# TeamCity Exploit Lab

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FWmaPvuDDfUeRCuNGRcIn%2Fdownload.png?alt=media&#x26;token=d929871f-bbaa-4bc3-a75d-407217b2d8a1" alt=""><figcaption></figcaption></figure>

First, let’s identify the available sourcetypes.

```splunk-spl
index="main" 
| stats count by sourcetype
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FLGr5L94zZvaegt46rWvP%2FScreenshot(22).png?alt=media&#x26;token=e712ff05-b7fc-4acb-a336-86c8477c78fa" alt=""><figcaption></figcaption></figure>

Q1) After analyzing the compromised systems, you discovered that several files have been encrypted. What extension has been appended to these files, indicating the ransomware's activity?

```splunk-spl
index="main" sourcetype="wineventlog:microsoft-windows-sysmon/operational"  EventCode=11 host=JB01
| stats count by TargetFilename
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FvUfXz3tNOr2Kgq75a3Hr%2FScreenshot(1).png?alt=media&#x26;token=71fa9ed1-0bc7-4fbc-a4fd-9dd8411ec07c" alt=""><figcaption></figcaption></figure>

Answer:  .lsoc

Q2) While reviewing the infected machines, you notice a ransom note left behind by the attacker. Can you find and provide the exact name of this file?

```splunk-spl
index="main" sourcetype="wineventlog:microsoft-windows-sysmon/operational"  EventCode=11 *Desktop*
| stats count by TargetFilename
```
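As an added example (not part of the original writeup), the two Sysmon searches above can be reproduced offline in Python. The script parses constructed Event ID 11 records in the key=value form Splunk shows for the Sysmon sourcetype, works out which suffix the ransomware appended by looking for files that now carry two extensions, and then pivots on the writing process (`Image`) to find the note it dropped, which is more robust than searching for `*Desktop*` alone. The sample events, the process path `svc.exe` and the user folders are made up for this example; only the `.lsoc` extension and the note name match what the lab shows.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed Sysmon Event ID 11 (FileCreate) records in the key=value form
# that Splunk extracts from the wineventlog sourcetype. These are sample lines
# written for this example, not events from the lab dataset.
SAMPLE_EVENTS = r"""
EventCode=11 Image=C:\Users\roby\AppData\Local\Temp\svc.exe TargetFilename=C:\Users\roby\Documents\budget.xlsx.lsoc
EventCode=11 Image=C:\Users\roby\AppData\Local\Temp\svc.exe TargetFilename=C:\Users\roby\Documents\plan.docx.lsoc
EventCode=11 Image=C:\Users\roby\AppData\Local\Temp\svc.exe TargetFilename=C:\Users\roby\Pictures\holiday.jpg.lsoc
EventCode=11 Image=C:\Users\roby\AppData\Local\Temp\svc.exe TargetFilename=C:\Users\roby\Desktop\un-lock your files.html
EventCode=11 Image=C:\Windows\System32\svchost.exe TargetFilename=C:\Windows\Temp\update.log
EventCode=11 Image=C:\Program Files\Splunk\bin\splunkd.exe TargetFilename=C:\Program Files\Splunk\var\log\metrics.log
EventCode=3 Image=C:\Windows\System32\svchost.exe DestinationIp=10.0.0.5
"""

# A value runs until the next " Key=" token or the end of the line, so paths
# containing spaces (e.g. "un-lock your files.html") survive intact.
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_events(text):
    """Turn key=value lines into dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(dict(KV_RE.findall(line)))
    return events


def file_creates(events):
    """Only Sysmon Event ID 11 records that carry a TargetFilename."""
    return [e for e in events if e.get("EventCode") == "11" and "TargetFilename" in e]


def appended_extension(events):
    """Most common trailing suffix among files that now carry two suffixes.

    Ransomware usually keeps the original name ("budget.xlsx") and appends its
    own marker, so encrypted files stand out as name.orig_ext.NEW_EXT.
    """
    counts = Counter()
    for e in file_creates(events):
        suffixes = PureWindowsPath(e["TargetFilename"]).suffixes
        if len(suffixes) >= 2:
            counts[suffixes[-1].lower()] += 1
    if not counts:
        return None
    return counts.most_common(1)[0][0]


def ransom_note_candidates(events):
    """Files written by the encrypting process that lack the ransomware extension.

    The note is dropped by the same process that encrypts, so pivoting on the
    Image field finds it wherever it was written, not only on the Desktop.
    """
    ext = appended_extension(events)
    if ext is None:
        return []
    creates = file_creates(events)
    encryptors = {e["Image"] for e in creates
                  if "Image" in e and e["TargetFilename"].lower().endswith(ext)}
    return sorted(
        e["TargetFilename"] for e in creates
        if e.get("Image") in encryptors and not e["TargetFilename"].lower().endswith(ext)
    )


if __name__ == "__main__":
    evts = parse_events(SAMPLE_EVENTS)
    print("appended extension:", appended_extension(evts))
    print("ransom note candidates:", ransom_note_candidates(evts))
```

Against the constructed sample this reports `.lsoc` as the appended extension and the single HTML file on the Desktop as the note candidate; on real data, feed it the `_raw` of the Event ID 11 events exported from Splunk.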

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fv0cmCbHaxvJaNHu395hH%2FScreenshot(2).png?alt=media&#x26;token=420e3048-149e-4e7f-b94a-8bf2904f5e53" alt=""><figcaption></figcaption></figure>

I also mounted the IT01 disk and located the attacker's note file.

* Press `Win + R` to open the Run dialog.
* Type `diskmgmt.msc` and press **Enter**.
* In the Disk Management window, click **Action** in the top menu and select **Attach VHD**.
* Browse to the location of your `.vhd` file, select it, and click **OK**.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F0tyuIYkUr6dxHOBuyWCx%2FScreenshot(3).png?alt=media&#x26;token=8770a607-789a-4d6b-9f2b-69a6d4ef7f60" alt=""><figcaption></figcaption></figure>

The note file was located at `G:\D\Users\roby\Desktop`.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FCsvh7FL8eV8SjIZoCogL%2FScreenshot(4).png?alt=media&#x26;token=a147e968-e2d3-474b-9ae8-22685a4164c2" alt=""><figcaption></figcaption></figure>

Answer:  un-lock your files.html

Q3) What email addresses did the attacker provide for the victim to contact?

Let's open the file.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FEarsWvb0yrhZeB6LqLN7%2FScreenshot(5).png?alt=media&#x26;token=195ae299-9c57-4052-8226-e78c17c45f56" alt=""><figcaption></figcaption></figure>

Answer:  <KishaOStone@proton.me>:<AnthonyGThomas@tutanota.com>

Q4) Which CVE was exploited by the attacker to gain initial access?

Answer:  CVE-2024-27198

Q5) During the investigation, it was discovered that the attacker used a TeamCity server to gain initial access. Can you identify the URL of the compromised TeamCity server?

I mounted the BJ01 disk and reviewed the TeamCity server logs.

```powershell
Select-String -Path "F:\E\TeamCity\logs\teamcity-server.log" -Pattern "https://"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FuqEEwZhUWeecdevY4Io4%2FScreenshot(6).png?alt=media&#x26;token=90c2b57f-cc89-4ac2-8f31-ce0ca32338af" alt=""><figcaption></figcaption></figure>

Answer:  <https://jb.cyberrange.cyberdefenders.org/>

Q6) Tracing the logs from the time of the breach, what is the IP address of the attacker's machine responsible for this attack?

```splunk-spl
index="main" sourcetype="wineventlog" host="JB01" (EventCode=4103 OR EventCode=4104)
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by HostApplication
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fw8HnzSYHYSgCazoogM3o%2FScreenshot(2).png?alt=media&#x26;token=f0d6a0b5-75dd-4476-96d2-a3f24f3fc02c" alt=""><figcaption></figcaption></figure>

Let's decode the Base64-encoded PowerShell command.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FYNNqMP3K4toTEsA0Gm14%2FScreenshot(3).png?alt=media&#x26;token=06b80b4c-5ab9-496a-be7b-87513bc20305" alt=""><figcaption></figcaption></figure>

This command directs the executable to connect to an external IP address (54.174.120.223) on port 8443. This could be a command-and-control (C2) server, used by the attacker for remote management of compromised systems.

Answer:  54.174.120.223

Q8) The attacker created a new account on the TeamCity server. What is the ID of this newly created account?

From the teamcity-server.log file.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FotX7icyh73ATZEeYtXdr%2FScreenshot.png?alt=media&#x26;token=5dcf14c5-d600-416e-81d1-b08a5cc0ddb6" alt=""><figcaption></figcaption></figure>

Answer:  31

Q9) Before establishing a foothold on the beachhead, the attacker used specific commands to evade the system’s defenses. Based on your analysis, which MITRE ATT&CK sub-technique do these actions correspond to?

```splunk-spl
index="main" sourcetype="wineventlog" host="JB01" (EventCode=4103 OR EventCode=4104)
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by HostApplication
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FOcubOzvcsMhPuuFpy7XF%2FScreenshot(1).png?alt=media&#x26;token=ee0cf5d8-e517-41b7-8699-e1f95638fc60" alt=""><figcaption></figcaption></figure>

The `-ExecutionPolicy ByPass` flag tells PowerShell to ignore the configured execution policy, so the attacker's script runs regardless of the host's script-execution restrictions; this is Impair Defenses: Disable or Modify Tools.
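To show the decoding step from Q6 and the switch inspection from Q9 in one place, here is an added Python example (mine, not from the lab or the writeup). It applies the same `Host Application` regex as the SPL above to a constructed PowerShell 4103 `Message`, recognises the `-EncodedCommand` argument in its accepted short forms, decodes it as Base64 of UTF-16LE (decoding as UTF-8 yields gibberish, which is the usual mistake), pulls out any `IP:port` pair, and lists the defense-evasion switches present. The command line, the path `C:\Users\Public\tool.exe` and the documentation address 198.51.100.23 are constructed stand-ins, not the values from the lab.

```python
import base64
import re

# Constructed sample: a harmless command line standing in for the attacker's,
# wrapped the way PowerShell's -EncodedCommand expects (Base64 of UTF-16LE).
# 198.51.100.23 is a documentation address, not the lab's C2 address.
SAMPLE_SCRIPT = r'& "C:\Users\Public\tool.exe" --server 198.51.100.23:8443'
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed Message field laid out like a PowerShell 4103 (module logging)
# event; only the "Host Application" line matters for the extraction below.
SAMPLE_MESSAGE = (
    "CommandInvocation(Out-Default): \"Out-Default\"\r\n\r\n"
    "Context:\r\n"
    "        Severity = Informational\r\n"
    "        Host Name = ConsoleHost\r\n"
    "        Host Version = 5.1.19041.1\r\n"
    f"        Host Application = powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -EncodedCommand {SAMPLE_ENCODED}\r\n"
    "        Engine Version = 5.1.19041.1\r\n"
)

# Same pattern as the Splunk rex in the writeup.
HOST_APP_RE = re.compile(r"Host\s+Application\s+=\s+([^\r\n]+)")
# PowerShell accepts -EncodedCommand, -enc, -ec and -e; all take a Base64 blob.
ENCODED_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")

# Switches commonly combined to run a script quietly and outside policy.
EVASION_INDICATORS = [
    (re.compile(r"-ExecutionPolicy\s+Bypass", re.IGNORECASE), "execution policy bypassed"),
    (re.compile(r"-(?:NoProfile|nop)\b", re.IGNORECASE), "profile loading skipped"),
    (re.compile(r"-(?:WindowStyle\s+Hidden|w\s+hidden)\b", re.IGNORECASE), "window hidden"),
    (ENCODED_RE, "command Base64-encoded"),
]


def host_application(message):
    """Extract the Host Application line from a 4103 Message, or None."""
    m = HOST_APP_RE.search(message)
    return m.group(1).strip() if m else None


def decode_encoded_command(command_line):
    """Return the plaintext behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(command_line)
    if not m:
        return None
    try:
        raw = base64.b64decode(m.group(1), validate=True)
        return raw.decode("utf-16-le")  # not UTF-8: PowerShell encodes as UTF-16LE
    except (ValueError, UnicodeDecodeError):
        return None


def endpoints(script):
    """All IPv4:port pairs mentioned in the decoded script."""
    return [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(script)]


def evasion_indicators(command_line):
    """Labels of the evasion switches found on the command line, in table order."""
    return [label for pattern, label in EVASION_INDICATORS if pattern.search(command_line)]


def triage(message):
    """One-stop summary of a 4103 Message: command line, switches, decoded script, endpoints."""
    app = host_application(message)
    if app is None:
        return None
    script = decode_encoded_command(app)
    return {
        "host_application": app,
        "indicators": evasion_indicators(app),
        "decoded": script,
        "endpoints": endpoints(script) if script else [],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MESSAGE).items():
        print(f"{key}: {value}")
```

The decoder returns `None` rather than raising when the blob is not valid Base64 or not valid UTF-16LE, so it can be run over every 4103/4104 event in a batch without stopping on the first malformed one.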

Answer:  T1562.001

Q10) After evading defenses, the attacker added exclusion paths to avoid detection by security tools. What exclusion paths were added on the compromised machine JB01?

Load the SYSTEM and SOFTWARE hives from the JB01 host into Registry Explorer.
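Defender stores each exclusion as a registry value under the `Paths`, `Extensions` and `Processes` subkeys of `HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions`, with the value name being the excluded item, so that is the key to open in the SOFTWARE hive in Registry Explorer. When Sysmon is configured to log registry value writes, the same change also shows up live as Event ID 13 with that key in `TargetObject`. The Python below is an added example (not from the writeup) that lists exclusions from constructed Event ID 13 records; the paths and the process in the sample are placeholders, not the lab's actual values.

```python
import re
from collections import defaultdict

# Constructed Sysmon Event ID 13 (RegistryEvent: value set) records in the
# key=value form Splunk shows for the Sysmon sourcetype. Sample data for this
# example only; the excluded paths are placeholders, not the lab's values.
SAMPLE_EVENTS = r"""
EventCode=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\stage Details=DWORD (0x00000000)
EventCode=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\tmp Details=DWORD (0x00000000)
EventCode=13 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions\.exe Details=DWORD (0x00000000)
EventCode=13 Image=C:\Windows\System32\svchost.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{guid}\DhcpIPAddress Details=10.0.0.12
EventCode=12 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Public\stage
"""

# Parent key of all Defender exclusions; the value name is the excluded item.
EXCLUSION_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"
EXCLUSION_RE = re.compile(
    re.escape(EXCLUSION_ROOT) + r"\\(Paths|Extensions|Processes)\\(.+)$", re.IGNORECASE
)
CODE_RE = re.compile(r"EventCode=(\d+)")
IMAGE_RE = re.compile(r"Image=(.*?)(?=\s+TargetObject=)")
# TargetObject runs until the Details field or the end of the line.
TARGET_RE = re.compile(r"TargetObject=(.*?)(?=\s+Details=|$)")


def defender_exclusions(text):
    """Map exclusion category -> sorted list of (excluded item, image that wrote it).

    Only Event ID 13 (value set) counts; Event ID 12 (key create/delete) for the
    same path carries no value and is skipped.
    """
    found = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        code = CODE_RE.search(line)
        if not code or code.group(1) != "13":
            continue
        target = TARGET_RE.search(line)
        if not target:
            continue
        m = EXCLUSION_RE.match(target.group(1))
        if not m:
            continue
        image = IMAGE_RE.search(line)
        category = m.group(1).capitalize()
        found[category].append((m.group(2), image.group(1) if image else None))
    return {category: sorted(items) for category, items in found.items()}


if __name__ == "__main__":
    for category, items in defender_exclusions(SAMPLE_EVENTS).items():
        for item, image in items:
            print(f"{category}: {item}  (set by {image})")
```

The `Image` that wrote the value is kept alongside each exclusion because a PowerShell or `cmd.exe` process adding exclusions is itself worth flagging, whereas the same write by the Defender service or an MDM agent usually is not.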

Q11) The attacker deployed a binary on the beachhead machine to tunnel command and control (C2) traffic, bypassing firewall restrictions. What password did they use for this tunneling connection?

From Q6.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FhHlvaylEnagBXwxTEPvN%2FScreenshot(4).png?alt=media&#x26;token=ed40b47f-d2eb-4932-aeb8-67a5db1b078c" alt=""><figcaption></figcaption></figure>

Answer:  M554-0sddsf2@34232fsl45t31

Q12) In an attempt to facilitate communication with their command-and-control server, the attacker created a custom firewall rule. Which port was configured to allow this traffic?

```splunk-spl
index="main" sourcetype="wineventlog" host="JB01" (EventCode=4103 OR EventCode=4104)
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by HostApplication
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FbespAyJGFJUKbTGYuJun%2FScreenshot(5).png?alt=media&#x26;token=c35900b2-d741-46a2-8fd2-d427acc04e6a" alt=""><figcaption></figcaption></figure>

Answer:  8080

Q13) To cover their tracks, the attacker attempted to remove a directory they created during the attack. What specific command was used to delete this directory?
