Malware or Compromise Investigation

Possible Indicators of Compromise

Unusual Activities:
Unusual Outbound Network Traffic (C2 activities)
Unusual DNS Requests
Unusual Processes
Unusual Ports
Unusual Services
Rogue Accounts
Anomalies in Privileged User Account Activity
Unusual Files (Executables in Download or Temp directories may be suspicious)
Autostart Locations
Log-In Red Flags
Large Numbers of Requests for the Same File
Mismatched Port-Application Traffic
Suspicious Registry or System File Changes

Identify Notable Processes

Is the name spelled correctly?
Is the parent-child relationship correct?
Is it running from the correct directory?
Is it supposed to have children?
Is it a singleton?
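
Added example (not part of the original page): a script that runs the checks above against a few core Windows processes using Get-CimInstance. The expected parent/path table and the edit-distance threshold are assumptions based on the normal Windows process tree; adjust them for your build.

```powershell
# Added example, not from the original page: automate the "notable process" checks
# (spelling, parent, directory, singleton) for core Windows processes.
# Expected parents/paths follow the normal Windows process tree (assumption; adjust for your build).
$sys = "$env:SystemRoot\System32"
$expected = @{
    'smss.exe'     = @{ Parent = 'System';       Dir = $sys; Singleton = $true  }
    'csrss.exe'    = @{ Parent = 'smss.exe';     Dir = $sys; Singleton = $false }
    'wininit.exe'  = @{ Parent = 'smss.exe';     Dir = $sys; Singleton = $true  }
    'winlogon.exe' = @{ Parent = 'smss.exe';     Dir = $sys; Singleton = $false }
    'services.exe' = @{ Parent = 'wininit.exe';  Dir = $sys; Singleton = $true  }
    'lsass.exe'    = @{ Parent = 'wininit.exe';  Dir = $sys; Singleton = $true  }
    'svchost.exe'  = @{ Parent = 'services.exe'; Dir = $sys; Singleton = $false }
}
# Levenshtein distance, used to catch look-alike names such as svch0st.exe or lsasss.exe
function Get-EditDistance([string]$a, [string]$b) {
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min([Math]::Min($d[$i - 1, $j], $d[$i, $j - 1]) + 1, $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}
$procs  = Get-CimInstance -ClassName Win32_Process
$byId   = @{}; foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
$counts = @{}; foreach ($p in $procs) { $counts[$p.Name.ToLower()] += 1 }
$findings = foreach ($p in $procs) {
    $name   = $p.Name.ToLower()
    $parent = $byId[[int]$p.ParentProcessId]                    # $null if the parent has exited
    $dir    = if ($p.ExecutablePath) { Split-Path $p.ExecutablePath } else { $null }  # $null without admin rights
    if ($expected.ContainsKey($name)) {
        $e = $expected[$name]
        if ($parent -and $parent.Name -ne $e.Parent) {
            [pscustomobject]@{ Check = 'Parent';    Name = $p.Name; PID = $p.ProcessId; Detail = "parent is $($parent.Name), expected $($e.Parent)" }
        }
        if ($dir -and $dir -ne $e.Dir) {
            [pscustomobject]@{ Check = 'Directory'; Name = $p.Name; PID = $p.ProcessId; Detail = "running from $dir" }
        }
        if ($e.Singleton -and $counts[$name] -gt 1) {
            [pscustomobject]@{ Check = 'Singleton'; Name = $p.Name; PID = $p.ProcessId; Detail = "$($counts[$name]) instances" }
        }
    } elseif ($expected.Keys | Where-Object { (Get-EditDistance $name $_) -le 1 }) {   # one edit away from a core name
        [pscustomobject]@{ Check = 'Spelling';  Name = $p.Name; PID = $p.ProcessId; Detail = "looks like a core process name" }
    }
}
$findings | Format-Table -AutoSize
```

Run it from an elevated prompt so ExecutablePath is populated for protected processes; otherwise the directory check is silently skipped for them.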

Review Running Programs

Get-CimInstance -ClassName win32_Product
Get-CimInstance -ClassName win32_Product | Select-Object Name, Version, Vendor, InstallDate, InstallSource, PackageName, LocalPackage

Note: Querying win32_Product makes Windows Installer run a consistency check (and possible repair) on every installed MSI package, so it is slow and writes to the event log; the Uninstall registry keys below are the faster, side-effect-free alternative.

Get-ItemProperty "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Get-ItemProperty "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*Edge*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Note: OR use exclusion:
Get-ItemProperty "HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -NotLike "*Edge*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -Like "*Microsoft*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Note: OR use exclusion:
Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*" | where DisplayName -NotLike "*Microsoft*" | Select-Object DisplayName, DisplayVersion, InstallDate, Publisher

Review Running Processes

Get-Process
Get-CimInstance -Class win32_process | select ProcessName,ParentProcessId,ProcessId,CommandLine,ExecutablePath,InstallDate
Get-CimInstance -Class win32_process | where Name -Like "svchost.exe" | select ProcessName,ParentProcessId,ProcessId,CommandLine,ExecutablePath,InstallDate

Note: OR use exclusion:
Get-CimInstance -Class win32_process | where Name -NotLike "svchost.exe" | select ProcessName,ParentProcessId,ProcessId,CommandLine,ExecutablePath,InstallDate

Note: Search Specific Process:
Get-CimInstance -Class win32_process -Filter "name like '%powershell.exe'" | select processId,commandline|FL
Get-CimInstance -Class win32_process | select name,processId,path,commandline|FL

Note: View Process and Owners (a CIM instance has no GetOwner() method, so the method is called through Invoke-CimMethod; with Get-WmiObject, $_.GetOwner().User works directly):
Get-CimInstance -Class win32_process | FL ProcessID,ParentProcessID,CommandLine,@{n="User";e={(Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User}}

Get-CimInstance -Query "Select * from Win32_Process" | where {$_.Name -notlike "svchost*"} | Select Name, Handle, @{Label="Owner";Expression={(Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User}} | ft -AutoSize

Get-CimInstance -Class win32_process | Sort-Object -Property ProcessID | FL ProcessID,Path,CommandLine,ParentProcessID,@{n="User";e={(Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User}},@{n="ParentProcessPath";e={gps -Id $_.ParentProcessID -ErrorAction SilentlyContinue | Select -exp Path}}

Review Installed Services

Get-Service | Sort-Object Status
get-service | where-object {$_.Status -eq 'Running'}

Note: Search for a specific service (matches on the service name, wildcards allowed; "WMI*" matches the WMI-related services):
Get-Service -Name "WMI*"

Note: OR use exclusion:
Get-Service -Name "win*" -Exclude "WinRM"

Note: Service Status
Get-Service | Where-Object {$_.Status -eq "Running"}

Get-CimInstance -Class win32_service | select Name,ProcessId,Startmode,State,Status,DisplayName| ft -Autosize

Note: Stopping, starting, suspending, and restarting services
Stop-Service -Name spooler
start-Service -Name spooler
Suspend-Service -Name spooler
Restart-Service -Name spooler

Note: Get services on a remote machine (the -ComputerName parameter exists only in Windows PowerShell 5.1; in PowerShell 7 use Invoke-Command):
get-service -computername Server64
Invoke-Command -ComputerName Server02 -ScriptBlock { Get-Service }

Review Recent Execution of Programs

Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store"
Get-ItemProperty "REGISTRY::HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers"

If Malicious Process is Discovered (Get Malicious Process Details)

We identified that the malware.exe process is executing, but we need to know its complete path to tell whether it is running from the temp directory.

Get-Process -Name malware | Select-Object Id, ProcessName, Path, Company, StartTime | Format-Table

Note: Get-Process takes the process name without the .exe extension.

Get-CimInstance -Class win32_process -Filter "name like '%malware.exe'" | select processId,commandline|FL

Get-CimInstance -Class win32_process | where Name -Like "malware.exe" | select ProcessName,ParentProcessId,ProcessId,CommandLine,ExecutablePath,InstallDate

Only applicable for Windows PowerShell 5.1:

Get-WmiObject -Class Win32_Process -Filter "name='malware.exe'" | Select-Object ProcessId, ProcessName, CommandLine

Get-WmiObject is not available in PowerShell 7, so use the Get-CimInstance equivalent there:

Get-CimInstance -Class Win32_Process -Filter "name='malware.exe'" | Format-Table -Property ProcessId, ProcessName, CommandLine -AutoSize

Check for Files in $env:APPDATA\GUID\

Malware such as NanoCore creates a directory with a unique GUID name under $env:APPDATA to keep its own copy and its logs. The Get-ChildItem cmdlet lists a directory, much like the DIR command, and works on a file-system directory, a registry hive, or a certificate store. -Recurse lists all sub-directories recursively; -Filter restricts the results by name and supports the * and ? wildcards, e.g. *.dat or *.exe.

Get-ChildItem -Path $Env:APPDATA -Force -Recurse -Filter run.dat
Instead of Get-ChildItem, we can use Test-Path to check whether the directory or file exists:
Test-Path -Path $Env:APPDATA\*\run.dat

Test-Path & Get-ChildItem PowerShell cmdlets

The run.dat hit above reveals the unique GUID directory name, 0319B08F-2B65-4192-B2D2-1E2F62087064; running the command below lists this folder, which contains the other artefacts:

Get-ChildItem -Path C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Force -Recurse

Gather File hashes

The Get-FileHash cmdlet computes a file hash with a chosen algorithm, e.g. MD5, SHA1 or SHA256. By default it uses SHA256, although any hash algorithm supported by the target operating system can be used.

SHA256

Get-FileHash -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'

MD5

Get-FileHash -Algorithm MD5 -Path 'C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\IMAP Service\imapsv.exe'

Copy artefacts for analysis

Before removing the artefacts, we may want to copy them for further analysis by other teams. Use the New-Item cmdlet to create the directory and Copy-Item to copy the files to the IoCs directory:

New-Item -ItemType Directory -Path C:\Users\admin\IoCs
Copy-Item C:\Users\admin\AppData\Roaming\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Destination C:\Users\admin\IoCs\ -Recurse

Check Locations for Possible Signs of Malware

gci -path C:\Users\*\AppData\Roaming\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Roaming\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Data -recurse -force -ea SilentlyContinue
gci -path C:\Users\*\AppData\Local\*\*\Modules -recurse -force -ea SilentlyContinue
gci -path C:\Windows\System32\config\systemprofile\appdata\roaming -recurse -force -include *.exe
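
Added example (not part of the original page) that ties the location sweep above to the hashing and artefact-copy steps: it hashes and signature-checks every executable-like file under those paths, copies each one into the IoC directory under a hash-prefixed name, and writes a CSV. $outDir and the file extensions are assumptions.

```powershell
# Added example, not from the original page: hash, signature-check and preserve every
# executable-like file found under the AppData locations scanned above.
# $outDir is an assumed location; point it at your team's collection share.
$outDir = 'C:\Users\admin\IoCs'
$paths  = @(
    'C:\Users\*\AppData\Roaming\*\Data',   'C:\Users\*\AppData\Roaming\*\Modules',
    'C:\Users\*\AppData\Local\*\Data',     'C:\Users\*\AppData\Local\*\Modules',
    'C:\Users\*\AppData\Roaming\*\*\Data', 'C:\Users\*\AppData\Roaming\*\*\Modules',
    'C:\Users\*\AppData\Local\*\*\Data',   'C:\Users\*\AppData\Local\*\*\Modules',
    'C:\Windows\System32\config\systemprofile\AppData\Roaming'
)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$files = Get-ChildItem -Path $paths -Recurse -Force -File -Include *.exe, *.dll, *.dat -ErrorAction SilentlyContinue

$report = foreach ($f in $files) {
    $sha256 = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    $sig    = Get-AuthenticodeSignature -LiteralPath $f.FullName   # Valid / NotSigned / HashMismatch ...
    # keep a copy for other teams; the hash prefix keeps same-named files from different dirs apart
    Copy-Item -LiteralPath $f.FullName -Destination (Join-Path $outDir "$($sha256)_$($f.Name)") -Force
    [pscustomobject]@{
        Path      = $f.FullName
        SizeBytes = $f.Length
        Created   = $f.CreationTime
        SHA256    = $sha256
        MD5       = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
        Signature = $sig.Status
        Signer    = $sig.SignerCertificate.Subject
    }
}
$report | Export-Csv -Path (Join-Path $outDir 'artefact-hashes.csv') -NoTypeInformation
# unsigned or tampered binaries are the ones to look at first
$report | Where-Object { $_.Signature -ne 'Valid' } | Format-Table Path, SHA256, Signature -AutoSize
```

Hash and copy before any Remove-Item step, since the CSV is what you hand to other teams once the files are gone.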

Delete Malware Artifacts

Terminate Malicious Process

Stop-Process can be used to terminate processes based on process name or process ID (PID), or pass a process object.

Get-Process RAVBg64 | Stop-Process

If the machine has already restarted, you may need to stop imapsv.exe instead of RAVBg64.exe, because imapsv.exe is the filename referenced by the registry persistence entry.

Remove Persistence

Get-ItemProperty cmdlet can be used for listing registry entries as shown below:

Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'IMAP Service'

Remove-ItemProperty can be used for removing malware-related persistence registry entry

Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Remove-ItemProperty -Name 'IMAP Service'

Note: Confirm the entry is gone:
Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
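
Added example (not part of the original page) for the Autostart Locations indicator and the persistence step above: it enumerates the Run/RunOnce keys, resolves each entry's image path, and flags entries whose image lives in a user-writable directory, which is where the 'IMAP Service' entry points. The key list and the suspect-directory list are assumptions.

```powershell
# Added example, not from the original page: review Run/RunOnce autostart entries and flag
# those whose image lives in a user-writable location (AppData, Temp, Public, ProgramData).
# Review the output before removing anything with Remove-ItemProperty.
$runKeys = @(                                                   # assumed set of keys to review
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
$suspectDirs = '\AppData\', '\Temp\', '\Users\Public\', '\ProgramData\'

$entries = foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }                   # skip PSPath, PSParentPath, ...
        $cmd = [Environment]::ExpandEnvironmentVariables([string]$p.Value)
        # image path: the quoted part, or else the shortest token prefix that exists on disk
        # (unquoted paths with spaces); bare names such as rundll32.exe will show Exists = False
        $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else {
            $tokens = $cmd -split ' '
            $cand = $tokens[0]
            for ($i = 1; $i -lt $tokens.Count -and -not (Test-Path -LiteralPath $cand -PathType Leaf); $i++) {
                $cand += ' ' + $tokens[$i]
            }
            $cand
        }
        [pscustomobject]@{
            Key        = $key
            Name       = $p.Name
            Command    = $cmd
            Exists     = ($exe -ne '') -and (Test-Path -LiteralPath $exe -PathType Leaf)
            Suspicious = [bool]($suspectDirs | Where-Object { $exe -like "*$_*" })
        }
    }
}
$entries | Sort-Object Suspicious -Descending | Format-Table Name, Suspicious, Exists, Command -AutoSize
```

An entry whose image no longer exists (Exists = False) is worth noting too: it is the trace the 'IMAP Service' value leaves behind once the GUID directory has been deleted.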

We have already removed the persistence mechanism; now we just need to delete the files from the infected machine using the Remove-Item cmdlet. Delete the complete directory recursively:

Remove-Item -Path $env:APPDATA\0319B08F-2B65-4192-B2D2-1E2F62087064\ -Recurse -Force

Remove the copy of the malware

Remove-Item -Path $env:TEMP\malware.exe -Force

Delete the initial file

Remove-Item -Path $env:USERPROFILE\Desktop\Serial.exe

Remediate malicious files

Remove-Item C:\Users\Public\*.exe
Remove-Item -Path C:\Users\Public\malware.exe -Force
Get-ChildItem * -Include *.exe -Recurse | Remove-Item

Note: The last command deletes every .exe below the current directory; change to the directory that holds the malicious files before running it.
