unit42

| Released | 2024-04-04 |
| Retired | 2024-04-04 |
| Author | CyberJunkie |

Scenario
Task 01
Question: How many Event logs are there with Event ID 11?
Using Get-WinEvent, the given EVTX file (Windows event log) can be searched. To count individual events, the Group-Object cmdlet can be used to group and count by event ID.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Group-Object -Property Id | Select-Object Count, Name
Count Name
----- ----
6 1
16 2
1 3
1 5
15 7
1 10
56 11
14 12
19 13
2 15
7 17
3 22
26 23
2 26
Answer: 56
Task 02
Question: Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim’s system?
From the query in Task 01, it is known that there are only 6 events with ID 1 (Process Creation) in the event log. Using Where-Object, these events can be filtered out. Afterwards, the nested properties of the Sysmon event must be read. In this case, a process stands out that was started from a .exe file in the \Downloads\ folder.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "1")} | Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="Image"; Expression={$_.Properties[4].Value }}
UtcTime Image
------- -----
2024-02-14 03:41:58.178 C:\Windows\SysWOW64\msiexec.exe
2024-02-14 03:41:57.905 C:\Windows\SysWOW64\msiexec.exe
2024-02-14 03:41:57.787 C:\Windows\SysWOW64\msiexec.exe
2024-02-14 03:41:57.604 C:\Windows\System32\msiexec.exe
2024-02-14 03:41:56.538 C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
2024-02-14 03:41:45.304 C:\Program Files\Mozilla Firefox\pingsender.exe
Answer: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Task 03
Question: Which Cloud drive was used to distribute the malware?
Based on the search in Task 01, it is known that Sysmon generated a DNS Event (22) three times. This event contains the DNS query that was made. Among these, a request to a well-known file hosting service stands out.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "22")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="QueryName"; Expression={$_.Properties[4].Value }}
UtcTime QueryName
------- ---------
2024-02-14 03:41:56.955 www.example.com
2024-02-14 03:41:43.924 d.dropbox.com
2024-02-14 03:41:25.269 uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com
Answer: dropbox
Task 04
Question: The initial malicious file time-stamped (a defense evasion technique, where the file creation date is changed to make it appear old) many files it created on disk. What was the timestamp changed to for a PDF file?
Sysmon logs changes to a file's creation timestamp as Event ID 2 (FileCreateTime); the record carries both the new value (CreationUtcTime, Properties[6]) and the value it replaced (PreviousCreationUtcTime, Properties[7]). According to the overview, this event was logged 16 times.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "2")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="TargetFilename"; Expression={$_.Properties[5].Value }}, @{Name="CreationUtcTime"; Expression={$_.Properties[6].Value }}
UtcTime TargetFilename CreationUtcTime
------- -------------- ---------------
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.inf 2024-01-10 18:12:27.013
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\uvncvirtualdisplay.cat 2024-01-10 18:12:26.889
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\vnchooks.dll 2024-01-10 18:12:26.686
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UVncVirtualDisplay\UVncVirtualDisplay.dll 2024-01-10 18:12:26.905
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\ddengine.dll 2024-01-10 18:12:26.406
2024-02-14 03:41:58.420 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\viewer.exe 2024-01-10 18:12:26.670
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\taskhost.exe 2024-01-10 18:12:26.513
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\~.pdf 2024-01-14 08:10:06.029
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\UltraVNC.ini 2024-01-10 18:12:26.530
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmd.txt 2024-01-10 18:12:26.326
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd 2024-01-10 18:12:26.458
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\on.cmd 2024-01-10 18:12:26.436
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\cmmc.cmd 2024-01-10 18:12:26.373
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\c.cmd 2024-01-10 18:12:26.295
2024-02-14 03:41:58.389 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\powercfg.msi 2024-01-10 18:12:27.357
2024-02-14 03:41:57.545 C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi 2024-01-14 08:14:23.713
Among the modified files is a PDF at C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\TempFolder\~.pdf, whose creation time was set to 2024-01-14 08:10:06.029.
Answer: 2024-01-14 08:10:06
Task 05
Question: The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.
The event log records file creations under Event ID 11; the 56 such events were already counted in Task 01. To narrow the data down to the sought-after once.cmd, a Where-Object filter is applied to the TargetFilename.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "11")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="Image"; Expression={$_.Properties[4].Value }}, @{Name="TargetFilename"; Expression={$_.Properties[5].Value }} | Where-Object {$_.TargetFilename -like '*once.cmd'}
UtcTime Image TargetFilename
------- ----- --------------
2024-02-14 03:41:58.577 C:\Windows\system32\msiexec.exe C:\Games\once.cmd
2024-02-14 03:41:58.404 C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
The query returns 2 results; apparently, two files named once.cmd were created on the system. However, only the second one was created by the previously identified Preventivo24.02.14.exe.exe.
Answer: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Task 06
Question: The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?
The query for Event ID 22 from Task 03 shows all DNS requests. By adding the Image column, the first request can be attributed to the malicious process.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "22")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="QueryName"; Expression={$_.Properties[4].Value }}, @{Name="Image"; Expression={$_.Properties[7].Value }}
UtcTime QueryName Image
------- --------- -----
2024-02-14 03:41:56.955 www.example.com C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
2024-02-14 03:41:43.924 d.dropbox.com C:\Program Files\Mozilla Firefox\firefox.exe
2024-02-14 03:41:25.269 uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com C:\Program Files\Mozilla Firefox\firefox.exe
Answer: www.example.com
Task 07
Question: Which IP address did the malicious process try to reach out to?
Sysmon EventID 3 logs network connections that are created. It also records the corresponding destination IP addresses.
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "3")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="Image"; Expression={$_.Properties[4].Value }}, @{Name="DestinationIp"; Expression={$_.Properties[14].Value }}
UtcTime Image DestinationIp
------- ----- -------------
2024-02-14 03:41:57.159 C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe 93.184.216.34
Answer: 93.184.216.34
Task 08
Question: The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?
The termination of processes is logged by Sysmon with EventID 5. According to the list from Task 01, this event occurred only once during the logging period:
Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | Where-Object {($_.ID -eq "5")}| Select-Object @{Name="UtcTime"; Expression={$_.Properties[1].Value }}, @{Name="Image"; Expression={$_.Properties[4].Value }}
UtcTime Image
------- -----
2024-02-14 03:41:58.795 C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Answer: 2024-02-14 03:41:58
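The index-based queries above work because the right Properties[n] offset was chosen for each event type, but the offsets differ per ID (Image is [4] in ID 1 and [7] in ID 22) and shift silently if the Sysmon schema changes. As an added example, not part of the original write-up, the following PowerShell reads the fields by name from each record's own XML and reruns the analysis of Tasks 01, 02, 04 and 05-08 on the same EVTX file. The function name ConvertFrom-SysmonEvent and the $labels table are assumptions introduced here; the EVTX path and the suspect's image path are the ones used throughout the tasks.

```powershell
# Added example, not part of the original write-up. Assumes the same EVTX file in the
# current folder and the suspect path identified in Task 02. Field names are read from
# each record's own XML, so nothing here depends on Properties[n] positions.

function ConvertFrom-SysmonEvent {
    # Convert a record into an object whose properties are the Sysmon field names
    # (UtcTime, Image, TargetFilename, QueryName, ...), whatever the event ID.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        $obj = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $obj[$d.Name] = $d.'#text' }
        [pscustomobject]$obj
    }
}

$events = Get-WinEvent -Path .\Microsoft-Windows-Sysmon-Operational.evtx | ConvertFrom-SysmonEvent

# Event type names for the IDs present in this log (from the Sysmon documentation).
$labels = @{ 1 = 'ProcessCreate'; 2 = 'FileCreateTime'; 3 = 'NetworkConnect'; 5 = 'ProcessTerminate'
             7 = 'ImageLoad'; 10 = 'ProcessAccess'; 11 = 'FileCreate'; 12 = 'RegistryAddDelete'
             13 = 'RegistrySetValue'; 15 = 'FileCreateStreamHash'; 17 = 'PipeCreated'
             22 = 'DnsQuery'; 23 = 'FileDelete'; 26 = 'FileDeleteDetected' }

# Task 01: the per-ID overview, with the event type spelled out.
$events | Group-Object EventId | Sort-Object { [int]$_.Name } |
    Select-Object @{ n = 'Id'; e = { $_.Name } }, @{ n = 'Type'; e = { $labels[[int]$_.Name] } }, Count |
    Format-Table -AutoSize

# Task 02: process creations with the parent and command line the positional query left out.
$events | Where-Object EventId -eq 1 |
    Select-Object UtcTime, Image, ParentImage, CommandLine |
    Format-Table -AutoSize -Wrap

# Tasks 05-08: pivot on ProcessGuid, which is unique per process instance (PIDs are reused),
# to collect every record the suspect produced and read them as one timeline.
$suspectImage = 'C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe'
$guid = $events | Where-Object { $_.EventId -eq 1 -and $_.Image -eq $suspectImage } |
    Select-Object -First 1 -ExpandProperty ProcessGuid
$events | Where-Object ProcessGuid -eq $guid | Sort-Object UtcTime |
    Select-Object UtcTime, EventId, @{ n = 'Type'; e = { $labels[$_.EventId] } },
        @{ n = 'Detail'; e = { (@($_.TargetFilename, $_.QueryName, $_.DestinationIp) | Where-Object { $_ }) -join ' ' } } |
    Format-Table -AutoSize -Wrap

# Task 04: each FileCreateTime record carries the new creation time and the one it replaced.
# The difference shows how far each file was back-dated; many files pushed weeks into the
# past within the same second is the timestomping pattern seen in this log.
$fmt = 'yyyy-MM-dd HH:mm:ss.fff'
$inv = [cultureinfo]::InvariantCulture
$events | Where-Object EventId -eq 2 |
    Select-Object UtcTime, Image, TargetFilename, CreationUtcTime,
        @{ n = 'BackdatedByDays'; e = {
            $new  = [datetime]::ParseExact($_.CreationUtcTime, $fmt, $inv)
            $prev = [datetime]::ParseExact($_.PreviousCreationUtcTime, $fmt, $inv)
            [math]::Round(($prev - $new).TotalDays, 1) } } |
    Where-Object BackdatedByDays -gt 1 |
    Format-Table -AutoSize -Wrap
```

The ProcessGuid pivot is what ties the DNS query for www.example.com (ID 22), the connection to 93.184.216.34 (ID 3), the file drops (ID 11), the creation-time changes (ID 2) and the self-termination (ID 5) to the single Preventivo24.02.14.exe.exe instance, rather than to any process that later reused its PID. The timestomp section lists the ~.pdf entry from Task 04 with a delta of roughly 31 days next to the other back-dated files written in the same burst.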