August 13, 2024
In this challenge we will be analyzing Sysmon Logs and a PCAP to uncover the actions taken by a threat actor throughout several stages of the Cyber Kill Chain.
In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.
As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:
We’ll prepare by parsing the event logs with EvtxECmd.
The command syntax is EvtxECmd.exe -f <filename> --csv <output directory> --csvf <output filename>
EvtxECmd.exe -f <filename> --csv <output directory> --csvf <output filename>
Note: For this challenge, EvtxECmd.exe is located in C:\Tools\EvtxECmd, you will need to navigate to this path or provide the full path when executing the command
We’ll parse both logs now so that we’re ready for analysis later.
The user of this machine was compromised by a malicious document. What is the file name of the document?
We were provided with some significant starting points in our briefing.
We were told that the malicious document has a .doc extension, was downloaded by Chrome, and executed commands. We will use this information to track down the document and start our investigation.
With the parsed Sysmon logs opened in Timeline Explorer, we can filter for file creation events originating from Chrome.
To do this, we’ll filter for the Sysmon EventID 11 and Images containing Chrome. Note: These are columns Event Id and Payload Data3 respectively.
Only two events match our filters, and one of them is the Zone.Identifier for a .doc file.
What is the name of the compromised user and machine?
Format: username-machine name
The Username and Machine name are present in our current filtered, results.
What is the PID of the Microsoft Word process that opened the malicious document?
To find the PID, we will filter for EventID 1 (process creation) and filter for the executable name winword.
With our filters in place, there is only one result.
We can find the PID in the Payload Data1 column
Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
Sysmon Event ID 22 logs DNS Queries. We can use this event code, in combination with the PID, to discover domains queried by the process and what the responses were.
We’ll filter for Event ID 22 and PID 496.
The results show queries for office.com domains and a suspicious phishteam.xyz domain.
What is the base64 encoded string in the malicious payload executed by the document?
We’ll pivot now and search for process creations that are the children of the Word process we discovered earlier.
To do this, we’ll set the Event ID to 1 and the parent process ID to 496.
In our results, we can see one very long and obfuscated command.
Decoding the base64 reveals a command to download, extract, and remove a zip file into the startup directory.
What is the CVE number of the exploit used by the attacker to achieve a remote code execution?
The malicious code is leveraging msdt.exe via a malicious document. By researching this combination we can discover the CVE in question.
The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?
We discovered the path and filename in Q6, but we can confirm it by filtering for Event ID 11 and filenames that contain zip.
As expected, the zip file was created in the Startup directory.
The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?
Knowing that Autostart process execution reflects Explorer.exe as its parent process, we can filter for process creation events started by Explorer.
Within the results, we can see powershell execution including the previously discovered malicious domain and another executable.
Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?
We know this executable was saved in the Downloads directory as first.exe, so we’ll filter for processes containing this name.
The results show various stages of the previously discovered command. We want the hash of the executable, so we’ll be looking at the entry that represents that event.
Stages of command executionHashes
The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?
With this new process discovered, we’ll pivot by using its PID to discover more about its behavior.
The results for the PID reveal multiple network connections (Event ID 3) and DNS requests (Event ID 22)
We can see the IP address resolved for these connections/queries was 167.71.222.162 and the domain was resolvecyber.xyz.
To discover the port we can use Wireshark and filter for this IP address.
We can see that the communications are going to port 80, but we’ll check for any other ports used by going to wireshark’s Conversations statistics. Note: Be sure to check the “Limit to display filter” box.
We can see that the communications were on port 80 and 8080, but for now, we’re only concerned with port 80.
We could further confirm that it is port 80 by comparing the timestamps of execution to the timestamps of the packets.
What is the URL of the malicious payload embedded in the document?
We can determine this by finding the first URL, hosted by the malicious domain, that was accessed by the victim.
To do this we’ll filter wireshark for GET requests to the phisteam.xyz domain.
We can specify the host with the filter http.host == <site.tld>
We can see the first request to download the malicious document followed by a request to index.html.
What is the encoding used by the attacker on the c2 connection?
Analyzing the C2 Traffic, it appears that the C2 traffic is being sent through GET requests to the malicious web server.
The requests appear to be base64 encoded, so we’ll try decoding one of them in CyberChef to see what we uncover.
And, with the help of CyberChef, we’ve confirmed that the requests are encoded in Base64.
The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?
Analyzing the GET requests, we can see that the Base64 is set as a value to the variable “q”.
The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?
We’ve seen that the GET requests are going to the /9ab62b5 endpoint. We can ensure this conclusion by filtering Wireshark to only show us GET requests.
What is the HTTP method used by the binary?
We’ve already discovered this in the previous questions.
Based on the user agent, what programming language was used by the attacker to compile the binary?
We can check the user-agent in Wireshark.
The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?
We can filter Wireshark for frames containing command output from the victim by using frame contains “?q=".
Decoding the various requests reveals numerous activities by the attacker. One of them, however, shows the contents of an automation script that contains the user’s password.
The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?
Among the commands decoded from the packet capture is a netstat command.
This command lists multiple open ports.Netstat command listing ports
Research shows that port 5985 can be abused as a remote shell.
The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?
Another command discovered within the C2 traffic downloaded an executable named ch.exe.
We’ll pivot and search our Sysmon logs for any process execution including this executable.
There are only two results for this query, and one clearly shows a socks connection.
What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?
We can locate the hashes of the executable within the current Timeline Explorer results.
What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.
A quick search on VirusTotal reveals the executable is chisel.exe.
The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?
We can check for process creation events occurring after the ch.exe began the socks proxy.
The command that immediately follows ch.exe is wsmprovhost.exe.
A little bit of research shows that this service uses WinRM for authentication. This result is in line with our previous research into port 5985.
After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?
Filtering for file creation events that took place around the time of the reverse socks proxy, we see an executable created in the Downloads directory.
Filtering for the process creations containing the executable name shows us that this binary was used to execute another file named final.exe.
We can find the hashes within these results.
Based on the SHA256 hash of the binary, what is the name of the tool used?
We can search this hash on VirusTotal and find the real name of the binary. Answer printspoofer
The tool exploits a specific privilege owned by the user. What is the name of the privilege?
Researching this executable explains how this tool works. https://github.com/itm4n/PrintSpoofer
Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?
We already discovered this execution in Q23.
The binary connects to a different port from the first c2 connection. What is the port used?
We discovered this earlier when first analyzing the PCAP.
Upon achieving SYSTEM access, the attacker then created two users. What are the account names?
We know the attacker has SYSTEM access and that the final stage of their malware is named final.exe.
Using this information we will filter Timeline Explorer to see relevant command execution.
We can see in the filtered results that two users were created, shion and shuna Answer shion,shuna
Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?
Looking through the results we see that the attacker forgot the /add switch in the net user commands.
Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?
A quick check on Windows Event IDs can get us the answer to this one.
One useful resource for checking the meaning of IDs and their various field is https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
The attacker added one of the accounts in the local administrator’s group. What is the command used by the attacker?
The command is within the filtered output we’ve been analyzing.
Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?
We can get this by reading about Windows Event IDs at https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?
This command is within the filtered output we’ve been analyzing.
Previous post
Next post