PowerShell

CyberCorp2

⛔️ Spoiler alert!

Case Details

This is not an investigation like the previous one. This is threat hunting. So, we have only logs via Kibana available. To harden my knowledge of these technologies I’ve had a very quick overview of the ElasticStack website and enrolled in this course. Basically, I will have to answer questions having loads of logs and a query engine available.

Questions

1. WMI Event Consumer name?

✅ The Threat Hunting process usually starts with the analyst making a hypothesis about a possible compromise vector or techniques used by an attacker. In this scenario, your initial hypothesis is as follows: “The attacker used the WMI subscription mechanism to obtain persistence within the infrastructure”. Verify this hypothesis and find the name of the WMI Event Consumer used by the attacker to maintain his foothold.
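The same hypothesis can be checked directly on a host instead of in Kibana: a permanent WMI subscription always consists of an __EventFilter, an __EventConsumer and a __FilterToConsumerBinding that ties them together. The PowerShell below is an added example, not part of the original post; the Get-RefName helper and the output columns are my own choices.

```powershell
# Added example: list every permanent WMI subscription on the local host as
# filter -> consumer, together with the consumer's inline payload (if any).
# Run in an elevated session; reads only, changes nothing.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Helper (my own): a binding's Filter/Consumer property is a reference. Get-CimInstance
# returns it as a partial instance with its key (Name); Get-WmiObject returns a path
# string such as '__EventFilter.Name="BotFilter82"'. Handle both shapes.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return $ref.Name
}

foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer carries
    # VBScript/JScript text. Other consumer types (log, SMTP, NT event) have no inline payload.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               else                        { '<no inline payload>' }

    [pscustomobject]@{
        Filter   = $fName
        Query    = $f.Query                 # the WQL trigger, e.g. a timer or process-start event
        Consumer = $cName                   # this is the name the question asks for
        Type     = $c.CimClass.CimClassName
        Payload  = $payload
    }
}
```

A clean Windows host normally shows only the built-in "SCM Event Log Filter" bound to the "SCM Event Log Consumer"; anything else, especially a CommandLine or ActiveScript consumer, should be explained.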

CyberCorp1

⛔️ Spoiler alert!

Case Details

Artefacts in possession: memory dump, OS event logs, registry files, Prefetch files, $MFT file, ShimCache, AmCache, network traffic dumps. I’ve decided to analyse each artefact, what I can get from it in this specific case and how. Then, I am going to outline my strategy in approaching this case.

We are looking for indicators of compromise. There are no details as to who the group is or what its aim was, but it is known that abnormal traffic was detected, and that is what launched this IR process. So, at the very least, we should have some suspicious traffic, possibly open or terminated connections. These must have been launched by some process, so we are looking for malware. Also, since the attacker needed an account to get in, I will be looking for account takeover attempts and, possibly, new account creation.

📕 Windows RTFM

This is about … .

📘 PowerShell BTFM

Settings

Association

It’s better to associate PowerShell scripts (.ps1) with notepad.exe rather than with PowerShell, for security reasons: double-clicking a script then opens it for reading instead of executing it.

Execution Policy

Get the execution policy. The PowerShell execution policy applies to scripts only; it does not restrict commands typed interactively. Here are the main policies used:

Get-ExecutionPolicy   # prints the effective policy for the current session, one of:
> Restricted    # no scripts are allowed (default for Windows desktop)
> RemoteSigned  # downloaded scripts must be signed by a trusted publisher (preferred, default for Windows Server); local scripts need no signature
> Unrestricted  # everything runs (dangerous); downloaded scripts only produce a warning
> Undefined     # no policy set in this scope; the effective policy falls back to Restricted on Windows desktop and RemoteSigned on Windows Server
> AllSigned     # signatures are required for local scripts as well
> Bypass        # nothing is blocked, no warnings and no prompts

Other policies are described in the official documentation [2].