banner
lca

lca

真正的不自由,是在自己的心中设下牢笼。

hackthebox Unit42 Target Record of Sherlocks

Category: DFIR
Sherlocks Range is a defensive range, where you, as an incident responder, search for clues from the given log files and submit them as flags.

image

Download attachment

image

After decompression, an evtx log file is obtained.

The evtx_dump tool is used here, and the usage can refer to the previous Windows XML Event Log (EVTX) Parsing.

EVTX is the format of Windows event log files, which stands for Event Log File. It is a log file format used by Microsoft starting from Windows Vista, replacing the earlier EVT format. EVTX files store system, application, security, and other event log information, used for system administrators and users for troubleshooting and auditing.

Task 1 How many records with Event ID 11 are there in the event log?

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx | grep "EventID" | grep "11" | wc -l

56

image

Task 2 Whenever a new process is generated in the computer's memory, a record with Event ID 1 is generated, which includes detailed information such as command line, file hash, process path, parent process path, etc. This information is extremely valuable for analysts because it allows us to see all the programs running in the system, helping us identify any malicious programs running. So, which malicious program has invaded the victim's system?

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.System.EventID=1' | grep "Image"

C:\\Users\\CyberJunkie\\Downloads\\Preventivo24.02.14.exe.exe

image

Task 3 Which cloud drive was used to distribute the malicious software?

Event ID 22 can be used to find any DNS queries issued by the system.

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.EventData.QueryName'

dropbox

Task 4 The initial malicious file used a defense evasion technique, which modified the timestamps of the files it created on the disk to make them appear as old files. So, what is the new timestamp set for the PDF file?

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.System.EventID=11' | jq '.Event.EventData'

2024-01-14 08:10:06

image

Task 5 The malicious file placed some files on the hard disk. Where exactly is the "once.cmd" file located on the hard disk? Please provide the complete path including the file name.

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.' | grep "once.cmd"

C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

Task 6 This malicious file attempts to access a fake website, most likely to verify network connectivity. Which website does it try to connect to?

The Event ID for network connection is 5, so we can filter out records with Event ID 5.

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.System.EventID=5'

image

We can also filter by the keyword "QueryName".

Task 7 Which IP address does this malicious program attempt to contact?

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.System.EventID=5'

image

93.184.216.34

Task 8 After implanting a version of UltraVNC with backdoor functionality, this malicious program terminated itself. When did it stop activity?

Search for VNC-related records, as shown, there are only three.

image

evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.Event.EventData.TargetFilename','.Event.EventData.UtcTime'

2024-02-14 03:41:58

image

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.