0️⃣ Background
An MSSP, Virus Vipers, has been compromised by APT10. This led to the compromise of one of their clients, SyntheticPartners. An RDP connection was made from an internal VPN range of Virus Vipers to SP-PC-01 using the account of Andy Sanders (CFO).

Timeline
Datetime | Event
October 2023 | Breach occurred
2023-10-14 | Suspicious RDP connection was made from VPN subnet 10.0.3.0/24 to SP-PC-01 (192.168.0.5)
AI Infused Hunting
🕵🏼: Prompt
🤖: LLM Guidance
1️⃣ Triaging the scoping notes
Question 1 (Hint used)
Can you identify the timestamp of the suspicious RDP connection SyntheticPartners mentioned?
We open ELK and set the date filter to cover the whole of October 14 2023. Change the log source to Event Logs. Query successful logons (event ID 4624) with logon type 10 (RemoteInteractive, i.e. RDP) onto the machine sp-pc-01. Logon type 10 is the one to filter on: type 3 network logons to the same host would also pick up SMB and WinRM noise.
Answer: 2023-10-14 22:49:20
Question 2
What was the source IP address of this specific RDP connection?
Look at the source address in the same 4624 entry. It falls inside the internal VPN range of Virus Vipers, 10.0.3.0/24.
Answer:
10.0.3.2
2️⃣ Patient Zero
Question 1
What was the patient zero host in this incident?
Find processes that spawned mstsc.exe, which indicates an RDP client session being started, by searching event code 4688 (Process Creation). We investigate the first entry, as it is closest in time to the RDP connection above.
The machine's hostname is VV-PC-02 and the user account is virusvipers\c.mckay. We then look at the other processes spawned on VV-PC-02 by virusvipers\c.mckay:
host.name : "VV-PC-02" and event.code : 4688 and winlog.event_data.SubjectUserName : "c.mckay"
We see several processes running known offensive tooling, such as pingcastle.exe, WinShareEnum.exe and CopyCatv2.vbs, and they are only seen on VV-PC-02. There is also a runas command starting a new session as sp-admin.
Selecting the winlog.event_data.CommandLine column, we spot two suspicious files, SecureLauncher.bat and SecureDocs.ps1. We search for instances of these files across all hosts. Extending the timeframe back to October 10th, the first sign of infection appears on October 13.
Navigating to that period, we see that the host is VV-PC-01.
Answer:
VV-PC-01
Question 2
What was the patient zero account in this incident?
Select winlog.event_data.SubjectUserName and see that the user who ran the scripts was w.stanley.
Answer:
virusvipers\w.stanley
3️⃣ Delivering the payload
Question 1
What IP was the patient zero account using when they were visiting the Exchange OWA portal?
🕵🏼: On a Windows machine, where are logs for Exchange being stored when a user visits the site?
🤖: … log files are stored in C:\Program Files\Microsoft\Exchange Server\V15\Logging …
The Exchange HTTP proxy logs for OWA are stored under C:\Program Files\Microsoft\Exchange Server\V15\Logging\HttpProxy\Owa. We open the log files collected from VV-EX-01 and use bstrings to search for stanley across all of them:
bstrings.exe -d <path to OWA logs> --ls stanley -o results.txt
Looking at a sample output of 1 row (the CSV column header followed by the matching row; both are truncated here):
DateTime,RequestId,MajorVersion,MinorVersion,BuildVersion,RevisionVersion,ClientRequestId,Protocol,UrlHost,UrlStem,ProtocolAction,AuthenticationType,IsAuthenticated,AuthenticatedUser,Organization,AnchorMailbox,UserAgent,ClientIpAddress,ServerHostName,HttpStatus,BackEndStatus,ErrorCode,Method,ProxyAction,TargetServer,TargetServerVersion,RoutingType,RoutingHint,BackEndCookie,ServerLocatorHost,ServerLocatorLatency,RequestBytes,ResponseBytes,TargetOutstandingRequests,AuthModulePerfContext,HttpPipelineLatency,CalculateTargetBackEndLatency,GlsLatencyBreakup,TotalGlsLatency,AccountForestLatencyBreakup,TotalAccountForestLatency,ResourceForestLatencyBreakup,TotalResourceForestLatency,ADLatency,SharedCacheLatencyBreakup,TotalSharedCacheLatency,ActivityContextLifeTime,ModuleToHandlerSwitchingLatency,ClientReqStreamLatency,BackendReqInitLatency,Backe
2023-10-09T05:59:13.534Z,24103fd0-d699-413f-8d1a-90b6a8b9b72b,15,2,1258,12,,Owa,vv-ex-01.virusvipers.local,/owa/prem/15.2.1258.12/resources/images/0/bg_gradient_login.png,,FBA,true,virusvipers\w.stanley,,Sid~S-1-5-21-1715215520-1575623317-906580763-1104,Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60,10.1.0.6,VV-EX-01,200,200,,GET,Proxy,vv-ex-01.virusvipers.local,15.02.1258.000,IntraForest,WindowsIdentity,Database~6ca337cd-281d-4dea-8f19-37e440d92c41~~2023-11-
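The header and row above can also be lined up without an LLM. The following is an added example, not code from the original writeup: a small parser for the Exchange HttpProxy CSV layout that pulls the ClientIpAddress and UserAgent values for one user and summarises first/last seen. The log text inside it is constructed for the example (trimmed column list, made-up request IDs and a second user), but follows the real layout: '#'-prefixed header lines, a '#Fields:' line naming the columns, then one row per request.

```python
# Added example (not from the original writeup): summarise one user's OWA
# activity from Exchange HttpProxy logs. SAMPLE_LOG is constructed; only the
# '#Fields:' names are relied on, so the full column list from the real log
# works unchanged.
import csv
from collections import Counter

SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Version: 15.02.1258.012
#Log-type: HttpProxy Logs
#Date: 2023-10-09T05:00:00.000Z
#Fields: DateTime,RequestId,Protocol,UrlHost,UrlStem,AuthenticationType,IsAuthenticated,AuthenticatedUser,UserAgent,ClientIpAddress,ServerHostName,HttpStatus
2023-10-09T05:59:13.534Z,24103fd0-d699-413f-8d1a-90b6a8b9b72b,Owa,vv-ex-01.virusvipers.local,/owa/auth/logon.aspx,FBA,true,virusvipers\\w.stanley,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0.0.0 Edg/117.0.2045.60,10.1.0.6,VV-EX-01,200
2023-10-09T06:01:02.001Z,c0ffee00-0000-4000-8000-000000000001,Owa,vv-ex-01.virusvipers.local,/owa/,FBA,true,virusvipers\\j.doe,Mozilla/5.0 (X11; Linux x86_64) Firefox/118.0,10.1.0.9,VV-EX-01,200
2023-10-09T06:05:40.120Z,c0ffee00-0000-4000-8000-000000000002,Owa,vv-ex-01.virusvipers.local,/owa/,FBA,true,virusvipers\\w.stanley,Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/117.0.0.0 Edg/117.0.2045.60,10.1.0.6,VV-EX-01,200
2023-10-09T06:07:15.300Z,c0ffee00-0000-4000-8000-000000000003,Owa,vv-ex-01.virusvipers.local,/owa/auth/logon.aspx,FBA,false,,curl/8.4.0,203.0.113.7,VV-EX-01,401
"""


def parse_httpproxy(text):
    """Yield one dict per request row, keyed by the names on the '#Fields:' line."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
            continue
        if fields is None:
            raise ValueError("data row seen before the #Fields: header")
        row = next(csv.reader([line]))
        row += [""] * (len(fields) - len(row))  # the log writer sometimes truncates rows
        yield dict(zip(fields, row))


def user_activity(text, user_fragment):
    """Summarise authenticated requests whose AuthenticatedUser contains user_fragment.

    Unauthenticated rows (IsAuthenticated=false) are skipped: their user column is
    empty and their client IP is whoever hit the logon page, not the victim.
    """
    frag = user_fragment.lower()
    hits = [r for r in parse_httpproxy(text)
            if r["IsAuthenticated"].lower() == "true"
            and frag in r["AuthenticatedUser"].lower()]
    if not hits:
        return None
    return {
        "user": hits[0]["AuthenticatedUser"],
        "requests": len(hits),
        "first_seen": min(r["DateTime"] for r in hits),   # ISO-8601 sorts lexically
        "last_seen": max(r["DateTime"] for r in hits),
        "client_ips": dict(Counter(r["ClientIpAddress"] for r in hits).most_common()),
        "user_agents": dict(Counter(r["UserAgent"] for r in hits).most_common()),
    }


if __name__ == "__main__":
    for key, value in user_activity(SAMPLE_LOG, "stanley").items():
        print(f"{key}: {value}")
```

Point it at the concatenated bstrings output or at the raw .LOG files in the HttpProxy\Owa folder; more than one client IP or user agent for the same account in a short window is the thing to look for.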
With the help of an LLM, we paste the two text blocks above into a prompt and ask it to match the ClientIpAddress and UserAgent columns to their values in the row.
Answer:
10.1.0.6
Question 2
What user agent was the patient zero account using when they were visiting the Exchange OWA?
Also from the data above (the UserAgent column).
Answer:
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60
Question 3
What is the email address of the threat actor?
The mailbox database is at C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database 0132633920\...edb. Use the tool Stellar Repair for Exchange to load the .edb file and open stanley's inbox.
We see 2 emails sent by Brick Top to stanley containing links to download ZIP files, ImportantDocuments.zip and ImportantDocumentsV2.zip, both with the password VirusSystems.
Answer:
bricktop@securitydocs.awsapps.com
Question 4
What threat name did Windows Defender classify the item that the patient zero account first downloaded?
Bounce back to ELK and search the event logs for "Defender" and "ImportantDocuments.zip".
Answer:
Trojan:Script/Wacatac.B!ml
Question 5
What date was the domain registered which hosted the initial payloads?
Look up the domain from the download links using whois.
Answer:
2023-10-06
Question 6
What was the password of the second zip file?
The answer is in the email above.
Answer:
VirusSystems
4️⃣ Infection Time
Question 1
What is the name of the batch script that the victim ran to initiate the infection?
If we read the email, it tells the user to copy both files into C:\Users\Public and to launch SecureLauncher.bat. We can find the files in the triage image at C:\Labs\Evidence\VirusVipers\TriageImages\2023-10-16T054504_Evidence-VV-PC-01\C\Users\Public.
Answer:
SecureLauncher.bat
Question 2
What is the "key" that is provided to the malicious PowerShell script?
We search in Elastic for process creation events containing the string SecureDocs.ps1. Selecting the CommandLine field, we see the key being passed in.
Answer:
ImportantDocuments
Question 3
What was the malicious domain the PowerShell process attempted to connect to?
Search in Elastic for process creation events of SecureDocs.ps1 on host VV-PC-01. Look for the event executed by w.stanley and take note of the New Process ID: 0x2274 == 8820 (4688 events record PIDs in hex).
This means that executing that PowerShell command with the key created a new PowerShell process with PID 8820.
We now search for DNS queries (Sysmon event ID 22) from PID 8820 and find the name it was resolving.
Answer:
viper.vpn-update.zip
Question 4
What is the PID of the process that first made a connection to the malicious C2 on the patient zero host?
From the DNS query above, the PID is 8820.
Answer: 8820
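The correlation in Questions 3 and 4 (hex PID from the 4688 event, then DNS queries from that PID, then its children) is easy to get wrong by hand because Security 4688 writes PIDs in hex while Sysmon writes them in decimal. The following is an added example, not code from the original writeup, that normalises both and rebuilds the process tree. The events are constructed to mirror the chain on VV-PC-01 (field names follow winlogbeat's winlog.event_data.* layout, with the prefix dropped); the command lines, the explorer/notepad entries and the timestamps are made up for the example.

```python
# Added example (not from the original writeup): process tree from 4688 events
# plus Sysmon event ID 22 DNS queries keyed by PID. EVENTS is constructed.
EVENTS = [
    {"host": "VV-PC-01", "time": "2023-10-13T10:02:01Z", "code": 4688,
     "NewProcessId": "0x1a2c", "ProcessId": "0x0f10",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c C:\\Users\\Public\\SecureLauncher.bat"},
    {"host": "VV-PC-01", "time": "2023-10-13T10:02:03Z", "code": 4688,
     "NewProcessId": "0x2274", "ProcessId": "0x1a2c",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -ep bypass -File C:\\Users\\Public\\SecureDocs.ps1 ImportantDocuments"},
    {"host": "VV-PC-01", "time": "2023-10-13T10:02:09Z", "code": 22,      # Sysmon: decimal PID
     "ProcessId": "8820", "QueryName": "viper.vpn-update.zip"},
    {"host": "VV-PC-01", "time": "2023-10-13T10:02:10Z", "code": 4688,
     "NewProcessId": "0x12a8", "ProcessId": "0x2274",
     "NewProcessName": "C:\\Windows\\System32\\rundll32.exe",
     "CommandLine": "rundll32.exe"},
    {"host": "VV-PC-01", "time": "2023-10-13T10:05:00Z", "code": 4688,
     "NewProcessId": "0x0b30", "ProcessId": "0x0f10",
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe"},
]


def pid_of(value):
    """Normalise a PID field: 4688 writes hex ('0x2274'), Sysmon writes decimal ('8820')."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def build_tree(events, host):
    """Return (procs, children): procs maps pid -> record, children maps ppid -> [pids]."""
    procs, children = {}, {}
    for e in sorted(events, key=lambda e: e["time"]):
        if e["host"] != host or e["code"] != 4688:
            continue
        pid, ppid = pid_of(e["NewProcessId"]), pid_of(e["ProcessId"])
        procs[pid] = {"ppid": ppid, "image": e["NewProcessName"],
                      "cmd": e["CommandLine"], "time": e["time"]}
        children.setdefault(ppid, []).append(pid)
    return procs, children


def find_by_cmd(procs, needle):
    """PIDs whose command line contains needle (case-insensitive), in creation order."""
    return [p for p, r in procs.items() if needle.lower() in r["cmd"].lower()]


def descendants(children, pid):
    """Every PID under pid, depth-first, excluding pid itself."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop(0)
        out.append(p)
        stack = children.get(p, []) + stack
    return out


def ancestry(procs, pid):
    """Chain of PIDs from the outermost logged ancestor down to pid."""
    chain = [pid]
    while chain[0] in procs and procs[chain[0]]["ppid"] in procs:
        chain.insert(0, procs[chain[0]]["ppid"])
    return chain


def first_dns_query(events, host, pids):
    """Earliest Sysmon 22 query issued by any PID in pids, as (name, pid), or None."""
    hits = sorted((e for e in events if e["host"] == host and e["code"] == 22
                   and pid_of(e["ProcessId"]) in pids), key=lambda e: e["time"])
    return (hits[0]["QueryName"], pid_of(hits[0]["ProcessId"])) if hits else None


if __name__ == "__main__":
    procs, children = build_tree(EVENTS, "VV-PC-01")
    for ps in find_by_cmd(procs, "SecureDocs.ps1"):
        family = {ps, *descendants(children, ps)}
        print("chain:", " -> ".join(map(str, ancestry(procs, ps))))
        print("children of", ps, ":", [(c, procs[c]["image"]) for c in descendants(children, ps)])
        print("first DNS query from that family:", first_dns_query(EVENTS, "VV-PC-01", family))
```

Feeding it the family of PIDs (the script's own PID plus descendants) rather than a single PID matters: if the dropper had resolved the C2 from a child instead of from the PowerShell process, a query on 8820 alone would miss it.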
Question 5
What was the original file name of the encrypted payload embedded in the .ps1 script?
We make a copy of SecureDocs.ps1 and modify it to write out the decoded payload instead of executing it. The first few bytes in decimal are 77 90 144. 77 and 90 are "M" and "Z" in ASCII, the DOS header magic, so this is most likely a portable executable.
We rename output.txt to output.exe and open it with PEStudio, which shows the original file name.
Answer:
Docs.exe
Question 6
Identify the key (in UTF8) in the .NET binary that is used to decrypt the payload from the previous question
PEStudio identifies it as a .NET binary, so we can use dnSpy to decompile it and read the source. We see a function called XOR_Decrypt with the key US5A3G5FQVV8.
Answer:
US5A3G5FQVV8
Question 7
What is the full path of the process the initial payload spawned and then injected itself into?
In ELK, search for processes spawned by SecureDocs.ps1. Using the PID found earlier, 8820, find its child processes.
Answer:
C:\Windows\System32\rundll32.exe
Alternative: since CreateThread was called in the .NET binary, we can search for CreateRemoteThread calls (Sysmon event ID 8) originating from powershell.exe.
Question 8
What was the PID for this new process?
Information from above.
Answer: 4776
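The two unwrapping steps in Questions 5 and 6 can be scripted rather than done by editing the dropper and clicking through dnSpy. The following is an added example, not code from the original writeup or from the malware: it decodes a decimal byte list of the kind a PowerShell dropper embeds, undoes a repeating-key XOR with the recovered key, and checks the result for an MZ/PE header before trusting it. The key is the one found above; the encrypted blob is constructed (a minimal MZ/PE header XORed with that key) so the example runs offline, and repeating-key XOR is an assumption about the real XOR_Decrypt routine, whose exact key schedule the writeup does not show.

```python
# Added example (not from the original writeup): decimal list -> bytes,
# repeating-key XOR, and an MZ/PE sanity check. ENCRYPTED_BLOB is constructed.
import re
import struct

KEY = b"US5A3G5FQVV8"   # key recovered from the .NET binary above


def decimal_bytes(text):
    """Turn '77,90,144,...' (as printed from a modified dropper) into bytes."""
    return bytes(int(n) for n in re.findall(r"\d+", text))


def xor_decrypt(data, key):
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    """True if data has the DOS 'MZ' magic and e_lfanew points at the PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe():
    """Constructed stand-in for the real payload: 64-byte DOS header, e_lfanew=0x40, PE signature."""
    dos = b"MZ" + b"\x90" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\x00\x00" + b"\x00" * 20


# What the embedded blob would look like inside the binary (constructed).
ENCRYPTED_BLOB = xor_decrypt(build_fake_pe(), KEY)
ENCRYPTED_AS_DECIMAL = ",".join(str(b) for b in ENCRYPTED_BLOB)


def unwrap(decimal_text, key):
    """Decode the decimal list, XOR with key, return (plaintext, is_pe)."""
    plaintext = xor_decrypt(decimal_bytes(decimal_text), key)
    return plaintext, looks_like_pe(plaintext)


if __name__ == "__main__":
    pt, ok = unwrap(ENCRYPTED_AS_DECIMAL, KEY)
    print("first bytes (decimal):", list(pt[:3]), "looks like PE:", ok)
    _, bad = unwrap(ENCRYPTED_AS_DECIMAL, b"wrongkey")
    print("with the wrong key, looks like PE:", bad)
```

The PE check is the useful part: XOR with any key produces output, so "it decrypted" tells you nothing on its own; checking for MZ at offset 0 and "PE\0\0" at e_lfanew is the cheap test that the key was right before handing the bytes to PEStudio or dnSpy.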
5️⃣ Attacking VirusVipers
Question 1
What was the first local admin account the threat actor gained access to?
🕵🏼: Using RegRipper, how do I get all members in the Administrator group?
🤖: … you need to parse the SAM hive …
We run RegRipper on C:\Labs\Evidence\VirusVipers\TriageImages\2023-10-16T054504_Evidence-VV-PC-01\C\Windows\System32\config\SAM. Analyzing the output in report.txt, we find the members of the Administrators group listed as SIDs.
Reference the profile information in C:\Labs\Evidence\VirusVipers\ProcessedEvidence\VV-PC-01\Registry\20240329030758 to get the SID to username mapping, and we see that w.stanley is an Administrator.
Answer:
virusvipers\w.stanley
Question 2
What file did the threat actor open and view to understand the network?
Since we know that w.stanley was compromised, we search for files recently accessed by that account around the same period. Go to C:\Labs\Evidence\VirusVipers\ProcessedEvidence\VV-PC-01\Registry\20240329030758 and open the RecentDocs output for w.stanley. Sorting by Extension Last Opened, we see two files opened on 2023-10-13: ImportantDocumentsV2.zip and SPNetworkDiagram.png.
Answer:
SPNetworkDiagram.png
Question 3
The threat actor dumped several registry hives. What name did they export the SAM hive as?
Registry dumping is done via reg.exe. We search for the command reg save to find all instances of registry hive exports.
Answer:
samantha.txt
We start investigating what PID 4776 does. Filtering away network connections and DNS queries, we don't find anything interesting.
Question 4
What is the full path of the tool used to create vv.dmp?
Find the child processes spawned by PID 4776. We see 4 processes being spawned, and following their descendants gives this tree:
8820 -> 4776 -> 1912 -> 8928 -> [5312, 3344, 5272]
8820 -> 4776 -> 2492
8820 -> 4776 -> 4868 -> 4712 -> [8420, 10312, 6348, 7684, 6620]
8820 -> 4776 -> 6048 -> 168
We investigate the activities of each of these PIDs.
PID 1912 spawns cmd.exe with PID 8928. PID 8928 executes cmd.exe again, and also executes disksnapshot.exe and wuauclt.exe. Tracing the child processes of PID 8928, we see that it executes procdump.exe to dump lsass.exe.
Answer:
C:\Users\Public\procdump.exe
Question 5
What was the UNC path the threat actor staged "SecureLauncher.bat" on after they had initially gained access to the VirusVipers network?
Find all instances of execution of SecureLauncher.bat. We see execution happening from R:\ and from \\VV-DC-01. We can also see the mapping of the R: drive to vv-dc-01 in w.stanley's recent files.
Answer:
\\VV-DC-01\clients\Temp\SecureLauncher.bat
Question 6
What was the name of the tool the threat actor downloaded via Chrome on the patient zero host to understand details about Active Directory?
🕵🏼: What Sysmon event codes are generated when a file is downloaded via a browser?
🤖: … 1 (Process Creation), 11 (File Creation), 15 (File stream creation), 3 (Network connection) and 22 (DNS query) …
Search for File Stream Created events (event code 15). Event code 15 exists in both Microsoft-Windows-Sysmon and SecurityCenter, so we filter to the Microsoft-Windows-Sysmon provider and exclude SecurityCenter. Viewing all downloaded files, we see ADExplorer.exe being downloaded by msedge.exe (not Chrome as the question says; see Errors below).
Answer:
ADExplorer.exe
6️⃣ Attacking SyntheticPartners
Question 1
What was the path the threat actor set as an exclusion to AV on the patient zero host?
🕵🏼: What logs will be generated when I exclude a file from Microsoft Defender?
🤖: … Event ID 5007 - "Configuration has changed" ... Registry key "HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths" would have been modified …
When a path is excluded from the AV, the registry key HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths is modified. Search ELK for event code 5007 (Microsoft Defender Antivirus configuration change) together with the string HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. We see the folder C:\Users\Public added as an exclusion path.
Answer:
C:\Users\Public
Question 2
What service did the threat actor disable to impair a defender's visibility once they were in the SyntheticPartners network?
Search for Event ID 7040 on the SyntheticPartners machines SP-DC-01 and SP-PC-01. Event ID 7040 logs changes to a service's start type.
We see that the service winlogbeat was disabled on SP-PC-01. winlogbeat is the agent that ships Windows event logs to ELK, so disabling it cuts off telemetry from that host from that point on.
Answer:
winlogbeat
Question 3
What is the password for the sp-admin account?
Search for the command runas, which is used to run a process as another account. We see runas being called to run as sp-admin on October 14 15:56:38 on VV-PC-02 by virusvipers\c.mckay.
Windows does not log the password typed into runas, so it would not be found in PowerShell transcripts or console history. Since we have the SAM and SYSTEM hives, we could dump the hash and crack it, but we find the password in cleartext instead.
Tracing the activity of the new session spawned by runas (PID 9468), it spawns a new process with PID 7856. PID 7856 then spawns PowerShell with PID 2536 and also calls cscript CopyCats.vbs. Tracing PID 2536, we see that it calls CopyCatv2.vbs. Looking at that file on VV-PC-02, the password of sp-admin is in cleartext.
Answer:
Hunter2!
7️⃣ Supply Chain Attack
Question 1
What VPN agent do the users at VirusVipers use to access the SyntheticPartners network?
It's in the network diagram (SPNetworkDiagram.png).
Answer:
OpenVPN
Question 2
What host in VirusVipers did the threat actor use to access the SyntheticPartners network?
Looking at CopyCatv2.vbs, it maps \\sp-dc-01.internal.cloudapp.net\c$ to network drive Q:. This was done on VV-PC-02.
Answer:
VV-PC-02
Checking OpenVPNConnect.exe spawning
To connect to SyntheticPartners, a VPN connection needs to be established. Searching for instances of OpenVPNConnect.exe running, we see that the only host that ran it was VV-PC-02.
Checking network connections between subnets
We search for Sysmon event ID 3 (network connection) events. Then we filter for destination hosts belonging to SP... and source hosts belonging to VV... to find connections between the two networks. The only source host is VV-PC-02.
Question 3
What was the local IP address assigned to this host by the VPN adapter? This was the same IP as the source for the connections made from VirusVipers to SyntheticPartners.
Check the first connection between the subnets to get the source IP address.
Answer:
10.0.3.2
Question 4
When did the threat actor make their first VPN connection to the SyntheticPartners network?
🕵🏼: What logs do I look out for when a machine first connects to a VPN network?
🤖: … OpenVPN → Logs typically written to `.log` files, not Winlog directly …
Since the user who was connecting was virusvipers\c.mckay, we search that user's profile folders for OpenVPN log files. Filter to October 14 and look for a successful connection event.
Answer:
2023-10-14 14:01:55
Question 5
How long did the first malicious VPN session last in seconds?
From the same log, it was disconnected at 2023-10-14 14:13:20, so the session lasted 11 minutes 25 seconds, or 685 seconds.
Answer: 685 seconds
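Pairing connects with disconnects by eye works for one session but not for a day of reconnects. The following is an added example, not code from the original writeup: it walks OpenVPN client log lines, pairs each completed connection with the next disconnect, and reports the duration of each session, as done by hand in Questions 4 and 5. The log lines are constructed; the "YYYY-MM-DD HH:MM:SS" prefix is an assumption (OpenVPN builds differ in how they stamp lines), while "Initialization Sequence Completed" and "SIGTERM[...] received, process exiting" are the real OpenVPN core messages for a completed connection and a client-initiated exit.

```python
# Added example (not from the original writeup): VPN session durations from
# OpenVPN log lines. SAMPLE_LOG is constructed; the line prefix format is assumed.
from datetime import datetime

SAMPLE_LOG = """\
2023-10-14 14:01:40 TCP/UDP: Preserving recently used remote address: [AF_INET]203.0.113.10:1194
2023-10-14 14:01:41 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2023-10-14 14:01:55 Initialization Sequence Completed
2023-10-14 14:13:20 SIGTERM[hard,] received, process exiting
2023-10-14 14:20:02 UDPv4 link remote: [AF_INET]203.0.113.10:1194
2023-10-14 14:20:31 Initialization Sequence Completed
2023-10-14 16:02:05 SIGTERM[hard,] received, process exiting
2023-10-14 18:30:11 Initialization Sequence Completed
"""

CONNECTED = "Initialization Sequence Completed"
DISCONNECTED = "received, process exiting"
STAMP = "%Y-%m-%d %H:%M:%S"


def sessions(text):
    """Pair each completed connection with the next disconnect.

    Returns a list of dicts with 'start', 'end' and 'seconds'; 'end' and
    'seconds' are None for a session still open when the log ends, or for a
    session that was followed by a new connect without a logged exit.
    """
    out, current = [], None
    for raw in text.splitlines():
        if len(raw) < 20:
            continue
        try:
            ts = datetime.strptime(raw[:19], STAMP)
        except ValueError:          # not a timestamped line
            continue
        msg = raw[20:]
        if CONNECTED in msg:
            if current is not None:  # reconnect with no exit logged: close the old one as unknown
                out.append(current)
            current = {"start": ts, "end": None, "seconds": None}
        elif DISCONNECTED in msg and current is not None:
            current["end"] = ts
            current["seconds"] = int((ts - current["start"]).total_seconds())
            out.append(current)
            current = None
    if current is not None:
        out.append(current)
    return out


def first_session_on(text, day):
    """First session whose start falls on day ('YYYY-MM-DD'), or None."""
    for s in sessions(text):
        if s["start"].strftime("%Y-%m-%d") == day:
            return s
    return None


if __name__ == "__main__":
    for s in sessions(SAMPLE_LOG):
        print(s["start"].strftime(STAMP), "->",
              s["end"].strftime(STAMP) if s["end"] else "(still connected)",
              s["seconds"])
```

The session that is still open at the end of the log is the one worth attention in a live response: it is the tunnel the actor still has.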
Question 6
What was the method the threat actor accessed the SyntheticPartners network during a VPN connection?
Referring to the network connection events from Question 3 (the screenshot is not reproduced here).
Answer:
RDP
Question 7
What was the first host in the SyntheticPartners network the threat actor accessed?
Referring to the same network connection events from Question 3.
Answer:
SP-DC-01
Question 8
What is the SID of the user the threat actor first uses to access the SyntheticPartners Network?
Correlating the time, October 14 14:21:15, we find logon events with logon type 10 (RDP). The account that logged in was sp-admin.
We extract the ProcessedEvidence of SP-DC-01 and look at ProfileList to get the SID of sp-admin. The RID of 500 shows that sp-admin is the renamed built-in Administrator account.
Answer:
S-1-5-21-2525899764-3259092811-2554837162-500
8️⃣ Exploring the New Network
Question 1
What is the SHA1 of "importantdocuments.exe" that was used by the threat actor once they gained access to the SyntheticPartners network?
Investigating the triage image of SP-DC-01, we find importantdocuments.exe in C:\Users\Public\Temp. Using PowerShell, Get-FileHash -Algorithm SHA1 on the file gives the hash (Get-FileHash defaults to SHA256).
Answer:
5438E5BAFB8390FA1A7942504D6F884C3B86F15E
Amcache also stores SHA1 hashes. Investigating the processed image of SP-DC-01, we look at UnassociatedFileEntries and, in Full Path, look for importantdocuments.exe; from there we get the SHA1.
Question 2
What is the Product Name for the tool WinPost.exe the threat actor ran?
WinPost.exe appears in one of the PowerShell transcripts for sp-admin. Looking at the strings, the binary actually belongs to SharpEDRChecker. Check AssemblyInfo.cs to get the product name.
Answer:
EDRChecker
Question 3
It looks like the threat actor deleted some very strangely named files in C:\Users\Public\Temp on SP-DC-01. What tool was used to generate these files?
Looking at the Recycle Bin folder on SP-DC-01, we see some ZIP files with gibberish names. Correlating the SID subfolder, these files were deleted by sp-admin. Looking at the PowerShell transcript of sp-admin, we see SharpHound being executed with the flag to randomize output file names.
Answer:
SharpHound
Question 4
Who is the CEO of SyntheticPartners? The threat actor was able to identify this from within the network.
Exploring the files in C:\Share.
Answer: Dr Doom
Question 5
What are the coordinates of SyntheticPartners' Top Secret Robot Assembly Facility?
Also in the same folder.
Answer: -74.7144, -164.7219
9️⃣ Timestomping
Question 1
What was the filename of the tool or script the threat actor used to timestomp files?
Looking at the PowerShell transcripts of sp-admin, there is activity related to changing timestamps when Invoke-Stompy was called. In the same transcript, we see the module Stompy.ps1 being loaded.
Answer:
Stompy.ps1
Question 2
What is the timestamp the threat actor stomped the files in the Recycle Bin to on SP-DC-01?
In the transcript from Question 1, they were all changed to 01/01/2023 02:00:00.
Answer:
2023-01-01 02:00:00
Question 3
How many files had their timestamps modified on SP-DC-01 that are still on disk?
Stompy was also used to modify user files. Checking their existence under C:\Share\ in the triage image, there are 11 files there plus 5 in the Recycle Bin.
This method is wrong, because not all files on disk are physically copied into the TriageImages folder. Instead we need to use MFTExplorer or MFTECmd to open the C:\$MFT of the triaged image:
C:\Labs\Tools\EricZimmerman\MFTECmd>MFTECmd.exe -f "C:\Labs\Evidence\VirusVipers\TriageImages\2023-10-16T070342_Evidence-SP-DC-01\C\$MFT" --csv "c:\temp\csv"
Then open the CSV file in Timeline Explorer and set the filters:
- Last Modified to the time-stomped date of 2023-01-01
- Parent Path to filter away entries under Collection
- Is Ads to filter away alternate data stream entries
Tools that set timestamps through the normal file API only change the $STANDARD_INFORMATION times; the $FILE_NAME times in the MFT are left alone, which is why MFTECmd's SI<FN column is a useful cross-check on the same CSV.
Answer: 163
🔟 Exfiltration
Question 1 (Hint used)
What was the file name the threat actor moved from SyntheticPartners back to the VirusVipers network?
Looking at CopyCatv2.vbs, it mounts \\sp-dc-01.internal.cloudapp.net\c$ and copies a file over. Looking at the PowerShell transcript of c.mckay, we can also see the file being copied from the remote drive to VV-PC-02. The $R prefix shows it was taken straight out of the Recycle Bin ($R files hold the deleted content, the matching $I files hold the original path and deletion time).
Answer:
$R4FR549.zip
Question 2
How many files did the threat actor exfiltrate? If the threat actor moved and exfiltrated a zip file, how many files are within the archive?
The exfiltrated file is renamed to SP.zip at C:\Users\Public\Temp\SP.zip. On the triage image, however, it still has its original filename.
Extract the zip and count the files inside.
Answer: 11
Question 3 (Hint used)
For the host VV-PC-02, how many bytes did Windows record rundll32.exe sending on 14 Oct 2023?
The SRUM database (C:\Windows\System32\sru\SRUDB.dat) records per-application network usage; parse it and sum the bytes sent by rundll32.exe on that day.
Answer: 9626549
Completion
Learning Points
- Event codes can overlap between different log sources. Filter for the correct log source!
- Not every file opened by the user is logged in ELK; you have to go through the forensic evidence, either the registry dumps using RegRipper or the triaged images.
- Triaged images do not contain all of the files on disk. Use MFTExplorer or MFTECmd to open the C:\$MFT file and find the rest.
- The SRUM database contains network transfer information.
Errors
- Unfinished hints
- It was actually msedge.exe (which is based off Chromium I guess, but being pedantic).
- It was actually on SP-PC-01, not SP-DC-01.