Working a recent incident, I came across something very unusual. I started by going back into a previous investigation run against the endpoint that had been conducted a month ago, and extracting the WEVTX files collected as part of that investigation. So, the WEVTX files were retrieved from the endpoint on 30 Apr, and when I created the timeline, I found that the four most recent time segments were from 1 June 2024…that’s right, 2024!
As I was using some of the indicators we already had (file and process names) to pivot into the timeline, I saw that I had Security Event Log records from 2020…now, that is weird! After all, it’s not often that I see Security Event Log records going back a week or month, let alone 3 years!
Another indicator was the sessions.pl output from Events Ripper; I had logins lasting 26856 hours (1119 days), and others lasting -16931 hours (over 705 days). Given how the session span is calculated, I knew something was “off” in the Security (and very likely, other) Event Logs, particularly the records associated with logon and logoff events.
I knew something was up, but I also knew that finding the “what was up” was based largely on my experience, and might not be something a new or more junior analyst would be familiar with. After all, if an analyst was to create a timeline (and I’m seeing every day that’s a pretty big “if”), and if they were pivoting off of known indicators to build context, then how likely would it be that they had the experience to know that something was amiss?
So, naturally, I wrote an Events Ripper plugin
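The two symptoms described above (records timestamped after the logs were collected, and logon sessions with negative or implausibly long spans) can be checked mechanically. The following is an added illustration in Python, not the author's Events Ripper plugin and not sessions.pl; the records, logon IDs, user names, collection date and the 30-day "plausible session" threshold are all constructed for the example. Sessions are paired the way the symptoms imply: a 4624 (logon) is matched to the next 4634 (logoff) carrying the same logon ID in record order, and the span is logoff time minus logon time, so a logoff that precedes its logon in the clock produces a negative span.

```python
"""Timestamp sanity checks for a Security Event Log timeline.

Constructed example, not an Events Ripper plugin. Flags:
  * records whose timestamp is later than the collection time, and
  * logon sessions (4624 paired with 4634 by logon ID) whose span is
    negative or longer than a plausible maximum.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Assumed collection time of the WEVTX files (constructed).
COLLECTED_AT = datetime(2023, 4, 30, tzinfo=UTC)

# Assumed upper bound for a believable interactive/service session.
MAX_PLAUSIBLE_SESSION = timedelta(days=30)

# Constructed sample records in the order they sit in the log:
# (timestamp, event ID, logon ID, user). 4624 = logon, 4634 = logoff.
# Logon IDs and users are invented for the example.
SAMPLE_RECORDS = [
    (datetime(2023, 4, 28, 9, 0, tzinfo=UTC), 4624, "0x1a2b", "alice"),
    (datetime(2023, 4, 28, 17, 30, tzinfo=UTC), 4634, "0x1a2b", "alice"),
    (datetime(2020, 3, 1, 8, 0, tzinfo=UTC), 4624, "0x3c4d", "svc"),   # 3 years earlier
    (datetime(2023, 4, 29, 8, 0, tzinfo=UTC), 4634, "0x3c4d", "svc"),
    (datetime(2024, 6, 1, 12, 0, tzinfo=UTC), 4624, "0x5e6f", "bob"),  # after collection
    (datetime(2023, 4, 29, 10, 0, tzinfo=UTC), 4634, "0x5e6f", "bob"),
]


def future_records(records, collected_at):
    """Return records timestamped after the logs were collected.

    Nothing written to a log can legitimately post-date the moment the
    log file was retrieved, so any hit is a timestamp problem.
    """
    return [r for r in records if r[0] > collected_at]


def session_spans(records):
    """Pair each 4624 with the next 4634 for the same logon ID, in record
    order, and return (logon_id, user, span_hours) for each pair."""
    open_logons = {}
    spans = []
    for ts, event_id, logon_id, user in records:
        if event_id == 4624:
            open_logons[logon_id] = (ts, user)
        elif event_id == 4634 and logon_id in open_logons:
            logon_ts, logon_user = open_logons.pop(logon_id)
            hours = (ts - logon_ts).total_seconds() / 3600
            spans.append((logon_id, logon_user, hours))
    return spans


def suspect_sessions(records, max_span=MAX_PLAUSIBLE_SESSION):
    """Return (logon_id, user, span_hours, reason) for sessions whose span
    is negative (logoff before logon) or exceeds max_span."""
    limit_hours = max_span.total_seconds() / 3600
    flagged = []
    for logon_id, user, hours in session_spans(records):
        if hours < 0:
            flagged.append((logon_id, user, hours, "negative span"))
        elif hours > limit_hours:
            flagged.append((logon_id, user, hours, "span exceeds plausible maximum"))
    return flagged


if __name__ == "__main__":
    for ts, event_id, logon_id, user in future_records(SAMPLE_RECORDS, COLLECTED_AT):
        print(f"FUTURE  {ts.isoformat()} event {event_id} logon {logon_id} ({user})")
    for logon_id, user, hours, reason in suspect_sessions(SAMPLE_RECORDS):
        print(f"SESSION {logon_id} ({user}): {hours:.1f} h, {reason}")
```

Run against a real timeline, the first list is the quickest tell that the clock was wrong when some records were written; the second reproduces the absurd positive and negative durations that sessions.pl surfaced and points at the specific logon IDs to investigate.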
[…]