GK2L\CyberJunkie
Connected User =
Shell ID = Microsoft.PowerShell
</Data>
<Data Name="UserData"></Data>
<Data Name="Payload">CommandInvocation(Set-StrictMode): "Set-StrictMode"
ParameterBinding(Set-StrictMode): name="Off"; value="True"
</Data>
</EventData>
Looking at the sequence of events in chronological order, we can interpret the users actions as failed web requests through Invoke-WebRequest command (EventID 4100), followed by file search using wildcards (DE* and .\Desktop\aU) through Resolve-Path commands (EventID 4103), accessing and testing if file .\Desktop\Automation-HTB.ps1 exists through Resolve-Path and Test-Path commands followed by finally executing Get-FileHash command to calculate the MD5 hash of the file.
This suggests the user was attempting to download something, failed, then located and possibly verified a local script file through its MD5 hash.
Task 12: We suspect the user deleted some event logs. Which Event log file was cleared?
Security Event Log and Firewall Event Log don’t by themselves track any changes to other event logs being cleared, however they do maintain Event ID 1102 and 104 respectively should security or firewall logs be attempted to be cleared. System Event Log on the other hand does capture key system events including clearing of logs in subcomponents like sysmon and firewall. Clearing a log is recorded as Event ID 104, but it specifies which log was cleared and not necessarily the System log itself which can be infered to be cleared for Event ID 104 without a
Pivoting off of system.evtx extracted events file through referenced awk analysis we observe multiple instances of Microsoft-Windows-Sysmon/Operational and a single instance of Microsoft-Windows-Windows Firewall With Advanced Security/Firewall being cleared.
System Event LogFileCleared awk analysis
awk '
BEGIN {
RS = "</Event>"
}
/<EventID Qualifiers="">104<\/EventID>/ && /<UserData><LogFileCleared/ {
# Extract EventID
if (match($0, /<EventID Qualifiers="">104<\/EventID>/)) {
printf "%s\n", substr($0, RSTART, RLENGTH)
}
# Extract TimeCreated
if (match($0, /<TimeCreated SystemTime="[^"]*"[^>]*>/)) {
printf "%s\n", substr($0, RSTART, RLENGTH)
}
# Extract LogFileCleared section with all its elements
if (match($0, /<LogFileCleared xmlns="http:\/\/manifests.microsoft.com\/win\/2004\/08\/windows\/eventlog">.*<\/LogFileCleared>/, arr)) {
print arr[0]
}
print "\n"
}' system_evtx.txt
# Output of the above command execution
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 19:42:30.058228">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:06:20.439674">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:09:34.573000">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:15:30.946386">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:17:38.613035">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:45:03.953278">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:50:22.895147">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:50:54.269999">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:56:01.044802">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:58:18.939980">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 20:59:03.444580">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 21:10:32.374207">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 21:22:42.853712">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-24 21:31:57.360546">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Sysmon/Operational</Channel>
<BackupPath></BackupPath>
</LogFileCleared>
<EventID Qualifiers="">104</EventID>
<TimeCreated SystemTime="2023-03-27 15:01:56.515837">
<LogFileCleared xmlns="http://manifests.microsoft.com/win/2004/08/windows/eventlog"><SubjectUserName>CyberJunkie</SubjectUserName>
<SubjectDomainName>DESKTOP-887GK2L</SubjectDomainName>
<Channel>Microsoft-Windows-Windows Firewall With Advanced Security/Firewall</Channel>
<BackupPath></BackupPath>
</LogFileCleared>