INTRO: In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.


We have a file containing Windows event logs that capture suspicious activity. These logs are accompanied by well-defined rules for detection.

Filtering the log by Event ID, we found 56 occurrences of Event ID 11. This stands out because Event ID 11 records file creation, so it is the first place to look for files dropped during the intrusion.

Event ID 1 (process creation) records each new process in detail, including its image path, hashes and parent process. This information is instrumental in identifying malware.

Event ID 22 (DNS query) records the domain names a process resolved; here it shows that the file was downloaded from Dropbox, which raises suspicion.

Event ID 2 (file creation time changed) records a process altering a file's creation timestamp, a behaviour that is often indicative of malicious activity, since attackers use it to hide when a file was actually dropped.

For Task 5, the instruction is to filter Event ID 11 for records that mention "once.cmd", which narrows the file creation events down to the one that matters for this scenario.

Task 6 involves utilizing Event ID 22 to uncover domain names associated with potentially malicious activities.

Task 7 uses Event ID 3, which records network connections, to identify suspicious connections, particularly TCP connections from the dropped binary to suspicious IP addresses.

Finally, Task 8 involves using Event ID 5 to compile a list of terminated processes, which could provide insights into potentially malicious activities that have been halted.
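The filtering described in Tasks 5 to 8 can be scripted once the Sysmon records are exported as XML (for example with Get-WinEvent and ToXml()). The script below is an added example, not part of the original writeup or the lab; the four records it parses are constructed to show the shape of the Sysmon event types, not data from the lab file.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample of five Sysmon records (shapes only; not data from the lab file)
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>11</EventID></System><EventData><Data Name="Image">C:\\Windows\\System32\\WScript.exe</Data>
 <Data Name="TargetFilename">C:\\Users\\user\\AppData\\Local\\Temp\\once.cmd</Data></EventData></Event>
<Event><System><EventID>22</EventID></System><EventData><Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
 <Data Name="QueryName">www.dropbox.com</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData><Data Name="Image">C:\\Users\\user\\Downloads\\installer.exe</Data>
 <Data Name="Protocol">tcp</Data><Data Name="DestinationIp">203.0.113.10</Data><Data Name="DestinationPort">443</Data></EventData></Event>
<Event><System><EventID>3</EventID></System><EventData><Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
 <Data Name="Protocol">udp</Data><Data Name="DestinationIp">192.0.2.53</Data><Data Name="DestinationPort">53</Data></EventData></Event>
<Event><System><EventID>5</EventID></System><EventData><Data Name="Image">C:\\Users\\user\\Downloads\\installer.exe</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Flatten each <Event> into a dict: EventID plus every <Data Name=...> in EventData."""
    events = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        rec = {"EventID": int(ev.find(f"{NS}System/{NS}EventID").text)}
        for d in ev.findall(f"{NS}EventData/{NS}Data"):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events

def count_by_event_id(events):
    """Overview: how many records of each Sysmon Event ID (the 56 x EID 11 observation)."""
    return Counter(e["EventID"] for e in events)

def file_creations_named(events, needle):
    """Task 5: Event ID 11 (FileCreate) records whose TargetFilename contains `needle`."""
    return [e["TargetFilename"] for e in events
            if e["EventID"] == 11 and needle.lower() in e.get("TargetFilename", "").lower()]

def dns_queries(events):
    """Task 6: Event ID 22 (DnsQuery) domain names, one per record."""
    return [e["QueryName"] for e in events if e["EventID"] == 22]

def tcp_connections(events):
    """Task 7: Event ID 3 (NetworkConnect) limited to TCP, as (Image, DestinationIp, DestinationPort)."""
    return [(e["Image"], e["DestinationIp"], e["DestinationPort"]) for e in events
            if e["EventID"] == 3 and e.get("Protocol", "").lower() == "tcp"]

def terminated_processes(events):
    """Task 8: Event ID 5 (ProcessTerminate) image paths of processes that exited."""
    return [e["Image"] for e in events if e["EventID"] == 5]
```

On a real export, feed the file contents to parse_events and the UDP record shows why the protocol filter in tcp_connections matters: routine DNS traffic is dropped from the connection list.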

In summary, by analyzing specific event IDs and their associated details, we can effectively detect and investigate suspicious activities within the Windows event logs.