Skip to main content
HashnodeSOC Analyst LabsSOC Analyst Labs

Command Palette

Search for a command to run...

Windows Events Challenge 1 | TCM Security Write-up

Updated
3 min read
U
Umamaheswari B
👋Hi, I’m Umamaheswari Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics—based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more happy to help.

Instructions:

After noticing abnormal behavior on a Windows workstation, you have been provided with the challenge.evtx Security Event log file to analyze as part of an incident response investigation. Your task is to examine the log file and answer specific questions to understand the extent and nature of the security incident.

Challenge File:

  • 03_Endpoint_Security/Windows/Challenges/challenge.evtx
💡
When using Get-WinEvent, filter with XML fields (like ExecutionProcessID, TargetUsername, EventRecordID, Computer ) instead of plain text. If you’re unsure about the XML structure, first check the events in Event Viewer to see the field names and format — then apply your filter. Even though filtering is XML-based, the output is still in text format for readability.
  1. What is the hostname of the computer that generated the logs in the challenge.evtx file?

Ans: DESKTOP-1M5L0T9

check out the first event

Using Powershell (Get-WinEvent):

  1. What is the Process ID (PID) of the execution process that cleared the security event log?

Ans: 1104

EventID = 1102 for clearing “Security logs” only

Using Get-WinEvent:

  1. How many logon events are recorded in the logs?

Ans: 7

EventID= 4624

  1. In chronological order, list the names of the accounts that were created within the logs.

Ans: Sysadmin, Administraor, backd00r

  1. Which user account was disabled according to the event logs?

Ans: Sysadmin

  1. Which user account was deleted according to the event logs?

Ans: backd00r

  1. In chronological order, list the security-enabled local groups that the backdoor user account was added to.

Ans: Administrators, Remote Desktop Users

when we create user account: it assigns Security ID (You can see in the image above)You can track that user in event logs by matching this SID with the MemberSID in group addition events (4732), which are same, even if the username is not given

Listing every events , where any user is added to Security-enabled local groups: instead of username we got their Unique MemberSID

I Used chatgpt to help me with this: sort out every username created, and their SID’s

Get-WinEvent -Path .\challenge.evtx -FilterXPath '*/System/EventID=4720' | ForEach-Object { $.Message -match "Security ID" | Out-Null $.Message -split "`n" | Where-Object {$_ -match "Security ID|Account Name"} }

  • Different users can be added to different groups — these appear in Event ID 4732.

  • To view details for a specific group, filter by TargetUserName (the group name).

  • To view events for a specific user, filter by their SID (MemberSID).

So now lets list only group where backd00r user added to: we know his SID

backd00r is added to 2 groups , firstly to Administrators group and then to Remote Desktop Users

  1. Which user account was added to the Backup Operators group?

Ans: Sysmon

Above Member SID matches sysmon user SID

Happy Hunting!

#windows-event-logs#endpoint-security#tcm-security#challenge#soc101

Comments

Join the discussion

No comments yet. Be the first to comment.

More from this blog

S

SOC Analyst Labs

39 posts

Hands-on blue team journey covering phishing analysis, threat detection, threat intelligence, network and endpoint log analysis, web traffic analysis, and SIEM monitoring on TryHackMe and Let’s Defend

Windows Events Challenge Guide: TCM Security