# Skills Assessment

#### Overview

To keep you sharp, your SOC manager has assigned you the task of analyzing older attack logs and providing answers to specific questions.

#### Question 1

By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: \_.exe

* To detect DLL hijacking, we focus on Sysmon Event ID 7 (Image loaded), which records every module (DLL) a process loads together with the full path of the loaded image.
* After loading the log file into the Event Viewer, we apply a filter for Event ID 7.
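As an added example (not part of the original notes), the following PowerShell script automates this filter: it reads the Sysmon `.evtx` files under `C:\Logs\DLLHijack`, keeps Event ID 7 records, and flags DLLs loaded from outside trusted directories whose file name shadows a DLL shipped in System32, or that are unsigned. The log path, the trusted-directory list and the `Test-Path` check against the analysis machine's own System32 are assumptions.

```powershell
# Added example (not from the original page): hunt Sysmon Event ID 7 (Image loaded)
# records for DLL-hijacking indicators. Assumes the .evtx files under C:\Logs\DLLHijack
# were produced by Sysmon.
param(
    [string]$LogPath = 'C:\Logs\DLLHijack\*'   # assumption: directory from the question
)

# Directories from which legitimate DLL loads are expected. Anything outside these is
# worth a second look, especially if the DLL name shadows a system DLL.
$trustedDirs = @("$env:SystemRoot\System32\", "$env:SystemRoot\SysWOW64\",
                 "$env:SystemRoot\WinSxS\", "${env:ProgramFiles}\",
                 "${env:ProgramFiles(x86)}\") | Where-Object { $_.Length -gt 1 }

function Get-SysmonData {
    # Turn a Sysmon event into a hashtable of its EventData name/value pairs. Using the
    # XML rather than Message works even when the Sysmon manifest is not installed here.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

Get-WinEvent -Path $LogPath -FilterXPath "*[System[EventID=7]]" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d      = Get-SysmonData -Event $_
        $loaded = $d['ImageLoaded']
        if (-not $loaded) { return }
        $name   = Split-Path -Path $loaded -Leaf

        $fromTrustedDir = $false
        foreach ($dir in $trustedDirs) {
            if ($loaded.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) { $fromTrustedDir = $true }
        }
        # A DLL whose file name matches one shipped in System32 but that was loaded from
        # elsewhere is the classic search-order hijack pattern. (Assumption: the analysis
        # machine's System32 is representative of the victim's.)
        $shadowsSystemDll = Test-Path -Path (Join-Path "$env:SystemRoot\System32" $name)

        if (-not $fromTrustedDir -and ($shadowsSystemDll -or $d['Signed'] -eq 'false')) {
            [pscustomobject]@{
                Time        = $d['UtcTime']
                Process     = $d['Image']        # the process that performed the load
                ImageLoaded = $loaded
                Signed      = $d['Signed']
                Reason      = if ($shadowsSystemDll) { 'shadows a System32 DLL' } else { 'unsigned DLL from untrusted path' }
            }
        }
    } | Format-Table -AutoSize
```

Save the block as a `.ps1` file and run it; the `Process` column of the flagged rows is the process responsible for the hijacked load.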

<figure><img src="/files/DNMzyS9Ta9yx6YePjGDf" alt=""><figcaption></figcaption></figure>

***

#### Question 2

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: \_.exe

* Managed code (C#, PowerShell) is not compiled to native machine code ahead of time; it is compiled into an intermediate bytecode that the .NET runtime (CLR) JIT-compiles and executes. Consequently, any process executing C# or PowerShell code must load the CLR, whether or not it is a normal managed host.
* We filter for Event ID 7 events and search for `clr.dll`, which returns the processes that loaded the CLR; the one that is not a normal managed host is the process executing unmanaged PowerShell.
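As an added example (not from the original notes), this script performs the same search programmatically: it collects Event ID 7 records where the loaded image is `clr.dll` (or the `mscoree.dll` shim that loads it), groups them by process, and marks processes that are not on a small allowlist of expected .NET hosts. The log path and the allowlist are assumptions.

```powershell
# Added example (not from the original page): list processes that loaded the .NET CLR
# according to Sysmon Event ID 7 and highlight those that are not expected managed hosts.
# Assumptions: logs are under C:\Logs\PowershellExec; the allowlist below is illustrative.
param([string]$LogPath = 'C:\Logs\PowershellExec\*')

# Processes in which a CLR load is normal. Anything else hosting clr.dll deserves review,
# because running PowerShell/C# from a process that is not a .NET host is exactly how
# "unmanaged PowerShell" works.
$expectedHosts = @('powershell.exe', 'powershell_ise.exe', 'msbuild.exe', 'devenv.exe', 'installutil.exe')

# Pull a named EventData field out of a Sysmon event via its XML (works even when the
# Sysmon manifest is missing on the analysis box and Message cannot be rendered).
$get = { param($evt, $name) (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text' }

Get-WinEvent -Path $LogPath -FilterXPath "*[System[EventID=7]]" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $loaded = & $get $_ 'ImageLoaded'
        # clr.dll is the .NET Framework runtime; mscoree.dll is the shim that loads it.
        if ($loaded -notmatch '\\(clr|mscoree)\.dll$') { return }
        [pscustomobject]@{
            Time      = & $get $_ 'UtcTime'
            Image     = & $get $_ 'Image'
            ProcessId = & $get $_ 'ProcessId'
            Loaded    = Split-Path $loaded -Leaf
        }
    } |
    Group-Object Image |
    ForEach-Object {
        $name = (Split-Path $_.Name -Leaf).ToLower()
        [pscustomobject]@{
            Process    = $_.Name
            CLRLoads   = $_.Count
            Unexpected = $expectedHosts -notcontains $name   # $true = review this process
        }
    } |
    Sort-Object Unexpected -Descending |
    Format-Table -AutoSize
```

Rows with `Unexpected` set to `$true` are the candidates; in this assessment the single non-host process that loaded the CLR is the answer.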

<figure><img src="/files/eHUoaPuecrpevWa4ZMsG" alt=""><figcaption></figcaption></figure>

***

#### Question 3

By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: \_.exe

```powershell
# Sysmon Event ID 8 (CreateRemoteThread): keep the records whose message names the
# process found in Question 2 as the target, then read SourceImage for the injector.
Get-WinEvent -Path 'C:\Logs\PowershellExec\*' |
    Where-Object { $_.Id -eq 8 -and $_.Message -like '*Calculator.exe*' } |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
```

<figure><img src="/files/I3YxkE9paO5ifCocT7qB" alt=""><figcaption></figcaption></figure>

* We can search for Sysmon event ID 8 (CreateRemoteThread). Each record names the `SourceImage` that created the thread and the `TargetImage` it was created in, so filtering on the process from Question 2 as the target reveals the injecting process.
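As an added example (not from the original notes), the script below filters Event ID 8 on the event's own `TargetImage` field instead of the rendered message, so it does not depend on the Sysmon manifest being installed and does not match the target name in unrelated fields. It then prints the source/target pair and the thread start address, module and function. The log path is an assumption; the default target name is the one searched for in the command above.

```powershell
# Added example (not from the original page): enumerate Sysmon Event ID 8 (CreateRemoteThread)
# records to see which process created a thread inside the process that ran the unmanaged
# PowerShell code. Assumptions: logs under C:\Logs\PowershellExec; the default target name
# (Calculator.exe) is taken from the Get-WinEvent command in these notes.
param(
    [string]$LogPath    = 'C:\Logs\PowershellExec\*',
    [string]$TargetName = 'Calculator.exe'
)

$get = { param($evt, $name) (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text' }

# Restrict to Event ID 8 records that carry a TargetImage field.
$xpath = "*[System[EventID=8] and EventData[Data[@Name='TargetImage']]]"
Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = & $get $_ 'TargetImage'
        if (-not $target -or (Split-Path $target -Leaf) -ne $TargetName) { return }
        [pscustomobject]@{
            Time          = & $get $_ 'UtcTime'
            SourceImage   = & $get $_ 'SourceImage'       # the injecting process
            SourcePid     = & $get $_ 'SourceProcessId'
            TargetImage   = $target
            TargetPid     = & $get $_ 'TargetProcessId'
            StartAddress  = & $get $_ 'StartAddress'
            StartModule   = & $get $_ 'StartModule'       # empty when the thread starts in unbacked memory
            StartFunction = & $get $_ 'StartFunction'
        }
    } | Format-List
```

An empty `StartModule` is itself a useful signal: a remote thread whose start address is not backed by any loaded module usually means injected code rather than a legitimate DLL entry point.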

<figure><img src="/files/FUM8C8WvUhA7QhxHEl6r" alt=""><figcaption></figcaption></figure>

#### Question 4

By examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: \_.exe

* To detect this activity, we can rely on a different Sysmon event. Instead of focusing on DLL loads, we shift our attention to process access events. By checking for Sysmon event ID 10, which represents "ProcessAccess" events, we can identify any suspicious attempts to access LSASS.
* I filtered for events with [ID](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events) 10 (ProcessAccess) and searched for entries targeting lsass.exe. While there were several results, only one was launched by a suspicious executable file.

```powershell
# Sysmon Event ID 10 (ProcessAccess): keep the records whose target is lsass.exe, then
# inspect SourceImage (and GrantedAccess) to find the process that opened LSASS.
Get-WinEvent -Path 'C:\Logs\Dump\*' |
    Where-Object { $_.Id -eq 10 -and $_.Message -like '*TargetImage*lsass.exe*' } |
    Select-Object TimeCreated, Id, ProviderName, LevelDisplayName, Message
```
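As an added example (not from the original notes), the following script goes one step further than the message search above: for every Event ID 10 record targeting `lsass.exe` it decodes the `GrantedAccess` mask into the Win32 `PROCESS_*` rights and checks the `CallTrace` for the DLLs that implement `MiniDumpWriteDump`. Both help separate a dumper from the many legitimate processes that open LSASS. The log path is an assumption; the access-right values are the documented Win32 constants.

```powershell
# Added example (not from the original page): inspect Sysmon Event ID 10 (ProcessAccess)
# records that target lsass.exe and decode the GrantedAccess mask, since credential
# dumpers need read access to LSASS memory. Assumptions: logs under C:\Logs\Dump.
param([string]$LogPath = 'C:\Logs\Dump\*')

$get = { param($evt, $name) (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text' }

# Win32 process access rights relevant to reading another process's memory.
$rights = [ordered]@{
    PROCESS_VM_READ                   = 0x0010
    PROCESS_VM_WRITE                  = 0x0020
    PROCESS_VM_OPERATION              = 0x0008
    PROCESS_CREATE_THREAD             = 0x0002
    PROCESS_DUP_HANDLE                = 0x0040
    PROCESS_QUERY_INFORMATION         = 0x0400
    PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
}

function ConvertTo-AccessNames {
    # Translate a GrantedAccess value such as "0x1010" into the names of the set bits.
    param([string]$Mask)
    $value = [Convert]::ToInt32($Mask, 16)
    if ($value -eq 0x1FFFFF) { return 'PROCESS_ALL_ACCESS' }
    ($rights.GetEnumerator() | Where-Object { ($value -band $_.Value) -ne 0 } | ForEach-Object Key) -join '|'
}

$xpath = "*[System[EventID=10] and EventData[Data[@Name='TargetImage']]]"
Get-WinEvent -Path $LogPath -FilterXPath $xpath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $target = & $get $_ 'TargetImage'
        if ($target -notlike '*\lsass.exe') { return }
        $mask  = & $get $_ 'GrantedAccess'
        $trace = & $get $_ 'CallTrace'
        [pscustomobject]@{
            Time           = & $get $_ 'UtcTime'
            SourceImage    = & $get $_ 'SourceImage'
            GrantedAccess  = $mask
            Rights         = ConvertTo-AccessNames $mask
            # MiniDumpWriteDump lives in dbgcore.dll / dbghelp.dll; seeing either in the
            # call trace of an LSASS open is a strong dump indicator.
            DumpApiInTrace = [bool]($trace -match 'dbgcore\.dll|dbghelp\.dll')
        }
    } |
    # Reads of LSASS memory are what credential dumpers need; list those first.
    Sort-Object { $_.Rights -match 'VM_READ|ALL_ACCESS' } -Descending |
    Format-Table -AutoSize
```

Legitimate openers of LSASS (for example security agents or `svchost.exe`) typically appear with limited-information rights and no debug-help DLLs in the call trace; a non-standard executable with `PROCESS_VM_READ` and `dbgcore.dll` in its trace is the row to report.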

<figure><img src="/files/rjU16jeamNCnRnfqjVS0" alt=""><figcaption></figcaption></figure>

***

#### Question 5

By examining the logs located in the "C:\Logs\Dump" directory, determine if an ill-intended login took place after the LSASS dump. Answer format: Yes or No

```
no
```
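The notes record only the answer. As an added check (not from the original page), the script below shows how the question can be answered from the logs: it takes the time of the first LSASS access from the Sysmon log and lists the Security log's Event ID 4624 logons recorded after that moment, marking network (type 3) and RDP (type 10) logons, which are the ones a replayed credential would most plausibly produce. The two file names are placeholders, and it is assumed that a Security `.evtx` for the relevant host is available under `C:\Logs\Dump`.

```powershell
# Added example (not from the original page): correlate the LSASS access with later logons.
# Step 1 finds the earliest Sysmon Event ID 10 access to lsass.exe; step 2 lists Security
# Event ID 4624 logons recorded after that time. Assumptions: both .evtx files live under
# C:\Logs\Dump (the file names below are placeholders).
param(
    [string]$SysmonLog   = 'C:\Logs\Dump\Sysmon.evtx',    # placeholder name
    [string]$SecurityLog = 'C:\Logs\Dump\Security.evtx'   # placeholder name
)

$get = { param($evt, $name) (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text' }

# Step 1: when was LSASS first opened?
$dumpTime = Get-WinEvent -Path $SysmonLog -FilterXPath "*[System[EventID=10]]" -ErrorAction SilentlyContinue |
    Where-Object { (& $get $_ 'TargetImage') -like '*\lsass.exe' } |
    Sort-Object TimeCreated | Select-Object -First 1 -ExpandProperty TimeCreated
if (-not $dumpTime) { throw "No LSASS ProcessAccess event found in $SysmonLog" }
"LSASS first accessed at $dumpTime"

# Step 2: logons after that point. Logon types 3 (network) and 10 (RemoteInteractive) are
# the ones a replayed hash or password would most likely produce; type 5 (service) and
# machine-account logons (names ending in $) are usually noise.
Get-WinEvent -FilterHashtable @{ Path = $SecurityLog; Id = 4624; StartTime = $dumpTime } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $user = & $get $_ 'TargetUserName'
        $type = [int](& $get $_ 'LogonType')
        if (-not $user -or $user.EndsWith('$') -or $type -eq 5) { return }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = "$(& $get $_ 'TargetDomainName')\$user"
            LogonType   = $type
            SourceIp    = & $get $_ 'IpAddress'
            Workstation = & $get $_ 'WorkstationName'
            Suspicious  = $type -in 3, 10
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

If the second query returns no rows marked `Suspicious`, or no rows at all, the logs contain no evidence of the dumped credentials being used, which is what the "No" answer above reflects.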

***

#### Question 6

By examining the logs located in the "C:\Logs\StrangePPID" directory, determine a process that was used to temporarily execute code based on a strange parent-child relationship. Enter the process name as your answer. Answer format: \_.exe

* Finally, I filtered by events with [ID](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events) 1 (Process Creation). There were limited results, and only one of them looked suspicious.
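As an added example (not from the original notes), this script reviews Event ID 1 (Process Create) records and flags parent/child pairs that do not fit the normal Windows process tree: core system processes started by the wrong parent, script hosts launched by user-facing applications, and script hosts launched by core system processes that never spawn them. The log path, the expected-parent table and the two process lists are illustrative assumptions, not a complete ruleset.

```powershell
# Added example (not from the original page): review Sysmon Event ID 1 (Process Create)
# records and flag parent/child pairs that do not fit the normal process tree.
# Assumptions: logs under C:\Logs\StrangePPID; the tables below are illustrative.
param([string]$LogPath = 'C:\Logs\StrangePPID\*')

$get = { param($evt, $name) (([xml]$evt.ToXml()).Event.EventData.Data | Where-Object Name -eq $name).'#text' }

# Core system processes and the only parents that should normally start them.
$expectedParent = @{
    'svchost.exe'   = @('services.exe')
    'lsass.exe'     = @('wininit.exe')
    'csrss.exe'     = @('smss.exe')
    'wininit.exe'   = @('smss.exe')
    'winlogon.exe'  = @('smss.exe')
    'services.exe'  = @('wininit.exe')
    'spoolsv.exe'   = @('services.exe')
    'taskhostw.exe' = @('svchost.exe')
}
# Script hosts / living-off-the-land binaries: who launched them matters.
$scriptHosts = @('powershell.exe','cmd.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe','certutil.exe')
# User-facing applications that rarely have a legitimate reason to spawn script hosts.
$userApps = @('winword.exe','excel.exe','outlook.exe','powerpnt.exe','chrome.exe','msedge.exe','firefox.exe','acrord32.exe')

Get-WinEvent -Path $LogPath -FilterXPath "*[System[EventID=1]]" -ErrorAction SilentlyContinue |
    ForEach-Object {
        $image  = & $get $_ 'Image'
        $parent = & $get $_ 'ParentImage'
        if (-not $image -or -not $parent) { return }
        $child  = (Split-Path $image -Leaf).ToLower()
        $pname  = (Split-Path $parent -Leaf).ToLower()

        $reason = $null
        if ($expectedParent.ContainsKey($child) -and $expectedParent[$child] -notcontains $pname) {
            $reason = 'system process spawned by unexpected parent'
        } elseif ($scriptHosts -contains $child -and $userApps -contains $pname) {
            $reason = 'script host spawned by user application'
        } elseif ($scriptHosts -contains $child -and $expectedParent.ContainsKey($pname) -and $pname -ne 'svchost.exe') {
            # svchost.exe is excluded here because scheduled tasks routinely run cmd/powershell under it.
            $reason = 'script host spawned by core system process'
        }

        if ($reason) {
            [pscustomobject]@{
                Time        = & $get $_ 'UtcTime'
                ParentImage = $parent
                Image       = $image
                CommandLine = & $get $_ 'CommandLine'
                Reason      = $reason
            }
        }
    } | Format-List
```

Because the assessment directory holds only a handful of process-creation events, the flagged row (or, failing a match, a quick read of the full `ParentImage`/`Image` list) points at the process used to run code under an unusual parent.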

<figure><img src="/files/MrMOtCKV9p7tCmW5uETx" alt=""><figcaption></figcaption></figure>
