Monday, August 13, 2018

Lab 2 (First Lab)

This blog covers our first lab, 'Lab 2 / Malware Types'.

Exercise 1

For this exercise, we had to install our malware onto the WIN10-WS machine. It is disguised as Minesweeper, but as I noticed, there was a process I didn't recognise in the Task Manager called 'nc.exe'.




This exercise highlighted the importance of minimum privilege and knowledge of what looks suspicious.

Exercise 2

In this exercise, I learned how to exploit the trojan using the port open to Netcat. As the scan below shows, port 4450 is open on the WIN10-WS machine. This port will be used to access the machine's terminal with PuTTY.

With PuTTY, I ran some commands to allow me to remote into the Windows 10 machine.
As I went through the steps, I had some issues getting remote access to work.

For the command: "reg add “HKLM\SYSTEM\CurentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f", I forgot to add the space between "Terminal" and "Server" when writing out the command. There was also a misspelling where "Curent" should be "Current", which I noticed as I typed.

Here we can see I successfully got remote access:

I also got the keylogger installed and hidden, then restarted the machine:

Exercise 3

In this exercise, I had to take measures against the malware. As seen in the screenshot, the firewall rules that were allowing the PuTTY connection are no longer enabled, the .ini file that was auto-configuring the malware is deleted, and nc.exe is stopped. This is OK as a temporary fix because the computer is now safe from remote access, but we now need to stop further issues.

Exercise 4

In this exercise, I changed some GPOs so that Windows Defender cannot be turned off and some of its features cannot be disabled either. This should mean that Windows Defender is always on, so it can stop malware such as the one we installed from getting through.

Exercise 5

In this exercise, I first looked at using the Windows Defender antivirus. With the group policy forcing it to not be closed, it now works. When I try reinstalling the malware, it picks up an inserted virus signature in the malware. It doesn't pick up the Netcat exploit though.

Because Defender didn't pick up the Netcat exploit, I can still PuTTY in, so I now had to make a firewall rule that would stop any inbound connections to Netcat.
Here is the rule in the firewall, and PuTTY failing to connect with the rule blocking it.
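As an added example (not part of the lab write-up), here is a PowerShell script that performs the defender-side checks from Exercises 3 to 5 in one place: who owns the listener on port 4450, whether fDenyTSConnections has been flipped to 0, whether Defender real-time protection is still on, which inbound allow rules cover that port, and finally the inbound block rule for nc.exe. The port, process name and registry value come from the post; the firewall rule name is assumed.

```powershell
# Added example: defender-side checks for the Netcat trojan described in the lab.
# Run in an elevated PowerShell on the WIN10-WS machine.
$ListenerPort       = 4450      # port seen open in the Exercise 2 scan
$SuspectProcessName = 'nc'      # matches nc.exe from Exercise 1

# 1. Anything listening on the trojan's port, and which process owns it?
$listeners = Get-NetTCPConnection -State Listen -LocalPort $ListenerPort -ErrorAction SilentlyContinue
foreach ($conn in $listeners) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    Write-Warning ("Port {0} is listening; owner: {1} (PID {2}) at {3}" -f `
        $ListenerPort, $proc.Name, $conn.OwningProcess, $proc.Path)
}

# 2. Was Remote Desktop enabled via the registry value from Exercise 2? (0 = connections allowed)
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                       -Name fDenyTSConnections
if ($ts.fDenyTSConnections -eq 0) {
    Write-Warning 'fDenyTSConnections is 0: Remote Desktop connections are allowed.'
}

# 3. Is Defender real-time monitoring still on (what the Exercise 4 GPO is meant to guarantee)?
if ((Get-MpPreference).DisableRealtimeMonitoring) {
    Write-Warning 'Windows Defender real-time monitoring is disabled.'
}

# 4. Which enabled inbound allow rules cover the listener port? (Exercise 3 disabled these.)
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains "$ListenerPort" } |
    Select-Object DisplayName, Profile

# 5. Mitigation as in Exercise 5: stop nc.exe and block inbound connections to it.
#    The rule name 'Lab2 - Block inbound nc.exe' is an assumption, not from the lab sheet.
$ncPath = (Get-Process -Name $SuspectProcessName -ErrorAction SilentlyContinue |
           Select-Object -First 1).Path
if ($ncPath) {
    Stop-Process -Name $SuspectProcessName -Force
    New-NetFirewallRule -DisplayName 'Lab2 - Block inbound nc.exe' -Direction Inbound `
                        -Program $ncPath -Action Block -Profile Any | Out-Null
    Write-Output "Blocked inbound traffic to $ncPath"
}
```

Note that the block rule is keyed to the program path, so it stops the PuTTY connection even if the trojan is restarted on a different port, as long as the binary stays in the same location.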


Reflection

This lab didn't present any major blocks to me luckily. I know that many other students had lots of issues getting their machines to communicate over the port groups, but I was fortunate enough to have zero issues in that area :) (And yes, I rubbed it in their faces)
