Chris Long

9 minute read

Question 31

What is the name of the user that was created after the endpoint was compromised?

I have no idea what “the endpoint” is referring to here, so basically I’m stuck looking for anything user-creation related.

I wish I could tell you I had some surefire way of finding the answer, but here’s how I solved this one. I started with this query becuase it captured any event that had both “user” and “add”:

index=botsv3 earliest=0 "add" "user"

I noticed there were some strings and sourcetypes I could filter out:

index=botsv3 earliest=0 "add" "user" NOT "Network Connected Devices Auto-Setup" NOT ec2-user sourcetype!="stream:mysql"

That left me with 64 events. I went through them one at a time finding some malicious powershell (no user creation) and eventually seeing a net user /add event on FYODOR-L. I tested that username as the answer and it was correct!

Question 31 answer:


Question 32

What is the process ID of the process listening on a “leet” port?

I’m pretty sure the port here is going to be “1337” or “31337”. I know osquery has a “listening_ports” table, so I’m hopeful I’ll see the results there! I’m going to start narrow and fan out if that doesn’t pay off:

index=botsv3 earliest=0 sourcetype=osquery:results name=*port* (31337 OR 1337)

Jackpot! One event shakes out from that search, and it contains our answer in the columns.pid field

Question 32 answer:


Question 33

A search query originating from an external IP address of Frothly’s mail server yields some interesting search terms. What is the search string?

First of all, let’s see if we can figure out what the mail server is (we remember seeing some O365 being used) and what exactly is being queried.

I start by using tstats to see if I can figure out which host might be the mail server, but noting sticks out:

|tstats count where index=botsv3 by host

I decide to check if there’s still an MX record for froth.ly:

$ dig -t mx froth.ly

;; ANSWER SECTION:
froth.ly.		3599	IN	MX	0 froth-ly.mail.protection.outlook.com.

$ host froth-ly.mail.protection.outlook.com.
froth-ly.mail.protection.outlook.com has address 104.47.38.36

Like we suspected, it’s O365. I assume O365 doesn’t provide a single IP address and uses some form of load blanacing, so it’s weird to think about “the external IP address of Frothly’s mail server” in this context.

However, it’s possible there’s multiple mail servers. I do a search for postfix OR exim OR dovecot OR sendmail and notice the sourcetype of stream:smtp is primarily tied to the matar host. However, I keep in mind that maybe Matar is a host set up as a network monitor.

I start to hit a wall and decide to broaden my search to anything that might be in the 104.47.0.0/16 netblock using Splunk’s auto-CIDR expansion

index=botsv3 earliest=0 src_ip=104.47.0.0/16

Looking at the source field, I see two sharepoint related sources that don’t seem to match the others, so I pull them up and investigate further:

index=botsv3 earliest=0 src_ip=104.47.0.0/16 source=https*

I immediately see Operation: SearchQueryPerformed in both of them, and think that maybe I’m on the right track. It doesn’t seem to list the exact search query, but there’s a field called “CorrelationId”, so maybe other events share that ID to help you correlate multiple events together!

index=botsv3 earliest=0 b464754d-de35-47e8-e6e2-08d5f269decb OR 1d34d528-3afc-4eca-75e0-08d5f269bff0

This doesn’t seem to return any additional information, so I’m going to narrow down the search timeframe between these events and maybe we can find the search in Sharepoint logs or something similar.

index=botsv3 searchquery
Time: Between 8/20/2018 4:27:57.000 and 8/20/2018 4:28:49.999

There are two events in the o365:management:activity and the answer lies in the Parameters{}.Value field

Question 33 answer:


Question 34

What is the MD5 value of the file downloaded to Fyodor’s endpoint system and used to scan Frothly’s network?

Oooh, I love looking for network scanning in logs. Things we can look for:

  • Outbound connections to numerous ports
  • Outbount connections to numerous hosts

Let’s see if we have the network traffic to do this. There’s quite a bit captured in the stream:* sourcetype, so I think that might be a good one to operate on. Plus, we know the source host! Sysmon may also be a huge help here if it’s capturing network connections.

I’ll start with Sysmon because it would provide the process<->network traffic mapping immediately:

index=botsv3 earliest=0 host="FYODOR-L" source="WinEventLog:Microsoft-Windows-Sysmon/Operational"

Awesome, looks like we have Sysmon logs and they include network traffic. Let’s try to isolate the scanning by counting the number of distinct ports hit by Image:

index=botsv3 earliest=0 host="FYODOR-L" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" 
| stats dc(DestinationPort) as DestinationPortDistinctCount by host, Image 
| sort - DestinationPortDistinctCount

There’s one program that stands out here. Let’s find the MD5 hash for it:

index=botsv3 earliest=0 host="FYODOR-L" source="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\\Windows\\Temp\\hdoor.exe" | table Hashes

Question 34 answer:


Question 35

Based on the information gathered for question 304, what groups was this user assigned to after the endpoint was compromised? Answer guidance: Comma separated without spaces, in alphabetical order.

NOTE: CONTAINS SPOILERS FOR QUESTION 31

Since we know the username already, it should be fairly simple to enumerate which groups this account got added to. Boy, I hope I don’t regret saying that so early.

The Windows Event Log contains EventCode 4732 for members being added to security-enabled local groups. Let’s start by enumerating that, but we may have to expand if there were non-local groups that this account was added to as well.

index=botsv3 earliest=0 svcvnc EventCode=4732

We see two groups. I’m going to test that as my answer – and it works!

Question 35 answer:


Question 36

At some point during the attack, a user’s domain account is disabled. What is the email address of the user whose account gets disabled and what is the email address of the user who disabled their account? Answer guidance: Comma separated without spaces, in alphabetical order. (Example: jdoe@mycompany.com,tmiller@mycompany.com)

Same strategy here. Let’s find the event code for accounts being disabled, because I don’t know it off the top of my head.

index=botsv3 earliest=0 sourcetype=wineventlog account disabled

OOF, way too many events. I’m going to google: windows event log account disabled

The always helpful ultimatewindowssecurity.com resource shows EventCode 4725 is for accounts being disabled.

Oddly enough, I don’t see a hit for index=botsv3 earliest=0 EventCode=4725

I go back to the website, and notice this tiny message:

You will also see event ID4738 informing you of the same information.

Good to know! index=botsv3 earliest=0 EventCode=4738

This 1 event doesn’t seem to be the answer. The presence of email addresses in the question makes me think this might be AzureAD or something. I’m going to search for more.

I search a bit more and see some events from the ms:aad:signin sourcetype showing an account is disabled. I think aad probably stands for Azure Active Directory. From these events, we know which account was disabled, so let’s work backwards from here:

index=botsv3 earliest=0 sourcetype="ms:*" bgist@froth.ly disable

The person who did the disabling is in the actor.userPrincipalName field. We can now combine these two email addresses into an answer:

Question 36 answer:


Question 37

Another set of phishing emails were sent to Frothly employees after the adversary gained a foothold on a Frothly computer. This malicious content was detected and left behind a digital artifact. What is the name of this file? Answer guidance: Include the file extension. (Example: badfile.docx)

I decide to search for things flagged as a virus or malicious, knowing I’m looking for email related data:

index=botsv3 earliest=0 virus OR malicious

I see this string in an email content body: Umm doesn't open. Looks like it has a virus? WTF dude? and it’s sent from Peat Cerf <pcerf@froth.ly>.

Looks like Mallory also attempts to open it:

-----Original Message-----
From: Mallory Kraeusen=20
Sent: Wednesday, July 25, 2018 6:42 PM
To: Billy Tun <btun@froth.ly>; Bruce Gist <bgist@froth.ly>
Cc: Bud Stoll <bstoll@froth.ly>
Subject: RE: Wild Birthday Extravaganza!!!

Wait....there's no photos?

-----Original Message-----
From: Billy Tun=20
Sent: Wednesday, July 25, 2018 6:35 PM
To: Mallory Kraeusen <mkraeusen@froth.ly>; Bruce Gist <bgist@froth.ly>
Cc: Bud Stoll <bstoll@froth.ly>
Subject: RE: Wild Birthday Extravaganza!!!

Hey Mallory/Bruce,

This looks like a bad link. I've copied Bud for awareness since it looks li=
ke your email might have been pwned.=20


-----Original Message-----
From: Mallory Kraeusen=20
Sent: Wednesday, July 25, 2018 6:33 PM
To: Bruce Gist <bgist@froth.ly>; allhands <allhands@froth.ly>
Subject: RE: Wild Birthday Extravaganza!!!

OMG that was so fun bruce. Clicking!

I’m not going to lie, I spent a lot of time running in circles on this question and I eventually somewhat bruteforced the answer. I did so by enumerating all the Symantec Threat Detection events, regexing out the filename and threat name, and seeing if any of those worked:

index=botsv3 earliest=0 SourceName="Symantec AntiVirus" EventCode=51 
| rex field=Message "Security Risk Found\!\s(?<threat>[^\s]+)" 
| rex field=Message "in File\:\s(?<filename>[\S\s]+)\sby\:" 
| table threat, filename 
| search filename!=*.partial

There’s one file in those set of results that don’t match the others, and after removing the [66] from the filename, it works!

Not thrilled with my answer to this question.

Question 37 answer:


Question 38

Based on the answer to question 310, what is the name of the executable that was embedded in the malware? Answer guidance: Include the file extension. (Example: explorer.exe)

Let’s look for process chain information, ideally found in the Sysmon data:

index=botsv3 earliest=0 sysmon *.xlsm

This returns only 2 events. We can see the TargetFilename is the answer to question 37 and the name of the executable being run is in the Image field.

Question 38 answer:


Question 39

How many unique IP addresses “used” the malicious link file that was sent?

Ugh, another vague question. Are we talking about source addresses or destination addresses? What does “used” mean here? Let’s see if we can dig this up in Sysmon as well. We know it’s probably a .lnk file.

After digging a bit on what I believe to be the malicious .lnk (based off of email chains I dug up). I see a reference to AnonymousLinkUsed in the o365:management:activity sourcetype. I guess maybe that’s what was meant by “used” in the question? I’ll try iterating on that.

index=botsv3 earliest=0  Operation=AnonymousLinkUsed sourcetype="ms:o365:management" 
| stats dc(ClientIP)

I check, and that’s it!

Question 39 answer:


Question 40

What port number did the adversary use to download their attack tools?

Yeah, the “one” adversary in this entire dataset :-P

Honestly, keeping track of the adversaries in this organization is like trying to name all the fish in the ocean.

To me, this question implies a non-standard port, but maybe not. I’ve come to really like the stream:* sourcetypes, so I’ll focus my search there.

I decide to try out the “rare” ports in that dataset:

index=botsv3 earliest=0 sourcetype=stream:* protocol_stack!=*udp* | rare dest_port

The first 7 seem pretty odd, so I’ll see what’s going on with those ports:

index=botsv3 earliest=0 sourcetype=stream:* protocol_stack!=*udp* (
dest_port=50504 
OR dest_port=22790 
OR dest_port=3333 
OR dest_port=40552 
OR dest_port=8088 
OR dest_port=1025 
OR dest_port=1080
)

I manually start scanning the events and notice something weird about the port one: it’s a Powershell useragent pulling down a png from /images/logos.png. Why would that happen under normal circumstances?

I test out that port as the answer, and ca-ching!

Question 40 answer

comments powered by Disqus