ticktock

Released: 2023-11-13
Retired: 2023-12-14
Author: blitztide

Scenario

Gladys is a new joiner in the company. She has received an email informing her that the IT department is due to do some work on her PC, and she is guided to call the IT team, who will inform her how to allow them remote access. The IT team, however, are actually a group of hackers attempting to attack Forela.


Task 01

Question: What was the name of the executable that was uploaded as a C2 Agent?

Part of the collected data are the TeamViewer logs, which, because TeamViewer was installed per user rather than as an administrator, are not in the default location but in /C/Users/gladys/AppData/Local/TeamViewer/Logs. These logs also record the attacker downloading an executable onto the compromised system.

2023/05/04 11:21:30.996  4428  6012 G3   Write file C:\Users\gladys\Desktop\merlin.exe
2023/05/04 11:21:34.398  4428  6012 G3   Download from "merlin.exe" to "C:\Users\gladys\Desktop\merlin.exe" (10.95 MB)
2023/05/04 11:21:34.537  4428  3252 G3   TaskbarProgress::ProgressWorkerFunc: Worker end.

Answer: merlin.exe


Task 02

Question: What was the session id for in the initial access?

The TeamViewer logs already used in Task 01 can be used to determine the first access and its session ID.

2023/05/04 11:35:27.433  5716  5840 D3   SessionManagerDesktop::IncomingConnection: Connection incoming, sessionID = -2102926010
2023/05/04 11:35:27.433  5716  5840 D3   CParticipantManagerBase::SetMyParticipantIdentifier(): pid=[1764218403,-2102926010]
2023/05/04 11:35:27.434  5716  5840 D3!! InterProcessBase::ProcessControlCommand Command 39 not handled
2023/05/04 11:35:27.434  5716  5840 D3   IpcRouterClock: received router time: 20230504T103558.360315
2023/05/04 11:35:27.435  5716  4292 D3   CLogin::run(), session id: -2102926010

Answer: -2102926010


Task 03

Question: The attacker attempted to set a bitlocker password on the C: drive what was the password?

Sysmon is installed on the system under investigation. This service monitors system activity and writes it to the event log. To get a rough overview of the events in the evtx files and any anomalies, hayabusa can be used to build a JSON timeline:

hayabusa json-timeline -d C\Windows\System32\winevt\logs\ -o evtx.json

The resulting evtx.json file can then be filtered with jq to show only the process-creation events (EventID=1) that hayabusa flagged as suspicious.

# cat evtx.json | jq '[.EventID, .RuleTitle] | select(.[0]==1)' | sort | uniq
  1,
  "File Deletion Via Del"
  "LSASS Dump Keyword In CommandLine"
  "Non Interactive PowerShell Process Spawned"
  "Potentially Suspicious Rundll32 Activity"
  "Process Memory Dump Via Comsvcs.DLL"
  "Proc Exec"
  "Renamed Exe File"
  "Suspicious Encoded PowerShell Command Line"
  "Suspicious Execution of Powershell with Base64"
  "Suspicious PowerShell Encoded Command Patterns"

One way to interact with BitLocker is the manage-bde command, so the entries for suspicious encoded PowerShell commands are particularly interesting:

cat evtx.json | jq '[.RuleTitle, .Details] | select(.[0]=="Suspicious Execution of Powershell with Base64")'

[
  "Suspicious Execution of Powershell with Base64",
  {
    "Cmdline": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e JABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgAD0AIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAAIgByAGUAYQBsAGwAeQBsAG8AbgBnAHAAYQBzAHMAdwBvAHIAZAAiACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQAKAEUAbgBhAGIAbABlAC0AQgBpAHQATABvAGMAawBlAHIAIAAtAE0AbwB1AG4AdABQAG8AaQBuAHQAIAAiAEMAOgAiACAALQBFAG4AYwByAHkAcAB0AGkAbwBuAE0AZQB0AGgAbwBkACAAQQBlAHMAMgA1ADYAIAAtAFUAcwBlAGQAUwBwAGEAYwBlAE8AbgBsAHkAIAAtAFAAaQBuACAAJABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwA=",
    "User": "DESKTOP-R30EAMH\\gladys"
  }
]
[
  "Suspicious Execution of Powershell with Base64",
  {
    "Cmdline": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e [...]",
    "User": "DESKTOP-R30EAMH\\gladys"
  }
]

Part of this (truncated) output is the Cmdline field, which records the executed command in its encoded form. After Base64 decoding, the command can be read in plain text.

# echo "JABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgAD0AIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAAIgByAGUAYQBsAGwAeQBsAG8AbgBnAHAAYQBzAHMAdwBvAHIAZAAiACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQAKAEUAbgBhAGIAbABlAC0AQgBpAHQATABvAGMAawBlAHIAIAAtAE0AbwB1AG4AdABQAG8AaQBuAHQAIAAiAEMAOgAiACAALQBFAG4AYwByAHkAcAB0AGkAbwBuAE0AZQB0AGgAbwBkACAAQQBlAHMAMgA1ADYAIAAtAFUAcwBlAGQAUwBwAGEAYwBlAE8AbgBsAHkAIAAtAFAAaQBuACAAJABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwA=" | base64 -d
$SecureString = ConvertTo-SecureString "reallylongpassword" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString

# echo "[...]" | base64 -d
$SecureString = ConvertTo-SecureString "reallylongpassword" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector

The attacker tried twice, unsuccessfully, to encrypt the C: drive with AES-256 and a password.

Answer: reallylongpassword
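The decoding step above is done by hand with base64 -d. The following is an added example (not part of the original writeup or of hayabusa) that automates it over hayabusa JSON lines: it picks out EventID 1 records whose command line carries a -e/-enc/-EncodedCommand argument, Base64-decodes the argument, and decodes the result as UTF-16LE, which is the encoding PowerShell uses for this switch (base64 -d alone leaves the NUL bytes in the output). It also pulls any literal passed to ConvertTo-SecureString, and skips arguments that are not valid Base64 or not valid UTF-16LE. The records are constructed here; the first Cmdline is the encoded command quoted from the Sysmon record above, the others are made up to exercise the non-matching and malformed cases.

```python
import base64
import binascii
import json
import re

# Encoded command copied from the Sysmon EventID 1 record quoted in Task 03.
ENCODED = (
    "JABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgAD0AIABDAG8AbgB2AGUAcgB0AFQAbwAtAFMAZQBjAHUAcgBlAFMAdAByAGkAbgBnACAAIgByAGUAYQBsAGwAeQBsAG8AbgBnAHAAYQBzAHMAdwBvAHIAZAAiACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQAKAEUAbgBhAGIAbABlAC0AQgBpAHQATABvAGMAawBlAHIAIAAtAE0AbwB1AG4AdABQAG8AaQBuAHQAIAAiAEMAOgAiACAALQBFAG4AYwByAHkAcAB0AGkAbwBuAE0AZQB0AGgAbwBkACAAQQBlAHMAMgA1ADYAIAAtAFUAcwBlAGQAUwBwAGEAYwBlAE8AbgBsAHkAIAAtAFAAaQBuACAAJABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwA="
)

# Constructed sample records in the shape of hayabusa's JSON timeline output.
SAMPLE_RECORDS = [
    json.dumps({"EventID": 1, "RuleTitle": "Suspicious Execution of Powershell with Base64",
                "Details": {"Cmdline": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e " + ENCODED,
                            "User": "DESKTOP-R30EAMH\\gladys"}}),
    json.dumps({"EventID": 1, "RuleTitle": "Proc Exec",
                "Details": {"Cmdline": "C:\\Windows\\System32\\cmd.exe /c dir", "User": "DESKTOP-R30EAMH\\gladys"}}),
    json.dumps({"EventID": 1, "RuleTitle": "Proc Exec",  # constructed: malformed Base64
                "Details": {"Cmdline": "powershell.exe -enc not*valid*base64", "User": "DESKTOP-R30EAMH\\gladys"}}),
    json.dumps({"EventID": 3, "RuleTitle": "Net Conn (Sysmon Alert)",  # not a process-creation event
                "Details": {"Proc": "C:\\Users\\gladys\\Desktop\\merlin.exe", "TgtIP": "52.56.142.81"}}),
]

# Loose approximation of PowerShell's prefix matching: -e, -ec, -enc, ... -EncodedCommand.
# "-ExecutionPolicy" does not match because no whitespace follows "-e".
ENCODED_ARG = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
PASSWORD_LITERAL = re.compile(r'ConvertTo-SecureString\s+"([^"]*)"')


def decode_encoded_command(cmdline):
    """Return the plaintext script behind a powershell -e/-enc argument, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None  # not Base64 at all, or bad padding
    try:
        # PowerShell encodes the script as UTF-16LE before Base64.
        return raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None  # odd byte count or invalid surrogates


def extract_secrets(script):
    """Plaintext literals handed to ConvertTo-SecureString, in order of appearance."""
    return PASSWORD_LITERAL.findall(script)


def scan(lines):
    """Decode every encoded PowerShell command found in EventID 1 records."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventID") != 1:
            continue
        details = rec.get("Details", {})
        script = decode_encoded_command(details.get("Cmdline", ""))
        if script is None:
            continue
        hits.append({"user": details.get("User"), "script": script,
                     "secrets": extract_secrets(script)})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["user"], "->", hit["secrets"])
        print(hit["script"])
```

Reading real data is a matter of replacing SAMPLE_RECORDS with the lines of evtx.json; every record is one JSON object per line, exactly as the jq filters above consume it.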


Task 04

Question: What name was used by the attacker?

Just like the session ID from Task 02, the name used by the attacker can also be read from the TeamViewer logs.

2023/05/04 11:35:31.777  5716  4292 D3   CLogin::run() leave, session id: -2102926010
2023/05/04 11:35:31.777  5716  4292 D3   tvsystem::CThread::weakJoin - thread {Not-any-thread} has succesfully detached itself
2023/05/04 11:35:31.777  5716  2468 D3   DesktopThread started, number of Cores: 2
2023/05/04 11:35:31.958  5716  2436 D3   CParticipantManagerBase participant DESKTOP-R30EAMH (ID [1764218403,-2102926010]) was added with the role 3
2023/05/04 11:35:31.958  5716  2436 D3   New Participant added in CParticipantManager DESKTOP-R30EAMH ([1764218403,-2102926010])
2023/05/04 11:35:31.958  5716  2436 D3   CParticipantManagerBase participant fritjof olfasson (ID [1761879737,-207968498]) was added with the role 6
2023/05/04 11:35:31.958  5716  2436 D3   New Participant added in CParticipantManager fritjof olfasson ([1761879737,-207968498])

Answer: Fritjof Olfasson


Task 05

Question: What IP address did the C2 connect back to?

For network connections, Sysmon writes an event with ID 3 to the event log. Using the known name of the binary, these events can be filtered on the process path and the destination IP displayed:

cat evtx.json | jq '[.RuleTitle, .Details.TgtIP, .Details.Proc] | select(.[2]=="C:\\Users\\gladys\\Desktop\\merlin.exe")'

[
  "Net Conn (Sysmon Alert)",
  "52.56.142.81",
  "C:\\Users\\gladys\\Desktop\\merlin.exe"
]

Answer: 52.56.142.81


Task 06

Question: What category did Windows Defender give to the C2 binary file?

In addition to the event log and the TeamViewer logs, the data collection also includes the Microsoft Defender log files. These are stored by default in C:\ProgramData\Microsoft\Windows Defender\Support\.

[...]
2023-05-04T10:29:22.070Z DETECTION VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe
[...]

Answer: VirTool:Win32/Myrddin.D


Task 07

Question: What was the filename of the powershell script the attackers used to manipulate time?

As part of the data collection, the ConsoleHost_history.txt file was also collected from the host. On Windows systems it is kept per user, where present, in %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline; the PSReadLine module records the interactive PowerShell command history there. By default, the last 4,096 commands are saved.

set-executionpolicy bypass
cd ..
cd ..
cd .\Users\
cd .\gladys\Desktop\
dir
.\Invoke-TimeWizard.ps1

To make sure the file was created by the attacker and is not a regular file belonging to gladys, the file-creation event logged by Sysmon (Event ID 11, File Created) can be checked.

{
    "Timestamp": "2023-05-04 12:35:59.965 +02:00",
    "Computer": "DESKTOP-R30EAMH",
    "Channel": "Sysmon",
    "EventID": 11,
    "Level": "info",
    "RecordID": 1866,
    "RuleTitle": "File Created",
    "Details": {
        "PGUID": "5080714D-8A4F-6453-D501-000000000700",
        "PID": 4428,
        "Path": "C:\\Users\\gladys\\Desktop\\Invoke-TimeWizard.ps1",
        "Proc": "C:\\Users\\gladys\\AppData\\Local\\Temp\\TeamViewer\\TeamViewer.exe"
    },
    "ExtraFieldInfo": {
        "CreationUtcTime": "2023-05-04 10:35:59.962",
        "RuleName": "-",
        "User": "DESKTOP-R30EAMH\\gladys",
        "UtcTime": "2023-05-04 10:35:59.964"
    }
}

Since this file was created by TeamViewer and the file name suggests time manipulation, this is the script we are looking for.

Answer: Invoke-TimeWizard.ps1


Task 08

Question: What time did the initial access connection start?

The TeamViewer logs from Task 02 also show the time of the first access: the timestamp of the IncomingConnection line for the session.

Answer: 2023/05/04 11:35:27
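Tasks 02, 04 and 08 all read the same facts out of the TeamViewer log: the session ID of the incoming connection, its start time, and which participant is the remote party. The following is an added example (not part of the original writeup) that parses the log lines into a per-session summary. It treats a participant as local when its identifier matches the pid reported by SetMyParticipantIdentifier, and as remote otherwise; participants are attributed to the most recent incoming session, since the log lines themselves carry no session reference. The log excerpt is a constructed copy of the lines quoted in Tasks 02 and 04.

```python
import re

# Constructed excerpt: copies of the TeamViewer log lines quoted in Tasks 02 and 04.
TV_LOG = """\
2023/05/04 11:35:27.433  5716  5840 D3   SessionManagerDesktop::IncomingConnection: Connection incoming, sessionID = -2102926010
2023/05/04 11:35:27.433  5716  5840 D3   CParticipantManagerBase::SetMyParticipantIdentifier(): pid=[1764218403,-2102926010]
2023/05/04 11:35:27.434  5716  5840 D3!! InterProcessBase::ProcessControlCommand Command 39 not handled
2023/05/04 11:35:27.435  5716  4292 D3   CLogin::run(), session id: -2102926010
2023/05/04 11:35:31.777  5716  4292 D3   CLogin::run() leave, session id: -2102926010
2023/05/04 11:35:31.958  5716  2436 D3   CParticipantManagerBase participant DESKTOP-R30EAMH (ID [1764218403,-2102926010]) was added with the role 3
2023/05/04 11:35:31.958  5716  2436 D3   New Participant added in CParticipantManager DESKTOP-R30EAMH ([1764218403,-2102926010])
2023/05/04 11:35:31.958  5716  2436 D3   CParticipantManagerBase participant fritjof olfasson (ID [1761879737,-207968498]) was added with the role 6
2023/05/04 11:35:31.958  5716  2436 D3   New Participant added in CParticipantManager fritjof olfasson ([1761879737,-207968498])
"""

# timestamp, process id, thread id, level (may carry "!!"), message
LINE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+(\d+)\s+(\d+)\s+(\S+)\s+(.*)$")
INCOMING = re.compile(r"IncomingConnection: Connection incoming, sessionID = (-?\d+)")
MY_ID = re.compile(r"SetMyParticipantIdentifier\(\): pid=\[(-?\d+),(-?\d+)\]")
PARTICIPANT = re.compile(
    r"CParticipantManagerBase participant (.+?) \(ID \[(-?\d+),(-?\d+)\]\) was added with the role (\d+)")


def parse_sessions(text):
    """Return {session_id: {"start": timestamp, "local": [...], "remote": [...]}}."""
    sessions = {}
    my_ids = set()      # participant identifiers belonging to this host
    current = None      # session id of the most recent incoming connection
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, _pid, _tid, _level, msg = m.groups()
        inc = INCOMING.search(msg)
        if inc:
            current = inc.group(1)
            sessions.setdefault(current, {"start": ts, "local": [], "remote": []})
            continue
        mine = MY_ID.search(msg)
        if mine:
            my_ids.add((mine.group(1), mine.group(2)))
            continue
        part = PARTICIPANT.search(msg)
        if part and current is not None:
            name, a, b, role = part.groups()
            side = "local" if (a, b) in my_ids else "remote"
            sessions[current][side].append({"name": name, "role": int(role), "id": (a, b)})
    return sessions


def remote_names(sessions):
    """Session id -> display names of the remote participants."""
    return {sid: [p["name"] for p in s["remote"]] for sid, s in sessions.items()}


if __name__ == "__main__":
    for sid, s in parse_sessions(TV_LOG).items():
        print(sid, "started", s["start"], "remote:", [p["name"] for p in s["remote"]])
```

The timestamps are taken as the log writes them (local time of the host); the IpcRouterClock line in Task 02 shows the corresponding router time in UTC, so the two differ by the host's UTC offset.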


Task 09

Question: What is the SHA1 and SHA2 sum of the malicious binary?

Microsoft Defender computed the file's hashes as part of the detection and recorded them in the same support log, a few lines before the DETECTIONEVENT entry.

[...]
SDN:Issuing SDN query for \\?\C:\Users\gladys\Desktop\merlin.exe (\\?\C:\Users\gladys\Desktop\merlin.exe) (sha1=ac688f1ba6d4b23899750b86521331d7f7ccfb69, sha2=42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9)
SDN:SDN query completed: 00000000
Internal signature match:subtype=Lowfi, sigseq=0x0000157E4093A282, sigsha=d6cf725601d3674f24c846de1ebd8748dea7635c, cached=false, source=0, resourceid=0x476b09dc
Internal signature match:subtype=Lowfi, sigseq=0x0000157E0BF5A676, sigsha=fcf10facbe87d20c2ad81a5313802a7662f163d2, cached=false, source=0, resourceid=0x476b09dc
Internal signature match:subtype=Lowfi, sigseq=0x0000157EE477CABC, sigsha=9eda2b8c98d41220918af55d055a705cfb0d9f21, cached=false, source=0, resourceid=0x476b09dc
Internal signature match:subtype=Lowfi, sigseq=0x0000157E6ADDFF4C, sigsha=d68287b430d44bad4d2426722d878b33a3859f0d, cached=false, source=0, resourceid=0x476b09dc
Internal signature match:subtype=Lowfi, sigseq=0x0000157ECADD9396, sigsha=3234d0af68c68ef790e72588e2864e3bd55a6100, cached=false, source=0, resourceid=0x476b09dc
2023-05-04T10:29:22.070Z DETECTIONEVENT VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe;process:pid:1992,ProcessStart:133276693023911786;
2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe
2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D process:pid:1992,ProcessStart:133276693023911786
[...]

Answer: ac688f1ba6d4b23899750b86521331d7f7ccfb69:42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9
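Tasks 06 and 09 both come from the Defender support log: the detection name is on the DETECTIONEVENT line, and the hashes are on the preceding SDN query line for the same path. The following is an added example (not part of the original writeup and not Defender's own tooling) that correlates the two by file path and only accepts hashes of the correct length, so a truncated or otherwise malformed SDN line is dropped rather than reported. The log excerpt is a constructed copy of the lines quoted in Tasks 06 and 09 plus one constructed line with bad hashes.

```python
import re

# Constructed excerpt: Defender support log lines quoted in Tasks 06 and 09, plus one
# constructed SDN line (other.bin) whose hashes are malformed.
MPLOG = r"""
SDN:Issuing SDN query for \\?\C:\Users\gladys\Desktop\merlin.exe (\\?\C:\Users\gladys\Desktop\merlin.exe) (sha1=ac688f1ba6d4b23899750b86521331d7f7ccfb69, sha2=42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9)
SDN:SDN query completed: 00000000
SDN:Issuing SDN query for \\?\C:\Users\gladys\Desktop\other.bin (\\?\C:\Users\gladys\Desktop\other.bin) (sha1=deadbeef, sha2=cafe)
2023-05-04T10:29:22.070Z DETECTIONEVENT VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe;process:pid:1992,ProcessStart:133276693023911786;
2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe
"""

# Path after the \\?\ prefix, then a 40-hex SHA-1 and a 64-hex SHA-256 (Defender calls it sha2).
SDN_HASH = re.compile(
    r"SDN query for \\\\\?\\(.+?) \(.*?\(sha1=([0-9a-fA-F]{40}), sha2=([0-9a-fA-F]{64})\)")
# timestamp, threat name, file path (up to the ';' that starts the process part)
DETECTION = re.compile(r"^(\S+) DETECTIONEVENT (\S+) file:([^;]+)")


def collect_hashes(text):
    """Map lower-cased file path -> (sha1, sha256) from well-formed SDN query lines."""
    hashes = {}
    for line in text.splitlines():
        m = SDN_HASH.search(line)
        if m:
            hashes[m.group(1).lower()] = (m.group(2).lower(), m.group(3).lower())
    return hashes


def correlate(text):
    """One finding per DETECTIONEVENT, joined with the hashes seen for that path."""
    hashes = collect_hashes(text)
    findings = []
    for line in text.splitlines():
        m = DETECTION.match(line)
        if not m:
            continue
        ts, threat, path = m.groups()
        sha1, sha256 = hashes.get(path.lower(), (None, None))
        findings.append({"time": ts, "threat": threat, "path": path,
                         "sha1": sha1, "sha256": sha256})
    return findings


def answer_format(finding):
    """sha1:sha256, the form the task expects."""
    return f"{finding['sha1']}:{finding['sha256']}"


if __name__ == "__main__":
    for f in correlate(MPLOG):
        print(f["time"], f["threat"], f["path"], answer_format(f))
```

Matching on the path is deliberate: the SDN query and the detection are separate log lines, and in a longer log there can be many SDN queries between them, so relying on "the line a few above" is fragile.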


Task 10

Question: How many times did the powershell script change the time on the machine?

Changes to the system time are logged in the Windows Event Log with ID 4616.

# cat evtx.json | jq '[.EventID, .Details.Proc] | select (.[0]==4616)' | sort | uniq -c
   2374   4616,
      2   "C:\\Windows\\System32\\SystemSettingsAdminFlows.exe"
   2371   "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
      1   "C:\\W遀๥￿筕㨡"

To count only the time changes caused by the Invoke-TimeWizard.ps1 script, the events are grouped by the triggering process recorded in the event details; the count attributed to powershell.exe is the answer.

Answer: 2371


Task 11

Question: What is the SID of the victim user?

As part of the scenario and in previous tasks, the username of the affected account was determined. Using this together with the format of a security identifier (SID), the entire set of collected data can be searched with a grep command. A user SID always begins with S-1-5-21, where S marks a SID, 1 is the revision of the SID structure, 5 is the identifier authority (NT Authority), and 21 begins the domain identifier.

# grep -Rnw Collection/ -e "gladys.*S-1-5-21" | head -1
Collection/2023-05-04T11_51_06_5397121_CopyLog.csv:431:2023-05-04 11:51:18.4320687,C:\Users\gladys\AppData\Roaming\Microsoft\Protect\S-1-5-21-3720869868-2926106253-3446724670-1003\6ba96a7a-8872-4ebe-b27c-0d0810a63819,C:\KAPE\C\Users\gladys\AppData\Roaming\Microsoft\Protect\S-1-5-21-3720869868-2926106253-3446724670-1003\6ba96a7a-8872-4ebe-b27c-0d0810a63819,468,21CE723CE1474C5883CBA5F3B6902341CF526AA8,False,2023-05-03 10:56:51.3594700,2023-05-03 10:56:51.3594700,2023-05-03 10:56:51.3594700,00:00:00

The pipe into head -1 returns only the first search result. Here the first hit is the CopyLog of the file collection, Collection/2023-05-04T11_51_06_5397121_CopyLog.csv, which records the copy of a file from the folder C\Users\gladys\AppData\Roaming\Microsoft\Protect\S-1-5-21-3720869868-2926106253-3446724670-1003. This folder belongs to the Data Protection API (DPAPI), which lets programs encrypt data for an account without having to manage the key material themselves; each user's DPAPI master keys live in a Protect subfolder named after that user's SID. The SID found in the file path can therefore be assigned to the known account.

Answer: S-1-5-21-3720869868-2926106253-3446724670-1003
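The grep above finds the SID by pattern, and the prose decodes its parts by hand. The following is an added example (not part of the original writeup) that does both: it locates SIDs on lines that reference the user's profile path and breaks a SID into revision, identifier authority, domain identifier and relative identifier (RID). It also classifies the SID the way an analyst would sanity-check it: S-1-5-21-... with a RID of 1000 or above is an ordinary user-created account, a RID below 1000 is a well-known one (500 is the built-in Administrator), and anything not under 21 is a well-known or built-in SID. The sample text is a constructed copy of the CopyLog.csv hit above plus one constructed line containing the LocalSystem SID S-1-5-18.

```python
import re

# S-<revision 1>-<authority>-<subauthorities...>; \b keeps the match off the trailing path.
SID_RE = re.compile(r"\bS-1-(\d+)-(\d+(?:-\d+)*)\b")

# Constructed sample: the CopyLog.csv hit quoted above plus one constructed line.
COLLECTION_TEXT = r"""
Collection/2023-05-04T11_51_06_5397121_CopyLog.csv:431:2023-05-04 11:51:18.4320687,C:\Users\gladys\AppData\Roaming\Microsoft\Protect\S-1-5-21-3720869868-2926106253-3446724670-1003\6ba96a7a-8872-4ebe-b27c-0d0810a63819,C:\KAPE\C\Users\gladys\AppData\Roaming\Microsoft\Protect\S-1-5-21-3720869868-2926106253-3446724670-1003\6ba96a7a-8872-4ebe-b27c-0d0810a63819,468,21CE723CE1474C5883CBA5F3B6902341CF526AA8,False,2023-05-03 10:56:51.3594700,2023-05-03 10:56:51.3594700,2023-05-03 10:56:51.3594700,00:00:00
Collection/constructed_example.csv:1:2023-05-04 11:51:19.0000000,C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Protect\S-1-5-18\placeholder,...
"""


def parse_sid(sid):
    """Split a SID string into its components and classify it."""
    m = SID_RE.fullmatch(sid)
    if not m:
        raise ValueError(f"not a SID: {sid}")
    authority = int(m.group(1))
    subs = [int(x) for x in m.group(2).split("-")]
    info = {"sid": sid, "revision": 1, "authority": authority, "subauthorities": subs,
            "domain_id": None, "rid": None, "kind": "well-known or built-in SID"}
    # NT Authority (5) + 21 + three domain/machine words + RID = domain or local account.
    if authority == 5 and subs[0] == 21 and len(subs) == 5:
        info["domain_id"] = tuple(subs[1:4])
        info["rid"] = subs[4]
        info["kind"] = "user-created account" if subs[4] >= 1000 else "well-known RID (e.g. 500 = Administrator)"
    return info


def find_sids(text):
    """Distinct SIDs in order of first appearance."""
    seen = []
    for m in SID_RE.finditer(text):
        if m.group(0) not in seen:
            seen.append(m.group(0))
    return seen


def sids_for_user(text, username):
    """SIDs that appear on lines also mentioning \\Users\\<username>\\ (case-insensitive)."""
    marker = f"\\users\\{username.lower()}\\"
    hits = []
    for line in text.splitlines():
        if marker in line.lower():
            for sid in find_sids(line):
                if sid not in hits:
                    hits.append(sid)
    return hits


if __name__ == "__main__":
    for sid in sids_for_user(COLLECTION_TEXT, "gladys"):
        print(parse_sid(sid))
```

The profile-path heuristic is the same one the grep relies on: a SID that shares a line with \Users\gladys\ is attributed to that user. It is a reasonable first pass on a collection like this, but the authoritative mapping is the SAM or the ProfileList registry key, which is where to confirm it when both are available.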