Training for New Analyst

Log into VM to test
Start Machine
Log into Machine at machine_ip
Username: Maveris
Password: Lab
In this scenario you are an unwitting Maveris employee who routinely works with people outside the organization. You received an email urging you to import some contact information. Let's pretend for a moment that sharing contact info is not at all out of the ordinary for your role.
To play along, open the Lab folder on the desktop. Inside is a file called "My Contacts.eml"; double-click it to open it. You should see an email that looks like the picture below:

Go ahead and follow the instructions in the email, click on the attachment, open the file and import the contacts!
Uh oh... Looks like something did not go as expected.
This system has Sysmon and PowerShell logging enabled. Feel free to use Event Viewer to investigate: Sysmon writes to Applications and Services Logs > Microsoft > Windows > Sysmon > Operational, and PowerShell Script Block Logging (Event ID 4104) lands in Microsoft > Windows > PowerShell > Operational. (Google provides some good tips on how to look at logs in Event Viewer.)
Answer the questions below
What type of file was the malware smuggled in?
The extension of the attachment on the email will tell you!
html
What MITRE ATT&CK Technique is this an example of? (Use the sub-technique name if applicable)
HTML Smuggling (T1027.006, a sub-technique of Obfuscated Files or Information: the payload is carried inside the HTML/JavaScript of the attachment and assembled in the browser, so no file download ever crosses the mail or web gateway)
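The safe way to confirm the answer above is to look at the attachment without opening it. The PowerShell below is an added example, not part of the room and not the lab's own "My Contacts.eml": it walks a base64 MIME attachment out of a message and scores the HTML on the JavaScript primitives HTML smuggling relies on (decode a blob in the page, wrap it as a file, force the download). The message and the script inside it are constructed for illustration, and the function names are my own.

```powershell
# Added example, not part of the room: look inside an .eml without opening the
# attachment. Assumes the smuggled HTML arrives as a base64-encoded MIME part.
# $sampleEml below is a constructed message, not the lab's "My Contacts.eml".

$sampleHtml = @'
<html><body><script>
var b = "TVqQAAMAAAAEAAAA";  // payload bytes, base64 (truncated placeholder)
var bytes = Uint8Array.from(atob(b), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: "octet/stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Contacts.iso";   // the browser writes the ISO straight to disk
a.click();
</script></body></html>
'@
$b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleHtml))
$sampleEml = @"
From: contacts@example.test
To: maveris@example.test
Subject: My Contacts
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="SMUGGLE"

--SMUGGLE
Content-Type: text/plain

Please open the attachment and import the contacts.
--SMUGGLE
Content-Type: text/html; name="My Contacts.html"
Content-Disposition: attachment; filename="My Contacts.html"
Content-Transfer-Encoding: base64

$b64
--SMUGGLE--
"@

function Get-EmlAttachment {
    # Minimal MIME walk: split on the boundary and decode the attachment parts.
    param([string]$Eml)
    $boundary = [regex]::Match($Eml, 'boundary="?([^"\r\n;]+)"?').Groups[1].Value
    foreach ($part in ($Eml -split [regex]::Escape("--$boundary"))) {
        if ($part -notmatch 'Content-Disposition:\s*attachment') { continue }
        $name = [regex]::Match($part, 'filename="?([^"\r\n]+)"?').Groups[1].Value
        $body = ($part -split '\r?\n\r?\n', 2)[1]   # headers end at the first blank line
        if ($part -match 'Content-Transfer-Encoding:\s*base64') {
            $body = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(($body -replace '\s', '')))
        }
        [pscustomobject]@{ FileName = $name; Content = $body }
    }
}

function Test-HtmlSmuggling {
    # Scores the HTML on the building blocks of a smuggled download. Three or
    # more together is a strong signal; a single atob() alone is not.
    param([string]$Html)
    $indicators = [ordered]@{
        'base64 decode (atob)'       = 'atob\s*\('
        'in-memory file (Blob)'      = 'new\s+Blob\s*\('
        'object URL'                 = 'createObjectURL\s*\('
        'forced download'            = '\.download\s*=|msSaveOrOpenBlob|msSaveBlob'
        'scripted click'             = '\.click\s*\('
        'container/script file name' = '\.(iso|img|vhd|vhdx|zip|js|hta|lnk)"'
    }
    $hits = @(foreach ($k in $indicators.Keys) { if ($Html -match $indicators[$k]) { $k } })
    [pscustomobject]@{ Suspicious = ($hits.Count -ge 3); Indicators = $hits }
}

foreach ($att in Get-EmlAttachment -Eml $sampleEml) {
    $verdict = Test-HtmlSmuggling -Html $att.Content
    "{0}: suspicious={1} ({2})" -f $att.FileName, $verdict.Suspicious, ($verdict.Indicators -join ', ')
}
```

To run it against the real lure, replace `$sampleEml` with `Get-Content -Raw 'C:\Users\Maveris\Desktop\Lab\My Contacts.eml'` (path assumed). The MIME handling is deliberately minimal: it expects one boundary and a base64 attachment, which is what this lure uses, and will not cope with nested multiparts or quoted-printable bodies.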
What type of file was downloaded to the system?
.iso (a disk image: double-clicking it mounts it as a drive, and Windows only began propagating the Mark-of-the-Web to files inside mounted images in late 2022, which is why the format was popular for carrying the shortcut in)
What is the name of the Windows executable leveraged to execute malicious code on the system?
Please research the MITRE ATT&CK technique "System Binary Proxy Execution" (formerly "Signed Binary Proxy Execution") before attempting an answer.
See: System Binary Proxy Execution, Technique T1218 - Enterprise | MITRE ATT&CK
rundll32 (sub-technique T1218.011, Rundll32)
Please provide the complete command line run by the shortcut file.
Use logs or file properties to find the answer: Sysmon Event ID 1 (Process Create) records the full CommandLine of the rundll32 launch, and the shortcut's Properties > Target field shows the same command (it may be truncated in the dialog, so prefer the log).
This malware initiated a network connection to download additional malicious code, what was the URL with URI of the first file downloaded?
https://github.com/P4BNS/THM/raw/main/ReflectiveLoad.ps1
What is the name of the second file downloaded?
ClassLibrary1.dll
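The ISO, the rundll32 command line, and the two downloads asked about above can all be pulled from the logs in one pass instead of scrolling Event Viewer. The PowerShell below is an added example, not part of the room: it assumes Sysmon logs to its default Microsoft-Windows-Sysmon/Operational channel, that Script Block Logging (Event ID 4104) is on, and a two-hour lookback that you should adjust to when you opened the attachment. Run it from an elevated prompt on the lab VM; the helper function name is my own.

```powershell
# Added example, not part of the room: answer the questions from Sysmon and
# PowerShell logs. Assumes the default Sysmon channel and Script Block Logging.

function ConvertFrom-SysmonEvent {
    # Reads EventData fields by name, so the script does not depend on the
    # positional Properties[] order, which differs between Sysmon versions.
    param([Parameter(ValueFromPipeline)] [System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = [ordered]@{ TimeCreated = $Event.TimeCreated; Id = $Event.Id }
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        [pscustomobject]$data
    }
}

$sysmon = 'Microsoft-Windows-Sysmon/Operational'
$since  = (Get-Date).AddHours(-2)   # assumption: the lure was opened within the last two hours

# What landed on disk: Sysmon ID 11 (FileCreate) for the .iso the browser wrote.
Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=11; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.TargetFilename -match '\.iso$' } |
    Select-Object TimeCreated, Image, TargetFilename

# Which LOLBin ran and with what command line: Sysmon ID 1 (ProcessCreate).
# Include children of rundll32 so a spawned powershell.exe shows up too.
Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=1; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Where-Object { $_.Image -match 'rundll32\.exe$' -or $_.ParentImage -match 'rundll32\.exe$' } |
    Select-Object TimeCreated, Image, CommandLine, ParentImage, ParentCommandLine |
    Format-List

# Where it reached out: Sysmon ID 22 (DNS query) and ID 3 (network connection).
Get-WinEvent -FilterHashtable @{LogName=$sysmon; Id=22,3; StartTime=$since} -ErrorAction SilentlyContinue |
    ConvertFrom-SysmonEvent |
    Select-Object TimeCreated, Id, Image, QueryName, DestinationIp, DestinationPort

# What it fetched: Script Block Logging (ID 4104) keeps the downloader text,
# so the full URL of the first stage and the DLL it pulls next are here.
# Properties[2] of a 4104 event is the ScriptBlockText field.
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[2].Value -match 'DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|\.dll' } |
    ForEach-Object { "[{0}]`n{1}`n" -f $_.TimeCreated, $_.Properties[2].Value }
```

The ID 1 query is the one to read for the command-line question; the ID 22/3 output gives the destination host, and the 4104 script block text gives the exact URL and URI of the downloaded .ps1 and the name of the DLL it loads afterwards.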
What is the name of the process that opens the picture?
[[Tokyo Ghoul]]