jingle bell writeup

content/post/3/jinglebell.md

@@ -0,0 +1,112 @@
+---
+title: "Jingle Bell HackTheBox Sherlock Writeup"
+summary: "Explore Windows artifact analysis focusing on notification artifacts in this Jingle Bell HackTheBox Sherlock writeup."
+tags: ["HackTheBox", "Sherlock", "DFIR", "Windows Artifacts", "Notification Artifacts"]
+author: "Katana"
+description: "Explore Windows artifact analysis focusing on notification artifacts in this Jingle Bell HackTheBox Sherlock writeup."
+canonicalURL: "https://h3xkatana.github.io/Blog/post/Jingle-Bell/"
+---
+
+## Introduction
+
+In this Sherlock writeup, we delve into analyzing Windows artifacts, specifically focusing on notification artifacts. All notifications in Windows are stored in a SQLite database within a notification table, typically in XML format.
+
+![Notification Artifact](https://github.com/H3xKatana/Blog/blob/main/content/post/3/1.png?raw=true)
+
+To facilitate analysis, you can use the following Python script to import the database file as a CSV file or utilize any online SQLite viewer.
+
+```python
+# Python script for exporting Windows 10 notification data to CSV
+# Usage: python WPNtoCSV.py inputDB outputCSV
+
+import sqlite3
+import csv
+import sys
+
+def generateCSV(csr, outputfilename):
+    csr.execute("""SELECT n.'Order', n.Id, n.Type, nh.PrimaryId AS HandlerPrimaryId, nh.CreatedTime AS HandlerCreatedTime, nh.ModifiedTime AS HandlerModifiedTime, n.Payload,
+                          CASE WHEN n.ExpiryTime != 0 THEN datetime((n.ExpiryTime/10000000)-11644473600, 'unixepoch') ELSE n.ExpiryTime END AS ExpiryTime,
+                          CASE WHEN n.ArrivalTime != 0 THEN datetime((n.ArrivalTime/10000000)-11644473600, 'unixepoch') ELSE n.ArrivalTime END AS ArrivalTime
+                   FROM Notification n
+                   INNER JOIN NotificationHandler nh ON n.HandlerID = nh.RecordID""")
+    result = csr.fetchall()
+    with open(outputfilename, "w", newline='', encoding="utf-8") as f:
+        writer = csv.writer(f, delimiter='\t')
+        writer.writerow(list(map(lambda x: x[0], csr.description)))
+        for line in result:
+            lst = list(line)
+            lst[-2] = "" if lst[-2] == 0 else lst[-2]
+            lst[-1] = "" if lst[-1] == 0 else lst[-1]
+            writer.writerow(lst)
+
+def printMetainfo(csr):
+    csr.execute("SELECT * FROM Metadata")
+    result = csr.fetchall()
+    print("""\n            
+        Notifications - Metadata
+        ------------------------
+        """)
+    for line in result:
+        print("\t" + line[0] + ":  " + str(line[1]))
+    print()
+
+if __name__ == "__main__":
+    if len(sys.argv) == 3:
+        conn = sqlite3.connect(sys.argv[1])
+        csr = conn.cursor()
+        printMetainfo(csr)
+        generateCSV(csr, sys.argv[2])
+    else:
+        print("""\n            
+        Windows 10 Notifications to CSV 
+        -------------------------------
+        This script processes the wpndatabase.db notifications database from Windows 10 
+        and gives a truncated, tab-delimited file as output.
+        File location:  %APPDATA%\Local\Microsoft\Windows\\Notifications\wpndatabase.db
+            
+        Usage: 
+        WPNtoCSV.py   inputDB   outputCSV 
+            
+        Example:
+        WPNtoCSV.py   wpndatabase.db  notifications.csv
+        """)
+
+```
+![Notification Artifact](https://github.com/H3xKatana/Blog/blob/main/content/post/3/2.png?raw=true)
+
+
+## Task Analysis
+
+1. **Identify Sender:** Analyze the URL to identify the sender of the notification.
+
+2. **Title Examination:** Examine the titles of the notifications.
+
+3. **Message Sender Identification:** Determine who is sending the messages.
+
+4. **Room Number Analysis:** Investigate the significance of room numbers in the notifications.
+
+5. **Password Detection:** Detect potentially easy-to-find passwords within the messages.
+
+6. **Drive URL Analysis:** Examine plain URLs related to drives.
+
+7. **Timestamp Conversion:** Utilize the provided script to convert timestamps for message delivery.
+
+
+```python
+ import datetime
+
+# Define the timestamp value from the message
+timestamp_str = "1681986889.660179"
+
+# Convert the timestamp string to a float (assuming it's in seconds since Unix epoch)
+timestamp_seconds = float(timestamp_str)
+
+# Convert the timestamp to a datetime object in UTC timezone
+utc_datetime = datetime.datetime.utcfromtimestamp(timestamp_seconds)
+
+# Print the UTC datetime in a readable format
+print("Message Delivered at (UTC):", utc_datetime)
+```
+
+
+8. **Monetary Value Assessment:** Analyze monetary values mentioned, e.g., "10000".

public/post/2/unit42/index.html

@@ -1,6 +1,6 @@
 <!doctype html><html lang=en dir=auto><head><script src="/livereload.js?mindelay=10&amp;v=2&amp;port=1313&amp;path=livereload" data-no-instant defer></script><meta charset=utf-8><meta http-equiv=X-UA-Compatible content="IE=edge"><meta name=viewport content="width=device-width,initial-scale=1,shrink-to-fit=no"><meta name=robots content="index, follow"><title>Unit42 writeup | Katana</title>
 <meta name=keywords content="Post,hackthebox,sherlocks,DFIR"><meta name=description content="Unit42 hack the box  sherlock writeup"><meta name=author content="Katana"><link rel=canonical href=https://h3xkatana.github.io/Blog/post/unit42/><link crossorigin=anonymous href=/assets/css/stylesheet.4599eadb9eb2ad3d0a8d6827b41a8fda8f2f4af226b63466c09c5fddbc8706b7.css integrity="sha256-RZnq256yrT0KjWgntBqP2o8vSvImtjRmwJxf3byHBrc=" rel="preload stylesheet" as=style><link rel=icon href=http://localhost:1313/favicon.ico><link rel=icon type=image/png sizes=16x16 href=http://localhost:1313/favicon-16x16.png><link rel=icon type=image/png sizes=32x32 href=http://localhost:1313/favicon-32x32.png><link rel=apple-touch-icon href=http://localhost:1313/apple-touch-icon.png><link rel=mask-icon href=http://localhost:1313/safari-pinned-tab.svg><meta name=theme-color content="#2e2e33"><meta name=msapplication-TileColor content="#2e2e33"><link rel=alternate hreflang=en href=http://localhost:1313/post/2/unit42/><noscript><style>#theme-toggle,.top-link{display:none}</style><style>@media(prefers-color-scheme:dark){:root{--theme:rgb(29, 30, 32);--entry:rgb(46, 46, 51);--primary:rgb(218, 218, 219);--secondary:rgb(155, 156, 157);--tertiary:rgb(65, 66, 68);--content:rgb(196, 196, 197);--code-block-bg:rgb(46, 46, 51);--code-bg:rgb(55, 56, 62);--border:rgb(51, 51, 51)}.list{background:var(--theme)}.list:not(.dark)::-webkit-scrollbar-track{background:0 0}.list:not(.dark)::-webkit-scrollbar-thumb{border-color:var(--theme)}}</style></noscript><meta property="og:title" content="Unit42 writeup"><meta property="og:description" content="Unit42 hack the box  sherlock writeup"><meta property="og:type" content="article"><meta property="og:url" content="http://localhost:1313/post/2/unit42/"><meta property="og:image" content="http://localhost:1313/img/"><meta property="article:section" content="post"><meta property="og:site_name" content="katana"><meta name=twitter:card content="summary_large_image"><meta name=twitter:image content="http://localhost:1313/img/"><meta name=twitter:title content="Unit42 writeup"><meta name=twitter:description content="Unit42 hack the box  sherlock writeup"><script type=application/ld+json>{"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Posts","item":"http://localhost:1313/post/"},{"@type":"ListItem","position":2,"name":"Unit42 writeup","item":"http://localhost:1313/post/2/unit42/"}]}</script><script type=application/ld+json>{"@context":"https://schema.org","@type":"BlogPosting","headline":"Unit42 writeup","name":"Unit42 writeup","description":"Unit42 hack the box  sherlock writeup","keywords":["Post","hackthebox","sherlocks","DFIR"],"articleBody":"INTRO: In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto’s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.\nWe have a file containing Windows event logs that capture suspicious activity. These logs are accompanied by well-defined rules for detection.\nUpon filtering, we discovered that there are 56 occurrences of Event ID 11, which is highly suspicious because this ID typically signifies file creation events.\nEvent ID 1 provides detailed records of processes, including their names, hashes, and parent paths. This information can be instrumental in identifying malware.\nEvent ID 22 presents domain records, indicating that the file was downloaded from Dropbox, which raises suspicion.\nEvent ID 2 indicates a process altering file creation times, a behavior that is often indicative of malicious activity.\nFor Task 5, the instruction is to search for Event ID 11 alongside the presence of “once.cmd”, suggesting a specific detection scenario.\nTask 6 involves utilizing Event ID 22 to uncover domain names associated with potentially malicious activities.\nTask 7 entails leveraging Event ID 3, which typically indicates network connections, to identify suspicious connections, particularly those involving TCP connections to suspicious IP addresses.\nFinally, Task 8 involves using Event ID 5 to compile a list of terminated processes, which could provide insights into potentially malicious activities that have been halted.\nIn summary, by analyzing specific event IDs and their associated details, we can effectively detect and investigate suspicious activities within the Windows event logs.\n","wordCount":"285","inLanguage":"en","image":"http://localhost:1313/img/","datePublished":"0001-01-01T00:00:00Z","dateModified":"0001-01-01T00:00:00Z","author":{"@type":"Person","name":"Katana"},"mainEntityOfPage":{"@type":"WebPage","@id":"http://localhost:1313/post/2/unit42/"},"publisher":{"@type":"Organization","name":"Katana","logo":{"@type":"ImageObject","url":"http://localhost:1313/favicon.ico"}}}</script></head><body id=top><script>localStorage.getItem("pref-theme")==="dark"?document.body.classList.add("dark"):localStorage.getItem("pref-theme")==="light"?document.body.classList.remove("dark"):window.matchMedia("(prefers-color-scheme: dark)").matches&&document.body.classList.add("dark")</script><header class=header><nav class=nav><div class=logo><a href=http://localhost:1313/ accesskey=h title="Home (Alt + H)"><img src=http://localhost:1313/apple-touch-icon.png alt aria-label=logo height=35>Home</a><div class=logo-switches><button id=theme-toggle accesskey=t title="(Alt + T)"><svg id="moon" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><path d="M21 12.79A9 9 0 1111.21 3 7 7 0 0021 12.79z"/></svg><svg id="sun" xmlns="http://www.w3.org/2000/svg" width="24" height="18" viewBox="0 0 24 24" fill="none" stroke="currentcolor" stroke-width="2" stroke-linecap="round" stroke-linejoin="round"><circle cx="12" cy="12" r="5"/><line x1="12" y1="1" x2="12" y2="3"/><line x1="12" y1="21" x2="12" y2="23"/><line x1="4.22" y1="4.22" x2="5.64" y2="5.64"/><line x1="18.36" y1="18.36" x2="19.78" y2="19.78"/><line x1="1" y1="12" x2="3" y2="12"/><line x1="21" y1="12" x2="23" y2="12"/><line x1="4.22" y1="19.78" x2="5.64" y2="18.36"/><line x1="18.36" y1="5.64" x2="19.78" y2="4.22"/></svg></button></div></div><ul id=menu><li><a href=http://localhost:1313/archives/ title=Archive><span>Archive</span></a></li><li><a href=http://localhost:1313/categories/ title=categories><span>categories</span></a></li><li><a href=http://localhost:1313/search/ title="Search (Alt + /)" accesskey=/><span>Search</span></a></li><li><a href=http://localhost:1313/tags/ title=tags><span>tags</span></a></li></ul></nav></header><main class=main><article class=post-single><header class=post-header><div class=breadcrumbs><a href=http://localhost:1313/>Home</a>&nbsp;»&nbsp;<a href=http://localhost:1313/post/>Posts</a></div><h1 class="post-title entry-hint-parent">Unit42 writeup</h1><div class=post-description>Unit42 hack the box sherlock writeup</div><div class=post-meta>2 min&nbsp;·&nbsp;285 words&nbsp;·&nbsp;Katana&nbsp;|&nbsp;<a href=https://github.com/%3cpath_to_repo%3e/content/post/2/Unit42.md rel="noopener noreferrer" target=_blank>Suggest Changes</a></div></header><div class=post-content><p>INTRO:
-In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto&rsquo;s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.</p><p><img loading=lazy src="https://github.com/H3xKatana/Blog/blob/main/content/post/2/1.png?raw=true" alt="your picture"></p><p>We have a file containing Windows event logs that capture suspicious activity.
+In this Sherlock, you will familiarize yourself with Sysmon logs and various useful EventIDs for identifying and analyzing malicious activities on a Windows system. Palo Alto&rsquo;s Unit42 recently conducted research on an UltraVNC campaign, wherein attackers utilized a backdoored version of UltraVNC to maintain access to systems. This lab is inspired by that campaign and guides participants through the initial access stage of the campaign.</p><p><img loading=lazy src="https://github.com/H3xKatana/Blog/blob/main/content/post/2/1.png?raw=true" alt=achivment></p><p>We have a file containing Windows event logs that capture suspicious activity.
 These logs are accompanied by well-defined rules for detection.</p><p>Upon filtering, we discovered that there are 56 occurrences of Event ID 11,
 which is highly suspicious because this ID typically signifies file creation events.</p><p>Event ID 1 provides detailed records of processes, including their names,
 hashes, and parent paths. This information can be instrumental in identifying malware.</p><p>Event ID 22 presents domain records,