This is a very easy Sherlock from Hack The Box. Official walkthroughs do exist.

Files:

  • Microsoft-Windows-Powershell.evtx
  • Windows-Powershell-Operational.evtx

Looks like I will need a way to parse Windows Event Viewer logs. After a brief amount of searching I settled on this gem of a blog post DFIR – Analyze Windows Event Logs (evtx) from a Linux machine using sigma rules, chainsaw and evtx dump.

Things I grabbed:

A quick note. The blog linked uses git clones for what at the time was the latest repos. I don’t like doing that for a few reasons.

  1. Is the repo legit?
  2. Is this the newest version?
  3. Is it still maintained? Has something “better” taken its place?

Remember to do yourself a favor and investigate things before pulling the trigger.

I shamelessly used the initial command shown by the Tech Antidote blog.

./chainsaw hunt ~/Downloads/Sherlocks/ -s ~/Downloads/sigma --mapping ~/Downloads/chainsaw/mappings/sigma-event-logs-all.yml -r ~/Downloads/sigma/rules

The output was nice, but given that I like things boring, let’s try formatting this into a CSV.

./chainsaw hunt ~/Downloads/Sherlocks/ -s ~/Downloads/sigma --mapping ~/Downloads/chainsaw/mappings/sigma-event-logs-all.yml -r ~/Downloads/sigma/rules --csv --output phantomcheck.csv

The results of the CSV conversion were underwhelming. The vast majority of data was placed in the ‘Event Data’ column and was overloaded with text. Performing a word wrap made things difficult to read.

Pushing Ahead

The .csv conversion may seem clunky, but let’s forge ahead and touch base with our first question to see how much we should care about making the output more readable.

Question #1

Which WMI class did the attacker use to retrieve model and manufacturer information for virtualization detection?

So we are looking for a WMI (Windows Management Instrumentation) class. Using ctrl+f and searching for wmi in our document we can see six references. Time to go exploring.

It just so happens that the first hit contains our first answer.

MessageNumber: 1
ScriptBlockText: $Manufacturer = Get-WmiObject -Class Win32_ComputerSystem | select-object -expandproperty "Manufacturer"
ScriptBlockId: 293a0637-1894-4f0e-835c-08c726623ace
MessageTotal: 1
Path: ''

#1 Answer

Win32_ComputerSystem

Question #2

Which WMI query did the attacker execute to retrieve the current temperature value of the machine?

Once more, ctrl+f and searching for the word temperature gives us a clear path to the answer.

#2 Answer

SELECT * FROM MSAcpi_ThermalZoneTemperature

Question #3

The attacker loaded a PowerShell script to detect virtualization. What is the function name of the script?

At this point I did some reading. The first thing to search for was virtual, which led me to the following:

ScriptBlockText: “function Check-VM\n{\n\n<# \n.SYNOPSIS \nNishang script which detects whether it is in a known virtual machine.\n \n.DESCRIPTION \nThis script uses known parameters or ‘fingerprints’ of Hyper-V, VMWare, Virtual PC, Virtual Box,\nXen and QEMU for detecting the environment

It looks like this was a script from Nishang. More specifically, the Check-VM function.

#3 Answer

Check-VM

Question #4

Which registry key did the above script query to retrieve service details for virtualization detection?

It looks like the function continually calls on HKLM:\SYSTEM\ControlSet001\Services and searches through it for known virtualization software. Of course, the same could be said for a few other registry keys. I won’t lie. Despite this being very easy I was briefly flummoxed.

At this point the poor formatting of my .csv was giving me issues. I found it much easier to visit the Nishang repo on GitHub and review the source for Check-VM.ps1.

#4 Answer

HKLM:\SYSTEM\ControlSet001\Services

Question #5

The VM detection script can also identify VirtualBox. Which processes is it comparing to determine if the system is running VirtualBox?

Visiting the repo paid off. A quick search through Check-VM.ps1 for the word box and the following snippet of code shows us which two processes it is looking for.

    #Virtual Box
    $vb = Get-Process
    if (($vb -eq "vboxservice.exe") -or ($vb -match "vboxtray.exe"))
    {
        $vbvm = $true
    }

#5 Answer

vboxservice.exe, vboxtray.exe

Question #6

The VM detection script prints any detection with the prefix 'This is a'. Which two virtualization platforms did the script detect?

This is where I had to change tack. Up until this point I was able to answer the questions rather easily with Chainsaw and the .csv that was generated from the two .evtx files. But the .csv only contains 33 rows. It’s time to get more data.

Using evtx dump

./evtx_dump-v0.9.0-x86_64-unknown-linux-gnu -o json ~/Downloads/Sherlocks/Microsoft-Windows-Powershell.evtx >> MS_PS.txt
  • I probably should have used a .json extension instead of .txt.

I would suggest reading the documentation for EVTX dump. It has some options to run with FD to process all of the .evtx files in a directory. In my case I only ran it against Microsoft-Windows-Powershell.evtx.

The question clearly states that the output from the script will be This is a. That sounds like an easy grep search.

cat MS_PS.txt | grep "This is a" -A10 -B20
  • When searching through logs I like to fine tune the lines before and after the find. This allows me to glean additional information such as SystemTime and EventIDs.
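The grep above finds the 'This is a' lines, but a long script such as Check-VM is logged by PowerShell as several Event ID 4104 records (MessageNumber 1..MessageTotal, all sharing one ScriptBlockId), so a hit can land in a different record than the context you want. The script below is an added example, not code from the original post or from chainsaw, Nishang or evtx_dump: it reads one JSON record per line in the layout evtx_dump emits ({"Event": {"System": ..., "EventData": ...}}, assumed here), stitches the 4104 parts back together per ScriptBlockId, and reports the indicators the six questions ask about (the WMI class, the WMI query, the ControlSet Services key, the VirtualBox process names and the 'This is a' detection messages). All records, ScriptBlockIds and timestamps in it are constructed for the example.

```python
"""Added example (not from the original post or the tools it uses).

Reassembles Event ID 4104 script blocks from evtx_dump-style JSON lines and
flags the VM-detection indicators the walkthrough searched for by hand.
Assumed layout: {"Event": {"System": {...}, "EventData": {...}}}, one record
per line. Every record below is constructed for this example.
"""
import json
import re
from collections import defaultdict


def _record(event_id, data, when="2024-01-01T10:00:00.000000Z"):
    """Build one constructed record in the evtx_dump JSON layout (assumed)."""
    return {"Event": {"System": {"EventID": event_id,
                                 "TimeCreated": {"#attributes": {"SystemTime": when}}},
                      "EventData": data}}


# Constructed sample log, modelled on the 4104 fields quoted in the post. The two
# parts of block "aaaa-1" are deliberately out of order so reassembly matters.
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    _record(4104, {"MessageNumber": 2, "MessageTotal": 2, "ScriptBlockId": "aaaa-1",
                   "ScriptBlockText": "$vb = Get-Process\n"
                                      "if ($vb -match \"vboxtray.exe\") { 'This is a Virtual Box VM' }\n"
                                      "Get-ChildItem HKLM:\\SYSTEM\\ControlSet001\\Services\n}"}),
    _record(4104, {"MessageNumber": 1, "MessageTotal": 2, "ScriptBlockId": "aaaa-1",
                   "ScriptBlockText": "function Check-VM {\n$Manufacturer = Get-WmiObject -Class "
                                      "Win32_ComputerSystem | select-object -expandproperty \"Manufacturer\"\n"}),
    _record(4104, {"MessageNumber": 1, "MessageTotal": 1, "ScriptBlockId": "bbbb-2",
                   "ScriptBlockText": "Get-WmiObject -Query \"SELECT * FROM MSAcpi_ThermalZoneTemperature\""},
            when="2024-01-01T10:05:00.000000Z"),
    _record(4104, {"MessageNumber": 1, "MessageTotal": 1, "ScriptBlockId": "cccc-3",
                   "ScriptBlockText": "Write-Output 'This is a Hyper-V machine'"},
            when="2024-01-01T10:06:00.000000Z"),
    _record(4103, {"Payload": "CommandInvocation(Get-Process)"}),  # not a script block; skipped
])

# Patterns for the artefacts the Sherlock asks about. Where a capture group is
# present it isolates the value worth reporting (the class name).
INDICATORS = {
    "wmi_class": re.compile(r"Get-WmiObject\s+-Class\s+(\S+)", re.I),
    "wmi_query": re.compile(r"SELECT\s+\*\s+FROM\s+(\w+)", re.I),
    "registry_services": re.compile(r"HKLM:\\SYSTEM\\ControlSet\d+\\Services", re.I),
    "vbox_process": re.compile(r"vbox(?:service|tray)\.exe", re.I),
    "detection_message": re.compile(r"This is a[^'\"\n]*"),
}


def event_id(system):
    """EventID is a bare int, or {"#text": N, "#attributes": {...}} when the element had attributes."""
    eid = system.get("EventID")
    if isinstance(eid, dict):
        eid = eid.get("#text")
    return int(eid)


def reassemble_script_blocks(jsonl_text):
    """Group 4104 records by ScriptBlockId; join parts in MessageNumber order.

    Returns {script_block_id: {"first_seen": SystemTime, "text": full script}}.
    """
    parts = defaultdict(dict)
    first_seen = {}
    for line in jsonl_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)["Event"]
        if event_id(ev["System"]) != 4104:
            continue
        data = ev["EventData"]
        sid = data["ScriptBlockId"]
        parts[sid][int(data["MessageNumber"])] = data["ScriptBlockText"]
        when = ev["System"].get("TimeCreated", {}).get("#attributes", {}).get("SystemTime", "")
        first_seen[sid] = min(first_seen.get(sid, when), when)  # earliest part wins
    return {sid: {"first_seen": first_seen[sid],
                  "text": "".join(chunks[n] for n in sorted(chunks))}
            for sid, chunks in parts.items()}


def find_indicators(script_text):
    """Map indicator name -> list of matched values found in one script block."""
    hits = {}
    for name, rx in INDICATORS.items():
        found = [m.group(m.lastindex or 0) for m in rx.finditer(script_text)]
        if found:
            hits[name] = found
    return hits


def analyze(jsonl_text):
    """Reassembled blocks with their indicators, ordered by first-seen time."""
    blocks = reassemble_script_blocks(jsonl_text)
    return {sid: {"first_seen": blk["first_seen"], "indicators": find_indicators(blk["text"])}
            for sid, blk in sorted(blocks.items(), key=lambda kv: kv[1]["first_seen"])}


def detection_messages(jsonl_text):
    """Every 'This is a ...' string across all blocks: what the grep in the post surfaces."""
    return [msg for blk in analyze(jsonl_text).values()
            for msg in blk["indicators"].get("detection_message", [])]


if __name__ == "__main__":
    for sid, blk in analyze(SAMPLE_JSONL).items():
        print(sid, blk["first_seen"], blk["indicators"])
    print("detections:", detection_messages(SAMPLE_JSONL))
```

To run it against real output, feed the file produced by evtx_dump into analyze() instead of SAMPLE_JSONL; the only parts that depend on the assumed layout are _record() and the two lookups in reassemble_script_blocks(). Keying on ScriptBlockId rather than on individual records is what keeps the SystemTime and the detection string together even when the script was split across parts.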

#6 Answer

Hyper-V, Vmware

Things to Note

There are a few things I would do differently here and chief among them involves formatting and visualization. I watched a couple of videos afterwards and to be honest… I liked both of the approaches they took. Mine was clunky, but effective.

Ben Folland’s OP Blackout Walkthrough - YouTube

  • I’ll be setting up a Flare VM. I think it will be handy to have additional Windows specific tooling for Blueteam challenges.

Hack The Box - Official Walkthrough - YouTube

  • An interesting idea to use a SIEM to parse the logs. This is probably the most realistic approach.