Intro Lab 3: Getting Personal

Publish date: Sep 27, 2020

Tags:

For this question, we can start working our way backwards from PID 8304. First, let’s remove or disable all of our filters, and do a query for winlog.event_data.ProcessId: 8304. We can see from the process create event that its parent PID was 9572. Let’s add that to our query to make it winlog.event_data.ProcessId: 8304 OR winlog.event_data.ProcessId: 9572.

Identifying PID 9572 as the parent process of 8304.

For PID 9572, we see it had a parent PID of 7640, so we’ll add that to our query as well winlog.event_data.ProcessId: 8304 OR winlog.event_data.ProcessId: 9572 OR winlog.event_data.ProcessId: 7640.

Identifying PID 7640 as the parent process of 9572.

Building out the query to generate the process tree for PID 8304.

You can keep repeating this process to make your up the process tree. If you go to the VERY beginning you should have the following:

2020-09-19T16:19:54.306Z
- PID: 8304
- Command Line: “C:\Windows\System32\cscript.exe” “C:\Users\lab-admin\AppData\Local\Microsoft\Credentials\MediaPlayer\VideoManager\media.js”
2020-09-19T16:19:51.782Z
- PID: 9572
- Command Line: wscript “C:\Users\lab-admin\AppData\Local\Temp\0.js”
2020-09-19T16:19:51.543Z
- PID: 7640
- Command Line: “C:\Windows\System32\cmd.exe” /c path=C:\windows\system32&move “PersonalKYC.pdf.lnk” “C:\Users\lab-admin\AppData\Local\Temp\1.lnk”&type “C:\Users\lab-admin\AppData\Local\Temp\1.lnk”|find “END2”>“C:\Users\lab-admin\AppData\Local\Temp\0.js”&wscript “C:\Users\lab-admin\AppData\Local\Temp\0.js”
2020-09-19T16:18:56.294Z
- PID: 5584
- Command Line: C:\windows\Explorer.EXE
2020-09-19T16:18:56.034Z
- PID: 5552
- Command Line: C:\windows\system32\userinit.exe
2020-09-19T16:18:52.286Z
- PID: 1028
- Command Line: winlogon.exe
2020-09-19T16:18:52.226Z
- PID: 3416
- Command Line: \SystemRoot\System32\smss.exe 000000d0 00000084

Based on the logs, the process that started the malicious activity was PID 7640 at 2020-09-19T16:19:51.543Z on 30218972-wsw10.windomain.local by 30218972-wsw10\lab-admin. Although the process tree continues past 7640, the rest is just benign Windows activity. It is possible more sophisticated malware could hook into those processes (for instance maybe a rootkit or using DLL hijacking), or the logs were manipulated. However, before I would start going down those rabbit holes, I would try to determine where PersonalKYC.pdf.lnk came from and begin attempting to get copies of the various files that we’ve identified throughout the analysis.

Process trees are incredibly useful and something you will find yourself looking at frequently to determine if something was malicious or not. Unfortunately, as we saw above, enumerating them through Kibana can get tedious. Instead, it’s worth looking at doing that sort of analysis outside of Kibana, potentially by creating a script that interacts with Elasticsearch directly.

Spending some time getting comfortable with scripting and interacting directly with things like APIs will pay huge dividends in terms of your analysis capability. Often if you find yourself doing lots of copy and pasting, or repeating the same steps over and over, it’s worth thinking about if there might be a way you could automate some of that workflow instead.

Lab Link

Intro Lab 3: Getting Personal

What is the name of the malicious file that has executed?

What did the associated process do? Were there any other malicious indicators?

What was the parent process that launched the malicious program? What does this tell you? Are there other indicators that may indicate this is true?

What process created the ddpp.exe file? Did it create or delete any other files?

What appears to be process that started all of this activity, when did it occur, on what computer and by what user?

Bonus: What advanced persistent threat (APT) has been discussed as being the potential group behind these malicious indicators?