DFIR Challenge Answers

As promised, here are the answers to my latest dfir challeng.

1. Who delivered the attack?

isd@petro-markets.info

2. Who was the attack delivered too?

amirs@petro-market.org

callb@petro-market.org

wrightd@petro-market.org

3. What time was the attack delivered?

Mon, 26 Nov 2012 14:00:08 -0600

4. What time was the attack executed?

ENG-USTXHOU Mon Nov 26 2012 23:01:54

FLD-SARIYADH Tue Nov 27 2012 00:17:58

5. What is the C2 ip Address?

58.64.132.141

6. What is the name of the dropper?

Symantec-1.43-1.exe

7. What is the name of the backdoor?

6to4ex.dll

8. What is the process name the backdoor is running in?

svchost.exe

9. What is the process id on all the machines the backdoor is installed on?

ENG-USTXHOU 1024

FLD-SARIYADH 1032

10. What usernames were used in this attack?

callb

amirs

sysbackup

11. What level of access did the attacker have?

Local system administrator

12. How was lateral movement performed?

Combination of net commands, psexec and .bat scripts

13. What .bat scripts were placed on the machines?

system1.bat

system2.bat

syetem3.bat

system4.bat

system5.bat

system6.bat

14. What are the contents of each .bat script?

1.bat
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
ipconfig >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll

2.bat
@echo off
c:\windows\webui\gs.exe -a >> c:\windows\webui\svchost.dllst

3.bat
@echo off
dir /S C:\*.dwg > c:\windows\webui\https.dll

4.bat
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll

5.bat
@echo off
copy c:\windows\webui\wc.exe c:\windows\system32
at 04:30 wc.exe -e -o h.out

6.bat
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
15. What other tools were placed on the machines by the attacker?

gs.exe - gsecdump

ps.exe - psexec

ra.exe - rar.exe

sl.exe - scanline

wc.exe - Windows Credentials Editor

16. What directory was used by the attacker to drop tools?

c:\windows\webui

17. Was the directory newly created or was it there prior to the attack?

Newly Created

18. What were the names of the exfiltrated files?

pump1.dwg - pump100.dwg

19. What did the exfiltrated files contain?

Files contained all 0's

20. What time did winrar run?

Tue Nov 27 2012 01:11:19

21. What is the md5sum of pump1.dwg?

a48266248c04b2ba733238a480690a1c

22. Which machines were compromised and need to be remediated?

ENG-USTXHOU-148

FLD-SARIYADH-43

IIS-SARIYADH-03

23. Which user accounts were compromised and need to be remediated?

callb - Used by attacker

amirs - Used by attacker

sysbackup - Used by attacker

saadmin\petro-market.org - Hash seen dumped by gsecdump

administrator\current - Hash seen dumped by gsecdump

24. Are there additional machines that need to be analyzed?

Yes. The machine of the third phish recipient (wrightd@petro-market.org). That needs to be validated that it has not been comp'd.

25. Describe how each machine was involved in this incident and overall what happened.

See writeup