Scenario:
You experience a ransomware attack and the attacker leaves a ransom note on your machine.
Steps:
- First locate the note and read its contents with PowerShell (Get-ChildItem to find the file, Get-Content to read it), then use Sysmon to get the time it was opened. Sysmon Event ID 1 (process creation) records the viewer process and its command line.
- Note: when you look up the time in Sysmon, make sure the event is actually tied to the file you are investigating. For example, to find when sophie.txt on the Desktop was opened, you would search for notepad.exe because that is the application the attacker used, but there will be many notepad.exe entries in Sysmon. Match the one whose CommandLine contains sophie.txt, not just any notepad.exe instance.
- Next, find the payload that was downloaded and run, since that is what caused the incident.
- Check the Downloads folder, or open the browser and look at its download history. Sysmon can also help here: Event ID 15 (FileCreateStreamHash) records the Zone.Identifier stream that browsers attach to downloaded files, which shows where the file came from.
- When the payload ran, it appended an extension to the name of every file it encrypted. To find that extension, check Sysmon Event ID 11 (FileCreate) and filter on the payload's Image or ProcessGuid (for example, the installer antivirus.exe). The TargetFilename field of each event shows the new name with the appended extension. Keep in mind that Sysmon only logs FileCreate for the paths its configuration includes, so an empty result means "not logged", not "no files touched".
- The downloaded file reached out to an IP address, and we need to find it. Event ID 3 is network connection, so filter on that ID and on an Image path under the Downloads folder (the payload), then read the DestinationIp field.
- Now we need to get information about the threat actor.
- The threat actor's IP is also in Sysmon Event ID 3. Which field holds it depends on the direction of the connection: for an outbound connection (Initiated=true) the remote host is DestinationIp and SourceIp is the victim machine itself; for an inbound connection (Initiated=false) the remote host is SourceIp. Focus on the connections made after the download, since those are the payload talking back to the attacker.
- We also found another download. Investigate it by filtering Sysmon Event ID 1 (process creation) on its Image path and checking the details of when it was executed and which parent process launched it.
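The steps above as one PowerShell script against the Sysmon Operational log. This is an added example, not part of the original write-up: it assumes an elevated session on the affected host (or an exported .evtx, by swapping LogName for Path in the filter hashtable), and the note name sophie.txt and payload name antivirus.exe are hypothetical placeholders taken from the steps.

```powershell
# Added example (not from the original page): triage of a ransom note and its payload
# from the Sysmon Operational log with Get-WinEvent. Assumed names: the ransom note
# 'sophie.txt' and the payload 'antivirus.exe' are hypothetical.
$LogName     = 'Microsoft-Windows-Sysmon/Operational'
$NoteName    = 'sophie.txt'
$PayloadName = 'antivirus.exe'

# Flatten Sysmon events into objects carrying a hashtable of the EventData fields.
function Get-SysmonEvents {
    param([int[]]$Id, [datetime]$StartTime)
    $filter = @{ LogName = $LogName; Id = $Id }
    if ($PSBoundParameters.ContainsKey('StartTime')) { $filter['StartTime'] = $StartTime }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{ Id = $_.Id; Time = $_.TimeCreated; Data = $data }
    }
}

# Step 1: the note itself, and the process that opened it. Match Event ID 1 on the
# command line containing the note name, not on notepad.exe alone.
$note = Get-ChildItem -Path $env:USERPROFILE -Recurse -Filter $NoteName -ErrorAction SilentlyContinue |
        Select-Object -First 1
if ($note) { "Note: $($note.FullName)"; Get-Content $note.FullName }
Get-SysmonEvents -Id 1 |
    Where-Object { $_.Data.CommandLine -like "*$NoteName*" } |
    ForEach-Object { "Opened at $($_.Time) by $($_.Data.Image) : $($_.Data.CommandLine)" }

# Step 2: the payload that ran from Downloads (Event ID 1 = process creation).
$payload = Get-SysmonEvents -Id 1 |
    Where-Object { $_.Data.Image -like "*\Downloads\$PayloadName" } |
    Sort-Object Time | Select-Object -First 1
if (-not $payload) { throw "No Event ID 1 for $PayloadName under a Downloads folder" }
"Payload ran at $($payload.Time): $($payload.Data.Image) (parent $($payload.Data.ParentImage))"
"Hashes: $($payload.Data.Hashes)"
$guid = $payload.Data.ProcessGuid   # ties every later event back to this exact process

# Step 3: the extension appended to victim files. Event ID 11 (FileCreate) from the
# payload's ProcessGuid, grouped by the extension of TargetFilename. Sysmon only logs
# FileCreate for paths its configuration includes, so an empty result is "not logged".
Get-SysmonEvents -Id 11 -StartTime $payload.Time |
    Where-Object { $_.Data.ProcessGuid -eq $guid } |
    Group-Object { [System.IO.Path]::GetExtension($_.Data.TargetFilename) } |
    Sort-Object Count -Descending |
    Select-Object Count, Name

# Step 4: where the payload connected (Event ID 3 = network connection). Outbound
# (Initiated=true): the remote host is DestinationIp, SourceIp is the victim.
# Inbound (Initiated=false): the remote host is SourceIp.
Get-SysmonEvents -Id 3 -StartTime $payload.Time |
    Where-Object { $_.Data.ProcessGuid -eq $guid } |
    ForEach-Object {
        $remote = if ($_.Data.Initiated -eq 'true') { $_.Data.DestinationIp } else { $_.Data.SourceIp }
        "$($_.Time) $($_.Data.Image) remote=$remote dstPort=$($_.Data.DestinationPort) initiated=$($_.Data.Initiated)"
    }

# Step 5: anything else executed from Downloads after the payload (the "other download").
Get-SysmonEvents -Id 1 -StartTime $payload.Time |
    Where-Object { $_.Data.Image -like '*\Downloads\*' -and $_.Data.ProcessGuid -ne $guid } |
    ForEach-Object { "$($_.Time) $($_.Data.Image) parent=$($_.Data.ParentImage)" }
```

Everything after step 2 is keyed on the payload's ProcessGuid rather than its image name, so a second copy of antivirus.exe run later, or a different process with the same name, is not mixed into the results. The StartTime filter keeps the ID 11 and ID 3 queries fast on a busy log.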