In this post, I would like to share some walkthroughs on the Sherlock Challenges such as Logjammer can be considered a Easy Difficulty

Case Study of Logjammer Sherlock

You have been presented with the opportunity to work as a junior DFIR consultant for a big consultancy. However, they have provided a technical assessment for you to complete. The consultancy Forela-Security would like to gauge your knowledge of Windows Event Log Analysis. Please analyse and report back on the questions they have asked.

Introduction to Logjammer Sherlock Challenge

Firstly, we need to download the file into our machine to analyze it more deeply.

For Windows Users:

After we extracted the zip file, we managed to retrieve five(5) files which show the challenge on Windows Logs which looks like an EVTX file.

The file explanation would be shown as below:

  • Powershell-Operational: Logs detailed records of PowerShell activities on the system, encompassing executed commands, run scripts, and any errors or warnings encountered during execution.
  • Security: Contains records about security events on the system, including user authentication, privilege modifications, account management activities, and changes to security policies.
  • System: Captures system-level events such as startup and shutdown processes, driver and service failures, hardware configuration modifications, and system resource usage.
  • Windows Defender-Operational: Tracks activities and status updates of Windows Defender, including malware detections, scans, updates, and other security-related events managed by Windows Defender.
  • Windows Firewall-Firewall: Logs events related to firewall operations, including permitted and blocked network connections, rule modifications, and the startup and shutdown events of the firewall service.

For those who are not familiar with the EVTX file, you can read the details below:

The Windows XML Event Log (EVTX) format is a structured file format used by Microsoft Windows operating systems to record system, application, and security events. These logs are crucial for diagnosing system problems, monitoring application behavior, and conducting security audits. The EVTX format was introduced with Windows Vista and has since been used in all subsequent Windows versions, replacing the older EVT format used in Windows XP and earlier.

                                       Source: ChatGPT

There are a lot of methods and tools to analyze the file format such as

The screenshot show on how it look on Event Viewer interface

For Linux User:

1. When did user cyberjunkie successfully log into his computer? (UTC)

2. The user tampered with firewall settings on the system. Analyze the firewall event logs to find out the Name of the firewall rule added?

3.What’s the direction of the firewall rule?

4. The user changed audit policy of the computer. What’s the Subcategory of this changed policy?

5.The user “cyberjunkie” created a scheduled task. What’s the name of this task?

6.What’s the full path of the file which was scheduled for the task?

7.What are the arguments of the command?

8. The antivirus running on the system identified a threat and performed actions on it. Which tool was identified as malware by antivirus?

9.What’s the full path of the malware which raised the alert?

10. What action was taken by the antivirus?

11. The user used Powershell to execute commands. What command was executed by the user?

12. We suspect the user deleted some event logs. Which Event log file was cleared?