Try Hack Me: Windows Event Logs
- Published: 10 Jul 2024
- This is the continuation of our Cyber Defense path! This is a very entry-level room and a great way to start learning defense! This box is all about how to view event logs on Windows and how to investigate them.
If you want to see exclusive content and have the opportunity to game and chat with me about anything check out the patreon!
Patreon to help support the channel! Thank you so much!
/ stuffy24
Hacker Discord
/ discord
Task 1 (00:00:00 - 00:01:20)
Task 2 (00:01:20 - 00:15:30)
Task 3 (00:15:30 - 00:22:50)
Task 4 (00:22:50 - 00:34:00)
Task 5 (00:34:00 - 00:42:45)
Task 6 (00:42:45 - 00:45:25)
Task 7 (00:45:25 - 00:54:00)
Task 8 (00:54:00 - 00:55:00)
PowerShell is my favorite way to pull logs! What's yours?!
Just a question: how do I copy and paste code into the Windows VM? I tried and it doesn't work.
@@Surya000Bhakti-xv4xw Ctrl+C to copy and Ctrl+V to paste
XPath really did a number on my head 😅
this is so helpful!!! thank you! i was so confused with the room alone
Great content!
Thank you man, it was really discouraging room until i found your video. Great Work!
Thanks so much
Super helpful! It's far better to spend 1 hour learning and watching this way than spending multiple hours just on the box itself.
Thank you so much!
I recently had been hacked - or at least caught the start of it, and I know nearly nothing about the Windows Event Logs, this really helped me see how to read them and I think I'd like to actually work in this area.
That's awesome! So cool to see people learn and progress! Hit me up on the discord and I can give you some paths to get started!
these are actually helpful!!!
Thank you!
I completed this room but it was tough for me. Thank you for your walkthrough; I am going through it again because I want to better understand what I'm doing and how to query these logs. Your walkthrough is super duper helpful and now the material makes way more sense the second time around.
Glad it helped! That's all I care about
Make sure to check out the discord as well for further help
Thanks, the room would have taken forever if you hadn't uploaded this. Glad you also explained some extra stuff.
Thank you!
Thank you for the support!
really like your videos
Thank you!
@Mr Robot I can try and take a look at it tonight
@@stuffy24 Do you resolve the question? 💪
@@pograva I will try to look tonight. Can you hop on the discord and remind me?
@@stuffy24 yes, don't worry 😊. I'm fine doing the combination of the commands, but I think that the question is not very understandable 😔
Thank you. I was so stumped on Task 7 mainly because I'm always hesitant to Google, and there were SO many sources at once- some of which no longer work...
I wasn't sure what I was meant to already know and what I was "allowed" to look up, if that makes sense. So I really avoided doing it for a few days.
But once I actually knew what to filter it wasn't so bad. With finding the downgrade attack, the version being 2.0 was also a giveaway IIRC
Thank you! I def understand what you mean! That's tough to know when you know something well enough!
@@stuffy24 It was literally making me so stressed for days LMFAO then it was so simple.
@@mallorii86110 literally hacking in a nutshell lol
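The "version being 2.0" giveaway mentioned in the thread above can be checked directly from the classic Windows PowerShell log. The snippet below is an added example, not code from the video or the TryHackMe room; it assumes Event ID 400 (engine startup) carries an `EngineVersion=` field in its message, which is how that event reads on stock Windows, and that the log is present on the host.

```powershell
# Added example (not from the video or the room): find PowerShell v2 engine starts.
# Event ID 400 in the "Windows PowerShell" log records the EngineVersion that was
# started; EngineVersion=2.0 on a host that ships 5.x is the downgrade indicator.
$downgrades = Get-WinEvent -FilterHashtable @{ LogName = 'Windows PowerShell'; Id = 400 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' }

$downgrades | ForEach-Object {
    # HostApplication=... in the same message names the process that asked for the old engine.
    $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
    [pscustomobject]@{
        TimeCreated     = $_.TimeCreated
        EngineVersion   = '2.0'
        HostApplication = $hostApp
    }
} | Format-Table -AutoSize

"$(@($downgrades).Count) v2 engine start(s) found"
```

Run it from an elevated PowerShell 5.x session; on a host that has never had the v2 engine invoked it simply reports zero hits.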
I noticed TryHackMe doesn't do this, but for the LogName section of the query, it's not listed in this Details view on the XML chart. So how do we know when to use "Application" versus "Security", etc.? Is it solely due to the data we are looking to retrieve? Is there a comprehensive list of the LogNames we can look at? Tried searching but no luck. (And BTW I thought that all of this info would be on the Event Viewer XML Details tab, but TryHackMe doesn't really explain why we needed to use "Application" when it first teaches the command in the modules.) Thanks for helping me understand.
Application logs are going to correlate to applications, where Security correlates to security actions such as access logs.
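To answer the "is there a list of LogNames" part of the question above in working code: the snippet below is an added example, not from the video or the room. It enumerates every log the host knows about (each `LogName` is a valid value for the hashtable filter), then pulls a handful of records from Application and Security so the difference in content is visible. In the Event Viewer XML view, the log a record lives in appears as the `<Channel>` element under `<System>`.

```powershell
# Added example (not from the video or the room): picking a LogName for Get-WinEvent.

# 1. Every log present on this host, with record counts, so you can see valid LogName values.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, IsEnabled |
    Format-Table -AutoSize

# 2. Application: what installed software reports about itself. Level 2 = Error.
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Level = 2 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Id, Message

# 3. Security: audit events, e.g. 4624 (logon success) and 4625 (logon failure).
#    Reading Security needs an elevated session. Properties[5] is TargetUserName for both IDs.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Account'; e = { $_.Properties[5].Value } }

# 4. Confirm where a record lives: the XML <Channel> element is the LogName.
$one = Get-WinEvent -LogName Application -MaxEvents 1
([xml]$one.ToXml()).Event.System.Channel
```

The short answer to "which log do I use" is therefore: look at which channel the provider writes to (step 1 and step 4), then filter on that channel.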
Where did you find log clear event ID 104? I also searched and just found 1102. Task 7 Q3
Just a quick bit of research and this was one of my first google responses if you want to check it out kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp#:~:text=The%20%253%20log%20file%20was%20cleared.&text=This%20event%20is%20logged%20when%20the%20log%20file%20was%20cleared.&text=This%20is%20a%20normal%20condition.
@@stuffy24 Thanks for quick response bro
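Since the thread above turns on the fact that there are two "log cleared" events in different logs, here is an added example (not from the video or the room) that pulls both: 1102 from the Security log and 104 from the System log, where the Microsoft-Windows-Eventlog provider writes it. The `<UserData><LogFileCleared>` element names used below (`SubjectUserName`, `SubjectDomainName`, `Channel`) are my reading of the event schema; check them against the XML view of a real event on your host.

```powershell
# Added example (not from the video or the room): list every "log cleared" record.
# 1102 -> Security log; 104 -> System log (provider Microsoft-Windows-Eventlog).
$cleared = @(
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1102 } -ErrorAction SilentlyContinue
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Eventlog'; Id = 104 } -ErrorAction SilentlyContinue
)

$cleared | ForEach-Object {
    # Details sit under <UserData><LogFileCleared>; element names assumed from the schema.
    $x = [xml]$_.ToXml()
    $d = $x.Event.UserData.LogFileCleared
    # 104 says which channel was wiped; 1102 can only ever mean the Security log itself.
    $clearedLog = 'Security'
    if ($_.Id -eq 104) { $clearedLog = $d.Channel }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        WrittenTo   = $x.Event.System.Channel
        Id          = $_.Id
        ClearedBy   = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        ClearedLog  = $clearedLog
    }
} | Sort-Object TimeCreated -Descending | Format-Table -AutoSize
```

Both events survive the clear because they are written after the wipe, which is why a SIEM rule on 1102/104 is the usual first detection for anti-forensic cleanup.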
27736
Task 3 question "What event files would be read when using the query-events command?" Did anyone have an issue with submitting the answer "Read events from an event log, log file, or using structured query"? It keeps saying this is the wrong answer!!!
I know this is late but the answer is "event log, log file, or structured query" they shortened the answer.
@@tunechilee15 just tried it and it works
Network Security and Traffic Analysis was way more interesting than going through Endpoint Security Monitoring (it was kinda boring).
I hope that SIEM and Phishing will be more interesting.
Someone with similar thinking?
Haha, well, to be fair most SIEMs will ingest these logs and then you can search for them, but the reality is you have to know how to do this for offensive and defensive because you have to understand what is getting logged and how it appears to avoid it. Endpoint security is insanely fun, just not reading logs lol
@stuffy24 could you tell me CDSA or CCD cert?
That depends on you and what you're trying to get them for.
@@stuffy24 thanks stuffy, what interests me is to acquire skills, and after that to be able to ASK for Job.
@@johnvardy9559 Well those both will provide skills to you. Neither will get you a job.
@@stuffy24 I agree, that's why I asked you which of the 2 will give me more stuff and more value.
@johnvardy9559 That entirely depends on you though: what your goals are and what you want to get out of them. I can't tell you what skills you need to learn since I don't know your current skill set.
Task 3 /if:true does not work.
Feel free to join the discord and throw your questions with screenshots in there
It’s /lf:true (it was an L)
@@dited555dited7 I put "I" as well until I heard in the video that it was an L.
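For the `/lf:true` confusion above, here is an added example (not from the video or the room) showing the switch in context: `/lf:true` tells `wevtutil qe` that its first argument is a log file on disk rather than a live log name. The file path and the event ID 4104 (PowerShell script block logging) are assumptions chosen for illustration; substitute your own export.

```powershell
# Added example (not from the video or the room): querying an exported .evtx file.
# $EvtxPath is an assumed path; point it at your own export.
$EvtxPath = 'C:\Logs\merged.evtx'

# wevtutil: /lf:true = "first argument is a log FILE" (it is an L, not an I).
# /q is an XPath filter, /f:text renders the message text, /c caps the record count,
# /rd:true returns newest first.
wevtutil qe $EvtxPath /lf:true /q:"*[System[(EventID=4104)]]" /f:text /c:5 /rd:true

# The same query through Get-WinEvent: -Path already means "file", so no /lf is needed.
Get-WinEvent -Path $EvtxPath -FilterXPath "*[System[(EventID=4104)]]" -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

Without `/lf:true`, wevtutil treats `C:\Logs\merged.evtx` as a channel name and fails with "The specified channel could not be found", which is the symptom described in the thread.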