TL;DR Walkthrough of the Auditing & Monitoring TryHackMe room, part of the Security Engineer pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
The Security Engineer pathway is new to TryHackMe. It’s a good pathway overall so far, however it has really glazed over some details. This room is another example of that. Tasks 1 through 4 had typos and misspelled “organization” in the questions. Task 7 only mentioned Event Viewer for viewing and querying Windows logs and completely neglected to mention PowerShell.
Most of the room was simply Googling and finding the answers. I’ll show how we queried to get the answers using the provided VMs in Tasks 6 and 7.
Let’s get to it.
— — Task 1 — -
What do you call the systematic review of an organization’s technological infrastructure, policies and operations?
Auditing
What do you call the continuous observation of an organization’s computer technologies and related resources?
Monitoring
— — Task 2 — -
Which type of audit is conducted by independent auditors?
External audit
Which type of audit is conducted by an organization’s own personnel?
Internal audit
— — Task 3 — -
What is the standard used by organization’s that process card payments?
PCI DSS
Yes, “PCI DSS”, not “PCI-DSS” as I have seen it written everywhere else. TryHackMe is wonky sometimes with the exact verbiage in their answers.
Who developed ITIL?
CCTA
(British Government’s Central Computer and Telecommunications Agency)
Who developed COBIT?
ISACA
(Information Systems Audit & Control Association)
— — Task 4 — -
Which step do we present our findings about non-conformities, weaknesses and issues noted?
4
At which stage does an organisation review the steps based on recommendations for proper and satisfactory implementation?
5
At which stage do the auditors establish the audit scope and define its objectives?
1
— — Task 5 — -
Check the Intro to Logs room for more detailed logging coverage.
No answer needed
— — Task 6 — -
Connect to the VM:
ssh maxine@10.10.58.255Password = AuditMe!
Using aureport, how many failed logins have occurred so far?
sudo aureport --failed263
Using ausearch, how many failed logins are related to the username mike?
sudo ausearch --message USER_LOGIN --success no --interpret | grep acct=mike | wc -l4
Using ausearch, how many failed logins are related to the username root?
sudo ausearch --message USER_LOGIN --success no --interpret | grep acct=root | wc -l227
— — Task 7 — -
Connect to the VM:
xfreerdp /v:10.10.173.144 /u:dawn /p:AuditMe! /dynamic-resolutionWhat is the event ID for a failed login attempt?
4625
How many failed login attempts do you have under the security events?
(Get-EventLog -LogName Security -InstanceId 4625).Count2
How many failed login attempts took place in 2021?
(Get-EventLog -LogName Security -InstanceId 4625 | Where-Object {$_.TimeGenerated -like “*2021*”}).Count1
Alt method to answer both questions with one query:
Get-EventLog -LogName Security -InstanceId 4625 | Select-Object TimeGenerated
— — Task 8 — -
Ensure you have read and taken note of the difference between logging and monitoring.
No answer needed
— — Task 9 — -
Consider joining one of the recommended information for an in-depth exploration of a SIEM.
No answer needed
— — Task 10 — -
Ensure you have noted the main concepts presented in this room.
No answer needed
Summary
We wrote howtos on configuring logging in Windows here, here, and here.
We went over how to query logs and some things to look for here.
TryHackMe has a really good room on logs in the Cyber Defense Pathway called ‘Windows Event Logs’. We wrote a walkthrough of it here.
This room really just skims over logging, so I would highly recommend looking at other sources as well. I am also a big fan of PowerShell for this stuff as querying in Event Viewer quickly becomes unworkable as logs get larger.
References
Get-WinEvent vs Get-EventLog: https://www.reddit.com/r/PowerShell/comments/69kbkd/getwinevent_vs_geteventlog_performance/
Get events between two dates: https://www.reddit.com/r/PowerShell/comments/16obstu/how_can_i_output_event_viewer_data_of_a_specific/
