CyberDefenders Write-up: Hunter
Disclaimer:
All the answers apart from the obvious will be redacted to encourage defenders to try the challenge themselves.
The Prompt:
The SOC team got an alert regarding some illegal port scanning activity coming from an employee’s system. The employee was not authorized to do any port scanning or any offensive hacking activity within the network. The employee claimed that he had no idea about that, and it is probably a malware acting on his behalf. The IR team managed to respond immediately and take a full forensic image of the user’s system to perform some investigations.
There is a theory that the user intentionally installed illegal applications to do port scanning and maybe other things. He was probably planning for something bigger, far beyond a port scanning!
It all began when the user asked for a salary raise that was rejected. After that, his behavior was abnormal and different. The suspect is believed to have weak technical skills, and there might be an outsider helping him!
Your objective is to analyze the image and to either confirm or deny this theory.
Before we begin, investigations generally have a lot to do with context, and sometimes the slightest bit of context can help you pivot to different artifacts or files to look for. After the walkthrough, we’ll timeline the entirety of the events to the best of our knowledge, with relevant timestamps and the context known at the time. Timestamps are the most critical objects an analyst can mess up. If your timestamps are inconsistent, your forensic methodology can become questionable.
Also, as you will be working with a lot of tools for specific goals, make a habit of cross-verifying with multiple tools to show data consistency. It is not mandatory to know how to parse all the data manually if the tools used are well known and reliable, but try to understand the underlying structures being parsed.
1. What is the computer name of the suspect machine?
The first couple of questions can easily be answered by looking into the registry.
We’ll extract all the relevant hive files from the disk image first to work efficiently.
I’ve made a WIP registry cheat sheet which you can utilize here.
2. What is the computer IP?
Our system’s internal IP is assigned by DHCP, so the field to look for is DhcpIPAddress under the key (inside the subkey for the relevant interface GUID):
‘SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces’
3. What was the DHCP LeaseObtainedTime?
Under the same key, we can find the field LeaseObtainedTime, which is the time at which our IP was assigned or ‘leased’. Read more here.
Most of the timestamps in the registry are in epoch time format; you will have to convert them to the required format. We’ll use ‘DCode’.
4. What is the computer SID?
For the SID we will have to calculate it from the SAM hive under the key ‘SAM\Domains\Account’: take the last 12 bytes of the ‘V’ value, split them into 3 sections of 4 bytes, swap the endianness of each section and convert to decimal.
Read more here.
I suggest utilizing RegRipper, a parser with a lot of plugins that do all the calculation for us in order to parse the data.
Run it against all the hives, and save the results appropriately named.
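The decoding steps behind questions 2, 3 and 4 are simple enough to do by hand, which is also the best way to sanity-check what RegRipper or DCode prints. The following is an added example, not part of the original write-up or of RegRipper; it takes the raw value bytes as they would be read from the SYSTEM and SAM hives with any hive parser, and the sample values (IP, lease time, V bytes) are constructed, not the challenge’s real answers.

```python
import struct
from datetime import datetime, timezone

# Constructed sample values, as they would be read from the SYSTEM and SAM hives.
# They are NOT the challenge's real values.
SAMPLE_DHCP_IP = "192.168.1.50\x00"      # REG_SZ as stored on disk: NUL-terminated
SAMPLE_LEASE_OBTAINED = 1461321000       # REG_DWORD: seconds since 1970-01-01 UTC
# SAM\Domains\Account 'V' value: only the last 12 bytes carry the machine SID.
# Real 'V' data is much longer; the zero prefix here is filler.
SAMPLE_V = b"\x00" * 20 + struct.pack("<III", 1004336348, 1177238915, 682003330)


def reg_sz(raw: str) -> str:
    """Strip the trailing NUL that REG_SZ values carry when dumped raw."""
    return raw.rstrip("\x00")


def lease_time_utc(epoch_seconds: int) -> datetime:
    """LeaseObtainedTime / LeaseTerminatesTime are 32-bit Unix epoch values (UTC)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def machine_sid_from_v(v: bytes) -> str:
    """Build S-1-5-21-<a>-<b>-<c> from the last 12 bytes of SAM\\Domains\\Account\\V.
    The three sub-authorities are stored little-endian, so '<III' performs the same
    byte swap that the manual hex-editor approach does by hand."""
    if len(v) < 12:
        raise ValueError("V value too short to contain a machine SID")
    a, b, c = struct.unpack("<III", v[-12:])
    return f"S-1-5-21-{a}-{b}-{c}"


def user_sid(machine_sid: str, rid: int) -> str:
    """A local account's SID is the machine SID plus its RID; the RID is the hex name
    of the account's subkey under SAM\\Domains\\Account\\Users (e.g. 000003E8 = 1000)."""
    return f"{machine_sid}-{rid}"


if __name__ == "__main__":
    print("DhcpIPAddress     :", reg_sz(SAMPLE_DHCP_IP))
    print("LeaseObtainedTime :", lease_time_utc(SAMPLE_LEASE_OBTAINED).isoformat())
    sid = machine_sid_from_v(SAMPLE_V)
    print("Machine SID       :", sid)
    print("First local user  :", user_sid(sid, 0x3E8))
```

Comparing the three sub-authorities with the output of RegRipper’s SAM plugins, and the lease time with DCode’s Unix-seconds conversion, is the kind of cross-verification mentioned at the start: if the tool and the manual decode disagree, one of the two has the endianness or the epoch wrong.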
5. What is the Operating System(OS) version?
I found a license.rtf under ‘Windows/System32’ which contained some OS information.
7. How many times did this user log on to the computer?
Key: ‘SAM\Domains\Accounts\Users’
8. When was the last login time for the discovered account? Format: one-space between date and time
Same key as above.
9. There was a “Network Scanner” running on this computer, what was it? And when was the last time the suspect used it? Format: program.exe,YYYY-MM-DD HH:MM:SS UTC
We can find many executables in the Downloads directory, one of which is nmap-7.12-setup.exe. The Windows equivalent is called Zenmap.
For the last usage time, we’ll have to examine the prefetch files. First extract them from ‘Windows\Prefetch’.
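Prefetch tools hide a very small structure: a fixed header with the executable name and the hash that forms the .pf file name, then a file-information block with the last run time and run count, then the list of files the executable touched. The following is an added example, not from the original write-up or from any prefetch tool; it parses the uncompressed Windows 7 (version 23) layout and refuses other versions, since Windows 8/10 move the offsets and Windows 10 additionally compresses the file. It also covers questions 22 to 25: run count, last run time, and finding a .jar in the loaded-file list. The prefetch name ZENMAP.EXE-56B17C4C.pf is from the image; the run counts, timestamps, loaded-file paths, the JAVAW hash and the PLACEHOLDER-TOOL.JAR path are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME = 100-nanosecond ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch_v23(data: bytes) -> dict:
    """Parse the header and file-information block of a Windows 7 (v23) prefetch file."""
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (SCCA signature missing)")
    if version != 23:
        raise ValueError(f"unsupported prefetch version {version}; this parser handles v23 only")
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]   # hex part of the .pf name
    names_off, names_size = struct.unpack_from("<II", data, 0x64)
    last_run = struct.unpack_from("<Q", data, 0x80)[0]        # v23 stores one last-run time
    run_count = struct.unpack_from("<I", data, 0x98)[0]
    blob = data[names_off:names_off + names_size].decode("utf-16-le")
    return {
        "exe_name": exe_name,
        "pf_name": f"{exe_name}-{prefetch_hash:08X}.pf",
        "run_count": run_count,
        "last_run": filetime_to_datetime(last_run),
        "loaded_files": [n for n in blob.split("\x00") if n],
    }


def files_with_extension(parsed: dict, ext: str) -> list:
    """Loaded-file paths ending in ext (case-insensitive), e.g. '.jar'."""
    return [p for p in parsed["loaded_files"] if p.upper().endswith(ext.upper())]


def build_sample_prefetch(exe: str, pf_hash: int, run_count: int,
                          last_run: datetime, names: list) -> bytes:
    """Constructed v23 file: 84-byte header + 156-byte file information + filename strings.
    Only the fields parse_prefetch_v23 reads are filled; metrics/trace/volume parts stay zero."""
    blob = "".join(n + "\x00" for n in names).encode("utf-16-le")
    names_off = 0x54 + 156                         # strings follow the file-information block
    header = struct.pack("<I4sII", 23, b"SCCA", 0x11, names_off + len(blob))
    header += exe.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", pf_hash, 0)
    info = bytearray(156)
    struct.pack_into("<II", info, 0x64 - 0x54, names_off, len(blob))
    struct.pack_into("<Q", info, 0x80 - 0x54, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, 0x98 - 0x54, run_count)
    return header + bytes(info) + blob


# Constructed samples. ZENMAP.EXE-56B17C4C.pf is the name seen on the image; everything else
# below is made up. The JAVAW sample shows where a launched .jar is recorded: not as its own
# .pf file, but inside the loaded-file list of the Java launcher's prefetch entry.
SAMPLE_ZENMAP_PF = build_sample_prefetch(
    "ZENMAP.EXE", 0x56B17C4C, 3, datetime(2016, 4, 22, 10, 30, tzinfo=timezone.utc),
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES (X86)\NMAP\ZENMAP.EXE"])
SAMPLE_JAVAW_PF = build_sample_prefetch(
    "JAVAW.EXE", 0x12345678, 1, datetime(2016, 4, 22, 12, 0, tzinfo=timezone.utc),
    [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
     r"\DEVICE\HARDDISKVOLUME1\USERS\HUNTER\DOWNLOADS\PLACEHOLDER-TOOL.JAR"])

if __name__ == "__main__":
    for pf in (SAMPLE_ZENMAP_PF, SAMPLE_JAVAW_PF):
        info = parse_prefetch_v23(pf)
        print(info["pf_name"], info["run_count"], info["last_run"].isoformat(),
              files_with_extension(info, ".jar"))
```

Point the parser at the real files extracted from ‘Windows\Prefetch’ (read them in binary mode) and compare the last-run time and run count with what your prefetch tool shows; the times are FILETIME, so the tool’s time-zone setting is the usual source of a one-off mismatch.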
10. When did the port scan end? (Example: Sat Jan 23 hh:mm:ss 2016)
I found the output results in a file called nmapscan.xml which was located on the Desktop.
11. How many ports were scanned?
12. What ports were found “open”? (comma-separated, ascending)
13. What was the version of the network scanner running on this computer?
14. The employee engaged in a Skype conversation with someone. What is the skype username of the other party?
15. What is the name of the application both parties agreed to use to exfiltrate data and provide remote access for the external attacker in their Skype conversation?
16. What is the Gmail email address of the suspect employee?
17. It looks like the suspect user deleted an important diagram after his conversation with the external attacker. What is the file name of the deleted diagram?
I had to spend quite a while on this one as it was unclear what the communication platform was. None of the Skype artifacts contained any such diagrams. Their initial contact was on Skype, and then they started sending emails back and forth.
Outlook maintains a local backup copy called backup.pst which we find under ‘Users/Hunter/Documents/Outlook Files’. Open it up in a .pst/.ost parser; I used the one from SysTools.
18. The user Documents’ directory contained a PDF file discussing data exfiltration techniques. What is the name of the file?
Browse the user’s Documents directory :P
19. What was the name of the Disk Encryption application Installed on the victim system? (two words space separated)
I was also stuck on this one for a long time. I checked for applications that were installed at some point in the registry in the following places:
‘SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall’
‘SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall’
But I couldn’t find anything; then in the ‘Program Files (x86)’ directory, I noticed an application called ‘BCWipe’ from ‘Jetico’. It left an UnInstall.log file which reveals a bunch of utilities it offers.
20. What are the serial numbers of the two identified USB storage?
Key: ‘SYSTEM\ControlSet001\Enum\USBSTOR’
21. One of the installed applications is a file shredder. What is the name of the application? (two words space separated)
22. How many prefetch files were discovered on the system?
23. How many times was the file shredder application executed?
24. Using prefetch, determine when was the last time ZENMAP.EXE-56B17C4C.pf was executed?
Already covered in question #9.
25. A JAR file for an offensive traffic manipulation tool was executed. What is the absolute path of the file?
There are multiple places to look, like UserAssist, AppCompatCache and Amcache.hve. But for the sake of learning, this challenge has removed all those artifacts, so we are left with but one option: Prefetch.
Search for the .jar file type in the prefetch data; it is easily identifiable once you shortlist them.
We can confirm this with Lnk analysis: export all the .lnk files from ‘Users/Hunter/AppData/Roaming/Microsoft/Windows/Recent’, and load them in LinkParser.
26. The suspect employee tried to exfiltrate data by sending it as an email attachment. What is the name of the suspected attachment?
27. Shellbags shows that the employee created a folder to include all the data he will exfiltrate. What is the full path of that folder?
We can already browse different directories in FTK Imager, but here it is important to understand the value of shellbags. If a directory is opened in a view, the UsrClass.dat hive will keep an entry for it indefinitely unless it is manually deleted. Shellbags contain metadata like timestamps and the absolute path, which is helpful in timelining and in proving that a particular user account accessed a folder.
Open up UsrClass.dat in ShellBagsExplorer.
28. The user deleted two JPG files from the system and moved them to $Recycle-Bin. What is the file name that has the resolution of 1920x1200?
View the deleted images from $Recycle-Bin and match the one with given resolution to the images found on the disk image.
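Each deleted file in the user’s ‘$Recycle.Bin\<SID>’ folder (the SID from question 4) is stored as a pair: ‘$I<suffix>’ holds the original path, size and deletion time, and ‘$R<suffix>’ holds the content. The resolution never appears in the $I record, so it has to be read from the image data itself. The following is an added example, not code from the write-up or from any tool; it decodes $I records (version 1 for Vista/7/8, version 2 for Windows 10), reads the width and height from a JPEG’s SOF marker, and matches the two. The $I/$R samples, file names, sizes and timestamps are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_recycle_bin_i(data: bytes) -> dict:
    """Decode a $I<suffix> record; the matching $R<suffix> file holds the content.
    Version 1 (Vista/7/8): 8-byte version, 8-byte size, FILETIME, fixed 520-byte path.
    Version 2 (Windows 10+): same, but the path is prefixed with its character count."""
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        path_raw = data[24:24 + 520]
    elif version == 2:
        nchars = struct.unpack_from("<I", data, 24)[0]
        path_raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = path_raw.decode("utf-16-le").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_at": filetime_to_datetime(ft), "original_path": path}


def jpeg_dimensions(data: bytes) -> tuple:
    """Walk JPEG marker segments to the first SOF marker and return (width, height).
    Only the header is needed, so this also works on a truncated $R file."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (SOI marker missing)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos + 1 < len(data) and data[pos + 1] == 0xFF:   # skip fill bytes
            pos += 1
        marker = data[pos + 1]
        if marker == 0xD9:                                      # EOI before any SOF
            break
        length = struct.unpack_from(">H", data, pos + 2)[0]
        if 0xC0 <= marker <= 0xCF and marker not in (0xC4, 0xC8, 0xCC):   # SOF0..SOF15
            _precision, height, width = struct.unpack_from(">BHH", data, pos + 4)
            return width, height
        pos += 2 + length
    raise ValueError("no SOF segment found")


def find_deleted_by_resolution(bin_entries: dict, width: int, height: int) -> list:
    """bin_entries maps '$I...' names to ($I bytes, $R bytes). Returns the original
    paths of deleted JPEGs whose SOF header reports the requested resolution."""
    hits = []
    for _name, (i_data, r_data) in bin_entries.items():
        meta = parse_recycle_bin_i(i_data)
        try:
            if jpeg_dimensions(r_data) == (width, height):
                hits.append(meta["original_path"])
        except ValueError:
            continue                                            # not a JPEG, or damaged
    return hits


# --- constructed sample data (not from the challenge image) ---
def make_recycle_i(path: str, size: int, deleted_at: datetime) -> bytes:
    return struct.pack("<QQQ", 1, size, datetime_to_filetime(deleted_at)) + \
        path.encode("utf-16-le").ljust(520, b"\x00")


def make_jpeg_header(width: int, height: int) -> bytes:
    """Minimal JPEG: SOI, one baseline SOF0 segment (8-bit, 3 components), EOI."""
    sof = struct.pack(">BHHB", 8, height, width, 3) + b"\x01\x22\x00\x02\x11\x01\x03\x11\x01"
    return b"\xff\xd8\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof + b"\xff\xd9"


SAMPLE_BIN = {
    "$IABC123.jpg": (make_recycle_i(r"C:\Users\Hunter\Pictures\photo_a.jpg", 350_000,
                                    datetime(2016, 4, 22, 11, 5, tzinfo=timezone.utc)),
                     make_jpeg_header(1920, 1200)),
    "$IDEF456.jpg": (make_recycle_i(r"C:\Users\Hunter\Pictures\photo_b.jpg", 120_000,
                                    datetime(2016, 4, 22, 11, 6, tzinfo=timezone.utc)),
                     make_jpeg_header(1280, 800)),
}

if __name__ == "__main__":
    for name, (i_data, r_data) in SAMPLE_BIN.items():
        meta = parse_recycle_bin_i(i_data)
        print(name, meta["original_path"], meta["deleted_at"].isoformat(), jpeg_dimensions(r_data))
    print("1920x1200:", find_deleted_by_resolution(SAMPLE_BIN, 1920, 1200))
```

The deletion FILETIME from the $I record is the timestamp to carry into the timeline, since it is the one that orders the deletion relative to the Skype and email activity.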
29. Provide the name of the directory where information about jump lists items (created automatically by the system) is stored?
Jump lists are stored at ‘Users/User/AppData/Roaming/Microsoft/Windows/Recent’ by default, under 2 directories: ‘AutomaticDestinations’ & ‘CustomDestinations’.
30. Using JUMP LIST analysis, provide the full path of the application with the AppID of “aa28770954eaeaaa” used to bypass network security monitoring controls.
Load the previously mentioned jumplists from ‘CustomDestinations’ in JumpListExplorer.
Chronological Timelining
Now that we’re done with the questions, let us look at some additional artifacts that will help us in timelining. Please don’t limit yourselves to the scope of the challenge; if you find something interesting to investigate, learn about it actively.
Internet Explorer History
Participants:
The Outsider/Accomplice: Linuxrules (L)
The Suspect: Hunter (H)
TODO: Look into Tor Browser forensics and comeback to this.