Developer Mistake Or Insider Risk

Lab Description:

In this lab, you will explore how attackers can exploit user trust. A seemingly legitimate script is executed by the user without proper verification, unknowingly opening a backdoor for threat actors. You will investigate how attackers perform system enumeration and establish persistence using a Command and Control (C2) framework. Through this exercise, you will identify key tactics and techniques used by attackers, analyze system behaviors, and uncover the steps taken by threat actors to maintain access to compromised systems.

Lab Objectives:

  • Script Execution: Analyze how the script was executed and determine its origin (email, download, etc.).

  • Backdoor Creation: Identify the backdoor the script creates, including any new services, processes, or registry keys. Investigate network connections to suspicious IPs or domains.

  • Command and Control (C2) Communication: Track communication with external C2 servers.

  • System Enumeration: Monitor actions performed by the attacker after gaining access, such as listing files, gathering system information, or probing for additional vulnerabilities.

  • Persistence Mechanisms: Investigate methods used by the attacker to maintain access, such as scheduled tasks, startup items, or modified system files.

  • Privilege Escalation: Check if the attacker escalated privileges, modified user permissions, or exploited vulnerabilities for system-wide control.

  • Log Analysis: Review system, security, application and other logs for unusual activity or errors related to the attacker's actions.

  • File and Process Activity: Identify any dropped files, created processes, or modified binaries related to the script or attacker activity.

  • Impact Assessment: Assess the extent of system compromise, including any stolen data or further exploitation.

Tools and Techniques:

  • Disk Forensics: FTK Imager, Sleuth Kit
  • Log Analysis: any preferred tool or SIEM
  • Memory Forensics: Volatility

Lab Evidence:

You will get access to all the evidence collected from the breached host.

Password: threatbreach.io

Download either one of the memory dumps (.dmp or .mem); you only need one. The .dmp was captured with RamCapture and the .mem with DumpIt.

Link To Evidence                    SHA1
TB-CorpServer.E01                   e2d9d9dba8dbbf7872d77da4602f2579e9bcdbd1
TB-CORPSERVER-20240909.mem          f057f88efb88688da8d168a0d7845eac2dee13a5
TB-CORPSERVER-20240909-121403.dmp   c028b42a9dffe692e2bd2ed47a6bc941c90e37b6
Kape.7z                             45e07adc5fe1fb2eada193b9dae048434de3f621
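Before mounting the E01 or loading a dump into Volatility, verify that each download matches the SHA1 listed above; a mismatched image means a corrupted or tampered download and any findings drawn from it are unreliable. The script below is an added example, not part of the lab or of threatbreach.io's tooling. It embeds the four hashes from the table as a manifest, hashes each file in streaming fashion (the images are large), and reports a missing file separately from a mismatch, since the lab only requires one of the two memory dumps. The directory argument and the file names it expects are assumed to match how you saved the evidence.

```python
import hashlib
import sys
from pathlib import Path

# Manifest copied from the lab page: file name -> expected SHA1.
EVIDENCE_SHA1 = {
    "TB-CorpServer.E01": "e2d9d9dba8dbbf7872d77da4602f2579e9bcdbd1",
    "TB-CORPSERVER-20240909.mem": "f057f88efb88688da8d168a0d7845eac2dee13a5",
    "TB-CORPSERVER-20240909-121403.dmp": "c028b42a9dffe692e2bd2ed47a6bc941c90e37b6",
    "Kape.7z": "45e07adc5fe1fb2eada193b9dae048434de3f621",
}


def sha1_of_file(path, chunk_size=4 * 1024 * 1024):
    """Stream the file through SHA1 so a multi-GB image never has to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_evidence(evidence_dir, manifest=EVIDENCE_SHA1):
    """Return {file name: status}, where status is 'ok', 'MISMATCH' or 'missing'.

    A missing file is reported but is not a failure: the lab asks for only one
    of the two memory dumps, so the other is expected to be absent.
    """
    results = {}
    for name, expected in manifest.items():
        path = Path(evidence_dir) / name
        if not path.is_file():
            results[name] = "missing"
            continue
        actual = sha1_of_file(path)
        results[name] = "ok" if actual.lower() == expected.lower() else "MISMATCH"
    return results


if __name__ == "__main__":
    # Usage: python verify_evidence.py /path/to/evidence  (assumed directory layout)
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = verify_evidence(target)
    for name, status in results.items():
        print(f"{status:9} {name}")
    # Non-zero exit on any mismatch so the check can gate an automated intake step.
    if "MISMATCH" in results.values():
        sys.exit(1)
```

Record the computed hashes alongside your notes; if the writeup is ever evaluated, the reviewer can confirm you worked from the same images.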

Writeup

The writeup will be published soon. If you want your writeup to be evaluated, send it to labs[@]threatbreach.io.