IR 373: Investigating a Bot with Velociraptor (50 pts)

What You Need for This Project

Purpose

To infect a Windows machine with a simple malware sample, and investigate the infection from a Linux Velociraptor server.

Task 1: Infecting the Windows Machine

This sample simulates a PUP (Potentially Unwanted Program).

Execute the steps below on your Windows machine.

Disable Windows Defender

If you are using our private cloud machines, skip this section.
Defender is already disabled.

1. Next to the Start button, search for "Defender". Open "Windows Security settings" or "Windows Defender settings".
2. Click "Virus & threat protection".
3. Under "Virus & threat protection settings", click "Manage settings".
4. Turn off "Tamper Protection".
5. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
6. Turn off "Cloud-delivered protection" and "Automatic sample submission".

Install the Simulated Botnet

1. Download this file: https://samsclass.info/152/proj/security.zip
2. Right-click security.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. Run Bginfo64.exe as administrator. When it asks questions, just close it.

ATT&CK Techniques

This simulated PUP infection demonstrates these ATT&CK techniques:

T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1053.005: Scheduled Task/Job: Scheduled Task
T1562.001: Impair Defenses: Disable or Modify Tools

Task 2: Investigating the Incident with Velociraptor

Connecting to the Client

You should have a Linux machine with Velociraptor installed, with the Windows machine as a client.

In the Velociraptor GUI, at the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Capturing Network Traffic Remotely and Finding Beacons

We'll capture network traffic from the client.

First, execute these commands on your Linux machine to install Wireshark.

sudo apt update
sudo apt install wireshark -y
When Wireshark asks a question, just press Enter to accept the default option.

Find this collector, as shown below.

Windows.Network.PacketCapture

Launch the collector without changing the parameters.

In the results, copy the path to the .etl file, as shown below.

Wait a minute and add the same collector again.

Adjust the parameters as shown below.

Launch this collector.

When it finishes, click the "Uploaded Files" tab. A link appears to a .pcapng file, as shown below.

Click the link, download the .pcapng file, and open it in Wireshark.

In Wireshark, click Statistics, Conversations. Click the TCP tab.

Several conversations appear, as shown below.

The traffic to port 8000 is Velociraptor's own client-to-server channel. The traffic to port 80 is the beacons.

Right-click a conversation to port 80 and click "Apply as Filter", Selected.

The main Wireshark window shows beacon traffic, as shown below.

IR 373.1: User-Agent (10 pts)

Right-click a beacon packet and click Follow, "TCP Stream".

The flag is covered by a green rectangle in the image below.

IR 373.2: C&C Domain Name (5 pts)

Launch this collector, with no parameter changes.
Windows.System.DNSCache
The DNS cache usually contains the C&C domain name, outlined in red in the image below. The cache is cleared periodically, so you may have to run the collector again to see it.

The flag is covered by a green rectangle in the image below.

IR 373.3: Beaconing EXE (10 pts)

Create a text file containing this YARA rule, which will find files referencing the C&C domain name:
rule secrep
{
    strings:
        $s = "securityreport" ascii wide

    condition:
        $s
}
Find this collector:
Windows.Search.Yara
On the right side, click the link and upload your YARA rule.

Configure parameters to look for exe files.

Launch the collector.

It finds the file responsible for the beacons, as shown below.

The flag is covered by a green rectangle in the image below.
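The rule above uses the `ascii wide` modifiers. The `wide` form matters on Windows, where compiled programs often store strings as UTF-16LE, so a plain ASCII grep for "securityreport" would miss them. The following is an added example, not part of the original project and not Velociraptor's own YARA engine: a small matcher that does what those two modifiers do and applies the "exe files only" restriction. The sample "files", their names and their contents are constructed for the example; the real sample's contents are not shown here.

```python
import re


def yara_string_variants(text):
    # YARA's `ascii wide` modifiers: the rule matches either the plain ASCII
    # bytes or the UTF-16LE ("wide") form, which is how many Windows programs
    # store strings internally.
    return {"ascii": text.encode("ascii"), "wide": text.encode("utf-16-le")}


def find_matches(data, variants):
    # Return (encoding, offset) for every occurrence of any variant in data.
    hits = []
    for enc, pattern in variants.items():
        for m in re.finditer(re.escape(pattern), data):
            hits.append((enc, m.start()))
    return sorted(hits, key=lambda h: h[1])


def looks_like_pe(data):
    # Every Windows EXE/DLL starts with the "MZ" DOS header.
    return data[:2] == b"MZ"


def scan(files, text, exe_only=True):
    # files: {name: bytes}. With exe_only=True only PE files named *.exe are
    # scanned, mirroring the "look for exe files" restriction used above.
    variants = yara_string_variants(text)
    results = {}
    for name, data in files.items():
        if exe_only and not (name.lower().endswith(".exe") and looks_like_pe(data)):
            continue
        hits = find_matches(data, variants)
        if hits:
            results[name] = hits
    return results


# Constructed sample "files" for this example (hypothetical names and contents,
# not the lab's real sample).
SAMPLE_FILES = {
    # a PE that embeds the domain as a UTF-16LE string, as compiled Windows code often does
    "beacon.exe": b"MZ" + b"\x90" * 62
                  + "http://securityreport.example/".encode("utf-16-le") + b"\x00" * 8,
    # a PE with no reference to the domain
    "clean.exe": b"MZ" + b"\x00" * 64,
    # a text file with the plain-ASCII string; skipped when exe_only=True
    "notes.txt": b"contacted securityreport last night\n",
}

if __name__ == "__main__":
    print(scan(SAMPLE_FILES, "securityreport"))
    print(scan(SAMPLE_FILES, "securityreport", exe_only=False))
    # an ASCII-only search misses the UTF-16LE copy in the EXE
    print(find_matches(SAMPLE_FILES["beacon.exe"], {"ascii": b"securityreport"}))
```

The last print shows why `wide` is in the rule: with only the ASCII variant, the EXE that carries the domain as UTF-16LE produces no hit at all.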

IR 373.4: Using Sysmon to find a Persistence Mechanism (10 pts)

Launch this collector to install Sysmon on the client:
Windows.Sysinternals.SysmonInstall
Then launch this collector to collect the sysmon event logs:
Windows.EventLogs.EvtxHunter
Use these parameters:
  • IocRegex: securitytest
  • ChannelRegex: Sysmon
  • DateAfter: set to five minutes before the current time
  • IdRegex: 1
In the Results page, click the icon at the top left and clear the EventData and Message fields, as shown below.

Now you can see the times of these events, showing that a new process is created exactly at the start of every minute, as shown below. This suggests the use of a scheduled task.

Click the icon at the top left and show all the fields again.

Scroll down and look in the ParentCommandLine for the flag, covered by a green rectangle in the image below.
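Both the Wireshark step (port-80 conversations that recur at a steady interval) and the Sysmon step (process creations at the start of every minute) rely on the same observation: malware driven by a timer produces events with a near-constant gap, while normal traffic does not. The following is an added example, not code from the original project or from Velociraptor, that makes that check explicit so it can be run over exported data instead of eyeballed. The conversation records and Sysmon timestamps are constructed for the example; the addresses, times and the 10 % jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev


def periodicity(times, min_events=4, max_jitter_ratio=0.1):
    # times: event times in seconds. Returns stats, or None if too few events.
    # A beacon shows a steady gap between events; "jitter" is the standard
    # deviation of those gaps, compared with the typical (median) gap.
    times = sorted(times)
    if len(times) < min_events:
        return None
    gaps = [b - a for a, b in zip(times, times[1:])]
    period = median(gaps)
    jitter = pstdev(gaps)
    return {
        "count": len(times),
        "period": period,
        "jitter": jitter,
        "periodic": period > 0 and jitter <= max_jitter_ratio * period,
    }


def find_beacons(flows, **kwargs):
    # flows: records shaped like rows of Wireshark's Statistics > Conversations
    # table (destination, port, relative start time). Group by destination and
    # keep only the destinations whose conversations start at a steady cadence.
    starts = defaultdict(list)
    for f in flows:
        starts[(f["dst"], f["dport"])].append(f["start"])
    found = {}
    for key, t in starts.items():
        stats = periodicity(t, **kwargs)
        if stats and stats["periodic"]:
            found[key] = stats
    return found


def parse_utc(ts):
    # Sysmon's UtcTime field, without fractional seconds, e.g. 2021-07-30T10:01:00
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def sysmon_cadence(timestamps, **kwargs):
    # Same periodicity test applied to Sysmon event ID 1 (process create) times.
    return periodicity([parse_utc(t).timestamp() for t in timestamps], **kwargs)


def minute_aligned_fraction(timestamps):
    # Share of events that fire at :00 seconds, the signature of a scheduled
    # task with a one-minute repetition trigger.
    dts = [parse_utc(t) for t in timestamps]
    return sum(1 for d in dts if d.second == 0) / len(dts)


# Constructed input 1: TCP conversations from the client (hypothetical
# addresses and relative start times in seconds).
FLOWS = [
    # beacons to a web server: one every minute, small jitter
    {"dst": "203.0.113.10", "dport": 80, "start": 0.4},
    {"dst": "203.0.113.10", "dport": 80, "start": 60.5},
    {"dst": "203.0.113.10", "dport": 80, "start": 120.3},
    {"dst": "203.0.113.10", "dport": 80, "start": 180.6},
    {"dst": "203.0.113.10", "dport": 80, "start": 240.4},
    {"dst": "203.0.113.10", "dport": 80, "start": 300.5},
    # Velociraptor client traffic to the server: irregular
    {"dst": "10.0.0.5", "dport": 8000, "start": 0.0},
    {"dst": "10.0.0.5", "dport": 8000, "start": 7.3},
    {"dst": "10.0.0.5", "dport": 8000, "start": 45.9},
    {"dst": "10.0.0.5", "dport": 8000, "start": 46.2},
    {"dst": "10.0.0.5", "dport": 8000, "start": 130.8},
    # too few events to judge
    {"dst": "192.0.2.7", "dport": 443, "start": 12.0},
    {"dst": "192.0.2.7", "dport": 443, "start": 98.0},
]

# Constructed input 2: UtcTime of Sysmon event ID 1 rows for the beaconer.
SYSMON_TIMES = [
    "2021-07-30T10:01:00", "2021-07-30T10:02:00", "2021-07-30T10:03:00",
    "2021-07-30T10:04:00", "2021-07-30T10:05:00",
]

if __name__ == "__main__":
    for key, stats in find_beacons(FLOWS).items():
        print("beacon candidate", key, "period %.1fs jitter %.2fs" % (stats["period"], stats["jitter"]))
    print("sysmon cadence", sysmon_cadence(SYSMON_TIMES))
    print("minute-aligned fraction", minute_aligned_fraction(SYSMON_TIMES))
```

The jitter threshold is the knob to tune: real implants often add random sleep, so a 10 % allowance catches the lab sample but a looser one may be needed elsewhere, at the cost of more false positives from polling software that also runs on a timer.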

IR 373.5: Scheduled Tasks (5 pts)

Launch this collector, with no changes to the parameters:
Windows.System.TaskScheduler
Find the beaconing command, outlined in red in the image below.

The flag is covered by a green rectangle in the image below.
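The Windows.System.TaskScheduler collector reads the task definitions under C:\Windows\System32\Tasks and shows the command each one runs. The following is an added example, not the collector's own code, showing what it extracts: the trigger's repetition interval (which explains the once-a-minute process creations seen in Sysmon) and the action's command line. The task XML is constructed for the example; its task name, interval, path and command are hypothetical and are not the lab sample's actual values.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by every task file Task Scheduler writes.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def iso_duration_seconds(d):
    # Repetition intervals are ISO 8601 durations: PT1M, PT1H30M, P1D ...
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", d)
    if not m:
        raise ValueError("unsupported duration: " + d)
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + mins * 60 + secs


def parse_task(xml_data):
    # xml_data: str or bytes of one task file. On disk these files are UTF-16
    # with an XML declaration; passing the raw bytes lets ElementTree honour it.
    root = ET.fromstring(xml_data)
    triggers = []
    triggers_el = root.find("t:Triggers", NS)
    for trig in (list(triggers_el) if triggers_el is not None else []):
        interval = trig.findtext("t:Repetition/t:Interval", default=None, namespaces=NS)
        triggers.append({
            "type": trig.tag.split("}")[-1],          # CalendarTrigger, TimeTrigger, LogonTrigger ...
            "start": trig.findtext("t:StartBoundary", default=None, namespaces=NS),
            "interval": interval,
            "interval_seconds": iso_duration_seconds(interval) if interval else None,
        })
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        actions.append({
            "command": ex.findtext("t:Command", default="", namespaces=NS),
            "arguments": ex.findtext("t:Arguments", default="", namespaces=NS),
        })
    return {"triggers": triggers, "actions": actions}


def short_interval_triggers(parsed, max_seconds=300):
    # Triggers that repeat every few minutes are the shape of a beaconing
    # persistence mechanism; legitimate tasks rarely run that often.
    return [t for t in parsed["triggers"]
            if t["interval_seconds"] is not None and t["interval_seconds"] <= max_seconds]


# Constructed sample task definition (hypothetical values). Real files also
# begin with <?xml version="1.0" encoding="UTF-16"?>.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition>
        <Interval>PT1M</Interval>
        <StopAtDurationEnd>false</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>2021-07-30T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -File "C:\Users\student\Downloads\security\report.ps1"</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    parsed = parse_task(SAMPLE_TASK_XML)
    for t in short_interval_triggers(parsed):
        print("repeats every %d s (%s)" % (t["interval_seconds"], t["type"]))
    for a in parsed["actions"]:
        print("runs:", a["command"], a["arguments"])
```

To use this on a real task, collect the file with Velociraptor (the TasksPath parameter used in the hunt below points at one task) and pass its bytes to parse_task; the command and arguments it prints are what the lab calls the beaconing command.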

Hunts

At the top left of Velociraptor, click the three-bar icon.

In the column that appears, click "Hunt Manager", as shown below.

At the top left, click the plus-sign, outlined in green in the image below.

Enter a Description of Detect securitytest beaconer, as shown below.

At the bottom left, click the blue "Select Artifacts" button.

Find these collectors, and click each one to highlight it.

Then search for the next one and highlight it.

Windows.Sysinternals.SysmonInstall
Windows.EventLogs.EvtxHunter
Windows.System.TaskScheduler
Windows.System.DNSCache
At the bottom left, click the blue "Configure Parameters" button.

You see four artifacts, as shown below.

Configure these parameters by clicking the appropriate wrench icons:

Windows.Sysinternals.SysmonInstall
      No parameter changes

Windows.EventLogs.EvtxHunter
      IocRegex: securitytest
      DateAfter: set to a time five minutes in the past

Windows.System.TaskScheduler
      TasksPath: c:/Windows/System32/Tasks/SecurityScript

Windows.System.DNSCache
      No parameter changes

At the bottom right, click Launch.

In the next page, in the center pane, click the hunt's name to select it.

At the top left, click the right-arrow to run the hunt, outlined in green in the image below.

Click Run It!.

IR 373.6: TaskScheduler/Analysis (10 pts)

In the center pane, click the hunt's name to select it.

In the lower pane, click the Notebook tab.

Find the Windows.System.TaskScheduler/Analysis section.

The flag is covered by a green rectangle in the image below.

Remediation

On your Windows machine, in an Administrator Command Prompt, execute these commands to remove the scheduled task and the extracted sample:
schtasks /delete /tn SecurityScript /f
rmdir /s "%userprofile%\downloads\security" /q

Posted 7-30-2021
Wireshark install added 8-2-2021
Number at top corrected 10-21-21
Flag 4 changed 10-22-21