Answers to Case 001
SPOILERS!
README.TXT:
This lab, and the training that goes with it, is done in my spare time. Life has been coming at me fast over the past few weeks. The following is a pretty solid timeline of events along with the necessary information to start checking your work. Some of the times are approximate until the more thorough forensic analysis can be completed. For now the information comes from quick analysis and the attack log roughly maintained during the attack run that generated these artifacts. I appreciate your patience. Happy Hunting!
Current State: Functional Answers for folks to start checking their work. Not the final edition!
Summary
NOTE: The UTC Offset for the virtual machines was incorrectly set to -7. The Virtual Router that collected the PCAP at the network was correctly set to UTC -6! Adjustments during timeline analysis will need to be made. This stresses the importance of properly interviewing the victim network owner, taking good notes during collection, and paying attention during the investigation.
Summary (all times following are 19 September 2020, UTC): On September 19th, 2020 at 02:21 UTC an attacker from 194.61.24.102 began a successful brute force against the Domain Controller 10.42.85.10 using Hydra to gain access as the user "Administrator". The attacker used Internet Explorer to download coreupdater.exe from 194.61.24.102 over HTTP at 02:24:06. The attacker then began searching, exfiltrating, and manipulating data using a combination of Meterpreter and the RDP GUI session. The adversary moved laterally to the client machine Desktop-SDN1RPT via RDP from the DC. Using the same methodology seen on the DC, the attacker downloaded and installed the same malware. Data was located and exfiltrated from the desktop system in the same fashion as on the DC. The attacker logged out of the RDP sessions and an un-migrated Meterpreter session died. The adversary logged in a second time, restarted the Meterpreter session, migrated it, and then exited the RDP session.
Timeline
All Times UTC for 19 September 2020 (@ indicates approximate time):
- 02:19 – Single NMAP Probe of TCP Port 3389 from 194.61.24.102
- 02:21 – RDP Brute Force begins with Hydra from 194.61.24.102
- 02:21 – CITADEL\Administrator successfully logs in over RDP from 194.61.24.102
- 02:24:06 – Compromised Account uses Internet Explorer to download meterpreter from 194.61.24.102 over HTTP to the DC
- 02:27:49 – Malware installed as a Windows AutoStart Service with Local System privileges on the DC
- @02:30 – Secrets from the file server are placed into a secret.zip file using the Windows GUI
- @02:31 – Secret.zip is exfiltrated, then deleted, using meterpreter
- 02:32:21 – Szechuan Sauce.txt is accessed by the attacker!!
- 02:34 – Secret_Beth.txt is deleted from the DC File Share
- 02:34 – Beth_Secret.txt with a different secret is created on the DC file share
- 02:35 – Attacker initiates lateral movement with RDP to the Desktop-SDN1RPT system
- @02:38 – Beth_Secret.txt is timestomped with meterpreter so that it matches the time of PortalGunsPlans.txt on the DC
- 02:40 – Compromised Account uses Internet Explorer to download meterpreter from 194.61.24.102 over HTTP to the Desktop system
- @02:41 – Malware persistence is installed on the Desktop system as a service (same as DC) and in the registry (same as the DC).
- @02:46 – loot.zip is created on the Desktop system using the File Explorer (aka the GUI).
- @02:48 – loot.zip is exfiltrated and then deleted from the Desktop System
- @02:50 (8:50 PM local, noted as 0850) – Rick Sanchez discovery?! (More to follow)
- @02:52 (8:52 PM local, noted as 0852) – Attacker terminates the first RDP Session with the DC
(More will be added in addition to event times being refined).
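To check the first three timeline entries (the 02:21 Hydra burst against TCP/3389 followed by the Administrator RDP logon) against the DC's Security log, here is a threshold detection in Python. It is an added example, not code from the lab or its author: the logon records are constructed to mirror the fields of a Security.evtx export (4625 failed logon, 4624 successful logon, LogonType 10 for RDP), and the 25-failure burst, the second source IP and its user are assumptions made for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _t(hms: str) -> datetime:
    # Helper for the constructed sample: all times are UTC on 19 Sep 2020.
    return datetime.fromisoformat("2020-09-19T" + hms)


# Constructed sample records (assumption: not an export from the case's
# Security.evtx). 4625 = failed logon, 4624 = successful logon,
# LogonType 10 = RemoteInteractive (RDP). With NLA enabled the *failures*
# usually land as LogonType 3 (network), so never filter failures on type 10.
SAMPLE_EVENTS = (
    # Hydra-style burst: one failure every two seconds from the attacker IP.
    [{"time": _t("02:21:00") + timedelta(seconds=2 * i), "event_id": 4625,
      "logon_type": 3, "src_ip": "194.61.24.102", "user": "Administrator"}
     for i in range(25)]
    # ...followed by the interactive RDP success with the guessed password.
    + [{"time": _t("02:21:52"), "event_id": 4624, "logon_type": 10,
        "src_ip": "194.61.24.102", "user": "Administrator"}]
    # A LAN user mistyping a password twice: stays below threshold.
    + [{"time": _t("01:05:00"), "event_id": 4625, "logon_type": 3,
        "src_ip": "10.42.85.115", "user": "ricksanchez"},
       {"time": _t("01:05:07"), "event_id": 4625, "logon_type": 3,
        "src_ip": "10.42.85.115", "user": "ricksanchez"},
       {"time": _t("01:05:20"), "event_id": 4624, "logon_type": 10,
        "src_ip": "10.42.85.115", "user": "ricksanchez"}]
)


def detect_rdp_bruteforce(events, min_failures=10, window=timedelta(minutes=5)):
    """Flag source IPs with >= min_failures 4625s inside `window` that are
    followed by a 4624 with LogonType 10 from the same IP.

    Returns {src_ip: {"first_failure", "failures", "success", "user"}}.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        by_ip[ev["src_ip"]].append(ev)

    hits = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["event_id"] == 4625]
        start = 0
        # Sliding window over the sorted failure times.
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            if end - start + 1 >= min_failures:
                burst_end = fails[end]["time"]
                success = next((e for e in evs
                                if e["event_id"] == 4624 and e["logon_type"] == 10
                                and e["time"] >= burst_end), None)
                if success is not None:
                    hits[ip] = {"first_failure": fails[start]["time"],
                                "failures": len(fails),
                                "success": success["time"],
                                "user": success["user"]}
                    break
    return hits


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info["failures"], "failures, success at",
              info["success"].time(), "as", info["user"])
```

On a real export, feed the function the rows of a 4624/4625 query (IpAddress, TargetUserName, LogonType, TimeCreated) and widen `window` if the attacker throttles; the same logic also catches a burst that never succeeds if you drop the success requirement.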
Quick Answers to the Questions
- What is the Operating System of the Server? Windows 2012
- What is the Operating System of the Desktop? Windows 10
- What was the local time of the Server? Mountain time, UTC -6 (strictly Mountain Daylight Time, since the incident is in September). Note that the VMs themselves were set to the wrong zone (UTC -7); see the NOTE above.
- Was there a breach? Yes
- What was the initial entry vector (how did they get in)? RDP Brute Force
- Was malware used? Yes
- What process was malicious on the Domain Controller? coreupdater and spoolsv. coreupdater was the initial process, it was then migrated to spoolsv.exe.
- What IP Address delivered the payload? 194.61.24.102 via Internet Explorer download when the attacker was RDP’d into the victim.
- What IP Address is the malware calling to? 203.78.103.109
- Where is this malware on disk? C:\Windows\System32\coreupdater.exe
- When did it first appear? 820 mountain? I didn’t write this down and am going to find it during analysis.
- Was it moved? Yes. From the Administrators Downloads folder to C:\Windows\System32\.
- What were the capabilities of this malware? Many. It is Meterpreter, delivered via the Metasploit Framework, and quite versatile: process migration, credential theft, key logging, screen scraping, and many more modules.
- Is this malware easily obtained? Yes. It comes with Metasploit Framework which is free to download and use.
- Was this malware installed with persistence on any machine? Yes. Both in the registry and as a service.
- When?
- Where? Windows Registry and as a Service.
- What IP Addresses were involved that were malicious? 194.61.24.102 and 203.78.103.109
- Were any IP Addresses from known adversary infrastructure? Yes. 194.61.24.102 was being tracked as a hostile IP address prior to the date of the incident. It was specifically being tracked as being involved in RDP Brute Force attacks. 203.78.103.109 was also briefly attached to happydoghappycat-th.com, which was allegedly involved with an APT; however, that changed right around the time the lab was released. It has since been reported as not being involved.
- Are these pieces of adversary infrastructure involved in other attacks around the time of the attack? Yes.
- Were any other systems accessed by the attacker?
- How? The Desktop machine, Desktop-SDN1RPT, was accessed by the attacker using RDP. The attacker brute forced the password for the Administrator account on the DC. Once inside the DC they opened a second RDP session from the Domain Controller to the Desktop machine, re-using the same credentials.
- When? The compromised Domain Administrator account initiated a connection to the Desktop-SDN1RPT machine from Domain Controller, CITADEL-DC01, at 02:35:55 UTC on 19 September 2020 according to the PCAP, or 03:35:54 on 19 September 2020 according to the Super Timeline when left uncorrected. In reality it was at 02:35:54 UTC.
- Was any data stolen or accessed?
- When? secret.zip was exfiltrated from the DC at 02:31; loot.zip was exfiltrated from the Desktop Machine @02:48
- What was the network layout of the victim network? Two hosts in 10.42.85.0/24. DC 10.42.85.10; user 10.42.85.115
- What architecture changes should be made immediately? RDP should be behind a VPN, and RDP directly to the DC from the internet should be turned off immediately.
- If the Szechuan sauce was stolen, what time was it stolen? Approx. 0230 UTC 19 September 2020.
- Were any other sensitive files stolen or accessed? What were the times? Yes. Beth’s secrets were found and manipulated around 0234 UTC. Morty’s thoughts were stolen around 0234 UTC.
- When was the last known contact with the adversary? Last interactive logoff was around 0300 UTC. At the time of capture the attacker was still interacting with the system.
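The NOTE at the top and the lateral-movement timing above (02:35:55 in the PCAP versus 03:35:54 in the uncorrected super timeline) come down to the same arithmetic. The following Python is an added example, not code from the lab or its author. It assumes, as the NOTE states, that the VMs were configured for UTC -7 while the real zone was UTC -6, and that the admin set the wall clock to the correct local time; the registry Bias values are the standard ones for the Pacific zone, and the two sample rows are constructed from the figures quoted on this page.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Offsets taken from the NOTE in this write-up (assumption: the VMs were set
# to UTC-7; the router that captured the PCAP was set to UTC-6, the real zone).
VM_CONFIGURED_OFFSET = timedelta(hours=-7)
TRUE_LOCAL_OFFSET = timedelta(hours=-6)


def offset_from_registry(bias: int, daylight_bias: int, dst_active: bool) -> timedelta:
    """UTC offset implied by HKLM\\SYSTEM\\ControlSet001\\Control\\TimeZoneInformation.

    Bias and DaylightBias are stored as minutes to ADD to local time to reach
    UTC, so positive means west of Greenwich. ActiveTimeBias is Bias plus
    DaylightBias while DST is in force. "Pacific Standard Time" carries
    Bias=480 and DaylightBias=-60; in September DST is active, so the clock
    runs at 420 minutes, i.e. UTC-7: the zone name says -8, the effective
    offset is -7, which is the misconfiguration the NOTE describes.
    """
    active_time_bias = bias + (daylight_bias if dst_active else 0)
    return -timedelta(minutes=active_time_bias)


def correct_host_utc(host_utc: datetime,
                     configured: timedelta = VM_CONFIGURED_OFFSET,
                     true_local: timedelta = TRUE_LOCAL_OFFSET) -> datetime:
    """Repair a UTC timestamp written by a host whose zone was set wrong.

    Assumption: the admin typed the correct local wall-clock time but chose
    the wrong zone. NTFS and the event log store UTC, which the kernel derives
    as local minus the configured offset, so the stored value is off by
    (configured - true_local). With -7 configured and -6 real that is -1h:
    the host's UTC runs an hour ahead of real UTC, so we subtract an hour.
    """
    return host_utc + (configured - true_local)


def parse_utc(iso: str) -> datetime:
    return datetime.fromisoformat(iso).replace(tzinfo=UTC)


def corrected_iso(host_iso: str) -> str:
    """ISO timestamp as stored on the VM -> real UTC ISO timestamp."""
    return correct_host_utc(parse_utc(host_iso)).isoformat()


def build_timeline(host_events, pcap_events):
    """Merge super-timeline rows and PCAP rows onto real UTC.

    host_events: (iso timestamp as stored on the VM, description).
    pcap_events: (iso timestamp, description); the router's zone was right,
    so capture timestamps (epoch, hence UTC) need no correction.
    Returns [(real_utc_iso, source, description)] sorted by time.
    """
    rows = [(corrected_iso(ts), "host", d) for ts, d in host_events]
    rows += [(parse_utc(ts).isoformat(), "pcap", d) for ts, d in pcap_events]
    return sorted(rows)


if __name__ == "__main__":
    # Constructed rows using the two figures quoted for the lateral movement.
    host = [("2020-09-19T03:35:54", "RDP to Desktop-SDN1RPT (super timeline, uncorrected)")]
    pcap = [("2020-09-19T02:35:55", "TCP/3389 10.42.85.10 -> 10.42.85.115 (PCAP)")]
    for row in build_timeline(host, pcap):
        print(*row)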
Advanced and Bonus Questions (Rough Draft for now)
- What CIS Top 20 or SANS Top 20 Controls would have directly prevented this breach?
- What major architecture improvement could be made that would have prevented this breach? VPN, IPS, External Firewall
- What policy improvements or controls should be implemented to secure this environment? VPN, Password complexity increased, no password re-use, External Firewall, IPS, EDR
- What users have actually logged onto the DC? Administrator (Check the users folder on the disk image)
- What users have actually logged onto the Desktop machine? Administrator and Rick Sanchez (Check the users folder on the disk image)
- What are the passwords for the users in the domain?
  Administrator:)&Denver89
  jerrysmith:!BETHEYBOO12!
  summersmith:34MarvelBootySalmon$$
  ricksanchez:800PortalsForMe%
  mortysmith:Jessica@1
  bethsmith:RedWine1!
  birdman:(dimension5150)
- Can you recover the original file about Beth’s Secrets?
- What was the original name? Secret_Beth.txt
- Original Contents? Earth Beth is the real Beth.
- What file was time stomped? The secret about Beth. Beth_Secret.txt
Thanks for creating a good sample case to practice IR.
I have a question about Q3. I checked the following key of dc01.
“HKLM\SYSTEM\ControlSet001\Control\TimeZoneInformation”
It shows me the time zone setting is “Pacific Standard Time (UTC -8)”.
But this article says the answer is “Mountain Standard Time (UTC -6)”
What were my mistakes in this question?
It is not a mistake on your part… it’s a bad admin! Alas – there is a bit of work you will have to do to get the timelines to align. In other words the victim machines were not set to the right time.
Where is the evidence of secret.zip being exfil’d and deleted? I can see loot.zip being deleted but not secret
Hello,
Can you please help me understand how you got Mountain Standard Time (UTC -6) as the answer for the local DC server time. According to my calculations, looking at the different “Bias” variables, my answer was Mountain Daylight Time/Pacific Standard Time UTC-7. Please clarify. Thanks a lot for this exercise 🙂