We used Splunk to investigate the ransomware activity on a Windows machine. The ransomware was downloaded to the machine through Powershell and did a partial file system encryption. This was part of TryHackMe PS Eclipse
Scenario: You are a SOC Analyst for an MSSP (Managed Security Service Provider) company called TryNotHackMe.
A customer sent an email asking for an analyst to investigate the events that occurred on Keegan’s machine on Monday, May 16th, 2022. The client noted that the machine is operational, but some files have a weird file extension. The client is worried that there was a ransomware attempt on Keegan’s device.
Your manager has tasked you to check the events in Splunk to determine what occurred in Keegan’s device.
What is the address the binary was downloaded from? Add http:// to your answer & defang the URL.
What Windows executable was used to download the suspicious binary? Enter full path.
What command was executed to configure the suspicious binary to run with elevated privileges?
What permissions will the suspicious binary run as? What was the command to run the binary with elevated privileges? (Format: User + ; + CommandLine)
The suspicious binary connected to a remote server. What address did it connect to? Add http:// to your answer & defang the URL.
A PowerShell script was downloaded to the same location as the suspicious binary. What was the name of the file?
The malicious script was flagged as malicious. What do you think was the actual name of the malicious script?
A ransomware note was saved to disk, which can serve as an IOC. What is the full path to which the ransom note was saved?
The script saved an image file to disk to replace the user’s desktop wallpaper, which can also serve as an IOC. What is the full path of the image?