Boogeyman 3
Last updated
Last updated
Due to the previous attacks of Boogeyman, Quick Logistics LLC hired a managed security service provider to handle its Security Operations Center. Little did they know, the Boogeyman was still lurking and waiting for the right moment to return.
This room may require the combined knowledge gained from the Path. We recommend going through the following rooms before attempting this challenge.
Investigation Platform
Before we proceed, deploy the attached machine by clicking the Start Machine button in the upper-right-hand corner of the task. The provided virtual machine runs an Elastic Stack (ELK), which contains the logs that will be used throughout the room.
Once the machine is up, access the Kibana console (via the AttackBox or VPN) using the credentials below.
Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.
The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.
Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.
In addition, the security team also observed a file inside the ISO payload, as shown in the image below.
Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.
Given the initial findings, you are tasked to analyse and assess the impact of the compromise.
1) What is the PID of the process that executed the initial stage 1 payload?
First, I changed the date from August 29, 2023, to August 30, 2034.
I then applied a filter to get events containing the malicious PDF attachment "ProjectFinancialSummary_Q3.pdf".
I then filtered the results to show only processes associated with mshta.exe, which provided the corresponding Process ID (PID).
Answer: 6392
2) The stage 1 payload attempted to implant a file to another location. What is the full command-line value of this execution?
Answer: C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat
3) The implanted file was eventually used and executed by the stage 1 payload. What is the full command-line value of this execution?
In context, this command is trying to register a DLL named review.dat by calling its DllRegisterServer function.
4) The stage 1 payload established a persistence mechanism. What is the name of the scheduled task created by the malicious script?
The command sets up a daily scheduled task at 6:00 AM to execute rundll32.exe with review.dat,DllRegisterServer using PowerShell.
Answer: Review
5) The execution of the implanted file inside the machine has initiated a potential C2 connection. What is the IP and port used by this connection? (format: IP:port)
Filter results to display Event Code 3 (Network Connection).
Answer: 165.232.170.151:80
6) The attacker has discovered that the current access is a local administrator. What is the name of the process used by the attacker to execute a UAC bypass?
fodhelper.exe is used by the Windows operating system to manage optional features, allowing users to enable or disable certain functionalities.
Attackers exploit fodhelper.exe because it is a trusted Microsoft binary and it automatically runs with elevated privileges without prompting for UAC when invoked from a standard user context.
Answer: fodhelper.exe
7) Having a high privilege machine access, the attacker attempted to dump the credentials inside the machine. What is the GitHub link used by the attacker to download a tool for credential dumping?
Answer: https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip
8) After successfully dumping the credentials inside the machine, the attacker used the credentials to gain access to another machine. What is the username and hash of the new credential pair? (format: username:hash)
Answer: itadmin:F84769D250EB95EB2D7D8B4A1C5613F2
9) Using the new credentials, the attacker attempted to enumerate accessible file shares. What is the name of the file accessed by the attacker from a remote share?
Answer: IT_Automation.ps1
10) What is the hostname of the attacker's target machine for its lateral movement attempt?
Answer: WKSTN-1327
11) Using the malicious command executed by the attacker from the first machine to move laterally, what is the parent process name of the malicious command executed on the second compromised machine?
12) The attacker then dumped the hashes in this second machine. What is the username and hash of the newly dumped credentials? (format: username:hash)
I filtered by the target hostname where the attacker dumped the hashes.
Answer: administrator:00f80f2538dcb54e7adc715c0e7091ec
13) After gaining access to the domain controller, the attacker attempted to dump the hashes via a DCSync attack. Aside from the administrator account, what account did the attacker dump?
Answer: backupda
14) After dumping the hashes, the attacker attempted to download another remote file to execute ransomware. What is the link used by the attacker to download the ransomware binary?
The attacker is now on the domain controller, so let's filter by the DC01 hostname.
Answer: http://ff.sillytechninja.io/ransomboogey.exe
