HTB-Unit42

Last updated: 26 March 2025 (evening)

Level: Very Easy

Description

In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.

Task 1

Open the log in the built-in Windows Event Viewer and filter the Sysmon Operational channel on Event ID 11 (FileCreate); the count of matching records is the answer.

How many Event logs are there with Event ID 11?
Answer: 56

Task 2

Filter on Event ID 1 (process creation) and step through each record's details one by one. One of them shows a downloaded file, Preventivo24.02.14.exe.exe, being executed from the user's Downloads folder; the doubled ".exe.exe" extension is itself a hint that this is the lure.

Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim's system?
Answer: C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe

Task 3

Filter on DNS query events (Event ID 22). These record every DNS lookup made by processes on the system, so the name queried shortly before the download shows where the file came from.

Which Cloud drive was used to distribute the malware?
Answer: dropbox

Task 4

Filter on Event ID 2 (file creation time changed). Sysmon logs this event whenever a process explicitly changes a file's creation timestamp; each record carries both the new value (CreationUtcTime) and the original one (PreviousCreationUtcTime), so the backdated timestamp asked for here is read from CreationUtcTime on the record whose TargetFilename is the PDF.

For many of the files it wrote to disk, the initial malicious file used a defense evasion technique called Time Stomping, where the file creation date is changed to make it appear older and blend in with other files. What was the timestamp changed to for the PDF file?
Answer: 2024-01-14 08:10:06

Task 5

Filter on Event ID 11 (file create) and look for the record whose TargetFilename ends in once.cmd; the full path is in that field.

The malicious file dropped a few files on disk. Where was "once.cmd" created on disk? Please answer with the full path along with the filename.
Answer: C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd

Task 6

Filter on DNS query events (Event ID 22) again, this time looking only at queries whose Image is the malicious process.

The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?
Answer: www.example.com

Task 7

Which IP address did the malicious process try to reach out to?
Answer: 93.184.216.34

Task 8

Step through the records one by one; once paths referencing UVncVirtualDisplay appear, the backdoored UltraVNC payload has been dropped. The termination itself is recorded as Event ID 5 (process terminated) for the malicious process, and its UtcTime is the answer.

The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?
Answer: 2024-02-14 03:41:58

Analysis

The Sysmon event types used in this lab

Event ID 1: process creation, with extended information about the newly created process
Event ID 2: a process changed the creation time of a file
Event ID 3: network connection; records TCP/UDP connections made on the machine
Event ID 11: file create; logged when a file is created or overwritten
Event ID 22: DNSEvent (DNS query)
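As an added example (not code from this writeup, the HTB lab, or the Sysmon project), the Python below turns the Event Viewer filters used in the tasks into functions over Sysmon event XML, the same structure Event Viewer shows in its XML view. The sample records are constructed: they reuse the answers given above, but the ProcessGuids, the browser image, the www.dropbox.com host and the PDF path are placeholders, and the `_event` helper exists only to build that sample. It also goes one step beyond the tasks by correlating Event ID 1 and Event ID 5 on ProcessGuid to get a process's full lifetime.

```python
"""Sysmon triage helpers over event XML (added example; sample data is constructed).
Field names (UtcTime, Image, TargetFilename, CreationUtcTime, PreviousCreationUtcTime,
QueryName, QueryResults, ProcessGuid) are the ones Sysmon actually writes."""
from collections import Counter
from datetime import datetime
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVT_NS}
SYSMON_TIME = "%Y-%m-%d %H:%M:%S.%f"  # format of UtcTime / CreationUtcTime

def _event(event_id: int, **data: str) -> str:
    """Build one record in the shape Event Viewer's XML view shows (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><Provider Name="Microsoft-Windows-Sysmon"/>'
            f"<EventID>{event_id}</EventID></System><EventData>{fields}</EventData></Event>")

# Constructed sample set: values mirror the writeup's answers; GUIDs, the browser
# image, the dropbox host name and the PDF path are placeholders, not from the real evtx.
MAL = r"C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe"
ONCE_CMD = (r"C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2"
            r"\install\F97891C\WindowsVolume\Games\once.cmd")
PDF = r"C:\Users\CyberJunkie\AppData\Local\Temp\sample.pdf"  # placeholder path
MAL_GUID = "{00000000-0000-0000-0000-000000000001}"
BROWSER_GUID = "{00000000-0000-0000-0000-000000000002}"
SAMPLE_XML = "<Events>" + "".join([
    _event(22, UtcTime="2024-02-14 03:40:02.000", ProcessGuid=BROWSER_GUID, QueryName="www.dropbox.com",
           QueryStatus="0", QueryResults="-", Image=r"C:\Program Files\Browser\browser.exe"),
    _event(1, UtcTime="2024-02-14 03:41:26.000", ProcessGuid=MAL_GUID, Image=MAL,
           CommandLine=f'"{MAL}"', ParentImage=r"C:\Windows\explorer.exe"),
    _event(2, UtcTime="2024-02-14 03:41:30.000", ProcessGuid=MAL_GUID, Image=MAL, TargetFilename=PDF,
           CreationUtcTime="2024-01-14 08:10:06.000", PreviousCreationUtcTime="2024-02-14 03:41:30.000"),
    _event(11, UtcTime="2024-02-14 03:41:31.000", ProcessGuid=MAL_GUID, Image=MAL,
           TargetFilename=ONCE_CMD, CreationUtcTime="2024-02-14 03:41:31.000"),
    _event(22, UtcTime="2024-02-14 03:41:40.000", ProcessGuid=MAL_GUID, Image=MAL,
           QueryName="www.example.com", QueryStatus="0", QueryResults="::ffff:93.184.216.34;"),
    _event(5, UtcTime="2024-02-14 03:41:58.000", ProcessGuid=MAL_GUID, Image=MAL),
]) + "</Events>"

def parse_events(xml_text: str) -> list[dict]:
    """Flatten each <Event> into {"EventID": int, <Data Name>: text, ...}."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        rec.update((d.get("Name"), d.text or "") for d in ev.findall("e:EventData/e:Data", NS))
        events.append(rec)
    return events

def count_by_id(events):  # Task 1: the Event Viewer "filter on ID" count
    return Counter(e["EventID"] for e in events)

def process_creates(events):  # Task 2: EID 1 = what ran, and what launched it
    return [(e["UtcTime"], e["Image"], e["ParentImage"]) for e in events if e["EventID"] == 1]

def dns_queries(events):  # Tasks 3 and 6: EID 22, with the querying process
    return [(e["Image"], e["QueryName"], e["QueryResults"]) for e in events if e["EventID"] == 22]

def timestomped(events):
    """Task 4: EID 2 records whose new creation time (CreationUtcTime) is older than
    the original (PreviousCreationUtcTime), i.e. the file was backdated."""
    hits = []
    for e in (e for e in events if e["EventID"] == 2):
        new = datetime.strptime(e["CreationUtcTime"], SYSMON_TIME)
        old = datetime.strptime(e["PreviousCreationUtcTime"], SYSMON_TIME)
        if new < old:
            hits.append((e["TargetFilename"], e["CreationUtcTime"]))
    return hits

def files_created(events, name):  # Task 5: EID 11, match on the file name
    return [e["TargetFilename"] for e in events
            if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(name.lower())]

def resolved_ips(events, query_name):
    """Task 7: addresses from QueryResults. Sysmon writes IPv4 answers as ::ffff:a.b.c.d,
    CNAME hops as 'type: 5 name', all separated by ';', and '-' when empty."""
    ips = []
    for _, name, results in dns_queries(events):
        if name != query_name:
            continue
        for r in (x.strip() for x in results.split(";")):
            if r and r != "-" and not r.startswith("type:"):
                ips.append(r.removeprefix("::ffff:"))
    return ips

def process_lifetime(events, image):
    """Task 8: join EID 1 to EID 5 on ProcessGuid (not PID, which the OS reuses)."""
    starts = {e["ProcessGuid"]: e["UtcTime"] for e in events if e["EventID"] == 1 and e["Image"] == image}
    stops = {e["ProcessGuid"]: e["UtcTime"] for e in events if e["EventID"] == 5}
    return [(guid, start, stops.get(guid)) for guid, start in starts.items()]

if __name__ == "__main__":
    ev = parse_events(SAMPLE_XML)
    print(count_by_id(ev), timestomped(ev), process_lifetime(ev, MAL), sep="\n")
```

On the real lab file, the XML can be exported from PowerShell with `Get-WinEvent -Path <the lab .evtx> | ForEach-Object { $_.ToXml() }` and wrapped in a root element before calling `parse_events`; `Get-WinEvent -FilterHashtable @{Path='<the lab .evtx>'; Id=11}` gives the Task 1 count directly. The lifetime join uses ProcessGuid rather than ProcessId because PIDs are reused and a long log will contain unrelated processes with the same PID.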

Full event ID reference: Events


HTB-Unit42
http://example.com/2025/03/26/HTB-Unit42/
Author: butt3rf1y
Published: 26 March 2025