Open in app

Sign in

Write

Sign in

PrintNightmare Challenge: Memory forensics and Network forensics (LetsDefend)

CyberJunnkie
6 min readOct 26, 2022

Today i will be solving printnightmare challenge in which we are provided with network capture and an memory image to analyse. We will use Brim and Redline to uncover exploitation of CVE-2021–34527 in internal network. This challenge is available for free on letsdefend platform.

We have a document giving instructions how to setup brim. We are also provided with a suricata rule file and a pcap file and a redline memory image. we will add pcap and suricata rule in brim to view co related alerts

We need to download brim to analyze pcapng file to identify malicious alerts to answer some questions

Q1 Looking through the alerts in Brim, what is the vulnerability name and its corresponding CVE?

If we open suricata rule file, we can see the rule is related to printnightmare alongside its cve reference

Answer : {PrintNightmare, CVE-2021–34527}

Q2 What is Attacker’s IP?

While seeing alerts in brim , we spot a request being made to smb shares

we can see that 10.10.10.4 is connecting to 10.10.10.2 on smb port. Now first thing which comes in our mind is that .4 address is of attacker and its enumerating .2 file share, but if we see the alert reason , it says that a request for a dll file is being made by 10.10.10.4 from 10.10.10.2 , which means that attacker is already on the victim host (10.10.10.4) and is requesting a possible malicious dll from attacker hosted file share (\\10.10.10.2\). More on this in next question

Answer : {10.10.10.2}

Q3 What is Attacker’s share path?

In next alert we can see the file share which was being requested

Answer {\\10.10.10.2\share}

Q4 What is the name of the malicious DLL file hosted by the attacker?

We saw the dll name in the same alert which showed requested file share

we can also verify succesfull download of the dll in another alert

Answer {notsostealthy.dll}

Q5 What is the sha256 hash of the DLL file?

We can see md5 hash of the dll from brim alert where file was downloaded

We can lookup this into virustotal to see the detection rate and get its sha256 hash

Answer {fa1ee835869ea97559359568043aea3a52508b360cfc5195a3d7fbb60cef55a5}

Q6 What is the email address used for the self-signed SSL Certificate in the traffic?

Now if we focus on ssl related alerts , we see an alert mentioning email address and we also see how the certificate was signed

Self signed certificates should always be looked into, as they don’t come from a trusted source most of the time .

Answer {override@shields.mertz.net}

Q7 What is the domain user used by the attacker to exploit the vulnerability?

In brim dashboard we can also see timestamp associated with the alerts

The alerts are not sorted with timestamp order , but since we have very limited alert we can easily figure out alerts order

This alert is one of the first recorded one , before the dll download one. Attacker authenticated as Domain user of Jesse.Harmon and got access to the victim machine

We can see the domain name and domain user too

Answer {BELLYBEAR\Jesse.Harmon}

Q8 What is the exploit server’s hostname?

We can see hostname in the same alert as previous

Answer {WIN-FLO4EU2VMSM}

Q9 What is the username created by the attacker for persistence?

Now we will move towards memory analysis using Mandiant Redline

Now if we see the users present on the system at time of memory dump , we can see only 1 user other than “Jesse Harmon” user. Rest of users are domain service accounts and local service accounts

Answer {hacker}

Q10 What is the event ID for user creation in Windows, and when was the user being created?

Whenever a user is created, an event ID 4720 is generated in windows security log. We search for that specific event id in EventID(EID) field .

We get 5 matching events , some of them were for service accounts and legit user jesse, the hacker user was in the latest event of user creation

Answer {4720, 2021–08–16 19:31:46Z}

Q11 What process name is used to establish the shell connection between the attacker’s machine and the Windows server? and what is the listening port on the attacker’s machine?

We will now analyze processes and their network status to determine the process responsible for allowing RCE to attacker

This will be easy since we already have an IOC (Attacker Internal IP address)

We found that attacker used a malicious dll as part of exploiting PrintNightmare vulnerability , in windows rundll32 is responsible for executing dll’s and managing its handles.

Answer {rundll32.exe, 443}

Q12 The attacker used a famous post-exploitation framework to create the DLL file and establish the shell connection to the Windows server, what is the payload the attacker used?

Hint said that attacker used a famous post exploitaion framework and metasploit came in my mind. I opened my kali and listed all available payloads using msfvenom and grepped for payloads under windows platform and using https protocol since we know ssl certificates were also present as an artifact so an https payload was used

Answer {windows/x64/meterpreter/reverse_https}

Q13 The attacker left a text file for the user Administrator, can you find what the filename is?

We go to file system in redline and see files present under Administrator user directory. We see a text file in Documents folder

Answer {This-is-really-a-nightmare.txt}

Dfir
Cybersecurity
Blue Team
Memory Forensics
Vulnerability

--

--

CyberJunnkie

Written by CyberJunnkie

258 Followers

Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻

Help

Status

About

Careers

Blog

Privacy

Terms

Text to speech

Teams