HTB Windows Sysmon Unit42
Scenario
In this lab you will become familiar with Sysmon logs and the Event IDs that are most useful
for identifying and analysing malicious activity on a Windows system. Palo Alto Unit42
recently published research on an UltraVNC campaign in which the attackers used a backdoored
build of UltraVNC to maintain access to compromised systems. This lab is based on that
campaign and takes players through its initial access stage.
Event ID 2: File creation time changed. Includes the process making the change, the file
whose timestamp is being changed, the tampered (new) timestamp and the original timestamp.
Event ID 3: Network connection. Includes the process making the connection and the
destination IP address and port.
Event ID 11: File created. Includes the process creating the file and the full path of the
file being created.
Event ID 22: DNS query. Includes the process making the query, the queried domain name and
the IP addresses it resolved to.
Artefacts provided
Skills Learnt
Timeline creation
Contextual Analysis
Tags
DFIR
Pre Reading
Prior to kicking into our analysis we need to ensure a basic understanding of Windows Event Logs
& Sysmon, inclusive of what they are, their use cases and why they are important for security
professionals and IT Admins alike.
Windows Event Logs are categorized into several types, each serving a specific purpose:
Application Logs: Record events related to Windows applications. These include errors,
warnings, and informational messages from software programs.
Security Logs: Contain records of security-related events specified by the system's audit
policy. Examples include successful and failed login attempts, changes to user privileges, and
other security-related changes.
System Logs: Document system events, such as driver failures, hardware issues, and other
system-level notifications.
Setup Logs: Log events related to the installation of Windows and other software
components.
Administrators and security teams use these logs to troubleshoot problems, monitor system
performance, and ensure that the system is secure against unauthorized access and other security
threats.
Windows Event Logs can be viewed using the Event Viewer, a graphical tool available in Windows
that allows users to see and analyze log entries. The Event Viewer categorises logs into different
sections, making it easier to navigate through the logs and find specific events.
Alternatively we can convert the event logs into JSON or CSV using Eric Zimmerman's EvtxECmd. This
will not be done during this Sherlock; however, if you intend to go "beyond" the investigation,
an explanation of EvtxECmd has been provided.
For this walkthrough we simply open the event log file in Event Viewer, which shows the total count
of events.
Sysmon is designed to assist in detection and analysis of advanced threats and malware. It
extends the capabilities of Windows Event Logs by providing more detailed and specific
information about system behavior and activity.
Uses of Sysmon
Process Tracking: Logs process creation with full command line for both current and parent
processes, providing context on process execution.
File Creation Tracking: Monitors creation of files, allowing analysts to track the spread of
malware or the extraction of data by unauthorized processes.
Registry Events: Logs changes to the Windows registry, which can indicate malware
installation or configuration changes made by attackers.
Driver and DLL Loading: Monitors loading of drivers and DLLs, which can help identify the
use of exploit kits and rootkits.
Why They Are Helpful for Security Teams and Investigations?
Windows Event Logs and Sysmon data are invaluable resources for security teams and forensic
investigators. They provide a wealth of information that can be used to detect, investigate, and
respond to security incidents and breaches. Here are a few reasons why they are so helpful:
Detection of Malicious Activity: By analysing logs, security teams can identify suspicious
activities that may indicate a breach or an ongoing attack, such as unusual login attempts,
unexpected process creations, and unauthorized network connections.
Incident Response and Forensics: During a security incident, detailed logs are crucial for
understanding the scope of the breach, the methods used by the attackers, and the systems
and data affected. This information is critical for effectively containing and remediating the
incident.
System Troubleshooting: Beyond security, these logs are also useful for identifying and
resolving system errors and failures, improving system stability and performance.
As detailed in the scenario there are a variety of Sysmon Event IDs that may be useful to us. Let's
look at these in a bit more detail:
Event ID 1: Process Creation
Key Fields:
Process Path: The full path of the executable file for the newly created process.
Parent Process Path: The full path of the executable file for the parent process that
created this process. This is crucial for understanding the chain of execution.
Command Line Arguments: The full command line used to execute the process,
including all parameters. This can reveal the intent behind the process execution,
especially if the process is malicious.
Security Relevance: By analysing process creation events, security professionals can identify
potentially malicious processes, understand attack chains, and detect the abuse of legitimate
system utilities for nefarious purposes.
Event ID 2: File Creation Time Changed
Key Fields:
Process Making the Change: The process (Image) responsible for altering the file's creation time.
File to Which Change is Being Made: The file whose creation time is being modified, recorded
together with its previous and its new creation timestamp.
Event ID 3: Network Connection
Key Fields:
Process Making the Connection: The process initiating the network connection.
Destination IP Address and Port: The external endpoint to which the process is
connecting. This includes both the IP address and the port number.
Event ID 5: Process Terminated
Key Fields:
Process Terminating: The image path of the process that exited, with its ProcessGuid so the
termination can be tied back to the matching Event ID 1 creation event.
Security Relevance: Knowing when and which processes are terminated can help in
understanding the behaviour of malware (which may terminate security processes) or tracking
the lifecycle of a legitimate but compromised process.
Event ID 11: File Created
Key Fields:
Process Creating the File: The process responsible for creating the new file.
File Being Created and Full Path: The name and full path of the newly created file.
Security Relevance: The creation of files is a common behavior in software execution, but in
a security context, monitoring file creation can help detect the dropping of malware payloads,
unauthorised data collection, or temporary files created as part of an attack.
Event ID 22: DNS Query
Key Fields:
Process Querying the Domain: The process that initiated the DNS query.
Domain Queried: The domain name that was looked up.
IP Address They Resolve To: The IP addresses returned in response to the DNS query.
Security Relevance: DNS queries can reveal a lot about network behavior, including
potential contact with malicious domains, domain generation algorithms (DGA) used by
malware, and data exfiltration over DNS. Monitoring DNS queries can aid in early detection of
threat indicators.
Initial Analysis
Upon downloading the artefacts we unzip them with 7-Zip using the password hacktheblue, and are
presented with an evtx file named Microsoft-Windows-Sysmon-Operational.evtx.
Double-clicking the file opens it in Event Viewer, which shows 169 Sysmon events.
We will answer the questions by filtering on the relevant Event ID to get to the answer quickly. It
is important to note that the time shown in the Event Viewer list pane is in your locally configured
time zone. The true event timestamp is stored in the event details themselves (Sysmon's UtcTime
field). We will explore this soon.
Questions :
Q1 How many event logs are there with Event ID 11?
Hint: Go to Filter Current Log and in the Event ID field type 11. Then click Apply.
Our task here is to confirm the number of event logs with Event ID 11, which in Sysmon indicates
that a file has been created on the host. We use the Filter Current Log action within Event Viewer,
detailed below.
Next we enter the event ID 11 into the text field shown below.
We are able to confirm there are 56 events within the evtx file with the Event ID of 11.
Ans: 56
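Event Viewer's filter does the counting for us, but the same question is easy to answer outside the GUI once the events are in XML (Event Viewer's Save Selected Events dialog can write .xml, and Get-WinEvent's ToXml() emits the same per-event format). The following Python is an added example, not code from the lab or from HTB; the three events it parses are constructed here to show the record shape and are not taken from the lab's evtx. It flattens each event into a dict, counts events per Event ID, and reads Sysmon's own UtcTime field rather than the local-zone time shown in the Event Viewer list pane.

```python
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import datetime, timezone

# Namespace carried by every Windows event record, Sysmon's included.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_sysmon_xml(xml_text):
    """Flatten <Event> records into dicts.

    Each dict carries EventID and TimeCreated from the <System> block plus one key
    per <Data Name="..."> element in <EventData> (UtcTime, Image, TargetFilename...).
    Accepts a single <Event> or the <Events> wrapper Event Viewer writes.
    """
    root = ET.fromstring(xml_text)
    events = [root] if root.tag.endswith("}Event") else root.findall("e:Event", NS)
    records = []
    for ev in events:
        system = ev.find("e:System", NS)
        rec = {
            "EventID": int(system.find("e:EventID", NS).text),
            "TimeCreated": system.find("e:TimeCreated", NS).get("SystemTime"),
        }
        for data in ev.findall("e:EventData/e:Data", NS):
            rec[data.get("Name")] = data.text or ""
        records.append(rec)
    return records


def count_by_event_id(records):
    """'Filter Current Log' by Event ID, for every ID at once."""
    return Counter(r["EventID"] for r in records)


def filter_event_id(records, event_id):
    """The subset of records with one Event ID, in file order."""
    return [r for r in records if r["EventID"] == event_id]


def utc_time(rec):
    """Sysmon's UtcTime ('YYYY-MM-DD HH:MM:SS.fff') as a timezone-aware datetime.

    This is the value to put on a timeline; Event Viewer's list pane shows the same
    instant rendered in the analyst's local zone.
    """
    naive = datetime.strptime(rec["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")
    return naive.replace(tzinfo=timezone.utc)


# Constructed sample export: three records shaped like Sysmon's, with illustrative
# values that are NOT copied from the lab's evtx file.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID>
    <TimeCreated SystemTime="2024-02-14T03:41:30.120000Z"/></System>
  <EventData>
    <Data Name="UtcTime">2024-02-14 03:41:30.120</Data>
    <Data Name="Image">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
    <Data Name="ParentImage">C:\Program Files\Mozilla Firefox\firefox.exe</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID>
    <TimeCreated SystemTime="2024-02-14T03:41:40.000000Z"/></System>
  <EventData>
    <Data Name="UtcTime">2024-02-14 03:41:40.000</Data>
    <Data Name="Image">C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe</Data>
    <Data Name="TargetFilename">C:\Users\CyberJunkie\AppData\Roaming\dropped.tmp</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID>
    <TimeCreated SystemTime="2024-02-14T03:41:41.000000Z"/></System>
  <EventData>
    <Data Name="UtcTime">2024-02-14 03:41:41.000</Data>
    <Data Name="Image">C:\Windows\System32\msiexec.exe</Data>
    <Data Name="TargetFilename">C:\Windows\Installer\once.cmd</Data>
  </EventData>
</Event>
</Events>"""

if __name__ == "__main__":
    recs = parse_sysmon_xml(SAMPLE_XML)
    print("events per ID:", dict(count_by_event_id(recs)))
    for r in filter_event_id(recs, 11):
        print(utc_time(r).isoformat(), r["Image"], "->", r["TargetFilename"])
```

Point the parser at a real export (`parse_sysmon_xml(open("sysmon.xml", encoding="utf-8").read())`) and `count_by_event_id` reproduces the per-ID totals the filter dialog shows one ID at a time.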
Q2 Whenever a process is created in memory an event with Event ID 1 is recorded with details such as
the command line, hashes, process path, parent process path etc. All this information is very useful
for an analyst because it lets us see every program executed on a system, which means we can spot
any malicious processes being executed. What is the malicious process which infected the victim's
system?
Hint: Filter events for Event ID 1. Look for any suspicious file name executing from an odd directory.
Our task here is to spot the malicious process which likely infected the compromised host. Using
the same procedure as in question 1 we filter for Event ID 1, the event ID for process creation.
These events record the process names (and much more), which is what lets us pick out what is
suspicious or malicious.
Because there are so few events we don't need anything fancy: we simply click through the events
and read them. Please see below a breakdown of the fields within Event ID 1 -
Process Creation:
UtcTime: The timestamp of when the event was generated, in Coordinated Universal Time
(UTC). This is crucial for correlating events across different systems and time zones.
ProcessGuid: A unique identifier for the process. Sysmon generates this so that one process
can be tracked across all of its events for its whole lifetime; Windows reuses process IDs
(PIDs), so the GUID is the reliable key for correlation.
ProcessId: The Process ID (PID) assigned by Windows. This is a numeric identifier that the
operating system uses to manage processes.
Image: The full path to the executable file of the process. This is essential for identifying
exactly what program ran.
FileVersion: The version number of the executable file. This can be useful for determining
whether a specific patch or version of an application, which may have vulnerabilities, was
running.
Description: A brief description of the executable file, often provided by the software
developer. This can help with identifying the purpose of the process at a glance.
Product: The name of the product this executable is part of. Like the description, this aids in
quickly understanding the process's origin and purpose.
Company: The company that created the executable. This information can be used to verify
the legitimacy of the process; processes from unknown or suspicious companies might
warrant further investigation.
OriginalFileName: The original name of the executable file as designated by the developer.
This can be useful for identifying processes that are masquerading as legitimate ones by
using misleading file paths or names.
CommandLine: The command line that was used to start the process, including any
parameters or arguments. This is critically important for understanding the context in which a
process was started, especially if it includes unusual or suspicious commands.
CurrentDirectory: The directory from which the process was started. Malware often
operates from temporary or unusual directories, so this can be a clue to malicious behavior.
User: The username under which the process is running. This can indicate whether the
process has elevated privileges or if it's running under the context of a regular user.
LogonGuid and LogonId: These fields provide information about the user session that
started the process. This can help determine if a process was started as a result of user
interaction or if it was automatically started by the system.
TerminalSessionId: Identifies the Terminal Services (Remote Desktop) session in which the
process is running. This can be particularly useful in analyzing remote access activities.
IntegrityLevel: Indicates the integrity level of the process, which is a measure of the
process's potential to harm the system. Higher integrity levels (like "System") have more
access to system resources, whereas lower levels (like "Low") are more restricted.
Hashes: Provides hashes (e.g., MD5, SHA1, SHA256) of the process executable. Hashes are
unique fingerprints of files and are indispensable for confirming the exact identity of the
executable, especially when comparing against known malicious files or verifying file integrity.
ParentProcessGuid and ParentProcessId: These fields identify the process that created (or
spawned) this process, providing insights into the chain of process creation that can reveal
malicious parent processes initiating seemingly legitimate ones.
ParentImage: The full path to the executable of the parent process. This helps in
understanding the relationship between processes and identifying suspicious chains of
process execution.
ParentCommandLine: The command line used by the parent process. This can give context
to how and why the process was started, which is useful in uncovering malicious activity
chains.
As detailed above, Sysmon provides an extremely granular amount of detail. When performing the
initial investigation we will focus on the Image, ParentImage and CommandLine fields, since these
confirm the name of the executable that started the process and the command line it was started
with. Malicious activity can often be confirmed by an unusual process name or unusual command line.
When browsing through the six Event ID 1 events we locate, as detailed below, an unusual event where
an executable is run from the user's Downloads folder.
Let's delve into why it's suspicious: the binary runs from Downloads rather than from an installed
location, its file name Preventivo24.02.14.exe.exe carries a double extension, and that name bears
no relation to the Description and Product fields the binary reports.
As part of our analysis we can also perform a brief Google search for the name of the
executable, to look for low-hanging fruit: has this file name been seen in other campaigns? Is it
known to be malicious or suspicious? Is it a legitimate piece of software that we'd expect to see on
our host?
The Google search adds to our suspicion that this is a malicious executable, since a wide variety of
analysis reports for it exist on various sandbox and analysis sites. Additionally, nothing about
this binary is consistent with the Description and Product fields of our Sysmon log, which claim it
is a "Photo and Fax Vn" executable.
Because Sysmon records the SHA1, MD5 and IMPHASH of the image (which algorithms are logged depends
on the HashAlgorithms setting in the Sysmon configuration), we are able to search VirusTotal for
the hash.
VirusTotal is a comprehensive online service that allows users to analyse files, URLs, domains, and
IP addresses for malicious content using a variety of antivirus engines and website scanners. It
aggregates multiple antivirus products and online scan engines to provide a high level of accuracy
in detecting potential threats. By submitting a file or a URL to VirusTotal, it is checked against
databases of known malware and suspicious behaviour patterns, making it a valuable resource for
cybersecurity professionals, researchers, and forensic investigators.
Using a browser of your choice, browse to https://www.virustotal.com and paste in the MD5 hash
found in the event.
We confirm that the executable is a known malicious binary; its threat label associates it with a
WinVNC-based trojan. Within VirusTotal we can also click on the Community tab for additional
information, where we can view community comments and analysis from sandbox sites such as
JoeSandbox.
As detailed in the comments we see numerous users reporting this as an UltraVNC RAT, with
JaffaCakes even highlighting a similar file name to the one seen in our investigation.
Ans C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Q3 Which cloud storage service was used to deliver the malicious file?
Hint: Event ID 22 can be used to look for any DNS queries made by the system. Do not filter for
any specific event ID; start analysing the events from the oldest available. When you see the events
related to the malicious file being created, look for the Event ID 22 events surrounding that event.
Cloud services are a common method used by threat actors to distribute malware: their domains
often aren't flagged as malicious, so the downloads are rarely blocked by company perimeter devices.
Because Sysmon is installed on the host we are able to filter for Event ID 22 and view the DNS
queries made by the host around the time of the compromise.
Looking at the data within the event that occurred at 03:41:26 we can see the use of Dropbox, a
cloud file storage site. Let's add an additional filter, Event ID 11, and view the file creation
events alongside our DNS queries to correlate the two in the viewer.
We are now able to confirm the correlation between the download of our malicious binary and what we
believe is the Dropbox cloud storage location.
Interestingly, the three events prior to the file creation event for Preventivo24.02.14.exe.exe
show Firefox's download behaviour: the browser writes the download to a temporary ".part" file
before renaming it to the final file name.
Based on the timing of the file download relative to these DNS queries we can conclude that Dropbox
was likely the delivery mechanism of the malware.
Ans: dropbox
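The correlation just described, as a small script. This is an added example, not code from the lab or from Unit42, and it works on Sysmon events already flattened to dicts keyed by the EventData field names (as an XML export or EvtxECmd's JSON would give you). The six records are constructed to mirror the pattern described above: Firefox resolves a Dropbox hostname, writes a .part file, then the final executable appears. Their times, paths and hostnames are placeholders rather than values from the lab; in particular dl.dropboxusercontent.com is an assumed hostname, not one the walkthrough reports. The function anchors on the file-create event for the dropped binary and pulls in what the same process did in the preceding window, which is the manual "look at the surrounding Event ID 22 events" step done mechanically.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon's UtcTime layout


def ts(rec):
    return datetime.strptime(rec["UtcTime"], FMT)


def delivery_context(records, dropped_name, window=timedelta(seconds=60)):
    """Locate the Event ID 11 that wrote `dropped_name`, then collect what the same
    process did in the `window` before it: DNS queries (ID 22) and earlier file
    writes (ID 11, such as a browser's temporary .part download file)."""
    creates = [r for r in records if r["EventID"] == 11
               and r["TargetFilename"].lower().endswith(dropped_name.lower())]
    if not creates:
        raise LookupError(f"no file-create event for {dropped_name}")
    drop = min(creates, key=ts)
    t0, writer = ts(drop), drop["Image"]

    def before(r):  # same process, inside the window, strictly before the drop
        return r["Image"] == writer and t0 - window <= ts(r) < t0

    dns = sorted((r for r in records if r["EventID"] == 22 and before(r)), key=ts)
    files = sorted((r for r in records if r["EventID"] == 11 and before(r)), key=ts)
    return {
        "dropped_at": drop["UtcTime"],
        "written_by": writer,
        "queried": [r["QueryName"] for r in dns],
        "prior_files": [r["TargetFilename"] for r in files],
    }


def service_labels(hostnames):
    """Count second-level labels ('www.dropbox.com' -> 'dropbox') so the hosting
    service stands out even when several hostnames were queried."""
    return Counter(h.rstrip(".").split(".")[-2] for h in hostnames if "." in h)


def ev(event_id, utc, image, **fields):
    return {"EventID": event_id, "UtcTime": utc, "Image": image, **fields}


FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
DOWNLOADS = r"C:\Users\CyberJunkie\Downloads"

# Constructed records: the shape of the lab's evidence, not its actual entries.
SAMPLE = [
    ev(22, "2024-02-14 03:39:00.000", FIREFOX, QueryName="detectportal.firefox.com"),  # outside window
    ev(22, "2024-02-14 03:41:20.000", SVCHOST, QueryName="ctldl.windowsupdate.com"),   # other process
    ev(22, "2024-02-14 03:41:24.000", FIREFOX, QueryName="www.dropbox.com"),
    ev(22, "2024-02-14 03:41:25.000", FIREFOX, QueryName="dl.dropboxusercontent.com"),  # assumed host
    ev(11, "2024-02-14 03:41:26.000", FIREFOX,
       TargetFilename=DOWNLOADS + r"\Preventivo24.02.14.exe.exe.part"),
    ev(11, "2024-02-14 03:41:26.500", FIREFOX,
       TargetFilename=DOWNLOADS + r"\Preventivo24.02.14.exe.exe"),
]

if __name__ == "__main__":
    ctx = delivery_context(SAMPLE, "Preventivo24.02.14.exe.exe")
    for key, value in ctx.items():
        print(f"{key}: {value}")
    print("most queried service:", service_labels(ctx["queried"]).most_common(1))
```

The window is deliberately narrow and keyed to the writing process: a query by svchost.exe seconds earlier is ordinary background noise, and the browser's own query two minutes before the download has nothing to do with the delivery. Widen `window` only if the DNS answer was cached from an earlier page load and no query appears inside it.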
Q4 The initial malicious file timestomped (a defense evasion technique where the file creation date
is changed to make it appear old) many of the files it created on disk. What was the timestamp
changed to for a pdf file?
Hint: Filter for Event ID 2. This event ID records any file creation time change on any file on the
system.
The question indicates timestomping has been performed on the host, which is captured by Event ID 2
in the Sysmon logs. Timestomping is a technique often used by threat actors to manipulate the
timestamps of files on a system: the date and time a file was created, last modified and last
accessed. By changing these details an attacker can hide their tracks, making it harder for
investigators or security software to determine when the files were actually altered or created.
Note that Sysmon Event ID 2 only records changes to a file's creation time; changes to the modified
or accessed timestamps are not captured by it.
Using the same filtering method as before, we filter for Event ID 2 and can view the modification of
the creation date and time of the files dropped by the malicious binary, as detailed below:
Q5 The malicious file dropped a few files on disk. Where was once.cmd created on disk?
Hint: Filter for Event ID 11 and notice the files created where the Image is the malicious file.
We begin by filtering for Event ID 11, which corresponds to file creation events. Next we use the
Find feature of Event Viewer to search for the filename "once.cmd". This search yields two results:
one where the file was created by msiexec, and another where it was created by
Preventivo24.02.14.exe.exe. It is the latter instance we are interested in.
We can also observe from this event that the malicious file is depositing additional files along the
path: "C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn
1.1.2\install\F97891C\WindowsVolume\Games".
Q6 The malicious file tried to reach a dummy domain, most probably to check internet connectivity.
What domain name did it try to connect to?
Hint: Filter for Event ID 22 and look at the Image field. The process name should be the malicious
file making the query.
We refer back to Event ID 22 again here, using the same filtering method as before. We are able to
ascertain that the malicious binary attempts to resolve the www.example.com domain.
Ans www.example.com
Q7 Which IP address did the malicious process try to reach out to?
Hint: Look for Event ID 3. It records the IP address, port and the process trying to make the
connection.
When hunting for IP addresses that a process communicated with, we filter for Event ID 3, the event
ID for a detected network connection. The key fields of Event ID 3 are:
Image: The full path of the process that made the connection.
ProcessGuid: A unique identifier for the process that initiated the connection, allowing
correlation with other events.
User: The security context under which the process was running, often including the domain,
username and logon ID.
Protocol: The protocol used for the connection, such as TCP or UDP.
Initiated: Indicates whether the connection was initiated by the process. A true value means
the process initiated the connection; false means it was receiving an incoming connection.
DestinationIp and DestinationPort: The remote endpoint the process connected to (the Source
fields record the local side).
Whilst only one such event exists within this event log file, the Find action would be useful with a
larger log containing more events. We are able to locate the malicious process communicating
with 93.184.216.34.
Ans 93.184.216.34
Q8 The malicious process terminated itself after infecting the PC with the backdoored UltraVNC
variant. When did the process terminate itself?
Hint: Filter for Event ID 5 and look for the Image name, which should be the malicious process.
Event ID 5 within Sysmon logs indicates process termination. We use the same flow: filter for Event
ID 5 and locate the termination of Preventivo24.02.14.exe.exe. We can confirm the process
terminated at 2024-02-14 03:41:58.
Ans 2024-02-14 03:41:58
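Questions 4 to 8 all pivot on one value, the malicious Image path, across Event IDs 2, 11, 22, 3 and 5. The following is an added example (not code from the lab) that does that pivot over flattened Sysmon records and separates the once.cmd written by the malware from the one written by msiexec. The seven sample records are constructed: the PDF name, the stomped creation time, the msiexec path and the destination port are placeholders, while the drop directory, domain, IP and termination time are the ones this walkthrough reports.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon's UtcTime layout


def ts(rec):
    return datetime.strptime(rec["UtcTime"], FMT)


def process_activity(records, image):
    """Everything Sysmon attributes to `image`, grouped by what each Event ID means:
    2 = creation time changed, 11 = file created, 22 = DNS query,
    3 = network connection, 5 = process terminated."""
    mine = sorted((r for r in records if r.get("Image") == image), key=ts)
    return {
        "timestomps": [(r["TargetFilename"], r["PreviousCreationUtcTime"], r["CreationUtcTime"])
                       for r in mine if r["EventID"] == 2],
        "files_created": [r["TargetFilename"] for r in mine if r["EventID"] == 11],
        "dns": [r["QueryName"] for r in mine if r["EventID"] == 22],
        "connections": [(r["DestinationIp"], int(r["DestinationPort"]), r["Protocol"])
                        for r in mine if r["EventID"] == 3],
        "terminated": next((r["UtcTime"] for r in mine if r["EventID"] == 5), None),
    }


def stomped_time(activity, suffix):
    """Creation time written onto the first timestomped file whose name ends in `suffix`."""
    for target, _previous, new in activity["timestomps"]:
        if target.lower().endswith(suffix.lower()):
            return new
    return None


def created_by(records, basename, image):
    """Paths where `image` created a file called `basename`, plus every other creator
    of that name (e.g. msiexec) so the two are not confused."""
    hits = {}
    for r in records:
        if r["EventID"] == 11 and r["TargetFilename"].lower().endswith("\\" + basename.lower()):
            hits.setdefault(r["Image"], []).append(r["TargetFilename"])
    return hits.get(image, []), {k: v for k, v in hits.items() if k != image}


def ev(event_id, utc, image, **fields):
    return {"EventID": event_id, "UtcTime": utc, "Image": image, **fields}


MAL = r"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
MSIEXEC = r"C:\Windows\System32\msiexec.exe"
DROP_DIR = (r"C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn"
            r"\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games")

# Constructed records (placeholders where noted; not entries from the lab's evtx).
SAMPLE = [
    ev(11, "2024-02-14 03:41:40.000", MAL, TargetFilename=DROP_DIR + r"\once.cmd"),
    ev(11, "2024-02-14 03:41:41.000", MSIEXEC, TargetFilename=r"C:\Windows\Installer\once.cmd"),
    ev(11, "2024-02-14 03:41:42.000", MAL, TargetFilename=DROP_DIR + r"\manual.pdf"),
    ev(2, "2024-02-14 03:41:43.000", MAL, TargetFilename=DROP_DIR + r"\manual.pdf",
       PreviousCreationUtcTime="2024-02-14 03:41:42.000",
       CreationUtcTime="2010-01-01 00:00:00.000"),  # placeholder stomped value
    ev(22, "2024-02-14 03:41:50.000", MAL, QueryName="www.example.com"),
    ev(3, "2024-02-14 03:41:51.000", MAL, DestinationIp="93.184.216.34",
       DestinationPort="80", Protocol="tcp"),  # port assumed
    ev(5, "2024-02-14 03:41:58.000", MAL),
]

if __name__ == "__main__":
    act = process_activity(SAMPLE, MAL)
    for key, value in act.items():
        print(f"{key}: {value}")
    print("pdf creation time set to:", stomped_time(act, ".pdf"))
    print("once.cmd by malware / by others:", created_by(SAMPLE, "once.cmd", MAL))
```

Pivoting on Image rather than on ProcessId is deliberate: the malicious binary appears in several Event ID 1 events across the lab's timeline if it is executed more than once, and PIDs are reused, whereas the image path is stable. For a process that spawns children, extend the filter to the ParentImage field as well, since files the children drop will carry their own Image.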