IR 374: Investigating a Two-Stage RAT with Velociraptor (35 pts)

What You Need for This Project

• A Debian 10-12 Linux machine, running a Velociraptor server.
• A Windows 10 or 11 machine, 64-bit, connected to the server as a Velociraptor client.

Purpose

Task 1: Installing Sysmon on the Windows Machine

Connecting to the Client

In the Velociraptor GUI, at the top center, click the "Show All" button.

Click your client's Client ID, which appears in blue text, as shown below.

Installing Sysmon

Windows.Sysinternals.SysmonInstall

Examine the Results. This installation should succeed.

Windows on Apple Silicon (ARM) If you are using Windows on ARM (a Mac M1 or later host), you need to manually install sysmon. At the top right of the Velociraptor page, click the green button labelled DESKTOP. Click >_Shell. Select a shell type of Powershell and execute these commands, one by one, as shown below: mkdir c:\sysmon Invoke-WebRequest https://live.sysinternals.com/tools/ARM64/Sysmon64a.exe -O c:\sysmon\sysmon.exe Invoke-WebRequest https://raw.githubusercontent.com/SwiftOnSecurity/sysmon-config/master/sysmonconfig-export.xml -O c:\sysmon\config.xml Select a shell type of Cmd and execute the command below: c:\sysmon\sysmon.exe -i c:\sysmon\config.xml -accepteula At the bottom of the page, in the last command section, click the eye icon to see the output. Sysmon should install and start successfully, as outlined in red in the image below.

Task 2: Installing 7-Zip on the Windows Machine

https://7-zip.org/

Download and install the appropriate version of 7-Zip for your hardware.

Task 3: Infecting the Windows Machine

Execute the steps below on your Windows machine.

Install the Malware

Task 4: Investigating the Incident with Velociraptor

IR 374.1: Auditing Network Connections (5 pts) Launch this collector, with no parameter changes. Windows.Network.Netstat The flag is the port the "shellbind" process is listening on, covered by a green rectangle in the image below.

IR 374.2: Auditing Autoruns (10 pts) Launch this collector, with no parameter changes. Windows.Sysinternals.Autoruns There are more than 1000 results. Use the button outlined in red in the image below to download a JSON file. Search that file for shellbind. The flag is the path to the "shellbind.exe" file, covered by a green rectangle in the image below. Make a note of this path--you'll need it later.

IR 374.3: Creation Time (5 pts) Note: you must first find the path in 374.2 Launch this collector: Windows.System.PowerShell In "Confgure Parameters", do a directory of the folder containing the "shellbind.exe" file. That folder contains two files, with different timestamps. Find the more recent timestamp, outlined in red in the image below. This is the time of the attack, which will be helpful when examining logs later. The flag is covered by a green rectangle in the image below.

IR 374.4: Prefetch (5 pts) Launch this collector: Windows.Forensics.Prefetch In "Confgure Parameters", enter a "binaryRegex" of shellbind.exe Note the LastRunTimes, in red font in the image below. This is the time of the attack, which will be helpful when examining logs later. I ran it twice, so I have two run times--you will only have one time. The flag is covered by a green rectangle in the image below.

IR 373.5: Sysmon Logs (10 pts) Launch this collector to collect the sysmon event logs: Windows.EventLogs.EvtxHunter Use this parameter: IocRegex shellbind Look through the Message column for the events until you find the event shown below, with the command line outlined in red. This command was used to extract and decrypt the shellcode. The flag is covered by a green rectangle in the image below.

Remediation

Posted 9-30-21
Updated for Win 11 on 11-29-24