Lab: https://blueteamlabs.online/home/investigation/dot-ac0dcf86ac
Category: Incident Response
Tools Used: ProcDOT, ProcMon, Wireshark
Difficulty: Medium
Scenario
Investigate the host (Procmon) and network (pcap) logs captured from a compromised machine. Use ProcDOT to correlate both logs and answer the following questions.
Q&A
Q1) Attacker downloaded a tool from github.com. What is the process that initiated the connection, and what is the file name it is saved as? (8 points)
If you are new to ProcDOT, I recommend watching this video first to familiarise yourself with the tool.
This lab was very confusing for me because the order of the questions does not follow the graph from left to right as you might expect. Instead, you constantly have to navigate back and forth throughout the graph. Anyway, let's get started.
According to the ReadME.txt file in the Desktop folder, SBT has guided us to use ProcDOT.

I opened ProcDOT64.exe from the Desktop and populated the Procmon and Windump fields as shown in the image below.

Next, I launched the process explorer to see the available processes to start the investigation with, and I immediately noticed that “explorer.exe” looked unusual. On closer inspection it was actually “expIorer.exe”, with the lowercase “l” replaced by a capital “I”. This is a clear example of process masquerading, which indicates malicious activity. So I double-clicked on that process (PID 3900) and clicked “Refresh” to generate the graph.

After generating the graph, I prepared the following settings to play at 1 frame per second. This allows me to quickly pause whenever I see something interesting.

The question is about downloading a tool from GitHub, which points to network interaction. In ProcDOT, network activities (those captured in the Wireshark/Windump log) are represented by blue circles. I searched through the blue circles and eventually identified activity interacting with GitHub, with the parent process being “powershell.exe”.

Then “powershell.exe” created a new thread, and that thread pointed to a file at “C:\Windows\Temp\svchost.exe”, which means the downloaded file was written to disk. Normally “svchost.exe” should reside only in “C:\Windows\System32” or “C:\Windows\SysWOW64”. If it is found anywhere else, especially in a directory like Temp, that is process masquerading: the malware borrows the name of a legitimate system binary (a Living-Off-the-Land Binary, or LOLBin) so that it blends in with normal activity.

A: powershell.exe, C:\Windows\Temp\svchost.exe
Q2) PowerShell is used to download files from the attacker machine. What is the process ID of the PowerShell process that downloaded the first file? Also what is the attacker machine IP? (8 points)
This question is quite straightforward. While I was playing the frames one by one in ProcDOT, I found a PowerShell process that started downloading PowerShell files; its PID was 2740. As the images below show, the source of these downloads was IP address 192.168.1.5.
A: 2740, 192.168.1.5


Q3) What is the port from which the second file was downloaded and what is the full path of the downloaded file? (8 points)
While playing the frames one by one in ProcDOT, I observed that powershell.exe was receiving SSH traffic from IP address 192.168.1.5, indicating communication over port 22. At the end of this traffic, the data was written to disk at C:\ProgramData\Microsoft\rundII32.exe, masquerading as rundll32.exe with the lowercase “l” replaced by a capital “I”. Again, this is process masquerading: attackers use look-alike file names to make malicious activity appear to be a legitimate system process.
A: 22, C:\ProgramData\Microsoft\rundII32.exe


Q4) What is the PID of the victim process on which the injection happened. (8 points)
The evidence shows that notepad.exe (PID 1768) was the victim of code injection: a thread within it loaded shell32.dll from the suspicious location C:\Windows\Temp rather than from the usual system directory. This abnormal load suggests that the DLL was injected, a common tactic attackers use to execute code covertly. The same thread then created another process, rundll32.exe (PID 1188), which further indicates that the injected code was used to launch additional malicious actions and confirms that notepad.exe was the target of the injection.
A: 1768

Q5) Attacker got control over the system after the injection, assuming he used Meterpreter, what is the payload he would have used (written as selected in Metasploit) and what is the port? (10 points)
A: reverse_tcp, 53

Q6) What is pid and location of the main malware which initiated these actions? (8 points)
For this question, let’s revisit Q1, where we identified that expIorer.exe (PID 3900) is the masquerading process. To find the full path of this file, open the procmon.csv file in Notepad++ and search for “expIorer.exe”. You will quickly find the complete file path.
A: 3900, C:\Users\IEUser\Downloads\expIorer.exe
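The three detection ideas used throughout this walkthrough (a look-alike name such as expIorer.exe or rundII32.exe in Q1, Q3 and Q6, and a legitimate binary name such as svchost.exe or shell32.dll appearing outside its normal directory in Q1 and Q4) can be automated against the Procmon export instead of scrolling the CSV in Notepad++. The script below is an added example written for this write-up, not code from the lab or from ProcDOT. It assumes the default Procmon CSV column layout ("Time of Day","Process Name","PID","Operation","Path","Result","Detail") and runs over a constructed sample that mirrors the findings above; the PIDs and paths in the sample are taken from this write-up, the timestamps and detail strings are made up.

```python
import csv
import io
import ntpath
from typing import Dict, List, Tuple

# Constructed sample in the default Procmon CSV export layout. The column
# order is an assumption; check it against the header of the real procmon.csv.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02","expIorer.exe","3900","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:03","expIorer.exe","3900","Load Image","C:\\Users\\IEUser\\Downloads\\expIorer.exe","SUCCESS","Image Base: 0x400000"
"10:01:05","powershell.exe","2740","CreateFile","C:\\Windows\\Temp\\svchost.exe","SUCCESS","Desired Access: Generic Write"
"10:01:06","powershell.exe","2740","CreateFile","C:\\ProgramData\\Microsoft\\rundII32.exe","SUCCESS","Desired Access: Generic Write"
"10:01:07","notepad.exe","1768","Load Image","C:\\Windows\\Temp\\shell32.dll","SUCCESS","Image Base: 0x7ff0"
"10:01:08","notepad.exe","1768","Load Image","C:\\Windows\\System32\\kernel32.dll","SUCCESS","Image Base: 0x7ff1"
"10:01:09","svchost.exe","812","Load Image","C:\\Windows\\System32\\svchost.exe","SUCCESS","Image Base: 0x7ff2"
"""

# Windows binaries worth watching, with the directories they legitimately live in.
EXPECTED_DIRS: Dict[str, set] = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "notepad.exe": {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"},
    "shell32.dll": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Characters that look alike in common fonts collapse to one canonical form,
# so "expIorer.exe" (capital I) and "explorer.exe" (lowercase L) compare equal.
_HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

def canonical(name: str) -> str:
    return name.lower().translate(_HOMOGLYPHS)

_CANON_INDEX = {canonical(k): k for k in EXPECTED_DIRS}

def check_name(name: str) -> str:
    """Return the legitimate binary this name imitates, or '' if it is not a look-alike."""
    legit = _CANON_INDEX.get(canonical(name))
    if legit and name.lower() != legit:
        return legit
    return ""

def analyze(csv_text: str) -> List[dict]:
    """Scan Procmon CSV rows for look-alike names and system binaries in odd directories."""
    findings, seen = [], set()

    def add(kind, pid, proc, subject, reason):
        key = (kind, pid, subject.lower())          # report each (finding, PID, object) once
        if key not in seen:
            seen.add(key)
            findings.append({"kind": kind, "pid": pid, "process": proc,
                             "subject": subject, "reason": reason})

    for row in csv.DictReader(io.StringIO(csv_text)):
        proc, pid, path = row["Process Name"], row["PID"], row["Path"]
        legit = check_name(proc)
        if legit:                                   # the running process itself is a look-alike
            add("masquerade_process", pid, proc, proc, f"looks like {legit}")
        if not path:
            continue
        base, directory = ntpath.basename(path), ntpath.dirname(path).lower()
        legit = check_name(base)
        if legit:                                   # a file being written/loaded is a look-alike
            add("masquerade_file", pid, proc, path, f"{base} looks like {legit}")
        elif base.lower() in EXPECTED_DIRS and directory not in EXPECTED_DIRS[base.lower()]:
            add("unexpected_location", pid, proc, path,
                f"{base} expected under {sorted(EXPECTED_DIRS[base.lower()])}")
    return findings

def find_image_path(csv_text: str, process_name: str) -> List[Tuple[str, str]]:
    """(PID, full path) for every row whose file name equals process_name (the Q6 lookup)."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if ntpath.basename(row["Path"]).lower() == process_name.lower():
            pair = (row["PID"], row["Path"])
            if pair not in hits:
                hits.append(pair)
    return hits

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCMON_CSV):
        print(f"[{f['kind']}] PID {f['pid']} {f['process']}: {f['subject']} ({f['reason']})")
    print(find_image_path(SAMPLE_PROCMON_CSV, "expIorer.exe"))
```

On the sample this reports expIorer.exe (PID 3900) as a look-alike process, svchost.exe in C:\Windows\Temp and shell32.dll in C:\Windows\Temp as system files outside their expected directories, rundII32.exe as a look-alike file, and resolves expIorer.exe to C:\Users\IEUser\Downloads\expIorer.exe. The homoglyph table is deliberately small (I/l/1/|, 0/o); extend it, and the EXPECTED_DIRS table, to match the binaries you care about.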

This concludes the DOT lab investigation. I hope you enjoyed the journey as much as I did.