PrintNightmare Challenge: Memory forensics and Network forensics (LetsDefend)

Q1 Looking through the alerts in Brim, what is the vulnerability name and its corresponding CVE?

If we open the Suricata rule file, we can see that the rule is related to PrintNightmare, alongside its CVE reference.

Q2 What is Attacker’s IP?

While looking through the alerts in Brim, we spot a request being made to an SMB share.

Q3 What is Attacker’s share path?

In the next alert we can see the file share that was being requested.

Q4 What is the name of the malicious DLL file hosted by the attacker?

We saw the DLL name in the same alert that showed the requested file share.

Q5 What is the sha256 hash of the DLL file?

We can see the MD5 hash of the DLL in the Brim alert where the file was downloaded.

Q6 What is the email address used for the self-signed SSL Certificate in the traffic?

Now, if we focus on the SSL-related alerts, we see an alert mentioning an email address, and we can also see how the certificate was signed.
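Brim indexes Zeek logs, so the artefacts asked for in Q2 to Q6 (the SMB share path, the DLL name, its hashes and the certificate email) all live in a handful of Zeek fields. The script below is an added example and not part of the original writeup or the LetsDefend capture: it parses Zeek-format `smb_files.log`, `files.log` and `x509.log` excerpts that are constructed here with placeholder values (RFC 5737 addresses, example.com names, dummy hashes) and trimmed to the fields needed, and pulls out exactly those artefacts.

```python
"""Pull the network-side artefacts (SMB share, DLL name, hashes, certificate
email) out of Zeek-format logs. Added example; not from the writeup or from
the LetsDefend capture. Every log excerpt below is constructed with
placeholder values (RFC 5737 addresses, example.com names, dummy hashes) and
trimmed to the fields needed here.
"""
import re

# Constructed smb_files.log excerpt: two files opened on a share hosted by
# 192.0.2.10 (placeholder for the attacker host).
SMB_FILES_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\taction\tpath\tname\n"
    "1625000000.000000\t10.0.0.5\t192.0.2.10\tSMB::FILE_OPEN\t\\\\192.0.2.10\\share\tEXAMPLE.dll\n"
    "1625000001.000000\t10.0.0.5\t192.0.2.10\tSMB::FILE_OPEN\t\\\\192.0.2.10\\share\treadme.txt\n"
)

# Constructed files.log excerpt with dummy hashes (Zeek fills md5/sha1/sha256
# when the corresponding hashing analyzers are enabled; '-' means unset).
DUMMY_MD5 = "0123456789abcdef" * 2
DUMMY_SHA256 = "0123456789abcdef" * 4
FILES_LOG = (
    "#fields\tts\tfuid\ttx_hosts\trx_hosts\tsource\tfilename\tmd5\tsha256\n"
    f"1625000000.500000\tF1\t192.0.2.10\t10.0.0.5\tSMB\tEXAMPLE.dll\t{DUMMY_MD5}\t{DUMMY_SHA256}\n"
    "1625000001.500000\tF2\t192.0.2.10\t10.0.0.5\tSMB\treadme.txt\t-\t-\n"
)

# Constructed x509.log excerpt: one self-signed certificate (subject == issuer)
# and one CA-issued certificate for contrast.
X509_LOG = (
    "#fields\tts\tid\tcertificate.subject\tcertificate.issuer\n"
    "1625000002.000000\tX1\temailAddress=attacker@example.com,CN=example.com,O=Example\t"
    "emailAddress=attacker@example.com,CN=example.com,O=Example\n"
    "1625000003.000000\tX2\tCN=update.example.net\tCN=Example CA,O=Example\n"
)


def parse_zeek_log(text):
    """Parse a tab-separated Zeek log into a list of dicts keyed by #fields."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # separator/types/open/close metadata lines
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError(f"malformed Zeek line: {line!r}")
        records.append(dict(zip(fields, values)))
    return records


def dll_requests(smb_records, remote_ip):
    """(share path, file name) for every DLL opened on a share on remote_ip."""
    return [
        (r["path"], r["name"])
        for r in smb_records
        if r["id.resp_h"] == remote_ip
        and r["action"] == "SMB::FILE_OPEN"
        and r["name"].lower().endswith(".dll")
    ]


def file_hashes(file_records, filename):
    """Hash fields Zeek recorded for filename, or None if the file was not seen."""
    for r in file_records:
        if r["filename"] == filename:
            return {k: r[k] for k in ("md5", "sha256") if r.get(k, "-") != "-"}
    return None


_EMAIL = re.compile(r"emailAddress=([^,]+)")


def self_signed_cert_emails(x509_records):
    """Email addresses embedded in certificates whose subject equals issuer."""
    emails = []
    for r in x509_records:
        if r["certificate.subject"] != r["certificate.issuer"]:
            continue
        m = _EMAIL.search(r["certificate.subject"])
        if m:
            emails.append(m.group(1))
    return emails


if __name__ == "__main__":
    print(dll_requests(parse_zeek_log(SMB_FILES_LOG), "192.0.2.10"))
    print(file_hashes(parse_zeek_log(FILES_LOG), "EXAMPLE.dll"))
    print(self_signed_cert_emails(parse_zeek_log(X509_LOG)))
```

On a real Brim export the same three lookups are `_path=="smb_files" name matches /\.dll$/`, `_path=="files" filename=="..."` and `_path=="x509"`; the subject-equals-issuer check is what distinguishes a self-signed certificate from one issued by a CA.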

Q7 What is the domain user used by the attacker to exploit the vulnerability?

In the Brim dashboard we can also see the timestamp associated with the alerts.

Q8 What is the exploit server’s hostname?

We can see the hostname in the same alert as the previous one.

Q9 What is the username created by the attacker for persistence?

Now we will move on to memory analysis using Mandiant Redline.

Q10 What is the event ID for user creation in Windows, and when was the user being created?

Whenever a user is created, event ID 4720 is generated in the Windows Security log. We search for that specific event ID in the EventID (EID) field.
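The same filter, scripted over an exported log, as an added example that is not from the writeup or from Redline. The records are a constructed list shaped like an EVTX-to-JSON export (user names and times are placeholders); besides listing every 4720, it correlates each new account with a following 4732 (member added to a security-enabled local group) so that an account that was created and immediately made an administrator stands out.

```python
"""Find account creation in an exported Windows Security log. Added example,
not from the writeup or from Redline; the records are a constructed list
shaped like an EVTX-to-JSON export (names and times are placeholders). In
Redline the equivalent is filtering the event log view on EID 4720.
"""
from datetime import datetime, timezone

EVENT_USER_CREATED = 4720              # "A user account was created"
EVENT_LOCAL_GROUP_MEMBER_ADDED = 4732  # "A member was added to a security-enabled local group"
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}

# Constructed sample records.
SECURITY_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2021-07-01T10:00:00Z",
     "Data": {"TargetUserName": "Administrator"}},
    {"EventID": 4720, "TimeCreated": "2021-07-01T10:05:12Z",
     "Data": {"TargetUserName": "newuser1", "SubjectUserName": "Administrator"}},
    {"EventID": 4732, "TimeCreated": "2021-07-01T10:05:13Z",
     "Data": {"MemberName": "newuser1", "TargetUserName": "Administrators",
              "SubjectUserName": "Administrator"}},
    {"EventID": 4720, "TimeCreated": "2021-06-20T08:00:00Z",
     "Data": {"TargetUserName": "jdoe", "SubjectUserName": "Administrator"}},
]


def parse_time(value):
    """Parse the UTC timestamp format used in the constructed records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def user_creations(events):
    """Every 4720 event as (when, new user, creating account), oldest first."""
    hits = [
        (parse_time(e["TimeCreated"]), e["Data"]["TargetUserName"],
         e["Data"].get("SubjectUserName", "?"))
        for e in events if e["EventID"] == EVENT_USER_CREATED
    ]
    return sorted(hits)


def privileged_additions(events, window_seconds=60):
    """New accounts added to a privileged local group within window_seconds of creation.

    Real 4732 records often carry the member only as MemberSid (MemberName is
    '-'); resolve the SID to a name before matching in that case.
    """
    created = {user: when for when, user, _ in user_creations(events)}
    out = []
    for e in events:
        if e["EventID"] != EVENT_LOCAL_GROUP_MEMBER_ADDED:
            continue
        member, group = e["Data"].get("MemberName"), e["Data"]["TargetUserName"]
        if member in created and group in PRIVILEGED_GROUPS:
            delta = (parse_time(e["TimeCreated"]) - created[member]).total_seconds()
            if 0 <= delta <= window_seconds:
                out.append((member, group))
    return out


if __name__ == "__main__":
    for when, user, by in user_creations(SECURITY_EVENTS):
        print(f"{when.isoformat()}  {user} created by {by}")
    print("privileged within 60s:", privileged_additions(SECURITY_EVENTS))
```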

Q11 What process name is used to establish the shell connection between the attacker’s machine and the Windows server? and what is the listening port on the attacker’s machine?

We will now analyze the processes and their network status to determine the process responsible for giving the attacker RCE.
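The process-to-connection correlation described here, as an added example that is not Redline's output. Both tables are constructed to resemble what Redline shows in its Processes and Ports views; spoolsv.exe appears in the sample because PrintNightmare loads the attacker's DLL inside the print spooler service, 192.0.2.10 and port 8443 are placeholders for the attacker host and listener, and the real answer has to come from the memory image. Besides matching connections to a known attacker IP, it flags any service binary holding an established connection outside the local network, which is the generic version of the same check.

```python
"""Correlate a process list with network connections to find the process that
holds the shell connection. Added example, not Redline's output: both tables
are constructed to resemble Redline's Processes and Ports views. spoolsv.exe
appears because PrintNightmare loads the attacker's DLL inside the print
spooler service; 192.0.2.10 and port 8443 are placeholders.
"""
PROCESSES = [
    {"pid": 4, "ppid": 0, "name": "System"},
    {"pid": 632, "ppid": 520, "name": "services.exe"},
    {"pid": 1824, "ppid": 632, "name": "spoolsv.exe"},
    {"pid": 3016, "ppid": 632, "name": "svchost.exe"},
]

CONNECTIONS = [
    {"pid": 4, "proto": "tcp", "local": ("0.0.0.0", 445), "remote": ("0.0.0.0", 0), "state": "LISTENING"},
    {"pid": 3016, "proto": "tcp", "local": ("10.0.0.5", 49680), "remote": ("10.0.0.1", 445), "state": "ESTABLISHED"},
    {"pid": 1824, "proto": "tcp", "local": ("10.0.0.5", 49731), "remote": ("192.0.2.10", 8443), "state": "ESTABLISHED"},
]

# Service binaries that should not hold outbound connections to arbitrary hosts.
SERVICE_BINARIES = {"spoolsv.exe", "services.exe", "lsass.exe", "winlogon.exe"}


def process_name(processes, pid):
    """Name of the process with this pid, or None if it is not in the listing."""
    return next((p["name"] for p in processes if p["pid"] == pid), None)


def connections_to(processes, connections, remote_ip):
    """(process name, pid, remote port) for every established connection to remote_ip."""
    return [
        (process_name(processes, c["pid"]), c["pid"], c["remote"][1])
        for c in connections
        if c["state"] == "ESTABLISHED" and c["remote"][0] == remote_ip
    ]


def suspicious_outbound(processes, connections, local_prefix="10.0.0."):
    """Established connections from service binaries to hosts outside local_prefix."""
    return [
        (process_name(processes, c["pid"]), c["remote"])
        for c in connections
        if c["state"] == "ESTABLISHED"
        and not c["remote"][0].startswith(local_prefix)
        and process_name(processes, c["pid"]) in SERVICE_BINARIES
    ]


def ancestry(processes, pid):
    """Process names from pid up to the root, following ppid links."""
    by_pid = {p["pid"]: p for p in processes}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["name"])
        pid = by_pid[pid]["ppid"]
    return chain


if __name__ == "__main__":
    for name, pid, port in connections_to(PROCESSES, CONNECTIONS, "192.0.2.10"):
        print(f"{name} (pid {pid}) -> attacker port {port}; parents: {ancestry(PROCESSES, pid)}")
    print("service binaries talking outside the LAN:", suspicious_outbound(PROCESSES, CONNECTIONS))
```

The remote port of the established connection is the listener on the attacker's machine, which is what the second half of Q11 asks for.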

Q12 The attacker used a famous post-exploitation framework to create the DLL file and establish the shell connection to the Windows server, what is the payload the attacker used?

The hint said that the attacker used a famous post-exploitation framework, and Metasploit came to mind. I opened my Kali and listed all available payloads using msfvenom, then grepped for payloads under the Windows platform using the HTTPS protocol, since we know SSL certificates were also present as an artifact, so an HTTPS payload was used.

Q13 The attacker left a text file for the user Administrator, can you find what the filename is?

We go to the file system in Redline and look at the files present under the Administrator user directory. We see a text file in the Documents folder.
