
Skills Assessment

By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe

Steps:

Edit the Sysmon configuration file (sysmonconfig-export.xml): under Event ID 7 (ImageLoad), change onmatch from "include" to "exclude". With no exclusion rules listed, every image load is then recorded.

Start Sysmon with that configuration:

cd C:\Tools\Sysmon

sysmon.exe -c sysmonconfig-export.xml

Open Event Viewer, then open the saved log: DLLHijack

Event ID 7 (ImageLoad): this event records the DLLs loaded by each process, which is useful when hunting for DLL injection and DLL hijacking attacks.

Open Event Viewer and load the saved log from "C:\Logs\DLLHijack".

Filter the events by Event ID 7.

Search for WININET.dll as a potential DLL hijacking candidate.

The process responsible for executing the DLL hijacking attack is a copy of Dism.exe running from C:\ProgramData instead of its normal system directory:

Image: C:\ProgramData\Dism.exe

ImageLoaded: C:\Windows\System32\wininet.dll

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

Open Event Viewer, then open the saved log: C:\Logs\PowershellExec

Search for clr.dll and clrjit.dll: these are the .NET CLR modules that PowerShell loads, so a process other than PowerShell loading them is the sign of unmanaged PowerShell (PowerShell code run without powershell.exe).

Search for clr.dll.

Results:

Image: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe

ImageLoaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe

Open Event Viewer, then open the saved log: C:\Logs\PowershellExec

Search for Calculator.exe as the TargetImage to find which process injected into it.

Answer:

SourceImage: C:\Windows\System32\rundll32.exe

TargetImage: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe

By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe

Open Event Viewer, then open the saved log: C:\Logs\Dump

Filter by Event ID 10 (ProcessAccess).

Find lsass.exe as the TargetImage: a process opening a handle to LSASS is the classic indicator of credential dumping.

Result:

SourceImage: C:\Users\waldo\Downloads\processhacker-3.0.4801-bin\64bit\ProcessHacker.exe

TargetImage: C:\Windows\system32\lsass.exe

By examining the logs located in the "C:\Logs\StrangePPID" directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe

Open Event Viewer, then open the saved log: C:\Logs\StrangePPID

Filter by Event ID 10 (ProcessAccess).

Detecting strange parent-child relationships: find cmd.exe and check which process is on the other side of the relationship. WerFault.exe (Windows Error Reporting) has no legitimate reason to be paired with a command shell.

Result:

SourceImage: C:\Windows\System32\werfault.exe

TargetImage: C:\Windows\System32\cmd.exe
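The same five hunts, scripted with Get-WinEvent instead of clicking through Event Viewer. This is an added example and not code from the original write-up; it assumes each C:\Logs directory named above holds saved .evtx files (the filenames are not given on the page, so every .evtx in the directory is read).

```powershell
# Added example (not code from the original write-up): the five Event Viewer hunts
# above, scripted with Get-WinEvent over the saved .evtx files. Exact .evtx file
# names are not given on the page, so every .evtx in each C:\Logs\<task> dir is read.

function Get-SysmonEvent {
    param(
        [Parameter(Mandatory)] [string] $LogDir,  # directory holding saved .evtx files
        [int[]] $Id                               # Sysmon event IDs to keep; omit for all
    )
    foreach ($file in Get-ChildItem -Path $LogDir -Filter '*.evtx' -File) {
        $filter = @{ Path = $file.FullName }
        if ($Id) { $filter['Id'] = $Id }
        # Get-WinEvent reports "no events found" as an error, not as an empty result
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            # Sysmon stores its fields as <Data Name="..."> elements; flatten them into one object
            $xml = [xml]$_.ToXml()
            $row = [ordered]@{ Id = $_.Id; Time = $_.TimeCreated }
            foreach ($d in $xml.Event.EventData.Data) { $row[$d.Name] = $d.'#text' }
            [pscustomobject]$row
        }
    }
}

# DLL hijacking: Event ID 7 (ImageLoad), wininet.dll loaded by a process image that
# runs from outside C:\Windows (the hit above was Dism.exe under C:\ProgramData)
Get-SysmonEvent -LogDir 'C:\Logs\DLLHijack' -Id 7 |
    Where-Object { $_.ImageLoaded -like '*\wininet.dll' -and $_.Image -notlike 'C:\Windows\*' } |
    Select-Object Image, ImageLoaded -Unique

# Unmanaged PowerShell: a process other than powershell.exe loading the .NET CLR
Get-SysmonEvent -LogDir 'C:\Logs\PowershellExec' -Id 7 |
    Where-Object { $_.ImageLoaded -match '\\clr(jit)?\.dll$' -and $_.Image -notmatch 'powershell' } |
    Select-Object Image, ImageLoaded -Unique

# Injection into that process: any event whose TargetImage is the CLR-loading process
Get-SysmonEvent -LogDir 'C:\Logs\PowershellExec' |
    Where-Object { $_.TargetImage -like '*\Calculator.exe' } |
    Select-Object Id, SourceImage, TargetImage -Unique

# LSASS dump: Event ID 10 (ProcessAccess) with lsass.exe as the target
Get-SysmonEvent -LogDir 'C:\Logs\Dump' -Id 10 |
    Where-Object { $_.TargetImage -like '*\lsass.exe' } |
    Select-Object SourceImage, TargetImage, GrantedAccess -Unique

# Strange parent-child: Event ID 10 with cmd.exe as the target, as in the last task
Get-SysmonEvent -LogDir 'C:\Logs\StrangePPID' -Id 10 |
    Where-Object { $_.TargetImage -like '*\cmd.exe' } |
    Select-Object SourceImage, TargetImage -Unique
```

Each pipeline prints the same Image/ImageLoaded or SourceImage/TargetImage pairs that the Event Viewer searches above surface, with GrantedAccess added for the LSASS case since the access mask is what separates a handle used for dumping from a benign query.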
