Category : Endpoint Forensics
LEVEL : Medium
Challenge Download link : https://cyberdefenders.org/blueteam-ctf-challenges/enroll/32
Instructions:
Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions.
Case Overview:
The SOC team got an alert regarding some illegal port scanning activity coming from an employee’s system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user’s system to perform some investigations.
There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond a port scanning!
It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!
Your objective as a soc analyst is to analyze the image and to either confirm or deny this theory.
Supportive Tools:
First of all, we need to dump some important registry hives:
- SAM
- SECURITY
- SOFTWARE
- SYSTEM
- ntuser.dat
- usrClass.dat
Now load these hives into Registry Explorer.
Q1-What is the computer name of the suspect machine?
- Go to SYSTEM\ControlSet001\Control\ComputerName :
THE ANSWER : 4ORENSICS
Q2-What is the computer IP?
- Go to SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{8CB9FBF6-AE*****} :
THE Answer : 10.0.2.15
Q3-What was the DHCP LeaseObtainedTime?
- In the same path from the previous question, look at the LeaseObtainedTime value:
- The value is 1466475852. This is a Unix epoch timestamp (seconds since 1970-01-01), so we need to convert it to UTC.
- Use the epochconverter website to do the conversion:
THE ANSWER : 21/06/2016 02:24:12 UTC
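The same conversion can be done offline. The following script is an added example and is not part of the original write-up: it decodes LeaseObtainedTime both from the integer Registry Explorer displays and from the raw little-endian REG_DWORD bytes as stored in the SYSTEM hive, and formats the result in UTC. The byte string is constructed from the Q3 value; the function names are the example's own.

```python
# Added example (not part of the original write-up): converting the registry
# LeaseObtainedTime value to UTC without an online converter.
# LeaseObtainedTime is a REG_DWORD holding Unix epoch seconds, so it can be
# decoded either from the integer Registry Explorer shows or from the raw
# 4-byte little-endian value carved out of the hive.
import struct
from datetime import datetime, timezone

# Constructed sample: the Q3 value (1466475852) and its little-endian
# REG_DWORD encoding as it sits inside the SYSTEM hive (0x5768A54C).
LEASE_OBTAINED_DWORD = 1466475852
LEASE_OBTAINED_RAW = struct.pack("<I", LEASE_OBTAINED_DWORD)  # b'\x4c\xa5\x68\x57'


def dword_to_epoch(raw: bytes) -> int:
    """Decode a 4-byte little-endian REG_DWORD into an unsigned integer."""
    if len(raw) != 4:
        raise ValueError("REG_DWORD must be exactly 4 bytes")
    return struct.unpack("<I", raw)[0]


def epoch_to_utc(epoch: int) -> datetime:
    """Interpret Unix epoch seconds as a timezone-aware UTC datetime.

    Passing tz=timezone.utc avoids the classic mistake of letting the
    analyst workstation's local timezone leak into the timeline.
    """
    return datetime.fromtimestamp(epoch, tz=timezone.utc)


def lease_obtained_time(raw: bytes) -> str:
    """Format LeaseObtainedTime as DD/MM/YYYY HH:MM:SS UTC (the Q3 answer format)."""
    return epoch_to_utc(dword_to_epoch(raw)).strftime("%d/%m/%Y %H:%M:%S UTC")


if __name__ == "__main__":
    print(lease_obtained_time(LEASE_OBTAINED_RAW))
```

The explicit tz=timezone.utc matters: datetime.fromtimestamp() without it returns local time on the analysis workstation, which is a common source of off-by-hours errors in forensic timelines.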
Q4-What is the computer SID?
- Go to SAM\Domains\Account\Aliases\Members\S-1-5-21-2489440558-2754304563-710705792 :
THE ANSWER : S-1-5-21-2489440558-2754304563-710705792
Q5-What is the Operating System(OS) version?
- Go to SOFTWARE\Microsoft\Windows NT\CurrentVersion and look at the ProductName value:
THE ANSWER : 8.1
Q6-What was the computer timezone?
- Go to SYSTEM\ControlSet001\Control\TimeZoneInformation and look at the “TimeZoneKeyName” value:
THE ANSWER : UTC-07:00
Q7-How many times did this user log on to the computer?
- I used the RegRipper tool to analyze the SAM file:
- Now open the report file generated by RegRipper:
THE ANSWER : 3
Q8-When was the last login time for the discovered account? Format: one-space between date and time
- From the screenshot above from the previous question:
THE ANSWER : 2016-06-21 01:42:40
Q9-There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC
- First, dump the Prefetch folder using FTK:
- Now open it with WinPrefetchView:
- Now scroll down; you will notice a process named ZENMAP.EXE (a network scanner tool):
THE ANSWER : zenmap.exe,2016-06-21 12:08:13 UTC
Q10-When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)
- Go to /root/Users/Hunter/Desktop and dump the nmapscan.xml file.
- Now open the file with any XML viewer:
THE ANSWER : Tue Jun 21 05:12:09 2016
Q11-How many ports were scanned?
- From the same file:
THE ANSWER : 1000
Q12-What ports were found “open”?(comma-separated, ascending)
- From the same file:
THE ANSWER : 22,80,9929,31337
Q13-What was the version of the network scanner running on this computer?
- From the same file:
THE ANSWER : 7.12
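Instead of reading nmapscan.xml in a viewer, the answers to Q10 through Q13 can be extracted from the report's XML structure directly. The following script is an added example, not part of the original write-up: it parses an nmap XML report with Python's standard library and pulls out the scan end time (runstats/finished), the number of scanned ports (scaninfo numservices), the open ports, and the scanner version (nmaprun version). The embedded report is a constructed, trimmed sample carrying the values the write-up found; the target address is a documentation-range placeholder, and the epoch values were derived from the timestr under the assumption that the scanning machine was in the UTC-07:00 zone identified in Q6.

```python
# Added example (not part of the original write-up): extracting the Q10-Q13
# answers from an nmap XML report with the standard library.
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample nmapscan.xml (trimmed). The real report holds the full
# 1000-port service list, host details and many closed ports; only the
# elements the questions rely on are reproduced here. Target address is a
# placeholder from the 192.0.2.0/24 documentation range.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -oX nmapscan.xml TARGET_PLACEHOLDER" start="1466510929" version="7.12" xmloutputversion="1.04">
  <scaninfo type="syn" protocol="tcp" numservices="1000" services="1,3-4,6-7,9,13,17,19-26"/>
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="closed" count="995"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="9929"><state state="open" reason="syn-ack"/><service name="nping-echo"/></port>
      <port protocol="tcp" portid="31337"><state state="open" reason="syn-ack"/><service name="Elite"/></port>
    </ports>
  </host>
  <runstats>
    <finished time="1466511129" timestr="Tue Jun 21 05:12:09 2016" elapsed="200.00" summary="Nmap done at Tue Jun 21 05:12:09 2016; 1 IP address (1 host up) scanned in 200.00 seconds" exit="success"/>
    <hosts up="1" down="0" total="1"/>
  </runstats>
</nmaprun>
"""


def parse_nmap_report(xml_text: str) -> dict:
    """Return the forensic facts of interest from an nmap XML report.

    Fields: scanner_version, ports_scanned, open_ports (sorted ints),
    scan_end (nmap's local-time string) and scan_end_utc (from the epoch
    attribute, which is timezone-independent and therefore comparable with
    UTC prefetch timestamps).
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmap XML report (root element is %r)" % root.tag)

    scaninfo = root.find("scaninfo")
    finished = root.find("runstats/finished")

    # Only ports whose <state> child reports "open"; closed/filtered are skipped.
    open_ports = sorted(
        int(port.get("portid"))
        for port in root.iter("port")
        if port.find("state") is not None and port.find("state").get("state") == "open"
    )

    end_epoch = int(finished.get("time")) if finished is not None else None
    return {
        "scanner_version": root.get("version"),
        "ports_scanned": int(scaninfo.get("numservices")) if scaninfo is not None else None,
        "open_ports": open_ports,
        "scan_end": finished.get("timestr") if finished is not None else None,
        "scan_end_utc": datetime.fromtimestamp(end_epoch, tz=timezone.utc) if end_epoch is not None else None,
    }


def open_ports_answer(report: dict) -> str:
    """Format open ports as the comma-separated ascending list asked for in Q12."""
    return ",".join(str(p) for p in report["open_ports"])


if __name__ == "__main__":
    report = parse_nmap_report(SAMPLE_NMAP_XML)
    print("Scan end (local):", report["scan_end"])
    print("Scan end (UTC):  ", report["scan_end_utc"].isoformat())
    print("Ports scanned:   ", report["ports_scanned"])
    print("Open ports:      ", open_ports_answer(report))
    print("Scanner version: ", report["scanner_version"])
```

Note that timestr in the finished element is written in the scanning host's local time, while the time attribute is a Unix epoch; use the epoch when correlating the scan with UTC artifacts such as the prefetch last-run time from Q9.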
Q14-The employee engaged in a Skype conversation with someone. What is the skype username of the other party?
- I used the Skyperious tool to do Skype forensics, a resource that may help you with your investigation.
- First, we need to dump the Skype database, so go to /root/Users/Hunter/AppData/Roaming/skype and dump the Skype folder:
- Now open the main database (Root/Users/Hunter/AppData/Roaming/Skype/hunterehpt/main.db) in Skyperious and go to the chat section:
THE ANSWER : linux-rul3z
Q14-What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?
- With the same tool, open the chat between the attacker and the employee:
THE ANSWER : Teamviewer
Q16-What is the Gmail email address of the suspect employee?
- Go to the information section:
THE ANSWER : ehptmsgs@gmail.com
Q18-The user Documents’ directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?
- Go to the Documents directory in FTK (root/Users/Hunter/Documents):
THE ANSWER : Ryan_VanAntwerp_thesis.pdf
Q19-What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)
- In FTK, go to /root/Program Files[x86]/Jetico/BCWIPE.
- In the BCWipe directory, there is the “UnInstall.log” file, which contains the answer:
THE ANSWER : Crypto Swap
Q20-What are the serial numbers of the two identified USB storage?
- In Registry Viewer, go to SYSTEM\ControlSet001\Enum\USB :
THE ANSWER : 07B20C03C80830A9,AAI6UXDKZDV8E9OU
Q21-One of the installed applications is a file shredder. What is the name of the application? (two words space separated)
- Check the program names in /root/Users/Hunter/Program Files[x86]/jetico :
THE ANSWER : Jetico BCWipe
Q22-How many prefetch files were discovered on the system?
- Use the PECmd tool to list all prefetch files:
E:\tools\Get-ZimmermanTools\net6>PECmd.exe -d "C:\Users\user\Desktop\New folder\Prefetch"
THE ANSWER : 174
Q23-How many times was the file shredder application executed?
- Since we know the tool name from the previous question (BCWipe), we can go and check its Prefetch entry:
THE ANSWER : 5
Q24-Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?
- Easy, check the Prefetch files:
THE ANSWER : 06/21/2016 12:08:13 PM
Q25-A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?
- In the Downloads folder you can find a JAR file, so I guess the file name is the answer:
THE ANSWER : C:\Users\Hunter\Downloads\Burpsuite_free_v1.7.03.jar
Q27-Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?
- First, dump UsrClass.dat and import it into ShellBags Explorer.
THE ANSWER : C:\Users\Hunter\Pictures\Exfil
Q28-The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?
- If you checked the second photo in $Recyclebin, you would notice that it is the same as ws_Small_cute_kitty_1920x1200.jpg in “Users\Hunter\Picture\Private.”
THE ANSWER : ws_Small_cute_kitty_1920x1200.jpg
Q29-Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?
- Jump Lists are stored in sub-folders of the user’s Recent folder, previously identified as storing LNK files (C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent).
- Now go to /root/Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent :
THE ANSWER : AutomaticDestinations
Q30-Using JUMP LIST analysis, provide the full path of the application with the AppID of “aa28770954eaeaaa” used to bypass network security monitoring controls.
- Now we need to dump the AutomaticDestinations and CustomDestinations folders from the previous question and load them into the JumpList Explorer tool:
- Load the AutomaticDestinations files in JumpList Explorer and search for aa28770954eaeaaa :
THE ANSWER : C:\Users\Hunter\Desktop\Tor Browser\Browser\firefox.exe
THE END
BY : Ahmed Nasser