
:(

dfir · 424 points · 104 solves · evtx bsod
By subzcuber

Author: ilyree

As I look back at my RUSEC memories, I remembered the time that I met my mentor! Seems like he accidentally kept sending my machine a payload that made my screen go blue…


We were given Challenge.evtx and, from the description, told to look for BSOD events.

A quick internet search led me to a forum answer that highlighted the relevant event IDs: 6008 (unexpected shutdown), 41 (unclean shutdown) and 1001 (reboot from bugcheck).

There are various ways to interact with .evtx files on Linux, and I used to be partial to evtx_dump.

Here’s an example of an evtx record dumped with evtx_dump:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Application">
    </Provider>
    <EventID Qualifiers="0">6008</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2026-01-10T21:38:11.404357Z">
    </TimeCreated>
    <EventRecordID>45652</EventRecordID>
    <Correlation>
    </Correlation>
    <Execution ProcessID="15648" ThreadID="0">
    </Execution>
    <Channel>Application</Channel>
    <Computer>Delphinus</Computer>
    <Security>
    </Security>
  </System>
  <EventData>
    <Data>The previous system shutdown at 10:00:00 PM on ?1/?10/?2026 was unexpected.</Data>
    <Binary>44734B78544467576C37517351324A4F7245726A654D3147356D303D</Binary>
  </EventData>
</Event>

There are also ways of programmatically accessing the relevant information with python-evtx.

We can make use of that to check the “Binary” field of all these BSOD-related events. python-evtx hands that field back as base64, and the raw bytes underneath are base64 once more, so we add another layer of decoding:

import base64
import binascii
from string import printable

import Evtx.Evtx as evtx
import xmltodict


def parse_evtx(file_path, target_event_id=None):
    with evtx.Evtx(file_path) as log:
        for record in log.records():
            entry = xmltodict.parse(record.xml())

            system_data = entry.get('Event', {}).get('System', {})
            # xmltodict gives a dict when <EventID> carries a Qualifiers attribute, else a plain string
            event_id_node = system_data.get('EventID', 0)
            event_id = int(event_id_node['#text'] if isinstance(event_id_node, dict) else event_id_node)

            if target_event_id and event_id != target_event_id:
                continue

            # python-evtx renders Binary as base64 of the raw bytes; skip records that have none
            binary = (entry.get('Event', {}).get('EventData') or {}).get('Binary')
            if not binary:
                continue

            # first decode yields the raw bytes, which are themselves base64 text (second layer)
            decode = base64.b64decode(binary)
            try:
                flag = base64.b64decode(decode)
                for ch in flag.decode():
                    if ch in printable:
                        print(ch, end='')
            except (binascii.Error, UnicodeDecodeError):
                # not base64, or not valid text after the second decode: not part of the flag
                continue


parse_evtx('./Challenge.evtx', target_event_id=1001)  # reboot from bugcheck
parse_evtx('./Challenge.evtx', target_event_id=41)    # unclean shutdown
parse_evtx('./Challenge.evtx', target_event_id=6008)  # unexpected shutdown
❯ python solve.py
RUSEC{3ternal_blu3_s@d_fac3_smbv1_3890cn2k29}
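As an added example (not the author's solve script above), the same double decode applied to evtx_dump's XML form, where Binary is hex rather than base64, so it runs without python-evtx. The only input is the 6008 record shown earlier, embedded as a constructed sample; the event-ID set is the one the writeup names, and the strict base64 check doubles as the triage question the writeup raises: a system-generated Binary field that round-trips cleanly as base64 text is itself something a reviewer should notice.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BSOD_EVENT_IDS = {6008, 41, 1001}  # the IDs the writeup names

# Constructed sample: the evtx_dump record shown above, trimmed to the fields used here.
SAMPLE_XML = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID Qualifiers="0">6008</EventID>
    <EventRecordID>45652</EventRecordID>
  </System>
  <EventData>
    <Binary>44734B78544467576C37517351324A4F7245726A654D3147356D303D</Binary>
  </EventData>
</Event>"""


def decode_binary(hex_text):
    """evtx_dump writes Binary as hex; decode it, then treat the bytes as strict base64 text."""
    try:
        return base64.b64decode(binascii.unhexlify(hex_text.strip()), validate=True)
    except (binascii.Error, ValueError):
        return None  # ordinary binary data: no second base64 layer to peel


def printable_ascii(data):
    # byte by byte, so one bad UTF-8 sequence cannot discard a whole record
    return "".join(chr(b) for b in data if 0x20 <= b < 0x7F)


def extract_hidden(xml_text):
    """For each BSOD-related <Event> in a dump, in EventRecordID order:
    (record_id, event_id, printable text behind the double decode)."""
    found = []
    for match in re.finditer(r"<Event\b.*?</Event>", xml_text, re.S):
        event = ET.fromstring(match.group(0))
        system = event.find("e:System", NS)
        event_id = int(system.findtext("e:EventID", namespaces=NS))
        binary = event.findtext("e:EventData/e:Binary", namespaces=NS)
        if event_id not in BSOD_EVENT_IDS or not binary:
            continue
        inner = decode_binary(binary)
        if inner is not None:
            record_id = int(system.findtext("e:EventRecordID", namespaces=NS))
            found.append((record_id, event_id, printable_ascii(inner)))
    return sorted(found)
```

Feeding it the full evtx_dump output of Challenge.evtx returns one tuple per BSOD record whose Binary field carries that second base64 layer, so the flag fragments can be joined in record order.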

There were also a lot of NTP events; idk what those were about. Also, not that anyone cares, but I don’t like information being hidden in the binary section of evtx logs. Aren’t those system generated? Can an actual attacker really manipulate those to hide information there? idk.
