Skills Assessment
By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
Steps:
Edit the Sysmon config file (sysmonconfig-export.xml): under Event ID 7, change the include rule to exclude, so that image loads are logged rather than filtered out.
Start Sysmon with that config:
cd C:\Tools\Sysmon
sysmon.exe -c sysmonconfig-export.xml
Open Event Viewer, then open the saved logs: DLLHijack
Notes for Event ID 7: this event records DLLs loaded by processes, which is useful when hunting for DLL injection and DLL hijacking attacks.
Open Event Viewer and load the log file "C:\Logs\DLLHijack"
Filter events by ID 7
Search for WININET.dll as a potential DLL hijacking candidate
Result (the process responsible for executing the DLL hijacking attack):
Image C:\ProgramData\Dism.exe
ImageLoaded C:\Windows\System32\wininet.dll
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
Open Event Viewer, then open the saved logs: C:\Logs\PowershellExec
Search for clr.dll and clrjit.dll, as they are modules related to PowerShell (the .NET CLR).
Search for clr.dll
Result
Image C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
ImageLoaded C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
Open Event Viewer, then open the saved logs: C:\Logs\PowershellExec
Search for Calculator.exe
Answer
SourceImage C:\Windows\System32\rundll32.exe
TargetImage C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe
By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe
Open Event Viewer, then open the saved logs: C:\Logs\Dump
Filter by Event ID 10: ProcessAccess
Find lsass.exe as the TargetImage (detecting credential dumping)
Result
SourceImage C:\Users\waldo\Downloads\processhacker-3.0.4801-bin\64bit\ProcessHacker.exe
TargetImage C:\Windows\system32\lsass.exe
By examining the logs located in the "C:\Logs\StrangePPID" directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: _.exe
Open Event Viewer, then open the saved logs: C:\Logs\StrangePPID
Filter by Event ID 10: ProcessAccess
Detecting strange parent-child relationships
Find cmd.exe
Result
SourceImage C:\Windows\System32\werfault.exe
TargetImage C:\Windows\System32\cmd.exe
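The same five hunts can be run from PowerShell instead of clicking through Event Viewer. The script below is an added example, not part of the original write-up and not Sysmon's own tooling. It assumes each C:\Logs\<case> directory holds one or more saved Sysmon .evtx files; the directory paths and the image names (wininet.dll, clr.dll, Calculator.exe, lsass.exe, cmd.exe) are the ones from the assessment, while the function name Get-SysmonEvent and its parameters are this example's own. The last hunt uses Event ID 1 (ProcessCreate), which carries ParentImage, rather than the Event ID 10 filter used in the notes above.

```powershell
# Added example (not from the original notes): Sysmon hunts over saved .evtx files.
# Assumption: each LogDir contains Sysmon .evtx exports from the assessment.

function Get-SysmonEvent {
    # Read every .evtx in a directory, keep the requested Sysmon Event IDs, and
    # flatten each event's EventData into one object (Id, TimeCreated, Image, ...).
    param(
        [Parameter(Mandatory)][string]$LogDir,
        [Parameter(Mandatory)][int[]]$Id
    )
    foreach ($file in Get-ChildItem -Path $LogDir -Filter *.evtx) {
        # Get-WinEvent raises a non-terminating error when a file has no matches;
        # SilentlyContinue keeps the loop going over the remaining files.
        $events = Get-WinEvent -FilterHashtable @{ Path = $file.FullName; Id = $Id } -ErrorAction SilentlyContinue
        foreach ($ev in $events) {
            $x = [xml]$ev.ToXml()
            $o = [ordered]@{ Id = $ev.Id; TimeCreated = $ev.TimeCreated; File = $file.Name }
            foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
            [pscustomobject]$o
        }
    }
}

# 1. DLL hijacking: Event ID 7 loads of wininet.dll by an image living outside
#    the Windows and Program Files trees (C:\ProgramData\Dism.exe in the assessment).
Get-SysmonEvent -LogDir 'C:\Logs\DLLHijack' -Id 7 |
    Where-Object { $_.ImageLoaded -like '*\wininet.dll' -and
                   $_.Image -notlike 'C:\Windows\*' -and
                   $_.Image -notlike 'C:\Program Files*' } |
    Select-Object TimeCreated, Image, ImageLoaded, Signed, Signature

# 2. Unmanaged PowerShell: Event ID 7 loads of clr.dll / clrjit.dll by a process
#    that is not powershell.exe or powershell_ise.exe itself.
Get-SysmonEvent -LogDir 'C:\Logs\PowershellExec' -Id 7 |
    Where-Object { $_.ImageLoaded -match '\\clr(jit)?\.dll$' -and
                   $_.Image -notmatch 'powershell(_ise)?\.exe$' } |
    Select-Object TimeCreated, Image, ImageLoaded

# 3. Who injected into that process: Event ID 8 (CreateRemoteThread) and
#    Event ID 10 (ProcessAccess) whose target is the CLR-loading image.
Get-SysmonEvent -LogDir 'C:\Logs\PowershellExec' -Id 8, 10 |
    Where-Object { $_.TargetImage -like '*\Calculator.exe' } |
    Select-Object TimeCreated, Id, SourceImage, TargetImage, GrantedAccess

# 4. LSASS dump: Event ID 10 with lsass.exe as the target, grouped by the
#    accessing process so the noisy legitimate sources stand out from the rest.
Get-SysmonEvent -LogDir 'C:\Logs\Dump' -Id 10 |
    Where-Object { $_.TargetImage -like '*\lsass.exe' } |
    Group-Object SourceImage | Sort-Object Count -Descending |
    Select-Object Count, Name

# 5. Strange parent-child relationship: Event ID 1 where cmd.exe is started by
#    a parent other than explorer.exe (werfault.exe in the assessment).
Get-SysmonEvent -LogDir 'C:\Logs\StrangePPID' -Id 1 |
    Where-Object { $_.Image -like '*\cmd.exe' -and
                   $_.ParentImage -notmatch 'explorer\.exe$' } |
    Select-Object TimeCreated, ParentImage, Image, CommandLine
```

Each pipeline only narrows the saved log; the object list it prints still has to be read against what is normal for the host (the Signed/Signature fields in hunt 1 and GrantedAccess in hunt 3 are usually the quickest way to separate the one interesting row from the rest).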