Introduction: Penetration Test
Hey there.
I'm Aloge, and I will be working with you on conducting threat simulation and detection engineering tests. I will attempt to execute malware samples on a simulated compromised user account to see if DTSecure's security tools can detect the attacks.
This will be an iterative process; as your detection methods become more sophisticated, I will upgrade my malware samples to increase the difficulty of detection.
I will start with something simple, using "sample1.exe".
Scan this file using the Malware Sandbox tool and review the generated report. Maybe there's a unique way for you to distinguish this file and add a detection rule to block it. Once you manage to do so, I'll be in touch again.
-Aloge
Scan with Malware Sandbox
Update: You Blocked sample1.exe!
Good work. That detection you added blocked my malware from executing. Since file hashes and digests are unique to each file, they are, by far, the highest confidence indicators out there.
However, by design, that is also one of the significant downfalls of simply relying on hashes. I only need to alter a single bit of the file, and the detection rule you added will fail. I recompiled the malware and generated a new file hash. Try to detect sample2.exe!
Huh. Stumped again... for now!
Huh. It seems like you stopped me again. You must have found the IP address to which my malware sample connected. Clever!
This method isn't bulletproof, though, as it's trivial for a motivated adversary to get around it using a new public IP address. I now have access to many more public IPs! Next time, detect sample3.exe another way. Good luck. 😈
New Tactic! DNS Intercepted!
You must have found the domain emudyn.bresonicz.info. Clever work! Blocked my C2 again.
But DNS and IPs are cheap. Let's move up the pyramid. I'm deploying a specialized penetration testing tool in sample4.exe to scrape credentials. Let's see you stop my Tooling entirely!
Toolkit Dead! Level 5...
Wow! You blocked my custom tool binary entirely. That hurts. I had to spend weeks developing that!
Let's see how you handle a live behavioral method. For my final act, I am launching sample5.exe to hijack a native system process. Can you detect the TTP?
The Final Test: Mission Complete!!!
Incredible. You blocked my process injection method. You have successfully conquered the entire Pyramid of Pain and defended DobreTechSecure!
Please navigate to the "Forensic Assessment" tab on your sidebar to finalize the audit and complete your paperwork!
Malware Sandbox
Upload Sample
Select a file from the drop-down menu to detect malware and malicious behaviour. The automated analysis engine will execute the suspicious file on the target sandbox system.
Status: Running ...
System: Windows 10x64 v1803
Phase: Executing the file on the analysis machine
General Info - sample1.exe
| File Name | sample1.exe |
| File Size | 202.50 KB |
| File Type | PE32+ executable (GUI) x86-64, for MS Windows |
| Analysis Date | September 5, 2023 |
| OS | Windows 10x64 v1803 |
| MD5 | cbda8ae000aa9cbe7c8b982bae006c2a |
| SHA256 | 9c550591a25c6228cb7d74d970d133d75c961ffed2ef7180144859cc09efca8c |
| SHA1 | 83d2791ca93e58688598485aa62597c0ebbf7610 |
Behaviour
General Info - sample2.exe
| File Name | sample2.exe |
| File Size | 202.73 KB |
| File Type | PEXE - PE32+ executable (GUI) x86-64, for MS Windows |
| Analysis Date | September 5, 2023 |
| MD5 | 4d661bf605d6b0b15915a533b572a6bd |
| SHA256 | d576245e85e6b752b2fdffa43abaab1b2e1383556b0169fd04924d6cebc1cdf9 |
Behaviour Analysis
- sample2.exe (PID: 1927)
- sample2.exe (PID: 1927)
- sample2.exe (PID: 1927)
Network Activity
Connections
| PID | Process | IP | ASN |
|---|---|---|---|
| 1927 | sample2.exe | 154.35.10.113:4444 | Intrabuzz Hosting Limited |
| 1927 | sample2.exe | 40.97.128.3:443 | Microsoft Corporation |
General Info - sample3.exe
| File Name | sample3.exe |
| File Size | 207.12 KB |
| MD5 | e31f0c62927d9d5a897b4c45e3c64dbc |
| SHA256 | acb9b1260bcd08a465f9f300ac463b9b1215c097ebe44610359bb80881fe6a05 |
Behaviour Analysis
- sample3.exe (PID: 1021)
- backdoor.exe (PID: 2712)
- sample3.exe (PID: 1021)
Network Activity
HTTP requests
| PID | Process | Method | URL |
|---|---|---|---|
| 1021 | sample3.exe | GET | http://emudyn.bresonicz.info:1337/kzn293la |
| 1021 | sample3.exe | GET | http://emudyn.bresonicz.info/backdoor.exe |
Connections
| PID | Process | IP | Domain | ASN |
|---|---|---|---|---|
| 1021 | sample3.exe | 40.97.128.4:443 | services.microsoft.com | Microsoft Corporation |
| 1021 | sample3.exe | 62.123.140.9:1337 | emudyn.bresonicz.info | XplorIta Cloud Services |
General Info - sample4.exe
| File Name | sample4.exe |
| File Size | 450.12 KB |
| Tags | Credential-Dumper.Tool |
Behaviour Analysis
- Identified strings matching toolkit: Mimikatz
- sekurlsa::logonpasswords command invoked (PID: 3042)
General Info - sample5.exe
| File Name | sample5.exe |
| Tags | Evasion.Injection |
Behaviour Analysis
- The process created a suspended thread in a legitimate Windows binary.
- Technique pattern detected: Process Hollowing
- Targeted system process: svchost.exe (PID: 4112)
Manage Hashes
Detect Hashes
Manually add a hash to the blocklist
If you've discovered a hash value related to a malicious file or executable, you can submit it here.
MD5 SHA1 SHA256
Blocklist
| SHA256 | cd3c59eedabaa12e1e85068bd687eb23b97aaafd869b9c7b16a96c2e906aa0bf | |
| MD5 | c5a20611630c6fdfdf1c2a53fcb00e17 | |
| SHA1 | 350930418162cfe2027ab53c99001f0082fed41b | |
| SHA256 | b0657d3289bae5be59176613e794ae1bf696c7e2ee529058760fe0b17b0d448f | |
| MD5 | f054bbd2f5ebab9cb5571000b2c50c02 |
Firewall Rule Manager
Create Rule
Active Rules
| Enabled | Direction | Source | Destination | Action |
|---|---|---|---|---|
| Yes | Egress | 10.10.23.45 | 142.56.78.90 | Allow |
| Yes | Ingress | 88.90.123.45 | Any | Deny |
| Yes | Ingress | 203.56.78.90 | Any | Deny |
| Yes | Egress | Any | 205.78.90.12 | Allow |
| Yes | Ingress | 121.111.13.14 | Any | Deny |
| Yes | Ingress | 187.123.45.67 | 10.10.32.45 | Allow |
| Yes | Ingress | 154.67.89.23 | 10.10.56.78 | Allow |
| Yes | Egress | Any | 95.123.45.67 | Deny |
DNS Rule Manager
Create DNS Rule
Active Rules
| Rule Name | Category | Domain | Action | Settings |
|---|---|---|---|---|
| Cryptomining proxy server | Cryptomining | proxy4crypto.net | Deny | |
| Gambling referral site | Gambling | luckylottoaffiliates.com | Deny | |
| Anonymous browsing service | Anonymizer | cloakandbrowseanon.xyz | Deny | |
| Conspiracy theorist cat blog | Other | catsknowthetruth.info | Allow | |
| Suspicious file-sharing domain | Malware | downloadmyfilez.biz | Deny | |
| C2 server associated subdomain | Botnet | commandn.ctrl.xyz | Deny | |
| Fake software updates | Malware | legitsoft-updates.info | Deny | |
| Bill's wedding invite | Other | billrsvp.myweddings.io | Allow | |
| Deny known phishing domain | Phishing | parrotp0st.thm | Deny | |
| Ransomware associated domain | Malware | matrixlucky.sytes.net | Deny | |
| No more cat videos | Other | youtube.com | Deny | |
| Domain with Mirai association | Botnet | fungoods.xyz | Deny |
Endpoint Security (Tools)
Block Malicious Tool
Banned Software Kits
| Enabled | Tool Signature | Action |
|---|---|---|
| Yes | Rubeus | Deny |
| Yes | BloodHound | Deny |
Behavioral Heuristics (TTPs)
Intercept TTP Pattern
Prohibited Behaviors
| Enabled | Behavior Pattern | Action |
|---|---|---|
| Yes | DLL Injection | Intercept |
| Yes | Scheduled Task Creation | Alert |
Forensic Assessment Workspace
Provide answers based on your threat hunt findings. Maintain strict formatting and character structure constraints.