<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by Krina Patel on Medium]]></title>
        <description><![CDATA[Stories by Krina Patel on Medium]]></description>
        <link>https://medium.com/@krinaforu?source=rss-a3b5914fa3ce------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*r3EyQcNH8vohyGi3nI9HmQ.png</url>
            <title>Stories by Krina Patel on Medium</title>
            <link>https://medium.com/@krinaforu?source=rss-a3b5914fa3ce------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Fri, 22 May 2026 13:56:13 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@krinaforu/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[OhSINT]]></title>
            <link>https://medium.com/@krinaforu/ohsint-a1e698bf3e27?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/a1e698bf3e27</guid>
            <category><![CDATA[osint]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[open-source-intelligence]]></category>
            <category><![CDATA[exiftool]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Fri, 07 Apr 2023 19:36:32 GMT</pubDate>
            <atom:updated>2023-04-07T19:36:32.302Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>Are you able to use open source intelligence to solve this challenge?</strong></p><p>OSINT stands for Open Source Intelligence, which refers to the collection, analysis, and dissemination of information that is publicly available and accessible. It involves using open source tools and techniques to gather and analyze information from a variety of sources, such as social media platforms, online forums, news articles, and government websites.</p><p>OSINT can be used for a wide range of purposes, such as conducting research, monitoring social trends, and gathering intelligence on individuals, organizations, or events. It is used by various entities, including governments, law enforcement agencies, private investigators, and journalists.</p><p>OSINT techniques typically involve searching for and analyzing publicly available information using various search engines, social media platforms, and other online tools. The information gathered can include text, images, and other media, which can be analyzed using various data analysis tools and techniques.</p><p><strong>Step 1:</strong> The task files must be downloaded before we can begin working in this room. This gives us the picture (WindowsXP.jpg) shown below.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*MwJfTuQZL8O_bOVxaVBnug.png" /></figure><p><strong>Step 2:</strong> Once we have the image, the first thing we do is right-click it and select “image properties.” However, as the figure below shows, this is not particularly useful.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/573/1*Qe3RAm0a6rbJ5lnfjTxovw.png" /></figure><p><strong>Step 3:</strong> Run apt-get install exiftool to obtain exiftool, then run it on WindowsXP.jpg.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/947/1*oOaz3dcNbkiXAE7Xhvei1g.png" /></figure><p>This discloses some intriguing information, including the GPS coordinates and the image copyright.</p><p><strong>Step 4:</strong> A quick Google search for “OWoodflint” returns 2 results, including 1 from Twitter and 2 from GitHub.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*Gz6J2MlLYhUqHM1Xr66XuQ.png" /></figure><blockquote>#1. What is this user avatar of?</blockquote><blockquote>Cat</blockquote><p><strong>Step 5:</strong> Using wigle.net, look up the BSSID found on the Twitter page. Searching Google for “BSSID Lookup” (a BSSID, Basic Service Set Identifier, is the MAC address of an access point or wireless router) returns WiGLE (Wireless Network Mapping) as the first result.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/940/1*mHXDvyb-Eas-NVH0zA7lHQ.png" /></figure><p><strong>Step 6:</strong> Take the BSSID we copied from Twitter and run a query. The query should return the SSID of the WAP (Wireless Access Point).</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*BLtSyWrXyFcY_bVcHz6xlQ.png" /></figure><blockquote>#2 What city is this person in?</blockquote><blockquote>London</blockquote><p><strong>Step 7:</strong> Zoom in all the way to view the SSID.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*l45F8_W8TUSUnL1GHxmTDg.png" /></figure><blockquote>#4 What’s the SSID of the WAP he connected to?</blockquote><blockquote>UnileverWiFi</blockquote><p><strong>Step 8:</strong> A Google search reveals two other websites where our target has accounts. His email address is visible on the GitHub page.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*727G3EsixjhDGl0ufVIVRQ.png" /></figure><blockquote>#5 What is his personal email address?</blockquote><blockquote><a href="mailto:OWoodflint@gmail.com">OWoodflint@gmail.com</a></blockquote><blockquote>#6 What site did you find his email address on?</blockquote><blockquote>Github</blockquote><p><strong>Step 9:</strong> We could try to use the WAP’s location to find the holiday destination, but I chose to conduct a second Google search for “OWoodflint,” and I was able to locate a WordPress blog.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*Bna8dU6r-qiCvTE1M74ifw.png" /></figure><blockquote>#7 Where has he gone on holiday?</blockquote><blockquote>New York</blockquote><p><strong>Step 10:</strong> To find the person’s password, inspect the source code of the blog closely: our victim’s password is visible there. Sometimes, when text is the same colour as the background, #FFFFFF (white), we find something interesting.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/828/1*b3RQ4Y0kUVfXDUurqeehWg.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Google Dorking]]></title>
            <link>https://medium.com/@krinaforu/google-dorking-c49f7ac51055?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/c49f7ac51055</guid>
            <category><![CDATA[web-crawler]]></category>
            <category><![CDATA[google-dorking]]></category>
            <category><![CDATA[sitemap]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Fri, 07 Apr 2023 19:27:44 GMT</pubDate>
            <atom:updated>2023-04-07T19:27:44.394Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>Explaining how Search Engines work and leveraging them into finding hidden content!</strong></p><p><strong>Web Crawlers:</strong></p><p>Web crawlers, also known as spiders or robots, are automated software programs that systematically browse the internet, collecting data from websites. They are used to index websites for search engines and to extract data for various applications.</p><p>Web crawlers work by following links from one web page to another. They start by visiting a seed URL, which is the first page to be crawled, and then they extract all the links on that page. The crawler then follows each of those links to other pages, and the process continues recursively.</p><p>As the web crawler visits each page, it extracts various types of data, such as text, images, and links. This data is then stored in a database or index for later use. Web crawlers can also extract meta-data from web pages, such as page titles, descriptions, and keywords, which can be used by search engines to improve search results.</p><p>Web crawlers typically have to follow certain rules, such as the robots exclusion standard (robots.txt), which tells crawlers which pages they are allowed to crawl and which they should avoid. This is important to prevent crawlers from overwhelming websites with too many requests and to respect the privacy of website owners.</p><p>Web crawlers can be programmed to crawl websites at different frequencies, depending on the needs of the application. 
For example, a search engine may crawl popular websites more frequently to ensure the search results are up-to-date, while a research project may only need to crawl a small set of websites once.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*9pEEjhHkbbUpr8aS4tOG0w.png" /></figure><p><em>Ref: </em><a href="https://www.techtarget.com/whatis/definition/crawler"><em>https://www.techtarget.com/whatis/definition/crawler</em></a></p><p>Some of the web crawlers active on the Internet:</p><blockquote><em>Googlebot</em></blockquote><blockquote><em>Bingbot</em></blockquote><blockquote><em>Yandexbot</em></blockquote><blockquote><a href="https://support.alexa.com/hc/en-us/articles/200450194-Alexa-s-Site-Audit-Crawler"><em>Alexabot</em></a></blockquote><p><strong>How Do Web Crawlers Work?</strong></p><p>Now that you have a basic idea of what a web crawler is, you may wonder how a web crawler works. There is a vast number of web pages available on the Internet, and the number is growing fast every day. How does a web crawler get through all of them?</p><p>In fact, not all content on the Internet is indexed by web crawlers. Some pages are not open to search engine bots, and some are simply never reached by one.</p><p>Keywords play an important role in the process of web crawling because they help crawlers to identify relevant content on web pages. Keywords are specific words or phrases that are used to describe the content of a web page. For example, if a web page is about “dog food,” then the keywords associated with that page might include “dog,” “food,” “nutrition,” and so on.</p><p>When a web crawler visits a web page, it looks for keywords and other information that can help it to understand the content of the page. 
This information is then used by search engines to rank pages in search results based on their relevance to a user’s search query.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*VmO39A0LGI5_ZmfzoKYGCA.png" /></figure><p><em>Ref: </em><a href="https://www.octoparse.com/blog/what-is-a-web-crawler-and-how-does-it-work-at-your-benefit#"><em>https://www.octoparse.com/blog/what-is-a-web-crawler-and-how-does-it-work-at-your-benefit#</em></a></p><p><strong>Start from Seed URLs</strong></p><p>Normally, a web crawler bot starts its journey from a set of known URLs, or what is called seed URLs. It browses the meta information of web pages (for example title, description) and also the body of the web page. As these pages are indexed, the crawler keeps going through the hyperlinks to visit web pages that are linked in the seed pages.</p><p>Hence, this is the basic route that a web crawler would take:</p><p>· Go to the list of known web pages</p><p>· Extract the URLs that are linked in these web pages and add them to the list</p><p>· Continue to visit the newly added pages</p><p>By visiting web pages constantly, web crawlers can discover new pages or URLs, update changes to existing pages, as well as mark those dead links.</p><blockquote>#1 Name the key term of what a “Crawler” is used to do</blockquote><blockquote>Index</blockquote><blockquote><em>#2 What is the name of the technique that “Search Engines” use to retrieve this information about websites?</em></blockquote><blockquote><em>Crawling</em></blockquote><blockquote><em>#3 <br> What is an example of the type of contents that could be gathered from a website?</em></blockquote><blockquote><em>Keywords</em></blockquote><p><strong>Search Engine Optimization</strong></p><p>· SEO is about optimizing your website to improve its ranking in search engine results pages.</p><p>· Search engines use algorithms to determine a website’s relevance and authority.</p><p>· There are many factors that can influence a 
website’s ranking, including its content, structure, and backlinks.</p><p>· Key factors that can impact SEO include:</p><p>· Responsive design that works well on desktop and mobile devices.</p><p>· Use of relevant keywords in website content and metadata.</p><p>· High-quality content that provides value to users.</p><p>· Effective use of titles, headers, and meta descriptions.</p><p>· Good website architecture with easy-to-navigate menus and sitemaps.</p><p>· Secure and fast-loading websites.</p><p>· Quality backlinks from reputable websites.</p><p>· Search engines like Google do not disclose the exact factors they use to rank websites, but SEO experts use their knowledge and experience to improve website ranking.</p><p>· Paid advertising, such as Google Ads, can also help boost a website’s visibility in search results.</p><p>Examples of different scenarios where SEO can be important include:</p><p>· A local business, like a restaurant or retail store, wants to attract nearby customers searching for their services online.</p><p>· A blogger wants to increase traffic to their website and attract advertisers.</p><p>· An e-commerce site wants to improve its search rankings for specific product categories.</p><p>· A non-profit organization wants to increase visibility for its cause and attract more donations.</p><p><strong>Robots.txt</strong></p><p>Robots.txt is a file used to instruct web crawlers which parts of a website they are allowed to crawl and index. It’s a simple text file placed at the root of the website, accessible through the URL: <a href="http://www.yourwebsite.com/robots.txt">http://www.yourwebsite.com/robots.txt</a>. 
Here are some key points about robots.txt:</p><p>· It is used to prevent crawlers from accessing certain files or directories of a website.</p><p>· It is a voluntary protocol, meaning that crawlers can choose to ignore it.</p><p>· The file is typically created by website owners or administrators, and it can be customized to fit the specific needs of the website.</p><p>Here are some examples of robots.txt directives:</p><blockquote>User-agent: *</blockquote><blockquote>Disallow: /admin/</blockquote><p>This directive disallows all web crawlers (*) from accessing the /admin/ directory.</p><blockquote>User-agent: Googlebot</blockquote><blockquote>Disallow: /private/</blockquote><p>This directive only disallows Googlebot from accessing the /private/ directory.</p><blockquote>User-agent: *</blockquote><blockquote>Disallow: /*.pdf$</blockquote><p>This directive disallows all web crawlers from accessing any file whose name ends in “.pdf”.</p><blockquote>User-agent: *</blockquote><blockquote>Crawl-delay: 10</blockquote><p>This directive instructs all web crawlers to wait 10 seconds between each page crawl.</p><blockquote>User-agent: Googlebot</blockquote><blockquote>Disallow:</blockquote><blockquote>User-agent: *</blockquote><blockquote>Disallow: /</blockquote><p>This configuration allows Googlebot to crawl all directories and pages on our site, while disallowing all other crawlers.</p><blockquote>#1 Where would “robots.txt” be located on the domain “<strong>ablog.com</strong>”</blockquote><blockquote>ablog.com/robots.txt</blockquote><blockquote>#2 If a website was to have a sitemap, where would that be located?</blockquote><blockquote>Sitemap.xml</blockquote><blockquote>#3 How would we only allow “Bingbot” to index the website?</blockquote><blockquote>User-Agent:Bingbot</blockquote><blockquote>#4 How would we 
prevent a “Crawler” from indexing the directory “/dont-index-me/”?</blockquote><blockquote>disallow:/dont-index-me/</blockquote><blockquote>#5 What is the extension of a Unix/Linux system configuration file that we might want to hide from “Crawlers”?</blockquote><blockquote>.conf</blockquote><p><strong>Sitemaps</strong></p><p>A sitemap is a file that lists all the pages and content on a website, which helps search engine crawlers to understand the structure and hierarchy of a website’s content. Sitemaps are usually submitted to search engines to aid in the crawling and indexing process.</p><p>Sitemaps are useful to search engines for several reasons:</p><p>1. <strong>Improved crawling</strong>: Sitemaps provide a complete list of pages and content on a website, making it easier for search engine crawlers to find and index all of a site’s content.</p><p>2. <strong>Better indexing</strong>: Sitemaps provide additional information about each page, such as its last update, its priority, and its relationship to other pages on the site. This information helps search engines to understand the site’s structure and prioritize the most important pages for indexing.</p><p>3. <strong>Discovery of new content</strong>: Sitemaps can include links to pages that may not be easily discoverable by crawlers, such as pages with dynamic content or pages that are not linked from other pages on the site.</p><p>4. <strong>Faster indexing</strong>: Sitemaps can help search engines to quickly discover and index new or updated content on a website, reducing the time it takes for changes to appear in search results.</p><p>Here is an example of what a basic sitemap might look like in XML format:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*Bbmk638p1OVf_-gPnhfTtQ.png" /></figure><p>In this example, the sitemap includes three URLs from a hypothetical website, each with a last modification date, a change frequency, and a priority level. 
This information helps search engines to understand the site’s content and structure and prioritize the most important pages for indexing.</p><blockquote>#1 What is the typical file structure of a “Sitemap”?</blockquote><blockquote>Xml</blockquote><blockquote>#2 What real life example can “Sitemaps” be compared to?</blockquote><blockquote>Map</blockquote><blockquote>#3 Name the keyword for the path taken for content on a website</blockquote><blockquote>Route</blockquote><p><strong>Google Dorking:</strong></p><p>Google Dorking is a technique that involves using advanced search operators and search techniques to find sensitive information that is not readily available through a regular search. This technique can be used to uncover vulnerabilities or access hidden content on websites.</p><p><strong>Using Google Dorking for Advanced Searching:</strong></p><p>Using Google for advanced searching involves the use of advanced search operators or search syntax to refine our search results. Here are some examples of advanced search operators and their functions:</p><blockquote><strong>“site:”</strong> — limits the search results to a specific site or domain.</blockquote><blockquote>Example: site:example.com</blockquote><p>This will only show results from the website “example.com”.</p><blockquote><strong>“inurl:”</strong> — limits the search results to pages that contain a specific keyword in the URL.</blockquote><blockquote>Example: inurl:admin</blockquote><p>This will show pages that contain “admin” in their URL.</p><blockquote><strong>“intitle:”</strong> — limits the search results to pages that contain a specific keyword in the title.</blockquote><blockquote>Example: intitle:”index of”</blockquote><p>This will show pages that have “index of” in their title.</p><blockquote><strong>“-” </strong>— excludes a specific keyword from the search results.</blockquote><blockquote>Example: apple -fruit</blockquote><p>This will show results that contain the word “apple”, but not the 
word “fruit”.</p><blockquote><strong>“filetype:”</strong> — limits the search results to a specific file type.</blockquote><blockquote>Example: filetype:pdf</blockquote><p>This will show only results that are PDF files.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/657/1*Zy1M4TvYIrvhcH5RU_9UVw.png" /></figure><p>Google Dorking is appealing because it allows us to find sensitive information that is not readily available through regular search methods. It can be used for a variety of purposes, including finding vulnerable websites, locating confidential information, and conducting research. However, it is important to use this technique responsibly and ethically, as it can be used for malicious purposes.</p><blockquote>#1 What would be the format used to query the site bbc.co.uk about flood defences</blockquote><blockquote>site:bbc.co.uk flood defences</blockquote><blockquote>#2 What term would you use to search by file type?</blockquote><blockquote>Filetype:</blockquote><blockquote>#3 What term can we use to look for login pages?</blockquote><blockquote>intitle: login</blockquote>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Active Directory]]></title>
            <link>https://medium.com/@krinaforu/active-directory-e3c57398c547?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/e3c57398c547</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[trees]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[active-directory]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Sat, 01 Apr 2023 21:14:58 GMT</pubDate>
            <atom:updated>2023-04-01T21:14:58.687Z</atom:updated>
            <content:encoded><![CDATA[<h3>Active Directory Basics</h3><p><strong>Active Directory</strong>: Active Directory (AD) is a centralized database that stores information about users, computers, printers, and other network resources in a domain. Active Directory is designed to provide a centralized authentication and authorization mechanism for network resources. It allows administrators to manage and control access to resources on a network by creating and managing user accounts, groups, and computer accounts. AD provides a variety of features including user and group management, access control, authentication, and single sign-on.</p><p><strong>Windows Domain</strong>: A Windows domain is a grouping of computers, users, and other network resources that are managed as a single unit using <strong>Active Directory</strong>. In a Windows domain, a central server called a <strong>domain controller</strong> authenticates users and allows them to access network resources based on their permissions and policies defined by administrators.</p><blockquote>In a Windows domain, credentials are stored in a centralized repository called…</blockquote><blockquote><em>Active Directory</em></blockquote><blockquote>The server in charge of running the Active Directory services is called…</blockquote><blockquote><em>Domain Controller</em></blockquote><p><strong>Active Directory Objects</strong>: Objects refer to the various entities that are stored within the directory service database. 
Objects represent resources such as users, groups, computers, printers, and other network devices that are managed by Active Directory.</p><p>· <strong>User:</strong> A user object represents an individual user account that has access to network resources, and it contains properties like username, password, and group membership.</p><p>· <strong>Machine:</strong> A computer object represents a network device, and it has properties like hostname, operating system, and group membership.</p><p>· <strong>Security groups:</strong> They represent collections of users and computers that share common access permissions. A security group object has properties like name, description, and group membership.</p><p>In Active Directory, objects are organized into a hierarchical structure based on their properties, which allows administrators to manage and delegate control over network resources. Objects can be placed into containers or organizational units (OUs) based on their properties, and administrators can apply policies and permissions to these containers to manage the resources within them.</p><p><strong>Practical 1: Creating new OU named Students under THM:</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*KZ5vNsRbaD_ItUA5q3wBZg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*xOHWZpShA8PDa-oCmBRn2g.png" /></figure><blockquote>Which group normally administrates all computers and resources in a domain?</blockquote><blockquote><em>Domain Admins</em></blockquote><blockquote>What would be the name of the machine account associated with a machine named TOM-PC?</blockquote><blockquote><em>TOM-PC$</em></blockquote><blockquote>Suppose our company creates a new department for Quality Assurance. 
What type of containers should we use to group all Quality Assurance users so that policies can be applied consistently to them?</blockquote><blockquote><em>Organizational Units</em></blockquote><p><strong>Practical 2: Deleting extra users and OUs</strong></p><p>Our current AD configuration contains an additional department OU, Research and Development, that doesn’t appear in the chart. We’ve been told it was closed due to budget cuts and should be removed from the domain. If we try to right-click and delete the OU, we get the following error:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*oOp281MMHCnyyxW-d_1DAg.png" /></figure><p>By default, OUs are protected against accidental deletion. To delete the OU, we need to enable <strong>Advanced Features</strong> in the View menu:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*UD-BuhKMT4EVZw5jO64jKA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*Dnre_ZGx1tzX_fD30FBsZQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*k2eA8n63g3n5_gvvVipxPQ.png" /></figure><p><strong>Practical 3: Delegation Steps</strong></p><p>· To delegate control over an OU, we can right-click it and select <strong>Delegate Control</strong></p><p>· This opens a new window where we are first asked for the users to whom we want to delegate control</p><p>· To avoid mistyping the user’s name, type “phillip” and click the <strong>Check Names</strong> button. 
Windows will autocomplete the user for us.</p><p>· Click OK, and on the next step, select the option “Read user passwords and force password change at next logon”.</p><p>· Now Phillip should be able to reset passwords for any user in the sales department.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*UdKYaV5rsFKUg3SKMxbx_Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/926/1*bZ1zRyHYyeESIAm0j87iag.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*ZQjFUs3Mh6nlwteua16ZTA.png" /></figure><p>· Now let’s use Phillip’s account to try and reset Sophie’s password.</p><p>· While we may be tempted to open Active Directory Users and Computers to test Phillip’s new powers, he doesn’t have the privileges to open it, so we have to use other methods to reset the password. In this case, we use PowerShell:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*M_62pGXEESh6XgTGlAQ9Yg.png" /></figure><p>· Log into Sophie’s account with your new password and retrieve a flag from Sophie’s desktop.</p><p>· After changing Sophie’s account password, we can log in as Sophie using the password specified in the PowerShell command.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/891/1*TrWMR9dxyLJbn-VOIex9Tg.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/934/1*nsRd6C-PC4lvtP0hSUrapA.png" /></figure><blockquote>What was the flag found on Sophie’s desktop?</blockquote><blockquote><em>THM{thanks_for_contacting_support}</em></blockquote><figure><img alt="" src="https://cdn-images-1.medium.com/max/917/1*PfCv7NWLPDxZIW4R7FwH4A.png" /></figure><blockquote>The process of granting privileges to a user over some OU or other AD Object is called…</blockquote><blockquote><em>Delegation</em></blockquote><p><strong>Managing Computers in AD:</strong> Managing computers in Active Directory involves several tasks, such as 
joining computers to the domain, managing computer accounts, and configuring policies and permissions for computers.</p><p><strong>Practical 4: Tidying up our AD</strong></p><p>Create two separate OUs for Workstations and Servers directly under the thm.local domain container.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*CR0oM8qU7tUgo4sgHnOtEQ.png" /></figure><p>After creating the separate OUs, we have the following workstations and servers.</p><p>Workstations OU:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/884/1*xEolj1rjQoAYV0T4kjVORQ.png" /></figure><p>Servers OU:</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/912/1*mAKfPYmbikIfn3-yt3wy2Q.png" /></figure><p><strong>Group Policy Object:</strong> A Group Policy Object (GPO) is a collection of settings that define how computers and users behave in an Active Directory domain. GPOs are used to enforce security policies, software installation and configuration, and other settings that affect computer and user behavior.</p><p>GPOs can be linked to domains, OUs, and sites in Active Directory to apply settings to specific groups of computers and users. GPOs can be used to manage both computer and user settings, and can be used to apply policies to multiple levels of the Active Directory hierarchy.</p><p>Three policies are defined, with scopes as shown:</p><ol><li>The <strong>Default Domain Policy</strong> is a GPO that contains settings that apply to all computers and users in the domain. It can be used to configure security policies, password policies, and other domain-wide settings.<figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*m_wt6cB-Qn61saMD5HcYWw.png" /></figure></li><li>The <strong>Default Domain Controller Policy</strong> is a GPO that contains settings that apply specifically to domain controllers in the domain. It can be used to configure security policies, audit policies, and other settings that are specific to domain controllers.<figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*JStkXkeDD8dHWg7Q957Ejg.png" /></figure></li><li>The <strong>RDP policy</strong> is a GPO that contains settings that apply specifically to Remote Desktop Protocol (RDP) connections. It can be used to control access to RDP, configure authentication settings, and other settings that are specific to RDP connections.<figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*0OzRU7c3ayKukJyasM7Hiw.png" /></figure></li></ol><p><strong>Practical 5: Changing the minimum password length</strong></p><p>· Any modification to this GPO has an impact on all computers because it applies to the entire domain. 
Change the minimal password length policy to demand that users use passwords with at least 10 characters.</p><p>· Right-click the GPO and choose Edit to complete this.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/825/1*EcRrghxAA3dYpeP8WOZUWw.png" /></figure><p>· By doing so, a new window will appear, allowing us to browse and edit each of the configurations that are offered.</p><p>· Go to</p><p>Computer Configurations -&gt; Policies -&gt; Windows Setting -&gt; Security Settings -&gt; Account Policies -&gt; Password Policy</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*2OZKqYiqUK0aT6jD8IMidA.png" /></figure><p>· Modify the necessary policy value to change the minimum password length.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/650/1*P40nUX8uKfXCdBUMzhqqqg.png" /></figure><p><strong>Practical 6: Create and apply Restrict Control Panel Access GPO</strong></p><p>The restrict control panel access policy was implemented to three OUs of thm.local, including Management, Marketing, and Sales, using Group Policy Management Editor.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*AM6RN1HiLO5rGuVg5mhHbw.png" /></figure><p><strong>Practical 7: Create and use a GPO for the Auto Lock Screen.</strong></p><p>The root domain of thm.local was subject to the auto screen lock regulation.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*ALhAbEVLzV9BJeJZOC82HA.png" /></figure><p>The linked accounts were unable to access the Control Panel after applying the GPO to particular OUs. When a user tries to carry out an illegal activity, an error message is shown.</p><blockquote>What is the name of the network share used to distribute GPOs to domain machines?</blockquote><blockquote><em>SYSVOL</em></blockquote><p><strong>Authentication Methods: </strong>Authentication methods are used to verify a user’s identity when accessing a service or resource in a Windows domain. 
Two protocols that can be used for network authentication in Windows domains are Kerberos and NetNTLM.</p><p>· <strong>Kerberos</strong> is the default protocol used in recent versions of Windows and is considered more secure than NetNTLM. When a user attempts to authenticate using Kerberos, the Domain Controller verifies their identity and issues a ticket that is used to access the requested resource.</p><p>· <strong>NetNTLM</strong> is a legacy authentication protocol kept for compatibility purposes. It is less secure than Kerberos and should be considered obsolete, but it may still be enabled in many networks.</p><blockquote>When referring to Kerberos, what type of ticket allows us to request further tickets known as TGS?</blockquote><blockquote><em>Ticket Granting Ticket</em></blockquote><p><strong>Trees, Forests and Trusts:</strong> Companies and their networks expand together. A business can get by with just one domain at first, but as time goes on, you might find that you need more than one.</p><p>Trees:</p><blockquote>As networks grow, multiple domains may be needed.</blockquote><blockquote>Active Directory allows integration of multiple domains into trees.</blockquote><blockquote>A tree consists of domains that share the same namespace.</blockquote><blockquote>IT teams can manage their respective domains independently.</blockquote><p>Forests:</p><blockquote>Domains in a network can be configured in different namespaces.</blockquote><blockquote>A forest is a union of several domain trees with different namespaces.</blockquote><blockquote>Each domain in a forest can have its own IT department and policies.</blockquote><blockquote>An Enterprise Admins group controls everything in the enterprise.</blockquote><p>Trust Relationships:</p><blockquote>Trust relationships allow domains to authorize users from other domains.</blockquote><blockquote>One-way trusts and two-way trusts can be established.</blockquote><blockquote>One-way trusts authorize access in one 
direction only.</blockquote><blockquote>Two-way trusts authorize mutual access between domains.</blockquote><blockquote>What is a group of Windows domains that share the same namespace called?</blockquote><blockquote><em>Tree</em></blockquote><blockquote>What should be configured between two domains for a user in Domain A to access a resource in Domain B?</blockquote><blockquote><em>A trust relationship</em></blockquote><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=e3c57398c547" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Juicy Details]]></title>
            <link>https://medium.com/@krinaforu/juicy-details-5d2a550a663e?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/5d2a550a663e</guid>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[ssh]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[ftp]]></category>
            <category><![CDATA[tryhackme]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Thu, 09 Mar 2023 23:32:09 GMT</pubDate>
            <atom:updated>2023-03-09T23:32:09.874Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>A popular juice shop has been breached! Analyze the logs to see what had happened…</strong></p><p><strong>Scenario: </strong>As a SOC Analyst for a major Juice Shop, you have been tasked with identifying the methods and tools used by an attacker who has breached your network, determining which endpoints were vulnerable, and identifying any sensitive data that may have been compromised. You have been provided with a zip file containing server logs by the IT team, and you need to start analyzing the logs immediately. To begin your investigation, please type “I am ready!” and begin your analysis without delay, as time is of the essence.</p><p><strong>Reconnaissance</strong></p><p>Analyze the provided log files.</p><p>Look carefully at:</p><p>· What tools the attacker used</p><p>· What endpoints the attacker tried to exploit</p><p>· What endpoints were vulnerable</p><p><strong>Step1:</strong> So, download the attached file, type in I am ready. So, we can see, logs.zip file. So, unzip logs.zip. And as we can see, we get provided with three files called the access.log, auth.log and vsftpd.log.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*7yrN8FGKTBSb_t3TYRXJBA.png" /></figure><p><strong>Step2:</strong> What tools did the attacker use? So, I think we’ll have to access the access.log because here they are talking about the tools that the attacker has used. So, most of the tools are made, are made against the website. So, the first one that seems to be used, as we can see, this is Mozilla 50. So, we’ll be looking basically for the headers.<strong> </strong>So, the first is Nmap scripting engine.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/868/1*fFfozxx5NDaLNp9wSN8TcA.png" /></figure><p>So basically, in order to brute force the login credentials, they used Hydra. As you can see it is accessing /rest/user/login every time. 
So, I think this is what they did to brute force the account credentials. So, the second tool is Hydra.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*aldk2UW8Mw6ulTH9BX-qyA.png" /></figure><p>The next thing after this, they use the browser to access and just after the browser there’s sqlmap. So sqlmap is for finding out SQL injection attacks. So, with that, this is the third tool that was used. And as we can see, there are a lot of queries made using sqlmap.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/889/1*T04Zb1jvC59Ecpv1u3GWpA.png" /></figure><p>Then we have Curl over here just after the Mozilla, our fourth tool.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/876/1*PZjgJ5p20QY-Z54PoG9u4Q.png" /></figure><p>The next is just after the curl, which is ferroxbuster.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*uiuZ5bf7cz03fPtLtKOX3Q.png" /></figure><p><strong>Step3:</strong> Which endpoint was vulnerable to brute force attacks? So just as we saw that they used Hydra for brute forcing and /rest/user/login was the end point which was vulnerable to brute force attacks.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*VXHAUvMMEC-iApC4Y5rjzQ.png" /></figure><p><strong>Step4:</strong> So which endpoint was vulnerable to SQL injection? So we’ll have to look for SQL queries over here. So just as we saw that they used sqlmap for finding out SQL Injection Attacks, and /rest/products/search was the end point which was vulnerable to SQL Injections.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*VH9_1lsQtNTr_4eqKMUE5A.png" /></figure><p><strong>Step5:</strong> So which parameter? 
So, the parameter is again, as we can see, after the question mark, the parameter is “q”.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*_hYbX-Enf14dblGOExnLEg.png" /></figure><p><strong>Step6:</strong> And what endpoint did the attacker try to use to retrieve files? So, let’s see, and if we see towards the end point which it used to fetch the files. So, FTP, which is for file transfer protocol, and for some reason they had it in the directory or in the website as well. So, they downloaded two files which was www-data.back and coupons_2013.md.bak.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*UtR5Oalj8Lgygp-2XcAQiw.png" /></figure><p><strong>Step7:</strong> So, what section of the website did the attacker used to scrap user email addresses? So basically, I would do reconnaissance from an attacker’s perspective, and basically if we go to sites like Amazon and Flipcart, mostly you will find the usernames, not the email addresses, only the usernames in the product categories, in the comments. As we can see, it is products and reviews. So, I think it will be product reviews.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/875/1*1HMdaYEvb9CFYSdC7v9mVw.png" /></figure><p><strong>Step8:</strong> So, was there brute force attack successful? If so, what timestamp of the successful login? So again, we’ll have to look for Hydra. So, the last query of the Hydra I think will show us or will give us the login credentials or it will prove that the login was successful. As we can see, 500 says that the service is not reachable, the request was not acceptable. And the 401 is for unauthorized. So, let’s look at the last request from Hydra. And as we can see, the last request from Hydra and just after that the user got admitted to rest/admin. 
So, I think this is the query, or this is the last brute force attempt that they did and yeah, it was successful.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*W4EWVKGLCUzZZroffIpq3w.png" /></figure><p><strong>Step9:</strong> What user information was the attacker able to retrieve from the endpoint vulnerable to SQL injection? Okay, so let’s look for sqlmap. So, as we can see it says query union select. So, it is a union attack on ID, email and password. So, I think it tried to fetch the email and the password.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*J3v8GjI7wXXp7uVXP1Ir8g.png" /></figure><p><strong>Step10:</strong> So, what files did they try to download from the vulnerable endpoint? So, we know that it downloaded two files, one of them was coupon_2013.md.bak and the second was www-data.bak.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*CoM9N_MMkeWxIWZaD-XmWw.png" /></figure><p><strong>Step11:</strong> So, what service and account name were used to retrieve the file from the previous question? Whenever we try to log in using FTP, it will not show in the access log directory or in the access.log file because this is the general web server. So, we have to look into vsftpd.log. It tried to connect to the clients and as we can see anonymous. It tried to log in as anonymous and the service used is FTP.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*2964Gx9U9X4P31lKgcovMQ.png" /></figure><p><strong>Step12:</strong> What service and username were used to gain shell. So again, for shell we look for ssh and for ssh we can look for auth.log. So, it says failed password for www-data. 
So service is going to be ssh and the username is as usual www-data because it says that failed password for www data.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*k_SNB6iRCXdTGqADXkHYTA.png" /></figure><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=5d2a550a663e" width="1" height="1" alt="">]]></content:encoded>
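The access.log triage the steps above do by eye, as an added example that is not part of the original post: it parses constructed combined-format lines (made-up address, times and requests), attributes tools by User-Agent, finds the brute-forced endpoint and the timestamp of the first success after the 401s, flags the injected parameter, and lists the backup files fetched from the ftp directory.

```python
"""Triage of a Juice Shop access.log along the lines of the walkthrough above.
SAMPLE_LOG is constructed for this example (addresses, times and requests are
made up) and imitates the combined log format of the room's access.log."""
import re
from collections import Counter, OrderedDict
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: ip ident user [time] "method target proto" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

# User-Agent substrings for the tools the walkthrough attributes by header, in
# the order a first hit is reported.
TOOL_SIGNATURES = OrderedDict([
    ("Nmap Scripting Engine", "Nmap Scripting Engine"), ("Hydra", "Hydra"),
    ("sqlmap", "sqlmap"), ("curl", "curl"), ("feroxbuster", "feroxbuster"),
])
# Fragments that mark a decoded query value as SQL syntax rather than a search term.
SQLI_MARKERS = ("union", "select", "'", "--")

SAMPLE_LOG = """\
203.0.113.10 - - [11/Apr/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 1924 "-" "Mozilla/5.0 (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)"
203.0.113.10 - - [11/Apr/2021:09:05:10 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0 (Hydra)"
203.0.113.10 - - [11/Apr/2021:09:05:11 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0 (Hydra)"
203.0.113.10 - - [11/Apr/2021:09:05:12 +0000] "POST /rest/user/login HTTP/1.1" 401 26 "-" "Mozilla/5.0 (Hydra)"
203.0.113.10 - - [11/Apr/2021:09:05:13 +0000] "POST /rest/user/login HTTP/1.1" 200 831 "-" "Mozilla/5.0 (Hydra)"
203.0.113.10 - - [11/Apr/2021:09:05:14 +0000] "GET /rest/admin/application-configuration HTTP/1.1" 200 4100 "-" "Mozilla/5.0 (Hydra)"
203.0.113.10 - - [11/Apr/2021:09:20:30 +0000] "GET /rest/products/search?q=apple HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0"
203.0.113.10 - - [11/Apr/2021:09:21:02 +0000] "GET /rest/products/search?q=1%27%29%20UNION%20SELECT%20id%2Cemail%2Cpassword%20FROM%20Users-- HTTP/1.1" 200 2048 "-" "sqlmap/1.5.2#stable (http://sqlmap.org)"
203.0.113.10 - - [11/Apr/2021:09:30:00 +0000] "GET /ftp/www-data.bak HTTP/1.1" 200 5120 "-" "curl/7.74.0"
203.0.113.10 - - [11/Apr/2021:09:31:00 +0000] "GET /ftp/coupons_2013.md.bak HTTP/1.1" 200 900 "-" "curl/7.74.0"
203.0.113.10 - - [11/Apr/2021:09:40:00 +0000] "GET /rest/products/reviews HTTP/1.1" 404 0 "-" "feroxbuster/2.2.1"
"""

def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, ts, method, target, status, agent = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "method": method, "path": parts.path,
            "query": dict(parse_qsl(parts.query, keep_blank_values=True)),
            "status": int(status), "agent": agent}

def parse_log(text):
    """All parseable entries in log order; unparseable lines are dropped."""
    entries = (parse_line(line) for line in text.splitlines() if line.strip())
    return [e for e in entries if e is not None]

def identify_tools(entries):
    """Tool names in order of first appearance, matched on the User-Agent."""
    seen = []
    for e in entries:
        for name, sig in TOOL_SIGNATURES.items():
            if sig in e["agent"] and name not in seen:
                seen.append(name)
    return seen

def find_bruteforce(entries, min_failures=3):
    """Endpoint one (ip, agent) pair got at least min_failures 401s on, and the
    timestamp of that pair's first 200 after the failures (None if never)."""
    failures = Counter()
    for e in entries:
        if e["status"] == 401:
            failures[(e["ip"], e["agent"], e["path"])] += 1
    hot = [key for key, n in failures.items() if n >= min_failures]
    if not hot:
        return None
    key = max(hot, key=failures.get)
    seen_failure = False
    for e in entries:
        if (e["ip"], e["agent"], e["path"]) != key:
            continue
        if e["status"] == 401:
            seen_failure = True
        elif seen_failure and e["status"] == 200:
            return {"endpoint": key[2], "success_at": e["ts"]}
    return {"endpoint": key[2], "success_at": None}

def find_sqli(entries):
    """First request whose decoded query value carries SQL syntax; None if none."""
    for e in entries:
        for param, value in e["query"].items():
            decoded = unquote(value).lower()
            if any(marker in decoded for marker in SQLI_MARKERS):
                return {"endpoint": e["path"], "param": param, "agent": e["agent"]}
    return None

def find_backup_downloads(entries):
    """Backup files requested from the exposed /ftp/ directory, sorted."""
    return sorted({e["path"] for e in entries
                   if e["path"].startswith("/ftp/") and e["path"].endswith(".bak")})

if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("tools:", identify_tools(log), "brute force:", find_bruteforce(log))
    print("sqli:", find_sqli(log), "backups:", find_backup_downloads(log))
```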
        </item>
        <item>
            <title><![CDATA[Conti]]></title>
            <link>https://medium.com/@krinaforu/conti-f241168fa5f4?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/f241168fa5f4</guid>
            <category><![CDATA[exchange-server]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[ransomware]]></category>
            <category><![CDATA[conti]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Thu, 09 Mar 2023 19:58:26 GMT</pubDate>
            <atom:updated>2023-03-09T19:58:26.925Z</atom:updated>
            <content:encoded><![CDATA[<p><strong>An Exchange server was compromised with ransomware. Use Splunk to investigate how the attackers compromised the server.</strong></p><p><strong>Scenario: </strong>Some employees from your company reported that they can’t log into Outlook. The Exchange system admin also reported that he can’t log in to the Exchange Admin Center. After initial triage, they discovered some weird readme</p><p><strong>Task:</strong> You are assigned to investigate this situation. Use Splunk to answer the questions below regarding the Conti ransomware. files settled on the Exchange server.</p><p>To perform my investigation, I have the option to access the Splunk instance through either the Attack Box or OpenVPN. The IP address for the Splunk instance is <strong>MACHINE_IP:8000.</strong></p><p><strong>Step1:</strong> We will first connect to OpenVPN in order to access Splunk.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/345/1*WwYIv4WLEaMbq6Su8gOQtQ.png" /></figure><p><strong>Step2:</strong> Then, we will click on start machine button in order to start our machine. Active machine information with Title, IP address, and time for expires will be shown. We can always add 1 hour to practice and explore more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*ngh3GqRv7wUfhGBMiCGjYw.png" /></figure><p><strong>Step3:</strong> We will then navigate to the IP address, a separate browser window with the dashboard of splunk interface will be shown.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*mGxPY8tUvSpBmzxb5CUybg.png" /></figure><p><strong>Step4:</strong> So, we go to Splunk here, we select all time. And since we don’t have an index. Here for the data, we’re going to choose star indicating retrieve all of the data that has been ingested into Splunk. 
So, we have around 17,078 events with different source types.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/973/1*ml2n8Adl5xWqHkFFbj7LhQ.png" /></figure><p><strong>Step5</strong>: Okay, so now let’s see the first question. Can you identify the location of the ransomware? Okay, so the first thing we identify the data set and next we need to select a source. So, the source type for such a question is to select the Wind event log, Microsoft Windows, Sysmon/Operational. We select that and we see how many events we’ve got, its 2664.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/942/1*pBzH8XdiEcFjBFqlZ1sfyQ.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*hW_B3xTV7QjTaHC8VsuJDA.png" /></figure><p>To narrow the search even further, we specify that we’re looking for exe files. We’re looking to find directory of the ransomware so that’s also on the list. Now, some of the interesting fields which we want are CurrentDirectory, CommandLine, Image, Hashes, ParentCommandLine and ParentImage. So, we’re going to compile all of these fields, reserve the values using a table. In order to find the ransomware we have to look at directory &amp; executable name. These would be the ideal judgment factors to find ransomware. It would be actually sometimes possible that some ransomware hides some data in the systems, but that’s unlikely to happen. So, we’re going to dedup current directory. I’m going to remove duplicate fields or duplicate values. Now, we have administrator documents, sys32, Mozilla firefox, and lastly we have this splunk. So among these directories, the only one that’s weird actually is this. So, normally when we launch the command line, yes, the parent image and the parent command line would be here, but the location of the command prompt executable would not be in the user administrator. That’s weird occurrence of this application. 
So, we’re going to actually answer with this question because it is the only thing that’s weird here.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*jrP3K_M_Nj5n84MlzLWsAg.png" /></figure><p><strong>Step6:</strong> What’s the system event ID for the related file curation event? We don’t need the splunk for this question. The system or event ID for file creation is 11. We can find that in the documentation of Sysmon Events.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*nOa6vcCLSotfxXlC1Mn-FQ.png" /></figure><p><strong>Step7: </strong>Can you find the Md5 hash of the ransomware? So that’s why I selected to outline the hashes in the table here because I want to see the hash of all the executables.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XLf84EZRq5P-0E0E3EwVQg.png" /></figure><p>So, we can copy MD5 hash and just use Virus Total to search this hash and as we can see, the search confirms or the results confirm the thought that this is ransomware and specifically it is Conti ransomware.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*UOdhZpnvzx_Dap0PRNjRSA.png" /></figure><p><strong>Step8:</strong> So now we are trying to find out what is the file name saved to multiple locations. So, let’s reset. Now the command go back and keep only the source type as sysmon. So, since this is a file creation event, we’re going to filter according to the file event. So, we go to event code and we highlight 11.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/939/1*D9E5AtHCwoBmORd68PXvIw.png" /></figure><p>Okay, so as we can see, we have got several results. Of course, we’re not interested in the Clean Manager. So, we’re going to skip to the next page. We have powershell. We are looking to see if there are any files that have been saved by the CMD. 
We can now see, the ransomware saved several files in several locations, readme.txt in several locations, as we can see with the same image name. So that would be the answer for the question.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*-hC3LDpIz6RPwtJe3OxZOw.png" /></figure><p><strong>Step9:</strong> What was the command attacker used to add a new user to the compromised system? So again, here we’re looking to filter by events. Normally when a user is added to the system, an event is created in Windows events. We’re going to change the source type to Windows event log security.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/939/1*cTp85W_Cqzve8_NdjTtrLw.png" /></figure><p>So, we are filtering according to the EventCode. The event ID for Windows user creation, its 4720. Let’s analyze, a file creation event and the user’s name was security ninja. Now we know the account name.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WLG_CRBvF3YKJfj12GUBlQ.png" /></figure><p>So, what we’re going to do here, we’re going to copy that and switch back to the original view. And here we select back the sysmon. So, we’re going to put our security ninja to include all of the event logs captured by Sysmon and had the security ninja end up. And of course, we look also at the parent command line to see the first process that executed the command or invoked the command. So, we see we have here two instances or three instances of CMD. If you take a look at the first command, net user security ninja, hard to hack. That’s the first one. But if you also take a look at the next one, net locally group administrator, security ninja, it’s adding the user to administrator to elevate the privileges. 
And the last one, which actually adds the user security ninja to the remote desktop users so that security ninja or the attacker would be able to log in remotely using the RDP protocol.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ZHdrxJuQl5Emg5eoSu6Aow.png" /></figure><p><strong>Step10: </strong>Next one. The attacker migrated the process for better persistence. What’s the migrated process image and what’s the original process image? So, we have to find out what was the process used when the attacker first got into the system. And then we have to find out what was the process that were used for migration or persistence purposes. We can find the clue from the question that it asking about an event. The event is process migration. Process migration is kind of remote thread. And we can filter all the remote thread events using sysmon. So, for remote thread, the event ID is 8.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/937/1*xg7iU_2A4X7wqVEBAxedxw.png" /></figure><p>Normally a process migration contains two fields a source process and target process. A source process is the original process and the target process is the process to which the migration or to which the original process migrated. It’s telling us that powershell launched on the system and then we’re migrated to unsecapp. Unsecapp then somewhat migrated into lsass to retrieve the hashes of the users.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*qjmrmzMKHOAu0O9pQNneLQ.png" /></figure><p><strong>Step11: </strong>What’s the process image used for getting the system hashes? So, we’re going to stay with sysmon and now we’re going to filter the results to aspx. Why aspx? Because actually aspx is the shell. If we want to deploy op shell into an Exchange server, we would have to do it with aspx. That’s the extension of any web shell that would be deployed into IAS server. And we see here the full command. And you see a weird file name. 
So, it’s the only instance of an aspx file and it’s actually being executed by a command.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/969/1*3B0b1ej6_RTyefxHTumXPQ.png" /></figure><p><strong>Step12:</strong> What’s the command line that executed this webshell?</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*Qvj2jqqf7JLahS89mlphEA.png" /></figure><p><strong>Step13: </strong>What three CVEs did this exploit leverage? For this, we have to go out of the box of tryhackme and do some external research.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IYULwJRW6eIbeDVx2gGzRA.png" /></figure><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=f241168fa5f4" width="1" height="1" alt="">]]></content:encoded>
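The Splunk correlations the steps above perform by hand, redone as an added Python example that is not part of the original post or of the room: the events, paths, account name and placeholder password are constructed, and the functions reproduce the checks the walkthrough describes (a system binary running from a user profile, one file written to many directories in EventCode 11, the EventCode 8 migration chain ending in lsass.exe, the 4720 account creation joined with the net commands that used it, and the aspx web shell invocation).

```python
"""The correlations the Splunk investigation above performs by hand, done in
plain Python over constructed Sysmon and Security events (paths, names and
the placeholder password are made up; none of this is the room's data)."""
import ntpath
from collections import defaultdict

# Binaries that belong under C:\Windows; one of them running from a user
# profile is how the walkthrough spots the ransomware.
SYSTEM_BINARIES = {"cmd.exe", "powershell.exe", "svchost.exe", "lsass.exe"}
DROPPER = r"C:\Users\Administrator\Documents\cmd.exe"

EVENTS = [
    # Sysmon EventCode 11 (FileCreate): the ransom note sprayed into many folders.
    {"EventCode": 11, "Image": DROPPER, "TargetFilename": r"C:\Users\Public\readme.txt"},
    {"EventCode": 11, "Image": DROPPER, "TargetFilename": r"C:\Windows\Temp\readme.txt"},
    {"EventCode": 11, "Image": DROPPER, "TargetFilename": r"C:\inetpub\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\cleanmgr.exe", "TargetFilename": r"C:\Windows\Temp\cleanup.log"},
    # Security EventCode 4720: a user account was created.
    {"EventCode": 4720, "TargetUserName": "securityninja", "SubjectUserName": "Administrator"},
    # Sysmon EventCode 1 (ProcessCreate): what was done with the new account.
    {"EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net user securityninja PLACEHOLDER_PASSWORD /add"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators securityninja /add"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\net.exe", "CommandLine": 'net localgroup "Remote Desktop Users" securityninja /add'},
    # Sysmon EventCode 8 (CreateRemoteThread): the process migration hops.
    {"EventCode": 8, "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "TargetImage": r"C:\Windows\System32\wbem\unsecapp.exe"},
    {"EventCode": 8, "SourceImage": r"C:\Windows\System32\wbem\unsecapp.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    # Sysmon EventCode 1: the web shell invoked on the IIS/Exchange host (placeholder name).
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r'cmd.exe /c "C:\inetpub\wwwroot\aspnet_client\PLACEHOLDER.aspx"'},
]

def misplaced_system_binaries(events):
    """Images named like a system binary but running from outside C:\\Windows."""
    found = set()
    for e in events:
        directory, name = ntpath.split(e.get("Image", ""))
        if name.lower() in SYSTEM_BINARIES and not directory.lower().startswith(r"c:\windows"):
            found.add(e["Image"])
    return sorted(found)

def file_dropped_in_many_dirs(events, min_dirs=3):
    """File names one image wrote into at least min_dirs distinct directories (EventCode 11)."""
    where = defaultdict(set)
    for e in events:
        if e["EventCode"] == 11:
            directory, name = ntpath.split(e["TargetFilename"])
            where[(e["Image"], name.lower())].add(directory.lower())
    return sorted(name for (_img, name), dirs in where.items() if len(dirs) >= min_dirs)

def remote_thread_chain(events):
    """Follow EventCode 8 hops source -> target, starting at the process that is never a target."""
    hops = {}
    for e in events:
        if e["EventCode"] == 8:
            hops[ntpath.basename(e["SourceImage"]).lower()] = ntpath.basename(e["TargetImage"]).lower()
    starts = [s for s in hops if s not in hops.values()]
    chain = starts[:1]
    while chain and chain[-1] in hops and hops[chain[-1]] not in chain:
        chain.append(hops[chain[-1]])
    return chain

def lsass_access_source(events):
    """The process that injected into lsass.exe, i.e. the one used to get the hashes."""
    chain = remote_thread_chain(events)
    if "lsass.exe" in chain and chain.index("lsass.exe") > 0:
        return chain[chain.index("lsass.exe") - 1]
    return None

def account_creation_commands(events):
    """Join 4720 (account created) with the Sysmon 1 command lines naming that account."""
    new_users = {e["TargetUserName"].lower() for e in events if e["EventCode"] == 4720}
    commands = defaultdict(list)
    for e in events:
        if e["EventCode"] == 1:
            for user in new_users:
                if user in e["CommandLine"].lower():
                    commands[user].append(e["CommandLine"])
    return dict(commands)

def webshell_executions(events):
    """Sysmon 1 command lines that reference an .aspx file."""
    return [e["CommandLine"] for e in events
            if e["EventCode"] == 1 and ".aspx" in e["CommandLine"].lower()]

if __name__ == "__main__":
    print("ransomware image:", misplaced_system_binaries(EVENTS))
    print("note dropped everywhere:", file_dropped_in_many_dirs(EVENTS))
    print("migration chain:", remote_thread_chain(EVENTS), "hash access via:", lsass_access_source(EVENTS))
    print("new account usage:", account_creation_commands(EVENTS))
    print("web shell:", webshell_executions(EVENTS))
```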
        </item>
        <item>
            <title><![CDATA[Microsoft, CISA, Confirms Windows 10 Zero-Day Attack: What next?]]></title>
            <link>https://medium.com/@krinaforu/microsoft-cisa-confirms-windows-10-zero-day-attack-what-next-efd6320e5f10?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/efd6320e5f10</guid>
            <category><![CDATA[windows-10]]></category>
            <category><![CDATA[cisa]]></category>
            <category><![CDATA[microsoft]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[zero-day-attack]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Tue, 07 Mar 2023 05:36:42 GMT</pubDate>
            <atom:updated>2023-03-07T05:36:42.598Z</atom:updated>
            <content:encoded><![CDATA[<p>After Microsoft acknowledged that a recently discovered vulnerability was being used in attacks, the Cyber Security and Infrastructure Security Agency (CISA) added it to its list of known exploited vulnerabilities. According to Microsoft, “An attacker who successfully exploited this vulnerability could gain system privileges.”</p><p><strong>Next Steps: Assessing few Things!</strong></p><p><strong>Step1: Identify the threat</strong></p><p>Understand the operation of the attack: The MSHTML browser rendering engine used by Office documents, which is part of Internet Explorer, contains the vulnerability. When opened, Office documents from the attackers render a specially crafted malicious web page and use an ActiveX control to download malware payload.</p><p><strong>Step2: Find out if your company is affected by the vulnerability</strong></p><p>It’s crucial to find out if any systems in your organization that use Office documents are vulnerable because the vulnerability affects systems that use the MSHTML rendering engine used by Internet Explorer, which is used by Office documents.</p><p><strong>Step3: Recognize the effects</strong></p><p>Determine whether the vulnerability will have an impact on your organization: An attacker could remotely execute code on the victim machine and even take full control if the vulnerability is exploited. 
Data loss, system disruption, and unauthorized access to sensitive information could result from this.</p><p><strong>Step4: Choose mitigation</strong></p><p>Verify whether there are any existing mitigations: check whether your company has put in place any security measures that can help identify and stop the attack, such as antivirus software, firewalls, and email gateways.</p><p>Choose the most effective line of action: if the assessment indicates that your organization is at risk, it is critical to move quickly to implement the Microsoft fix.</p><p><strong>Step5: Discuss with the management</strong></p><p>Give a general description of the vulnerability and how it can affect the organization. Describe the current mitigations in place and the suggested path of action. Until the patch is released, present management with a strategy that includes a timetable for executing the workaround.</p><p><strong>Understanding the Threat and its Operations!</strong></p><p>The threat is a zero-day vulnerability (CVE-2021-40444) that affects systems using the MSHTML rendering engine of Internet Explorer, which is also used by Office documents. This vulnerability gives a potential attacker the opportunity to remotely execute code on the target computer and take full control.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*2zfC1wzqq-vVNw1K02S_Mw.png" /><figcaption><em>The original exploit vector was an externally targeted oleObject relationship definition with an MHTML handler prefix pointing at an HTML file hosted on a system similar to the Cobalt Strike Beacon infrastructure with which the loader’s payload interacted.</em></figcaption></figure><p>The attack renders a specifically crafted malicious website using Office documents that load MSHTML when opened, and it uses an ActiveX control to download a malware payload. 
When a user opens a malicious Office document that the attackers have delivered by email or another method, MSHTML loads the malicious website included in the document and the ActiveX control downloads the malware payload. As a result, the attacker can potentially take full control of the victim machine by remotely running code on it. Users whose accounts have administrator privileges are more exposed than those without. The attack requires user participation; attackers would probably send targeted emails to their targets or try to take advantage of recent events to boost their success rate.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/975/1*rpRkRuID1nVK50qJpyfnOw.png" /><figcaption><em>Attack chain of DEV-0413 campaign that used CVE-2021-40444</em></figcaption></figure><p><strong>Is the threat applicable to the Organization?</strong></p><p>As a Senior Security Analyst, it is important to determine if the vulnerabilities described in the article apply to my organization. According to the article, the attack takes advantage of a vulnerability in the MSHTML engine, which is utilized by both Microsoft Office documents and Internet Explorer. It is likely that the vulnerability affects my company if it uses Windows 10 and any version of Microsoft Office that makes use of the MSHTML engine.</p><p><strong>Are the vulnerabilities applicable to the Organization?</strong></p><p>We should check whether Windows 10 is installed, as well as the Microsoft Office version, to see if our company is exposed. It is likely that the company is vulnerable if it employs any version of Office that makes use of the MSHTML engine.</p><p><strong>Impact on Organization</strong></p><p>If the company has the vulnerability, an attacker may be able to exploit it to get remote code execution on the target computer. By doing this, the attacker might be able to take control of the affected machine and possibly access sensitive information. 
Targeted phishing campaigns are probably used to distribute the exploit, because the attack requires user input such as opening a fraudulent Office document.</p><p><strong>Are there any mitigations?</strong></p><p>As a Senior Security Analyst, I will check whether my company has put any mitigations in place for this issue, for example security measures such as firewalls, intrusion detection and prevention systems, and antivirus software.</p><p><strong>Recommendations</strong></p><p>· Until a patch is released, we should use the mitigations suggested by Microsoft and CISA. These mitigations consist of turning off the rendering of HTML in Office documents as well as the use of ActiveX controls in Office documents.</p><p>· When opening Office documents from unexpected emails or unidentified sources, exercise extreme caution.</p><p>· Teach staff members how to spot and deal with suspicious emails and attachments.</p><p>· On company networks and systems, monitor for any suspicious activity.</p><p>· To identify and stop malware from running on work machines, consider adopting endpoint security software.</p><p>· Maintain the most recent security patches and upgrades on all systems and applications.</p><p><em>It is crucial to remember that while following these suggestions can reduce the risk of an exploit, they may not be fully effective until a patch is made available. 
It is important to stay informed on any updates and to keep taking the essential precautions to safeguard the company.</em></p><p><strong>Definition of terms</strong></p><p>· <strong><em>Zero-day vulnerability</em></strong><em>: A previously unknown security vulnerability that has not yet been patched by the software vendor.</em></p><p>· <strong><em>ActiveX</em></strong><em>: ActiveX is a deprecated software framework created by Microsoft that adapts its earlier Component Object Model (COM) and Object Linking and Embedding (OLE) technologies for content downloaded from a network, particularly from the World Wide Web.</em></p><p>· <strong><em>MSHTML:</em></strong><em> The Microsoft HTML rendering engine used in Internet Explorer and Microsoft Office documents.</em></p><p>· <strong><em>Remote code execution:</em></strong><em> The ability for an attacker to execute code on a targeted computer remotely.</em></p><p><strong>Executive Summary</strong></p><p>A zero-day vulnerability (CVE-2021-40444) has been discovered in the Internet Explorer browser rendering engine, MSHTML, which is also used in Microsoft Office documents. Cybercriminals have taken advantage of this vulnerability, which enables remote code execution and potentially total control of the targeted computer. Users are urged to take mitigating steps until a patch is provided by Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA).</p><img src="https://medium.com/_/stat?event=post.clientViewed&referrerSource=full_rss&postId=efd6320e5f10" width="1" height="1" alt="">]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[New Hire Old Artifacts]]></title>
            <link>https://medium.com/@krinaforu/new-hire-old-artifacts-596db4f7490f?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/596db4f7490f</guid>
            <category><![CDATA[powershell]]></category>
            <category><![CDATA[tryhackme-writeup]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[splunk]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Wed, 01 Mar 2023 00:05:08 GMT</pubDate>
            <atom:updated>2023-03-01T00:05:08.481Z</atom:updated>
<content:encoded><![CDATA[<p><strong>Investigate the intrusion attack using Splunk</strong></p><p><strong>Scenario: </strong>As a SOC Analyst for TryNotHackMe, I have been assigned a task by my manager to investigate a concern raised by a new customer, Widget LLC. Widget LLC has recently joined the managed Splunk service provided by the company, and their endpoint events are now visible on my end. However, they have expressed concern about a specific endpoint used by a recently hired Financial Analyst. Apparently, the endpoint security product was turned off during December 2021, but no official investigation was conducted at that time. My manager has asked me to thoroughly review Widget LLC’s Splunk instance to determine whether any potential security issues exist that should be brought to the customer’s attention.</p><p>To perform my investigation, I can access the Splunk instance through either the Attack Box or OpenVPN. The IP address for the Splunk instance is <strong>MACHINE_IP.</strong></p><p><strong>Step1:</strong> We will first connect to OpenVPN in order to access Splunk.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/221/1*FzOezu24OgOMZVPNv7WIlQ.png" /></figure><p><strong>Step2:</strong> Then, we will click on the Start Machine button to start our machine. The active machine’s title, IP address, and expiry time will be shown. We can always add 1 hour to practice and explore more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/631/1*7FNvRM2KNPG_Aizo5227ZQ.png" /></figure><p><strong>Step3:</strong> We will then navigate to the IP address, and a separate browser window with the Splunk dashboard will be shown.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/633/1*VTefk0R_kllcRabUBRz48Q.png" /></figure><p><strong>Step4:</strong> In Splunk, we select All time as the time range. Since we don’t have a specific index, 
we use the wildcard (star) for the index so that all of the data ingested into Splunk is retrieved. This gives us around 17,078 events across different source types.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/623/1*lEaka-sKMYCT1DT7s1efDg.png" /></figure><p><strong>Step5:</strong> First question: a web browser password viewer was executed on the infected machine. What is the name of the binary? Enter the full path. To find it, search for “password viewer” in the search bar; the binary appears in the ImageLoaded field. Next, what is listed as the company name? The answer is in the Company field.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/878/1*Flim3rkKMqhx2zzyjMHKFQ.png" /></figure><p><strong>Step6:</strong> Another suspicious binary running from the same folder was executed on the workstation. What is the name of the binary? Copy the folder path of the previous binary into the search bar, because we are only interested in the temp directory, as shown in the screen capture. Then look at the Image field, because Image tells you what was executed, i.e. the binaries.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/884/1*vN4u_fNh9wnB3lp1UV51QQ.png" /></figure><p><strong>Step7:</strong> Now, what is listed as its original filename? Type the following in the search bar: “IonicLarge.exe OriginalFileName”, and you will have your answer.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/887/1*9tndmIrRt1gPV19eUzS3MQ.png" /></figure><p><strong>Step8:</strong> Next question: the binary from the previous question made two outbound connections to a malicious IP. What was the IP address? It is asking for the main one, basically. Type the filename in the search bar and look at the destination IP field, because that shows the outbound connections. 
The first is not even a real IP address, so don’t worry about that. The second one is the one we should be worrying about.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/888/1*4iulFdC_KqwgvfpzknEX4A.png" /></figure><p><strong>Step9:</strong> Next question: the same binary made some changes to a registry key. What was the key path? In the search bar, search for “IonicLarge.exe TargetObject”. The first result shows Windows Defender DisableAntiSpyware, which is really bad. The other results are the same kind of thing: the second one shows DisableRoutinelyTakingAction, and further ones relate to Real-Time Protection, all under the same registry key path.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/889/1*56swo9GSrFlHALzxYBpa4w.png" /></figure><p><strong>Step10:</strong> Some processes were killed and the associated binaries were deleted. What were the names of the two binaries? Search for “taskkill” and look at the CommandLine field, because the command line usually gives us more information, in this case which tasks were killed. Two command lines stand out as really suspicious, and they show the two killed processes.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/887/1*5UI67V-UK2UwXt4Xf9j5TQ.png" /></figure><p><strong>Step11:</strong> Next question: the attacker ran several commands within a PowerShell session to change the behavior of Windows Defender. What was the last command executed in the series of similar commands? Search for PowerShell and then go to the ParentCommandLine field. Always look at the command line when you are looking at PowerShell or CMD activity; it shows you everything.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/797/1*PyiG8zJclyDKrjl0nUXJHQ.png" /></figure><p><strong>Step12:</strong> Next question. 
Based on the previous answer, what were the four IDs set by the attacker? Look at the ID numbers in that command.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/954/1*k37UNvi2y0TYVGLJayo6RA.png" /></figure><p><strong>Step13:</strong> Next question: another malicious binary was executed on the infected workstation from another AppData location. What was the full path to the binary? Search for appdata and then go to the Image field, because Image tells us what was executed. We see fiddler.exe, but that is a network monitoring tool, so don’t worry about that. Below it we see easycalc.exe, which is odd: easycalc.exe is executing from AppData.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/802/1*uq2Vnjc2D2uSC1Kjfvc5Ew.png" /></figure><p><strong>Step14:</strong> What were the DLLs loaded by this executable? The ImageLoaded field shows us the DLLs that were loaded.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/723/1*EkZhHUALM4KnMb5DCz5POQ.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Threat Intelligence Tools]]></title>
            <link>https://medium.com/@krinaforu/threat-intelligence-tools-2c370e68456d?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/2c370e68456d</guid>
            <category><![CDATA[osint]]></category>
            <category><![CDATA[security-threat]]></category>
            <category><![CDATA[threat-intelligence]]></category>
            <category><![CDATA[investigation]]></category>
            <category><![CDATA[virustotal]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Sat, 25 Feb 2023 20:43:47 GMT</pubDate>
            <atom:updated>2023-02-25T20:43:47.898Z</atom:updated>
<content:encoded><![CDATA[<p>Explore different OSINT tools used to conduct security threat assessments and investigations.</p><p><strong>Threat intelligence</strong> is the practice of gathering, analyzing, and sharing information about potential or actual cyber threats to help organizations identify and mitigate these threats. This information can come from a variety of sources, including internal security logs, public and private security research, dark web monitoring, and intelligence agencies.</p><p>Threat intelligence can be classified in several ways, including:</p><p>· <strong>Tactical threat intelligence:</strong> This type of threat intelligence focuses on the technical indicators of a specific threat, such as malware hashes, IP addresses, domain names, or other artifacts that can be used to identify and block malicious activity.</p><p>· <strong>Strategic threat intelligence:</strong> This type of threat intelligence provides a broader view of the threat landscape and focuses on understanding the motivations, goals, and tactics of threat actors, as well as their methods of attack and potential targets.</p><p>· <strong>Operational threat intelligence:</strong> This type of threat intelligence is more focused on the day-to-day operations of an organization’s security team and provides actionable information that can be used to respond to specific threats in real time.</p><p>· <strong>Technical threat intelligence:</strong> Technical threat intelligence is a type of tactical threat intelligence that focuses specifically on the technical details of a threat. This includes information such as the specific tools, techniques, and procedures (TTPs) used by threat actors, the vulnerabilities they are exploiting, and the specific indicators of compromise (IOCs) associated with their attacks.</p><p><strong>URLSCAN.IO</strong></p><p>Urlscan.io is a free online tool that allows users to scan and analyze URLs for potential security threats. 
The tool works by taking a screenshot of the webpage, collecting metadata such as server response headers and WHOIS information, and analyzing the page’s HTML, JavaScript, and other resources for potential security issues.</p><p><strong>Activity:</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1001/1*_J7dikAYhXSeA_2bwk37DA.png" /></figure><p><strong>ABUSE.CH</strong></p><p>abuse.ch is a non-profit project that aims to help identify and combat various forms of cybercrime. The project was founded in 2006 by Swiss security researcher and malware analyst Roman Hüssy.</p><p>Abuse.ch provides a number of free, community-driven services and resources to help protect individuals and organizations from online threats, including:</p><p>· <strong>URLhaus:</strong> a platform that collects, tracks, and shares URLs associated with malware distribution, phishing, and other malicious activity.</p><p>· <strong>Feodo Tracker:</strong> a tool that monitors and tracks command-and-control (C2) servers associated with the Feodo malware botnet.</p><p>· <strong>SSL Blacklist:</strong> a list of SSL certificates that have been associated with malicious activity.</p><p>· <strong>Threat Fox: </strong>ThreatFox is an online tool that allows users to analyze URLs and domains for malicious activity.</p><p>· <strong>Malware Bazaar:</strong> MalwareBazaar is a platform that collects and shares samples of malware files. 
It allows security researchers and analysts to access and analyze malware samples, as well as contribute their own samples to the platform.</p><p><strong>Activity:</strong></p><p><strong>Threat Fox</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*lHswfuErVn0HUe45o7-47g.png" /></figure><p><strong>SSL Blacklist</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/649/1*uWjDbz9867uFTjkmmXrshA.png" /></figure><p><strong>URLHAUS:</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/619/1*bBt53K8dLtDMg40JVQXb4A.png" /></figure><p><strong>FEODO TRACKER:</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/604/1*5de9d5612ADgOtqhA8MFUw.png" /></figure><p><strong>PHISHTOOLS:</strong></p><p>PhishTools refers to a set of tools and techniques used by cybercriminals to carry out phishing attacks, a type of social engineering attack that aims to trick individuals into giving away sensitive information, such as login credentials or financial information. Phishing attacks typically involve sending fraudulent emails or text messages that appear to come from a legitimate source, such as a bank, social media site, or online retailer. The goal is to get the recipient to click on a link or open an attachment that leads them to a fake website or login page where they are prompted to enter their personal information.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*Fi1XFU9d_kct_-H5X2XD_Q.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/621/1*Dx5_62T_lHjCJPu7Cm3InA.png" /></figure><p><strong>CISCO TALOS INTELLIGENCE:</strong></p><p>Cisco Talos Intelligence is a security research group that is part of Cisco Systems, Inc. Talos provides threat intelligence, research, analysis, and protection to Cisco customers and the broader security community. 
They work to identify and analyze the latest threats and develop methods to detect, prevent, and respond to them.</p><p>Talos Intelligence specializes in identifying and analyzing emerging threats, such as malware, vulnerabilities, and other cyber threats. They collect and analyze data from various sources, including global malware networks, honeypots, and sensors that are deployed around the world. Based on this analysis, they create threat intelligence reports, advisories, and alerts that help organizations to better understand and defend against cyber threats.</p><p><strong>Activity:</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/624/1*HY_ouksrXBneAGR7HjQ-iA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/534/1*GEsNJxCjv7DhtNUyQRMOfw.png" /></figure><p><strong>SCENARIO 1:</strong></p><p>You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.</p><p>Task: Using the tools, analyze Email2.eml.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/616/1*n0ONr9NommP4HnBufXXtlw.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*___A_w15hq57RU68SUeb-A.png" /></figure><p><strong>SCENARIO 2:</strong></p><p>You are a SOC Analyst. Several suspicious emails have been forwarded to you from other coworkers. You must obtain details from each email to triage the incidents reported.</p><p>Task: Using the tools, analyze Email3.eml.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/625/1*T8P2ZzjKYss-Q5fOYs5HcA.png" /></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/627/1*e1K0O9_3CVMXvqOS-V_83g.png" /></figure>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Introduction to SIEM]]></title>
            <link>https://medium.com/@krinaforu/introduction-to-siem-944475cc702f?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/944475cc702f</guid>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[log-sources]]></category>
            <category><![CDATA[information-security]]></category>
            <category><![CDATA[siem]]></category>
            <category><![CDATA[log-generation]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Sun, 12 Feb 2023 20:58:52 GMT</pubDate>
            <atom:updated>2023-02-12T20:58:52.304Z</atom:updated>
<content:encoded><![CDATA[<p><strong>An introduction to Security Information and Event Management.</strong></p><p><strong>What is SIEM?</strong></p><p>SIEM stands for Security Information and Event Management. It is a technology used to centralize and analyze security-related data from a variety of sources such as network devices, operating systems, applications, and more. The goal of SIEM is to provide a unified view of an organization’s security posture and to identify potential security threats and incidents.</p><p><strong>Network Visibility through SIEM</strong></p><p>Network visibility is the ability to monitor and understand the flow of network traffic, including the type of traffic, the source and destination of the traffic, and the behavior of the traffic. SIEM systems collect logs from endpoints such as laptops and smartphones, as well as from network devices such as firewalls, switches, and routers. These logs provide valuable information about network activity and can be analyzed to identify potential security threats and incidents.</p><p>Host-centric and network-centric are two different approaches to security monitoring and incident response in a computing environment.</p><p>· <strong>Host-centric approach:</strong> This approach focuses on monitoring and analyzing data from individual hosts or endpoint devices, such as laptops, servers, and smartphones. This approach is useful for detecting and responding to security incidents that originate from individual hosts, such as malware infections, unauthorized access, and data breaches.</p><p>· <strong>Network-centric approach:</strong> This approach focuses on monitoring and analyzing network-level data, such as network traffic, logs from network devices, and security events. 
This approach is useful for detecting and responding to security incidents that occur at the network level, such as network-based attacks, unauthorized access to network resources, and data exfiltration.</p><p><strong>Log Sources and Log Ingestion</strong></p><p>Log sources refer to the various devices, systems, and applications that generate log data, such as network devices, operating systems, applications, and security devices. Log data provides valuable information about an organization’s security posture, including user activity, system events, and potential security incidents.</p><p><strong>Log sources:</strong></p><p>· <strong>Network devices: </strong>Routers, switches, firewalls, and intrusion detection/prevention systems (IDS/IPS)</p><p>· <strong>Operating systems:</strong> Windows, Linux, and Unix</p><p><strong>For Linux: </strong>Some of the common locations where Linux stores logs are:</p><p><em>/var/log/httpd: Contains HTTP request/response and error logs.</em></p><p><em>/var/log/cron: Events related to cron jobs are stored in this location.</em></p><p><em>/var/log/auth.log and /var/log/secure: Store authentication-related logs.</em></p><p><em>/var/log/kern: This file stores kernel-related events.</em></p><p>· <strong>Applications: </strong>Databases, web servers, and email servers</p><p>· <strong>Endpoint devices:</strong> Laptops, smartphones, and servers</p><p>· <strong>Security devices:</strong> Firewalls, intrusion detection/prevention systems (IDS/IPS), and security information and event management (SIEM) systems</p><p>· <strong>Cloud services:</strong> Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform</p><p>Log ingestion is the process of collecting log data from log sources and importing it into a central repository, such as a SIEM system. 
The log data is typically collected using agents or the syslog protocol, and is then parsed, normalized, and stored in the central repository.</p><p><strong>Methods for log ingestion:</strong></p><p>· <strong>Syslog:</strong> Syslog is a standard protocol for logging system events that is supported by a wide range of log sources. Log data can be sent to a SIEM system using syslog.</p><p>· <strong>Agents:</strong> Agents are software components that are installed on log sources to collect log data and transmit it to the SIEM system. Agents can provide more detailed and accurate log data compared to syslog, as they collect log data at the source.</p><p>· <strong>APIs:</strong> Some log sources, such as cloud services, may provide APIs for log data collection. A SIEM system can use APIs to collect log data from these sources in real time.</p><p>· <strong>File-based collection:</strong> Some log sources may write log data to files that can be collected and ingested into the SIEM system.</p><p>· <strong>Direct database connection:</strong> In some cases, log data may be stored in databases, and a SIEM system can collect log data by connecting directly to the database.</p><p><strong>Why SIEM?</strong></p><p>SIEM aims to give organizations an overall view of their security posture and enable fast response to security incidents.</p><p><strong>Capabilities of SIEM:</strong></p><p>· Collects and analyzes security events.</p><p>· Provides real-time security monitoring.</p><p>· Detects potential security threats.</p><p>· Helps respond to security incidents.</p><p>· Monitors compliance with regulations.</p><p>· Sends customizable alerts.</p><p>· Offers reporting and analysis capabilities.</p><p>· Integrates with other security tools.</p><p>· Includes threat intelligence.</p><p><strong>Analyzing Logs and Alerts</strong></p><p>The analysis of logs and alerts using correlation rules is a key component of a Security Information and Event Management (SIEM) system. 
A correlation rule is a set of conditions that are used to identify a specific security incident. The SIEM system uses the correlation rule to analyze events from various log sources and detect security incidents that meet the conditions specified in the rule.</p><p>For example, a correlation rule may specify that an alert should be generated when there are multiple failed login attempts from the same IP address within a specific time frame. This rule would be used to detect potential brute-force attacks on a network.</p><p>When a security incident is detected, the SIEM system generates an alert, which is reviewed by security teams. The alert provides information about the security incident, including the log data and the correlation rule that triggered the alert. This information can be used to quickly respond to the security incident and prevent further damage.</p><p><strong>Alert Investigation</strong></p><p>Alert investigation is the process of reviewing and responding to security alerts generated by a Security Information and Event Management (SIEM) system. The goal of alert investigation is to determine the cause of the alert, assess the potential impact on the organization, and determine the appropriate response to the security incident.</p><p>· Review of alert</p><p>· Gathering information</p><p>· Assessment of impact</p><p>· Determining the cause</p><p>· Response</p><p>· Resolution</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[PS Eclipse]]></title>
            <link>https://medium.com/@krinaforu/ps-eclipse-1da6f6fe455?source=rss-a3b5914fa3ce------2</link>
            <guid isPermaLink="false">https://medium.com/p/1da6f6fe455</guid>
            <category><![CDATA[splunk]]></category>
            <category><![CDATA[ransomware]]></category>
            <category><![CDATA[tryhackme-walkthrough]]></category>
            <category><![CDATA[tryhackme]]></category>
            <category><![CDATA[ps-eclipse]]></category>
            <dc:creator><![CDATA[Krina Patel]]></dc:creator>
            <pubDate>Sat, 11 Feb 2023 21:48:27 GMT</pubDate>
            <atom:updated>2023-02-11T21:48:27.229Z</atom:updated>
            <content:encoded><![CDATA[<p>Use Splunk To Investigate Ransomware Activity</p><p>As a SOC analyst working for <strong>TryNotHackMe</strong>, a Managed Security Service Provider company, I have received a request from a client to investigate an issue on a device belonging to Keegan. The customer reported that the machine is functioning normally, but some files have unusual file extensions and they suspect a ransomware attack. My manager has instructed me to use Splunk to examine the events that took place on Keegan’s device on <strong>Monday, May 16th, 2022</strong> to determine the cause of the problem.</p><p>To perform my investigation into the events on Keegan’s device, I have the option to access the Splunk instance through either the Attack Box or OpenVPN. The IP address for the Splunk instance is<strong> MACHINE_IP.</strong></p><p><strong>Step1:</strong> We will first connect to OpenVPN in order to access Splunk.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/400/1*TTOslJ4YTlYXsAIK6HzDpA.png" /></figure><p><strong>Step2:</strong> Then, we will click on start machine button in order to start our machine. Active machine information with Title, IP address, and time for expires will be shown. We can always add 1 hour to practice and explore more.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*TE3-PqnEk2hQQ0L8wC4Tzg.png" /></figure><p><strong>Step3: </strong>We will then navigate to the IP address, a separate browser window with the dashboard of Splunk interface will be shown.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*b5OT_Q-T2B1wxLcud6cD5w.png" /></figure><p><strong>Step4:</strong> So, we go to Splunk here, we select all time. And since we don’t have an index. Here for the data, we’re going to choose star indicating retrieve all of the data that has been ingested into Splunk. 
So, we have around 17,078 events with different source types.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*o-V0beldPExPFDp-YHmyVw.png" /></figure><p><strong>Step5:</strong> So, now we have other sources, we have event logs from Windows. We’re required to find out the source of the infection, the files, and if any, we need to point down all the servers. So typically, that’s what we do when we investigate an event. So let’s see, we have some 191 interesting fields that are required by us to investigate the attack. Let’s take a look at these fields and check mark the fields that we may need.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/240/1*vxkneBgwWDJ_UwTQRQK9QQ.png" /></figure><p><strong>Step6:</strong> Let’s take a look at the destination IP. So, as we can see the destination IP, we have two IP addresses hitting the most events.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/604/1*aPd9PoDQSng_QK2AzhPo7A.png" /></figure><p><strong>Step7:</strong> Let’s take a look at destination port. We have 3 values, i.e., 443, 80 and 445. So, as you can see, we can have a clue on the activity we are investigating. Mainly we are investigating network connections here in the machine, specifically the network connections happening over protocol https, http as well. So it means the machine, the source machine we are investigating has been downloading stuff from the Internet and retrieving stuff from the Internet.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/601/1*xjYr5PyHrsWt_cb58yRNdw.png" /></figure><p><strong>Step8:</strong> If we click on the first IP address, as we can see there, we have 206 events, and we can see there is an executable called Outstanding Gutter under the temp directory. So, this seems fishy as well. All right, so let’s go here and find the questions. The question states that the binary was downloaded. So, it has been downloaded either through port 80, 443 or 445. 
In port 80, we have four events. In port 443, we have 296 events. So, the way to go is we can go to 443. Here, we see a weird name, weird binary name.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XJeqbXMcPHVrKCbN808XSw.png" /></figure><p><strong>Step9:</strong> We have to find more clues. So, if we scroll down we see protocol TCP not https, scrolling more, we have only this source IP image. So, in the image we have, as we can see, three paths are involved. We have the OUTSTANDING_GUTTER under Temp, we have the Windows defender, and we have one drive. Okay, now, as we can see, we have only three executables when it comes to portfolio.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/601/1*CuuQKe1Cbe-ncG94fF-fIg.png" /></figure><p><strong>Step10: </strong>If we scroll more, we can see that PowerShell was used to connect over port 80 to destination server. We just don’t know the command that was used. If we go back and write PowerShell, we have 291 events involved with PowerShell. So, if we go to command line, we see 13 command lines, and one seems a bit fishy again. So, we have PowerShell used and we have the Base 64 string.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/601/1*d76xd38hFKS5aYvlqlbyEg.png" /></figure><p><strong>Step11:</strong> Now, we will decode the Base64 to text in order to understand the commands.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*xCcyTmcWq9L-hoN_uT-ibg.png" /></figure><p><strong>Step12:</strong> As we can see from decoded text, after the download of the file scheduled task was created to execute the OUTSTANDING_GUTTER.exe with elevated privileges. So, create the task and run the task. Okay, so we have many things to answer here. So first, as we can see, this is the weird executable name, or the Wield executable file retrieved from the destination and the executable was scheduled to run a system using scheduled tasks. 
Most probably this is the ransomware, or it could be the executable that will retrieve the ransomware. Now, as we can observe, we have domain name or the destination from which the executable was downloaded after we defang the URL.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*WTxpikQJuO01_lyDDhGxgA.png" /></figure><p><strong>Step13: </strong>In order to answer the next question, what permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? Who was the user? The user is system, but the correct format is NT authority system followed by semicolon and the command used to run the binary. Let’s look at query name. This is interesting. If we click on query name here we get five events and let’s take a look at one of the events. So, the user has not translated query name. As we can see, it looks part of the main two servers or the domain name from which the original binary name was retrieved.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/603/1*to_qBr58DsnZuCnENuALCQ.png" /></figure><p>This ends with ngrok.io and it has another extension in our sub domain from which or to which the executable connected to after it has been downloaded. So, to answer the question, the suspicious binary connected to a remote server, what address does it connect to? This is the address. It becomes clear now through the query name. So to answer just do the defang on the URL.</p><p><strong>Step14:</strong> A partial script was downloaded to the same location as the suspicious binary. What was the name of the file? So basically, this file was downloaded and then it has downloaded another file. The other file is partial script. Probably the partial script is the script that actually has encrypted the files on the system. The file look is located under the temp directory. 
So, if we want to search for the PowerShell script, what we can do to make our life easier is type “.ps”, the beginning of the extension for PowerShell script files. By doing that we look for all of the PowerShell scripts in the events. So, we have around 36 events now, which makes things easier. So, if we go back and investigate the files, in one of the files we can see the target file name, image, etc. So, as we can see, this PowerShell script was downloaded through PowerShell, which actually narrows down the suspicions if we investigate the other files; maybe this script here. So, if we look at the message, all of the messages carry “file delete archived”.</p><p><strong>Step15:</strong> What do you think was the actual name of the script? So basically, after the script here was downloaded, it was flagged as malicious. So, to find out how, let’s go back and grab the MD5 hash. With the MD5 hash, we can find out the real name of the script by using VirusTotal. We go to details and we see the names suggested for this PowerShell script. The real name is Black Sun. That was the real name based on the hash.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/537/1*3LVVswrXvCEtncFp7xEWPA.png" /></figure><p><strong>Step16: </strong>So, what’s the full path to which the ransom note was saved? We want to look for a ransom note. We can use .txt as the file extension because ransom notes are normally stored as text files. So, we look for all the text files, or all the files that have the .txt extension. And we have three events, so probably we have three notes: one under Downloads, two under the Temp directory.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/726/1*JClfj1QVnut5L455b59gnw.png" /></figure><p><strong>Step17: </strong>And the last question: the script saved an image file to disk to replace the user’s desktop wallpaper, which can also serve as an indicator of compromise. What’s the full path of the image? 
Basically, when the ransomware is downloaded to the system, it replaces the desktop background or wallpaper with a different image; we have to find out that image. So how do we find out the image? We can search for image files. We start with maybe .png or .webp.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/730/1*sxEr77ciUSAfnmXmB4rWEA.png" /></figure>]]></content:encoded>
        </item>
    </channel>
</rss>