This lab builds on the previous two exercises, Model 3 and Powerfall Convo. It should require nothing beyond Docker and Docker Compose.
This lab is based on real data containing actual malicious indicators. If you attempt to find and run files, or visit network hosts or domains that appear in these logs, you do so at your own risk.
- Download and install Docker.
- Download and install Docker Compose (on Windows, Docker Compose is bundled with the Docker installer, so this step shouldn't be required).
- Download or clone this repository.
- Open a command prompt, change into this repository folder on your local machine and run `docker-compose up`.
- When `docker-compose up` has finished bringing the containers up, open a browser and navigate to http://localhost:5601 to access the Kibana instance.
This lab continues to use Kibana to identify and investigate signs of a compromise. The VT Hunting dashboard should give you the information you need to get started. If you're struggling or things aren't clear, revisit the previous two labs in this introductory series.
- What is the name of the malicious file that has executed?
- What did the associated process do? Were there any other malicious indicators?
- What was the parent process that launched the malicious image? What does this tell you? Are there other indicators that confirm that?
- What process created the ddpp file? Did it create or delete any other files?
- What appears to be the process that started all of this activity? When did it occur, on what computer, and under which user?
Bonus: What advanced persistent threat (APT) has been discussed as being the group behind these indicators?
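The questions above are a chain of pivots through Sysmon events: find the execution of the suspect image, look up its parent, list the files it created or deleted, find the process that wrote the suspect file to disk, and walk that process's ancestry back to the origin (process, time, host, user). As an added example that is not part of the lab or its dataset, the Python below runs those pivots over a handful of constructed Sysmon-style records (EventID 1 process create, 11 file create, 23 file delete). Field names follow Sysmon's own schema, which is an assumption about how the lab's index names them; the hostname, user, GUIDs, file paths and scheduled-task name are made up, and no real indicator from the lab is used.

```python
"""Pivot through Sysmon-style events the way the lab's questions do.

Added example: the records below are constructed for illustration and are
not taken from the lab's dataset. Field names (EventID, ProcessGuid,
ParentProcessGuid, Image, TargetFilename, ...) follow Sysmon's own schema,
which is an assumption about how the lab's index names them.
"""

TEMP = r"C:\Users\alice\AppData\Local\Temp"   # constructed path prefix

# Constructed events: 1 = process create, 11 = file create, 23 = file delete.
# GUIDs, hostname, user and file names are made up.
EVENTS = [
    {"EventID": 1, "UtcTime": "2020-01-10 13:00:00", "Computer": "WS01", "User": "NT AUTHORITY\\SYSTEM",
     "ProcessGuid": "g-svchost", "ParentProcessGuid": "g-services",
     "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": "svchost.exe -k netsvcs -s Schedule"},
    {"EventID": 1, "UtcTime": "2020-01-10 14:00:00", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessGuid": "g-explorer", "ParentProcessGuid": "g-userinit",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"EventID": 1, "UtcTime": "2020-01-10 14:01:05", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessGuid": "g-word", "ParentProcessGuid": "g-explorer",
     "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "CommandLine": "WINWORD.EXE invoice.docm"},
    {"EventID": 11, "UtcTime": "2020-01-10 14:01:30", "Computer": "WS01",
     "ProcessGuid": "g-word", "Image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "TargetFilename": TEMP + "\\upd.exe"},
    {"EventID": 1, "UtcTime": "2020-01-10 14:01:40", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessGuid": "g-cmd", "ParentProcessGuid": "g-word",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c schtasks ..."},
    {"EventID": 1, "UtcTime": "2020-01-10 14:01:45", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessGuid": "g-schtasks", "ParentProcessGuid": "g-cmd",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks /create /sc minute /mo 5 /tn Updater /tr " + TEMP + "\\upd.exe"},
    {"EventID": 1, "UtcTime": "2020-01-10 14:05:00", "Computer": "WS01", "User": "CORP\\alice",
     "ProcessGuid": "g-upd", "ParentProcessGuid": "g-svchost",
     "Image": TEMP + "\\upd.exe", "CommandLine": "upd.exe"},
    {"EventID": 11, "UtcTime": "2020-01-10 14:05:02", "Computer": "WS01",
     "ProcessGuid": "g-upd", "Image": TEMP + "\\upd.exe", "TargetFilename": TEMP + "\\stage.bin"},
    {"EventID": 23, "UtcTime": "2020-01-10 14:05:09", "Computer": "WS01",
     "ProcessGuid": "g-upd", "Image": TEMP + "\\upd.exe", "TargetFilename": TEMP + "\\stage.bin"},
]


def _creations(events):
    """Map ProcessGuid -> its EventID 1 (process create) record."""
    return {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}


def process_chain(events, guid):
    """Follow ParentProcessGuid upward from guid; returns the EventID 1 records
    from the child up to the topmost ancestor that has a creation event."""
    by_guid = _creations(events)
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:   # `seen` guards against loops in bad data
        seen.add(guid)
        chain.append(by_guid[guid])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain


def file_activity(events, guid):
    """Files a process created (EventID 11) and deleted (EventID 23)."""
    out = {"created": [], "deleted": []}
    for e in events:
        if e["ProcessGuid"] == guid and e["EventID"] == 11:
            out["created"].append(e["TargetFilename"])
        elif e["ProcessGuid"] == guid and e["EventID"] == 23:
            out["deleted"].append(e["TargetFilename"])
    return out


def creator_of(events, path):
    """ProcessGuid of the process whose EventID 11 wrote `path`, or None."""
    for e in events:
        if e["EventID"] == 11 and e["TargetFilename"].lower() == path.lower():
            return e["ProcessGuid"]
    return None


def investigate(events, suspect_image):
    """Run the lab's question sequence for one suspect image path."""
    runs = [e for e in events if e["EventID"] == 1 and e["Image"].lower() == suspect_image.lower()]
    if not runs:
        return None
    run = runs[0]                       # first observed execution of the suspect image
    parent = _creations(events).get(run["ParentProcessGuid"])
    # Persistence check: any schtasks.exe invocation whose command line names the suspect image.
    persistence = [e["CommandLine"] for e in events
                   if e["EventID"] == 1 and e["Image"].lower().endswith("\\schtasks.exe")
                   and suspect_image.lower() in e["CommandLine"].lower()]
    dropper_chain = process_chain(events, creator_of(events, suspect_image))
    origin = dropper_chain[-1] if dropper_chain else None
    return {
        "executed_at": run["UtcTime"],
        "parent": parent["Image"] if parent else None,
        "files": file_activity(events, run["ProcessGuid"]),
        "persistence": persistence,
        "dropper_chain": [e["Image"] for e in dropper_chain],
        "origin": {k: origin[k] for k in ("Image", "UtcTime", "Computer", "User")} if origin else None,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(investigate(EVENTS, TEMP + "\\upd.exe"), indent=2))
```

Each function is one Kibana pivot: the same lookups are KQL filters on the corresponding fields (for example `EventID:23 and TargetFilename:"<path>"` for deletions, `EventID:1 and ParentProcessGuid:"<guid>"` for children; the exact field names depend on how the lab's index maps Sysmon data). Note that the parent of the suspect execution is svchost.exe rather than the dropper, which is what a scheduled-task launch looks like; the `persistence` list is the confirming indicator.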
- VirusTotal
- Sysmon Events List
- Sysmon Event ID 23
- Kibana Query Language
- MITRE - ATT&CK
- MITRE - ATT&CK - Scheduled Task/Job