System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity…

Windows Forensics Analysis: Analyzing Forensics Artifacts to Uncover System compromise and RDP lateral movement

Hello Blue Teamers. I created another challenge on the LetsDefend platform. This challenge is about Windows forensics and how to parse and analyze various important artifacts to determine the full cyber kill chain, from delivery to lateral movement.

Scenario

Investigation

We have a disk image with the .ad1 extension (the FTK Imager custom content image format).

We first need to mount it on our computer; then we will be able to see all the files inside it. We will do this via FTK Imager.

First select the File menu and click Mount Image; a prompt window will open to select the image file.

Then click Mount to mount the disk image. It will display the mount location.

Now go to File Explorer and open the mounted disk.

Now we can browse and see all the files that were included in this image. For this exercise I created a custom image that only includes the artifacts relevant to the challenge, to keep the disk image as compact as possible.

All the artifacts can be analyzed on Windows, since most of Eric Zimmerman's tools are Windows binaries. However, two artifacts need Python tools; that can also be done on Windows by installing Python, but I will be using Linux for those two since it already has Python set up. Run all tools as administrator.

Q1: Initial access was made through a malicious document delivered through email. What was the full path where the document was downloaded?

So a document was delivered to an end user, and the question wants us to find the path where it was downloaded. Shellbags store the folders the user visited via File Explorer, so they are a good place to look.

We will use the ShellBagsExplorer tool by Eric Zimmerman to analyze shellbags.

We click Load offline hive and select the UsrClass.dat file, which contains the relevant artifact.

The path for UsrClass.dat is C:\Users\CyberJunkie\AppData\Local\Microsoft\Windows\UsrClass.dat

So we found the user's Downloads location, and since we know the doc was delivered via mail, we spotted MailDownloads.

Answer : C:\Users\CyberJunkie\Downloads\MailDownloads

Q2: What's the document name?

So we know that the document was opened by the user, since that's what caused the system compromise. The document was deleted after the stager was downloaded, as stated in the hints. Evidence of this document can also be found in one or two other artifacts, but I wanted to focus on the Recycle Bin artifact. We can see a $IW… file with a .docx extension but can't open it. We can use another tool called RBCmd from Eric Zimmerman, which parses Recycle Bin files.

The command is simple: RBCmd.exe -f "Path of the $I file"

And we see the file name and the deletion time of the file.

Answer : SecurityAwareness.docx

Q3: What's the stager name which connected to the attacker's C2 server? (FullPath\name)

To find the name of the stager, we must find evidence of execution. We could find the filename from the prefetch artifacts using the prefetch parser tool.

However, we will focus on the Amcache artifact. We can use the AmcacheParser tool to grab data from it. Amcache was originally intended for backward compatibility, and it stores the path of executed files along with some other metadata.

Again the tool syntax is the same as above.

This produced four or five CSV files.

We will focus on the last one, the unassociated file entries, which lists all the files that were run and were cached here.

We autosize the Excel columns for a better view, and here we can see the available info.

After scrolling we spot a suspicious file named SecurityPatch.exe.

We also get a wealth of info, like the hash of the file. We don't get any hit for our malicious file, although it was a Metasploit stager.

Answer : C:\USERS\CYBERJUNKIE\DESKTOP\SecurityPatch.exe

Q4 : Attacker manipulated MACB Timestamps of the stager executable to confuse Analysts. Analyze the timestamps of the stager and verify the original timestamp and tampered one. ({ORIGINAL TIMESTAMP : TAMPERED TIMESTAMP})

Now I will shift to my Kali Linux box to analyze the artifact there, but you can do it on Windows too if you have Python installed.

The file we want to analyze is the $MFT (master file table), which holds a record for every file and directory on the filesystem.

We first need to remove the attributes from the $MFT file to be able to analyze it (this can be done from the Windows cmd prompt). Then rename the file to MFT (remove the $ sign).

We run the tool.

Now we will open the resulting CSV file in Excel to look at it.

It's a lot of data, and since we want to analyze the timestamps of the stager, we can search for its name.

Now we scroll and compare timestamps. It's better to freeze the top pane so we can see which column we are looking at. For ease I copied the entire row for this file plus the header row to know what each column is.

Now I can easily compare.

So how this works: whenever anyone tampers with a timestamp, for example using a tool like timestomp, the tampered timestamps are written from user mode, not by the kernel. So the original timestamp info is always saved correctly at the kernel level. The $STANDARD_INFORMATION attribute's timestamps can be changed from user mode, while the $FILE_NAME attribute's timestamps are maintained by the kernel. Both sets of timestamps are stored in the $MFT.

We can immediately see that the $STANDARD_INFORMATION timestamps are from 2021 while the $FILE_NAME timestamps are from 2022, which is the day and time of the incident. So the attacker tampered with the time and set it to Christmas Day 2021 (way to ruin the holidays).

Answer : {2022-08-21 13:02:23.66 : 2021-12-25 15:34:32}
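One way to turn the comparison above into a check that runs over a whole MFT-to-CSV export, as an added example that is not part of the original writeup or of any of the tools it uses: it flags records whose $STANDARD_INFORMATION creation time is earlier than the $FILE_NAME creation time, and records whose $STANDARD_INFORMATION timestamp has an all-zero sub-second part (timestomp-style tools write whole seconds, which is why the tampered value above has no fraction while the genuine one does). The column names and the sample rows are constructed assumptions, not the exact output of the parser used in the writeup.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows in the shape of an MFT-to-CSV export. The column names
# are an assumption for this example, not the exact output of any specific parser.
SAMPLE_CSV = """path,si_created,si_modified,fn_created,fn_modified
C:\\Users\\CyberJunkie\\Desktop\\SecurityPatch.exe,2021-12-25 15:34:32.0000000,2021-12-25 15:34:32.0000000,2022-08-21 13:02:23.6600000,2022-08-21 13:02:23.6600000
C:\\Users\\CyberJunkie\\Desktop\\notes.txt,2022-08-20 09:15:44.1234567,2022-08-20 10:01:02.7654321,2022-08-20 09:15:44.1234567,2022-08-20 09:15:44.1234567
"""


def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[.fraction]' into (datetime, 7-digit fraction string)."""
    base, _, frac = value.strip().partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    frac = (frac + "0000000")[:7]  # NTFS keeps 100 ns resolution; pad/truncate to that
    return dt.replace(microsecond=int(frac[:6])), frac


def check_record(row):
    """Return the timestomp indicators for one row (empty list means nothing odd)."""
    reasons = []
    si_created, si_frac = parse_ts(row["si_created"])
    fn_created, _ = parse_ts(row["fn_created"])
    # Indicator 1: $STANDARD_INFORMATION creation earlier than $FILE_NAME creation.
    # $FILE_NAME is maintained by the kernel, so a user-mode tool cannot back-date it.
    if si_created < fn_created:
        reasons.append("SI created before FN created")
    # Indicator 2: all-zero sub-second part. Timestomp-style tools write whole
    # seconds, while NTFS normally records 100 ns precision. Heuristic only: a
    # genuine timestamp can land on an exact second, so treat it as corroboration.
    if si_frac == "0000000":
        reasons.append("SI created has zero fractional seconds")
    return reasons


def find_timestomped(csv_text):
    """Map path -> indicator list for every row with at least one indicator."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = check_record(row)
        if reasons:
            hits[row["path"]] = reasons
    return hits


if __name__ == "__main__":
    for path, why in find_timestomped(SAMPLE_CSV).items():
        print(f"{path}: {'; '.join(why)}")
```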

Q5: The attacker set up persistence by manipulating registry keys. All we know is that the GlobalFlags image file technique was used to set up persistence. When a certain process exits, the attacker's persistence executable is executed. What's the name of that process?

So a little bit of research is needed on the user's side. We can find the relevant registry info under the following path:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit

Now we will use the Registry Explorer tool from Eric Zimmerman and navigate to the above registry key.

The registry hives are located at

[root]\Windows\System32\config

If opening the hive prompts you about loading a dirty hive, just ignore it and load the hive.

We navigate to the relevant location and find an entry for explorer.exe, and inside it we see a file named GetPatch.exe.

So here's the answer for this question and the next one. Whenever explorer.exe is closed, GetPatch.exe is executed. Cool, right?

Answer : explorer.exe

Q6: What's the full path alongside the name of the executable which is set up for persistence? (FULLPATH\Filename)

Answer : C:\Users\CyberJunkie\Documents\GetPatch.exe

Q7: The attacker logged in via RDP and then performed lateral movement. The attacker accessed an internal network-connected device via RDP. What command was run in cmd after the successful RDP into the other Windows machine?

Whenever we RDP into a computer, small bitmap images are cached on the machine from which we initiated the RDP connection. These are saved in cache files under the Terminal Server Client directory. We can parse the bitmap images out of that cache file and see literal small pictures of the remote screen.

Location of the cache files:

[root]\Users\CyberJunkie\AppData\Local\Microsoft\Terminal Server Client\Cache

We can use a tool called bmc-tools from GitHub. It's a Python script, so it can also be used on Windows, but I am doing this on Linux.

I moved to the cache file location.

We create an output directory, then run the command.

Now we can visit this folder from the file explorer and we will have many small pictures. These pictures are not in order, so we will have to make sense of them, but this artifact is still crazy.

Now we can see pictures of the second Windows machine which was accessed by the attacker.

We need to find pictures of the command line, since the question asks what command was used.

We can see that the attacker typed net localgroup to enumerate the available groups, and we also see its output.

Answer : net localgroup

Q8: The attacker tried to download a tool from the user's browser on that second machine. What's the tool name? (name.ext)

Now on to the next question.

We can see pictures of the user accessing the browser, and then we see some malicious searches.

PowerView is a post-compromise enumeration script, part of the PowerSploit framework. We can find more evidence of PowerView below, but for the writeup this is just fine.

Answer : PowerView.ps1

Q9 : Attacker escalated privileges. Find out the full command line argument

Now we will analyze the event logs and will use a framework called DeepBlueCLI, which parses the EVTX logs and enriches them with detections.

I copied the relevant System and Security logs to the current directory and ran DeepBlueCLI against them.

Answer : cmd.exe /c echo kyvckn > \\.\pipe\kyvckn

Q10: What framework was used by the attacker?

We can see that it's a Metasploit-style cmd command, so Metasploit is in use.

Answer : Metasploit
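As an added example for Q9 and Q10 (not from the writeup and not DeepBlueCLI's own rule), here is the shape of the check a detection engineer would write for that command line, as a small Python classifier over process-creation command lines: Metasploit's getsystem named-pipe impersonation launches `cmd.exe /c echo <token> > \\.\pipe\<token>` with the same random token on both sides, so an echo into a named pipe is flagged, and a matching token on both sides raises the confidence. The regex and the sample command lines are my own constructed assumptions.

```python
import re

# Shape of the helper Metasploit's getsystem (named-pipe impersonation) launches:
#   cmd.exe /c echo <random> > \\.\pipe\<random>
# The same random token appears as the echoed text and as the pipe name. The
# regex is my own, written from that shape; it is not DeepBlueCLI's rule.
PIPE_ECHO = re.compile(
    r"""cmd(?:\.exe)?"?\s+/c\s+echo\s+(?P<token>\S+)\s*>\s*\\\\\.\\pipe\\(?P<pipe>[^\s"]+)""",
    re.IGNORECASE,
)

# Constructed sample process-creation command lines (not taken from the challenge).
SAMPLE_CMDLINES = [
    r"C:\Windows\System32\cmd.exe /c echo kyvckn > \\.\pipe\kyvckn",
    r"cmd.exe /c echo hello > C:\temp\out.txt",
    r"C:\Windows\system32\cmd.exe /c echo abcdef > \\.\pipe\zzzzzz",
    r'"C:\Windows\System32\cmd.exe" /c echo qwerty > \\.\pipe\qwerty',
]


def classify(cmdline):
    """Return 'high', 'medium' or None for one command line."""
    m = PIPE_ECHO.search(cmdline)
    if not m:
        return None
    if m.group("token") == m.group("pipe"):
        return "high"    # identical token on both sides: the getsystem shape
    return "medium"      # echo into any named pipe is still unusual for a user shell


def scan(cmdlines):
    """Return (cmdline, level) for every command line that is not clean."""
    hits = []
    for line in cmdlines:
        level = classify(line)
        if level:
            hits.append((line, level))
    return hits


if __name__ == "__main__":
    for line, level in scan(SAMPLE_CMDLINES):
        print(f"[{level}] {line}")
```

In a real pipeline the input would be the CommandLine field of Security 4688 (or Sysmon 1) events rather than a constructed list.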

Hope you liked this challenge


Published in System Weakness

System Weakness is a publication that specialises in publishing upcoming writers in cybersecurity and ethical hacking space. Our security experts write to make the cyber universe more secure, one vulnerability at a time.

Written by CyberJunnkie

Senior Defensive Content Engineer @HackTheBox 🖥️ 🐱‍💻 DFIR Analyst @ ProvenData
