Part one: Activating a Trojan
Following along with Lab 2, browsing the file explorer to c:\GTSLABS brought me to a bunch of setup files. Running the file “setup” installed a piece of software, which turned out to be Minesweeper. After accepting the default settings, the lab asked me to check whether anything else had installed, in this case I’m guessing the Trojan. Scanning through the Task Manager processes, which the lab tells you to check, all I could find that was unusual to me was “nc (32-bit)”.
Further investigation is required.
The Lab required us to open up and view the event logs of the system to see if I could see anything unusual inside of the Application and System logs.
As soon as I clicked on the Application logs, I saw an error from Security-SPP, which, after a little research, I learnt is a service related to Windows licensing and activation. In the details it says that the license activation had failed. Unaware as to why, I think it may be due to this being a VM.
Looking further down the Application log list, I found a lot more of the Security-SPP errors but also a Perflib 1008 error; unaware of what it was, I did some research. This event may occur for various applications. When the performance monitor reads all counters for the first time, the extension’s Open procedure is called. A typical task for the Open procedure is to read from the registry what range of object indexes it supports. These index values are stored in the First Counter, First Help, Last Counter, and Last Help registry values under the application’s performance key. If the Open procedure fails to read the data (i.e. those entries don’t exist or have been deleted), the 1008 event is recorded in the event log.
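The registry mechanism described above can be checked directly rather than by reading the event text. The script below is an added example, not part of the original lab write-up: it pulls recent Perflib 1008 events from the Application log and then walks every service's Performance key, reporting any key that lacks one of the four index values the Open procedure needs. Run it from an elevated PowerShell prompt on the client VM; the provider-name match on "Perflib" is an assumption about how the source appears in the log.

```powershell
# Added example (not from the lab): audit Perflib counter registration.
# 1. Recent Perflib 1008 events from the Application log.
# 2. Every service Performance key missing First/Last Counter or First/Last Help,
#    which is exactly the condition that makes the counter's Open procedure fail.

function Get-Perflib1008Events {
    param([int]$Newest = 10)
    # Event ID 1008 is written to the Application log; filter the provider by name
    # afterwards so this works whether the source shows as "Perflib" or its full name.
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1008 } -MaxEvents ($Newest * 5) -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Perflib*' } |
        Select-Object -First $Newest TimeCreated, ProviderName,
            @{ Name = 'Message'; Expression = { ($_.Message -replace '\s+', ' ').Trim() } }
}

function Get-BrokenPerformanceKeys {
    $required     = 'First Counter', 'First Help', 'Last Counter', 'Last Help'
    $servicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'

    Get-ChildItem $servicesRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $svc     = $_
        $perfKey = Join-Path $svc.PSPath 'Performance'
        if (Test-Path $perfKey) {
            $props   = Get-ItemProperty -Path $perfKey -ErrorAction SilentlyContinue
            # Any of the four index values absent -> the Open procedure cannot read its range.
            $missing = $required | Where-Object { $null -eq $props.$_ }
            if ($missing) {
                [pscustomobject]@{
                    Service = $svc.PSChildName
                    Library = $props.Library          # the counter DLL the key registers
                    Missing = ($missing -join ', ')
                }
            }
        }
    }
}

Get-Perflib1008Events     | Format-List
Get-BrokenPerformanceKeys | Format-Table -AutoSize
```

The second list is usually longer than the number of 1008 events, because Perflib only logs the failure for a counter that something actually tried to read; matching the service named in the event message against the Missing column tells you which registration is the one the log is complaining about.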
Moving on to checking out the System logs now, I was first met with a warning that didn’t hold much value as it had already fixed itself. But moving further down the list I came across a DistributedCOM 10010 error. Checking it out, I found that these errors are just timing issues and are meaningless to the end user; the system is still working fine after all.
I found a critical error that was caused by the system not shutting down properly. I don’t think that is what I’m looking for, then again I’m not entirely sure what I am looking for. Still scanning down the System logs, I came across an Eventlog error that was caused by an unexpected shutdown of the system and a volsnap error that was caused by a shadow copy of my C: being aborted due to limited storage.
Moving further down, I found a list of warnings with a particular error in between them, which had to do with Group Policy.
That was all that I could find while moving down the two lists.
The lab required us to open up the Windows Firewall and navigate to inbound rules to spot anything unusual. As soon as I had opened it, it was full of errors, well, not full, but there were a lot.
Part two: Exploiting the Trojan
This part of the lab was introducing how to exploit the backdoor from the Rogue VM. Following along with the lab, I got to the point where we need to scan for the port number 4450, to listen for the Trojan currently accessing the client at administrator level, but whenever I go to scan, the only alive machine that shows up is the ROGUE, which is the one I am running the IP scanner off. I have no idea why it won’t work properly with the lab.
So I’m going to have to skip this section and see if I am still able to carry on with this lab.
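The same listener the lab has you find from the Rogue VM can be confirmed from the client itself, which is the view a defender normally has. The script below is an added example, not part of the lab or its materials: it lists every TCP listener on the host together with the owning process and its command line, and flags rows whose image name is on a small watch list (netcat, as seen in Task Manager above) or whose port is the 4450 the lab names. The watch list is an assumption; Get-NetTCPConnection needs Windows 8 / Server 2012 or later and an elevated prompt so other users' command lines are readable.

```powershell
# Added example (not from the lab): host-side view of TCP listeners and their processes.
# Flags listeners owned by a watch-listed image name or bound to a watch-listed port.

function Get-ListeningProcesses {
    param(
        [string[]]$WatchNames = @('nc', 'ncat', 'netcat'),   # assumed watch list
        [int[]]$WatchPorts    = @(4450)                       # port named in the lab
    )

    # Command lines come from CIM; index them once by PID so each listener is one lookup.
    $cmdlines = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cmdlines[[int]$_.ProcessId] = $_.CommandLine }

    Get-NetTCPConnection -State Listen | ForEach-Object {
        $conn = $_
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $name = if ($proc) { $proc.ProcessName } else { '<exited>' }
        [pscustomobject]@{
            LocalAddress = $conn.LocalAddress
            LocalPort    = $conn.LocalPort
            PID          = $conn.OwningProcess
            Process      = $name
            CommandLine  = $cmdlines[[int]$conn.OwningProcess]
            # Either signal alone is enough to surface the row for review.
            Suspicious   = ($WatchNames -contains $name.ToLower()) -or ($WatchPorts -contains $conn.LocalPort)
        }
    } | Sort-Object @{ Expression = 'Suspicious'; Descending = $true }, LocalPort
}

Get-ListeningProcesses | Format-Table -AutoSize
```

A listener bound to 0.0.0.0 rather than 127.0.0.1 is reachable from other machines, which is what a port scan from another VM would find; the CommandLine column shows what the binary was started with, which for netcat is where the listen port and any attached shell appear.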
Part Three: Blocking the Trojan
Part three tells me to go through the firewall and disable any rule that has Firewall Service.
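Disabling rules through the firewall console works one rule at a time. The script below is an added example, not part of the lab: it lists the enabled inbound Allow rules with the port and program each one opens, then disables the ones whose display name matches a pattern. The pattern '*Firewall Service*' is a placeholder taken from the lab's wording; substitute the rule names you actually see. It needs the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated prompt, and supports -WhatIf so the list can be reviewed before anything changes.

```powershell
# Added example (not from the lab): audit and disable inbound firewall rules.

function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name        = $rule.Name
            DisplayName = $rule.DisplayName
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            LocalPort   = ($port.LocalPort -join ',')
            Program     = $app.Program        # "Any" means the rule is not tied to a binary
            Group       = $rule.DisplayGroup  # blank group is common for hand-added rules
        }
    }
}

function Disable-MatchingInboundRules {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)][string]$DisplayNamePattern)

    Get-NetFirewallRule -Direction Inbound -Enabled True |
        Where-Object { $_.DisplayName -like $DisplayNamePattern } |
        ForEach-Object {
            if ($PSCmdlet.ShouldProcess($_.DisplayName, 'Disable firewall rule')) {
                $_ | Disable-NetFirewallRule
            }
        }
}

# Review first; -WhatIf prints what would be disabled without touching anything.
Get-InboundAllowRules | Sort-Object LocalPort | Format-Table -AutoSize
Disable-MatchingInboundRules -DisplayNamePattern '*Firewall Service*' -WhatIf
```

Rules with no DisplayGroup, Program set to Any and a single high local port are the ones worth reading closely, since Windows' own rules almost always belong to a named group and are tied to a program or service.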
Part 4: Deploying Malware Protection
We are using Group Policy on the server VM to ensure that Windows Defender is active on each computer, by disabling “Turn off Windows Defender”, “Turn off routine remediation”, and “Turn off real-time protection”.
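Once the GPO is linked, a client should show the effect both in policy and in what the engine is actually doing. The script below is an added example, not part of the lab: it reads the three registry values those Group Policy settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (a value of 1 means the "Turn off" policy is Enabled; 0 or absent means Defender stays on) and then reports Defender's live status from Get-MpComputerStatus. Run gpupdate /force first if the GPO was only just applied.

```powershell
# Added example (not from the lab): verify the Defender GPO settings on a client.

function Test-DefenderPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
    # GPO display name -> registry location it writes. A DWORD of 1 means the
    # "Turn off ..." policy is Enabled, i.e. that protection is switched off.
    $checks = @(
        @{ Policy = 'Turn off Windows Defender';     Key = $base;                        Value = 'DisableAntiSpyware' }
        @{ Policy = 'Turn off routine remediation';  Key = $base;                        Value = 'DisableRoutinelyTakingAction' }
        @{ Policy = 'Turn off real-time protection'; Key = "$base\Real-Time Protection"; Value = 'DisableRealtimeMonitoring' }
    )
    foreach ($c in $checks) {
        $data = (Get-ItemProperty -Path $c.Key -Name $c.Value -ErrorAction SilentlyContinue).($c.Value)
        [pscustomobject]@{
            Policy        = $c.Policy
            RegistryValue = if ($null -eq $data) { '<not set>' } else { $data }
            ProtectionOn  = ($null -eq $data) -or ($data -eq 0)
        }
    }
}

function Test-DefenderStatus {
    # Ground truth from the engine itself, independent of what policy says.
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AntivirusEnabled          = $s.AntivirusEnabled
        RealTimeProtectionEnabled = $s.RealTimeProtectionEnabled
        AntivirusSignatureAge     = $s.AntivirusSignatureAge   # days since last definition update
        QuickScanAge              = $s.QuickScanAge            # days since last quick scan
    }
}

Test-DefenderPolicy | Format-Table -AutoSize
Test-DefenderStatus
```

If every ProtectionOn is True but RealTimeProtectionEnabled is False, something other than Group Policy is turning protection off (a third-party product registered with Security Center is the usual cause), which is worth knowing before trusting the GPO to do the job.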
Part 5: Using the AntiVirus Software
This section was all about how to use the anti-virus software to detect and neutralize malware threats. It was really interesting because when I navigated to Documents to run the file, it wasn’t even there, but in Windows Defender the “DOS/Eicar_Test_File” was there in the history. I was able to follow along with this part of the lab.
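The history entry found in the Defender UI can also be read from PowerShell, which is handy when checking many machines. The script below is an added example, not part of the lab: Get-MpThreatDetection lists each detection event and Get-MpThreat carries the threat name and severity, so joining them on ThreatID gives one row per detection, filtered here to the EICAR test file the lab used. The default name filter is an assumption matching the "DOS/Eicar_Test_File" name seen above.

```powershell
# Added example (not from the lab): read Defender's detection history.

function Get-DefenderDetections {
    param([string]$NameFilter = '*Eicar*')   # default matches the lab's DOS/Eicar_Test_File

    # Threat metadata (name, severity) is keyed by ThreatID; index it once.
    $threats = @{}
    Get-MpThreat | ForEach-Object { $threats[$_.ThreatID] = $_ }

    Get-MpThreatDetection | ForEach-Object {
        $t = $threats[$_.ThreatID]
        [pscustomobject]@{
            Detected   = $_.InitialDetectionTime
            ThreatName = if ($t) { $t.ThreatName } else { "<id $($_.ThreatID)>" }
            Severity   = if ($t) { $t.SeverityID } else { $null }
            Process    = $_.ProcessName            # process that touched the file
            Resources  = ($_.Resources -join '; ') # file paths involved
            Remediated = $_.ActionSuccess          # whether Defender's action succeeded
        }
    } | Where-Object { $_.ThreatName -like $NameFilter } | Sort-Object Detected -Descending
}

Get-DefenderDetections | Format-List
```

A row with Remediated set to True and the Documents path in Resources is the record of real-time protection removing the file at the moment it was written, which is why it is no longer in the folder by the time you go to run it.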
Also I wasn’t able to revert anything back!! I can’t find the revert button!
I came back to this lab after I went through the class forum, and it had solutions to the problem I had earlier in this lab. So I did redo it.