Upon install, Sysmon will be running in the background. The next step is to install and start our tools. PE32+ executable (GUI) x86-64, for MS Windows Let’s first take a look at the metadata of the ‘level3.exe’ payload that we are investigating using ‘exiftool’, the ‘file’ command, and generating hash values:įd4f25567498032e3f4dd75a211c4729a895abadb5609345b52c469f4d99dc31 Additional tools and commands are mentioned as well however, they were largely used to validate data and to present it in a friendlier format. Sysmon records this and much more (network connections, file and registry modifications) and logs to Microsft-Windows-Sysmon%4Operational.evtx. ![]() Turning on process and command-line auditing provides process execution information and the command-line arguments used at the time of process start (EID 4688 in Security.evtx). Windows Event Logs contain a wealth of information. Sysmon and Wireshark are the primary tools needed, but Procmon can be of great help to visualize process activity. The VM had the hostname set to 'SANS-SIFT' with username 'SANSDFIR'. The optional take-away challenge was to further examine the ‘level3.exe’ payload and submit a report on the findings.Ī Windows 10 virtual machine was used with SysInternals Sysmon and Procmon installed, as well as Wireshark. Spanning three levels, the exercise provided a breadth of insight into malicious payload execution and how to go about analyzing the activity using tools such as Sysmon and Wireshark. UniCon 2020 included an excellent NetWars-style CTF that involved executing payloads and observing behaviour. ![]() Many thanks to Scythe for providing such great content to the community. ![]() ![]() Check out the other excellent winners here. **UPDATE** This entry ended up winning the first-place grand prize as announced by Scythe.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |