Sysmon | Endpoint Monitoring | Logs analysis | Tryhackme Write-up

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions — I am more than happy to help.
  1. Sysmon (System Monitor) is a Windows Sysinternals tool that logs detailed events such as process creation, network connections, file changes, DLL loads, and registry modifications into the Windows Event Log, for threat hunting and forensics.

  2. Sysmon does not collect everything: it logs only what its XML configuration tells it to. The rules filter what to monitor or ignore, which reduces noise and improves relevance.

  3. Configs like SwiftOnSecurity's focus on noise reduction, while ION-Storm's is more aggressive with inclusions. Sysmon has no alerting of its own; the logs are typically forwarded to and analysed in a SIEM or other security tooling.

    https://github.com/SwiftOnSecurity/sysmon-config see the rules: each one tells Sysmon to include or exclude events whose fields meet a condition. With onmatch="include" only events that match a rule are logged; with onmatch="exclude" everything is logged except the events that match.

  4. Key Event IDs include 1 (process creation), 3 (network connections), 7 (DLL loads), 8 (CreateRemoteThread), 11 (file creation), 12–14 (registry changes), 15 (alternate data streams), and 22 (DNS queries).

    Sysmon includes 29 different types of Event IDs

    Below we will go over a few of the most important Event IDs and show examples of how they are used within config files.

    Read each config file discussed in Task 2 and, for every rule, work out whether it is an include or an exclude, what it matches, and why.

  5. Install Sysmon and its config file

  6. Example usage in both EventViewer and Powershell

Event Viewer — run as administrator

Events within Sysmon are stored in Applications and Services Logs/Microsoft/Windows/Sysmon/Operational

  • Event Viewer:

Take EventId=1 (process creation) as an example:

each event records the parent and child process relationship, together with the hashes, command line, image path, the user that executed it, and the time.
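The same Event ID 1 lookup from PowerShell instead of Event Viewer, with the install step in front of it, as an added example that is not part of the original write-up or the TryHackMe room. It assumes Sysmon64.exe and the SwiftOnSecurity sysmonconfig-export.xml are in the current directory and the session is elevated; the event XML embedded at the end is constructed so the parser can be tried on a machine without Sysmon.

```powershell
# Added example, not part of the original write-up or the TryHackMe room.
# Assumptions: Sysmon64.exe and sysmonconfig-export.xml sit in the current
# directory, and the session is elevated (reading the Sysmon log needs admin).

# 1) Install Sysmon with a configuration (run once). -accepteula avoids the
#    license prompt, -i installs the service and driver and loads the config.
#      .\Sysmon64.exe -accepteula -i .\sysmonconfig-export.xml
#    To load a new configuration later without reinstalling:
#      .\Sysmon64.exe -c .\sysmonconfig-export.xml

# 2) Turn one Sysmon event (as XML) into an object whose properties are the
#    EventData field names, so a record reads as $ev.ParentImage rather than
#    by positional index in $event.Properties.
function ConvertFrom-SysmonEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Xml)
    process {
        $x = [xml]$Xml
        $fields = [ordered]@{ EventID = [int]$x.Event.System.EventID }
        foreach ($d in $x.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# 3) Read process-creation events from the live Operational log. The XPath is
#    evaluated inside the Event Log service, which is far cheaper than pulling
#    every event and filtering with Where-Object afterwards.
function Get-SysmonProcessCreations {
    param([int] $MaxEvents = 50)
    Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' `
                 -FilterXPath '*[System[EventID=1]]' -MaxEvents $MaxEvents |
        ForEach-Object { $_.ToXml() } |
        ConvertFrom-SysmonEventXml |
        Select-Object UtcTime, User, ParentImage, Image, CommandLine, Hashes
}

# 4) A constructed Event ID 1 record (not a real capture; the hash is a dummy)
#    so the parser can be exercised without Sysmon installed.
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID></System>
  <EventData>
    <Data Name="UtcTime">2024-01-01 12:00:00.000</Data>
    <Data Name="Image">C:\Windows\System32\rundll32.exe</Data>
    <Data Name="CommandLine">rundll32.exe E:\loader.dll,Start</Data>
    <Data Name="User">LAB\bill</Data>
    <Data Name="Hashes">SHA256=0000000000000000000000000000000000000000000000000000000000000000</Data>
    <Data Name="ParentImage">C:\Windows\explorer.exe</Data>
    <Data Name="ParentCommandLine">C:\Windows\Explorer.EXE</Data>
  </EventData>
</Event>
'@
$ev = ConvertFrom-SysmonEventXml $sampleXml
'{0} -> {1}  user={2}  cmd="{3}"' -f $ev.ParentImage, $ev.Image, $ev.User, $ev.CommandLine
```

Get-SysmonProcessCreations needs an elevated session on a host that has Sysmon installed; the constructed record at the end runs anywhere. Keying fields by name rather than by index matters because Sysmon adds fields between releases and the positional order of $event.Properties shifts with them.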

Task 4: Cutting out the Noise

Answer the questions below

  1. Read the above and practice filtering events.

  2. How many event ID 3 events are in C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx?

Ans: 73,591

  3. What is the UTC time of the first network event in the same logfile? Note that UTC time is shown only in the "Details" tab.

Ans: 2021-01-06 01:35:50.464

  • Event Viewer:

Task 5: Hunting Metasploit

  • Event Viewer

    There is no Network event that has DestinationPort=4444

  • Get-WinEvent

To display full event details, use | Format-List *.
However, the filter we used for port 4444 is not an exact match: it also matches any event whose text contains 4444 (such as 14444 or 44445).

Use an exact-match condition on the DestinationPort field so that only events whose destination port equals 4444 are returned.

Logging or alerting only on port 4444 (default port) is insufficient — attackers can change ports, so always monitor process context, command-line, and related network indicators instead.
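The Task 4 counting and first-event questions and the Task 5 port filter done with Get-WinEvent, including the substring pitfall described above, as an added example that is not part of the original write-up or the room. It assumes $Path points at a Sysmon .evtx export such as the room's Filtering.evtx; the port list in Compare-PortFilters is constructed so that part runs without any log file.

```powershell
# Added example, not part of the original write-up or the TryHackMe room.
# Assumption: $Path is a Sysmon .evtx export such as the room's Filtering.evtx.
# Get-WinEvent -Path reads the file directly, no import into Event Viewer needed.

# Task 4: count NetworkConnect events (ID 3) and find the earliest one in UTC.
function Get-NetworkEventSummary {
    param([Parameter(Mandatory)] [string] $Path)
    $net   = @(Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=3]]' -ErrorAction SilentlyContinue)
    # Get-WinEvent returns newest first; sort to get the oldest.
    $first = $net | Sort-Object TimeCreated | Select-Object -First 1
    [pscustomobject]@{
        Count    = $net.Count
        # TimeCreated is local time. Event Viewer's Details tab and the UtcTime
        # field both show UTC, so convert before comparing with them.
        FirstUtc = if ($first) { $first.TimeCreated.ToUniversalTime().ToString('yyyy-MM-dd HH:mm:ss.fff') }
    }
}

# Task 5, the wrong way: a substring test on the rendered message also matches
# 14444 and 44445.
function Get-ConnectionsMentioning4444 {
    param([Parameter(Mandatory)] [string] $Path)
    Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=3]]' -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match '4444' }
}

# Task 5, the right way: compare the DestinationPort field itself. The equality
# test runs inside the Event Log service as part of the XPath.
function Get-ConnectionsToPort {
    param([Parameter(Mandatory)] [string] $Path, [int] $Port = 4444)
    $xpath = "*[System[EventID=3] and EventData[Data[@Name='DestinationPort']=$Port]]"
    Get-WinEvent -Path $Path -FilterXPath $xpath -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

# The pitfall on constructed data (no .evtx needed): which ports a substring
# match accepts versus an exact comparison.
function Compare-PortFilters {
    param([string[]] $Ports = @('4444', '14444', '44445', '443', '8080'))
    [pscustomobject]@{
        Substring = @($Ports | Where-Object { $_ -like '*4444*' })     # 4444, 14444, 44445
        Exact     = @($Ports | Where-Object { [int]$_ -eq 4444 })      # 4444
    }
}

Compare-PortFilters
# Get-NetworkEventSummary -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Filtering.evtx'
# Get-ConnectionsToPort -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-2.evtx' -Port 4443
```

Pushing the port comparison into -FilterXPath, rather than into Where-Object, is what makes the query usable on a 70,000-event file: the service only hands back the matching records instead of rendering every message for PowerShell to inspect.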

Task 6: Detecting Mimikatz

  1. Mimikatz is a credential-dumping tool (targets LSASS) often detected by AV but can be obfuscated.

  2. Simple hunt: alert on file creations (Event ID 11) whose TargetFilename contains “mimikatz”. This only catches the tool when it has not been renamed.

  3. Better hunt: monitor ProcessAccess events (Sysmon Event ID 10) whose TargetImage is lsass.exe; the SourceImage field shows which process opened the handle.

  4. Reduce noise by excluding known sources (e.g., svchost.exe) in your Sysmon config.

  5. Quick query example: Get-WinEvent -Path <log> -FilterXPath '*/System/EventID=10 and */EventData/Data[@Name="TargetImage"]="C:\Windows\system32\lsass.exe"'.

  • Event Viewer:

Look for lsass.exe or mimikatz.exe
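The Event ID 10 hunt above carried one step further, as an added example that is not part of the original write-up or the room: flatten ProcessAccess records, drop the known benign callers the text says to exclude, and look at the GrantedAccess mask, which is what separates reading LSASS memory from merely opening a handle to it. The access-mask reasoning is a widely used analyst heuristic and an assumption here, not a Sysmon definition; the records at the end are constructed.

```powershell
# Added example, not part of the original write-up or the TryHackMe room.
# Assumption: treating PROCESS_VM_READ (0x0010) in GrantedAccess as the
# dump-like signal is an analyst heuristic, not something Sysmon defines.
# Mimikatz's sekurlsa module is commonly seen with 0x1010 (VM_READ plus
# QUERY_LIMITED_INFORMATION); handle opens without VM_READ cannot read memory.

# Flatten Event ID 10 records from an .evtx into objects with named fields.
function Get-ProcessAccessEvents {
    param([Parameter(Mandatory)] [string] $Path)
    Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=10]]' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $h = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
            [pscustomobject]$h
        }
}

# Keep only accesses to lsass.exe, drop callers that open it legitimately, and
# classify the rest by the access mask.
function Find-LsassAccess {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [string[]] $BenignSources = @('C:\Windows\System32\svchost.exe', 'C:\Windows\System32\wininit.exe',
                                      'C:\Windows\System32\csrss.exe',   'C:\Windows\System32\wbem\WmiPrvSE.exe')
    )
    foreach ($e in $Events) {
        if ($e.TargetImage -notlike '*\lsass.exe')   { continue }
        if ($BenignSources -contains $e.SourceImage) { continue }
        $mask = [Convert]::ToInt32("$($e.GrantedAccess)", 16)      # "0x1010" -> 4112
        [pscustomobject]@{
            SourceImage   = $e.SourceImage
            GrantedAccess = $e.GrantedAccess
            Verdict       = if ($mask -band 0x0010) { 'DUMP-LIKE (VM_READ set)' } else { 'handle only, review' }
        }
    }
}

# Constructed records (not real captures): an excluded system caller, the
# unrenamed tool, the same tool renamed (the file-name hunt misses it), and a
# handle open without VM_READ.
$sample = @(
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\svchost.exe';         TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1000' }
    [pscustomobject]@{ SourceImage = 'C:\Users\bill\Downloads\mimikatz.exe';    TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1010' }
    [pscustomobject]@{ SourceImage = 'C:\Users\bill\Downloads\totally_fine.exe'; TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1410' }
    [pscustomobject]@{ SourceImage = 'C:\Windows\System32\taskmgr.exe';         TargetImage = 'C:\Windows\system32\lsass.exe'; GrantedAccess = '0x1400' }
)
Find-LsassAccess -Events $sample | Format-Table -AutoSize
# mimikatz.exe (0x1010) and totally_fine.exe (0x1410) come out DUMP-LIKE, svchost
# is excluded, taskmgr (0x1400) is "handle only".
# On a real log:  Find-LsassAccess -Events (Get-ProcessAccessEvents -Path 'C:\path\to\log.evtx')
```

The renamed copy is the point of the exercise: the file-name hunt from step 2 never sees totally_fine.exe, while the ProcessAccess hunt flags it on behaviour alone.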

Task 7: Hunting Malware

  • Hunt RATs/backdoors by logging suspicious back-connect ports (e.g., 1034, 1604, 8080) via Sysmon NetworkConnect rules.

  • Use include rules for ports you want to catch and exclude rules for noisy benign apps (e.g., OneDrive) to reduce alerts.

  • Be careful: blindly excluding ports (like 53) can hide real attacks—attackers can use any port.

  • Correlate port findings with process context, command-line, and packet captures before concluding compromise.

We are detecting a custom RAT that operates on port 8080. This is a perfect example of why you want to be careful when excluding events in order to not miss potential malicious activity.

The malware bigbadrat.exe executed and made an outbound network connection to IP 10.13.4.34 on port 8080.
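To make the include/exclude semantics from the Task 2 and Task 3 config notes and the Task 7 port-53 caveat concrete, here is a toy evaluator for Sysmon-style rules run over constructed NetworkConnect records. This is an added example and not part of the original write-up, the room, or Sysmon itself: it implements only four of Sysmon's conditions, no rule groups with AND, and it assumes (as the Sysmon documentation states) that a matching exclude rule overrides a matching include rule. The config fragment and every record are constructed for the demo.

```powershell
# Added example, not part of the original write-up or the TryHackMe room: a toy
# evaluator for Sysmon-style include/exclude rules.
#   onmatch="include": only events matching a rule are logged
#   onmatch="exclude": events matching a rule are dropped, everything else is logged
# Assumption mirrored from the Sysmon docs: an exclude match overrides an include
# match. Only the conditions is / contains / begin with / end with are implemented.

# A SwiftOnSecurity-style fragment (constructed here). <!--EXTRA--> is a
# placeholder used below to add the risky port-53 exclusion.
$template = @'
<Sysmon schemaversion="4.22">
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="exclude">
        <Image condition="end with">\OneDrive.exe</Image>
        <!--EXTRA-->
      </NetworkConnect>
    </RuleGroup>
    <RuleGroup name="" groupRelation="or">
      <NetworkConnect onmatch="include">
        <DestinationPort condition="is">1034</DestinationPort>
        <DestinationPort condition="is">1604</DestinationPort>
        <DestinationPort condition="is">8080</DestinationPort>
        <Image condition="contains">\AppData\Local\Temp\</Image>
      </NetworkConnect>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

function Test-Condition {
    param([string] $Condition, [string] $Value, [string] $Pattern)
    switch ($Condition) {          # Sysmon string conditions are case-insensitive, as are -eq and -like
        'is'         { $Value -eq $Pattern }
        'contains'   { $Value -like "*$Pattern*" }
        'begin with' { $Value -like "$Pattern*" }
        'end with'   { $Value -like "*$Pattern" }
        default      { throw "condition '$Condition' is not implemented in this toy" }
    }
}

# $true when a record would be written to the Sysmon log under $Config.
function Test-SysmonLogged {
    param([xml] $Config, [string] $EventType, [hashtable] $Record)
    $matched = @{ include = $false; exclude = $false }
    $hasInclude = $false
    foreach ($node in $Config.Sysmon.EventFiltering.RuleGroup.$EventType) {
        $mode = $node.onmatch
        if ($mode -eq 'include') { $hasInclude = $true }
        foreach ($rule in $node.ChildNodes) {
            if ($rule.NodeType -ne 'Element' -or -not $Record.ContainsKey($rule.LocalName)) { continue }
            if (Test-Condition $rule.condition $Record[$rule.LocalName] $rule.InnerText) { $matched[$mode] = $true }
        }
    }
    if ($matched.exclude) { return $false }   # an exclude match always wins
    if ($hasInclude)      { return $matched.include }
    return $true                               # exclude-only config: log everything not excluded
}

$config = [xml]($template -replace '<!--EXTRA-->', '')
$noisy  = [xml]($template -replace '<!--EXTRA-->', '<DestinationPort condition="is">53</DestinationPort>')

# Constructed records (not real captures).
$rat      = @{ Image = 'C:\Users\bill\AppData\Local\Temp\bigbadrat.exe'; DestinationIp = '10.13.4.34'; DestinationPort = '8080' }
$ratDns   = @{ Image = 'C:\Users\bill\AppData\Local\Temp\bigbadrat.exe'; DestinationIp = '10.13.4.34'; DestinationPort = '53' }
$onedrive = @{ Image = 'C:\Users\bill\AppData\Local\Microsoft\OneDrive\OneDrive.exe'; DestinationIp = '10.0.0.5'; DestinationPort = '8080' }
$browser  = @{ Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; DestinationIp = '10.0.0.6'; DestinationPort = '443' }

'rat 8080            : {0}' -f (Test-SysmonLogged $config 'NetworkConnect' $rat)       # True  (include on 8080)
'onedrive 8080       : {0}' -f (Test-SysmonLogged $config 'NetworkConnect' $onedrive)  # False (exclude beats the 8080 include)
'browser 443         : {0}' -f (Test-SysmonLogged $config 'NetworkConnect' $browser)   # False (no include rule matched)
'rat 53              : {0}' -f (Test-SysmonLogged $config 'NetworkConnect' $ratDns)    # True  (include on \Temp\)
'rat 53, port 53 excl: {0}' -f (Test-SysmonLogged $noisy  'NetworkConnect' $ratDns)    # False (the exclusion hid it)
```

The last two lines are the Task 7 warning in miniature: the same RAT talking over port 53 is logged under the first config because its image path matched an include rule, and silently vanishes once a blanket port-53 exclusion is added to quiet DNS.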

Task 8: Hunting Persistence

Using Startup or StartMenu Directories:

EventID = 11 [file creation]

  1. Persistence allows attackers to maintain access to a compromised machine, commonly via registry modifications or startup scripts.

  2. Hunt startup persistence by monitoring files created in \Startup\ or \Start Menu\ folders (MITRE T1023 and T1165 in the room's legacy ATT&CK numbering; the current technique is T1547.001, Registry Run Keys / Startup Folder) using Sysmon and the SwiftOnSecurity rules.

Example: a malicious EXE (persist.exe) placed in the Startup folder is flagged by a FileCreate (Event ID 11) rule on TargetFilename.

Using Registry Keys :

  • Event ID 12 logs creation and deletion of registry objects (both keys and values)

  • Event ID 13 Captures changes to existing registry values. Helps detect tampering with configuration, credential theft setups, or disabling security features.

  • Event ID 14 tracks renaming of registry keys and values

  1. Hunt registry AutoRuns by monitoring modifications to keys like

    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    • HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

  2. Example: malicious.exe added to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Persistence can be tracked using TargetObject rules in Sysmon.

Task 9: Detecting Evasion Techniques

Hunting Alternate Data Streams(ADS):

  • Malware evasion includes Alternate Data Streams (ADS) and code injection (DLL/PE injection) to hide or run malicious code.

  • Sysmon EventID 15 (FileCreateStreamHash) logs the creation of a named NTFS stream (an ADS) and records a hash of its contents, along with the file it is attached to.

  • Use the SwiftOnSecurity rules to include suspicious stream locations and extensions (for example streams created under Downloads or Temp, or on .hta and .bat files) so that those ADS are logged and hashed.

    CMD: dir /r (lists each file's alternate data streams, shown as file:stream:$DATA)

Detecting Remote Threads

  • Sysmon EventID 8 (CreateRemoteThread) detects remote-thread creation used for DLL injection, thread hijacking, or process hollowing.

  • Reduce noise by excluding known benign SourceImage→TargetImage pairs (example: svchost.exe → chrome.exe) in your config file.

  • Example detection: PowerShell creating a remote thread into notepad.exe (reflective PE injection) is strongly suspicious and needs investigation.
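The Task 8 and Task 9 hunts (Startup folder drops, Run-key autoruns, alternate data streams, and remote threads from script hosts) written as predicates over flattened Sysmon records, as an added example that is not part of the original write-up or the room. Every record below is constructed for the demo, and the regular expressions are this example's own approximations of the SwiftOnSecurity rules, not copies of them.

```powershell
# Added example, not part of the original write-up or the TryHackMe room.
# Records are hashtables keyed by the Sysmon EventData field names; the patterns
# are this example's approximations of the SwiftOnSecurity rules.

$startupRx   = '\\(Start Menu|Startup)\\'                          # user and common Startup folders
$runKeyRx    = '\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\'
$adsRx       = '^[A-Za-z]:\\.*:[^\\:]+$'                           # drive:\path\name:stream (file or directory)
$scriptHosts = 'powershell.exe', 'mshta.exe', 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe'

# Each hunt names the Sysmon event IDs it applies to and a test on the record.
$hunts = @(
    @{ Name = 'Startup folder drop (T1547.001)';    EventID = 11;     Test = { param($e) $e.TargetFilename -match $startupRx } }
    @{ Name = 'Run key autorun (T1547.001)';        EventID = 12, 13; Test = { param($e) $e.TargetObject -match $runKeyRx } }
    @{ Name = 'Alternate data stream written';      EventID = 15;     Test = { param($e) $e.TargetFilename -match $adsRx -and $e.TargetFilename -notmatch ':Zone\.Identifier$' } }
    @{ Name = 'Script host created remote thread';  EventID = 8;      Test = { param($e) $scriptHosts -contains (Split-Path $e.SourceImage -Leaf) } }
)

function Invoke-SysmonHunts {
    param([Parameter(Mandatory)] [hashtable[]] $Events, [hashtable[]] $Hunts = $hunts)
    foreach ($e in $Events) {
        foreach ($h in $Hunts) {
            if ($h.EventID -contains $e.EventID -and (& $h.Test $e)) {
                [pscustomobject]@{
                    Hunt    = $h.Name
                    EventID = $e.EventID
                    Image   = if ($e.SourceImage) { $e.SourceImage } else { $e.Image }
                    Target  = (@($e.TargetFilename, $e.TargetObject, $e.TargetImage) -ne $null) -join ' '
                }
            }
        }
    }
}

# Constructed records (not real captures): one hit and one benign look-alike per hunt.
$events = @(
    @{ EventID = 11; Image = 'C:\Windows\System32\cmd.exe';   TargetFilename = 'C:\Users\bill\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\persist.exe' }
    @{ EventID = 11; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; TargetFilename = 'C:\Users\bill\Downloads\report.pdf' }
    @{ EventID = 13; Image = 'C:\Windows\regedit.exe';        TargetObject = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Persistence'; Details = 'C:\Users\bill\malicious.exe' }
    @{ EventID = 13; Image = 'C:\Windows\System32\svchost.exe'; TargetObject = 'HKLM\SYSTEM\CurrentControlSet\Services\BITS\Start'; Details = 'DWORD (0x00000003)' }
    @{ EventID = 15; Image = 'C:\Windows\System32\cmd.exe';   TargetFilename = 'c:\users\q\AppData:blah.txt' }
    @{ EventID = 15; Image = 'C:\Program Files\Mozilla Firefox\firefox.exe'; TargetFilename = 'C:\Users\bill\Downloads\update.html:Zone.Identifier' }
    @{ EventID = 8;  SourceImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'; TargetImage = 'C:\Windows\System32\notepad.exe' }
    @{ EventID = 8;  SourceImage = 'C:\Windows\System32\svchost.exe'; TargetImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe' }
)
Invoke-SysmonHunts -Events $events | Format-Table -AutoSize
# Hits: persist.exe in Startup, Run\Persistence, AppData:blah.txt, powershell.exe -> notepad.exe.
# Not hit: report.pdf, the BITS service key, the Zone.Identifier stream, svchost -> chrome.
```

Note the ADS pattern deliberately accepts a stream on a directory (AppData:blah.txt) and not just on a file, and skips Zone.Identifier, which browsers write on every download; a hunt keyed to "\Downloads\" alone would have missed the directory-stream case.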

Task 10: Practical Investigations

Event files used within this task have been sourced from the EVTX-ATTACK-SAMPLES and SysmonResources GitHub repositories.

You can download the event logs used in this room from this task or you can open them in the Investigations folder on the provided machine.

Answer the questions below


Investigation 1 - ugh, BILL THAT'S THE WRONG USB!

In this investigation, your team has received reports that a malicious file was dropped onto a host by a malicious USB. They have pulled the logs suspected and have tasked you with running the investigation for it.

Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-1.evtx.

What is the full registry key of the USB device calling svchost.exe in Investigation 1?

Ans:

EventID=12,13,14

HKLM\System\CurrentControlSet\Enum\WpdBusEnumRoot\UMB\2&37c186b&0&STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_SANDISK&PROD_U3_CRUZER_MICRO&REV_8.01#4054910EF19005B3&0#\FriendlyName

What is the device name when being called by RawAccessRead in Investigation 1?

Ans: \Device\HarddiskVolume3

What is the first exe the process executes in Investigation 1?

Ans: rundll32.exe

What happened:

USB inserted → explorer.exe and two svchost.exe instances wrote the device's registry keys (Event ID 12/13).
Under explorer.exe, rundll32.exe was launched (probably loading a DLL from the USB).
rundll32.exe spawned calc.exe, a common “proof of execution” behaviour.
rundll32.exe was then terminated.

rundll32.exe is a legitimate Windows process, but it is frequently abused by malware to run DLL exports.


Investigation 2 - This isn't an HTML file?

Another suspicious file has appeared in your logs and has managed to execute code masking itself as an HTML file, evading your anti-virus detections. Open the logs and investigate the suspicious file.

Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-2.evtx.

What is the full path of the payload in Investigation 2?

Ans: C:\Users\IEUser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\S97WTYG7\update.hta

What happened: the user downloaded update.html → iexplore.exe launched mshta.exe to run update.hta (AccessDataStream) → mshta.exe (PID 652) executed the HTA and later opened a network connection back to the attacker's IP and port. Correlate the Sysmon and Windows events for that same PID to prove the callback.

What is the full path of the file the payload masked itself as in Investigation 2?

Ans: C:\Users\IEUser\Downloads\update.html

What signed binary executed the payload in Investigation 2?

Ans: C:\Windows\System32\mshta.exe

What is the IP of the adversary in Investigation 2?

Ans: 10.0.2.18

What back connect port is used in Investigation 2?

Ans: 4443


Investigation 3.1 - 3.2 - Where's the bouncer when you need him

Your team has informed you that the adversary has managed to set up persistence on your endpoints as they continue to move throughout your network. Find how the adversary managed to gain persistence using logs provided.

Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-3.1.evtx

and C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-3.2.evtx.

What is the IP of the suspected adversary in Investigation 3.1?

Ans: 172.30.1.253

What is the hostname of the affected endpoint in Investigation 3.1?

Ans: DESKTOP-O153T4R

What is the hostname of the C2 server connecting to the endpoint in Investigation 3.1?

Ans: empirec2

Where in the registry was the payload stored in Investigation 3.1?

Ans: HKLM\SOFTWARE\Microsoft\Network\debug

What PowerShell launch code was used to launch the payload in Investigation 3.1?

Ans: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKLM:Software\Microsoft\Network debug).debug);start -Win Hidden -A "-enc $x" powershell";exit;

  • PowerShell stored a hidden (Base64-encoded) script in the registry.

  • How it runs: the Sticky Keys (sethc.exe) settings were changed so that Windows runs PowerShell with that hidden script.

  • What that means: pressing Sticky Keys (or anything that triggers sethc.exe) silently runs the attacker's code.

  • Why it's bad: this gives the attacker a hidden way to run code that survives restarts; high risk.


What happened:

  • Network callback: a single process (same PID) opened outbound connections to ATTACKER_IP:PORT three times, which indicates the launched PowerShell performed repeated callbacks.

  • Staging to disk: that process launched a child cmd.exe which wrote the Base64 PowerShell payload into an alternate data stream, c:\users\q\AppData:blah.txt.

  • cmd.exe terminated after writing the stream.

  • Persistence: a scheduled task was created to run the encoded payload read back from blah.txt.

  • Execution via task: when the task ran, schtasks.exe accessed lsass.exe (Event ID 10 ProcessAccess), which is suspicious because nothing in a legitimate updater needs a handle to LSASS.

  • Task stopped/terminated: the scheduled task process was terminated.

What is the IP of the adversary in Investigation 3.2?

Ans: 172.168.103.188

What is the full path of the payload location in Investigation 3.2?

Ans: c:\users\q\AppData:blah.txt

What was the full command used to create the scheduled task in Investigation 3.2?

Ans:

"C:\WINDOWS\system32\schtasks.exe" /Create /F /SC DAILY /ST 09:00 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String($(cmd /c ''more < c:\users\q\AppData:blah.txt'''))))\""

What process was accessed by schtasks.exe that would be considered suspicious behavior in Investigation 3.2?

Ans: lsass.exe
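Both launch commands recovered in Investigations 3.1 and 3.2 tell the analyst how the stagers were encoded: -enc in 3.1 and [Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(...)) in 3.2 both mean Base64 over UTF-16LE script text. The helpers below recover and decode such a payload on the affected host, as an added example that is not part of the original write-up or the room. The registry value and stream names come from the answers above; the Base64 blob in the demo at the end is constructed (a harmless Write-Host), not the real Empire stager.

```powershell
# Added example, not part of the original write-up or the TryHackMe room.
# Registry value and stream names are the ones from the Investigation 3 answers;
# the demo blob at the end is constructed, not the real stager.

# Decode a PowerShell -EncodedCommand style blob (Base64 over UTF-16LE text).
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)] [string] $Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64.Trim()))
}

# 3.1: stager stored in the registry value HKLM\SOFTWARE\Microsoft\Network\debug.
# "(gp HKLM:Software\Microsoft\Network debug).debug" in the launch code is
# Get-ItemProperty reading that value.
function Get-RegistryStagedPayload {
    param([string] $Key = 'HKLM:\SOFTWARE\Microsoft\Network', [string] $Value = 'debug')
    $blob = (Get-ItemProperty -Path $Key -Name $Value -ErrorAction Stop).$Value
    ConvertFrom-EncodedCommand $blob
}

# 3.2: stager stored in an alternate data stream on the AppData directory,
# c:\users\q\AppData:blah.txt. cmd's "more < path:stream" reads it; so does -Stream.
function Get-AdsStagedPayload {
    param([string] $Path = 'C:\Users\q\AppData', [string] $Stream = 'blah.txt')
    $blob = Get-Content -LiteralPath $Path -Stream $Stream -Raw -ErrorAction Stop
    ConvertFrom-EncodedCommand $blob
}

# Hunt for 3.2-style staging: every non-default stream under a directory tree,
# ignoring the Zone.Identifier stream that browsers add to downloads. Sysmon
# Event ID 15 would have recorded the write; this is the on-disk check.
function Find-AlternateStreams {
    param([string] $Root = $env:USERPROFILE)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}

# Constructed demo: encode a harmless one-liner the way "-enc" expects, then decode it.
$demo = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Write-Host "stager would run here"'))
ConvertFrom-EncodedCommand $demo      # -> Write-Host "stager would run here"
# On the affected host:  Get-RegistryStagedPayload ; Get-AdsStagedPayload ; Find-AlternateStreams -Root 'C:\Users\q'
```

Decoding with [Text.Encoding]::Unicode rather than UTF8 is the detail that trips people up: -EncodedCommand expects UTF-16LE, so a UTF-8 decode of the same blob produces script text interleaved with null characters.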


Investigation 4 - Mom look! I built a botnet!

As the adversary has gained a solid foothold onto your network it has been brought to your attention that they may have been able to set up C2 communications on some of the endpoints. Collect the logs and continue your investigation.

Logs are located in C:\Users\THM-Analyst\Desktop\Scenarios\Investigations\Investigation-4.evtx.

What is the IP of the adversary in Investigation 4?

Ans: 172.30.1.253

What port is the adversary operating on in Investigation 4?

Ans: 80

What C2 is the adversary utilizing in Investigation 4?

Ans: empire


Congratulations on completing the room

Happy Hunting!