
Sysmon

Task 1 Introduction

Sysmon, a tool used to monitor and log events on Windows, is commonly used by enterprises as part of their monitoring and logging solutions. Part of the Windows Sysinternals package, Sysmon is similar to Windows Event Logs with further detail and granular control.

No answer needed

Task 2 Sysmon Overview

From the Microsoft Docs, “System Monitor (Sysmon) is a Windows system service and device driver that, once installed on a system, remains resident across system reboots to monitor and log system activity to the Windows event log. It provides detailed information about process creations, network connections, and changes to file creation time. By collecting the events it generates using Windows Event Collection or SIEM agents and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.”

Event IDs

  • Event ID 1: Process creation
  • Event ID 2: Process changed a file creation time
  • Event ID 3: Network connection
  • Event ID 4: Sysmon service state changed
  • Event ID 5: Process terminated
  • Event ID 6: Driver loaded
  • Event ID 7: Image loaded
  • Event ID 8: CreateRemoteThread
  • Event ID 9: RawAccessRead
  • Event ID 10: ProcessAccess
  • Event ID 11: FileCreate
  • Event ID 12: RegistryEvent (Creation and Deletion)
  • Event ID 13: RegistryEvent (Value set)
  • Event ID 14: Registry Event (Key and Value rename)
  • Event ID 15: FileCreateStreamHash
  • Event ID 16: ServiceConfigurationChange
  • Event ID 17: PipeEvent (Creation)
  • Event ID 18: PipeEvent (Connected)
  • Event ID 19: WmiEvent (WmiEventFilter activity)
  • Event ID 20: WmiEvent (WmiEventConsumer activity)
  • Event ID 21: WmiEvent (WmiEventConsumerToFilter activity)
  • Event ID 22: DNSEvent (DNS Query)
  • Event ID 23: FileDelete
  • Event ID 255: Error

No answer needed

Task 3 Installing and Preparing Sysmon

I already had Sysmon installed by installing SysInternals but the PowerShell command to install is Download-SysInternalsTools C:\Sysinternals.

The command to run Sysmon with a config needs to be run with Administrator privileges.

I have my config files saved at C:\tools\SysinternalsSuite\Sysmon_configs. I navigated there in PowerShell, then ran sysmon.exe -accepteula -i SwiftOnSecurity.xml

No answer needed

Task 4 Cutting out the Noise

Read the above and practice filtering events.

No answer needed

How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

I ran the command Get-WinEvent -Path Filtering.evtx -FilterXPath '*/System/EventID=3' to find the logs for EventID=3 but ran into way too many events as you can see below.

I ran the command a second time, this time wrapping it in a ().Count to get PowerShell to count the output for me. This command took a few minutes to run so I had to be patient while it counted all 73,591.

73,591

What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

First, I had to find the Event ID number for network events. Task 2 gave a breakdown of the common event IDs.

Network events are EventID=3, the same as in the previous question. This meant I was able to reuse the command from last time. I did not need the ().Count from last time so I took that off. Also, the question only wanted the first event, so I added -MaxEvents 1 at the end of the command.

This gave me one event (and also returned a result immediately, unlike before). This event showed the TimeCreated but I needed the UTC Time Created to fit the formatting for this question. I then reused the command but piped the result to format-list, showing all properties by adding | fl -property *.

This time I found the UtcTime inside the Message property. However I discovered this answer was not correct. I then realized the list was given to me in reverse-chronological order starting with the most recent event. I managed to obtain the last event when I needed the first. I needed a way to reverse the order of the list.

Looking through the Get-WinEvent cmdlet documentation, I found that the -Oldest parameter will reverse the list. I added this into the command from before to find the answer.

2021-01-06 01:35:50.464

Task 5 Hunting Metasploit

For this task I was given the event log file HuntingMetasploit.evtx.

I ran the given command Get-WinEvent -Path HuntingMetasploit.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=4444' which did the following:

  1. Filtered down to just EventID=3 to obtain only network events
  2. Filtered to just events that have a Data field named "DestinationPort"
  3. Filtered to just events where a Data value is 4444

This command gave just one event:

Running this command again, through fl -property * gave me all the properties of the event.

This tells me someone opened a shell connection using port 4444.

No answer needed

Task 6 Detecting Mimikatz

First I went to my Sysmon config file and added the above rules to include ProcessAccess events that contain lsass.exe but exclude ones that used svchost.exe.

I then ran sysmon.exe -c PATH_TO_CONFIG to update the configuration.

To find a mimikatz event in the given event log file I ran the following command:
Get-WinEvent -Path HuntingMimikatz.evtx -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"] and */EventData/Data="C:\Windows\system32\lsass.exe"'

This filters the events down to just EventID=10, which is the ProcessAccess event. Next, it filters down to just records where TargetImage="C:\Windows\system32\lsass.exe".

This event log had just one record with such criteria. Opening it to look at the properties, I got:

No answer needed

Task 7 Hunting Malware

I ran the given command Get-WinEvent -Path HuntingRats.evtx -FilterXPath '*/System/EventID=3 and */EventData/Data[@Name="DestinationPort"] and */EventData/Data=8080' on the given event log to find network events using destination port 8080.

I found several entries.

No answer needed
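
The filters used in Tasks 4 to 7 test the field name and the value as two separate conditions, so an event with any Data value of 4444 (a source port, for example) also matches, and the UtcTime in Task 4 had to be read out of the Message text. The helper below is an added example, not part of the room or of Sysmon: it binds each field name to its value in the XPath and returns the EventData fields as object properties. Get-SysmonRecord and its parameters are hypothetical names, and field values are assumed to contain no single quote.

```powershell
# Added example; Get-SysmonRecord and its parameters are hypothetical names.
function Get-SysmonRecord {
    param(
        [Parameter(Mandatory)] [string] $Path,     # .evtx file to read
        [Parameter(Mandatory)] [int]    $EventId,  # Sysmon event ID (Task 2 list)
        [hashtable] $Field = @{},                  # EventData name -> exact value
        [int]       $MaxEvents = 0,                # 0 means no limit
        [switch]    $Oldest                        # oldest event first
    )

    # Data[@Name='X']='v' tests one element; "Data[@Name='X'] and Data='v'"
    # can be satisfied by two different elements of the same event.
    $tests = @("System[EventID=$EventId]")
    foreach ($name in $Field.Keys) {
        $tests += "EventData[Data[@Name='$name']='$($Field[$name])']"
    }
    $xpath = '*[' + ($tests -join ' and ') + ']'

    $query = @{ Path = $Path; FilterXPath = $xpath; Oldest = $Oldest }
    if ($MaxEvents -gt 0) { $query.MaxEvents = $MaxEvents }

    Get-WinEvent @query | ForEach-Object {
        # Take fields from the event XML rather than the rendered Message text.
        $record = [ordered]@{ EventId = $_.Id; TimeCreated = $_.TimeCreated }
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) {
            $record[$d.Name] = $d.'#text'
        }
        [pscustomobject]$record
    }
}

# Task 4: UTC time of the first (oldest) network event
Get-SysmonRecord -Path .\Filtering.evtx -EventId 3 -Oldest -MaxEvents 1 |
    Select-Object UtcTime, Image, DestinationIp, DestinationPort

# Task 5: only events whose DestinationPort field itself is 4444
Get-SysmonRecord -Path .\HuntingMetasploit.evtx -EventId 3 -Field @{ DestinationPort = '4444' }

# Task 6: access to lsass.exe, leaving out svchost.exe as the source process
Get-SysmonRecord -Path .\HuntingMimikatz.evtx -EventId 10 `
    -Field @{ TargetImage = 'C:\Windows\system32\lsass.exe' } |
    Where-Object SourceImage -NotLike '*\svchost.exe'
```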

Task 8 Hunting Persistence

The SwiftOnSecurity Sysmon config file uses the rules below to detect files being placed in \Startup\ or \Start Menu, and registry changes under the Run keys and Group Policy\Scripts:

<RuleGroup name="" groupRelation="or">  
    <FileCreate onmatch="include">  
        <TargetFilename name="T1023" condition="contains">\Start Menu</TargetFilename>  
        <TargetFilename name="T1165" condition="contains">\Startup\</TargetFilename>  
    </FileCreate>  
</RuleGroup>
<RuleGroup name="" groupRelation="or">  
    <RegistryEvent onmatch="include">  
        <TargetObject name="T1060,RunKey" condition="contains">CurrentVersion\Run</TargetObject>  
        <TargetObject name="T1484" condition="contains">Group Policy\Scripts</TargetObject>  
        <TargetObject name="T1060" condition="contains">CurrentVersion\Windows\Run</TargetObject>  
    </RegistryEvent>  
</RuleGroup>

Task 9 Detecting Evasion Techniques

Alternate Data Streams:
Get-WinEvent -Path Hunting_ADS.evtx -FilterXPath '*/System/EventID=15'

Remote Thread Creation
Get-WinEvent -Path Detecting_Remote_Threads.evtx -FilterXPath '*/System/EventID=8'

No answer needed

Task 10 Practical Investigations

Investigation 1 – ugh, BILL THAT’S THE WRONG USB!

In this investigation, your team has received reports that a malicious file was dropped onto a host by a malicious USB. They have pulled the logs suspected and have tasked you with running the investigation for it.

What is the full registry key of the USB device calling svchost.exe in Investigation 1? 

I opened the given log file and found two RegistryEvents (EventID=13).

I clicked into the first one and found a Registry key listed as a TargetObject.

HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName

What is the device name when being called by RawAccessRead in Investigation 1?

I found a few events listed as RawAccessRead in the same log file as the previous question. Clicking into the event, I found the device name under the EventData.

\Device\HarddiskVolume3

What is the first exe the process executes in Investigation 1?

I sorted the events by chronological order, then looked through the ProcessCreate events. The first option shows it was calling rundll32.exe from commandline.

rundll32.exe

Investigation 2 – This isn’t an HTML file? 

Another suspicious file has appeared in your logs and has managed to execute code masking itself as an HTML file, evading your anti-virus detections. Open the logs and investigate the suspicious file.

What is the full path of the payload in Investigation 2?

In the first event in the log I found a path to a file in a folder for temporary internet files.

C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

What is the full path of the file the payload masked itself as in Investigation 2?

In that same event I found a path listed in ParentImage that goes to the downloads folder. The file is named update.html which sounds somewhat unsuspicious.

C:\Users\IEUser\Downloads\update.html

What signed binary executed the payload in Investigation 2?

The path that came before the payload earlier is the binary that executed the payload.

C:\Windows\System32\mshta.exe

What is the IP of the adversary in Investigation 2?

Since this question is asking about an IP address, I clicked into the NetworkConnect EventID=3 event. Here I found the destination IP address the workstation was talking to.

10.0.2.18

What back connect port is used in Investigation 2?

The above screenshot also shows the attacker using port 4443

4443

Investigation 3.1 – 3.2 – Where’s the bouncer when you need him

Your team has informed you that the adversary has managed to set up persistence on your endpoints as they continue to move throughout your network. Find how the adversary managed to gain persistence using logs provided.

What is the IP of the suspected adversary in Investigation 3.1?

I looked at the first event with Network Connect EventID=3 and found the Destination IP address.

172.30.1.253

What is the hostname of the affected endpoint in Investigation 3.1?

Further down on that same event I found the infected computer’s name.

DESKTOP-O153T4R

What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

The Destination Hostname is also listed in the previous event.

empirec2

Where in the registry was the payload stored in Investigation 3.1?

To find this I went to the first Registry value set event. Inside I found a registry location at TargetObject.

HKLM\SOFTWARE\Microsoft\Network\debug

What PowerShell launch code was used to launch the payload in Investigation 3.1?

In the next Registry value set event I found a PowerShell command that looked like a payload.

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;

What is the IP of the adversary in Investigation 3.2?

In the first NetworkConnect event I found the destination IP address that belongs to the adversary.

172.168.103.188

What is the full path of the payload location in Investigation 3.2?

In the first ProcessCreate event I found what appears to be an encoded payload being saved to the file c:\users\q\AppData:blah.txt.

c:\users\q\AppData:blah.txt

What was the full command used to create the scheduled task in Investigation 3.2?

I looked through the ProcessCreate events until I found one with a commandline item that looked to be involved in scheduling tasks.

"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

Further down the event stack I found schtasks.exe interacting with lsass.exe.

lsass.exe

Investigation 4 – Mom look! I built a botnet!

As the adversary has gained a solid foothold onto your network it has been brought to your attention that they may have been able to set up C2 communications on some of the endpoints. Collect the logs and continue your investigation.

What is the IP of the adversary in Investigation 4?

Looking at the oldest network event in the log I found the destination IP address that belongs to the adversary.

172.30.1.253

What port is the adversary operating on in Investigation 4?

The above screenshot also shows the port number in use.

80

What C2 is the adversary utilizing in Investigation 4?

One of the events mentioned a hostname for the attacker called empirec2

empire
