IR 373: Investigating a Bot with Velociraptor (50 pts)

What You Need for This Project

Purpose

To infect a Windows machine with a simple malware sample, and investigate the infection from a Linux Velociraptor server.

Task 1: Infecting the Windows Machine

This sample simulates a bot infection.

Execute the steps below on your Windows machine.

Disabling Windows Defender

If you are using our private cloud machines, skip this section.
Defender is already disabled.

Otherwise, follow the appropriate steps below for your Windows version:

Windows 10

1. Next to the Start button, search for "Defender". Open "Windows Security settings" or "Windows Defender settings".
2. Click "Virus & threat protection".
3. Under "Virus & threat protection settings", click "Manage settings".
4. Turn off "Tamper Protection".
5. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
6. Turn off "Cloud-delivered protection" and "Automatic sample submission".

Windows 11

1. Next to the Start button, search for "Virus". Open "Virus & threat protection".
2. Under "Virus & threat protection settings", click "Manage settings".
3. Turn off "Tamper Protection".
4. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
5. Turn off "Cloud-delivered protection" and "Automatic sample submission".

Install the Simulated Botnet

1. Download this file: https://samsclass.info/152/proj/security.zip
2. Open your Downloads folder. Right-click security.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. Right-click Bginfo64.exe. Click "Run as administrator". If a "User Account Control" box pops up, click Yes. Agree to the license. Once it opens, just close it or click the Cancel button. If a box asks whether to save the configuration, click No.

ATT&CK Techniques

This simulated PUP infection demonstrates these ATT&CK techniques:

T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1053.005: Scheduled Task/Job: Scheduled Task
T1562.001: Impair Defenses: Disable or Modify Tools

Task 2: Investigating the Incident with Velociraptor

Connecting to the Client

You should have a Linux machine with Velociraptor installed, with the Windows machine as a client.

In the Velociraptor GUI, at the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Installing Wireshark

On the machine you're using to control Velociraptor, in a Web browser, install Wireshark. If it's a Mac or Windows, download Wireshark from https://www.wireshark.org/.

If it's a Linux machine, execute these commands:

sudo apt update
sudo apt install wireshark -y

Capturing Network Traffic Remotely and Finding Beacons

Find this collector, as shown below.
Windows.Network.PacketCapture

Launch the collector without changing the parameters. This starts capturing packets on the Windows machine.

In the results, copy the path to the .etl file, as shown below.

Wait a minute and run the same collector again.

Adjust the parameters as shown below.

Launch this collector. This stops the packet capture.

When it finishes, click the "Uploaded Files" tab. A link appears to a .pcapng file, as shown below.

Click the link, download the .pcapng file, and open it in Wireshark.

Troubleshooting

You may see the error message shown below.

You can fix that with the online "pcapfix" tool here:

https://f00l.de/hacking/pcapfix.php

You can also fix it on your Windows system with Microsoft's "etl2pcapng" tool. Download the etl2pcapng.exe file from the link below and save it in your Downloads folder.

https://github.com/microsoft/etl2pcapng/releases

Open an Administrator Command Prompt and execute these commands:

cd %USERPROFILE%
cd Downloads
.\etl2pcapng\etl2pcapng\x64\etl2pcapng.exe C:\Windows\SystemTemp\NetTraces\NetTrace.etl trace.pcapng

Now open the trace.pcapng file in your Downloads folder in Wireshark.

IR 373.1: User-Agent (10 pts)

First we'll find the network beacons, which tell the C & C server that the machine is pwned.

In Wireshark, enter this display filter:

http.request.method == "GET"
Find the requests to a subdomain of "samsclass.info".

Expand the packet details to find the User-Agent. That's the flag, as shown below.
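The display filter above finds the GET requests; the same check can be scripted once the HTTP payloads are exported. The script below is an added example, not part of the lab: it parses raw HTTP/1.x request bytes, keeps only GET requests whose Host header is samsclass.info or a subdomain of it (a plain "ends with" test would wrongly accept a look-alike such as notsamsclass.info), and returns the User-Agent of each. The request bytes, hostnames and User-Agent string are constructed for the example; only the samsclass.info domain comes from the lab.

```python
import re
from typing import Optional

# Constructed sample requests (not captured from the lab machine): the raw
# bytes of HTTP requests as they would sit in a TCP payload. The subdomains,
# paths and User-Agent values are made up; samsclass.info is the lab's C & C domain.
SAMPLE_REQUESTS = [
    b"GET /report.php?id=1 HTTP/1.1\r\nHost: beacon.samsclass.info\r\n"
    b"User-Agent: ExampleBot/1.0 (constructed)\r\nConnection: close\r\n\r\n",
    b"GET / HTTP/1.1\r\nhost: www.example.org\r\nuser-agent: Mozilla/5.0\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: c2.samsclass.info\r\nUser-Agent: ExampleBot/1.0\r\n\r\n",
    b"GET /x HTTP/1.1\r\nHost: notsamsclass.info:8080\r\nUser-Agent: Other/2.0\r\n\r\n",
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def parse_request(raw: bytes) -> Optional[dict]:
    """Parse the request line and headers of one HTTP/1.x request.
    Returns None when the bytes do not start with a valid request line."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        # Header names are case-insensitive, so normalise them to lower case.
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {"method": m.group(1).decode(), "target": m.group(2).decode(), "headers": headers}


def is_subdomain_of(host: str, domain: str) -> bool:
    """True if host is `domain` itself or any subdomain of it.
    Strips a :port suffix (bracketed IPv6 literals are not handled) and
    requires a dot boundary so that notsamsclass.info is not accepted."""
    host = host.rsplit(":", 1)[0].lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def beacon_user_agents(requests, domain="samsclass.info"):
    """Return (host, user_agent) for every GET request sent to the C & C domain."""
    hits = []
    for raw in requests:
        req = parse_request(raw)
        if req is None or req["method"] != "GET":
            continue
        host = req["headers"].get("host", "")
        if is_subdomain_of(host, domain):
            hits.append((host, req["headers"].get("user-agent", "")))
    return hits


if __name__ == "__main__":
    for host, ua in beacon_user_agents(SAMPLE_REQUESTS):
        print(f"{host}\t{ua}")
```

In the constructed data only the first request survives: the second goes to another domain, the third is a POST, and the fourth is the look-alike domain on a non-standard port.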

IR 373.2: DNS Cache (5 pts)

Next, we'll find the domain name of the C & C server in the DNS cache.

Launch this collector, with no parameter changes.

Windows.System.DNSCache

The DNS cache usually contains the C & C domain name, outlined in red in the image below. You may have to try again to see it.

Troubleshooting

On some networks, the DNS cache is always empty.

If that happens, change the DNS server on your Windows machine to 8.8.8.8 and collect another PCAP.

The flag is covered by a green rectangle in the image below.

IR 373.3: Beaconing EXE (10 pts)

Find this collector:
Windows.Search.Yara
Configure these parameters, as shown below:

Use a nameRegex of

exe$

Use the yaraRule shown below, which will find files referencing the C & C domain name:

rule Hit {
    strings:
      $a = "securityreport" nocase wide ascii
    condition:
      any of them
}

Launch the collector.

It finds the file responsible for the beacons, as shown below.

The flag is covered by a green rectangle in the image below.
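The rule's modifiers matter: "ascii" matches the bytes as written, "wide" matches the UTF-16LE form (each character followed by a NUL byte) that Windows binaries usually carry, and "nocase" ignores letter case. The script below is an added example, not the lab's or Velociraptor's code: it builds one regular expression equivalent to that YARA string, applies the nameRegex filter to a constructed set of file paths, and reports the files in which the string is found. The file names and contents are constructed placeholders, and treating nameRegex as case-insensitive is an assumption of the example.

```python
import re

# Constructed stand-in for the files the collector would walk: path -> contents.
# None of these are the lab's real files; "securityreport" is the string the
# lab's YARA rule looks for.
SAMPLE_FILES = {
    r"C:\lab\beacon_sample.exe": b"MZ\x90\x00" + b"\x00" * 16
        + "SecurityReport".encode("utf-16-le") + b"\x00" * 8,
    r"C:\lab\clean.exe": b"MZ\x90\x00" + b"nothing to see here",
    r"C:\lab\notes.txt": b"securityreport in a text file is skipped by the name regex",
    r"C:\lab\helper.dll": b"SECURITYREPORT as ascii, but .dll does not match exe$",
}


def compile_yara_string(text, ascii_=True, wide=True, nocase=True):
    """Build one regex equivalent to a YARA text string with the given modifiers.
    ascii: the bytes as-is; wide: each character followed by a NUL (UTF-16LE);
    nocase: case-insensitive matching of ASCII letters."""
    alternatives = []
    if ascii_:
        alternatives.append(re.escape(text.encode("ascii")))
    if wide:
        alternatives.append(b"".join(re.escape(c.encode("ascii")) + b"\x00" for c in text))
    return re.compile(b"|".join(alternatives), re.IGNORECASE if nocase else 0)


def scan_bytes(data, pattern):
    """Return (offset, matched bytes) for every occurrence of the pattern."""
    return [(m.start(), m.group(0)) for m in pattern.finditer(data)]


def hunt_files(files, name_regex=r"exe$", strings=None):
    """Apply the name filter, then the rule's strings; a file is a hit when
    any string matches (the rule's 'any of them' condition)."""
    strings = strings or {"$a": compile_yara_string("securityreport")}
    name_pat = re.compile(name_regex, re.IGNORECASE)  # assumption: names matched case-insensitively
    hits = {}
    for path, data in files.items():
        if not name_pat.search(path):
            continue
        found = {ident: scan_bytes(data, pat) for ident, pat in strings.items()}
        found = {ident: matches for ident, matches in found.items() if matches}
        if found:
            hits[path] = found
    return hits


if __name__ == "__main__":
    for path, found in hunt_files(SAMPLE_FILES).items():
        for ident, matches in found.items():
            print(path, ident, [(off, m) for off, m in matches])
```

Running it reports only beacon_sample.exe, where the string is found in its wide form at offset 20; the .txt and .dll files contain the string but are excluded by the name filter, which is exactly what the collector's nameRegex of exe$ does.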

IR 373.4: Using Sysmon to find a Persistence Mechanism (10 pts)

First examine the date and time on your Windows machine. Make sure it is correct.

Select this collector to install Sysmon:

Windows.Sysinternals.SysmonInstall
If you are using Windows on an Intel processor, launch this artifact without changing the parameters.

Examine the Results. This installation must succeed to complete this flag.

Windows on Apple Silicon (ARM)

If you are using Windows on ARM (a Mac M1 or later host), you need to manually install sysmon.

At the top right of the Velociraptor page, click the green button labelled DESKTOP.

Click >_Shell.

Select a shell type of Powershell and execute these commands, one by one, as shown below:

mkdir c:\sysmon

Invoke-WebRequest https://live.sysinternals.com/tools/ARM64/Sysmon64a.exe -OutFile c:\sysmon\sysmon.exe

Invoke-WebRequest https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -OutFile c:\sysmon\config.xml

Select a shell type of Cmd and execute the command below:

c:\sysmon\sysmon.exe -i c:\sysmon\config.xml -accepteula

At the bottom of the page, in the last command section, click the eye icon to see the output.

Sysmon should install and start successfully, as outlined in red in the image below.

Skip the "Windows.Sysinternals.SysmonInstall" collector below and proceed with "Windows.EventLogs.EvtxHunter".

Then launch this collector to collect the sysmon event logs:

Windows.EventLogs.EvtxHunter
Use these parameters, as shown below.
  • IocRegex securitytest
  • ChannelRegex Sysmon
  • IdRegex 1

In the Results page, click the "Show/Hide Columns" icon, outlined in red in the image below, and clear the EventData, Message, and OSPath fields, as shown below.

Now you can see the times of these events, showing that a new process is created every minute, as shown below. This suggests the use of Scheduled tasks.

Click the "Show/Hide Columns" icon and show the Message field again.

Make the Message column wider. Scroll down to look at the most recent event.

Look in the ParentCommandLine for the flag, covered by a green rectangle in the image below.

IR 373.5: Scheduled Tasks (5 pts)

Launch this collector, with no changes to the parameters:
Windows.System.TaskScheduler
In the Command column, find the beaconing command, outlined in red in the image below.

The flag is covered by a green rectangle in the image below.
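Each task the collector lists is backed by an XML file under C:\Windows\System32\Tasks. The script below is an added example, not the lab's or Velociraptor's code: it decodes one such file (Windows writes them as UTF-16 with a byte-order mark), reads the Exec action's Command and Arguments and the trigger's Repetition/Interval, and flags tasks that repeat at short intervals, which is how a beaconing task stands out. The sample task definition is constructed, with placeholders for the task name, command and arguments; the schema namespace and element names are the real Task Scheduler ones.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in the Task Scheduler XML schema. The URI,
# command and arguments are placeholders, not the lab's SecurityScript task.
# Real task files are UTF-16 with a BOM, so the sample is encoded the same way.
SAMPLE_TASK_BYTES = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\PLACEHOLDER-TaskName</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2021-07-30T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\PLACEHOLDER\\beacon.exe</Command>
      <Arguments>--placeholder-args</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

ISO_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def parse_iso_duration(s):
    """Convert a Task Scheduler interval such as PT1M or PT1H30M to seconds."""
    m = ISO_DURATION.match(s or "")
    if not m:
        return None
    d, h, mi, sec = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + sec


def load_task_xml(raw):
    """Decode a task file (UTF-16 with BOM as Windows writes them, else UTF-8)
    and parse it. The XML declaration is dropped because ElementTree rejects a
    str that declares a multi-byte encoding."""
    text = raw.decode("utf-16") if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else raw.decode("utf-8")
    return ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", text))


def summarize_task(root):
    """Pull out what an analyst needs: what runs, with which arguments, how often."""
    exec_ = root.find("t:Actions/t:Exec", NS)
    interval = root.findtext(".//t:Repetition/t:Interval", default=None, namespaces=NS)
    return {
        "uri": root.findtext("t:RegistrationInfo/t:URI", default="", namespaces=NS),
        "command": exec_.findtext("t:Command", default="", namespaces=NS) if exec_ is not None else "",
        "arguments": exec_.findtext("t:Arguments", default="", namespaces=NS) if exec_ is not None else "",
        "interval": interval,
        "interval_seconds": parse_iso_duration(interval),
    }


def looks_like_beacon(summary, max_interval_seconds=300):
    """A task that re-runs every few minutes deserves a closer look."""
    secs = summary["interval_seconds"]
    return secs is not None and 0 < secs <= max_interval_seconds


if __name__ == "__main__":
    info = summarize_task(load_task_xml(SAMPLE_TASK_BYTES))
    print(info, "beacon-like:", looks_like_beacon(info))
```

The threshold of 300 seconds is a choice for the example; the lab's task fires every minute, so it is well inside it.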

Hunts

At the top left of Velociraptor, click the three-bar icon.

In the column that appears, click "Hunt Manager", as shown below.

At the top left, click the plus-sign, outlined in green in the image below.

Enter a Description of Detect securitytest beaconer, as shown below.

At the bottom left, click the blue "Select Artifacts" button.

Find these collectors, and click each one to highlight it.

Then search for the next one and highlight it.

Windows.Sysinternals.SysmonInstall (Omit for Windows on ARM)
Windows.EventLogs.EvtxHunter
Windows.System.TaskScheduler
Windows.System.DNSCache
At the bottom left, click the blue "Configure Parameters" button.

You see four artifacts, as shown below.

Configure these parameters by clicking the appropriate wrench icons:

Windows.Sysinternals.SysmonInstall
      No parameter changes

Windows.EventLogs.EvtxHunter
      IocRegex: securitytest

Windows.System.TaskScheduler
      TasksPath: c:/Windows/System32/Tasks/SecurityScript

Windows.System.DNSCache
      No parameter changes

At the bottom right, click Launch.

In the next page, in the center pane, click the hunt's name to select it.

At the top left, click the right-arrow to run the hunt, outlined in green in the image below.

Click Run It!.

IR 373.6: TaskScheduler/Analysis (10 pts)

In the center pane, click the hunt's name to select it.

In the lower pane, click the Notebook tab.

Find the Windows.System.TaskScheduler/Analysis section.

The flag is covered by a green rectangle in the image below.

Remediation

On your Windows machine, in an Administrator Command Prompt, execute these commands:

schtasks /delete /tn SecurityScript /f
rmdir /s "%userprofile%\downloads\security" /q

Posted 7-30-2021
Wireshark install added 8-2-2021
Number at top corrected 10-21-21
Flag 4 changed 10-22-21
Tips added 11-9-22
Many images and instructions updated 3-15-24
Video added 4-17-24
Updated for Win 11 11-29-24