Trend Micro, the Trend Micro t-ball logo, InterScan, VirusWall, ScanMail, ServerProtect, and TrendLabs
are trademarks or registered trademarks of Trend Micro Incorporated. All other product or company
names may be trademarks or registered trademarks of their owners.
Portions of this manual have been reprinted with permission from other Trend Micro documents. The
names of companies, products, people, characters, and/or data mentioned herein are fictitious and are
in no way intended to represent any real individual, company, product, or event, unless otherwise noted.
Information in this document is subject to change without notice.
No part of this publication may be reproduced, photocopied, stored in a retrieval system, or transmitted
without the express prior written consent of Trend Micro Incorporated.
Table of Contents
Introduction, p. 5
About this Book, p. 7
Laboratory Introduction, p. 7
Trend Micro Training Cloud Access, p. 7
Virtual Environment, p. 9
User Credentials, p. 10
Accessing the Virtual Machines, p. 10
About this Book
This book contains only the instructions for the exercises and labs discussed throughout this part of the
Advanced Threat Defense course.
Laboratory Introduction
This workshop manual refers to a pre-configured environment that is provided by Certified Trainers
during the course.
As the environment is hosted on the Trend Micro Training Cloud, a host computer with an active
internet connection is required for access.
Read all information in this chapter carefully, as it outlines how to access and use the
environment.
To access the vApp assigned by the Certified Trainer, follow the guidelines below:
1. Open the invitation email sent from noreply-productcloud@trendmicro.com.
2. Click the link in the invitation email.
4. Make sure that the status is [Powered On], then click the [Enter Lab View] icon.
If the status is [Powered Off], tick the checkbox □ on the left and click the ▶ icon.
Virtual Environment
The virtual environment contains the following virtual machines:
The following table lists additional information about the virtual machines:
Note: The clocks of the virtual machines have been frozen to a fixed date. This is required in order to
preserve the availability and integrity of the logs discussed throughout this course.
User Credentials
The following credentials should be used to log in to each virtual machine:

Virtual Machine              Username           Password
Host                         -                  -
All - Domain Administrator   ATD\Administrator  Pa$$w0rd
All - Domain User            ATD\Jack_Fisher    Pa$$w0rd
CLASS SETUP: USER CREDENTIALS
The following table lists all user accounts for the different Trend Micro web consoles:
Note: The screenshots in this section are indicative only; some attributes, such as name, will
depend on the vApp currently assigned to your student account.
1. In the [Lab View] window, make sure the [Status] column for all virtual machines indicates
Powered On.
2. Select the virtual machine you would like to access and click the [Remote Control] icon.
3. A screen like the one below appears after the [Remote Control] icon is clicked.
4. The logon screen appears several seconds after the screen above.
Note: Throughout this chapter we investigate an incident that happened in November 2015.
The indicators discovered during the exercises therefore refer to this time frame.
You may notice that when using Process Explorer, most process images are highlighted in blue or
pink. By default, a light-blue highlight marks processes running under the same user account as
Process Explorer ("own processes"); a light-pink highlight marks Windows service processes.
Despite the obviously suspicious name, take a look at the path of the image as well. It is
located in the Windows root folder, which is normally reserved for operating system files. Such
reserved folders are known hiding spots for malicious processes, because a binary placed there
borrows the appearance of a system component.
Image Path: The Windows root folder and other locations reserved for Windows components are
known hiding spots for malicious processes.
TCP/IP: Processes that use the network can also be suspicious, as they may be communicating with
a command-and-control server.
8. Switch to the "TCP/IP" tab.
9. Widen the Local Address column and take note of any unusual ports.
10. Click "Cancel" to close the Properties window.
11. Back in the main window of Process Explorer, go through the list of processes and look for an
instance of svchost.exe running out of scope. It is easy to spot by its colour: it has a
light-blue background rather than light-pink.
Based on the colour definitions, images with a light-blue background were launched by the
current user. svchost.exe is the generic service host: it is started by services.exe to host
services implemented in registered Microsoft DLLs, so by default it should have a pink background
and be listed below services.exe in the process tree.
12. Right-click the out-of-scope svchost.exe and click Properties...
13. As with the backdoor.exe process, check the "Image" and the "TCP/IP" tabs.
The valid svchost.exe is located in the "C:\Windows\System32\" folder; however, the path for this
specific process is listed as "C:\Windows\":
16. The DLLs loaded by a process image are listed in the lower pane. Enabling the View DLLs
option lets us search for and identify injected malicious DLL files:
17. In the lower pane, click the "Description" header to sort the list alphabetically by DLL
description. This groups together all files that have no description or company name in their
metadata.
Additionally, sorting the list by the "Verified Signer" column identifies unsigned or incorrectly
signed files. Note that this column only carries results once Options > Verify Image Signatures is
enabled; until then every image shows as not verified:
Best Practice: When looking for malicious DLLs, start with the ones that have no description,
company name or verified signature. Scroll through all instances of svchost.exe and
you will notice that some of the apparently suspicious files are in fact commonly used
and can be crossed off your list. For items that are suspicious and unique, gather as
much detail as you can; those are the likely malicious ones.
18. Click through all instances of svchost.exe and look for any suspicious DLLs that have no
description, company name or file signature.
You will eventually find a malicious DLL with a randomly generated filename that has no metadata
for description and company name, and no digital signature either:
PROCESS EXPLORER: MALICIOUS DLL WITH RANDOM NAME
19. Right-click on the svchost.exe process that uses the malicious DLL and click on Properties...
20. Click on the “Services” tab to view more information about the service:
TCPVIEW: OVERVIEW
This port number is not commonly used and can be flagged as suspicious. However, a connection to
an uncommon port is not in itself proof of malicious activity, so further investigation is
needed.
From inspection of the process image that attempted to connect to a remote host, we can identify
a possible command-and-control server, 192.168.10.1, reached on port 8000.
7. Close TCPView.
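The checks performed by hand in the Process Explorer and TCPView steps above, as an added PowerShell example that is not part of the original lab manual: it flags svchost.exe instances that do not live in System32 or are not children of services.exe, lists loaded modules that lack a description, company name or valid signature, and maps established TCP connections on uncommon ports back to their owning process. It assumes PowerShell 3.0 or later in an elevated session; the remote-port allow-list and the function names are assumptions for the example.

```powershell
# Added example, not from the lab manual. Run elevated; PowerShell 3.0+.
# Three triage passes over the same data Process Explorer and TCPView show.

$system32   = Join-Path $env:SystemRoot 'System32'
$servicesId = (Get-Process -Name services).Id

# 1. svchost.exe instances that are out of scope: the real one lives in
#    System32 and is always started by services.exe.
function Get-SuspiciousSvchost {
    Get-CimInstance Win32_Process -Filter "Name = 'svchost.exe'" | ForEach-Object {
        $inSystem32 = $_.ExecutablePath -eq (Join-Path $system32 'svchost.exe')
        $fromScm    = $_.ParentProcessId -eq $servicesId
        if (-not ($inSystem32 -and $fromScm)) {
            [pscustomobject]@{
                PID         = $_.ProcessId
                Path        = $_.ExecutablePath
                ParentPID   = $_.ParentProcessId
                CommandLine = $_.CommandLine
                Reason      = if (-not $inSystem32) { 'image not in System32' } else { 'parent is not services.exe' }
            }
        }
    }
}

# 2. Modules loaded into each svchost.exe without a description, a company
#    name or a valid Authenticode signature: the three columns the lab sorts
#    on in Process Explorer's DLL view. On Windows 7, files signed only via a
#    catalog report NotSigned here, so treat the list as a starting point.
function Get-UnverifiedModules {
    param([string] $ProcessName = 'svchost')
    foreach ($proc in (Get-Process -Name $ProcessName -ErrorAction SilentlyContinue)) {
        try { $modules = $proc.Modules } catch { continue }   # access denied / WoW64 mismatch
        foreach ($m in $modules) {
            $info = $m.FileVersionInfo
            $sig  = Get-AuthenticodeSignature -FilePath $m.FileName
            if ($sig.Status -ne 'Valid' -or -not $info.FileDescription -or -not $info.CompanyName) {
                [pscustomobject]@{
                    PID         = $proc.Id
                    Module      = $m.FileName
                    Description = $info.FileDescription
                    Company     = $info.CompanyName
                    Signature   = $sig.Status
                    Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
                }
            }
        }
    }
}

# 3. Established TCP connections to ports outside a short allow-list, with
#    the owning process. netstat -ano is parsed instead of Get-NetTCPConnection
#    so the same code runs on the Windows 7 era lab VM. The state name is
#    localized on non-English Windows; adjust 'ESTABLISHED' if needed.
$commonRemotePorts = 53, 80, 443, 445, 3389, 8080     # assumption: tune per site

function Get-UncommonConnections {
    netstat -ano | Select-String '^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$' |
        ForEach-Object {
            $g = $_.Matches[0].Groups
            $remotePort = [int] $g[4].Value
            if ($g[5].Value -ne 'ESTABLISHED' -or $commonRemotePorts -contains $remotePort) { return }
            $owner = Get-Process -Id ([int] $g[6].Value) -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID     = [int] $g[6].Value
                Process = $owner.ProcessName
                Path    = $owner.Path
                Local   = "$($g[1].Value):$($g[2].Value)"
                Remote  = "$($g[3].Value):$remotePort"
            }
        }
}

Get-SuspiciousSvchost   | Format-Table -AutoSize
Get-UnverifiedModules   | Format-Table -AutoSize
Get-UncommonConnections | Format-Table -AutoSize
```

In the lab scenario the first pass returns the svchost.exe running from C:\Windows\ under the user's session, and the third pass returns the backdoor.exe connection to 192.168.10.1:8000. A process that appears in the third list but not the first is still worth checking: the port heuristic only narrows the list, it does not decide.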
AUTORUNS: READY
Note: The HKEY_CURRENT_USER hive also contains this registry key. Items listed there are specific to
the currently logged-in user.
7. Right-click javaupdate and click Jump to Entry... This opens the Registry Editor at the
location where the registry entry is stored:
The suspicious registry entry loads a VBS script located in "C:\Windows".
Best Practice: When investigating suspicious entries, take note of when the referenced file was
created. The "Date Created" is more telling than the "Date Modified": copying a file
onto a volume sets its creation time to the time of the copy but preserves the
original modification time, so "Date Created" tells us when the file arrived on this
machine. This is also why "Date Modified" may be earlier than "Date Created". When
tracking incidents, anchor on "Date Created", but remember that file timestamps can be
altered by an attacker, so corroborate them with event log entries.
The start.vbs file is selected by default. Looking at the details of the file at the bottom of Windows
Explorer, we know that the file was created on the 19th of November 2015. This date can be used
as an anchor point for other investigations.
11/19/2015 6:10 AM: Possible date of attack; files were created on the infected machine.
10. Right-click start.vbs and click Edit. This opens the VBS script in Notepad:
This gives an indication of what the VBS script does when executed: it instructs Windows to
launch both of the malicious processes found in the previous activities, backdoor.exe and
svchost.exe.
11. Switch back to the Autoruns window.
Inspect the items under the HKLM\System\CurrentControlSet\Services key. Entries in this
section contain the parameters for the device drivers, file system drivers and Win32 services
used by Windows.
From this view, we can already see the location of the items listed.
12. Right-click MediaCenter and select Properties...
This should show us the location of the service. However, a known bug in Autoruns prevents the
Properties dialog from being displayed properly. From the warning we can nevertheless identify
the location of the DLL file.
Upon inspection, this service is already suspicious, as:
• it is not signed by Microsoft;
• the "Publisher" field is empty;
• the properties of the service DLL cannot be displayed, as it points to rdmytxc.dll in
C:\Windows\System32\.
13. Right-click on MediaCenter again and click on Jump to Entry…
This opens the Registry Editor at the location of the suspicious entry.
14. Select the Parameters sub-key on the left navigation pane:
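The two Autoruns locations inspected above, enumerated in PowerShell; this is an added example and not part of the lab manual. It reads the Run and RunOnce keys of both hives and the ServiceDll value of every service under HKLM\SYSTEM\CurrentControlSet\Services, then reports the referenced file's creation time and Authenticode signer, which is how the javaupdate entry and the MediaCenter service surface. It assumes PowerShell 3.0 or later and an elevated session, and only reads the registry; the function names are assumptions.

```powershell
# Added example, not from the lab manual. Read-only; run elevated, PowerShell 3.0+.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-ReferencedFile {
    # Pick the first token of a command line that is an existing file, e.g.
    #   C:\Windows\start.vbs      or     wscript.exe "C:\Windows\start.vbs" //B
    param([string] $CommandLine)
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine)
    foreach ($m in [regex]::Matches($expanded, '"([^"]+)"|(\S+)')) {
        $token = if ($m.Groups[1].Success) { $m.Groups[1].Value } else { $m.Groups[2].Value }
        if (Test-Path -LiteralPath $token -PathType Leaf) { return $token }
    }
    return $null
}

function Get-FileFacts {
    # Creation/modification time and Authenticode signer of a file. On Windows 7,
    # catalog-signed system files report NotSigned here: a prompt to look, not a verdict.
    param([string] $Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ File = $Path; Created = $null; Modified = $null; SigStatus = 'Missing'; Signer = $null }
    }
    $item = Get-Item -LiteralPath $Path -Force
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File      = $Path
        Created   = $item.CreationTime
        Modified  = $item.LastWriteTime
        SigStatus = $sig.Status
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
    }
}

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, ... are provider noise
            $facts = Get-FileFacts (Get-ReferencedFile $p.Value)
            [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = $p.Value
                File = $facts.File; Created = $facts.Created; SigStatus = $facts.SigStatus; Signer = $facts.Signer
            }
        }
    }
}

function Get-ServiceDllEntries {
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $params = Get-ItemProperty -Path "$($svc.PSPath)\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }
        $dll   = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        $facts = Get-FileFacts $dll
        [pscustomobject]@{
            Service   = $svc.PSChildName
            ImagePath = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
            File = $dll; Created = $facts.Created; SigStatus = $facts.SigStatus; Signer = $facts.Signer
        }
    }
}

# Run-key entries sorted by creation time, then every service DLL that a
# Microsoft signature does not vouch for, so new arrivals such as the lab's
# start.vbs and rdmytxc.dll stand out.
Get-RunKeyEntries | Sort-Object Created | Format-Table -AutoSize
Get-ServiceDllEntries |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } |
    Sort-Object Created | Format-Table -AutoSize
```

The service pass reads the same Parameters\ServiceDll value the exercise opens in the Registry Editor in step 14; a DLL that is hosted by svchost.exe but carries no Microsoft signature is exactly the case Autoruns highlights in pink.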
4. In the list of Advanced settings, uncheck "Hide extensions for known file types" and "Hide
protected operating system files (Recommended)".
Choosing this option produces a warning message; click "Yes" to proceed:
5. Below the Hidden files and folders sub-setting, switch the radio button to "Show hidden files,
folders, and drives":
6. Click "OK".
By choosing to show all hidden files, folders and drives, we can see all of the files referenced in
this activity.
7. Open an elevated Command Prompt, from which Windows Explorer will be restarted with
administrator privileges: click Start, type cmd, right-click cmd and select Run as Administrator.
8. At the command prompt, launch Task Manager by typing:
taskmgr
9. In the Task Manager window, switch to the "Processes" tab and select explorer.exe:
From the elevated command prompt, restart Windows Explorer so that it runs with administrator
privileges:
explorer
In the Windows Explorer search box, filter for files created on the anchor date:
datecreated:11/19/2015
Note: If you don't see "mi.exe" and "dump.txt" in the search results, repeat steps 7 to 11:
explorer.exe must run with administrator privileges, otherwise Windows Explorer lacks the
permissions to search the "temp" folder where both files are located.
15. To analyze the search results more easily, switch Windows Explorer's view to Details using the
controls below the search box.
16. Right-click the header in the Details view and select Date created from the list of available
options. This adds the "Date created" column to the view.
17. Sort the list chronologically descending by the "Date created" field by clicking the
Date created header:
18. Look for the malicious files identified in the previous activities. We also see a number of
other possibly malicious files, as they were created within the same time frame:
Name Date Created Type
dump.txt 11/19/2015 6:10 AM Text Document
start.vbs 11/19/2015 6:10 AM VBScript Script File
backdoor.reg 11/19/2015 6:09 AM Registry Entries
backdoor.exe 11/19/2015 6:09 AM Application
svchost.exe 11/19/2015 6:09 AM Application
Microsoft-Windows… 11/19/2015 6:09 AM Event Log
dump.cmd 11/19/2015 6:08 AM Windows Command Script
mi.exe 11/19/2015 6:08 AM Application
WINDOWS EXPLORER: SUSPICIOUS FILES CREATED WITHIN THE SAME TIMEFRAME
Upon inspection, we see another possibly malicious executable, mi.exe, created within the same
time frame as start.vbs. Investigating this file further shows that mi.exe is Mimikatz, a
credential-dumping tool that can extract plain-text passwords directly from the memory of the
LSASS process.
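The Explorer search from steps 7 to 18 as an added PowerShell example (not from the lab manual): list files created around the anchor time taken from start.vbs, newest first, and mark those whose modification time predates their creation time, the tell the Best Practice note above describes for files copied onto the machine. The search roots and the size of the window are assumptions.

```powershell
# Added example, not from the lab manual. Run elevated so the temp folders
# are readable, the same reason the lab restarts Explorer elevated.

function Get-FilesNearTime {
    param(
        [datetime] $Anchor,
        [int]      $WindowMinutes = 10,                                             # assumption: +/- 10 minutes
        [string[]] $Roots = @($env:SystemRoot, "$env:SystemRoot\Temp", $env:TEMP)  # assumption: lab folders
    )
    $start = $Anchor.AddMinutes(-$WindowMinutes)
    $end   = $Anchor.AddMinutes($WindowMinutes)

    # A copy gets a fresh CreationTime but keeps the source's LastWriteTime,
    # so "modified before created" means the file arrived from elsewhere.
    $copiedIn = @{ Name = 'CopiedIn'; Expression = { $_.LastWriteTime -lt $_.CreationTime } }

    Get-ChildItem -LiteralPath $Roots -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime -ge $start -and $_.CreationTime -le $end } |
        Select-Object FullName, CreationTime, LastWriteTime, $copiedIn |
        Sort-Object CreationTime -Descending
}

# Anchor from the lab: start.vbs was created 11/19/2015 6:10 AM.
Get-FilesNearTime -Anchor ([datetime]'2015-11-19T06:10:00') | Format-Table -AutoSize
```

The CopiedIn column is only a hint: an attacker can rewrite file times, so a file created inside the window with a plausible-looking modification time is not thereby cleared. The event log walk later in this chapter is the independent record to check it against.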
19. Double-click on dump.txt to open it in Notepad:
net user
3. Confirm the members of the local Administrators group using the command:
net localgroup administrators
4. The above commands give an overview of all local users and the list of local administrators:
NET COMMAND: LIST ALL USERS AND MEMBERS OF LOCAL ADMINISTRATOR GROUP
7. You should be able to identify the suspicious accounts in the right panel:
10. The results give additional information about this user:
11. Check the details of the suspicious hacker account with the command:
16. Again, the command provides more information about that specific account:
3. Within the Create Custom View window, click the Logged drop-down and select “Custom
Range...”. Specify the following values:
• From: Events On 11/19/2015 6:00:00 AM
• To: Events On 11/19/2015 6:15:00 AM
4. Click “OK”.
5. Back in the Create Custom View window, ensure that By Log is selected.
6. Select Windows Logs > System and Security in the Event Logs dropdown:
7. Click “OK”.
8. When asked to save the custom view, specify “Exercise 6” as Name.
9. The new custom view is displayed automatically. Click the "Event ID" header to sort the
list by event ID. You will notice that there are many events with IDs 4776 and 4625.
Of interest for this investigation are the following three Event IDs:
• 4624: An account was successfully logged on.
• 4625: An account failed to log on.
• 4776: The computer attempted to validate the credentials for an account (NTLM authentication).
10. Click the "Date and Time" header to sort the results by time of occurrence.
Starting at 6:05:04 AM, it becomes evident from the event logs that there were several
attempts to validate account credentials, all of which resulted in failed logons.
11. Double-click any of the 4625 events and analyze the details in the text panel.
Inspecting this event shows that an attempt to validate the credentials of the Administrator
account failed. The Failure Information shows the reason: Unknown user name or bad password.
12. Scroll down in the top panel to the Network Information section. The following details can be
seen:
• Workstation Name: \\192.168.10.1
• Source Network Address: 192.168.10.1
The Network Information section indicates where a remote logon request originated. It shows
that the attempt to log in came from 192.168.10.1. Of the two fields, the Source Network Address
is the more reliable: the Workstation Name is supplied by the client during authentication and
can be set to anything.
13. Close the Event Properties window for Event 4625.
14. Back in the filtered results, scroll to the end of the alternating 4776 and 4625 events.
You will notice that a 4624 event occurred. This is worth noting, since it indicates a
successful logon right after the string of failures: the password guessing succeeded.
15. Scroll further down and look for entries with Event ID 7045 (a service was installed in the
system). There should be two such events; they tell us that services were installed after the
successful logon. Double-click the first 7045 entry:
The first service installed is the PSEXESVC service, with the following details:
• Service Name: PSEXESVC
• Service File Name: %SystemRoot%\PSEXESVC
• Service Type: user mode service
• Service Start Type: demand start
• Service Account: LocalSystem
PSEXESVC is the service side of Sysinternals PsExec; it is created on the target machine whenever
PsExec is run against it and allows the caller to execute programs remotely. PsExec is a
legitimate administration tool, but it is routinely used by attackers for lateral movement, so a
7045 for PSEXESVC directly after a suspicious logon deserves attention.
18. This event log shows that a second service was installed: MS Media Control Center.
• Service Name: MS Media Control Center
• Service File Name: %SystemRoot%\System32\svchost.exe -k krnlsrvc
• Service Type: user mode service
• Service Start Type: auto start
• Service Account: LocalSystem
From our previous activities, we already established that this service may be malicious. The
image path is a tell in itself: the -k argument names the svchost service group, and krnlsrvc is
not a group name shipped by Windows. Group names are defined under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost; one you do not recognise there should
be checked.
19. Close the Event Properties - Event 7045 window.
20. Scroll further down and double-click the Event ID 7009 entry:
Inspecting this event shows A timeout was reached (3000 milliseconds) while waiting for
the MS Media Control Center service to connect.
Since we have previously identified this service as malicious, this log confirms that the Service
Control Manager launched it at startup: a 7009 is raised when a started service fails to report
back to the Service Control Manager within the timeout, which is common for malicious services
that never register properly.
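The custom view and the walk through the 4776, 4625, 4624 and 7045 events above, as an added PowerShell query that is not part of the lab manual. It reads the same 15-minute window from the Security and System logs, summarises failed logons per source address and account, reports the first successful logon from the same source that followed them, and lists the services installed after that logon. It assumes the logs are on the local machine (use Get-WinEvent's -ComputerName parameter, or -Path with a saved .evtx, otherwise) and an elevated session, since the Security log is not readable by standard users; the function names are assumptions.

```powershell
# Added example, not from the lab manual. Elevated session required for the
# Security log; works with the Get-WinEvent shipped since PowerShell 2.0.

$from = [datetime]'2015-11-19T06:00:00'
$to   = [datetime]'2015-11-19T06:15:00'

function Get-EventData {
    # Flatten <EventData><Data Name="X">value</Data>... into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $x = [xml] $Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-LogonTimeline {
    param([datetime] $Start, [datetime] $End)
    $records = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4776; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
    foreach ($e in ($records | Sort-Object TimeCreated)) {      # Get-WinEvent returns newest first
        $d = Get-EventData $e
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $d.TargetUserName
            Source  = if ($e.Id -eq 4776) { $d.Workstation } else { $d.IpAddress }   # 4776 carries no IP
            Status  = if ($e.Id -eq 4624) { "LogonType $($d.LogonType)" } else { $d.Status }
        }
    }
}

function Get-PasswordGuessing {
    # Per source/account: how many 4625s, when, and the first 4624 from the
    # same source after the last failure: the "success after failures" pattern.
    param($Timeline)
    $failures = $Timeline | Where-Object { $_.Id -eq 4625 }
    foreach ($g in ($failures | Group-Object Source, Account)) {
        $sorted = @($g.Group | Sort-Object Time)
        $src = $sorted[0].Source; $acct = $sorted[0].Account
        $hit = $Timeline | Where-Object { $_.Id -eq 4624 -and $_.Source -eq $src -and $_.Time -gt $sorted[-1].Time } |
               Select-Object -First 1
        [pscustomobject]@{
            Source = $src; Account = $acct; Failures = $g.Count
            FirstFailure = $sorted[0].Time; LastFailure = $sorted[-1].Time
            SuccessAt = $hit.Time; SuccessLogon = $hit.Status
        }
    }
}

function Get-ServiceInstalls {
    # 7045: a service was installed. Mark those after the time of compromise.
    param([datetime] $Start, [datetime] $End, $After)
    $records = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Start; EndTime = $End } -ErrorAction SilentlyContinue
    foreach ($e in ($records | Sort-Object TimeCreated)) {
        $d = Get-EventData $e
        [pscustomobject]@{
            Time = $e.TimeCreated; Service = $d.ServiceName; ImagePath = $d.ImagePath
            StartType = $d.StartType; Account = $d.AccountName
            AfterCompromise = [bool]($After -and $e.TimeCreated -gt $After)
        }
    }
}

$timeline = Get-LogonTimeline -Start $from -End $to
$guessing = Get-PasswordGuessing -Timeline $timeline
$guessing | Format-Table -AutoSize

$firstSuccess = ($guessing | Where-Object { $_.SuccessAt } | Sort-Object SuccessAt | Select-Object -First 1).SuccessAt
Get-ServiceInstalls -Start $from -End $to -After $firstSuccess | Format-Table -AutoSize
```

On the lab's Host machine the first table collapses the alternating 4776/4625 run into one row per source (192.168.10.1) and account (Administrator) with the time of the 4624 that ended it, and the second table lists PSEXESVC and MS Media Control Center with AfterCompromise set to True.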
21. As we do not require the Host virtual machine for the remainder of this course, click Start >
Shut down to power off the virtual machine.
Note: For all upcoming exercises, including the optional activities in Appendix A, we will now switch
to the “ATD” domain environment. The Host virtual machine is no longer required and can be
shut down.
1. Open the virtual machine SVR-DC and log in using user jack_fisher (default password:
Pa$$w0rd).
See: Introduction > User Credentials on page 10 for details.
2. Open an elevated command prompt and start Sysmon using the commands:
cd \shares\tools\sysmon
sysmon.exe -i
Note: The -i option installs the Sysmon service and driver with its default configuration. Accept
the EULA on first execution (or pass -accepteula for an unattended install):
cd \shares\tools\psexec
PsExec \\staff-pc1 cmd /k ipconfig
5. Open the Event Viewer via right-click on Start > Run > eventvwr.
6. In the Event Viewer window, expand Applications and Services Logs > Microsoft > Windows >
Sysmon and double-click Operational.
7. Click the "Date and Time" header to sort the list chronologically. You should be able to
identify the Event ID 1 (process creation) entry for PsExec:
We can see that the command line we executed at the command prompt is also recorded in the
event. Sysmon monitors system activity and logs it to the Windows Event Log; among other things
it provides detailed information about process creation (Event ID 1), network connections (Event
ID 3) and changes to file creation time (Event ID 2).
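The search in step 7 as an added PowerShell example (not from the lab manual): it pulls Sysmon process-creation events involving PsExec on either end of the hop, psexec.exe itself on the source and PSEXESVC.exe and its children on the target, together with any network connections psexec.exe made. Network connections (Event ID 3) are only recorded if Sysmon was installed with -n or a configuration that enables them; with the plain -i install used above only the process-creation rows appear. The look-back window and the function name are assumptions.

```powershell
# Added example, not from the lab manual. Run on a machine where Sysmon is
# installed: SVR-DC shows the source side, a target shows the PSEXESVC side.

$log   = 'Microsoft-Windows-Sysmon/Operational'
$since = (Get-Date).AddHours(-1)         # assumption: look back one hour

function ConvertFrom-SysmonEvent {
    # Sysmon keeps every field in <EventData>; flatten it and keep time and ID.
    param($Event)
    $x = [xml] $Event.ToXml()
    $d = @{ TimeCreated = $Event.TimeCreated; EventId = $Event.Id }
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-PsExecActivity {
    param([datetime] $Since)
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 1, 3; StartTime = $Since } -ErrorAction SilentlyContinue |
              ForEach-Object { ConvertFrom-SysmonEvent $_ }

    foreach ($e in $events) {
        $isPsExec  = $e.Image -match '\\psexec(64)?\.exe$'
        $isService = ($e.Image -match '\\PSEXESVC\.exe$') -or ($e.ParentImage -match '\\PSEXESVC\.exe$')
        if ($e.EventId -eq 1 -and ($isPsExec -or $isService)) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Side = if ($isPsExec) { 'source' } else { 'target' }
                User = $e.User; Image = $e.Image; Parent = $e.ParentImage; CommandLine = $e.CommandLine
            }
        }
        elseif ($e.EventId -eq 3 -and $isPsExec) {
            # Requires Sysmon -n or a config with NetworkConnect enabled.
            [pscustomobject]@{
                Time = $e.TimeCreated; Side = 'source'; User = $e.User; Image = $e.Image
                Parent = $null; CommandLine = "-> $($e.DestinationIp):$($e.DestinationPort) ($($e.Protocol))"
            }
        }
    }
}

Get-PsExecActivity -Since $since | Sort-Object Time | Format-Table -AutoSize
```

For the command run in this exercise the source row carries the full command line, PsExec \\staff-pc1 cmd /k ipconfig, which is the same detail the lab reads off the event in the Event Viewer; on STAFF-PC1, were Sysmon installed there, the target rows would show PSEXESVC.exe and the cmd.exe it spawned.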
In this exercise we use the email client Mozilla Thunderbird to identify a spoofed email from a
suspicious sender.
1. Access the STAFF-PC1 machine and log in using user atd\administrator. (default password:
Pa$$w0rd).
See: Introduction > User Credentials on page 10 for details.
2. Double-Click Mozilla Thunderbird icon on Desktop.
3. An email exists in the [Inbox] folder. Point to this email and select More > View Source.
4. The email header information appears in a pop-up window. Now we can see the "Received" headers
of the email.
6. Refer to the DNS MX record to confirm the validity of the sender's email server.
Type the command as below:
7. The DNS server responded with a mail exchanger that resolves to 192.168.203.204. This is
obviously different from the address in the Received header of the email (172.16.100.200).
8. Return to the email source window of Mozilla Thunderbird and scroll down to the email body.
As we can see, there is a suspicious link that points to the spoofed sender's own host.
If the user is tricked by this email and clicks the HERE link above, he or she downloads
the suspicious executable "update.exe" from 172.16.100.200.
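The check in steps 4 to 7 as an added PowerShell example that is not part of the lab manual: it parses the Received headers of a raw message, takes the hop recorded by a server we control, resolves the MX record of the From domain and compares the two addresses, and fetches the domain's SPF record for the analyst. The message below is constructed for this example, modelled on the lab's, and the domain, addresses and function names are assumptions. The parsing runs offline; the DNS lookups are live and need Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the lab manual. Parsing works offline; the DNS
# lookups are live and need Resolve-DnsName (Windows 8 / Server 2012 or later).

# Constructed sample message (not the lab's email): the From: domain's mail
# exchanger is 192.168.203.204, but the hop our server recorded came from
# 172.16.100.200, which is also where the link points.
$sampleMessage = @'
Received: from mail.atd.corp (unknown [172.16.100.200])
    by mail.atd.corp (Postfix) with ESMTP id 7A1B2C
    for <jack_fisher@atd.corp>; Wed, 5 Feb 2020 13:58:12 +0900
From: IT Helpdesk <helpdesk@atd.corp>
To: jack_fisher@atd.corp
Subject: Important update
Content-Type: text/html

<p>Please install the update <a href="http://172.16.100.200/update.exe">HERE</a>.</p>
'@

function Get-ReceivedHops {
    # Unfold the header block (continuation lines start with whitespace) and
    # return one object per Received: line, top (most recent hop) first.
    param([string] $Message)
    $headers  = ($Message -split "\r?\n\r?\n", 2)[0]
    $unfolded = $headers -replace "\r?\n[ \t]+", ' '
    foreach ($line in ($unfolded -split "\r?\n")) {
        if ($line -match '^Received:\s*(.*)$') {
            $body = $matches[1]
            $ip   = if ($body -match '\[(\d{1,3}(?:\.\d{1,3}){3})\]') { $matches[1] } else { $null }
            $helo = if ($body -match '^from\s+(\S+)')                  { $matches[1] } else { $null }
            $by   = if ($body -match '\bby\s+(\S+)')                    { $matches[1] } else { $null }
            [pscustomobject]@{ Helo = $helo; SourceIp = $ip; By = $by; Raw = $body }
        }
    }
}

function Get-FromDomain {
    param([string] $Message)
    $headers = ($Message -split "\r?\n\r?\n", 2)[0]
    if ($headers -match '(?m)^From:[^\r\n]*@([\w.-]+)') { return $matches[1] }
}

function Test-SenderPath {
    param([string] $Message, [string] $OwnDomain = 'atd.corp')    # assumption: our own mail domain
    $domain = Get-FromDomain $Message
    $hops   = @(Get-ReceivedHops $Message)
    # Only trust hops written by a server we control; anything below them can be forged.
    $entry  = $hops | Where-Object { $_.By -like "*$OwnDomain" } | Select-Object -Last 1
    $mx     = @(Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'MX' })
    $mxIps  = foreach ($h in $mx.NameExchange) {
                  (Resolve-DnsName -Name $h -Type A -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }).IPAddress }
    $spf    = (Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
                  Where-Object { $_.Strings -match '^v=spf1' }).Strings -join ' '
    [pscustomobject]@{
        FromDomain  = $domain
        ClaimedHelo = $entry.Helo
        SourceIp    = $entry.SourceIp
        MxHosts     = $mx.NameExchange -join ', '
        MxAddresses = $mxIps -join ', '
        SourceIsMx  = @($mxIps) -contains $entry.SourceIp
        SpfRecord   = $spf
    }
}

Get-ReceivedHops $sampleMessage | Format-List
Test-SenderPath -Message $sampleMessage | Format-List
```

The MX comparison is the lab's heuristic and works here because the spoofed domain is the company's own. In general an organisation's outbound relays rarely coincide with its inbound MX, so SourceIsMx being False is not proof of spoofing; the SPF record returned in SpfRecord is the authoritative statement of which addresses may send for the domain, and evaluating it fully (include:, redirect=, ip4: ranges) needs an SPF library rather than the string comparison shown here.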
Note: If you wish to avoid automatic timeout and log-off from the DDI management console, navigate
to Administration > System Settings > Session Timeout and change the settings accordingly.
Best Practice: It is recommended to focus on high-severity events first, which allows identifying
high-risk events without the distraction of possibly benign ones. Once high-risk
events have been identified, the slider can be used to find other, lower-risk items
around the same time frame.
9. Select the drop-down list and click “Custom Range”, which will open a calendar:
10. Change the time frame to the 6th February 2020, 00:00 to 23:59 only:
The date and time range is limited here to reduce the number of events to a set that is easier to
understand.
11. Click “OK”.
12. You should see a high risk entry for the specified time and date range. Select the Details icon for
the entry:
13. This will open a new tab, displaying the Detection Details:
This page provides a quick link to "Threat Connect". If the machine accessing the DDI console has
an active internet connection, this page displays all known information about this specific
threat.
In addition, the Detection Details page gives all necessary information about a specific detection,
separated into different sections.
• Detection Information
This section lists generic information of the detection, such as severity, detection rule ID,
description etc:
From this information we can already identify that the known malware "TSPY_TINCLEX.SM1"
has been transferred over the network.
• Connection Summary
This section gives detailed information about the network activity in relation to the
detection:
From this section, it becomes clear that the malware was transferred from the machine at
192.168.203.201 to the machine at 192.168.203.202.
DDI also displays the network zone in this section, which is an important DDI setting. The
zone is set to "Trusted", as the network belongs to the Network Group "Internal".
• Protocol Information
This section shows information about the protocol used.
• File Information
This section shows information about files being transferred, if any:
This screen shows that the malware was detected in a file called update.exe. It also
displays the hashes of this file, which allow further investigation.
• Additional Information
This section displays information about which module of DDI has detected the specific item.
14. Copy the File SHA-1 from the File Information section to the clipboard.
15. Open Notepad and paste the contents from the clipboard.
This is in preparation for exercise 11.
16. Minimize Notepad.
17. Back in the web browser, close the tab with the Detection Details.
18. Back in the DDI web console, widen the columns "Timestamp", "Source Host", "Destination
Host" and "Interested Host" to see the full details:
Another very important column is "Interested Host". It shows the host that is the focus of the
detection, derived from the detection type and the direction of the traffic.
20. Back in the All Detections overview of DDI, change the time frame to the 18th February 2020,
00:00 to 23:59 only, and move the Detection severity slider to the second step to list high- and
medium-severity events.
21. In the new list of detections, we can see a lot of "SQLINJECT - HTTP (Request)" events:
Again, note the Notable Object item, which lists the full URL of the SQL injection attack.
24. Close the Detection Details tab.
"TSPY_TINCLEX.SM1" (Quasar RAT), once executed on a target machine, characteristically creates a
reverse connection back to its C&C host. However, as DDI has not detected any C&C
communication, we do not know for sure whether the malicious software has been executed.
Unfortunately, DDI in this environment has not been set up properly: there is no Virtual Analyzer
registered (neither the internal one nor an external Deep Discovery Analyzer), so the next steps
require some manual investigation.
Let's try to find "update.exe" on one of the target machines, Staff-PC1:
25. Open STAFF-PC1 and log in using user Administrator.
26. Open Windows Explorer and use the search box to search for “update.exe”.
28. As we have not seen any other DDI detections regarding "update.exe", we are going to
analyze this file using DDAn. Open Google Chrome and navigate to https://av-ddan.atd.corp.
29. Click Advanced > Proceed to av-ddan.atd.corp (unsafe) and log in using user admin (default
password: Admin1234!).
30. Once logged in, the Dashboard will be displayed:
DDAN: DASHBOARD
33. In the Submit Objects pop-up, leave Type "File" selected and select the file
"C:\Users\Administrator.ATD\Downloads\update.exe".
34. Click “Submit”.
35. Back in the Submissions screen, check the "Processing" tab. It should list the file being
processed right now:
36. It may take some time to finish processing the file. You may want to switch between the tabs
"Completed (0)" and "Processing (1)". After a few minutes, the results should be shown in the
"Completed (1)" tab:
37. Click on the line for the analyzed file to reveal information about the analysis:
DDAn has assigned a high risk to the file "update.exe". In the Notable Characteristics section we
can immediately spot which suspicious behaviour was observed during the analysis.
38. Click either icon next to Report to open a detailed overview of what the file does when
executed:
Reading through the report, we can identify update.exe as the known malware
"TSPY_TINCLEX.SM1".
Best Practice: The DDI in this lab environment is not configured to automatically send suspicious files
to Virtual Analyzer. It is always best practice to integrate all existing products: with
DDAn connected, not only could DDI have alerted on this file, but Apex One could have
been used to prevent further infiltration and damage through its Suspicious Object List
synchronization capabilities.
DS: DASHBOARD
5. As we want to investigate server-side threats on the web server, navigate to Events & Reports.
6. Select Intrusion Prevention in the left navigation pane:
7. By default, Deep Security displays all events from within the "Last Hour". Change the Period
drop-down to "Custom Range:"
8. This adds another line to the Period section. Change the Custom Range to:
As we previously identified with DDI, a possible SQL injection happened on 18th February 2020.
For this reason, we will try to identify any other events that might have happened before.
11. Identify events with the "Reason" 1000608 - Generic SQL Injection Prevention. You will
notice that the events carry different icons:
This icon means that the event contains the packet data.
This icon means that the event does not contain the packet data.
By default, Deep Security does not capture the packet data for every event, only at certain
intervals. This can be changed in the Deep Security configuration.
12. Double-click the event that happened at 10:17:49. This opens the Event Viewer:
13. Take note of the Source IP in the event. This again links 192.168.203.202 (Staff-PC2) to this attack.
14. Switch to the "Data" tab. This shows the data of the packet captured by Deep Security:
The Event Viewer highlights in red the characters that caused the event to be detected.
Take note of the GET parameter in the bottom panel. It lists the full URL accessed by
192.168.203.202. "@@datadir" is a MySQL system variable that returns the server's data directory;
injecting it into a query is a typical reconnaissance step, as it tells the attacker where the
database files are stored.
15. Close the Event Viewer.
16. Back in the overview of events, double-click the event at 10:31:12.
17. The Event Viewer opens, displaying the details of this event:
18. This event was logged due to a Suspicious User Agent in an HTTP Request. To get more
information, switch to the "Data" tab.
19. Carefully analyzing the Bytes per line section shows that the suspicious user agent refers to
"Havij", an automated SQL injection tool:
This event points out that a request using the multipart content type was detected by Deep
Security, since wrapping parameters in a multipart body is a commonly used technique for evading
filters that only inspect URL-encoded form data.
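The three Deep Security events above (generic SQL injection, the Havij user agent and the multipart evasion) as detection logic run over web-server log lines; this is an added PowerShell example, not part of the lab manual and not a Trend Micro rule set. The W3C-style log format, the sample records, the IP addresses, the list of upload endpoints and the function names are all assumptions constructed for the example; the Content-Type field in particular is not part of a default IIS log.

```powershell
# Added example, not from the lab manual. Runs offline on the constructed log
# lines below; pass Get-Content of a real log to Find-WebAttackIndicators to reuse it.

# Constructed W3C-style records (not the lab's traffic). Spaces inside field
# values are written as '+', as IIS does; the Content-Type field is assumed
# to have been added as a custom log field.
$sampleLog = @'
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(User-Agent) cs(Content-Type) sc-status
2020-02-18 10:17:49 192.168.203.202 GET /products.php id=1+union+select+1,@@datadir,3 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-02-18 10:20:05 192.168.203.10 GET /products.php id=7 Mozilla/5.0+(Windows+NT+10.0) - 200
2020-02-18 10:31:12 192.168.203.202 GET /products.php id=1%27+or+1%3D1-- Havij - 200
2020-02-18 10:46:03 192.168.203.202 POST /products.php - Mozilla/5.0+(Windows+NT+10.0) multipart/form-data;+boundary=----x 200
2020-02-18 10:47:10 192.168.203.10 POST /upload.php - Mozilla/5.0+(Windows+NT+10.0) multipart/form-data;+boundary=----y 200
'@

$uploadEndpoints = @('/upload.php')   # assumption: URLs that legitimately take multipart bodies

# Each rule names the field it inspects and the Deep Security event it mirrors.
$rules = @(
    @{ Name = 'Generic SQL Injection';               Field = 'Query';       Pattern = '(?i)\bunion\b.{0,60}\bselect\b|''\s*(or|and)\b|--\s*$' }
    @{ Name = 'MySQL system variable probe';         Field = 'Query';       Pattern = '(?i)@@\w+' }
    @{ Name = 'Suspicious User Agent (Havij)';       Field = 'UserAgent';   Pattern = '(?i)\bhavij\b' }
    @{ Name = 'Multipart request to non-upload URL'; Field = 'ContentType'; Pattern = '(?i)^multipart/form-data' }
)

function ConvertFrom-W3CLine {
    param([string] $Line, [string[]] $Fields)
    $values = $Line -split ' '
    if ($values.Count -ne $Fields.Count) { return $null }
    $r = @{}
    for ($i = 0; $i -lt $Fields.Count; $i++) { $r[$Fields[$i]] = $values[$i] }
    # Undo the IIS-style encoding so the rules see what the server saw.
    $decode = { param($s) [uri]::UnescapeDataString(($s -replace '\+', ' ')) }
    [pscustomobject]@{
        Time        = [datetime] "$($r['date']) $($r['time'])"
        ClientIp    = $r['c-ip']
        Method      = $r['cs-method']
        Path        = $r['cs-uri-stem']
        Query       = & $decode $r['cs-uri-query']
        UserAgent   = & $decode $r['cs(User-Agent)']
        ContentType = & $decode $r['cs(Content-Type)']
        Status      = $r['sc-status']
    }
}

function Find-WebAttackIndicators {
    param([string[]] $Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -match '^#Fields:\s*(.*)$') { $fields = $matches[1] -split ' '; continue }
        if ($line -match '^#' -or -not $fields) { continue }
        $req = ConvertFrom-W3CLine -Line $line -Fields $fields
        if (-not $req) { continue }
        foreach ($rule in $rules) {
            $value = $req.($rule.Field)
            if (-not $value -or $value -notmatch $rule.Pattern) { continue }
            # Multipart is only an evasion indicator where the URL does not take uploads.
            if ($rule.Field -eq 'ContentType' -and $uploadEndpoints -contains $req.Path) { continue }
            [pscustomobject]@{
                Time = $req.Time; ClientIp = $req.ClientIp; Rule = $rule.Name
                Request = "$($req.Method) $($req.Path)?$($req.Query)"; Evidence = $value
            }
        }
    }
}

$findings = Find-WebAttackIndicators -Lines ($sampleLog -split "\r?\n")
$findings | Sort-Object Time | Format-Table -AutoSize

# Per-client summary: the shape the investigation timeline below is built from.
$findings | Group-Object ClientIp | ForEach-Object {
    $sorted = @($_.Group | Sort-Object Time)
    [pscustomobject]@{
        ClientIp = $_.Name; First = $sorted[0].Time; Last = $sorted[-1].Time
        Rules    = ($_.Group.Rule | Sort-Object -Unique) -join '; '
    }
}
```

On the sample records the first line trips both the union/select and the @@ rules, the third line trips the quote-or rule and the Havij rule, the fourth is flagged as a multipart request to a page that takes no uploads, and the upload to /upload.php from 192.168.203.10 is left alone. The patterns are deliberately narrow; a production rule set such as Deep Security's 1000608 covers far more encodings and comment tricks than shown here.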
24. Close both, the Event Viewer pop up and the Deep Security management console.
All collected information can now be added to our investigation timeline, giving a better indication
of what has happened:

Source  Time Stamp                 Interested Host       Description
DDAn    5 Feb 2020 13:59           Staff-PC1             C:\Users\administrator.ATD\Downloads\update.exe dropped, detected as high risk
DDI     6 Feb 2020 14:04           Staff-PC1             "TSPY_TINCLEX.SM1" file transfer via SMB
DS      14 Feb 2020 10:30 - 12:59  Staff-PC2             SQL Injection
DS      18 Feb 2020 09:52 - 10:39  Staff-PC2             SQL Injection
DS      18 Feb 2020 10:31          Staff-PC1             Havij user agent detected
DS      18 Feb 2020 10:46 - 11:53  Staff-PC1, Staff-PC2  Multipart HTTP Requests detected
DDI     18 Feb 2020 09:19 - 10:39  Staff-PC1, Staff-PC2  SQL Injection
Within this exercise, we will focus on analyzing a file that was identified during Exercise 8:
update.exe.
1. If not there already, open the virtual machine apexone and log in using Administrator.
2. Navigate to drive Z: and double-click the shortcut Apex Central.
Once the certificate warning appears, select Advanced > Proceed to av-apc.atd.corp (unsafe) to
proceed.
3. Login using user root (default password: Admin1234!).
4. This will open the Dashboard of Apex Central:
16. Drag the analysis chain to find "update.exe" created by "svchost.exe" at 2020/02/05 14:02:39:
Of interest here is that update.exe was created by the user ATD\administrator. We can also see
that update.exe was located at the following path:
C:\Users\Administrator.ATD\Downloads\update.exe
Now we can infer that update.exe was downloaded from the link in the email analyzed in Exercise 8.
We can also see that psexec.exe was executed with the following options:
Now we can identify that update.exe was also executed on staff-pc2 via psexec.exe from
staff-pc1.
21. Press [Esc] key to exit full screen. Close “update.exe” tab on the browser.
22. Select Response > Detailed Investigation in the top menu.
Detailed Investigation performs an investigation of the current state of the system.
It also supports a wider set of criteria through the use of OpenIOC and YARA rules.
27. The content of Trend Micro.ioc is shown below; it basically searches for update.exe in the
c:\windows\system32 folder.
30. To proceed with the investigation you would click the Start Investigation button.
However, since such an operation may take several minutes or more, a completed investigation
result named update.exe is already provided to save time. Click the Cancel button.
31. Click update.exe Under Name column of the previously completed scan.
33. Over 1,000 matched objects are listed. Type update.exe in the text box to filter the matched
objects.
34. The only matched object is baaupdate.exe, which contains the search string update.exe. Clicking
it displays the hash of the file.
We can confirm that update.exe is NOT located in the Windows system folder C:\WINDOWS\System32.
Click the Close button.
35. Back in the Investigation Result window, click STAFF-PC1 under Endpoint column.
36. This displays information such as Security Threats Over Time, among other details. We can see a
summary of the network-related activities and threats logged by DDI. We can also see the
Behavioral Monitoring violation detected by Apex One on the local machine.
Hovering the mouse over the first column shows the complete path of the executable.
Click View on the lower right to see more details of this event.
37. On the right side of the window, click Task and then select Isolate, which disconnects the
machine from the network as part of containment.
38. A pop-up warning appears. As noted there, you can still control which traffic is allowed to an
isolated endpoint, but it is recommended to allow only essential traffic.
39. While the machine is disconnected, click Task again on the right to see the options.
As we can see, we can modify which traffic is allowed, and once the investigation is done we can
click Restore to reconnect the machine to the network.
With these new evidences, we can further update our investigation timeline:
Note: A real-life investigation obviously does not end here. Exercises 9, 10 and 11 have been designed
to give an overview of how Trend Micro products can support incident investigations.
However, not every detail has been taken into evidence, as this will be done in teams during
the Final Challenge of this course.
In the final challenge for Advanced Threat Defense - Advanced Threat Response,
the student will demonstrate the ability of:
• Investigation of a security incident
• Creating incident report
Task
Perform a detailed Incident Investigation, utilizing all tools and techniques learned throughout
the course.
Your team will be required to present your findings at the end of this Lab.
Environment
The final challenge uses the following environment:
Login Credentials
Use the following credentials to log in to the specific machines:
Background Information
The IT admin of Aerospace Technology & Design LLC (ATD), Jack Fisher, has noticed a suspicious
email received on Staff-PC1.
Aerospace Technology & Design LLC has therefore requested your support with this case. Your
task is to investigate this email, and analyze whether this might be part of a bigger scenario. As
the company is fresh on the market, you will only need to look back as far as 1st February 2020.
Objectives:
Use any of the methodologies and techniques learned throughout the course to
• Perform an incident investigation in this environment
• Create a time-line of the events
• Create an incident investigation report, answering as many guide questions as possible
Guide Questions:
• How did attackers gain access to the environment?
• What did attackers do within the environment? What methods and techniques were used
to move laterally across the network?
• Was there any successful data exfiltration? What methods were used to collect data and
exfiltrate them?
• What tools have the attackers used during their attack? Can you create IOC, YARA or
Suspicious Objects for those tools?
• Is there any obvious misconfiguration of Trend Micro products, which could have
prevented this incident?
• Are there any recommendations to make for the customer’s environment?
Note:
We can ignore the file transfer activities between x-unknown and z-unknown via SMB at 2020-
02-13 11:22, because these activities are the attacker's computer migration, which DDI accidentally
captured.
In the real world, such an operation would be done in the attacker's local network, and there would be
no possibility of DDI capturing such activities.
A.1.1 Powershell
1. Access the SVR-DC virtual machine and log in as atd\jack_fisher (default password:
Pa$$w0rd).
2. Open an elevated Powershell console window.
3. On the Powershell console, type the command:
set-executionpolicy remotesigned
9. Run the script by pressing <F5> or selecting Debug > Run / Continue.
10. You will notice on the bottom “output” pane, that your code has reached the breakpoint.
Press <F10> to “step over” the breakpoint.
11. Stepping over means the code at the breakpoint is executed without showing the details of the
function call itself. In our case, it will stop after md $path and will therefore have
created 2 new folders (whose paths are stored in the variable $path):
12. To check whether the folders were created, open Windows Explorer and navigate to "C:". The 2 folders
"sample_folder" and "sample_folder1" should have been created:
13. Switch back to Powershell ISE. To trace your script, select Debug from the main menu.
14. Other Tools for Debugging include:
• Step Into
Press F11, this executes the current statement and then stops at the next statement. If
the current statement is a function or script call, then the debugger steps into that
function or script, otherwise it stops at the next statement.
• Step Over
Press F10, this executes the current statement and then stops at the next statement. If
the current statement is a function or script call, then the debugger executes the whole
function or script, and it stops at the next statement after the function call.
• Step out
Shift+F11, this steps out of the current function and up one level if the function is nested.
If in the main body, the script is executed to the end, or to the next breakpoint. The
skipped statements are executed, but not stepped through.
15. Press <F10> or select Debug > Step Over to execute line 5, which creates a file within the
folder “C:\sample_folder”.
16. Open "C:\sample_folder"; you should see that a text file named trender.txt has also been created.
17. Switch back to Powershell ISE and press <F10> or select Debug > Step Over until you reach
the last breakpoint:
18. Once we hit the last breakpoint on line 9, the script creates a new registry entry.
19. To exit debugger mode in Powershell ISE, press <Shift>+<F5> or select Debug > Stop
Debugger.
20. To delete all your breakpoints, press <CTRL>+<Shift>+<F9> or select Debug > Remove All
Breakpoints.
21. Exit Powershell ISE.
A.1.2 JavaScript
1. Still on SVR-DC, open Internet Explorer by right-clicking Start > Run and entering iexplore.
2. Once IE has started, navigate to the URL:
file://C:/Users/jack_fisher/desktop/Script_Debugging_Exercise/JS_Debug.html
3. When the notification about restricted contents pops up, press <F12> to show the debugging
tools.
4. Select the tab “Debugger”:
7. After pressing <F11> twice, an alert window will appear. Press “OK”.
8. Pressing <F11> moves you from line 17 to line 43.
9. Check the Watches panel:
The Watches panel allows you to identify the variables that are passed through the JavaScript
code. In our example, we can identify a variable "url" with the value http://hackernet.com.
10. Press Step Into or <F11> twice and take note of the next alert window.
Clicking "Yes" allows the script's function to execute commands.
11. Once the alert was accepted, the Debugger shows the next lines of code:
fldr = fso.CreateFolder("c:\\tmp");
f1 = fso.CreateTextFile("c:\\testfile.txt", true);
f1.Write("This is a test.");
f1.Close();
The above lines, in our example, create a new folder “C:\tmp” and a new textfile with the
contents “This is a test.”. However, with malicious intents, other code could potentially
introduce dangerous files or code into the environment.
12. Press Step Into or <F11> until after line 27.
13. The next lines of code will move the file from “C:\testfile.txt” to “C:\tmp\testfile.txt”.
14. Press <F11> or Step Into until line 34.
15. Using Windows Explorer, confirm whether the folder “C:\tmp” exists and if the file testfile.txt
is located in that folder:
16. Switch back to Internet Explorer and press Step Into or <F11> until line 45:
The above code also shows that we just went through a function called "DeleteFile()", which is
responsible for deleting the folder "C:\tmp" and the file testfile.txt.
17. Press <F11> or Step Into to receive the alert message.
18. Press “OK” to close the alert.
19. To confirm whether the DeleteFile() function ran correctly, check whether the folder "C:\tmp"
and the file "C:\tmp\testfile.txt" still exist.
20. Close Internet Explorer.
Note: This activity focuses on analysing the code in Office Macros, which are often password
protected in real-life investigations. A very good tool to circumvent password protection
in Office Macros is olevba, which can be downloaded from:
https://github.com/decalage2/oletools/wiki/olevba.
1. Access the virtual machine STAFF-PC1 and log in using user atd\jack_fisher.
2. Open Microsoft Word and create a new document.
3. Save the Word document with the filename manual.docx.
4. To record a macro in Word, select View > Macros > Record Macro.
5. In the Record Macro dialog box, enter the name AutoExec and click “OK”:
\\svr-dc\c$\users\jack_fisher\desktop\script_debugging_exercise\
17. The principle of breakpoints is exactly the same as with debugging Powershell or JavaScript.
To add breakpoints, click to the left of the line where you want to place a breakpoint:
When executing the Macro now via Run > Run Sub / Userform or pressing <F5>, the macro
will stop executing at this breakpoint.
18. An important option within the Visual Basic for Applications editor is called "Add Watch". This allows
for easy investigation of variable values.
Right-click the variable "outFile" and select Add Watch...:
19. This option then allows you to watch the expression, or even to break the macro when its value
changes:
1 //Sample: Dummy
2 rule dummy {
3 strings:
4 $string1 = "ABC" nocase ascii wide
5 $string2 = "DEF" nocase ascii wide
6 $string3 = "123" nocase ascii wide
7 condition:
8 //all of ($string*)
9
10 //part1
11 //$string1 or $string2 or $string3 //note:ABC
12 //part2
13 //$string1 or ($string2 and $string3) //note:ABC then change to DEF123
14 //part3
15 //$string1 and ($string2 and $string3) //note:DEF123 this should contain [...]
16 //part4
17 $string1 and $string2 and $string3 //note:DEF123 add ABC
18 //note: if the condition is all AND the parenthesis is not required
19 }
Note that above code has only 1 condition enabled, which is line 17. All other conditions have a
leading “//”, which indicates those lines are comments.
8. Press <CTRL>+<S> to save the file.
9. Open a command prompt and navigate to “Desktop\YARA_Exercise\YARA_Files”.
10. Type the following command, but do not press <Enter> yet:
13. This will add the proper path of the samples to the command:
From above output, we can identify the following schema: <rule name> <file name>.
15. Switch back to Notepad++.
16. Check the enabled conditions of rule dummy, which matched the file “sample.txt”:
[...]
16 $string1 and $string2 and $string3
[...]
The above condition means that we are matching all 3 strings against the file. The strings have been
declared in lines 4, 5 and 6, so with this rule we are looking for "ABC" and "DEF" and "123" (not
case sensitive).
17. Open the file "YARA_Exercise\YARA_Samples\sample1.txt" in Notepad++. You should be able to
see that its contents indeed include all 3 strings:
DEF123ABC
Note that our condition does not require a specific order of the 3 strings, it just requires all 3 of
them to be in the file.
18. Switch back to rules.yara in Notepad++.
19. Scroll down to line 39 ff.
The above will identify files where all of the following conditions are met:
• Executable files only (uint16(0) == 0x5A4D, i.e. the "MZ" header read as a little-endian 16-bit value)
• File size smaller than 5KB
• Either containing "CreateFile", "OpenFile" or "ReadFile"
• Either containing "CloseHandle" or "WriteFile"
Note: This example relies on the Windows API function names. Those, however, are quite generic; in
real-life investigation scenarios this could lead to an increased number of false positives, if
not used with other, less generic conditions.
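To show what the dummy rule's "nocase ascii wide" strings and the four file_search conditions actually evaluate, the two rules are emulated in Python below. This is an added illustration, not the lab's rules.yara or any yara-python code: the sample bytes are constructed here, and the API names in file_search are assumed to be plain, case-sensitive ASCII strings.

```python
import re
import struct

# Constructed sample inputs (not the lab's YARA_Samples files): an ASCII text
# sample, a UTF-16LE ("wide") sample, and three fake files with/without an MZ header.
SAMPLES = {
    "sample1.txt": b"DEF123ABC",
    "wide.txt": "def123abc".encode("utf-16-le"),
    "small.exe": b"MZ" + b"\x00" * 64 + b"CreateFileA\x00WriteFile\x00",
    "big.exe": b"MZ" + b"\x00" * 6000 + b"ReadFile\x00CloseHandle\x00",
    "notexe.bin": b"PK\x03\x04CreateFile WriteFile",
}

def has_string(data, s, nocase=True, ascii=True, wide=True):
    """Emulate a YARA text string: 'ascii' matches the plain bytes, 'wide' the
    UTF-16LE encoding, and 'nocase' makes either form case-insensitive."""
    forms = []
    if ascii:
        forms.append(s.encode("ascii"))
    if wide:
        forms.append(s.encode("utf-16-le"))
    flags = re.IGNORECASE if nocase else 0
    return any(re.search(re.escape(f), data, flags) for f in forms)

def rule_dummy(data):
    """Line 17 of rules.yara: $string1 and $string2 and $string3, in any order."""
    return all(has_string(data, s) for s in ("ABC", "DEF", "123"))

def rule_file_search(data):
    """The four conditions listed for rule file_search. uint16(0) is read
    little-endian as YARA does, so the "MZ" header compares equal to 0x5A4D.
    The API names are assumed (not stated on the page) to be case-sensitive ASCII."""
    if len(data) < 2 or struct.unpack("<H", data[:2])[0] != 0x5A4D:
        return False
    if len(data) >= 5 * 1024:          # filesize < 5KB
        return False
    read_apis = ("CreateFile", "OpenFile", "ReadFile")
    close_apis = ("CloseHandle", "WriteFile")
    return (any(has_string(data, s, nocase=False, wide=False) for s in read_apis)
            and any(has_string(data, s, nocase=False, wide=False) for s in close_apis))

def scan(samples):
    """Return (rule name, file name) pairs, the shape of yara's console output."""
    hits = []
    for name, data in samples.items():
        for rule_name, rule in (("dummy", rule_dummy), ("file_search", rule_file_search)):
            if rule(data):
                hits.append((rule_name, name))
    return hits

if __name__ == "__main__":
    for rule_name, name in scan(SAMPLES):
        print(rule_name, name)
```

Note that big.exe carries both API groups but is rejected by the size condition alone, which is the same reason sample2b.exe is not reported by file_search in the lab.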
21. In order to confirm whether the rule “file_search” is matching those files correctly, open
Windows Explorer and navigate to the folder “YARA_Exercise\YARA_Samples”.
22. The list of files should indicate that all 3 files are indeed below the 5KB limit:
As indicated above, sample2b.exe will not be detected with the rule file_search, as it is above the
size limit.
23. Switch to the command prompt.
24. Still in the “YARA_Exercise\YARA_Files” folder, run:
bintext.exe
28. BinText will display the APIs used by the program itself. We should be able to identify the specific text
we searched for with the rule "file_search":
29. Try to identify the APIs searched for in the other 2 sample files, sample3a.exe and sample3b.exe.
Best Practice: You can also use the textbox at the bottom of BinText to search for particular
functions.
When analyzing suspicious files, the above information can be used to quickly identify other files with
similar behavior using YARA rules.
Note: An alternative tool for the above analysis is "strings" from the Sysinternals Suite. This, however,
does not provide a GUI; it is run from the command line only.