# Events Ripper

## Download and unzip Events Ripper

<https://github.com/keydet89/Events-Ripper>

<div align="left"><figure><img src="/files/uBlF4bt8WnQ3Q01mIqNz" alt=""><figcaption></figcaption></figure></div>

This took about 5 minutes to process all the events logs from our original image (mounted as G: using AIM). The result is a \~200MB text file.

<div align="left"><figure><img src="/files/WBw1xaRBdc818KDi6Spb" alt=""><figcaption></figcaption></figure></div>

Trawling through 948,134 lines of text by hand isn't an efficient use of time. Events Ripper also ships erip.exe, which runs plugins against the events file to pull out specific event types and add some context to the data. From the GitHub repo:

```
Similar to RegRipper, you can run a single plugin against the events file:

erip -f c:\cases\events.txt -p failedlogins

Or, you can run all plugins (you're so very welcome, Dray) against the events file:

erip -f c:\cases\events.txt -a
```

<div align="left"><figure><img src="/files/M4HoFmMIFPPHJvXwmQyx" alt=""><figcaption></figcaption></figure></div>

After we run erip, the resultant refined file is \~560KB with 7,134 lines.

## Locating relevant entries

Given the nature of our incident, Events Ripper allows us to quickly identify relevant artefacts. Let's look at RDP activity and failed/successful account authentication.

<div align="left"><figure><img src="/files/UUJA8D1kBM7QbF7QDxea" alt=""><figcaption></figcaption></figure></div>

Add these to our accounts of interest, and IPs of interest.

<div align="left"><figure><img src="/files/IziLvdSUCeMCRs6m6KKE" alt=""><figcaption></figcaption></figure></div>

Logon type 3 (network logon) accounts for a significant number of events, and the source IP addresses for those logons are listed alongside them. 36.133.110.87 appears in this list too, so update the running list of IPs.

<div align="left"><figure><img src="/files/pjFNzCosHsHnyZppXPbt" alt=""><figcaption></figcaption></figure></div>

This output shows:

* Type 10 logons (RemoteInteractive, i.e. RDP).
* The source host name reported for the logon (kali).
* More logons from the same remote IP addresses.

<div align="left"><figure><img src="/files/tq2Zn6jJMIL3mubik5Hz" alt=""><figcaption></figcaption></figure></div>

Based on the artefacts/entries above, we can refine our initial assessment to activity from these source IP addresses, focusing on the 4 user accounts (if they all exist) around 5th February 2024 \~23:02 Z/UTC.

## Running tally of indicators

Accounts:

* admin
* root
* user
* administrator

Hostnames:

* WIN-NI8FBK23SLO
* kali  :eyes:

IPs:

* 185.229.66.183 (failed login source, type 10 login source)
* 36.133.110.87 (failed login source, successful login source)
* 31.220.85.162 (successful login source)
* 195.21.1.97 (type 3 and 10 logins)
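The logon-type, account and IP checks in the previous section, and the running tally above, can be scripted so the same questions are asked of every case. The script below is an added example written for this write-up; it is not Events Ripper code or one of its plugins. It parses a constructed, simplified pipe-delimited format (timestamp|EID|account|logon_type|workstation|source_ip|status), which is an assumption for illustration and not the layout events.exe actually writes, so `parse_events()` is the part to adapt to real output. The sample lines reuse the accounts and IPs from this page; their timestamps, workstation names and status codes are made up.

```python
"""Tally logon events into an indicator list (accounts, hostnames, IPs).

Added example for this write-up; it is not part of Events Ripper or its
plugins. The input is a constructed, simplified pipe-delimited line per
event (timestamp|EID|account|logon_type|workstation|source_ip|status).
This is NOT the real events.txt layout that events.exe writes, so the
parse_events() function is the part to adapt to real output.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Windows logon types as recorded in the LogonType field of 4624/4625.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample data using the accounts and IPs from this write-up;
# the timestamps, workstation names and NTSTATUS codes are made up.
SAMPLE_EVENTS = """\
2024-02-05T22:58:11Z|4625|admin|3|-|185.229.66.183|0xC000006D
2024-02-05T22:58:12Z|4625|root|3|-|185.229.66.183|0xC000006D
2024-02-05T22:59:40Z|4625|administrator|3|-|36.133.110.87|0xC000006A
2024-02-05T23:00:02Z|4624|administrator|3|-|36.133.110.87|0x0
2024-02-05T23:01:15Z|4624|administrator|3|-|31.220.85.162|0x0
2024-02-05T23:02:07Z|4624|administrator|10|kali|185.229.66.183|0x0
2024-02-05T23:02:30Z|4624|user|3|-|195.21.1.97|0x0
2024-02-05T23:03:01Z|4624|user|10|kali|195.21.1.97|0x0
2024-02-05T23:05:44Z|4624|WIN-NI8FBK23SLO$|5|WIN-NI8FBK23SLO|-|0x0
2024-02-05T23:06:10Z|4672|SYSTEM|0|-|-|0x0
"""


@dataclass(frozen=True)
class LogonEvent:
    when: datetime
    eid: int
    account: str
    logon_type: int
    workstation: str
    source_ip: str
    status: str

    @property
    def succeeded(self) -> bool:
        return self.eid == 4624


def parse_events(text: str) -> list[LogonEvent]:
    """Parse the simplified format above, keeping only 4624/4625 events."""
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("|")
        if len(fields) != 7:
            raise ValueError(f"malformed event line: {raw!r}")
        ts, eid, account, ltype, workstation, ip, status = fields
        if int(eid) not in (4624, 4625):
            continue  # not a logon success/failure; ignored here
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(LogonEvent(when, int(eid), account, int(ltype), workstation, ip, status))
    return events


def is_remote(ip: str) -> bool:
    """Treat empty and loopback sources as local; everything else as remote."""
    return ip not in ("-", "", "127.0.0.1", "::1")


def tally_indicators(events: list[LogonEvent]) -> dict:
    """Build the running tally: logon-type counts, accounts, hostnames, IPs."""
    by_type = Counter(LOGON_TYPES.get(e.logon_type, f"Type{e.logon_type}") for e in events)
    ip_tags: dict[str, set[str]] = defaultdict(set)
    failed_per_ip: Counter = Counter()
    accounts, hostnames = set(), set()
    remote_times = []
    for e in events:
        if not is_remote(e.source_ip):
            continue  # local/service logons do not go on the indicator list
        remote_times.append(e.when)
        accounts.add(e.account.lower())
        if e.workstation != "-":
            hostnames.add(e.workstation)
        if e.succeeded:
            ip_tags[e.source_ip].add(f"type {e.logon_type} login source")
        else:
            ip_tags[e.source_ip].add("failed login source")
            failed_per_ip[e.source_ip] += 1
    return {
        "by_type": dict(by_type),
        "accounts": sorted(accounts),
        "hostnames": sorted(hostnames),
        "ips": {ip: sorted(tags) for ip, tags in ip_tags.items()},
        "failed_per_ip": dict(failed_per_ip),
        "window": (min(remote_times), max(remote_times)) if remote_times else None,
    }


if __name__ == "__main__":
    tally = tally_indicators(parse_events(SAMPLE_EVENTS))
    print("Logons by type:", tally["by_type"])
    print("Accounts:", ", ".join(tally["accounts"]))
    print("Hostnames:", ", ".join(tally["hostnames"]))
    for ip, tags in sorted(tally["ips"].items()):
        print(f"{ip}: {'; '.join(tags)}")
    start, end = tally["window"]
    print(f"Remote activity window: {start:%Y-%m-%d %H:%M:%S}Z to {end:%Y-%m-%d %H:%M:%S}Z")
```

The tally deliberately excludes logons with no remote source (the machine account's service logon in the sample), so the account list only contains names that a remote party actually authenticated as, and the time window brackets remote activity only. The failed-attempt count per IP is what you would compare against the success events to tell a password spray that eventually worked from one that didn't.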

{% embed url="<https://windowsir.blogspot.com/2024/07/what-is-events-ripper.html>" %}

