Pepper Minstix: Yule Log Analysis
![](/hh2018//assets/img/elves/pepper/avatar.png)
The Elf's Request
![](/hh2018//assets/img/elves/pepper/question.png)
The Terminal Riddle
![](/hh2018//assets/img/elves/pepper/riddle.png)
The Solution
![](/hh2018/assets/img/elves/holly/1.png)
There was an attack, a password spray, against a target.
Doing an ls, I see that there is an “evtx_dump.py” script and the Windows event log file “ho-ho-no.evtx”.
![](/hh2018/assets/img/elves/pepper/1.png)
With a spray, I am looking for many failed logons, and then a success. The users “HealthMailBoxXXXXXXX” can be ignored.
I ran the command:
python evtx_dump.py ho-ho-no.evtx > out.txt
I copy/pasted the info into an editor.
![](/hh2018/assets/img/elves/pepper/3.png)
Looking at the editor, I found the last failed login, and then the very next successful login.
Event ID 4625 is a failed logon, and 4624 is a successful one. There were a couple of options. Ignoring all the “HealthMailbox” logons, I focused on:
![](/hh2018/assets/img/elves/pepper/4.png)
minty.candycane
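Added example, not part of the original write-up: a script that applies the same rule to evtx_dump.py output, skipping HealthMailbox* logons and reporting each 4624 that directly follows a run of 4625 records. The records in SAMPLE_XML are constructed and trimmed to the fields used; every user name other than minty.candycane, and every IP address, is made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}  # namespace of each <Event>

def _data(event, name):
    # Pull one <Data Name="..."> value out of the record's EventData section
    for d in event.findall("e:EventData/e:Data", NS):
        if d.get("Name") == name:
            return d.text or ""
    return ""

def parse_events(xml_text):
    """Yield (event_id, time, target_user, source_ip) for each <Event> record."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        eid = int(ev.find("e:System/e:EventID", NS).text)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        yield eid, when, _data(ev, "TargetUserName"), _data(ev, "IpAddress")

def find_spray_success(xml_text, min_failures=3):
    """Return each 4624 (success) that directly follows a run of at least
    min_failures 4625 (failure) records: the spray-then-success pattern.
    Exchange HealthMailbox* logons are skipped as noise, as in the write-up."""
    hits, failed_users = [], []
    for eid, when, user, ip in parse_events(xml_text):
        if user.lower().startswith("healthmailbox"):
            continue
        if eid == 4625:
            failed_users.append(user)
        elif eid == 4624:
            if len(failed_users) >= min_failures:
                hits.append({"user": user, "time": when, "ip": ip,
                             "failures_before": len(failed_users),
                             "accounts_tried": len(set(failed_users))})
            failed_users = []  # a success ends the run, reported or not
    return hits

def _rec(eid, when, user, ip="10.0.0.5"):
    # One record in the shape evtx_dump.py emits, trimmed to the fields used here
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{when}"/></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data>'
            f'<Data Name="IpAddress">{ip}</Data></EventData></Event>')

# Constructed sample log (not ho-ho-no.evtx): HealthMailbox noise, a normal logon,
# one password tried against five accounts, then a success for the sixth.
SAMPLE_XML = "<Events>" + "".join(
    [_rec(4624, "2018-09-10 12:00:00", "HealthMailbox1a2b3c", "127.0.0.1"),
     _rec(4624, "2018-09-10 12:05:00", "user00", "10.0.0.20")]
    + [_rec(4625, f"2018-09-10 12:19:{i:02d}", f"user{i:02d}") for i in range(1, 6)]
    + [_rec(4624, "2018-09-10 12:19:06", "minty.candycane")]) + "</Events>"
```

Run it on real output with `find_spray_success(open("out.txt").read())`; the normal logon for user00 is not reported because no failures precede it.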
Terminal Success
![](/hh2018//assets/img/elves/pepper/success.png)
The Hint
![](/hh2018//assets/img/elves/pepper/hint.png)