Sysmon TryHackMe Walkthrough

TL;DR Walkthrough of the TryHackMe Sysmon room, part of the Cyber Defense pathway.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

There are other good walkthroughs of the Sysmon room out there, this was a good one for example.

However they used Event Viewer instead of PowerShell. In a small evtx file such as TryHackMe provided for this one can get away with that approach. However given live logs in even a small home lab environment that tactic quickly becomes unworkable. That is why we used PowerShell to set the SACLs to define what gets logged, trigger the event, and then query the logs to pull meaningful data here.

We will start by running through the questions, our query to find the relevant data, and the answers.

It is quite helpful to keep a quick & dirty cheatsheet of Sysmon Event Ids handy while creating these queries. TryHackMe didn’t include one in the room and didn’t list all Event Ids, so I’ll put ours here.

Sysmon Event Id cheatsheet

+----+----------------------------------------+
| #  |              Sysmon Event              |
+----+----------------------------------------+
|  1 | Process creation                       |
|  3 | Network connection                     |
|  5 | Process terminated                     |
|  7 | Image loaded                           |
|  8 | CreateRemoteThread                     |
|  9 | RawAccessRead                          |
| 10 | ProcessAccess                          |
| 11 | FileCreate                             |
| 12 | RegistryEvent (Object create & delete) |
| 13 | RegistryEvent (Value Set)              |
| 14 | RegistryEvent (Key & Value Rename)     |
| 15 | FileCreateStreamHash                   |
| 22 | DNSEvent (DNS query)                   |
+----+----------------------------------------+

Important Admin Note

I downloaded the task files from TryHackMe and found the answers using them. The Message Property in the Events from the task files were all blank.

If you query the evtx files on THM’s VM in the C:\Users\THM-Analyst\Desktop\Scenarios\Investigations folder then the Event Ids have data in their Message Property.

Hence I used the Properties below. I spot checked a couple of these and they work fine on THM’s VM’s files as well. You might just prefer to use the Message if you complete this room on THM’s VM.

Task 4 Cutting out the Noise

How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

$Network_Events = Get-WinEvent -Path “C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx” | Where-Object {$_.Id -eq “3”}

$Network_Events.Count

73,591

What is the UTC time created of the first network event in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

$LastOne = $Network_Events | Select-Object -Last 1

$LastOne.Properties[1].Value

2021–01–06 01:35:50.464

THM wants the UtcTime, not the TimeCreated.

Task 10 Practical Investigations

— — Investigation 1 — -

What is the full registry key of the USB device calling svchost.exe in Investigation 1?

We are looking for Event Id 12, 13, or 14 that reference svchost.exe

$Registry_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {(($_.Id -eq "12") -or ($_.Id -eq "13") -or ($_.Id -eq "14")) -and ($_.Properties[4].Value -like "*svchost.exe*")} | Select-Object *

$Registry_Event.Properties[5]

HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName

What is the device name when being called by RawAccessRead in Investigation 1?

We are looking for an Event Id 9 that references svchost.exe

$Read_Event = Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "9") -and ($_.Properties.Value -like "*svchost.exe*")} | Select-Object *

($Read_Event | Select-Object -First 1).Properties[4].Value

\Device\HarddiskVolume3

What is the first exe the process executes in Investigation 1?

We are looking for the first Event Id 1 that happened after the Event Id 9 from the last question.

$Time = ($Read_Event | Select-Object -First 1).TimeCreated

(Get-WinEvent -Path .\Investigation-1.evtx | Where-Object {($_.Id -eq "1") -and ($_.TimeCreated -ge $Time)} | Select-Object -Last 1).Properties[8].Value

rundll32.exe

— — Investigation 2 — -

What is the full path of the payload in Investigation 2?

We took an educated guess that the payload was an hta file as THM used them for reverse shells previously.

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq “1”) -and ($_.Properties.Value -like “*hta*”)}).Properties.Value

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties.Value[9]

C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

What is the full path of the file the payload masked itself as in Investigation 2?

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[20].Value

C:\Users\IEUser\Downloads\update.html

What signed binary executed the payload in Investigation 2?

We already found this in the first question’s query; it’s the legitimate executable than ran opened the *.hta file.

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*hta*")}).Properties[4].Value

C:\Windows\System32\mshta.exe

What is the IP of the adversary in Investigation 2?

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties[14].Value

10.0.2.18

What back connect port is used in Investigation 2?

To pull just the IP use [16]

(Get-WinEvent -Path .\Investigation-2.evtx | Where-Object {$_.Id -eq "3"}).Properties.Value[16]

4443

— — Investigation 3.1 — -

What is the IP of the suspected adversary in Investigation 3.1?

There’s only three Event Id 3 instances in this evtx file, and one can tell at a glance that it’s the attacker & compromised system talking back & forth. We can pull the specific data point of the attacker’s IP via:

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[13]

172.30.1.253

What is the hostname of the affected endpoint in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[9]

DESKTOP-O153T4R.localdomain

What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "3"} | Select-Object -First 1).Properties.Value[14]

empirec2

Where in the registry was the payload stored in Investigation 3.1?

There’s only two Event Id 13 entries in the evtx, and one will notice at a glance that the first one runs the second one.

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -Last 1).Properties.Value[5]

HKLM\SOFTWARE\Microsoft\Network\debug

What PowerShell launch code was used to launch the payload in Investigation 3.1?

(Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"} | Select-Object -First 1).Properties.Value[6]

“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -c “$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A \”-enc $x\” powershell”;exit;

Notice that ‘gp’ is an alias for ‘Get-ItemProperty’, in other words it is pulling a value from HKLM:Software\Microsoft\Network\debug and executing it in a hidden PowerShell window. This is obviously suspicious. We will return to this after the questions are all answered.

— — Investigation 3.2 — -

What is the IP of the adversary in Investigation 3.2?

$Events = Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {$_.Id -eq "3"}

$Events[0].Properties

$Events[0].Properties[13].Value

172.168.103.188

What is the full path of the payload location in Investigation 3.2?

(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "1") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[8]

“C:\WINDOWS\system32\schtasks.exe” /Create /F /SC DAILY /ST 09:00 /TN Updater /TR “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \”IEX ([Text.Encoding]::UNICODE.Get

String([Convert]::FromBase64String($(cmd /c ‘’more < c:\users\q\AppData:blah.txt’’’))))\””

We’re looking for just the path to the payload itself, so just copy/paste the text file path that cmd.exe is reading and then passing the contents of to PowerShell to execute. On a side note, it’s a nifty obfuscation technique

c:\users\q\AppData:blah.txt

What was the full command used to create the scheduled task in Investigation 3.2?

We just copy/pasted the path from it above, so the answer to this one is simply the full scheduled task.

“C:\WINDOWS\system32\schtasks.exe” /Create /F /SC DAILY /ST 09:00 /TN Updater /TR “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \”IEX ([Text.Encoding]::UNICODE.Get

String([Convert]::FromBase64String($(cmd /c ‘’more < c:\users\q\AppData:blah.txt’’’))))\””

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

We are looking for Event Id 10 ProcessAccess and schtasks.

(Get-WinEvent -Path .\Investigation-3.2.evtx | Where-Object {($_.Id -eq "10") -and ($_.Properties.Value -like "*schtasks.exe*")}).Properties.Value[4]

C:\WINDOWS\system32\lsass.exe

TryHackMe only wants the process, not the full path so:

lsass.exe

— — Investigation 4 — -

What is the IP of the adversary in Investigation 4?

$Network_Events = Get-WinEvent -Path .\Investigation-4.evtx | Where-Object {$_.Id -eq "3"}

$Network_Events[3].Properties

$Network_Events[3].Properties[13].Value

172.30.1.253

What port is the adversary operating on in Investigation 4?

$Network_Events[3].Properties[10].Value

80

What C2 is the adversary utilizing in Investigation 4?

$Network_Events[2].Properties[16].Value

empire

Base64 PowerShell commands

Remember the last question in Investigation 3.1? The command pulls a value from the registry and executes it in PowerShell?

TryHackMe didn’t ask about the command itself but I was curious.

$Registry_Events = Get-WinEvent -Path .\Investigation-3.1.evtx | Where-Object {$_.Id -eq "13"}

$Base64 = $Registry_Events[1].Properties.Value[6]

$DecodedCommand = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("$Base64"))

$DecodedCommand

IEX is an alias for Invoke-Expression, which runs a string as a command. If you Google “Invoke-Expression” the first thing that comes up is about using it to obfuscate PowerShell execution flow.

I broke the one liner up into the if else statements, multiple commands, etc and made some sense of it. It appears to create a connection to http://empire2:80/admin/get.php using a hard coded cookie value, download something, and then pass it to Invoke-Expression.

Microsoft Defender wasn’t fooled by the way.

Summary

Together with the Windows Event Logs room this was really good practice at analyzing logs and parsing data in general.

If this walkthrough helps anyone else then that’s a bonus, but I mostly took these notes so I could refer back to them rather than memorizing how to query Sysmon logs.

We covered the attacker TTP of using Base64 encoded commands briefly before here. I’m not sure why running Base64 commands is even a feature in Windows, but then I don’t know why automatically downloading Office templates from the Internet was either. Needless to say your SIEM should be screening for Base64 and obfuscated commands in general.

References

Good Sysmon writeup, uses Event Viewer instead of PowerShell: https://medium.com/@laupeiip/tryhackme-sysmon-write-up-50a7043c86cf

CredentailCache.DefaultNetwork Credentials Property: https://learn.microsoft.com/en-us/dotnet/api/system.net.credentialcache.defaultnetworkcredentials?view=net-7.0

Sysmon Event Id list: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon

Get-ItemProperty: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-itemproperty?view=powershell-7.3

Attacker TTPs RE obfuscating Invoke-Expression: https://www.securonix.com/blog/hiding-the-powershell-execution-flow/#:~:text=%E2%80%9CInvoke%20expressions%E2%80%9D%20(IEX),both%20local%20and%20remote%20payloads.

Invoke-Expression: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-7.3

Macro injection from a remote template: https://www.ired.team/offensive-security/initial-access/phishing-with-ms-office/inject-macros-from-a-remote-dotm-template-docx-with-macros

ASCII Table Creator: https://ozh.github.io/ascii-tables/