Event-Viewing
- Description: One of the employees at your company has their computer infected by malware! Turns out every time they try to switch on the computer, it shuts down right after they log in. The story given by the employee is as follows:
- They installed software using an installer they downloaded online
- They ran the installed software but it seemed to do nothing
- Now every time they bootup and login to their computer, a black command prompt screen quickly opens and closes and their computer shuts down instantly. See if you can find evidence for each of these events and retrieve the flag (split into 3 pieces) from the correct logs!
- Difficulty: Medium
🔎 Solution
We were provided with the Windows_Logs.evtx file, a native Windows Event Log file. To make the log data more accessible and easier to parse, we first converted the .evtx file into .xml format with the python-evtx library (the .evtx file is also fully viewable using the built-in Event Viewer in Windows).
```python
# Requires python-evtx (pip install python-evtx)
from Evtx.Evtx import Evtx


def parse_evtx_file(file_path, output_file):
    """Dump every record of an .evtx file as XML under a single <Events> root."""
    try:
        with Evtx(file_path) as log:
            # record.xml() returns each record as an <Event> element string
            xml_records = [record.xml() for record in log.records()]
        with open(output_file, "w", encoding="utf-8") as f:
            # Wrap the records so the output is one well-formed XML document
            f.write("<Events>\n")
            for rec in xml_records:
                f.write(rec + "\n")
            f.write("</Events>")
        print(f"[+] Successfully saved to: {output_file}")
    except FileNotFoundError:
        print("[!] Error: File not found. Please check the file path and try again.")
    except Exception as e:
        print(f"[!] An unexpected error occurred: {e}")


if __name__ == "__main__":
    evtx_file = "Windows_Logs.evtx"
    output_xml = "result.xml"
    parse_evtx_file(evtx_file, output_xml)
```
Action 1: Software installation
Our investigation begins in the Application channel with Event ID 1033 from the MsiInstaller provider, which records that Windows Installer installed a product (the fourth string, 0, is the installation status, i.e. success). The product is named Totally_Legit_Software, version 1.3.3.7, though its legitimacy is questionable at best.
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="MsiInstaller"></Provider>
<EventID Qualifiers="0">1033</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x0080000000000000</Keywords>
<TimeCreated SystemTime="2024-07-15 15:55:57.729797+00:00"></TimeCreated>
<EventRecordID>2373</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="0" ThreadID="0"></Execution>
<Channel>Application</Channel>
<Computer>DESKTOP-EKVR84B</Computer>
<Security UserID="S-1-5-21-3576963320-1344788273-4164204335-1001"></Security>
</System>
<EventData><Data><string>Totally_Legit_Software</string>
<string>1.3.3.7</string>
<string>0</string>
<string>0</string>
<string>cGljb0NURntFdjNudF92aTN3djNyXw==</string>
<string>(NULL)</string>
<string></string>
</Data>
<Binary>ezNEM0MzODMzLURFRDYtNDAyMi1CNUExLUU3RjM3Nzg5QzM5MH0wMDAwNzY1MzdiOTcwMjM5ZjlhMDc1MGM0MWI4ODY0ZmRhYzkwMDAwMDAwMA==</Binary>
</EventData>
</Event>
```
Embedded in the record, in the slot where the Manufacturer name normally sits, is a suspicious Base64-encoded string. (The Binary element is Base64 too, but it only decodes to the product-code GUID followed by hex digits, not flag text.) Decoded, the string reveals the beginning of the flag: picoCTF{Ev3nt_vi3wv3r_
Action 2: Program execution
Next, Event ID 4657 (Security channel: a registry value was modified) records a new value being written under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, the autostart key Windows processes at every logon and a classic persistence location for malware. OperationType %%1904 means a new value was created, and the writing process is Totally_Legit_Software.exe itself, which is our evidence that the installed program was actually run. The new value, named Immediate Shutdown, points at a shutdown utility named custom_shutdown.exe in the same program directory. Note that 4657 only appears when registry object-access auditing is enabled and the key carries a SACL; on a default workstation you would have to fall back to Sysmon Event ID 13 or a registry snapshot to see this write.
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}"></Provider>
<EventID Qualifiers="">4657</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12801</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2024-07-15 15:56:19.103197+00:00"></TimeCreated>
<EventRecordID>168656</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="4" ThreadID="1084"></Execution>
<Channel>Security</Channel>
<Computer>DESKTOP-EKVR84B</Computer>
<Security UserID=""></Security>
</System>
<EventData><Data Name="SubjectUserSid">S-1-5-21-3576963320-1344788273-4164204335-1001</Data>
<Data Name="SubjectUserName">user</Data>
<Data Name="SubjectDomainName">DESKTOP-EKVR84B</Data>
<Data Name="SubjectLogonId">0x000000000005a428</Data>
<Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
<Data Name="ObjectValueName">Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)</Data>
<Data Name="HandleId">0x0000000000000208</Data>
<Data Name="OperationType">%%1904</Data>
<Data Name="OldValueType">-</Data>
<Data Name="OldValue">-</Data>
<Data Name="NewValueType">%%1873</Data>
<Data Name="NewValue">C:\Program Files (x86)\Totally_Legit_Software\custom_shutdown.exe</Data>
<Data Name="ProcessId">0x0000000000001bd0</Data>
<Data Name="ProcessName">C:\Program Files (x86)\Totally_Legit_Software\Totally_Legit_Software.exe</Data>
</EventData>
</Event>
```
The value name carries another Base64 string, which decodes to 1s_a_pr3tty_us3ful_
Action 3: System reboot
Examining Event ID 1074 (System channel, User32 provider: a process has initiated a shutdown or restart, recording the process, the shutdown type, the reason code and a free-text comment), we observe two events:
- The first, at 16:46, is a restart initiated by the legitimate RuntimeBroker.exe process with reason Other (Unplanned); its comment field (param6) is empty, so there is nothing to decode here.
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32"></Provider>
<EventID Qualifiers="32768">1074</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-07-15 16:46:14.079933+00:00"></TimeCreated>
<EventRecordID>3668</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="436" ThreadID="564"></Execution>
<Channel>System</Channel>
<Computer>DESKTOP-EKVR84B</Computer>
<Security UserID="S-1-5-21-3576963320-1344788273-4164204335-1001"></Security>
</System>
<EventData><Data Name="param1">C:\Windows\System32\RuntimeBroker.exe (DESKTOP-EKVR84B)</Data>
<Data Name="param2">DESKTOP-EKVR84B</Data>
<Data Name="param3">Other (Unplanned)</Data>
<Data Name="param4">0x0</Data>
<Data Name="param5">restart</Data>
<Data Name="param6"></Data>
<Data Name="param7">DESKTOP-EKVR84B\user</Data>
</EventData>
</Event>
```
- The second, at 17:01, is a shutdown (param5 = shutdown, not a restart) initiated by C:\Windows\system32\shutdown.exe with a custom reason code, 0x800000ff, that Windows has no title for. The record does not name custom_shutdown.exe directly; the natural reading is that custom_shutdown.exe, launched from the Run key at logon, spawns the built-in shutdown utility, which matches the command prompt the employee saw flash open and close. The comment field (param6) holds the final Base64 fragment, which decodes to t00l_81ba3fe9}
```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="User32" Guid="{b0aa8734-56f7-41cc-b2f4-de228e98b946}" EventSourceName="User32"></Provider>
<EventID Qualifiers="32768">1074</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8080000000000000</Keywords>
<TimeCreated SystemTime="2024-07-15 17:01:05.393583+00:00"></TimeCreated>
<EventRecordID>3801</EventRecordID>
<Correlation ActivityID="" RelatedActivityID=""></Correlation>
<Execution ProcessID="432" ThreadID="3496"></Execution>
<Channel>System</Channel>
<Computer>DESKTOP-EKVR84B</Computer>
<Security UserID="S-1-5-21-3576963320-1344788273-4164204335-1001"></Security>
</System>
<EventData><Data Name="param1">C:\Windows\system32\shutdown.exe (DESKTOP-EKVR84B)</Data>
<Data Name="param2">DESKTOP-EKVR84B</Data>
<Data Name="param3">No title for this reason could be found</Data>
<Data Name="param4">0x800000ff</Data>
<Data Name="param5">shutdown</Data>
<Data Name="param6">dDAwbF84MWJhM2ZlOX0=</Data>
<Data Name="param7">DESKTOP-EKVR84B\user</Data>
</EventData>
</Event>
```
Combining the 3 decoded parts, we recover the complete flag.
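As an added example (not part of the original solution), the following stand-alone Python script automates the hunt that the three actions above performed by hand: it walks the XML produced by the conversion step, scans the EventData strings of each record for tokens that validate as Base64 and decode to printable text, and reassembles the fragments in timestamp order. The embedded SAMPLE_XML is trimmed from the four records quoted above (the Binary element of the 1033 record is kept to show why it must be skipped, and the RuntimeBroker.exe 1074 record to show a record that yields nothing); the function names (iter_events, decode_candidate, find_encoded_strings, recover_flag) are my own and use only the standard library.

```python
"""Hunt for Base64 fragments hidden in Windows event log XML (added example)."""
import base64
import binascii
import re
import sys
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# EventData text lives in <Data> elements and, for classic providers such as
# MsiInstaller, in <string> children. <Binary> is skipped on purpose: it is raw
# bytes and therefore always Base64, so it would match every time.
DATA_TAGS = {"{%s}Data" % NS["e"], "{%s}string" % NS["e"]}
# Runs of the Base64 alphabet with optional padding; validated in decode_candidate().
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{12,}={0,2}")

# Constructed sample: the four records from the write-up, trimmed to what matters.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="MsiInstaller"></Provider><EventID Qualifiers="0">1033</EventID>
<TimeCreated SystemTime="2024-07-15 15:55:57.729797+00:00"/><Channel>Application</Channel></System>
<EventData><Data><string>Totally_Legit_Software</string><string>1.3.3.7</string><string>0</string>
<string>0</string><string>cGljb0NURntFdjNudF92aTN3djNyXw==</string><string>(NULL)</string><string></string></Data>
<Binary>ezNEM0MzODMzLURFRDYtNDAyMi1CNUExLUU3RjM3Nzg5QzM5MH0wMDAwNzY1MzdiOTcwMjM5ZjlhMDc1MGM0MWI4ODY0ZmRhYzkwMDAwMDAwMA==</Binary>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="Microsoft-Windows-Security-Auditing"></Provider><EventID Qualifiers="">4657</EventID>
<TimeCreated SystemTime="2024-07-15 15:56:19.103197+00:00"/><Channel>Security</Channel></System>
<EventData><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</Data>
<Data Name="ObjectValueName">Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)</Data>
<Data Name="NewValue">C:\Program Files (x86)\Totally_Legit_Software\custom_shutdown.exe</Data>
<Data Name="ProcessId">0x0000000000001bd0</Data>
<Data Name="ProcessName">C:\Program Files (x86)\Totally_Legit_Software\Totally_Legit_Software.exe</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="User32"></Provider><EventID Qualifiers="32768">1074</EventID>
<TimeCreated SystemTime="2024-07-15 16:46:14.079933+00:00"/><Channel>System</Channel></System>
<EventData><Data Name="param1">C:\Windows\System32\RuntimeBroker.exe (DESKTOP-EKVR84B)</Data>
<Data Name="param3">Other (Unplanned)</Data><Data Name="param5">restart</Data>
<Data Name="param6"></Data><Data Name="param7">DESKTOP-EKVR84B\user</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<Provider Name="User32"></Provider><EventID Qualifiers="32768">1074</EventID>
<TimeCreated SystemTime="2024-07-15 17:01:05.393583+00:00"/><Channel>System</Channel></System>
<EventData><Data Name="param1">C:\Windows\system32\shutdown.exe (DESKTOP-EKVR84B)</Data>
<Data Name="param4">0x800000ff</Data><Data Name="param5">shutdown</Data>
<Data Name="param6">dDAwbF84MWJhM2ZlOX0=</Data><Data Name="param7">DESKTOP-EKVR84B\user</Data>
</EventData></Event>
</Events>"""


def iter_events(xml_text):
    """Yield (event_id, system_time, provider, data_strings) for every <Event>."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        event_id = int(system.findtext("e:EventID", default="0", namespaces=NS))
        when = system.find("e:TimeCreated", NS).get("SystemTime", "")
        provider = system.find("e:Provider", NS).get("Name", "")
        texts = [el.text for el in ev.iter() if el.tag in DATA_TAGS and el.text]
        yield event_id, when, provider, texts


def decode_candidate(token):
    """Decode token if it is well-formed Base64 yielding printable ASCII, else None.
    The length and validate=True checks reject hex handles (0x00...1bd0), hostnames
    and ordinary words (CurrentVersion) that merely use the Base64 alphabet."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_encoded_strings(xml_text, event_ids=None):
    """Return [(time, event_id, provider, token, decoded)] for every Base64 hit in
    EventData, optionally limited to event_ids, sorted chronologically."""
    hits = []
    for event_id, when, provider, texts in iter_events(xml_text):
        if event_ids and event_id not in event_ids:
            continue
        for text in texts:
            for token in B64_TOKEN.findall(text):
                decoded = decode_candidate(token)
                if decoded is not None:
                    hits.append((when, event_id, provider, token, decoded))
    return sorted(hits)


def recover_flag(xml_text, event_ids=(1033, 4657, 1074)):
    """Join the decoded fragments from the three event types in time order."""
    return "".join(h[4] for h in find_encoded_strings(xml_text, set(event_ids)))


if __name__ == "__main__":
    # Pass result.xml from the conversion step, or run on the embedded sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_XML
    for when, event_id, provider, token, decoded in find_encoded_strings(xml_text):
        print(f"{when}  {event_id:>4}  {provider:<36} {token} -> {decoded}")
    print("Flag:", recover_flag(xml_text))
```

On the full result.xml the printable-ASCII filter is what keeps the noise down: handles, SIDs and GUIDs either fail the length check or decode to bytes outside the printable range, so what survives is short enough to eyeball, and the chronological sort puts the fragments in the order the attacker's actions happened.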
🚩Flag
picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81ba3fe9}