Sysinternals Blue Team Lab
==========================
Category: Endpoint Forensics
https://cyberdefenders.org/blueteam-ctf-challenges/sysinternals/#nav-questions
Scenario:
A user thought they were downloading the SysInternals tool suite and attempted to open it, but the tools did not launch and became inaccessible. Since then, the user has observed that their system has gradually slowed down and become less responsive.
As a SOC analyst, analyze the artifacts and answer the questions.
Helpful Tools:
- [Registry Explorer](https://ericzimmerman.github.io/#!index.md)
- [Event Log Explorer](https://eventlogxp.com/)
- [AppCompatCacheParser](https://www.sans.org/tools/appcompatcacheparser/)
- [VirusTotal](https://www.virustotal.com/)
- [Web Cache View](https://www.nirsoft.net/utils/ie_cache_viewer.html)
- [FTK Imager](https://www.exterro.com/ftk-imager#:~:text=FTK%C2%AE%20Imager%20is%20a,(FTK%C2%AE)%20is%20warranted.)
- [Autopsy](https://www.autopsy.com/)
# Q1 - What was the malicious executable file name that the user downloaded?
> AmCache.hve is **a Windows system file that is created to store information related to program executions.** The artifacts in this file can serve as a huge aid in an investigation: it records the processes recently run on the system and lists the paths of the files executed.
Go to `C:\Windows\AppCompat\Programs\` and extract `Amcache.hve`.
Then open it in Registry Explorer. Since the user downloaded the file, look for a path that contains `Downloads`.

=> SysInternals.exe
# Q2 - When was the last time the malicious executable file was modified? 12-hour format

The answer is in the timestamp; convert it to 12-hour format.
=> 11/15/2022 09:18:51 PM
# Q3 - What is the SHA1 hash value of the malware?

=> fa1002b02fc5551e075ec44bb4ff9cc13d563dcf
# Q4 - What is the malware’s family?
Use [VirusTotal](https://www.virustotal.com/gui/file/72e6d1728a546c2f3ee32c063ed09fa6ba8c46ac33b0dd2e354087c1ad26ef48/detection) and search with the hash found in Q3.

=> Rozena
# Q5 - What is the first mapped domain’s Fully Qualified Domain Name (FQDN)?
Check the PSReadLine command history file: `Users\IEUser\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`

=> [**www.malware430.com**](http://www.malware430.com/)
# Q6 - The mapped domain is linked to an IP address. What is that IP address?
The mapping is recorded in the same `ConsoleHost_history.txt` file as Q5.

=> 192.168.15.10
# Q7 - What is the name of the executable dropped by the first-stage executable?
From the Behavior tab on VirusTotal.

Based on the command shown there, `C:\Windows\vmtoolsIO.exe` is the executable in question, and it was launched via `cmd.exe`.
=> vmtoolsIO.exe
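For Q5 and Q6, here is an added example (not part of the original writeup or the lab files): a small Python scanner over a constructed PSReadLine history that pulls domain-to-IP pairs out of commands that write to the hosts file. It assumes the mapping was made by appending to the hosts file from PowerShell; the lab's real `ConsoleHost_history.txt` may record it differently, so the sample lines below are constructed, not copied from the challenge.

```python
import re

# Constructed sample of a PSReadLine ConsoleHost_history.txt (not the lab's real file).
# Lines are in the order the user typed them, so "first mapped" = first match.
SAMPLE_HISTORY = """\
Get-ChildItem C:\\Users\\IEUser\\Downloads
Add-Content -Path C:\\Windows\\System32\\drivers\\etc\\hosts -Value "192.168.15.10 www.malware430.com"
Add-Content C:\\Windows\\System32\\drivers\\etc\\hosts "10.0.0.5 update.example.internal"
ipconfig /flushdns
Get-Process | Where-Object { $_.CPU -gt 100 }
"""

# Any command line that references the hosts file path (case-insensitive).
HOSTS_PATH_RE = re.compile(r"drivers\\etc\\hosts", re.IGNORECASE)
# "<IPv4> <FQDN>" pairs as they would appear in a hosts entry.
MAPPING_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\s+([A-Za-z0-9.-]+\.[A-Za-z]{2,})")


def extract_hosts_mappings(history_text):
    """Return (ip, fqdn, line_number) for every hosts-file write found in the history."""
    results = []
    for line_no, line in enumerate(history_text.splitlines(), start=1):
        if not HOSTS_PATH_RE.search(line):
            continue
        for ip, fqdn in MAPPING_RE.findall(line):
            results.append((ip, fqdn, line_no))
    return results


def first_mapped_domain(history_text):
    """Return (ip, fqdn) of the earliest mapping, or None if the history has none."""
    mappings = extract_hosts_mappings(history_text)
    return mappings[0][:2] if mappings else None


if __name__ == "__main__":
    for ip, fqdn, line_no in extract_hosts_mappings(SAMPLE_HISTORY):
        print(f"line {line_no}: {fqdn} -> {ip}")
    print("first mapped domain:", first_mapped_domain(SAMPLE_HISTORY))
```

The same scan can be pointed at an exported history file by reading it with `open(path, encoding="utf-8", errors="replace").read()`.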
# Q8 - What is the name of the service installed by 2nd stage executable?
Same approach as Q7 (VirusTotal's Behavior tab).

=> VMwareIOHelperService
# Q9 - What is the extension of files deleted by the 2nd stage executable?
Check the event logs in `C:\Windows\System32\winevt\Logs` for file deletion events (EventId=26).
# References and Further Readings
- https://medium.com/@m0_4de1/sysinternals-challenge-writeup-cyberdefender-2ff9ee543c27
- https://medium.com/@C3TUS/cyberdefenders-sysinternals-walkthrough-a9a8526543c8
- https://0xmedhat.gitbook.io/whoami/sysinternals-cyberdefenders
- https://medium.com/@amanyashraf938/sysinternals-write-up-fce524bbf1eb