Description
A compromised Windows host keeps shutting down. You're given Security.evtx and must prove three events (install, registry change, shutdown) while extracting the Base64 flag pieces buried in the event data.
Parse the EVTX file (Windows Event Viewer, EvtxEcmd, or python-evtx all work).
Filter for Event IDs 1033, 4657, and 1074 to identify the installer, registry tampering, and forced shutdown.
python3 parse_evtx.py Security.evtx > output.xml
strings output.xml | grep -E 'cGljb0|MXNf|dDAw'
Solution
- Step 1: Extract Event ID 1033. The Windows Installer log for Totally_Legit_Software includes `Manufacturer: cGljb0NURntFdjNudF92aTN3djNyXw==`. Decode it to get the first third of the flag.
Learn more
Windows Event Log (.evtx) files are binary logs that record system activity, security events, and application messages. The EVTX format replaced the older .evt format in Windows Vista and stores events in a structured binary format with XML-encoded content inside each record. Each event is identified by an Event ID number that describes the type of activity recorded.
Event ID 1033 is generated by the Windows Installer (MSI) subsystem when a product installation completes. It records the product name, version, language, manufacturer, and installation result code. Attackers who install malicious software on a compromised host will generate Event ID 1033 entries, making it a useful forensic artifact for detecting unauthorized software installations.
Tools for parsing EVTX files without Windows Event Viewer include python-evtx (pure Python EVTX parser), EvtxEcmd (Eric Zimmerman's command-line tool that exports to CSV/JSON/XML), and Chainsaw (a Rust-based tool designed for threat hunting in EVTX files). On Linux, python-evtx is the most accessible option.
- Step 2: Review Event ID 4657. The registry modification event stores `Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)`, which is the second flag chunk.
Learn more
Event ID 4657 - "A registry value was modified" - is logged by the Security audit subsystem when a monitored registry key is changed. This event requires the Audit Registry policy to be enabled and the specific registry key to have SACL (System Access Control List) auditing configured. It records the key path, old value, new value, and the process that made the change.
Registry modifications are a key indicator of compromise. Attackers use the registry for persistence (adding run keys like HKCU\Software\Microsoft\Windows\CurrentVersion\Run), for storing payloads, and for disabling security features. Event ID 4657 allows defenders to detect and timeline these changes, making it one of the most valuable Security log events for incident response.
The Windows Registry is a hierarchical database storing configuration for the OS and applications. Understanding its structure - hives like HKLM (local machine), HKCU (current user), and HKCR (class root), along with key paths for persistence, services, and security settings - is foundational knowledge for both offensive and defensive Windows security work.
- Step 3: Capture Event ID 1074. The shutdown log contains `Comment: dDAwbF84MWJhM2ZlOX0=`. Concatenate the decoded pieces to assemble picoCTF{...}.
Learn more
Event ID 1074 - "The process X has initiated the restart / shutdown of computer Y on behalf of user Z for the reason: reason" - is logged when a shutdown or restart is initiated programmatically. It records the initiating process, the reason code, and a free-text comment field. Unexpected shutdowns are often a sign of ransomware, destructive malware, or an attacker clearing tracks.
The challenge hides flag segments in the Manufacturer and Comment fields of events - fields that are free-text and controlled by whoever generates the event. This mirrors a real attacker technique: embedding exfiltration data or command-and-control signals in log fields that are less likely to be scrutinized. Defenders should treat unexpected Base64 strings in event fields as suspicious.
Assembling the flag from three separate events teaches the forensic skill of timeline correlation: linking events across different log sources and event types to reconstruct an attacker's actions. Tools like Plaso (log2timeline) and Timesketch automate this correlation across dozens of artifact types simultaneously, giving investigators a unified timeline of system activity.
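The three steps above, done programmatically rather than with `strings | grep`: filter records to the three Event IDs, pull Base64-looking tokens out of the free-text Data fields, decode them and concatenate in timestamp order. This is an added example, not the challenge's parse_evtx.py; the sample records are constructed to mirror the writeup, and with python-evtx the same XML strings come from record.xml().

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
TARGET_IDS = {"1033", "4657", "1074"}  # installer, registry change, shutdown
# Candidate Base64 token: 16+ chars of the Base64 alphabet plus optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

# Constructed sample records (not real log data); with python-evtx the same XML comes from record.xml().
EVT = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
SAMPLE_RECORDS = [
    EVT + '<System><EventID>1033</EventID><TimeCreated SystemTime="2024-03-01T09:00:00Z"/>'
    '</System><EventData><Data>Product: Totally_Legit_Software</Data>'
    '<Data>Manufacturer: cGljb0NURntFdjNudF92aTN3djNyXw==</Data></EventData></Event>',
    EVT + '<System><EventID>4657</EventID><TimeCreated SystemTime="2024-03-01T09:02:00Z"/>'
    '</System><EventData><Data>Immediate Shutdown (MXNfYV9wcjN0dHlfdXMzZnVsXw==)</Data>'
    '</EventData></Event>',
    EVT + '<System><EventID>1074</EventID><TimeCreated SystemTime="2024-03-01T09:03:00Z"/>'
    '</System><EventData><Data>Comment: dDAwbF84MWJhM2ZlOX0=</Data></EventData></Event>',
]

def decode_if_base64(token):
    """Return decoded text if token is valid Base64 for printable ASCII, else None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    return text if text.isprintable() else None

def extract_chunks(records_xml):
    """Return (time, event_id, decoded) for Base64 tokens in target events, in time order."""
    found = []
    for xml_text in records_xml:
        root = ET.fromstring(xml_text)
        event_id = root.findtext("e:System/e:EventID", namespaces=NS)
        if event_id not in TARGET_IDS:
            continue
        when = root.find("e:System/e:TimeCreated", NS).get("SystemTime", "")
        for data in root.iterfind("e:EventData/e:Data", NS):
            for token in B64_RE.findall(data.text or ""):
                decoded = decode_if_base64(token)
                if decoded is not None:
                    found.append((when, event_id, decoded))
    return sorted(found)  # timeline correlation: install -> registry change -> shutdown

def assemble_flag(records_xml):
    """Concatenate the decoded chunks in event order."""
    return "".join(chunk for _, _, chunk in extract_chunks(records_xml))
```

Sorting by TimeCreated rather than trusting file order matters on a real log, where the three events are interleaved with thousands of unrelated records.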
Flag
picoCTF{Ev3nt_vi3wv3r_1s_a_pr3tty_us3ful_t00l_81b...}
Any Base64 decoding method works; the challenge is recognizing which events hide the chunks.