TeamCity Exploit Lab

First, let’s identify the available sourcetypes.

index="main" 
| stats count by sourcetype

Q1) After analyzing the compromised systems, you discovered that several files have been encrypted. What extension has been appended to these files, indicating the ransomware's activity?

index="main" sourcetype="wineventlog:microsoft-windows-sysmon/operational"  EventCode=11 host=JB01
| stats count by TargetFilename

Answer: .lsoc

Q2) While reviewing the infected machines, you notice a ransom note left behind by the attacker. Can you find and provide the exact name of this file?

index="main" sourcetype="wineventlog:microsoft-windows-sysmon/operational"  EventCode=11 *Desktop*
| stats count by TargetFilename

I also mounted the IT01 disk and located the attacker's note file.

• Press Win + R to open the Run dialog.

• Type diskmgmt.msc and press Enter.

• In the Disk Management window, click Action in the top menu and select Attach VHD.

• Browse to the location of your .vhd file, select it, and click OK.

The note file was located at G:\D\Users\roby\Desktop.

Answer: un-lock your files.html

Q3) What email addresses did the attacker provide for the victim to contact?

Let's open the file.

Answer: KishaOStone@proton.me:AnthonyGThomas@tutanota.com

Q4) Which CVE was exploited by the attacker to gain initial access?

Answer: CVE-2024-27198

Q5) During the investigation, it was discovered that the attacker used a TeamCity server to gain initial access. Can you identify the URL of the compromised TeamCity server?

I mounted the BJ01 disk and reviewed the TeamCity server logs.

Select-String -Path "F:\E\TeamCity\logs\teamcity-server.log" -Pattern "https://"

Answer: https://jb.cyberrange.cyberdefenders.org/

Q6) Tracing the logs from the time of the breach, what is the IP address of the attacker's machine responsible for this attack?

index="main" sourcetype="wineventlog"  host="JB01" (EventCode=4103 OR 4104) 
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by HostApplication

Let's decode the Base64-encoded PowerShell command.

This command directs the executable to connect to an external IP address (54.174.120.223) on port 8443. This could be a command-and-control (C2) server, used by the attacker for remote management of compromised systems.

Answer: 54.174.120.223

Q8) The attacker created a new account on the TeamCity server. What is the ID of this newly created account?

From the teamcity-server.log file.

Answer: 31

Q9) Before establishing a foothold on the beachhead, the attacker used specific commands to evade the system’s defenses. Based on your analysis, which MITRE ATT&CK sub-technique do these actions correspond to?

index="main" sourcetype="wineventlog"  host="JB01" (EventCode=4103 OR 4104)
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by  HostApplication

The -ExecutionPolicy ByPass flag explicitly bypasses security restrictions to execute potentially malicious code.

Answer: T1562.001

Q10) After evading defenses, the attacker added exclusion paths to avoid detection by security tools. What exclusion paths were added on the compromised machine JB01?

Load the SYSTEM and SOFTWARE hives from the JB01 host into Registry Explorer.

Q11) The attacker deployed a binary on the beachhead machine to tunnel command and control (C2) traffic, bypassing firewall restrictions. What password did they use for this tunneling connection?

From Q6.

Answer: M554-0sddsf2@34232fsl45t31

Q12) In an attempt to facilitate communication with their command-and-control server, the attacker created a custom firewall rule. Which port was configured to allow this traffic?

index="main" sourcetype="wineventlog"  host="JB01" EventCode=4103 OR 4104 
| rex field=Message "Host\s+Application\s+=\s+(?<HostApplication>[^\r\n]+)"
| stats count by HostApplication

Answer: 8080

Q13) To cover their tracks, the attacker attempted to remove a directory they created during the attack. What specific command was used to delete this directory?