CyberDefenders Write-up: Hunter

Nisarg Suthar
9 min read · Jan 22, 2022

Disclaimer:

All the answers apart from the obvious will be redacted to encourage defenders to try the challenge themselves.

The Prompt:

The SOC team got an alert regarding some illegal port scanning activity coming from an employee’s system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user’s system to perform some investigations.

There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond a port scanning!

It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!

Your objective is to analyze the image and to either confirm or deny this theory.

Before we begin, investigations generally have a lot to do with context, and sometimes the slightest bit of context can help you pivot to different artifacts or files to look for. After the walkthrough, we’ll timeline the entirety of the events to the best of our knowledge, with relevant timestamps and the context known at the time. Timestamps are the most critical objects an analyst can mess up: if your timestamps are inconsistent, your forensic methodology can become questionable.

Also, as you will be working with a lot of tools for specific goals, make a habit of cross-verifying with multiple tools to show data consistency. It is not mandatory to know how to parse all the data manually if the tools used are well known and reliable, but try to understand the underlying structures being parsed.

1. What is the computer name of the suspect machine?

The first couple of questions can easily be answered by looking into the registry.

We’ll extract all the relevant hive files from the disk image first to work efficiently.

The main 4 hives are located under ‘Windows/System32/config’.
The user-specific NTUSER.dat is under ‘Windows/System32/config/systemprofile’.
The UsrClass.dat is under ‘Users/Hunter/AppData/Local/Microsoft/Windows’.
Now we can load them in a parser like Registry Explorer.

I’ve made a WIP registry cheat sheet which you can utilize here.

Computer Name is located in the SYSTEM hive.

2. What is the computer IP?

Our system’s internal IP is assigned by DHCP, so the field to look for is DhcpIPAddress under the key:

‘SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces’

3. What was the DHCP LeaseObtainedTime?

Under the same key, we can find the field LeaseObtainedTime which is the time at which our IP was assigned or ‘leased’.

Read more here.

Most of the timestamps in the registry are in epoch time format, so you will have to convert them to the required format. We’ll use ‘DCode’.

4. What is the computer SID?

For the SID we will have to calculate it from the SAM hive under the key ‘SAM\Domains\Account’: take the last 12 bytes of the ‘V’ field, split them into 3 sections of 4 bytes, swap the endianness of each section and convert it to decimal.

Read more here.
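The byte-slicing recipe above, carried out in code so the manual endianness swap can be cross-checked against a generic binary-SID parse. This is an added example, not code from the write-up or from RegRipper; the V value below is a constructed sample (an arbitrary 16-byte prefix followed by a made-up SID), not the one from the challenge image.

```python
import struct

def parse_binary_sid(blob: bytes) -> str:
    """Decode a binary SID: revision (1 byte), sub-authority count (1 byte),
    48-bit big-endian identifier authority, then little-endian DWORD sub-authorities."""
    revision, count = blob[0], blob[1]
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))

def machine_sid_from_v(v_value: bytes) -> str:
    """The machine SID sits at the tail of the V value of SAM\\Domains\\Account.
    The write-up's recipe: take the last 12 bytes, split into three 4-byte groups,
    read each as little-endian (the 'endianness swap') and print in decimal."""
    a, b, c = struct.unpack("<III", v_value[-12:])
    manual = "S-1-5-21-%d-%d-%d" % (a, b, c)
    # Cross-check: the last 24 bytes are the complete binary SID structure
    # (revision, count, authority, four sub-authorities), so parsing it
    # generically must give the same answer as the manual slice.
    full = parse_binary_sid(v_value[-24:])
    if manual != full:
        raise ValueError("V value tail is not a well-formed machine SID")
    return full

def user_sid(machine_sid: str, rid: int) -> str:
    """A local account SID is the machine SID plus the account RID, which is the
    hex name of the user's subkey under SAM\\Domains\\Account\\Users (0x3E9 = 1001)."""
    return "%s-%d" % (machine_sid, rid)

# Constructed sample V value: arbitrary 16-byte prefix followed by the binary
# SID S-1-5-21-1234567890-987654321-1122334455. Not taken from the challenge image.
SAMPLE_V = (bytes(16)
            + bytes([1, 4]) + (5).to_bytes(6, "big")
            + struct.pack("<IIII", 21, 1234567890, 987654321, 1122334455))

if __name__ == "__main__":
    sid = machine_sid_from_v(SAMPLE_V)
    print("machine SID:", sid)
    print("first local user (RID 0x3E9):", user_sid(sid, 0x3E9))
```

The cross-check matters in practice: if the hive is damaged or you slice from the wrong value, the manual 12-byte read still produces three plausible-looking numbers, whereas the structural parse fails loudly.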

I suggest utilizing RegRipper, a parser with a lot of plugins that do all the calculation for us when parsing the data.

Run it against all the hives, and save the results under appropriate names.

In the results of the SOFTWARE hive, we can find the SID.

5. What is the Operating System(OS) version?

I found a license.rtf under ‘Windows/System32’ which contained some OS information.

We can verify it with ‘ProductName’ field here as well.

6. What was the computer timezone?

As the answer is asked in UTC, we don’t have to convert the set timezone. We can directly make use of the ActiveTimeBias field.

Read more here & here.
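Questions 3 and 6 both come down to interpreting raw registry numbers: LeaseObtainedTime is a Unix epoch DWORD, and ActiveTimeBias is a signed minute count stored in an unsigned DWORD. The helpers below (an added example, not part of the write-up or of DCode) do those conversions so the timeline can be kept on one UTC clock; the epoch and bias values in the test are constructed, not the challenge's answers.

```python
from datetime import datetime, timedelta, timezone

def reg_dword_to_signed(value: int) -> int:
    """REG_DWORD values are unsigned 32-bit; ActiveTimeBias is really signed, so a
    stored 0xFFFFFE20 must be read as -480 (a UTC+8 zone), not 4294966816."""
    return value - (1 << 32) if value & 0x80000000 else value

def epoch_to_utc(seconds: int) -> str:
    """LeaseObtainedTime / LeaseTerminatesTime are Unix epoch seconds; render as UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def bias_to_utc_offset(active_time_bias: int) -> str:
    """Windows defines the bias so that UTC = local + bias (minutes). A machine on
    US Eastern Standard Time therefore stores 300 and is reported as UTC-05:00."""
    minutes = reg_dword_to_signed(active_time_bias)
    offset = -minutes
    sign = "+" if offset >= 0 else "-"
    hours, mins = divmod(abs(offset), 60)
    return "UTC%s%02d:%02d" % (sign, hours, mins)

def local_to_utc(local_time: str, active_time_bias: int) -> str:
    """Convert a naive local timestamp (as some artifacts store them) to UTC by
    adding the bias, so every event in the timeline shares one clock."""
    naive = datetime.strptime(local_time, "%Y-%m-%d %H:%M:%S")
    minutes = reg_dword_to_signed(active_time_bias)
    return (naive + timedelta(minutes=minutes)).strftime("%Y-%m-%d %H:%M:%S")

if __name__ == "__main__":
    # Constructed values, not the challenge's answers.
    print(epoch_to_utc(1453500000))        # LeaseObtainedTime as UTC
    print(bias_to_utc_offset(300))         # ActiveTimeBias 300 -> UTC-05:00
    print(local_to_utc("2016-01-22 17:00:00", 300))
```

One caveat: ActiveTimeBias is the bias in effect when the SYSTEM hive was last written. For an event that fell in a different daylight-saving period, compute the offset from Bias and DaylightBias under the same TimeZoneInformation key instead of reusing the active value blindly.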

7. How many times did this user log on to the computer?

Key: ‘SAM\Domains\Accounts\Users’

8. When was the last login time for the discovered account? Format: one-space between date and time

Same key as above.

9. There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC

We can find many executables in the Downloads directory, one of which is nmap-7.12-setup.exe. Its Windows equivalent is called Zenmap.

For the last usage time, we’ll have to examine the prefetch files. First extract them from ‘Windows\Prefetch’.

[PECmd results]

10. When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)

I found the output results in a file called nmapscan.xml which was located on the Desktop.

11. How many ports were scanned?

12. What ports were found “open”? (comma-separated, ascending)

13. What was the version of the network scanner running on this computer?
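Questions 10 to 13 can all be read from the same Nmap XML file. Rather than eyeballing nmapscan.xml, the parser below (an added example, not code from the write-up) pulls the scanner version, the number of ports probed, the open ports in ascending order and the scan end time. The XML document is a constructed sample in Nmap's output format, with made-up target, ports and timestamps; it is not the challenge's file.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample in Nmap's XML output format; not the challenge's nmapscan.xml.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -oX nmapscan.xml 10.0.0.5" start="1453500000" version="7.12" xmloutputversion="1.04">
<scaninfo type="syn" protocol="tcp" numservices="1000" services="1-1000"/>
<host starttime="1453500000" endtime="1453500123">
<status state="up" reason="arp-response"/>
<address addr="10.0.0.5" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/><service name="msrpc"/></port>
<port protocol="tcp" portid="443"><state state="closed" reason="reset"/><service name="https"/></port>
</ports>
</host>
<runstats><finished time="1453500123" timestr="Fri Jan 22 17:02:03 2016" elapsed="123.00"/>
<hosts up="1" down="0" total="1"/></runstats>
</nmaprun>
"""

def summarize_nmap_xml(xml_text: str) -> dict:
    """Answer the 'how many ports / which open / which version / when did it end'
    questions from an Nmap XML report."""
    root = ET.fromstring(xml_text)
    # numservices is per <scaninfo>; a combined TCP+UDP scan emits one element for
    # each protocol, so sum them to get the total number of ports probed.
    ports_scanned = sum(int(si.get("numservices", 0)) for si in root.iter("scaninfo"))
    open_ports = set()
    for port in root.iter("port"):
        state = port.find("state")
        if state is not None and state.get("state") == "open":
            open_ports.add(int(port.get("portid")))
    open_ports = sorted(open_ports)
    finished = root.find("runstats/finished")
    # timestr is the scanning machine's local clock; the time attribute is epoch
    # seconds, so it is the value to use when placing the scan on a UTC timeline.
    end_epoch = int(finished.get("time"))
    return {
        "version": root.get("version"),
        "ports_scanned": ports_scanned,
        "open_ports": open_ports,
        "open_ports_csv": ",".join(str(p) for p in open_ports),
        "end_local": finished.get("timestr"),
        "end_utc": datetime.fromtimestamp(end_epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "targets": [a.get("addr") for a in root.iter("address") if a.get("addrtype") == "ipv4"],
    }

if __name__ == "__main__":
    for key, value in summarize_nmap_xml(SAMPLE_NMAP_XML).items():
        print("%-15s %s" % (key, value))
```

Note the two end times in the sample: the challenge asks for the format of timestr, which is local time on the scanning box, while the epoch in the time attribute is what you line up against registry and prefetch timestamps converted to UTC.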

14. The employee engaged in a Skype conversation with someone. What is the skype username of the other party?

Export the main.db located at ‘Users/Hunter/AppData/Roaming/Skype/hunterehpt’.
The username can be found in the ‘Chats’ table.

15. What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?

Go through the ‘Messages’ table, and examine the conversation.
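For questions 14 and 15 the Skype main.db is plain SQLite, so the Chats and Messages tables can be queried directly instead of scrolling through a viewer. The script below is an added example, not code from the write-up. It assumes the classic Skype-for-desktop column names (participants and dialog_partner in Chats; chatname, author, from_dispname, timestamp and body_xml in Messages), which you should confirm with `.schema` on the real file; the accounts, chat name and messages are constructed placeholders, not the challenge's data.

```python
import html
import re
import sqlite3
from datetime import datetime, timezone

# Assumed subset of the classic Skype-for-desktop main.db layout. Verify the real
# column names with `sqlite3 main.db .schema` before relying on these queries.
SCHEMA = """
CREATE TABLE Chats (id INTEGER PRIMARY KEY, name TEXT, friendlyname TEXT,
                    participants TEXT, dialog_partner TEXT);
CREATE TABLE Messages (id INTEGER PRIMARY KEY, chatname TEXT, author TEXT,
                       from_dispname TEXT, timestamp INTEGER, body_xml TEXT);
"""

# Constructed conversation between two placeholder accounts; not the challenge data.
OWN_ACCOUNT = "hunter.example"
CHAT = "#hunter.example/$outsider.example;0a1b2c3d"
SAMPLE_CHATS = [(1, CHAT, "outsider", "hunter.example outsider.example", "outsider.example")]
SAMPLE_MESSAGES = [
    (CHAT, "outsider.example", "outsider", 1453500600, "hi, did you get the files?"),
    (CHAT, "hunter.example", "Hunter", 1453500660, "not yet &amp; still collecting them"),
    (CHAT, "outsider.example", "outsider", 1453500720,
     "<partlist>use the remote tool we discussed</partlist>"),
]

def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for main.db; with a real image use sqlite3.connect(path)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Chats VALUES (?,?,?,?,?)", SAMPLE_CHATS)
    conn.executemany(
        "INSERT INTO Messages (chatname, author, from_dispname, timestamp, body_xml)"
        " VALUES (?,?,?,?,?)", SAMPLE_MESSAGES)
    return conn

def other_parties(conn, own_account: str) -> list:
    """Every account the local user chatted with, from the Chats table (question 14).
    participants is a space-separated list; dialog_partner is set for 1:1 chats."""
    parties = set()
    for participants, partner in conn.execute("SELECT participants, dialog_partner FROM Chats"):
        parties.update((participants or "").split())
        if partner:
            parties.add(partner)
    parties.discard(own_account)
    return sorted(parties)

def _plain(body_xml: str) -> str:
    """Skype stores bodies as XML fragments; strip tags and decode entities."""
    return html.unescape(re.sub(r"<[^>]+>", "", body_xml or "")).strip()

def conversation(conn, chatname: str) -> list:
    """Chronological (UTC time, author, text) tuples for one chat (question 15).
    Message timestamps are Unix epoch seconds."""
    rows = conn.execute(
        "SELECT timestamp, author, body_xml FROM Messages WHERE chatname = ? ORDER BY timestamp",
        (chatname,))
    return [(datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
             author, _plain(body)) for ts, author, body in rows]

if __name__ == "__main__":
    db = build_sample_db()
    print("other parties:", other_parties(db, OWN_ACCOUNT))
    for when, who, text in conversation(db, CHAT):
        print(when, who, ":", text)
```

Pulling the timestamps out as UTC here is what lets the Skype exchange be slotted between the registry, prefetch and Outlook events later in the timeline.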

16. What is the Gmail email address of the suspect employee?

17. It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?

I had to spend quite a while on this one, as it was unclear what the communication platform was. None of the Skype artifacts contained any such diagrams. Their initial contact was on Skype, and then they started sending emails back and forth.

The challenge details mentioned Outlook, so I pivoted to Outlook as well.

Outlook maintains a local backup copy called backup.pst, which we find under ‘Users/Hunter/Documents/Outlook Files’.

Open it up in a .pst/.ost parser; I used the one from SysTools.

Here we can find the attachment of the said diagram.

18. The user Documents’ directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?

Browse the Documents user directory :P

19. What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)

I was also stuck on this one for a long time. I checked for installed-at-one-point applications in the registry in the following places:

‘SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall’

‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’

But I couldn’t find anything there. Then, in the ‘Program Files (x86)’ directory, I noticed an application called ‘BCWipe’ from ‘Jetico’. It created an UnInstall.log file, which reveals a bunch of the utilities it offers.

20. What are the serial numbers of the two identified USB storage?

Key: ‘SYSTEM\ControlSet001\Enum\USBSTOR’

21. One of the installed applications is a file shredder. What is the name of the application? (two words space separated)

There are 3 cleaner applications downloaded, one of which has a two-word name.

22. How many prefetch files were discovered on the system?

[PECmd results]

23. How many times was the file shredder application executed?

[PECmd results]

24. Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?

Already covered in question #9.

25. A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?

There are multiple places to look, like UserAssist, AppCompatCache and Amcache.hve. But for the sake of learning, this challenge has removed all those artifacts, so we are left with just one option: Prefetch.

Search for the .jar file type in the prefetch entries; it is easily identifiable once you shortlist them.

[PECmd results]

We can confirm this with LNK analysis: export all the .lnk files from ‘Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent’ and load them in LinkParser.

26. The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?

Look for any mails that have attachments.

27. Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?

We can already browse different directories in FTK Imager. But here it is important to understand the importance of shellbags. If a directory is opened in a view, the UsrClass.dat hive will retain an entry for it indefinitely unless it is manually deleted. Shellbags contain metadata like timestamps and the absolute path. They can be helpful in timelining and in proving access to folders by a particular user account.

Open up UsrClass.dat in ShellBagsExplorer.

The exfiltration folder.

28. The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?

View the deleted images from $Recycle-Bin and match the one with given resolution to the images found on the disk image.

Corrupted image which was deleted.
The successful download.

29. Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?

Jump lists are stored at ‘Users/User/AppData/Roaming/Microsoft/Windows/Recent’ by default, under 2 directories: ‘AutomaticDestinations’ & ‘CustomDestinations’.

30. Using JUMP LIST analysis, provide the full path of the application with the AppID of “aa28770954eaeaaa” used to bypass network security monitoring controls.

Load the previously mentioned jump lists from ‘CustomDestinations’ in JumpListExplorer.

Chronological Timelining

Now that we’re done with the questions, let us look at some additional artifacts that will help us in timelining. Please don’t limit yourselves to the scope of the challenge; if you find something interesting to investigate, learn about it actively.

Internet Explorer History

A TeamViewer URL is found, which seems to be the one that pops up by default when a session is terminated.

Participants:

The Outsider/Accomplice: Linuxrules (L)

The Suspect: Hunter (H)

TODO: Look into Tor Browser forensics and come back to this.
