Write-Up > LetsDefend Challenge: Windows Forensics

Praj Shete
7 min read · Oct 3, 2024


Scenario: A targeted phishing campaign is being carried out against our organization, and so far the phishing mail has been opened on 3 systems in our network. A quick triage image was collected from one of the infected systems and provided to you to identify the TTPs being used by the attackers. Identify the techniques and tactics used by the attacker so our incident response team can respond and mitigate any further compromises across the network.

Note: This challenge is focused on manual artifact analysis. You can use Eric Zimmerman's tool suite for most of the artifacts. Additional research will be required for some questions.

Link: https://app.letsdefend.io/challenge/windows-forensics

Level: Hard

Q1. Initial Access was made through a Malicious Document delivered through email. What Was the full path where the document was downloaded?

We have been given an .ad1 disk image. We can either mount it with AccessData FTK Imager or import the AD1 image into it directly. Let's import the image. Since the question asks for the path the file was downloaded to, we will look at the UsrClass.dat file.
In digital forensics, the USRCLASS.DAT hive stores ShellBag information and is a valuable source of evidence for investigators:

ShellBag information

  • Stores information about the user’s interactions with files and folders, including the desktop, remote folders, local folders, virtual folders, and Windows special folders

Usage patterns

  • Investigators can analyze the contents of the USRCLASS.DAT file to understand how users interact with files and folders.

Let's first export this file and open it in ShellBags Explorer, since the DAT file holds the ShellBag data.

We can see the downloads path here.

Q2. What’s the document name? (The document which was delivered via phishing)
Since no other files are listed under the Downloads folder, I assume the document was deleted, either by the user or automatically, so we will look in the $Recycle.Bin folder.

Here the deleted file has been given a random name; that is normal OS behaviour, but if we look at the hex dump we can recover the original filename.
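The hex-dump step can be automated. When a file is sent to the Recycle Bin, its content is renamed to `$R<random>` and a small `$I<random>` metadata record is written beside it; that record has a fixed layout (version, original size, deletion FILETIME, original path as UTF-16LE) from which the original name comes straight out. The parser below is an added example written for this write-up, not code from the challenge or the author. The `$I` record it parses is constructed inside the script, so the path, size and time it prints are invented demo values, not the challenge answer.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_recycle_bin_i_file(data: bytes) -> dict:
    """Decode a $Recycle.Bin $I record (Vista and later layout).

    Offset 0: 8-byte version (1 = Vista..8.1, 2 = Windows 10 and later)
    Offset 8: 8-byte original file size
    Offset 16: 8-byte deletion time as FILETIME
    Offset 24: original path, UTF-16LE. Version 1 uses a fixed 520-byte
    (260 character) field; version 2 stores a 4-byte character count
    (including the terminating NUL) followed by that many characters.
    """
    if len(data) < 24:
        raise ValueError("too short to be a $I record")
    version, original_size, deleted_ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (char_count,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + char_count * 2]
    else:
        raise ValueError(f"unsupported $I version {version}")
    # Stop at the first NUL: that is the end of the original path
    original_path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "version": version,
        "original_size": original_size,
        "deleted_at": filetime_to_datetime(deleted_ft),
        "original_path": original_path,
    }


def build_sample_i_file(original_path: str, original_size: int,
                        deleted_at: datetime, version: int = 2) -> bytes:
    """Construct a synthetic $I record for the demo; not taken from the challenge image."""
    name = (original_path + "\x00").encode("utf-16-le")
    header = struct.pack("<QQQ", version, original_size, datetime_to_filetime(deleted_at))
    if version == 1:
        return header + name.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + name


# Constructed sample: a document deleted from a Downloads folder (all values invented)
SAMPLE_DELETED_AT = datetime(2024, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_PATH = "C:\\Users\\victim\\Downloads\\example_document.docx"
SAMPLE_I_V2 = build_sample_i_file(SAMPLE_PATH, 24576, SAMPLE_DELETED_AT, version=2)
SAMPLE_I_V1 = build_sample_i_file(SAMPLE_PATH, 24576, SAMPLE_DELETED_AT, version=1)

if __name__ == "__main__":
    for blob in (SAMPLE_I_V2, SAMPLE_I_V1):
        rec = parse_recycle_bin_i_file(blob)
        print(f"v{rec['version']}: {rec['original_path']} "
              f"({rec['original_size']} bytes) deleted {rec['deleted_at']:%Y-%m-%d %H:%M:%S} UTC")
```

To use it on the triage image, export the `$I` file from `$Recycle.Bin\<user SID>\` and pass its bytes to `parse_recycle_bin_i_file`; the matching `$R` file with the same random suffix holds the document content itself.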

Q3. What’s the stager name which connected to the attacker C2 server(Fullpath\name)

For this we need to check AmCache.hve, a Windows system file that stores information about program executions. We will extract it from the disk image and parse the hive with AmcacheParser.

The result we are interested in is the Unassociated file entries: executions the tool cannot tie to a known installed program. There will be false positives among them, but they should be the first things to investigate.

Looking at the other file paths, we can exclude most of them since they point to System32 or other legitimate locations (in a real environment this will not always be the case), but one entry shows an execution from the Desktop: securitypatch.exe.

Q4. The attacker manipulated MACB Timestamps of the stager executable to confuse Analysts. Analyze the timestamps of the stager and verify the original timestamp and tampered one. (ORIGINAL TIMESTAMP : TAMPERED TIMESTAMP)

Timestomping is a classic defense evasion technique: attackers change file timestamps (typically the creation time) so that analysts cannot build an accurate attack timeline. For this information we will look into the $MFT.
$MFT, the Master File Table, is the NTFS file that keeps track of every file on a volume. It contains information such as:

  • File location in the directory
  • Physical file location on the drive
  • File metadata
  • File size
  • Time and date stamps
  • Permissions

We will extract the $MFT (it is generally present in the root folder) and import it into MFT Explorer (it may take 15 minutes to open).

As we already know the file path, we can navigate to it in the tool; there we will see two sets of timestamps.
SI_Created On: This comes from the $STANDARD_INFORMATION attribute and is the timestamp users see when they check a file's Properties. It can be manipulated through API calls.

FN_Created On: This comes from the $FILE_NAME attribute stored in the MFT (Master File Table). It cannot be changed through the normal file-time API calls, so it reflects the actual creation time.
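The SI-versus-FN comparison described above is mechanical enough to script, which matters when a volume has hundreds of thousands of records and you want every suspicious one, not just the path you already know. The checker below is an added example for this write-up (my own code, not the author's or Eric Zimmerman's). It takes records with the four SI and four FN timestamps (the same values MFT Explorer shows, and which MFTECmd's CSV exposes as the 0x10 and 0x30 columns) and flags two classic indicators: SI earlier than FN, and SI with all-zero sub-second digits while FN keeps them. The sample records, including the file name borrowed from the write-up, use constructed timestamps.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Timestamps held in both $STANDARD_INFORMATION (SI, attribute 0x10)
# and $FILE_NAME (FN, attribute 0x30) of an MFT record
SI_FN_FIELDS = ("created", "modified", "mft_modified", "accessed")


def timestomp_indicators(si: Dict[str, datetime], fn: Dict[str, datetime]) -> List[str]:
    """Return the reasons why the SI timestamps of one record look tampered with.

    Heuristics:
      * SI earlier than FN: user-mode API calls rewrite SI only, so a stomped
        SI often predates the FN value written when the file was really
        created on this volume.
      * Zero sub-second digits in SI while FN has them: tools that set times
        at one-second granularity leave the 100 ns fraction at zero.
    FN timestamps are refreshed on rename/move, so treat hits as leads and
    confirm them with $UsnJrnl, $LogFile or Prefetch data.
    """
    findings: List[str] = []
    for field in ("created", "modified"):
        if si[field] < fn[field]:
            findings.append(
                f"{field}: SI {si[field]:%Y-%m-%d %H:%M:%S.%f} is earlier than "
                f"FN {fn[field]:%Y-%m-%d %H:%M:%S.%f}"
            )
    for field in SI_FN_FIELDS:
        if si[field].microsecond == 0 and fn[field].microsecond != 0:
            findings.append(f"{field}: SI sub-second digits are all zero while FN's are not")
    return findings


def scan_records(records: List[dict]) -> Dict[str, List[str]]:
    """Map each record path to its list of indicators (empty list = looks clean)."""
    return {r["path"]: timestomp_indicators(r["si"], r["fn"]) for r in records}


def _ts(y, mo, d, h, mi, s, us=0):
    return datetime(y, mo, d, h, mi, s, us, tzinfo=timezone.utc)


# Constructed sample values (not from the challenge image)
_REAL = _ts(2024, 8, 20, 14, 5, 31, 123456)   # when the stager really landed
_FAKE = _ts(2019, 3, 14, 10, 22, 5)            # whole-second value stomped into SI
_SYS = _ts(2023, 1, 10, 9, 0, 0, 555000)       # an ordinary, untouched system file

SAMPLE_RECORDS = [
    {   # SI rolled back to 2019, FN still carries the real 2024 creation
        "path": "\\Users\\victim\\Desktop\\securitypatch.exe",
        "si": {"created": _FAKE, "modified": _FAKE, "mft_modified": _REAL, "accessed": _FAKE},
        "fn": {"created": _REAL, "modified": _REAL, "mft_modified": _REAL, "accessed": _REAL},
    },
    {   # SI and FN agree, so nothing is flagged
        "path": "\\Windows\\System32\\notepad.exe",
        "si": dict.fromkeys(SI_FN_FIELDS, _SYS),
        "fn": dict.fromkeys(SI_FN_FIELDS, _SYS),
    },
]

if __name__ == "__main__":
    for path, hits in scan_records(SAMPLE_RECORDS).items():
        print(path, "->", "clean" if not hits else "")
        for hit in hits:
            print("   ", hit)
```

For the stager record the checker reports the tampered SI creation time alongside the FN value, which is exactly the ORIGINAL : TAMPERED pair the question asks for; the `mft_modified` field is left alone by the stomp in this sample, which is also typical, since it is updated by the MFT write the attacker's own change causes.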

Q5. The attacker set up persistence by manipulating registry keys. All we know is that GlobalFlags image file technique was used to set up persistence. When exiting a certain process, the attacker persistence executable is executed. What’s the name of that process?

Image File Execution Options is a Windows registry key which enables developers to attach a debugger to an application and to enable "GlobalFlag" for application debugging. This behavior of Windows opens the door for persistence since an arbitrary executable can be used as a debugger of a specific process or as a "MonitorProcess". In both scenarios code execution will be achieved and the trigger will be either the creation of a process or the exit of an application. However it should be noted that the implementation of this technique requires Administrator level privileges as the registry location where the keys need to be added is under:

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\pentestlab.exe"

Reference: https://pentestlab.blog/2020/01/13/persistence-image-file-execution-options-injection/

Here we need to look for the SilentProcessExit key.
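The three `reg add` lines above are the attacker's side; the defender's side is to sweep the hive for every `SilentProcessExit\<process>` key that names a `MonitorProcess` and join it with the `GlobalFlag` of the matching IFEO key, since the trick only fires when bit 0x200 (512, FLG_MONITOR_SILENT_PROCESS_EXIT) is set there. The script below is an added example for this write-up, not code from the author, the challenge or the pentestlab post. It reads a `.reg` text export (the format `reg export` writes; when working from an offline SOFTWARE hive in Registry Explorer you would export the same two subtrees, and the `HKEY_LOCAL_MACHINE\SOFTWARE\...` prefix the script assumes is an assumption of this example). The embedded export is constructed and reuses the notepad.exe / pentestlab.exe values from the reference above.

```python
from typing import Dict, List, Optional

HIVE_ROOT = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\"
IFEO_PREFIX = HIVE_ROOT + "Image File Execution Options\\"
SPE_PREFIX = HIVE_ROOT + "SilentProcessExit\\"
FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200   # GlobalFlag bit (512) that turns on SilentProcessExit


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key_path: {value_name: raw_value}}.

    Handles the one-line forms ("name"="string" and "name"=dword:xxxxxxxx);
    hex(...) continuation lines are skipped, which is enough for these keys.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "(Default)" if name == "@" else name.strip('"')
        keys[current][name] = value
    return keys


def _reg_sz(raw: Optional[str]) -> Optional[str]:
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    if raw is None or not (raw.startswith('"') and raw.endswith('"')):
        return raw
    return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")


def _reg_dword(raw: Optional[str]) -> Optional[int]:
    return int(raw[len("dword:"):], 16) if raw and raw.startswith("dword:") else None


def find_silent_process_exit_persistence(keys: Dict[str, Dict[str, str]]) -> List[dict]:
    """List every SilentProcessExit subkey with a MonitorProcess, plus its IFEO GlobalFlag."""
    findings = []
    for key, values in keys.items():
        if not key.lower().startswith(SPE_PREFIX.lower()) or "MonitorProcess" not in values:
            continue
        process = key[len(SPE_PREFIX):]                 # process whose exit is the trigger
        ifeo = keys.get(IFEO_PREFIX + process, {})
        global_flag = _reg_dword(ifeo.get("GlobalFlag"))
        findings.append({
            "process": process,
            "monitor_process": _reg_sz(values["MonitorProcess"]),   # what gets launched
            "reporting_mode": _reg_dword(values.get("ReportingMode")),
            "global_flag": global_flag,
            "silent_exit_flag_set": bool(global_flag and global_flag & FLG_MONITOR_SILENT_PROCESS_EXIT),
        })
    return findings


# Constructed .reg export: the notepad.exe entries from the reference, plus an
# unrelated IFEO key (calc.exe) that must not be reported.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"GlobalFlag"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\temp\\pentestlab.exe"
"""

if __name__ == "__main__":
    for hit in find_silent_process_exit_persistence(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(f"on exit of {hit['process']}: runs {hit['monitor_process']} "
              f"(GlobalFlag=0x{hit['global_flag'] or 0:x}, armed={hit['silent_exit_flag_set']})")
```

A `MonitorProcess` whose `GlobalFlag` lacks the 0x200 bit is still worth noting (the attacker may have set the two keys in the wrong order, or the flag may have been cleaned up), which is why the script reports the value rather than filtering on it.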

Q6. Whats the full path alongside name of the executable which is setup for persistence?(FULLPATH\Filename)

Q7. The attacker logged in via RDP and then performed lateral Movement. Attacker accessed an Internal network-connected Device via RDP. What command was run on cmd after successful RDP into Other Windows machine?

This was an interesting question. After researching on the web I learned something new: while RDP sessions are active, the client stores bitmap images of the session as a cache under the Terminal Server Client folder in AppData\Local. We can use bmc-tools.py to extract these bitmap images.

After running the tool, around 2000 bitmap images were produced; we need to go through them manually to find the answer.

It seems the attacker ran net localgroup as the command.

Q8. The attacker tried to download a tool from the user’s browser on that second machine. What’s the tool name? (name.ext)

Following the same technique we can find the download of PowerView.ps1.

Q9. What command was executed which resulted in privilege escalation?

For this we need to check the System event logs with a tool called DeepBlue.ps1.
DeepBlue.ps1 is a PowerShell script that analyzes Windows event logs to identify suspicious activity:

  • Usage: To use DeepBlue.ps1, you can:
  1. Open an administrator-level PowerShell window
  2. Navigate to the DeepBlue folder in your user’s Downloads folder
  3. Run the command .\DeepBlue.ps1 to process the local Windows security event log
  4. Run the command .\DeepBlue.ps1 -log system to process the local Windows system event log
  5. Run the command .\DeepBlue.ps1 .\evtx\new-user-security.evtx to process an evtx file

We found the command used for privilege escalation.

Q10. What framework was used by the attacker?

In the same screenshot we can find the framework used.
