Part Four Lab
Lab 4.4 - Merlin Sysmon Analysis
Objectives:
Analyze artifacts of an attack using the Merlin post-exploitation framework.
Analyze Sysmon DNS logs
Gain experience using PowerShell to analyze Windows Event Logs
Challenges:
We previously investigated an exploit involving the Merlin post-exploitation framework and identified several Indicators of Compromise (IoCs), including:
e7zzxen3x6.ryanic.com
HxuT0y1GjO.exe
Along with the PCAP previously analyzed using Zeek and Wireshark, we also have Windows event logs, including Sysmon logs, from the same compromise.
View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe
View suspicious DNS queries in the Sysmon log
Determine the date and time of the compromise using Sysmon DNS logs
Determine the name of the file deleted by the malware
1) View suspicious processes in the Sysmon log and determine the SHA256 hash of HxuT0y1GjO.exe
Let's use PowerShell to search for Sysmon Event ID 1 that includes the string "HxuT0y1GjO.exe".
This can also be resolved using Event Log Explorer
Next, let's filter for Event ID 1 and the process HxuT0y1GjO.exe
.
SHA256 of HxuT0y1GjO.exe: 730F0988CC88FC95A2809978B2BB3198283234E2A73F557A64E1F4A30BB85F56
2) View suspicious DNS queries in the Sysmon event log:
Let's filter by Event ID 22 in Event Log Explorer.
The first few entries seem suspicious, using the same DNS name analyzed earlier: e7zzxen3x6.ryanic.com. The DNS query was made by svchost.exe.
From a threat-hunting perspective, the most valuable information is often the DNS query (QueryName) and the program making the query (ImageName). Sysmon excels at linking these two.
Let's focus on these two details: the QueryName and ImageName. We'll use a PowerShell script called sysmon-dns.ps1
to extract and display this information from Sysmon EVTX files.
This code processes Event ID 22 from a specified event log file, extracts specific XML data fields (QueryName
and ImageName
), converts them to lowercase, and outputs the selected fields for each event.
Note that the sysmon-dns.ps1
script converts both the QueryName and ImageName to lowercase (using ToLower()). This ensures that duplicates are avoided when sorting and using the Get-Unique cmdlet in PowerShell, as it is case-sensitive.
We can see that c:\users\ieuser\desktop\autoruns\autoruns64.exe
also resolves to e7zzxen3x6.ryanic.com
.
Let's look at the unique DNS queries.
This command instructs PowerShell to take the output from sysmon-dns.ps1
, extract only the QueryName
field, sort it by QueryName
, and treat it as a string.
Next, let's see the unique ImageNames.
3) Determine the date and time of the compromise using Sysmon DNS logs
Let's open the Sysmon.evtx file in Event Log Explorer, then filter for Event ID 22 and the QueryName e7zzxen3x6.ryanic.com
.
The first sign of compromise involving e7zzxen3x6.ryanic.com was detected on September 17, 2021, at 7:38:43 PM.
The malicious file HxuT0y1GjO.exe sent a DNS request to e7zzxen3x6.ryanic.com less than a minute later.
4) Determine the name of the file deleted by the malware.
Let's filter by Event ID 23 (FileDelete) for entries containing the string e7zzxen3x6.ryanic.com
.
The IMPHASH (Import Hash) is blank because it applies only to executables; it represents a hash of the DLL names loaded by a process.
Answer: Battlestar.pdf
Last updated