THM – Sysmon

Sysmon is an add-on tool for Microsoft windows for logging. With Sysmon you will be able to see detect malicious activity by tracking code and network traffic. Below you will find a link to Microsoft’s page in regards to Sysmon.


Cutting out the noise

How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

Answer: 73,591
Context: Open the Filtering.evtx file and in the Event Viewer App under Saved logs, click Filtering, and then you can filter the current log by id 3. The number of events will be displayed at the top of the middle panel as shown below:

What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

Answer: 2021-01-06 01:35:50.464
Context: Scroll to the bottom of the list, click on the last row, in the middle bottom panel under General you will find the UTC time for the event.

Practical Investigations

What is the full registry key of the USB device calling svchost.exe in Investigation 1? 

Answer: HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName
Context: In Event Viewer if you look at the logs there is a category called Registry value set (rule: registryEvent) and there are 2 events. If you click on each event, one of them will have the image ../svchost.exe. the answer is the TargetObject which contains the registry key.

What is the device name when being called by RawAccessRead in Investigation 1?

Answer: \Device\HarddiskVolume3
Context: If you look at the 4 task categories RawAccessRead, 3 of them are related to the image svhost.exe, and the answer is under the device when looking at the details tab

What is the first exe the process executes in Investigation 1?

Answer: rundll32.exe
Context: Look at the first event and under the details, you will see the ParentImage

What is the full path of the payload in Investigation 2?

Answer: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta
Context: Looking closely at the 3 events only one makes references to a HTML file in the ParentCommandLine and the full payload path can be found next to the CommandLine that reference hta file and in a temp folder “Temporary Internet Files” which is the most likely file in an attempt to avoid detection.

What is the full path of the file the payload masked itself as in Investigation 2?

Answer: C:\Users\IEUser\Downloads\update.html
Context: This will be the HTML file path referenced in the ParentCommandLine of the event details

What signed binary executed the payload in Investigation 2?

Answer: C:\Windows\System32\mshta.exe
Context: Looking at the event details and image.

What is the IP of the adversary in Investigation 2?

Answer: 10.0.2.18
Context: Look at the Event with the Network connection detected task category and under details next to DestinatioIP.

What back connect port is used in Investigation 2?

Answer: 4443
Context: In the details of the same event, look at the DestinationPort

What is the IP of the suspected adversary in Investigation 3.1?

Answer: 172.30.1.253
Context: Take a look at the Netowrok connection category events and the DestinationIP in the details

What is the hostname of the affected endpoint in Investigation 3.1?

Answer: DESKTOP-O153T4R
Context: If you look at the events from the previous question, the SourceHostname has the answer.

What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

Answer: empirec2
Context: Under details of the event look at the DestinationHostname

Where in the registry was the payload stored in Investigation 3.1?

Answer: HKLM\SOFTWARE\Microsoft\Network\debug
Context: Take a look at the TargetObject for the first Registry Value set event.

What PowerShell launch code was used to launch the payload in Investigation 3.1?

Answer: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -c “$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \”-enc $x\” powershell”;exit;
Context: The second Registry value set event shows under Details the code used.

What is the IP of the adversary in Investigation 3.2?

Answer: 172.168.103.188
Context: Looking at the first network connection detected event details

What is the full path of the payload location in Investigation 3.2?

Answer: c:\users\q\AppData:blah.txt
Context: The first Process Create (rule: Processcreate) event the command line shows the full payload location at the end.

What was the full command used to create the scheduled task in Investigation 3.2?

Answer: “C:\WINDOWS\system32\schtasks.exe” /Create /F /SC DAILY /ST 09:00 /TN Updater /TR “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \”IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ”more < c:\users\q\AppData:blah.txt”’))))\””
Context: If you look through the process create, you will find one of them with the image schtasks.exe which tells us that this is a task scheduler. The answer is the CommandLine.

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

Answer: lsass.exe
Context: Taking a look further into the vents, you will find one of the events that shows schtasks.exe accessed the lsass process (Local Security Authority Subsystem Service)

What is the IP of the adversary in Investigation 4?

Answer: 172.30.1.253
Context: Just like the other questions, look at the first network event and the Destinationip

What port is the adversary operating on in Investigation 4?

Answer: 80
Context: The destination port in the details

What C2 is the adversary utilizing in Investigation 4?

Answer: Empire
Context: This one was tricky and I just tried dropping the c2 from the hostname.