search

Hunting .Net Malware

To hunt for msbuild execution, focus on Sysmon logs where the image of the process contains "msbuild.exe". Msbuild is being used by attackers to compile and execute code (https://lolbas-project.github

hashtag
Task 1. Has msbuild executed malware on the machine?

A generic hunt is to look for any process creation, where the image of the process contains "msbuild.exe":

To parse the logs using PowerShell and search for the presence of MSBuild, use the following PowerShell command ("$_Properties[4]"

refers to the Image name field in Sysmon log with Event ID 1):

Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[4].Value -like "*msbuild*"} | fl

The output:

PowerShell returns no results. Was this it?

The filename itself, alone, is a weak indicator as its easy to circumvent by simply renaming it. There are other options available, ranging from the file hash, other known fields or parameters. Observing MSBuild on a regular Windows 10 machine,

well notice that the "Description" field is set to "MSBuild.exe". Let's utilize PowerShell and look for that in our data set ("$_Properties[6]" represents to the Description field in Sysmon log with Event ID 1):

Note that the binary image is "C:\Users\Public\Downloads\Windows_Reporting.exe" which starts with a command line parameter of "Windows_Reporting.xml".

hashtag
Task 2. What was the initial stager?

Search for the presence of CMD (Command Prompt), use the following PowerShell command ("$_Properties[4]" refers to the Image name field in Sysmon log with Event ID 1): now focusing on the ParentImage and ParentCommandLine parameters:

The parent image is "mshta.exe", which has executed "report.hta". Based on the temporary location (of Microsoft Edge), we can conclude that the file was executed in a browser, which then started Windows_Reporting.exe.

The initial stager is an HTA file, however we are still not sure how and/or why MSBuild is renamed to Windows_Reporting.exe and located in an odd location.

hashtag
Task 3. How was the malware downloaded? Why did the attacker choose this method?

we know that MSBuild is present in an odd location under different name, and that an HTA file was used to execute the file. Since we know the file is called "Windows_Reporting.exe", let's look at all process creation events that have referenced this file with the following command ("$_.Properties[10]" represents to the CommandLine field in Sysmon log with Event ID 1):

event entry has logged the same HTA file copying MSBuild to C:\Users\Public\Downloads\Windows_Reporting.exe.

From the first task, we know that Windows_Reporting.exe was executed with command line argument of "Windows_Reporting.xml". To find out how that XML file was created, we will look into Sysmon event 11 - File create event. Execute the following command ("$_.Properties[5]" represents to the TargetFilename field in Sysmon log with Event ID 11):

the file was created by "certutil.exe"

Let's review the information that Att&ck has on certutil.exe herearrow-up-right. It states "certutil can be used to download files from a given URL". Following this information, we can dig up process creation events with certutil.exe with the following command:

It appears that certuti.exel was utilized to download the XML file from http://52.77.211.51:8443arrow-up-right.

hashtag
Task 4. What was the attacker's IP and Port?

Reviewing the discovered Windows_Reporting.xml reveals the attacker's C2 IP and Port:

The same can be observed by Sysmon logs, in particular event id 3 filtering for Windows_Reporting.exe with the following command

Overall, there are 51 connections.

PreviousSysinternals cyberdefendersNextUnattended TryHackMe

Last updated