Hunter
Description
A SOC analyst received an alert about possible lateral movement and credential stuffing attacks. The alerts did not have high confidence because the SOC deployment was new, and there was a chance of false positives. After further review and network analysis by a senior SOC analyst, it was confirmed that an attack had occurred. As part of the incident response team, I was assigned to investigate the incident ticket. The network capture device had been experiencing performance issues for some time, so not all traffic was captured. The challenge provided endpoint artifacts and a limited network capture for analysis. My objective was to conduct a deep dive into the available data sources and determine how the incident occurred.
Walkthrough
I completed the tasks in a non-linear order and answered each question as I found the relevant evidence.
Initial Triage
The challenge provided a network capture and a KAPE acquisition.

For the KAPE acquisition, I loaded the evidence into Autopsy for basic analysis.

However, I focused on the network capture first. I opened it in Wireshark and started looking for interesting traffic.

Network Capture Analysis
The network capture was quite large, so some Wireshark features took a long time to load. I started with the Protocol Hierarchy view to get an overview of the traffic.

Most of the traffic looked normal, but I noticed FTP traffic. My initial theory was that the attacker might have used FTP to exfiltrate data or transfer tools, so I filtered the capture to show only FTP traffic.
Explanation - File Transfer Protocol
File Transfer Protocol (FTP) is a standard network protocol used to transfer files between a client and a server. FTP uses a client-server architecture with separate control and data connections. The control connection sends commands and receives responses, while the data connection transfers files. FTP can be used for both uploads and downloads, and it supports multiple authentication methods.

The FTP traffic confirmed that files were being transferred. I found three transferred files.

Using Wireshark’s Export Objects feature, I exported the files.


Both ZIP files were password protected. The three files were:
- keepassproc.zip: ZIP archive containing keepassproc.dmp
- redacted-project.zip: ZIP archive containing the REDACTED_SENSITIVE/ directory
- Database.kdbx: KeePass database file
I then reviewed the FTP traffic to understand the attacker’s actions.
- The attacker logged in with the username theyoungwolf and password TheLongNightIsComing.
- PWD showed /home/theyoungwolf.
- LIST revealed a directory named xchjfad.
- CWD xchjfad
- LIST revealed a subdirectory named uk_campaigns.
- CWD uk_campaigns
- LIST revealed a file named Process Hacker 2.lnk.
- MDTM Process Hacker 2.lnk returned the timestamp 20230621090341.
Task 13
Upon failing their initial attempt to exfiltrate data, the SOC team observed further FTP data being sent to a cloud environment. It is believed that the attackers spun up an instance on the cloud and ran another FTP server hastily to exfiltrate the collected data. Please try to find more information regarding the adversary's infrastructure, so the Threat Intel team can better understand which group might be behind this attack. What is the remote path on the adversary's server where they stored the exfiltrated data?

The FTP traffic showed that the attacker exfiltrated three files to a cloud environment. The remote path appeared in the FTP commands immediately before the file transfers.

The answer is /home/theyoungwolf/xchjfad/uk_campaigns
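The FTP exchange above and the Task 13 path lookup, as an added example that is not code from the original writeup: a Python replay of a constructed control-channel session that tracks the server-side working directory across PWD/CWD and resolves each STOR to its absolute remote path. The session lines, including one deliberately aborted transfer, are constructed.

```python
"""Reconstruct an FTP control-channel session and resolve upload paths.
Added example, not code from the original writeup: it replays client commands
and server replies, tracks the working directory across PWD/CWD/CDUP, and maps
each STOR to the absolute remote path it landed in (the Task 13 staging path).
The session below is constructed to mirror the writeup's FTP exchange.
"""
import posixpath
import re

# Constructed control-channel log: ("C", client command) / ("S", server reply).
SESSION = [
    ("S", "220 (vsFTPd 3.0.3)"),
    ("C", "USER theyoungwolf"),
    ("S", "331 Please specify the password."),
    ("C", "PASS TheLongNightIsComing"),
    ("S", "230 Login successful."),
    ("C", "PWD"),
    ("S", '257 "/home/theyoungwolf" is the current directory'),
    ("C", "CWD xchjfad"),
    ("S", "250 Directory successfully changed."),
    ("C", "CWD uk_campaigns"),
    ("S", "250 Directory successfully changed."),
    ("C", "STOR keepassproc.zip"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
    ("C", "CWD nosuchdir"),            # a failed change must not move the cwd
    ("S", "550 Failed to change directory."),
    ("C", "STOR Database.kdbx"),
    ("S", "150 Ok to send data."),
    ("S", "226 Transfer complete."),
    ("C", "STOR redacted-project.zip"),
    ("S", "150 Ok to send data."),
    ("S", "426 Connection closed; transfer aborted."),  # constructed incomplete upload
]

PWD_RE = re.compile(r'^257\s+"((?:[^"]|"")+)"')   # RFC 959 quoted pathname reply

def reconstruct(session):
    """Return (username, final cwd, [(absolute remote path, completed)])."""
    user, cwd, uploads = None, "/", []
    pending, pending_cwd = None, None       # last client verb and its target dir
    for side, line in session:
        if side == "C":
            verb, _, arg = line.partition(" ")
            pending = verb.upper()
            if pending == "USER":
                user = arg
            elif pending == "CWD":
                pending_cwd = posixpath.normpath(posixpath.join(cwd, arg))
            elif pending == "CDUP":
                pending_cwd = posixpath.dirname(cwd) or "/"
            elif pending == "STOR":
                uploads.append([posixpath.join(cwd, arg), False])
            continue
        code = int(line[:3])
        if pending == "PWD" and code == 257:
            m = PWD_RE.match(line)
            if m:
                cwd = m.group(1).replace('""', '"')
        elif pending in ("CWD", "CDUP") and code == 250:
            cwd = pending_cwd                # only a 250 reply commits the change
        elif pending == "STOR" and code == 226:
            uploads[-1][1] = True            # 226 marks the data transfer complete
    return user, cwd, [tuple(u) for u in uploads]

def staging_directories(uploads):
    """Distinct remote directories that received completed uploads."""
    return sorted({posixpath.dirname(p) for p, done in uploads if done})
```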
Task 16
What specific CVE did the attacker exploit to gain access to the sensitive content?

The exfiltrated data included a KeePass database and a KeePass process dump. If the attacker already knew the KeePass password, they would not need to dump the KeePass process. This suggested that the attacker exploited a KeePass vulnerability to recover the password from memory.

CVE-2023-32784 affects KeePass 2.x before 2.54 and can allow recovery of the cleartext master password from a memory dump, even when the workspace is locked or KeePass is no longer running. Using Autopsy, I found that the KeePass version in the KAPE acquisition was 2.53.1, which is vulnerable to CVE-2023-32784.

The answer is CVE-2023-32784
Task 8
We believe the attacker enumerated installed applications on the system and found an application of interest. We have seen some alerts for a tool named Process Hacker. Which application were they interested in?

Based on the evidence above, the application of interest was KeePass.

The answer is KeePass
FileZilla Client
Before using the KeePass exploit, I needed the password for the ZIP file containing the KeePass dump.
In the acquired C: drive, the user alonzo.spire had these programs on the desktop:
- KeePass 2
- Process Hacker 2
- GitHub Desktop
- Hard Disk Sentinel Enterprise Server
- FileZilla Client

Process Hacker 2 and KeePass 2 were already known to be related to the attack. The attacker likely used Process Hacker 2 to dump the memory of KeePass 2 and recover the password.
FileZilla Client is an FTP client that can be used to exfiltrate data. Its presence suggested that the attacker might have used it instead of the command-line FTP client. Based on this, I searched for FileZilla configuration files in the acquisition.
In C:\Users\alonzo.spire\AppData\Roaming\FileZilla, I found recentservers.xml, which contains the FTP server history for the user. The file contained several saved FTP entries.

Credentials:
- Host: 13.235.18.128, Port: 21, Username: theyoungwolf, Password: TheLongNightIsComing
- Host: ypmlads.ftp.fileserver, Port: 4825, Username: cyberjunkie, Password: UionskHGTLDS
- Host: 13.45.67.23, Port: 21, Username: alonzo.spire, Password: TheAwesomeGrape
Task 12
The attackers tried to exfiltrate the data to their FTP server but couldn't connect to it. The threat intelligence team wants you to collect more TTPs (Tactics, Techniques, and Procedures) and IOCs (Indicators of Compromise) related to the adversary. It would be really helpful for the TI team if you could provide some useful information regarding the attacker's infrastructure being used. Can you find the domain name and the password of their FTP server?

The answer is ypmlads.ftp.fileserver:UionskHGTLDS
This password also worked for the ZIP file, so I extracted the files and analyzed them. The keepassproc.dmp file was a memory dump of the KeePass process and contained the material needed to recover the KeePass database password.
KeePass Exploitation
Since the attacker exploited CVE-2023-32784, I used keepassproc.dmp to recover the password for the KeePass database. A public PoC for this vulnerability is available here.
Running the exploit recovered the KeePass database password.

The password is ?hlhdfGVBUlgtlhkjnkm63069!@efkl$
I then used this master password to open Database.kdbx.

There were three entries in the database:



| Title | Username | Password |
|---|---|---|
| DC-Admin share | Administrator | PapxxuW5Ly8t3KSl8G1k |
| Forela work email | alonzo.spire@forela.co.uk | aP6x3SqNJncyHtL1ogNa |
| Redacted-Project | redacted-project.zip | oyuUYk8@ojFknk(DCB23+ |
With the password for redacted-project.zip, I extracted the archive and analyzed its contents. Two files were found:
- note.txt
- Internal Comms App config.json

Task 17
Find a way to access the sensitive information. The information was related to development of an internal application. What is the suggested name for this app?

The config.json file revealed the suggested name for the internal application.
The answer is C-Comms
Task 18
We believe the attacker had access to the Social Security Number (SSN) of a partner's employee due to the data exfiltrated. Please confirm the SSN number of Arthur Morgan from zeeindustries?

The Internal Comms App config.json file contained the SSN for Arthur Morgan.
The answer is 762-67-5421
Task 19
We believe the domain admin credentials were leaked during this incident. Please confirm the Domain Admin password.

The KeePass database contained the Domain Admin password.
The answer is PapxxuW5Ly8t3KSl8G1k
Acquisition Analysis
Task 15
The security team highlighted that information pertaining to a sensitive project may have been exfiltrated by the attackers and are now worried about the threat of extortion. Which directory did the attacker manage to stage and then exfiltrate?

From the previous analysis of the exfiltrated data, I already knew that the attacker exfiltrated the REDACTED_SENSITIVE directory. I used MFTECmd to parse $MFT and Timeline Explorer to analyze the results.

The answer is C:\Users\alonzo.spire\Documents\REDACTED_SENSITIVE
Task 9
What was the name of the initial dump file?

The attacker dumped the memory of the KeePass process to recover the password. The extracted dump was named keepassproc.dmp, but that was not the original dump name. I continued using $MFT data and Timeline Explorer to identify the original filename.

There were two entries with the .dmp extension: keepassproc.dmp and a shortcut named pid9180.dmp.lnk. The shortcut indicated that the original dump file was likely pid9180.dmp, because the name included the process PID and matched the naming style of a process dumping tool such as Process Hacker.
The answer is pid9180.dmp
Task 14
For how long did the tool used for exfiltrating data run before being closed? (Answer in seconds)

The tool used for exfiltration was FileZilla Client. To determine how long FileZilla ran, I checked both SRUM data and UserAssist data, since FileZilla is a GUI application.
SRUM returned four entries for FileZilla Client. I cross-checked them against the network capture timeline to identify the relevant execution window.


In the network capture, FTP traffic started at 2023-06-21 12:20:16 and ended at 2023-06-21 12:23:04, which roughly matched two SRUM entries that ended at 12:24:00. However, submitting the duration from those entries was incorrect.
I then switched to UserAssist data.
Explanation - UserAssist
UserAssist is a Microsoft Windows feature that tracks the usage of applications and files. It is stored in the Windows Registry and records information about executed programs, including run count and last access time. This data is useful in forensic analysis because it can help determine which applications were used during a specific time window.
It can be found in the registry path HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.

The runtime was 10 minutes and 48 seconds, which is 648 seconds.
The answer is 648
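As an added example (not the writeup's own tooling), the following Python decodes a UserAssist value the way the runtime above is read from it: the ROT13 value name, the run count and the focus time in milliseconds. The registry entry, its GUID and its timestamp are constructed placeholders.

```python
"""Decode a UserAssist value (Windows 7 and later, 72-byte layout).
Added example, not code from the original writeup. Value names under the
UserAssist\\{GUID}\\Count keys are ROT13-encoded and the binary data holds the
run count, focus count, focus time in milliseconds and last-run FILETIME; the
focus time is the runtime figure used in Task 14. The entry is constructed.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_userassist(name, data):
    """Decode one UserAssist value; returns None for layouts other than 72 bytes."""
    if len(data) != 72:
        return None
    # offsets 0..16: session id, run count, focus count, focus time (ms);
    # 16..56: ten floats (not needed here); 60..68: last-run FILETIME
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms // 1000,
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }

def build_value(session, run_count, focus_count, focus_ms, last_run):
    """Build a 72-byte value for the constructed sample (test scaffolding only)."""
    ticks = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (struct.pack("<IIII", session, run_count, focus_count, focus_ms)
            + bytes(44) + struct.pack("<Q", ticks) + bytes(4))

# Constructed sample: a FileZilla-style entry with 10 min 48 s of focus time.
# The GUID and path are placeholders, not the real UserAssist key for FileZilla.
SAMPLE_NAME = codecs.encode(
    "{0000AAAA-BBBB-CCCC-DDDD-EEEEFFFF0000}\\FileZilla FTP Client\\filezilla.exe",
    "rot13")
SAMPLE_DATA = build_value(
    session=0, run_count=4, focus_count=12, focus_ms=648_000,
    last_run=datetime(2023, 6, 21, 12, 31, 4, tzinfo=timezone.utc))

def runtime_seconds(name, data):
    """Focus time in whole seconds, the figure asked for in Task 14."""
    entry = decode_userassist(name, data)
    return entry["focus_seconds"] if entry else None
```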
Task 4
When was whoami command executed on the system by the attacker? (UTC)

The whoami command displays the currently logged-in user. Its execution can be identified through Prefetch artifacts. I used PECmd to parse the Prefetch files.

The answer is 2023-06-21 11:19:59
Task 3
What's the SHA1 hash of the exe which gave remote access to the attacker?

After identifying the execution time of whoami, I checked the Prefetch data again to find any executable that ran around the same time.

A suspicious executable named OWUJOMCY.EXE ran shortly before whoami. This was likely the executable that provided remote access to the attacker.
I confirmed this by checking files loaded by OWUJOMCY.EXE in the Prefetch data. cmd.exe was loaded, confirming that this executable allowed the attacker to run commands on the system.
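The Prefetch reasoning used for Tasks 2 to 4, as an added Python example that is not part of the original writeup: given records in the shape PECmd exports, it lists executables that ran shortly before whoami and keeps those whose Prefetch shows cmd.exe was loaded. The records and timestamps are constructed.

```python
"""Correlate Prefetch execution records around a known command.
Added example, not code from the original writeup. Given records in the shape
PECmd exports (executable name, run times, files loaded), it lists executables
that ran within a window before the target (whoami) and narrows them to those
whose Prefetch shows cmd.exe was loaded, the reasoning behind Tasks 2 and 3.
The records and timestamps are constructed (UTC).
"""
from datetime import datetime, timedelta

RECORDS = [
    {"exe": "OWUJOMCY.EXE", "runs": [datetime(2023, 6, 21, 11, 19, 34)],
     "loaded": [r"\WINDOWS\SYSTEM32\KERNEL32.DLL", r"\WINDOWS\SYSTEM32\CMD.EXE"]},
    {"exe": "SVCHOST.EXE", "runs": [datetime(2023, 6, 21, 8, 2, 11),
                                    datetime(2023, 6, 21, 11, 19, 40)],
     "loaded": [r"\WINDOWS\SYSTEM32\NTDLL.DLL"]},
    {"exe": "WHOAMI.EXE", "runs": [datetime(2023, 6, 21, 11, 19, 59)],
     "loaded": [r"\WINDOWS\SYSTEM32\KERNEL32.DLL"]},
    {"exe": "NOTEPAD.EXE", "runs": [datetime(2023, 6, 21, 11, 25, 3)],   # after whoami
     "loaded": [r"\WINDOWS\SYSTEM32\CMD.EXE"]},
]

def runs_before(records, target_exe="whoami.exe", window=timedelta(minutes=2)):
    """Executions of other binaries within `window` before the target's first run."""
    target = next(r for r in records if r["exe"].upper() == target_exe.upper())
    t0 = min(target["runs"])
    hits = [(r["exe"], t) for r in records if r is not target
            for t in r["runs"] if t0 - window <= t < t0]
    return sorted(hits, key=lambda h: h[1])

def loaded_module(records, hits, module="CMD.EXE"):
    """Keep only hits whose Prefetch file references `module` among loaded files."""
    by_exe = {r["exe"].upper(): r["loaded"] for r in records}
    return [(exe, t) for exe, t in hits
            if any(f.upper().endswith("\\" + module.upper()) for f in by_exe[exe.upper()])]

def likely_remote_access_binary(records):
    """Earliest binary that ran just before whoami and loaded cmd.exe, or None."""
    cands = loaded_module(records, runs_before(records))
    return cands[0] if cands else None
```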

To get the SHA1 hash of the executable, I searched for it in Amcache data using AmcacheParser.

The answer is 23873bf2670cf64c2440058130548d4e4da412dd
Explanation - Prefetch and Amcache
Prefetch: When an executable runs from a specific location for the first time, Windows creates a Prefetch file. Investigators can use Prefetch records to determine what executable ran and when it ran. Prefetch files are located in C:\Windows\Prefetch.
Amcache: Amcache stores records of applications that have run on a Windows system. It can contain details such as executable path, first run time, and SHA1 hash. The Amcache hive is located at C:\Windows\AppCompat\Programs\Amcache.hve.
Task 2
When did the attacker gain a foothold on the system? (UTC)

The attacker's foothold time can be determined from the Prefetch execution time of OWUJOMCY.EXE.
The answer is 2023-06-21 11:19:34
Task 5
We believe the attacker performed enumeration after gaining a foothold. They likely discovered a PDF document containing RDP credentials for an administrator's workstation. We believe the attacker accessed the contents of the file and utilised them to gain access to the endpoint. Find a way to recover contents of the PDF file and confirm the password.

I searched for PDF files in $MFT using Timeline Explorer.

The file internal_documentation.pdf looked promising. Similar to the SillyEli challenge, I used the Windows Search index to recover the PDF contents.
Explanation - Windows.edb
Windows.edb is a database file used by the Windows Search service to index and store information about files and their contents. It is located at C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb. The Windows Search service uses this database to speed up searches for files, emails, and other content. For forensic analysis, Windows.edb can be valuable because it may contain metadata and indexed content from files.
I used sidr from this repository to parse Windows.edb and search for the PDF contents.
```text
PS E:\Tools\sidr> .\sidr.exe -f csv E:\HTB\Sherlock\hunter\C
Processing ESE db: E:\HTB\Sherlock\hunter\C\ProgramData\Microsoft\search\data\applications\windows\Windows.edb
WARNING: The database state is not clean.
Processing a dirty database may generate inaccurate and/or incomplete results.
Use windows\system32\esentutl.exe for recovery (/r) and repair (/p).
Note that Esentutl must be run from a version of Windows that is equal to or newer than the one that generated the database.
E:\Tools\sidr\FORELA-WKSTN002_File_Report_20260509_071827.024389900.csv
E:\Tools\sidr\FORELA-WKSTN002_Internet_History_Report_20260509_071827.024628500.csv
E:\Tools\sidr\FORELA-WKSTN002_Activity_History_Report_20260509_071827.025114500.csv
Found 1 Windows Search database(s)
```

I opened FORELA-WKSTN002_File_Report_20260509_071827.024389900.csv in Timeline Explorer, searched for internal_documentation.pdf, and found the file contents.

The answer is JollyRancherATForela22
Task 6
At what time did the adversary initially authenticate utilizing RDP? (UTC)

To find the RDP authentication time, I reviewed the Security event logs in the KAPE acquisition. I used EvtxECmd to parse Security.evtx and Timeline Explorer to analyze the events.
A successful logon generates event ID 4624, and a Logon Type of 10 (RemoteInteractive) indicates an RDP session. I filtered for event ID 4624 and looked for Logon Type: 10.

The answer is 2023-06-21 11:44:52
Task 10
The attackers downloaded a custom batch script from their C2 server. What is the full C2 domain URL from where it was downloaded?

Because the downloaded file was a batch script, I searched for .bat files in $MFT using Timeline Explorer.

Only one suspicious entry was found: Scout.bat in C:\Users\alonzo.spire\Pictures. The file was not present in the acquisition, so I again used the Windows Search index to look for its contents.

The content did not contain anything useful. I returned to $MFT and checked activity around the time the batch file was created.

A certutil.exe Prefetch file was created right after the batch file. This suggested that the batch file was downloaded using certutil.exe. I confirmed this by checking the Prefetch data for certutil.exe, which showed that Scout.bat was loaded.

certutil.exe stores downloaded metadata and a copy of the downloaded file in C:\Users\<User>\AppData\LocalLow\Microsoft\CryptnetUrlCache. In that directory, I found metadata containing the URL from which the batch file was downloaded.

The answer is http://oakfurnitures.uk/ovxlabd/campaign/uk_orgs/scout.bat
Task 11
What is the MD5 hash of the batch script?

A copy of the batch script was stored in the Content folder under CryptnetUrlCache. I used Get-FileHash to calculate the MD5 hash.

```powershell
PS E:\HTB\Sherlock\hunter\C\Users\alonzo.spire\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content> Get-FileHash .\A3CEB2B928510B461A9B19D9B4B8D5B6 -Algorithm MD5

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
MD5             93F595357E23C5FCE3ED694DAFA7C0A3                                       E:\HTB\Sherlock\hunter\C\User...
```

The answer is 93F595357E23C5FCE3ED694DAFA7C0A3
Task 7
The security team has located numerous unusual PowerShell scripts on the host. We believe the adversary may have downloaded the tooling and renamed it to stay hidden. Please confirm the original name of the malicious PowerShell script utilised by the attacker.

I searched $MFT and Timeline Explorer for .ps1 files under the alonzo.spire user directory.

Most entries were not useful. The only suspicious file was clean.ps1 in C:\Users\alonzo.spire\Pictures. Searching the Windows index for the file contents did not return anything useful, so I looked for script execution traces instead.
I parsed the PowerShell event logs with EvtxECmd and reviewed the results in Timeline Explorer.

A script block showed that a file was downloaded from https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 and saved as clean.ps1.
The answer is PowerView.ps1
Task 1
What is the MITRE technique ID of the tactic used by the attacker to gain initial access to the system?

I knew the attacker used OWUJOMCY.EXE, which was dropped in C:\Windows, to gain initial access to the system. The next question was how the attacker dropped and executed it.
The executable ran at 2023-06-21 11:19:34. I reviewed Security event logs around that time to look for clues.

These entries all occurred at 2023-06-21 11:19:34, which matched the execution time of OWUJOMCY.EXE.
One notable detail was that immediately after FORELA\alonzo.spire logged on, NT AUTHORITY\SYSTEM also logged on at the same timestamp. This suggested that the attacker may have used PsExec to execute a service as SYSTEM and drop the executable.
Based on this PsExec forensics article, I checked HKLM\SYSTEM\CurrentControlSet\Services for any service whose binary path pointed to OWUJOMCY.EXE.

A service named tFdj had the binary path C:\Windows\OWUJOMCY.EXE.
From MITRE ATT&CK’s PsExec page, the relevant technique for executing binaries through services on a remote system is T1569.002.
The answer is T1569.002
Question and Answer
| Task | Question | Answer |
|---|---|---|
| 1 | What is the MITRE technique ID of the tactic used by the attacker to gain initial access to the system? | T1569.002 |
| 2 | When did the attacker gain a foothold on the system? (UTC) | 2023-06-21 11:19:34 |
| 3 | What’s the SHA1 hash of the exe which gave remote access to the attacker? | 23873bf2670cf64c2440058130548d4e4da412dd |
| 4 | When was whoami command executed on the system by the attacker? (UTC) | 2023-06-21 11:19:59 |
| 5 | We believe the attacker performed enumeration after gaining a foothold. They likely discovered a PDF document containing RDP credentials for an administrator’s workstation. We believe the attacker accessed the contents of the file and utilised them to gain access to the endpoint. Find a way to recover contents of the PDF file and confirm the password. | JollyRancherATForela22 |
| 6 | At what time did the adversary initially authenticate utilizing RDP? (UTC) | 2023-06-21 11:44:52 |
| 7 | The security team has located numerous unusual PowerShell scripts on the host. We believe the adversary may have downloaded the tooling and renamed it to stay hidden. Please confirm the original name of the malicious PowerShell script utilised by the attacker. | PowerView.ps1 |
| 8 | We believe the attacker enumerated installed applications on the system and found an application of interest. We have seen some alerts for a tool named Process Hacker. Which application were they interested in? | KeePass |
| 9 | What was the name of the initial dump file? | pid9180.dmp |
| 10 | The attackers downloaded a custom batch script from their C2 server. What is the full C2 domain URL from where it was downloaded? | http://oakfurnitures.uk/ovxlabd/campaign/uk_orgs/scout.bat |
| 11 | What is the MD5 hash of the batch script? | 93F595357E23C5FCE3ED694DAFA7C0A3 |
| 12 | The attackers tried to exfiltrate the data to their FTP server but couldn’t connect to it. The threat intelligence team wants you to collect more TTPs and IOCs related to the adversary. Can you find the domain name and the password of their FTP server? | ypmlads.ftp.fileserver:UionskHGTLDS |
| 13 | Upon failing their initial attempt to exfiltrate data, the SOC team observed further FTP data being sent to a cloud environment. What is the remote path on the adversary’s server where they stored the exfiltrated data? | /home/theyoungwolf/xchjfad/uk_campaigns |
| 14 | For how long did the tool used for exfiltrating data run before being closed? (Answer in seconds) | 648 |
| 15 | The security team highlighted that information pertaining to a sensitive project may have been exfiltrated by the attackers and are now worried about the threat of extortion. Which directory did the attacker manage to stage and then exfiltrate? | C:\Users\alonzo.spire\Documents\REDACTED_SENSITIVE |
| 16 | What specific CVE did the attacker exploit to gain access to the sensitive content? | CVE-2023-32784 |
| 17 | Find a way to access the sensitive information. The information was related to development of an internal application. What is the suggested name for this app? | C-Comms |
| 18 | We believe the attacker had access to the Social Security Number (SSN) of a partner’s employee due to the data exfiltrated. Please confirm the SSN number of Arthur Morgan from zeeindustries? | 762-67-5421 |
| 19 | We believe the domain admin credentials were leaked during this incident. Please confirm the Domain Admin password. | PapxxuW5Ly8t3KSl8G1k |
MITRE ATT&CK
| Observed Activity | ATT&CK Tactic | ATT&CK Technique |
|---|---|---|
| The attacker executed OWUJOMCY.EXE through a service named tFdj, consistent with PsExec-style service execution. | Execution | T1569.002 - System Services: Service Execution |
| OWUJOMCY.EXE loaded cmd.exe, allowing the attacker to run commands on the host. | Execution | T1059.003 - Command and Scripting Interpreter: Windows Command Shell |
| The attacker ran whoami during post-compromise enumeration. | Discovery | T1033 - System Owner/User Discovery |
| The attacker accessed a PDF containing RDP credentials. | Credential Access | T1552.001 - Unsecured Credentials: Credentials In Files |
| The attacker authenticated over RDP using recovered credentials. | Lateral Movement | T1021.001 - Remote Services: Remote Desktop Protocol |
| The attacker downloaded Scout.bat from oakfurnitures.uk using certutil.exe. | Command and Control | T1105 - Ingress Tool Transfer |
| The attacker downloaded PowerView and renamed it to clean.ps1. | Defense Evasion | T1036.005 - Masquerading: Match Legitimate Resource Name or Location |
| The attacker used PowerView for Active Directory-style enumeration. | Discovery | T1087.002 - Account Discovery: Domain Account |
| The attacker used Process Hacker to dump KeePass process memory. | Credential Access | T1555 - Credentials from Password Stores |
| The attacker exploited CVE-2023-32784 to recover the KeePass master password from memory. | Credential Access | T1212 - Exploitation for Credential Access |
| The attacker staged the REDACTED_SENSITIVE directory before exfiltration. | Collection | T1074.001 - Data Staged: Local Data Staging |
| The attacker used FTP infrastructure to exfiltrate KeePass data and project files. | Exfiltration | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |