RangeForce Challenge: Windows Process Injection IR (using Splunk)

Start with the name of Allah, The most Gracious and The Most Merciful.

ZaidMessi
4 min readAug 13, 2021

Hey Folks,

In this writeup I'm publishing my walkthrough of the RangeForce challenge "Windows Process Injection IR (using Splunk)".

The challenge begins with a Windows 10 machine that has been infected by two pieces of malware. To complete it we need to identify, stop and delete both of them.
After logging in we can see that the Desktop is filled with images, and at a fixed interval a new image appears on the Desktop.
Our first task is to find out the file extension of the images that are being created.

Question :- What is the file extension of the created files?
Answer :- .jpg

The second task requires Splunk for further investigation.
Open Splunk and log in with admin:knocknock.

Search for ".jpg" in the Splunk Search & Reporting app. Splunk filters on this query and returns the matching log events.

Expand the first event and you will see the name of the process that is writing the image files to the Desktop.

Question :- Which process is creating the image files?
Answer :- spoolsv.exe

Just below it you can also see the source of that event.

Question :- Which log provider is the source of the events?
Answer :- WinEventLog:Microsoft-Windows-Sysmon/Operational

The third task is to determine the behaviour of that process.
Splunk's Pivot feature is useful here.

On the Pivot page, split the events by the EventCode field to see which Sysmon events are generated while this process is running.

Question :- What are the two most common Sysmon event IDs from the offending process?
Answer :- 3 (NetworkConnect) and 11 (FileCreate)

After identifying the event codes, the task asks us to find the parent process.
One way to find the parent process is with Sysinternals Process Explorer, which you can download from https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer (Sysmon Event ID 1, ProcessCreate, also records the ParentImage, so the same answer is available from the logs).
After downloading, run it as administrator and locate spoolsv.exe.
Right-click it and open Properties. On the Image tab you can see the parent process name.

Question :- What is the parent process?
Answer :- services.exe

Our last task for this malware is to stop it. In Process Explorer, right-click spoolsv.exe and click Kill Process Tree. Note that services.exe is the normal parent of the Print Spooler's spoolsv.exe, so what we are dealing with here is a legitimate image that has been hijacked rather than an obviously foreign binary, which fits the "process injection" theme of the challenge.

Now it is time to find the second malware.

Our first task for this part is to update the Sysmon configuration using PowerShell.
First go to "http://192.168.0.254/sysmon-cat-tracker.xml" and download the XML file.
Then open PowerShell as administrator and load the downloaded configuration with the following command (the path is wherever you saved the XML):
sysmon.exe -c "C:\Users\ContosoAdmin\Desktop\sysmon-cat-tracker.xml"

You should see the "Configuration updated" message.

Now go back to Splunk and search for ".jpg" again.
Looking at the first event, you can see that the ctfmon.exe process is now the one creating the image files.

Question :- What is the new affected process?
Answer :- ctfmon.exe

Expand the event and you can see the location where ctfmon.exe is writing the images.

Question :- Where is the second infected process writing the image files? Write the full path.
Answer :- C:\WindowsAzure\Logs

Now go to Process Explorer and find the process ID of ctfmon.exe.
In my case the process ID is 5320. Note down the ProcessId and the EventId (from Splunk); they will help with the rest of the investigation into this malware.

Our next task is to find the source of the process. For this we again run a command in PowerShell, matching the noted ProcessId against the message text of the Sysmon events (note that 'ProcessId: <pid>' also matches 'ParentProcessId: <pid>', so any children spawned by the process are returned as well):
command :-
$targetPid = 5320   # the ProcessId noted from Process Explorer
(Get-WinEvent -LogName Microsoft-Windows-Sysmon/Operational | Where-Object { $_.Message -match "ProcessId: $targetPid" }).Message

Question :- What is the name of the source script?
Answer :- cats.bat
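The same pivot, parent lookup and source-script hunt can be done entirely from the Sysmon channel, without Splunk or Process Explorer. The following is an added example written for this writeup, not code from RangeForce or the original author; it assumes Sysmon is installed with its default channel name and that the session can read the Operational log. Instead of regex-matching the rendered message it parses each event's XML, so field names such as ParentImage and TargetFilename are available directly.

```powershell
# Added example (not part of the original writeup): profile one process image from
# the Sysmon log. Assumes Sysmon is installed and the user can read its channel.

function Get-SysmonEventFields {
    param([Parameter(Mandatory)][System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Sysmon stores every field under EventData/Data with a Name attribute,
    # which is more reliable to query than the free-text Message property.
    $xml = [xml]$Event.ToXml()
    $fields = @{ EventId = $Event.Id; Time = $Event.TimeCreated }
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]$fields
}

function Get-SysmonProcessProfile {
    param(
        [Parameter(Mandatory)][string]$ImageName,   # e.g. spoolsv.exe or ctfmon.exe
        [int]$MaxEvents = 5000                      # newest N events; raise for a busy host
    )
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational' } `
                           -MaxEvents $MaxEvents -ErrorAction Stop |
        ForEach-Object { Get-SysmonEventFields -Event $_ } |
        Where-Object { $_.Image -and ($_.Image -like "*\$ImageName") }

    # Equivalent of the Splunk pivot on EventCode: which event IDs does this image generate?
    $counts = $events | Group-Object EventId | Sort-Object Count -Descending |
        Select-Object @{ n = 'EventId'; e = { [int]$_.Name } }, Count

    # Event ID 1 (ProcessCreate) records the parent image and both command lines,
    # so the parent process and any launching script show up here.
    $creates = $events | Where-Object EventId -eq 1 |
        Select-Object Time, ProcessId, ParentProcessId, ParentImage, ParentCommandLine, CommandLine

    # Event ID 11 (FileCreate) tells us which directories the process is writing into.
    $writeDirs = $events | Where-Object EventId -eq 11 |
        Group-Object { Split-Path $_.TargetFilename -Parent } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Directory'; e = { $_.Name } }, Count

    # Event ID 3 (NetworkConnect) gives the remote endpoints the process talked to.
    $net = $events | Where-Object EventId -eq 3 |
        Select-Object DestinationIp, DestinationPort -Unique

    [pscustomobject]@{
        Image            = $ImageName
        EventCounts      = $counts
        ProcessCreates   = $creates
        WriteDirectories = $writeDirs
        NetworkTargets   = $net
    }
}

# Usage, for the two processes from this challenge:
Get-SysmonProcessProfile -ImageName 'spoolsv.exe' | Format-List
Get-SysmonProcessProfile -ImageName 'ctfmon.exe'  | Format-List
```

For ctfmon.exe the ParentCommandLine in ProcessCreates is where a launching batch file would appear, and WriteDirectories is the log-based answer to "where is it writing the images". A hijacked system binary such as spoolsv.exe will still show its legitimate parent (services.exe) in ProcessCreates, which is why the event counts and network targets matter more than the parent alone when the image itself is trusted.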

After finding the source of the malware we can open cats.bat and read its contents.

Question :- What is the name of the script referenced by cats.bat?
Answer :- get-catz.ps1

Question :- What is the source IP of the script?
Answer :- 192.168.0.254

So we have successfully gathered all the information about ctfmon.exe. The last task is to stop the process from Process Explorer and delete it.

Thank you very much :)
