Part Four Lab

Lab 4.4 - Merlin Sysmon Analysis

Objectives:

• Analyze artifacts of an attack using the Merlin post-exploitation framework.

• Analyze Sysmon DNS logs

• Gain experience using PowerShell to analyze Windows Event Logs

Challenges:

We previously investigated an exploit involving the Merlin post-exploitation framework and identified several Indicators of Compromise (IoCs), including:

• e7zzxen3x6.ryanic.com

• HxuT0y1GjO.exe

Along with the PCAP previously analyzed using Zeek and Wireshark, we also have Windows event logs, including Sysmon logs, from the same compromise.

1. View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe

2. View suspicious DNS queries in the Sysmon log

3. Determine the date and time of the compromise using Sysmon DNS logs

4. Determine the name of the file deleted by the malware

1) View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe

Let's use PowerShell to search for Sysmon Event ID 1 that includes the string "HxuT0y1GjO.exe".

Get-WinEvent @{Path="c:\labs\merlin\Sysmon.evtx"; Id=1} | Where-Object { $_.Properties[10].Value -Match "HxuT0y1GjO.exe" } 
| Select-Object -Property TimeCreated, Id, @{Name="CommandLine"; Expression={$_.Properties[10].Value}} 
| fl

This can also be resolved using Event Log Explorer

Next, let's filter for Event ID 1 and the process HxuT0y1GjO.exe.

SHA256 of HxuT0y1GjO.exe: 730F0988CC88FC95A2809978B2BB3198283234E2A73F557A64E1F4A30BB85F56

2) View suspicious DNS queries in the Sysmon event log:

Let's filter by Event ID 22 in Event Log Explorer.

The first few entries seem suspicious, using the same DNS name analyzed earlier: e7zzxen3x6.ryanic.com. The DNS query was made by svchost.exe.

From a threat-hunting perspective, the most valuable information is often the DNS query (QueryName) and the program making the query (ImageName). Sysmon excels at linking these two.

Let's focus on these two details: the QueryName and ImageName. We'll use a PowerShell script called sysmon-dns.ps1 to extract and display this information from Sysmon EVTX files.

notepad C:\labs\merlin\sysmon-dns.ps1

This code processes Event ID 22 from a specified event log file, extracts specific XML data fields (QueryName and ImageName), converts them to lowercase, and outputs the selected fields for each event.

Note that the sysmon-dns.ps1 script converts both the QueryName and ImageName to lowercase (using ToLower()). This ensures that duplicates are avoided when sorting and using the Get-Unique cmdlet in PowerShell, as it is case-sensitive.

C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx | more

We can see that c:\users\ieuser\desktop\autoruns\autoruns64.exe also resolves to e7zzxen3x6.ryanic.com.

Let's look at the unique DNS queries.

C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx 
| Select-Object QueryName | Sort-Object QueryName | Get-Unique -AsString | more

This command instructs PowerShell to take the output from sysmon-dns.ps1, extract only the QueryName field, sort it by QueryName, and treat it as a string.

Next, let's see the unique ImageNames.

C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx 
| Select-Object ImageName | Sort-Object ImageName | Get-Unique -AsString 

3) Determine the date and time of the compromise using Sysmon DNS logs

Let's open the Sysmon.evtx file in Event Log Explorer, then filter for Event ID 22 and the QueryName e7zzxen3x6.ryanic.com.

The first sign of compromise involving e7zzxen3x6.ryanic.com was detected on September 17, 2021, at 7:38:43 PM.

The malicious file HxuT0y1GjO.exe sent a DNS request to e7zzxen3x6.ryanic.com less than a minute later.

4) Determine the name of the file deleted by the malware.

Let's filter by Event ID 23 (FileDelete) for entries containing the string e7zzxen3x6.ryanic.com.

The IMPHASH (Import Hash) is blank because it applies only to executables; it represents a hash of the DLL names loaded by a process.

Answer: Battlestar.pdf