Hunting Malware in Sysmon Logs with Splunk

Salim Salimov
Nov 28, 2023


Hello Medium,

Today my story is about finding the malicious activity that followed an infection brought into a company network by a malicious document.

A few words about the tools I will be using__________

1. A sample EVTX log file created by Sysmon (file name: 5295-win82-sysmon.evtx).

Sysmon is a Microsoft Windows system activity logging tool. Its logs can be viewed and analysed using the Windows integrated Event Viewer or various SIEM (Security Information and Event Management) tools, such as Splunk or ELK (Elasticsearch, Logstash, and Kibana).

You can click here for more about Sysmon.

2. Splunk is a tool for analysing machine-generated data, including logs, events, and other data sources. It has a free option, limited to 500 MB of uploaded data per day.

More about Splunk can be found on the official website.

Installing Splunk _____________________________

To download it you will need to create a free account on their website.

To get the free version, first download and install the Splunk Enterprise trial version, then go to Settings → Licensing → Change license group and select Free license.

UPLOADING THE LOG FILE INTO SPLUNK________________________

To upload the log file to Splunk (in my case this is 5295-win82-sysmon.evtx) I need to find and click the Add data button. It is supposed to be somewhere on the Splunk main page, but when I chose the free license the contents of the left side panel became unavailable. Nothing to worry about, as everything still works fine when accessed from the drop-down menu buttons. If I click on Settings I have the Add data button, from where I can upload my logs.

So all the steps to upload are as follows:

Settings → Add Data → Upload files from my computer → Select file (or just drag and drop) → Next → Next → Review → Submit → Start searching

After all these steps are done and Start searching is pressed, we end up on the following window with an automatically generated first search query and no results. This is because Splunk has converted the Sysmon EVTX file to readable text; the query terms marked in red in the screenshot below are not needed, and I am going to delete them, leaving only the source term. We also need to check the time range: by default it is set to show logs from the last 24 hours. I changed it to show all logs by setting it to All time.

Now we have all the logs loaded and everything is ready to start searching and investigating.

THE HYPOTHESIS______________________________

Having a hypothesis is a solid starting point for investigating a potential security incident involving logs. Mine outlines a common attack scenario: a document with a malicious macro, the victim being tricked into enabling the macro, and the resulting execution of malicious commands and infection of the system.

In a couple of my previous blog posts I delved into the characteristics of malicious macro code and explored how attackers can create documents embedded with such code. Feel free to check them out for a more in-depth understanding; you can find them by clicking here and here.

What will I be looking to discover?

1. Initial access — When did any malicious file or process first appear on the victim's system?

2. Malware installation — Which malicious files and processes did the attacker use?

3. Communications — Which IP addresses or domains did the attacker use to infect the system?

INVESTIGATION_______________________________

Because I suspect the system has been compromised by a malicious macro within a Microsoft Office document, the first thing I am going to search for is the ‘winword.exe’ process, which is commonly associated with opening Microsoft Office documents, especially Word documents. I would also like to add EventCode=1 to filter the search results to show only process creation logs.

Sysmon categorizes different types of events in its logs and associates them with specific event ID numbers for easy reference, as illustrated in the table below:

I will be referring to this table every time I analyse a log or make a search query.

So my first query will look like this:

source="5295-win82-sysmon.evtx" winword.exe EventCode=1

A couple of events were returned, both showing that winword.exe was involved in opening a document file named 0714_6656030531.doc from this location: C:\Users\jerry.knapp\Downloads

Splunk by default displays the newest events first; I will use the ‘| reverse’ command to view events in chronological order.

source="5295-win82-sysmon.evtx" winword.exe EventCode=1
| reverse

I proceeded to expand the logs and take a more detailed look for additional information.

What I have discovered so far:

The document named 0714_6656030531.doc was opened from C:\Users\jerry.knapp\Downloads → rundll32.exe was executed (when the macro was enabled by the victim) → the rundll32.exe process was created with a specific command line that includes the path to ier.dll.

But these are not the initial malicious activities. The document must have made its way to the victim's computer at an earlier stage. I searched for this document with EventCode=11 to see exactly when the file was created.

source="5295-win82-sysmon.evtx" 0714_6656030531.doc EventCode=11

Splunk returned a single event log, where I can find the answer: the document was downloaded using msedge.exe (Microsoft Edge browser). I then set the time range to show only logs after this time, as shown in the screenshots below.

Next I decided to find out more about ier.dll:

source="5295-win82-sysmon.evtx" ier.dll
| reverse

The results returned a couple of events showing that RUNDLL32.EXE was first created as a process (EventCode=1; this is the same log I saw earlier). The other log shows EventCode=7 (image loaded, according to the Event IDs table), and no information was available when I checked its hash on VirusTotal, as can be seen in the screenshots below:

It is very common for attackers to obfuscate their malicious code by modifying legitimate Windows components. I wondered whether there were other processes created and executed in the same way, so I searched for process creation events (EventCode=1) with rundll32.exe.

source="5295-win82-sysmon.evtx" rundll32.exe EventCode=1
| reverse

I found that rundll32.exe created a cmd.exe process with a command to copy Gas.exe to a location on another internal network IP (another PC); in the next log Gas.exe was executed. Also, by a quick search for Gas.exe alone I found that it was created by svhost.exe, another Windows application that may have been employed by the attacker.

The following events happened in sequence:

“Net view” was used to get a list of computers and network devices on the network. The “net group” command is used to add, delete, or manage groups on servers:

C:\Windows\system32\cmd.exe /C net view /domain
C:\Windows\system32\cmd.exe /C net group /domain

In the next event log I can see that cmd.exe executed zero.exe, and some command arguments were given to zero.exe: what seems like an IP address, a domain controller name, a domain name, and then possibly some other command or script to be completed by powershell.exe:

C:\Windows\system32\cmd.exe /C zero.exe 10.100.100.20 DC1 lakestatebank.local administrator -c “powershell.exe”

A remote command listing the root directory of the C drive was executed with this command:

C:\Windows\system32\cmd.exe /C dir \\10.100.100.20\c$

In the next bunch of commands, collected from the rest of the event logs in the last search results, the attacker is copying the cor.dll and cor.bat files to different machines in the same network. These actions look like lateral movement.

C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.20\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.20\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.62\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.62\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.67\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.67\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.21\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.21\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.68\C$\programdata

C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.68\C$\programdata

I have taken notes of some suspicious files and I am going to investigate the ones I found recently, starting with zero.exe:

source="5295-win82-sysmon.evtx" zero.exe

There are 14 events with zero.exe in them. On the left panel in Splunk there is a list of Interesting fields. When I click on EventCode there, I can see all the available event codes for this file, and just by clicking on one of them I can easily add it to the search query. So I clicked on 11 (file creation event) to add it to the search. In the results I saw two separate events creating the zero.exe file in two separate locations, one created by rundll32.exe and the other by svhost.exe.

This proves the theory I mentioned earlier: the attacker has abused both legitimate Windows components, rundll32.exe and svhost.exe, and is using them to execute his commands remotely while avoiding antivirus and EDR detection. Let's fully uncover this file and its activities. Checking all event codes associated with this file, I found the following information:

EventCode 3 - Network connection — communications between the victim's computer and domain controller 1 (DC1, IP 10.100.100.20)

EventCode 1 - Process create — multiple executions of cmd.exe with the command string:

C:\Windows\system32\cmd.exe /C zero.exe 10.100.100.20 DC1 lakestatebank.local administrator -c “powershell.exe”

EventCode 22 - DNS query — zero.exe made DNS requests a couple of times to the DC1 IP address

EventCode 7 - Image loaded — not much information is available in the log itself, but there are hashes of the zero.exe file, and it has been detected as malware on VirusTotal. Splunk has associated the process with:

technique_id=T1073,technique_name=DLL Side-Loading

More about attackers' TTPs (Tactics, Techniques, and Procedures) can be found on the MITRE ATT&CK website.

___NETWORK COMMUNICATIONS___

To find network connection events I use this query:

source="5295-win82-sysmon.evtx" EventCode=3
| reverse

By scrolling through the events I want to see which IP addresses were connected to from the victim's machine and from any other computer in the local network. I put all the external IPs and domains that I find in my notes for further investigation later.

It seems like all communications happen through the victim's computer:

“IP= 10.100.100.28 , ComputerName=Win82.lakestatebank.local”

On VirusTotal two were detected as malicious and two appear “clean”. But the ones that were not detected still look suspicious to me; one of them is associated with the AWS cloud platform, and the attacker may have used a virtual machine instance to send his malware.

I wanted to find out a bit more about these two undetected IPs, so I placed this query in the search bar:

source="5295-win82-sysmon.evtx"  8.211.241.0 OR 50.16.216.118
| reverse

From the results I went to the available EventCodes and chose 22, as I had already seen 3. I checked my Event IDs table to see what 22 represents: a DNS query.

What I understood is that rundll32.exe made DNS queries involving these two IPs, reaching out to some malicious domains.

Final thoughts

A lot more can still be discovered in this log file, but now I can say I have enough pieces of the puzzle to see the basic picture.

source="5295-win82-sysmon.evtx" 194.147.78.155 OR 190.114.254.116 OR 8.211.241.0 OR 50.16.216.118 OR 0714_6656030531.doc
| reverse

With this query, which includes all the external IPs and the initial malicious document, followed by the reverse command, all the malicious activities should be displayed in chronological order. Scrolling through the logs I can piece together the story of what happened and exactly how it happened.
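The three hunts this post walks through (an Office process spawning rundll32.exe, cmd.exe copying files into remote C$ shares, and the final indicator-list query with | reverse) can be expressed as plain detection logic over Sysmon fields. The block below is an added example and is not code from the original post or from Splunk; it runs over a small set of constructed events that echo the post's findings (file names, paths and the 10.100.100.x addresses are taken from the text, timestamps and full image paths are assumptions) rather than the real EVTX file.

```python
import re
# Constructed Sysmon events in the field layout Splunk extracts from an EVTX.
# The values echo the post's findings; they are NOT taken from 5295-win82-sysmon.evtx.
def ev(code, t, image, **fields):
    return {"EventCode": code, "UtcTime": t, "Image": image, **fields}

WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
RUNDLL = r"C:\Windows\System32\rundll32.exe"
CMD = r"C:\Windows\System32\cmd.exe"
EVENTS = [
    ev(11, "2023-07-14 09:01:10", r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
       TargetFilename=r"C:\Users\jerry.knapp\Downloads\0714_6656030531.doc"),
    ev(1, "2023-07-14 09:02:30", WORD, ParentImage=r"C:\Windows\explorer.exe",
       CommandLine=r'"WINWORD.EXE" /n "C:\Users\jerry.knapp\Downloads\0714_6656030531.doc"'),
    ev(1, "2023-07-14 09:03:05", RUNDLL, ParentImage=WORD,  # macro enabled -> rundll32 + ier.dll
       CommandLine=r"rundll32.exe C:\Users\jerry.knapp\AppData\Local\Temp\ier.dll"),
    ev(1, "2023-07-14 09:20:00", CMD, ParentImage=RUNDLL,
       CommandLine=r"C:\Windows\system32\cmd.exe /C net view /domain"),
    ev(1, "2023-07-14 09:25:00", CMD, ParentImage=RUNDLL,
       CommandLine=r"C:\Windows\system32\cmd.exe /C copy cor.dll \\10.100.100.20\C$\programdata"),
    ev(1, "2023-07-14 09:25:03", CMD, ParentImage=RUNDLL,
       CommandLine=r"C:\Windows\system32\cmd.exe /C copy cor.bat \\10.100.100.62\C$\programdata"),
    ev(1, "2023-07-14 09:30:00", CMD, ParentImage=r"C:\Windows\explorer.exe",  # benign local copy
       CommandLine=r"C:\Windows\system32\cmd.exe /C copy notes.txt D:\backup\notes.txt"),
]
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
LOLBINS = {"rundll32.exe", "cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe"}
# 'copy <file> \\<ipv4>\<drive>$\...': a copy into a remote administrative share
ADMIN_SHARE_COPY = re.compile(r"\bcopy\s+(\S+)\s+\\\\(\d{1,3}(?:\.\d{1,3}){3})\\[a-z]\$\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def office_spawned_lolbins(events):
    """EventCode 1 where an Office app parents a LOLBin (winword.exe -> rundll32.exe)."""
    return [e for e in events if e["EventCode"] == 1
            and basename(e.get("ParentImage", "")) in OFFICE and basename(e["Image"]) in LOLBINS]

def admin_share_copies(events):
    """cmd.exe copies into a remote drive$ share; returns (file, destination_ip) in event order."""
    hits = []
    for e in events:
        m = ADMIN_SHARE_COPY.search(e.get("CommandLine", "")) if e["EventCode"] == 1 else None
        if m:
            hits.append((m.group(1).lower(), m.group(2)))
    return hits

def timeline(events, indicators):
    """Like the post's final 'IOC1 OR IOC2 ... | reverse' query: matching events, oldest first."""
    hit = [e for e in events if any(i.lower() in str(v).lower() for i in indicators for v in e.values())]
    return sorted(hit, key=lambda e: e["UtcTime"])
```

The benign local copy at the end of the sample is there to show that the share-copy check keys on the \\host\drive$ destination, not on the word copy alone.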

The graph shows heavy network traffic and malicious activity after the malware has been fully installed.

CONCLUSION________________________________

The story begins with the download of a malicious document; then malicious code runs when the macro is enabled, and rundll32.exe and svhost.exe are abused to create additional malicious processes and to download and execute malware. The process continues with communication to the attacker's domains to establish command and control, lateral movement inside the company network, and execution of remote commands.

I hope you have enjoyed this. Thank you for reading, and I hope to see you on my next blog again.

