Windows Event Logs

What is the Event ID for the first recorded event?

40961

Filter on Event ID 4104. What was the 2nd command executed in the PowerShell session?

whoami

What is the Task Category for Event ID 4104?

Execute a Remote Command

Analyze the Windows PowerShell log. What is the Task Category for Event ID 800?

Pipeline Execution Details

How many log names are in the machine?

1071

What event files would be read when using the query-events command?

event log, log file, structured query

What option would you use to provide a path to a log file?

/lf:true

What is the VALUE for /q?

Xpath query

What is the log name?

Application

What is the /rd option for?

Event read direction

What is the /c option for?

Maximum number of events to read

Execute the command from Example 1 (as is). What are the names of the logs related to OpenSSH?

OpenSSH/Admin,OpenSSH/Operational

Execute the command from Example 8. Instead of the string *Policy* search for *PowerShell*. What is the name of the 3rd log provider?

Microsoft-Windows-PowerShell-DesiredStateConfiguration-FileDownloadManager

Execute the command from Example 9. Use Microsoft-Windows-PowerShell as the log provider. How many event ids are displayed for this event provider?

192

How do you specify the number of events to display?

-MaxEvents

When using the FilterHashtable parameter and filtering by level, what is the value for Informational?

Using Get-WinEvent and XPath, what is the query to find WLMS events with a System Time of 2020-12-15T01:09:08.940277500Z?

Get-WinEvent -LogName Application -FilterXPath '*/System/Provider[@Name="WLMS"] and */System/TimeCreated[@SystemTime="2020-12-15T01:09:08.940277500Z"]'

Using Get-WinEvent and XPath, what is the query to find a user named Sam with an Logon Event ID of 4720?

Get-WinEvent -LogName Security -FilterXPath '*/EventData/Data[@Name="TargetUserName"]="Sam" and */System/EventID=4720'

Based on the previous query, how many results are returned?

Based on the output from the question #2, what is Message?

A user account was created

Still working with Sam as the user, what time was Event ID 4724 recorded? (MM/DD/YYYY H:MM:SS [AM/PM])

12/17/2020 1:57:14 PM

What is the Provider Name?

Microsoft-Windows-Security-Auditing

What event ID is to detect a PowerShell downgrade attack?

400

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

12/18/2020 7:50:33 AM

A Log clear event was recorded. What is the 'Event Record ID'?

27736

What is the name of the computer?

PC01.example.corp

What is the name of the first variable within the PowerShell command?

$Va5w3n8

What is the Date and Time this attack took place? (MM/DD/YYYY H:MM:SS [AM/PM])

8/25/2020 10:09:28 PM

What is the Execution Process ID?

6620

What is the Group Security ID of the group she enumerated?

S-1-5-32-544

What is the event ID?

4799