Lockbit Lab – CyberDefenders

Disk Analysis

Scenario

A medium-sized corporation has experienced a ransomware attack, first identified when a user reported a ransom note on their screen alongside a Windows Defender alert indicating malicious activity. Your task is to analyze logs provided from the compromised machines and identify the ransomware’s entry point.

Questions

Machine: DC01

Q1. Windows Defender flagged a suspicious executable. Can you identify the name of this executable?

I first converted the event logs to CSV with EvtxECmd.exe (Eric Zimmerman's tool), pointing it at DC01's winevt\Logs directory:

.\EvtxECmd.exe -d "C:\Users\Administrator\Desktop\Start here\Artifacts\DC01\Windows\System32\winevt\logs" --csv C:\Users\Administrator\Desktop

I then opened the CSV in Timeline Explorer and searched for "Defender" (provider Microsoft-Windows-Windows Defender). The detection event names the flagged file:

file:_\\DC01\ADMIN$\8fe9c39.exe

The executable is 8fe9c39.exe. The ADMIN$ share in the path is the important detail: the binary was written to the DC over SMB from another host, which is how a remotely installed service stages its payload (see Q3).

Q2. What’s the path that was added to the exclusions of Windows Defender?

The same search also surfaces a Defender configuration-change event (Event ID 5007) recording a new path exclusion that covers the entire C:\ drive, which effectively blinds Defender to anything dropped on the disk:

New Value: HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ = 0x0

Q3. What’s the IP of the machine that initiated the remote installation of the malicious service?

Filtering on Sysmon Event ID 3 (Network Connection) for inbound connections to DC01 (Initiated = false, destination port 445, the SMB transport behind ADMIN$) around the time the executable appeared, the SourceIp is:

192.168.170.142

This can be cross-checked against the System log's Event ID 7045 (a service was installed), which records the service installation itself.
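One way to do the three DC01 lookups above as a script instead of searching in Timeline Explorer. This is an added example, not part of the original writeup or the lab; it assumes the CSV keeps EvtxECmd's TimeCreated, EventId, Provider, Channel, Computer and Payload columns, with Payload holding the EventData JSON EvtxECmd writes (shape assumed here). The rows, host names, IPs and file names in it are constructed placeholders.

```python
"""Triage an EvtxECmd CSV export for Defender detections, new exclusions and
inbound SMB connections. Added example for this writeup, not lab tooling.
Assumed: EvtxECmd's TimeCreated/EventId/Provider/Channel/Computer/Payload columns,
with Payload = {"EventData": {"Data": [{"@Name": ..., "#text": ...}, ...]}}.
"""
import csv
import io
import json
from collections import Counter

DEFENDER = "Microsoft-Windows-Windows Defender"
SYSMON = "Microsoft-Windows-Sysmon"


def _payload(fields):
    """Serialize EventData the way EvtxECmd stores it in the Payload column (assumed shape)."""
    data = [{"@Name": k, "#text": v} for k, v in fields.items()]
    return json.dumps({"EventData": {"Data": data}})


def build_sample_csv():
    """Constructed rows; IPs, threat name and file name are placeholders, not lab data."""
    sysmon_ch = "Microsoft-Windows-Sysmon/Operational"
    def_ch = "Microsoft-Windows-Windows Defender/Operational"
    rows = [
        ["2024-03-01 08:00:01", "3", SYSMON, sysmon_ch, "DC01", _payload({
            "Image": "System", "Initiated": "false", "SourceIp": "192.0.2.10",
            "DestinationIp": "192.0.2.5", "DestinationPort": "445"})],
        ["2024-03-01 08:00:02", "3", SYSMON, sysmon_ch, "DC01", _payload({
            "Image": "C:\\Windows\\System32\\lsass.exe", "Initiated": "true",
            "SourceIp": "192.0.2.5", "DestinationIp": "192.0.2.20", "DestinationPort": "389"})],
        ["2024-03-01 08:00:03", "5007", DEFENDER, def_ch, "DC01", _payload({
            "Old Value": "",
            "New Value": "HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\Paths\\C:\\ = 0x0"})],
        ["2024-03-01 08:00:04", "1116", DEFENDER, def_ch, "DC01", _payload({
            "Threat Name": "Trojan:Win32/Placeholder", "Path": "file:_\\\\DC01\\ADMIN$\\dropper.exe"})],
        ["2024-03-01 08:00:05", "3", SYSMON, sysmon_ch, "DC01", _payload({
            "Image": "System", "Initiated": "false", "SourceIp": "192.0.2.10",
            "DestinationIp": "192.0.2.5", "DestinationPort": "445"})],
    ]
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["TimeCreated", "EventId", "Provider", "Channel", "Computer", "Payload"])
    writer.writerows(rows)
    return buf.getvalue()


def parse_rows(csv_text):
    """Read the CSV and flatten each row's EventData into a name -> value dict under 'Fields'."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        data = json.loads(row["Payload"])["EventData"]["Data"]
        row["Fields"] = {d["@Name"]: d.get("#text", "") for d in data}
        rows.append(row)
    return rows


def defender_detections(rows):
    """Event 1116 = threat detected; Path names the object (Defender's 'file:_' prefix included)."""
    return [r["Fields"].get("Path", "") for r in rows
            if r["Provider"] == DEFENDER and r["EventId"] == "1116"]


def exclusion_changes(rows):
    """Event 5007 = configuration changed; keep only changes that add exclusions."""
    return [r["Fields"].get("New Value", "") for r in rows
            if r["Provider"] == DEFENDER and r["EventId"] == "5007"
            and "\\Exclusions\\" in r["Fields"].get("New Value", "")]


def inbound_smb_sources(rows):
    """Sysmon 3, Initiated=false, port 445: hosts that reached this machine's shares (ADMIN$)."""
    hits = Counter()
    for r in rows:
        f = r["Fields"]
        if (r["Provider"] == SYSMON and r["EventId"] == "3"
                and f.get("Initiated") == "false" and f.get("DestinationPort") == "445"):
            hits[f.get("SourceIp", "")] += 1
    return hits.most_common()


if __name__ == "__main__":
    parsed = parse_rows(build_sample_csv())
    print("detections:", defender_detections(parsed))
    print("exclusions:", exclusion_changes(parsed))
    print("inbound SMB:", inbound_smb_sources(parsed))
```

Point `parse_rows` at the real export (`open(path, encoding="utf-8")`) and the three functions give you the Q1, Q2 and Q3 candidates in one run; the inbound-SMB counter ranks source hosts by how often they hit port 445, which is the quickest way to spot the box that pushed the service binary.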

Machine: SQL Server

Q1. What’s the name of the process that had suspicious behavior as detected by Windows Defender?

Searching for Defender in the CSV generated from the SQL Server logs, we find a behavior-detection event for:

cmd.exe

Q2. What’s the parent process name of the detected suspicious process?

Filtering on Sysmon Event ID 1 (Process Create) for that cmd.exe instance, the ParentImage field is:

sqlservr.exe

A database engine spawning a command shell is the fingerprint of xp_cmdshell abuse, which Q4 confirms.

Q3. Initial access often involves compromised credentials. What is the SQL Server account username that was compromised?

The SQL Server ERRORLOG (\MSSQL15.MSSQLSERVER\MSSQL\Log\ERRORLOG, part of the provided artifacts rather than the Windows event logs) records a run of "Login failed for user ..." entries, each carrying the client IP, i.e. a brute-force attempt against:

sa

Q4. Following the compromise, a critical server configuration was modified. What feature was enabled by the attacker?

The same ERRORLOG also records the configuration change (SQL Server logs "Configuration option 'xp_cmdshell' changed from 0 to 1" when sp_configure is used), so the feature enabled was:

xp_cmdshell
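The ERRORLOG checks for Q3 and Q4 as a script, added here and not part of the original writeup: it counts failed logins per account and client address and flags configuration changes that turn on command-execution features. The line formats are the ones SQL Server writes; the excerpt itself, its user names and IPs are constructed.

```python
"""Parse a SQL Server ERRORLOG for login brute-forcing and dangerous configuration
changes. Added example for this writeup, not lab tooling. The excerpt is constructed
(placeholder users and IPs); the line layout matches what SQL Server writes.
"""
import re
from collections import Counter

# Error 18456 state 8 = wrong password, state 5 = login does not exist; one Error line
# precedes each "Login failed" line. Failures are logged by default, successful logins
# only if login auditing is raised, so the attempt that finally worked is often absent.
SAMPLE_ERRORLOG = """\
2024-03-01 09:15:02.41 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:02.55 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:02.70 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.70 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:02.84 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.84 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:02.99 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:02.99 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:03.13 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:03.13 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.10]
2024-03-01 09:15:09.02 Logon       Error: 18456, Severity: 14, State: 8.
2024-03-01 09:15:09.02 Logon       Login failed for user 'report_ro'. Reason: Password did not match that for the login provided. [CLIENT: 192.0.2.44]
2024-03-01 09:16:30.10 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2024-03-01 09:16:30.12 spid55      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
"""

TS = r"(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+)"
LOGIN_FAILED = re.compile(TS + r" Logon\s+Login failed for user '(?P<user>[^']*)'.*?\[CLIENT: (?P<client>[^\]]+)\]")
CONFIG_CHANGED = re.compile(TS + r" \S+\s+Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\.")

# Options that hand an attacker code execution or outbound reach once enabled.
DANGEROUS_OPTIONS = {"xp_cmdshell", "Ole Automation Procedures", "clr enabled", "Ad Hoc Distributed Queries"}


def read_errorlog(path):
    """The on-disk ERRORLOG is UTF-16 LE with a BOM; the 'utf-16' codec consumes the BOM."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def failed_logins(text):
    """Failed login count per (user, client IP)."""
    hits = Counter()
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            hits[(m["user"], m["client"])] += 1
    return hits


def brute_force_candidates(text, threshold=5):
    """(user, client, count) pairs at or above the threshold, busiest first."""
    return [(user, client, n) for (user, client), n in failed_logins(text).most_common()
            if n >= threshold]


def enabled_dangerous_options(text):
    """(timestamp, option) for every dangerous option switched to a non-zero value."""
    found = []
    for line in text.splitlines():
        m = CONFIG_CHANGED.match(line)
        if m and m["option"] in DANGEROUS_OPTIONS and m["new"] != "0":
            found.append((m["ts"], m["option"]))
    return found


if __name__ == "__main__":
    print(brute_force_candidates(SAMPLE_ERRORLOG))
    print(enabled_dangerous_options(SAMPLE_ERRORLOG))
```

The timestamp of the xp_cmdshell change is the pivot for the rest of the SQL Server timeline: everything from the Sysmon Event ID 1 chain under sqlservr.exe should start shortly after it, and the last failed login before it tells you roughly when the password was guessed.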

Q5. What’s the command executed by the attacker to disable Windows Defender on the server?

Also found by filtering on Sysmon Event ID 1 and reading the CommandLine field of the PowerShell process:

Set-MpPreference -DisableRealtimeMonitoring 1

Q6. What’s the name of the malicious script that the attacker executed upon disabling AV?

As in Q2, filtering on Sysmon Event ID 1, the command line of the process created right after Defender was disabled references the malicious script:

fJSYAso.ps1

Q7. What’s the PID of the injected process by the attacker?

Filtering on Sysmon Event ID 8 (CreateRemoteThread), the TargetProcessId field, the process the remote thread was created in, gives the injected process:

596

Q8. Attackers often maintain access by the creation of scheduled tasks. What’s the name of the scheduled task created by the attacker?

Also found by filtering on Sysmon Event ID 1, in the command line that registers the task (the /tn argument of schtasks /create, or -TaskName for Register-ScheduledTask):

UpdateCheck

Q9. What’s the PID of the malicious process that dumped credentials?

Filtering on Sysmon Event ID 10 (ProcessAccess), credential dumping shows up as a non-system process opening lsass.exe; the SourceProcessId of that process is:

5456

Q10. What’s the command used by the attacker to disable Windows Defender remotely on FileServer?

Filtering on Sysmon Event ID 1 (Process Create), we find a PowerShell command line that uses -EncodedCommand. Once decoded in CyberChef (From Base64, then decode the bytes as UTF-16LE, the encoding -EncodedCommand expects), the command is:

Invoke-Command -ComputerName FileServer -ScriptBlock { reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }

One caveat: recent Defender builds ignore the legacy DisableAntiSpyware value, so this is stronger evidence of intent than proof that Defender on FileServer was actually turned off.
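The Sysmon work for Q2 and Q5 through Q10 as one pass over constructed records (an added example, not the writeup's or the lab's tooling). It decodes -EncodedCommand blobs before matching, because a tamper command like the one in Q10 is invisible to a plain string search otherwise. Field names are Sysmon's; the PIDs, paths, the host FS01 and the task name are placeholders.

```python
"""Post-exploitation chain on the SQL Server host from Sysmon records (example added
to this writeup, not lab tooling). Records are constructed dicts keyed by Sysmon's
EventData field names; PIDs, paths, the host FS01 and the task name are placeholders."""
import base64
import re


def _enc(script):
    """PowerShell -EncodedCommand is Base64 over UTF-16LE; a real log carries the blob literally."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": "4120", "Image": CMD, "CommandLine": 'cmd.exe /c "whoami"',
     "ParentImage": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe"},
    {"EventId": 1, "ProcessId": "4300", "Image": PS, "ParentImage": CMD,
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring 1"},
    {"EventId": 1, "ProcessId": "4388", "Image": PS, "ParentImage": CMD,
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Windows\Temp\stage.ps1"},
    {"EventId": 1, "ProcessId": "4410", "Image": r"C:\Windows\System32\schtasks.exe", "ParentImage": PS,
     "CommandLine": r'schtasks /create /tn "SysUpdate" /tr "powershell -w hidden -File C:\Windows\Temp\stage.ps1" /sc daily'},
    {"EventId": 1, "ProcessId": "4500", "Image": PS, "ParentImage": CMD,
     "CommandLine": "powershell.exe -enc " + _enc(
         'Invoke-Command -ComputerName FS01 -ScriptBlock { reg add "HKLM\\SOFTWARE\\Policies\\Microsoft'
         '\\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f }')},
    {"EventId": 8, "SourceProcessId": "4388", "TargetProcessId": "612",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventId": 10, "SourceProcessId": "4388", "SourceImage": PS, "GrantedAccess": "0x1010",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e and -enc are the common ones.
ENCODED_ARG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
DEFENDER_TAMPER = re.compile(
    r"(?i)Set-MpPreference\s+-Disable|Add-MpPreference\s+-Exclusion|DisableAntiSpyware|DisableAntiVirus")
TASK_NAME = re.compile(r'(?i)(?:/tn|-TaskName)\s+(?:"([^"]+)"|(\S+))')
SCRIPT_REF = re.compile(r"(?i)(\S+\.ps1)\b")
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe")


def effective_command(cmdline):
    """Return the decoded script when the line carries -EncodedCommand, else the line itself."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline  # not a valid blob; fall back to matching the raw line


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def sql_spawned_shells(events):
    """Event 1 where sqlservr.exe is the parent of a shell: the xp_cmdshell fingerprint (Q2)."""
    return [(e["ProcessId"], e["Image"]) for e in events
            if e["EventId"] == 1 and _basename(e["ParentImage"]) == "sqlservr.exe"
            and _basename(e["Image"]) in SHELLS]


def defender_tampering(events):
    """(pid, effective command) for Defender tampering, decoded first so encoded blobs are caught (Q5, Q10)."""
    found = []
    for e in events:
        if e["EventId"] == 1:
            cmd = effective_command(e["CommandLine"])
            if DEFENDER_TAMPER.search(cmd):
                found.append((e["ProcessId"], cmd))
    return found


def scripts_executed(events):
    """Every .ps1 referenced on a (decoded) command line (Q6)."""
    return sorted({m.group(1) for e in events if e["EventId"] == 1
                   for m in [SCRIPT_REF.search(effective_command(e["CommandLine"]))] if m})


def scheduled_task_names(events):
    """Task names from schtasks /create /tn or Register-ScheduledTask -TaskName (Q8)."""
    names = []
    for e in events:
        if e["EventId"] == 1:
            m = TASK_NAME.search(effective_command(e["CommandLine"]))
            if m:
                names.append(m.group(1) or m.group(2))
    return names


def injection_targets(events):
    """Event 8 (CreateRemoteThread): TargetProcessId is the process that received the thread (Q7)."""
    return [e["TargetProcessId"] for e in events if e["EventId"] == 8]


def lsass_access_sources(events):
    """Event 10 (ProcessAccess) against lsass.exe: SourceProcessId is the credential dumper (Q9)."""
    return [e["SourceProcessId"] for e in events
            if e["EventId"] == 10 and _basename(e["TargetImage"]) == "lsass.exe"]
```

Run each function over the real Event ID 1/8/10 records (after flattening EventData as in the DC01 example) and the answers fall out as PIDs and command lines; the one habit worth keeping is always matching on `effective_command`, never on the raw CommandLine, when PowerShell is involved.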

Machine: FileServer

Q1. What’s the name of the malicious service executable blocked by Windows Defender?

Searching for Defender in the FileServer CSV, the detection event names the blocked service executable:

ceabe99.exe

Machine: DevPC

Q1. What’s the name of the ransomware executable dropped on the machine?

Filtering on Sysmon Event ID 11 (File Create) and grouping by Image, one process stands out: it runs from a temp directory and creates files in bulk, the write pattern of an encryptor:

vmware.exe

Q2. What’s the full path of the first file dropped by the ransomware?

The earliest Event ID 11 record for that process is the ransom note:

C:\Users\dmiller\Downloads\HHuYRxB06.README.txt
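The DevPC procedure (Q1 and Q2) as a script over constructed Sysmon Event ID 11 records, added here and not from the original writeup: group file creates by process, keep processes running from a staging directory that write many files, and report each one's first file and dominant extension. The paths, PIDs and names are placeholders, and the records are deliberately out of order to show that sorting by UtcTime matters.

```python
"""Find the encryptor in Sysmon Event ID 11 (FileCreate) records: a binary running from
a temp/download location that creates files in bulk, plus its first write. Added example
for this writeup, not lab tooling. Records are constructed dicts using Sysmon field
names; paths, PIDs and file names are placeholders.
"""
import re
from collections import Counter, defaultdict

STAGING_DIR = re.compile(r"(?i)\\(?:Temp|Downloads|Public|ProgramData)\\")
NOTE_NAME = re.compile(r"(?i)readme|restore|decrypt|recover")

_ENC = r"C:\Users\dmiller\AppData\Local\Temp\updater.exe"
SAMPLE_FILE_CREATES = [  # intentionally not chronological
    {"UtcTime": "2024-03-01 10:00:00.250", "ProcessId": "5120", "Image": _ENC,
     "TargetFilename": r"C:\Users\dmiller\Downloads\budget.xlsx.locked"},
    {"UtcTime": "2024-03-01 09:58:12.000", "ProcessId": "3320", "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\dmiller\Desktop\todo.txt"},
    {"UtcTime": "2024-03-01 10:00:00.100", "ProcessId": "5120", "Image": _ENC,
     "TargetFilename": r"C:\Users\dmiller\Downloads\RESTORE-FILES.README.txt"},
    {"UtcTime": "2024-03-01 10:00:00.400", "ProcessId": "5120", "Image": _ENC,
     "TargetFilename": r"C:\Users\dmiller\Documents\RESTORE-FILES.README.txt"},
    {"UtcTime": "2024-03-01 09:59:40.000", "ProcessId": "2780",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\dmiller\Downloads\report.pdf"},
    {"UtcTime": "2024-03-01 10:00:00.550", "ProcessId": "5120", "Image": _ENC,
     "TargetFilename": r"C:\Users\dmiller\Documents\plan.docx.locked"},
    {"UtcTime": "2024-03-01 10:00:00.700", "ProcessId": "5120", "Image": _ENC,
     "TargetFilename": r"C:\Users\dmiller\Documents\notes.txt.locked"},
]


def creates_by_process(events):
    """Group FileCreate records by (pid, image), oldest first within each group."""
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e["UtcTime"]):
        groups[(e["ProcessId"], e["Image"])].append(e)
    return groups


def suspect_processes(events, min_files=3):
    """Processes running from a staging directory that created at least min_files files."""
    found = []
    for (pid, image), evs in creates_by_process(events).items():
        if STAGING_DIR.search(image) and len(evs) >= min_files:
            exts = Counter(e["TargetFilename"].rsplit(".", 1)[-1].lower() for e in evs)
            found.append({
                "pid": pid, "image": image, "files": len(evs),
                "first_time": evs[0]["UtcTime"], "first_file": evs[0]["TargetFilename"],
                "top_extension": exts.most_common(1)[0][0],  # the appended extension of an encryptor
            })
    return sorted(found, key=lambda s: s["files"], reverse=True)


def ransom_notes(events, pid):
    """The same note-like file name dropped into more than one directory by this process."""
    names = Counter(e["TargetFilename"].rsplit("\\", 1)[-1]
                    for e in events if e["ProcessId"] == pid)
    return [name for name, n in names.items() if n > 1 and NOTE_NAME.search(name)]


if __name__ == "__main__":
    for s in suspect_processes(SAMPLE_FILE_CREATES):
        print(s, ransom_notes(SAMPLE_FILE_CREATES, s["pid"]))
```

The first-file timestamp is also the start of the encryption window for the host; anything the same process did in Event ID 1 before that (vssadmin, wevtutil, net share enumeration) belongs to its preparation phase and is worth pulling next.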