Windows Endpoint Analysis Challenge 1 | SOC 101 | TCM Security

Tracing malware behavior step-by-step — from network connections and process creation to persistence in registry and services.

👋 Hi, I’m Umamaheswari. Through this blog, I share visual walkthroughs and hands-on investigations on PCAP, phishing, Splunk, ELK, malware, and digital forensics, based on labs from TryHackMe, HackTheBox and CyberDefenders. Feel free to connect or ask questions; I am more than happy to help.

Instructions:

You've been assigned to remotely investigate a compromised Windows workstation as part of a live incident response scenario. The affected system has been imaged and all necessary forensic artifacts have been gathered. Your objective now is to investigate the scope of the compromise and identify any persistence mechanisms installed by the attacker.

Use your endpoint analysis skills to conduct the investigation and answer the questions below.

Challenge File:

  • 03_Endpoint_Security/Windows/Challenges/challenge.exe

To start the challenge, execute challenge.exe in an Administrator-level command prompt. Make sure to not close the program or window until after you've completed the challenge. However, you can temporarily minimize it. After running the executable, you can open additional command prompt windows to complete the investigation.

After completing the challenge, you can clean up and restore the system by terminating the challenge.exe process (Press Ctrl + C). Then, run challenge.exe -revert.

Simulate the compromise by running challenge.exe in an Administrator-level command prompt. Make sure to not close the program or window until after you've completed the challenge. However, you can temporarily minimize it. Enter "done" to continue.

  1. What port is the challenge.exe malware listening on?

Ans: 50050

To map a listening port to its owning executable, PID, local and remote address/port and connection state, use either the command line (netstat) or a GUI (Sysinternals TCPView).

netstat -anob

-a lists every connection and listening port, -n prints addresses and ports numerically instead of resolving names, -o adds the owning PID, and -b prints the executable behind each entry in square brackets on the following line. -b needs an elevated prompt, which is one reason the challenge asks for an Administrator command prompt. Look for the LISTENING entry whose executable is [challenge.exe]; its local port is 50050.

TCPView

TCPView shows the same columns and refreshes live, so a listener that comes and goes is easier to catch, and the entry can be right-clicked to end the process or close the connection.

  2. What is the Process ID (PID) of the malware? This answer cannot be verified, but it's required for the next question(s).

Ans: 8696

The PID is the last column of the same netstat -anob line (the column that -o adds) or the PID column in TCPView. It is assigned when challenge.exe starts, so it differs on every run; carry the value from your own system into the questions that follow.

  3. List all of the loaded DLL modules for the listener's associated process. What are the names of the two DLLs that start with the letter m?

Ans: mswsock.dll, msvcrt.dll

In Process Explorer, select challenge.exe and switch the lower pane to DLL view (View > Lower Pane View > DLLs, or Ctrl+D); from the command line, tasklist /m /fi "PID eq 8696" lists the modules loaded by that PID. Neither DLL is malicious in itself: mswsock.dll is the Winsock service provider that any process doing socket I/O loads, and msvcrt.dll is the Microsoft C runtime. What they confirm is that the process is talking to the network, which matches the listener found in question 1.

  4. What is the name of the malware's parent process?

Ans: cmd.exe

  • CMD
  • Process Explorer

Process Explorer's tree view shows challenge.exe nested under the cmd.exe it was started from. From the command line, wmic process where "ProcessId=8696" get Name,ParentProcessId prints the parent PID, which tasklist /fi "PID eq <parent PID>" then resolves to a name. Here the parent is cmd.exe simply because the challenge is launched by hand from the administrator prompt; in a real incident the parent is one of the most telling artifacts, because a listener spawned by an Office application, a browser or a service host points straight at the initial access vector.
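The chain that questions 1 to 4 walk through by hand with netstat, TCPView and Process Explorer (listening port, owning PID, loaded modules, parent process) can be done in one pass from an elevated PowerShell. The script below is an added example and is not code from the TCM challenge or the original post; the port is a parameter that defaults to the 50050 found above, and the Authenticode check at the end is this example's own addition rather than a step the challenge asks for.

```powershell
# Added example (not part of the TCM challenge or the original post).
# Run from an elevated 64-bit PowerShell so Modules and Win32_Process are readable.
param([int]$Port = 50050)   # the port found with netstat -anob; 50050 in this lab

# 1. Listener -> PID. Get-NetTCPConnection is the cmdlet form of netstat -ano;
#    OwningProcess is the PID column. -ErrorAction Stop aborts if nothing listens there.
$conn = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction Stop |
        Select-Object -First 1
$proc = Get-Process -Id $conn.OwningProcess
"{0} (PID {1}) is listening on {2}:{3}" -f $proc.ProcessName, $proc.Id, $conn.LocalAddress, $conn.LocalPort
"Image: $($proc.Path)"

# 2. Loaded modules, filtered the way question 3 asks (names starting with 'm').
$proc.Modules |
    Where-Object { $_.ModuleName -like 'm*' } |
    Sort-Object ModuleName |
    Select-Object ModuleName, FileName

# 3. Parent process. Win32_Process carries ParentProcessId; the parent may have
#    exited already and its PID may even have been reused, so verify that the
#    candidate parent was created before the child instead of trusting the number.
$wmi    = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.Id)"
$parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($wmi.ParentProcessId)"
if ($parent -and $parent.CreationDate -le $wmi.CreationDate) {
    "Parent: {0} (PID {1}) started {2}`n  CommandLine: {3}" -f $parent.Name, $parent.ProcessId, $parent.CreationDate, $parent.CommandLine
} else {
    "Parent PID $($wmi.ParentProcessId) is gone or reused; recover the original parent from Sysmon event 1 or Security event 4688"
}

# 4. Is the listener's image signed, and where does it live? An unsigned binary
#    listening from a user-writable directory deserves a closer look.
Get-AuthenticodeSignature -FilePath $proc.Path |
    Select-Object Status, @{ n = 'Signer'; e = { $_.SignerCertificate.Subject } }
```

Save it as a .ps1 and run it with -Port <port> for any other listener; the module list and parent check work for any PID the first step resolves, not only for challenge.exe.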
  5. List all the shared resources on the local system. What is the name of the share that the attacker created?

Ans: xkalibur

net share lists every share together with its resource path. The default administrative shares (C$, ADMIN$, IPC$ and any other name ending in $) are expected on a workstation; xkalibur is the only share that does not belong.

  6. What path or resource does the attacker's share point to? Note: If you created a user account with any name other than tcm, make sure to replace your username in the output with tcm to ensure a correct answer!

Ans: C:\Users\tcm\AppData\Local\Temp\46d5b8556d0d3e30ec1

net share xkalibur prints the Path line for that one share. A share rooted in the user's Temp folder under a random-looking directory name is a staging location, not something an administrator publishes. Keep the user profile in mind: every other persistence artifact on this host is also placed somewhere under C:\Users\tcm.


  7. The attacker created a Run entry to establish persistence on the system. What is the full path of the registry key?

Ans: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

  • Autoruns:
  • Registry Editor:
  • CMD:

Autoruns (Logon tab) highlights the entry and names the key it lives in; Registry Editor shows it by browsing to the key; from the command line, reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lists the values. Check the neighbouring RunOnce key and the same two keys under HKEY_LOCAL_MACHINE as well: a per-user Run entry only fires when that user logs on, whereas an HKLM entry fires for every user on the machine.

  8. What is the name of the malicious entry the attacker created in the previously identified registry key?

Ans: CleanUpController

  9. What is the full file or image path that this registry entry points to? Note: If you created a user account with any name other than tcm, make sure to replace your username in the output with tcm to ensure a correct answer!

Ans: C:\Users\tcm\Downloads\wininit.exe

Each value under Run is a name (CleanUpController) whose data is a command line; the image path is that data. The file name is deliberate masquerading: the real wininit.exe lives in C:\Windows\System32 and is started by smss.exe during boot, never from a Downloads folder, so the location rather than the name is what gives this entry away.
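Questions 5 to 9 are both instances of the same check: something (a share, an autostart value) has been pointed at a path under the user profile. The script below is an added PowerShell example, not code from the TCM challenge or the original post; it lists SMB shares and the Run/RunOnce values of both hives and flags entries whose path sits under C:\Users or whose image no longer exists on disk. Treating "under C:\Users" as suspicious is this example's own heuristic, not a rule from the course.

```powershell
# Added example (not part of the TCM challenge or the original post).
# Heuristic is this example's own: shares and autostart images under C:\Users are flagged.
# Run from an elevated PowerShell.
$userRoot = [regex]::Escape("$env:SystemDrive\Users\")

function Get-ImageFromCommandLine {
    # Return only the executable from a command line: the quoted path if there is
    # one, otherwise the first token. Environment variables are expanded first.
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine)
    if ($cmd -match '^\s*"([^"]+)"') { return $Matches[1] }
    return ($cmd.Trim() -split ' ')[0]
}

# 1. Shares (the net share equivalent). Names ending in $ are the built-in admin shares.
$shares = foreach ($s in Get-SmbShare) {
    if ($s.Name -notmatch '\$$' -and $s.Path -match "^$userRoot") {
        [pscustomobject]@{ Kind = 'Share'; Name = $s.Name; Image = $s.Path; Note = 'share rooted in a user profile' }
    }
}

# 2. Run / RunOnce values in both hives (the reg query equivalent). HKCU entries
#    fire for this user only; HKLM entries fire for every user at logon.
$runKeys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

$autostarts = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $image = Get-ImageFromCommandLine ([string]$item.GetValue($name))
        if ([string]::IsNullOrWhiteSpace($image)) { continue }
        $note = $null
        if ($image -match "^$userRoot") { $note = 'autostart from a user profile' }
        elseif (-not (Test-Path -LiteralPath $image)) { $note = 'image missing on disk' }
        if ($note) {
            [pscustomobject]@{ Kind = 'Run'; Name = "$key\$name"; Image = $image; Note = $note }
        }
    }
}

@($shares) + @($autostarts) | Where-Object { $_ } | Format-Table -AutoSize
```

On the challenge host this prints the xkalibur share with its Temp path and the CleanUpController value with the Downloads copy of wininit.exe; on a clean workstation it should print nothing, which makes it a usable baseline check rather than a one-off answer finder.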


  10. What is the name of the backdoor service installed by the attacker?

Ans: windowsactiveservice

  • Autoruns:
  • CMD:

Autoruns (Services tab) lists every service with its image path and publisher; from the command line, sc query type= service state= all enumerates the installed services and sc qc windowsactiveservice prints the configuration of this one. The name is chosen to blend in with genuine Windows services, so filter on the image path and on the missing publisher signature rather than on the name.

  11. What is the START_TYPE configuration of the service?

Ans: automatic

sc qc reports it as START_TYPE : 2 AUTO_START, so the service is started by the Service Control Manager at boot, without anyone logging on.

  12. What is the full path to the service binary? Note: If you created a user account with any name other than tcm, make sure to replace your username in the output with tcm to ensure a correct answer!

Ans: C:\Users\tcm\Documents\svcbackdoor.exe

This is the BINARY_PATH_NAME line of the same sc qc output. A service binary under a user's Documents folder is a strong indicator on its own: services run as LocalSystem unless configured otherwise (the SERVICE_START_NAME line shows the account), so this gives the attacker SYSTEM-level execution at every boot from a directory the user can write to.


  13. What is the name of the scheduled task created by the attacker?

Ans: ayttpnzc

  • Autoruns:

Select the suspicious scheduled task in Autoruns (Scheduled Tasks tab), right-click it and choose "Jump to Entry".

This opens Task Scheduler on that task, where the Triggers and Actions tabs give the remaining details.

  • CMD:
  • Task Scheduler:

From the command line, schtasks /query /fo list /v lists every task with its "Task To Run", "Start Time" and "Schedule Type" fields; once you have the name, schtasks /query /tn ayttpnzc /fo list /v narrows the output to this task. A random-looking name with no description or author is what stands out here.
  14. What is the full path to the executable that the scheduled task runs? Note: If you created a user account with any name other than tcm, make sure to replace your username in the output with tcm to ensure a correct answer!

Ans: C:\Users\tcm\Downloads\beac0n.exe

This is the Program/script field on the task's Actions tab ("Task To Run" in the schtasks output). Note the digit zero in beac0n.exe, a substitution meant to survive a casual read of the task list.

  15. At what time is the scheduled task set to run?

Ans: 3:30 AM

The Triggers tab (or the "Start Time" field of the schtasks /v output) shows the trigger. A task that fires in the early hours, when nobody is at the workstation, is a common way to relaunch a beacon if the other persistence mechanisms have been cleaned up.
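Questions 10 to 15 apply the same idea to the two remaining persistence mechanisms. The script below is an added PowerShell example, not code from the TCM challenge or the original post; it reports every service and every scheduled-task action whose executable lives under C:\Users, together with the START_TYPE, account, binary path and trigger time the questions ask for. Flagging binaries under the user profile is this example's own heuristic.

```powershell
# Added example (not part of the TCM challenge or the original post).
# Heuristic is this example's own: service binaries and task actions under C:\Users are reported.
# Run from an elevated PowerShell.
$userRoot = [regex]::Escape("$env:SystemDrive\Users\")

# 1. Services. PathName is the raw binPath (sc qc's BINARY_PATH_NAME) and may carry
#    quotes and arguments; StartMode maps to START_TYPE (Auto = 2 AUTO_START).
$services = foreach ($svc in Get-CimInstance Win32_Service) {
    if (-not $svc.PathName) { continue }
    $path  = [Environment]::ExpandEnvironmentVariables($svc.PathName)
    $image = if ($path -match '^\s*"([^"]+)"') { $Matches[1] } else { ($path.Trim() -split ' ')[0] }
    if ($image -match "^$userRoot") {
        [pscustomobject]@{
            Kind    = 'Service'
            Name    = $svc.Name
            Start   = $svc.StartMode     # Auto / Manual / Disabled
            RunAs   = $svc.StartName     # LocalSystem unless the attacker chose otherwise
            Image   = $image
            Trigger = ''
        }
    }
}

# 2. Scheduled tasks. A task can have several actions and triggers; every Exec
#    action is checked, and the trigger start boundaries (first run as a
#    date-time, e.g. ...T03:30:00) are joined into one column.
$tasks = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # ComHandler/Email actions have no Execute
        $image = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
        if ($image -match "^$userRoot") {
            [pscustomobject]@{
                Kind    = 'Task'
                Name    = $task.TaskPath + $task.TaskName
                Start   = $task.State        # Ready / Running / Disabled
                RunAs   = $task.Principal.UserId
                Image   = ($image + ' ' + $action.Arguments).Trim()
                Trigger = (@($task.Triggers | ForEach-Object { $_.StartBoundary }) -join '; ')
            }
        }
    }
}

@($services) + @($tasks) | Where-Object { $_ } | Format-Table -AutoSize
```

On the challenge host this yields windowsactiveservice with Start = Auto and the Documents path of svcbackdoor.exe, and the ayttpnzc task with beac0n.exe and a StartBoundary ending in T03:30:00. Note that it only sees what the SCM and Task Scheduler report; a task whose registration has been tampered with in the registry will not appear, which is one reason to compare the script's output with Autoruns.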

Excellent work! Clean up and restore the system by terminating the challenge.exe process (Press Ctrl + C). Then, run challenge.exe -revert.

Happy Hunting!