CyberDefenders: Hunter

The SOC team got an alert regarding some illegal port scanning activity coming from an employee's system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and that it is probably malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user's system to perform some investigations. There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond port scanning! It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him! Your objective is to analyze the image and to either confirm or deny this theory.

Information

Category Name: Hunter

Files:  c16-Hunter.zip 623.6 MB
–> Contains Hunter.ad1 636.2 MB

My Recommendations

This is my personal preference; I like being organized and deleting a folder when I'm done with it.

mkdir Documents/CyberDefenders/Hunter && cd Documents/CyberDefenders/Hunter

Download it from CyberDefenders and verify the file with sha1sum:

sha1sum /path/to/c16-Hunter.zip

SHA1: 88a22f6ad6d140c9151e6983b894c6eb6c64735d

Then extract it with the provided password.

Run FTK Imager (installed under Wine) with:

wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'

Select "Add Evidence Item" and choose Hunter.ad1. Then select the root node, click "Export Files" and choose the working directory as the export destination. I recommend renaming the exported folder to make it more CLI-friendly:

mv '[root]' root

Walkthrough

1. What is the computer name of the suspect machine?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SYSTEM -p compname

Answer: 4ORENSICS

2. What is the computer IP?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SYSTEM -p ips

Answer: 10.0.2.15

3. What was the DHCP LeaseObtainedTime?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SOFTWARE -p networklist

The key's LastWrite time is the LeaseObtained time:

Answer: 21/06/2016 02:24:12 UTC

4. What is the computer SID?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SAM -p samparse

The last three or four digits are the RID, which uniquely identifies the user; the value before it is the computer SID.

Answer: S-1-5-21-2489440558-2754304563-710705792

5. What is the Operating System(OS) version?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SOFTWARE -p winver

Answer: 8.1

6. What was the computer timezone?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SYSTEM -p timezone

The timezone is Pacific Standard Time (UTC-08:00 in standard time). The bias has to be read with daylight saving time in mind: the original acquisition appears to date from around July 2016, when daylight saving time was in effect, so the effective offset is one hour less.

Answer:  UTC-07:00

7. How many times did this user log on to the computer?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SAM -p samparse | grep Hunter -A 10

Answer: 3

8. When was the last login time for the discovered account?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SAM -p samparse

Answer:  2016-06-21 01:42:40

9. There was a “Network Scanner” running on this computer, what was it?

And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

Listing Hunter's user directory shows a '.zenmap' folder. It is the only network-scanner related folder with evidence of user execution, so the network scanner is zenmap.exe.

To find the exact time it was last executed, we need to look at prefetch files. Using prefetchruncounts:

prefetchruncounts.py root/Windows/Prefetch
cat Prefetch_run_count.csv | grep -i zenmap

The first value is 'last_run_time', which is 2016-06-21 12:08:13.

Answer: zenmap.exe,2016-06-21 12:08:13 UTC

10. When did the port scan end?

(Example: Sat Jan 23 hh:mm:ss 2016)

Looking at the nmapscan.xml file with xmldump.py:

xmldump.py pretty root/Users/Hunter/Desktop/nmapscan.xml

On the last line, the value for ‘finished timestr’ is the time the scan ended.

Answer:  Tue Jun 21 05:12:09 2016

11. How many ports were scanned?

Looking at the nmapscan.xml file with xmldump.py and grepping for ports:

xmldump.py pretty root/Users/Hunter/Desktop/nmapscan.xml | grep -i ports

Zenmap scanned 1000 ports in total.

Answer: 1000

12. What ports were found "open"?(comma-separated, ascending)

Looking at the nmapscan.xml file and grepping for open:

xmldump.py pretty root/Users/Hunter/Desktop/nmapscan.xml | grep -i open

Four ports were open: ssh (22), http (80), nping-echo (9929) and ssl/ncat-chat (31337).

Answer: 22,80,9929,31337

13. What was the version of the network scanner running on this computer?

Looking at the nmapscan.xml file and grepping for version:

xmldump.py pretty root/Users/Hunter/Desktop/nmapscan.xml | grep -i version

Answer: 7.12
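Questions 10 to 13 all come out of nmapscan.xml, and grepping works because nmap's XML schema is regular: the scanner version sits on the nmaprun element, the end time on runstats/finished, and each host's ports element lists the interesting ports individually while rolling the rest up into extraports counts (so "ports scanned" is the sum of both, not just the number of port elements). The parser below is an added example, not code from the writeup or from the challenge; it runs over a constructed sample in nmap's format, with a documentation-range target address, that mirrors the values the writeup greps for.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's XML output format (not the challenge's
# nmapscan.xml); the target address is a documentation-range placeholder.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.0.2.10" start="1466507500"
         startstr="Tue Jun 21 05:11:40 2016" version="7.12" xmloutputversion="1.04">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<extraports state="closed" count="996"/>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="9929"><state state="open"/><service name="nping-echo"/></port>
<port protocol="tcp" portid="31337"><state state="open"/><service name="ncat-chat" tunnel="ssl"/></port>
</ports>
</host>
<runstats><finished time="1466507529" timestr="Tue Jun 21 05:12:09 2016" elapsed="29.00"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""


def summarize_nmap_xml(xml_text):
    """Extract what the writeup pulls from nmapscan.xml with grep:
    scanner version, scan end time, ports scanned and open ports per host."""
    root = ET.fromstring(xml_text)
    finished = root.find("runstats/finished")
    summary = {
        "version": root.get("version"),
        "finished": finished.get("timestr") if finished is not None else None,
        "hosts": [],
    }
    for host in root.findall("host"):
        addr = host.find("address").get("addr")
        ports = host.find("ports")
        listed = ports.findall("port") if ports is not None else []
        # nmap lists a port individually only when it is interesting; the rest
        # are rolled up in <extraports count="..."/>, so the total is both.
        extra = sum(int(e.get("count")) for e in ports.findall("extraports")) if ports is not None else 0
        open_ports = sorted(int(p.get("portid")) for p in listed
                            if p.find("state").get("state") == "open")
        summary["hosts"].append({"addr": addr,
                                 "ports_scanned": len(listed) + extra,
                                 "open": open_ports})
    return summary


if __name__ == "__main__":
    print(summarize_nmap_xml(SAMPLE_NMAP_XML))
```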

14. The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

The Skype database is called 'main.db'; we can use find to locate and copy it:

find . -name 'main.db' -exec cp "{}" . \;
sqlitebrowser main.db

Going into the table ‘Messages’, the only user hunterehpt had a conversation with is linux-rul3z.

Answer: linux-rul3z


15. What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

In the same table as above, linux-rul3z asks Hunter to install TeamViewer (message id 725).

Answer: Teamviewer

16. What is the Gmail email address of the suspect employee?

In the Accounts table of main.db, there is only one entry. The column email has the employee’s email, which is: ehptmsgs@gmail.com

Answer: ehptmsgs@gmail.com

17. It looks like the suspect user deleted an important diagram after his conversation with the external attacker.

What is the file name of the deleted diagram?

When we examined the 'main.db' database and looked at the messages between linux-rul3z and Hunter, there were references to pictures sent by email.

We can check whether a PST or OST file exists by running:

mkdir backup
find root/ \( -name "*.ost" -o -name "*.pst" \) -exec cp "{}" backup \;
# the parentheses make -exec apply to both patterns, not only to "*.pst"
readpst -S -o backup/ backup/backup.pst

Now we can try to find pictures in the backup directory, where we extracted the PST file:

find backup -name "*.jpg" -o -name "*.png" -o -name "*.jpeg"

The only file that doesn’t exist in Hunter’s User directory is ‘home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg’.

Answer: home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg

18. The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

Finding potential files:

ls -la root/Users/Hunter/Documents | grep pdf

There are multiple filenames that refer to 'exfiltration'. The only file that actually discusses exfiltration techniques is Ryan VanAntwerp's thesis:

Answer: Ryan_VanAntwerp_thesis.pdf

19. What was the name of the Disk Encryption application Installed on the victim system?

(two words space separated)

The only program installed is BCWipe, in the 'Program Files (x86)/Jetico' directory. In the UnInstall.log file, there is a reference to 'Crypto Swap':

cat 'root/Program Files (x86)/Jetico/BCWipe/UnInstall.log'

This record can also be found in the Prefetch_strings.csv file:

cat Prefetch_strings.csv | grep -i crypto

Answer: Crypto Swap


20. What are the serial numbers of the two identified USB storage?

Using RegRipper:

rip.pl -r root/Windows/System32/config/SYSTEM -p usbdevices

Answer: 07B20C03C80830A9,AAI6UXDKZDV8E9OU

21. One of the installed applications is a file shredder. What is the name of the application?

(two words space separated)

The only folder in ‘Program Files (x86)’ is Jetico. Jetico has a product called BCWipe for data wiping.

Grepping for BCWipe in the Jetico directory returns many matches. We can also double-check which Jetico software is installed by listing the Prefetch directory and grepping for BCWipe:

ls -la root/Windows/Prefetch | grep -i bcwipe

Answer: Jetico BCWipe

22. How many prefetch files were discovered on the system?

Using the previous CSV output of PrefetchRunCounts:

cat Prefetch_run_count.csv | wc -l
#returns 175

The first line contains the column names, so the total number of prefetch files is 175 - 1 = 174.

Answer: 174

23. How many times was the file shredder application executed?

Using PrefetchRunCounts:

cat Prefetch_run_count.csv | grep -i 'bcwipe'

The executable is BCWIPE.EXE, and it was executed five times.

Answer: 5

24. Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Using PrefetchRunCounts:

cat Prefetch_run_count.csv | grep -i 'zenmap'

The first value is ‘last_run_time’, and it’s 2016-06-21 12:08:13.

Answer: 06/21/2016 12:08:13 PM

25. A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

Using the Prefetch_strings.csv output of PrefetchRunCounts:

cat Prefetch_strings.csv | grep -i jar

The JAR file in question, an offensive traffic manipulation tool, is Burp Suite. Prefetch shows that it's located in Hunter's Downloads directory.

To double-check the path we can run:

find root/ -name "*.jar"

Answer: C:\Users\Hunter\Downloads\Burpsuite_free_v1.7.03.jar

26. The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

We can grep for 'pictures' in the backup directory, where we extracted the PST file:

grep -r -s -i 'pictures' backup/

As we can see, the string occurring in the emails is 'Attached is a 7z archive of some of the pictures I told you about', which relates to the message in main.db. The readpst option we used, -S, means 'attachments for message $m are saved as $m-$name'. So we can list the parent directory of the matching messages to see if there are related attachments:

ls -la 'backup/Outlook Data File/Inbox/'
#returns no attachments
ls -la 'backup/Outlook Data File/[Gmail]/Important/'

An attachment called '4-Pictures.7z' was extracted as part of message 4. If we print message 4, the email which contains the attachment, we can see that it is a conversation between linux-rul3z and Hunter's employee email address.

Answer: Pictures.7z

27. Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

Using RegRipper, after finding the path to UsrClass.dat, from which RegRipper retrieves Shellbag information:

find root/Users/Hunter -iname "USRCLASS.DAT"
#returns root/Users/Hunter/AppData/Local/Microsoft/Windows/UsrClass.dat
rip.pl -r root/Users/Hunter/AppData/Local/Microsoft/Windows/UsrClass.dat -p shellbags

In the Resource 'column', there is an entry for 'My Computer\C:\Users\Hunter\Pictures\Exfil [Desktop\1\0\1\0\8\0\]' whose parent directory matches the archive's name, 'Pictures.7z'.

Answer: C:\Users\Hunter\Pictures\Exfil

28. The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

Bash one-liner with exiftool:

find root/'$Recycle.Bin' -name "*.jpg" -exec exiftool "{}" \; | grep '1920' -B 20

The deleted file in question is '$RP3TBNW.jpg'. There is no associated $I file, which stores the metadata of the file. First, we should open it to get an idea of what to look for:

It's a picture of a kitten. Now we just need to find where Hunter might have "*.jpg" files:

find root/Users/Hunter -name "*.jpg"

In Hunter’s Pictures directory, there is a folder named ‘Private’ containing various jpg files with kitten associated filenames. One of the filenames is called ‘ws_Small_cute_kitty_1920x1200.jpg’, matching the resolution of the file in the recycle bin. Opening the file:

It’s the same kitten as the file in the recycle bin.

Answer: ws_Small_cute_kitty_1920x1200.jpg
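Had the $I record for $RP3TBNW.jpg survived (it would be named $IP3TBNW.jpg, since the $I and $R files share the same suffix), the original filename could have been read straight from it instead of matching the kitten by resolution. The parser below is an added example, not code from the writeup; it handles both the fixed-length version 1 layout used by Vista through 8.1 (the OS in this image) and the length-prefixed version 2 layout of Windows 10, and runs on a constructed record whose path and deletion time are made up to fit the scenario.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """A FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_recycle_bin_i_file(data):
    """Parse a $I metadata record from $Recycle.Bin.

    Version 1 (Vista to 8.1): 8-byte version, 8-byte original size, 8-byte
    FILETIME deletion time, then a fixed 520-byte UTF-16LE original path.
    Version 2 (Windows 10): same header, but a 4-byte character count
    precedes a variable-length UTF-16LE path."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
        path = raw.decode("utf-16-le").split("\x00", 1)[0]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
        path = raw.decode("utf-16-le").rstrip("\x00")
    else:
        raise ValueError("unknown $I version %d" % version)
    return {"version": version, "size": size,
            "deleted": filetime_to_datetime(ft), "path": path}


def build_v1_i_file(path, size, deleted):
    """Build a version-1 $I record; used here only to construct sample input."""
    ft = ((deleted - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<QQQ", 1, size, ft) + path.encode("utf-16-le").ljust(520, b"\x00")


# Constructed sample (not a record from the challenge image): the original
# path and deletion time are made up to match the writeup's scenario.
SAMPLE_I = build_v1_i_file(
    r"C:\Users\Hunter\Pictures\Private\ws_Small_cute_kitty_1920x1200.jpg",
    524288, datetime(2016, 6, 21, 12, 30, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    rec = parse_recycle_bin_i_file(SAMPLE_I)
    print("%s deleted at %s (%d bytes)" % (rec["path"], rec["deleted"], rec["size"]))
```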

29. Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

Jump lists items are stored as “*.automaticDestinations-ms” files and can be found in ‘Users/(username)/AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations’.

Answer: AutomaticDestinations

30. Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.

Since Jump List files are named (AppID).customDestinations-ms or (AppID).automaticDestinations-ms, we can try to find matching filenames:

find . -name "aa28770954eaeaaa*"
#returns ./root/Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/aa28770954eaeaaa.customDestinations-ms
strings ./root/Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/aa28770954eaeaaa.customDestinations-ms

The file path is C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe. We can double-check that it exists with:

ls -la root/Users/Hunter/Desktop/'Tor Browser'/Browser/firefox.exe
#returns the path

Answer: C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe

TLDR

– This is a very interesting scenario of a Windows machine that was the victim of data exfiltration.

RegRipper, prefetch_run_counts and readpst are the best tools for the challenge.
