🔓 Sherlock Scenario
In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.
🔍 Evidence Overview
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ unzip -l unit42.zip
Archive: unit42.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
  1118208  02-14-2024 08:43   Microsoft-Windows-Sysmon-Operational.evtx
---------                     -------
  1118208                     1 file
EVTX File
EVTX is the file extension for Microsoft Windows Event Log files. Windows uses event logs to record and store system events, application events, and security events. These logs are important for system administrators and IT professionals because they help diagnose system issues, monitor security, and perform troubleshooting.
Windows Event Viewer can be used to inspect and analyze these log files through a graphical interface. Event logs usually include timestamps, event IDs, event sources, event types such as information, warnings, and errors, and detailed event descriptions.
Event logs can also be accessed and processed through command-line tools such as wevtutil, or through programming interfaces such as Windows Management Instrumentation (WMI).
Windows Sysmon
Windows Sysmon, or System Monitor, is a Windows system service and driver designed to monitor and record system activity to improve security visibility. Sysmon captures detailed system events that help administrators and security analysts identify suspicious behavior, intrusion attempts, and other security-relevant activity.
In Windows Sysmon logs, each event has an Event ID that classifies the type of system activity it records. The meaning of each Event ID is documented in Microsoft's Sysmon documentation.
The Event IDs present in this case are:
1: Process creation
2: A process changed a file creation time
3: Network connection
5: Process terminated
11: FileCreate
12: RegistryEvent (Object create and delete)
13: RegistryEvent (Value Set)
22: DNSEvent (DNS query)
23: FileDelete (File Delete archived)
26: FileDeleteDetected (File Delete logged)
Parse EVTX File
Reading EVTX files is probably easiest on Windows, but I solved this on Kali, so I looked for another parser.
I used the cross-platform EVTX parser (evtx_dump), exported the data as JSON, and then used jq to organize the results. This was also my first time using jq in a more complete workflow, so it was a good chance to learn it while solving the lab.
First, convert the EVTX file to JSON. I added --dont-show-record-number so evtx_dump would not output record numbers, otherwise jq would fail to parse the result.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ ./evtx_dump --dont-show-record-number -o json -f sysmon.json Microsoft-Windows-Sysmon-Operational.evtx
Print the first record to inspect the structure. During analysis, the main fields to focus on are EventID and the details inside EventData.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -s '.[0]'
{
"Event": {
"#attributes": {
"xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
},
"EventData": {
"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"ProcessGuid": "817BDDF3-3514-65CC-0802-000000001900",
"ProcessId": 4292,
"QueryName": "uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com",
"QueryResults": "type: 5 edge-block-www-env.dropbox-dns.com;::ffff:162.125.81.15;198.51.44.6;2620:4d:4000:6259:7:6:0:1;198.51.45.6;2a00:edc0:6259:7:6::2;198.51.44.70;2620:4d:4000:6259:7:6:0:3;198.51.45.70;2a00:edc0:6259:7:6::4;",
"QueryStatus": "0",
"RuleName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:25.269"
},
"System": {
"Channel": "Microsoft-Windows-Sysmon/Operational",
"Computer": "DESKTOP-887GK2L",
"Correlation": null,
"EventID": 22,
"EventRecordID": 118747,
"Execution": {
"#attributes": {
"ProcessID": 3028,
"ThreadID": 4452
}
},
"Keywords": "0x8000000000000000",
"Level": 4,
"Opcode": 0,
"Provider": {
"#attributes": {
"Guid": "5770385F-C22A-43E0-BF4C-06F5698FFBD9",
"Name": "Microsoft-Windows-Sysmon"
}
},
"Security": {
"#attributes": {
"UserID": "S-1-5-18"
}
},
"Task": 22,
"TimeCreated": {
"#attributes": {
"SystemTime": "2024-02-14T03:41:26.444119Z"
}
},
"Version": 5
}
}
}
🙋 Questions
Question 1
How many Event logs are there with Event ID 11?
Group the records by EventID and count them. A simpler approach would also be to use grep with wc -l.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -sc 'group_by(.Event.System.EventID) | map({EventID: .[0].Event.System.EventID, count: length}) | .[]'
{"EventID":1,"count":6}
{"EventID":2,"count":16}
{"EventID":3,"count":1}
{"EventID":5,"count":1}
{"EventID":7,"count":15}
{"EventID":10,"count":1}
{"EventID":11,"count":56}
{"EventID":12,"count":14}
{"EventID":13,"count":19}
{"EventID":15,"count":2}
{"EventID":17,"count":7}
{"EventID":22,"count":3}
{"EventID":23,"count":26}
{"EventID":26,"count":2}
Ans: 56
Question 2
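The same counting and filtering can be done without jq. The example below is added here and is not part of the original write-up: it reads evtx_dump's JSON output (objects written back to back, which is why jq needs -s), counts records per EventID as in Question 1, and reproduces the select-by-EventID-and-EventData-field pattern used in the later questions. The sample stream is constructed for the example.

```python
import json
from collections import Counter

# Constructed sample shaped like evtx_dump -o json output: JSON objects written back
# to back, not a JSON array (hence the write-up's jq -s); contents are made up.
SAMPLE_STREAM = r'''
{"Event": {"System": {"EventID": 22, "EventRecordID": 1},
  "EventData": {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
                "ProcessId": 4292, "QueryName": "d.dropbox.com"}}}
{"Event": {"System": {"EventID": 11, "EventRecordID": 2},
  "EventData": {"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "ProcessId": 4292,
                "TargetFilename": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe"}}}
{"Event": {"System": {"EventID": 11, "EventRecordID": 3},
  "EventData": {"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
                "ProcessId": 10672, "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\once.cmd"}}}
'''

def iter_records(stream):
    """Yield one dict per JSON object in a back-to-back JSON stream (what jq -s slurps)."""
    decoder = json.JSONDecoder()
    pos, end = 0, len(stream)
    while True:
        while pos < end and stream[pos].isspace():  # skip gaps between objects
            pos += 1
        if pos >= end:
            return
        obj, pos = decoder.raw_decode(stream, pos)
        yield obj

def count_by_event_id(records):
    """Same result as jq's group_by(.Event.System.EventID) | length (Question 1)."""
    return dict(Counter(r["Event"]["System"]["EventID"] for r in records))

def select(records, event_id, **contains):
    """EventData of records with the given EventID whose fields contain the given substrings,
    the Python form of select(.Event.System.EventID == N) | select(.Event.EventData.F | test("..."))."""
    hits = []
    for r in records:
        if r["Event"]["System"]["EventID"] != event_id:
            continue
        data = r["Event"]["EventData"]
        if all(needle in str(data.get(field, "")) for field, needle in contains.items()):
            hits.append(data)
    return hits

if __name__ == "__main__":
    recs = list(iter_records(SAMPLE_STREAM))
    print(count_by_event_id(recs))
    for data in select(recs, 11, Image="Preventivo24"):
        print(data["TargetFilename"])
```

On the real evidence, pass the contents of sysmon.json to iter_records instead of SAMPLE_STREAM.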
Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim’s system?
After filtering for EventID 1, this record is the most suspicious. Preventivo24.02.14.exe.exe was executed from the Downloads folder by explorer.exe, which suggests the user double-clicked it. Then I searched the file hash on VirusTotal, confirming that it is malware.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 1)' | jq -s '.[1].Event.EventData'
{
"CommandLine": "\"C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe\" ",
"Company": "Photo and Fax Vn",
"CurrentDirectory": "C:\\Users\\CyberJunkie\\Downloads\\",
"Description": "Photo and vn Installer",
"FileVersion": "1.1.2",
"Hashes": "SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA",
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"IntegrityLevel": "Medium",
"LogonGuid": "817BDDF3-311E-65CC-A7AE-1B0000000000",
"LogonId": "0x1baea7",
"OriginalFileName": "Fattura 2 2024.exe",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE",
"ParentImage": "C:\\Windows\\explorer.exe",
"ParentProcessGuid": "817BDDF3-311F-65CC-0A01-000000001900",
"ParentProcessId": 1116,
"ParentUser": "DESKTOP-887GK2L\\CyberJunkie",
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"Product": "Photo and vn",
"RuleName": "technique_id=T1204,technique_name=User Execution",
"TerminalSessionId": 1,
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:56.538"
}
Ans: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Question 3
Which Cloud drive was used to distribute the malware?
To determine how the malware entered the system, first search for EventID 11 records where TargetFilename contains Preventivo24. This confirms that the file was downloaded by Firefox.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 11) | select(.Event.EventData.TargetFilename | strings | test("Preventivo24"))' | jq -s '.[0].Event.EventData'
{
"CreationUtcTime": "2024-02-14 03:41:26.459",
"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"ProcessGuid": "817BDDF3-3514-65CC-0802-000000001900",
"ProcessId": 4292,
"RuleName": "-",
"TargetFilename": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:26.459"
}
Next, filter Firefox's DNS queries. DNS query events use EventID 22, and Firefox's ProcessId is 4292, so both conditions can be applied together. The first record is timestamped just before the file creation seen in the previous step, so the cloud drive was Dropbox.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 22)' | grep 4292 | jq -s '.[].Event.EventData'
{
"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"ProcessGuid": "817BDDF3-3514-65CC-0802-000000001900",
"ProcessId": 4292,
"QueryName": "uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com",
"QueryResults": "type: 5 edge-block-www-env.dropbox-dns.com;::ffff:162.125.81.15;198.51.44.6;2620:4d:4000:6259:7:6:0:1;198.51.45.6;2a00:edc0:6259:7:6::2;198.51.44.70;2620:4d:4000:6259:7:6:0:3;198.51.45.70;2a00:edc0:6259:7:6::4;",
"QueryStatus": "0",
"RuleName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:25.269"
}
{
"Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
"ProcessGuid": "817BDDF3-3514-65CC-0802-000000001900",
"ProcessId": 4292,
"QueryName": "d.dropbox.com",
"QueryResults": "type: 5 d.v.dropbox.com;type: 5 d-edge.v.dropbox.com;162.125.8.20;205.251.192.57;2600:9000:5300:3900::1;",
"QueryStatus": "0",
"RuleName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:43.924"
}
Ans: dropbox
Question 4
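The pivot in this question (a FileCreate by a browser, then the DNS queries the same process made just before the write) can be automated instead of grepping by PID and comparing timestamps by eye. The example below is added here and is not the write-up's own code; its records are constructed from the EventData values shown above, and the 60-second window is an assumption.

```python
from datetime import datetime

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"  # format of EventData.UtcTime in Sysmon records

# (EventID, EventData) pairs constructed for this example from the write-up's records:
# Firefox (PID 4292) resolves the Dropbox host, writes the download, then resolves
# d.dropbox.com; the last query belongs to a different process.
EVENTS = [
    (22, {"ProcessId": 4292, "QueryName": "uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com",
          "UtcTime": "2024-02-14 03:41:25.269"}),
    (11, {"ProcessId": 4292, "UtcTime": "2024-02-14 03:41:26.459",
          "TargetFilename": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe"}),
    (22, {"ProcessId": 4292, "QueryName": "d.dropbox.com", "UtcTime": "2024-02-14 03:41:43.924"}),
    (22, {"ProcessId": 10672, "QueryName": "www.example.com", "UtcTime": "2024-02-14 03:41:56.955"}),
]

def parse_ts(value):
    return datetime.strptime(value, SYSMON_TS)

def dns_before_file_create(events, filename_fragment, window_s=60):
    """For every FileCreate (EventID 11) whose TargetFilename contains filename_fragment,
    list the DNS queries (EventID 22) the same ProcessId made in the window_s seconds
    before the file appeared, nearest query first. Queries made after the write are
    ignored: they cannot be the source of the download."""
    findings = []
    for eid, created in events:
        if eid != 11 or filename_fragment not in created["TargetFilename"]:
            continue
        t_create = parse_ts(created["UtcTime"])
        queries = []
        for eid2, query in events:
            if eid2 != 22 or query["ProcessId"] != created["ProcessId"]:
                continue
            lead = (t_create - parse_ts(query["UtcTime"])).total_seconds()
            if 0 <= lead <= window_s:
                queries.append((lead, query["QueryName"]))
        queries.sort()
        findings.append((created["TargetFilename"], queries))
    return findings

if __name__ == "__main__":
    for path, queries in dns_before_file_create(EVENTS, "Preventivo24"):
        print(path)
        for lead, name in queries:
            print(f"  {lead:6.3f}s before write: {name}")
```

Note that a PID can be reused after the process exits; on a longer log, match on ProcessGuid rather than ProcessId.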
The initial malicious file timestomped (a defense evasion technique, where the file creation date is changed to make it appear old) many files it created on disk. What was the timestamp changed to for a PDF file?
The Event ID for file creation time changes is 2. Filter for EventID 2 and records containing .pdf; there is only one result.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 2)' | grep '.pdf' | jq -s '.[].Event.EventData'
{
"CreationUtcTime": "2024-01-14 08:10:06.029",
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"PreviousCreationUtcTime": "2024-02-14 03:41:58.404",
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"RuleName": "technique_id=T1070.006,technique_name=Timestomp",
"TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\TempFolder\\~.pdf",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:58.404"
}
Ans: 2024-01-14 08:10:06
Question 5
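EventID 2 also fires for legitimate tools that preserve a file's original timestamps, so the useful signal is how far the creation time was pushed back, not the event itself. The example below is added here and is not part of the write-up: it computes that backdating for each EventID 2 record and flags the large jumps. The first record mirrors the ~.pdf event above; the second is a constructed benign case, and the one-hour threshold is an assumption.

```python
from datetime import datetime

SYSMON_TS = "%Y-%m-%d %H:%M:%S.%f"  # format of the Sysmon UtcTime fields

# Constructed EventID 2 (file creation time changed) EventData records. The first
# mirrors the ~.pdf record in the write-up; the second is a made-up benign case where
# an archive extractor restores a creation time only a few seconds older than the current one.
EVENTS = [
    {"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
     "TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\TempFolder\\~.pdf",
     "PreviousCreationUtcTime": "2024-02-14 03:41:58.404",
     "CreationUtcTime": "2024-01-14 08:10:06.029"},
    {"Image": "C:\\Program Files\\ExampleArchiver\\extract.exe",  # hypothetical tool
     "TargetFilename": "C:\\Users\\CyberJunkie\\Documents\\notes.txt",
     "PreviousCreationUtcTime": "2024-02-14 03:50:00.000",
     "CreationUtcTime": "2024-02-14 03:49:55.000"},
]

def parse_ts(value):
    return datetime.strptime(value, SYSMON_TS)

def find_timestomps(events, min_backdate_s=3600):
    """Flag EventID 2 records whose new creation time is at least min_backdate_s
    earlier than the previous one, and report the jump in days together with the
    process that made the change. The threshold is an analyst's choice."""
    flagged = []
    for rec in events:
        before = parse_ts(rec["PreviousCreationUtcTime"])
        after = parse_ts(rec["CreationUtcTime"])
        backdated_s = (before - after).total_seconds()
        if backdated_s >= min_backdate_s:
            flagged.append({
                "image": rec["Image"],
                "file": rec["TargetFilename"],
                "new_creation": after.strftime("%Y-%m-%d %H:%M:%S"),
                "backdated_days": round(backdated_s / 86400, 2),
            })
    return flagged

if __name__ == "__main__":
    for hit in find_timestomps(EVENTS):
        print(f'{hit["file"]} backdated {hit["backdated_days"]} days to '
              f'{hit["new_creation"]} by {hit["image"]}')
```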
The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.
Filter for EventID 11, where EventData.Image contains Preventivo24, and then search for records containing once.cmd.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 11) | select(.Event.EventData.Image | strings | test("Preventivo24"))' | grep 'once.cmd' | jq -s '.[].Event.EventData'
{
"CreationUtcTime": "2024-02-14 03:41:58.404",
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"RuleName": "-",
"TargetFilename": "C:\\Users\\CyberJunkie\\AppData\\Roaming\\Photo and Fax Vn\\Photo and vn 1.1.2\\install\\F97891C\\WindowsVolume\\Games\\once.cmd",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:58.404"
}
Ans: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Question 6
The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?
We can confirm this by finding DNS queries made by the malicious process. Filter for EventID 22 where EventData.Image contains Preventivo24.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 22) | select(.Event.EventData.Image | strings | test("Preventivo24"))' | jq -s '.[].Event.EventData'
{
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"QueryName": "www.example.com",
"QueryResults": "::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;",
"QueryStatus": "0",
"RuleName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:56.955"
}
Ans: www.example.com
Question 7
Which IP address did the malicious process try to reach out to?
Network connection events use Event ID 3. Filtering for EventID 3 returns only one record, and its Image is the malicious process.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 3)' | jq -s '.[].Event.EventData'
{
"DestinationHostname": "-",
"DestinationIp": "93.184.216.34",
"DestinationIsIpv6": false,
"DestinationPort": 80,
"DestinationPortName": "-",
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"Initiated": true,
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"Protocol": "tcp",
"RuleName": "technique_id=T1036,technique_name=Masquerading",
"SourceHostname": "-",
"SourceIp": "172.17.79.132",
"SourceIsIpv6": false,
"SourcePort": 61177,
"SourcePortName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:57.159"
}
Ans: 93.184.216.34
Question 8
The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?
Process termination events use Event ID 5. Filtering for EventID 5 also returns only this malicious process record.
┌──(kali㉿kali)-[~/Desktop/HTB/Sherlock/Unit42]
└─$ cat sysmon.json | jq -c 'select(.Event.System.EventID == 5)' | jq -s '.[].Event.EventData'
{
"Image": "C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe",
"ProcessGuid": "817BDDF3-3684-65CC-2D02-000000001900",
"ProcessId": 10672,
"RuleName": "-",
"User": "DESKTOP-887GK2L\\CyberJunkie",
"UtcTime": "2024-02-14 03:41:58.795"
}
Ans: 2024-02-14 03:41:58
