📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page

Was this helpful?

Last updated 2 years ago

1. Introduction

In this exercise we will infect a windows client with a simple malware sample and investigate it with velocirpator. This time we will search for a BOT communication and also have to analyse a network dump with wireshark

Prerequisite:

    • Password malware

Mitre Attack techniques used in this exercise:

T1574.001: Hijack Execution Flow: DLL Search Order Hijacking

T1053.005: Scheduled Task/Job: Scheduled Task

T1562.001: Impair Defenses: Disable or Modify Tools

2. Install the simulated botnet

3. Ivestigation with velociraptor

First made sure that the windows box is connected to the velociraptor server:

First we want to capture some network traffic. For that we use the following artifact:

Windows.Network.PacketCapture

First let's run the artifact with default settings.

From the result tab copy the path of the etl file and run the artifact again.

This time we need to configure the collector:

  • Uncheck StartTrace.

  • Paste in the path to your TraceFile

Now it took some time before we can download the pcapng file from the uploaded files tab.

4. Wireshark analysis

Let's open the network capute file with wireshark:

Linux VM ()

Windows 10 VM ()

Malware sample ()

If you need instructions how to setup velociraptor please go back to of this series.

developed by SAM BOWNE:

1. Download this file: 2. Right-click security.zip. Click "Extract All...". Click Extract. Use the password "malware". 3. Run Bginfo64.exe as administrator. When it asks questions, just close it.

https://livecd.hacking-lab.com/
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/
https://samsclass.info/152/proj/security.zip
Original Lab
https://samsclass.info/152/proj/security.zip
  • 1. Introduction
  • 2. Install the simulated botnet
  • 3. Ivestigation with velociraptor
  • 4. Wireshark analysis
Part1
PreviousVelociraptor P2NextWindows Response LAB
  1. Live Response

Velociraptor P3

Logosamsclass.info: Sam Bowne Class Information