LetsDefend — Log Analysis with Sysmon Walkthrough
An Endpoint Forensic Investigation with Sysmon, EvtxECmd, Timeline Explorer, and MITRE ATT&CK
Introduction:
Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive walkthrough of the Log Analysis with Sysmon challenge from LetsDefend, you’re in the right place. Prepare to dive into the world of digital forensics and incident response (DFIR).
In this scenario, a victim’s device has been compromised with malware, and we need to investigate what happened to contain the threat. Our objective is to analyze the Sysmon event logs to determine how the attacker gained initial access, escalated privileges, evaded the system’s defenses, and what tools they used to do it.
Sysmon is a utility that is part of the Microsoft Sysinternals suite. It runs as a system service and monitors detailed system activity, like process creation, file creation, and network connections, and logs it to the Windows Event Log. Sysmon also has its own event types that can be used to filter specific activity in the logs.
To analyze the Sysmon logs, we’ll leverage Eric Zimmerman’s EvtxECMD and Timeline Explorer. Then, we’ll map the adversary’s techniques and software to MITRE ATT&CK, a global knowledge base of adversary tactics and techniques, to gain a comprehensive view of the attack.
Sounds like fun, right? Let’s get into it!
And hey, if you find this walkthrough helpful — whether it levels up your skills, gets you through a stumbling block, or serves as a handy reference — please give it a clap!
Thanks for reading and going on this investigation with me!
Challenge Link: https://app.letsdefend.io/challenge/log-analysis-with-sysmon
Challenge Scenario:
Our company has experienced a breach on one of its endpoints. Your task is to investigate the breach thoroughly by analyzing the Sysmon logs of the compromised endpoint to gather all necessary information regarding the attack.
Question 1: Which file gave access to the attacker?
Let’s kick off this challenge by extracting Sysmon_chall.zip. Inside of the archive, we’ll have two files: Sysmon.evtx and Sysmon.json.
The first file, Sysmon.evtx, is a Windows Event Log file that we can open and view in the Windows Event Viewer.
The second file, Sysmon.json, contains the same information as the first file, but in the JSON format so it can be imported into different data analytics tools for analysis.
For this investigation, we’ll start with Sysmon.evtx. Double-click it and it will open with the Windows Event Log Viewer as a saved log within our analysis environment.
But before we dive headfirst into the Event Logs, let’s back up a bit and get familiar with the Sysmon Events so we can analyze the logs more efficiently by filtering for the relevant event IDs. This reference will be key to working through this investigation, so keep it handy:
Sysmon Events Reference:
Now, armed with some background knowledge, let’s jump into the Event Viewer and start hunting for the malicious file that gave the attacker access to the victim’s device. To narrow down the scope of our logs, let’s filter by Event ID 1: Process Creation and then sort in descending order to look at the earliest event first.
Reviewing the processes, we stumble on the above event referencing an unusual executable, IDM.exe. To investigate this process further, let’s use the Find button and analyze the other events referring to this executable.
To analyze the hits, switch over to the Details tab view. After a couple of results, we’ll notice that IDM.exe first spawns a Windows Command Shell (cmd.exe) and then, in the following event, a very suspicious command line…
These are enough red flags to determine that IDM.exe is the answer to Question 1. Let’s perform some further analysis on fodhelper.exe to better understand what the attacker is doing.
Question 2: What did the attacker use to bypass UAC? Mention the EXE.
Before we go too far, let’s give ourselves another option to analyze the Event Log. Sometimes, having a different view or method of analyzing data can be helpful to understand the relationships between processes.
Rather than manually searching the Event Viewer, we’re going to also parse the log using Eric Zimmerman’s EvtxECmd, export it to a CSV, then sort the results using another of his utilities, Timeline Explorer. This will allow us to search and filter the data more efficiently than manually browsing the Event Viewer.
Handily, both of the Eric Zimmerman utilities are already installed on the LetsDefend environment, so we simply need to open the Command Prompt as Administrator to launch the utility with the following syntax specifying the .evtx file and an output directory:
EvtxECmd.exe -f "C:\Users\LetsDefend\Desktop\ChallengeFile\Sysmon.evtx" --csv YOUR-OUTPUT-DIRECTORY
Once the output file is created, open it with Timeline Explorer. To start, we’ll replicate the method we used in Question 1 and filter by the ParentCommandLine (Payload Data6) column for IDM.exe:
This is a cleaner view of the information we found in the previous question, isn’t it?
Now, let’s take to Google for research to understand what fodhelper.exe is and if it can be used in an attack. For example, check out the research from Atomic Red Team about user account control (UAC) bypass techniques (MITRE ATT&CK — T1548.002) to see what we can discover.
From the research, we’ll see a couple of documented techniques abusing the Features on Demand Helper (fodhelper.exe) to bypass the UAC prompt. These techniques allow a threat actor to abuse the legitimate binary to execute a process as a privileged administrator without the user account control dialogue.
Atomic Test #3 — Bypass UAC using Fodhelper
Bypasses User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution, “The operation completed successfully.” will be shown twice and command prompt will be opened.
Atomic Test #4 — Bypass UAC using Fodhelper — PowerShell
PowerShell code to bypass User Account Control using the Windows 10 Features on Demand Helper (fodhelper.exe). Requires Windows 10. Upon execution command prompt will be opened.
Since we have discovered a documented method of abusing the fodhelper binary to bypass UAC that is also present on the infected device, we’ve found the answer to Question 2!
Question 3: What registry path and value was used by the above EXE to gain higher privileges? (path\value)
Let’s continue to build off the research that we found in the Atomic Red Team report and look at the listed commands used to exploit fodhelper.exe.
The techniques involve some registry modification. With that in mind, let’s filter the CSV file in Timeline Explorer by Event ID 13: RegistryEvent (Value Set) and then filter by IDM.exe.
If you’re more comfortable in the Event Viewer, here is the same event that we located in Timeline Explorer:
Pulling back to a high-level overview, let’s simply search Timeline Explorer for fodhelper.exe. This not only gives us a better view of the sequence of events and the relationships between the processes, but also lets us see the Registry Key accessed by fodhelper.exe.
Because this registry location matches the location documented in the Atomic Red Team report, we can confidently say that we found the answer to Question 3!
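The filter-then-search workflow above (Event ID 13 by the suspicious process, then a search for fodhelper.exe) can be expressed as a single correlation so it runs over a whole log at once. The script below is an added example written for this walkthrough; it is not LetsDefend’s material or the author’s code. It assumes Sysmon.json is newline-delimited, with one flat object per event carrying the standard Sysmon EventData field names (EventID, UtcTime, ProcessGuid, ParentProcessGuid, Image, ParentImage, TargetObject, Details). The sample records, GUIDs, SID and the registry key name are constructed placeholders, not values from the challenge: the logic pairs any per-user Software\Classes value-set event with a fodhelper.exe launch that follows shortly afterwards in the writing process’s tree.

```python
import json
from datetime import datetime

# Constructed Sysmon records (newline-delimited JSON, flat EventData fields).
# Event ID 13 = RegistryEvent (Value Set), Event ID 1 = Process Create.
# GUIDs, times, SID and key names are placeholders for this example; the
# explorer.exe and setup.exe writes are benign and must not be flagged.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2024-01-01 10:01:00.000", "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}", "Image": "C:\\Users\\victim\\Downloads\\IDM.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 13, "UtcTime": "2024-01-01 10:01:01.000", "ProcessGuid": "{G-1}", "Image": "C:\\Windows\\explorer.exe", "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden", "Details": "DWORD (0x00000001)"}
{"EventID": 13, "UtcTime": "2024-01-01 10:01:02.000", "ProcessGuid": "{G-2}", "Image": "C:\\Users\\victim\\Downloads\\IDM.exe", "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Classes\\CONSTRUCTED-PLACEHOLDER-KEY", "Details": "[constructed placeholder]"}
{"EventID": 1, "UtcTime": "2024-01-01 10:01:05.000", "ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-2}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\IDM.exe"}
{"EventID": 1, "UtcTime": "2024-01-01 10:01:06.000", "ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-3}", "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe"}
{"EventID": 13, "UtcTime": "2024-01-01 11:30:00.000", "ProcessGuid": "{G-9}", "Image": "C:\\Program Files\\Vendor\\setup.exe", "TargetObject": "HKU\\S-1-5-21-EXAMPLE\\Software\\Classes\\.vendorfile", "Details": "VendorFile"}
"""


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


def parse_time(stamp):
    """Sysmon UtcTime format, e.g. 2024-01-01 10:01:02.000."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def classes_value_sets(events):
    """Event ID 13 writes under a user's HKU\\...\\Software\\Classes hive, where
    per-user handler registrations live; a Medium-integrity process writing
    there right before an auto-elevating binary runs is the pattern of interest."""
    return [e for e in events
            if e.get("EventID") == 13
            and e["TargetObject"].upper().startswith("HKU\\")
            and "\\software\\classes\\" in e["TargetObject"].lower()]


def ancestry(by_guid, guid):
    """ProcessGuids from guid upward, as far as we hold Event ID 1 records."""
    chain = []
    while guid in by_guid:
        chain.append(guid)
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def correlate_fodhelper(events, window_seconds=120):
    """Pair each Software\\Classes write with a fodhelper.exe launch that follows it
    within window_seconds and whose parent chain contains the writing process."""
    by_guid = {e["ProcessGuid"]: e for e in events if e.get("EventID") == 1}
    launches = [e for e in by_guid.values() if basename(e["Image"]).lower() == "fodhelper.exe"]
    hits = []
    for write in classes_value_sets(events):
        for launch in launches:
            delta = (parse_time(launch["UtcTime"]) - parse_time(write["UtcTime"])).total_seconds()
            if 0 <= delta <= window_seconds and write["ProcessGuid"] in ancestry(by_guid, launch["ParentProcessGuid"]):
                hits.append({"writer": basename(write["Image"]),
                             "key": write["TargetObject"],
                             "seconds_before_fodhelper": delta})
    return hits


if __name__ == "__main__":
    for hit in correlate_fodhelper(load_events(SAMPLE_EVENTS)):
        print(f"{hit['writer']} set {hit['key']} {hit['seconds_before_fodhelper']:.0f}s before fodhelper.exe launched")
```

The setup.exe write to Software\Classes is not reported because no fodhelper.exe launch follows it in its process tree, which is what keeps this check from alerting on ordinary file-association registrations.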
Question 4: The attacker dropped a file. What is the file location?
Okay, let’s continue investigating within Timeline Explorer, this time, filtering on Event ID 11: File Create. According to the Sysmon documentation, this event captures file creation events and is “useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.”
Once we have the Event ID filter, scroll over to the RuleName column and type Downloads. Applying these two filters narrows the audited file creation events to those matched by a rule containing the term downloads, which covers the Downloads directory.
Right away, we see a red flag — mimikatz.exe. If you aren’t familiar with Mimikatz, here is a quick summary from the MITRE ATT&CK knowledge base:
Let’s submit the flag and learn more about what techniques Mimikatz uses.
Question 5: What are the technique name and ID used by the dropped EXE?
To answer Question 5, we need to first answer the question: What is Mimikatz used for? In the previous question, I linked the description from MITRE ATT&CK, but let’s focus on one detail: Mimikatz is a credential dumper.
This description of the tool gives us the answer — the most applicable MITRE ATT&CK technique is Credential Dumping (MITRE ATT&CK — T1003).
Question 6: What is the name of the attack?
We’ve already determined that Mimikatz is a credential dumper, but to answer Question 6, we need to figure out what the adversary did with the stolen credentials. Let’s jump back to the Mimikatz software page on MITRE ATT&CK to learn more about any techniques associated with it.
We’ll focus on the Techniques Used section of the software page. Mimikatz has lots of listed capabilities but there is one it is infamous for facilitating. We can cheese this a little bit by looking at the answer format to narrow down the results, too.
Pass the Hash! This is a technique where an attacker accesses and dumps credential data, like NTLM hashes, from the Local Security Authority Subsystem Service (LSASS) process in Windows and then “passes” the stolen hash instead of providing the password to authenticate as that user. This way, it’s possible to elevate privileges or move laterally through the target environment.
Question 7: What EXE did the attacker run using elevated privileges from the above attack?
Now back to Timeline Explorer! We’ll approach Question 7 by searching for Mimikatz to determine if it spawned any child processes, potentially using the Pass the Hash technique to elevate privileges of the child process.
Once we enter “mimikatz” into the search, we’ll stumble on something interesting — mimikatz.exe has spawned a powershell.exe process. Let’s examine the payload contents:
Notice the IntegrityLevel with the value of High? Because mimikatz.exe (PID 4988) is the parent process, this tells us that PowerShell was executed with elevated, administrative-level privileges. We’ve found the answer to Question 7!
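Both Question 1 (which processes IDM.exe spawned) and Question 7 (whether mimikatz.exe’s child ran at High integrity) are parent/child questions over Event ID 1, and they are easier to answer from a reconstructed process tree than from repeated Find searches. The script below is an added example for this walkthrough, not code from LetsDefend or the author, and it assumes the same newline-delimited Sysmon.json layout as before (flat EventData fields: EventID, UtcTime, ProcessGuid, ParentProcessGuid, Image, ParentImage, CommandLine, IntegrityLevel). The sample chain follows the walkthrough’s narrative, but every GUID, PID, path, timestamp and command line is constructed, and the suspicious command line is left as a placeholder.

```python
import json
from collections import defaultdict

# Constructed Event ID 1 (Process Create) records in the walkthrough's order:
# IDM.exe -> cmd.exe -> fodhelper.exe, then mimikatz.exe -> powershell.exe,
# plus a benign, Medium-integrity powershell.exe from explorer.exe for contrast.
# A trailing Event ID 3 record shows that non-process events are ignored.
SAMPLE_EVENTS = r"""
{"EventID": 1, "UtcTime": "2024-01-01 10:00:00.000", "ProcessGuid": "{G-1}", "ParentProcessGuid": "{G-0}", "Image": "C:\\Windows\\explorer.exe", "ParentImage": "C:\\Windows\\System32\\userinit.exe", "CommandLine": "explorer.exe", "IntegrityLevel": "Medium"}
{"EventID": 1, "UtcTime": "2024-01-01 10:01:00.000", "ProcessGuid": "{G-2}", "ParentProcessGuid": "{G-1}", "Image": "C:\\Users\\victim\\Downloads\\IDM.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "IDM.exe", "IntegrityLevel": "Medium"}
{"EventID": 1, "UtcTime": "2024-01-01 10:01:05.000", "ProcessGuid": "{G-3}", "ParentProcessGuid": "{G-2}", "Image": "C:\\Windows\\System32\\cmd.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\IDM.exe", "CommandLine": "cmd.exe /c [constructed placeholder]", "IntegrityLevel": "Medium"}
{"EventID": 1, "UtcTime": "2024-01-01 10:01:06.000", "ProcessGuid": "{G-4}", "ParentProcessGuid": "{G-3}", "Image": "C:\\Windows\\System32\\fodhelper.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "fodhelper.exe", "IntegrityLevel": "High"}
{"EventID": 1, "UtcTime": "2024-01-01 10:02:00.000", "ProcessGuid": "{G-5}", "ParentProcessGuid": "{G-4}", "Image": "C:\\Users\\victim\\Downloads\\mimikatz.exe", "ParentImage": "C:\\Windows\\System32\\fodhelper.exe", "CommandLine": "mimikatz.exe", "IntegrityLevel": "High"}
{"EventID": 1, "UtcTime": "2024-01-01 10:02:30.000", "ProcessGuid": "{G-6}", "ParentProcessGuid": "{G-5}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Users\\victim\\Downloads\\mimikatz.exe", "CommandLine": "powershell.exe", "IntegrityLevel": "High"}
{"EventID": 1, "UtcTime": "2024-01-01 10:03:00.000", "ProcessGuid": "{G-7}", "ParentProcessGuid": "{G-1}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe", "IntegrityLevel": "Medium"}
{"EventID": 3, "UtcTime": "2024-01-01 10:03:10.000", "ProcessGuid": "{G-7}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationIp": "192.0.2.10"}
"""

ELEVATED = {"High", "System"}


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


def process_creates(events):
    """Event ID 1 records in chronological order."""
    return sorted((e for e in events if e.get("EventID") == 1), key=lambda e: e["UtcTime"])


def build_children(events):
    """Map ParentProcessGuid -> list of child Event ID 1 records."""
    children = defaultdict(list)
    for e in process_creates(events):
        children[e["ParentProcessGuid"]].append(e)
    return children


def render_tree(events, children, guid="{G-0}", depth=0, out=None):
    """Indented image names with integrity level, starting below guid."""
    out = [] if out is None else out
    for child in children.get(guid, []):
        out.append("  " * depth + f"{basename(child['Image'])} [{child.get('IntegrityLevel')}]")
        render_tree(events, children, child["ProcessGuid"], depth + 1, out)
    return out


def descendants(events, image_name):
    """Image names of every process below any process called image_name (Question 1)."""
    procs, children = process_creates(events), build_children(events)
    queue = [e["ProcessGuid"] for e in procs if basename(e["Image"]).lower() == image_name.lower()]
    seen = set()
    while queue:
        for child in children.get(queue.pop(0), []):
            if child["ProcessGuid"] not in seen:
                seen.add(child["ProcessGuid"])
                queue.append(child["ProcessGuid"])
    return [basename(e["Image"]) for e in procs if e["ProcessGuid"] in seen]


def elevated_children(events, parent_name):
    """Children of parent_name whose IntegrityLevel is High or System (Question 7)."""
    return [basename(e["Image"]) for e in process_creates(events)
            if basename(e["ParentImage"]).lower() == parent_name.lower()
            and e.get("IntegrityLevel") in ELEVATED]


def elevated_from_user_paths(events):
    """Detection heuristic: elevated processes whose parent image lives under C:\\Users\\,
    i.e. an elevated child of something that ran from a user-writable location."""
    return [(basename(e["ParentImage"]), basename(e["Image"])) for e in process_creates(events)
            if e.get("IntegrityLevel") in ELEVATED and e["ParentImage"].lower().startswith("c:\\users\\")]


if __name__ == "__main__":
    events = load_events(SAMPLE_EVENTS)
    print("\n".join(render_tree(events, build_children(events))))
    print("Descendants of IDM.exe:", descendants(events, "IDM.exe"))
    print("Elevated children of mimikatz.exe:", elevated_children(events, "mimikatz.exe"))
    print("Elevated children of user-path parents:", elevated_from_user_paths(events))
```

The last heuristic is the generalisation of the Question 7 check: rather than searching for one parent by name, it lists every High or System process whose parent ran from a user profile directory, which is where a dropped binary that goes on to spawn elevated children will usually sit.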
Question 8: The attacker downloaded and ran a file. What is the filename?
Okay, we’ve made it to the last question! Let’s hunt for the next file the attacker downloaded. For this, we’ll set up the same filters that we did for Question 4 — filtering on Event ID 11: File Create and entering Downloads in the RuleName column.
Right below the mimikatz.exe that we found earlier, we’ll see evidence of a second executable being created:
012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1.exe
This seems promising. Now, we need to determine if the attacker ran it to confirm that we have found the correct answer. To do this, let’s filter the Event ID column by Event ID 1 (Process Creation) and then search for:
012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1.exe
With the filtering in place, we can confirm that the attacker leveraged PowerShell to download this second stage payload and used the Start-Process cmdlet to execute it. Great job! Let’s submit the flag and wrap up this investigation!
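Questions 4 and 8 follow the same two-step pattern: filter Event ID 11 by RuleName, then check Event ID 1 to see whether the created file was actually executed and by what. The script below joins those two steps so every file matched by the Downloads rule is reported with its writer, whether it ran, the parent that launched it, whether that parent’s command line used Start-Process, and the delay between drop and execution. It is an added example for this walkthrough, not LetsDefend’s or the author’s code; it assumes the newline-delimited Sysmon.json layout with flat EventData fields (EventID, UtcTime, RuleName, Image, TargetFilename, ParentImage, ParentCommandLine), and that the challenge’s Sysmon configuration names its rule something containing “Downloads”. The records are constructed; the long filename is the one from the walkthrough, and the PowerShell command line is a placeholder.

```python
import json
from datetime import datetime

# Constructed Sysmon records: Event ID 11 (FileCreate) and Event ID 1 (Process Create).
# Times, GUIDs, the browser path and the command lines are placeholders for this
# example. report.pdf and cache.tmp are benign and show the negative cases.
SAMPLE_EVENTS = r"""
{"EventID": 11, "UtcTime": "2024-01-01 10:01:50.000", "RuleName": "Downloads", "ProcessGuid": "{G-3}", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Users\\victim\\Downloads\\mimikatz.exe"}
{"EventID": 1, "UtcTime": "2024-01-01 10:02:00.000", "ProcessGuid": "{G-5}", "Image": "C:\\Users\\victim\\Downloads\\mimikatz.exe", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": "cmd.exe /c [constructed placeholder]"}
{"EventID": 11, "UtcTime": "2024-01-01 10:03:40.000", "RuleName": "Downloads", "ProcessGuid": "{G-8}", "Image": "C:\\Program Files\\Browser\\browser.exe", "TargetFilename": "C:\\Users\\victim\\Downloads\\report.pdf"}
{"EventID": 11, "UtcTime": "2024-01-01 10:04:00.000", "RuleName": "Downloads", "ProcessGuid": "{G-6}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "TargetFilename": "C:\\Users\\victim\\Downloads\\012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1.exe"}
{"EventID": 1, "UtcTime": "2024-01-01 10:04:03.000", "ProcessGuid": "{G-10}", "Image": "C:\\Users\\victim\\Downloads\\012e382049b88808e2d0b26e016dc189f608deea9b6cc993ce24a57c99dd93d1.exe", "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentCommandLine": "powershell.exe [constructed download placeholder]; Start-Process [constructed placeholder]"}
{"EventID": 11, "UtcTime": "2024-01-01 10:05:00.000", "RuleName": "Temp", "ProcessGuid": "{G-8}", "Image": "C:\\Program Files\\Browser\\browser.exe", "TargetFilename": "C:\\Users\\victim\\AppData\\Local\\Temp\\cache.tmp"}
"""


def load_events(text):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path):
    """Last component of a Windows path, independent of the host OS."""
    return path.rsplit("\\", 1)[-1]


def parse_time(stamp):
    """Sysmon UtcTime format, e.g. 2024-01-01 10:04:03.000."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def file_creates(events, rule_contains="Downloads"):
    """Event ID 11 records whose RuleName contains the text (the Timeline Explorer filter)."""
    return [e for e in events
            if e.get("EventID") == 11 and rule_contains.lower() in e.get("RuleName", "").lower()]


def executions_of(events, path):
    """Event ID 1 records whose Image is exactly the created file."""
    return [e for e in events if e.get("EventID") == 1 and e["Image"].lower() == path.lower()]


def drop_to_execution(events, rule_contains="Downloads"):
    """For each file created under the rule: who wrote it, whether it later ran,
    which parent launched it, whether Start-Process appears in that parent's
    command line, and the seconds between creation and first execution."""
    report = []
    for create in file_creates(events, rule_contains):
        runs = [r for r in executions_of(events, create["TargetFilename"])
                if r["UtcTime"] >= create["UtcTime"]]  # same fixed-width format, so string order is time order
        first = runs[0] if runs else None
        report.append({
            "file": basename(create["TargetFilename"]),
            "dropped_by": basename(create["Image"]),
            "executed": first is not None,
            "launched_by": basename(first["ParentImage"]) if first else None,
            "start_process_used": bool(first) and "start-process" in first.get("ParentCommandLine", "").lower(),
            "seconds_to_exec": (parse_time(first["UtcTime"]) - parse_time(create["UtcTime"])).total_seconds() if first else None,
        })
    return report


if __name__ == "__main__":
    for row in drop_to_execution(load_events(SAMPLE_EVENTS)):
        status = f"run by {row['launched_by']} after {row['seconds_to_exec']:.0f}s" if row["executed"] else "never executed"
        print(f"{row['file']} (dropped by {row['dropped_by']}): {status}")
```

Only files that were actually executed need follow-up, so a report like this turns a long list of Event ID 11 hits into the handful worth pivoting on; a short drop-to-execution gap with a scripting host as the launching parent is the pattern seen in Question 8.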
Conclusion:
There we have it! Using the Sysmon logs, we’ve successfully identified the binaries used for initial access, defense evasion, credential access, privilege escalation, and the second-stage malware. During the investigation, we turned to MITRE ATT&CK to reveal more details about each of these techniques to better understand how the adversary was attacking the victim’s device. Now that we have scoped the attack and completed our objectives, let’s close out this walkthrough of the Log Analysis with Sysmon!
A big thank you to LetsDefend for another engaging and challenging lab scenario. This was a really fun challenge for me as I’ve never had the opportunity to leverage Sysmon in an investigation despite testing and deploying it fairly often. I chose this one to get some reps in with the logging it provides so that when I need it in the real world, I’ll have that practice. I also really appreciated that this investigation required some use of MITRE ATT&CK to add context to the answers, in addition to being needed to answer one of the questions. Personally, thinking in terms of TTPs helps me organize my thoughts during an investigation, so this was also really good practice. Awesome stuff!
Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
Sysmon: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Microsoft Sysinternals: https://learn.microsoft.com/en-us/sysinternals/
Eric Zimmerman’s Tools (EvtxECMD & Timeline Explorer): https://ericzimmerman.github.io/#!index.md
Sysmon Events Reference: https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events
Atomic Red Team — T1548.002 — Abuse Elevation Control Mechanism: Bypass User Account Control: https://www.atomicredteam.io/atomic-red-team/atomics/T1548.002#atomic-test-4---bypass-uac-using-fodhelper---powershell
MITRE ATT&CK — Abuse Elevation Control Mechanism: Bypass User Account Control (T1548.002): https://attack.mitre.org/techniques/T1548/002/
MITRE ATT&CK — Mimikatz (S0002): https://attack.mitre.org/software/S0002/
MITRE ATT&CK — OS Credential Dumping (T1003): https://attack.mitre.org/techniques/T1003/
MITRE ATT&CK — Use Alternate Authentication Material: Pass the Hash (T1550.002): https://attack.mitre.org/techniques/T1550/002/