Execute the steps below on your Windows machine.
1. Next to the Start button, search for "Defender". Open "Windows Security settings" or "Windows Defender settings".
2. Click "Virus & threat protection".
3. Under "Virus & threat protection settings", click "Manage settings".
4. Turn off "Tamper Protection".
5. Under Exclusions, click "Add or remove exclusions". Click "Add an exclusion", Folder. Double-click C:\. Click "Select Folder". At the top left, click the back-arrow.
6. Turn off "Cloud-delivered protection" and "Automatic sample submission".
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1053.005: Scheduled Task/Job: Scheduled Task
T1562.001: Impair Defenses: Disable or Modify Tools
In the Velociraptor GUI, at the top center, click the "Show All" button.
Click your client's Client ID, which appears in blue text, as shown below.
First, execute these commands on your Linux machine to install Wireshark.
sudo apt update
sudo apt install wireshark -y
When Wireshark asks a question, just press Enter to accept the default option.
Find this collector, as shown below.
Windows.Network.PacketCapture
Launch the collector without changing the parameters.
In the results, copy the path to the .etl file, as shown below.
Wait a minute and add the same collector again.
Adjust the parameters as shown below.
When it finishes, click the "Uploaded Files" tab. A link appears to a .pcapng file, as shown below.
Click the link, download the .pcapng file, and open it in Wireshark.
Troubleshooting
You may see the error message shown below. To fix that, on your Windows system, open this Web page:
https://github.com/microsoft/etl2pcapng/releases
Download the etl2pcapng.exe file into your Downloads folder. Open an Administrator Command Prompt and execute these commands:
cd %USERPROFILE%
cd Downloads
.\etl2pcapng\etl2pcapng\x64\etl2pcapng.exe C:\Windows\SystemTemp\NetTraces\NetTrace.etl trace.pcapng
Now open the trace.pcapng file in your Downloads folder in Wireshark.
IR 373.1: User-Agent (10 pts)
In Wireshark, enter this display filter:
http.request.method == "GET"
Find the requests to a subdomain of "samsclass.info". Expand the packet details to find the User-Agent. That's the flag, as shown below.
IR 373.2: DNS Cache (5 pts)
On some networks, the DNS cache is always empty. If that happens, change the DNS server on your Windows machine to 8.8.8.8 and collect another PCAP.
Launch this collector, with no parameter changes.
Windows.System.DNSCache
The DNS cache usually contains the C & C domain name, outlined in red in the image below. You may have to try again to see it. The flag is covered by a green rectangle in the image below.
IR 373.3: Beaconing EXE (10 pts)
Find this collector:
Windows.Search.Yara
Use this YARA rule, which will find files referencing the C & C domain name:
rule secrep { strings: $s = "securityreport" ascii wide condition: $s }
Use a nameRegex of
exe$
as shown below. Launch the collector.
It finds the file responsible for the beacons, as shown below.
The flag is covered by a green rectangle in the image below.
IR 373.4: Using Sysmon to find a Persistence Mechanism (10 pts)
First examine the date and time on your Windows machine. Make sure it is correct. Launch this collector to install Sysmon on the client:
Windows on ARM
If you are using Windows on ARM (a Mac M1 or M2 host), you need to use a different Sysmon binary. On your Windows machine, in a browser, download Sysmon.zip from this URL:
https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon
Unzip the Sysmon.zip file and find the Sysmon64a.exe file. Move that file to your desktop.
Then go to this URL and click the down-arrow icon on the right to download the sysmonconfig-export.xml file:
https://github.com/SwiftOnSecurity/sysmon-config/blob/master/sysmonconfig-export.xml
Move that file to your desktop. In an Administrator Command Prompt or Terminal, execute these commands, as shown below. Use the correct user name for your system instead of "student".
cd C:\Users\student\Desktop
.\Sysmon64a.exe -i .\sysmonconfig-export.xml
The installation should succeed, as shown below.
Skip the "Windows.Sysinternals.SysmonInstall" collector below and proceed with "Windows.EventLogs.EvtxHunter".
Windows.Sysinternals.SysmonInstall
Examine the Results. This installation must succeed to complete this flag. Then launch this collector to collect the Sysmon event logs:
Windows.EventLogs.EvtxHunter
Use these parameters:
- IocRegex: securitytest
- ChannelRegex: Sysmon
- DateAfter: set to five minutes before the current time
- IdRegex: 1
In the Results page, click the icon at the top left and clear the EventData and Message fields, as shown below.
Now you can see the times of these events, showing that a new process is created exactly at the start of every minute, as shown below. This suggests the use of a scheduled task.
Click the icon at the top left and show all the fields again.
Scroll down and look in the ParentCommandLine for the flag, covered by a green rectangle in the image below.
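The cadence check you just did by eye can be automated. As an added example (not part of this lab or of Velociraptor), the Python below takes Sysmon Event ID 1 records in the shape EvtxHunter returns (UtcTime, Image, ParentCommandLine), applies the lab's IocRegex, and flags any image whose creations are spaced a steady 60 seconds apart; the events, domain and flag value are constructed placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed Sysmon Event ID 1 records in the shape EvtxHunter returns;
# the domain, paths and flag are placeholders, not real lab output.
BEACON_PARENT = "cmd.exe /c curl http://securitytest.example/FLAG-PLACEHOLDER"

def ev(utc, image, parent, event_id=1):
    return {"EventID": event_id, "UtcTime": utc, "Image": image, "ParentCommandLine": parent}

SAMPLE_EVENTS = [
    ev("2024-03-15 18:01:00.112", r"C:\Windows\System32\curl.exe", BEACON_PARENT),
    ev("2024-03-15 18:01:17.540", r"C:\Windows\System32\notepad.exe", r"C:\Windows\Explorer.EXE"),
    ev("2024-03-15 18:02:00.201", r"C:\Windows\System32\curl.exe", BEACON_PARENT),
    ev("2024-03-15 18:02:44.009", r"C:\Windows\System32\powershell.exe", "cmd.exe /c echo securitytest-setup"),
    ev("2024-03-15 18:03:00.098", r"C:\Windows\System32\curl.exe", BEACON_PARENT),
    ev("2024-03-15 18:04:00.305", r"C:\Windows\System32\curl.exe", BEACON_PARENT),
    ev("2024-03-15 18:05:31.777", r"C:\Windows\System32\powershell.exe", "cmd.exe /c echo securitytest-setup"),
]

def parse_utc(ts):
    """Sysmon UtcTime has the form '2024-03-15 18:01:00.112'."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def find_periodic_processes(events, ioc_regex="securitytest", period_s=60.0,
                            tolerance_s=2.0, min_hits=3):
    """Filter to Event ID 1 whose ParentCommandLine matches ioc_regex (the lab's
    IocRegex), then report images whose creations are spaced period_s apart:
    a scheduled task firing every minute leaves gaps of ~60 s."""
    ioc = re.compile(ioc_regex, re.IGNORECASE)
    by_image = defaultdict(list)
    for e in events:
        if e["EventID"] == 1 and ioc.search(e.get("ParentCommandLine", "")):
            by_image[e["Image"]].append(e)
    findings = []
    for image, hits in by_image.items():
        times = sorted(parse_utc(h["UtcTime"]) for h in hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(hits) < min_hits or any(abs(g - period_s) > tolerance_s for g in gaps):
            continue  # too few samples, or no steady cadence
        findings.append({"Image": image, "Count": len(hits), "MedianGapSeconds": median(gaps),
                         "ParentCommandLine": hits[0]["ParentCommandLine"]})
    return findings

if __name__ == "__main__":
    for f in find_periodic_processes(SAMPLE_EVENTS):
        print(f"{f['Image']}: {f['Count']} starts, ~{f['MedianGapSeconds']:.1f} s apart")
        print("  ParentCommandLine:", f["ParentCommandLine"])
```

The two powershell.exe records match the IOC but are too few and too irregular to be reported, which is the same judgement you make when reading the EvtxHunter timestamps.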
IR 373.5: Scheduled Tasks (5 pts)
Launch this collector, with no changes to the parameters:
Windows.System.TaskScheduler
Find the beaconing command, outlined in red in the image below. The flag is covered by a green rectangle in the image below.
In the column that appears, click "Hunt Manager", as shown below.
At the top left, click the plus-sign, outlined in green in the image below.
Enter a Description of Detect securitytest beaconer, as shown below.
At the bottom left, click the blue "Select Artifacts" button.
Find these collectors, and click each one to highlight it. Then search for the next one and highlight it.
Windows.Sysinternals.SysmonInstall (Omit for Windows on ARM)
Windows.EventLogs.EvtxHunter
Windows.System.TaskScheduler
Windows.System.DNSCache
You see four artifacts, as shown below.
At the bottom left, click the blue "Configure Parameters" button.
Configure these parameters by clicking the appropriate wrench icons:
- Windows.Sysinternals.SysmonInstall: No parameter changes
- Windows.EventLogs.EvtxHunter: IocRegex: securitytest; DateAfter: set to a time five minutes in the past
- Windows.System.TaskScheduler: TasksPath: c:/Windows/System32/Tasks/SecurityScript
- Windows.System.DNSCache: No parameter changes
At the bottom right, click Launch.
In the next page, in the center pane, click the hunt's name to select it.
At the top left, click the right-arrow to run the hunt, outlined in green in the image below.
Click "Run It!".
IR 373.6: TaskScheduler/Analysis (10 pts)
In the center pane, click the hunt's name to select it. In the lower pane, click the Notebook tab.
Find the Windows.System.TaskScheduler/Analysis section.
The flag is covered by a green rectangle in the image below.
Cleanup
To remove the beaconer's scheduled task and its folder from your Windows machine, execute these commands in an Administrator Command Prompt:
schtasks /delete /tn SecurityScript /f
rmdir /s "%userprofile%\downloads\security" /q
Posted 7-30-2021
Wireshark install added 8-2-2021
Number at top corrected 10-21-21
Flag 4 changed 10-22-21
Tips added 11-9-22
Many images and instructions updated 3-15-24
Video added 4-17-24