As promised, here are the answers to my latest DFIR challenge.
1. Who delivered the attack?
isd@petro-markets.info
2. Who was the attack delivered to?
amirs@petro-market.org
callb@petro-market.org
wrightd@petro-market.org
3. What time was the attack delivered?
Mon, 26 Nov 2012 14:00:08 -0600
4. What time was the attack executed?
ENG-USTXHOU Mon Nov 26 2012 23:01:54
FLD-SARIYADH Tue Nov 27 2012 00:17:58
5. What is the C2 IP address?
58.64.132.141
6. What is the name of the dropper?
Symantec-1.43-1.exe
7. What is the name of the backdoor?
6to4ex.dll
8. What is the process name the backdoor is running in?
svchost.exe
9. What is the process ID on all the machines the backdoor is installed on?
ENG-USTXHOU 1024
FLD-SARIYADH 1032
10. What usernames were used in this attack?
callb
amirs
sysbackup
11. What level of access did the attacker have?
Local system administrator
12. How was lateral movement performed?
Combination of net commands, psexec and .bat scripts
13. What .bat scripts were placed on the machines?
system1.bat
system2.bat
syetem3.bat
system4.bat
system5.bat
system6.bat
14. What are the contents of each .bat script?
1.bat
@echo off
mkdir c:\windows\webui
net share z=c:\windows\webui /GRANT:sysbackup,FULL
ipconfig >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
2.bat
@echo off
c:\windows\webui\gs.exe -a >> c:\windows\webui\svchost.dllst
3.bat
@echo off
dir /S C:\*.dwg > c:\windows\webui\https.dll
4.bat
@echo off
c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r c:\windows\webui\netstat.dll "C:\Engineering\Designs\Pumps" -x*.dll
5.bat
@echo off
copy c:\windows\webui\wc.exe c:\windows\system32
at 04:30 wc.exe -e -o h.out
6.bat
@echo off
ipconfig /all >> c:\windows\webui\system.dll
net share >> c:\windows\webui\system.dll
net start >> c:\windows\webui\system.dll
net view >> c:\windows\webui\system.dll
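The six .bat scripts above share a handful of behaviours a defender can key on: a staging directory under c:\windows\webui, a share created with an explicit /GRANT, recon output redirected into files with a .dll extension, a password-protected RAR archive, and an at job that runs the credential dumper. The following is an added example (Python, not part of the original challenge or writeup) that turns those behaviours into simple command-line triage rules; the process-creation records are constructed to mirror the scripts, and the regexes are my own approximation, not a vendor rule set.

```python
import re
from typing import List, Tuple

# Constructed sample process-creation records (host, command line). They are
# modelled on the .bat contents above, not pulled from the challenge image.
SAMPLE_EVENTS = [
    ("ENG-USTXHOU", r"cmd.exe /c mkdir c:\windows\webui"),
    ("ENG-USTXHOU", r"net share z=c:\windows\webui /GRANT:sysbackup,FULL"),
    ("ENG-USTXHOU", r"cmd.exe /c ipconfig >> c:\windows\webui\system.dll"),
    ("FLD-SARIYADH", r"c:\windows\webui\ra.exe a -hphclllsddlsdiddklljh -r "
                     r"c:\windows\webui\netstat.dll C:\Engineering\Designs\Pumps -x*.dll"),
    ("FLD-SARIYADH", r"at 04:30 wc.exe -e -o h.out"),
    ("FLD-SARIYADH", r"cmd.exe /c dir /S C:\*.dwg > c:\windows\webui\https.dll"),
    ("IIS-SARIYADH", r"notepad.exe C:\Users\callb\notes.txt"),  # benign
    ("IIS-SARIYADH", r"net share"),  # benign on its own: no grant, no redirect
]

# Rule name -> pattern over the command line. Each one is derived from a
# behaviour visible in 1.bat through 6.bat (approximations, not a vendor set).
RULES = [
    ("staging_dir", re.compile(r"c:\\windows\\webui", re.I)),
    ("share_grant", re.compile(r"\bnet\s+share\s+\S+=\S+\s+/GRANT:", re.I)),
    # recon commands whose output is redirected into a file named *.dll
    ("recon_to_dll", re.compile(
        r"\b(ipconfig|net\s+(share|start|view)|dir\s+/S)\b.*>>?\s*\S+\.dll", re.I)),
    # RAR "a" (add) with a -hp switch: password-protected archive with encrypted names
    ("rar_pw_archive", re.compile(r"\b(ra|rar)\.exe\s+a\s.*-hp\S*", re.I)),
    # at-scheduled run of wc.exe (Windows Credentials Editor, per the answer key)
    ("at_task_wce", re.compile(r"\bat\s+\d{2}:\d{2}\s+wc\.exe", re.I)),
]


def triage(events: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, rule_name, command_line) for every rule that fires."""
    hits = []
    for host, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
    return hits


def hosts_to_review(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Sorted list of hosts with at least one hit; these go on the remediation list."""
    return sorted({host for host, _, _ in hits})


if __name__ == "__main__":
    for host, rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{host:13} {rule:16} {cmd}")
    print("review:", hosts_to_review(triage(SAMPLE_EVENTS)))
```

Run against real process-creation telemetry (Sysmon event 1, EDR command-line fields), the same rules would also surface hosts the .bat names were not recovered from.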
15. What other tools were placed on the machines by the attacker?
gs.exe - gsecdump
ps.exe - psexec
ra.exe - rar.exe
sl.exe - scanline
wc.exe - Windows Credentials Editor
16. What directory was used by the attacker to drop tools?
c:\windows\webui
17. Was the directory newly created or was it there prior to the attack?
Newly Created
18. What were the names of the exfiltrated files?
pump1.dwg - pump100.dwg
19. What did the exfiltrated files contain?
Files contained all 0's
20. What time did winrar run?
Tue Nov 27 2012 01:11:19
21. What is the md5sum of pump1.dwg?
a48266248c04b2ba733238a480690a1c
22. Which machines were compromised and need to be remediated?
ENG-USTXHOU-148
FLD-SARIYADH-43
IIS-SARIYADH-03
23. Which user accounts were compromised and need to be remediated?
callb - Used by attacker
amirs - Used by attacker
sysbackup - Used by attacker
saadmin\petro-market.org - Hash seen dumped by gsecdump
administrator\current - Hash seen dumped by gsecdump
24. Are there additional machines that need to be analyzed?
Yes. The machine of the third phish recipient (wrightd@petro-market.org) needs to be analyzed to validate that it has not been compromised.
25. Describe how each machine was involved in this incident and overall what happened.
See writeup