T1197 Lab

Q1) What is the framework used to create the backdoors?

In this scenario, an employee received multiple Windows Defender alerts indicating the presence of malicious files on their PC. Let's use Event ID 1116 to examine Windows Defender event logs.

index="mitre-t1197" event.code=1116

The detection of Trojan:Win32/Meterpreter.O!MTB indicates that the backdoor is linked to Meterpreter, a popular payload used by the Metasploit framework.

Answer: Metasploit

Q2) What is the name of the scheduled task that the attacker tried to create?

index="mitre-t1197" event.code=4698 
| table winlog.event_data.SubjectUserName, winlog.event_data.TaskName

Event ID 4698: A scheduled task was created. The TaskName field holds the name of the task the attacker attempted to register.

Answer: eviltask

Q3) What is the LOLBAS used by the malicious actor to move the backdoors to the targeted machine?

index="mitre-t1197" "event.code"=4688
| stats count by winlog.event_data.ParentProcessName, winlog.event_data.NewProcessName
| sort -count

bitsadmin.exe appearing 32 times with PowerShell as its parent process is highly indicative of malicious activity: attackers commonly use PowerShell to execute commands stealthily and BITSAdmin to transfer files without raising alarms.

index="mitre-t1197" "event.code"=1116 "winlog.event_data.Threat Name"="Trojan:Win32/Meterpreter.O"

Answer: bitsadmin.exe

Q4) When was the first attempt made by the attacker to execute the LOLBAS? (Format: 24H UTC)

index="mitre-t1197" event.code=4688 winlog.event_data.NewProcessName="*bitsadmin.exe"
| table _time, winlog.event_data.NewProcessName
| sort _time

Answer: 2023-07-31 17:39:45

Q5) What is the IP address of the attacker?

index="mitre-t1197" (event.code=59 OR event.code=60)
| table _time, winlog.event_data.url, event.code

• Event ID 59: Job creation.
• Event ID 60: Job modification (e.g., adding files).

Answer: 192.168.190.136

Q6) When was the most recent file downloaded by the attacker to the targeted machine? (Format: 24H UTC)

Answer: 2023-07-31 18:16:48
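The Splunk queries used for Q3 through Q6 each answer one question over the same two event sources: Security 4688 process-creation events (parent/child image names) and BITS-Client events 59/60 (job URLs). The following Python is an added example, not part of the original lab write-up or its Splunk searches: it re-implements that triage over a handful of constructed event records so it can be run offline. It assumes flattened field names (`event.code`, `ParentProcessName`, `NewProcessName`, `url`) instead of the `winlog.event_data.*` paths in the queries, and every timestamp, path and IP in `SAMPLE_EVENTS` is a constructed placeholder, not data from the lab.

```python
"""Added example: BITS-job (T1197) triage in Python over constructed events.

Not the lab's own code. Field names are flattened for readability; all sample
values (timestamps, paths, the 192.0.2.10 placeholder IP) are constructed.
"""
import ntpath
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample events. 4688 = Security process creation;
# 59/60 = BITS-Client operational events carrying the transfer URL.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"_time": "2023-01-01T09:30:00Z", "event.code": 4688,
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "NewProcessName": r"C:\Windows\System32\svchost.exe"},
    {"_time": "2023-01-01T10:00:00Z", "event.code": 4688,
     "ParentProcessName": r"C:\Windows\explorer.exe", "NewProcessName": PS},
    {"_time": "2023-01-01T10:01:12Z", "event.code": 4688,
     "ParentProcessName": PS,
     "NewProcessName": r"C:\Windows\System32\bitsadmin.exe"},
    {"_time": "2023-01-01T10:01:13Z", "event.code": 59,
     "url": "http://192.0.2.10:8080/stage1.exe"},
    {"_time": "2023-01-01T10:05:40Z", "event.code": 4688,
     "ParentProcessName": PS,
     "NewProcessName": r"C:\Windows\System32\bitsadmin.exe"},
    {"_time": "2023-01-01T10:05:41Z", "event.code": 60,
     "url": "http://192.0.2.10:8080/stage2.exe"},
]


def parse_time(ts):
    """Parse the ISO-8601 'Z' timestamps used by the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_time(dt):
    """Render in the lab's answer format (24H UTC)."""
    return dt.strftime("%Y-%m-%d %H:%M:%S")


def process_pairs(events):
    """Q3 query: stats count by parent, child | sort -count.

    Keys are lower-cased image basenames so path variations collapse."""
    counts = Counter(
        (ntpath.basename(e["ParentProcessName"]).lower(),
         ntpath.basename(e["NewProcessName"]).lower())
        for e in events if e["event.code"] == 4688
    )
    return counts.most_common()


def lolbas_spawned_by_powershell(events, lolbas=("bitsadmin.exe",)):
    """Detection rule behind the Q3 finding: a LOLBAS with a PowerShell parent."""
    return [(parent, child, n) for (parent, child), n in process_pairs(events)
            if parent == "powershell.exe" and child in lolbas]


def first_execution(events, image="bitsadmin.exe"):
    """Q4: earliest 4688 whose NewProcessName is `image`."""
    times = [parse_time(e["_time"]) for e in events
             if e["event.code"] == 4688
             and ntpath.basename(e["NewProcessName"]).lower() == image]
    return fmt_time(min(times)) if times else None


def bits_transfers(events):
    """BITS-Client events 59/60: (time, remote URL) of each job."""
    return [(parse_time(e["_time"]), e["url"])
            for e in events if e["event.code"] in (59, 60)]


def remote_hosts(events):
    """Q5: host part of every BITS job URL (the download source)."""
    return sorted({urlparse(url).hostname for _, url in bits_transfers(events)})


def latest_download(events):
    """Q6: timestamp of the most recent BITS transfer event."""
    transfers = bits_transfers(events)
    return fmt_time(max(t for t, _ in transfers)) if transfers else None


if __name__ == "__main__":
    for pair, n in process_pairs(SAMPLE_EVENTS):
        print(n, pair)
    print("suspicious:", lolbas_spawned_by_powershell(SAMPLE_EVENTS))
    print("first bitsadmin:", first_execution(SAMPLE_EVENTS))
    print("remote hosts:", remote_hosts(SAMPLE_EVENTS))
    print("latest download:", latest_download(SAMPLE_EVENTS))
```

Because `process_pairs` keys on image basenames rather than full paths, the same detection also catches bitsadmin launched from a non-standard directory or via a different PowerShell install path, which the raw `stats count by` over full paths would split into separate rows.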
