IDA

CyberCorp2

⛔️ Spoiler alert!

Case Details

This is not an investigation like the previous one. This is threat hunting. So, we have only logs via Kibana available. To harden my knowledge of these technologies I've had a very quick overview of the ElasticStack website and enrolled in this course. Basically, I will have to answer questions with loads of logs and a query engine available.

Questions

1. WMI Event Consumer name?

The Threat Hunting process usually starts with the analyst making a hypothesis about a possible compromise vector or techniques used by an attacker. In this scenario, your initial hypothesis is as follows: “The attacker used the WMI subscription mechanism to obtain persistence within the infrastructure”. Verify this hypothesis and find the name of the WMI Event Consumer used by the attacker to maintain his foothold.
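To verify the hypothesis in the logs, the hunt is for Sysmon WMI activity: Event ID 19 (WmiEventFilter), 20 (WmiEventConsumer) and 21 (WmiEventConsumerToFilter binding). In Kibana the starting query is simply `event.code:(19 or 20 or 21)`. The script below is an added example, not part of the original write-up or of the CyberCorp2 challenge data: it takes a handful of constructed Sysmon events in a winlogbeat-style JSON layout (the field names `event_id` and `event_data` are assumptions of this example) and reconstructs the full subscription chain, so that each persistence entry is reported as filter query plus consumer name, type and payload rather than as three unrelated events.

```python
import json

# Constructed sample events (not real challenge data). Names, users and the
# consumer payload are placeholders invented for this example.
SAMPLE_EVENTS = [
    {"event_id": 19, "event_data": {
        "Operation": "Created", "User": "CORP\\example-user",
        "EventNamespace": "root\\subscription", "Name": "ExampleFilter",
        "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 "
                 "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"}},
    {"event_id": 20, "event_data": {
        "Operation": "Created", "User": "CORP\\example-user",
        "Name": "ExampleConsumer", "Type": "Command Line",
        "Destination": "powershell.exe -enc PLACEHOLDER_BASE64"}},
    {"event_id": 21, "event_data": {
        "Operation": "Created", "User": "CORP\\example-user",
        "Consumer": "CommandLineEventConsumer.Name=\"ExampleConsumer\"",
        "Filter": "__EventFilter.Name=\"ExampleFilter\""}},
    # Unrelated noise that a real export would also contain.
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\explorer.exe"}},
]

SAMPLE_NDJSON = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)


def load_ndjson(text):
    """Parse one JSON document per line, as exported from Kibana/Elasticsearch."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _wmi_name(path):
    """Extract the object name from a WMI path such as
    __EventFilter.Name="ExampleFilter" (the form Sysmon logs in Event 21)."""
    if 'Name="' in path:
        return path.split('Name="', 1)[1].rstrip('"')
    return path


def find_wmi_persistence(events):
    """Join Sysmon events 19/20/21 into complete subscription chains.

    Returns one dict per filter-to-consumer binding with the consumer name,
    type and payload and the filter query that triggers it.
    """
    filters = {}    # filter name -> event 19 data
    consumers = {}  # consumer name -> event 20 data
    bindings = []   # event 21 data
    for ev in events:
        data = ev.get("event_data", {})
        if ev.get("event_id") == 19:
            filters[data["Name"]] = data
        elif ev.get("event_id") == 20:
            consumers[data["Name"]] = data
        elif ev.get("event_id") == 21:
            bindings.append(data)

    chains = []
    for b in bindings:
        cname = _wmi_name(b["Consumer"])
        fname = _wmi_name(b["Filter"])
        consumer = consumers.get(cname, {})
        flt = filters.get(fname, {})
        chains.append({
            "consumer": cname,
            "consumer_type": consumer.get("Type"),
            "payload": consumer.get("Destination"),
            "filter": fname,
            "query": flt.get("Query"),
            "user": b.get("User"),
        })
    return chains


if __name__ == "__main__":
    for chain in find_wmi_persistence(load_ndjson(SAMPLE_NDJSON)):
        print(f"{chain['user']}: filter {chain['filter']} -> "
              f"consumer {chain['consumer']} ({chain['consumer_type']}): {chain['payload']}")
```

Joining on the binding event matters: an attacker can name the filter and the consumer anything, so it is the Event 21 record that proves a given consumer actually fires, and the answer to the question is the consumer name it references.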

Process Injections

Windows

Most of the information is taken from here, with more visualisation added. The screenshots from IDA Pro are also copied from that blog post.

Classic

This one is one of the simplest to explain and not that simple to actually use in a real attack (see Caveats). The path of a malicious DLL is written into the memory space of a legitimate running process, so that the process itself loads the DLL at runtime.

[Figure: classic-1]

Below is the anatomy of this function call.
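From the defender's side, the classic technique leaves a characteristic trace: a thread is created in another process whose start routine is a library-loading export in the target's own kernel32, which Sysmon records as Event ID 8 (CreateRemoteThread) with `StartModule` and `StartFunction` fields. The script below is an added example, not code from the original post or from the blog it cites: it runs that check over a few constructed Event 8 records (the JSON layout and the image paths are assumptions of this example) and flags the source/target pair for each suspicious thread.

```python
import json

# Constructed Sysmon Event ID 8 records (not real telemetry); process names
# and PIDs are placeholders for this example.
SAMPLE_EVENT8 = [
    {"event_id": 8, "event_data": {
        "SourceImage": "C:\\Users\\example\\Downloads\\tool.exe",
        "SourceProcessId": "4242",
        "TargetImage": "C:\\Windows\\System32\\notepad.exe",
        "TargetProcessId": "1337",
        "StartModule": "C:\\Windows\\System32\\KERNEL32.DLL",
        "StartFunction": "LoadLibraryA",
        "StartAddress": "0x00007FFB12345678"}},
    # A benign-looking remote thread: no known module/function at the start address.
    {"event_id": 8, "event_data": {
        "SourceImage": "C:\\Windows\\System32\\svchost.exe",
        "SourceProcessId": "900",
        "TargetImage": "C:\\Windows\\System32\\svchost.exe",
        "TargetProcessId": "901",
        "StartModule": "",
        "StartFunction": "",
        "StartAddress": "0x00007FFB00001000"}},
    {"event_id": 1, "event_data": {"Image": "C:\\Windows\\explorer.exe"}},
]

LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def is_classic_injection(data):
    """True when a remote thread starts directly at a kernel32 LoadLibrary* export,
    the signature of the classic DLL-path injection described above."""
    module = data.get("StartModule", "").lower()
    function = data.get("StartFunction", "")
    return module.endswith("kernel32.dll") and function in LOADER_EXPORTS


def find_classic_injections(events):
    """Return (source image, target image, start function) for each Event 8
    record that matches the classic injection pattern."""
    hits = []
    for ev in events:
        if ev.get("event_id") != 8:
            continue
        data = ev.get("event_data", {})
        if is_classic_injection(data):
            hits.append((data["SourceImage"], data["TargetImage"], data["StartFunction"]))
    return hits


if __name__ == "__main__":
    ndjson = "\n".join(json.dumps(e) for e in SAMPLE_EVENT8)
    events = [json.loads(line) for line in ndjson.splitlines()]
    for src, dst, fn in find_classic_injections(events):
        print(f"remote thread from {src} into {dst} starting at {fn}")
```

The second sample record shows why the check keys on the start function rather than on Event 8 alone: legitimate software creates remote threads too, so the rule is the combination of a cross-process thread and a LoadLibrary entry point, and a thread with no resolvable start module is a different (and separate) hunt.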