# Part Four Lab
## Lab 4.4 - Merlin Sysmon Analysis
**Objectives:**
* Analyze artifacts of an attack using the Merlin post-exploitation framework.
* Analyze Sysmon DNS logs
* Gain experience using PowerShell to analyze Windows Event Logs
**Challenges:**
We previously investigated an exploit involving the Merlin post-exploitation framework and identified several Indicators of Compromise (IoCs), including:
* **e7zzxen3x6.ryanic.com**
* **HxuT0y1GjO.exe**
Along with the PCAP previously analyzed using Zeek and Wireshark, we also have Windows event logs, including Sysmon logs, from the same compromise.
1. View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe
2. View suspicious DNS queries in the Sysmon log
3. Determine the date and time of the compromise using Sysmon DNS logs
4. Determine the name of the file deleted by the malware
1\) View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe
Let's use PowerShell to search for Sysmon Event ID 1 that includes the string "HxuT0y1GjO.exe".
```powershell
Get-WinEvent @{Path="c:\labs\merlin\Sysmon.evtx"; Id=1} | Where-Object { $_.Properties[10].Value -Match "HxuT0y1GjO.exe" }
| Select-Object -Property TimeCreated, Id, @{Name="CommandLine"; Expression={$_.Properties[10].Value}}
| fl
```
This can also be resolved using Event Log Explorer
Next, let's filter for Event ID 1 and the process `HxuT0y1GjO.exe`.
**SHA256 of HxuT0y1GjO.exe:** 730F0988CC88FC95A2809978B2BB3198283234E2A73F557A64E1F4A30BB85F56
2\) View suspicious DNS queries in the Sysmon event log:
Let's filter by Event ID 22 in Event Log Explorer.
The first few entries seem suspicious, using the same DNS name analyzed earlier: **e7zzxen3x6.ryanic.com**. The DNS query was made by **svchost.exe**.
From a threat-hunting perspective, the most valuable information is often the DNS query (QueryName) and the program making the query (ImageName). Sysmon excels at linking these two.
Let's focus on these two details: the **QueryName** and **ImageName**. We'll use a PowerShell script called `sysmon-dns.ps1` to extract and display this information from Sysmon EVTX files.
```bash
notepad C:\labs\merlin\sysmon-dns.ps1
```
This code processes Event ID 22 from a specified event log file, extracts specific XML data fields (`QueryName` and `ImageName`), converts them to lowercase, and outputs the selected fields for each event.
Note that the `sysmon-dns.ps1` script converts both the **QueryName** and **ImageName** to lowercase (using **ToLower()**). This ensures that duplicates are avoided when sorting and using the **Get-Unique** cmdlet in PowerShell, as it is case-sensitive.
```powershell
C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx | more
```
We can see that `c:\users\ieuser\desktop\autoruns\autoruns64.exe` also resolves to `e7zzxen3x6.ryanic.com`.
Let's look at the unique DNS queries.
```powershell
C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx
| Select-Object QueryName | Sort-Object QueryName | Get-Unique -AsString | more
```
This command instructs PowerShell to take the output from `sysmon-dns.ps1`, extract only the `QueryName` field, sort it by `QueryName`, and treat it as a string.
Next, let's see the unique ImageNames.
```powershell
C:\labs\merlin\sysmon-dns.ps1 C:\labs\merlin\Sysmon.evtx
| Select-Object ImageName | Sort-Object ImageName | Get-Unique -AsString
```
3\) Determine the date and time of the compromise using Sysmon DNS logs
Let's open the **Sysmon.evtx** file in Event Log Explorer, then filter for **Event ID 22** and the **QueryName** `e7zzxen3x6.ryanic.com`.
The first sign of compromise involving **e7zzxen3x6.ryanic.com** was detected on **September 17, 2021, at 7:38:43 PM**.
The malicious file **HxuT0y1GjO.exe** sent a DNS request to **e7zzxen3x6.ryanic.com** less than a minute later.
4\) Determine the name of the file deleted by the malware.
Let's filter by Event ID 23 (FileDelete) for entries containing the string `e7zzxen3x6.ryanic.com`.
The IMPHASH (Import Hash) is blank because it applies only to executables; it represents a hash of the DLL names loaded by a process.
Answer: Battlestar.pdf
.png?alt=media&token=3616db83-235b-4f44-af4d-9b0630d35c7c)
.png?alt=media&token=3bba0371-d934-4e60-b027-82afcc82716b)
.png?alt=media&token=412b6ae9-38f5-4b2d-b772-e0c9434df4a3)
.png?alt=media&token=418a7479-10d5-44e7-9d82-22913a97aebb)
.png?alt=media&token=305e02e4-7748-4fc2-8ccd-26ebaaf8a6dc)
.png?alt=media&token=8d8b39d1-5f92-4495-b335-4773c021628f)
.png?alt=media&token=aa5b8a8f-3a8d-46e9-b0ad-1d08f2e71217)
.png?alt=media&token=e664f610-7a8d-4520-b6bb-27e44b425e77)
.png?alt=media&token=78df0dc5-5bc0-4ea7-bb13-31b8d4a3cc59)
.png?alt=media&token=d679a5d6-73d2-4e7e-b39d-44be0c33f285)
.png?alt=media&token=77b634d4-9288-4c50-b54e-8352e2d70ee7)
.png?alt=media&token=6a0d49f7-affe-45ee-ba42-52bb4b035464)
.png?alt=media&token=372e83e4-166e-4e82-b758-7077336493a3)
.png?alt=media&token=3c9c2868-a4e4-4cdc-acca-0454f755a162)
.png?alt=media&token=818d92de-6589-4fbe-a836-91cafe263e99)
.png?alt=media&token=3b00b0f9-61a2-4a5e-ae9d-6dbb6c26a337)