Try Hack Me: Windows Event Logs

  • Published 24 Jan 2025

COMMENTS • 63

  • @stuffy24  2 years ago +6

    PowerShell is my favorite way to pull logs! What's yours?!

    • @Surya000Bhakti-xv4xw  8 months ago

      Just a question: how do you copy and paste code into the Windows VM? I tried and it doesn't work.

    • @stuffy24  8 months ago +1

      @Surya000Bhakti-xv4xw Ctrl+C to copy and Ctrl+V to paste

  • @JDobermann  1 year ago +1

    Thank you man, it was a really discouraging room until I found your video. Great work!

  • @Diamond_Chocobo  1 year ago +1

    Super helpful! It's far better to spend 1 hour learning and watching this way than spending multiple hours just on the box itself.

  • @hensolo8825  1 year ago +1

    This is so helpful!!! Thank you! I was so confused with the room alone.

  • @tamaraf69  2 years ago +3

    I had recently been hacked - or at least caught the start of it - and I knew nearly nothing about the Windows Event Logs. This really helped me see how to read them, and I think I'd like to actually work in this area.

    • @stuffy24  2 years ago

      That's awesome! So cool to see people learn and progress! Hit me up on the Discord and I can give you some paths to get started!

  • @sielecassharpe678  10 months ago +1

    I completed this room but it was tough for me. Thank you for your walkthrough. I am going through it again because I want to better understand what I'm doing and how to query these logs. Your walkthrough is super duper helpful, and now the material makes way more sense the second time around.

    • @stuffy24  10 months ago

      Glad it helped! That's all I care about.

    • @stuffy24  10 months ago

      Make sure to check out the Discord as well for further help.

  • @ShadowNoIT  1 month ago +1

    Very, very helpful around ~19:30. Enjoy the commentary.

    • @stuffy24  1 month ago

      @ShadowNoIT Thanks so much!

  • @TheSoundEffectZone  1 year ago +1

    Thanks, the room would probably have taken forever if you hadn't uploaded this. Glad you also explained some extra stuff.

  •  2 years ago +6

    XPath really did a number on my head 😅

  • @mallorii86110  1 year ago +2

    Thank you. I was so stumped on Task 7, mainly because I'm always hesitant to Google, and there were SO many sources at once - some of which no longer work...
    I wasn't sure what I was meant to already know and what I was "allowed" to look up, if that makes sense. So I really avoided doing it for a few days.

    • @mallorii86110  1 year ago

      But once I actually knew what to filter, it wasn't so bad. With finding the downgrade attack, the version being 2.0 was also a giveaway IIRC.

    • @stuffy24  1 year ago +1

      Thank you! I definitely understand what you mean! It's tough to know when you know something well enough!

    • @mallorii86110  1 year ago +1

      @stuffy24 It was literally making me so stressed for days LMFAO, then it was so simple.

    • @stuffy24  1 year ago

      @mallorii86110 Literally hacking in a nutshell lol
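
The "version 2.0 giveaway" mentioned in the thread above, as an added example (my own code, not from the video or the TryHackMe room): a PowerShell downgrade shows up in the classic "Windows PowerShell" log as an "Engine state is changed" event (ID 400) whose message body carries `EngineVersion=2.0`. The file path is an assumption; if the export is not present the script falls back to the live channel on the host it runs on.

```powershell
# Added example (not from the video or the room): hunt for PowerShell engine
# downgrades by reading event 400 ("Engine state is changed") from the
# "Windows PowerShell" log and keeping only starts of a 2.0 engine.

# Assumption: an exported log file to analyse. Fall back to the live channel
# on this host if the file is not there.
$EvtxPath = '.\merged.evtx'
$source = if (Test-Path $EvtxPath) { @{ Path = $EvtxPath } } else { @{ LogName = 'Windows PowerShell' } }

# Coarse filter in XPath, evaluated by the event log service: only EventID 400.
# Event 400 comes from a classic provider whose data fields are unnamed, so the
# EngineVersion value is easiest to read from the rendered message text.
$xpath = '*[System[EventID=400]]'

$downgrades = Get-WinEvent @source -FilterXPath $xpath -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        # HostApplication is the command line that launched the v2 engine,
        # e.g. "powershell.exe -Version 2 ..." - the thing you actually want to see.
        $hostApp = if ($_.Message -match 'HostApplication=(.*)') { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            TimeCreated     = $_.TimeCreated
            RecordId        = $_.RecordId
            HostApplication = $hostApp
        }
    }

if ($downgrades) {
    $downgrades | Sort-Object TimeCreated | Format-Table -AutoSize -Wrap
} else {
    Write-Host 'No EngineVersion=2.0 engine starts found.'
}
```

Keep the XPath coarse (event ID only) and do the string match in PowerShell: `-FilterXPath` is evaluated inside the event log service and is fast, but the EngineVersion line lives in the rendered message, not in a named EventData field you could address from XPath. Rendering the message needs the provider's metadata on the analysis box, which any Windows host has for the built-in "Windows PowerShell" provider.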

  • @cindysoto9651  3 days ago

    How did you toggle between the previous commands at this point, 41:58?

  • @DigitalHoplite  11 months ago +1

    Great content!

  • @anthonysandoval-n3m  1 year ago +1

    These are actually helpful!!!

  • @silentkille4  2 years ago +2

    Really like your videos.

    • @stuffy24  2 years ago

      Thank you!

    • @stuffy24  2 years ago +1

      @Mr Robot I can try and take a look at it tonight.

    • @pograva  2 years ago

      @stuffy24 Did you resolve the question? 💪

    • @stuffy24  2 years ago +1

      @pograva I will try to look tonight. Can you hop on the Discord and remind me?

    • @pograva  2 years ago

      @stuffy24 Yes, don't worry 😊. I'm fine to do the combination of the commands, but I think that the question is not very understandable 😔

  • @jacvbtaylor  1 year ago +1

    Thank you!

    • @stuffy24  1 year ago

      Thank you for the support!

  • @JoeCarter-p4d  2 months ago +1

    THM is frustrating sometimes. I wrote the XPath query for the second question but it didn't work in the answer slot or in the PS. I restarted the VM; it didn't work. Restarted the room; it didn't work. Looked up this video, went back and it still didn't work. Copied the value to my clipboard and gave up. At a later time, I went back, and all I did was paste the same thing from my clipboard and it worked in both the answer and the PS.

    • @stuffy24  2 months ago

      @JoeCarter-p4d Most likely there was a small difference, such as a blank space or something that you couldn't see. It's common, unfortunately.

  • @JAWbreaker316  11 months ago

    I noticed TryHackMe doesn't do this, but in the LogName section of the query, it's not listed in this Details View on the XML chart. So how do we know when to use "Application" versus "Security", etc.? Is it solely due to the data we are looking to retrieve? Is there a comprehensive list of the LogNames we can look at? Tried searching but no luck. (And BTW, I thought that all of this info would be on the Event Viewer XML Details tab, but TryHackMe doesn't really explain why we needed to use "Application" when it first teaches the command in the modules.) Thanks for helping me understand.

    • @stuffy24  11 months ago

      Application logs are going to correlate to applications, where Security correlates to security actions such as access logs.

  • @tryme8191  1 year ago +1

    Task 3 question "What event files would be read when using the query-events command?" - did anyone have an issue with submitting the answer "Read events from an event log, log file, or using structured query"? It keeps saying this is the wrong answer!!!

    • @tunechilee15  1 year ago +1

      I know this is late, but the answer is "event log, log file, or structured query" - they shortened the answer.

    • @deanhaycox  1 year ago

      @tunechilee15 Just tried it and it works.

  • @kananalasgarli2193  2 years ago

    Where did you find the log clear event ID 104? I also searched and just found 1102. Task 7 Q3.

    • @stuffy24  2 years ago +1

      Just a quick bit of research, and this was one of my first Google responses if you want to check it out: kb.eventtracker.com/evtpass/evtpages/EventId_104_Microsoft-Windows-Eventlog_64337.asp

    • @kananalasgarli2193  2 years ago

      @stuffy24 Thanks for the quick response bro

    • @pograva  2 years ago

      27736
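
An added example (my own code, not from the video or the TryHackMe room) that serves two threads above: @JAWbreaker316's question about where the LogName comes from and which names exist, and @kananalasgarli2193's question about event 104 versus 1102. The LogName is the channel an event was written to (it appears in the XML as System/Channel, not as a separate "LogName" field), and the list of channels can be enumerated rather than guessed. Both log-clear events come from the same provider, Microsoft-Windows-Eventlog, but land in different channels: 1102 in Security when the audit log is cleared, 104 in System when any other log is cleared.

```powershell
# Added example (not from the video or the room). Runs against the live logs of
# the host; reading the Security channel requires an elevated prompt.

# 1. Which log names exist? List the channels that actually hold records,
#    most populated first. "Application", "Security" and "System" are the
#    classic three; provider channels such as
#    Microsoft-Windows-PowerShell/Operational show up in the same list.
Get-WinEvent -ListLog * -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordCount -gt 0 } |
    Sort-Object RecordCount -Descending |
    Select-Object LogName, RecordCount, LogMode, MaximumSizeInBytes -First 15 |
    Format-Table -AutoSize

# 2. Log clearing: same provider, two channels.
#      1102 in Security : "The audit log was cleared."
#      104  in System   : "The <channel> log file was cleared."
$queries = @(
    @{ LogName = 'Security'; XPath = '*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and EventID=1102]]' }
    @{ LogName = 'System';   XPath = '*[System[Provider[@Name="Microsoft-Windows-Eventlog"] and EventID=104]]' }
)

$cleared = foreach ($q in $queries) {
    Get-WinEvent -LogName $q.LogName -FilterXPath $q.XPath -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Both events put their details under UserData/LogFileCleared rather
            # than EventData, so read the XML instead of regexing the Message.
            $e = ([xml]$_.ToXml()).Event
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                EventID     = $_.Id
                FoundIn     = $q.LogName
                ClearedLog  = if ($_.Id -eq 104) { $e.UserData.LogFileCleared.Channel } else { 'Security' }
                User        = '{0}\{1}' -f $e.UserData.LogFileCleared.SubjectDomainName, $e.UserData.LogFileCleared.SubjectUserName
            }
        }
}

if ($cleared) {
    $cleared | Sort-Object TimeCreated | Format-Table -AutoSize
} else {
    Write-Host 'No log-clear events (104 or 1102) found.'
}
```

Against an exported .evtx that merges several channels, replace `-LogName $q.LogName` with `-Path <file>` and add `Channel="Security"` (or `"System"`) inside the `System[...]` predicate, since every event's System section records the channel it came from. A 1102 is the high-signal one: it is written by the Event Log service itself at the moment the Security log is cleared, so an attacker who wipes the log leaves exactly one event behind in the fresh log.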

  • @denza2843  1 year ago +1

    Network Security and Traffic Analysis was way more interesting than going through Endpoint Security Monitoring (it was kind of boring).
    I hope that SIEM and Phishing will be more interesting.
    Anyone with similar thinking?

    • @stuffy24  1 year ago +1

      Haha, well to be fair most SIEMs will ingest these logs and then you can search for them, but the reality is you have to know how to do this for offensive and defensive, because you have to understand what is getting logged and how it appears in order to avoid it. Endpoint security is insanely fun, just not reading logs lol

  • @johnvardy9559  9 months ago

    @stuffy24 Could you tell me, the CDSA or the CCD cert?

    • @stuffy24  9 months ago +1

      That depends on you and what you're trying to get them for.

    • @johnvardy9559  9 months ago

      @stuffy24 Thanks stuffy. What interests me is to acquire skills, and after that to be able to ASK for a job.

    • @stuffy24  9 months ago +1

      @johnvardy9559 Well, those both will provide skills to you. Neither will get you a job.

    • @johnvardy9559  9 months ago

      @stuffy24 I agree, that's why I asked you which of the two will give me more stuff and more value.

    • @stuffy24  9 months ago +1

      @johnvardy9559 That entirely depends on you, though: what your goals are and what you want to get out of them. I can't tell you what skills you need to learn since I don't know your current skill set.

  • @dited555dited7  1 year ago +1

    Task 3: /if:true does not work.

    • @stuffy24  1 year ago

      Feel free to join the Discord and throw your questions with screenshots in there.

    • @dited555dited7  1 year ago

      It's /lf:true (it was an L).

    • @deanhaycox  1 year ago

      @dited555dited7 I put an I as well, until I heard it on the video as an L.
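
The `/lf` switch from the thread above and the `query-events` (`qe`) verb asked about in the Task 3 thread, as an added example (my own, not from the video or the TryHackMe room). `wevtutil qe` treats its first argument as a channel name unless `/lf:true` (lowercase L, for "logfile") tells it the argument is a path to an .evtx file. The file path is an assumption.

```powershell
# Added example (not from the video or the room): the same wevtutil query
# against an exported file and against a live channel, to show what /lf changes.
$Evtx = '.\merged.evtx'     # assumed path to an exported log file

# Inspect the file first: record count and the time span it covers.
# gli = get-log-info; /lf:true makes it read a file instead of a channel.
wevtutil gli $Evtx /lf:true

# Query the file. /q takes the same XPath you would hand to Get-WinEvent
# -FilterXPath; /rd:true returns newest first, /c caps the count, /f:text
# renders the message instead of emitting raw XML.
wevtutil qe $Evtx /lf:true /q:"*[System[Level=2]]" /rd:true /c:10 /f:text

# Without /lf:true the first argument must be a channel name. el = enum-logs
# lists every channel on the host, which is how you find the exact spelling.
wevtutil el | Select-String -Pattern 'PowerShell'
wevtutil qe "Windows PowerShell" /q:"*[System[Level=2]]" /rd:true /c:10 /f:text
```

Keep the XPath free of spaces when passing it through PowerShell to a native command, or wrap the whole `/q:...` argument in quotes; a stray space splits it into two arguments and wevtutil reports a query error that looks a lot like the "/if vs /lf" typo in the thread. The error for a mistyped switch is the same "invalid option" message whichever letter is wrong, so compare the switch against `wevtutil qe /?` before restarting a VM.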