Windows Forensics Challenge Walkthrough (LETSDEFEND)

Ahmed Belhadjadji
4 min read · Mar 25, 2023


https://app.letsdefend.io/challenge/windows-forensics

This is a writeup for the “Windows Forensics” LetsDefend challenge.

The organization has been the target of a phishing campaign, and as a result, the phishing email has been opened on three systems within our network. To identify the Tactics, Techniques, and Procedures (TTPs) employed by the attackers, a rapid triage image was taken from one of the compromised systems and submitted to you for analysis. We need your expertise to help our incident response team respond quickly and take steps to prevent any further breaches across the network.

1/ Initial access was made through a malicious document delivered through email. What was the full path where the document was downloaded?

Extract the relevant artifact files from the triage image:

Open AccessData FTK Imager

File > Add Evidence File > Image File > Browse to the relevant file > Finish

Right click on the [root] folder > Export Files > Select destination file > Ok

Open ShellBagsExplorer.exe

File > Load offline hive > Browse to “LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Windows”

Select the “UsrClass.dat” file > hold the Shift key and open the file

The answer is the absolute path shown for the Downloads entry:

C:\Users\CyberJunkie\Downloads\MailDownloads

2/ What’s the document name? (The document which was delivered via phishing)

Since the file was downloaded, we can check the Downloads folder; if it is not there, we can check the Recycle Bin.

Use RBCmd.exe from Eric Zimmerman's tools; open cmd as administrator.

Run the following command, changing the path as appropriate:

RBCmd.exe -f "<path to the $I file>"

> .\RBCmd.exe -f "LETSDEFEND\$Recycle.Bin\S-1-5-21-1187034906-4050784041-186213912-1001\$IWKWHDC.docx"

Security Awareness.docx

3/ What’s the stager name which connected to the attacker C2 server?

The file was deleted on 2022-08-21 14:03:33.

Let’s investigate whether any program was executed around that time.

Parse the Prefetch directory:

.\PECmd.exe -d "LETSDEFEND\Windows\Prefetch" --csv "LETSDEFEND"

Open the resulting CSV file and look for executions close to the deletion time.

C:\Users\cyberjunkie\desktop\securitypatch.exe

4/ The attacker manipulated MACB Timestamps of the stager executable to confuse Analysts. Analyze the timestamps of the stager and verify the original timestamp and tampered one.

$STANDARD_INFO (SI) timestamps can be modified by user-level processes.

$FILE_NAME (FN) timestamps can only be modified by the system kernel.

Check the system timezone first.

Open MFTExplorer > Load the $MFT file > Browse to the stager executable path “C:\users\cyberjunkie\desktop\”

Original ($FILE_NAME) : tampered ($STANDARD_INFO)

2022-08-21 13:02:23.66 : 2021-12-25 15:34:32
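As an added example (not part of the original writeup), the SI-versus-FN comparison from this question written as a small Python check. The sample record is constructed from the two timestamps and the stager path above; the indicator names and the helper functions are my own.

```python
from datetime import datetime

# Constructed sample built from the values in question 4: the $STANDARD_INFO (SI)
# creation time the attacker wants analysts to see, and the $FILE_NAME (FN)
# creation time that only the kernel writes.
SAMPLE_STAGER = {
    "path": r"C:\users\cyberjunkie\desktop\securitypatch.exe",
    "si_created": "2021-12-25 15:34:32",     # tampered, whole seconds only
    "fn_created": "2022-08-21 13:02:23.66",  # kernel-maintained value
}


def parse_ts(value: str) -> datetime:
    """Parse an MFT timestamp with or without a fractional-second part."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {value!r}")


def timestomp_indicators(si_created: str, fn_created: str) -> list[str]:
    """Return the timestomping indicators found for one file.

    SI_BEFORE_FN: SI creation precedes FN creation. FN is written only by the
      kernel, so a user-mode tool rewriting SI is the usual explanation.
    SI_ZERO_SUBSECONDS: SI has no sub-second part while FN does. NTFS keeps
      100 ns precision, so an exact whole second suggests a tool that sets
      times with one-second granularity.
    Caveat: FN is refreshed from SI when a file is renamed or moved, so it is
    a trustworthy reference only if that did not happen after the tampering.
    """
    si, fn = parse_ts(si_created), parse_ts(fn_created)
    found = []
    if si < fn:
        found.append("SI_BEFORE_FN")
    if si.microsecond == 0 and fn.microsecond != 0:
        found.append("SI_ZERO_SUBSECONDS")
    return found


def original_creation_time(si_created: str, fn_created: str) -> str:
    """Pick the creation time to trust: FN when SI looks tampered, else SI."""
    return fn_created if timestomp_indicators(si_created, fn_created) else si_created


if __name__ == "__main__":
    r = SAMPLE_STAGER
    print(r["path"], timestomp_indicators(r["si_created"], r["fn_created"]))
    print("original creation time:", original_creation_time(r["si_created"], r["fn_created"]))
```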

5/ The attacker set up persistence by manipulating registry keys. All we know is that the GlobalFlags image file technique was used to set up persistence. When a certain process exits, the attacker’s persistence executable is executed. What’s the name of that process?

Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ for activity after the execution of the stager.

Check HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\ for any suspicious information (the MonitorProcess value is what runs on exit).

explorer.exe

6/ What’s the full path, including the name, of the executable which is set up for persistence?

From the same SilentProcessExit key shown in the previous step:

C:\Users\CyberJunkie\Documents\GetPatch.exe

7/ The attacker logged in via RDP and then performed lateral movement. The attacker accessed an internal network-connected device via RDP. What command was run in cmd after the successful RDP into the other Windows machine?

Each time we use Remote Desktop Protocol (RDP) to connect to a computer, small bitmap images are cached on the source machine. These images are stored in cache files within the Windows Terminal Server Client directory. By extracting the bitmap tiles from the cache file, we can view small, literal pictures of what was displayed on the remote screen.

For more reading: see this

The RDP cache is saved here:

LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache

Extract the tiles with bmc-tools:

.\bmc-tools.py -s "LETSDEFEND\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache" -d [destination folder]

Look closely, because the extracted tiles are not in any particular order.

net localgroup

8/ The attacker tried to download a tool from the user’s browser in that second machine. What’s the tool name?

Same method: inspect the extracted RDP bitmap cache tiles.

PowerView.ps1

9/ What command was executed which resulted in privilege escalation?

I answered this question using the CyberJunkie writeup.

We can use DeepBlueCLI, a tool for threat hunting via Windows Event Logs:

.\DeepBlue.ps1 System.evtx

cmd.exe /c echo kyvckn > \\.\pipe\kyvckn

10/ What framework was used by the attacker?

I don’t know how we can be sure of this answer, but it’s the most probable one.

Metasploit

Happy Learning !!
