Red Team Tools 2 (FireEye Breach) LetsDefend DFIR Challenge
This investigation case is about the FireEye red team tools breach. FireEye is one of the largest cybersecurity firms in the world. In December 2020 FireEye publicly disclosed that they had been breached, and for a long time at that. The adversaries stole many zero-day exploit kits and many red teaming tools that were not publicly available and were created solely for FireEye's own red teaming activities. After disclosing the breach, FireEye also published IOCs in order to stop the malicious usage of the leaked tools. This is the GitHub repo that contains the detection rules, IOCs, etc.
Honeypots are devices in a network that behave like every other machine but are usually set up to trap an intruder. Our (LetsDefend network) honeypot device has been hacked. We are given only the hostname of the endpoint (the honeypot).
LetsDefend has a built-in SOC system containing all the logs, case handling, investigation and event management, endpoint visibility, etc.
We can look up the IP of the endpoint named Alex-HP.
The IP is 172.16.17.55.
Q1 What is the command & control IP address?
We can search the logs by source address and see all the IPs it has communicated with.
We can see all the IPs it has contacted and the logs associated with them.
The first IP resolves to a suspicious domain name.
We search it on VirusTotal and it is flagged.
But the question asks for the IP of the C2 server: the IP 35.189.10.17 is not flagged but the domain name is, so it is probably the phishing domain, and it keeps changing the IP it resolves to.
Some IPs resolve to domains like Google, YouTube and Wikipedia, but the last two IPs, 221.181.185.200 and 120.79.181.138, are both malicious. Notice the date gap between the two sets of logs: the second malicious IP was probably acting as a backup C2 server in case the first one fails, which it does four months after the incident.
To confirm, we can go to Endpoint Management and look at the commands executed on the endpoint, which show that executables were downloaded from the IP we are looking into.
Answer : 221.181.185.200
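As an added illustration of the log reasoning above (this is example code, not part of the original writeup or of LetsDefend's platform), the Python below takes connection logs for the endpoint, summarises every destination it contacted, and measures the date gap between contacts with the flagged IPs, which is how a primary C2 and a later backup C2 show up. The log lines and the IOC set are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample connection logs for the honeypot endpoint (not real challenge data).
# Format: "<timestamp> <src_ip> -> <dst_ip>"
SAMPLE_LOGS = """
2020-12-10T09:12:01 172.16.17.55 -> 142.250.74.46
2020-12-10T09:15:44 172.16.17.55 -> 221.181.185.200
2020-12-11T14:03:19 172.16.17.55 -> 35.189.10.17
2020-12-12T08:40:00 172.16.17.55 -> 221.181.185.200
2021-04-15T11:22:37 172.16.17.55 -> 120.79.181.138
2021-04-16T11:23:01 172.16.17.55 -> 120.79.181.138
"""

# Stand-in IOC set for the two destinations the writeup found flagged (hypothetical list).
KNOWN_BAD = {"221.181.185.200", "120.79.181.138"}

def parse_logs(text):
    """Return (timestamp, src, dst) tuples from the constructed log format."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, _arrow, dst = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst))
    return rows

def contacts_by_destination(rows, src_ip):
    """Summarise every destination one source host talked to: count, first and last seen."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for ts, src, dst in rows:
        if src != src_ip:
            continue
        entry = summary[dst]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(summary)

def c2_timeline(summary, iocs):
    """Order flagged destinations by first contact and give the gap in days between the
    last contact of one and the first of the next; a long gap points to a backup C2."""
    flagged = sorted(((d, s) for d, s in summary.items() if d in iocs),
                     key=lambda item: item[1]["first"])
    timeline = []
    for i, (dst, stats) in enumerate(flagged):
        gap = None
        if i + 1 < len(flagged):
            gap = (flagged[i + 1][1]["first"] - stats["last"]).days
        timeline.append({"ip": dst, "count": stats["count"], "gap_days_to_next": gap})
    return timeline
```

Unflagged destinations such as 35.189.10.17 stay in the per-destination summary for manual review but are left out of the C2 timeline.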
Q2 Can you find out which country the attack was from?
We can use a WHOIS lookup on the IP.
Answer : China
Q3 Can you find the name of the tool the attacker used to gather information about the system?
This one took some time. The hint says to use our OSINT skills. Since this investigation is based on the tools stolen in the FireEye breach, the attacker must be using tools from that set.
We search on Google for the FireEye breach.
This blog lists all the red team tools leaked in the breach.
Since we saw that services.exe was downloaded from the C2 server, we can look at the process creation list on the endpoint.
We can see the sub-processes spawned by services.exe. In the blog mentioned above we find a tool called WMIspy, which was also leaked and makes use of WMI classes.
Answer : WMIspy
Q4 What is the name of the query language used to collect information about the system?
We Google the query language used by WMI on Windows.
Answer : WQL
Q5 We detected that a new user has been created on the device. Can you find this user’s password?
We go to Endpoint Management and look at the commands executed on the device.
Answer : H4rd2Cr4ck!.
Q6 Can you find the name of the tool used for privilege escalation?
This one is also tough. There are over 40 leaked tools and many of them are used for privilege escalation. How can we find the one used by the attacker with the little endpoint visibility we have?
In the command history we see a command that echoes the logon server (the LOGONSERVER environment variable).
Upon Googling, we see that this command prints the domain controller that authenticated the currently logged-on user. This verifies that our breached environment is an Active Directory network.
Now we can slim down our list of leaked tools, which leaves only one vulnerability related to AD.
Answer : SharpZeroLogon
Q7 Can you write the CVE code (CVE-XXXX-XXXX) of the vulnerability used during privilege escalation?
Answer : CVE-2020-1472