Szechuan Sauce - Case Investigation

What’s the Operating System version of the Server? (two words)

# SOFTWARE registry (DC)
2012 R2

What’s the Operating System of the Desktop? (four words separated by spaces)

# SOFTWARE registry (DESKTOP)
Windows 10 Enterprise Evaluation

What was the IP address assigned to the domain controller?

# \SYSTEM: ControlSet001\Services\Tcpip\Parameters\Interfaces\
10.42.85.10

What was the timezone of the Server?

UTC-8

What was the initial entry vector (how did they get in)?. Provide protocol name.

# We must think one thing, most of the attacks are coming from RDP like ssh, smb, ftp and others.
# The other things is we need to view wireshark and brimsecurity(recommand)
RDP

What was the malicious process used by the malware? (one word)

$ python3 vol.py -f ../citadeldc01.mem windows.info
$ python3 vol.py -f ../citadeldc01.mem windows.pslist.PsList
Volatility 3 Framework 1.0.1
Progress:  100.00        PDB scanning finished                     
PID    PPID    ImageFileName    Offset(V)    Threads    Handles    SessionId    Wow64    CreateTime    ExitTime    File output

4    0    System    0xe0005f273040    98    -    N/A    False    2020-09-19 01:22:38.000000     N/A    Disabled
204    4    smss.exe    0xe00060354900    2    -    N/A    False    2020-09-19 01:22:38.000000     N/A    Disabled
324    316    csrss.exe    0xe000602c2080    8    -    0    False    2020-09-19 01:22:39.000000     N/A    Disabled
404    316    wininit.exe    0xe000602cc900    1    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
412    396    csrss.exe    0xe000602c1900    10    -    1    False    2020-09-19 01:22:40.000000     N/A    Disabled
452    404    services.exe    0xe00060c11080    5    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
460    404    lsass.exe    0xe00060c0e080    31    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
492    396    winlogon.exe    0xe00060c2a080    4    -    1    False    2020-09-19 01:22:40.000000     N/A    Disabled
640    452    svchost.exe    0xe00060c84900    8    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
684    452    svchost.exe    0xe00060c9a700    6    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
800    452    svchost.exe    0xe00060ca3900    12    -    0    False    2020-09-19 01:22:40.000000     N/A    Disabled
808    492    dwm.exe    0xe00060d09680    7    -    1    False    2020-09-19 01:22:40.000000     N/A    Disabled
848    452    svchost.exe    0xe00060d1e080    39    -    0    False    2020-09-19 01:22:41.000000     N/A    Disabled
928    452    svchost.exe    0xe00060d5d500    16    -    0    False    2020-09-19 01:22:41.000000     N/A    Disabled
1000    452    svchost.exe    0xe00060da2080    18    -    0    False    2020-09-19 01:22:41.000000     N/A    Disabled
668    452    svchost.exe    0xe00060e09900    16    -    0    False    2020-09-19 01:22:41.000000     N/A    Disabled
1292    452    Microsoft.Acti    0xe00060f73900    9    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1332    452    dfsrs.exe    0xe00060fe1900    16    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1368    452    dns.exe    0xe00060ff3080    16    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1392    452    ismserv.exe    0xe00060ff7900    6    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1556    452    VGAuthService.    0xe000614aa200    2    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1600    452    vmtoolsd.exe    0xe00061a30900    9    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1644    452    wlms.exe    0xe00061a9a800    2    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1660    452    dfssvc.exe    0xe00061a9b2c0    11    -    0    False    2020-09-19 01:22:57.000000     N/A    Disabled
1956    452    svchost.exe    0xe0006291b7c0    30    -    0    False    2020-09-19 01:23:20.000000     N/A    Disabled
796    452    vds.exe    0xe000629b3080    11    -    0    False    2020-09-19 01:23:20.000000     N/A    Disabled
1236    452    svchost.exe    0xe000629926c0    8    -    0    False    2020-09-19 01:23:21.000000     N/A    Disabled
2056    640    WmiPrvSE.exe    0xe000629de900    11    -    0    False    2020-09-19 01:23:21.000000     N/A    Disabled
2216    452    dllhost.exe    0xe00062a26900    10    -    0    False    2020-09-19 01:23:21.000000     N/A    Disabled
2460    452    msdtc.exe    0xe00062a2a900    9    -    0    False    2020-09-19 01:23:21.000000     N/A    Disabled
3724    452    spoolsv.exe    0xe000631cb900    13    -    0    False    2020-09-19 03:29:40.000000     N/A    Disabled
3644    2244    coreupdater.ex    0xe00062fe7700    0    -    2    False    2020-09-19 03:56:37.000000     2020-09-19 03:56:52.000000     Disabled
3796    848    taskhostex.exe    0xe00062f04900    7    -    1    False    2020-09-19 04:36:03.000000     N/A    Disabled
3472    3960    explorer.exe    0xe00063171900    39    -    1    False    2020-09-19 04:36:03.000000     N/A    Disabled
400    1904    ServerManager.    0xe00060ce2080    10    -    1    False    2020-09-19 04:36:03.000000     N/A    Disabled
3260    3472    vm3dservice.ex    0xe00063299280    1    -    1    False    2020-09-19 04:36:14.000000     N/A    Disabled
2608    3472    vmtoolsd.exe    0xe00062ede1c0    8    -    1    False    2020-09-19 04:36:14.000000     N/A    Disabled
2840    3472    FTK Imager.exe    0xe00063021900    9    -    1    False    2020-09-19 04:37:04.000000     N/A    Disabled
3056    848    WMIADAP.exe    0xe0006313f900    5    -    0    False    2020-09-19 04:37:42.000000     N/A    Disabled
2764    640    WmiPrvSE.exe    0xe00062c0a900    6    -    0    False    2020-09-19 04:37:42.000000     N/A    Disabled
coreupdater

Which process did malware migrate to after the initial compromise? (one word)

$ python3 vol.py -f ../citadeldc01.mem windows.malfind
spoolsv

Identify the IP Address that delivered the payload.

# Open pcap in brimsecurity, go http request tab, find /coreupdater.exe in uri
194.61.24.102 (Deliver payload)

What IP Address was the malware calling to?

# In csv file, find coreupdater. YOu will see the ip address.
python3 vol.py -f ../citadeldc01.mem windows.netscan | tee output.csv
203.78.103.109 (Calling this ip, which means C&C)

Where did the malware reside on the disk?

python3 vol.py -f ../citadeldc01.mem windows.filescan | tee output.csv
C:\Windows\System32\Coreupdater.exe

What's the name of the attack tool you think this malware belongs to? (one word)

# Install Clamav
sudo apt-get update
sudo apt-get install clamav clamav-daemon -y
sudo systemctl stop clamav-freshclam
sudo freshclam
sudo systemctl start clamav-freshclam

# malfind scan show PAGE_EXECUTE_READWRITE=107,57,26 in spoolv.exe
python3 vol.py -f ../citadeldc01.mem windows.malfind
python3 vol.py -f ../citadeldc01.mem windows.pslist.PsList --pid 3724 --dump
clamscan -r ../dump-file
metasploit

One of the involved malicious IP's is based in Thailand. What was the IP?

# You need to think one thing. One is we have two ip 194.61.24.102 (deliver) and 203.78.103.109 (C&C)
# https://lite.ip2location.com/thailand-ip-address-ranges
203.78.103.109

Another malicious IP once resolved to klient-293.xyz . What is this IP?

# https://www.virustotal.com/gui/home/url
# The other way is question numbe8. In this question we already seen this ip. Right Click > VirusTotal lookup
194.61.24.102

The attacker performed some lateral movements and accessed another system in the environment via RDP. What is the hostname of that system?

# You can see downloaded file in your machine:3 (20200918_0417_DESKTOP-SDN1RPT.E01)

Other than the administrator, which user has logged into the Desktop machine? (two words)

# You can see DESKTOP-SDN1RPT user list in access data
rick sanchez

What was the password for "jerrysmith" account?

# It can be domain user Because we can't find any user account in C:\Users
# Domain use are stored in this location
C:\Windows\NTDS\ntds.dit

# Install impacket
git clone https://github.com/SecureAuthCorp/impacket.git
cd impacket
python setup.py install 

# Dumping hashes (copy ntds.dit and SYSTEM registry key to our machine)
$ impacket-secretsdump -ntds '../../ntds.dit' -system '../../SYSTEM' -outputfile hashes LOCAL
Impacket v0.9.23.dev1+20210315.121412.a16198c3 - Copyright 2020 SecureAuth Corporation

[*] Target system bootKey: 0xdfa37c24984935de32e2063e02918c28
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: 6e884ac48cd2aa3a8d5f50c64d4bc38a
[*] Reading and decrypting hashes from ../../ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10e63d3f2c9924bae49241cff847e405:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CITADEL-DC01$:1001:aad3b435b51404eeaad3b435b51404ee:33c082748b7d35ec846a513b7be92d94:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:25c9610b742a5bca9aa3801c08b8ca4e:::
C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::
C137.local\summersmith:1105:aad3b435b51404eeaad3b435b51404ee:26b2cc706093c4fa46e0519ec5feaeaf:::
C137.local\ricksanchez:1106:aad3b435b51404eeaad3b435b51404ee:746447f27820a9d863eea94d176cc135:::
C137.local\mortysmith:1108:aad3b435b51404eeaad3b435b51404ee:dc8b282b8f4e1dd3c5f95fd491ff6d8d:::
C137.local\bethsmith:1109:aad3b435b51404eeaad3b435b51404ee:b9cc9177094af2e17b413a0cbf63fac2:::
C137.local\birdman:1118:aad3b435b51404eeaad3b435b51404ee:944055b77ebe7d6fd80f24b5fce634fb:::
DESKTOP-SDN1RPT$:1602:aad3b435b51404eeaad3b435b51404ee:fa6ecdc900cbeeb623cfc92297e5b653:::
[*] Kerberos keys from ../../ntds.dit 
CITADEL-DC01$:aes256-cts-hmac-sha1-96:3635b6b22a960673e327ca4c378e162befa74ee56e46b3841b84cabecfc062e8
CITADEL-DC01$:aes128-cts-hmac-sha1-96:9324dad1f82699bf65cdbfd5a4572067
CITADEL-DC01$:des-cbc-md5:94abfd29f1929d19
krbtgt:aes256-cts-hmac-sha1-96:141aca9186cc33caa6ef3db5cf3a53b783bd29e7431a153c89f8b1d4562de7f1
krbtgt:aes128-cts-hmac-sha1-96:d695009f7f7b6eb48a6b1b749493f199
krbtgt:des-cbc-md5:b025018c62ec023b
C137.local\jerrysmith:aes256-cts-hmac-sha1-96:87eb9c5715de1eb078cc6691871672019356976f093348c03b0ca21a75fc0e9f
C137.local\jerrysmith:aes128-cts-hmac-sha1-96:ea468a0f250c15fea4e8f4c74d20c56e
C137.local\jerrysmith:des-cbc-md5:7c40d03464e5e9a8
C137.local\summersmith:aes256-cts-hmac-sha1-96:38060a9e953e8dde6e991db5de72e566c8a652c195b0e88d9c81e26d05ee1ce5
C137.local\summersmith:aes128-cts-hmac-sha1-96:8851e24f50c80026e2e1578a2a3d3802
C137.local\summersmith:des-cbc-md5:3bd09e3b73bfb0f4
C137.local\ricksanchez:aes256-cts-hmac-sha1-96:08bc14d8f69e1ceadd0079303cd1bc434ed61d6a4895f71073662ff24eb8e4dd
C137.local\ricksanchez:aes128-cts-hmac-sha1-96:0c428543d20db44c45cbf6948b4cf5d4
C137.local\ricksanchez:des-cbc-md5:cdf891a75889f107
C137.local\mortysmith:aes256-cts-hmac-sha1-96:ee5442baa6535d2580ac694ac6c0cbe3a65f137ba3ace39a18cba58a160ce73c
C137.local\mortysmith:aes128-cts-hmac-sha1-96:697ece25fd3cffbfa24d82ab9789596c
C137.local\mortysmith:des-cbc-md5:3280f79b131aea4c
C137.local\bethsmith:aes256-cts-hmac-sha1-96:1e98c29b4ba43d21d200bd1802ff5109c0549621931e2f3af0c0809099405b88
C137.local\bethsmith:aes128-cts-hmac-sha1-96:ea3285637fe5bb216bcd5cd0cfbc6663
C137.local\bethsmith:des-cbc-md5:151f891ff4cb6b4f
C137.local\birdman:aes256-cts-hmac-sha1-96:f20039a71fad3a9a0a374c09e55f1d1bed1600c2329fee84aada8a502d903023
C137.local\birdman:aes128-cts-hmac-sha1-96:6507f6ac1b4ec9c23e65d1528ec92ec1
C137.local\birdman:des-cbc-md5:2f4068527aeafb85
DESKTOP-SDN1RPT$:aes256-cts-hmac-sha1-96:424f9a36c72c7bec7a2f7082111ed818c375e8945e6cfc9bc599b6587fb1b3ea
DESKTOP-SDN1RPT$:aes128-cts-hmac-sha1-96:14122a1520d70f1dc6fccbf8aee330b0
DESKTOP-SDN1RPT$:des-cbc-md5:6d20ad583729b03e

$ cat hashes.ntds
Administrator:500:aad3b435b51404eeaad3b435b51404ee:10e63d3f2c9924bae49241cff847e405:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
CITADEL-DC01$:1001:aad3b435b51404eeaad3b435b51404ee:33c082748b7d35ec846a513b7be92d94:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:25c9610b742a5bca9aa3801c08b8ca4e:::
C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::
C137.local\summersmith:1105:aad3b435b51404eeaad3b435b51404ee:26b2cc706093c4fa46e0519ec5feaeaf:::
C137.local\ricksanchez:1106:aad3b435b51404eeaad3b435b51404ee:746447f27820a9d863eea94d176cc135:::
C137.local\mortysmith:1108:aad3b435b51404eeaad3b435b51404ee:dc8b282b8f4e1dd3c5f95fd491ff6d8d:::
C137.local\bethsmith:1109:aad3b435b51404eeaad3b435b51404ee:b9cc9177094af2e17b413a0cbf63fac2:::
C137.local\birdman:1118:aad3b435b51404eeaad3b435b51404ee:944055b77ebe7d6fd80f24b5fce634fb:::
DESKTOP-SDN1RPT$:1602:aad3b435b51404eeaad3b435b51404ee:fa6ecdc900cbeeb623cfc92297e5b653:::

# Copy hash to the hashes.txt (C137.local\jerrysmith:1104:aad3b435b51404eeaad3b435b51404ee:bc51f858ccacc9db408c0ba511d5d639:::)
$ hashcat -m 1000 hash.txt /usr/share/wordlists/rockyou.txt --force
Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344384
* Bytes.....: 139921497
* Keyspace..: 14344384

bc51f858ccacc9db408c0ba511d5d639:!BETHEYBOO12!   

Session..........: hashcat
Status...........: Cracked
Hash.Type........: NTLM
Hash.Target......: bc51f858ccacc9db408c0ba511d5d639
Time.Started.....: Sun Apr 11 20:30:24 2021 (5 secs)
Time.Estimated...: Sun Apr 11 20:30:29 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  3628.5 kH/s (0.33ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 14344192/14344384 (100.00%)
Rejected.........: 0/14344192 (0.00%)
Restore.Point....: 14340096/14344384 (99.97%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: !caroline ->  kristenanne

Started: Sun Apr 11 20:30:20 2021
Stopped: Sun Apr 11 20:30:30 2021

What was the original filename for Beth’s secrets?

# Firstly i find with The Sleuth Kit (TSK) but find nothing
$ mmls 20200918_0347_CDrive.E01
DOS Partition Table
Offset Sector: 0
Units are in 512-byte sectors

      Slot      Start        End          Length       Description
000:  Meta      0000000000   0000000000   0000000001   Primary Table (#0)
001:  -------   0000000000   0000002047   0000002048   Unallocated
002:  000:000   0000002048   0000718847   0000716800   NTFS / exFAT (0x07)
003:  000:001   0000718848   0023590911   0022872064   NTFS / exFAT (0x07)
004:  -------   0023590912   0023592959   0000002048   Unallocated

$ fls 20200918_0347_CDrive.E01 -o 2048                                                                                           [20:37:27]
r/r 4-128-4:    $AttrDef
r/r 8-128-2:    $BadClus
r/r 8-128-1:    $BadClus:$Bad
r/r 6-128-4:    $Bitmap
r/r 7-128-1:    $Boot
d/d 11-144-4:    $Extend
r/r 2-128-1:    $LogFile
r/r 0-128-6:    $MFT
r/r 1-128-1:    $MFTMirr
r/r 9-128-8:    $Secure:$SDS
r/r 9-144-11:    $Secure:$SDH
r/r 9-144-14:    $Secure:$SII
r/r 10-128-1:    $UpCase
r/r 10-128-4:    $UpCase:$Info
r/r 3-128-3:    $Volume
d/d 35-144-5:    Boot
r/r 135-128-1:    bootmgr
r/r 157-128-1:    BOOTNXT
r/r 161-128-3:    BOOTSECT.BAK
d/d 164-144-1:    Recovery
d/d 162-144-1:    System Volume Information
V/V 256:    $OrphanFiles

#

PreviousSpotlight - MAC Image Forensics NextNetwork Forensics

Last updated 4 years ago