Unit42

CHALLENGE DESCRIPTION

In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.

SET UP

```bash
python3 -m venv myenv
source myenv/bin/activate
pip install python-evtx

wget https://raw.githubusercontent.com/williballenthin/python-evtx/refs/heads/master/evtx_scripts/evtx_dump.py
python3 evtx_dump.py Microsoft-Windows-Sysmon-Operational.evtx > log.txt
```

SOLUTION

How many Event logs are there with Event ID 11?

```bash
grep -i '11</EventID' log.txt | wc -l
```

Answer 56

Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim’s system?

```bash
grep -a10 -i '>1</EventID' log.txt
```

In the output, look for image paths that start with C:\ and end with .exe.

Answer C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe

Which Cloud drive was used to distribute the malware?

Hint: Event ID 22 can be used to look for any DNS Queries made by the system. If you see events related to the malicious file being created, look for an Event ID 22 event surrounding that event.

```bash
grep -a20 -i '>22</EventID' log.txt
```

Look at QueryName

Answer dropbox

For many of the files it wrote to disk, the initial malicious file used a defense evasion technique called Time Stomping, where the file creation date is changed to make it appear older and blend in with other files. What was the timestamp changed to for the PDF file?

```bash
grep -a5 -i 'pdf' log.txt
```

Search for PDF files and examine the lines around each match.

Answer 2024-01-14 08:10:06
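The grep context windows above work, but the same three questions (event counts per ID, Event ID 22 DNS lookups, and Event ID 2 time stomping) can be answered from the evtx_dump.py output with a small parser. This is an added example, not part of the original writeup; the records below are constructed to mimic the dump layout, and the `C:\Users\victim` paths are placeholders.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace used by every event record that evtx_dump.py prints.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample records (not the lab's real data), trimmed to the
# <Data> fields the questions rely on.
SAMPLE_DUMP = r"""
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">22</EventID></System><EventData>
<Data Name="QueryName">www.example.com</Data>
<Data Name="QueryResults">::ffff:93.184.216.34;</Data>
<Data Name="Image">C:\Users\victim\Downloads\sample.exe</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">2</EventID></System><EventData>
<Data Name="Image">C:\Users\victim\Downloads\sample.exe</Data>
<Data Name="TargetFilename">C:\Users\victim\AppData\Roaming\drop\readme.pdf</Data>
<Data Name="CreationUtcTime">2024-01-14 08:10:06.000</Data>
<Data Name="PreviousCreationTime">2024-02-14 03:40:05.000</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID Qualifiers="">11</EventID></System><EventData>
<Data Name="TargetFilename">C:\Users\victim\AppData\Roaming\drop\readme.pdf</Data>
</EventData></Event>
"""

def parse_events(dump_text):
    """Yield (event_id, {DataName: value}) for every <Event> in the dump."""
    for chunk in re.findall(r"<Event .*?</Event>", dump_text, re.DOTALL):
        root = ET.fromstring(chunk)
        event_id = int(root.find("e:System/e:EventID", NS).text)
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", NS)}
        yield event_id, data

def count_by_event_id(dump_text):
    """Same as the grep | wc -l count, for every Event ID at once."""
    return Counter(eid for eid, _ in parse_events(dump_text))

def dns_queries(dump_text):
    """Event ID 22: which image resolved which name, and what came back."""
    return [(d["Image"], d["QueryName"], d["QueryResults"])
            for eid, d in parse_events(dump_text) if eid == 22]

def timestomped_files(dump_text):
    """Event ID 2 where the creation time moved backwards: time stomping."""
    return [(d["TargetFilename"], d["PreviousCreationTime"], d["CreationUtcTime"])
            for eid, d in parse_events(dump_text)
            if eid == 2 and d["CreationUtcTime"] < d["PreviousCreationTime"]]
```

Run it against the real dump by replacing SAMPLE_DUMP with the contents of log.txt; the timestamp comparison works as plain string comparison because Sysmon writes times in sortable YYYY-MM-DD HH:MM:SS form.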

The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.

```bash
grep -i 'once.CMD' log.txt
```

Answer C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?

Hint: Filter for Event ID 22 and look at the Image field.

```bash
grep -a20 -i '>22</EventID' log.txt
```

Answer www.example.com

Which IP address did the malicious process try to reach out to?

We can get the answer from the above by looking at QueryResults

Answer 93.184.216.34

The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?

```bash
grep -a5 -i 'UltraVNC' log.txt
```

Answer 2024-02-14 03:41:58