In this post, we cover the investigation of a compromised Windows machine that hosts a WMI backdoor, as part of the TryHackMe Investigating Windows 2.0 lab.

Investigating Windows machines is part of the incident response process. In this tutorial we perform live forensics on the machine. Live analysis is normally done only after taking a bit-by-bit copy of the disk and of RAM, because a compromised machine is not a reliable source of evidence: the output of every command can be altered by the malware or by a rootkit.

The machine we are investigating is infected with a WMI (Windows Management Instrumentation) backdoor. WMI backdoors rely on permanent event subscriptions, which consist of three objects: an event filter (a WQL query describing the condition to watch for), an event consumer (the action Windows performs when that condition is met, for example running a script or a command line), and a FilterToConsumerBinding that ties the filter to the consumer. Whenever the filter's condition is met, the bound consumer executes.
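To see that chain on a live host, the following PowerShell triage lists every filter, consumer and binding in root\subscription and flags the combination this room uses (a process-start filter bound to a consumer that runs script). It is an added example, not code from the post or the room; the regex heuristics are assumptions to tune per environment.

```powershell
# Added example (not from the post or the TryHackMe room): enumerate permanent WMI
# event subscriptions and flag process/timer filters bound to code-executing consumers.
# Run in an elevated PowerShell session on the live system.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Heuristics (assumption: tune to the estate). Process-start and timer filters are the
# usual backdoor triggers; script and command-line consumers execute attacker code.
$triggerPattern = 'Win32_ProcessStartTrace|__InstanceCreationEvent|Win32_LocalTime|__TimerEvent'
$payloadPattern = 'powershell|cmd\.exe|wscript|cscript|\.vbs|\.ps1|\\TMP\\|\\Temp\\|\\Public\\'
$codeConsumers  = 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'

$report = foreach ($b in $bindings) {
    # Filter and Consumer are reference properties; CIM exposes them as instances keyed by Name.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $consumerClass = if ($c) { $c.CimClass.CimClassName } else { 'MISSING' }
    $payload = switch ($consumerClass) {
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
        'CommandLineEventConsumer'  { $c.CommandLineTemplate }
        default                     { '' }
    }
    $reasons = @()
    if ($f.Query -match $triggerPattern)   { $reasons += 'filter fires on process or timer events' }
    if ($consumerClass -in $codeConsumers) { $reasons += "consumer executes code ($consumerClass)" }
    if ($payload -match $payloadPattern)   { $reasons += 'payload references a script host or user-writable path' }
    [pscustomobject]@{
        Filter        = $b.Filter.Name
        Query         = $f.Query
        Consumer      = $b.Consumer.Name
        ConsumerClass = $consumerClass
        Payload       = $payload
        Suspicious    = $reasons.Count -gt 0
        Reasons       = $reasons -join '; '
    }
}
$report | Sort-Object Suspicious -Descending | Format-List
```

On a default Windows install the binding of the BVTFilter filter to the NTEventLogEventConsumer named "SCM Event Log Consumer" is expected and does not trip these heuristics; anything else deserves a look. Where Sysmon is deployed, Event IDs 19, 20 and 21 record filter, consumer and binding creation, so the same chain can be reconstructed historically.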

The Scenario: What We’re Dealing With

The machine I’m looking at has a few nasty surprises waiting for me:

  • A WMI Backdoor: This is the main problem. The backdoor is set up to do two things:
    • Kill Processes: It’s designed to shut down certain programs, like Process Explorer, to make it harder to see what’s going on.
    • Fetch Payloads: It can also reach out to a command and control (C2) server to download and run other malicious files.
  • Scheduled Tasks: There are a couple of scheduled tasks that are up to no good:
    • One task dumps passwords from the SAM database every five minutes.
    • Another task runs a listener on port 1348, which gives an attacker a way to connect to the machine.
  • Malicious Files: I also found a couple of malicious executable files: a Trojan and an Advanced Persistent Threat (APT).

My Toolkit: The Tools of the Trade

Before I started poking around, I made sure to take memory and disk images of the system. This is a crucial step to make sure I don’t accidentally change anything. Then, I used a variety of tools to investigate:

  • Process Hacker, Process Monitor, Autoruns, and Process Explorer: These are all great tools for looking at running processes, what starts up with the system, and what’s happening in real-time.
  • Loki: This is a YARA and IOC scanner that helps me find malicious files based on signatures.
  • Registry Editor and Task Scheduler: I used these to look at the scheduled tasks and see how they were configured.

The Investigation: Uncovering the Malware’s Secrets

Here’s what I found as I dug into the system:

  • Scheduled Tasks: I found three suspicious scheduled tasks:
    • “Flash Update 22”: This one was a bit of a red herring. It just ran a blank PowerShell command every two minutes.
    • “Game Over”: This was the password dumper. It ran a program called mim.exe (a version of Mimikatz) to steal passwords and save them to a file.
    • “Clean File System”: This task ran a Netcat PowerShell script to open up that listener on port 1348.
  • The Temp Directory: The temp directory was a treasure trove of malicious files, including mim.exe, the WMI backdoor script (wmi_backdoor.vbs), and the scheduled task script (schedule_task_backdoor.ps1).
  • The WMI Backdoor Script: The VBScript file was the heart of the backdoor. It had two main parts:
    • “Kill Process”: I was able to query the WMI objects and see that this part of the script was specifically designed to kill process_explorer_64.exe.
    • “Launch Beacon Backdoor”: This part of the script was supposed to connect to a C2 server, but it wasn’t fully implemented in this case.
  • Malicious Executables: I also found nbtscan.exe and p.exe, which were the Trojan and APT files. These would normally be sent off for reverse engineering to see exactly what they do.
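The three scheduled tasks above share two traits: an action that launches PowerShell, Netcat or a Mimikatz-style binary from a user-writable path, and a trigger that repeats every few minutes. The following triage script, an added example rather than code from the post or the room, walks every task on the host and reports the ones showing either trait; the interval threshold and regex patterns are assumptions to tune.

```powershell
# Added example (not from the post or the TryHackMe room): flag scheduled tasks whose
# action or repetition looks like the Flash Update 22 / Game Over / Clean File System
# tasks. Requires the ScheduledTasks module (Windows 8 / Server 2012 and later).
$maxInterval = [TimeSpan]::FromMinutes(10)   # assumption: tune to the environment
$toolPattern = 'powershell|pwsh|\bnc(\.exe)?\b|ncat|netcat|mim(ikatz)?\.exe|-enc\w*|-e \S{20,}'
$pathPattern = '\\TMP\\|\\Temp\\|\\Public\\|\\AppData\\'

$findings = foreach ($t in Get-ScheduledTask) {
    $reasons = @()
    $actions = foreach ($a in $t.Actions) {
        if ($a.Execute) { "$($a.Execute) $($a.Arguments)".Trim() }   # skip non-Exec actions
    }
    $cmdline = $actions -join ' '
    if ($cmdline -match $toolPattern) { $reasons += 'action launches a script host, Netcat or Mimikatz-like tool' }
    if ($cmdline -match $pathPattern) { $reasons += 'action runs from a user-writable directory' }
    foreach ($tr in $t.Triggers) {
        $iso = $tr.Repetition.Interval       # ISO 8601 duration such as PT2M; $null when no repetition
        if ($iso) {
            $span = [System.Xml.XmlConvert]::ToTimeSpan($iso)
            if ($span -le $maxInterval) { $reasons += "repeats every $($span.TotalMinutes) min" }
        }
    }
    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            Task    = "$($t.TaskPath)$($t.TaskName)"
            RunsAs  = "$($t.Principal.UserId) ($($t.Principal.RunLevel))"
            Actions = $actions -join ' | '
            Reasons = $reasons -join '; '
        }
    }
}
$findings | Format-List
```

Compare each hit against the task's registry entry under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache and the XML in C:\Windows\System32\Tasks, since a tampered task can differ between the two.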

Answering the Challenge Questions

As part of my investigation, I answered a series of questions to make sure I had a full understanding of the attack:

  • I found the registry key that stored the command for the password-dumping scheduled task.
  • I confirmed that Process Explorer 64 was the tool that was being killed by the backdoor.
  • I found the WQL query that the backdoor was using to find and kill Process Explorer.
  • I identified the language of the backdoor script as VBScript.
  • I found the name of the other script launched by the backdoor: “Launch Beacon Backdoor.”
  • I even found the name of a software company, “Motobit Software,” mentioned in the script.
  • I located the WMI backdoor file in the temp directory.
  • I identified the two processes that were opening and closing quickly: mim.exe and powershell.exe.
  • I found that the parent process for mim.exe was svchost.exe.
  • I observed that the first operation of mim.exe was “Process Start.”
  • I noted the four pieces of information displayed in the event tab for mim.exe: Parent PID, Command Line, Current Directory, and Environment.
  • I found an unusual process in the disk operations: “No Process.”
  • I used Loki to scan the system and found a lot of interesting things:
    • The first module to initialize was “WMI Scan.”
    • The name of the event filter in the second warning was “Process Start Trigger.”
    • The class name in the fourth warning was “FilterToConsumerBinding.”
    • I got a binary alert for nbtscan.exe because it matched a known malicious file name.
    • I got an APT alert for p.exe because it also matched a known malicious file name.
    • I found a PowerShell script that was performing task scheduling.
    • I found an encrypted binary, xcmd.exe, that was using XOR encryption.
  • I found a malicious svchost.exe file in C:\Users\Public, which is not where it should be. The legitimate path is C:\Windows\System32.
  • The reason for the alert on this file was that it was “stuff running where it normally shouldn’t.”
  • I found a malicious JavaScript file in the same folder.
  • I even created a custom YARA rule to detect mim.exe, since it wasn’t being picked up by the existing rules.

I hope this detailed walkthrough gives you a good idea of how to investigate a compromised Windows system. It’s a lot of work, but with the right tools and a systematic approach, you can uncover even the most sophisticated attacks.

TryHackMe Investigating Windows 2.0 Answers

What registry key contains the same command that is executed within a scheduled task?
HKCU\Environment\UserIntMprLogonScript

What analysis tool will immediately close if/when you attempt to launch it?
procexp64.exe

What is the full WQL Query associated with this script?
SELECT * FROM Win32_ProcessStartTrace WHERE ProcessName = 'procexp64.exe'

What is the script language?
VBScript

What is the name of the other script?
LaunchBeaconingBackdoor

What is the name of the software company visible within the script?
Motobit Software

What 2 websites are associated with this software company? (answer, answer)
http://www.motobit.com, http://motobit.cz

Search online for the name of the script from Q5 and one of the websites from the previous answer. What attack script comes up in your search?
WMIBackdoor.ps1

What is the location of this file within the local machine?
C:\TMP

Which 2 processes open and close very quickly every few minutes? (answer, answer)
mim.exe, powershell.exe

What is the parent process for these 2 processes?
svchost.exe

What is the first operation for the first of the 2 processes?
Process Start

Inspect the properties for the 1st occurrence of this process. In the Event tab what are the 4 pieces of information displayed? (answer, answer, answer, answer)
Parent PID, Command line, Current directory, Environment

Inspect the disk operations, what is the name of the unusual process?
No process

Run Loki. Inspect the output. What is the name of the module after Init?
WMIScan

Regarding the 2nd warning, what is the name of the eventFilter?
ProcessStartTrigger

For the 4th warning, what is the class name?
__FilterToConsumerBinding

What binary alert has the following 4d5a90000300000004000000ffff0000b8000000 as FIRST_BYTES?
nbtscan.exe

According to the results, what is the description listed for reason 1?
Known Bad / Dual use classics

Which binary alert is marked as APT Cloaked?
p.exe

What are the matches? (str1, str2)
psexesvc.exe, Sysinternals PsExec

Which binary alert is associated with somethingwindows.dmp found in C:\TMP?
schtasks-backdoor.ps1

Which binary is encrypted that is similar to a trojan?
xCmd.exe

There is a binary that can masquerade itself as a legitimate core Windows process/image. What is the full path of this binary?
C:\Users\Public\svchost.exe

What is the full path location for the legitimate version?
C:\Windows\System32

What is the description listed for reason 1?
Stuff running where it normally shouldn’t

There is a file in the same folder location that is labeled as a hacktool. What is the name of the file?
en-US.js

What is the name of the Yara Rule MATCH?
CACTUSTORCH

Which binary didn’t show in the Loki results?
mim.exe

Complete the yar rule file located within the Tools folder on the Desktop. What are 3 strings to complete the rule in order to detect the binary Loki didn’t hit on? (answer, answer, answer)
mk.ps1, mk.exe, v2.0.50727

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.