Scenario:
SOC analysis for any IoCs on endpoints using Splunk
Skills:
- Investigating intrusion attacks using Splunk.
- Analyzing endpoint events and identifying malicious activities in a managed security service provider (MSSP) environment
Questions:
- Path of the binary “Web Browser Password Viewer”
- Company Name
- Name of suspicious binary running from same folder
- The IP the binary made an outbound connection to
- The path of the registry key the binary made a change to
- Two binary names of processes that were killed
- Last command executed when attacker ran commands in PowerShell to change the behavior of Windows Defender
- The four IDs set by the attacker
- Full path to the malicious binary executed from another AppData location
- The DLLs loaded from that binary
PREPARATION:
First, we have to narrow down our search to December 2021, which is when the security endpoint solutions were widely turned off. There are 27,378 events during this month across all indexes:
The ‘main’ index will be our focus for this room.
QUESTION 1 & 2: suspicious binary
Our starting point is a binary known as “Web Browser Password Viewer,” so let’s just assume that an alert went off for it and that we are beginning our investigation here.
The binary was an executable called 11111.exe that loaded from an AppData path of the user FINANC~1, and both of these names are obviously strange enough to warrant further investigation.
QUESTION 3: suspicious binary from same location
Our next step is to look for other files that executed from the same location. There are 27 different matches, so I switched to a graph view to see the list of executables better:
Many of these matches seem to be maybe archives containing either DLLs or EXEs:
It turns out I was going about this the wrong way and was looking at the Image Loaded field, which is the physical location of the executable, instead of the Current Directory, which is the actual working directory at the time the process was launched:
On those lines, I had to switch my search:
And on those lines, we did find an executable that was launched from that directory:
Here, the CommandLine field is the actual command used to execute the process, and the ParentCommandLine field would be the one used to execute the process responsible for spawning that process. So we should probably turn our attention to the parent process here.
There were 189 events associated with the process IonicLarge.exe, and I ended up looking at the earliest events to see how it was created. An executable Setup.exe was responsible for its creation, and the second earliest event showed the original file name:
QUESTION 4: outbound communication
Now, we have to focus our attention on the network connections that were associated with this executable IonicLarge.exe. Since we’re dealing with network events and Sysmon, I filtered the results by event code 3, which returned 87 results:
There were 8 destination IPs:
And the majority of the packets went to port 8888, which is odd:
I investigated the second IP in the list (naturally skipping the loopback address): 2.56.59.42
QUESTION 5: registry key changes
The Sysmon code for registry changes would be ‘13’, so I filtered the results accordingly, which returned 9 log entries:
There were several changes made within the Windows Defender key, including disabling anti-spyware and real-time protection, which is common practice for malware:
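The three pivots used so far (processes launched from a working directory, event code 3 network connections per image with the loopback address dropped, and event code 13 value sets under the Windows Defender key) can be expressed as plain filters once the events are exported from Splunk. The Python below is an added example and not the room's own searches; the events are constructed, the AppData path for IonicLarge.exe is an assumption (the room only says it ran from an AppData folder of user FINANC~1), and the field names (EventCode, Image, CurrentDirectory, ParentCommandLine, DestinationIp, DestinationPort, TargetObject, Details) are the ones the Splunk Sysmon add-on assigns.

```python
"""Triage helpers over Sysmon events as exported from Splunk (added example, not the room's searches)."""
import ipaddress
import ntpath
from collections import Counter

# Constructed sample data. APPDATA is an assumed path for the FINANC~1 user.
APPDATA = "C:\\Users\\FINANC~1\\AppData\\Roaming\\"
ION = APPDATA + "IonicLarge.exe"
DEFENDER = "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender"

SAMPLE_EVENTS = [
    # EventCode 1: process creation. CurrentDirectory is the working directory at launch.
    {"EventCode": 1, "Image": ION, "CurrentDirectory": APPDATA,
     "CommandLine": '"' + ION + '"', "ParentCommandLine": '"' + APPDATA + 'Setup.exe"'},
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "CurrentDirectory": "C:\\Users\\FINANC~1\\",
     "CommandLine": "notepad.exe", "ParentCommandLine": "explorer.exe"},
    # EventCode 3: network connections (2.56.59.42 is the IP named in the room; the rest are test addresses).
    {"EventCode": 3, "Image": ION, "DestinationIp": "127.0.0.1", "DestinationPort": 8888},
    {"EventCode": 3, "Image": ION, "DestinationIp": "2.56.59.42", "DestinationPort": 8888},
    {"EventCode": 3, "Image": ION, "DestinationIp": "2.56.59.42", "DestinationPort": 8888},
    {"EventCode": 3, "Image": ION, "DestinationIp": "2.56.59.42", "DestinationPort": 8888},
    {"EventCode": 3, "Image": ION, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventCode": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
    # EventCode 13: registry value set. Two Defender tampering values plus one unrelated value.
    {"EventCode": 13, "Image": ION, "TargetObject": DEFENDER + "\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventCode": 13, "Image": ION,
     "TargetObject": DEFENDER + "\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    {"EventCode": 13, "Image": "C:\\Windows\\explorer.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def launched_from(events, directory):
    """Processes whose working directory at launch was `directory`.
    Returns (image basename, ParentCommandLine) so the spawning process is visible at once."""
    want = directory.lower().rstrip("\\")
    return [(ntpath.basename(ev["Image"]), ev.get("ParentCommandLine", ""))
            for ev in events
            if ev.get("EventCode") == 1
            and ev.get("CurrentDirectory", "").lower().rstrip("\\") == want]


def outbound_destinations(events, image_name):
    """(ip, port, count) for EventCode 3 events from image_name, most frequent first.
    Loopback destinations are dropped: they never leave the host."""
    tally = Counter()
    for ev in events:
        if ev.get("EventCode") != 3:
            continue
        if ntpath.basename(ev.get("Image", "")).lower() != image_name.lower():
            continue
        ip = ipaddress.ip_address(ev["DestinationIp"])
        if ip.is_loopback:
            continue
        tally[(str(ip), int(ev["DestinationPort"]))] += 1
    return [(ip, port, n) for (ip, port), n in tally.most_common()]


def defender_registry_changes(events):
    """EventCode 13 value sets anywhere under a 'Windows Defender' key,
    as (image basename, value name, details)."""
    needle = "\\windows defender\\"
    hits = []
    for ev in events:
        if ev.get("EventCode") != 13:
            continue
        target = ev.get("TargetObject", "")
        if needle not in target.lower():
            continue
        hits.append((ntpath.basename(ev["Image"]), ntpath.basename(target), ev.get("Details", "")))
    return hits


if __name__ == "__main__":
    for image, parent in launched_from(SAMPLE_EVENTS, APPDATA):
        print(f"{image} launched from AppData by {parent}")
    for ip, port, n in outbound_destinations(SAMPLE_EVENTS, "IonicLarge.exe"):
        print(f"IonicLarge.exe -> {ip}:{port} x{n}")
    for image, value, details in defender_registry_changes(SAMPLE_EVENTS):
        print(f"{image} set {value} = {details}")
```

Matching on CurrentDirectory rather than on the image path is what surfaces IonicLarge.exe here, exactly as the Image Loaded detour above showed; the same functions run unchanged over a JSON export of the real index.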
QUESTION 6: killed processes
There were 2 processes that were killed via the CMD command “taskkill” (shared one here):
QUESTION 7 & 8: changes to Defender with PowerShell
Beyond the changes made in the associated registry key, the attacker apparently also used PowerShell to make 4 more configuration changes to Defender:
The latest of these changes was reflected in the following command line:
powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True
Upon outside research, I discovered that this command, in short, adds a rule to Defender’s preferences that allows a specific threat with the given ID. In this case, this is a malicious action to enable the attacker to bypass yet another security layer.
The four threat IDs that were enabled were: 2147735503, 2147737010, 2147737007, 2147737394
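Pulling the threat IDs and the chosen action out of such command lines is a small parsing job that is worth automating, since a hunt over process-creation events has to recognise the pattern regardless of which ID is used. The Python below is an added example, not part of the room or its dataset: the first command line is the one shown above, the next three are constructed variants for the other three IDs the room lists, and the last two are constructed benign lines that must not match. The action-code table is the documented meaning of ThreatIDDefaultAction_Actions in the MSFT_MpPreference class (6 is Allow).

```python
"""Extract Defender per-threat default-action overrides from process command lines (added example)."""
import re

# Documented values of ThreatIDDefaultAction_Actions in MSFT_MpPreference.
THREAT_ACTIONS = {1: "Clean", 2: "Quarantine", 3: "Remove", 6: "Allow",
                  8: "UserDefined", 9: "NoAction", 10: "Block"}

# Sample command lines: the room's own line first, then constructed variants and benign lines.
SAMPLE_COMMANDLINES = [
    r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737394 ThreatIDDefaultAction_Actions=6 Force=True",
    r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147735503 ThreatIDDefaultAction_Actions=6 Force=True",
    r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737010 ThreatIDDefaultAction_Actions=6 Force=True",
    r"powershell WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ThreatIDDefaultAction_Ids=2147737007 ThreatIDDefaultAction_Actions=6 Force=True",
    r"powershell Get-MpPreference",
    r"WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpComputerStatus get AMRunningMode",
]

# A "call Add" against MSFT_MpPreference is the shape of the override, whatever the IDs.
CALL_ADD_RE = re.compile(r"\bMSFT_MpPreference\b.*?\bcall\s+Add\b", re.IGNORECASE)
ARG_RE = re.compile(r"\b(ThreatIDDefaultAction_Ids|ThreatIDDefaultAction_Actions)=(\S+)", re.IGNORECASE)


def parse_threat_id_override(cmdline):
    """Return {'ids': [...], 'action': int, 'action_name': str} when cmdline adds a
    per-threat default action through MSFT_MpPreference, otherwise None."""
    if not CALL_ADD_RE.search(cmdline):
        return None
    # Strip quoting/array brackets WMIC accepts around values; IDs may be comma-separated.
    args = {k.lower(): v.strip("\"'(){}") for k, v in ARG_RE.findall(cmdline)}
    ids_raw = args.get("threatiddefaultaction_ids")
    if not ids_raw:
        return None
    ids = [int(x) for x in ids_raw.split(",") if x.strip()]
    action = int(args.get("threatiddefaultaction_actions", 0))
    return {"ids": ids, "action": action,
            "action_name": THREAT_ACTIONS.get(action, f"Unknown({action})")}


def allowed_threat_ids(cmdlines):
    """Every threat ID set to Allow (action 6) across the given command lines, sorted."""
    allowed = set()
    for line in cmdlines:
        parsed = parse_threat_id_override(line)
        if parsed and parsed["action"] == 6:
            allowed.update(parsed["ids"])
    return sorted(allowed)


if __name__ == "__main__":
    for line in SAMPLE_COMMANDLINES:
        parsed = parse_threat_id_override(line)
        if parsed:
            print(f"{parsed['action_name']:<10} ids={parsed['ids']}")
    print("allowed:", allowed_threat_ids(SAMPLE_COMMANDLINES))
```

On a live host the same overrides are visible afterwards in the ThreatIDDefaultAction_Ids and ThreatIDDefaultAction_Actions properties of Get-MpPreference, which is the place to confirm what the logs suggest.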
QUESTION 9 & 10: suspicious binary and its DLLs
I filtered for other binaries that executed from the AppData location and came across one particular binary that had the majority of events associated with it, indicating a lot of activity: EasyCalc.exe
I then filtered for the binary (and variations of it) and DLL files in particular, and discovered 3 DLLs that were created by the EasyCalc License Agreement.exe file:
And with that, this room is completed! If I find time, I’ll try to go back and do some more investigation to put the pieces we’ve gathered here in a more cohesive timeline.