Category: DFIR
Sherlocks is a defensive range: you act as an incident responder, search the supplied log files for clues, and submit them as flags.
After decompression, an evtx log file is obtained.
The evtx_dump tool is used here; for its usage, see the earlier post on Windows XML Event Log (EVTX) Parsing.
EVTX is the format of Windows event log files (the author expands it as "Event Log File"). Microsoft introduced it with Windows Vista to replace the earlier EVT format. EVTX files store the System, Application, Security and other event logs that administrators and users rely on for troubleshooting and auditing.
Task 1 How many records with Event ID 11 are there in the event log?
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx | grep -c "<EventID>11</EventID>"
56
Task 2 Whenever a new process is created in memory, a record with Event ID 1 is written. It includes details such as the command line, file hash, process path and parent process path. This information is extremely valuable to an analyst because it shows every program that ran on the system and helps identify any malicious ones. So, which malicious program invaded the victim's system?
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq -r 'select(.Event.System.EventID == 1) | .Event.EventData.Image'
C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Task 3 Which cloud drive was used to distribute the malicious software?
Event ID 22 records the DNS queries issued by the system, so filtering on it lists every queried name.
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq -r 'select(.Event.System.EventID == 22) | .Event.EventData.QueryName' | sort -u
dropbox
Task 4 The initial malicious file used a defense evasion technique: it modified the timestamps of the files it created on disk so that they appear to be old files. So, what new timestamp was set on the PDF file?
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq 'select(.Event.System.EventID == 11) | .Event.EventData'
2024-01-14 08:10:06
Task 5 The malicious file placed some files on the hard disk. Where exactly is the "once.cmd" file located on the hard disk? Please provide the complete path including the file name.
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq '.' | grep "once.cmd"
C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Task 6 This malicious file attempts to access a fake website, most likely to verify network connectivity. Which website does it try to connect to?
The Event ID for network connection is 5, so we can filter for records with Event ID 5.
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq 'select(.Event.System.EventID == 5)'
We can also filter by the keyword "QueryName".
Task 7 Which IP address does this malicious program attempt to contact?
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | jq 'select(.Event.System.EventID == 5)'
93.184.216.34
Task 8 After implanting a version of UltraVNC with backdoor functionality, this malicious program terminated itself. When did it stop activity?
Search for VNC-related records; as shown below, there are only three.
evtx_dump Microsoft-Windows-Sysmon-Operational.evtx -o jsonl | grep -i "vnc" | jq -c '[.Event.EventData.TargetFilename, .Event.EventData.UtcTime]'
2024-02-14 03:41:58
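The same triage the tasks above perform with jq, as an added Python example that is not part of the original writeup: it parses evtx_dump's jsonl output, counts events per ID, lists spawned images (ID 1) and DNS queries (ID 22), and flags FileCreate events (ID 11) whose CreationUtcTime is far older than the time the file was written, the timestomping pattern from Task 4. The sample records are constructed for illustration and are not the Sherlock's data.

```python
import json
from datetime import datetime, timedelta

# Constructed sample lines in the shape "evtx_dump -o jsonl" emits for Sysmon
# (one JSON object per line); illustrative only, not the Sherlock's data.
def _rec(eid, **data):
    return json.dumps({"Event": {"System": {"EventID": eid}, "EventData": data}})

SAMPLE_JSONL = "\n".join([
    _rec(1, UtcTime="2024-02-14 03:40:00.000",
         Image="C:\\Users\\victim\\Downloads\\invoice.exe"),
    _rec(11, UtcTime="2024-02-14 03:40:05.000", CreationUtcTime="2024-02-14 03:40:05.000",
         TargetFilename="C:\\Users\\victim\\AppData\\Roaming\\x\\once.cmd"),
    _rec(11, UtcTime="2024-02-14 03:40:06.000", CreationUtcTime="2024-01-14 08:10:06.000",
         TargetFilename="C:\\Users\\victim\\AppData\\Roaming\\x\\doc.pdf"),
    _rec(22, UtcTime="2024-02-14 03:40:07.000", QueryName="www.example.com"),
])

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # Sysmon UtcTime layout

def parse_jsonl(text):
    """Yield (event_id, EventData) for every non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)["Event"]
            yield int(ev["System"]["EventID"]), ev.get("EventData", {})

def triage(text, timestomp_threshold=timedelta(hours=1)):
    """Count events per ID, list spawned images (ID 1) and DNS queries
    (ID 22), and flag FileCreate events (ID 11) whose CreationUtcTime is
    older than the write time by more than the threshold (timestomping)."""
    counts, images, queries, timestomped = {}, [], [], []
    for eid, data in parse_jsonl(text):
        counts[eid] = counts.get(eid, 0) + 1
        if eid == 1:
            images.append(data.get("Image"))
        elif eid == 22:
            queries.append(data.get("QueryName"))
        elif eid == 11 and "CreationUtcTime" in data:
            written = datetime.strptime(data["UtcTime"], TS_FMT)
            created = datetime.strptime(data["CreationUtcTime"], TS_FMT)
            if written - created > timestomp_threshold:
                timestomped.append((data["TargetFilename"], data["CreationUtcTime"]))
    return {"counts": counts, "images": images, "queries": queries,
            "timestomped": timestomped}

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_JSONL), indent=2))
```

To run it against a real export, replace SAMPLE_JSONL with the contents of the file produced by evtx_dump -o jsonl.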