
Day 4: I’m all atomic inside!

Task 1 - What was the flag found in the .txt file that is found in the same directory as the PhishingAttachment.xslm artefact?

  • Open PowerShell and run Invoke-AtomicTest T1566.001 -ShowDetails to get the details of MITRE ATT&CK technique T1566.001 (Spearphishing Attachment).
    [image: T1566.001 details]
    The test downloads 2 files; we have to find those files and analyse them using Sysmon.
  • Open Event Viewer. Go to Applications and Services Logs >> Microsoft >> Windows >> Sysmon >> Operational. It will look similar to this:
    [image: Sysmon in Event Viewer]
    (Remember the Clear Log and Refresh options on the right-hand side.)
  • Now start the attack emulation in PowerShell with the command Invoke-AtomicTest T1566.001 -TestNumbers 1
  • In Event Viewer, click Refresh. You will see some new events.
    [image: Sysmon in Event Viewer]
    (In the command line recorded in this event you can see the path where the file was stored.)
  • Navigate to C:\Users\Administrator\AppData\Local\Temp\, open the file PhishingAttachment.txt and take the flag out of it.

Answer 👉 THM{GlitchTestingForSpearphishing}

Task 2 - What ATT&CK technique ID would be our point of interest?


Reading the challenge text gives a hint for this question.

[image: TryHackMe challenge snippet]

After doing some Google searching, I found the technique.

[image: in-depth internet search]
https://attack.mitre.org/techniques/T1059/

Answer 👉 T1059

Task 3 - What ATT&CK subtechnique ID focuses on the Windows Command Shell?


Open the technique you found in the previous question. It has many sub-techniques; the one for Windows Command Shell is T1059.003.

[image: sub-techniques of T1059]

Answer 👉 T1059.003

Task 4 - What is the name of the Atomic Test to be simulated?


It's time to explore the details of technique T1059.003 with the PowerShell command Invoke-AtomicTest T1059.003 -ShowDetails. Searching the output for the malware, we can see that test number 4 relates to a piece of ransomware.

[image: test number 4 of T1059.003]

Answer 👉 Simulate BlackByte Ransomware Print Bombing

Task 5 - What is the name of the file used in the test?

  • To find the name of the file used in this test, first open the Sysmon log in Event Viewer: go to Applications and Services Logs >> Microsoft >> Windows >> Sysmon >> Operational and clear the log.
  • Now run the test in PowerShell with the command Invoke-AtomicTest T1059.003 -TestNumbers 4
    [image: running test number 4 of T1059.003]
  • Refresh the Sysmon log. In one of the events I found the name and full path of a suspicious file.
    [image: suspicious file name and full path]
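Task 1 and Task 5 follow the same pattern: run an Atomic test, then dig through the Sysmon Operational log for the file it dropped. The script below is an added example (not part of the TryHackMe room or the Atomic Red Team project) that does the same thing from PowerShell, pulling only the Sysmon FileCreate (ID 11) and ProcessCreate (ID 1) events written after the test started. It assumes Sysmon is installed with a configuration that logs event IDs 1 and 11, Invoke-AtomicTest is loaded, and the shell is elevated; the function name and the path filter are my own.

```powershell
# Added example: list Sysmon file-create / process-create events recorded
# while an Atomic test ran, so the dropped file's path can be read without
# scrolling through Event Viewer. Assumes Sysmon logs IDs 1 and 11.
function Get-AtomicDroppedFiles {
    param(
        [Parameter(Mandatory)] [string] $TechniqueId,   # e.g. 'T1566.001'
        [Parameter(Mandatory)] [int]    $TestNumber,
        [string] $Filter = 'AppData\Local\Temp'          # path fragment to look for
    )

    $start = Get-Date
    # Run the emulation exactly as in the walkthrough
    Invoke-AtomicTest $TechniqueId -TestNumbers $TestNumber | Out-Null

    # Sysmon event ID 11 = FileCreate, ID 1 = ProcessCreate
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 1, 11
        StartTime = $start
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the EventData <Data Name="..."> elements into a hashtable
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($e.Id -eq 11 -and $data.TargetFilename -like "*$Filter*") {
            [pscustomobject]@{
                Time  = $e.TimeCreated; Type = 'FileCreate'
                Image = $data.Image;    Path = $data.TargetFilename
            }
        }
        elseif ($e.Id -eq 1 -and $data.CommandLine -like "*$Filter*") {
            [pscustomobject]@{
                Time  = $e.TimeCreated; Type = 'ProcessCreate'
                Image = $data.Image;    Path = $data.CommandLine
            }
        }
    }
}

# Task 1: the attachment lands under the user's Temp directory
Get-AtomicDroppedFiles -TechniqueId 'T1566.001' -TestNumber 1 | Format-Table -AutoSize
# Task 5: BlackByte print-bombing test; filter on part of the file name instead
Get-AtomicDroppedFiles -TechniqueId 'T1059.003' -TestNumber 4 -Filter 'Ransomware' | Format-Table -AutoSize
```

If nothing comes back, check that the Sysmon configuration actually includes FileCreate rules for the Temp directory; the default config does not log every file write.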

Answer 👉 Wareville_Ransomware.txt

Task 6 - What is the flag found from this Atomic Test?


Now that we know the full path of the file, open it to get the flag.

Answer 👉 THM{R2xpdGNoIGlzIG5vdCB0aGUgZW5lbXk=}

Task 7 - Learn more about the Atomic Red Team via the linked room.


No Answer Needed