├── 504lab.exe
├── README.md
├── _config.yml
└── docs
    ├── _config.yml
    └── solution.md

--------------------------------------------------------------------------------
/504lab.exe:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/MarkBaggett/504lab/74f194b9dd9c864132093f1a61665ce7ff270de0/504lab.exe

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# The SANS SEC504 Windows Cheat Sheet Lab

## Introduction
This lab is designed to show how a few simple commands documented on the SANS SEC504 Windows Incident Response Cheat Sheet can be used to identify unusual processes running on your host. The lab launches non-persistent, benign processes on your host that listen on network ports and establish communications using common malware techniques. It then asks you various questions about those processes. The process id numbers, TCP ports and other details are chosen randomly, so you can run this lab multiple times for practice.

## Download
There are two ways to get a copy of this lab. First, attend SANS SEC504 for this lab and many other awesome labs. Second, you can download it [here](https://github.com/MarkBaggett/504lab/releases/download/1.0/504lab.exe).

## Usage
First, make sure your antivirus software and firewall are disabled. The tool launches benign processes on your host that mimic the typical behavior of malware, and firewalls and antivirus products may prevent it from functioning properly. Once a malware behavior has launched you will be asked to find and investigate it. The tool presents you with questions about the "malware" that you must answer to move on to the next step. If you are stuck, submit an answer of "help" and it will give you a hint. Alternatively, you can look at the walk-through linked below.
To begin, run this program and then open a second command prompt that is running as an Administrator. Use the second window to investigate the "malware" and the first window to submit your answers.

## Answers
If you get stuck you can type "help" as the answer to your question to receive a hint.
Click [HERE](docs/solution.md) for a walk-through.

## More Information
Click [here](https://www.sans.org/course/hacker-techniques-exploits-incident-handling) for more information on [SANS SEC504 - Hacker Tools, Techniques, Exploits, and Incident Handling](https://www.sans.org/course/hacker-techniques-exploits-incident-handling).

This tool was developed by [Mark Baggett](https://twitter.com/markbaggett), course author of [SEC573 Automating Information Security with Python](https://www.sans.org/course/automating-information-security-with-python).

Updates for this tool can be downloaded from [HERE](https://markbaggett.github.io/504lab).

This binary is distributed as part of the SANS SEC504 Hacker Tools, Techniques, Exploits and Incident Response course. You may download and use this tool without modification as you see fit.
All Rights Reserved.

--------------------------------------------------------------------------------
/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker

--------------------------------------------------------------------------------
/docs/_config.yml:
--------------------------------------------------------------------------------
theme: jekyll-theme-hacker
markdown: kramdown

--------------------------------------------------------------------------------
/docs/solution.md:
--------------------------------------------------------------------------------
# One Possible Solution

There are many different techniques you could use to solve this challenge.
Here is one way you could answer each question.

```
KNOW THY SYSTEM!

Open a second CMD prompt as an Administrator and run netstat -nao on your host so you know what your system looks like before it is "infected."
Verify your firewall and AV are disabled. I am about to start a non-malicious backdoor for you to find.

After you have run netstat press ENTER to continue
```

You could, as the question suggests, just look at netstat, press enter, run netstat a second time and then compare the results manually.
But you could also let your system do the hard part for you. Open a PowerShell prompt running as administrator, then record the results of `netstat -nao` into a variable called net1. Then press enter in the other window to let the lab start the backdoor.
Then, back in PowerShell, type `$net2 = netstat -nao` to capture the updated netstat output into another variable named net2. Then you can use PowerShell's Compare-Object cmdlet to show you the differences between the two results.

```
PS C:\Users\mark\Documents\504lab_internal> $net1 = netstat -nao
PS C:\Users\mark\Documents\504lab_internal> $net2 = netstat -nao
PS C:\Users\mark\Documents\504lab_internal> Compare-Object $net1 $net2

InputObject                                                              SideIndicator
-----------                                                              -------------
  TCP    0.0.0.0:50985          0.0.0.0:0              LISTENING       6392 =>
```

You can see that we now have a new port listening on 50985. Your port number will likely be different because the backdoor chooses a port randomly. Type the port number in to answer the question.

```
What TCP port is the backdoor listening on? 50985

What is the process id number of the backdoor?
```

Now you need to know its process ID number. That is the other number that was displayed in the Compare-Object output. The process ID number was displayed because we used the -o option when we called netstat.
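As an added example (not code from the 504lab project), the same netstat comparison done on parsed objects rather than raw text lines, so that only genuinely new sockets are reported together with their owning PID. The two captures below are constructed sample text standing in for `$net1` and `$net2`; on a live host replace them with the real `netstat -nao` output as shown above.

```powershell
# Parse "netstat -nao" text into objects. A TCP line looks like:
#   TCP    0.0.0.0:50985          0.0.0.0:0              LISTENING       6392
# UDP lines have no State column, so their PID sits one field earlier.
function ConvertFrom-NetstatNao {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4 -or $f[0] -notin 'TCP','UDP') { continue }   # skips headers and blank lines
        if ($f[0] -eq 'TCP') { $state = $f[3]; $owner = $f[4] } else { $state = ''; $owner = $f[3] }
        [pscustomobject]@{
            Proto  = $f[0]
            Local  = $f[1]
            Remote = $f[2]
            State  = $state
            PID    = [int]$owner
        }
    }
}

# Report sockets present in the second capture but absent from the first.
function Get-NewSockets {
    param([string[]]$Before, [string[]]$After)
    $b = ConvertFrom-NetstatNao $Before
    $a = ConvertFrom-NetstatNao $After
    # Compare on the whole tuple; '=>' marks rows that exist only in $After.
    Compare-Object $b $a -Property Proto,Local,Remote,State,PID |
        Where-Object SideIndicator -eq '=>' |
        Select-Object Proto,Local,Remote,State,PID
}

# Constructed captures: a baseline, then the same host after the lab's backdoor started.
$net1 = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912',
    '  TCP    192.168.1.20:49710     52.96.0.10:443         ESTABLISHED     4488',
    '  UDP    0.0.0.0:5353           *:*                                    1440'
)
$net2 = $net1 + '  TCP    0.0.0.0:50985          0.0.0.0:0              LISTENING       6392'

Get-NewSockets -Before $net1 -After $net2 | Format-Table -AutoSize
# Live use: $net1 = netstat -nao ; press ENTER in the lab ; $net2 = netstat -nao
```

Comparing parsed objects also avoids false differences caused by changed column spacing or by transient ESTABLISHED rows that only differ in their remote port.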
In the example above the process ID number was 6392. Enter that as the answer to the question.

```
What is the process id number of the backdoor? 6392

What is the Parent process id number of the backdoor?
```

Now you need to find out what the parent process ID is. The easiest way to see this is to use a graphical tool such as Process Explorer or Process Hacker. But installing a tool on a system for incident response is sloppy. Instead you can use wmic to query the information. For example, `wmic process where (processid = 1234) get parentprocessid` would show you the parent process id for process 1234. Run the wmic command in a command prompt rather than your PowerShell prompt. Change `processid = 1234` to reflect the correct process id and run it at your command prompt. If you would like to get this same information from PowerShell you still need to query WMI. That can be done using the Get-WmiObject cmdlet.

```
C:\Windows\system32> wmic process where (processid = 6392) get parentprocessid
ParentProcessId
7220
```

Now you know the parent process ID number is 7220 and you can answer the next question!

```
What is the Parent process id number of the backdoor? 7220

Use netcat to connect to the backdoors TCP port.
What is flag printed when you connect to the backdoor?
```

Now use netcat to connect to the TCP port that we identified in step 1 of this lab and retrieve the flag.

```
C:\Windows\system32> nc 127.0.0.1 50985
TheFlagisBlack197168254

```

Once netcat connects, the backdoor prints "TheFlagisBlack" followed by a random number. Hmm, perhaps this backdoor was created by a 1980s punk rock band. Regardless, now you can answer the next question.

```
What is flag printed when you connect to the backdoor? TheFlagisBlack197168254

What TCP port is the backdoor listening on now?
```

The backdoor must have changed ports, because we are being asked for the new port number. Well, if it is the same backdoor then the process id number must be the same. We can use netstat with findstr to look for the process.

```
C:\Windows\system32>netstat -nao | findstr 6392
  TCP    0.0.0.0:51274          0.0.0.0:0              LISTENING       6392
  TCP    127.0.0.1:50985        127.0.0.1:51273        ESTABLISHED     6392
```

If you are following the commands as outlined in this walk-through then you most likely see two entries here. The bottom one is "ESTABLISHED", meaning someone is connected to it. That is the netcat connection that you made to the backdoor to get the flag. If you don't close netcat it will keep that connection open. If you closed netcat you may only see one entry. The first line says that it is "LISTENING". This is the new port that the backdoor is listening on. You have the next answer to the questions!

```
What TCP port is the backdoor listening on now? 51274

Now use wmic to kill the process.
Press enter after you have killed the process.
```

To kill the process with wmic I like to do it in two steps. The first step just displays the process to confirm that I typed my syntax properly. Then, once I know my syntax is correct, I press the up arrow and change the words "list brief" to "delete". This two-step process allows me to confirm I am killing the correct process.

```
C:\Windows\system32>wmic process where (processid = 6392) list brief
HandleCount  Name            Priority  ProcessId  ThreadCount  WorkingSetSize
486          powershell.exe  8         6392       8            44756992


C:\Windows\system32>wmic process where (processid = 6392) delete
Deleting instance \\MarksComputer\ROOT\CIMV2:Win32_Process.Handle="6392"
Instance deletion successful.
```

Alternatively you could do this with the Get-Process and Stop-Process PowerShell cmdlets.
```
PS C:\Users\mark\Documents\504lab_internal> get-process -PID 6392 | stop-process
```

Once the backdoor has been killed go back to the lab and press ENTER.

```
Press enter after you have killed the process.

This Powershell backdoor was easy to find because it listened on a TCP port. A more typical Powershell backdoor will not. Instead it makes periodic client connections to a command and control server. Now I'm creating a new Powershell process that does not listen on a port.

What is the process id number of the backdoor?
```

The next backdoor is more difficult to find. Now it is not listening on a TCP port. Had we known this was going to happen we could have recorded a list of running processes in a variable and compared it after the process was launched, similar to what we did with netstat to find the TCP port. But it is too late for that; the process is already running. Fortunately the question does tell us that it is a PowerShell process. You could brute force the answer: get a list of all PowerShell processes and submit their process id numbers until you find out which one is the backdoor. To get a list of all PowerShell processes you could type `wmic process where (name like "powershell%") list brief` or, with PowerShell, `Get-Process -name powershell`. But brute-forcing seems rather inelegant. How could we determine which PowerShell process was launched by the tool? We could examine the command line of each process; we will do that in a few questions. We could look to see what was launched by the 504lab.exe program. Another option would be the process start time. Since it just started a few minutes ago we can ask PowerShell to show us the process start times. The command `Get-Process -name powershell | Select-Object -Property id,starttime` will show you the start time of the PowerShell processes.
That should make one of your processes stand out from the rest: one of them should have a very recent start time. Enter that process ID number to get the next question.

```
What is the process id number of the backdoor? 6512

Use wmic to retrieve the CommandLine and answer the following.

What is the flag contained in the script executed by the backdoor?
```

Now we need to retrieve the command line that was used to launch the backdoor.

```
C:\Windows\system32>wmic process where (processid = 6512) get commandline
CommandLine
powershell.exe -nop -exec bypass -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAGYAbABhAGcAIAA9ACAAIgBTAGEAcwBxAHUAYQBjAGgAZQAzADAAMwAyADEAMQA4ADIAMwAyACIAOwAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADEAMAAwADAAMAApAH0AOwA=
```

OK, we can see the command line, but no flag. PowerShell backdoors are quite often BASE64 encoded. Any time you see the "-enc" option it will be followed by a base64 encoded payload. With most PowerShell malware you must decode the script from the command line to see what the malware is doing to your host. So let's decode that thing using PowerShell. Typing "help" as your answer will give you a nice hint and some PowerShell syntax you can copy, paste and modify. Let's plug the BASE64 string from the command line above into that syntax to decode it.

```
PS C:\Users\mark_\Documents\504lab_internal> [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAGYAbABhAGcAIAA9ACAAIgBTAGEAcwBxAHUAYQBjAGgAZQAzADAAMwAyADEAMQA4ADIAMwAyACIAOwAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADEAMAAwADAAMAApAH0AOwA="))
while($true){$flag = "Sasquache3032118232"; [System.Threading.Thread]::Sleep(10000)};
```

Now you have the final flag!
It is "Sasquache" followed by a large number. Perhaps the backdoor author was a 9 foot reclusive hairy beast. No matter. Now you can answer the next question!

```
What is the flag contained in the script executed by the backdoor? Sasquache3032118232


Now use wmic to kill the process.
Press enter after you have killed the process.
```

Last, you need to kill the backdoor process. Last time we used wmic. Let's use PowerShell here. Again, I like to do this in two steps. The first one confirms I have the correct process. The second step kills it. Alternatively, you could use the -Confirm option and do it in one step.

```
PS C:\Users\mark_\Documents\504lab_internal> Get-Process -pid 6512

Handles  NPM(K)    PM(K)      WS(K)     CPU(s)     Id  SI ProcessName
-------  ------    -----      -----     ------     --  -- -----------
    468      23    48684      50880       0.31   6512   1 powershell


PS C:\Users\mark_\Documents\504lab_internal> Get-Process -pid 6512 | stop-process
```

Then press enter in the lab to receive your fabulous prizes.

```
You have done well. The evil hackers have been thwarted.
Press enter to end this lab.
```

Well done!
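The checks used to find the second backdoor above (recent powershell.exe start time, the parent that launched it, and decoding the -enc argument of its command line) combined into one script, as an added example that is not the 504lab project's own code. The decoder is first run on the command line captured in the walk-through; the 10-minute window is an assumed value, and `Get-CimInstance` is used as the current replacement for the `Get-WmiObject` query mentioned earlier.

```powershell
# Decode the base64 payload that follows -EncodedCommand or any unique prefix of it
# (-e, -ec, -enc, ...). powershell.exe always treats that payload as UTF-16LE, hence
# Encoding.Unicode rather than UTF8. Returns $null when no such switch is present.
function ConvertFrom-EncodedCommandLine {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }   # CommandLine is empty for protected processes
    $tokens = $CommandLine -split '\s+'
    for ($i = 0; $i -lt $tokens.Count - 1; $i++) {
        if ($tokens[$i] -notmatch '^[-/](\w+)$') { continue }
        $name = $Matches[1].ToLowerInvariant()
        # -nop, -exec and -ep are not prefixes of "encodedcommand", so they are skipped.
        if ($name -ne 'ec' -and -not 'encodedcommand'.StartsWith($name)) { continue }
        try { $bytes = [Convert]::FromBase64String($tokens[$i + 1]) }
        catch { return "<not valid base64 after -$name>" }
        return [Text.Encoding]::Unicode.GetString($bytes)
    }
    return $null
}

# Triage powershell.exe processes started within the last $WithinMinutes minutes:
# start time, parent name (504lab.exe for this lab's backdoor) and the decoded script.
function Get-RecentPowerShellProcesses {
    param([int]$WithinMinutes = 10)   # assumed window; widen it if the lab was started earlier
    $cutoff = (Get-Date).AddMinutes(-$WithinMinutes)
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CreationDate -gt $cutoff } |
        ForEach-Object {
            $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
            $parentName = if ($parent) { $parent.Name } else { '<exited>' }
            [pscustomobject]@{
                ProcessId  = $_.ProcessId
                Started    = $_.CreationDate
                ParentPid  = $_.ParentProcessId
                ParentName = $parentName
                Decoded    = ConvertFrom-EncodedCommandLine $_.CommandLine
            }
        } | Sort-Object Started -Descending
}

# Command line captured in the walk-through above; it decodes to the lab's own flag script.
$captured = 'powershell.exe -nop -exec bypass -enc dwBoAGkAbABlACgAJAB0AHIAdQBlACkAewAkAGYAbABhAGcAIAA9ACAAIgBTAGEAcwBxAHUAYQBjAGgAZQAzADAAMwAyADEAMQA4ADIAMwAyACIAOwAgAFsAUwB5AHMAdABlAG0ALgBUAGgAcgBlAGEAZABpAG4AZwAuAFQAaAByAGUAYQBkAF0AOgA6AFMAbABlAGUAcAAoADEAMAAwADAAMAApAH0AOwA='
ConvertFrom-EncodedCommandLine $captured
# while($true){$flag = "Sasquache3032118232"; [System.Threading.Thread]::Sleep(10000)};

Get-RecentPowerShellProcesses | Format-List
```

Run it from an elevated PowerShell prompt; without elevation the CommandLine property of other users' processes is empty and the Decoded column stays blank.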