T1197 Lab (MITRE ATT&CK T1197: BITS Jobs)
Last updated
Q1) What is the framework used to create the backdoors?
In this scenario, an employee received multiple Windows Defender alerts indicating the presence of malicious files on their PC. We start with Event ID 1116 in the Microsoft-Windows-Windows Defender/Operational log, which is written each time the antimalware engine detects malware or potentially unwanted software and carries the threat name and the path of the detected file.
The detection name Trojan:Win32/Meterpreter.O!MTB shows that the backdoor is a Meterpreter payload, the staged agent delivered by the Metasploit Framework.
Answer: Metasploit
Q2) What is the name of the scheduled task that the attacker tried to create?
Security Event ID 4698 (A scheduled task was created) records every task registered through the Task Scheduler; the task's name is in the TaskName field and its full definition (command, triggers, run-as account) is in the TaskContent XML.
Answer: eviltask
Q3) What is the LOLBAS used by the malicious actor to move the backdoors to the targeted machine?
The process creation events show bitsadmin.exe being executed 32 times with PowerShell as the parent process, which is highly indicative of malicious activity: BITSAdmin is a signed Windows binary (a LOLBAS) that attackers use to download and stage files because the transfer is performed by the BITS service rather than by the attacker's own tooling, and the PowerShell parent points to a scripted rather than interactive origin.
Answer: bitsadmin.exe
Q4) When was the first attempt made by the attacker to execute the LOLBAS? (Format: 24H UTC)
Answer: 2023-07-31 17:39:45
Q5) What is the IP address of the attacker?
The Microsoft-Windows-Bits-Client/Operational log records each transfer job. Event ID 59 is written when BITS starts transferring a job and includes the remote URL; Event ID 60 is written when BITS stops transferring the job, again with the URL plus a status code (0x0 on success). The host in those URLs is the attacker's download server, and the timestamp of the last successful Event ID 60 gives the time of the most recent completed download.
Answer: 192.168.190.136
Q6) When was the most recent file downloaded by the attacker to the targeted machine? (Format: 24H UTC)
Answer: 2023-07-31 18:16:48
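The checks used for Q3 to Q6 above (counting LOLBAS executions by parent, finding the first execution, pulling the remote host out of BITS Event ID 59/60 URLs, and finding the last successful transfer) can be scripted once the events are exported. The following is an added example and is not part of the lab or its solution; it runs over a few constructed records, not the lab's data. It assumes the events have already been exported from the Windows event logs into Python dicts with the field names used below (for example with Get-WinEvent and a conversion of each record's XML), that the BITS status code is carried in a field named "hr" as in the event's EventData, and that all timestamps are already in UTC in the lab's 24H format. The hostnames, IPs, paths and times in the sample data are made up.

```python
"""Added example: triage helpers for the T1197 lab questions, run over
constructed event records (not the lab's data)."""
from collections import Counter
from datetime import datetime
from ntpath import basename          # handles Windows backslash paths on any OS
from urllib.parse import urlparse

FMT = "%Y-%m-%d %H:%M:%S"            # the lab's "24H UTC" answer format

# Constructed process-creation records (field shape modelled loosely on
# Sysmon Event ID 1 / Security 4688; values are invented for illustration).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
BA = r"C:\Windows\System32\bitsadmin.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PROCESS_EVENTS = [
    {"time": "2023-08-01 09:05:30", "image": PS,  "parent": r"C:\Windows\explorer.exe"},
    {"time": "2023-08-01 09:10:55", "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"time": "2023-08-01 09:12:03", "image": BA,  "parent": PS},
    {"time": "2023-08-01 09:12:41", "image": BA,  "parent": PS},
    {"time": "2023-08-01 09:20:17", "image": BA,  "parent": CMD},
]

# Constructed Bits-Client/Operational records: id 59 = transfer started,
# id 60 = transfer stopped with status code "hr" (0x0 means success).
ATTACKER = "http://10.10.14.7:8000/"
UPDATE = "https://tlu.dl.delivery.mp.microsoft.com/update.cab"   # benign noise
BITS_EVENTS = [
    {"time": "2023-08-01 09:00:00", "id": 59, "url": UPDATE},
    {"time": "2023-08-01 09:00:30", "id": 60, "url": UPDATE, "hr": "0x0"},
    {"time": "2023-08-01 09:12:04", "id": 59, "url": ATTACKER + "stage1.exe"},
    {"time": "2023-08-01 09:12:09", "id": 60, "url": ATTACKER + "stage1.exe", "hr": "0x0"},
    {"time": "2023-08-01 09:12:42", "id": 59, "url": ATTACKER + "stage2.dll"},
    {"time": "2023-08-01 09:12:47", "id": 60, "url": ATTACKER + "stage2.dll", "hr": "0x80200010"},
    {"time": "2023-08-01 09:20:18", "id": 59, "url": ATTACKER + "stage3.exe"},
    {"time": "2023-08-01 09:20:25", "id": 60, "url": ATTACKER + "stage3.exe", "hr": "0x0"},
]

LOLBAS = {"bitsadmin.exe", "certutil.exe", "mshta.exe", "regsvr32.exe"}


def ts(value):
    return datetime.strptime(value, FMT)


def lolbas_parent_counts(events, lolbas=LOLBAS):
    """Q3: how often each LOLBAS ran, broken down by parent process name."""
    counts = Counter()
    for e in events:
        image = basename(e["image"]).lower()
        if image in lolbas:
            counts[(image, basename(e["parent"]).lower())] += 1
    return counts


def first_execution(events, image_name):
    """Q4: earliest process-creation time for the named image, or None."""
    times = [ts(e["time"]) for e in events
             if basename(e["image"]).lower() == image_name.lower()]
    return min(times).strftime(FMT) if times else None


def bits_remote_hosts(bits_events):
    """Q5: remote hosts seen in BITS 59/60 URLs, with how often each appears."""
    hosts = Counter()
    for e in bits_events:
        if e["id"] in (59, 60):
            hosts[urlparse(e["url"]).hostname] += 1
    return hosts


def latest_successful_transfer(bits_events):
    """Q6: (time, url) of the most recent Event ID 60 that ended with hr 0x0."""
    done = [e for e in bits_events if e["id"] == 60 and e.get("hr") == "0x0"]
    if not done:
        return None
    last = max(done, key=lambda e: ts(e["time"]))
    return last["time"], last["url"]


if __name__ == "__main__":
    for (image, parent), n in lolbas_parent_counts(PROCESS_EVENTS).items():
        print(f"{image} spawned by {parent}: {n} time(s)")
    print("first bitsadmin.exe run:", first_execution(PROCESS_EVENTS, "bitsadmin.exe"))
    print("BITS remote hosts:", dict(bits_remote_hosts(BITS_EVENTS)))
    print("latest completed download:", latest_successful_transfer(BITS_EVENTS))
```

In the lab itself the records come from the event logs, for example Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Bits-Client/Operational'; Id=59,60} for the BITS side; each record's EventData then maps onto the dict fields above. The failed stage2.dll job (non-zero hr) is deliberately excluded from the "latest download" answer, since a stopped transfer with an error is not a file that landed on disk, and the benign Microsoft update host shows why the URL host should be reviewed rather than assumed hostile.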