The Security Operations Center at Defense Superior are monitoring a customer’s email gateway and network traffic (Crimeson LLC). One of the SOC team identified some anomalous traffic from Josh Morrison’s workstation, who works as a Junior Financial Controller. When contacted Josh mentioned he received an email from an internal colleague asking him to download an invoice via a hyperlink and review it.
The email read:
There was a rate adjustment for one or more invoices you previously sent to one of our customers. The adjusted invoices can be downloaded via this [link] for your review and payment processing. If you have any questions about the adjustments, please contact me.
Thank you.
Jacob
*Tomlinson, Senior Financial Controller, Crimeson LLC.*The SOC team immediately pulled the email and confirmed it included a link to a malicious executable file. The Security Incident Response Team (SIRT) was activated and you have been assigned to lead the way and help the SOC uncover what happened.You have NetWitness and Wireshark in your toolkit to help find out what happened during this incident.**Reading Material:**
PCAP analysis basics with Wireshark [updated 2021] - Infosec Resources
What is the full filename of the initial payload file?
INVOICE_2021937.pdf.bat
Abrimos el pcap en wireshark y como sabemos que fue un empleado interno 192.168.1.9
y nuestro IP es 192.168.1.8
vamos a Stadistics
→ Conversation
y marcamos cual es el paquerte mas grande que se transferio y le damos right-click
para que lo para preparar el filtro que queremos A<->B
y le damos enter.
Vamos un get con un Invoice.pdf pero tambien tiene la extension poco usual de .bat
le vamos a dar right-click
→ Follow
→ TCP Stream
y vamos a ver la conversacion completa
What is the name of the module used to serve the malicious payload?(4 points)
SimpleHTTPserver
Como podemos ver en el 200 OK de donde bajamos el file podemos ver donde dice Server:
SimpleHTTP/0.6 Python/3.8.5
que es un modulo de Python para montar un server para que bajen cosas como podemos ver en screenshot
Analysing the traffic, what is the attacker's IP address?(4 points)
192.168.1.9
Como podemos ver en el Pcap y en el GET request bajamos el file de atacante con el IP 192.168.1.9
Now that you know the payload name and the module used to deliver the malicious files, what is the URL that was embedded in the malicious email?(5 points)
INVOICE_2021937.pdf.bat
Toda esta informacion lo vimos en las anteriores preguntas solo necesitamos juntarlo todo
Find the PowerShell launcher string (you don’t need to include the base64 encoded script)(5 points)
powershell -noP -sta -w 1 -enc
En mismo sitio encontramos la respuesta a la pregunta
What is the default user agent being used for communications?(4 points)
Mozilla/5.0
Despues de decryptar la base64 encontramos el User Agent que es Mozilla/5.0
You are seeing a lot of HTTP traffic. What is the name of a process where malware communicates with a central server asking for instructions at set time intervals?(4 points)
beaconing
Si buscamos como se llama cuando se comunica un a un C2 vamos a ver beaconing
What is the URI containing ‘login’ that the victim machine is communicating to?(5 points)
/login/process.php
Si buscamos en Wireshark con el filtro http
podemos ver que hay un Post
request a /login/process.php
What is the name of the popular post-exploitation framework used for command-and-control communication?(5 points)
Empire
Si buscamos en google podemos ver que la respuesta es Empire
It is believed that data is being exfiltrated. Investigate and provide the decoded password*(5 points)*
Y0uthinky0ucAnc4tchm3$$
Lo primero que vamos a hacer en Wireshark vamos a usar este filtro icmp && ip.src==192.168.1.8 && ip.dst==192.168.1.9
Vamos a marcar el primer paquete y vamos a File Menu
y luego Export Specified Packers
y lo guardamos.
Despues con T-shark que lo tenemos en la maquina vamos a donde lo tenemos instalado en el CMD
y escribimos el siguente comando
``.\tshark.exe -r C:\Users\BTLOTest\Desktop\Investigation<nombre que le pusimos al pcap>.pcap -T fields -e data`
Nos van a salir un monton de hexadecimales como en el screenshot
Vamos a copiarlos todos los hexadecimales y los vamos a poner en Cyberchef con estas recetas
What is the account’s username?(5 points)
$sec-account
En el mismo que descryptamos anteriormente y vimos el password tambien podemo ver el Username que estamos buscando