Velociraptor P3

1. Introduction

In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor. This time we will search for bot communication and also have to analyse a network dump with Wireshark.

Prerequisite:

If you need instructions on how to set up Velociraptor, please go back to Part 1 of this series.

MITRE ATT&CK techniques used in this exercise:

T1574.001: Hijack Execution Flow: DLL Search Order Hijacking

T1053.005: Scheduled Task/Job: Scheduled Task

T1562.001: Impair Defenses: Disable or Modify Tools

Original lab developed by Sam Bowne.

2. Install the simulated botnet

1. Download this file: https://samsclass.info/152/proj/security.zip

2. Right-click security.zip. Click "Extract All...". Click Extract. Use the password "malware".

3. Run Bginfo64.exe as administrator. When it asks questions, just close it.

3. Investigation with Velociraptor

First, make sure that the Windows box is connected to the Velociraptor server.

Next, we want to capture some network traffic. For that we use the following artifact:

Windows.Network.PacketCapture

First, let's run the artifact with its default settings.

From the Results tab, copy the path of the .etl file and run the artifact again.

This time we need to configure the collector:

  • Uncheck StartTrace.

  • Paste in the path to your TraceFile.

It takes some time before we can download the .pcapng file from the Uploaded Files tab.

4. Wireshark analysis

Let's open the network capture file with Wireshark:
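As an added triage example (not part of the original lab and not Velociraptor's own code), the stdlib-only Python below walks the pcapng that Windows.Network.PacketCapture produced, reduces it to IPv4 flows and flags destinations contacted at a steady interval, which is how a bot check-in usually stands out before you start filtering in Wireshark. The embedded capture is constructed for the demo: hosts 10.0.0.5, 203.0.113.7 and 198.51.100.20 are placeholders, and EPB timestamps are assumed to be in microseconds (the pcapng default).

```python
import struct
from collections import defaultdict

def pcapng_packets(data):
    """Yield (ts, frame) from each Enhanced Packet Block; ts assumed in microseconds."""
    off, order = 0, "<"
    while off + 12 <= len(data):
        btype, blen = struct.unpack_from(order + "II", data, off)
        if btype == 0x0A0D0D0A:                       # Section Header Block: learn endianness
            order = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
            blen = struct.unpack_from(order + "I", data, off + 4)[0]
        elif btype == 6:                              # Enhanced Packet Block
            _, hi, lo, caplen = struct.unpack_from(order + "IIII", data, off + 8)
            yield (hi << 32) | lo, data[off + 28:off + 28 + caplen]
        if blen < 12: break                           # corrupt length: stop rather than loop
        off += blen

def ipv4_flows(packets):
    """Parse Ethernet/IPv4 frames into (ts, src, dst, proto, dport); others are skipped."""
    for ts, f in packets:
        if len(f) < 38 or f[12:14] != b"\x08\x00": continue
        l4 = 14 + (f[14] & 0x0F) * 4                  # IHL -> start of the TCP/UDP header
        src, dst = ".".join(map(str, f[26:30])), ".".join(map(str, f[30:34]))
        dport = struct.unpack_from("!H", f, l4 + 2)[0] if f[23] in (6, 17) and len(f) >= l4 + 4 else None
        yield ts, src, dst, f[23], dport

def beacon_candidates(flows, max_jitter_us=500_000, min_hits=4):
    """Return ((src, dst, dport), mean_gap_us) for peers hit at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst, _proto, dport in flows: times[(src, dst, dport)].append(ts)
    found = []
    for key, tl in times.items():
        tl.sort()
        gaps = [b - a for a, b in zip(tl, tl[1:])]
        if len(gaps) >= min_hits - 1 and max(gaps) - min(gaps) <= max_jitter_us:
            found.append((key, sum(gaps) // len(gaps)))
    return found

# Constructed sample (not the lab's capture): a 60 s TCP beacon to 203.0.113.7:443 plus irregular web noise.
def _block(btype, body):                              # pcapng block with padding and length trailer
    total = 12 + len(body) + (-len(body) % 4)
    return struct.pack("<II", btype, total) + body.ljust(total - 12, b"\0") + struct.pack("<I", total)
def _epb(ts, src, dst, dport):                        # EPB holding a bare Ethernet/IPv4/TCP header
    frame = (b"\0" * 12 + b"\x08\x00\x45" + b"\0" * 8 + b"\x06\0\0"
             + bytes(map(int, src.split("."))) + bytes(map(int, dst.split("."))) + struct.pack("!HH", 49152, dport))
    return _block(6, struct.pack("<IIIII", 0, ts >> 32, ts & 0xFFFFFFFF, len(frame), len(frame)) + frame)
SAMPLE_PCAPNG = (_block(0x0A0D0D0A, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))   # SHB, little-endian
    + _block(1, struct.pack("<HHI", 1, 0, 65535))                                  # IDB, LINKTYPE_ETHERNET
    + b"".join(_epb(t, "10.0.0.5", "203.0.113.7", 443) for t in (0, 60_010_000, 119_990_000, 180_020_000, 240_000_000))
    + b"".join(_epb(t, "10.0.0.5", "198.51.100.20", 80) for t in (1_000_000, 4_000_000, 40_000_000, 41_000_000)))
def triage(data=SAMPLE_PCAPNG): return beacon_candidates(ipv4_flows(pcapng_packets(data)))
```

Running `triage()` on the sample flags only the 443 flow with a mean gap of 60,000,000 µs; on a real capture, feed the flagged tuple into a Wireshark display filter such as `ip.addr == <dst> && tcp.port == <dport>` to inspect the check-ins.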
