Scenario

A critical network infrastructure has encountered significant operational disruptions, leading to system outages and compromised machines. Public message boards displayed politically charged messages, and several systems were wiped, causing widespread service failures. Initial investigations reveal that attackers compromised the Active Directory (AD) system and deployed wiper malware across multiple machines.

Fortunately, during the attack, an alert employee noticed suspicious activity and immediately powered down several key systems, preventing the malware from completing its wipe across the entire network. However, the damage has already been done, and your team has been tasked with investigating the extent of the compromise.

You have been provided with forensic artifacts collected via KAPE SANS Triage from one of the affected machines to determine how the attackers gained access, the scope of the malware’s deployment, and what critical systems or data were impacted before the shutdown.

Questions

1. The attack began with using a Group Policy Object (GPO) to execute a malicious batch file. What is the name of the malicious GPO responsible for initiating the attack by running a script?

Analyzing the SOFTWARE Registry Hive found in:

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\System32\config

Analyzing the Policies registry key in:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History

We find a GPO called DeploySetup

This policy deploys a setup.bat:

2. During the investigation, a specific file containing critical components necessary for the later stages of the attack was found on the system. This file, expanded using a built-in tool, played a crucial role in staging the malware. What is the name of the file, and where was it located on the system? Please provide the full file path.

We have all the logs in:

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\System32\winevt\logs

I transformed all the logs to a csv file using EVTXECmd.exe:

EVTXECmd.exe -d "C:\Artifacts\C\Windows\System32\winevt\logs" 
--csv "C:\Output\EVTX"

I then searched for zip, tar, and cab files and found:

C:\ProgramData\Microsoft\env\env.cab

3. The attacker employed password-protected archives to conceal malicious files, making it important to uncover the password used for extraction. Identifying this password is key to accessing the contents and analyzing the attack further. What is the password used to extract the malicious files?

Following the previous command, we find this command:

The password is hence:

hackemall

4. Several commands were executed to add exclusions to Windows Defender, preventing it from scanning specific files. This behavior is commonly used by attackers to ensure that malicious files are not detected by the system’s built-in antivirus. Tracking these exclusion commands is crucial for identifying which files have been protected from antivirus scans. What is the name of the first file added to the Windows Defender exclusion list?

I searched for Add-MpPreference and found update.bat was the first file

5. A scheduled task has been configured to execute a file after a set delay. Understanding this delay is important for investigating the timing of potential malicious activity. How many seconds after the task creation time is it scheduled to run?

Note: Consider the system’s time zone when answering questions related to time.

Searching for Schedule Tasks in SOFTWARE Hive, we find:

mstask

Pivoting to Event Logs, we find the below events related to the scheduled task:

The delay is 3.5 (inside the AddMinutes function) which is equivalent to 210 seconds

6. After the malware execution, the wmic utility was used to unjoin the computer system from a domain or workgroup. Tracking this operation is essential for identifying system reconfigurations or unauthorized changes. What is the Process ID (PID) of the utility responsible for performing this action?

Searching for wmic in the event logs, we find:

It has proccess ID 7492

7. The malware executed a command to delete the Windows Boot Manager, a critical component responsible for loading the operating system during startup. This action can render the system unbootable, leading to serious operational disruptions and making recovery more difficult. What command did the malware use to delete the Windows Boot Manager?

I researched how to delete Windows Boot Manager using cmd and found it is possible using bcdedit. So I searched in the event log for bcdedit and found the following command:

C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f

8. The malware created a scheduled task to ensure persistence and maintain control over the compromised system. This task is configured to run with elevated privileges every time the system starts, ensuring the malware continues to execute. What is the name of the scheduled task created by the malware to maintain persistence?

Can be found in Log Events when searching for Schedule Tasks:

Aa153!EGzN

9. A malicious program was used to lock the screen, preventing users from accessing the system. Investigating this malware is important to identify its behavior and mitigate its impact. What is the name of this malware? (not the filename)

Following the bcdedit of the previous question, I found the following command:

Looking for the hash on virus total:

We find it is:

breakwin

10. The disk shows a pattern where malware overwrites data (potentially with zero-bytes) and then deletes it, a behavior commonly linked to Wiper malware activity. The USN (Update Sequence Number) is vital for tracking filesystem changes on an NTFS volume, enabling investigators to trace when files are created, modified, or deleted, even if they are no longer present. This is critical for building a timeline of file activity and detecting potential tampering. What is the USN associated with the deletion of the file msuser.reg?

I parsed the USN journal using MFTECmd.exe:

MFTECmd.exe -f C:\Users\Administrator\Desktop\$J --csv C:\Users\Administrator\Desktop

I opened the result using Timeline Explorer and searched for msuser.reg: