Unit42
https://app.hackthebox.com/sherlocks/Unit42
Task 0
Install the Sysmon manifest so that Event Viewer renders the Sysmon events and their fields properly, which makes them much easier to read.
Task 1
How many Event logs are there with Event ID 11?
We can find this easily by filtering the current log view down to Event ID 11 only.
Looking at the filtered view, we can see that the number of events is 56.
56
Task 2
Whenever a process is created in memory, an event with Event ID 1 is recorded with details such as command line, hashes, process path, parent process path, etc. This information is very useful for an analyst because it allows us to see all programs executed on a system, which means we can spot any malicious processes being executed. What is the malicious process that infected the victim’s system?
The first thing we need to do is clear the filter we created in the step above.
Now we can sort by Date and Time and then look for the Event ID 1 (Process Create) event. We could also filter, but since there are not that many events, we should be able to find this event easily and get surrounding context if needed.
Here we can see the process that was created, along with some useful information about it including the directory, file name, command line arguments, hashes, parent process, user, etc.
C:\Users\CyberJunkie\Downloads\Preventivo24.02.14.exe.exe
Task 3
Which Cloud drive was used to distribute the malware?
We can actually see a hint of this at the very beginning of the log through a DNS query to dropbox.com, but on its own that would just be a guess.
The definitive answer comes from Event ID 15 (FileCreateStreamHash), which records the alternate data stream written when Preventivo was downloaded; that stream names dropbox as the source of the file.
dropbox
Task 4
The initial malicious file time-stamped (a defense evasion technique, where the file creation date is changed to make it appear old) many files it created on disk. What was the timestamp changed to for a PDF file?
Since we know we are looking for a PDF file, we could scan the logs for a PDF file, but a better way to do this is to search for the MITRE technique.
We know the creation timestamp of a file is being changed, so if we look up the MITRE technique for this, we can then search for any event tagged with that technique.
https://attack.mitre.org/techniques/T1070/006/
If we search the log for 1070.006, we can quickly jump between all events tagged with this technique ID.
Then we can look for the PDF file that was timestomped and read the new creation time from the event.
2024-01-14 08:10:06
Task 5
The malicious file dropped a few files on disk. Where was “once.cmd” created on disk? Please answer with the full path along with the filename.
We can look through all the Event ID 11 (FileCreate) events or, again, since we are given the filename, simply search for it.
C:\Users\CyberJunkie\AppData\Roaming\Photo and Fax Vn\Photo and vn 1.1.2\install\F97891C\WindowsVolume\Games\once.cmd
Task 6
The malicious file attempted to reach a dummy domain, most likely to check the internet connection status. What domain name did it try to connect to?
Looking through the DNS query events (Event ID 22), we can see a query from Preventivo to example.com.
example.com
Task 7
Which IP address did the malicious process try to reach out to?
Similar to the previous question, we can look at the Event ID 3 (Network Connection) events coming from Preventivo. Here we see the process reaching out to the destination address 93.184.216.34.
93.184.216.34
Task 8
The malicious process terminated itself after infecting the PC with a backdoored variant of UltraVNC. When did the process terminate itself?
We can look at the process termination events (Event ID 5) for the timestamp at which Preventivo was terminated.
2024-02-14 03:41:58
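The same triage that Tasks 1 through 8 perform by clicking through Event Viewer can be replayed with Get-WinEvent against an exported copy of the Sysmon log. This is an added example and not part of the original write-up; the .evtx path is an assumption, the image name comes from Task 2, and the use of Event ID 2 (FileCreateTime) for the timestomp check is the standard Sysmon event for that activity rather than something the write-up states.

```powershell
# Added example (not from the original write-up): replay the Unit42 Sysmon triage
# from an exported .evtx instead of Event Viewer. $EvtxPath is an assumed location.
param(
    [string]$EvtxPath  = 'C:\Cases\Unit42\Microsoft-Windows-Sysmon-Operational.evtx',
    [string]$ImageHint = 'Preventivo24.02.14.exe.exe'   # malicious image from Task 2
)

# Flatten one Sysmon event into an object keyed by its EventData field names
# (Image, CommandLine, QueryName, DestinationIp, TargetFilename, RuleName, ...).
function ConvertTo-SysmonRecord {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()                      # dot-navigation ignores the event namespace
    $rec = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $rec[$d.Name] = $d.'#text' }
    [pscustomobject]$rec
}

# Task 1: how many FileCreate (ID 11) events are in the log.
$fileCreates = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 11 }
"ID 11 (FileCreate) events: $($fileCreates.Count)"

# Tasks 2, 6, 7, 8: process creation, DNS queries, network connections and
# termination of the suspect image, in chronological order.
$activity = Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 1, 3, 5, 22 } |
    ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Where-Object { $_.Image -like "*\$ImageHint" } |
    Sort-Object Time

foreach ($e in $activity) {
    switch ($e.Id) {
        1  { "[{0}] ProcessCreate  {1}  parent={2}" -f $e.Time, $e.CommandLine, $e.ParentImage }
        22 { "[{0}] DnsQuery       {1}" -f $e.Time, $e.QueryName }
        3  { "[{0}] NetworkConnect {1}:{2}" -f $e.Time, $e.DestinationIp, $e.DestinationPort }
        5  { "[{0}] ProcessEnd     {1}" -f $e.Time, $e.Image }
    }
}

# Task 4: FileCreateTime (ID 2) events tagged with T1070.006 in RuleName show the
# timestomped files; CreationUtcTime is the new timestamp, PreviousCreationUtcTime the old one.
Get-WinEvent -FilterHashtable @{ Path = $EvtxPath; Id = 2 } |
    ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Where-Object { $_.RuleName -match '1070\.006' -and $_.TargetFilename -like '*.pdf' } |
    Select-Object Time, TargetFilename, PreviousCreationUtcTime, CreationUtcTime | Format-Table -AutoSize

# Task 5: full on-disk path of once.cmd from the FileCreate events already loaded.
$fileCreates | ForEach-Object { ConvertTo-SysmonRecord $_ } |
    Where-Object { $_.TargetFilename -like '*\once.cmd' } |
    Select-Object Time, Image, TargetFilename | Format-List
```

Get-WinEvent reports a non-terminating error when an ID filter matches nothing, which is a useful signal that the export is incomplete or the Sysmon configuration never logged that event type.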