# HawkEye Blue Team Challenge

:::success
https://cyberdefenders.org/blueteam-ctf-challenges/91#nav-questions
:::

:::info
Scenario: An accountant at your organization received an email regarding an invoice with a download link. Suspicious network traffic was observed shortly after opening the email. As a SOC analyst, investigate the network trace and analyze exfiltration attempts.

Tools: Wireshark, BrimSecurity, Apackets, MaxMind Geo IP, VirusTotal
:::

#### 1. How many packets does the capture have?

```
4003
```

Open Capture File Properties.

![截圖 2023-11-27 上午9.07.29](https://hackmd.io/_uploads/SJ1J2v-Ha.jpg)

#### 2. At what time was the first packet captured?

```
2019-04-10 20:37:07 UTC
```

Capture File Properties shows the time in UTC+8.

![截圖 2023-11-27 上午9.08.42](https://hackmd.io/_uploads/SyDXhP-S6.jpg)

Looking at the first packet, the time shown is the original UTC (UTC+0) time.

![截圖 2023-11-27 上午9.09.29](https://hackmd.io/_uploads/SyUU3wbra.jpg)

#### 3. What is the duration of the capture?

```
01:03:41
```

Open Capture File Properties.

![截圖 2023-11-27 上午9.17.52](https://hackmd.io/_uploads/rknHCDWST.jpg)

#### 4. What is the most active computer at the link level?

```
00:08:02:1c:47:ae
```

Open Conversations: the host 00:08:02:1c:47:ae has the highest activity.

![截圖 2023-11-27 上午9.19.48](https://hackmd.io/_uploads/H1-TAvbHp.jpg)

#### 5. Manufacturer of the NIC of the most active system at the link level?

```
Hewlett-Packard
```

A MAC address is 48 bits long; the first 24 bits identify the manufacturer and can be looked up with an online tool.

References:
https://dnschecker.org/mac-lookup.php
https://www.jannet.hk/mac-address-vendor-lookup-zh-hant/

![截圖 2023-11-27 上午9.25.11](https://hackmd.io/_uploads/B14-lO-r6.jpg)

#### 6. Where is the headquarter of the company that manufactured the NIC of the most active computer at the link level?

```
Palo Alto
```

Looking up HP on Wikipedia: Hewlett-Packard is headquartered in Palo Alto, California, United States.

![截圖 2023-11-27 上午9.36.29](https://hackmd.io/_uploads/rJniGOZra.jpg)

#### 7. The organization works with private addressing and netmask /24. How many computers in the organization are involved in the capture?

```
3
```

Open Endpoints: the 10.4.10.0/24 subnet contains three hosts, 10.4.10.2, 10.4.10.4 and 10.4.10.132.

![截圖 2023-11-27 上午9.40.44](https://hackmd.io/_uploads/H1ojQd-Sa.jpg)

#### 8. What is the name of the most active computer at the network level?

```
beijing-5cd1-pc
```

NetworkMiner shows hostnames quickly.

![截圖 2023-11-27 上午9.47.42](https://hackmd.io/_uploads/SynSBdWHT.jpg)

The capture also contains SMTP packets; the hostname of 10.4.10.132 can be seen in the EHLO command.

![截圖 2023-11-27 上午11.20.32](https://hackmd.io/_uploads/SyC-jYWH6.jpg)

#### 9. What is the IP of the organization's DNS server?

```
10.4.10.4
```

Filtering on dns shows that 10.4.10.4 is the DNS server in the environment.

![截圖 2023-11-27 下午3.51.25](https://hackmd.io/_uploads/HkqFca-Hp.jpg)

#### 10. What domain is the victim asking about in packet 204?

```
proforma-invoices.com
```

Look at packet 204.

![截圖 2023-11-27 下午3.55.08](https://hackmd.io/_uploads/B1cPspZrp.jpg)

#### 11. What is the IP of the domain in the previous question?

```
217.182.138.150
```

Look at the DNS response in packet 206.

![截圖 2023-11-27 下午3.56.19](https://hackmd.io/_uploads/ry1hoTWST.jpg)

#### 12. Indicate the country to which the IP in the previous section belongs.

```
France
```

Look it up with GeoIP.

![截圖 2023-11-27 下午3.58.52](https://hackmd.io/_uploads/SyFB2pbSp.jpg)

Reference: https://www.maxmind.com/en/geoip-demo

#### 13. What operating system does the victim's computer run?

```
Windows NT 6.1
```

The operating system can be determined from the User-Agent in the HTTP request:

```
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
```

![截圖 2023-11-27 下午4.46.00](https://hackmd.io/_uploads/By3UvCWB6.jpg)

#### 14. What is the name of the malicious file downloaded by the accountant?
```
tkraw_Protected99.exe
```

In Wireshark, File > Export Objects shows the file tkraw_Protected99.exe.

![截圖 2023-11-29 下午12.16.20](https://hackmd.io/_uploads/HkXmiEVSp.jpg)

NetworkMiner also shows the download of tkraw_Protected99.exe.

![截圖 2023-11-27 下午5.02.54](https://hackmd.io/_uploads/BkASjC-Bp.jpg)

Packet 210 also shows the HTTP GET that downloads tkraw_Protected99.exe.

![截圖 2023-11-27 下午5.05.49](https://hackmd.io/_uploads/BJsx20-r6.jpg)

#### 15. What is the md5 hash of the downloaded file?

```
71826ba081e303866ce2a2534491a2f7
```

Continuing from the previous question, export the file with File > Export Objects in Wireshark and submit it to VT, which returns information about the malware, including its hashes.

![截圖 2023-11-29 下午12.18.27](https://hackmd.io/_uploads/HkZiiE4BT.jpg)

#### 16. What software runs the webserver that hosts the malware?

```
litespeed
```

NetworkMiner shows that the web server software on 217.182.138.150 is litespeed.

![截圖 2023-11-29 下午1.50.05](https://hackmd.io/_uploads/S1jzb84H6.jpg)

Following the TCP stream of the download in Wireshark also shows the software used on the server side.

![截圖 2023-11-29 下午1.54.24](https://hackmd.io/_uploads/ryRfMU4Ha.jpg)

#### 17. What is the public IP of the victim's computer?

```
173.66.146.112
```

NetworkMiner shows that the public IP of 10.4.10.132 is 173.66.146.112.

![截圖 2023-11-29 下午2.09.17](https://hackmd.io/_uploads/S1sqHLVSa.jpg)

Alternatively, look at the SMTP packets in Wireshark: the public IP appears where the SMTP server replies to the client's hello.

![截圖 2023-11-29 下午2.38.58](https://hackmd.io/_uploads/rkQc3UNS6.jpg)

#### 18. In which country is the email server to which the stolen information is sent?

```
United States
```

Look up the email server's IP, 23.229.162.69, with an online tool.

![截圖 2023-11-29 下午2.55.25](https://hackmd.io/_uploads/SJ5vgPNr6.jpg)

Reference: https://www.maxmind.com/en/geoip-demo

#### 19. Analyzing the first extraction of information. What software runs the email server to which the stolen data is sent?

```
Exim 4.91
```

In the SMTP packets, right after the three-way handshake the server announces its own information first.

#### 20. To which email account is the stolen information sent?

```
sales.del@macwinlogistics.in
```

In the SMTP packets, the attacker uses sales.del@macwinlogistics.in to mail the data to themselves.

![截圖 2023-11-29 下午3.04.47](https://hackmd.io/_uploads/rJnqMvEra.jpg)

#### 21. What is the password used by the malware to send the email?

```
Sales@23
```

Continuing from the previous question, the login password seen is U2FsZXNAMjM=. The SMTP login exchange is base64-encoded; decoding it gives the password Sales@23.

![截圖 2023-11-29 下午3.09.00](https://hackmd.io/_uploads/H19c7vNS6.jpg)

#### 22. Which malware variant exfiltrated the data?

```
Reborn v9
```

Decoding the mail body shows that the data was stolen with the keylogger tool Reborn v9.

![截圖 2023-11-29 下午3.15.56](https://hackmd.io/_uploads/SktESw4r6.jpg)

#### 23. What are the bankofamerica access credentials? (username:password)

```
roman.mcguire:P@ssw0rd$
```

Continuing from the previous question, search the decoded content for the bankofamerica entry.

![截圖 2023-11-29 下午3.18.07](https://hackmd.io/_uploads/S1nhBDNrT.jpg)

#### 24. Every how many minutes does the collected data get exfiltrated?

```
10
```

Looking at the SMTP packets, the frequency is about once every 10 minutes.

![截圖 2023-11-29 下午3.24.04](https://hackmd.io/_uploads/S1QEDD4HT.jpg)
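The SMTP steps from questions 19 to 24 (decoding the AUTH LOGIN credentials, collecting the EHLO hostname and recipient, and measuring the exfil cadence) as one added Python example; this is not part of the original writeup. The client-side session lines and their timestamps are constructed, only the base64 password and the mailbox come from the writeup.

```python
import base64
import re
from datetime import datetime
from statistics import median

# Constructed client-side SMTP lines shaped like the capture's exfil sessions.
# Timestamps and the session count are made up; the base64 password and the
# recipient match the writeup, the username is encoded here for the demo.
USER_B64 = base64.b64encode(b"sales.del@macwinlogistics.in").decode()
SESSION_STARTS = ["2019-04-10 20:40:00", "2019-04-10 20:50:02", "2019-04-10 21:00:01"]
SESSION_LOG = [(ts, line) for ts in SESSION_STARTS for line in (
    "EHLO beijing-5cd1-pc", "AUTH LOGIN", USER_B64, "U2FsZXNAMjM=",
    "MAIL FROM:<sales.del@macwinlogistics.in>",
    "RCPT TO:<sales.del@macwinlogistics.in>")]


def analyze_smtp(lines):
    """Decode AUTH LOGIN credentials, collect EHLO hostnames and RCPT TO
    addresses, and estimate the exfil cadence in minutes between sessions."""
    hosts, rcpts, creds, starts = set(), set(), {}, []
    pending, user = [], None  # base64 lines expected after AUTH LOGIN
    for ts, line in lines:
        cmd = line.strip()
        parts = cmd.split(None, 1)
        verb = parts[0].upper() if parts else ""
        if verb in ("EHLO", "HELO") and len(parts) == 2:
            hosts.add(parts[1])  # a new session starts with the greeting
            starts.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"))
        elif cmd.upper() == "AUTH LOGIN":
            pending = ["user", "pass"]
        elif pending:
            try:  # AUTH LOGIN sends username, then password, each base64-encoded
                value = base64.b64decode(cmd, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pending = []  # not a credential line, e.g. auth was rejected
            else:
                if pending.pop(0) == "user":
                    user = value
                else:
                    creds[user] = value
        m = re.match(r"RCPT TO:<([^>]+)>", cmd, re.I)
        if m:
            rcpts.add(m.group(1))
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(starts, starts[1:])]
    return {"hosts": hosts, "rcpts": rcpts, "creds": creds,
            "interval_min": round(median(gaps)) if gaps else None}
```

With the constructed log the result names the victim host, the mailbox used as both sender and recipient, the decoded credential pair and a cadence of about 10 minutes, which is the same set of facts the writeup pulls from the capture by hand.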