Velociraptor P3
1. Introduction
In this exercise we will infect a Windows client with a simple malware sample and investigate it with Velociraptor. This time we will search for bot communication and also have to analyze a network dump with Wireshark.
Prerequisite:
Linux VM (https://livecd.hacking-lab.com/)
Windows 10 VM (https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/)
Malware sample (https://samsclass.info/152/proj/security.zip)
Password: malware
If you need instructions on how to set up Velociraptor, go back to Part 1 of this series.
MITRE ATT&CK techniques used in this exercise:
T1574.001: Hijack Execution Flow: DLL Search Order Hijacking
T1053.005: Scheduled Task/Job: Scheduled Task
T1562.001: Impair Defenses: Disable or Modify Tools
Original lab developed by Sam Bowne:
2. Install the simulated botnet
Do this only inside the isolated Windows 10 VM, never on a host you care about.
1. Download this file: https://samsclass.info/152/proj/security.zip
2. Right-click security.zip. Click "Extract All...". Click Extract. Use the password "malware".
3. Run Bginfo64.exe as administrator. When it asks questions, just close it.
3. Investigation with Velociraptor
First, make sure that the Windows box is connected to the Velociraptor server:
First we want to capture some network traffic. For that we use the following artifact:
Windows.Network.PacketCapture
Run the artifact with its default settings first.
From the Results tab, copy the path of the .etl trace file and run the artifact again.
This time we need to configure the collector:
Uncheck StartTrace.
Paste the path of your .etl file into TraceFile.
The second run stops the trace and converts the .etl file to pcapng, so it takes some time before the file appears under the Uploaded Files tab and can be downloaded.
4. Wireshark analysis
Let's open the network capture file with Wireshark:
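As an added example (not part of the original lab and not a Velociraptor feature), here is one way to hunt for bot check-in traffic once the capture is open: reduce the pcapng to one line per outbound TCP SYN with tshark, then look for destinations that are contacted at near-constant intervals. Human browsing produces irregular inter-arrival times; a bot checking in on a timer does not. The tshark command, the thresholds and the sample records are assumptions constructed for this example.

```python
"""Beacon hunting over flow records exported from a capture.

Added example for this write-up; it is not part of the original lab and
not a Velociraptor feature. It assumes the pcapng has been reduced to one
tab-separated line per outbound TCP SYN, e.g. with
  tshark -r capture.pcapng -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
      -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport
The records below are constructed, not taken from the lab capture.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: 10.0.0.5 connects to 203.0.113.10:443 every ~60 s
# (a check-in pattern) and to 198.51.100.5:80 at irregular intervals.
SAMPLE_RECORDS = """\
1700000000.012\t10.0.0.5\t198.51.100.5\t80
1700000003.511\t10.0.0.5\t198.51.100.5\t80
1700000010.004\t10.0.0.5\t203.0.113.10\t443
1700000041.930\t10.0.0.5\t198.51.100.5\t80
1700000070.113\t10.0.0.5\t203.0.113.10\t443
1700000129.877\t10.0.0.5\t203.0.113.10\t443
1700000130.440\t10.0.0.5\t198.51.100.5\t80
1700000190.201\t10.0.0.5\t203.0.113.10\t443
1700000249.990\t10.0.0.5\t203.0.113.10\t443
1700000302.003\t10.0.0.5\t198.51.100.5\t80
1700000310.150\t10.0.0.5\t203.0.113.10\t443
1700000370.012\t10.0.0.5\t203.0.113.10\t443
1700000429.873\t10.0.0.5\t203.0.113.10\t443
"""


def parse_records(text):
    """Group SYN timestamps by (src, dst, dst_port)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split("\t")
        flows[(src, dst, int(port))].append(float(ts))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.1):
    """Flag destinations contacted at near-constant intervals.

    A beacon shows up as many connections whose inter-arrival times have
    a low coefficient of variation (stdev / mean); irregular browsing has
    a high one. Both thresholds are illustrative assumptions.
    """
    findings = []
    for (src, dst, port), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps = sorted(stamps)
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(intervals)
        if avg <= 0:
            continue  # everything in the same instant: not periodic
        cv = pstdev(intervals) / avg
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(stamps),
                "mean_interval": round(avg, 3),
                "jitter_cv": round(cv, 4),
            })
    # Most regular (lowest jitter) first.
    return sorted(findings, key=lambda f: f["jitter_cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_records(SAMPLE_RECORDS)):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every "
              f"{hit['mean_interval']} s ({hit['connections']} connections, "
              f"jitter cv {hit['jitter_cv']})")
```

On the constructed records only 203.0.113.10:443 is reported, with a mean interval of about 60 s. Real bots often add deliberate jitter, so raise max_cv and lower min_connections step by step rather than trusting a single threshold, and confirm any hit in Wireshark by following the TCP stream.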