Cyber Polygon Part 1 - Forensic Analysis CTF
Intro
This is the first in a two-part series on a forensic CTF hosted by CyberDefenders.org. The objective is to answer a series of typical incident response questions surrounding a malware infection.
You are provided with the following files to aid in your analysis:
- memory dump
- partial registry dump
- copy of the NTFS $MFT
- 2x packet captures
- Windows event logs (evtx)
Walkthrough
1) What is the build number (in the format ddddd, where each d is a single decimal number, for example - 12345) of the installed Windows version?
python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem imageinfo
Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)
AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
AS Layer2 : FileAddressSpace (/Users/apdavies03/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem)
PAE type : No PAE
DTB : 0x1aa002L
KDBG : 0xf8002003a520L
Number of Processors : 2
Image Type (Service Pack) : 0
KPCR for CPU 0 : 0xfffff8001ed49000L
KPCR for CPU 1 : 0xffff9c01cb3e0000L
KUSER_SHARED_DATA : 0xfffff78000000000L
Image date and time : 2020-06-20 19:48:43 UTC+0000
Image local date and time : 2020-06-20 12:48:43 -0700
Going forward, we need to pass the following profile to every vol.py command so that it parses the memory image correctly:
--profile=Win10x64_17134
Answer:
17134
2) What is the parent process PID of the process, that accepts incoming network connections on the port 1900/UDP?
$ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 netscan
...
0xcd83ffc3a2f0 UDPv6 ::1:1900 *:* 4688 svchost.exe 2020-06-20 18:36:22 UTC+0000
But we are after the parent of 4688:
python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 pstree > ps.txt
grep 4688 ps.txt
.. 0xffffcd83ffc5c580:svchost.exe 4688 648 6 0 2020-06-20 18:36:22 UTC+0000
Answer:
648
3) What is the IP address of the attacker command and control center, the connection with which was still active at the time of forensic artifacts acquisition?
From the netscan output, we are looking for established connections to foreign IPs:
0xcd840169d2f0 TCPv4 192.168.184.130:50133 196.6.112.70:443 ESTABLISHED -1
Answer:
196.6.112.70
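Questions 2 and 3 are both joins over the netscan and pstree output. As an added example (not part of the original walkthrough), the following script parses the lines quoted above and automates both lookups; the sample rows are copied from this page, and the handling of the missing State column on UDP rows is what usually trips up a naive split.

```python
import ipaddress
import re
# Constructed sample rows in the layout of Volatility 2 netscan / pstree output,
# copied from the lines quoted in this walkthrough (not the full plugin output).
NETSCAN = """\
0xcd83ffc3a2f0 UDPv6 ::1:1900 *:* 4688 svchost.exe 2020-06-20 18:36:22 UTC+0000
0xcd840169d2f0 TCPv4 192.168.184.130:50133 196.6.112.70:443 ESTABLISHED -1
0xcd83fec7f700 TCPv4 192.168.184.130:50368 192.168.184.100:445 ESTABLISHED -1
"""
PSTREE = """\
.. 0xffffcd83ffc5c580:svchost.exe 4688 648 6 0 2020-06-20 18:36:22 UTC+0000
 0xffffcd840106d580:winlogon.exe 3232 6064 7 0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd83fecff080:dwm.exe 8100 3232 11 0 2020-06-20 19:28:44 UTC+0000
"""
# Leading dots are only tree depth; capture image name, pid, ppid.
PSTREE_RE = re.compile(r"^\.*\s*0x[0-9a-fA-F]+:(\S+)\s+(\d+)\s+(\d+)")

def parse_netscan(text):
    """Split netscan rows; UDP rows have no State column, so the PID shifts left."""
    rows = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or not t[0].startswith("0x"):
            continue
        udp = t[1].startswith("UDP")
        rows.append({"proto": t[1], "local": t[2], "foreign": t[3],
                     "state": "" if udp else t[4], "pid": int(t[4 if udp else 5])})
    return rows

def parse_pstree(text):
    """Map pid -> (image name, parent pid)."""
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line)
        if m:
            procs[int(m.group(2))] = (m.group(1), int(m.group(3)))
    return procs

def parent_pid_for_port(netscan, pstree, port, proto="UDP"):
    """Question 2: parent PID of the process bound to local <port>/<proto>."""
    procs = parse_pstree(pstree)
    for row in parse_netscan(netscan):
        if row["proto"].startswith(proto) and row["local"].rsplit(":", 1)[1] == str(port):
            return procs.get(row["pid"], (None, None))[1]
    return None

def established_external(netscan):
    """Question 3: ESTABLISHED peers that are not RFC 1918 / loopback addresses."""
    peers = [r["foreign"].rsplit(":", 1)[0] for r in parse_netscan(netscan)
             if r["state"] == "ESTABLISHED"]
    return [p for p in peers if not ipaddress.ip_address(p).is_private]
```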
4) What is the PID of the process where malicious code was located at the moment of forensic artifacts acquisition?
$ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 pstree
0xffffcd840106d580:winlogon.exe 3232 6064 7 0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd84012a84c0:cmd.exe 5224 3232 0 ------ 2020-06-20 19:29:54 UTC+0000
. 0xffffcd8401109580:fontdrvhost.ex 4852 3232 5 0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd83ffef2580:userinit.exe 1748 3232 0 ------ 2020-06-20 19:28:55 UTC+0000
...
... 0xffffcd84020d0580:powershell.exe 9188 5472 12 0 2020-06-20 19:38:52 UTC+0000
.... 0xffffcd84020e9580:conhost.exe 9204 9188 5 0 2020-06-20 19:38:52 UTC+0000
... 0xffffcd8401779580:MSASCuiL.exe 1012 5472 3 0 2020-06-20 19:29:09 UTC+0000
... 0xffffcd84005de580:WINWORD.EXE 7312 5472 0 ------ 2020-06-20 19:47:01 UTC+0000
... 0xffffcd84010ba080:OneDrive.exe 4572 5472 24 0 2020-06-20 19:29:12 UTC+0000
... 0xffffcd83fe8b2580:vmtoolsd.exe 6624 5472 9 0 2020-06-20 19:29:10 UTC+0000
. 0xffffcd83febcf580:cmd.exe 3928 3232 0 ------ 2020-06-20 19:34:27 UTC+0000
. 0xffffcd8400e37080:cmd.exe 288 3232 0 ------ 2020-06-20 19:33:00 UTC+0000
. 0xffffcd83fecff080:dwm.exe 8100 3232 11 0 2020-06-20 19:28:44 UTC+0000
Answer:
3232
5) On a compromised system, the malicious code discovered in the previous step is launched at every system start, since the attacker has used one of the persistence techniques. So, what is the name of the autostart entry (the part that is directly responsible for code execution) used by the attacker for persistence?
Use the WMI-Activity/Operational event log and search for the malware path to identify the autostart entry (Event ID 5861).
To make this question even easier, we even patched and made a pull request to SANS DeepBlueCLI.
Answer:
LogRotate Consumer
6) The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process discussed in question 4. This code is extracted by the script from some system location in encoded form. The decoded value of this string is an executable PE file. How did Microsoft Antivirus detect this file on 2020-06-21?
Easy enough once you have answered question 8: upload the sample's hash to VirusTotal.
Answer:
Trojan:Win64/Meterpreter.E
7) The process mentioned in question 4 isn't the initial process where the malicious code described in the previous question was executed by the autostart script. What is the name of the initial process (in the format program.exe) that is spawned by the autostart script and used for further malicious code execution, which subsequently migrates to the address space of the process mentioned in question 4?
Look back at the pstree (process tree) output from earlier:
. 0xffffcd83fecff080:dwm.exe 8100 3232 11 0 2020-06-20 19:28:44 UTC+0000
Answer:
dwm.exe
8) The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process discussed in question 4. This script (described in question 6) was downloaded to the compromised system from the Internet during the host compromise. Provide the URL that was used to download it.
This was more difficult. First we dumped the memory of the child PowerShell processes (knowing the loader was a PowerShell script in memory), then we grepped the strings for odd-looking URLs (replace <pid> with the PID of the dumped process):
strings <pid>.dmp | egrep "https://...\..................\..../.*"
...
Answer:
https://raw.githubusercontent.com/xia33F/APT/master/payloads/wrapper_page
9) The system was compromised as the result of a Microsoft Office document opening, received by email. What is MD5 hash of this document (for example, d41d8cd98f00b204e9800998ecf8427e)?
For this challenge, we utilised Wireshark, applied the filter “SMTP”, and traversed all the SMTP streams until we found several attachments (Word document, zip file, PDF) as base64-encoded attachments. Simply copy and paste the base64 text to a file, base64-decode it, check the file type and further unwrap the containers:
base64 -d b64_file > filedecoded
file filedecoded
ZIP
mv filedecoded filedecoded.zip
unzip filedecoded.zip
Why Saudi Arabia Will Lose The Next Oil Price War.docx
md5 "Why Saudi Arabia Will Lose The Next Oil Price War.docx"
Answer:
aa7ee7f712780aebe9136cabc24bf875
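The manual copy/decode/unzip/md5 chain above is error-prone when a mail carries several attachments. As an added example (not part of the original walkthrough), this script does the same thing programmatically: it base64-decodes every attachment of an RFC 822 message, descends through plain zip containers, but stops at OOXML files so the .docx itself is hashed rather than its inner XML. The mail it builds is constructed test data, not the CTF pcap.

```python
import hashlib, io, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes of the containers this walkthrough had to unwrap (stand-in for `file`).
MAGIC = {b"PK\x03\x04": "zip", b"%PDF": "pdf", b"\xd0\xcf\x11\xe0": "ole"}

def sniff(data):
    return next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")

def attachments(raw_mail):
    """Yield (filename, decoded bytes) for each attachment; base64 is undone here."""
    msg = message_from_bytes(raw_mail, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename(), part.get_payload(decode=True)

def unwrap(data, name):
    """Recurse into plain zip containers but stop at OOXML (.docx is itself a zip)."""
    kind = sniff(data)
    if kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            if "[Content_Types].xml" in z.namelist():
                kind = "ooxml"          # an Office document: hash it whole
            else:
                out = {}
                for info in z.infolist():
                    if not info.is_dir():
                        out.update(unwrap(z.read(info), f"{name}/{info.filename}"))
                return out
    return {name: (kind, hashlib.md5(data).hexdigest())}

def hash_mail_attachments(raw_mail):
    """Question 9 in one call: {path inside the mail: (type, md5)} for every leaf file."""
    out = {}
    for fn, data in attachments(raw_mail):
        out.update(unwrap(data, fn))
    return out

def build_sample():
    """Constructed test mail (not from the CTF pcap): a zip wrapping a minimal fake .docx.
    Returns the raw mail and the md5 the analysis is expected to report."""
    docx = io.BytesIO()
    with zipfile.ZipFile(docx, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Why Saudi Arabia Will Lose The Next Oil Price War.docx", docx.getvalue())
    msg = EmailMessage()
    msg.set_content("see attached")
    msg.add_attachment(outer.getvalue(), maintype="application", subtype="zip", filename="report.zip")
    return msg.as_bytes(), hashlib.md5(docx.getvalue()).hexdigest()
```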
10) The document, that was initially opened by user, didn’t contain anything malicious itself. It downloaded another document from the Internet as a Microsoft Word template. Malicious code, which has led to the system compromise, is located inside this template directly. What link was used by the first document to download the second document as a template (for example, https://address/file.com)?
Open the document in a sandbox or inspect it with Didier Stevens' oletools:
Answer:
http://75.19.45.11/Supplement.dotm
11) During the post-exploitation attacker delivered to the compromised host a special Active Directory Enumeration utility. Which link did the attacker use to download this utility (for example, https://address/file.com)?
Using the MITRE ATT&CK matrix, a common tool for this is certutil. There are two ways to attack this question:
- 1) Look at the pcap (traffic_2.pcapng) with the HTTP filter and look for the following user agent:
Useragent "Microsoft-CryptoAPI/10.0" (http.user_agent == "Microsoft-CryptoAPI/10.0"). Follow the stream (tcp.stream eq 102) and note the destination IP/URL.
- 2) Carve the PowerShell process memory dump for certutil:
$ strings 3232.dmp | grep certutil
4certutil -decode %tmp%\disco.jpg:sh %tmp%\sh.exe
From the open (netscan) connections we know the IP is 196.6.112.70.
Answer:
http://196.6.112.70/disco.jpg
12) As described in the previous question utility has created several files in the compromised system, that subsequently were deleted by an attacker. One of the created files had a bin extension. What is the name of this file (for example, name.bin)?
Two ways to do this:
- 1) Parse the MFT with analyzeMFT and grep for .bin files:
virtualenv -p /opt/local/bin/python2.7 venv
source venv/bin/activate
python ./setup.py build
python ./setup.py install
python ./analyzeMFT.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/\$MFT.copy0 -o dump.csv
grep -v -i microsoft dump.csv | grep ".bin"
...
2020-06-20|19:31:38.501654|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/Windows/Temp/ODNhN2YwNWUtYWFmYy00MDVmLWFhYTQtNGMzM2Q3NmYwMWM4.bin|desc|version|/Windows/Temp/ODNhN2YwNWUtYWFmYy00MDVmLWFhYTQtNGMzM2Q3NmYwMWM4.bin|7||format|extra
- 2) Analyse the prefetch files with PECmd.exe
On Windows:
PECMD -f Prefetch\SH.EXE-89D7F45B.pf
...
113: \VOLUME{... \TEMP\ODNHN2YWNWUTYWFMYY00MDVMLWFHYTQTNGMZM2Q3NMYWMWM4.BIN
Answer:
ODNHN2YWNWUTYWFMYY00MDVMLWFHYTQTNGMZM2Q3NMYWMWM4.BIN
13) During the post-exploitation attacker has compromised a privileged user account. What is its password?
python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 hashdump > hashes.txt
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:63424d100a5717b0661f84ae789b82bd:34103925bb9f07248d0b3d3df50c9d4c:::
Guest:501:eddee9c278b95cf3880300ca22eddda0:06adfd21dc6db22b5ef3743b1b8c022b:::
DefaultAccount:503:3ac68f2d31f869d98fa5db8b9c405af1:b80c069e17138971f4d183f9d575ccb4:::
WDAGUtilityAccount:504:8c1c4c3110d3075c5e1b33fc5e3b30f0:899aa6ec601d70d34fb994c27ed93123:::
John Goldberg:1001:7d80c4bfe8857c6ec676aa3577e89e68:f7b1dce8a4445aea38d6a735ae0bf754:::
backupsrv:1003:291f7bc51dde8a64063b565c68579d95:0e651bf56065b19f5783bb59ad6e8bfc:::
Then use your password cracking tool of choice, or look the hashes up in an online database of cracked hashes; we used https://crackstation.net/.
Answer:
!!feb15th2k6!!
14) What is the name of the tool (for example, program.exe), that probably was used by an attacker to compromise the user account?
Since we know the PowerShell script reads its payload from a registry value, we can assume the attacker used the following tool:
Answer:
reg.exe
15) The attacker used a compromised account for unauthorized Domain Controller access. What is the IP address of this Domain Controller?
Again, two ways to do this:
- 1) Wireshark with the SMB filter (traffic_2.pcapng)
- 2) Use Volatility: as we know the workstation is domain joined, there is likely an established connection over SMB (445):
$ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 netscan | grep 192.168.184.100
0xcd83fec7f700 TCPv4 192.168.184.130:50368 192.168.184.100:445 ESTABLISHED -1
Answer:
192.168.184.100
Tools
Here is the list of tools used in our analysis:
- Volatility 2 Python2.7 version
- Volatility-autoruns
- Volatility-Winesap
- PECmd.exe
- analyzeMFT
- Wireshark
- DeepBlueCLI