Table Top Exercise/GameDay

Outline
This document is created to provide the outline and overall objectives of the Table Top Exercises which should be performed for validation of the documentation and SOPs of the project.

Scenario
DeMo Team Analysis:
While monitoring DeMo Team has identified one of store front desk employee’s PC was generating some anomalous behavior.

 There are some Ransomware signatures which got deleted followed by a RAT alarm triggered by CrowdStrike on the device, which is not cleaned/quarantined.
 A Process Injection alarm triggered.
 An unauthorized process named nbtscan.exe was found to be executed on the host.

Demo Team has also identified a credential dumping alarm on CrowdStrike on a security admin user’s PC on the same store named Gideon.

These 2 machines were found to be communicating with a POS Device on Store and Organization Domain controller- AllSafeCyberSec as per analysis from DeMo team. Demo Team has
escalated the case to SIRT Team.

SIRT Analysis:
From the initial investigation,

 SIRT Team has identified, the user has received a suspicious email for a security update and from that day onwards the activity started.
 SIRT Team has found a file named nbs.txt which seems to be related to nbtscan.exe on the front desk machine.
 SIRT Team found some evidences that Gideon’s machine seems to be communicating with the Domain Controller.

SIRT Team has captured these 3 machines memory dumps and escalated the case to SIRT Forensics team for further analysis and to identify the RCA.

Questions that needs to be answered:

Machine:Target1 (Front Desk PC)

1. What email address tricked the front desk employee into installing a security update?
2. How was the fake update delivered? If so, what is the filename?
3. What is the name of the RAT family used by the attacker?
4. The malware appears to be leveraging process injection. What is the PID of the process that is injected?
5. What is the unique value the malware is using to maintain persistence after reboot?
6. Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?
7. Is the machine compromised before? Can we identify that?
8. What is the NTLM password hash for the administrator account?
9. Do you find any tools moved by the attacker on the compromised front desk host? How many tools did the attacker move?
10. What is the password for the front desk local administrator account?
11. What is the std create data timestamp for the nbtscan.exe tool?
12. Attacker relation with nbtscan.exe tool? The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first
machine in that file?
13. What is the full IP address and the port was the attacker's malware using?
14. It appears the attacker also installed legit remote administration software. What is the name of the running process?
15. It appears the attackers also used a built-in remote access method. What IP address did they connect to?

Machine: Target2 (Gideon’s PC)

1. It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon's password?
2. Once the attacker gained access to "Gideon," they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?
3. What was the name of the RAR file created by the attackers?
4. How many files did the attacker add to the RAR archive?
5. Any scheduled task on this machine?

Machine: POS

1. What is the malware CNC's server?

2. What is the common name of the malware used to infect the POS system?
 3. In the POS malware whitelist. What application was specific to Allsafecybersec?
4. What is the name of the file the malware was initially launched from?

Answers:
First, we must find the correct volatility profile for the images. In our real cases, we will know the host OS version, but still we need to figure out which profile suits the parsing.

vol.py -f target1/Target1-1dd8701f.vmss imageinfo

Usually the first once works.

Question1: What email address tricked the front desk employee into installing a security update?

We can first use the filescan plugin to see if there are ost/pst file present in the memory dump

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 filescan > target1-filescan.txt

cat target1-filescan.txt | grep -F '.ost'
 Nex
t, we dump the files and extract their contents.

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003ecec2b0,0x000000003fc61be0

mv '[email protected] - outlook2.ost.dat' Frontdesk.ost
pffexport -m all -f all Frontdesk.ost
grep -r -i update Frontdesk.ost.export/

Message0000
1 contains references to an update that must be Downloaded. Annotated in yellow is the downloaded link. It is not a secure http connection, so we can assume it’s malware. To find the sender
of the email we can do below:

cat 'Frontdesk.ost.export/Root - Mailbox/IPM_SUBTREE/Inbox/Message00001/OutlookHeaders.txt'

Answer: [email protected]

Question2: Is there any file delivered on email? If so, what is the filename?

From the previous question, we saw that the filename is named AnyConnectInstaller.exe.

Answer: AnyConnectInstaller.exe

Question3: What is the name of the rat's family used by the attacker?

AnyConnectInstaller is not a process in itself. To dump it, we can check the output of the filescan plugin that we ran previously.

cat target1-filescan.txt | grep -i AnyConnect

Then create a directory to dump all files from memory

mkdir AnyConn
vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 dumpfiles -D AnyConn -n -u -Q
0x000000003df12dd0,0x000000003df1cf00,0x000000003e0bc5e0,0x000000003e2559b0,0x000000003e2ae8e0,0x000000003ed57968
md5sum AnyConn/*

The first hash is flagged by 61 vendors

in VirusTotal. Microsoft flags it as Worm:Win32/Xtrat.B!D:

Xtrat is short for Xtreme Rat.

Answer: XTREMERAT
Question4: The malware appears to be leveraging process injection. What is the PID of the process that is injected?

In VirusTotal, we can see a list of contacted IP addresses:

We can check if these values match Established connections in the memory dump, using the netscan plugin:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 netscan | grep ESTABLISHED

 Answer: 2996

Question5: What is the unique value the malware is using to maintain persistence after reboot?

Evidence of persistence can be found in the registry. First, we need to find the virtual offset of the Software hive:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 hivelist

Next, we use the printkey plugin to show the contents of the Run key:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 printkey -o 0x8b79d008 -K "Microsoft\Windows\CurrentVersion\Run"

Here, the Run key for

AnyConnectInstaller.exe is saved as MrRobot. The presence (https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys) of this key means the malware is run
every time a user logs on.

Answer: Mr.Robot

Question6: What is the unique name the malware is using?

Malware often uses a unique value or name to ensure that only one copy runs on the system. Let’s check the handles open for pid 2996:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 handles —pid 2996

The mutant handle ‘fsociety0.dat’ which seems unusual.

Answer: fsociety0.dat

Question7: Is the machine compromised before? Can we identify that?

There is not much evidence in the cmdline/consoles/cmdscan plugins. One way to find potential attackers is to filter for User directories:

cat target1-filescan.txt | grep -o 'Users\\[A-Za-z]' | sort | uniq

Zerocool the unusual name which seems to be created long back and there is no trace of this user.
Answer: Zerocool

Question8: What is the NTLM password hash for the administrator account?

Using the hashdump plugin:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 hashdump

Answer:
79402b7671c317877b8b954b3311fa82

Question9: Do you find any tools moved by the attacker on the compromised front desk host? How many tools did the attacker move?

A tool must mean anything ‘executable’ so to speak. In the consoles plugin’s output, there was an instance of Windows\Temp being listed:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 consoles

There’s four ‘tools’ in this directory: getlsasrvaddr.exe, nbtscan.exe, wce.exe and Rar.exe.

Because there are also two directories in the Temp folder. We can check the filescan output for LNK files and Jumplists, stored (https://nasbench.medium.com/windows-forensics-analysis-
windows-artifacts-part-ii-71b8fa68d8a1) as AUTOMATICDESTINATIONS-MS and CUSTOMDESTINATIONS-MS.

cat target1-filescan.txt | egrep '\.lnk|Destinations' | grep frontdesk

All the files returned.

We can literally dumped ALL of them, instead of wasting time copy-pasting the offsets we can use this one liner to format them into a comma separated line which would then be passed to the
Q option of dumpfiles:

cat target1-filescan.txt | egrep '\.lnk|Destinations' | grep frontdesk | sed 's/ .//g' | tr '\n' ','
mkdir links
vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 dumpfiles -D links -u -n -Q [paste offsets from command above]
grep -F '\Temp' links/

Of the four files matching, only w.lnk* and 918e0ecb43d17e23.automaticDestinations-ms.dat directly reference a file in the Windows\Temp directory.

Strings – 918e0ecb43d17e23.automaticDestinations-ms.dat

So the lnk/JumpLists do not contain values of interest…

Eventually, we can search for the executable names in Google:*

getlsasrvaddr.exe is a tool (https://github.com/returnvar/wce) that finds the addresses for Windows Credentials Editor to find credentials in memory.
nbtscan.exe is a NetBios scanning tool.
Rar.exe is WinRAR.
wce.exe is Windows Credentials Editor.

This is where paying attention to the question is important! The question asked for the number of TOOLS moved. Even though we checked the Github Repo of Windows Credentials Editor. We
didn’t really put together that wce.exe and getlsasrvaddr.exe belong to the same tool! So in total, three tools were moved

Answer: 3
Question10: What is the password for the front desk local administrator account?

In the output of the consoles plugin, we can see that Windows Credential Editor (wce.exe) (https://github.com/returnvar/wce) was executed. On WCE’s github page, the option* -w means
‘Dump cleartext passwords stored by the digest authentication package ‘.

Annotated in pink is the cleartext password for the

front-desk Admin account:
Answer: flagadmin@1234

Question11: What is the std create data timestamp for the nbtscan.exe tool?

The most precise way to find filesystem metadata is by analyzing the $MFT. With volatility, we can use the mftparser plugin. Then, we just need to grep for the filename:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 mftparser > mft.txt

cat mft.txt | head -n 10 #to get the column names
cat mft.txt | grep -F 'nbtscan.exe'
The Standard Creation timestamp is 2015-10-09 10:45:12 UTC+0000.

Answer: 2015-10-09 10:45:12 UTC

Question12: What is the IP address of the first machine in that file?

The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. Since we have saved the output of the filescan plugin to a file, we can just grep for
‘nbs.txt’ to find its offset and dump the file:

cat target1-filescan.txt | grep -F 'nbs.txt'

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003fdb7808
cat file.None.0x83eda598.nbs.txt.dat

The first machine is ALLSAFECYBERSEC\AD01

with IP address 10.1.1.2.

Answer: 10.1.1.2

Queation13: What is the full IP address and the port was the attacker's malware using?
In Question 4, the malware’s md5 hash was submitted to Virus Total. It showed a list of contacted IPs by the malware. This list was compared with established connections from the netscan
plugin. The only matching IP was 180.76.254.120, on port 22

The same IP address hosted the initial malware, ‘AnyConnectInstaller.exe’ which the user was tricked into downloading.

Answer: 180.76.254.120:22

Question14: What is the name of the running process?

It appears the attacker also installed legit remote administration software. If we use the uninstallinfo plugin, no remote administration software is returned. However, there is evidence of
TeamViewer being executed in the cmdline plugin:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 cmdline

The
use of –action hooks and –IPCport is suspicious. We can check the log file for more information:

cat target1-filescan.txt | grep -F 'TeamViewer10_Logfile.log

mkdir tvlog
vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 -D tvlog dumpfiles -n -u -Q
0x000000003fa2e2d8,0x000000003fa564e0,0x000000003fc9b038,0x000000003fd5bbb8
cat tvlog/*

We can see a connection to the Attacker’s IP address! On top of that, TeamViewer.exe is returned by the malfind plugin:

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 malfind | grep Pid

Answer: TeamViewer.exe

Question15: What IP address did they connect to?

It appears the attackers also used a built-in remote access method. The last result from cmdline, after the TeamViewer commands is for mstsc.exe, which is a built-in remote access method
(https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mstsc):

vol.py -f target1/Target1-1dd8701f.vmss —profile=Win7SP1x86_23418 cmdline

 If we look at the
netscan plugin for Established connections, the attackers connected to 10.1.1.21:

If we would want to find more information about these connections, then we could dump the Security evtx log, and look for event ID 4624: (https://ponderthebits.com/2018/02/windows-rdp-
related-event-logs-identification-tracking-and-investigation/)

Answer: 10.1.1.21

Machine: Target2 (Gideon’s PC)

Question1: What is Gideon's password?

It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. Using the cmdscan plugin:

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 cmdscan

The attacker used Windows Credential Editor with the -w flag again, but piped the output to file ‘w.tmp’. We can retrieve it by using the filescan and dumpfiles plugin:

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 filescan > target2-filescan.txt

cat target2-filescan.txt | grep -F 'w.tmp'
vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 dumpfiles -n -u -D . -Q 0x000000003fcf2798
cat file.None.0x85a35da0.w.tmp.dat

Answer: t76fRJhS
Question2: What password did they use?

Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful.

Previously, we found that the attackers stored the output of nbtscan.exe into a file named nbs.txt. This revealed that the IP Address of the Domain Controller is 10.1.1.2.

In the output of Target2’s console, we can see that the attackers logged into the DC (annotated in yellow) and compressed all text files into a rar archive named ‘crownjewlez.rar’:
The command used was rar a -hp123qwe!@# crownjewlez.rar .txt.

The switch -hp is used to encrypt both file data and headers. Therefore the password used was 123qwe!@# .

Answer: 123qwe!@#

Question3: What was the name of the RAR file created by the attackers?

As we saw above, the rar file was named crownjewlez.rar.

Answer: crownjewlez.rar

Question4: How many files did the attacker add to the RAR archive?

Since the files were stolen from the DC server, they are not accessible in the MFT or the filescan plugin. Instead, we can dump pid 3048 (which is the PID associated with the creation of the rar
archive).

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 memdump —pid 3048 -D .

strings -a -td 3048.dmp > 3048.txt
strings -a -td -el 3048.dmp >> 3048.txt
cat 3048.txt | grep -F 'crownjewlez.rar' -B 5 -A 5
From offset 35357324, we can see some text files that would have been added to the archive. To find all of them, we just need to grep more lines from this offset:

cat 3048.txt | grep "^35357324 " -B 10 -A 20

Only three files occur following this offset. To double check our findings, we can grep for the directory ‘\crownjewels\’ . In the console history, we saw that the attacker cd-ed into that directory,
and listed its contents.

cat 3048.txt | grep -F '\crownjewels\'

 The same three files appear in this directory.
We can safely confirm that only three text files were added to the rar archive.

Answer: 3

Question5: What is the name of the file associated with the scheduled task?

The attacker appears to have created a scheduled task on Gideon’s machine. Scheduled Tasks can be found in the Registry and under the \Tasks\ Directory:

cat target2-filescan.txt | grep -F '\Tasks\'

The files annotated in Yellow are quite suspicious, and are associated with malware (https://www.exterminate-it.com/malpedia/file/at1.job). We can dump them and examine their contents:

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003fc399b8,0x000000003fd05bd8

cat file.None.0x85a86af0.At1.dat
 The file being executed is 1.bat. Before looking at
the file, we do below

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 hivelist

 After finding
the offset, we can print the key for At1:

vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 printkey -o 0x8b267008 -K "Microsoft\Windows

NT\CurrentVersion\Schedule\Taskcache\Tree\At1"

This confirms that the Scheduled Task is up and running. Finally, we can dump the 1.bat file and check its contents:
cat target2-filescan.txt | grep -F '1.bat'
vol.py -f target2/target2-6186fe9f.vmss —profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003f427e50
cat file.None.0x83faf398.1.bat.dat

The Scheduled Task runs

Windows Credential Editor and dumps the plaintext passwords to w.tmp.

Answer: 1.bat

Machine: POS

Question1: What is the malware CNC's server?

First, we should find the which Pids are returned by the malfind plugin:

vol.py -f pos01/POS-01-c4e8f786.vmss —profile=Win7SP1x86_23418 malfind | grep Pid

Next, we can check the netscan plugin for these Pids, using egrep:

vol.py -f pos01/POS-01-c4e8f786.vmss —profile=Win7SP1x86_23418 netscan | egrep '1828|2200|3740|1836|2700|3376|2092|3208|3136'

All the IPs are local Ips, except for the connection to iexplorer.exe:

We can do a quick strings search for this IP address and see if it comes up again:
strings pos01/POS-01-c4e8f786.vmss | grep -F '54.84.237.92' -B 10 -A 10

The first
match is enough to confirm that it is the C2C server of the attacker. The attack follows the same pattern as the other machines.

Answer: 54.84.237.92

Question2:What is the common name of the malware used to infect the POS system?

In the previous question, we found that the malware was (very likely) to be distributed through an email. We can find the files offset using the filescan plugin, dump it and then check its md5
hash in Virus Total:

vol.py -f pos01/POS-01-c4e8f786.vmss —profile=Win7SP1x86_23418 filescan > pos01-filescan.txt

cat pos01-filescan.txt | grep -F 'allsafe_update'
vol.py -f pos01/POS-01-c4e8f786.vmss —profile=Win7SP1x86_23418 dumpfiles -D . -n -u -Q 0x000000003e7ab038
md5sum 'file.None.0x8559cf78.allsafe_update[1].exe.dat'
#returns 99349d277cc5bcb138f4239151fb8370

Microsoft flags (https://www.virustotal.com/gui/file/074adbc4e4778ba575e6781323e60bd51dca545222aefe3acebde6e53b6c39a3) the file as ‘PWS:Win32/Dexter.A‘, commonly known as

Dexter:

Answer: Dexter

Question3: In the POS malware whitelist. What application was specific to Allsafecybersec?

We can analyze the dumped executable to see how it operates:

peframe 'file.None.0x8559cf78.allsafe_update[1].exe.dat'
 Here is a list of files present in the executable.

There is only one potential match to Allsafecybersec – allsafe_protector.exe.

Answer: allsafe_protector.exe

Question4: What is the name of the file the malware was initially launched from?
We previously identified that the initial malware was ‘allsafe_update.exe ‘. The executable was found at:
\Device\HarddiskVolume2\Users\pos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NEQ2CLDX.

It was suggested that it was delivered through a link to the C2C server. We can use the iehistory for more information:

vol.py -f pos01/POS-01-c4e8f786.vmss —profile=Win7SP1x86_23418 iehistory

There are more than one records of this link.

Answer: allsafe_update.exe