Scenario

CyberSecure Dynamics, a rapidly expanding technology services firm, has identified anomalous activity within its cloud-hosted SQL Server environment, attributed to outdated authentication configurations and weak default accounts. As an incident responder, your responsibility is to conduct a thorough investigation, analyze the relevant artifacts, reconstruct the timeline of events, identify exploited vulnerabilities and misconfigurations, and assess the full scope of the compromise—all while ensuring the confidentiality of specific attacker techniques.

Questions

Initial Access

1. The attacker attempts to gain access by compromising a privileged SQL Server account. Which MITRE ATT&CK ID corresponds to this credential access technique, and what specific account was targeted?

• Searching online for MITRE brute force, we find T1110
• I transformed the evtx provided logs to csv using EVTXCmd.exe:

EvtxECmd.exe -d "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\System32\winevt\logs" --csv C:\Users\Administrator\Desktop

I then started skimming the logs and found a brute for account sa:

The answer is hence:

T1110,sa

2. When was the last time the attacker successfully logged in or authenticated to the SQL Server using the compromised account?

2025-03-09 11:32

3. What was the source IP address used by the attacker when attempting to access the SQL Server?

The IP can be found in Payload Data3 column:

Execution

4. What is the full command executed to extract the contents of the archive downloaded from the attacker’s machine?

In the logs, after the brute force, we find the command:

C:\Users\Public\xx.exe x C:\Users\Public\XeX.7z -oC:\Users\Public -y

5. What is the name of the shell exploited by the attacker during the incident, and which MITRE ATT&CK technique identifier is associated with its misuse?

In logs, after the brute force, we find MSSQLSERVER configuration change, where xp_cmdshell was changed from 0 to 1:

6. After gaining initial access and launching a shell, a new process was spawned to execute commands. What is the Process ID (PID) of this process, and what is its full command-line?

6868, "C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe" -sMSSQLSERVER

7. At what precise time did the attacker initiate modifications to the shell configuration utilized during the attack?

The MSSQLSERVER configuration change log is associated with its relevant time:

2025-03-09 11:40:42

Defense Evasion

8. The attacker attempts to evade detection using an ineffective method, but analyzing their attack sequence and skill level is crucial. Which antivirus vendor was the first to be targeted by the attacker?

Analyzing the logs, we find the user started by killing processes. The first one was avp.exe and doing a google search, we find it is related to kaspersky:

Persistence

9. What is the full path of the batch file created by the attacker, which contains multiple commands essential to their attack, such as user account creation, privilege escalation, and system configuration modifications?

The batch file can be found in the logs:

10. Which account did the attacker use for persistence, and in which registry path did they attempt to hide this account from the Windows login screen?

The account and the registry key can be found in the logs:

11. Understanding how the attacker established WMI-based persistence is crucial for detecting and mitigating long-term unauthorized access. What is the BMof file used to create the WMI persistence, what is the name of the WMI Consumer event registered by the attacker, and what is the full path of the file executed as a result of this WMI setup?

NF.bmof,BatConsumer,C:\Users\Public\Xex\mi.bat

I collected different parts of the answer from different log entries

Event Log 20:

12. What is the full registry key path where the attacker added the Debugger value to maintain persistence, and what is the exact data assigned to that value?

Searching for Debugger in the logs we find:

The answer is:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\svchost.exe, C:\Users\Public\XeX\services.exe

Credential Access & Privilege Escalation

13. What is the full registry command executed by the attacker to modify Windows security settings and enable plaintext credential storage, aiding in credential theft?

The registry command can be found in the logs:

reg  add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest" /v UseLogonCredential /t REG_DWORD /d 1 /f 

14. What is the complete file path of the encoded file that was later used to escalate privileges?

In the logs, we find the user downloaded FM.txt:

15. It seems the attacker used a proof-of-concept privilege escalation tool for NetworkService that’s available on GitHub. What is the full link to the GitHub repository for this tool?

https://github.com/decoder-it/NetworkServiceExploit

Command and Control

16. What is the attacker’s machine IP used for downloading files during the attack activities?

It can be found in the command used to download FM.txt:

18.184.228.195

17. The attacker’s main objective seems to be the deployment of mining software. What is the MD5 hash of the miner?

At the end, we can find the cryptominer log:

F6D520AE125F03056C4646C508218D16