In the Velociraptor GUI, at the top center, click the "Show All" button.
Click your client's Client ID, which appears in blue text, as shown below.
Windows.Sysinternals.SysmonInstall
Download and install the 64-bit version of 7-Zip.
Execute the steps below on your Windows machine.
IR 374.1: Auditing Network Connections (5 pts)
Launch this collector, with no parameter changes:
Windows.Network.Netstat
The flag is the port the "shellbind" process is listening on, covered by a green rectangle in the image below.
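A host-side cross-check for the port reported by Windows.Network.Netstat, as an added example that is not part of the original page. It maps each listening TCP socket to its owning process and keeps only the ones belonging to the process name you pass in (here "shellbind", taken from the page). It uses Get-NetTCPConnection's OwningProcess property, which needs Windows 10 / Server 2016 or later, and must be run in an elevated PowerShell to see other users' processes.

```powershell
# Added example (not from the original page): find the port(s) a named process
# is listening on, the local equivalent of reading Windows.Network.Netstat.
# Requires an elevated PowerShell on Windows 10 / Server 2016 or later.

function Get-ListeningPortsByProcess {
    param(
        [Parameter(Mandatory)][string]$ProcessName   # e.g. 'shellbind' (no .exe)
    )
    # Only TCP listeners are covered; a bind shell listens on TCP.
    $listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue
    foreach ($sock in @($listeners)) {
        $proc = Get-Process -Id $sock.OwningProcess -ErrorAction SilentlyContinue
        if ($null -ne $proc -and $proc.ProcessName -eq $ProcessName) {
            [pscustomobject]@{
                Address = $sock.LocalAddress   # 0.0.0.0 / :: means bound on all interfaces
                Port    = $sock.LocalPort
                PID     = $sock.OwningProcess
                Path    = $proc.Path           # $null if the process runs at a higher integrity level
            }
        }
    }
}

# Usage: the Port column should match the flag for 374.1.
Get-ListeningPortsByProcess -ProcessName 'shellbind' | Format-Table -AutoSize
```

If the function returns nothing, the process may already have exited (the collector reads the live socket table, so run it while the bind shell is up), or the name differs from the image name; check with `Get-Process | Where-Object Path -like '*shellbind*'`.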
IR 374.2: Auditing Autoruns (10 pts)
Launch this collector, with no parameter changes:
Windows.Sysinternals.Autoruns
There are more than 1000 results. Use the buttons outlined in red in the image below to get the results in a form that allows you to search for shellbind.
The flag is the path to the "shellbind.exe" file, covered by a green rectangle in the image below.
IR 374.3: Creation Time (5 pts)
Note: you must first find the path in 374.2.
Launch this collector:
Windows.System.PowerShell
In "Configure Parameters", do a directory listing of the folder containing the "shellbind.exe" file. That folder contains two files, with different timestamps. Find the more recent timestamp, outlined in red in the image below. This is the time of the attack, which will be helpful when examining logs later.
The flag is covered by a green rectangle in the image below.
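A directory listing that shows the timestamps a plain `dir` hides, as an added example that is not part of the original page. It can be pasted into the command parameter of Windows.System.PowerShell (the parameter name is assumed to be "Command") or run locally. `$Folder` is a placeholder for the folder you found in 374.2. Times are printed in UTC because Velociraptor's Prefetch and event log results, and the time window you enter in 374.5, are in UTC; PowerShell shows local time by default.

```powershell
# Added example (not from the original page): list every file in the folder from
# 374.2 with creation, last-write and last-access times in UTC, then report the
# most recent creation time as the attack time. $Folder is a placeholder.
$Folder = 'C:\path\from\374.2'   # replace with the folder containing shellbind.exe

function Get-FolderTimeline {
    param([Parameter(Mandatory)][string]$Folder)
    # -Force includes hidden files; -LiteralPath avoids wildcard expansion in odd paths.
    Get-ChildItem -LiteralPath $Folder -Force -File |
        ForEach-Object {
            [pscustomobject]@{
                Name              = $_.Name
                Length            = $_.Length
                CreationTimeUtc   = $_.CreationTimeUtc
                LastWriteTimeUtc  = $_.LastWriteTimeUtc
                LastAccessTimeUtc = $_.LastAccessTimeUtc
            }
        } | Sort-Object CreationTimeUtc
}

$timeline = Get-FolderTimeline -Folder $Folder
$timeline | Format-Table -AutoSize

# The newest creation time is when the last file was dropped into the folder.
$latest = $timeline | Sort-Object CreationTimeUtc -Descending | Select-Object -First 1
if ($null -ne $latest) {
    'Most recent creation: {0} at {1:yyyy-MM-ddTHH:mm:ss}Z' -f $latest.Name, $latest.CreationTimeUtc
}
```

CreationTime and LastWriteTime come from the $STANDARD_INFORMATION attribute and can be altered by an attacker (timestomping); the Prefetch last-run time in 374.4 and the Sysmon events in 374.5 are independent sources, so compare all three.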
IR 374.4: Prefetch (5 pts)
Launch this collector:
Windows.Forensics.Prefetch
In "Configure Parameters", enter a "binaryRegex" of shellbind.exe
Note the LastRunTimes, in red font in the image below. This is the time of the attack, which will be helpful when examining logs later. I ran it twice, so I have two run times--you will only have one time.
The flag is covered by a green rectangle in the image below.
IR 374.5: Sysmon Logs (10 pts)
Launch this collector to collect the Sysmon event logs:
Windows.EventLogs.Evtx
Use these parameters:
- PathRegex sysmon
- Restrict the time to the time of the event you found in the last two flags, plus or minus five minutes.
Scroll through the results to find the event shown below, when you ran the "pup5.bat" file.
Look through the events after that one until you find the event shown below, which was used to extract and decrypt the shellcode.
The flag is covered by a green rectangle in the image below.
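The same hunt done locally with Get-WinEvent, as an added example that is not part of the original page. It pulls Sysmon events from the operational channel within plus or minus five minutes of the attack time, unpacks the EventData fields from the event XML, locates the process-creation event whose command line mentions "pup5.bat" (the name from the page), and prints that event and everything after it in the window, which is the span you scroll through for the flag. `$AttackTimeUtc` is a placeholder for the time from 374.3 or 374.4; reading the Sysmon channel requires an elevated PowerShell.

```powershell
# Added example (not from the original page): the Windows.EventLogs.Evtx hunt from
# 374.5 run locally against the Sysmon operational log. Requires elevation.
# $AttackTimeUtc is a placeholder; an ISO string with a trailing Z is accepted.
$AttackTimeUtc = [datetime]'2021-09-30T00:00:00Z'   # replace with the time from 374.3 / 374.4

function Get-SysmonEventsAround {
    param(
        [Parameter(Mandatory)][datetime]$AttackTimeUtc,
        [int]$WindowMinutes = 5,
        [int[]]$EventId = @(1)            # Sysmon event 1 = Process Create
    )
    # Get-WinEvent filters on local time; ToLocalTime() is a no-op if the value is already local.
    $filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = $EventId
        StartTime = $AttackTimeUtc.AddMinutes(-$WindowMinutes).ToLocalTime()
        EndTime   = $AttackTimeUtc.AddMinutes($WindowMinutes).ToLocalTime()
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            # Sysmon stores its fields as EventData/Data[@Name]; pull them out of the XML.
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                TimeUtc     = $_.TimeCreated.ToUniversalTime()
                Id          = $_.Id
                ProcessId   = $d['ProcessId']
                Image       = $d['Image']
                CommandLine = $d['CommandLine']
                ParentImage = $d['ParentImage']
            }
        }
}

$events = Get-SysmonEventsAround -AttackTimeUtc $AttackTimeUtc

# Print the pup5.bat launch and every process creation that follows it in the window.
$found = $false
$after = foreach ($e in @($events)) {
    if (-not $found -and $e.CommandLine -match 'pup5\.bat') { $found = $true }
    if ($found) { $e }
}
if (-not $found) {
    Write-Warning 'pup5.bat not found in the window; check the time or widen -WindowMinutes.'
} else {
    $after | Format-Table TimeUtc, Image, CommandLine -AutoSize -Wrap
}
```

Event 1 alone is enough to follow the chain from the batch file to its child processes; if the event you need is a different Sysmon type, pass `-EventId @(1, 11)` (11 = FileCreate) or whichever IDs apply, since the function accepts a list.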
Posted 9-30-21