// BTLO  ·  Incident Response

Attacks

BTLO Easy Event Viewer
Credential Access, Collection

Overview

ATTACKS is a straightforward MITRE ATT&CK mapping lab built around a compromised Windows host. The scenario provides firewall logs, Windows Event Logs, and Sysmon telemetry, and tasks you with tracing the full attack chain from initial reconnaissance through to malware persistence. It’s a solid exercise in correlating events across multiple log sources while mapping each action to the ATT&CK framework.

Tools used: Windows Event Viewer, Sysmon, Firewall Logs, Netstat, GitHub OSINT.


Reconnaissance

Active Scanning

The firewall log on the Desktop is the starting point. Reviewing it reveals the source IP 192[.]168[.]1[.]33 systematically probing ports on the target — classic active scanning behaviour.

MITRE: T1595 — Active Scanning

To confirm what ports are exposed on the endpoint from the victim’s perspective, the command netstat -an lists all listening ports and active connections without resolving hostnames — a quick way to see the attack surface.

Reviewing the output reveals SSH on port 22 is open, which becomes the attacker’s entry point.
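The writeup reads the netstat -an output by eye. As an added example (not part of the original writeup or the lab), the following parses a constructed netstat -an capture into structured rows, lists the TCP ports in LISTENING state, and flags the ones commonly used for remote administration; the sample output and the REMOTE_ACCESS_PORTS table are assumptions, not lab data.

```python
import re

# Constructed sample of `netstat -an` output from a Windows host (not the lab's capture).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.50:22        192.168.1.33:51234     ESTABLISHED
  TCP    [::]:22                [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Ports an attacker would probe first for a remote foothold (assumed list, not from the lab).
REMOTE_ACCESS_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}

# One netstat row: proto, local endpoint, foreign endpoint, optional state (UDP has none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port); port is None for '*'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per connection row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        lhost, lport = split_endpoint(local)
        fhost, fport = split_endpoint(foreign)
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "foreign_host": fhost, "foreign_port": fport, "state": state or ""})
    return rows


def listening_ports(rows):
    """Sorted TCP ports in LISTENING state: the host's exposed attack surface."""
    return sorted({r["local_port"] for r in rows
                   if r["proto"] == "TCP" and r["state"] == "LISTENING"})


def exposed_remote_access(rows):
    """Listening ports that offer a remote login, mapped to the service name."""
    return {p: REMOTE_ACCESS_PORTS[p] for p in listening_ports(rows) if p in REMOTE_ACCESS_PORTS}


def established_from(rows, peer_ip):
    """(local_port, foreign_port) pairs for live connections from a given peer."""
    return [(r["local_port"], r["foreign_port"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["foreign_host"] == peer_ip]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    print("listening:", listening_ports(rows))
    print("remote access exposed:", exposed_remote_access(rows))
    print("connections from 192.168.1.33:", established_from(rows, "192.168.1.33"))
```

Pairing the listening ports with the scanning host from the firewall log (here 192.168.1.33) shows which of the probed services actually accepted a connection, which is the same correlation the lab asks for between the firewall image and the netstat output.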


Initial Access & Credential Access

Brute Force SSH

With SSH exposed, the attacker targeted the Administrator account with a brute force attack. Filtering the Windows Security logs reveals repeated failed logon attempts followed by a successful authentication at 11/18/2022 5:14:08 PM.

The credential access technique is T1110 — Brute Force. Once the password was obtained, the attacker authenticated using those credentials, making the initial access technique T1078 — Valid Accounts. The distinction matters: T1110 describes how the credentials were obtained, T1078 describes how they were used to gain entry.
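The T1110 / T1078 pairing described above is exactly what a detection rule looks for: a burst of 4625 (failed logon) events followed by a 4624 (successful logon) for the same account from the same source. As an added example (not the lab's records or the writeup's own code), the following runs that correlation over constructed Security-log events; only the attacker IP and the 5:14:08 PM success time come from the writeup, the failure timestamps and the threshold/window values are assumptions.

```python
from datetime import datetime, timedelta

TS = "%m/%d/%Y %I:%M:%S %p"  # timestamp layout as Event Viewer shows it in the lab

# Constructed Security-log events (not the lab's actual records).
# 4625 = An account failed to log on, 4624 = An account was successfully logged on.
EVENTS = [
    {"time": "11/18/2022 5:13:41 PM", "id": 4625, "account": "Administrator", "ip": "192.168.1.33"},
    {"time": "11/18/2022 5:13:47 PM", "id": 4625, "account": "Administrator", "ip": "192.168.1.33"},
    {"time": "11/18/2022 5:13:52 PM", "id": 4625, "account": "Administrator", "ip": "192.168.1.33"},
    {"time": "11/18/2022 5:13:58 PM", "id": 4625, "account": "Administrator", "ip": "192.168.1.33"},
    {"time": "11/18/2022 5:14:03 PM", "id": 4625, "account": "Administrator", "ip": "192.168.1.33"},
    {"time": "11/18/2022 5:14:08 PM", "id": 4624, "account": "Administrator", "ip": "192.168.1.33"},
    # A normal interactive logon with no preceding failures; must not be reported.
    {"time": "11/18/2022 5:20:00 PM", "id": 4624, "account": "drb", "ip": "192.168.1.20"},
]


def parse_time(s):
    return datetime.strptime(s, TS)


def fmt(t):
    """Render a datetime the way Event Viewer does in the lab (hour not zero-padded)."""
    return f"{t.month}/{t.day}/{t.year} {t.strftime('%I:%M:%S %p').lstrip('0')}"


def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=5)):
    """One finding per (account, source IP) where at least `threshold` failed logons
    occurred within `window` before a successful logon from the same source."""
    failures = {}    # (account, ip) -> failure timestamps seen so far
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        key = (ev["account"].lower(), ev["ip"])
        t = parse_time(ev["time"])
        if ev["id"] == 4625:
            failures.setdefault(key, []).append(t)
        elif ev["id"] == 4624:
            recent = [f for f in failures.get(key, []) if t - f <= window]
            if len(recent) >= threshold:
                findings.append({
                    "account": ev["account"],
                    "source_ip": ev["ip"],
                    "failed_attempts": len(recent),
                    "first_failure": fmt(recent[0]),
                    "first_success": fmt(t),
                    "credential_access": "T1110 Brute Force",
                    "initial_access": "T1078 Valid Accounts",
                })
            failures[key] = []  # a success closes the window; report it once
    return findings


if __name__ == "__main__":
    for f in find_bruteforce_successes(EVENTS):
        print(f)
```

The success that closes the burst is reported once and the failure window is reset, so a later legitimate logon by the same account is not re-attributed to the earlier attack. The threshold of five failures in five minutes is an assumed tuning value; a real SSH brute force against Windows OpenSSH typically produces far more 4625 events than that.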


Persistence — Account Creation

New Local Account

Filtering Security Event logs for Event ID 4720 (user account created) reveals the attacker created a new local account: sysadmin.

MITRE: T1136 — Create Account

Following that, Event ID 4732 (a member was added to a security-enabled local group) confirms the sysadmin account was added to the Administrators group at:

11/18/2022 5:15:33 PM


Impact — Account Deletion

Deleting User drb

Filtering for Event ID 4726 (user account deleted) shows the attacker deleted the account drb — likely to remove a legitimate user and limit recovery options or cover tracks.

MITRE: T1531 — Account Access Removal

The relevant MITRE detection data source for account-based activity is DS0002 — User Account.
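The account-creation (4720), group-add (4732) and account-deletion (4726) events above are all DS0002 User Account telemetry, and the useful detection is the relationship between them: a brand-new account landing in Administrators seconds after creation, and a legitimate account being removed by the same actor. As an added example (not the lab's records or the writeup's own code), the following builds a per-account timeline from constructed Security-log events and emits a finding per ATT&CK technique; only the account names and the 5:15:33 PM group-add time come from the writeup, the other timestamps and the PRIVILEGED_GROUPS list are assumptions.

```python
from datetime import datetime, timedelta

TS = "%m/%d/%Y %I:%M:%S %p"

# Constructed Security-log events (not the lab's records).
# 4720 = user account created, 4732 = member added to security-enabled local group,
# 4726 = user account deleted. "subject" is the actor, "target" the account acted upon.
EVENTS = [
    {"time": "11/18/2022 5:15:10 PM", "id": 4720, "subject": "Administrator", "target": "sysadmin"},
    {"time": "11/18/2022 5:15:33 PM", "id": 4732, "subject": "Administrator", "target": "sysadmin",
     "group": "Administrators"},
    {"time": "11/18/2022 5:16:02 PM", "id": 4726, "subject": "Administrator", "target": "drb"},
]

ACCOUNT_EVENTS = {4720, 4732, 4726}
# Groups whose membership grants elevated access (assumed list, not from the lab).
PRIVILEGED_GROUPS = {"administrators", "remote desktop users", "backup operators"}


def parse_time(s):
    return datetime.strptime(s, TS)


def account_timeline(events):
    """Group account-management events by target account, oldest first."""
    timeline = {}
    for ev in sorted(events, key=lambda e: parse_time(e["time"])):
        if ev["id"] in ACCOUNT_EVENTS:
            timeline.setdefault(ev["target"].lower(), []).append(ev)
    return timeline


def findings(events, max_gap=timedelta(hours=1)):
    """Map each account-lifecycle event to the technique it evidences; a privileged
    group-add within `max_gap` of the account's creation is tied back to that creation."""
    out = []
    for evs in account_timeline(events).values():
        created_at = None
        for ev in evs:
            t = parse_time(ev["time"])
            if ev["id"] == 4720:
                created_at = t
                out.append({"technique": "T1136 Create Account", "account": ev["target"],
                            "by": ev["subject"], "time": ev["time"]})
            elif ev["id"] == 4732 and ev.get("group", "").lower() in PRIVILEGED_GROUPS:
                gap = None
                if created_at is not None and t - created_at <= max_gap:
                    gap = (t - created_at).total_seconds()
                out.append({"technique": "privileged-group-add", "account": ev["target"],
                            "group": ev["group"], "time": ev["time"],
                            "seconds_after_creation": gap})
            elif ev["id"] == 4726:
                out.append({"technique": "T1531 Account Access Removal", "account": ev["target"],
                            "by": ev["subject"], "time": ev["time"]})
    return out


if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f)
```

Real 4732 events carry the member as a SID rather than a name, so in practice the MemberSid has to be resolved (or joined against the 4720 event's TargetSid) before the account names line up as they do in this simplified sample.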


Execution — Malware Deployment

Keylogger Extraction

Filtering Sysmon for Event ID 1 (Process Create) and looking for 7-Zip activity reveals the command:

7z e keylogger.rar

The compressed file keylogger.rar was extracted using 7-Zip, producing two files dropped into C:\Users\Administrator\AppData\Roaming\WPDNSE\:

  rundell33.exe
  svchost.exe

Sysmon Event ID 11 (File Created) confirms both file creation events in that path.

The keylogger maps to T1056 — Input Capture, specifically sub-technique T1056.001 — Keylogging.

atapi.sys

Also visible in the Event ID 11 entries is the creation of atapi.sys — a driver file dropped by the malware, mimicking the legitimate Windows ATAPI storage driver name. The same trick applies to the dropped svchost.exe, which borrows the name of a core Windows process while living in a user's AppData folder.

MITRE: T1036 — Masquerading


Defense Evasion — Defender Tampering

Disabling WdNisDrv

Sysmon Event ID 13 (Registry Value Set) at 11/18/2022 5:24:18 PM reveals a modification to:

HKLM\System\CurrentControlSet\Services\WdNisDrv\Start

The value was set to DWORD 0x00000003 (Manual), effectively disabling automatic startup of the Windows Defender Network Inspection Service — a targeted defense evasion move to reduce detection capability.

MITRE: T1562.001 — Impair Defenses: Disable or Modify Tools


Persistence — Registry Run Keys

Malware Autostart Entries

Continuing through the Event ID 13 entries reveals two registry values written to the CurrentVersion\Run key, establishing persistence across reboots. In order of creation:

  1. Windows SCR Manager — pointing to rundell33.exe in WPDNSE
  2. Windows Atapi x86_64 Driver — pointing to svchost.exe in WPDNSE

Both use legitimate-sounding names to blend in during casual registry inspection.

MITRE: T1547.001 — Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
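The Sysmon findings above (the 7-Zip extraction in Event ID 1, the drops and the masquerading names in Event ID 11, the Defender Start value and the Run keys in Event ID 13) can all be expressed as simple rules over the event fields. As an added example covering the Execution, atapi.sys, Defense Evasion and Run-key sections (not the lab's telemetry or the writeup's own code), the following triages constructed Sysmon records and labels each hit with the technique from the mapping table; the file names, WPDNSE path, registry paths and 5:24:18 PM timestamp come from the writeup, while the other timestamps, the benign rows, and the EXPECTED_HOME, USER_WRITABLE and Defender service lists are assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed Sysmon records (not the lab's telemetry); see the lead-in for what is assumed.
SYSMON = [
    {"id": 1, "time": "11/18/2022 5:22:40 PM",
     "Image": r"C:\Program Files\7-Zip\7z.exe", "CommandLine": "7z e keylogger.rar"},
    {"id": 11, "time": "11/18/2022 5:22:41 PM",
     "TargetFilename": r"C:\Users\Administrator\AppData\Roaming\WPDNSE\rundell33.exe"},
    {"id": 11, "time": "11/18/2022 5:22:41 PM",
     "TargetFilename": r"C:\Users\Administrator\AppData\Roaming\WPDNSE\svchost.exe"},
    {"id": 11, "time": "11/18/2022 5:22:42 PM",
     "TargetFilename": r"C:\Users\Administrator\AppData\Roaming\WPDNSE\atapi.sys"},
    {"id": 11, "time": "11/18/2022 5:22:50 PM",   # benign, must not be flagged
     "TargetFilename": r"C:\Users\Administrator\Downloads\notes.txt"},
    {"id": 13, "time": "11/18/2022 5:24:18 PM",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\WdNisDrv\Start",
     "Details": "DWORD (0x00000003)"},
    {"id": 13, "time": "11/18/2022 5:24:20 PM",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows SCR Manager",
     "Details": r"C:\Users\Administrator\AppData\Roaming\WPDNSE\rundell33.exe"},
    {"id": 13, "time": "11/18/2022 5:24:21 PM",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Atapi x86_64 Driver",
     "Details": r"C:\Users\Administrator\AppData\Roaming\WPDNSE\svchost.exe"},
    {"id": 13, "time": "11/18/2022 5:30:00 PM",   # benign Run value in Program Files
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# Names that belong in a system directory; a copy anywhere else is masquerading (T1036).
EXPECTED_HOME = {"svchost.exe": r"c:\windows\system32",
                 "atapi.sys": r"c:\windows\system32\drivers"}
# User-writable locations where dropped payloads commonly land (assumed list).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Defender service/driver Start values: 3 = manual (demand start), 4 = disabled.
DEFENDER_START = re.compile(
    r"\\services\\(windefend|wdnissvc|wdnisdrv|wdfilter|wdboot|sense)\\start$", re.I)
DWORD = re.compile(r"DWORD \((0x[0-9a-f]+)\)", re.I)  # Sysmon renders DWORDs this way
ARCHIVERS = {"7z.exe", "7za.exe", "winrar.exe", "unrar.exe"}


def triage(events):
    """Return (time, label, detail) tuples for Sysmon events matching the lab's TTPs."""
    findings = []
    for ev in events:
        t = ev["time"]
        if ev["id"] == 1:  # Process Create
            if PureWindowsPath(ev["Image"]).name.lower() in ARCHIVERS:
                findings.append((t, "archive-extraction", ev["CommandLine"]))
        elif ev["id"] == 11:  # File Created
            path = PureWindowsPath(ev["TargetFilename"])
            name, parent = path.name.lower(), str(path.parent).lower()
            if name in EXPECTED_HOME and parent != EXPECTED_HOME[name]:
                findings.append((t, "T1036 Masquerading",
                                 f"{name} created outside {EXPECTED_HOME[name]}"))
            if path.suffix.lower() in (".exe", ".dll", ".sys") and \
                    any(d in parent + "\\" for d in USER_WRITABLE):
                findings.append((t, "suspicious-drop", str(path)))
        elif ev["id"] == 13:  # Registry Value Set
            target, details = ev["TargetObject"], ev["Details"]
            m = DEFENDER_START.search(target)
            if m:
                v = DWORD.search(details)
                start = int(v.group(1), 16) if v else None
                if start in (3, 4):
                    findings.append((t, "T1562.001 Impair Defenses",
                                     f"{m.group(1)} Start={start}"))
            if "\\currentversion\\run\\" in target.lower() and \
                    any(d in details.lower() for d in USER_WRITABLE):
                value_name = target.rsplit("\\", 1)[-1]
                findings.append((t, "T1547.001 Registry Run Keys",
                                 f"{value_name} -> {details}"))
    return findings


def labels(findings):
    """Distinct labels seen, handy for building the ATT&CK mapping table."""
    return sorted({f[1] for f in findings})


if __name__ == "__main__":
    for f in triage(SYSMON):
        print(f)
```

The Run-key rule keys on where the value points rather than on the value name, because names like "Windows SCR Manager" are chosen precisely to look routine; a payload path under AppData is the stable signal. Likewise the masquerading rule compares the parent directory to where the genuine file lives, which catches the fake svchost.exe and atapi.sys without needing a hash of the dropped files.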


Malware Attribution

Searching GitHub for the keylogger’s characteristics leads to the repository:

hxxps[://]github[.]com/ajayrandhawa/Keylogger

The malware author’s GitHub username is ajayrandhawa.


IOCs

Type                  Value
--------------------  ----------------------------------------------
Attacker IP           192[.]168[.]1[.]33
Malicious Archive     keylogger.rar
Dropped Executable    rundell33.exe
Dropped Executable    svchost.exe (fake)
Dropped Driver        atapi.sys
Drop Path             C:\Users\Administrator\AppData\Roaming\WPDNSE\
C2 / Attribution      hxxps[://]github[.]com/ajayrandhawa/Keylogger

MITRE ATT&CK

Technique                                              ID         Tactic
-----------------------------------------------------  ---------  -----------------
Active Scanning                                        T1595      Reconnaissance
Brute Force                                            T1110      Credential Access
Valid Accounts                                         T1078      Initial Access
Create Account                                         T1136      Persistence
Account Access Removal                                 T1531      Impact
Input Capture: Keylogging                              T1056.001  Collection
Masquerading                                           T1036      Defense Evasion
Impair Defenses: Disable or Modify Tools               T1562.001  Defense Evasion
Boot or Logon Autostart Execution: Registry Run Keys   T1547.001  Persistence

Lab Questions

Q1. Using the firewall log image on the Desktop, what MITRE ATT&CK reconnaissance technique was used?
A: active scanning, T1595

Q2. We can see from the firewall image in Q1 that the IP address 192.168.1.33 checked to see what ports were listening on the other system. What command can we use in CMD to check which ports are listening on the endpoint?
A: netstat -an

Q3. There are ports listening on the endpoint that would enable remote connection; this could potentially make the system vulnerable to intrusion. It's time to check the logs! Which protocol and port have been used by the attacker to gain access to the system?
A: ssh, 22

Q4. What user account has been accessed by the attacker?
A: administrator

Q5. What time did the attacker first gain access to this account?
A: 11/18/2022 5:14:08 PM

Q6. What MITRE ATT&CK initial access technique did the attacker use?
A: Valid Accounts, T1078

Q7. What MITRE ATT&CK credential access technique did the attacker use to gain access to the endpoint?
A: Brute Force, T1110

Q8. What account did the attacker create after gaining access?
A: sysadmin

Q9. What MITRE ATT&CK persistence technique is this?
A: Create Account, T1136

Q10. What time did the attacker add his created account to the Administrators group?
A: 11/18/2022 5:15:33 PM

Q11. What account did the attacker delete?
A: drb

Q12. What MITRE ATT&CK impact technique is this?
A: Account Access Removal, T1531

Q13. What MITRE ATT&CK detection ID applies to the attacker's actions here?
A: DS0002

Q14. What's the name of the compressed file that was extracted?
A: keylogger.rar

Q15. What MITRE ATT&CK collection technique would this file use?
A: Input Capture, T1056

Q16. What sub-technique of the previous answer would this file use?
A: Keylogging, T1056.001

Q17. What two files were created from this file extraction?
A: rundell33.exe, svchost.exe

Q18. What's the file path of the folder these two files were created in?
A: c:\users\administrator\appdata\roaming\WPDNSE

Q19. What's the name of the .sys file created by the malware?
A: atapi.sys

Q20. What time was a registry value first set by the malware?
A: 11/18/2022 5:24:18 PM

Q21. What two registry values has the malware created?
A: Windows Atapi x86_64 Driver, Windows SCR Manager

Q22. What MITRE ATT&CK persistence technique has the malware used?
A: Boot or Logon Autostart Execution, T1547.001

Q23. What sub-technique of the previous answer has the malware used?
A: Registry Run Keys / Startup Folder, T1547.001

Q24. What's the name of the user on GitHub who created this malware?
A: ajayrandhawa