This is my analysis of the dfir challenge I published in Nov. 2012. If you would like to try the challenge it can be found here.
ENG-USTXHOU-148
The first host I looked at was ENG-USTXHOU-148 as this is where the initial alert originated. After reviewing the data it looked like the attacker gained access to the machine via a phish. After gaining access a tool drop directory was created (c:\windows\webui) and began being populated with the following tools:
Evidence of gsecdump being ran was found as well as privilege escalation via pass the hash (wce).
Attempts to use psexec against 172.16.150.10 and 172.16.223.47 were seen using domain account callb and local admin user sysbackup.
A share was seen being mapped from IIS-SARIYADH-03 to the local host.
A share was mapped from 172.16.223.47 to the local machine. It also appeared that files with .dll extensions were created on a remote machine and copied to this machine. This assumption is based on seeing the m-time and seconds to a few minutes later seeing the cb-time in the timeline. This would not be normal if these files were actual dll's.
You can find a detailed analysis of the host here.
- gsecdump.exe (ps.exe)
- scanline.exe (sl.exe)
- wce.exe (wc.exe)
- rar.exe (ra.exe)
- psexec.exe (ps.exe)
Evidence of gsecdump being ran was found as well as privilege escalation via pass the hash (wce).
Attempts to use psexec against 172.16.150.10 and 172.16.223.47 were seen using domain account callb and local admin user sysbackup.
A share was seen being mapped from IIS-SARIYADH-03 to the local host.
A share was mapped from 172.16.223.47 to the local machine. It also appeared that files with .dll extensions were created on a remote machine and copied to this machine. This assumption is based on seeing the m-time and seconds to a few minutes later seeing the cb-time in the timeline. This would not be normal if these files were actual dll's.
You can find a detailed analysis of the host here.
IIS-SARIYADH-03
The next host I responded to was IIS-SARIYADH because I it was apparent that the attacker was able to move laterally to that machine via psexec and net use.
Analysis of this machine showed that it had been accessed by the attacker from 2 different machines (ENG-USTXHOU-148 and FLD-SARIYADH-43). It appeared that bat scripts were executed on the machine through the use of psexec. The bat files were not able to be recovered from this machine.
Winrar was seen being ran by the sysbackup user. The attacker was able to rar pump1.dwg - pump100.dwg. It is suspected that this rar file was exfiltrated.
The tool drop directory (webui) was shared giving the sysbackup user full permissions.
A scheduled task was created to execute wce in listening mode and collect hashes. This scheduled task failed to run.
The attacker was able to gain access to this machine by the same phishing email that compromised ENG-USTXHOU-148. The same Gh0st rat was used giving the attacker full access to the compromised machine as well as any machines that may use the sysbackup credentials.
Once the attacker had access to the machine the attacker collected system information and then moved laterally to IIS-SARIYADH-03. Once gaining access to this machine the attacker executed several bat scripts using psexec. 2 bat scripts to take note of was system3.bat which searched the machine for all files with and extension of .dwg. System5.bat created a rar file with all .dwg files found on the system.
Signs of gsecdump were seen in memory, but no hashes were found with the exception of amirs and sysbackup. A scheduled task was created to collect hashes as users authenticate using wce. These hashes were then logged to h.out.
DC-USTXHOU
This host was not compromised.
Network Traffic
Analysis and decoding of the C2 traffic can be found here.
No comments:
Post a Comment