Windows Forensics 2.0

Identify persistent threats on a compromised Windows machine, and create a Yara rule for future prevention.

By Ren Sie

Refer to Investigating Windows 2.0 for the challenge room on TryHackMe.
Refer to Investigating Windows for the challenge room on TryHackMe.

Tools

  • Task Scheduler: For viewing and analyzing scheduled tasks.
  • Registry Editor: For searching registry keys related to scheduled tasks.
  • Sysinternals Suite:
    • Autoruns: Identify WMI entries and processes.
    • Process Explorer: Investigating parent processes and process details.
    • Process Monitor: Capturing and analyzing process operations.
    • Strings.exe: For extracting strings from binaries.
  • Loki: IOC (Indicator of Compromise) scanner.
  • Process Hacker: Inspecting disk operations and identifying unusual processes.
  • Yara: Creating and running custom rules to detect suspicious binaries and files.

#1 Which registry key matches the command in the scheduled task?

Open the "Task Scheduler" to view the scheduled tasks. Then, check each task's command under the Actions tab.

Open "Registry Editor" and search (CTRL+F) for the command keyword from each scheduled task. One matching registry key will appear.

#2 Which analysis tool closes immediately when launched?

The tools available on the machine are the Sysinternals tools. Since there are many of them, we should not launch each one blindly to find the one that closes.
Open Desktop\Tools\SysinternalsSuite\Autoruns.exe and look at the WMI entries. One, called "KillProcess," likely terminates processes, which tells us which binary is affected.

#3 What is the full WQL Query associated with this script?

Refer to the previous screenshot.

Note: WQL (WMI Query Language) is a SQL-like language used to query WMI for system management and monitoring; a WMI event subscription uses a WQL query as its trigger.

#4 What is the script language?

Refer to the previous screenshot.

#5 What is the name of the other script?

Refer to the previous screenshot.

#6 What is the software company name found in the script?

Double-click the other script to find the software company in the source code.

#7 What websites are associated with this company?

Use the search function (CTRL+F) for "http://" to find URLs linked to the company.

#8 Search online for the script name from Q5. What attack script appears in the results?

Search for the script name online, and we will find a GitHub page with the script name.

#9 What is the location of this file within the local machine?

Search for the file name in Windows Explorer to find the full path.

#10 Which processes open and close every few minutes?

Refer to the screenshot from question #1 to see two scheduled tasks running periodically. The executable name is in the Actions tab.

#11 What is the parent process for these 2 processes?

To learn more about the processes, open Process Explorer. Since we already identified the script that terminates the executable (Q2), we can delete or disable it so the processes stay alive long enough to inspect. Press the space bar to pause Process Explorer's refresh, which makes it easy to spot the parent of the two processes.

#12 What is the first operation for the first of the 2 processes?

To capture the first operation, open Process Monitor and add the process name to the filter. When the target process runs, Procmon will capture it, and we can retrieve the operation.

#13 Inspect the properties of the first occurrence of the process. In the Event tab, what are the four pieces of information displayed?

Open the properties of the first occurrence to find the required information.

#14 What is the name of the unusual process in the disk operations?

After opening the Disk tab in Process Hacker, we will see some unusual process names.

#15 Run Loki and check the output. What is the module name after `Init`?

After running Loki for 5-10 minutes, logs will be generated in the same directory.

Open one of the logs to find the next module name after Init.

#16 Regarding the 2nd warning, what is the name of the eventFilter?

Loki's console output can be large because it scans the entire disk, so we redirect it to a text file and use that file for the following questions.

C:\Users\Desktop\Tools\loki_0.33.0\loki > loki.exe > OUTPUT.txt

Search for keyword "WARNING" in the output file to find the second warning and its name.

#17 For the 4th warning, what is the class name?

Refer to the previous screenshot.

#18 What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?

By searching for the keyword, we can identify the binary that caused the alert.

Note: FIRST_BYTES shows the leading bytes of the file. A value starting with 4d5a is the "MZ" signature of a Windows executable. Loki reports the first bytes because they identify executable content regardless of the file extension, which makes triage of suspicious files faster.

#19 According to the results, what is the description listed for reason 1?

Refer to the DESC in the previous screenshot.
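To show how the Loki output file is triaged for Q16 through Q19 (and the Yara Rule MATCH lookup in Q28), here is an added Python example that is not part of the original walkthrough: it parses Loki-style `[LEVEL] KEY: value` lines, returns the n-th WARNING, finds ALERT entries by FIRST_BYTES prefix and pulls out the REASON_1 description. The report lines, paths and rule names are constructed placeholders, and the line layout is a simplified model of Loki's console format rather than its exact output.

```python
import re

LINE_RE = re.compile(r"^\[(?P<level>[A-Z]+)\]\s+(?P<body>.*)$")
# Loki-style "KEY: value" tokens; split the body wherever the next upper-case key starts.
KEY_SPLIT_RE = re.compile(r"\s+(?=[A-Z][A-Z0-9_]*: )")

# Constructed Loki-style report: paths, rule names and descriptions are placeholders.
SAMPLE_REPORT = """\
[INFO] MODULE: Init MESSAGE: Loading signatures
[WARNING] MODULE: FileScan MESSAGE: FILE: C:\\TMP\\sample-a.exe SCORE: 70 TYPE: EXE FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ REASON_1: Yara Rule MATCH: PLACEHOLDER_RULE_A SUBSCORE: 70 DESCRIPTION: placeholder description for rule A
[WARNING] MODULE: WMIScan MESSAGE: EventFilter: placeholderFilter Query: PLACEHOLDER_WQL
[ALERT] MODULE: FileScan MESSAGE: FILE: C:\\TMP\\sample-b.exe SCORE: 100 TYPE: EXE FIRST_BYTES: 4d5a90000300000004000000ffff0000b8000000 / MZ REASON_1: Yara Rule MATCH: PLACEHOLDER_RULE_B SUBSCORE: 100 DESCRIPTION: placeholder description for rule B
"""

def parse_line(line):
    """(level, {KEY: value}) for a report line, or None if it is not a log entry.
    "Yara Rule MATCH: name" yields a separate MATCH key, which is what Q28 asks for."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {}
    for token in KEY_SPLIT_RE.split(m.group("body")):
        key, sep, value = token.partition(": ")
        if sep:
            fields[key] = value.strip()
    return m.group("level"), fields

def entries(report, level):
    """All entries of one level (INFO, WARNING, ALERT) in report order."""
    out = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] == level:
            out.append(parsed[1])
    return out

def nth_warning(report, n):
    """The n-th (1-based) WARNING entry, the lookup behind Q16 and Q17."""
    return entries(report, "WARNING")[n - 1]

def alerts_with_first_bytes(report, hex_prefix):
    """FILE paths of ALERT entries whose FIRST_BYTES start with hex_prefix (Q18)."""
    return [e["FILE"] for e in entries(report, "ALERT")
            if e.get("FIRST_BYTES", "").lower().startswith(hex_prefix.lower())]

def reason_description(entry):
    """DESCRIPTION attached to REASON_1 of an entry (Q19, Q26); None if there is no reason."""
    return entry.get("DESCRIPTION") if "REASON_1" in entry else None
```

Run it against the redirected OUTPUT.txt by passing the file's contents as `report`; searching for "WARNING" by hand, as the walkthrough does, gives the same entries.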

#20 Which binary alert is marked as APT Cloaked?

Search for the keyword "APT" to find the binary that triggered the alert.

#21 What are the matches?

Refer to the previous screenshot.

#22 Which binary alert is associated with somethingwindows.dmp found in C:\TMP?

Search for the keyword "somethingwindows" to find the binary that triggered the alert.

#23 Which binary is encrypted that is like a trojan?

Search for the keyword "encrypt" to find the binary.

Note: Derusbi is a backdoor Trojan. It encrypts its executable code using an XOR operation with a 4-byte key to evade signature-based detection and hinder analysis by security tools.

#24 What is the binary that can masquerade itself as a legitimate core Windows process/image?

Question #27 reveals the directory that contains the binary masquerading as a legitimate Windows process.

#25 What is the full path location for the legitimate version?

After researching online, we can find its full path.

#26 What is the description listed for reason 1?

Since we know the malicious binary name, we can use it as a keyword to search the output file.

#27 What is the file in the same location that is labeled as a hacktool?

Search for "hacktool" to find the binary. Use the path to answer question #24.

#28 What is the name of the Yara Rule MATCH?

Refer to the previous screenshot.

#29 Which binary didn't show in the Loki results?

I found the directory (C:\TMP) with several suspicious binaries flagged by Loki. Searching for each binary name in the Loki output identifies the one that was missed.

#30 Complete the YAR rule file in the Tools folder on the Desktop. What are the 3 strings needed to detect the binary Loki missed?

Running Yara against C:\TMP only picks up the dmp file.

C:\Users\Desktop\Tools\yara > yara64.exe test.yar C:\TMP

Opening the yara file in a text editor shows that one of the rules is missing its strings.

We will use strings.exe from the Sysinternals Suite to extract the strings and complete the missing rule. The file extension "??1" is likely ".ps1" and "?x?" is likely ".exe". The third string appears to be a version, so I started with "v1." and found the match with "v2.".

C:\Users\Desktop\SysinternalsSuite > strings.exe C:\TMP\mim.exe | findstr /C:".ps1" /C:".exe" /C:"v2."
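The strings.exe and findstr step, as an added Python example (not from the walkthrough or any project): it extracts ASCII and UTF-16LE strings from a binary, groups them by the three substrings the rule needs, and renders the completed YARA rule. The sample bytes and the rule name placeholder_rule are constructed; the real mim.exe is not used.

```python
import re

# Runs of >=4 printable ASCII bytes, and the same as UTF-16LE (what strings.exe calls Unicode).
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Constructed PE-like blob with a few embedded strings; not the real mim.exe from the room.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"loader.ps1\x00\x01\x02"
    + "payload.exe".encode("utf-16le") + b"\x00\x00"
    + b"v2.1-placeholder\x00"
)

def extract_strings(data):
    """Printable strings from raw bytes, ASCII first and then UTF-16LE, like strings.exe."""
    ascii_hits = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide_hits = [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return ascii_hits + wide_hits

def candidate_rule_strings(data, patterns=(".ps1", ".exe", "v2.")):
    """Group extracted strings by the findstr-style substrings used in the walkthrough."""
    found = extract_strings(data)
    return {p: [s for s in found if p in s] for p in patterns}

def yara_rule(name, strings):
    """Render a YARA rule with $s1..$sN text strings, requiring an MZ header and all strings."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, s in enumerate(strings, 1):
        escaped = s.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{escaped}"')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and all of them", "}"]
    return "\n".join(lines)

def build_rule_from_binary(data, name="placeholder_rule"):
    """Take the first hit per pattern and emit the completed rule; None if a pattern has no hit."""
    groups = candidate_rule_strings(data)
    if any(not hits for hits in groups.values()):
        return None
    return yara_rule(name, [hits[0] for hits in groups.values()])
```

For a real file, read it with `open(path, "rb").read()` and review every candidate per pattern before choosing, since a generic string such as "kernel32.dll" would match far more than the one binary.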
