SpottedInTheWild Blue Team Lab

Walkthrough Write-Up

أحمد ناصر
5 min read · Sep 28, 2024

Category: Endpoint Forensics

LEVEL : Difficult

Challenge Download Link

Instructions:

  • Uncompress the lab (pass: cyberdefenders.org)

Scenario:

You are part of the incident response team at FinTrust Bank. This morning, the network monitoring system flagged unusual outbound traffic patterns from several workstations. Preliminary analysis by the IT department has identified a potential compromise linked to an exploited vulnerability in WinRAR software.

As an incident responder, your task is to investigate this compromised workstation to understand the scope of the breach, identify the malware, and trace its activities within the network.

Tools:

  • Arsenal Image Mounter
  • SQLite Viewer
  • Eric Zimmerman Tools
  • NTFS Log Tracker
  • Registry Explorer
  • Event Log Explorer
  • Strings
  • CyberChef

First, you can use the Arsenal Image Mounter tool to mount the image file, but I used FTK Imager.

Q1-In your investigation into the FinTrust Bank breach, you found an application that was the entry point for the attack. Which application was used to download the malicious file?

  • First we need to check the applications installed on the workstation.
  • Go to C:/Users/Administrator/AppData/Roaming :
  • Now go to C:/Users/Administrator/Downloads/****** ******
  • You will find a zip file named ****************
  • Now unzip the file; you will notice a file named ***************
  • So we found a suspicious script downloaded by ***********, which is our entry point.
THE Answer : ********

Q2-Finding out when the attack started is critical. What is the UTC timestamp for when the suspicious file was first downloaded?

  • Now check the properties of the suspicious zip file:
THE Answer : ****-**-** **:**:** **

Q3-Knowing which vulnerability was exploited is key to improving security. What is the CVE identifier of the vulnerability used in this attack?

  • From the challenge scenario we know which vulnerable software the attacker exploited:
  • Now use Google to search for the CVE linked to this vulnerable software:
THE Answer : ***-****-*****

Q4-In examining the downloaded archive, you noticed a file in with an odd extension indicating it might be malicious. What is the name of this file?

  • From Q1 we know the name of the suspicious file:
THE Answer : **** ******.*** .***

Q5-Uncovering the methods of payload delivery helps in understanding the attack vectors used. What is the URL used by the attacker to download the second stage of the malware?

  • Now we need to run the malicious file in an isolated environment:
THE Answer : ****://***.**.**.**:**** *********************.***

Q6-To further understand how attackers cover their tracks, identify the script they used to tamper with the event logs. What is the script name?

  • Now we need to check the logs, so go to C:/Windows/System32/Winevt/Logs .
  • Export the PowerShell logs and open them with Event Viewer:
  • Now check Event ID 403 (Script Block Logging), which records the execution of PowerShell script blocks:
THE Answer : *********.**1

Q7-Knowing when unauthorized actions happened helps in understanding the attack. What is the UTC timestamp for when the script that tampered with event logs was run?

  • From the previous question:
THE Answer : ****-**-** **:**:** **
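To show how the two previous steps (finding the log-tampering script and its UTC run time) can be automated once the PowerShell script block events have been exported, here is an added Python triage helper that is not part of the original write-up. It runs over constructed sample records; the record fields, the sample paths, script texts and timestamps are assumptions, and only the path C:\Windows\Temp\run.ps1 comes from the page.

```python
import re
from datetime import datetime, timezone

# Constructed sample: exported PowerShell script block log entries
# (time created in UTC, script path, logged script block text).
# Illustrative records only, not the lab's real evidence.
SAMPLE_RECORDS = [
    {"time": "2024-09-20T08:12:41Z", "path": "C:\\Windows\\Temp\\run.ps1",
     "text": "1..254 | ForEach-Object { Test-Connection -Count 1 -Quiet 10.0.0.$_ }"},
    {"time": "2024-09-20T08:15:03Z", "path": "C:\\Users\\Public\\cleanup.ps1",
     "text": "Get-EventLog -List | ForEach-Object { Clear-EventLog -LogName $_.Log }"},
    {"time": "2024-09-20T08:15:09Z", "path": "",
     "text": "wevtutil.exe cl Security; wevtutil cl \"Windows PowerShell\""},
]

# Command patterns that indicate event-log tampering from PowerShell or cmd.
TAMPER_PATTERNS = [
    r"\bClear-EventLog\b",
    r"\bRemove-EventLog\b",
    r"\bLimit-EventLog\b",
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b",
    r"\bStop-Service\b.*\bEventLog\b",
]
TAMPER_RE = re.compile("|".join(TAMPER_PATTERNS), re.IGNORECASE)


def find_log_tampering(records):
    """Return (utc_time, script_name, matched_command) for every record whose
    script block contains a log-clearing command, oldest first."""
    hits = []
    for rec in records:
        m = TAMPER_RE.search(rec["text"])
        if not m:
            continue
        ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        # The script name comes from the Path field; blocks typed inline have none.
        name = rec["path"].rsplit("\\", 1)[-1] if rec["path"] else "<inline>"
        hits.append((ts, name, m.group(0)))
    hits.sort(key=lambda h: h[0])
    return hits


def first_tampering_utc(records):
    """UTC timestamp string of the earliest log-tampering script block, or None."""
    hits = find_log_tampering(records)
    return hits[0][0].strftime("%Y-%m-%d %H:%M:%S UTC") if hits else None


if __name__ == "__main__":
    for ts, name, cmd in find_log_tampering(SAMPLE_RECORDS):
        print(ts.isoformat(), name, cmd)
```

The network-scan block from run.ps1 is deliberately left unflagged, so the output lists only the two log-clearing entries and the earliest gives the Q7-style timestamp.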

Q8-We need to identify if the attacker maintained access to the machine. What is the command used by the attacker for persistence?

  • Again we need to run the malicious file, this time with the CMD Watcher tool running:
THE Answer : *********************************************************

Q9-To understand the attacker’s data exfiltration strategy, we need to locate where they stored their harvested data. What is the full path of the file storing the data collected by one of the attacker’s tools in preparation for data exfiltration?

  • There might be other ways to solve this question, but I just checked the AppData Temp folder.
  • Go to C:/Users/AppData/local/temp/*****.***

Note that the contents of that file are the output of the PowerShell script located at C:\Windows\Temp\run.ps1 :

This script is used to scan the network for online devices:

THE Answer : *:\*****\*************\*******\*****\****\******.***

THE END

BY : Ahmed Nasser
