Windows Event Logs
The logs are categorized into different event logs, such as "Application", "System", "Security", and others, to organize events based on their source or purpose.
Event logs can be accessed using the Event Viewer application.
https://learn.microsoft.com/en-us/windows/win32/secauthz/privilege-constants
How to RDP into a target from Linux:
Install FreeRDP: sudo apt install freerdp2-x11
Run it with the syntax: $ xfreerdp /v:hostname_or_ip_address /u:username /dynamic-resolution
xfreerdp /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.53.86 /dynamic-resolution
OR
xfreerdp /u:Administrator /p:'password' /v:[Target IP] /dynamic-resolution
xfreerdp /v:10.129.224.250 /u:administrator
The full list of Sysmon event IDs can be found here.
For a comprehensive configuration, see: https://github.com/SwiftOnSecurity/sysmon-config.
Another option is https://github.com/olafhartong/sysmon-modular, which provides a modular approach.
To use a custom Sysmon configuration, run the following after installing Sysmon:
sysmon.exe -c filename.xml
To load the updated Sysmon configuration, run:
sysmon.exe -c sysmonconfig-export.xml
With the modified Sysmon configuration in place, we can start observing image load events. To view them, open Event Viewer and navigate to "Applications and Services" -> "Microsoft" -> "Windows" -> "Sysmon". A quick check will reveal the presence of the targeted event ID.
An exhaustive list of DLL hijack techniques: https://www.wietzebeukema.nl/blog/hijacking-dlls-in-windows
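As an added example (not from these notes, Sysmon or the linked blog), the Python below parses exported Sysmon Event ID 7 (Image Loaded) records and flags loads that look like DLL hijacking: unsigned DLLs, or DLLs loaded from outside the OS directories. The two event records are constructed samples, and TRUSTED_DIRS and the flagging rule are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML as exported from Event Viewer / wevtutil.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Assumption: directories from which OS DLLs are normally loaded.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

# Constructed sample: two Sysmon Event ID 7 (Image Loaded) records, not real telemetry.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\Windows\System32\svchost.exe</Data>
    <Data Name="ImageLoaded">C:\Windows\System32\kernel32.dll</Data>
    <Data Name="Signed">true</Data>
    <Data Name="SignatureStatus">Valid</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>7</EventID></System>
  <EventData>
    <Data Name="Image">C:\Users\alice\Downloads\calc.exe</Data>
    <Data Name="ImageLoaded">C:\Users\alice\Downloads\WINMM.dll</Data>
    <Data Name="Signed">false</Data>
    <Data Name="SignatureStatus">Unavailable</Data>
  </EventData>
</Event>
</Events>"""

def parse_image_loads(xml_text):
    """Return one dict of EventData fields per Sysmon Event ID 7 record in the XML."""
    loads = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "7":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        loads.append(data)
    return loads

def suspicious_loads(events):
    """Flag DLLs that are unsigned or loaded from outside the trusted OS directories,
    both common indicators of search-order hijacking or side-loading."""
    hits = []
    for e in events:
        dll = e.get("ImageLoaded", "").lower()
        if not dll.startswith(TRUSTED_DIRS) or e.get("Signed", "").lower() != "true":
            hits.append((e.get("Image"), e.get("ImageLoaded")))
    return hits
```

On a real host, feed it the XML from wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml wrapped in a root element.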
One specific command, "sekurlsa::logonpasswords", enables the dumping of password hashes or plaintext passwords by accessing the Local Security Authority Subsystem Service (LSASS). LSASS is responsible for managing user credentials and is a primary target for credential-dumping tools like Mimikatz.
The attack can be executed as follows.
mimikatz.exe
privilege::debug
sekurlsa::logonpasswords
ETW - Event Tracing for Windows
https://bmcder.com/blog/a-begginers-all-inclusive-guide-to-etw
https://medium.com/threat-hunters-forge/threat-hunting-with-etw-events-and-helk-part-1-installing-silketw-6eb74815e4a0
logman.exe query -ets
The -ets parameter allows a direct investigation of the event tracing sessions, providing insights into system-wide tracing sessions.
Please note that the "-ets" parameter is vital to the command. Without it, Logman will not identify the Event Tracing Session.
For each provider subscribed to the session, we can acquire critical data:
Name / Provider GUID: This is the exclusive identifier for the provider.
Level: This describes the event level, indicating if it's filtering for warning, informational, critical, or all events.
Keywords Any: Keywords create a filter based on the kind of event generated by the provider.
logman.exe query "EventLog-System" -ets
Using the logman query providers command, we can generate a list of all available providers on the system, including their respective GUIDs.
Due to the high number of providers, it's usually advantageous to filter them using findstr. For instance, you will see multiple results for "Winlogon" in the given example.
C:\Tools> logman.exe query providers | findstr "Winlogon"
By specifying a provider with Logman, we gain a deeper understanding of the provider's function. This will inform us about the Keywords we can filter on, the available event levels, and which processes are currently utilizing the provider.
C:\Tools> logman.exe query providers Microsoft-Windows-Winlogon
An insightful mind map introducing common parent-child process relationships:
https://twitter.com/SBousseaden/status/1195373669930983424/photo/1
Event Tracing for Microsoft-Windows-DotNETRuntime
SilkETW CLI