CrateCTF 2025 Writeup: Evenemang

The is a forensics challenge where a user accidentally ran a mal program hidden among 1000 other numbered programs (1.exe to 1000.exe) in a folder on their desktop. Instead of manually checking each program, they ran all of them and captured the system logs to analyze which one behaved suspiciously.

j3rry

j3rry

5 min read
CrateCTF 2025 Writeup: Evenemang

The Files Provided:

  • system.evtx - Windows System Event Log
  • security.evtx - Windows Security Event Log
  • system_1033.MTA - Message Table Archive files
  • security_1033.MTA - Message Table Archive files
security
security.evtx
2 MB
download-circle
system
system.evtx
68 KB
download-circle
security_1033
security_1033.MTA
5 MB
download-circle
system_1033
system_1033.MTA
36 KB
download-circle

What Are Windows Event Logs?

Windows Event Logs (.evtx files) are binary files that record important system events, including:

  • System Log: Hardware events, driver issues, service installations
  • Security Log: Login attempts, process creation/termination, privilege usage

These logs are crucial for forensic investigations because they provide a timeline of what happened on a system.

Initial Analysis

Step 1: Understanding the Challenge

The scenario tells us:

  1. There are 1000 programs numbered from 1.exe to 1000.exe
  2. One of them is malicious
  3. All programs were executed
  4. We need to analyze the logs to find the suspicious one

Step 2: Setting Up the Environment

To analyze Windows Event Logs on Linux, I used the python-evtx library:

pip install python-evtx --break-system-packages

This library allows us to parse binary .evtx files and extract the XML-formatted event records.

Deep Dive: Parsing Windows Event Logs

Understanding Event IDs

Windows uses specific Event IDs to categorize different types of events. The most relevant ones for this challenge:

Event ID Description Log Type
4688 Process Creation Security
4689 Process Termination Security
7045 Service Installation System
1000 Application Error System
1001 Application Crash System

Step 3: Writing the Parser

First, I wrote a Python script to parse the event logs and extract information:

import Evtx.Evtx as evtx
import xml.etree.ElementTree as ET

def parse_evtx(file_path):
    """Parse EVTX file and extract relevant events"""
    events = []
    
    with evtx.Evtx(file_path) as log:
        for record in log.records():
            xml_str = record.xml()
            root = ET.fromstring(xml_str)
            
            # Extract event ID
            event_id_elem = root.find('.//{http://schemas.microsoft.com/win/2004/08/events/event}EventID')
            event_id = event_id_elem.text if event_id_elem is not None else None
            
            # Extract timestamp
            time_elem = root.find('.//{http://schemas.microsoft.com/win/2004/08/events/event}TimeCreated')
            timestamp = time_elem.get('SystemTime') if time_elem is not None else None
            
            events.append({
                'event_id': event_id,
                'timestamp': timestamp,
                'xml': xml_str
            })
    
    return events

Finding the Anomaly

Step 4: Looking for Suspicious Patterns

I analyzed the logs looking for several indicators:

1. Mismatched Process Creation/Termination

Normal programs should have:

  • 1 Process Creation event (4688)
  • 1 Process Termination event (4689)

I wrote code to count these events for each program:

for prog in creations:
    create_count = len(creations[prog])
    term_count = len(terminations.get(prog, []))
    if create_count != term_count:
        print(f"{prog}: {creates} creations, {terms} terminations")

Finding: 756.exe had 2 creation events but only 1 termination event!

2. Service Installation Events

Malware often installs Windows services for persistence. Event ID 7045 indicates a new service was installed.

if event_id == '7045':
    print("Service Installation Found!")

Finding: A service called PSEXESVC was installed around the same time 756.exe was running.

Step 5: Detailed Analysis of 756.exe

I extracted all events related to 756.exe to understand the timeline:

Event 1 - Process Creation (4688)
Time: 2025-10-10 11:28:36.667421
- NewProcessName: C:\Users\Administrator\Desktop\program\756.exe
- ParentProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- ProcessId: 0x2cfc

Event 2 - Process Creation (4688)
Time: 2025-10-10 11:28:36.672235
- NewProcessName: C:\Users\Administrator\Desktop\PsExec64.exe
- ParentProcessName: C:\Users\Administrator\Desktop\program\756.exe
- ProcessId: 0x2d10

Event 3 - Process Termination (4689)
Time: 2025-10-10 11:28:36.673496
- ProcessName: C:\Users\Administrator\Desktop\program\756.exe
- ProcessId: 0x2cfc

Event 4 - Service Installation (7045)
Time: 2025-10-10 11:28:36.860695
- ServiceName: PSEXESVC
- ImagePath: %SystemRoot%\PSEXESVC.exe
- StartType: demand start
- AccountName: LocalSystem

Understanding the Attack

What is PsExec?

PsExec (Process Execute) is a legitimate Microsoft Sysinternals tool that allows administrators to execute processes on remote systems. However, it's also commonly used by attackers for:

  1. Lateral Movement: Moving between systems in a network
  2. Remote Command Execution: Running commands without being physically present
  3. Privilege Escalation: Running processes with SYSTEM-level privileges
  4. Persistence: Installing services that survive reboots

Attack Chain Analysis

Here's what 756.exe did:

  1. Initial Execution: PowerShell launched 756.exe (along with all other programs)
  2. Malicious Payload: 756.exe spawned PsExec64.exe as a child process
  3. Service Installation: PsExec installed PSEXESVC service with LocalSystem privileges
  4. Cleanup: The original 756.exe terminated, but PsExec remained running
  5. Persistence: The PSEXESVC service stays installed for future use

This is a classic example of Living off the Land (LotL) techniques, where attackers use legitimate system tools to avoid detection.

Red Flags Identified

  1. Unbalanced Process Events: 2 creations vs 1 termination
  2. Parent-Child Process Relationship: 756.exe spawned PsExec
  3. Service Installation: New service created (PSEXESVC)
  4. Elevated Privileges: Service running as LocalSystem
  5. Suspicious Tool: PsExec is often abused by malware

Solution

The malicious program is 756.exe... And the flag: cratectf{756.exe}

Technical Details

Tools Used:

  • Python 3 - Scripting and automation
  • python-evtx - Parsing Windows Event Logs
  • xml.etree.ElementTree - XML parsing
  • Regular Expressions - Pattern matching for .exe filenames

Event Log Structure:

Windows Event Logs use XML format internally. Each event contains:

<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="..." Guid="..." />
    <EventID>4688</EventID>
    <TimeCreated SystemTime="2025-10-10T11:28:36.667421Z"/>
    ...
  </System>
  <EventData>
    <Data Name="NewProcessName">C:\...\756.exe</Data>
    <Data Name="ParentProcessName">C:\...\powershell.exe</Data>
    ...
  </EventData>
</Event>

Python Code Snippet for Finding the Malicious Program:

import Evtx.Evtx as evtx
import xml.etree.ElementTree as ET
from collections import defaultdict

def find_malicious_program(security_log_path):
    process_creations = defaultdict(int)
    process_terminations = defaultdict(int)
    
    with evtx.Evtx(security_log_path) as log:
        for record in log.records():
            xml_str = record.xml()
            root = ET.fromstring(xml_str)
            
            event_id = root.find('.//{...}EventID').text
            
            # Extract process name
            for data in root.findall('.//{...}Data'):
                if data.get('Name') == 'NewProcessName':
                    process_name = data.text.split('\\')[-1]
                    
                    if event_id == '4688':
                        process_creations[process_name] += 1
                    elif event_id == '4689':
                        process_terminations[process_name] += 1
    
    # Find mismatches
    for prog in process_creations:
        if process_creations[prog] != process_terminations[prog]:
            print(f"Suspicious: {prog}")
            return prog

Conclusion

This challenge demonstrates the importance of Windows Event Log analysis in digital forensics. By understanding how to parse and correlate events, we can identify malicious behavior even when it's hidden among legitimate activity.

The key was recognizing that:

  1. Process creation/termination events should balance out
  2. Service installations are high-risk events
  3. Legitimate tools (like PsExec) can be used maliciously
  4. Timeline analysis reveals the complete attack chain

Key Takeaways

For CTF Players:

  1. Event Correlation: Don't look at events in isolation - correlate them by time, process ID, and relationships
  2. Know Your Event IDs: Familiarize yourself with common Windows Event IDs
  3. Look for Anomalies: Normal behavior patterns help identify abnormal ones
  4. Parent-Child Relationships: Process spawning behavior can reveal malicious activity

For Security Analysts:

  1. Enable Logging: Process creation auditing (4688/4689) is critical for forensics
  2. Baseline Normal: Understanding normal system behavior helps spot anomalies
  3. Tool Awareness: Know legitimate tools (like PsExec) that can be weaponized
  4. Timeline Analysis: Creating an event timeline reveals the attack chain

References I used

Read more