# RedLine Blue Team Challenge

:::success
https://cyberdefenders.org/blueteam-ctf-challenges/106#nav-questions
:::

:::info
Scenario: As a member of the Security Blue team, your assignment is to analyze a memory dump using Redline and Volatility tools. Your goal is to trace the steps taken by the attacker on the compromised machine and determine how they managed to bypass the Network Intrusion Detection System "NIDS". Your investigation will involve identifying the specific malware family employed in the attack, along with its characteristics. Additionally, your task is to identify and mitigate any traces or footprints left by the attacker.

Tools: Volatility
:::

#### 1. What is the name of the suspicious process?

```
oneetx.exe
```

Use `windows.info` to confirm the OS version of the memory image; the host runs Windows 10.

![Screenshot 2023-12-01 11.36.03 AM](https://hackmd.io/_uploads/ryMhN0LHa.jpg)

The `windows.malfind` plugin quickly lists processes that may be malicious (for reference only). Volatility flags oneetx.exe (PID 5896) and smartscreen.ex (PID 7540) as possibly malicious.

![Screenshot 2023-12-01 11.49.57 AM](https://hackmd.io/_uploads/SkVxd0Urp.jpg)

After dumping the file and checking it on VirusTotal, oneetx.exe turns out to be malicious (piperazine).

![Screenshot 2023-12-01 12.02.30 PM](https://hackmd.io/_uploads/SJ8JoRUST.jpg)

![Screenshot 2023-12-01 12.05.03 PM](https://hackmd.io/_uploads/H1xYiRIBp.jpg)

![Screenshot 2023-12-01 12.07.18 PM](https://hackmd.io/_uploads/S1N-3R8Ha.jpg)

References:

- https://cpuu.hashnode.dev/an-introduction-to-volatility-3
- https://volatility3.readthedocs.io/en/latest/vol2to3.html
- https://volatility3.readthedocs.io/en/v2.0.1/volatility3.plugins.html
- https://dfir.science/2022/02/Introduction-to-Memory-Forensics-with-Volatility-3

#### 2. What is the child process name of the suspicious process?

```
rundll32.exe
```

Querying with `windows.pstree` shows that oneetx.exe launches rundll32.exe.

![Screenshot 2023-12-01 12.09.16 PM](https://hackmd.io/_uploads/rJs_h0Ura.jpg)

#### 3. What is the memory protection applied to the suspicious process memory region?

```
PAGE_EXECUTE_READWRITE
```

Following on from question 1, the memory protection of the flagged oneetx.exe region is PAGE_EXECUTE_READWRITE.

![Screenshot 2023-12-01 11.49.57 AM](https://hackmd.io/_uploads/SkVxd0Urp.jpg)

References:

- https://learn.microsoft.com/zh-tw/windows/win32/memory/memory-protection-constants

#### 4. What is the name of the process responsible for the VPN connection?

```
Outline.exe
```

Querying with `windows.netscan` shows a process tun2socks.exe (PID 4628) whose file name suggests it is related to network connections.

![Screenshot 2023-12-01 2.27.15 PM](https://hackmd.io/_uploads/ByMRnxwrp.jpg)

Querying with `windows.pstree` shows that tun2socks.exe was started by Outline.exe.

![Screenshot 2023-12-01 1.51.04 PM](https://hackmd.io/_uploads/ByPINlDST.jpg)

Searching for Outline.exe reveals that it is VPN software.

![Screenshot 2023-12-01 2.30.50 PM](https://hackmd.io/_uploads/rydsalPSp.jpg)

#### 5. What is the attacker's IP address?

```
77.91.124.20
```

Querying with `windows.netscan` and grepping for the processes found earlier shows that IP 77.91.124.20 is associated with the malware oneetx.exe, while IP 38.121.43.65 is associated with the VPN.

![Screenshot 2023-12-01 2.39.34 PM](https://hackmd.io/_uploads/rJL3yWvBT.jpg)

#### 6. Based on the previous artifacts. What is the name of the malware family?

```
RedLine Stealer
```

This one cannot be answered from the existing evidence alone. Based on the earlier VirusTotal result, searching for piperazine.exe turns up an ANY.RUN report whose threats section classifies it as RedLine Stealer.

![Screenshot 2023-12-01 2.57.39 PM](https://hackmd.io/_uploads/rkfxNZwH6.jpg)

#### 7. What is the full URL of the PHP file that the attacker visited?

```
http://77.91.124.20/store/games/index.php
```

Knowing that the host ran the malware oneetx.exe (PID 5896), use `windows.vadyarascan` to search its memory regions for related records.

First, write a YARA rule file. The answer format hint tells us the URL starts with http, and the question says it is a PHP file, so the condition requires a `.php` ending. The YARA rules file is as follows:

```yara
rule with_urls
{
    strings:
        // "https?" rather than the original "http?" (which made the "p" optional),
        // and "\.php" so the dot is matched literally.
        $http_url_regex = /https?:\/\/([\w\.-]+)([\/\w \.-]*)\.php/
    condition:
        all of them
}
```

Because the output is a hex dump, `xxd` is used to convert it back into readable text:

```bash
# Appended to the windows.vadyarascan command; re-encodes each hit's hex
# bytes through xxd so the matched string is readable.
| awk '
/^0x/{
    # Fields 5 onward hold the hex bytes of the match; join them into one string.
    S=""
    for(i=5; i<NF; i++) { S=S sprintf("%s", $i) }
    print "PID:" $2 "\tRule:" $3 "\tComponent:" $4
    # Turn the plain hex back into bytes, then dump it again at the original offset.
    system("echo " S " | xxd -r -ps | xxd -o " $1 " | sed \"s/^/0x/\"")
    print ""
    next
}
/^Offset/{next}   # drop the header row
{print}
'
```

![Screenshot 2023-12-01 8.26.42 PM](https://hackmd.io/_uploads/BkmfbLDHp.jpg)

This matches what was found in the earlier questions: there was a connection to http://77.91.124.20/store/games/index.php.

#### 8. What is the full path of the malicious executable?

```
C:\Users\Tammam\AppData\Local\Temp\c3912af058\oneetx.exe
```

Query with `windows.filescan` and grep for the known malware name oneetx.exe.

![Screenshot 2023-12-01 8.43.58 PM](https://hackmd.io/_uploads/HkpGSLvBp.jpg)
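As an added example (not part of the original write-up), the Python below applies the question 7 URL regex, in its corrected form and in its original form, to a constructed byte buffer standing in for a dumped VAD region of oneetx.exe, and reverses a constructed hex-dump string the way the `xxd -r -ps` step does. The buffer contents, the hex string, the pattern names and the helper functions are all assumptions.

```python
import re

# Byte-level equivalent of the write-up's YARA regex with two corrections:
# "https?" (the original "http?" makes the "p" optional, so "htt://" also
# matches) and an escaped "\.php" so a literal ".php" is required.
FIXED_PATTERN = re.compile(rb"https?://([\w.-]+)([/\w .-]*)\.php")
# The regex exactly as written in the original rule, kept for comparison.
ORIGINAL_PATTERN = re.compile(rb"http?://([\w.-]+)([/\w .-]*).php.")

# Constructed sample standing in for a dumped VAD region of oneetx.exe:
# the real URL sits among unrelated bytes, a non-PHP URL, and two strings
# that only the sloppy original regex accepts.
SAMPLE_REGION = (
    b"\x00MZ\x90\x00"
    b"http://77.91.124.20/store/games/index.php\x00"
    b"https://example.invalid/api/v1\x00"
    b"htt://bogus.invalid/a/ayphpz\x00"   # optional "p" plus unescaped "."
    b"http://203.0.113.9/notxphp\x00"     # unescaped "." accepts "xphp"
)


def extract_php_urls(region: bytes, pattern=FIXED_PATTERN) -> list[str]:
    """Return every URL in a memory region that the given pattern accepts."""
    return [m.group(0).decode("ascii", "replace") for m in pattern.finditer(region)]


def hexdump_to_bytes(dump: str) -> bytes:
    """Reverse a space-separated hex dump (what the xxd -r -ps step does)."""
    return bytes.fromhex(dump.replace(" ", "").replace("\n", ""))


def urls_from_hexdump(dump: str) -> list[str]:
    """Decode scanner hex output, then pull the .php URL(s) out of it."""
    return extract_php_urls(hexdump_to_bytes(dump))


# Constructed hex rendering of the match, the way a scanner prints it.
SAMPLE_HEXDUMP = (
    "68 74 74 70 3a 2f 2f 37 37 2e 39 31 2e 31 32 34 2e 32 30 2f 73 74 6f "
    "72 65 2f 67 61 6d 65 73 2f 69 6e 64 65 78 2e 70 68 70"
)

if __name__ == "__main__":
    print(extract_php_urls(SAMPLE_REGION))                    # one real URL
    print(extract_php_urls(SAMPLE_REGION, ORIGINAL_PATTERN))  # three hits, two bogus
    print(urls_from_hexdump(SAMPLE_HEXDUMP))
```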