UNIT42 (SYSMON/EVENT LOGS)
How many Event logs are there with Event ID 11?

PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe
...
* install 7-Zip if required
* GUI: BFT.zip > 7-Zip > extract files (the Sysmon EVTX is inside the archive)
...
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" -MaxEvents 1 | Format-List *
* display all fields prior to filtering
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object {$_.Id -eq 11} | Measure-Object | Select-Object -ExpandProperty Count
56
Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim's system?

PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 1 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
RuleName technique_id=T1204,technique_name=User Execution
UtcTime 2024-02-14 03:41:56.538
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
FileVersion 1.1.2
Description Photo and vn Installer
Product Photo and vn
Company Photo and Fax Vn
OriginalFileName Fattura 2 2024.exe
CommandLine "C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
CurrentDirectory C:\Users\CyberJunkie\Downloads\
User DESKTOP-887GK2L\CyberJunkie
LogonGuid {817bddf3-311e-65cc-a7ae-1b0000000000}
LogonId 0x1baea7
TerminalSessionId 1
IntegrityLevel Medium
Hashes SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA
ParentProcessGuid {817bddf3-311f-65cc-0a01-000000001900}
ParentProcessId 1116
ParentImage C:\Windows\explorer.exe
ParentCommandLine C:\Windows\Explorer.EXE
ParentUser DESKTOP-887GK2L\CyberJunkie
...
* display event id 1 specific fields
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object { $_.Id -eq 1 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated = $_.TimeCreated
            Image       = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Image" }).'#text'
            ParentImage = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "ParentImage" }).'#text'
            CommandLine = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CommandLine" }).'#text'
            Hashes      = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Hashes" }).'#text'
            ProcessId   = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "ProcessId" }).'#text'
            User        = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "User" }).'#text'
        }
    } | Format-List
TimeCreated : 2/13/2024 10:41:58 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Windows\System32\msiexec.exe
CommandLine : C:\Windows\syswow64\MsiExec.exe -Embedding 5250A3DB12224F77D2A18B4EB99AC5EB
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 10280
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
CommandLine : "C:\Windows\system32\msiexec.exe" /i "C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\main1.msi" AI_SETUPEXEPATH=C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe SETUPEXEDIR=C:\Users\CyberJunkie\Downloads\
EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1707880560 "
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 10324
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\SysWOW64\msiexec.exe
ParentImage : C:\Windows\System32\msiexec.exe
CommandLine : C:\Windows\syswow64\MsiExec.exe -Embedding 5364C761FA9A55D636271A1CE8A6742D C
Hashes : SHA1=9AB9B12901E1EA2DF943B45AD20D8732618608CD,MD5=898277AC5894C4E1412A49040053B0D3,SHA256=445A2E800DC68DF89ABF713F3B4B632D40AE6310EF3660B42D974BB582426BC5,IMPHASH=E4E40938E4BF6C66424859ED02171C41
ProcessId : 6996
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Windows\System32\msiexec.exe
ParentImage : C:\Windows\System32\services.exe
CommandLine : C:\Windows\system32\msiexec.exe /V
Hashes : SHA1=32B8B2E3B3ECD8E194ACE65A5E5052C326D7CCAA,MD5=3A8464F2CECDF1D89430C64237949F20,SHA256=8CA4B8B7A2F8E6E7D1DF1AE46437FC252CD9C4B78CA3C7ADCAB721BD0F68B358,IMPHASH=0990A9500FF8DF93E0E059EE13E7C796
ProcessId : 10220
User : NT AUTHORITY\SYSTEM
TimeCreated : 2/13/2024 10:41:56 PM
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
ParentImage : C:\Windows\explorer.exe
CommandLine : "C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
Hashes : SHA1=18A24AA0AC052D31FC5B56F5C0187041174FFC61,MD5=32F35B78A3DC5949CE3C99F2981DEF6B,SHA256=0CB44C4F8273750FA40497FCA81E850F73927E70B13C8F80CDCFEE9D1478E6F3,IMPHASH=36ACA8EDDDB161C588FCF5AFDC1AD9FA
ProcessId : 10672
User : DESKTOP-887GK2L\CyberJunkie
TimeCreated : 2/13/2024 10:41:45 PM
Image : C:\Program Files\Mozilla Firefox\pingsender.exe
ParentImage : C:\Program Files\Mozilla Firefox\firefox.exe
CommandLine : "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/cb88145b-129d-471c-b605-4fdf09fec680/event/Firefox/122.0.1/release/20240205133611?v=4
C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\cb88145b-129d-471c-b605-4fdf09fec680 https://incoming.telemetry.mozilla.org/submit/telemetry/6fcd92a2-cc60-4df6-b6fb-66356dd011c1/main/Firefox/122.0.1/release/20240205133611?v=4
C:\Users\CyberJunkie\AppData\Roaming\Mozilla\Firefox\Profiles\avsa4d81.default-release\saved-telemetry-pings\6fcd92a2-cc60-4df6-b6fb-66356dd011c1
Hashes : SHA1=282F855BEB4FACF0726E13ECCADB7D3411B30B85,MD5=A1F5FF25E3D0F160BC7CE7CA57349D83,SHA256=B412C45DE423534D85F121ABC348FB38020FDA804EA0A972708B7447B0E7325D,IMPHASH=F84029681F81FED23E3E067364DA1699
ProcessId : 5584
User : DESKTOP-887GK2L\CyberJunkie
* Look for any suspicious file being run from an unusual directory (here an executable with a doubled ".exe.exe" extension in the user's Downloads folder, launched from explorer.exe)
- the rich event details such as command line, image path, parent process, hashes,
  etc. are inside the Message property as one big text blob, or inside the
  event's XML
- they must be read from the XML: Sysmon fields such as Image are not exposed
  as named properties on PowerShell's default event object ($_.Properties holds
  the same values, but only by position, without names); they are embedded in
  the event's XML (EventData/Data elements) or in the Message text.
Which Cloud drive was used to distribute the malware?

PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 22 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
Name Value
---- -----
RuleName -
UtcTime 2024-02-14 03:41:56.955
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
QueryName www.example.com
QueryStatus 0
QueryResults ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
User DESKTOP-887GK2L\CyberJunkie
* display event id 22 specific fields
#display DNS queries
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object {$_.Id -eq 22} | ForEach-Object {[xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | ForEach-Object {"$($_.Name): $($_.'#text')"}}
RuleName: -
UtcTime: 2024-02-14 03:41:56.955
ProcessGuid: {817bddf3-3684-65cc-2d02-000000001900}
ProcessId: 10672
QueryName: www.example.com
QueryStatus: 0
QueryResults: ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Image: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:43.924
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
QueryName: d.dropbox.com
QueryStatus: 0
QueryResults: type: 5 d.v.dropbox.com;type: 5 d-edge.v.dropbox.com;162.125.8.20;205.251.192.57;2600:9000:5300:3900::1;
Image: C:\Program Files\Mozilla Firefox\firefox.exe
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:25.269
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
QueryName: uc2f030016253ec53f4953980a4e.dl.dropboxusercontent.com
QueryStatus: 0
QueryResults: type: 5 edge-block-www-env.dropbox-dns.com;::ffff:162.125.81.15;198.51.44.6;2620:4d:4000:6259:7:6:0:1;198.51.45.6;2a00:edc0:6259:7:6::2;198.51.44.70;2620:4d:4000:6259:7:6:0:3;198.51.45.70;2a00:edc0:6259:7:6::4;
Image: C:\Program Files\Mozilla Firefox\firefox.exe
User: DESKTOP-887GK2L\CyberJunkie
#correlate w/ event ID 11 - file creation
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object {$_.Id -eq 11} | ForEach-Object {[xml]$xml = $_.ToXml(); $xml.Event.EventData.Data | ForEach-Object {"$($_.Name): $($_.'#text')"}}
RuleName: -
UtcTime: 2024-02-14 03:41:30.472
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe:Zone.Identifier
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\skZdsnwf.exe.part
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CyberJunkie\Downloads\skZdsnwf.exe.part
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
RuleName: -
UtcTime: 2024-02-14 03:41:26.459
ProcessGuid: {817bddf3-3514-65cc-0802-000000001900}
ProcessId: 4292
Image: C:\Program Files\Mozilla Firefox\firefox.exe
TargetFilename: C:\Users\CYBERJ~1\AppData\Local\Temp\skZdsnwf.exe
CreationUtcTime: 2024-02-14 03:41:26.459
User: DESKTOP-887GK2L\CyberJunkie
For many of the files it wrote to disk, the initial malicious file used a defense evasion technique called Time Stomping, where the file creation date is changed to make it appear older and blend in with other files. What was the timestamp changed to for the PDF file?

PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 2 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
RuleName technique_id=T1070.006,technique_name=Timestomp
UtcTime 2024-02-14 03:41:58.389
ProcessGuid {817bddf3-3684-65cc-2d02-000000001900}
ProcessId 10672
Image C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
TargetFilename C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Gam...
CreationUtcTime 2024-01-10 18:12:27.357
PreviousCreationUtcTime 2024-02-14 03:41:58.389
User DESKTOP-887GK2L\CyberJunkie
* display event id 2 specific fields
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object { $_.Id -eq 2 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated             = $_.TimeCreated
            Image                   = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Image" }).'#text'
            PreviousCreationUtcTime = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "PreviousCreationUtcTime" }).'#text'
            CreationUtcTime         = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CreationUtcTime" }).'#text'
            RuleName                = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "RuleName" }).'#text'
            User                    = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "User" }).'#text'
        }
    } | Format-List
TimeCreated : 2/13/2024 10:41:57 PM
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
PreviousCreationUtcTime : 2024-02-14 03:41:57.545
CreationUtcTime : 2024-01-14 08:10:06.029
RuleName : technique_id=T1070.006,technique_name=Timestomp
User : DESKTOP-887GK2L\CyberJunkie
...
* PreviousCreationUtcTime is the real time the file was written or created.
* CreationUtcTime is the suspicious backdated timestamp the process set (e.g. a date from the 1990s, or one aligned with legitimate system files); the query above does not select TargetFilename, so add it to see which Event ID 2 record belongs to the PDF.
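As an added example (not part of the original notes), the helpers below flatten each Sysmon event's EventData into named properties, which is the XML-parsing point made earlier, and then join every event sharing one ProcessGuid (process create, timestomp, network, DNS, file create, terminate) into a single timeline, the same ProcessGuid correlation used above to tie the Event ID 22 and 11 records together. Assumed: the EVTX is in the current directory; the ProcessGuid and file names used in the usage lines are the ones seen in the output above.

```powershell
# Added example, not from the original notes: flatten Sysmon EventData into
# named properties, then build a per-process timeline keyed on ProcessGuid.

function ConvertFrom-SysmonEvent {
    # Turn an event record into an object with one property per <Data Name=...>
    # element (Image, TargetFilename, QueryName, ...). Get-WinEvent does not
    # expose these by name on its own; they only exist in the XML / Message.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord] $Event
    )
    process {
        $xml = [xml]$Event.ToXml()
        $props = [ordered]@{ EventId = $Event.Id; TimeCreated = $Event.TimeCreated }
        foreach ($d in $xml.Event.EventData.Data) { $props[$d.Name] = $d.'#text' }
        [PSCustomObject]$props
    }
}

function ConvertTo-SysmonUtc {
    # Sysmon writes UtcTime / CreationUtcTime as 'yyyy-MM-dd HH:mm:ss.fff'.
    param([string] $Text)
    [datetime]::ParseExact($Text, 'yyyy-MM-dd HH:mm:ss.fff',
        [Globalization.CultureInfo]::InvariantCulture)
}

function Get-SysmonProcessTimeline {
    # Every event for one ProcessGuid, oldest first, with a one-line summary.
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ProcessGuid
    )
    Get-WinEvent -Path $Path |
        ConvertFrom-SysmonEvent |
        Where-Object { $_.ProcessGuid -eq $ProcessGuid } |
        ForEach-Object {
            $e = $_   # inside switch, $_ is the value being tested, not the event
            $summary = switch ($e.EventId) {
                1  { "process create: $($e.CommandLine)  (parent: $($e.ParentImage))" }
                2  {
                    # Backdated by how much? PreviousCreationUtcTime is the real write time.
                    $delta = (ConvertTo-SysmonUtc $e.PreviousCreationUtcTime) - (ConvertTo-SysmonUtc $e.CreationUtcTime)
                    "timestomp: $($e.TargetFilename) set back $([int]$delta.TotalDays) days to $($e.CreationUtcTime)"
                }
                3  { "network: $($e.Protocol) $($e.SourceIp):$($e.SourcePort) -> $($e.DestinationIp):$($e.DestinationPort)" }
                5  { "process terminated" }
                11 { "file create: $($e.TargetFilename)" }
                22 { "dns: $($e.QueryName) -> $($e.QueryResults)" }
                default { "event id $($e.EventId)" }
            }
            [PSCustomObject]@{
                UtcTime = $e.UtcTime
                EventId = $e.EventId
                Rule    = $e.RuleName
                Summary = $summary
            }
        } |
        Sort-Object UtcTime   # fixed-width UTC strings sort chronologically
}

# Usage: timeline of the dropped installer, then only its timestomped PDF.
$evtx = '.\Microsoft-Windows-Sysmon-Operational.evtx'
$guid = '{817bddf3-3684-65cc-2d02-000000001900}'
Get-SysmonProcessTimeline -Path $evtx -ProcessGuid $guid | Format-Table -AutoSize -Wrap
Get-WinEvent -Path $evtx | ConvertFrom-SysmonEvent |
    Where-Object { $_.EventId -eq 2 -and $_.TargetFilename -like '*.pdf' } |
    Select-Object TargetFilename, PreviousCreationUtcTime, CreationUtcTime
```

Running the timeline with the Firefox ProcessGuid from the Event ID 22 output ({817bddf3-3514-65cc-0802-000000001900}) instead shows the Dropbox DNS lookups followed by the Event ID 11 download of Preventivo24.02.14.exe.exe in one view.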
The malicious file dropped a few files on disk. Where was "once.cmd" created on disk? Please answer with the full path along with the filename.

PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 11 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
Name : RuleName
Value : -
Name : UtcTime
Value : 2024-02-14 03:41:58.404
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : TargetFilename
Value : C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Name : CreationUtcTime
Value : 2024-02-14 03:41:58.404
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
* display event id 11 specific fields
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object { $_.Id -eq 11 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            UtcTime         = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "UtcTime" }).'#text'
            ProcessId       = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "ProcessId" }).'#text'
            Image           = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Image" }).'#text'
            TargetFilename  = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "TargetFilename" }).'#text'
            CreationUtcTime = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "CreationUtcTime" }).'#text'
            User            = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "User" }).'#text'
        }
    } | Format-List
TimeCreated : 2/13/2024 10:41:58 PM
UtcTime : 2024-02-14 03:41:58.404
ProcessId : 10672
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
TargetFilename : C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
CreationUtcTime : 2024-02-14 03:41:58.404
User : DESKTOP-887GK2L\CyberJunkie
The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?

PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 22 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
Name : RuleName
Value : -
Name : UtcTime
Value : 2024-02-14 03:41:56.955
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : QueryName
Value : www.example.com
Name : QueryStatus
Value : 0
Name : QueryResults
Value : ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
* display event id 22 specific fields
#drill down
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object { $_.Id -eq 22 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated  = $_.TimeCreated
            UtcTime      = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "UtcTime" }).'#text'
            ProcessId    = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "ProcessId" }).'#text'
            Image        = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Image" }).'#text'
            QueryName    = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "QueryName" }).'#text'
            QueryResults = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "QueryResults" }).'#text'
            User         = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "User" }).'#text'
        }
    } | Format-List
TimeCreated : 2/13/2024 10:41:58 PM
UtcTime : 2024-02-14 03:41:56.955
ProcessId : 10672
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
QueryName : www.example.com
QueryResults : ::ffff:93.184.216.34;199.43.135.53;2001:500:8f::53;199.43.133.53;2001:500:8d::53;
User : DESKTOP-887GK2L\CyberJunkie
Which IP address did the malicious process try to reach out to?

#identify specific fields
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 3 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
Name : RuleName
Value : technique_id=T1036,technique_name=Masquerading
Name : UtcTime
Value : 2024-02-14 03:41:57.159
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
Name : Protocol
Value : tcp
Name : Initiated
Value : true
Name : SourceIsIpv6
Value : false
Name : SourceIp
Value : 172.17.79.132
Name : SourceHostname
Value : -
Name : SourcePort
Value : 61177
Name : SourcePortName
Value : -
Name : DestinationIsIpv6
Value : false
Name : DestinationIp
Value : 93.184.216.34
Name : DestinationHostname
Value : -
Name : DestinationPort
Value : 80
Name : DestinationPortName
Value : -
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" | Where-Object { $_.Id -eq 3 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        [PSCustomObject]@{
            TimeCreated     = $_.TimeCreated
            UtcTime         = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "UtcTime" }).'#text'
            ProcessId       = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "ProcessId" }).'#text'
            Image           = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "Image" }).'#text'
            SourceIp        = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "SourceIp" }).'#text'
            SourcePort      = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "SourcePort" }).'#text'
            DestinationIp   = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "DestinationIp" }).'#text'
            DestinationPort = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "DestinationPort" }).'#text'
            User            = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq "User" }).'#text'
        }
    } | Format-List
TimeCreated : 2/13/2024 10:41:58 PM
UtcTime : 2024-02-14 03:41:57.159
ProcessId : 10672
Image : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
SourceIp : 172.17.79.132
SourcePort : 61177
DestinationIp : 93.184.216.34
DestinationPort : 80
User : DESKTOP-887GK2L\CyberJunkie
The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?

#identify specific fields
PS C:\> Get-WinEvent -Path "Microsoft-Windows-Sysmon-Operational.evtx" |
    Where-Object { $_.Id -eq 5 } |
    ForEach-Object {
        $xml = [xml]$_.ToXml()
        $eventData = $xml.Event.EventData.Data
        # Output all Name/Value pairs in the event
        $eventData | ForEach-Object {
            [PSCustomObject]@{
                Name  = $_.Name
                Value = $_.'#text'
            }
        }
        # Optional: separator between events
        Write-Host "`n--- Next Event ---`n"
    } | Format-List
Name : RuleName
Value : -
Name : UtcTime
Value : 2024-02-14 03:41:58.795
Name : ProcessGuid
Value : {817bddf3-3684-65cc-2d02-000000001900}
Name : ProcessId
Value : 10672
Name : Image
Value : C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Name : User
Value : DESKTOP-887GK2L\CyberJunkie
* drill down further (select UtcTime, ProcessGuid and Image per event, and match the ProcessGuid of the Event ID 1 record) if there is more than one Event ID 5 event; the UtcTime of the matching record is the termination time