Events Ripper

How to process Windows event logs from E01 using Events Ripper

Last updated 10 months ago

Download and unzip Events Ripper

This took about 5 minutes to process all the event logs from our original image (mounted as G: using AIM). The result is a ~200MB text file.

Trawling through 948,134 lines in a text file isn't the most efficient use of time. Events Ripper also includes erip.exe, which runs plugins over the events file to parse and identify specific events and add some context to the data. From the GitHub repo:

Similar to RegRipper, you can run a single plugin against the events file:

erip -f c:\cases\events.txt -p failedlogins

Or, you can run all plugins (you're so very welcome, Dray) against the events file:

erip -f c:\cases\events.txt -a

After we run erip, the resultant refined file is ~560KB with 7,134 lines.

Locating relevant entries

Given the nature of our incident, Events Ripper allows us to quickly identify relevant artefacts. Let's look at RDP activity and failed/successful account authentication.

Add these to our lists of accounts of interest and IPs of interest.

We can see that logon type 3 (network logon) accounts for a significant number of events, together with the IP addresses those logons came from. 36.133.110.87 appears in this list as well. Update our running list of IPs.

Type 10 logins (remote interactive - RDP).

Source host machine (kali).

More logins from the same remote IP addresses.

Based on the following artefacts/entries, we should be able to refine our initial assessment to activity from the source IP addresses, focusing on the 4 user accounts (if they all exist), around 5th February 2024 ~23:02 Z/UTC.

Running tally of indicators

Accounts:

  • admin

  • root

  • user

  • administrator

Hostnames:

  • WIN-NI8FBK23SLO

IPs:

  • 185.229.66.183 (failed login source, type 10 login source)

  • 36.133.110.87 (failed login source, successful login source)

  • 31.220.85.162 (successful login source)

  • 195.21.1.97 (type 3 and 10 logins)

  • kali (source host machine)

Events Ripper on GitHub: https://github.com/keydet89/Events-Ripper