This is the continuation of the Investigating Windows ... write-up. Here is the situation: a Windows server has been hacked and we have to analyse the malware and find out what is happening on the machine. We have been given remote access to the server with an IP, username and password, so first let's log in to the system; here I am using Remmina. The first task is:
Task 1: What registry key contains the same command that is executed within a scheduled task?
Answer: For this task we can go two ways. We can use the Autoruns tool to find the registry key of that process, or we can open regedit manually and search for the string of the command shown in Task Scheduler. The answer is ---> HKCU\Environment\UserInitMprLogonScript
Task 2: What analysis tool will immediately close if/when you attempt to launch it?
Answer: When we tried a bunch of tools from the toolbox, procexp64.exe didn't open. The answer is --> procexp64.exe
Task 3: What is the full WQL Query associated with this script?
Answer: To answer this question we need to run a tool called Loki, which is in the toolbox provided on this box. After it has run for a while we get the answer. It is ---> SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'
Task 4: What is the script language?
Answer: Go to the tmp folder, open "schtasks-backdoor" and look at the syntax. The script is written in Visual Basic Script, so the answer is ---> vbscript
Task 5: What is the name of the other script?
Answer: If we open the other backdoor, "WMIBackdoor.ps1", and read the script, we can see two scripts mentioned: one is 'KillProcess', which we have already seen, and the other is ----> 'LaunchBeaconingBackdoor'
Task 6: What is the name of the software company visible within the script?
Answer: If we look back at the previous script and read through it we get the answer ---> Motobit Software
Task 7: What 2 websites are associated with this software company? (answer, answer)
Answer: One is ---> http://www.motobit.com and the other is --> http://Motobit.cz
Task 8: Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?
Answer: The search turns up the exact same backdoor. The answer is --> WMIBackdoor.ps1
Task 9: What is the location of this file within the local machine?
Answer: It is located in C:\TMP
Task 10: Which 2 processes open and close very quickly every few minutes?
Answer: mim.exe, powershell.exe
Task 11: What is the parent process for these 2 processes?
Answer: If we match the PID of 'mim.exe' with the process ID of another process we get the parent process. The answer is --> svchost.exe
Task 12: What is the first operation for the first of the 2 processes?
Answer: In Process Monitor we can see that the first operation for the process is --> Process Start
Task 13: Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed?
Answer: Go to the Process Start event > Properties. You will find four elements ----> Parent PID, Command line, Current directory, Environment
Task 14: Inspect the disk operations, what is the name of the unusual process?
Answer: Open Process Hacker and click the 'Disk' tab. You will see a process called ---> No process
Task 15: Run Loki. Inspect the output. What is the name of the module after `Init`?
Answer: WMIScan
Task 16: Regarding the 2nd warning, what is the name of the eventFilter?
Answer: ProcessStartTrigger
Task 17: For the 4th warning, what is the class name?
Answer: FilterToConsumerBinding
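As an added example that is not part of the original write-up, covering the WMI persistence behind Task 3 and Tasks 15-17 together with the registry value from Task 1: this PowerShell script lists every permanent WMI event subscription on the host and flags the parts that match the backdoor described here. The WMI class and property names are standard; the output column names and the Flag logic are my own.

```powershell
# Added example (not from the original write-up): enumerate the permanent WMI
# event subscriptions in root\subscription that Loki reported (the WMIScan
# warnings, the ProcessStartTrigger filter and its FilterToConsumerBinding) and
# check the HKCU logon-script value from Task 1. Run in an elevated PowerShell.
$ns = 'root\subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class returns subclasses too
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# A filter is suspicious when its WQL watches process starts, as the Task 3 query does
$filters | ForEach-Object {
    [pscustomobject]@{
        Kind   = 'Filter'
        Name   = $_.Name
        Detail = $_.Query
        Flag   = [bool]($_.Query -match 'Win32_ProcessStartTrace')
    }
}

# Consumers that execute a command line or a script are the action half of the backdoor
$consumers | ForEach-Object {
    $c     = $_                      # keep the instance; $_ is rebound inside switch
    $class = $c.CimClass.CimClassName
    [pscustomobject]@{
        Kind   = 'Consumer'
        Name   = $c.Name
        Detail = switch ($class) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $class }
        }
        Flag   = $class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer'
    }
}

# A binding ties a filter to a consumer; without it neither half fires
$bindings | ForEach-Object {
    [pscustomobject]@{ Kind = 'Binding'; Name = $_.Filter.Name; Detail = $_.Consumer.Name; Flag = $true }
}

# Task 1: the same command persisted as a per-user logon script (empty if not set)
Get-ItemProperty -Path 'HKCU:\Environment' -Name 'UserInitMprLogonScript' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty UserInitMprLogonScript
```

Removing a subscription means deleting the binding, the filter and the consumer (for example with Remove-CimInstance), not just one of them, otherwise the remaining objects can be re-bound.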
Task 18: What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?
Answer: nbtscan.exe. The IOC match was triggered for two reasons: 1. the filename nbtscan.exe is listed as 'Known Bad/Dual use Classics', and 2. the hash of the file matches 'Emissary Panda Tool and Malware'.
Task 19: According to the results, what is the description listed for reason 1?
Answer: Known Bad/Dual use Classics
Task 20: Which binary alert is marked as APT Cloaked?
Answer: p.exe
Task 21: What are the matches? (str1, str2)
Answer: psexesvc.exe, Sysinternals PsExec
Task 22: Which binary alert is associated with somethingwindows.dmp found in C:\TMP?
Answer: schtasks-backdoor.ps1. This is a PowerShell script used for task scheduling.
Task 23: Which binary is encrypted that is similar to a Trojan?
Answer: xCmd.exe. Read the reason Loki gives and you will understand why it is similar to a Trojan.
Task 24: There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?
Answer: C:\Users\Public\svchost.exe. Again, the reasoning given by Loki makes this clear.
Task 25: What is the full path location for the legitimate version?
Answer: svchost.exe is the main service host process in Windows. Normally it runs from ---> C:\Windows\System32
Task 26: What is the description listed for reason 1?
Answer: Stuff running where it normally shouldn't
Task 27: There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?
Answer: Go to C: > Users > Public and you will find the malicious "svchost.exe", but alongside it you will also see a file named "en-US", which is a JavaScript file.
Task 28: What is the name of the Yara Rule MATCH?
Answer: CACTUSTORCH (YARA rule match for en-US)
Task 29: Which binary didn't show in the Loki results?
Answer: mim.exe. There are reasons for that: firstly, the default YARA rules contain no signature for mim.exe, which is why that binary does not appear in the Loki results; secondly, we have to implement a custom YARA rule for mim.exe so that the investigation can continue.
Task 30: Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn't hit on?
Answer: Let's create a Mimikatz detector rule for YARA. First open cmd; we have to find the strings in the mim.exe file, and we will use the Sysinternals Suite for this, specifically strings. As you can see in the picture below, we find strings such as version, extension and name to add to our rule.
Next, go to This PC > Desktop > Tools > loki_033.0 > loki > signature-base > yara, create a new document and add the rules as in the picture below.
Now we have created our custom YARA rule. From now on a Loki scan can detect the Mimikatz file and show its binary as well. So the answer is ---> mk.ps1, mk.exe, v2.0.50727
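As an added example that is not part of the original write-up: this PowerShell function mirrors what the completed rule does with the three strings from the answer, behaving like YARA `ascii wide` strings under `condition: all of them`, so a file is reported only when every indicator is present. The folders scanned are the ones the write-up examined, and Test-MimikatzStrings is my own name.

```powershell
# Added example (not from the original write-up): mirror the completed YARA rule
# in PowerShell. Like "ascii wide" strings with "condition: all of them", a file
# is reported only when every indicator appears as ASCII or as UTF-16LE ("wide").
$Indicators = @('mk.ps1', 'mk.exe', 'v2.0.50727')   # the three strings from the answer

function Test-MimikatzStrings {
    param([Parameter(Mandatory)][string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII.GetString($bytes)     # non-ASCII bytes decode as '?'
    $wide  = [System.Text.Encoding]::Unicode.GetString($bytes)   # UTF-16LE view, even offsets
    # YARA matches wide strings at any byte offset, so also decode from offset 1
    $wide2 = if ($bytes.Length -gt 1) {
        [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
    } else { '' }
    $hits = @($Indicators | Where-Object {
        $ascii.Contains($_) -or $wide.Contains($_) -or $wide2.Contains($_)
    })
    [pscustomobject]@{
        Path    = $Path
        Matched = ($hits -join ', ')
        Detect  = ($hits.Count -eq $Indicators.Count)   # "all of them"
    }
}

# Scan the folders the write-up examined (assumed to exist on the lab host)
Get-ChildItem -Path 'C:\TMP', 'C:\Users\Public' -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Test-MimikatzStrings -Path $_.FullName } |
    Where-Object Detect
```

Three plain strings are enough for this lab, but a renamed or re-versioned build of the same tool would not carry them; in production the rule is strengthened with more strings and a hash, which is why Loki's own signatures pair the two.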