Hunter Blue Team Lab
====================

https://cyberdefenders.org/blueteam-ctf-challenges/hunter/#nav-questions

Category: Endpoint Forensics

Case Overview: The SOC team got an alert regarding some illegal port scanning activity coming from an employee's system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user's system to perform some investigations. There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond port scanning! It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him! Your objective as a SOC analyst is to analyze the image and to either confirm or deny this theory.
Supportive Tools:

- [AccessData FTK Imager](https://accessdata.com/product-download/ftk-imager-version-4-3-1-1)
- [Registry Explorer/RECmd](https://ericzimmerman.github.io/#!index.md)
- [Reg Ripper "Windows"](https://github.com/keydet89/RegRipper3.0)
- [Reg Ripper "Linux"](https://tools.kali.org/forensics/regripper)
- [DCode](https://www.digital-detective.net/dcode/)
- [ShellBags Explorer](https://ericzimmerman.github.io/#!index.md)
- [DB Browser for SQLite](https://sqlitebrowser.org/dl/)
- [WinPrefetchView](https://www.nirsoft.net/utils/win_prefetch_view.html)
- [JumpList Explorer](https://ericzimmerman.github.io/#!index.md)
- [010 Editor](https://www.sweetscape.com/download/010editor/)
- [SysTools Outlook PST Viewer 4.5.0.0](https://www.majorgeeks.com/mg/getmirror/systools_outlook_pst_viewer,1.html)
- [Autopsy](https://www.autopsy.com/download/)
- [Hindsight](https://github.com/obsidianforensics/hindsight)
- [Arsenal Image Mounter](https://arsenalrecon.com/downloads/)
- [LinkParser v1.3](https://4discovery.com/our-tools/link-parser/)

Dump the important registry hives from the image and load them into Registry Explorer:

- SAM, SECURITY, SOFTWARE, SYSTEM (/root/Windows/System32/config)
- ntuser.dat (/root/Windows/System32/systemprofile)
- usrClass.dat (/root/Users/Hunter/AppData/Local/Microsoft/Windows)

# Q1 - What is the computer name of the suspect machine?

`SYSTEM\ControlSet001\Control\ComputerName`

![image](https://hackmd.io/_uploads/rk0nia7MC.png)

=> 4ORENSICS

# Q2 - What is the computer IP?

`SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8CB9FBF6-AE23-4E1C-AA0A-EE23CB4FE736}`

![image](https://hackmd.io/_uploads/BkpeTp7GC.png)

=> 10.0.2.15

# Q3 - What was the DHCP LeaseObtainedTime?
Same registry path as in Q2:

![image](https://hackmd.io/_uploads/Sy9_pp7f0.png)

The value is a Unix epoch timestamp; convert it on [epochconverter](https://www.epochconverter.com/):

![image](https://hackmd.io/_uploads/rkg2aTQGR.png)

=> 21/06/2016 02:24:12 UTC

# Q4 - What is the computer SID?

`SAM\Domains\Account\Aliases\Members\S-1-5-21-2489440558-2754304563-710705792`

A SID (security identifier) **is the unique identifier Windows assigns to each security principal (user, group)**.

![image](https://hackmd.io/_uploads/B1IDoKNM0.png)

=> S-1-5-21-2489440558-2754304563-710705792

# Q5 - What is the Operating System (OS) version?

We can get the OS version from the SOFTWARE hive:

`Microsoft\Windows NT\CurrentVersion`

![image](https://hackmd.io/_uploads/HkI83FEfA.png)

=> 8.1

# Q6 - What was the computer timezone?

`SYSTEM\ControlSet001\Control\TimeZoneInformation`

![image](https://hackmd.io/_uploads/Byd5Q54MR.png)

Pacific Standard Time

![image](https://hackmd.io/_uploads/rJ7ZE5VGA.png)

=> UTC-07:00

# Q7 - How many times did this user log on to the computer?

Use RegRipper to parse the SAM file, or follow the path `C:\Windows\System32\config\SYSTEM`:

![image](https://hackmd.io/_uploads/HJNrw5EM0.png)

or

![image](https://hackmd.io/_uploads/rkX2DqVzC.png)

=> 3

# Q8 - When was the last login time for the discovered account? Format: one-space between date and time

![image](https://hackmd.io/_uploads/ryo7OcNMA.png)

=> 2016-06-21 01:42:40

# Q9 - There was a "Network Scanner" running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

Common network scanners are nmap.exe, zenmap.exe and nessus.exe. I will try zenmap.exe first, using PECmd.exe to read its prefetch file:

![image](https://hackmd.io/_uploads/H1BRq54GA.png)

=> zenmap.exe,2016-06-21 12:08:13 UTC

# Q10 - When did the port scan end?
(Example: Sat Jan 23 hh:mm:ss 2016)

Open /root/Users/Hunter/Desktop, dump the nmapscan.xml file, then open it in the XML viewer at https://jsonformatter.org/xml-viewer:

![image](https://hackmd.io/_uploads/BkZtXjNfC.png)

=> Tue Jun 21 05:12:09 2016

# Q11 - How many ports were scanned?

![image](https://hackmd.io/_uploads/S1hVri4zC.png)

=> 1000

# Q12 - What ports were found "open"? (comma-separated, ascending)

![image](https://hackmd.io/_uploads/HJUsSjVMC.png)

=> 22,80,9929,31337

# Q13 - What was the version of the network scanner running on this computer?

![image](https://hackmd.io/_uploads/Byg7Li4MA.png)

=> 7.12

# Q14 - The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

> [Skyperious](https://suurjaak.github.io/Skyperious/) tool to do skype forensics, a [resource](https://www.dataforensics.org/skype-forensic-analysis/) that may help you with your investigation.

First I dump the Skype database: go to /root/Users/Hunter/AppData/Roaming/Skype and dump the Skype folder, then open the main database (Root/Users/Hunter/AppData/Roaming/Skype/hunterehpt/main.db) with [Skyperious](https://suurjaak.github.io/Skyperious/) and go to the chat section:

![image](https://hackmd.io/_uploads/Ski_tiEGA.png)

=> linux-rul3z

# Q15 - What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

![image](https://hackmd.io/_uploads/HJbm5jNz0.png)

=> Teamviewer

# Q16 - What is the Gmail email address of the suspect employee?

Go to the information section:

![image](https://hackmd.io/_uploads/Hk3YciEz0.png)

=> ehptmsgs@gmail.com

# Q17 - It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?
![image](https://hackmd.io/_uploads/Bk9Tg2VM0.png)

=> home-network-design-networking-for-a-single-family-home-case-house-arkko-1433-x-792.jpg

# Q18 - The user Documents' directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

root/Users/Hunter/Documents

![image](https://hackmd.io/_uploads/HkbQB24zC.png)

=> Ryan_VanAntwerp_thesis.pdf

# Q19 - What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)

> _BCWipe_ is a file shredder tool designed to selectively remove all traces of unwanted files beyond recovery. _BCWipe_ can wipe files, folders, Data Remanence, Wipe ...

`/root/Program Files[x86]/Jetico/BCWIPE/UnInstall.log`

![image](https://hackmd.io/_uploads/SycdK3VGR.png)

=> Crypto Swap

# Q20 - What are the serial numbers of the two identified USB storage?

`SYSTEM\ControlSet001\Enum\USB`

![image](https://hackmd.io/_uploads/SyLIq24zA.png)

=> 07B20C03C80830A9,AAI6UXDKZDV8E9OU

# Q21 - One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

Same as Q19:

![image](https://hackmd.io/_uploads/S12w6nVMR.png)

=> Jetico BCWipe

# Q22 - How many prefetch files were discovered on the system?

`PECmd.exe -d "C:\Users\user\Desktop\New folder\Prefetch"`

![image](https://hackmd.io/_uploads/H1UDUTVMC.png)

=> 174

# Q23 - How many times was the file shredder application executed?

`PECmd.exe -d "C:\Users\Admin\OneDrive\Desktop\hunter\Prefetch" --csv "C:\Users\Admin\OneDrive\Desktop"`

![image](https://hackmd.io/_uploads/H1zPXNYf0.png)

=> 5

# Q24 - Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Same as Q9.

=> 06/21/2016 12:08:13 pm

# Q25 - A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?
Check the Downloads folder:

![image](https://hackmd.io/_uploads/B1HhkCEz0.png)

Offensive traffic manipulation tool:

![image](https://hackmd.io/_uploads/BJYr1CEGA.png)

(...)

=> C:\Users\Hunter\Downloads\Burpsuite_free_v1.7.03.jar

# Q26 - The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

![image](https://hackmd.io/_uploads/rk-clANGC.png)

=> Pictures.7z

# Q27 - Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

![image](https://hackmd.io/_uploads/rkvI-CNf0.png)

=> C:\Users\Hunter\Pictures\Exfil

# Q28 - The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

Check $Recycle-Bin:

![image](https://hackmd.io/_uploads/H1doG0VzA.png)

Then go to Users\Hunter\Pictures\Private:

![image](https://hackmd.io/_uploads/S1WaMCVMR.png)

=> ws_Small_cute_kitty_1920x1200.jpg

# Q29 - Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

> Within the Windows framework, the Jump Lists files can be found here:
>
> - Automatically generated: **`\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations`**
>
> The files to be found in this catalogue have a complex structure. As a rule, data of these files are stored in OLE containers.
>
> - Created by Users: **`\Users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations`**
>
> The files located in this catalogue possess a simpler structure. Among other things, these files indicate where the user pinned a certain Jump List, i.e. whether it is '**Start Menu**' or '**Task Bar**'.
`/root/Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent`

![image](https://hackmd.io/_uploads/By3sJHYG0.png)

=> AutomaticDestinations

# Q30 - Using JUMP LIST analysis, provide the full path of the application with the AppID of "aa28770954eaeaaa" used to bypass network security monitoring controls.

Load the aa28770954eaeaaa file into [JumpListExplorer](https://f001.backblazeb2.com/file/EricZimmermanTools/JumpListExplorer.zip):

![image](https://hackmd.io/_uploads/SkG6-rtMA.png)

=> C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe

# References and Further Readings

- https://medium.com/@m0_4de1/hunter-blue-team-challenge-writeup-cyberdefender-bd4227e1a368
- https://ahmed-naser.medium.com/hunter-blue-team-challenge-walkthrough-write-up-843de197aa29
- https://medium.com/@laupeiip/tryhackme-windows-forensics-2-write-up-331ad47bd063
- https://belkasoft.com/analyzing_jump_lists_with_belkasoft_evidence_center
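Appendix: offline reproduction of three of the parsing steps above. The Python script below is an added example written for this page; it is not part of the original writeup and not code from any of the tools listed. It does with the standard library what the writeup does with an online epoch converter (Q3), a web XML viewer (Q10 to Q13) and manual inspection of $Recycle-Bin (Q28): it converts the DHCP LeaseObtainedTime DWORD to UTC, pulls the scan end time, port count, open ports and scanner version out of nmapscan.xml, and decodes a `$I` metadata record from `$Recycle.Bin`, the small file Windows writes next to each deleted item (`$R...`) to remember its original path, size and deletion time. Assumptions: the nmap XML and the `$I` record are constructed samples, not the challenge's files; the epoch value 1466475852 is taken as the raw registry DWORD because it is the value that converts to the answer the writeup gives for Q3 (the writeup shows the raw value only in a screenshot); the `$I` layout coded is the Vista to Windows 8.1 one, with the Windows 10 variant handled for completeness.

```python
"""Added example (not part of the original writeup): standard-library helpers for
three artefacts handled above, so the steps work offline.

  Q3        DHCP LeaseObtainedTime is a DWORD of seconds since the Unix epoch.
  Q10-Q13   nmapscan.xml is parsed instead of pasted into a web XML viewer.
  Q28       a $Recycle.Bin $I metadata record is decoded to recover the original
            path and deletion time of a deleted file.

All sample values below are constructed for this example.
"""
from datetime import datetime, timedelta, timezone
import struct
import xml.etree.ElementTree as ET

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


# --- Q3: registry Unix-epoch DWORD -> UTC string ----------------------------------
def epoch_to_utc(seconds: int) -> str:
    """Tcpip\\Parameters\\Interfaces\\{GUID}\\LeaseObtainedTime holds Unix seconds."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


# --- Q10-Q13: nmap XML output ------------------------------------------------------
# Constructed sample shaped like real `nmap -oX` output; not the challenge's file.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS target" version="7.12">
  <scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
  <host>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/></port>
    </ports>
  </host>
  <runstats><finished timestr="Tue Jun 21 05:12:09 2016" exit="success"/></runstats>
</nmaprun>"""


def summarize_nmap_xml(xml_text: str) -> dict:
    """Extract scanner version, number of ports scanned, open ports and end time."""
    root = ET.fromstring(xml_text)
    scaninfo = root.find("scaninfo")
    finished = root.find("runstats/finished")
    open_ports = sorted(
        int(port.get("portid"))
        for port in root.iter("port")
        if port.find("state") is not None and port.find("state").get("state") == "open"
    )
    return {
        "version": root.get("version"),                     # Q13
        "ports_scanned": int(scaninfo.get("numservices")),  # Q11
        "open_ports": open_ports,                           # Q12
        "scan_end": finished.get("timestr"),                # Q10 (scanning host's local time)
    }


# --- Q28: $Recycle.Bin $I record ---------------------------------------------------
def filetime_to_utc(filetime: int) -> datetime:
    """FILETIME counts 100-ns intervals since 1601-01-01 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def parse_recycle_bin_i_file(data: bytes) -> dict:
    """Decode one $I<random>.<ext> record.

    Version 1 (Vista to 8.1, 544 bytes): u64 version=1, u64 original size,
    u64 FILETIME deleted, 520-byte NUL-padded UTF-16LE original path.
    Version 2 (Windows 10+): a u32 character count precedes the path instead.
    """
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + 2 * nchars]
    else:
        raise ValueError(f"unsupported $I version {version}")
    path = raw_path.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size, "deleted_utc": filetime_to_utc(filetime), "path": path}


def make_sample_i_file(path: str, size: int, deleted: datetime, version: int = 1) -> bytes:
    """Build a $I record in either layout (constructed test data, not from the image)."""
    filetime = int((deleted - WINDOWS_EPOCH).total_seconds()) * 10_000_000
    encoded = path.encode("utf-16-le") + b"\x00\x00"  # NUL-terminated UTF-16LE
    if version == 1:
        return struct.pack("<QQQ", 1, size, filetime) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, filetime, len(path) + 1) + encoded


SAMPLE_DELETED_UTC = datetime(2016, 6, 21, 12, 34, 56, tzinfo=timezone.utc)  # constructed
SAMPLE_I_RECORD = make_sample_i_file(
    r"C:\Users\Hunter\Pictures\Private\ws_Small_cute_kitty_1920x1200.jpg", 1_048_576, SAMPLE_DELETED_UTC
)

if __name__ == "__main__":
    # 1466475852 is assumed to be the raw DWORD: it is the epoch matching the Q3 answer.
    print(epoch_to_utc(1466475852))
    print(summarize_nmap_xml(SAMPLE_NMAP_XML))
    print(parse_recycle_bin_i_file(SAMPLE_I_RECORD))
```

On an actual image, read the `$I` file with `open(path, "rb").read()` and pass the text of nmapscan.xml to `summarize_nmap_xml`. Two details worth keeping in mind when comparing with the answers above: `numservices` on `<scaninfo>` is what "ports scanned" means, and `timestr` on `<runstats><finished>` is the scanning host's local time, which is why the Q10 answer is not in UTC while the prefetch timestamps in Q9 and Q24 are.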