Case 002 – Tyler Hudak’s Honeypot

December 11, 2021 Labs, The Hunt

Case 002 – Hudak’s Honeypot

The Case of The Forgotten Honeypot


Readme:

The best way to introduce this is to start with the README from Tyler:

This Ubuntu Linux honeypot was put online in Azure in early October with the sole purpose of watching what happens with those exploiting CVE-2021-41773.

Initially there were a large number of cryptominers that hit the system. You will see one cron script that is meant to remove files named kinsing in /tmp. This was my way of preventing these miners so more interesting things could occur.

Then, as with many things, I got busy and forgot about it. Fast forward to now (early December) and I remembered it was still up. I logged on and saw CPU usage through the roof. Instead of just shutting it down, I grabbed a disk snapshot, memory snapshot, and ran a tool named UAC (https://github.com/tclahr/uac) to grab live response. The results of this are in this directory.

There are three files:

– sdb.vhd.gz – VHD of the main drive obtained through an Azure disk snapshot
– ubuntu.20211208.mem.gz – Dump of memory using Lime
– uac.tgz – Results of UAC running on the system

Items were obtained in the order above – drive was snapshotted, memory was grabbed, then UAC was run.

Please feel free to share this. All I ask is that if you do any analysis to share it with the community.

If anyone would like to offer a more permanent home for the files, please let me know.

Thanks!

Tyler Hudak


Note

Tyler Hudak is one of the best in the DFIR business. He has given many great talks at conferences in addition to some superb training that can be found on YouTube and Pluralsight. I highly encourage everyone to check out his work. I have put some links below to get you started.

Tyler Hudak to Catch a Spy

Tyler Hudak Forensic Files

Tyler Hudak Intro to Reverse Engineering

Purpose

The purpose of Case 002 is to offer folks a chance at conducting forensics on a compromised Linux system. Case 002 was going to be a compromised Linux system set up in the lab. This is even better: the artifacts are from a honeypot. Honeypots are intentionally vulnerable systems left exposed to the internet in the hope that real attackers will infiltrate them. When this happens, a great learning opportunity is created. Artifacts from the victim machine can be used for training purposes: to learn analysis tools and techniques, and to gain an understanding of how real attackers operate.

Target Audience

Folks wanting to practice or enhance their Linux forensics skills.

Quick Launch

This was launched rather quickly. There may be some changes or updates to this page in the near future.

Questions

Depending on the situation, your triage phase may require different questions, asked in a different order.

No specific questions have been written for this case yet, but the standard questions for an investigation would be:

Level of breach? Root?

Initial vector?

Actions on Objective?

Malware family?

What were this system's public and internal IP addresses?

Was this system used to attack other systems?

Were any user accounts compromised?

Were any user accounts added?

What persistence mechanisms were put in place?

The Linux MITRE ATT&CK Framework can also be a great guide:

  • Initial Access?
  • Execution?
  • Persistence?
  • Privilege Escalation?
  • Defense Evasion?
  • Credential Access?
  • Discovery?
  • Lateral Movement?
  • Collection?
  • Command and Control?
  • Exfiltration?
  • Impact?
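Two of the questions above ("Were any user accounts added?" and "What persistence mechanisms were put in place?") can get a first-pass answer with nothing more than the grep, cut and awk listed under Recommended Tools. The script below is an added example written for this page; it is not part of Tyler's README, of UAC, or of any write-up for this case. It assumes you have copied /etc/passwd and a crontab out of the disk image or the live-response bundle, and the sample inputs it writes are constructed here so it runs offline; they are not taken from the honeypot.

```shell
#!/bin/sh
# Added example, not from the original post or from UAC: first-pass triage of a
# collected /etc/passwd and crontab. Inputs are files copied out of the image or
# the live-response bundle; the samples written by write_samples are constructed
# stand-ins so the script runs offline.

# Report accounts that are not "root" but carry UID 0, and regular accounts
# (UID >= 1000) that have a real login shell. One tagged line per finding.
suspicious_accounts() {
    awk -F: '
        $3 == 0 && $1 != "root"                 { print "uid0-alias " $1 }
        $3 >= 1000 && $7 !~ /(nologin|false)$/  { print "login-shell " $1 ":" $3 }
    ' "$1"
}

# Report active crontab lines that run something out of a world-writable
# directory or fetch content over the network. These are candidates for review,
# not verdicts: a legitimate cleanup job (like the kinsing remover in the
# README) can live next to a malicious entry and must be judged by hand.
suspicious_cron() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | grep -E '/tmp/|/dev/shm/|/var/tmp/|curl|wget' || true
}

# Write constructed sample inputs into DIR (stand-ins for the collected files).
write_samples() {
    dir=$1
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin' \
        'azureuser:x:1000:1000::/home/azureuser:/bin/bash' \
        'sysadm:x:0:0::/root:/bin/sh' > "$dir/passwd"
    printf '%s\n' \
        '# m h dom mon dow command' \
        '*/5 * * * * /root/clean-kinsing.sh' \
        '* * * * * /tmp/.X11-unix/.run >/dev/null 2>&1' > "$dir/crontab"
}

# Stand-alone run against the constructed samples.
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    echo "== accounts =="; suspicious_accounts "$dir/passwd"
    echo "== cron =="; suspicious_cron "$dir/crontab"
    rm -rf "$dir"
}
demo
```

On the constructed sample the account check flags the second UID 0 account (sysadm) and the one interactive user (azureuser), and the cron check surfaces only the /tmp entry; the README's own cleanup job passes through because it runs from /root. Point the two functions at the real files from the image and treat every hit as a lead to confirm against timestamps, shell history and the memory image.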

Resources

Recommended Tools

Grep, Cut, AWK, Autopsy, Plaso, Volatility 3, and Rekall.

More will be added later.

Recommended Book

Practical Malware Forensics by Bruce Nikkel



Download Links

Case002 Linux Honeypot (All Files)

Case002 Disk Image

Case002 UAC Results

Case002 Memory Image

MD5sums

7f1be736d10eb8fb0ae8046ec3f19a7e case002-sdb.vhd-002.gz
72b27afd52ef7c22390bb42ccdc6450c case002-uac.tgz
80922c222d62386580cc7c6be6803431 case002-ubuntu.20211208.mem.gz
4350ad07308a562587d2f911673b95be linux-honeypot.zip

SHA1sums

679de9cedf8e0c8c377e04c41e31b68fb61b4f63 case002-sdb.vhd-002.gz
e1d27853f67a27ded3fae59d0d28ccbe226f1994 case002-uac.tgz
894c9de19380f915363038ed753c390d69225e95 case002-ubuntu.20211208.mem.gz
60bda4447a49bb6596b48adc28118bcad59fb62c linux-honeypot.zip

SHA256sums

bf43f5f4c189826b22558d12f3ec23ca657cba207914aad515c24f9bb0bab337 case002-sdb.vhd-002.gz
071de8ec88b681139406aa48d2aba292b7876ee6ab559c69e41b39a436ded0f6 case002-uac.tgz
abcb5ad09a02bb89d730381ebad1d58a115aac416e58d92490872516ce098b84 case002-ubuntu.20211208.mem.gz
bd1b6f844e784a82b42e90272650382d3750f459da06321a1d3bdb5e6826fe1d linux-honeypot.zip
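Before touching the evidence, verify the downloads against the published sums so that a truncated or tampered file does not send you chasing ghosts. The script below is an added example for this page, not part of the original post; it carries the SHA-256 values exactly as listed above and assumes the files are saved in the current directory under the names used in the sums list (note those names, e.g. case002-sdb.vhd-002.gz, differ from the shorter names in the README). SHA-256 is the one to rely on; the MD5 and SHA-1 lists are useful only as a cross-check, since both algorithms have practical collision attacks.

```shell
#!/bin/sh
# Added example, not from the original post: verify the Case 002 downloads
# against the SHA-256 sums published on the page and check the gzip containers.
# File names assume the downloads sit in the current directory.

# Expected SHA-256 digests, copied from the page.
EXPECTED_SHA256='bf43f5f4c189826b22558d12f3ec23ca657cba207914aad515c24f9bb0bab337 case002-sdb.vhd-002.gz
071de8ec88b681139406aa48d2aba292b7876ee6ab559c69e41b39a436ded0f6 case002-uac.tgz
abcb5ad09a02bb89d730381ebad1d58a115aac416e58d92490872516ce098b84 case002-ubuntu.20211208.mem.gz
bd1b6f844e784a82b42e90272650382d3750f459da06321a1d3bdb5e6826fe1d linux-honeypot.zip'

# SHA-256 of FILE, using sha256sum (GNU) or shasum (BSD/macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 when FILE hashes to EXPECTED (case-insensitive), 1 otherwise.
verify_file() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "MISSING  $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file (got $actual)" >&2
    return 1
}

# Return 0 when a .gz/.tgz FILE decompresses cleanly, 1 otherwise.
gzip_intact() {
    case $1 in
        *.gz|*.tgz) gzip -t "$1" 2>/dev/null ;;
        *) return 0 ;;   # other containers (e.g. .zip) are not checked here
    esac
}

# Walk the published list; keep going after a failure so every file is reported.
verify_all() {
    failures=0
    while read -r digest name; do
        verify_file "$name" "$digest" || failures=$((failures + 1))
        gzip_intact "$name" || { echo "CORRUPT  $name" >&2; failures=$((failures + 1)); }
    done <<EOF
$EXPECTED_SHA256
EOF
    [ "$failures" -eq 0 ]
}

# Only run the full verification when invoked with "run", so the file can also
# be sourced for its functions.
if [ "${1:-}" = "run" ]; then
    verify_all
fi
```

Run it from the download directory with `sh verify-case002.sh run`; a non-zero exit means at least one file is missing, mismatched or a corrupt gzip stream. Keep the verification output with your case notes, since it is the first entry in the chain of custody for the copy you analysed.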

Write-Ups and Walkthroughs

They will be posted as they are written. These files should provide a great playground to use with something like the book above. Perhaps you have a write-up or walkthrough you want to share? Let me know on Twitter @DFIRmadness. Happy Hunting!
