
Advanced Threat Defense

Advanced Threat Response


Workshop Manual
Copyright © 2020 Trend Micro Incorporated. All rights reserved.

Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs
are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.

Portions of this manual have been reprinted with permission from other Trend Micro documents. The
names of companies, products, people, characters, and/or data mentioned herein are fictitious and are
in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Information in this document is subject to change without notice.

No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.

Author: ATD Taskforce

Released: March 24, 2020


Version: 2.0
Table of Contents

Table of Contents

Introduction.................................................................................................. 5
About this Book .................................................................................................................... 7
Laboratory Introduction ....................................................................................................... 7
Trend Micro Training Cloud Access ...................................................................................... 7
Virtual Environment ............................................................................................................. 9
User Credentials .............................................................................................................................10
Accessing the Virtual Machines ...................................................................................................10

Host-based Investigation using basic Tools ...................................................... 13


Exercise 1: Analyzing unusual Processes with Process Explorer .......................................... 15
Exercise 2: Analyzing unusual Network Activity with TCPView ....................................... 20
Exercise 3: Analyzing unusual Registry Entries & Services using Autoruns ......................... 22
Exercise 4: Analyzing unusual Files using Windows Explorer & Task Manager ................25
Exercise 5: Analyzing unusual Accounts using net command .............................................. 29
Exercise 6: Analyzing unusual Log Entries using Event Viewer ....................................... 33
Exercise 7: Enhance Event Viewer Logs with Sysmon .......................................................... 37

Incident Investigation using Trend Micro Solutions ........................................... 39


Exercise 8: Investigate and Identify Threats using Deep Discovery ........................................41
Exercise 9: Identify Server-Side Threats with Deep Security................................................ 53
Exercise 10: Investigate Hosts using Trend Micro Endpoint Sensor ......................................58

Final Challenge ..............................................................................................69


Lab 1: Security Incident Investigation ................................................................................................ 71

Appendix A: Optional Activities ......................................................................... 75


A.1 Fileless Investigation........................................................................................................ 77
A.2 Using YARA to identify suspicious Files ...........................................................................84

Appendix B: Table of Contents .......................................................................... 89

© 2020 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential 3


Advanced Threat Defense - Advanced Threat Response



Introduction

This chapter gives information about the following items:


• Lab introduction
• Training environment
• Lab Setup
• Credentials
• Accessing the Virtual Machines

It also contains information about all pre-requisites, if required.


The content of this chapter is correct as of March 24, 2020.




About this Book


This Workshop Manual accompanies the course Advanced Threat Defense: Advanced Threat
Response.

It only contains the instructions for all exercises and labs discussed throughout this part of the
Advanced Threat Defense course.

Laboratory Introduction
This workshop manual refers to a pre-configured environment which is provided by Certified Trainers
during the course.

As the environment is hosted on the Trend Micro Training Cloud, a host computer with an active
internet connection is required for access.

Read all of the information in this chapter carefully, as it outlines how to access and use the
environment.

Trend Micro Training Cloud Access


As this training makes use of tools and samples which could compromise the security of live systems,
the virtual machines have no access to any resources outside of the vApp itself.

In order to access the vApp assigned by the Certified Trainer, follow the steps below:
1. Open the invitation email sent from noreply-productcloud@trendmicro.com.
2. Click the link in the invitation email.

Invitation email : example


3. On the “Training Area” page, click the [Enter Training] icon.

TREND MICRO TRAINING CLOUD ACCESS: LIST OF ALL TRAININGS

4. Make sure that the status is [Powered On], then click the [Enter Lab View] icon.

If the status is [Powered Off], tick the checkbox on the left and click the ▶ icon.

5. Make sure that the [Lab View] window appears.

TREND MICRO TRAINING CLOUD ACCESS: Lab View


Virtual Environment
The virtual environment contains the following virtual machines:

CLASS SETUP: VIRTUAL ENVIRONMENT

The following table lists additional information about the virtual machines:

Virtual Machine   Description
Host              Used for host-based investigation; completely isolated from the rest of the environment
SVR-DC            Windows Server 2012 R2; Domain Controller
SVR-SQL           Windows Server 2012 R2; SQL Server for Deep Security and Apex Central
SVR-Web           Windows Server 2012 R2; web server serving the intranet page
apexcntrl         Windows Server 2016; runs Apex Central
apexone           Windows Server 2016; runs Apex One
AV-DS             Windows Server 2012 R2; runs Deep Security
AV-DDI            Pre-configured Deep Discovery Inspector
AV-DDAN           Pre-configured Deep Discovery Analyzer
Staff-PC1         Windows 10; typical endpoint
CLASS SETUP: VIRTUAL MACHINE DESCRIPTIONS

Note: The clocks of the virtual machines have been frozen to a fixed date; this is required in order to
preserve the availability and integrity of the logs discussed throughout this course.


User Credentials
The following credentials should be used to log in to each virtual machine:
Virtual Machine Username Password
Host - -
All - Domain Administrator ATD\Administrator Pa$$w0rd
All - Domain User ATD\Jack_Fisher Pa$$w0rd
CLASS SETUP: USER CREDENTIALS

The following table lists all user accounts for the different Trend Micro web consoles:

Trend Micro Product Username Password


Deep Discovery Inspector admin Admin1234!
Deep Discovery Analyzer admin Admin1234!
Deep Security MasterAdmin Admin1234!
Apex One / Apex Central root Admin1234!
CLASS SETUP: TREND MICRO CONSOLE LOGINS

Accessing the Virtual Machines

Note: The screenshots in this section are indicative only; some attributes, such as name, will
depend on the vApp currently assigned to your student account.

1. On the [Lab View] window, make sure the [Status] column for all virtual machines indicates
Powered On.

ACCESSING THE VIRTUAL MACHINES: OPEN THE VAPP


2. Select the virtual machine you would like to access and click the [Remote Control] icon.

ACCESSING THE VIRTUAL MACHINES: “Remote Control” Icon

3. A screen like the one below appears after the [Remote Control] icon is clicked.

4. The logon screen appears several seconds after the screen above.



Host-based Investigation using basic Tools
This chapter demonstrates examples of host-based incident investigation using on-board
or 3rd party tools, such as:
• Process Explorer
• TCPView
• Autoruns
• Windows Explorer
• net command
• Event Viewer

Note: Throughout this chapter, we will investigate an incident which happened in November 2015.
Therefore, the indicators discovered during the exercises will refer to this time frame.


Exercise 1: Analyzing unusual Processes with Process Explorer
In this exercise, we will investigate incidents by analyzing unusual behavior and activities on hosts
running Microsoft Windows.
1. Access the Training Cloud environment.
See: Introduction > Trend Micro Training Cloud Access on page 7 for details.
2. Open the console window of the Host virtual machine.
You are logged in to the machine automatically; no username or password is required.
3. Open Process Explorer by double-clicking the procexp shortcut on the Desktop.
If this is your first time running Process Explorer, a license agreement window appears. Click
“Agree” to proceed.
4. Click on File > Show Details for All Processes to display detailed information about the
processes.
Doing this will require elevated access. On the “User Account Control” window, click “Yes” to
proceed.
5. Click on Options > Verify Image Signatures to allow Process Explorer to verify and display the
process image's signature.
This will add a new column on the main window named “Verified Signer”, which displays the
signer information listed on the certificate:

PROCESS EXPLORER: VERIFIED SIGNER

You may notice that when using Process Explorer, most process images are highlighted in blue or
pink. By default, a light-blue highlight marks processes running under the same user account as
Process Explorer, and a light-pink highlight marks Windows service processes.


6. Identify the process backdoor.exe in the list of running processes:

PROCESS EXPLORER: BACKDOOR.EXE

7. Right-click on backdoor.exe and select Properties…:

PROCESS EXPLORER: BACKDOOR.EXE PROPERTIES

Apart from the obviously suspicious name, take a look at the path of the image as well. It is
located in the Windows root folder (C:\Windows), which is normally reserved for Windows components.
Such reserved folders are known hiding spots for malicious processes, because a file placed there
looks legitimate at a glance.
Image Path: the Windows root folder and other locations reserved for Windows components are
known hiding spots for malicious processes.
TCP/IP: processes that use the network can also be suspicious, as they may be communicating with
a Command and Control server.
8. Switch to the “TCP/IP” tab:

PROCESS EXPLORER: BACKDOOR.EXE TCP/IP PROPERTIES

9. Expand the Local Address column and take note of any unusual ports.
10. Click on “Cancel” to close the Properties window.


11. Back in the main window of Process Explorer, go through the list of processes and look for an
instance of svchost.exe that is out of place. It is easy to identify by its color: it has a
light-blue background rather than light-pink:

PROCESS EXPLORER: SVCHOST.EXE

Based on the definition of the colors, images with a light-blue background were launched by the
current user. The genuine svchost.exe is a service host started by services.exe to run services
implemented in registered Microsoft DLLs, so by default it should have a pink background and be
listed below services.exe in the process tree.
12. Right-click the out-of-scope svchost.exe and click on Properties…
13. Similar to the backdoor.exe process, check the “Image” and the “TCP/IP” tabs.
The valid svchost.exe is located in the “C:\Windows\System32\” folder; however, the path for this
specific process is listed as “C:\Windows\”:

PROCESS EXPLORER: SVCHOST.EXE PROPERTIES

14. Click on “Cancel” to close the Properties window.


15. Back in the main window of Process Explorer, press <CTRL>+<D> to view the DLLs along with the
processes.
Alternatively, use the “View DLLs” icon at the top menu, which is the 6th icon from the left.

PROCESS EXPLORER: VIEW DLL


16. The DLLs loaded by the selected process image are listed in the lower panel. Enabling the
View DLLs option allows us to search for and identify injected malicious DLL files:

PROCESS EXPLORER: VIEW DLLS

17. In the bottom panel where the DLLs are listed, click on the “Description” header to sort the list
alphabetically by DLL description. This groups together all files that have no description or
company name in their metadata.
Additionally, sorting the list by the “Verified Signer” column allows you to identify unsigned or
incorrectly signed files:

PROCESS EXPLORER: SORT BY DESCRIPTION

Best Practice: When looking for malicious DLLs, start with the ones that have no description,
company name or verified signature. Scroll through all instances of svchost.exe and
you will notice that some of the files that look suspicious are actually commonly
used and can therefore be crossed off your list. For items that are both suspicious
and unique, gather as much detail as you can; those are possibly malicious.


18. Click through all instances of svchost.exe and look for any suspicious DLLs that don't have
descriptions, company names, or file signatures.
You will eventually find a malicious DLL with a randomly generated filename that has no metadata
for description and company name, and no digital signature:
PROCESS EXPLORER: MALICIOUS DLL WITH RANDOM NAME

19. Right-click on the svchost.exe process that uses the malicious DLL and click on Properties...
20. Click on the “Services” tab to view more information about the service:

PROCESS EXPLORER: SERVICE INFORMATION

To judge whether the DLL is malicious, check the name and details of the service it implements:


• In this instance, the service is “MS Media Control Center”, launched from RdmytxC.dll.
• For genuine Microsoft files and processes, the “Description” and “Company Name” fields
should not be empty.
• It is also suspicious that a supposedly “valid” Microsoft file is not signed.
• The description of the service contains typos, e.g. “palyer” and “stoped”.
21. Click on the “TCP/IP” tab to view its network properties.
In some instances, the TCP/IP tab may be empty at first, and items appear after a minute or so.
This may be due to the service being restarted.
22. Click on “Cancel” to close the Properties window
23. Close Process Explorer and all other open windows.
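The checks carried out by hand in steps 11 to 20 (parent process, image path, Verified Signer, loaded DLLs) can be expressed as a small triage script. The following Python example is added here; it is not part of the original manual and not code from Process Explorer. The process table is constructed to mirror the lab findings (a rogue svchost.exe in C:\Windows started by Explorer, and an unsigned RdmytxC.dll loaded by a genuine service host); the PIDs, the `Proc` record and the function name are this example's own. On a live host the same fields can be collected with `tasklist /m`, `wmic process get ProcessId,ParentProcessId,ExecutablePath` and `Get-AuthenticodeSignature`.

```python
"""Triage svchost.exe instances the way the Process Explorer steps above do by hand.

Added example; the process table is constructed, not captured from the lab host.
"""
import ntpath
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"c:\windows\system32"
MS_SIGNER = "Microsoft Windows"   # what Process Explorer's Verified Signer column shows


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str
    signer: Optional[str]                                # None when the image is unsigned
    dlls: Tuple[Tuple[str, Optional[str]], ...] = ()     # (dll path, signer)


def svchost_findings(procs: List[Proc]) -> Dict[int, List[str]]:
    """Return {pid: reasons} for every svchost.exe that breaks an expectation."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        if p.name.lower() != "svchost.exe":
            continue
        reasons = []
        parent = by_pid.get(p.ppid)
        # A genuine service host is started by services.exe (pink in Process Explorer).
        if parent is None or parent.name.lower() != "services.exe":
            reasons.append(f"parent is {parent.name if parent else 'unknown'}, expected services.exe")
        # The genuine image lives in System32; C:\Windows itself is a known hiding spot.
        if ntpath.dirname(p.path).lower() != SYSTEM32:
            reasons.append(f"image path {p.path} is outside {SYSTEM32}")
        if p.signer != MS_SIGNER:
            reasons.append("image signature not verified as Microsoft Windows")
        # Service DLLs without a signature are the first candidates to inspect.
        for dll, signer in p.dlls:
            if signer is None:
                reasons.append(f"unsigned DLL loaded: {dll}")
        if reasons:
            findings[p.pid] = reasons
    return findings


# Constructed process table modelled on the lab findings (PIDs are made up).
SAMPLE_PROCS = [
    Proc(420, 4, "wininit.exe", r"C:\Windows\System32\wininit.exe", MS_SIGNER),
    Proc(500, 420, "services.exe", r"C:\Windows\System32\services.exe", MS_SIGNER),
    Proc(700, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe", MS_SIGNER,
         ((r"C:\Windows\System32\rpcss.dll", MS_SIGNER),)),
    Proc(720, 500, "svchost.exe", r"C:\Windows\System32\svchost.exe", MS_SIGNER,
         ((r"C:\Windows\System32\RdmytxC.dll", None),)),     # the "MediaCenter" service DLL
    Proc(1800, 1700, "explorer.exe", r"C:\Windows\explorer.exe", MS_SIGNER),
    Proc(3100, 1800, "svchost.exe", r"C:\Windows\svchost.exe", None),   # launched by start.vbs
]

if __name__ == "__main__":
    for pid, reasons in svchost_findings(SAMPLE_PROCS).items():
        print(pid, *reasons, sep="\n  ")
```

The genuine service host (PID 700) produces no finding; the copy in C:\Windows fails all three image checks, and the legitimate host PID 720 is reported only because of the unsigned DLL it loads, which is exactly the item steps 17 to 20 single out.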


Exercise 2: Analyzing unusual Network Activity with TCPView
1. Still on the Host virtual machine, open TCPView using the Tcpview shortcut on the Desktop.
If this is your first time to run TCPView, a license agreement window appears. Click “Agree” to
proceed.
2. Click on Options and uncheck the Resolve Address option.
This displays raw IP addresses and port numbers instead of resolved host and service names, which is
crucial for incident response investigations (a resolved name can be misleading, and the lookup itself
sends the address to DNS):

TCPVIEW: OVERVIEW

3. Right-click on backdoor.exe, and click on Process Properties…


The location of the process' file is displayed under Path. Similar to using Process Explorer, this
can be used to identify possible malicious files:

TCPVIEW: PROCESS PROPERTIES

4. Click “OK” to close the Properties window.


5. Click on the “State” column header twice to sort the list in descending alphabetical order. This
makes it easy to identify active connections and their current states.


6. TCPView refreshes the state of every connection continuously.


At first, states may vary between TIME_WAIT and LISTENING. Wait a few seconds and a new entry for an
instance of svchost.exe appears in state SYN_SENT.
When investigating incidents, it is worth checking the details behind outgoing connections. In
this instance, a connection is being established to another machine on destination port 8000:

TCPVIEW: SORT BY STATE COLUMN

This port is not one a workstation normally talks to and can be flagged as suspicious. However, a
connection to an uncommon port is not in itself proof of malicious activity, so further
investigation is needed. SYN_SENT means the host has sent a connection request and is still waiting
for a reply; it is an attempt, not yet an established session.
From the process image that attempted the connection (the out-of-place svchost.exe from
Exercise 1), we can identify a possible Command and Control server, 192.168.10.1, on port 8000.
7. Close TCPView.
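The same triage, applied to the raw socket table rather than the TCPView window: parse connection rows, keep outbound TCP attempts to ports outside an allow-list, and map each PID back to its image. This Python example is added here and is not part of the manual or of TCPView. The `netstat -ano`-style rows and the PID-to-image map are constructed (the 192.168.10.1:8000 destination and the backdoor.exe listener mirror the lab); the port allow-list and function names are this example's own choices and should be tuned per environment.

```python
"""Flag outbound connections to uncommon ports, the check done above with TCPView's State column.

Added example; the netstat and tasklist data are constructed, not captured from the lab host.
"""
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

Conn = namedtuple("Conn", "proto local_addr local_port remote_addr remote_port state pid")

# Constructed sample in the layout of `netstat -ano` (raw addresses, like TCPView with
# Resolve Address switched off).
NETSTAT_SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       704
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.10.50:4444     0.0.0.0:0              LISTENING       2980
  TCP    192.168.10.50:49188    192.168.10.5:443       ESTABLISHED     2212
  TCP    192.168.10.50:49190    192.168.10.5:445       TIME_WAIT       0
  TCP    192.168.10.50:49201    192.168.10.1:8000      SYN_SENT        3100
  UDP    0.0.0.0:5355           *:*                                    1020
"""

# Constructed PID -> image map as `tasklist` would report it.
TASKLIST_SAMPLE = {4: "System", 704: "svchost.exe", 1020: "svchost.exe",
                   2212: "chrome.exe", 2980: "backdoor.exe", 3100: "svchost.exe"}

# Ports a workstation is normally expected to talk to; an assumption, tune per environment.
COMMON_REMOTE_PORTS = {25, 53, 80, 88, 135, 139, 389, 443, 445, 465, 587, 636, 993, 995, 3268}


def split_endpoint(ep: str) -> Tuple[str, Optional[int]]:
    """'192.168.10.1:8000' -> ('192.168.10.1', 8000); '[::]:135' -> ('::', 135); '*:*' -> ('*', None)."""
    addr, _, port = ep.rpartition(":")
    return addr.strip("[]"), int(port) if port.isdigit() else None


def parse_netstat(text: str) -> List[Conn]:
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue                      # header, blank or unexpected line
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts[:5]
        else:                             # UDP rows carry no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append(Conn(proto, *split_endpoint(local), *split_endpoint(remote), state, int(pid)))
    return conns


def suspicious_outbound(conns, pid_to_image, common_ports=COMMON_REMOTE_PORTS):
    """Outbound TCP connections (SYN_SENT or ESTABLISHED) to ports outside the expected set."""
    hits = []
    for c in conns:
        if c.proto != "TCP" or c.state not in ("SYN_SENT", "ESTABLISHED"):
            continue
        if c.remote_port in common_ports:
            continue
        hits.append((pid_to_image.get(c.pid, "?"), c.pid, f"{c.remote_addr}:{c.remote_port}", c.state))
    return hits


def listening_ports(conns, pid_to_image) -> Dict[str, List[int]]:
    """Map image name -> TCP ports it listens on, to spot unexpected listeners such as a bind shell."""
    out: Dict[str, List[int]] = {}
    for c in conns:
        if c.proto == "TCP" and c.state == "LISTENING":
            out.setdefault(pid_to_image.get(c.pid, "?"), []).append(c.local_port)
    return out


if __name__ == "__main__":
    conns = parse_netstat(NETSTAT_SAMPLE)
    for hit in suspicious_outbound(conns, TASKLIST_SAMPLE):
        print("outbound:", *hit)
    print("listeners:", listening_ports(conns, TASKLIST_SAMPLE))
```

The browser session to port 443 is filtered out by the allow-list, while the svchost.exe attempt to 192.168.10.1:8000 and the backdoor.exe listener on port 4444 are surfaced as candidates; as the text notes, they are candidates for investigation, not verdicts.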


Exercise 3: Analyzing unusual Registry Entries & Services using Autoruns
1. Still on the Host virtual machine, open Autoruns using the Autoruns shortcut on the Desktop.
If this is your first time to run Autoruns, a license agreement window appears. Click “Agree” to
proceed.
2. Click on File > Run as Administrator to elevate Autoruns’ privileges.
3. Click on Options and put a check on Hide Microsoft Entries.
This process may take a few seconds to finish. Check the status bar at the bottom to verify if the
scanning process is finished. It will display “Ready” once it is done:

AUTORUNS: READY

4. Click on Options > Scan Options…


5. Put a check on Verify code signatures and click Rescan. This process may take a few seconds to
finish as well. Check the status bar at the bottom to verify if the scanning process is finished:

AUTORUNS: VERIFY CODE SIGNATURES

6. Inspect the items listed under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.


Entries under this key are launched automatically every time a user logs on, regardless of which
user it is.
Malware commonly uses this key to run on startup without the user's consent. When investigating
incidents, this should be one of the first locations checked for suspicious programs.

Note: The HKEY_CURRENT_USER hive contains the same key (HKCU\Software\Microsoft\Windows\
CurrentVersion\Run). Items listed there run only when that specific user logs on.


7. Right-click on javaupdate and click on Jump to Entry... This opens the Registry Editor at the
location where the registry entry is stored:

AUTORUNS: OPEN REGISTRY EDITOR VIA CONTEXT MENU

The suspicious registry entry launches a VBS script located in C:\Windows.

Best Practice: When investigating suspicious entries, take note of the time the file was created.
“Date Created” is more informative than “Date Modified”, because the creation
timestamp tells us when the file was copied or transferred to this machine, whereas
the modification timestamp is carried over from the source. This is why “Date
Modified” can be earlier than “Date Created”; when building an incident timeline,
use “Date Created”. Keep in mind that an attacker can alter both timestamps
(timestomping), so corroborate them with other evidence such as event logs.

8. Switch back to the Autoruns window.


9. Right-click on javaupdate again and click on Jump to Image...
This opens Windows Explorer at the location where the suspicious start.vbs file is stored:

AUTORUNS: OPEN WINDOWS EXPLORER VIA CONTEXT MENU

The start.vbs file is selected by default. Looking at the details of the file at the bottom of Windows
Explorer, we know that the file was created on the 19th of November 2015. This date can be used
as an anchor point for other investigations.
11/19/2015 6:10AM: Possible date of attack; Files were created on the infected machine.


10. Right-click on start.vbs and click on Edit. This opens the VBS script in Notepad:

AUTORUNS: INVESTIGATE CONTENTS OF VBS FILE

This gives an indication of what the VBS script does when executed: it instructs Windows to launch
both of the malicious processes found in the previous exercises, backdoor.exe and the rogue
svchost.exe.
11. Switch back to the Autoruns window.
Inspect the items under the HKLM\System\CurrentControlSet\Services key. Entries in this
section contain the parameters of the device drivers, file system drivers and Win32 services
used by Windows.
From this view, we can already see the location of the items listed.
12. Right-click MediaCenter and select Properties…
This should show us the location of the service. However, a known bug in Autoruns prevents the
Properties dialog from being displayed properly; the warning it shows still reveals the location of
the DLL file.
Upon inspection, this service is already suspicious as:
• It is not signed by Microsoft
• the “Publisher” field is empty
• The properties of the service DLL can't be displayed as it points to rdmytxc.dll located in
C:\windows\system32\
13. Right-click on MediaCenter again and click on Jump to Entry…
This opens the Registry Editor at the location of the suspicious entry.
14. Select the Parameters sub-key on the left navigation pane:

AUTORUNS: REGISTRY EDITOR

This displays the location of the real DLL file, “C:\Windows\system32\RdmytxC.dll”.


15. Close all open windows.


Exercise 4: Analyzing unusual Files using Windows Explorer & Task Manager
1. Still on the Host virtual machine, click on Start > Computer to open Windows Explorer.
2. Click on Organize > Folder and search options.
3. Switch to the “View” tab:

WINDOWS EXPLORER: CHANGE DEFAULT VIEW SETTINGS

4. In the list of Advanced settings, uncheck “Hide extensions for known file types” and “Hide
protected operating system files (Recommended)”.
Choosing this option produces a warning message, click “Yes” to proceed:

WINDOWS EXPLORER: UNHIDE PROTECTED OPERATING SYSTEM FILES

5. Below the Hidden files and folders sub-setting, switch the radio button to “Show hidden files,
folders, and drives”:

WINDOWS EXPLORER: SHOW HIDDEN FILES, FOLDERS, AND DRIVES


6. Click “OK”.
By choosing to show all hidden files, folders and drives, we can see all of the files referenced in
this activity.
7. Open an elevated Command Prompt, which will be used to restart Windows Explorer with administrator
privileges: click on Start, type cmd, right-click cmd and choose Run as Administrator.
8. On the command prompt, launch the Task Manager by typing:

taskmgr

9. In the Task Manager window, switch to the “Processes” tab and select explorer.exe:

WINDOWS TASK MANAGER: END PROCESS OF EXPLORER.EXE

10. Click “End Process”.


11. Switch back to the elevated Command Prompt and re-launch Windows Explorer via:

explorer

If no new Windows Explorer opens, run the above command again.


12. In the new Windows Explorer window, navigate to “Local Disk (C:)”.
13. Using the search box on the upper-right corner of Windows Explorer, search for possible malicious
files using the datecreated: search string.
The “datecreated:” prefix allows us to search for files created on the date specified in the query
string.
Based on our previous exercises, we can determine that a possible infection occurred on the 19th
of November 2015. Using this data as an anchor point, we can search for other possible malicious
files that came along with it using the search term:

datecreated:11/19/2015


14. Wait for the search to finish:

WINDOWS EXPLORER: SEARCH FOR DATE CREATED

Note: If “mi.exe” and “dump.txt” do not appear in the search results, repeat steps 7 to 11:
without administrator privileges, Windows Explorer lacks the permissions to search the
“temp” folder where both files are located.

15. To easily analyze the search results, switch Windows Explorer's view to Details using the controls
below the search box.
16. Right-click on the header in the Details view and select Date created from the list of available
options. This will add the “Date created” column to the view.
17. Sort the list chronologically descending according to the “Date created” field by clicking on the
Date created header:

WINDOWS EXPLORER: SORT BY DATE CREATED


18. Look for the malicious files we've identified from the previous activities. We will see a list of other
possible malicious files, as they were created within the same timeframe:
Name Date Created Type
dump.txt 11/19/2015 6:10 AM Text Document
start.vbs 11/19/2015 6:10 AM VBScript Script File
backdoor.reg 11/19/2015 6:09 AM Registry Entries
backdoor.exe 11/19/2015 6:09 AM Application
svchost.exe 11/19/2015 6:09 AM Application
Microsoft-Windows… 11/19/2015 6:09 AM Event Log
dump.cmd 11/19/2015 6:08 AM Windows Command Script
mi.exe 11/19/2015 6:08 AM Application
WINDOWS EXPLORER: SUSPICIOUS FILES CREATED WITHIN THE SAME TIMEFRAME

Upon inspection, we can see another possibly malicious executable, mi.exe, created in the same
timeframe as start.vbs. Further investigation shows that mi.exe is the credential-dumping tool
Mimikatz, which can extract plain-text passwords and other credentials directly from the memory of
the LSASS process.
19. Double-click on dump.txt to open it in Notepad:

WINDOWS EXPLORER: DUMP.TXT CONTENTS

This is a password dump created by Mimikatz.


20. Close Notepad and all other open windows.
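The `datecreated:` search in steps 13 to 18 can be reproduced as a script that walks a tree, keeps files created inside a window and clusters them by creation time, so that a dropper and the files it wrote show up as one group. This Python example is added here and is not part of the manual. The scratch tree it builds (file names taken from the table above, written to a temporary folder) is constructed so the script runs anywhere; the window, the five-minute cluster gap and the function names are this example's own choices.

```python
"""Find files created inside a time window and cluster them, as done above with `datecreated:`.

Added example, not part of the manual. The demo tree is a temporary folder created on the fly.
"""
import os
import tempfile
from datetime import datetime, timedelta
from typing import List, Tuple

Record = Tuple[datetime, str]   # (creation time, full path)


def creation_time(st: os.stat_result) -> datetime:
    # Windows exposes creation time as st_ctime (st_birthtime on Python 3.12+);
    # on Linux st_ctime is the inode change time, so the window is approximate there.
    return datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))


def files_created_between(root: str, start: datetime, end: datetime) -> List[Record]:
    """Walk `root` and return (created, path) for files created in [start, end], newest first."""
    hits: List[Record] = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):   # skip unreadable folders
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                created = creation_time(os.stat(path))
            except OSError:
                continue        # access denied: the same blind spot Explorer has without elevation
            if start <= created <= end:
                hits.append((created, path))
    return sorted(hits, reverse=True)


def cluster_by_time(records: List[Record], gap=timedelta(minutes=5)) -> List[List[Record]]:
    """Group records whose creation time is within `gap` of the previous record (oldest first)."""
    clusters: List[List[Record]] = []
    for rec in sorted(records):
        if clusters and rec[0] - clusters[-1][-1][0] <= gap:
            clusters[-1].append(rec)
        else:
            clusters.append([rec])
    return clusters


def demo_root() -> str:
    """Create a scratch tree with the file names from the exercise (contents are placeholders)."""
    root = tempfile.mkdtemp(prefix="atd-demo-")
    for rel in ("Windows/start.vbs", "Windows/backdoor.exe", "Windows/svchost.exe",
                "Users/Jack/AppData/Local/Temp/mi.exe", "Users/Jack/AppData/Local/Temp/dump.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
    return root


def run_demo(slack_seconds: int = 60):
    """Search the scratch tree around 'now' and cluster what is found."""
    root = demo_root()
    now = datetime.now()
    slack = timedelta(seconds=slack_seconds)
    found = files_created_between(root, now - slack, now + slack)
    return found, cluster_by_time(found)


if __name__ == "__main__":
    found, clusters = run_demo()
    for created, path in found:
        print(f"{created:%m/%d/%Y %I:%M %p}  {path}")
    print(len(clusters), "cluster(s)")
```

On the lab host the window would be 11/19/2015 6:00 to 6:15 AM and the root `C:\`, run from an elevated prompt so that the temp folders are readable; a single cluster spanning `mi.exe`, `dump.cmd`, the two executables and `start.vbs` is the pattern the table above shows.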


Exercise 5: Analyzing unusual Accounts using net command
1. Switch to a command prompt on the Host virtual machine.
2. Use the net command to check for existing accounts:

net user

3. Confirm the members of the local administrators group using the command:

net localgroup administrators

4. The commands above give an overview of all local users and the list of local administrators:

NET COMMAND: LIST ALL USERS AND MEMBERS OF LOCAL ADMINISTRATOR GROUP

Inspect both results and look for unusual accounts:


• Notice that there is a user named “hacker”. In real-life scenarios, malicious accounts have less
obvious names; even so, the users or administrators of the machine can often spot an account that
is not normally there.
• The “Guest” account is disabled by default.
• It is also unusual that this “Guest” account and the “shadow$” account belong to the
Administrators group; a trailing “$” mimics the naming of computer accounts and makes the account
easy to overlook.
5. Click on Start and right-click Computer > Manage.
The Computer Management Console is an alternative way to search for suspicious accounts.
6. In the Computer Management Console, select Local Users and Groups > Users.


7. You should be able to identify the suspicious accounts on the right panel:

COMPUTER MANAGEMENT CONSOLE: SUSPICIOUS USER ACCOUNTS

8. Switch back to the command prompt.


9. Check the details of the suspicious “Guest” account using:

net user guest

10. The results will give additional information about this user:

NET COMMAND: DISPLAY DETAILS OF USER ACCOUNT “GUEST”

From the output, the following information is very important:


• Password last set: 11/19/2015 06:12:40 AM
• Password expires: Never
• Password changeable: 11/19/2015 06:12:40 AM
• Local Group Memberships: *Administrators *Guests
The Guest account is a valid built-in account; however, giving it administrator permissions defeats
the purpose of a “Guest” account, i.e. an account with limited, temporary access. Adding it to the
Administrators group lets anyone who can log on as Guest gain elevated access to the machine.
This information fits our timeline of suspicious events:
• 11/19/2015 6:10 AM: Possible date of attack; files were created on the infected machine.
• 11/19/2015 6:12 AM: Suspicious accounts were created or modified, most likely to maintain access.


11. Check the details of the suspicious hacker account with the command:

net user hacker

12. Similar details are revealed:

NET COMMAND: DISPLAY DETAILS OF USER ACCOUNT “HACKER”

13. From the output, the following information is very important:


• Password last set: 11/19/2015 06:12:08 AM
• Password expires: 12/31/2015 06:12:08 AM
• Password changeable: 11/19/2015 06:12:08 AM
• Local Group Memberships: *Users
14. The hacker account, in this scenario, is a newly created account. In real-life situations, such
accounts will have less suspicious names. Most important is to cross-check the “Password last set”
dates, as this allows investigators to link suspicious accounts to security incidents.
15. Check the details of the suspicious “shadow$” account:

net user shadow$

16. Again, the command provides more information about that specific account:

NET COMMAND: DISPLAY DETAILS OF USER ACCOUNT “SHADOW$”


17. From the output, the following information is very important:


• Password last set: 11/19/2015 06:12:25 AM
• Password expires: 12/31/2015 06:12:25 AM
• Password changeable: 11/19/2015 06:12:25 AM
• Local Group Memberships: *Administrators *Users
The “shadow$” account, aside from being hidden, also belongs to the Administrators group, which
makes it at least suspicious. Not every such account is malicious, however; each needs further
investigation.
18. Close all open windows.
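The account checks made by reading `net user` output in steps 9 to 17 can be automated: parse the label/value layout, collect the group memberships, and apply the same rules (Guest enabled or in Administrators, an unexpected administrator, a `$`-suffixed name, a password set inside the incident window). This Python example is added here; it is not part of the manual. The four outputs are constructed and trimmed to the relevant lines (the dates follow the lab timeline; jfisher is an invented benign account); the incident window, the `expected_admins` default and the function names are this example's own assumptions.

```python
"""Parse `net user <name>` output and apply the account checks walked through in Exercise 5.

Added example; the outputs below are constructed (trimmed to the relevant lines).
"""
import re
from datetime import datetime
from typing import Dict, List

DATE_FMT = "%m/%d/%Y %I:%M:%S %p"                 # e.g. 11/19/2015 06:12:40 AM
FIELD_RE = re.compile(r"^(\S.*?)\s{2,}(.*)$")     # label, two-or-more spaces, value


def parse_net_user(text: str) -> Dict[str, object]:
    """Return the label/value pairs of `net user` output plus a 'groups' list."""
    acct: Dict[str, object] = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.rstrip())
        if not m:
            continue                                   # empty value or trailer line
        label, value = m.group(1), m.group(2).strip()
        if label.lower().endswith("memberships"):      # "*Administrators       *Guests"
            acct.setdefault("groups", []).extend(g.lstrip("*") for g in value.split() if g != "*None")
        else:
            acct[label] = value
    acct.setdefault("groups", [])
    return acct


def account_findings(acct, window_start: datetime, window_end: datetime,
                     expected_admins=("Administrator",)) -> List[str]:
    name = str(acct.get("User name", ""))
    groups = acct["groups"]
    findings = []
    if name.endswith("$"):
        findings.append("name ends with $, mimicking a computer account and easy to overlook")
    if name.lower() == "guest" and acct.get("Account active") == "Yes":
        findings.append("built-in Guest account is enabled (disabled by default)")
    if "Administrators" in groups and name not in expected_admins:
        findings.append(f"{name} is a member of Administrators")
    pw_set = acct.get("Password last set")
    if pw_set and pw_set != "Never":
        when = datetime.strptime(str(pw_set), DATE_FMT)
        if window_start <= when <= window_end:
            findings.append(f"password set at {when:%Y-%m-%d %H:%M:%S}, inside the incident window")
    return findings


# Constructed outputs (trimmed); dates follow the lab timeline, jfisher is an invented benign account.
SAMPLES = {
    "guest": """User name                    Guest
Comment                      Built-in account for guest access to the computer/domain
Account active               Yes
Password last set            11/19/2015 06:12:40 AM
Password expires             Never
Local Group Memberships      *Administrators       *Guests
Global Group memberships     *None""",
    "hacker": """User name                    hacker
Account active               Yes
Password last set            11/19/2015 06:12:08 AM
Password expires             12/31/2015 06:12:08 AM
Local Group Memberships      *Users
Global Group memberships     *None""",
    "shadow$": """User name                    shadow$
Account active               Yes
Password last set            11/19/2015 06:12:25 AM
Local Group Memberships      *Administrators       *Users
Global Group memberships     *None""",
    "jfisher": """User name                    jfisher
Account active               Yes
Password last set            08/03/2015 09:14:02 AM
Local Group Memberships      *Users
Global Group memberships     *None""",
}

WINDOW = (datetime(2015, 11, 19, 6, 0), datetime(2015, 11, 19, 6, 15))

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, account_findings(parse_net_user(text), *WINDOW))
```

On a live host, feed the script the output of `net user <name>` for every name listed by `net user`; the "Password last set" rule is the one that links an otherwise plausible account to the incident, which is why the text stresses that date.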


Exercise 6: Analyzing unusual Log Entries using Event Viewer
1. On the Host virtual machine, open Event Viewer: click Start, type eventvwr and press Enter.
2. In the Event Viewer window, click on Create Custom View… on the right panel:

EVENT VIEWER: CREATE CUSTOM VIEW

3. Within the Create Custom View window, click the Logged drop-down and select “Custom
Range...”. Specify the following values:
• From: Events On 11/19/2015 6:00:00 AM
• To: Events On 11/19/2015 6:15:00 AM

EVENT VIEWER: SELECT DATE RANGE FOR CUSTOM VIEW

4. Click “OK”.
5. Back in the Create Custom View window, ensure that By Log is selected.

6. Select Windows Logs > System and Security in the Event Logs dropdown:

EVENT VIEWER: SPECIFY SOURCES FOR CUSTOM VIEW

7. Click “OK”.
8. When asked to save the custom view, specify “Exercise 6” as Name.
9. The new custom view will be automatically displayed. Click on the “Event ID” header to sort the
list according to the Event Type. You will notice that there are a lot of Event IDs 4776 and 4625.
Of interest for the investigation example are the following 3 Event IDs:
• 4624: An account was successfully logged on.
• 4625: An account failed to log on.
• 4776: The computer attempted to validate the credentials for an account.
10. Click on the “Date and Time” header to sort the results by the time of occurrence.
Starting at 6:05:04 AM, it becomes evident from the event log that there were several attempts to
validate account credentials, each of which resulted in a failed logon.
11. Double-click on any of the 4625 events and analyze the details in the text panel.
Inspecting this event shows that an attempt to validate the credentials of the Administrator
account failed. The Failure Information shows the reason Unknown user name or bad password.

EVENT VIEWER: EVENTID 4625 - FAILED LOGINS

12. Scroll down in the top panel to the Network Information section. The following details can be
seen:
• Workstation Name: \\192.168.10.1
• Source Network Address: 192.168.10.1

EVENT VIEWER: NETWORK INFORMATION

The Network Information field indicates where a remote logon request originated. This shows
that the attempt to log in came from workstation 192.168.10.1.
13. Close the Event Properties window for Event 4625.
14. Back in the filtered results, scroll to the end of the alternating 4776 and 4625 events.
You will notice that an event 4624 occurred. This is worth taking note of since this indicates a
successful login.
15. Scroll further down and look for entries with a 7045 Event ID. There should be two events. This
tells us that services were installed after the successful log in. Double-click the first 7045 entry:

EVENT VIEWER: EVENTID 7045

The first service installed is for the PSEXESVC Service that has the following details:
• Service Name: PSEXESVC
• Service File Name: %SystemRoot%\PSEXESVC
• Service Type: user mode service
• Service Start Type: demand start
• Service Account: LocalSystem
PSEXESVC is the service that PsExec installs on a target host; it allows remote execution of programs, a capability that attackers commonly make use of.

16. Close the Event Properties - Event 7045 window.


17. Double-click the second 7045 event:

EVENT VIEWER: 2ND EVENTID 7045

18. This event log shows that a second service got installed: MS Media Control Center.
• Service Name: MS Media Control Center
• Service File Name: %SystemRoot%\System32\svchost.exe -k krnlsrvc
• Service Type: user mode service
• Service Start Type: auto start
• Service Account: LocalSystem
From our previous activities, we already established that this service may be malicious.
19. Close the Event Properties - Event 7045 window.
20. Scroll further down and double-click the Event ID 7009:

EVENT VIEWER: EVENTID 7009

Inspecting this event shows “A timeout was reached (3000 milliseconds) while waiting for the
MS Media Control Center service to connect.”
Since we've previously identified this service to be malicious, we can verify from the logs that it is
running.
21. As we do not require the Host virtual machine for the remainder of this course, click Start >
Shut down to power off the virtual machine.

Exercise 7: Enhance Event Viewer Logs with Sysmon


In this exercise, we will use Sysmon to enrich the Windows Event Log with more detailed records of
system activity.

Note: For all upcoming exercises, including the optional activities in Appendix A, we will now switch
to the “ATD” domain environment. The Host virtual machine is no longer required and can be
shut down.

1. Open the virtual machine SVR-DC and log in using user jack_fisher (default password:
Pa$$w0rd).
See: Introduction > User Credentials on page 10 for details.
2. Open an elevated command prompt and start Sysmon using the commands:

cd \shares\tools\sysmon
sysmon.exe -i

Note: The -i option installs the Sysmon service and driver. Accept the EULA on the first
execution:

SYSMON: INSTALL SYSMON AS SERVICE

3. Use PsExec.exe to remotely run ipconfig on a command prompt on Staff-PC1:

cd \shares\tools\psexec
PsExec \\staff-pc1 cmd /k ipconfig

Accept the EULA when prompted; PsExec will not run until it is accepted.


4. Once executed, the IP configuration of Staff-PC1 should be displayed:

EVENT VIEWER ENHANCEMENT: EXECUTE COMMAND REMOTELY

5. Open the Event Viewer via right-click on Start > Run > eventvwr.
6. In the Event Viewer window, expand Application and Services Log > Microsoft > Windows >
Sysmon and double-click Operational.
7. Click on the “Date and Time” header to sort the list ascending chronologically. You should be able
to identify the Event ID “1” for PsExec:

EVENT VIEWER: SYSMON DETAILS COMMAND LINE PARAMETERS

We can see that the command line we executed on the command prompt is also recorded in the
event log. Sysmon monitors system activity and logs it to the Windows Event Log, providing
detailed information about process creation, network connections and changes to file creation
time.
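The log review of Exercises 6 and 7 as one Get-WinEvent script, an added example that is not part of the workshop manual; it assumes it runs elevated on the host whose Security, System and Sysmon logs are being examined, and the time window is the one Exercise 6 filters on (adjust it for the Sysmon part on SVR-DC):

```powershell
# Added example (not part of the workshop manual): the Exercise 6 and 7 log
# review scripted with Get-WinEvent instead of clicking through Event Viewer.
# Assumptions: elevated PowerShell on the investigated host; the window is the
# one Exercise 6 uses; Sysmon is installed for the last part.
$start = [datetime]'2015-11-19T06:00:00'
$end   = [datetime]'2015-11-19T06:15:00'

# Flatten the <EventData> of a record into a hashtable keyed by field name.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $fields[[string]$d.Name] = [string]$d.'#text' }
    return $fields
}

# --- Exercise 6: credential validation (4776), failed (4625) and successful (4624) logons
$sec = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4776
                                        StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
       Sort-Object TimeCreated
"4776 credential validation attempts in window: {0}" -f @($sec | Where-Object Id -eq 4776).Count

$failed = foreach ($e in ($sec | Where-Object Id -eq 4625)) {
    $f = Get-EventFields $e
    [pscustomobject]@{ Time = $e.TimeCreated; Source = $f['IpAddress']
                       Workstation = $f['WorkstationName']; User = $f['TargetUserName'] }
}
"Failed logons (4625) per source and target account:"
$failed | Group-Object Source, User | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum } },
        @{ n = 'Last';  e = { ($_.Group.Time | Measure-Object -Maximum).Maximum } } |
    Format-Table -AutoSize

# A successful logon from a source that produced failures just before is the
# password guess that worked (logon type 3 = network logon, e.g. SMB/PsExec).
$failedSources = @($failed.Source | Sort-Object -Unique)
foreach ($e in ($sec | Where-Object Id -eq 4624)) {
    $f = Get-EventFields $e
    if ($f['IpAddress'] -in $failedSources) {
        "{0}  4624 after failures: {1} from {2}, logon type {3}" -f $e.TimeCreated, $f['TargetUserName'], $f['IpAddress'], $f['LogonType']
    }
}

# Services installed in the same window (7045 in the System log): in the
# exercise these are PSEXESVC and the "MS Media Control Center" svchost service.
"Services installed (7045) in window:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'
                                 Id = 7045; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; Service = $f['ServiceName']; ImagePath = $f['ImagePath']
                           StartType = $f['StartType']; Account = $f['AccountName'] }
    } | Format-Table -AutoSize

# --- Exercise 7: Sysmon process creation (Event ID 1) records the full command
# line, so the PsExec launch and its PSEXESVC child are visible without guessing.
"Sysmon process creations involving PsExec/PSEXESVC:"
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath '*[System[EventID=1]]' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventFields $_ } |
    Where-Object { $_['Image'] -match 'psexe' -or $_['ParentImage'] -match 'psexe' } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_['UtcTime']; User = $_['User']; Image = $_['Image']
                           Parent = $_['ParentImage']; CommandLine = $_['CommandLine'] }
    } | Format-Table -Wrap
```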

Exercise 8: Analyzing unusual email header using Mozilla Thunderbird

In this exercise, we use the email client “Mozilla Thunderbird” to identify a spoofed email from a
suspicious sender.
1. Access the STAFF-PC1 machine and log in using user atd\administrator. (default password:
Pa$$w0rd).
See: Introduction > User Credentials on page 10 for details.
2. Double-Click Mozilla Thunderbird icon on Desktop.
3. An email item exists in the [Inbox] folder. Point to this email item and select More > View Source.

4. The email header information appears in a pop-up window. Note the “Received” header of the
email.

5. Open [Start] > [Windows System] > [Command Prompt]

6. Refer to the DNS MX record to confirm the validity of the sender email server.
Type the command as below:

nslookup -type=mx atd.corp

7. The DNS server returns 192.168.203.204 as the MX record. This obviously differs from the
address in the Received header of the email (172.16.100.200).

8. Go back to the email source window of Mozilla Thunderbird and scroll down to the email body.

As we can see, there is a suspicious link that points to the same source as the spoofed sender.

9. See what the email looks like to the user.

Go back to the main window of Mozilla Thunderbird.

If the user is tricked by this email and clicks on the HERE link, he or she will download the
suspicious executable "update.exe" from 172.16.100.200.
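The Received-header check of this exercise automated, as an added example that is not part of the workshop manual; the header text below is constructed (the relay hostname, queue id and date are invented, only the IPs mirror the exercise), and Resolve-DnsName is assumed to reach the lab DNS for atd.corp:

```powershell
# Added example (not part of the workshop manual): extract the relaying IP from
# the "Received:" headers and compare it with the addresses behind the sender
# domain's MX records, which is what steps 4-7 do by hand.
# Assumption: runs on a domain-joined host that can resolve atd.corp.

# Constructed sample headers: the mail claims atd.corp but was relayed by 172.16.100.200.
$rawHeaders = @'
Received: from mail.atd.corp (unknown [172.16.100.200])
	by svr-mail.atd.corp (Postfix) with ESMTP id 4F2A1C2
	for <administrator@atd.corp>; Wed, 05 Feb 2020 13:55:02 +0900
From: IT Support <support@atd.corp>
To: administrator@atd.corp
Subject: Mandatory security update
'@

function Get-ReceivedRelays {
    param([string]$Headers)
    # Unfold continuation lines first (RFC 5322: a line starting with whitespace continues the header).
    $unfolded = $Headers -replace "(\r?\n)[ \t]+", ' '
    foreach ($line in ($unfolded -split "\r?\n")) {
        # "from <HELO name> (... [<ip>])": the bracketed IP is what the receiving server saw.
        if ($line -match '^Received:\s+from\s+(?<helo>\S+).*?\[(?<ip>\d{1,3}(?:\.\d{1,3}){3})\]') {
            [pscustomobject]@{ Helo = $Matches.helo; Ip = $Matches.ip }
        }
    }
}

function Test-SenderRelay {
    param([string]$Headers, [string]$SenderDomain)
    $relays = @(Get-ReceivedRelays $Headers)
    if (-not $relays) { return 'no parsable Received header' }
    # Received headers are prepended, so the first one is the hop closest to us:
    # the host that handed the message to our server.
    $relay = $relays[0]

    # Resolve the domain's MX hosts, then the A records of those hosts.
    $mxHosts = Resolve-DnsName -Name $SenderDomain -Type MX -ErrorAction Stop |
               Where-Object { $_.Type -eq 'MX' } | Select-Object -ExpandProperty NameExchange
    $mxIps = foreach ($h in $mxHosts) {
        Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | Select-Object -ExpandProperty IPAddress
    }

    [pscustomobject]@{
        RelayHelo  = $relay.Helo
        RelayIp    = $relay.Ip
        MxIps      = ($mxIps -join ', ')
        # $false here is the mismatch the exercise spots: 172.16.100.200 is not an atd.corp MX.
        RelayIsMx  = [bool]($mxIps -contains $relay.Ip)
    }
}

Test-SenderRelay -Headers $rawHeaders -SenderDomain 'atd.corp' | Format-List
```

A mismatch is strong evidence but not proof on its own: legitimate mail can be relayed by hosts that are not the domain's MX, so treat the result as a lead to confirm with the link and attachment analysis that follows.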

Incident Investigation using Trend Micro Solutions
This chapter demonstrates how Trend Micro solutions can be utilized throughout the process of
incident investigations. The Trend Micro solutions covered are:
• Deep Discovery Inspector 5.1
• Deep Discovery Analyzer 6.1
• Deep Security 11
• Endpoint Sensor 1.6

The content of this chapter is correct as of September 12, 2019.

Exercise 9: Investigate and Identify Threats using Deep Discovery
In this exercise, we will be utilizing Deep Discovery Inspector 5.5 to analyze network threats. In
addition, we will also use Deep Discovery Analyzer 6.8 to run sandbox analysis on identified files.
1. Open the virtual machine apexone and log in using user Administrator.
2. Open Windows Explorer and open drive Z:.
This shared network drive is located on SVR-DC and contains links to all available Trend Micro
products in the environment.
3. Double-click the shortcut for Deep Discovery Inspector.
4. Your browser will show a certificate warning. Click Continue to this website (not
recommended) or Advanced > Proceed to av-ddi.atd.corp (unsafe), depending on your browser.
This is expected behavior, as DDI uses a self-signed certificate. You can also inspect the security
certificate; it should be signed by “Deep Discovery Inspector”.
5. Log in to the Deep Discovery web console using user admin (default password: Admin1234!)
See: Introduction > User Credentials on page 10 for details.
6. The Dashboard Summary of Deep Discovery Inspector will be shown, by default displaying all
important events and detections over the past 24 hours:

DDI: DASHBOARD SUMMARY

Note: If you wish to avoid automatic timeout and log-off from the DDI management console, navigate
to Administration > System Settings > Session Timeout and change the settings accordingly.

© 2020 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential 41


7. Select Detections > All Detections.


8. By default, DDI displays “All Detections” for the last 24 hours, with severity Low, Medium and
High. Change the severity to “High Only” first by sliding the setting all the way to the left:

DDI: CHANGE SEVERITY OF DISPLAYED DETECTIONS

Best Practice: It is recommended to focus on high severity events first, which allows identifying
high risk events without the distraction of possibly non-malicious events. Once
high risk events have been identified, the slider can then be used to identify other,
lower risk items around the same time frame.

9. Select the drop-down list and click “Custom Range”, which will open a calendar:

DDI: TIMEFRAME POPUP

10. Change the time frame to the 6th February 2020, 00:00 to 23:59 only:

DDI: ADJUST TIMEFRAME

The date and time range is limited here to reduce the number of events shown, which makes them
easier to understand.
11. Click “OK”.

12. You should see a high risk entry for the specified time and date range. Select the Details icon for
the entry:

DDI: HIGH RISK DETECTIONS ON 20TH FEB

13. This will open a new tab, displaying the Detection Details:

DDI: DETECTION DETAILS

This page provides a quick link to “Threat Connect”. If the machine accessing the DDI console has
an active internet connection, that page displays all known information about this specific
threat.

In addition, the Detection Details page gives all necessary information about a specific detection,
separated into different sections.
• Detection Information
This section lists generic information of the detection, such as severity, detection rule ID,
description etc:

DDI: DETECTION INFORMATION SECTION

From this information we can already identify that the known malware “TSPY_TINCLEX.SM1”
has been transferred on the network.

• Connection Summary
This section gives detailed information about the network activity in relation to the
detection:

DDI: CONNECTION SUMMARY SECTION

From this section, it becomes clear that the malware has been transferred from the machine at
192.168.203.201 to the machine at 192.168.203.202.
DDI also displays the network zone in this section, an important DDI setting. Here the network is
set to “Trusted”, as it is located in the Network Group “Internal”.
• Protocol Information
This section shows information about the protocol used.
• File Information
This section shows information about files being transferred, if any:

DDI: FILE INFORMATION SECTION

This screen shows that the specific malware was detected in a file called update.exe. It also
displays the hashes of this file, allowing for further investigation.
• Additional Information
This section displays information about which module of DDI has detected the specific item.
14. Copy the File SHA-1 from the File Information section to the clipboard.
15. Open Notepad and paste the contents from the clipboard.
This is in preparation for exercise 11.
16. Minimize Notepad.
17. Back in the web browser, close the tab with the Detection Details.

18. Back in the DDI web console, expand the columns “Timestamp”, “Source Host”, “Destination
Host” and “Interested Host” to see the full details:

DDI: EXPAND COLUMNS

19. From the list, we can identify that:

• 6th February 2020 14:04:31
staff-pc1 transferred malware to staff-pc2 (192.168.203.202):

DDI: FILE TRANSFER DETECTIONS

Another very important column is “Interested Host”. It shows which host DDI considers the
affected one, derived from the type of detection and the direction of the traffic.

20. Back in the All Detections overview of DDI, change the time frame to the 18th February 2020,
00:00 to 23:59 only and move the slider for Detection severity to the 2nd step to list high and
medium severity events.

DDI: DETECTION SEVERITY HIGH & MEDIUM

21. With the new list of detections, we can see a lot of “SQLINJECT - HTTP (Request)” events:

DDI: NEW ENTRIES OF SQL INJECTION

22. Open the details of either of the new detections.


23. In the Detection Details tab, it should become clear that those new detections are related to
a potential SQL Injection, again linking the internal machines at 192.168.203.201 and
192.168.203.202 into the scenario:

DDI: SQL INJECTION

Again, note the item Notable Object, listing the full URL of the SQL injection attack.
24. Close the Detection Details tab.

For our investigation so far, we can note down the following:

Time Stamp                 Interested Host       Description
6 Feb 2020 14:04           Staff-pc1             “TSPY_TINCLEX.SM1” file transfer via SMB
18 Feb 2020 09:19 - 10:39  Staff-pc1, Staff-pc2  SQL Injection

DDI: INVESTIGATION RESULT SO FAR

“TSPY_TINCLEX.SM1” (Quasar RAT), once executed on a target machine, has the characteristics of
creating a reverse connection back to the C&C host. However, as DDI has not detected any C&C
communication, we don’t know for sure whether the malicious software has been executed.

Unfortunately, DDI in this environment has not been set up properly. There is no virtual analyzer
registered (neither internal nor an external Deep Discovery Analyzer), therefore we require some
manual investigation for the next steps.

Let’s try to find the “update.exe” on one of the target machines, Staff-PC1:
25. Open STAFF-PC1 and log in using user Administrator.
26. Open Windows Explorer and use the search box to search for “update.exe”.

27. This file should be found in “C:\Users\Administrator.ATD\Downloads”:

WINDOWS EXPLORER: UPDATE.EXE LOCATED IN C:\

28. As we haven’t seen any other detections with DDI in regards to the “update.exe”, we’re going to
analyze this file using DDAn. Open Google Chrome and navigate to https://av-ddan.atd.corp.
29. Click on Advanced > Proceed to av-ddan.atd.corp (unsafe) and log in using user admin (default
password: Admin1234!).
30. Once logged in, the Dashboard will be displayed:

DDAN: DASHBOARD

31. Navigate to Virtual Analyzer > Submissions.


32. Within the Submissions screen, select Submit Objects on the top right corner:

DDAN: MANUALLY SUBMIT OBJECTS

33. In the Submit Objects pop up, leave Type “File” selected and select the file
“C:\Users\Administrator.ATD\Downloads\update.exe”.
34. Click “Submit”.
35. Back in the Submissions screen, check the tab “Processing”. This should list the file being
processed right now:

DDAN: UPDATE.EXE BEING PROCESSED

36. It might take some time to finish processing the file. You may want to switch between the tabs
“Completed (0)” and “Processing (1)”. After a few minutes, the results should be shown in the
“Completed (1)” tab:

DDAN: FINISHED PROCESSING UPDATE.EXE

37. Click on the line for the analyzed file to reveal information about the analysis:

DDAN: UPDATE.EXE IDENTIFIED AS HIGHLY SUSPICIOUS

DDAn has assigned a high risk to the file “update.exe”. We can straight away spot, in the Notable
characteristics section, which suspicious behavior has been observed during the analysis.
38. Click on either icon next to Report to open a detailed overview of what the file does when
executed:

DDAN: FILE ANALYSIS REPORT

Reading through the report, we can identify that update.exe is the known malware
“TSPY_TINCLEX.SM1”.

DDAN: NOTABLE THREAT CHARACTERISTICS

Best Practice: The DDI in this lab environment is not configured to automatically send suspicious files
to Virtual Analyzer. It is always best practice to integrate all existing products: with
DDAn integrated, not only could DDI have alerted on this file, but Apex One could also
have been used to prevent further infiltration and damage through its Suspicious
Object List synchronization capabilities.

The above information can now be added to our investigation timeline:

Source  Time Stamp                 Interesting Host      Description
DDAn    5 Feb 2020 13:59           Staff-pc1             C:\Users\administrator.ATD\Downloads\update.exe dropped, detected as high risk
DDI     6 Feb 2020 14:04           Staff-pc1             “TSPY_TINCLEX.SM1” file transfer via SMB
DDI     18 Feb 2020 09:19 - 10:39  Staff-pc1, Staff-pc2  SQL Injection

DDAN: INVESTIGATION RESULT SO FAR

Exercise 10: Identify Server-Side Threats with Deep Security
In this exercise we will analyze server-side threats using Deep Security 12. We already have identified
some suspicious, if not malicious, events with DDI and DDAn, which we will now further investigate
with Deep Security.
1. Still using the virtual machine Staff-PC1, navigate to Z: using Windows Explorer.
2. Double-click the shortcut Deep Security to open the web console of DS.
3. Acknowledge the certificate warning and log in using user MasterAdmin (default password:
Admin1234!).
4. This will open the dashboard of Deep Security:

DS: DASHBOARD

5. As we want to investigate server-side threats on the webserver, navigate to Events & Reports.
6. Select Intrusion Prevention in the left navigation pane:

DS: INTRUSION PREVENTION EVENTS

7. By default, Deep Security displays all events from within the “Last Hour”. Change the Period
Drop-down to “Custom Range:”
8. This will add another line to the Period section. Change the Custom Range to:

From: February 1, 2020 00:00 to February 19, 2020 23:59

As we previously identified with DDI, a possible SQL Injection happened on 18th February 2020.
For this reason, we will try to identify any other events which might have happened before.

9. Click on the refresh button on the right side of the panel:

DS: REFRESH EVENTS

10. This should list a series of events:

DS: EVENTS DETECTED

11. Identify the events related to the “Reason” 1000608 - Generic SQL Injection Prevention. You will
notice that the events carry different icons:

DS: SQL INJECTION EVENTS

This icon means that the log contains the data information.

This icon means that the log does not contain the data information.

This icon means that multiple identical events are aggregated.

Deep Security by default does not log the data every time, only at certain intervals. This can be
changed in the configuration of Deep Security.

12. Double-click the event which happened at 10:17:49. This will open the Event Viewer:

DS: EVENT VIEWER FOR SQL INJECTION EVENT

13. Take note of the Source IP in the Event. This again links 192.168.203.202 (Staff-PC2) into this attack.
14. Switch to the tab “Data”. This will open the data of the packet identified by Deep Security:

DS: EVENT VIEWER DATA TAB

The Event Viewer highlights in red the characters that caused the event to be detected.
Take note of the GET parameter in the bottom panel. It lists the full URL that 192.168.203.202
accessed. The “@@datadir” system variable used in the parameter reveals the location of the
SQL server's data directory.
15. Close the Event Viewer.
16. Back in the overview of events, double-click the event 10:31:12.

17. The Event Viewer will open, displaying the details of this event:

DS: SUSPICIOUS USER AGENT

18. This event was logged due to a Suspicious User Agent in HTTP Request. To get more
information, switch to the “Data” tab.
19. Carefully analyzing the Bytes per line section makes it clear that the suspicious User
Agent refers to “Havij”:

DS: HAVIJ DETECTED

20. Close the Event Viewer.


21. In the list of events, double click the event at 11:48:45.
22. Check the Source IP of this event. This should again point to 192.168.203.201 (Staff-PC1).

23. Switch to the tab “Data”:

DS: RESTRICT MULTIPART

This event shows that DS detected a request made with a multipart content type, since this is a
commonly used evasion technique.
24. Close both the Event Viewer pop-up and the Deep Security management console.
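The three Deep Security findings of this exercise as plain detection checks over constructed sample requests, an added example that is not part of the workshop manual; the regular expressions are illustrations of what each rule keys on, not the product's rule definitions, and the request records, paths and times are made up (only the rule names and source IPs mirror the exercise):

```powershell
# Added example (not part of the workshop manual): rebuild the three IPS
# findings of Exercise 10 as simple checks and run them over constructed
# requests, producing the same kind of timeline the manual keeps by hand.
# The requests below are invented; they are not the lab's captured traffic.
$sampleRequests = @(
    [pscustomobject]@{ Time = '2020-02-18 10:17:49'; Source = '192.168.203.202'; Method = 'GET'
        Path = '/products.php?id=1%20UNION%20SELECT%20@@datadir'; UserAgent = 'Mozilla/5.0'; ContentType = '' },
    [pscustomobject]@{ Time = '2020-02-18 10:31:12'; Source = '192.168.203.202'; Method = 'GET'
        Path = '/products.php?id=1'; UserAgent = 'Havij'; ContentType = '' },
    [pscustomobject]@{ Time = '2020-02-18 11:48:45'; Source = '192.168.203.201'; Method = 'POST'
        Path = '/upload.php'; UserAgent = 'Mozilla/5.0'; ContentType = 'multipart/form-data; boundary=xyz' },
    [pscustomobject]@{ Time = '2020-02-18 11:50:03'; Source = '192.168.203.203'; Method = 'GET'
        Path = '/index.php'; UserAgent = 'Mozilla/5.0'; ContentType = '' }
)

function Test-WebRequest {
    param([pscustomobject]$Request)
    $hits = @()
    # URL-decode before matching, as the IPS does, so %20 and similar cannot hide keywords.
    $decoded = [uri]::UnescapeDataString($Request.Path)
    # 1000608 - Generic SQL Injection Prevention: server system variables (@@datadir)
    # or a UNION SELECT inside a request parameter.
    if ($decoded -match '@@\w+|\bunion\b.*\bselect\b') {
        $hits += '1000608 - Generic SQL Injection Prevention'
    }
    # Suspicious User Agent in HTTP Request: a tool name where a browser string is expected.
    if ($Request.UserAgent -match '^havij') {
        $hits += 'Suspicious User Agent in HTTP Request'
    }
    # Restrict multipart: multipart bodies are a known way to slip payloads past simple inspection.
    if ($Request.ContentType -match '^multipart/') {
        $hits += 'Restrict Multipart Content-Type'
    }
    return $hits
}

# One timeline row per rule hit, like the "Source / Time Stamp / Host / Description" table.
$timeline = foreach ($r in $sampleRequests) {
    foreach ($h in (Test-WebRequest $r)) {
        [pscustomobject]@{ Time = $r.Time; Source = $r.Source; Rule = $h; Request = "$($r.Method) $($r.Path)" }
    }
}
$timeline | Sort-Object Time | Format-Table -AutoSize
```

The fourth sample request produces no row, which is the point of the exercise's advice to look at the flagged events first and then widen the view.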

All collected information can now be added to our investigation timeline, giving a better indication
as to what has happened:

Source  Time Stamp                 Interesting Host      Description
DDAn    5 Feb 2020 13:59           Staff-PC1             C:\Users\administrator.ATD\Downloads\update.exe dropped, detected as high risk
DDI     6 Feb 2020 14:04           Staff-pc1             “TSPY_TINCLEX.SM1” file transfer via SMB
DS      14 Feb 2020 10:30 – 12:59  Staff-pc2             SQL Injection
DS      18 Feb 2020 09:52 – 10:39  Staff-pc2             SQL Injection
DS      18 Feb 2020 10:31          Staff-pc1             Havij user agent detected
DS      18 Feb 2020 10:46 – 11:53  Staff-pc1, Staff-pc2  Multipart HTTP Requests detected
DDI     18 Feb 2020 09:19 - 10:39  Staff-pc1, Staff-pc2  SQL Injection

Exercise 11: Investigate Hosts using Apex Central


After identifying high-risk and suspicious events and detections with DDI, DDAn and DS, we can
now use Endpoint Sensor to analyze how certain processes were dropped or invoked within the
environment.

Within this exercise, we will focus on analyzing the file identified during Exercise 8:
update.exe.
1. If not there already, open the virtual machine apexone and log in using Administrator.
2. Navigate to drive Z: and double-click the shortcut Apex Central.
Once the certificate warning appears, select Advanced > Proceed to av-apc.atd.corp (unsafe) to
proceed.
3. Login using user root (default password: Admin1234!).
4. This will open the Dashboard of Apex Central:

APEX CENTRAL: DASHBOARD

5. Select Response > Preliminary Investigation in the top menu.


6. Specify the following criteria:
Hash value: BF2E0DA123F7A9FB75A6D41900CD6C434AB5FB0D (Copy it from notepad)
7. Click Assess data within the last 90 days:

APEX CENTRAL: PRELIMINARY INVESTIGATION

8. Three endpoints appear within several seconds:

APEX CENTRAL: MATCHED ENDPOINTS

9. Select “STAFF-PC1” and click “Generate Root Cause Analysis(1)”:

APEX CENTRAL: MATCHED ENDPOINTS

10. Specify “update.exe” as “Name” and click “Generate”

APEX CENTRAL: ROOT CAUSE ANALYSIS


11. This operation may take several minutes or more. To save time, an RCA report with the same
conditions has already been created. Select update.exe and click Delete.

APEX CENTRAL: ROOT CAUSE ANALYSIS RESULTS

12. Click Delete.

APEX CENTRAL: DELETE ROOT CAUSE ANALYSIS

13. Click “Original: update.exe” on “Completed” row:

APEX CENTRAL: ROOT CAUSE ANALYSIS RESULTS


14. This will open the Analysis Chains for the “update.exe” investigation:

APEX CENTRAL: ANALYSIS CHAINS

15. In the middle panel, click the full-screen icon to switch to full-screen mode.

16. Drag the analysis chain to find “update.exe” created by “svchost.exe” at 2020/02/05 14:02:39.

APEX CENTRAL: SVCHOST.EXE > UPDATE.EXE

17. Click on the icon update.exe.

18. This will open more details on this specific process:

TMES: PSEXESVC DETAILS PANE

Of interest here is that update.exe was created by the user ATD\administrator. We can also see
that update.exe was located at the following path:

C:\Users\Administrator.ATD\Downloads\update.exe

We can now infer that update.exe was downloaded via the link in the email analyzed in Exercise 8.

19. Scroll right to find psexec.exe created by cmd.exe at 2020/02/05 15:29:15.

20. Click on the “psexec.exe”.

We can also see that psexec.exe was executed with the following options:

Psexec.exe \\staff-pc2 -h -c update.exe

This shows that update.exe was also executed on staff-pc2, launched via psexec.exe from
staff-pc1.
21. Press [Esc] key to exit full screen. Close “update.exe” tab on the browser.
22. Select Response > Detailed Investigation in the top menu.
Detailed Investigation examines the current state of the system. It also supports a wider set of
criteria through the use of OpenIOC and YARA rules.

23. Click on + New Investigation button.


24. Type “test” in Name field.
25. Click on Use Existing OpenIOC file icon.

26. Select Trend Micro.ioc and click on Apply button.

27. The content of Trend Micro.ioc is shown below; it searches for update.exe in the
c:\windows\system32 folder.

28. Click on Select Endpoints (0) button.


29. Check STAFF-PC1 and click on Select (1) button.

30. To run the investigation, you would click the Start Investigation button.
However, since such an operation may take several minutes or more, an investigation result
named update.exe has already been prepared to save time. Click the Cancel button.

31. Click update.exe under the Name column of the previously completed scan.

32. Click on 1000+ on Matched Objects column of STAFF-PC1 row.

33. There are over 1,000 matched objects listed. Type update.exe in the text box to filter the
matched objects.

34. The only matched object is baaupdate.exe, which contains the search string update.exe. Clicking
on bauupdate.exe displays the hash of the file.

We can confirm that update.exe is NOT located in the Windows system folder C:\WINDOWS\System32.
Click the Close button.

35. Back in the Investigation Result window, click STAFF-PC1 under Endpoint column.

36. This displays information such as Security Threats Over Time. We can see a summary of the
network-related activities and threats logged by DDI, as well as the Behavioral Monitoring
violations detected by Apex One on the local machine.

Hovering your mouse on the first column allows you to view the complete path of the executable.
Click on View on the lower right to see more details of this event.

37. On the right side of the window, click on Task, and then select isolate, which disconnects the
machine from the network as part of Containment.

38. A pop-up warning appears. As it notes, you can still control which traffic is allowed on an
isolated endpoint, but it is recommended to allow only essential traffic.

Click on Isolate Endpoint.

39. While the machine is disconnected, click Task again on the right to see the options.

As we can see, we can modify which traffic is allowed, and once the investigation is done we can
click Restore to reconnect the machine to the network.

With this new evidence, we can further update our investigation timeline:

Source        Time Stamp                 Interesting Host      Description
DDAn          5 Feb 2020 13:59           Staff-PC1             C:\Users\administrator.ATD\Downloads\update.exe dropped, detected as high risk
Apex Central  5 Feb 2020 14:02           Staff-PC1             update.exe was executed by atd\administrator
Apex Central  5 Feb 2020 15:29           Staff-PC1             update.exe was executed by psexec on staff-pc2
DDI           6 Feb 2020 14:04           Staff-pc1             “TSPY_TINCLEX.SM1” file transfer via SMB
DS            14 Feb 2020 10:30 – 12:59  Staff-pc2             SQL Injection
DS            18 Feb 2020 09:52 – 10:39  Staff-pc2             SQL Injection
DS            18 Feb 2020 10:31          Staff-pc1             Havij user agent detected
DS            18 Feb 2020 10:46 – 11:53  Staff-pc1, Staff-pc2  Multipart HTTP Requests detected
DDI           18 Feb 2020 09:19 - 10:39  Staff-pc1, Staff-pc2  SQL Injection

Note: A real-life investigation obviously does not end here. Exercises 9, 10 and 11 have been designed
to give an overview of how Trend Micro products can support Incident Investigations.
However, not every detail has been taken into evidence - as this will be done in teams during
the Final Challenge of this course.

66 © 2020 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential




Final Challenge

In the final challenge for Advanced Threat Defense - Advanced Threat Response,
the student will demonstrate the ability to:
• Investigate a security incident
• Create an incident report

The final challenge will be performed in teams.




The content of this chapter is correct as of March 24, 2020.




Lab 1: Security Incident Investigation

Task
Perform a detailed Incident Investigation, utilizing all tools and techniques learned throughout
the course.

Your team will be required to present your findings at the end of this Lab.

Environment
The final challenge uses the following environment:

FINAL CHALLENGE: ENVIRONMENT

Login Credentials
Use the following credentials to log in to the specific machines:

Virtual Machine | Account           | Password
----------------|-------------------|---------
SVR-Web         | jack_fisher       | Pa$$w0rd
SVR-NFS         | root              | Pa$$w0rd
All other       | atd\administrator | Pa$$w0rd
FINAL CHALLENGE: LOGIN CREDENTIALS




Trend Micro Credentials


To log in to the Trend Micro product web consoles, use the following details:

Products           | Account     | Password
-------------------|-------------|-----------
DDI, DDAn          | admin       | Admin1234!
Apex One, Central  | root        | Admin1234!
Deep Security      | MasterAdmin | Admin1234!
FINAL CHALLENGE: TREND PRODUCT LOGINS

Server & Endpoint Directory


The following table displays all virtual machines of the environment, including their IP addresses
and descriptions:

Virtual Machine | IP Address                     | Description
----------------|--------------------------------|--------------------------------------------------------------------------
ROUTER          | 172.16.100.1 / 192.168.203.1   | pfSense connecting the internal (192.168.203.x) with the external network (172.16.100.x)
SVR-DC          | 192.168.203.100                | Windows 2012R2, Domain Controller and DNS server for ATD.corp
SVR-SQL         | 192.168.203.101                | Windows 2012R2 running Microsoft SQL, used by Apex Central, Deep Security and Apex One
SVR-NFS         | 192.168.203.190                | CentOS-based file server
SVR-WEB         | 192.168.203.10                 | Windows 2012R2 running as web server, externally reachable through the public IP of ROUTER. This machine is not joined to the domain.
apexcntrl       | 192.168.203.150                | Windows 2016 running Apex Central
AV-DDI          | 192.168.203.153                | Deep Discovery Inspector
AV-DDAn         | 192.168.203.155                | Deep Discovery Analyzer
AV-DS           | 192.168.203.152                | Windows 2012R2 running Deep Security
apexone         | 192.168.203.151                | Windows 2016 running Apex One
STAFF-PC1       | 192.168.203.201                | Windows 10 endpoint
STAFF-PC2       | 192.168.203.202                | Windows 10 endpoint
STAFF-PC3       | 192.168.203.203                | Windows 10 endpoint
MIS-PC          | 192.168.203.204                | Windows 7 endpoint running a mail server
FINAL CHALLENGE: SERVER & ENDPOINT DIRECTORY




Background Information
The IT admin of Aerospace Technology & Design LLC (ATD), Jack Fisher, has noticed a suspicious
email received on Staff-PC1:

FINAL CHALLENGE: SUSPICIOUS EMAIL

Aerospace Technology & Design LLC has therefore requested your support with this case. Your
task is to investigate this email and analyze whether it might be part of a bigger scenario. As
the company is new to the market, you only need to look back as far as 1st February 2020.

Objectives:

Use any of the methodologies and techniques learned throughout the course to
• Perform an incident investigation in this environment
• Create a time-line of the events
• Create an incident investigation report, answering as many guide questions as possible

Guide Questions:
• How did attackers gain access to the environment?
• What did attackers do within the environment? What methods and techniques were used
to move laterally across the network?
• Was there any successful data exfiltration? What methods were used to collect data and
exfiltrate them?
• What tools have the attackers used during their attack? Can you create IOCs, YARA rules or
Suspicious Objects for those tools?
• Is there any obvious misconfiguration of Trend Micro products, which could have
prevented this incident?
• Are there any recommendations to make for the customer’s environment?




Note:

We can ignore the SMB file transfer activities between x-unknown and z-unknown at 2020-02-13
11:22. They were caused by the attacker's computer migration during the lab setup, and DDI
captured them by accident.
In the real world such an operation would take place in the attacker's own network, where DDI
would have no possibility of capturing it.




The content of this chapter is correct as of September 12, 2019.



Optional Activities

A.1 Fileless Investigation


Many of today's threats rely on malicious scripts (for example in fileless attacks), so this exercise
focuses on debugging script samples. Throughout this exercise we will look at PowerShell, JavaScript
and Office macros.

A.1.1 Powershell
1. Access the SVR-DC virtual machine and log in as atd\jack_fisher (default password:
Pa$$w0rd).
2. Open an elevated Powershell console window.
3. On the Powershell console, type the command:

set-executionpolicy remotesigned

Once requested, type <Y> followed by <Enter>.


Only members of the local Administrators group can change the machine-wide execution policy.
RemoteSigned allows unsigned scripts written on the local machine to run, while scripts downloaded
from the internet must be signed by a trusted publisher. Keep in mind that the execution policy is
a safety feature for the user, not a security boundary: anyone who can run commands can bypass it
(for example with powershell.exe -ExecutionPolicy Bypass), which is one reason PowerShell-based
malware is so common.
4. Close the Powershell console window.
5. Open the folder “Script_Debugging_Exercise” on the Desktop.
6. Right-click the PS_Debug.ps1 and select Edit.
This will open the Powershell ISE.
7. Place your cursor in line 2 and press <F9> to add a breakpoint to that line of code.
Alternatively, you can also right-click line 2 and select Toggle Breakpoint F9.
8. Add another breakpoint to line 9.
Adding breakpoints means that, during execution, the script will pause at those lines, allowing you
to inspect the current code and the variables in memory at that point.
The PowerShell code should look like the following, with lines 2 and 9 highlighted:

POWERSHELL DEBUG: BREAKPOINTS ADDED

9. Run the script by pressing <F5> or selecting Debug > Run / Continue.
10. You will notice in the bottom output pane that execution has reached the breakpoint.
Press <F10> to "step over" the current line.




11. Stepping over executes the statement at the breakpoint without descending into any function it
calls. In our case it runs md $path and therefore creates two new folders (their paths are stored in
the variable $path):

POWERSHELL DEBUG: STEPPING OVER BREAKPOINT

12. To check that the folders were created, open Windows Explorer and navigate to C:\. The two folders
sample_folder and sample_folder1 should be present:

POWERSHELL DEBUG: FOLDERS HAVE BEEN CREATED

13. Switch back to Powershell ISE. To trace your script, select Debug from the main menu.
14. Other Tools for Debugging include:

POWERSHELL DEBUG: DEBUGGING OPTIONS

• Step Into
Press F11, this executes the current statement and then stops at the next statement. If
the current statement is a function or script call, then the debugger steps into that
function or script, otherwise it stops at the next statement.
• Step Over
Press F10, this executes the current statement and then stops at the next statement. If
the current statement is a function or script call, then the debugger executes the whole
function or script, and it stops at the next statement after the function call.
• Step out
Shift+F11, this steps out of the current function and up one level if the function is nested.
If in the main body, the script is executed to the end, or to the next breakpoint. The
skipped statements are executed, but not stepped through.




15. Press <F10> or select Debug > Step Over to execute line 5, which creates a file within the
folder C:\sample_folder.
16. Open C:\sample_folder; you should see that a text file named trender.txt has also been created.
17. Switch back to PowerShell ISE and press <F10> or select Debug > Step Over until you reach
the last breakpoint:

POWERSHELL DEBUG: STEP OVER UNTIL LAST BREAKPOINT

18. The last breakpoint, on line 9, stops just before the script creates a new registry entry; stepping over it creates the entry.
19. To exit debugger mode in Powershell ISE, press <Shift>+<F5> or select Debug > Stop
Debugger.
20. To delete all your breakpoints, press <CTRL>+<Shift>+<F9> or select Debug > Remove All
Breakpoints.
21. Exit Powershell ISE.

A.1.2 JavaScript
1. Still on SVR-DC, open Internet Explorer (right-click Start > Run and type iexplore).
2. Once IE has started, navigate to the URL:

file://C:/Users/jack_fisher/desktop/Script_Debugging_Exercise/JS_Debug.html

3. When the notification about restricted contents pops up, press <F12> to show the debugging
tools.
4. Select the tab “Debugger”:

JAVASCRIPT DEBUG: IE DEBUGGER TOOLS

5. Once the “Debugger” tab is loaded, click “Allow blocked content”.


This starts execution of the JavaScript code, which will stop at line 6.
6. Click into the Debugger panel at the bottom and start stepping through the code by pressing <F11>
or by clicking Step Into:

JAVASCRIPT DEBUG: STEP INTO




7. After pressing <F11> twice, an alert window appears. Click "OK".
8. Pressing <F11> again moves you from line 17 to line 43.
9. Check the Watches panel:

JAVASCRIPT DEBUG: WATCHES PANEL

The Watches panel shows the variables in scope and their current values as the JavaScript code
executes. In our example we can identify a variable "url" with the value http://hackernet.com.
10. Press Step Into or <F11> twice and take note of the next alert window.
Clicking "Yes" allows the script's function to execute commands.
11. Once the alert was accepted, the Debugger shows the next lines of code:

// fso must already be a Scripting.FileSystemObject; the declaration is added here so the fragment stands alone
var fso = new ActiveXObject("Scripting.FileSystemObject");
fldr = fso.CreateFolder("c:\\tmp");
f1 = fso.CreateTextFile("c:\\testfile.txt", true);
f1.Write("This is a test.");
f1.Close();

In our example, the lines above create a new folder C:\tmp and a new text file with the contents
"This is a test.". A malicious script would use the same objects to drop dangerous files or code
into the environment.
12. Press Step Into or <F11> until after line 27.
13. The next lines of code will move the file from “C:\testfile.txt” to “C:\tmp\testfile.txt”.
14. Press <F11> or Step Into until line 34.
15. Using Windows Explorer, confirm whether the folder “C:\tmp” exists and if the file testfile.txt
is located in that folder:

JAVASCRIPT DEBUG: CONFIRM FILE SYSTEM MODIFICATION




16. Switch back to Internet Explorer and press Step Into or <F11> until line 45:

JAVASCRIPT DEBUG: DELETE FUNCTION

The code above shows that we have just stepped through a function called DeleteFile(), which is
responsible for deleting the folder C:\tmp and the file testfile.txt.
17. Press <F11> or Step Into to receive the alert message.
18. Press “OK” to close the alert.
19. To confirm whether the DeleteFile() function ran correctly, check whether the folder C:\tmp
and the file C:\tmp\testfile.txt still exist.
20. Close Internet Explorer.

A.1.3 Office Macros

Note: This activity focuses on analysing the code in Office macros. In real-life investigations the
VBA project is often password protected. That password only locks the VBA editor; it does not
encrypt the macro source, so a tool that reads the VBA streams directly from the document,
such as olevba from oletools, extracts the code regardless. olevba can be downloaded from:
https://github.com/decalage2/oletools/wiki/olevba.

1. Access the virtual machine STAFF-PC1 and log in using user atd\jack_fisher.
2. Open Microsoft Word and create a new document.
3. Save the word file document with the filename manual.docx
4. To record a macro in Word, select View > Macros > Record Macro.

MACRO DEBUG: RECORD MACROS




5. In the Record Macro dialog box, enter the name AutoExec and click “OK”:

MACRO DEBUG: CREATE NEW MACRO

6. Select View > Macros > Stop Recording.


7. Open your macro by selecting View > Macros > View Macros.
8. Select the macro AutoExec and click “Edit”.
Microsoft Visual Basic for Application will open.
9. Select Start > Run and navigate to:

\\svr-dc\c$\users\jack_fisher\desktop\script_debugging_exercise\

10. Open the file macros.txt, and copy all contents.


11. Switch back to the Visual Basic for Application window.
12. Paste the whole contents of macros.txt, replacing all current lines:

MACRO DEBUG: COPY SCRIPT CODE

This script creates an arbitrary file in a specified location.


13. Save the file and close both, Microsoft Visual basic for Application and the Word document.
The macro has now been stored in the file "Normal.dotm", which is the default document template
and is therefore loaded whenever Word starts.
14. Open Microsoft Word as Administrator.
Without even selecting a new document or opening a stored file, you should see an alert box,
because a macro named AutoExec runs automatically when Word starts. Click "OK".
15. Select a Blank Document and navigate to View > Macros > View Macros.
16. Click “Edit” for the macro AutoExec.




17. The principle of breakpoints is exactly the same as with debugging Powershell or JavaScript.
To add breakpoints, click to the left of the line where you want to place a breakpoint:

MACRO DEBUG: ADD BREAKPOINT

When executing the Macro now via Run > Run Sub / Userform or pressing <F5>, the macro
will stop executing at this breakpoint.
18. An important option within Visual Basic for Applications is "Add Watch", which makes it easy to
inspect the values of variables.
Right-click the variable "outFile" and select Add Watch...:

MACRO DEBUG: ADD WATCH TO VARIABLE

19. A watch can simply display the value of the expression, or it can break execution of the macro
when the value changes:

MACRO DEBUG: BREAK CODE WHEN VARIABLE CHANGES




A.2 Using YARA to identify suspicious Files


In this exercise, we use YARA to identify and classify malware samples.
1. Access the STAFF-PC1 machine and log in using user atd\jack_fisher.
2. Using Windows Explorer, navigate to “\\svr-dc\c$\users\jack_fisher\Desktop”.
3. Copy the folder “YARA_Exercise” to your desktop and close Windows Explorer.
4. Open the folder “YARA_Exercise\YARA_Files” on the Desktop.
5. Right-click on rules.yara and select Edit with Notepad++.
The file rules.yara is an example of how YARA rules are defined. You will notice that all of the
rules are currently commented out, as each rule is encapsulated within “/*” and “*/”.
6. To uncomment the rule dummy, remove “/*” from line 2 and “*/” from line 21.
7. The rule dummy should now look like this:

 1  //Sample: Dummy
 2  rule dummy {
 3      strings:
 4          $string1 = "ABC" nocase ascii wide
 5          $string2 = "DEF" nocase ascii wide
 6          $string3 = "123" nocase ascii wide
 7      condition:
 8          //all of ($string*)
 9
10          //part1
11          //$string1 or $string2 or $string3 //note:ABC
12          //part2
13          //$string1 or ($string2 and $string3) //note:ABC then change to DEF123
14          //part3
15          //$string1 and ($string2 and $string3) //note:DEF123 this should contain [...]
16          //part4
17          $string1 and $string2 and $string3 //note:DEF123 add ABC
18          //note: if the condition is all AND the parenthesis is not required
19
20
21  }

Note that the code above has only one condition enabled, on line 17. All other condition lines have a
leading "//", which marks them as comments.
8. Press <CTRL>+<S> to save the file.
9. Open a command prompt and navigate to “Desktop\YARA_Exercise\YARA_Files”.
10. Type the following command, but do not press <Enter> yet:

yara32.exe rules.yara <Space>

11. Switch to the Windows Explorer and navigate to “Desktop\YARA_Exercise”.


12. Drag and drop the “YARA_Samples” folder into the command prompt.




13. This will add the proper path of the samples to the command:

YARA: ADD SAMPLES PATH TO YARA COMMAND

Alternatively, you can also type the above command manually.


14. Press <Enter> in the command prompt to execute the command.
With the currently enabled rules, a few files will match:

YARA: RULES MATCH SAMPLE FILES

From the output above we can identify the schema: <rule name> <file name>.
15. Switch back to Notepad++.
16. Check the enabled condition of rule dummy, which matched the file "sample1.txt":

[...]
17 $string1 and $string2 and $string3
[...]

The condition above means that all 3 strings must be present in the file. The strings are
declared in lines 4, 5 and 6, so this rule looks for "ABC" and "DEF" and "123" (not case
sensitive).
17. Open the file "YARA_Exercise\YARA_Samples\sample1.txt" in Notepad++. You should be able to
confirm that the contents indeed include all 3 strings:

DEF123ABC

Note that our condition does not require a specific order of the 3 strings, it just requires all 3 of
them to be in the file.
18. Switch back to rules.yara in Notepad++.
19. Scroll down to line 39 and the lines following it.




20. You should be able to identify a second rule called “file_search”:

39  //Sample3: Detecting File Search Application
40
41  rule file_search{
42      strings:
43          $file1 = "CreateFile" nocase ascii wide
44          $file2 = "OpenFile" nocase ascii wide
45          $file3 = "ReadFile" nocase ascii wide
46          $file4 = "CloseHandle" nocase ascii wide
47          $file5 = "WriteFile" nocase ascii wide
48      condition:
[...]
60          filesize <= 5KB and uint16(0) == 0x5A4D and ($file1 or $file2 or $file3) and ($file4 and $file5)
61  }

The rule above identifies files where all of the following conditions are met:
• Executable files only: uint16(0) == 0x5A4D reads the first two bytes as a little-endian 16-bit
integer, which equals 0x5A4D for the "MZ" header of a Windows executable ('M' = 0x4D, 'Z' = 0x5A)
• File size of 5 KB or less
• Containing at least one of "CreateFile", "OpenFile" or "ReadFile"
• Containing both "CloseHandle" and "WriteFile"

Note: This example relies on Windows API function names. Those are quite generic; in real-life
investigation scenarios this can lead to an increased number of false positives unless they are
combined with other, less generic conditions.
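To make the rule semantics concrete, here is an added example (it is not part of the lab material or of the YARA project) that emulates the two exercise rules, dummy and file_search, in plain Python and runs them over constructed byte strings standing in for the YARA_Samples files. It shows what nocase ascii wide expands to (a case-insensitive search for both the raw and the UTF-16LE form of each string), that uint16(0) reads the first two bytes little-endian so the "MZ" header compares equal to 0x5A4D and not to 0x5AD, and that the order in which the matched strings appear in the file does not matter. The file names and contents in SAMPLES are constructed for the example.

```python
"""Added example: emulate the lab rules `dummy` and `file_search` in plain Python.
The sample files below are constructed for this example; they are not the lab's samples."""
import re
import struct
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the files in YARA_Samples (not the real lab samples).
SAMPLES: Dict[str, bytes] = {
    "sample1.txt": b"DEF123ABC",                              # all three dummy strings, out of order
    "abc_only.txt": b"abc only here",                          # one string, lower case
    "wide.bin": "xyz DEF 123 ABC".encode("utf-16-le"),         # UTF-16LE ("wide") strings
    "sample2a.exe": b"MZ" + b"\x00" * 62 + b"CreateFileA\x00WriteFile\x00CloseHandle\x00",
    "sample2b.exe": b"MZ" + b"\x00" * 6000 + b"OpenFile\x00WriteFile\x00CloseHandle\x00",  # > 5KB
    "notes.txt": b"CreateFile WriteFile CloseHandle",          # right strings, no MZ header
}


def text_match(data: bytes, text: str, nocase: bool = False,
               ascii_: bool = True, wide: bool = False) -> bool:
    """Emulate a YARA text string with the `nocase`, `ascii` and `wide` modifiers.
    `wide` searches the UTF-16LE form (each character followed by a NUL byte)."""
    flags = re.IGNORECASE if nocase else 0
    patterns: List[bytes] = []
    if ascii_:
        patterns.append(re.escape(text.encode("latin-1")))
    if wide:
        patterns.append(b"".join(re.escape(c.encode("latin-1")) + b"\x00" for c in text))
    return any(re.search(p, data, flags) for p in patterns)


def uint16(data: bytes, offset: int) -> Optional[int]:
    """YARA's uint16(offset): unsigned 16-bit little-endian read; None if past EOF."""
    if offset < 0 or offset + 2 > len(data):
        return None
    return struct.unpack_from("<H", data, offset)[0]


def has(data: bytes, text: str) -> bool:
    """A string declared `nocase ascii wide`, as every string in the two lab rules is."""
    return text_match(data, text, nocase=True, ascii_=True, wide=True)


def rule_dummy(data: bytes) -> bool:
    # condition: $string1 and $string2 and $string3 (order in the file is irrelevant)
    return has(data, "ABC") and has(data, "DEF") and has(data, "123")


def rule_file_search(data: bytes) -> bool:
    # condition: filesize <= 5KB and uint16(0) == 0x5A4D and ($file1 or $file2 or $file3)
    #            and ($file4 and $file5)
    return (len(data) <= 5 * 1024
            and uint16(data, 0) == 0x5A4D   # b"MZ" little-endian: 'M'=0x4D low byte, 'Z'=0x5A high byte
            and (has(data, "CreateFile") or has(data, "OpenFile") or has(data, "ReadFile"))
            and (has(data, "CloseHandle") and has(data, "WriteFile")))


RULES = {"dummy": rule_dummy, "file_search": rule_file_search}


def scan(samples: Dict[str, bytes]) -> List[Tuple[str, str]]:
    """Return (rule name, file name) pairs, the same schema yara32.exe prints."""
    return [(rule_name, file_name)
            for file_name, data in samples.items()
            for rule_name, rule in RULES.items()
            if rule(data)]


if __name__ == "__main__":
    for rule_name, file_name in scan(SAMPLES):
        print(rule_name, file_name)
```

Running the block reports dummy for sample1.txt and wide.bin and file_search for sample2a.exe only: sample2b.exe fails the size check and notes.txt has the right strings but no MZ header, which is exactly the false-positive trade-off the note above describes.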

21. To confirm which files the rule "file_search" can match, open Windows Explorer and navigate
to the folder "YARA_Exercise\YARA_Samples".
22. The file list should show that three of the executables are indeed at or below the 5 KB limit:

YARA: SAMPLES FILE SIZE

As indicated above, sample2b.exe will not be detected by the rule file_search, as it is above the
size limit.
23. Switch to the command prompt.
24. Still in the “YARA_Exercise\YARA_Files” folder, run:

bintext.exe

25. Within the BinText 3.0.3 window, click “Browse”.


26. Select “YARA_Exercise\YARA_Samples\sample2a.exe”.
27. Back in BinText 3.0.3 window, click “Go”.




28. BinText lists the printable ASCII and Unicode strings found in the file, which include the names of
the APIs the program imports. We should be able to identify the specific strings we were searching
for with the rule "file_search":

YARA: BINTEXT DISPLAYS APIS USED BY PROGRAMS

29. Try to identify the APIs searched for in the other 2 sample files, sample3a.exe and sample3b.exe.

Best Practice: You can also use the textbox at the bottom of BinText to search for particular
functions.

When analyzing suspicious files, this information can be used to write YARA rules that quickly identify
other files with similar behaviour.

Note: An alternative to BinText is "strings" from the Sysinternals Suite. It has no GUI and is run
from the command line only.
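As an added example (not code from the lab, from BinText or from Sysinternals), the following Python reproduces the part of the BinText/strings workflow that matters for rule writing: it extracts printable ASCII and UTF-16LE strings with their offsets from a constructed binary blob, maps those that are Win32 file API names (including their A/W suffixed variants) back to the base names used in the lab rule, and emits a YARA rule skeleton in the shape of file_search from them. The blob, the rule name file_search_generated and the function names are constructed for the example; the generated condition requires all found names, which is stricter than the lab rule.

```python
"""Added example: a minimal BinText/strings-style extractor feeding a YARA rule skeleton.
SAMPLE is a constructed blob, not a lab sample."""
import re
from typing import Iterable, List, Tuple

# Constructed blob mimicking the interesting parts of a small PE: an MZ header, a run of
# ASCII import names as an import table would contain, and one UTF-16LE string.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"KERNEL32.dll\x00CreateFileW\x00WriteFile\x00CloseHandle\x00"
    + b"\x00" * 4                                   # padding keeps the wide run separate
    + "http://hackernet.com".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02ok\x03"                             # too short to be reported
)

# Base names of the APIs the lab's file_search rule looks for.
FILE_APIS = ("CreateFile", "OpenFile", "ReadFile", "CloseHandle", "WriteFile")


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) with kind 'A' for printable-ASCII runs and 'U' for
    UTF-16LE runs of at least min_len characters, sorted by offset (BinText's two views)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "A", m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), "U", m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return sorted(found)


def api_names(strings: Iterable[Tuple[int, str, str]],
              apis: Iterable[str] = FILE_APIS) -> List[str]:
    """Map extracted strings back to API base names; CreateFileA/W count as CreateFile."""
    hits = set()
    for _, _, text in strings:
        for api in apis:
            if text == api or text in (api + "A", api + "W"):
                hits.add(api)
    return sorted(hits)


def to_yara_rule(name: str, apis: List[str], max_kb: int = 5) -> str:
    """Emit a rule in the style of the lab's file_search rule; here every found name is required."""
    lines = [f"rule {name} {{", "    strings:"]
    for i, api in enumerate(apis, 1):
        lines.append(f'        $s{i} = "{api}" nocase ascii wide')
    lines += ["    condition:",
              f"        filesize <= {max_kb}KB and uint16(0) == 0x5A4D and all of ($s*)",
              "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for off, kind, text in strings:        # offset, A/U, text: the same columns BinText shows
        print(f"{off:08x} {kind} {text}")
    print(to_yara_rule("file_search_generated", api_names(strings)))
```

The UTF-16LE pass is what catches strings such as URLs and paths that the ASCII view misses, and the offsets let you check where in the file a string sits (import table versus resource or overlay) before you commit it to a rule.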







The content of this chapter is correct as of September 12, 2019.



Table of Contents: Tables


Introduction
Class Setup: Virtual Machine Descriptions ........................................................................ 9
Class Setup: User Credentials ........................................................................................... 10
Class Setup: Trend Micro Console Logins ......................................................................... 10

Host-based Investigation using basic Tools


Windows Explorer: Suspicious files created within the same timeframe ......................... 28

Incident Investigation using Trend Micro Solutions


DDI: Investigation Result So Far ......................................................................................... 49
DDAn: Investigation Result So Far ..................................................................................... 52
DS: Investigation Result So Far .................................................................................... 57
TMES: Investigation Result So Far ............................................................................... 67

Final Challenge
Final Challenge: Login Credentials .......................................................................................... 71
Final Challenge: Trend Product Logins............................................................................... 72
Final Challenge: Server & Endpoint Directory ................................................................... 72

Appendix: Optional Activities

Appendix: Table of Contents






Table of Contents: Images and Screenshots


Introduction
Trend Micro Training Cloud Access: Training Area ........................................................... 7
Trend Micro Training Cloud Access: List of RDP Files ................................................... 8
Trend Micro Training Cloud Access: Unknown Publisher Warning ................................... 8
Trend Micro Training Cloud Access: vApp Overview ......................................................... 8
Class Setup: Virtual Environment ...................................................................................... 9
Accessing The Virtual Machines: Open the vApp .............................................................. 10
Accessing the Virtual Machines: vApp Startup ..................................................................... 11
Accessing The Virtual Machines: “Virtual Machines” Tab .................................................... 11

Host-based Investigation using basic Tools


Process Explorer: Verified Signer ...................................................................................... 15
Process Explorer: Backdoor.exe ........................................................................................ 16
Process Explorer: Backdoor.exe Properties ...................................................................... 16
Process Explorer: Backdoor.exe TCP/IP Properties .......................................................... 16
Process Explorer: Svchost.exe ................................................................................................ 17
Process Explorer: Svchost.exe Properties .............................................................................. 17
Process Explorer: View Dll ...................................................................................................... 17
Process Explorer: View DLLs .............................................................................................. 18
Process Explorer: Sort by Description ............................................................................... 18
Process Explorer: Malicious DLL with Random Name ....................................................... 19
Process Explorer: Service Information .............................................................................. 19
TCPView: Overview ............................................................................................................ 20
TCPView: Process Properties ....................................................................................... 20
TCPView: Sort by State Column ......................................................................................... 21
Autoruns: Ready ................................................................................................................ 22
Autoruns: Verify Code Signatures ..................................................................................... 22
Autoruns: Open Registry Editor Via Context Menu ........................................................... 23
Autoruns: Open Windows Explorer Via Context Menu ...................................................... 23
Autoruns: Investigate Contents of VBS File ...................................................................... 24
Autoruns: Registry Editor ............................................................................................. 24
Windows Explorer: Change Default View Settings ............................................................ 25
Windows Explorer: Unhide Protected Operating System Files ......................................... 25
Windows Explorer: Show Hidden Files, Folders, and Drives .............................................. 25
Windows Task Manager: End Process of Explorer.exe ...................................................... 26
Windows Explorer: Search For Date Created .................................................................... 27
Windows Explorer: Sort by Date Created .......................................................................... 27
Windows Explorer: Dump.txt Contents.............................................................................. 28




Net Command: List All Users and Members of Local Administrator Group ...................... 29
Computer Management Console: Suspicious User Accounts............................................ 30
Net Command: Display Details of User Account “Guest” .................................................. 30
Net Command: Display Details of User Account “Hacker” .................................................... 31
Net Command: Display Details of User Account “Shadow$” ........................................... 31
Event Viewer: Create Custom View ................................................................................... 33
Event Viewer: Select Date Range For Custom View .......................................................... 33
Event Viewer: Specify Sources for Custom View ......................................................... 34
Event Viewer: EventID 4625 - Failed Logins ...................................................................... 34
Event Viewer: Network Information .................................................................................. 35
Event Viewer: EventID 7045. ............................................................................................. 35
Event Viewer: 2nd EventID 7045 ....................................................................................... 36
Event Viewer: EventID 7009 .............................................................................................. 36
Sysmon: Install Sysmon as Service ..................................................................................... 37
Event Viewer Enhancement: Execute Command Remotely .............................................. 37
Event Viewer: Sysmon Details Command Line Parameters .............................................. 38

Incident Investigation using Trend Micro Solutions


Google Chrome: Make Chrome Default Browser. .................................................................. 41
DDI: Dashboard Summary .................................................................................................. 42
DDI: Change Severity of Displayed Detections .................................................................. 42
DDI: Timeframe Popup ...................................................................................................... 43
DDI: Adjust Timeframe....................................................................................................... 43
DDI: High Risk Detections on 20th Feb .............................................................................. 43
DDI: Detection Details ........................................................................................................ 44
DDI: Detection Information Section................................................................................... 44
DDI: Connection Summary Section .................................................................................... 45
DDI: File Information Section ............................................................................................. 45
DDI: Expand Columns ......................................................................................................... 46
DDI: File Transfer Detections ............................................................................................. 46
DDI; DNS Response Detection ........................................................................................... 46
DDI: Open DNS Response Item .......................................................................................... 46
DDI: DNS Query Response URL .......................................................................................... 47
DDI: New Detections .......................................................................................................... 47
DDI: Open C99 PHP Shell Detections ................................................................................. 47
DDI: Detection Information C99 PHP Shell ........................................................................ 48
DDI: Detection Severity High & Medium ........................................................................... 48
DDI: New Entries of SQL Injection...................................................................................... 48
DDI: SQL Injection ......................................................................................................... 49
Windows Explorer: Updater.exe Located in C:\Users\Public ............................................ 50
Windows Explorer: Search Results Reveal Update.exe ................................................ 50
DDAn: Dashboard............................................................................................................... 50

94 © 2020 Trend Micro Inc. Confidential - Release Pursuant to NDA - Confidential


Table of Contents: Images and Screenshots

DDAn: Manually Submit Objects ............................................................................................ 51
DDAn: Update.exe Being Processed ....................................................................................... 51
DDAn: Finished Processing Update.exe ............................................................................ 51
DDAn: Update.exe Identified as Highly Suspicious ........................................................... 51
DDAn: File Analysis Report .......................................................................................... 52
DDAn: Uncommon Network Connection ........................................................................... 52
DS: Dashboard.................................................................................................................... 53
DS: Intrusion Prevention Events ........................................................................................ 53
DS: Refresh Events ........................................................................................................54
DS: Events Detected .....................................................................................................54
DS: SQL Injection Events .................................................................................................... 54
DS: Event Viewer For SQL Injection Event ......................................................................... 54
DS: Event Viewer Data Tab ................................................................................................ 55
DS: Suspicious User Agent ............................................................................................55
DS: Havij Detected ............................................................................................................. 56
DS: Restrict Multipart ...................................................................................................56
TMES: Dashboard ............................................................................................................... 58
TMES: List of Endpoints ..................................................................................................... 58
TMES: New Historical Investigation ................................................................................... 59
TMES: New Investigation ................................................................................................... 59
TMES: Investigation Values Specified ................................................................................ 60
TMES: Investigation Results Pending ................................................................................. 60
TMES: Investigation Results Refresh ................................................................................. 60
TMES: 2nd Investigation ................................................................................................... 61
TMES: Updater.exe Hash Investigation Finished .............................................................. 61
TMES: Staff-PC1 marked as Match .................................................................................... 62
TMES: Root Cause Chain .................................................................................................... 62
TMES: Psexesvc.exe > cmd.exe > updater.exe ................................................................................62
TMES: Psexesvc Details Pane ............................................................................................. 63
TMES: Cmd.exe Details Pane ............................................................................................. 63
TMES: Detailed Investigation Results ................................................................................ 64
TMES: Details for System .............................................................................................. 64
TMES: Svr-dc Marked as Match ....................................................................................65
TMES: Svr-dc False Positive ..........................................................................................65
TMES: New Investigation Psexesvc.exe ............................................................................. 66
TMES: Psexesvc.exe Investigation Finished ..................................................................66
TMES: Psexesvc.exe Details ..........................................................................................66

Final Challenge
Final Challenge: Environment ................................................................................................. 71
Final Challenge: Unidentified Log Entry ............................................................................. 73




Appendix: Optional Activities


Powershell Debug: Breakpoints Added ............................................................................. 77
Powershell Debug: Stepping Over Breakpoint................................................................... 78
Powershell Debug: Folders have been Created ................................................................. 78
Powershell Debug: Debugging Options ............................................................................. 78
Powershell Debug: Step Over Until Last Breakpoint ......................................................... 79
Javascript Debug: IE Debugger Tools ........................................................................... 79
Javascript Debug: Step Into.......................................................................................... 79
Javascript Debug: Watches Panel ...................................................................................... 80
Javascript Debug: Confirm File System Modification ........................................................ 80
Javascript Debug: Delete Function .................................................................................... 81
Macro Debug: Record Macros................................................................................................. 81
Macro Debug: Create New Macro ...................................................................................... 82
Macro Debug: Copy Script Code ................................................................................... 82
Macro Debug: Add Breakpoint ........................................................................................... 83
Macro Debug: Add Watch to Variable ............................................................................... 83
Macro Debug: Break Code When Variable Changes .......................................................... 83
YARA: Add Samples Path to Yara Command ................................................................ 85
YARA: Rules Match Sample Files ....................................................................................... 85
YARA: Samples File Size ............................................................................................... 86
YARA: BinText Displays APIs Used By Programs .......................................................... 87
