Hi Eric,
Thanks for this lab, it has been equal parts fun and educational! Found you through SimplyCyber's youtube channel, hope to see you back on there again!
Hello Eric,
Awesome guide, and great resources! I am not understanding one part of Part 4. When writing the rule, why did you use "<<routing/parent>>" and not the image path, such as $SystemRoot$\explorer.exe or vssadmin.exe?
By targeting the parent process, we kill the offending process that ran the bad command, e.g. the malware.
Hi Eric, just wanted to write and ask if you can link Part 4 from your 3rd article so it is easier to find.
Done, thanks!
For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as follows:
PS C:\Windows\system32> whoami
Shell exited
But I decided to try another time and repeat the shell process. On my second attempt, it worked the way it was supposed to, hanging and failing to return anything from the whoami command.
So my question is, during my first attempt why was I exited from the shell?
Thanks for the lab and the blog, it was truly educational, I'm going to mess around to learn more.
This is exactly what we hoped would happen... Because your D&R rule was configured to terminate the parent process of whatever ran the vssadmin command, your shell was terminated by the EDR agent because you ran the offending command. Does that make sense?
The "Shell Exited" is functionally equivalent to it hanging and failing to return anything.
I updated the post to reflect this possibility.
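To make concrete what Eric means by terminating the parent (his replies above about "<<routing/parent>>" and the shell exiting), here is an added illustration written for this thread; it is not code from the blog, the lab, or LimaCharlie. It models a process tree the way an EDR sensor records it and compares two responses to the same vssadmin detection: terminating only the matched image, or terminating the parent of the matched process and everything beneath it. The event layout (event/FILE_PATH, event/COMMAND_LINE, routing/this, routing/parent), the atom ids and the implant.exe name are constructed for the model; only the <<routing/parent>> placeholder comes from the lab's rule.

```python
# Added illustration (not the blog's or LimaCharlie's code): a toy model of a
# process tree as an EDR sensor records it, used to compare two response
# choices for the "vssadmin delete shadows" rule discussed in the comments:
# terminating the matched image (vssadmin.exe) versus terminating the parent
# of the matched process, the way <<routing/parent>> does in the lab's rule.
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass
class Process:
    atom: str             # sensor-assigned unique process id (constructed values below)
    parent: Optional[str]
    path: str
    cmdline: str


def build_tree() -> Dict[str, Process]:
    """Constructed sample tree: explorer -> implant -> powershell -> vssadmin.

    implant.exe is a placeholder standing in for the C2 implant from the lab.
    """
    procs = [
        Process("a1", None, r"C:\Windows\explorer.exe", "explorer.exe"),
        Process("a2", "a1", r"C:\Users\User\Downloads\implant.exe", "implant.exe"),
        Process("a3", "a2", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe"),
        Process("a4", "a3", r"C:\Windows\System32\vssadmin.exe", "vssadmin delete shadows /all"),
    ]
    return {p.atom: p for p in procs}


def new_process_event(proc: Process) -> dict:
    """Shape a NEW_PROCESS event as the rule addresses it: event/* fields plus routing ids (modelled layout)."""
    return {
        "event": {"FILE_PATH": proc.path, "COMMAND_LINE": proc.cmdline},
        "routing": {"this": proc.atom, "parent": proc.parent},
    }


def detect(evt: dict) -> bool:
    """Detection half, mirroring the lab rule: vssadmin.exe with 'delete shadows' on the command line."""
    path = evt["event"]["FILE_PATH"].lower()
    cmd = evt["event"]["COMMAND_LINE"].lower()
    return path.endswith(r"\vssadmin.exe") and "delete shadows" in cmd


def render(template: str, evt: dict):
    """Resolve a <<a/b>> placeholder against the event; models how <<routing/parent>> is filled in."""
    if not (template.startswith("<<") and template.endswith(">>")):
        return template
    node = evt
    for key in template[2:-2].split("/"):
        node = node[key]
    return node


def deny_tree(tree: Dict[str, Process], root: str) -> Set[str]:
    """Terminate a process and every descendant; returns the atoms that were killed."""
    killed = {root}
    frontier = [root]
    while frontier:
        cur = frontier.pop()
        for p in tree.values():
            if p.parent == cur and p.atom not in killed:
                killed.add(p.atom)
                frontier.append(p.atom)
    return killed


def respond(tree: Dict[str, Process], evt: dict, target_template: str) -> Set[str]:
    """Response half: deny the tree rooted at whatever the placeholder resolves to."""
    return deny_tree(tree, render(target_template, evt))


def simulate(target_template: str) -> Set[str]:
    """Feed every process to the rule; return everything the response terminated."""
    tree = build_tree()
    killed: Set[str] = set()
    for proc in tree.values():
        evt = new_process_event(proc)
        if detect(evt):
            killed |= respond(tree, evt, target_template)
    return killed


if __name__ == "__main__":
    shell = "a3"  # the powershell the operator is typing into
    print("kill matched image only:", sorted(simulate("<<routing/this>>")))
    print("deny_tree on parent:    ", sorted(simulate("<<routing/parent>>")))
    print("operator shell survives image-only kill:", shell not in simulate("<<routing/this>>"))
    print("operator shell survives parent kill:    ", shell not in simulate("<<routing/parent>>"))
```

Targeting the matched image removes only vssadmin.exe, which has already done its work by the time the event arrives; targeting the parent removes the shell that issued the command, which is exactly the "Shell exited" the commenters saw. Note that in this model the implant (a2) itself survives, which is consistent with being able to open a fresh shell afterwards and repeat the exercise.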
From where did you repeat the process again to get the same outcome as Eric explained?
Hi Eric, thanks for this lab walkthrough, I really appreciate it. One question please:
For the last part, after setting up the D&R rule and running the command "vssadmin delete shadows /all" and then "whoami", the result was as follows:
PS C:\Windows\system32> whoami
Shell exited
Why is this happening?
What can I do? Thanks.
This is exactly what we hoped would happen... Because your D&R rule was configured to terminate the parent process of whatever ran the vssadmin command, your shell was terminated by the EDR agent because you ran the offending command. Does that make sense?
I updated the post to reflect this possibility.
Yes it does. Now I understand it better. I am grateful, thank you.
I am a bit confused about whether we're supposed to download the ransomware simulator in the last part directly from the Windows VM, and run it using PowerShell?
It's an optional continuation for the reader to try, I don't prescribe any specific way to do it.
Hello Eric. Thanks for the well made guide. I had a lot of fun following along.
What kind of experience can I put down on a CV that would seem relevant to a SOC position after this lab? Thanks
Hello Eric, how exactly do you download and execute Florian's ransomware simulator?
I am having a hard time with that. Thanks for the blogs.
Hello Ruben,
At the GitHub site, look for QuickBuck 1.0.3 Obfuscated on the right side, download it and run it.
Hope this helps
I figured it out: you need to do what the guy above says and download the obfuscated version of QuickBuck onto the victim VM, that being your Windows VM. Execute it by launching Sliver like in Part 2, running shell like in Part 3, going to the directory C:\Users\User\Downloads and executing the program by running quickbuck run on the command line. It will run from there and you should see it execute and generate a ransomware .txt file. Success! Use the GitHub as a reference on how to run it on the command line and how it should look :) Hope y'all were able to figure it out in the time frame, but hopefully this helps anyone else looking to learn this lab! :)