# T1197 Lab

Q1) What is the framework used to create the backdoors?

In this scenario, an employee received multiple Windows Defender alerts indicating the presence of malicious files on their PC. Let's use Event ID 1116 to examine Windows Defender event logs.

```spl
index="mitre-t1197" event.code=1116
```

<figure><img src="/files/8weXdTZelatdi3ysT3Kh" alt=""><figcaption></figcaption></figure>

The detection of **Trojan:Win32/Meterpreter.O!MTB** indicates that the backdoor is linked to **Meterpreter**, a popular payload used by the Metasploit framework.

Answer: Metasploit

Q2) What is the name of the scheduled task that the attacker tried to create?

```spl
index="mitre-t1197" event.code=4698
| table winlog.event_data.SubjectUserName, winlog.event_data.TaskName
```

<figure><img src="/files/7R3ibFb0gcKCv92vaumG" alt=""><figcaption></figcaption></figure>

**Event ID 4698**: a scheduled task was created. The `TaskName` field carries the name the attacker chose.

Answer:  eviltask

Q3) What is the LOLBAS used by the malicious actor to move the backdoors to the targeted machine?

```spl
index="mitre-t1197" "event.code"=4688
| stats count by winlog.event_data.ParentProcessName, winlog.event_data.NewProcessName
| sort -count
```

<figure><img src="/files/QxcUk8cwzhfuIoQAiyMQ" alt=""><figcaption></figcaption></figure>

`bitsadmin.exe` was launched 32 times with **PowerShell** as the parent process, which is a strong indicator of malicious activity: attackers commonly drive the download from a PowerShell session and rely on **BITSAdmin** to fetch files through a legitimate Windows service so the transfer blends in with normal traffic. Filtering the Defender detections on the threat name shows where the downloaded files landed:

```spl
index="mitre-t1197" "event.code"=1116 "winlog.event_data.Threat Name"="Trojan:Win32/Meterpreter.O"
```

<figure><img src="/files/g94vuIpGIMEKpSokvRDR" alt=""><figcaption></figcaption></figure>

Answer:  bitsadmin.exe

Q4) When was the first attempt made by the attacker to execute the LOLBAS? (Format: 24H UTC)

```spl
index="mitre-t1197" event.code=4688 winlog.event_data.NewProcessName="*bitsadmin.exe"
| table _time, winlog.event_data.NewProcessName
| sort _time
```

<figure><img src="/files/uZwVPiVWrF3og5ouFJOd" alt=""><figcaption></figcaption></figure>

Answer:  2023-07-31 17:39:45

Q5) What is the IP address of the attacker?

```spl
index="mitre-t1197" (event.code=59 OR event.code=60)
| table _time, winlog.event_data.url, event.code
```

<figure><img src="/files/Q19pHh5XLb0af1tT703e" alt=""><figcaption></figcaption></figure>

* **Event ID 59**: BITS job creation; the `url` field records the remote source the job transfers from.
* **Event ID 60**: BITS job modification (e.g., adding files to the job).

Answer:  192.168.190.136
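As an added example (not part of the lab or CyberDefenders' material), the hunting logic of the Q3 to Q5 searches written in Python over a few constructed Winlogbeat-style records: it assumes the field names used in the Splunk queries above, and 192.0.2.10 is a placeholder attacker host, not the lab's.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed Winlogbeat-style sample records (not the lab's data); 192.0.2.10 is a placeholder host.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"@timestamp": "2023-07-31T17:39:45Z", "event.code": 4688,
     "winlog.event_data.ParentProcessName": PS,
     "winlog.event_data.NewProcessName": r"C:\Windows\System32\bitsadmin.exe"},
    {"@timestamp": "2023-07-31T17:40:02Z", "event.code": 4688,
     "winlog.event_data.ParentProcessName": PS,
     "winlog.event_data.NewProcessName": r"C:\Windows\System32\bitsadmin.exe"},
    {"@timestamp": "2023-07-31T17:41:10Z", "event.code": 4688,
     "winlog.event_data.ParentProcessName": r"C:\Windows\explorer.exe",
     "winlog.event_data.NewProcessName": r"C:\Windows\System32\notepad.exe"},
    {"@timestamp": "2023-07-31T17:39:50Z", "event.code": 59,
     "winlog.event_data.url": "http://192.0.2.10:8080/payload.exe"},
    {"@timestamp": "2023-07-31T17:40:05Z", "event.code": 60,
     "winlog.event_data.url": "http://192.0.2.10:8080/payload.exe"},
]

def _ts(event):
    return datetime.strptime(event["@timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def lolbas_launches(events, binary="bitsadmin.exe"):
    """Process-creation (4688) events whose new process is the LOLBAS, oldest first."""
    hits = [e for e in events if e["event.code"] == 4688
            and e["winlog.event_data.NewProcessName"].lower().endswith("\\" + binary)]
    return sorted(hits, key=_ts)

def parent_counts(launches):
    """Count parent images (basename only); a scripting host like powershell.exe is the red flag."""
    return Counter(e["winlog.event_data.ParentProcessName"].rsplit("\\", 1)[-1].lower()
                   for e in launches)

def first_attempt(events, binary="bitsadmin.exe"):
    """Earliest launch formatted as the lab expects (24H UTC), or None if never seen."""
    launches = lolbas_launches(events, binary)
    return _ts(launches[0]).strftime("%Y-%m-%d %H:%M:%S") if launches else None

def bits_job_hosts(events):
    """Remote hosts named in BITS-Client job creation (59) and modification (60) URLs."""
    hosts = Counter()
    for e in events:
        if e["event.code"] in (59, 60) and e.get("winlog.event_data.url"):
            hosts[urlsplit(e["winlog.event_data.url"]).hostname] += 1
    return hosts
```

Pairing the process-creation view with the BITS-Client job URLs is what lets you tie the LOLBAS execution to the remote host it pulled from, rather than relying on either data source alone.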

Q6) When was the most recent file downloaded by the attacker to the targeted machine? (Format: 24H UTC)

Answer:  2023-07-31 18:16:48
