Analyzing Sysmon From Backdoored UltraVNC Malware - HTB Sherlocks - Unit42

00:00 - Introduction 01:00 - Going over the Unit42 Research that was posted to GitHub 02:30 - Downloading Chainsaw which is what we will use to parse the eventlog 03:20 - Running the hunt operation with chainsaw and default sigma rules to see some suspicious events quickly 05:45 - Using the search functionality to show us events with the process guid to show us what the suspicious file did 12:55 - Question 1: How many event ID 11's are there, counting each Event ID 16:00 - Adding each Sysmon event name into our csv file 19:45 - Question 2: Identifying the malicious process, showing all process creation events and looking at what it does 21:00 - Question 3: Finding out how the malware was downloaded by looking at DNS Events and what process made them 24:23 - Question 4: Searching for file time stomping events to see the create time was set to an older time 25:45 - Question 5: Finding events related to once.cmd and seeing what created it 28:30 - Question 6: Looking at the DNS Queries for the malware to see the domain it uses to check if it has an internet connection 29:15 - Question 7: Searching network connections from the malware to see where it reached out to 29:45 - Question 8: Seeing where the process terminated itself 31:10 - Doing some bashful to see all the Sysmon rulenames a process triggered to get a high level understanding