Gravwell is an enterprise data fusion platform that enables security teams to investigate, collaborate, and analyze data from any source, on demand, all with unlimited data collection and retention. Ingest everything. Investigate anything.
In this first part of the WTF Windows!?!?! Query of the Week, we are going to jump into a fun hunt. Long story short, we had some system applications that were hanging, and Windows has an event for that: Event ID 1002 (Application Hang). Great, let's go see why they were hanging!
The Raw Log
<Provider Name='Application Hang'/>
<Data>C:\Program Files (x86)\Internet Explorer\iexplore.exe</Data>
Ok, we have an application, some unstructured execution parameters, version strings, and some opaque hex numbers. Cool cool... OOOOH, a Binary field. Clearly that is where all the secrets lie! Let's decode it!
tag=windows winlog Computer Provider=="Application Hang" EventID==1002
| regex -e EventData "<Data>(?P<exe>[^<]+)</Data>"
| hexlify -d Binary
| table TIMESTAMP Computer exe Binary
Soo... 55006E006B006E006F0077006E0000000000 decodes to "Unknown" in UTF-16LE (every second byte is 00, which is the tell). Thanks... And double thanks for the multiple NULL characters at the end, which hexlify faithfully hands back to you.
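If you want to check that decoding offline, or reuse it outside Gravwell, here is an added example (not Gravwell's code, not part of the original post) that does in Python what the regex and hexlify -d stages of the query do: it parses an Application Hang 1002 record, takes the first <Data> element as the executable, and decodes the <Binary> hex as a NUL-terminated UTF-16LE string. The two event records are constructed for the example; the Provider, Data path and Binary value follow what is shown on this page, while the Computer and EventRecordID values are made-up filler, and the second record carries a deliberately broken Binary payload to show that bad hex is reported rather than silently turned into text.

```python
"""Decode the <Binary> payload of Windows Application Hang (Event ID 1002) records.

Added example, not Gravwell code: it mirrors the regex and hexlify stages of the
query on this page so the decoding can be checked offline.
"""
import binascii
import xml.etree.ElementTree as ET

# Namespace of the Windows event XML schema (what Event Viewer's XML view shows).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records. Provider, Data and Binary follow the fragments on
# this page; Computer and EventRecordID are made-up filler, and the second
# record has a deliberately malformed Binary payload.
SAMPLE_EVENTS = [
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Application Hang'/>
    <EventID Qualifiers='0'>1002</EventID>
    <EventRecordID>4711</EventRecordID>
    <Computer>ws01.example.local</Computer>
  </System>
  <EventData>
    <Data>C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe</Data>
    <Binary>55006E006B006E006F0077006E0000000000</Binary>
  </EventData>
</Event>""",
    """<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
  <System>
    <Provider Name='Application Hang'/>
    <EventID Qualifiers='0'>1002</EventID>
    <EventRecordID>4712</EventRecordID>
    <Computer>ws02.example.local</Computer>
  </System>
  <EventData>
    <Data>C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe</Data>
    <Binary>5500ZZ</Binary>
  </EventData>
</Event>""",
]


def decode_binary(hex_payload: str) -> str:
    """Turn the <Binary> hex into bytes (what `hexlify -d` does), then read it as
    the NUL-terminated UTF-16LE string that 1002 events carry.

    Raises ValueError for non-hex input or an odd byte count instead of
    emitting junk, so a mangled field shows up as an error, not as "text".
    """
    try:
        raw = binascii.unhexlify(hex_payload.strip())
    except binascii.Error as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"Binary is not valid hex: {exc}") from None
    if len(raw) % 2:
        raise ValueError("Binary has an odd byte count; not UTF-16")
    # rstrip drops the trailing NUL terminators the page complains about.
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_hang_event(xml_text: str) -> dict:
    """Pull the columns of the page's table out of one event record.

    `exe` is the first <Data> element, matching the regex in the query.
    A Binary that fails to decode is reported in `error` rather than dropped.
    """
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    provider = system.find("e:Provider", NS).get("Name")
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    if provider != "Application Hang" or event_id != 1002:
        raise ValueError(f"not an Application Hang 1002 record: {provider}/{event_id}")
    data = root.findall("e:EventData/e:Data", NS)
    binary_hex = root.findtext("e:EventData/e:Binary", default="", namespaces=NS)
    record = {
        "computer": system.findtext("e:Computer", namespaces=NS),
        "exe": data[0].text if data else None,
        "binary_hex": binary_hex,
        "binary": None,
        "error": None,
    }
    try:
        record["binary"] = decode_binary(binary_hex)
    except ValueError as exc:
        record["error"] = str(exc)
    return record


def table(events):
    """Equivalent of the query's `table` stage: one row per record."""
    return [parse_hang_event(e) for e in events]


if __name__ == "__main__":
    for row in table(SAMPLE_EVENTS):
        shown = row["binary"] if row["error"] is None else f"<{row['error']}>"
        print(row["computer"], row["exe"], shown)
```

The first row comes back with "Unknown" and the second with a decode error rather than garbage, which is the behaviour you want in a hunt: a field that does not decode is itself a signal worth looking at, not something to paper over.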
Next week we'll look at removable storage events; you know, the things that make your air gap NOT an air gap!