# Events Ripper

## Download and unzip Events Ripper

<https://github.com/keydet89/Events-Ripper>

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FgDrTQvVLx2U5eg7fLbBq%2Fimage.png?alt=media&#x26;token=d8815ab9-605a-461f-acf4-6d043b953cd0" alt=""><figcaption></figcaption></figure></div>

Parsing all the event logs from our original image (mounted as G: using AIM) took about 5 minutes. The result is a \~200MB events text file.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FKMDQndvtKOinSpcLI81l%2Fimage.png?alt=media&#x26;token=93b0f6b1-43fc-4c75-9f9b-4a8f405bd3ff" alt=""><figcaption></figcaption></figure></div>

Trawling through 948,134 lines of text by hand isn't an efficient use of time. Events Ripper also includes erip.exe, which runs plugins against the events file to pick out specific events and add some context to the data. From the GitHub repo:

```
Similar to RegRipper, you can run a single plugin against the events file:

erip -f c:\cases\events.txt -p failedlogins

Or, you can run all plugins (you're so very welcome, Dray) against the events file:

erip -f c:\cases\events.txt -a
```

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FR1KKDmK1jZMqcuvB9ubQ%2Fimage.png?alt=media&#x26;token=1aecce70-d5cc-4c6f-85ec-d1853421474b" alt=""><figcaption></figcaption></figure></div>

After we run erip against the events file, the resulting refined output is \~560KB with 7,134 lines.

## Locating relevant entries

Given the nature of our incident, Events Ripper lets us quickly identify the relevant artefacts. Let's look at RDP activity and failed/successful account authentication.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FOe9F9oPbQsmY131fKdPK%2Fimage.png?alt=media&#x26;token=51297b8d-337e-4cce-98f4-5675d57ded77" alt=""><figcaption></figcaption></figure></div>

Add these to our running lists of accounts of interest and IPs of interest.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FQ8oNDWOjrrYQw5qNnXq5%2Fimage.png?alt=media&#x26;token=f63a0955-4d56-437b-973e-4dae519d7776" alt=""><figcaption></figcaption></figure></div>

We can see that logon type 3 (network logon) accounts for a significant number of events, along with the source IP addresses associated with those logons. 36.133.110.87 appears in this list too. Update our running list of IPs.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FRG7jDyCw5KfXV9yd9ajn%2Fimage.png?alt=media&#x26;token=dcf394d6-ff16-4c9a-a368-ef2be02a1ea0" alt=""><figcaption></figcaption></figure></div>

Type 10 logons (RemoteInteractive, i.e. RDP), with the source workstation name recorded as kali, and more logons from the same remote IP addresses.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FUXIusVShiLEdAOadkUgn%2Fimage.png?alt=media&#x26;token=b326e745-2c04-4f48-abcf-b9c0e1dade07" alt=""><figcaption></figcaption></figure></div>

Based on the artefacts/entries below, we can refine our initial assessment to activity from these source IP addresses, focusing on the four user accounts (if they all exist on the host), around 5th February 2024 \~23:02 Z/UTC.
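To show what this triage looks like in code, here is an added Python example (not part of this page and not code from Events Ripper) that parses a constructed snippet of an events file, keeps type 3 and type 10 logons from remote addresses, tallies 4624/4625 events by logon type, source IP and account, and carries the accounts, IPs and workstation names forward as a running indicator list with an activity window. It assumes the five-field pipe-delimited TLN layout that Events Ripper consumes (time|source|system|user|description), with the description holding Provider/EventID, the audit level and the comma-joined EventData strings; the field positions follow the EventData order of 4624 and 4625. The sample lines reuse the IPs and account names from this case but are constructed, not copied from the real events.txt.

```python
"""Triage remote logon activity in an Events Ripper style events file.

Added example, not code from Events Ripper. Assumptions:
  * each line is TLN: time|source|system|user|description
  * description is Provider/EventID;Level;comma-joined EventData strings
  * field positions below follow the EventData element order of 4624/4625
"""
from collections import Counter
from datetime import datetime, timezone

SECURITY = "Microsoft-Windows-Security-Auditing"

# 0-based EventData positions. 4625 carries Status/FailureReason/SubStatus
# before LogonType, so its offsets differ from 4624.
FIELDS = {
    4624: {"user": 5, "domain": 6, "logon_type": 8, "workstation": 11, "ip": 18},
    4625: {"user": 5, "domain": 6, "logon_type": 10, "workstation": 13, "ip": 19},
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive (RDP)"}
LOCAL_SOURCES = {"", "-", "127.0.0.1", "::1"}

# Constructed sample lines in the assumed layout (not real case data).
SAMPLE_LINES = [
    "1707174120|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4625;Audit Failure;S-1-0-0,-,-,0x0,S-1-0-0,admin,,0xc000006d,%%2313,0xc000006a,3,NtLmSsp ,NTLM,-,-,-,0,0x0,-,185.229.66.183,0",
    "1707174123|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4625;Audit Failure;S-1-0-0,-,-,0x0,S-1-0-0,admin,,0xc000006d,%%2313,0xc000006a,3,NtLmSsp ,NTLM,-,-,-,0,0x0,-,185.229.66.183,0",
    "1707174125|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4625;Audit Failure;S-1-0-0,-,-,0x0,S-1-0-0,root,,0xc000006d,%%2313,0xc000006a,3,NtLmSsp ,NTLM,-,-,-,0,0x0,-,36.133.110.87,0",
    "1707174131|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4624;Audit Success;S-1-0-0,-,-,0x0,S-1-5-21-1,user,WIN-NI8FBK23SLO,0x1a2b3c,3,NtLmSsp ,NTLM,-,{00000000-0000-0000-0000-000000000000},-,NTLM V2,128,0x0,-,36.133.110.87,55412",
    r"1707174140|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4624;Audit Success;S-1-5-18,WIN-NI8FBK23SLO$,WORKGROUP,0x3e7,S-1-5-21-500,administrator,WIN-NI8FBK23SLO,0x2b3c4d,10,User32 ,Negotiate,kali,{00000000-0000-0000-0000-000000000000},-,-,0,0x1f4,C:\Windows\System32\winlogon.exe,185.229.66.183,0",
    r"1707174150|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-Security-Auditing/4624;Audit Success;S-1-5-18,WIN-NI8FBK23SLO$,WORKGROUP,0x3e7,S-1-5-18,SYSTEM,NT AUTHORITY,0x3e7,5,Advapi  ,Negotiate,-,{00000000-0000-0000-0000-000000000000},-,-,0,0x2a4,C:\Windows\System32\services.exe,-,-",
    "1707174160|EVT|WIN-NI8FBK23SLO|S-1-5-18|Microsoft-Windows-System/7036;Information;Windows Update,running",
    "not a valid line",
]


def parse_events(lines):
    """Yield one dict per 4624/4625 event; skip malformed and non-logon lines."""
    for line in lines:
        parts = line.rstrip("\r\n").split("|", 4)
        if len(parts) != 5:
            continue
        ts, _source, system, _user, desc = parts
        pieces = desc.split(";", 2)
        if len(pieces) != 3 or not ts.isdigit():
            continue
        provider, _, eid = pieces[0].rpartition("/")
        if provider != SECURITY or not eid.isdigit() or int(eid) not in FIELDS:
            continue
        idx = FIELDS[int(eid)]
        strings = pieces[2].split(",")
        # Guard against truncated string lists and non-numeric logon types.
        if len(strings) <= max(idx.values()) or not strings[idx["logon_type"]].isdigit():
            continue
        yield {
            "time": datetime.fromtimestamp(int(ts), tz=timezone.utc),
            "system": system,
            "event_id": int(eid),
            "user": strings[idx["user"]],
            "domain": strings[idx["domain"]],
            "logon_type": int(strings[idx["logon_type"]]),
            "workstation": strings[idx["workstation"]],
            "ip": strings[idx["ip"]],
        }


def remote_logons(events, logon_types=(3, 10)):
    """Keep only logons of the given types that came from a non-local address."""
    return [e for e in events
            if e["logon_type"] in logon_types and e["ip"] not in LOCAL_SOURCES]


def logon_tally(events):
    """Count successes (4624) and failures (4625) per (logon type, source IP, account)."""
    tally = {"success": Counter(), "failed": Counter()}
    for e in events:
        bucket = "success" if e["event_id"] == 4624 else "failed"
        tally[bucket][(e["logon_type"], e["ip"], e["user"].lower())] += 1
    return tally


def indicators(events):
    """Running lists of accounts, source IPs and workstation names to carry forward."""
    accounts = {e["user"].lower() for e in events}
    ips = {e["ip"] for e in events}
    hosts = {e["workstation"] for e in events if e["workstation"] not in ("", "-")}
    return accounts, ips, hosts


def activity_window(events):
    """Earliest and latest event time (UTC) in the set, or None when empty."""
    if not events:
        return None
    times = [e["time"] for e in events]
    return min(times), max(times)


if __name__ == "__main__":
    evts = remote_logons(parse_events(SAMPLE_LINES))
    tally = logon_tally(evts)
    for bucket in ("failed", "success"):
        for (ltype, ip, user), n in sorted(tally[bucket].items()):
            print(f"{bucket:7} type {ltype:2} ({LOGON_TYPES.get(ltype, '?')}) {ip:>15} {user:<14} x{n}")
    accts, ips, hosts = indicators(evts)
    print("accounts:", sorted(accts), "ips:", sorted(ips), "hosts:", sorted(hosts))
    first, last = activity_window(evts)
    print("window:", first.isoformat(), "->", last.isoformat())
```

Point `parse_events` at the real events.txt (`open(path, encoding="utf-8", errors="replace")`) to run it over a case; the type 5 service logon and the non-security event in the sample are dropped by the filters, which is the same narrowing the erip logon plugins perform before you start reading.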

## Running tally of indicators

Accounts:

* admin
* root
* user
* administrator

Hostnames:

* WIN-NI8FBK23SLO
* kali  :eyes:

IPs:

* 185.229.66.183 (failed login source, type 10 login source)
* 36.133.110.87 (failed login source, successful login source)
* 31.220.85.162 (successful login source)
* 195.21.1.97 (type 3 and 10 logins)

{% embed url="<https://windowsir.blogspot.com/2024/07/what-is-events-ripper.html>" %}
