Windows Incident Response: Detect and delete backdoor malware in Windows



In this post we are going to learn how to detect and remove a backdoor that listens on a TCP port, and then how to detect and delete a second backdoor that does not listen at all but periodically connects out to its C2 domain.
For this I am going to use a non-malicious program named "504lab", created by the SANS Institute. It plants a backdoor on my system and my task is to find it and delete it. The download link is at the end of the post so that you can practice it yourself.

Before doing this we need to make sure the Windows firewall is completely off, so first we will stop the firewall. To do this open a command prompt as administrator and type "netsh advfirewall set allprofiles state off". Do this only on a lab machine, and turn the firewall back on when you are done with "netsh advfirewall set allprofiles state on".

Now go to the directory where the program is located and start it from the command prompt.


After it starts, it asks us to open a second command prompt and run "netstat -aon" so that we can see which ports are open and which connections are active on the system. So open a second command prompt and type "netstat -aon": -a lists all active connections and listening ports, -n shows addresses and ports in numeric form instead of resolving names, and -o displays the process ID (PID) that owns each connection.


After this we press Enter in the 504lab console.


Now it is asking us to find the port number on which the backdoor is listening. To do this go to your second command prompt and type "netstat -aonb". Here I added the -b option so that we also get the name of the executable that created each connection or listening port; -b only works from an elevated (administrator) prompt. After running this command we get output like the one below.


Look through the output for anything that does not belong. The only process that looks suspicious is a powershell.exe sitting in the LISTENING state: an interactive PowerShell normally has no reason to accept inbound TCP connections, and PowerShell is a favourite tool of attackers because it is built into Windows, automates tasks, and is the engine behind many offensive toolkits. So note the port it is listening on, go to the lab console and enter that port number.


After entering this, it asks us to identify the process ID (PID) of the listener and enter it in the console.


To get the PID of this listener we run "netstat -aonb" again; the powershell.exe process appears with its PID in the last column, as shown below.


Now go back to the lab console and enter the process ID.


After this it asks us for the parent process ID.


To get the parent process ID I am going to use wmic, which makes it very easy to query lots of information about a Windows system. Go to your second command prompt, type "wmic process where processid=2228 get parentprocessid" and press Enter; it prints the parent process ID. (wmic is deprecated in current Windows releases; the PowerShell equivalent is "Get-CimInstance Win32_Process -Filter 'ProcessId=2228' | Select-Object ParentProcessId".) The parent matters because killing only the child leaves whatever spawned it free to respawn it.
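The netstat -aonb and wmic steps above, done in one pass as an added PowerShell example (this is not part of the 504lab write-up or the SANS tool). It maps every LISTENING TCP socket to its owning process, image path, parent process and command line, then flags listeners owned by scripting hosts. The list of "suspect" image names is my own triage assumption, not something the lab defines. It needs an elevated PowerShell on Windows 8 / Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example, not part of the 504lab write-up: the netstat -aonb / wmic steps
# in one PowerShell pass. Run from an elevated PowerShell (Get-NetTCPConnection
# needs Windows 8 / Server 2012 or later).

function Get-ListeningProcessMap {
    # Snapshot the process table once so parents can be resolved without re-querying.
    # Keys are cast to [int] consistently, since CIM returns UInt32 and a UInt32 key
    # would not match an [int] lookup.
    $procs = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection -State Listen | Sort-Object LocalPort | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]

        $image = '<exited or access denied>'; $path = $null; $ppid = $null; $cmd = $null
        if ($p) {
            $image = $p.Name
            $path  = $p.ExecutablePath
            $ppid  = [int]$p.ParentProcessId
            $cmd   = $p.CommandLine
        }

        $parentImage = '<exited or unknown>'
        if ($null -ne $ppid -and $procs.ContainsKey($ppid)) { $parentImage = $procs[$ppid].Name }

        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            PID          = [int]$_.OwningProcess
            Image        = $image
            Path         = $path
            PPID         = $ppid
            ParentImage  = $parentImage
            CommandLine  = $cmd
        }
    }
}

# Images that normally have no business holding a listening socket on a workstation.
# This list is an assumption for triage, not a rule from the lab.
$suspectImages = 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe',
                 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'

$map = Get-ListeningProcessMap
$map | Format-Table LocalAddress, LocalPort, PID, Image, PPID, ParentImage -AutoSize

$hits = $map | Where-Object { $suspectImages -contains $_.Image.ToLower() }
if ($hits) {
    "`nListeners worth a closer look (port, PID, parent, full command line):"
    $hits | Format-List LocalPort, PID, Image, Path, PPID, ParentImage, CommandLine
}
```

The parent image and full command line are printed for each hit because those are the two things you need before the netcat and kill steps: the command line tells you what the listener was started with, and the parent tells you what to kill so it cannot simply be respawned. On an older host without the NetTCPIP module, fall back to "netstat -aonb" exactly as in the post.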


After entering the parent process ID it asks us to use netcat to connect to the backdoor's TCP port, as shown below.


Now go to your netcat directory and type "nc.exe localhost 2857". Here localhost is the address of our backdoor, since it is listening on this same machine, and 2857 is the port it is listening on.


We get the flag. Now go to the lab console and enter it.


As we can see above it is asking for the TCP port again, so presumably the backdoor has moved to a new port. We run the same command, "netstat -aonb", and look for the powershell.exe listener again.


Enter the new port number in the lab console.


Now it is asking us to delete the process using wmic, so go to the second command prompt and type "wmic process where processid=2228 delete". This terminates the backdoor process. Note that wmic's "delete" on a Win32_Process instance only kills the running process; it removes nothing from disk, so on a real incident the file and whatever launched it still have to be found.


Now go back to the lab console and press Return.


Now it is going to start a PowerShell process that is not listening on any port. That means it is a reverse-connect backdoor: it periodically makes an outbound connection to its C2 domain, so it only shows up in netstat for the moment it is dialling out, and we have to find it from the process list instead (click on the picture to enlarge). To find this process we are going to use wmic again, so type "wmic process where name="powershell.exe" get processid" and we get the process ID of this PowerShell process.


After entering the PID of this process we can see below (click to enlarge) that it asks us to run wmic to retrieve the command line and find the flag in the script.


So go to the second command prompt, type "wmic process where name="powershell.exe" get commandline" and press Enter.


Looking closely at the long string of characters in the command line (click to enlarge), it is Base64, which is what PowerShell's -EncodedCommand option takes. So I will paste the string into base64decode.org and select decode. (On a real incident, decode it offline rather than pasting possible malware into a third-party website: in PowerShell, [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("<string>")) does the job.)


In the decoded output there is a flag between double quotes with a space between every character, written as "s a s q u a c h e 8 7 1 4 1 9 2 1 0 0". Those "spaces" are almost certainly not spaces at all but the null bytes of the UTF-16LE encoding that -EncodedCommand uses, which a generic Base64 decoder shows as blanks. So remove them, enter "sasquache8714192100" on the lab console and press Enter.
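The second half of the lab, finding the non-listening PowerShell, pulling its command line and decoding the Base64, done locally as an added PowerShell example (this is not part of the 504lab write-up or the SANS tool). The sample command line at the bottom is constructed here so the decoder can be checked offline; it is not the lab's real script. It also reproduces the "s p a c e d" look that a generic Base64 decoder gives, to show where those blanks come from.

```powershell
# Added example, not part of the 504lab write-up. -EncodedCommand takes Base64 of
# the script encoded as UTF-16LE, so a decoder that treats the bytes as ASCII shows
# a 0x00 byte (rendered as a blank) after every character.

function ConvertFrom-EncodedCommand {
    # Returns the decoded script if the command line carries an encoded command,
    # otherwise $null. powershell.exe accepts -e, -ec, -enc, -encoded and
    # -EncodedCommand, so all of those prefixes are matched.
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '(?i)-e(?:ncodedcommand|ncoded|nc|c)?\s+([A-Za-z0-9+/=]+)') {
        $bytes = [Convert]::FromBase64String($Matches[1])
        return [Text.Encoding]::Unicode.GetString($bytes)   # Unicode here means UTF-16LE
    }
    return $null
}

function Get-BeaconCandidate {
    # PowerShell processes that hold NO listening socket. A reverse-connect beacon is
    # only visible in netstat while it is dialling out, so start from the process list
    # and attach any outbound connection that happens to be up right now.
    $listeningPids = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue | ForEach-Object { [int]$_.OwningProcess })

    Get-CimInstance Win32_Process -Filter "Name='powershell.exe' OR Name='pwsh.exe'" |
        Where-Object { $listeningPids -notcontains [int]$_.ProcessId } |
        ForEach-Object {
            $out = Get-NetTCPConnection -OwningProcess $_.ProcessId -State Established -ErrorAction SilentlyContinue
            [pscustomobject]@{
                PID         = [int]$_.ProcessId
                PPID        = [int]$_.ParentProcessId
                CommandLine = $_.CommandLine
                Decoded     = ConvertFrom-EncodedCommand $_.CommandLine
                RemoteEnds  = @($out | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
            }
        }
}

# Constructed sample (not the lab's real script) so the decoder can be tried offline.
$script    = 'Write-Output "the flag lives here"; Start-Sleep -Seconds 60'
$b64       = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
$sampleCmd = "powershell.exe -NoP -NonI -W Hidden -EncodedCommand $b64"

# Correct decode: treat the bytes as UTF-16LE.
ConvertFrom-EncodedCommand $sampleCmd

# What a generic decoder shows: every other byte is 0x00, which looks like a space.
$naive = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($b64))
$naive -replace "`0", ' '

# Live run against this host (elevated prompt). Once the malicious PID is known,
# terminate it with: Stop-Process -Id <pid> -Force
Get-BeaconCandidate | Format-List
```

The decoder deliberately searches the command line for the option rather than assuming the Base64 is the last argument, because real loaders mix -EncodedCommand in with -NoProfile, -WindowStyle Hidden and similar flags in any order. Use Stop-Process by PID rather than by name for the kill, for the same reason the post gives for wmic: a name filter would also terminate the PowerShell session you are investigating from.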


Now it is asking us to kill this process using wmic. We use the same wmic delete command as before, but select the process by its process ID rather than by name, since a name filter would terminate every powershell.exe on the box including one we might be working in. Go to the second command prompt and type "wmic process where processid=3036 delete".


After deleting the malicious process, go to the lab console and press Enter.


As we can see above, we have removed all the malicious processes and successfully completed this task.

You can also practice this yourself: download the 504lab file from the link below and run it as administrator.

504lab SANS Institute

Comments

  1. Excellent site you have got here.. It’s difficult to find valuable information on incident response. I seriously appreciate individuals like you!
