
Cyber Defense CTF > Log_analysis


An analyst noticed some suspicious account activity on a workstation. We think the device may be compromised – can you look into this?

For this challenge, we are given log_chall.evtx to download and investigate.

We can open the file in Event Viewer. You will notice right away that every record has event ID 4624 (a successful logon).

We can simply use the 'Find' command to search for 'leveleffect', which takes us straight to the record with the flag in its TargetUserName field.
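The same search can be scripted so it scales past a single Find click, and so the analyst can also see which logon types and source addresses the matching 4624 events carry. The block below is an added example, not part of this writeup: it parses records in the shape Event Viewer's XML view uses for Security log entries, with three constructed sample records (including one whose TargetUserName carries a flag-style string) standing in for the real log_chall.evtx. To run it against an actual .evtx file, the python-evtx library can render each record to the same XML with `record.xml()`; that step is left out here so the example runs offline.

```python
import xml.etree.ElementTree as ET

# Event Viewer's "XML View" renders every Security log record in this namespace.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _record(event_id, time, target_user, logon_type, src_ip):
    """Build one constructed record shaped like a Security log XML view entry."""
    return f"""<Event xmlns="{NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing"/>
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}"/>
    <Channel>Security</Channel>
    <Computer>WORKSTATION-01</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">{target_user}</Data>
    <Data Name="TargetDomainName">WORKSTATION-01</Data>
    <Data Name="LogonType">{logon_type}</Data>
    <Data Name="IpAddress">{src_ip}</Data>
  </EventData>
</Event>"""


# Constructed sample records (not taken from the challenge file): two ordinary
# logons and one whose TargetUserName carries a flag-style string.
SAMPLE_RECORDS = [
    _record(4624, "2024-01-10T08:02:11Z", "alice", 2, "-"),
    _record(4624, "2024-01-10T08:15:43Z", "svc_backup", 3, "10.0.0.5"),
    _record(4624, "2024-01-10T09:47:02Z", "leveleffect{in_the_system}", 10, "203.0.113.7"),
]


def parse_record(xml_text):
    """Flatten one record into a dict: System fields plus every EventData field by Name."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields = {
        "EventID": int(system.find("e:EventID", NS).text),
        "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        "Computer": system.find("e:Computer", NS).text,
    }
    for d in root.findall("e:EventData/e:Data", NS):
        fields[d.get("Name")] = d.text or ""
    return fields


def find_logons_by_user(records, needle):
    """Return the 4624 records whose TargetUserName contains needle (case-insensitive)."""
    needle = needle.lower()
    return [
        ev for ev in map(parse_record, records)
        if ev["EventID"] == 4624 and needle in ev.get("TargetUserName", "").lower()
    ]


def logon_type_summary(records):
    """Count 4624 events per LogonType; type 10 (RemoteInteractive) from an
    unfamiliar address is the kind of entry worth a second look on a workstation."""
    counts = {}
    for ev in map(parse_record, records):
        if ev["EventID"] == 4624:
            counts[ev["LogonType"]] = counts.get(ev["LogonType"], 0) + 1
    return counts


if __name__ == "__main__":
    for ev in find_logons_by_user(SAMPLE_RECORDS, "leveleffect"):
        print(ev["TimeCreated"], ev["TargetUserName"],
              "LogonType", ev["LogonType"], "from", ev["IpAddress"])
    print(logon_type_summary(SAMPLE_RECORDS))
```

The search is deliberately a substring match on TargetUserName only, mirroring what Find does in the writeup; the logon-type summary is the extra context a defender would pull from the same records before deciding whether the workstation is compromised.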

in_the_system
