WriteUp > HTB Sherlocks — Nuts (Medium)

Scenario: a user installs a malicious package; the task is to investigate the incident using the KAPE collection provided.
Tools Used:
- MFT Explorer
- Registry Explorer
- PECmd
- MFTECmd
- Timeline Explorer
Q1. What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)
To find this I assumed some command must have been executed in cmd or PowerShell, so I looked for the PowerShell history of the user John. The KAPE collection contained no user John, so I assumed the Administrator account had been used.
There are two places to find PowerShell history: the event log (Microsoft-Windows-PowerShell/Operational.evtx) or the PowerShell console history, which can be found at the location shown below.


Here we can see the installation command.

Q2. Identify the URL from which the package was downloaded.
Again, the provided KAPE files offer more than one option:
- the browser history
- the Zone.Identifier stream. This is an NTFS feature, specifically an Alternate Data Stream, that attaches data (the Zone.Identifier stream) to a file downloaded from the internet. It tells Windows security features which internet zone the file came from, so they can decide how to treat it.

I used the browser history, since it is the less complicated one to find.
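For the second option, here is a small parser for the Zone.Identifier stream, so you can pull the zone and any recorded download URLs without eyeballing the raw bytes. This is an added example, not part of the write-up or the challenge data: the stream text is constructed and the URLs in it are placeholders.

```python
"""Parse the Zone.Identifier alternate data stream that Windows attaches to
downloaded files. Added example, not from the write-up: SAMPLE_ADS is a
constructed stream and its URLs are placeholders, not the challenge URL."""
import configparser

# Constructed sample of a "<file>:Zone.Identifier" stream. Browsers write the
# [ZoneTransfer] section; HostUrl (and sometimes ReferrerUrl) record where the
# file came from, which is what answers a "download URL" question offline.
SAMPLE_ADS = """[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://example.invalid/packages/PublishIgnor
HostUrl=https://example.invalid/downloads/PublishIgnor.1.0.11-beta.nupkg
"""

# URLZONE values: 3 ("Internet") is what triggers Mark-of-the-Web handling.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}


def parse_zone_identifier(text: str) -> dict:
    """Return zone id/name and any URLs recorded in a Zone.Identifier stream."""
    # Only "=" is a delimiter: URLs contain ":" and interpolation would choke on "%".
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(text)
    if "ZoneTransfer" not in parser:
        raise ValueError("not a Zone.Identifier stream: [ZoneTransfer] section missing")
    section = parser["ZoneTransfer"]
    zone_id = int(section.get("ZoneId", "-1"))
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
        "referrer_url": section.get("ReferrerUrl"),   # None when the browser omitted it
        "host_url": section.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> dict:
    """Read the stream straight off a live NTFS volume (Windows only). For a KAPE
    export, point this at the extracted stream file instead of "<file>:Zone.Identifier"."""
    with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
        return parse_zone_identifier(fh.read())


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_ADS))
```

MFTECmd also surfaces the stream when it parses $MFT, and the zone value alone is useful even when no URL was recorded: a ZoneId of 3 confirms the file came in over the internet rather than being copied from a share.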

Q3. Who is the threat actor responsible for publishing the malicious package? (the name of the package publisher)
I mistakenly searched the entire internet for this answer, although it was right in front of me: it is in the link from which the package was downloaded, and also in the browser history.

Q4. When did the attacker initiate the package download? Provide the timestamp in UTC format (YYYY-MM-DD HH:MM).
I used MFT Explorer, loaded the provided $MFT file, and then used the search feature to find the answer.

Q5. Despite restrictions, the attacker successfully uploaded the malicious file to the official site by altering one key detail. What is the modified package ID of the malicious package?
Looking at the official NuGet site, we can see some legitimate packages being published; one of them, PublishIgnore, was a legitimate package. The attacker abused this name and uploaded PublishIgnor.

Q6. Which deceptive technique did the attacker employ during the initial access phase to manipulate user perception? (technique name)
This technique is called typosquatting: attackers give their payloads names that imitate legitimate ones so they slip past users and detections.
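The name trick can be caught mechanically: compare every package a build pulls in against an allow-list of the packages it is supposed to use and flag anything within one or two edits of a known name that is not that name. The check below is an added example, not something from the write-up; the allow-list and the distance threshold of 2 are my own choices.

```python
"""Typosquat check for package names: flag a candidate that sits within a
small edit distance of a known package but is not that package. Added
example, not from the write-up; KNOWN_PACKAGES is a constructed allow-list."""


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute), O(len(a) * len(b)) memory-light."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


# Constructed allow-list: the package IDs this build is expected to reference.
KNOWN_PACKAGES = ["PublishIgnore", "Newtonsoft.Json", "Serilog"]


def typosquat_candidates(name: str, known=KNOWN_PACKAGES, max_distance: int = 2):
    """Return (legit_name, distance) pairs for known packages that `name` closely
    imitates. NuGet IDs are case-insensitive, so compare lower-cased; an exact
    match (distance 0) is the legitimate package itself and is not reported."""
    hits = []
    for legit in known:
        distance = levenshtein(name.lower(), legit.lower())
        if 0 < distance <= max_distance:
            hits.append((legit, distance))
    return sorted(hits, key=lambda hit: hit[1])


def audit_manifest(package_ids, known=KNOWN_PACKAGES):
    """Run the check over every ID in a manifest; returns {suspicious_id: hits}."""
    return {pid: hits for pid in package_ids if (hits := typosquat_candidates(pid, known))}


if __name__ == "__main__":
    # "PublishIgnor" is one deletion away from "PublishIgnore", exactly the
    # pattern the write-up describes.
    print(audit_manifest(["PublishIgnor", "Serilog", "Newtonsoft.Jsom"]))
```

Running this over a packages.config or .csproj PackageReference list before restore is a cheap gate; the allow-list is the hard part, and it is the same list you would want for reviewing which publishers are trusted.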
Q7. Determine the full path of the file within the package containing the malicious code.
Refer to the same screenshot above
Q8. When tampering with the system’s security settings, what command did the attacker employ?
The package directory contained a malicious PowerShell script called init.ps1. Analyzing the script,

we can see that the attacker disabled real-time monitoring (the DisableRealtimeMonitoring setting), which succeeds because we know user John is an administrator.
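Package install scripts are small, so a line-oriented scan for Defender-tampering cmdlets is enough to surface this kind of thing in triage or in a pre-install gate. The scanner below is an added example, not the package's script: SAMPLE_SCRIPT is constructed to contain the same real-time-monitoring switch the write-up found, and the rule list is my own (Set-MpPreference's -Disable* switches and Add-MpPreference's -Exclusion* parameters are the real cmdlet parameters).

```python
"""Scan a PowerShell script for Defender-tampering commands. Added example,
not the challenge's init.ps1: SAMPLE_SCRIPT is constructed and TAMPER_RULES
is an assumption-level rule set, not an exhaustive one."""
import re

# Constructed stand-in for a NuGet init.ps1: the param line is the standard
# NuGet signature; the two Defender lines are the tampering we want to catch.
SAMPLE_SCRIPT = r"""
param($installPath, $toolsPath, $package, $project)
Write-Host "Configuring package..."
Set-MpPreference -DisableRealtimeMonitoring $true
Add-MpPreference -ExclusionPath "$env:ProgramData"
Write-Host "Done."
"""

# (label, regex) pairs evaluated per line, case-insensitively like PowerShell.
TAMPER_RULES = [
    ("defender_disable_switch",
     re.compile(r"Set-MpPreference\b.*-Disable\w+\s+\$true", re.I)),
    ("defender_exclusion_added",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("defender_service_stop",
     re.compile(r"Stop-Service\b.*\bWinDefend\b", re.I)),
]


def scan_script(text: str):
    """Return (line_number, rule_label, stripped_line) for every matching line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in TAMPER_RULES:
            if pattern.search(line):
                findings.append((lineno, label, line.strip()))
    return findings


def scan_file(path: str):
    """Scan a script on disk; PowerShell files are often UTF-8 with BOM or UTF-16."""
    with open(path, "rb") as fh:
        raw = fh.read()
    encoding = "utf-16" if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else "utf-8-sig"
    return scan_script(raw.decode(encoding, errors="replace"))


if __name__ == "__main__":
    for finding in scan_script(SAMPLE_SCRIPT):
        print(finding)
```

The scan is deliberately naive (one regex per line, no de-obfuscation), which is fine for a first pass over a package's tools folder; anything that hides the cmdlet name behind string concatenation will not match, and that itself is a reason to look closer. On the detection side, a successful Set-MpPreference change also lands in the Defender operational log, which the later questions lean on.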
Q9. Following the security settings alteration, the attacker downloaded a malicious file to ensure continued access to the system. Provide the SHA1 hash of this file.
This was a tough one to find: the file was not present in the $MFT or anywhere else in the KAPE files, and none of the tools showed any trace of a hash. All I knew was that the file had been quarantined, so I searched for a way to get information on quarantined files. MPLogs are logs kept by Windows Defender that record, among other things, details about quarantined files.

Q10. Identify the framework utilized by the malicious file for command and control communication.
Again relying on Microsoft Defender, since the hash returns nothing on VirusTotal or any other platform, I checked the Defender .evtx file.

Q11. At what precise moment was the malicious file executed?
Again a tough one: the $MFT and the prefetch files (when opened through Registry Explorer) only had created and last-accessed timestamps; they do not show when the file was first run.

I used PECmd tool to parse these logs and store it in a text file.

Using the search feature we can see the run count and the last run time. When there have been multiple executions, the prefetch file also keeps a history of the earlier runs.
Q12. The attacker made a mistake and didn’t stop all the features of the security measures on the machine. When was the malicious file detected? Provide the timestamp in UTC.
The same Windows Defender logs!

Q13. After establishing a connection with the C2 server, what was the first action taken by the attacker to enumerate the environment? Provide the name of the process.
I went through prefetch logs parsed through PECmd tool.

While going through the program executions, one command commonly used by attackers to learn the identity of the machine stands out.
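Both Q11 and Q13 come down to the same thing: turning PECmd's per-executable run history into one ordered timeline, so that the first run of the implant and the enumeration commands that follow it line up. The code below does that over PECmd-style CSV. It is an added example, not the write-up's parsed output: the column names (ExecutableName, RunCount, LastRun, PreviousRun0..N) follow PECmd's CSV layout as an assumption, the rows and timestamps are constructed, and RECON_PLACEHOLDER.EXE stands in for whatever enumeration tool you find, not the challenge answer.

```python
"""Rebuild an execution timeline from PECmd-style prefetch CSV output.
Added example, not the write-up's data: column names mirror PECmd's CSV as an
assumption, rows are constructed, and RECON_PLACEHOLDER.EXE is a stand-in."""
import csv
import io
from datetime import datetime

# Constructed rows. PECmd keeps the last run plus up to seven earlier runs
# (PreviousRun0..6) on Windows 8+, all in UTC; three are enough here.
SAMPLE_PECMD_CSV = """ExecutableName,RunCount,LastRun,PreviousRun0,PreviousRun1,PreviousRun2
FILE.EXE,3,2024-01-01 10:25:00,2024-01-01 10:22:00,2024-01-01 10:20:00,
RECON_PLACEHOLDER.EXE,1,2024-01-01 10:26:00,,,
NOTEPAD.EXE,2,2023-12-20 09:00:00,2023-12-19 09:00:00,,
"""


def _ts(value: str):
    """Parse a PECmd timestamp; the real output also carries fractional seconds,
    which this constructed sample omits (assumption: whole seconds)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def load_prefetch(csv_text: str):
    """Return {executable: [run timestamps, oldest first]}."""
    runs = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        stamps = [row.get("LastRun", "")]
        stamps += [v for k, v in row.items() if k.startswith("PreviousRun")]
        runs[row["ExecutableName"]] = sorted(t for t in map(_ts, stamps) if t)
    return runs


def first_execution(runs, exe):
    """Earliest run still recorded for `exe`. Note the cap: if RunCount exceeds the
    number of stored timestamps, the true first run is older than what prefetch keeps."""
    return runs[exe][0] if runs.get(exe) else None


def executions_after(runs, start, end=None):
    """(timestamp, executable) pairs for every run in (start, end], in order:
    the post-compromise sequence the write-up walks through by hand."""
    events = [(t, exe) for exe, times in runs.items() for t in times
              if t > start and (end is None or t <= end)]
    return sorted(events)


if __name__ == "__main__":
    runs = load_prefetch(SAMPLE_PECMD_CSV)
    print("first run of FILE.EXE:", first_execution(runs, "FILE.EXE"))
    for when, exe in executions_after(runs, datetime(2024, 1, 1, 10, 0)):
        print(when, exe)
```

Loading the real CSV is `load_prefetch(open(path, encoding="utf-8-sig").read())`. The ordering matters more than any single timestamp: the enumeration binary that appears right after the implant's first run is the one Q13 is asking about.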

Q14. To ensure continued access to the compromised machine, the attacker created a scheduled task. What is the name of the created task?
We can find this in the Tasks folder at C:\Windows\Tasks.

Q15. When was the scheduled task created? Provide the timestamp in UTC.
Refer above.
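Each task in that folder is an XML file, and the fields that answer Q14 and Q15 (what it runs, who registered it, when) sit at fixed paths under the task namespace. The parser below is an added example, not the challenge artefact: the XML is constructed with placeholder values, and the registration date in it is made up.

```python
"""Extract registration time, author, action and triggers from a scheduled-task
XML file. Added example, not the challenge's task: SAMPLE_TASK_XML is
constructed and its command path / date are placeholders."""
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition (declaration omitted so it parses from a str;
# real files on disk are UTF-16 with a BOM, handled by parse_task_file below).
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2024-01-01T10:30:00.0000000</Date>
    <Author>HOST\Administrator</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\ProgramData\NEW_NAME_PLACEHOLDER.exe</Command>
      <Arguments>/quiet</Arguments>
    </Exec>
  </Actions>
</Task>
"""


def parse_task(xml_data) -> dict:
    """Pull the fields an analyst wants first out of a task XML (str or bytes)."""
    root = ET.fromstring(xml_data)

    def text(path):
        node = root.find(path, TASK_NS)
        return node.text if node is not None else None

    triggers = root.find("t:Triggers", TASK_NS)
    return {
        "registered": text("t:RegistrationInfo/t:Date"),   # local time, no zone suffix
        "author": text("t:RegistrationInfo/t:Author"),
        "command": text("t:Actions/t:Exec/t:Command"),
        "arguments": text("t:Actions/t:Exec/t:Arguments"),
        "triggers": [child.tag.split("}")[-1] for child in triggers] if triggers is not None else [],
    }


def parse_task_file(path: str) -> dict:
    """Read as bytes so the parser honours the file's own UTF-16 declaration and BOM."""
    with open(path, "rb") as fh:
        return parse_task(fh.read())


if __name__ == "__main__":
    print(parse_task(SAMPLE_TASK_XML))
```

Two caveats when using the Date element for Q15: it is whatever the registering process wrote, with no time-zone marker, so cross-check it against the task file's own creation time in the $MFT; and a task whose Command points into ProgramData or a user-writable directory with a logon trigger is the shape to flag in any sweep of that folder.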
Q16. Upon concluding the intrusion, the attacker left behind a specific file on the compromised host. What is the name of this file?
This was a tough one too. Without the contextual information we have in traditional SIEMs and EDRs, it is hard to answer such questions: many executables may be created during the time frame, and without hashes it is difficult to judge whether a file is malicious. Even a legitimate-looking binary cannot be trusted!
I relied on the time interval of the activities above.

I parsed the $MFT and opened the output in Timeline Explorer.

I filtered on the FileCreate option and, since again no context was provided, tried most of the exe's present; by trial and error the file turned out to be file.exe.

Q17. As an anti-forensics measure. The threat actor changed the file name after executing it. What is the new file name?
Referring to the image above, we can see that the same entry number has both a RenameOld and a RenameNew operation.
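What Timeline Explorer lets you do by eye here (filter FileCreate to a window, then pair the rename records for one MFT entry) is easy to script, and scripting it avoids the trial-and-error step. The code below is an added example, not the challenge data: the CSV layout mirrors MFTECmd's $J output as an assumption (Name, EntryNumber, SequenceNumber, ParentPath, UpdateTimestamp, UpdateReasons, with rename reasons spelled RenameOldName/RenameNewName), the rows and timestamps are constructed, and NEW_NAME_PLACEHOLDER.exe stands in for the renamed file rather than giving the Q17 answer.

```python
r"""Correlate USN-journal records: files created in a time window, then
RenameOldName/RenameNewName pairs followed by MFT entry number. Added example,
not the challenge data: CSV layout mirrors MFTECmd's $J output as an
assumption; rows are constructed and the new name is a placeholder."""
import csv
import io
from datetime import datetime

SAMPLE_J_CSV = r"""Name,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons
file.exe,4242,3,.\ProgramData,2024-01-01 10:15:00.0000000,FileCreate
file.exe,4242,3,.\ProgramData,2024-01-01 10:15:01.0000000,DataExtend|FileCreate|Close
other.exe,5555,1,.\Users\Public,2024-01-01 10:16:00.0000000,FileCreate|Close
file.exe,4242,3,.\ProgramData,2024-01-01 10:20:00.0000000,RenameOldName
NEW_NAME_PLACEHOLDER.exe,4242,3,.\ProgramData,2024-01-01 10:20:00.0000000,RenameNewName|Close
old.log,7777,2,.\Windows\Temp,2024-01-01 12:00:00.0000000,FileDelete|Close
"""


def _ts(value: str) -> datetime:
    """MFTECmd writes 7 fractional digits; strptime's %f takes at most 6."""
    head, _, frac = value.partition(".")
    return datetime.strptime(f"{head}.{frac[:6] or '0'}", "%Y-%m-%d %H:%M:%S.%f")


def load_usn(csv_text: str):
    """Rows as dicts; entry = (EntryNumber, SequenceNumber) identifies one MFT record."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "name": row["Name"],
            "entry": (int(row["EntryNumber"]), int(row["SequenceNumber"])),
            "parent": row["ParentPath"],
            "ts": _ts(row["UpdateTimestamp"]),
            "reasons": set(row["UpdateReasons"].split("|")),
        })
    return rows


def files_created_between(rows, start, end):
    """Distinct names carrying a FileCreate reason within [start, end], in time order."""
    seen, out = set(), []
    for r in sorted(rows, key=lambda r: r["ts"]):
        if "FileCreate" in r["reasons"] and start <= r["ts"] <= end and r["name"] not in seen:
            seen.add(r["name"])
            out.append(r["name"])
    return out


def rename_chains(rows):
    """{entry: [(old_name, new_name, timestamp), ...]}: each RenameOldName record
    is paired with the next RenameNewName record for the same MFT entry."""
    chains, pending = {}, {}
    for r in sorted(rows, key=lambda r: r["ts"]):   # stable sort keeps old-before-new
        if "RenameOldName" in r["reasons"]:
            pending[r["entry"]] = r["name"]
        elif "RenameNewName" in r["reasons"] and r["entry"] in pending:
            chains.setdefault(r["entry"], []).append((pending.pop(r["entry"]), r["name"], r["ts"]))
    return chains


if __name__ == "__main__":
    rows = load_usn(SAMPLE_J_CSV)
    window = (datetime(2024, 1, 1, 10, 0), datetime(2024, 1, 1, 11, 0))
    print("created in window:", files_created_between(rows, *window))
    print("renames:", rename_chains(rows))
```

The entry/sequence pair is the key: a rename changes the name but not the MFT record, which is exactly why the same entry number shows up on both the old-name and new-name rows. Feeding the real MFTECmd $J CSV in (`load_usn(open(path, encoding="utf-8-sig").read())`) and intersecting the created-in-window list with the rename chains gives the Q16/Q17 pair directly.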
Q18. Identify the malware family associated with the file mentioned in the previous question (17).
To do this we first need the hash or the file itself, so I used the $MFT to search for the file's presence and location.

As we can see, the executable is present in the ProgramData folder

Again, it was tough to find the specific answer, and I used trial and error, since many threat labels were attached to the file.

One that worked is highlighted!
Q19. When was the file dropped onto the system? Provide the timestamp in UTC.

Challenge link: https://app.hackthebox.com/sherlocks/Nuts