Lab 04 — Windows Artifacts
Setup
This is a reference lab — its environment lives in the companion
plaintext-labs repo:
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/forensics/04-windows-artifacts
make up # build the chainsaw + python-registry container
make fetch-data # download the real EVTX-ATTACK-SAMPLES .evtx files into data/
make demo # parse the bundled EVTX and registry hive; print key findings
make shell # drop in to explore interactively
make down # stop when done
The container includes chainsaw and python-registry. The primary artifact is real: make fetch-data pulls Windows .evtx from the public EVTX-ATTACK-SAMPLES corpus (by sbousseaden, ~200 real .evtx mapped to MITRE ATT&CK). See PROVENANCE.md for the exact files and URLs. The samples cover the lab's three questions:
- a logon sample (EID 4624) — who authenticated
- a process-creation sample (EID 4688) — what ran
- Defense Evasion/DE_1102_security_log_cleared.evtx (real EID 1102 log-clear) — how the attacker covered tracks
Supporting seed files (offline fallback / registry, so make demo works before fetch-data):
- data/security-events.jsonl — pre-shaped Security events for the offline demo
- data/ntuser-parsed.json — a small synthetic registry hive with persistence and MRU entries
Everything runs locally against bundled or downloaded public data. No authorization needed.
Scenario
This module is anchored to the Lunar Spider intrusion (The DFIR Report, 2025) — a single
malicious JavaScript click that grew into a near-two-month domain compromise. The IR team has
triaged the initially compromised workstation (BEACHHEAD-WS01) and collected two key artifacts:
a Security event log and the user's registry hive. The endpoint was running for approximately 12
hours after the anomalous outbound connection before the IR team arrived. Your task is to parse
both artifacts and answer three questions: Who authenticated? What ran? How did it persist?
Only examine evidence you are authorised to handle. In a real case, these files would arrive with a verified hash from Module 01.
Do
- [ ] Hunt the real event logs with chainsaw. After make fetch-data, run chainsaw hunt against the downloaded data/*.evtx with Sigma rules:

      chainsaw hunt data/ --sigma /opt/sigma-rules/ --mapping /opt/chainsaw/mappings/sigma-event-logs-all.yml

  If Sigma rules are unavailable, use chainsaw search to find logon and process events:

      chainsaw search --event-id 4624 data/   # who authenticated
      chainsaw search --event-id 4688 data/   # what ran

  Document: which accounts authenticated? Which processes were created? Note any 4688 events with suspicious parent-child relationships (e.g., cmd.exe spawned by outlook.exe).
- [ ] Find the log clear event. Search the real Defense Evasion/DE_1102_security_log_cleared.evtx sample for Event ID 1102 (Security log cleared). Was the log cleared? If so, who cleared it and when? What does this tell you about the attacker's post-exploitation behavior?
- [ ] Parse the registry hive for persistence. Use python-registry to enumerate the run keys in data/ntuser.dat. What autorun entries are present? Are any suspicious (unexpected paths, encoded commands, or unknown executables)?
- [ ] Extract MRU (Most Recently Used) entries. Look for recently opened files and typed paths in the hive:

      from Registry import Registry
      reg = Registry.Registry('data/ntuser.dat')  # same hive as the persistence step
      # RecentDocs MRU
      recent_docs = reg.open('Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs')
      # TypedPaths MRU (Explorer address bar)
      typed_paths = reg.open('Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths')

  What files were recently opened? Do the paths (e.g. \\FILESHARE-SRV01\finance\restricted) align with the exfiltration scenario from Module 01?
- [ ] Document your findings. Write windows-artifact-findings.md with:
  - Table of authentication events (Event ID 4624): account name, logon type, source IP, timestamp
  - Table of process creation events (Event ID 4688): process name, parent process, command line, timestamp
  - List of autorun persistence entries from the registry
  - MRU entries that are relevant to the investigation
  - Short paragraph: attacker timeline reconstruction based on log + registry evidence combined
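Once the Run-key values are in hand, the three signals the persistence step names (unexpected paths, encoded commands, unknown or misplaced executables) can be checked mechanically. This is an added example, not code from the lab or the plaintext-labs repo; the Run values are constructed, and with python-registry you would read them from the values() of the opened Run key instead.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Run-key values (value name -> command) as python-registry would
# return them from Software\Microsoft\Windows\CurrentVersion\Run in an NTUSER.DAT hive.
# The base64 blob is a placeholder, not a real payload.
RUN_VALUES = {
    "OneDrive": '"C:\\Users\\j.doe\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
    "Updater": 'C:\\Users\\j.doe\\AppData\\Roaming\\svchost.exe',
    "Sync": 'powershell.exe -NoP -w hidden -enc BASE64PLACEHOLDER',
}

USER_WRITABLE = ("\\appdata\\roaming\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# PowerShell accepts any prefix of -EncodedCommand from -e upwards, so match -e, -ec, -enc, ...
ENCODED = re.compile(r"(?:^|\s)-e(?:c|n[a-z]*)?(?=\s)", re.IGNORECASE)

def executable_of(cmd):
    # The launched binary is the quoted first token, or else the first whitespace-delimited token
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    return cmd.split()[0]

def triage(cmd):
    # Return the reasons an autorun value deserves a closer look (empty list = nothing flagged)
    exe = executable_of(cmd)
    low = exe.lower()
    name = PureWindowsPath(low).name
    reasons = []
    if any(d in low for d in USER_WRITABLE):
        reasons.append("user-writable path")
    if not re.match(r"^[a-z]:\\", low):
        reasons.append("relative path, resolved via PATH")
    if name in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"system binary name {name} outside the Windows directory")
    if name in SCRIPT_HOSTS:
        reasons.append(f"script host {name}")
    if ENCODED.search(cmd):
        reasons.append("encoded command")
    return reasons

def triage_all(values):
    # Map each Run value name to its reasons so the findings table can mark it suspicious or benign
    return {name: triage(cmd) for name, cmd in values.items()}
```

These are triage hints, not verdicts: a flagged entry still needs the binary's hash, signature and on-disk timestamps checked before it goes in the findings table as malicious.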
Success criteria — you're done when
- [ ] At least three Event ID 4624 or 4688 events are documented with fields extracted.
- [ ] Persistence entries from the registry are identified and noted as suspicious or benign.
- [ ] MRU entries are extracted and correlated with the intrusion scenario.
- [ ] windows-artifact-findings.md includes a timeline narrative.
- [ ] You can explain what Event ID 1102 means and why finding it is significant.
Deliverables
Commit windows-artifact-findings.md to your fork. Do not commit any modified versions of the seed EVTX or hive files.
Automate & own it
Required. Write a Python script parse-windows-artifacts.py that:
1. Takes paths to an EVTX file and a registry hive as arguments.
2. Extracts all 4624, 4625, and 4688 events from the EVTX using python-evtx or chainsaw's JSON output.
3. Extracts all run key values from the hive.
4. Produces a Markdown report with a timeline section and a persistence section.
Have a model draft the script; read every line and run it against the seed data before committing. This is the automation move for Windows triage — a first-pass report that tells you within 60 seconds what a machine was doing and what persisted.
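An added example (not the lab's parse-windows-artifacts.py and not from the plaintext-labs repo) of the EVTX half of step 2 and the timeline section of step 4, working from chainsaw's JSON output. The record shape is an assumption (evtx-crate style, with EventID either a bare integer or an #attributes/#text object); the sample records are constructed, but the EventData field names are the real Security log ones.

```python
import json

# Constructed sample standing in for `chainsaw search -j` output. The Event/System/EventData
# nesting and the #attributes/#text wrappers follow the evtx-crate JSON chainsaw emits
# (assumption); the EventData field names are the real Security log field names.
SAMPLE_JSON = json.dumps([
    {"Event": {"System": {"EventID": 4624, "TimeCreated": {"#attributes": {"SystemTime": "2025-03-01T08:02:11Z"}}},
               "EventData": {"TargetUserName": "j.doe", "LogonType": 2, "IpAddress": "-"}}},
    {"Event": {"System": {"EventID": 1102, "TimeCreated": {"#attributes": {"SystemTime": "2025-03-01T19:40:05Z"}}},
               "UserData": {"SubjectUserName": "j.doe"}}},  # out of scope for this script; must be filtered out
    {"Event": {"System": {"EventID": {"#attributes": {"Qualifiers": 0}, "#text": 4688},
                          "TimeCreated": {"#attributes": {"SystemTime": "2025-03-01T08:05:40Z"}}},
               "EventData": {"NewProcessName": "C:\\Windows\\System32\\cmd.exe",
                             "ParentProcessName": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
                             "CommandLine": "cmd.exe /c wscript.exe C:\\Users\\j.doe\\Downloads\\invoice.js"}}},
])

IN_SCOPE = {4624: "Logon", 4625: "Failed logon", 4688: "Process created"}

def event_id(rec):
    # EventID is a bare int or {'#attributes': ..., '#text': int}; normalise both forms
    eid = rec["Event"]["System"]["EventID"]
    return int(eid["#text"] if isinstance(eid, dict) else eid)

def summarize(rec):
    # Reduce one record to the columns the lab's findings tables ask for
    system, data = rec["Event"]["System"], rec["Event"].get("EventData", {})
    eid = event_id(rec)
    if eid == 4688:
        detail = (f"parent={data.get('ParentProcessName', '?')} "
                  f"new={data.get('NewProcessName', '?')} cmd={data.get('CommandLine', '')}")
    else:  # 4624 and 4625 share the logon fields
        detail = (f"account={data.get('TargetUserName', '?')} "
                  f"logon_type={data.get('LogonType', '?')} src={data.get('IpAddress', '?')}")
    return {"time": system["TimeCreated"]["#attributes"]["SystemTime"],
            "eid": eid, "label": IN_SCOPE[eid], "detail": detail}

def timeline(json_text):
    # Keep only 4624/4625/4688, ordered by SystemTime (ISO-8601, so a string sort is chronological)
    recs = json.loads(json_text)
    return sorted((summarize(r) for r in recs if event_id(r) in IN_SCOPE), key=lambda r: r["time"])

def to_markdown(rows):
    # Render the timeline section; a '|' inside a command line would break the table, so escape it
    out = ["## Timeline", "", "| Time (UTC) | EID | Event | Detail |", "|---|---|---|---|"]
    for r in rows:
        detail = r["detail"].replace("|", "\\|")
        out.append(f"| {r['time']} | {r['eid']} | {r['label']} | {detail} |")
    return "\n".join(out)
```

Point timeline() at the text of `chainsaw search -j` over data/ and write to_markdown() into the report; the persistence section is the other half of the script and is left to the registry step.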
AI acceleration
Feed chainsaw's JSON output to a model and ask it to identify the three most suspicious events and explain why. For the registry, describe the value you found and ask whether it's a known persistence technique. Cross-check every ATT&CK technique ID the model names against attack.mitre.org before including them in your report — models confuse technique IDs.
Connects forward
The execution and authentication events you surface here feed directly into the super-timeline in Module 07 (plaso ingests EVTX and the timeline correlates events across sources). The persistence mechanisms you identify connect to Module 08 (triage and live response — detecting persistence at scale) and Module 12 (malware artifacts in IR).
Marketable proof
"I parse Windows event logs and registry hives offline using chainsaw and python-registry — surfacing authentication anomalies, execution chains, and persistence mechanisms from raw forensic artifacts."
Stretch
- Install MFTECmd (Eric Zimmerman) in the container and parse the $MFT from a test image — compare the execution timestamps to what you see in the EVTX.
- Research Amcache: write a Python snippet using python-registry to enumerate Amcache.hve's InventoryApplicationFile entries and extract SHA-1 hashes of executed files.