UNIT42 (SYSMON/EVENT LOGS)
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
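# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe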
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
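# -FilterHashtable pushes the Id filter into the log reader instead of materialising every record
# and filtering it in Where-Object; same count, much faster on large evtx files. Note that
# Get-WinEvent reports a non-terminating error (not an empty result) when nothing matches.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=11} | Measure-Object | Select-Object -ExpandProperty Count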
56
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
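# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe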
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
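# Dump every field of each Sysmon EID 1 (ProcessCreate) record, one object per event: each
# <Data Name="..."> element is folded into an ordered hashtable so Format-List prints the record
# as Name : Value lines in Sysmon's own field order. This replaces the one-object-per-field form
# plus a Write-Host separator — Write-Host bypasses the pipeline, so that separator is not
# guaranteed to land between events once Format-List renders the output. The Id filter is applied
# inside the log reader (-FilterHashtable) rather than after every record has been materialised.
# RuleName carries the ATT&CK tag from the Sysmon config (T1204 on the lure below).
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=1} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $record = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # a blank field has no '#text' child; indexing it simply yields $null
        if ($d.Name) { $record[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]$record
} | Format-List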
RuleName technique_id=T1204,technique_name=User Execution
UtcTime 2024-02-14 03:41:56.538
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
FileVersion 1.1.2
Description Photo and vn Installer
Product Photo and vn
Company Photo and Fax Vn
OriginalFileName Fattura 2 2024.exe
CommandLine "C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
CurrentDirectory C:\Users\CyberJunkie\Downloads\
User DESKTOP-887GK2L\CyberJunkie
LogonGuid {817bddf3-311e-65cc-a7ae-1b0000000000}
LogonId 0x1baea7
TerminalSessionId 1
IntegrityLevel Medium
Hashes SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA
ParentProcessGuid {817bddf3-311f-65cc-0a01-000000001900}
ParentProcessId 1116
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE
ParentUser DESKTOP-887GK2L\CyberJunkie
...
* display event id 1 specific fields
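# Compact EID 1 (ProcessCreate) view: the fields an analyst triages first. The EventData is
# indexed once per event instead of being rescanned with Where-Object for every field.
# Id filtering happens inside the log reader (-FilterHashtable).
# For pivoting to EID 2/11/22 prefer ProcessGuid over ProcessId — PIDs are reused, GUIDs are not.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=1} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $f = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $f[$d.Name] = $d.'#text' } }
    [PSCustomObject]@{
        # TimeCreated is rendered in this workstation's local zone (10:41 PM here vs 03:41 in
        # Sysmon's UtcTime field); correlate other sources against UtcTime, not this value.
        TimeCreated = $_.TimeCreated
        Image       = $f['Image']
        ParentImage = $f['ParentImage']
        CommandLine = $f['CommandLine']
        # SHA1/MD5/SHA256/IMPHASH of the image as configured in Sysmon; pivot on SHA256 for intel lookups
        Hashes      = $f['Hashes']
        ProcessId   = $f['ProcessId']
        User        = $f['User']
    }
} | Format-List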
TimeCreated : 2/13/2024 10:41:58 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Windows\System32\msiexec.exe
CommandLine : C:\Windows\syswow64\MsiExec.exe -Embedding 5250A3DB12224F77D2A18B4EB99AC5EB
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 10280
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
CommandLine : "C:\Windows\system32\msiexec.exe" /i "C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe SETUPEXEDIR=C:\Users\CyberJunkie\Downloads\
EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707880560 "
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 10324
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Windows\System32\msiexec.exe
CommandLine : C:\Windows\syswow64\MsiExec.exe -Embedding 5364C761FA9A55D636271A1CE8A6742D C
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 6996
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\System32\msiexec.exe
ParentImage : C:\Windows\System32\services.exe
CommandLine : C:\Windows\system32\msiexec.exe /V
Hashes : SHA1=32B8B2E3B3ECD8E194ACE65A5E5052C326D7CCAA,MD5=3A8464F2CECDF1D89430C64237949F20,SHA256=8CA4B8B7A2F8E6E7D1DF1AE46437FC252CD9C4B78CA3C7ADCAB721BD0F68B358,IMPHASH=0990A9500FF8DF93E0E059EE13E7C796
ProcessId : 10220
User : NT AUTHORITY\SYSTEM
TimeCreated : 2/13/2024 10:41:56 PM
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
ParentImage : C:\Windows\explorer.exe
CommandLine : "C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
Hashes : SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA
ProcessId : 10672
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:45 PM
Image : C:\Program Files\Mozilla Firefox\pingsender.exe
ParentImage : C:\Program Files\Mozilla Firefox\firefox.exe
CommandLine : "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/cb88145b-129d-471c-b605-4fdf09fec680/event/Firefox/122.0.1/release/20240205133611?v=4
C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\cb88145b-129d-471c-b605-4fdf09fec680 https://incoming.telemetry.mozilla.org/submit/telemetry/6fcd92a2-cc60-4df6-b6fb-66356dd011c1/main/Firefox/122.0.1/release/20240205133611?v=4
C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\6fcd92a2-cc60-4df6-b6fb-66356dd011c1
Hashes : SHA1=282F855BEB4FACF0726E13ECCADB7D3411B30B85,MD5=A1F5FF25E3D0F160BC7CE7CA57349D83,SHA256=B412C45DE423534D85F121ABC348FB38020FDA804EA0A972708B7447B0E7325D,IMPHASH=F84029681F81FED23E3E067364DA1699
ProcessId : 5584
User : DESKTOP-887GK2L\CyberJunkie
* Look for executables launched from unusual locations. Here the process started at 03:41:56 UTC runs from the user's Downloads folder (C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe) with a double extension, its PE metadata (OriginalFileName "Fattura 2 2024.exe", Company "Photo and Fax Vn") does not match the on-disk name, and its parent is explorer.exe — consistent with the user opening it from Explorer, which is why Sysmon's rule tagged it T1204 User Execution. That process (PID 10672, ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}) is the pivot for the EID 2/11/22 queries below; use the ProcessGuid rather than the PID, since PIDs are reused.
- the Sysmon-specific details (command line, image path, parent process, etc.) are not separate
properties on the EventLogRecord object PowerShell returns; they are embedded in the Message
text blob and in the event's XML.
- Parse the XML (ToXml) to read them by name. $_.Properties exposes the same values, but only
positionally (no Name attribute), so the XML is the reliable way to pick specific fields.
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
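# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe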
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
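# Dump every field of each Sysmon EID 22 (DnsQuery) record, one object per event: each
# <Data Name="..."> element is folded into an ordered hashtable so Format-List prints the record
# as Name : Value lines in Sysmon's own field order. This replaces the one-object-per-field form
# plus a Write-Host separator — Write-Host bypasses the pipeline, so that separator is not
# guaranteed to land between events once Format-List renders the output. The Id filter is applied
# inside the log reader (-FilterHashtable) rather than after every record has been materialised.
# QueryResults lists resolved answers (CNAME entries appear as "type: 5 <name>"); QueryStatus 0 = success.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=22} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $record = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # a blank field has no '#text' child; indexing it simply yields $null
        if ($d.Name) { $record[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]$record
} | Format-List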
Name Value
---- -----
RuleName -
UtcTime 2024-02-14 03:41:56.955
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
QueryName www.example.com
QueryStatus 0
QueryResults ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
User DESKTOP-887GK2L\CyberJunkie
* display event id 22 specific fields
#display DNS queries (EID 22). The lure (PID 10672) resolves only www.example.com, ~0.4 s after it starts — presumably a connectivity check; do not read it as C2 on its own. The firefox.exe queries to d.dropbox.com / *.dl.dropboxusercontent.com precede the download (see the EID 11 correlation below).
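# One "Name: value" line per field, for every EID 22 (DnsQuery) record; the Id filter runs inside
# the log reader (-FilterHashtable) instead of piping every record through Where-Object.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=22} | ForEach-Object {[xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | ForEach-Object {"$($_.Name): $($_.'#text')"}}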
RuleName: -
UtcTime: 2024-02-14 03:41:56.955
ProcessGuid: {817bddf3-3684-65cc-2d02-000000001900}
ProcessId: 10672
QueryName: www.example.com
QueryStatus: 0
QueryResults: ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Image: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:43.924
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
QueryName: d.dropbox.com
QueryStatus: 0
QueryResults: type: 5 d.v.dropbox.com;type: 5 d-edge.v.dropbox.com;162.125.8.20;205.251.192.57;2600:9000:5300:3900::1;
Image: C:\Program Files\Mozilla Firefox\firefox.exe
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:25.269
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
QueryName: uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com
QueryStatus: 0
QueryResults: type: 5 edge-block-www-env.dropbox-dns.com;::ffff:162.125.81.15;198.51.44.6;2620:4d:4000:6259:7:6:0:1;198.51.45.6;2a00:edc0:6259:7:6::2;198.51.44.70;2620:4d:4000:6259:7:6:0:3;198.51.45.70;2a00:edc0:6259:7:6::4;
Image: C:\Program Files\Mozilla Firefox\firefox.exe
User: DESKTOP-887GK2L\CyberJunkie
#correlate w/ event ID 11 (FileCreate): the lure was written to Downloads at 03:41:26.459 UTC by firefox.exe (PID 4292, ProcessGuid {817bddf3-3514-65cc-0802-000000001900}) — the same process whose DNS queries above resolved uc2f…dl.dropboxusercontent.com about a second earlier (03:41:25.269). That is consistent with a Dropbox-hosted download, but the EID 22/11 records alone do not prove which host served the file. The :Zone.Identifier stream firefox.exe creates is the Mark-of-the-Web; if the file itself is collected, its ZoneId (and, depending on the browser, HostUrl/ReferrerUrl) values give the download origin directly.
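# One "Name: value" line per field, for every EID 11 (FileCreate) record; the Id filter runs inside
# the log reader (-FilterHashtable) instead of piping every record through Where-Object.
# Narrow further on ProcessGuid (not ProcessId — PIDs are reused) when pivoting from EID 1/22.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=11} | ForEach-Object {[xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | ForEach-Object {"$($_.Name): $($_.'#text')"}}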
RuleName: -
UtcTime: 2024-02-14 03:41:30.472
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\skZdsnwf.exe.part
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\skZdsnwf.exe.part
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CYBERJ~1\AppData\Local\Temp\skZdsnwf.exe
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
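# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe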
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
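# Dump every field of each Sysmon EID 2 (FileCreateTime changed) record, one object per event:
# each <Data Name="..."> element is folded into an ordered hashtable so Format-List prints the
# record as Name : Value lines in Sysmon's own field order. This replaces the one-object-per-field
# form plus a Write-Host separator — Write-Host bypasses the pipeline, so that separator is not
# guaranteed to land between events once Format-List renders the output. The Id filter is applied
# inside the log reader (-FilterHashtable) rather than after every record has been materialised.
# CreationUtcTime is the NEW timestamp the process wrote; PreviousCreationUtcTime is what the file had before.
PS C:\> Get-WinEvent -FilterHashtable @{Path="Microsoft-Windows-Sysmon-Operational.evtx"; Id=2} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $record = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # a blank field has no '#text' child; indexing it simply yields $null
        if ($d.Name) { $record[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]$record
} | Format-List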
RuleName technique_id=T1070.006,technique_name=Timestomp
UtcTime 2024-02-14 03:41:58.389
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
TargetFilename C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Gam...
CreationUtcTime 2024-01-10 18:12:27.357
PreviousCreationUtcTime 2024-02-14 03:41:58.389
User DESKTOP-887GK2L\CyberJunkie
* display event id 2 specific fields
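# Compact EID 2 (FileCreateTime changed) view. The EventData is indexed once per event instead of
# being rescanned with Where-Object for every field; Id filtering happens inside the log reader.
# Semantics: PreviousCreationUtcTime = the creation time the file had before the change,
# CreationUtcTime = the new value the process set. Sysmon's rule tags the change T1070.006 when
# it matches the config; installers also set timestamps on extracted files, so weigh it against
# which process did it (Image) and what was written.
PS C:\> Get-WinEvent -FilterHashtable @{Path="T:\00.HTB\SHERLOCK\INTRO TO BLUE TEAM\Microsoft-Windows-Sysmon-Operational.evtx"; Id=2} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $f = @{}
    foreach ($d in $xml.Event.EventData.Data) { if ($d.Name) { $f[$d.Name] = $d.'#text' } }
    [PSCustomObject]@{
        # local-zone rendering of the record time; use the UTC fields below for correlation
        TimeCreated             = $_.TimeCreated
        Image                   = $f['Image']
        PreviousCreationUtcTime = $f['PreviousCreationUtcTime']
        CreationUtcTime         = $f['CreationUtcTime']
        RuleName                = $f['RuleName']
        User                    = $f['User']
    }
} | Format-List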
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
PreviousCreationUtcTime : 2024-02-14 03:41:57.545
CreationUtcTime : 2024-01-14 08:10:06.029
RuleName : technique_id=T1070.006,technique_name=Timestomp
User : DESKTOP-887GK2L\CyberJunkie
...
* Sysmon EID 2 fires when a process rewrites a file's creation timestamp. PreviousCreationUtcTime is the value the file had before the change — here 2024-02-14 03:41:57.545, i.e. when the file was first created on this host during the install.
* CreationUtcTime is the new value the process set — here 2024-01-14 08:10:06.029, a month before the activity, which is why Sysmon's rule tagged it T1070.006 Timestomp. Treat this as a lead rather than proof of anti-forensics: installers and archive extractors routinely stamp extracted files with the timestamps stored in the package. Weigh it by who did it (the lure Preventivo24.02.14.exe.exe itself, not a trusted installer) and what was written (the files under ...\install\F97891C\WindowsVolume\..., e.g. the once.cmd seen in the EID 11 output below).
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
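# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe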
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
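# Dump every field of each Sysmon EID 11 (FileCreate) record, one object per event: each
# <Data Name="..."> element is folded into an ordered hashtable so Format-List prints the record
# as Name : Value lines in Sysmon's own field order. This replaces the one-object-per-field form
# plus a Write-Host separator — Write-Host bypasses the pipeline, so that separator is not
# guaranteed to land between events once Format-List renders the output. The Id filter is applied
# inside the log reader (-FilterHashtable) rather than after every record has been materialised.
# 56 records match (see the count above); narrow on ProcessGuid when pivoting from a specific process.
PS C:\> Get-WinEvent -FilterHashtable @{Path="T:\00.HTB\SHERLOCK\INTRO TO BLUE TEAM\Microsoft-Windows-Sysmon-Operational.evtx"; Id=11} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $record = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # a blank field has no '#text' child; indexing it simply yields $null
        if ($d.Name) { $record[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]$record
} | Format-List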
Name : RuleName
Value : -
Name : UtcTime
Value : 2024-02-14 03:41:58.404
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : TargetFilename
Value : C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Name : CreationUtcTime
Value : 2024-02-14 03:41:58.404
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
* display event id 11 specific fields
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://labs.hackthebox.com/api/v4/challenges/632/cdn/redirect?auth_user_id=<redacted>&expires=<redacted>&signature=<redacted>
(pre-signed, per-account download link: the auth_user_id/expires/signature triplet authorises the download for anyone who holds it until it expires, so it must not be pasted into shared notes — fetch a fresh link from the Sherlock page when needed)
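# Fetch the installer over HTTPS, then record its SHA256 and compare it with a known-good value
# (the project's published hash or a copy you already trust) BEFORE running it. Do this on the
# analysis workstation, never on the evidence host. -UseBasicParsing avoids the IE-engine
# dependency of Windows PowerShell 5.1 and is accepted (ignored) by PowerShell 7.
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe -UseBasicParsing
PS C:\> Get-FileHash -Algorithm SHA256 .\7zip.exe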
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
# Peek at the newest record (Get-WinEvent returns newest first; add -Oldest to start from the
# beginning of the file). Format-List * shows only the generic EventLogRecord properties —
# Sysmon's own fields (Image, CommandLine, ...) are inside Message and the event XML.
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List -Property *
* display all fields prior to filtering
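# Dump every field of each Sysmon EID 22 (DnsQuery) record, one object per event: each
# <Data Name="..."> element is folded into an ordered hashtable so Format-List prints the record
# as Name : Value lines in Sysmon's own field order. This replaces the one-object-per-field form
# plus a Write-Host separator — Write-Host bypasses the pipeline, so that separator is not
# guaranteed to land between events once Format-List renders the output. The Id filter is applied
# inside the log reader (-FilterHashtable) rather than after every record has been materialised.
# QueryResults lists resolved answers (CNAME entries appear as "type: 5 <name>"); QueryStatus 0 = success.
PS C:\> Get-WinEvent -FilterHashtable @{Path="T:\00.HTB\SHERLOCK\INTRO TO BLUE TEAM\Microsoft-Windows-Sysmon-Operational.evtx"; Id=22} |
ForEach-Object {
    $xml = [xml]$_.ToXml()
    $record = [ordered]@{}
    foreach ($d in $xml.Event.EventData.Data) {
        # a blank field has no '#text' child; indexing it simply yields $null
        if ($d.Name) { $record[$d.Name] = $d.'#text' }
    }
    [PSCustomObject]$record
} | Format-List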
Name : RuleName
Value : -
Name : UtcTime
Value : 2024-02-14 03:41:56.955
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : QueryName
Value : www.example.com
Name : QueryStatus
Value : 0
Name : QueryResults
Value : ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
* display event id 22 specific fields