Trigona Ransomware Lab – CyberDefenders

Disk Analysis

Scenario

As a forensic investigator at IResponseDash, you are tasked with examining a ransomware attack that has compromised multiple endpoints. Your primary objective is to determine the delivery method of the ransomware and to trace all activities of the attacker to understand the progression of the attack.

To accomplish this, you will analyze logs, review system and network activities, and gather evidence of the attacker’s actions. This investigation will allow you to provide recommendations for addressing the current incident and enhancing defenses to prevent future attacks.

Questions

Q1. Knowing the IP address of the machine that initiated the attack helps trace the attack’s origin. What is the IP address of the attacker’s machine?

Filtering the Security log on Event ID 4624 (successful logon) and keeping only Logon Type 3 (network) and Logon Type 10 (RemoteInteractive, i.e. RDP), both sets of events carry the same source IP:

192.168.19.100

Q2. Knowing the account used by the attacker helps track activities and identify compromised accounts. What is the SID of the account the attacker used to gain initial access on the victim machine?

  • From the previous question, the account that authenticated from that IP was Hanii_IT.
  • Filtering the 4624 events on this account, the TargetUserSid field gives the SID:
S-1-5-21-1393444541-2628512620-2908104607-1112
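Q1 and Q2 are the same triage step: flatten the 4624 events, keep the logon types that imply a remote host, and group by source address and account. The script below is an added example, not part of the original write-up; it runs over a constructed CSV in the shape of the 4624 EventData fields (TargetUserName, TargetUserSid, LogonType, IpAddress, WorkstationName). Only the attacker IP and the Hanii_IT SID are taken from the answers above, every other row and timestamp is illustrative.

```python
import csv
import io
from collections import Counter

# Constructed sample: Security 4624 events flattened to their EventData field names.
# Only 192.168.19.100 and the Hanii_IT SID come from the write-up; other values are made up.
SAMPLE_4624 = """TimeCreated,EventId,TargetUserName,TargetUserSid,LogonType,IpAddress,WorkstationName
2024-03-01 09:12:01,4624,IT-MACHINE$,S-1-5-18,5,-,-
2024-03-01 09:12:44,4624,Hanii_IT,S-1-5-21-1393444541-2628512620-2908104607-1112,3,192.168.19.100,KALI
2024-03-01 09:13:10,4624,Hanii_IT,S-1-5-21-1393444541-2628512620-2908104607-1112,10,192.168.19.100,KALI
2024-03-01 09:13:12,4624,Hanii_IT,S-1-5-21-1393444541-2628512620-2908104607-1112,7,127.0.0.1,IT-MACHINE
2024-03-01 09:20:00,4624,Administrator,S-1-5-21-1393444541-2628512620-2908104607-500,2,-,IT-MACHINE
"""

# Logon types that imply a connection from another host: 3 = network (SMB/RPC/WinRM),
# 10 = RemoteInteractive (RDP). Types 2/7/11 are console logons and 5 is a service start.
REMOTE_LOGON_TYPES = {"3", "10"}
# Addresses that never point at an attacker box; "-" is what 4624 logs for local logons.
LOCAL_ADDRS = {"-", "", "127.0.0.1", "::1"}


def load_events(csv_text):
    """Parse the flattened CSV into a list of dicts, one per event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def remote_logons(events):
    """4624 events whose logon type and source address both indicate a remote host."""
    return [e for e in events
            if e["EventId"] == "4624"
            and e["LogonType"] in REMOTE_LOGON_TYPES
            and e["IpAddress"] not in LOCAL_ADDRS]


def source_summary(events):
    """(IpAddress, TargetUserName, TargetUserSid) tuples for remote logons, most
    frequent first, so the external source and the account it used float to the top."""
    counts = Counter((e["IpAddress"], e["TargetUserName"], e["TargetUserSid"])
                     for e in remote_logons(events))
    return counts.most_common()


def first_remote_logon(events):
    """Earliest remote logon by TimeCreated, i.e. the initial access event."""
    hits = sorted(remote_logons(events), key=lambda e: e["TimeCreated"])
    return hits[0] if hits else None


if __name__ == "__main__":
    ev = load_events(SAMPLE_4624)
    for (ip, user, sid), n in source_summary(ev):
        print(f"{ip:16} {user:16} {sid}  ({n} logons)")
    first = first_remote_logon(ev)
    print("initial access:", first["TimeCreated"], "type", first["LogonType"],
          "from", first["IpAddress"], "as", first["TargetUserName"], first["TargetUserSid"])
```

On a real case, export the Security log with EvtxECmd (or Get-WinEvent) to CSV, map the EventData fields to the column names used here, and run the same functions; the SID comes straight from TargetUserSid, so no separate user lookup is needed.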

Q3. Identifying PowerShell commands reveals attackers’ activities such as avoiding detection. What was the first PowerShell command the attacker used for defense evasion?

Filtering the Windows PowerShell log on Event ID 400 (engine started), whose HostApplication field records the command line that launched the engine, we find:

Set-MpPreference -DisableRealtimeMonitoring $true
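Event ID 400 messages are free text, so the useful part is the `HostApplication=` line inside the Details block. The script below is an added example, not code from the write-up: it extracts that line from constructed Event ID 400 messages (built in the real event's layout), runs a small set of defense-evasion patterns over each command line, and returns the earliest hit. The Set-MpPreference command is the one named above; the other command lines, timestamps and the rule names are illustrative assumptions.

```python
import re

# The HostApplication line inside the Details block of an Event ID 400 message.
HOST_APP_RE = re.compile(r"^\s*HostApplication=(.*)$", re.M)

# Command-line traits that line up with defense evasion: Defender tampering,
# execution-policy bypass, hidden/encoded execution, log clearing. Names are our own.
RULES = [
    ("defender_tamper",       re.compile(r"Set-MpPreference\s+.*-Disable\w+", re.I)),
    ("defender_exclusion",    re.compile(r"Add-MpPreference\s+.*-Exclusion\w+", re.I)),
    ("defender_service_stop", re.compile(r"(Stop-Service|sc(\.exe)?\s+(stop|config)).*WinDefend", re.I)),
    ("exec_policy_bypass",    re.compile(r"-(ex|ep|executionpolicy)\s+(bypass|unrestricted)", re.I)),
    ("hidden_window",         re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("encoded_command",       re.compile(r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("log_clearing",          re.compile(r"(wevtutil\s+cl\b|Clear-EventLog)", re.I)),
]


def make_400(host_application):
    """Build a message body in the layout of a real Event ID 400 (constructed sample)."""
    return ("Engine state is changed from None to Available. \n\nDetails: \n"
            "\tNewEngineState=Available\n\tPreviousEngineState=None\n\n"
            "\tSequenceNumber=13\n\n\tHostName=ConsoleHost\n\tHostVersion=5.1.19041.1\n"
            f"\tHostApplication={host_application}\n\tEngineVersion=5.1.19041.1\n")


# Constructed sample events as (TimeCreated, Message), deliberately out of order.
# Only the Set-MpPreference command line comes from the write-up.
SAMPLE_400 = [
    ("2024-03-01 09:05:00", make_400(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe")),
    ("2024-03-01 09:30:00", make_400(r'powershell.exe -c "Get-NetIPConfiguration"')),
    ("2024-03-01 09:15:00", make_400(r'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"')),
    ("2024-03-01 09:16:00", make_400(r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\Hanii_IT\AppData\Local\Temp\enum.ps1")),
]


def host_application(message):
    """Pull the HostApplication value out of an Event ID 400 message, or None."""
    m = HOST_APP_RE.search(message)
    return m.group(1).strip() if m else None


def classify(command_line):
    """Names of the evasion rules a command line trips (empty list = nothing suspicious)."""
    return [name for name, rx in RULES if rx.search(command_line)]


def defense_evasion_timeline(events):
    """(time, command line, rules) for every event that trips a rule, in time order."""
    hits = []
    for ts, msg in sorted(events, key=lambda e: e[0]):
        cmd = host_application(msg)
        if cmd is None:
            continue
        rules = classify(cmd)
        if rules:
            hits.append((ts, cmd, rules))
    return hits


def first_defense_evasion(events):
    """The earliest defense-evasion command, which is what Q3 asks for."""
    timeline = defense_evasion_timeline(events)
    return timeline[0] if timeline else None


if __name__ == "__main__":
    for ts, cmd, rules in defense_evasion_timeline(SAMPLE_400):
        print(ts, ",".join(rules), "::", cmd)
```

Keep Event ID 4104 (Script Block Logging) in mind as a second source when it is enabled: Event ID 400 only sees the command line that started the engine, not commands typed into an already running console.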

Q4. We need to find the enumeration output file revealing the network information gathered by the attacker. What is the TXT filename output of one of the network enumeration activities performed by the attacker?

Parsing the $MFT (for example with MFTECmd) and filtering for .txt files created during the attack window, we find:

ipall.txt

Q5. Identifying the tools used reveals the methods and scope of network enumeration. After gathering basic information about the network, what third-party tool did the attacker use to identify the file share and perform network enumeration?

Among the Prefetch files (*.pf under C:\Windows\Prefetch), which record each executable that has run, we find an entry for:

Netscan

Q6. Knowing the tool used for data exfiltration helps in identifying the methods and channels used by the attacker to exfiltrate sensitive data. What command-line tool did the attacker use to attempt data exfiltration?

Prefetch also holds an entry for the command-line sync tool:

Rclone

Q7. Identifying the IP addresses of the machines involved in lateral movement helps map the attacker’s path and understand the attack’s scope. Can you provide the IP address of the machine to which the attacker moved laterally and the IP address of the initial access machine?

The first IP appears in Event ID 24 of the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational log, which is written when an RDP session is disconnected and carries a Source Network Address field:

192.168.31.130

The local IP of the initial access machine comes from its offline SYSTEM hive. Each network adapter has a subkey under the following path, and its IPAddress (static) or DhcpIPAddress (DHCP-assigned) value holds the address:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\<interface GUID>

(CurrentControlSet is a runtime alias that does not exist in an offline hive; SYSTEM\Select\Current tells you which ControlSet00N was the active one.)

The answer to the question is hence:

192.168.31.130, 192.168.31.129

Q8. Knowing the path of the file share targeted by the attacker helps in identifying compromised data and understanding the attack’s impact. What is the full path of the file share on the file server that was targeted by the attacker?

  • We have the artefacts of the file server, and the volume that hosts the share is mounted under drive letter F.
  • In the file server's $MFT, the targeted files sit under Shares\BusinessMaterial on that volume.
  • Hence, the answer is:
F:\Shares\BusinessMaterial

Q9. Identifying the SHA1 file hash of the malware helps in verifying the exact malicious file and correlating it with known malware signatures. What is the SHA1 file hash of the ransomware run on the file server and IT-machine?

  • Analyzing the $MFT, the event logs and Amcache.hve shows that the attacker executed final.exe.
  • To get the SHA1, we parse Amcache.hve with AmcacheParser (the --csv argument is the output directory):
AmcacheParser.exe -f "C:\Users\Administrator\Desktop\Start Here\Artifacts\IT-Machine\Evidence-IT\C\Windows\AppCompat\Programs\Amcache.hve" --csv C:\Users\Administrator\Desktop

The SHA1 field of the resulting CSV gives the hash (AmcacheParser strips the "0000" prefix that the hive prepends to the hash in its FileId value):

cfaa59dd3288387f62efbf54477d531f4d3964f3

Q10. Knowing the extension of encrypted files can potentially help us with identifying the ransomware variant. What is the file extension of the encrypted files?

Listing the parsed $MFT by extension, the encrypted documents all carry an appended extension that no legitimate file type uses:

_vNrFy5
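Q4 and Q10 both come down to slicing a parsed $MFT: once for .txt files created in the attack window, once for the extension the ransomware appended. The script below is an added example, not the write-up's own code. It parses a constructed CSV in the style of MFTECmd output (ParentPath, FileName and Created0x10 are real MFTECmd column names; the rows mix IT-machine and file-server paths purely for illustration). The filter for the encrypted extension is general: it looks for a trailing extension sitting on top of a document extension, so a legitimate double extension such as archive.tar.gz is not flagged. Only ipall.txt, Shares\BusinessMaterial, _vNrFy5 and how_to_decrypt.hta come from the answers on this page.

```python
import csv
import io
import os
from collections import Counter
from datetime import datetime

# Extensions a ransomware binary typically encrypts. A stem that still carries one of
# these underneath a second, unknown extension is the signature of an appended extension.
DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt",
            ".csv", ".jpg", ".png", ".zip", ".bak", ".sql"}

# Constructed sample in the style of MFTECmd's CSV. Timestamps and most names are made up;
# only ipall.txt, Shares\BusinessMaterial, ._vNrFy5 and how_to_decrypt.hta are from the lab.
SAMPLE_MFT = r"""EntryNumber,InUse,ParentPath,FileName,FileSize,Created0x10
100,True,.\Users\Hanii_IT\Desktop,ipall.txt,2048,2024-03-01 09:30:12.1234567
101,True,.\Users\Hanii_IT\Desktop,netscan.exe,3145728,2024-03-01 09:40:00.0000000
102,True,.\Users\Hanii_IT\Documents,notes.txt,300,2023-11-02 14:10:00.0000000
103,True,.\Shares\BusinessMaterial,Q1_report.docx._vNrFy5,51200,2024-03-01 11:02:33.0000000
104,True,.\Shares\BusinessMaterial,customers.xlsx._vNrFy5,80000,2024-03-01 11:02:34.0000000
105,True,.\Shares\BusinessMaterial,contract.pdf._vNrFy5,120000,2024-03-01 11:02:35.0000000
106,True,.\Shares\BusinessMaterial,how_to_decrypt.hta,4096,2024-03-01 11:02:36.0000000
107,True,.\Users\Hanii_IT\AppData\Local\Temp,how_to_decrypt.hta,4096,2024-03-01 11:03:00.0000000
108,True,.\Users\Hanii_IT\Downloads,archive.tar.gz,9000,2023-12-20 08:00:00.0000000
109,True,.\Windows\System32,drivers.etl,12000,2023-10-01 00:00:00.0000000
"""


def _ts(text):
    # Created0x10 carries seven fractional digits; the seconds are enough for windowing.
    return datetime.strptime(text[:19], "%Y-%m-%d %H:%M:%S")


def load_mft(csv_text):
    """Parse the CSV, adding a datetime and a full path to every row."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        r["created"] = _ts(r["Created0x10"])
        r["full_path"] = r["ParentPath"] + "\\" + r["FileName"]
        rows.append(r)
    return rows


def txt_files_in_window(rows, start, end):
    """(created, full path) of .txt files created between start and end (ISO strings).
    Enumeration output is written shortly after initial access, so the window from the
    first remote logon to the encryption burst cuts the $MFT down to what matters."""
    lo, hi = _ts(start), _ts(end)
    return sorted((r["created"], r["full_path"]) for r in rows
                  if r["FileName"].lower().endswith(".txt") and lo <= r["created"] <= hi)


def appended_extension_candidates(rows):
    """Count trailing extensions that sit on top of a document extension, e.g.
    report.docx._vNrFy5 -> '._vNrFy5'. archive.tar.gz is skipped because .tar is
    not in DOC_EXTS. Case is preserved so the answer matches the on-disk name."""
    counts = Counter()
    for r in rows:
        stem, ext = os.path.splitext(r["FileName"])
        inner = os.path.splitext(stem)[1].lower()
        if ext and inner in DOC_EXTS and ext.lower() not in DOC_EXTS:
            counts[ext] += 1
    return counts


def ransomware_extension(rows):
    """Most frequent appended extension, or None if nothing looks encrypted."""
    counts = appended_extension_candidates(rows)
    return counts.most_common(1)[0][0] if counts else None


def ransom_notes(rows, stem="how_to_decrypt"):
    """Paths of ransom notes dropped beside the encrypted files (note name from the lab)."""
    return sorted(r["full_path"] for r in rows if r["FileName"].lower().startswith(stem))


if __name__ == "__main__":
    mft = load_mft(SAMPLE_MFT)
    for created, path in txt_files_in_window(mft, "2024-03-01 09:12:00", "2024-03-01 12:00:00"):
        print("enumeration output?", created, path)
    print("appended extensions:", appended_extension_candidates(mft))
    print("ransomware extension:", ransomware_extension(mft))
    print("ransom notes:", ransom_notes(mft))
```

The appended-extension heuristic is what makes this reusable across variants: it does not need the extension in advance, only the observation that ransomware keeps the original name and tacks its own marker onto the end.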

Q11. Determining the registry modifications by the malware is crucial for identifying its malicious activities. What registry value did the malware add to display its ransom message?

The persistence entry sits in the per-user Run key of Hanii_IT's NTUSER.DAT hive (HKCU when the hive is loaded), which launches the HTA ransom note at every logon:

Software\Microsoft\Windows\CurrentVersion\Run 

The value's data is the path of the note:

c:\users\hanii_it\appdata\local\temp\how_to_decrypt.hta