Pre5 Forensics (CyberHackathon 23 Online Qualifiers)
We are provided with event logs and registry hives as artifacts.
I started by parsing the event logs with EvtxECmd and the registry hives with REcmd. This gives us the data in a timeline format.
Let's start analysing.
Question 1: What was the name of the script that ran on the machine?
To find the script name, let's open the CSV containing the event log timeline. The first event shows a PowerShell script.
To confirm, let's view the PowerShell Operational event log in Event Viewer.
We can confirm this further from the RecentDocs registry artifact.
Also note down the timestamp at which the script was executed, as it will help later in the investigation.
Answer: Freemoney.ps1
Question 2: Which service was used to connect the machine to other devices? [Note: Capital Letters]
To find this, let's look at the events surrounding the time the script was executed.
We see that an RDP connection was made to a server at 192.168.1.4. To corroborate this, we can analyse the Terminal Server Client key in the user's NTUSER.DAT hive, which records the hosts this user connected to over RDP.
The location of this key is
NTUSER.DAT\SOFTWARE\MICROSOFT\TERMINAL SERVER CLIENT
We see that the host 192.168.1.4 was connected to using the username Work.
Answer: RDP
Question 3: What IP address did the machine try to connect to?
We already established this in the previous question.
Answer: 192.168.1.4
Question 4: We think the script hid a command to be executed later. Can you find that command? [Note: Keep Spaces]
This question was the one everyone struggled with. Our team T3M4n6 was the first team to solve this question and the challenge. Unfortunately, the rest of the teams also completed it a bit later and shared the flags with other teams, but we still remained on top.
Anyway, let's start the analysis. Let's open the registry timeline.
This is the context we have so far. The question asks which command was hidden by the script, meaning we have to find the persistence mechanism the script installed. Logically, it would have been created after the script executed, so let's scroll forward from that timestamp and look at the events.
This specific event caught my eye.
What this event means is that regedit was used to edit the above registry key. This is suspicious: a key being edited some time after a malicious script ran on the system is a red flag.
Then I visited that registry key to see whether I had hit the jackpot. I opened the SOFTWARE hive in Registry Explorer and navigated to the location.
The last entry looked suspicious to me.
We see that this command was added; it executes a C2 beacon/reverse shell residing in the Temp directory. The persistence works by having this command executed whenever the system boots.
Answer: netsh add helper C:\Users\Work\AppData\Local\Temp\h1dd3nshell.exe
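As an added example (not part of the original writeup, and not the tools' own code), here is a Python sketch of the triage logic used in Question 4: take the script's execution timestamp from Question 1, walk registry writes made shortly after it, and flag value data that registers a netsh helper or points into a user-writable directory. The CSV column names and the Run key in the constructed sample are assumptions; the writeup does not show REcmd's real schema or which key held the command.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Constructed sample rows in the shape of a registry timeline export. The
# column layout and the Run key are assumptions, not taken from the challenge.
SAMPLE_TIMELINE = """\
Timestamp,KeyPath,ValueName,ValueData
2023-09-10 10:02:11,HKU\\Work\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers\\192.168.1.4,UsernameHint,Work
2023-09-10 10:05:40,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,C:\\Program Files\\Vendor\\updater.exe
2023-09-10 10:06:02,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,svc,netsh add helper C:\\Users\\Work\\AppData\\Local\\Temp\\h1dd3nshell.exe
2023-09-09 18:00:00,HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Old,netsh add helper C:\\Users\\Work\\AppData\\Local\\Temp\\old.exe
"""

# Indicators from the writeup: a netsh helper registration, and a binary in %TEMP%/AppData.
NETSH_HELPER = re.compile(r"\bnetsh\b.*\badd\s+helper\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\", re.IGNORECASE)

def parse_timeline(text):
    """Parse the CSV export, adding a datetime under 'ts' for each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["Timestamp"], "%Y-%m-%d %H:%M:%S")
        rows.append(row)
    return rows

def flag_after_script(rows, script_time, window=timedelta(hours=1)):
    """Return registry writes inside `window` after the script ran whose value
    data registers a netsh helper or points into a user-writable path."""
    hits = []
    for row in sorted(rows, key=lambda r: r["ts"]):
        if not script_time <= row["ts"] <= script_time + window:
            continue  # writes before the script (or long after) are out of scope
        reasons = []
        if NETSH_HELPER.search(row["ValueData"]):
            reasons.append("netsh helper registration")
        if USER_WRITABLE.search(row["ValueData"]):
            reasons.append("executable in user-writable path")
        if reasons:
            hits.append((row["ts"], row["KeyPath"], row["ValueName"], row["ValueData"], reasons))
    return hits

def find_hits(timeline_text, script_time_str):
    """script_time_str is the execution timestamp noted down in Question 1."""
    script_time = datetime.strptime(script_time_str, "%Y-%m-%d %H:%M:%S")
    return flag_after_script(parse_timeline(timeline_text), script_time)

HITS = find_hits(SAMPLE_TIMELINE, "2023-09-10 10:00:05")  # only the 'svc' value is flagged
```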