Szechuan Sauce - Case Investigation
What’s the Operating System version of the Server? (two words)
# SOFTWARE registry (DC)
2012 R2
What’s the Operating System of the Desktop? (four words separated by spaces)
# SOFTWARE registry (DESKTOP)
Windows 10 Enterprise Evaluation
What was the IP address assigned to the domain controller?
# \SYSTEM: ControlSet001\Services\Tcpip\Parameters\Interfaces\
10.42.85.10
What was the timezone of the Server?
UTC-8
What was the initial entry vector (how did they get in)? Provide the protocol name.
# Most remote intrusions of this kind come in over an exposed service such as RDP, SSH, SMB or FTP, so check those first.
# Confirm it in the packet capture with Wireshark or Brim (recommended).
RDP
What was the malicious process used by the malware? (one word)
$ python3 vol.py -f ../citadeldc01.mem windows.info
$ python3 vol.py -f ../citadeldc01.mem windows.pslist.PsList
Volatility 3 Framework 1.0.1
Progress: 100.00 PDB scanning finished
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xe0005f273040 98 - N/A False 2020-09-19 01:22:38.000000 N/A Disabled
204 4 smss.exe 0xe00060354900 2 - N/A False 2020-09-19 01:22:38.000000 N/A Disabled
324 316 csrss.exe 0xe000602c2080 8 - 0 False 2020-09-19 01:22:39.000000 N/A Disabled
404 316 wininit.exe 0xe000602cc900 1 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
412 396 csrss.exe 0xe000602c1900 10 - 1 False 2020-09-19 01:22:40.000000 N/A Disabled
452 404 services.exe 0xe00060c11080 5 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
460 404 lsass.exe 0xe00060c0e080 31 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
492 396 winlogon.exe 0xe00060c2a080 4 - 1 False 2020-09-19 01:22:40.000000 N/A Disabled
640 452 svchost.exe 0xe00060c84900 8 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
684 452 svchost.exe 0xe00060c9a700 6 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
800 452 svchost.exe 0xe00060ca3900 12 - 0 False 2020-09-19 01:22:40.000000 N/A Disabled
808 492 dwm.exe 0xe00060d09680 7 - 1 False 2020-09-19 01:22:40.000000 N/A Disabled
848 452 svchost.exe 0xe00060d1e080 39 - 0 False 2020-09-19 01:22:41.000000 N/A Disabled
928 452 svchost.exe 0xe00060d5d500 16 - 0 False 2020-09-19 01:22:41.000000 N/A Disabled
1000 452 svchost.exe 0xe00060da2080 18 - 0 False 2020-09-19 01:22:41.000000 N/A Disabled
668 452 svchost.exe 0xe00060e09900 16 - 0 False 2020-09-19 01:22:41.000000 N/A Disabled
1292 452 Microsoft.Acti 0xe00060f73900 9 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1332 452 dfsrs.exe 0xe00060fe1900 16 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1368 452 dns.exe 0xe00060ff3080 16 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1392 452 ismserv.exe 0xe00060ff7900 6 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1556 452 VGAuthService. 0xe000614aa200 2 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1600 452 vmtoolsd.exe 0xe00061a30900 9 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1644 452 wlms.exe 0xe00061a9a800 2 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1660 452 dfssvc.exe 0xe00061a9b2c0 11 - 0 False 2020-09-19 01:22:57.000000 N/A Disabled
1956 452 svchost.exe 0xe0006291b7c0 30 - 0 False 2020-09-19 01:23:20.000000 N/A Disabled
796 452 vds.exe 0xe000629b3080 11 - 0 False 2020-09-19 01:23:20.000000 N/A Disabled
1236 452 svchost.exe 0xe000629926c0 8 - 0 False 2020-09-19 01:23:21.000000 N/A Disabled
2056 640 WmiPrvSE.exe 0xe000629de900 11 - 0 False 2020-09-19 01:23:21.000000 N/A Disabled
2216 452 dllhost.exe 0xe00062a26900 10 - 0 False 2020-09-19 01:23:21.000000 N/A Disabled
2460 452 msdtc.exe 0xe00062a2a900 9 - 0 False 2020-09-19 01:23:21.000000 N/A Disabled
3724 452 spoolsv.exe 0xe000631cb900 13 - 0 False 2020-09-19 03:29:40.000000 N/A Disabled
3644 2244 coreupdater.ex 0xe00062fe7700 0 - 2 False 2020-09-19 03:56:37.000000 2020-09-19 03:56:52.000000 Disabled
3796 848 taskhostex.exe 0xe00062f04900 7 - 1 False 2020-09-19 04:36:03.000000 N/A Disabled
3472 3960 explorer.exe 0xe00063171900 39 - 1 False 2020-09-19 04:36:03.000000 N/A Disabled
400 1904 ServerManager. 0xe00060ce2080 10 - 1 False 2020-09-19 04:36:03.000000 N/A Disabled
3260 3472 vm3dservice.ex 0xe00063299280 1 - 1 False 2020-09-19 04:36:14.000000 N/A Disabled
2608 3472 vmtoolsd.exe 0xe00062ede1c0 8 - 1 False 2020-09-19 04:36:14.000000 N/A Disabled
2840 3472 FTK Imager.exe 0xe00063021900 9 - 1 False 2020-09-19 04:37:04.000000 N/A Disabled
3056 848 WMIADAP.exe 0xe0006313f900 5 - 0 False 2020-09-19 04:37:42.000000 N/A Disabled
2764 640 WmiPrvSE.exe 0xe00062c0a900 6 - 0 False 2020-09-19 04:37:42.000000 N/A Disabled
coreupdater
Which process did malware migrate to after the initial compromise? (one word)
$ python3 vol.py -f ../citadeldc01.mem windows.malfind
spoolsv
Identify the IP Address that delivered the payload.
# Open the pcap in Brim, go to the HTTP requests view, and search for /coreupdater.exe in the URI field
194.61.24.102 (Deliver payload)
What IP Address was the malware calling to?
# Search the saved output for coreupdater; the row shows the foreign IP address it connected to.
$ python3 vol.py -f ../citadeldc01.mem windows.netscan | tee output.csv
203.78.103.109 (Calling this ip, which means C&C)
Where did the malware reside on the disk?
$ python3 vol.py -f ../citadeldc01.mem windows.filescan | tee output.csv
C:\Windows\System32\Coreupdater.exe
What's the name of the attack tool you think this malware belongs to? (one word)
# Install Clamav
sudo apt-get update
sudo apt-get install clamav clamav-daemon -y
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam
# The malfind scan shows PAGE_EXECUTE_READWRITE regions in spoolsv.exe (PID 3724), so dump that process and scan the dump
$ python3 vol.py -f ../citadeldc01.mem windows.malfind
$ python3 vol.py -f ../citadeldc01.mem windows.pslist.PsList --pid 3724 --dump
$ clamscan -r ../dump-file
metasploit
One of the involved malicious IP's is based in Thailand. What was the IP?
# Only two malicious IPs are in play: 194.61.24.102 (payload delivery) and 203.78.103.109 (C&C). Check which one falls in a Thai range:
# https://lite.ip2location.com/thailand-ip-address-ranges
203.78.103.109
Another malicious IP once resolved to klient-293.xyz . What is this IP?
# https://www.virustotal.com/gui/home/url
# Alternatively, this IP already appeared in question 8; in Brim, Right Click > VirusTotal lookup on it
194.61.24.102
The attacker performed some lateral movements and accessed another system in the environment via RDP. What is the hostname of that system?
# The hostname is in the name of the desktop image you downloaded (20200918_0417_DESKTOP-SDN1RPT.E01)
DESKTOP-SDN1RPT
Other than the administrator, which user has logged into the Desktop machine? (two words)
# Browse the DESKTOP-SDN1RPT image in AccessData FTK Imager and look at the user profiles under C:\Users
rick sanchez
What was the password for "jerrysmith" account?
# It must be a domain account, because there is no such profile under C:\Users on the desktop
# Domain account hashes are stored in the Active Directory database on the DC:
C:\Windows\NTDS\ntds.dit
# Install impacket
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python setup.py install
# Dumping hashes (copy ntds.dit and SYSTEM registry key to our machine)
$ impacket-secretsdump -ntds '../../ntds.dit' -system '../../SYSTEM' -outputfile hashes LOCAL
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation
[*] Target system bootKey: 0xdfa37c24984935de32e2063e02918c28
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 6e884ac48cd2aa3a8d5f50c64d4bc38a
[*] Reading and decrypting hashes from ../../ntds.dit
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10e63d3f2c9924bae49241cff847e405:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CITADEL-DC01$:1001:aad3b435b51404eeaad3b435b51404ee:33c082748b7d35ec846a513b7be92d94:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:25c9610b742a5bca9aa3801c08b8ca4e:::
C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::
C137.local\summersmith:1105:aad3b435b51404eeaad3b435b51404ee:26b2cc706093c4fa46e0519ec5feaeaf:::
C137.local\ricksanchez:1106:aad3b435b51404eeaad3b435b51404ee:746447f27820a9d863eea94d176cc135:::
C137.local\mortysmith:1108:aad3b435b51404eeaad3b435b51404ee:dc8b282b8f4e1dd3c5f95fd491ff6d8d:::
C137.local\bethsmith:1109:aad3b435b51404eeaad3b435b51404ee:b9cc9177094af2e17b413a0cbf63fac2:::
C137.local\birdman:1118:aad3b435b51404eeaad3b435b51404ee:944055b77ebe7d6fd80f24b5fce634fb:::
DESKTOP-SDN1RPT$:1602:aad3b435b51404eeaad3b435b51404ee:fa6ecdc900cbeeb623cfc92297e5b653:::
[*] Kerberos keys from ../../ntds.dit
CITADEL-DC01$:aes256-cts-hmac-sha1-96:3635b6b22a960673e327ca4c378e162befa74ee56e46b3841b84cabecfc062e8
CITADEL-DC01$:aes128-cts-hmac-sha1-96:9324dad1f82699bf65cdbfd5a4572067
CITADEL-DC01$:des-cbc-md5:94abfd29f1929d19
krbtgt:aes256-cts-hmac-sha1-96:141aca9186cc33caa6ef3db5cf3a53b783bd29e7431a153c89f8b1d4562de7f1
krbtgt:aes128-cts-hmac-sha1-96:d695009f7f7b6eb48a6b1b749493f199
krbtgt:des-cbc-md5:b025018c62ec023b
C137.local\jerrysmith:aes256-cts-hmac-sha1-96:87eb9c5715de1eb078cc6691871672019356976f093348c03b0ca21a75fc0e9f
C137.local\jerrysmith:aes128-cts-hmac-sha1-96:ea468a0f250c15fea4e8f4c74d20c56e
C137.local\jerrysmith:des-cbc-md5:7c40d03464e5e9a8
C137.local\summersmith:aes256-cts-hmac-sha1-96:38060a9e953e8dde6e991db5de72e566c8a652c195b0e88d9c81e26d05ee1ce5
C137.local\summersmith:aes128-cts-hmac-sha1-96:8851e24f50c80026e2e1578a2a3d3802
C137.local\summersmith:des-cbc-md5:3bd09e3b73bfb0f4
C137.local\ricksanchez:aes256-cts-hmac-sha1-96:08bc14d8f69e1ceadd0079303cd1bc434ed61d6a4895f71073662ff24eb8e4dd
C137.local\ricksanchez:aes128-cts-hmac-sha1-96:0c428543d20db44c45cbf6948b4cf5d4
C137.local\ricksanchez:des-cbc-md5:cdf891a75889f107
C137.local\mortysmith:aes256-cts-hmac-sha1-96:ee5442baa6535d2580ac694ac6c0cbe3a65f137ba3ace39a18cba58a160ce73c
C137.local\mortysmith:aes128-cts-hmac-sha1-96:697ece25fd3cffbfa24d82ab9789596c
C137.local\mortysmith:des-cbc-md5:3280f79b131aea4c
C137.local\bethsmith:aes256-cts-hmac-sha1-96:1e98c29b4ba43d21d200bd1802ff5109c0549621931e2f3af0c0809099405b88
C137.local\bethsmith:aes128-cts-hmac-sha1-96:ea3285637fe5bb216bcd5cd0cfbc6663
C137.local\bethsmith:des-cbc-md5:151f891ff4cb6b4f
C137.local\birdman:aes256-cts-hmac-sha1-96:f20039a71fad3a9a0a374c09e55f1d1bed1600c2329fee84aada8a502d903023
C137.local\birdman:aes128-cts-hmac-sha1-96:6507f6ac1b4ec9c23e65d1528ec92ec1
C137.local\birdman:des-cbc-md5:2f4068527aeafb85
DESKTOP-SDN1RPT$:aes256-cts-hmac-sha1-96:424f9a36c72c7bec7a2f7082111ed818c375e8945e6cfc9bc599b6587fb1b3ea
DESKTOP-SDN1RPT$:aes128-cts-hmac-sha1-96:14122a1520d70f1dc6fccbf8aee330b0
DESKTOP-SDN1RPT$:des-cbc-md5:6d20ad583729b03e
$ cat hashes.ntds
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10e63d3f2c9924bae49241cff847e405:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CITADEL-DC01$:1001:aad3b435b51404eeaad3b435b51404ee:33c082748b7d35ec846a513b7be92d94:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:25c9610b742a5bca9aa3801c08b8ca4e:::
C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::
C137.local\summersmith:1105:aad3b435b51404eeaad3b435b51404ee:26b2cc706093c4fa46e0519ec5feaeaf:::
C137.local\ricksanchez:1106:aad3b435b51404eeaad3b435b51404ee:746447f27820a9d863eea94d176cc135:::
C137.local\mortysmith:1108:aad3b435b51404eeaad3b435b51404ee:dc8b282b8f4e1dd3c5f95fd491ff6d8d:::
C137.local\bethsmith:1109:aad3b435b51404eeaad3b435b51404ee:b9cc9177094af2e17b413a0cbf63fac2:::
C137.local\birdman:1118:aad3b435b51404eeaad3b435b51404ee:944055b77ebe7d6fd80f24b5fce634fb:::
DESKTOP-SDN1RPT$:1602:aad3b435b51404eeaad3b435b51404ee:fa6ecdc900cbeeb623cfc92297e5b653:::
# Copy the NT hash for jerrysmith (bc51f858ccacc9db408c0ba511d5d639, from C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::) into hash.txt
$ hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384
bc51f858ccacc9db408c0ba511d5d639:!BETHEYBOO12!
Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: bc51f858ccacc9db408c0ba511d5d639
Time.Started.....: Sun Apr 11 20:30:24 2021 (5 secs)
Time.Estimated...: Sun Apr 11 20:30:29 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 3628.5 kH/s (0.33ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 14344192/14344384 (100.00%)
Rejected.........: 0/14344192 (0.00%)
Restore.Point....: 14340096/14344384 (99.97%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: !caroline -> kristenanne
Started: Sun Apr 11 20:30:20 2021
Stopped: Sun Apr 11 20:30:30 2021
What was the original filename for Beth’s secrets?
# First I tried The Sleuth Kit (TSK), but found nothing
$ mmls 20200918_0347_CDrive.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors
Slot Start End Length Description
000: Meta 0000000000 0000000000 0000000001 Primary Table (#0)
001: ------- 0000000000 0000002047 0000002048 Unallocated
002: 000:000 0000002048 0000718847 0000716800 NTFS / exFAT (0x07)
003: 000:001 0000718848 0023590911 0022872064 NTFS / exFAT (0x07)
004: ------- 0023590912 0023592959 0000002048 Unallocated
$ fls 20200918_0347_CDrive.E01 -o 2048
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-4: $Bitmap
r/r 7-128-1: $Boot
d/d 11-144-4: $Extend
r/r 2-128-1: $LogFile
r/r 0-128-6: $MFT
r/r 1-128-1: $MFTMirr
r/r 9-128-8: $Secure:$SDS
r/r 9-144-11: $Secure:$SDH
r/r 9-144-14: $Secure:$SII
r/r 10-128-1: $UpCase
r/r 10-128-4: $UpCase:$Info
r/r 3-128-3: $Volume
d/d 35-144-5: Boot
r/r 135-128-1: bootmgr
r/r 157-128-1: BOOTNXT
r/r 161-128-3: BOOTSECT.BAK
d/d 164-144-1: Recovery
d/d 162-144-1: System Volume Information
V/V 256: $OrphanFiles