Friday, September 1, 2023

Solving the CTF challenge - Network Forensics (packet and log analysis), USB Disk Forensics, Database Forensics, Stego

At work, we develop and run various Cyber Security challenges to help the Analyst (and the rest of the team) to rapidly build and demonstrate their skillset. This challenge was put together by one of our Managers Jean. I thought this was an interesting challenge that covered a number of areas. As a result, I thought I should take a stab at it. Here is my write up of my analysis.

Summary
On July 23, 2023 at 23:13 a report was made of suspicious activity relating to someone scanning the 10.240.240.0/24 subnet. Upon investigation, it was determined that these scans originated from the device at IP 10.240.240.5. This device is currently used by the user Newman. The scan successfully identified services for SMB, MSSQL and others. While not found via the scan, the user using Newman account was able to login to the PC at 10.240.240.4 on port 5985 which is associated with Powershell Remoting. There were also connections made from 10.240.240.4 to 10.240.240.6 on port 1433 which is associated with MSQL.

Further analysis of this activity, determined that a malicious file pretending to be Windows update, was executed on the system, resulting in a number of processes being spawned. Most of these activities were performed by the user account Jerry who is the authenticated user on Jerry-PC. 

The image below shows a synopsis of the activity.




Detailed Analysis

First start by looking at the evidence file provided.

$ md5sum challenge_data.zip 
6f620299c237236c068ef3000d086833  challenge_data.zip

Extract the files .

$ unzip challenge_data.zip -d jean_challenge/
Archive:  challenge_data.zip
  inflating: jean_challenge/endpoint_logs/10-240-240-4-events.csv  
  inflating: jean_challenge/endpoint_logs/10-240-240-4-events.evtx  
  inflating: jean_challenge/endpoint_logs/10-240-240-4-events.txt  
  inflating: jean_challenge/endpoint_logs/10-240-240-4-events.xml  
  inflating: jean_challenge/endpoint_logs/10-240-240-5-events.csv  
  inflating: jean_challenge/endpoint_logs/10-240-240-5-events.evtx  
  inflating: jean_challenge/endpoint_logs/10-240-240-5-events.txt  
  inflating: jean_challenge/endpoint_logs/10-240-240-5-events.xml  
  inflating: jean_challenge/packet_capture/packet_capture.pcap  
  inflating: jean_challenge/packet_capture/packet_capture.pcapng  
  inflating: jean_challenge/sql_logs/sql_logs.csv  
  inflating: jean_challenge/sql_logs/sql_logs.xel  
  inflating: jean_challenge/usbstick_image/usbstick.vhd  

Starting with my strengths, performing network forensics on packet_capture.pcapng using Tshark. Looking at the protocol hierarchy to see what is in the PCAP.

$ tshark -q -r packet_capture.pcapng -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:4926 bytes:1917097
  arp                                    frames:718 bytes:40020
  ip                                     frames:4208 bytes:1877077
    udp                                  frames:26 bytes:5222
      nbdgm                              frames:8 bytes:1944
        smb                              frames:8 bytes:1944
          mailslot                       frames:8 bytes:1944
            browser                      frames:8 bytes:1944
      nbns                               frames:4 bytes:582
      data                               frames:6 bytes:2052
      mdns                               frames:8 bytes:644
    tcp                                  frames:4146 bytes:1864247
      data                               frames:72 bytes:4536
      nbss                               frames:728 bytes:126126
        smb                              frames:4 bytes:888
        smb2                             frames:710 bytes:123980
          data                           frames:117 bytes:20181
      tds                                frames:144 bytes:48140
        tcp.segments                     frames:3 bytes:3716
        _ws.malformed                    frames:3 bytes:857
      dcerpc                             frames:18 bytes:5028
        oxid                             frames:4 bytes:552
        isystemactivator                 frames:2 bytes:1900
      tls                                frames:91 bytes:34985
      http                               frames:569 bytes:372420
        xml                              frames:569 bytes:372420
          tcp.segments                   frames:382 bytes:159294
    icmp                                 frames:36 bytes:7608
      data                               frames:6 bytes:2220
===================================================================

Identifying the number of unique sessions in the files.

$ tshark -q -r packet_capture.pcapng -T fields -e tcp.stream | sort | uniq --count | sort --numeric-sort --reverse | wc --lines  
300

With 300 unique sessions where to start?! Looking at the unique IPs in the file.

$ tshark -q -r packet_capture.pcapng -z conv,ip | sed '1,5d;$d' | cut --fields 1 --delimiter ' ' | sort --uniq
10.240.240.4
10.240.240.5
10.240.240.6

Looking at how these IPs were communicating

$ tshark -q -r packet_capture.pcapng -z conv,ip
================================================================================
IPv4 Conversations
Filter:<No Filter>
                                               |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                               | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.240.240.5         <-> 10.240.240.4            1381 653 kB       1795 1,071 kB     3176 1,725 kB      9.965524000       625.0360
10.240.240.4         <-> 10.240.240.6             240 43 kB         294 68 kB         534 112 kB      123.097336000       526.4997
10.240.240.5         <-> 10.240.240.6             211 15 kB         271 21 kB         482 36 kB         9.965348000        22.3932
10.240.240.4         <-> 224.0.0.251                0 0 bytes         4 296 bytes       4 296 bytes   149.549610000         0.6121
10.240.240.6         <-> 224.0.0.251                0 0 bytes         4 348 bytes       4 348 bytes   149.552598000         0.6092
10.240.240.4         <-> 10.240.240.255             0 0 bytes         3 729 bytes       3 729 bytes     9.784243000       359.6082
10.240.240.5         <-> 10.240.240.255             0 0 bytes         3 729 bytes       3 729 bytes    15.335371000       360.2213
10.240.240.6         <-> 10.240.240.255             0 0 bytes         2 486 bytes       2 486 bytes   120.685407000       479.2508
================================================================================

From above, we can see the first 3 sessions have the most frames while the last 5 has 0. 

Looking at the first IP conversation it has a time of 625 seconds. The second has 526 seconds and the 3rd 22 seconds.

Taking a look at the communication between the first two hosts. If you are wondering why the switch to tcpdump, just an accident. Nothing specific.

$ tcpdump -n -r packet_capture.pcapng 'host 10.240.240.5 and 10.240.240.4' -w 5-4.pcap

How many sessions do we have now, that have occurred between these two hosts?

$ tshark -q -r 5-4.pcap -T fields -e tcp.stream | sort | uniq --count | sort --numeric-sort --reverse | wc --lines
129

Ok, with 129 sessions, where do I start?! Asking this question again, from the conversations perspective.

$ tshark -q -r 5-4.pcap -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.240.240.4:49674         <-> 10.240.240.5:445               360 63 kB         466 67 kB         826 130 kB       76.244037000       542.9534
10.240.240.5:49704         <-> 10.240.240.4:5985              378 338 kB        390 221 kB        768 559 kB      182.473326000       429.0919
10.240.240.5:49706         <-> 10.240.240.4:5985              216 128 kB        479 418 kB        695 547 kB      182.937975000       444.0836
10.240.240.5:49705         <-> 10.240.240.4:5985              182 110 kB        402 356 kB        584 467 kB      182.860278000       428.7639
10.240.240.5:49682         <-> 10.240.240.4:135                 4 264 bytes       5 468 bytes       9 732 bytes     9.194943000         0.0060
10.240.240.5:49675         <-> 10.240.240.4:135                 3 186 bytes       5 332 bytes       8 518 bytes     3.175866000         6.0191
10.240.240.5:49676         <-> 10.240.240.4:139                 3 186 bytes       5 318 bytes       8 504 bytes     3.176094000         6.0231
10.240.240.5:49686         <-> 10.240.240.4:139                 3 186 bytes       5 468 bytes       8 654 bytes     9.198805000         0.0040
10.240.240.5:49677         <-> 10.240.240.4:445                 2 126 bytes       3 348 bytes       5 474 bytes     3.176193000         6.0172
10.240.240.5:49683         <-> 10.240.240.4:445                 2 126 bytes       3 186 bytes       5 312 bytes     9.196929000         0.0032
10.240.240.5:49689         <-> 10.240.240.4:445                 2 126 bytes       3 198 bytes       5 324 bytes     9.201052000         0.0020
10.240.240.5:49691         <-> 10.240.240.4:445                 2 126 bytes       3 268 bytes       5 394 bytes     9.203503000         0.0006
10.240.240.5:49693         <-> 10.240.240.4:445                 2 126 bytes       3 290 bytes       5 416 bytes     9.204569000         0.0006
10.240.240.5:44893         <-> 10.240.240.4:135                 1 60 bytes        2 120 bytes       3 180 bytes     1.986875000         0.0003
10.240.240.5:44893         <-> 10.240.240.4:139                 1 60 bytes        2 120 bytes       3 180 bytes     1.987486000         0.0004
10.240.240.5:44893         <-> 10.240.240.4:445                 1 60 bytes        2 120 bytes       3 180 bytes     1.989021000         0.0002
10.240.240.5:63115         <-> 10.240.240.4:135                 1 74 bytes        2 134 bytes       3 208 bytes    14.311654000         0.0004
10.240.240.5:63116         <-> 10.240.240.4:135                 1 74 bytes        2 134 bytes       3 208 bytes    14.413983000         0.0003
10.240.240.5:63117         <-> 10.240.240.4:135                 1 74 bytes        2 134 bytes       3 208 bytes    14.521630000         0.0005
10.240.240.5:63118         <-> 10.240.240.4:135                 1 74 bytes        2 130 bytes       3 204 bytes    14.627085000         0.0004
10.240.240.5:63119         <-> 10.240.240.4:135                 1 74 bytes        2 134 bytes       3 208 bytes    14.733035000         0.0006
10.240.240.5:63120         <-> 10.240.240.4:135                 1 70 bytes        2 130 bytes       3 200 bytes    14.839555000         0.0006
10.240.240.5:63127         <-> 10.240.240.4:135                 1 66 bytes        2 126 bytes       3 192 bytes    14.983360000         0.0004
10.240.240.5:44893         <-> 10.240.240.4:25                  1 60 bytes        1 60 bytes        2 120 bytes     1.985584000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:143                 1 60 bytes        1 60 bytes        2 120 bytes     1.985873000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:80                  1 60 bytes        1 60 bytes        2 120 bytes     1.986099000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:554                 1 60 bytes        1 60 bytes        2 120 bytes     1.986254000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:111                 1 60 bytes        1 60 bytes        2 120 bytes     1.987703000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5900                1 60 bytes        1 60 bytes        2 120 bytes     1.988023000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:8888                1 60 bytes        1 60 bytes        2 120 bytes     1.988265000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:1720                1 60 bytes        1 60 bytes        2 120 bytes     1.988459000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:1723                1 60 bytes        1 60 bytes        2 120 bytes     1.988511000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1025                1 60 bytes        1 60 bytes        2 120 bytes     1.988725000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:21                  1 60 bytes        1 60 bytes        2 120 bytes     1.988861000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:199                 1 60 bytes        1 60 bytes        2 120 bytes     1.989295000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:8080                1 60 bytes        1 60 bytes        2 120 bytes     1.989493000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:3389                1 60 bytes        1 60 bytes        2 120 bytes     1.989684000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:995                 1 60 bytes        1 60 bytes        2 120 bytes     1.989834000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:23                  1 60 bytes        1 60 bytes        2 120 bytes     1.989958000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:110                 1 60 bytes        1 60 bytes        2 120 bytes     1.990236000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:3306                1 60 bytes        1 60 bytes        2 120 bytes     1.990361000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:53                  1 60 bytes        1 60 bytes        2 120 bytes     1.990590000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:587                 1 60 bytes        1 60 bytes        2 120 bytes     1.990756000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:22                  1 60 bytes        1 60 bytes        2 120 bytes     1.990917000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:993                 1 60 bytes        1 60 bytes        2 120 bytes     1.991138000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:113                 1 60 bytes        1 60 bytes        2 120 bytes     1.991356000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:443                 1 60 bytes        1 60 bytes        2 120 bytes     1.991532000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:4899                1 60 bytes        1 60 bytes        2 120 bytes     1.991827000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1110                1 60 bytes        1 60 bytes        2 120 bytes     1.991970000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:179                 1 60 bytes        1 60 bytes        2 120 bytes     1.992097000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:37                  1 60 bytes        1 60 bytes        2 120 bytes     1.992311000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:2049                1 60 bytes        1 60 bytes        2 120 bytes     1.992457000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:88                  1 60 bytes        1 60 bytes        2 120 bytes     1.992611000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:8000                1 60 bytes        1 60 bytes        2 120 bytes     1.992774000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:990                 1 60 bytes        1 60 bytes        2 120 bytes     1.992920000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:119                 1 60 bytes        1 60 bytes        2 120 bytes     1.993156000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5000                1 60 bytes        1 60 bytes        2 120 bytes     1.993334000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:6646                1 60 bytes        1 60 bytes        2 120 bytes     1.993476000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1026                1 60 bytes        1 60 bytes        2 120 bytes     1.993644000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:32768               1 60 bytes        1 60 bytes        2 120 bytes     1.993823000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:49154               1 60 bytes        1 60 bytes        2 120 bytes     1.993909000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1900                1 60 bytes        1 60 bytes        2 120 bytes     1.994024000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:3128                1 60 bytes        1 60 bytes        2 120 bytes     1.994155000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5800                1 60 bytes        1 60 bytes        2 120 bytes     1.994324000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:7070                1 60 bytes        1 60 bytes        2 120 bytes     1.994457000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:544                 1 60 bytes        1 60 bytes        2 120 bytes     1.994629000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5101                1 60 bytes        1 60 bytes        2 120 bytes     1.994841000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:548                 1 60 bytes        1 60 bytes        2 120 bytes     1.994962000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1029                1 60 bytes        1 60 bytes        2 120 bytes     1.995248000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:9100                1 60 bytes        1 60 bytes        2 120 bytes     1.995410000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5432                1 60 bytes        1 60 bytes        2 120 bytes     1.995574000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:26                  1 60 bytes        1 60 bytes        2 120 bytes     1.995694000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:10000               1 60 bytes        1 60 bytes        2 120 bytes     1.995838000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:81                  1 60 bytes        1 60 bytes        2 120 bytes     1.995984000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:389                 1 60 bytes        1 60 bytes        2 120 bytes     1.996095000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:515                 1 60 bytes        1 60 bytes        2 120 bytes     1.996281000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:8009                1 60 bytes        1 60 bytes        2 120 bytes     1.996376000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:9999                1 60 bytes        1 60 bytes        2 120 bytes     1.996896000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:1755                1 60 bytes        1 60 bytes        2 120 bytes     2.015660000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:631                 1 60 bytes        1 60 bytes        2 120 bytes     2.015826000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:514                 1 60 bytes        1 60 bytes        2 120 bytes     2.015934000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5060                1 60 bytes        1 60 bytes        2 120 bytes     2.016081000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:8081                1 60 bytes        1 60 bytes        2 120 bytes     2.016204000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:2001                1 60 bytes        1 60 bytes        2 120 bytes     2.016340000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:6001                1 60 bytes        1 60 bytes        2 120 bytes     2.016520000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:9                   1 60 bytes        1 60 bytes        2 120 bytes     2.016648000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:144                 1 60 bytes        1 60 bytes        2 120 bytes     2.016830000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1433                1 60 bytes        1 60 bytes        2 120 bytes     2.017082000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:465                 1 60 bytes        1 60 bytes        2 120 bytes     2.017231000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:543                 1 60 bytes        1 60 bytes        2 120 bytes     2.017384000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:3000                1 60 bytes        1 60 bytes        2 120 bytes     2.017494000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:873                 1 60 bytes        1 60 bytes        2 120 bytes     2.017645000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:1027                1 60 bytes        1 60 bytes        2 120 bytes     2.017752000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:49155               1 60 bytes        1 60 bytes        2 120 bytes     2.017935000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:49157               1 60 bytes        1 60 bytes        2 120 bytes     2.018088000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:646                 1 60 bytes        1 60 bytes        2 120 bytes     2.018236000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:2717                1 60 bytes        1 60 bytes        2 120 bytes     2.018423000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:6000                1 60 bytes        1 60 bytes        2 120 bytes     2.018545000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5666                1 60 bytes        1 60 bytes        2 120 bytes     2.018685000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:79                  1 60 bytes        1 60 bytes        2 120 bytes     2.018788000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:13                  1 60 bytes        1 60 bytes        2 120 bytes     2.019002000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:49152               1 60 bytes        1 60 bytes        2 120 bytes     2.019137000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5190                1 60 bytes        1 60 bytes        2 120 bytes     2.019263000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:1028                1 60 bytes        1 60 bytes        2 120 bytes     2.031115000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:49153               1 60 bytes        1 60 bytes        2 120 bytes     2.031253000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:8008                1 60 bytes        1 60 bytes        2 120 bytes     2.031431000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:5051                1 60 bytes        1 60 bytes        2 120 bytes     2.031644000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:513                 1 60 bytes        1 60 bytes        2 120 bytes     2.031784000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5357                1 60 bytes        1 60 bytes        2 120 bytes     2.031926000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:444                 1 60 bytes        1 60 bytes        2 120 bytes     2.032042000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:8443                1 60 bytes        1 60 bytes        2 120 bytes     2.032208000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:7                   1 60 bytes        1 60 bytes        2 120 bytes     2.032387000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:427                 1 60 bytes        1 60 bytes        2 120 bytes     2.032541000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5009                1 60 bytes        1 60 bytes        2 120 bytes     2.032698000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:106                 1 60 bytes        1 60 bytes        2 120 bytes     2.032788000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:5631                1 60 bytes        1 60 bytes        2 120 bytes     2.033075000         0.0002
10.240.240.5:44893         <-> 10.240.240.4:2000                1 60 bytes        1 60 bytes        2 120 bytes     2.033376000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:3986                1 60 bytes        1 60 bytes        2 120 bytes     2.033584000         0.0001
10.240.240.5:44895         <-> 10.240.240.4:49156               1 60 bytes        1 60 bytes        2 120 bytes     3.114845000         0.0001
10.240.240.5:44895         <-> 10.240.240.4:2121                1 60 bytes        1 60 bytes        2 120 bytes     3.114957000         0.0000
10.240.240.5:63129         <-> 10.240.240.4:135                 1 60 bytes        1 74 bytes        2 134 bytes    15.014570000         0.0001
10.240.240.5:63130         <-> 10.240.240.4:135                 1 60 bytes        1 74 bytes        2 134 bytes    15.049537000         0.0003
10.240.240.5:63131         <-> 10.240.240.4:135                 1 60 bytes        1 74 bytes        2 134 bytes    15.086134000         0.0001
10.240.240.5:63132         <-> 10.240.240.4:7                   1 60 bytes        1 74 bytes        2 134 bytes    15.124352000         0.0003
10.240.240.5:63133         <-> 10.240.240.4:7                   1 60 bytes        1 74 bytes        2 134 bytes    15.156202000         0.0002
10.240.240.5:63134         <-> 10.240.240.4:7                   1 60 bytes        1 74 bytes        2 134 bytes    15.189820000         0.0001
10.240.240.5:44893         <-> 10.240.240.4:2121                0 0 bytes         1 60 bytes        1 60 bytes      1.996564000         0.0000
10.240.240.5:44893         <-> 10.240.240.4:49156               0 0 bytes         1 60 bytes        1 60 bytes      1.996745000         0.0000
================================================================================

If we look above, we see a number of records with frame count of 1 and byte count as 60. We can also see, this scanning activity is originating from the host at 10.240.240.5. This correlates with the findings of the logs (see log analysis section) on NEWMAN-PC (10.240.240.5) where nmap.exe was run.

From above, the sessions of immediate importance are:

10.240.240.4:49674         <-> 10.240.240.5:445               360 63 kB         466 67 kB         826 130 kB       76.244037000       542.9534
10.240.240.5:49704         <-> 10.240.240.4:5985              378 338 kB        390 221 kB        768 559 kB      182.473326000       429.0919
10.240.240.5:49706         <-> 10.240.240.4:5985              216 128 kB        479 418 kB        695 547 kB      182.937975000       444.0836
10.240.240.5:49705         <-> 10.240.240.4:5985              182 110 kB        402 356 kB        584 467 kB      182.860278000       428.7639

Starting with session 10.240.240.4:49674 <-> 10.240.240.5:445. The communication between 10.240.240.4:49674 <-> 10.240.240.5:445 started on July 23, 2023 at 19:11:18 local time.

$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)'  -t ad
  306 2023-07-23 19:11:18.591093 10.240.240.4 → 10.240.240.5 TCP 66 49674 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

For time in UTC, the activity started at 23:11 on July 23, 2023.

$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)'  -t ud | more
  306 2023-07-23 23:11:18.591093 10.240.240.4 → 10.240.240.5 TCP 66 49674 → 445 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

The username used to setup the SMB connection was Newman.

  314 2023-07-23 23:11:18.703795 10.240.240.4 → 10.240.240.5 SMB2 615 Session Setup Request, NTLMSSP_AUTH, User: .\Newman
  315 2023-07-23 23:11:18.707464 10.240.240.5 → 10.240.240.4 SMB2 159 Session Setup Response

Digging deeper into this session setup, we see Newman is logging on to JERRY-PC with username Newman. Why is Newman logging on to Jerry PC.

$ tshark -r 5-4.pcap -Y 'frame.number==314' -V | sed '1,197d;214,$d'                                           
                            Domain name: .
                                Length: 2
                                Maxlen: 2
                                Offset: 88
                            User name: Newman
                                Length: 12
                                Maxlen: 12
                                Offset: 90
                            Host name: JERRY-PC
                                Length: 16
                                Maxlen: 16
                                Offset: 102
                            Session Key: fb1a311939e9582ea96066eae0c99946
                                Length: 16
                                Maxlen: 16
                                Offset: 412

Stepping back to take a closer look into this frame.

$ tshark -r 5-4.pcap -Y 'frame.number==314' -V | sed '1,157d;174,$d' 
                                    Attribute: NetBIOS domain name: NEWMAN-PC
                                        NTLMV2 Response Item Type: NetBIOS domain name (0x0002)
                                        NTLMV2 Response Item Length: 18
                                        NetBIOS Domain Name: NEWMAN-PC
                                    Attribute: NetBIOS computer name: NEWMAN-PC
                                        NTLMV2 Response Item Type: NetBIOS computer name (0x0001)
                                        NTLMV2 Response Item Length: 18
                                        NetBIOS Computer Name: NEWMAN-PC
                                    Attribute: DNS domain name: Newman-PC
                                        NTLMV2 Response Item Type: DNS domain name (0x0004)
                                        NTLMV2 Response Item Length: 18
                                        DNS Domain Name: Newman-PC
                                    Attribute: DNS computer name: Newman-PC
                                        NTLMV2 Response Item Type: DNS computer name (0x0003)
                                        NTLMV2 Response Item Length: 18
                                        DNS Computer Name: Newman-PC

Above, we see NEWMAN-PC for the NetBios domain name, the Netbios computer name, DNS domain name  and DNS Computer name. This suggests this computer belongs  to Newman. Newman seems to be using his credentials to connect to Jerry-PC. All  of this is also confirmed via the log analysis further below.

When we look into frame 315 (the response to 314), we see that a Session Id was assigned to Newman on host JERRY-PC.
  
$ tshark -r 5-4.pcap -Y 'frame.number==315' -V | sed '1,106d;115,$d'
        Session Id: 0x0001040000000001 Acct:Newman Domain:. Host:JERRY-PC
            [Account: Newman]
            [Domain: .]
            [Host: JERRY-PC]
            [Authenticated in Frame: 314]
        Signature: f161357be0ca6801f8a6ab45a8a37943
        [Response to: 314]
        [Time from request: 0.003669000 seconds]

We then see a request to connect to the share \\10.240.240.5\Shared from 10.240.240.4. This request was successful.

  316 2023-07-23 23:11:18.726884 10.240.240.4 → 10.240.240.5 SMB2 172 Tree Connect Request Tree: \\10.240.240.5\Shared
  317 2023-07-23 23:11:18.728119 10.240.240.5 → 10.240.240.4 SMB2 138 Tree Connect Response

We then see a request to create a file named log.txt. This response seemed to have been successful

  318 2023-07-23 23:11:18.763385 10.240.240.4 → 10.240.240.5 SMB2 192 Create Request File: log.txt
  319 2023-07-23 23:11:18.764399 10.240.240.5 → 10.240.240.4 SMB2 210 Create Response File: log.txt

After creating the log.txt, we see about 1 byte is written to the file.

  320 2023-07-23 23:11:18.790806 10.240.240.4 → 10.240.240.5 SMB2 171 Write Request Len:1 Off:1000 File: log.txt
  321 2023-07-23 23:11:18.791670 10.240.240.5 → 10.240.240.4 SMB2 138 Write Response

The file is then closed.

  322 2023-07-23 23:11:18.796259 10.240.240.4 → 10.240.240.5 SMB2 146 Close Request File: log.txt
  323 2023-07-23 23:11:18.796697 10.240.240.5 → 10.240.240.4 SMB2 182 Close Response

This process of creating the file and writing 1 byte and closing continued until the session starts reporting Keep-Alive ack messages.

 1119 2023-07-23 23:12:21.454723 10.240.240.4 → 10.240.240.5 SMB2 192 Create Request File: log.txt
 1120 2023-07-23 23:12:21.455367 10.240.240.5 → 10.240.240.4 SMB2 210 Create Response File: log.txt
 1121 2023-07-23 23:12:21.456480 10.240.240.4 → 10.240.240.5 SMB2 171 Write Request Len:1 Off:1290 File: log.txt
 1122 2023-07-23 23:12:21.456752 10.240.240.5 → 10.240.240.4 SMB2 138 Write Response
 1123 2023-07-23 23:12:21.457468 10.240.240.4 → 10.240.240.5 SMB2 146 Close Request File: log.txt
 1124 2023-07-23 23:12:21.457660 10.240.240.5 → 10.240.240.4 SMB2 182 Close Response

At this point above, we see 1 byte is still written but the file is now at offset 1290.It stared off at offset 1000. This means the file should now contain atleast 1290-1000 = 290 bytes. My conclusion at this point, it seems like a keylogger was in use. I see no other reason why one byte would be written at a time.

Writing this session out to a file of it's own.

$ tshark -r 5-4.pcap -Y '(ip.addr== 10.240.240.4) && (tcp.port==49674) && (ip.addr==10.240.240.5) && (tcp.port==445)'  -w 4_49674-5_445.pcap

With the new file created, confirming the share accessed and the file created in this share.

$ tshark -n -r 4_49674-5_445.pcap -T fields -e smb2.tree -e smb2.filename | sort | uniq --count
    123 
    586 \\10.240.240.5\Shared
    117 \\10.240.240.5\Shared   log.txt

We see that there were 117 instances of the log.txt file appearance in this session. If we step back above, I stated it looks like about 290 bytes were written. However, if we look here and see 117 times this file was seen and we know 1 byte was written each time, does this mean the file actually contains 117 bytes or somewhere there? These are all things for us to validate during this investigation.

Preparing to extract the log.txt files by first making a directory named "extracted_content" then changing to that directory to store the extracted contents.

$ mkdir extracted_content && cd extracted_content

Fortunately, TShark (and Wireshark) can extract contents from protocols such as SMB.

$ tshark.exe --export-objects --help
tshark: "--export-objects" are specified as: <protocol>,<destdir>
tshark: The available export object types for the "--export-objects" option are:
     dicom
     ftp-data
     http
     imf
     smb
     tftp

Extracting the log.txt files:

$ tshark -n -r ../4_49674-5_445.pcap --export-objects smb,. -

Looks like 118 files were extracted. My gosh, why all of these discrepancies.

$ ls -l | wc --lines
118

Taking a quick look at the files.

$ ls -l *
-rw-r--r-- 1 kali kali 1265 Jul 26 10:12 '%5clog(100).txt'
-rw-r--r-- 1 kali kali 1266 Jul 26 10:12 '%5clog(101).txt'
-rw-r--r-- 1 kali kali 1267 Jul 26 10:12 '%5clog(102).txt'
-rw-r--r-- 1 kali kali 1268 Jul 26 10:12 '%5clog(103).txt'
-rw-r--r-- 1 kali kali 1279 Jul 26 10:12 '%5clog(104).txt'
-rw-r--r-- 1 kali kali 1280 Jul 26 10:12 '%5clog(105).txt'
-rw-r--r-- 1 kali kali 1281 Jul 26 10:12 '%5clog(106).txt'
-rw-r--r-- 1 kali kali 1282 Jul 26 10:12 '%5clog(107).txt'
...

Reading one of the files

$ cat "%5clog(100).txt"
c

As expected. One character at time. Now do I need to read each of these files individually to see what is in all of them. I don't intend to :-)

$ cat * | tr --complement --delete [:print:]

The above command produced an output with many characters that did not seem to make sense. However, identifying items that matters, we see

"cure Key.shift Passwmord1337an" and "weird acoming fronm you ...skql". Not sure what these mean right now. 

However, back to the packet analysis of another session.

10.240.240.5:49704   <-> 10.240.240.4:5985

Writing this session out to a file

$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49704) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49704-4_5985.pcapng

Glancing at the protocol hierarchy. This allows me to get a quick overview of what I may be able to expect in this packets.

$ tshark -n -r 5_49704-4_5985.pcapng -q -z io,phs                                                                                                                                                                                         

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:768 bytes:559854
  ip                                     frames:768 bytes:559854
    tcp                                  frames:768 bytes:559854
      http                               frames:190 bytes:79651
        xml                              frames:190 bytes:79651
          tcp.segments                   frames:187 bytes:76189
===================================================================

Looking at the date and time of this session from the local time perspective.

$ tshark -n -r 5_49704-4_5985.pcapng -t ad | more 
    1 2023-07-23 19:13:04.820382 10.240.240.5 → 10.240.240.4 TCP 66 49704 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

Looking at the time from UTC

$ tshark -n -r 5_49704-4_5985.pcapng -t ud | more   
    1 2023-07-23 23:13:04.820382 10.240.240.5 → 10.240.240.4 TCP 66 49704 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

The session with the log.txt ended around 23:12 UTC. This session is starting at 23:13 UTC. This means it started just after the other ended.

From the protocol hierarchy, we see HTTP. If there is HTTP then we should see some methods, etc., 

$ tshark -n -r 5_49704-4_5985.pcapng -t ud -T fields -e http.request.method | sort | uniq --count 
    673 
     95 POST

95 POST. Ok, let's see what is going on here. Looking at two of these POST message, we see.

$ tshark -n -r 5_49704-4_5985.pcapng -t ud -Y 'http.request.method==POST'
   10 2023-07-23 23:13:04.821860 10.240.240.5 → 10.240.240.4 HTTP/XML 664 POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1 
   19 2023-07-23 23:13:05.281275 10.240.240.5 → 10.240.240.4 HTTP/XML 721 POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1 

Expanding Frame 10, to see what else we can learn, we see "Microsoft WinRM Client" and "PS Remoting version 5.1" being used to connect from 10.240.240.5 to 10.240.240.4. If we pay close attention below, we see the base64 credentials have been decoded by TShark, hence we have the credentials "littlenewman:password" being used to connect to Windows device. 

Evidence in the log analysis shows this account littlenewman with password password was created as a result of the Win11Updates.exe file, which was executed on Jerry-PC.

$ tshark -n -r 5_49704-4_5985.pcapng -t ud -Y 'frame.number==10' -V | sed '1,96d;121,$d' 
Hypertext Transfer Protocol
    POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n]
            [POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: POST
        Request URI: /wsman?PSVersion=5.1.22621.1778
            Request URI Path: /wsman
            Request URI Query: PSVersion=5.1.22621.1778
                Request URI Query Parameter: PSVersion=5.1.22621.1778
        Request Version: HTTP/1.1
    Connection: Keep-Alive\r\n
    Content-Type: application/soap+xml;charset=UTF-8\r\n
    User-Agent: Microsoft WinRM Client\r\n
    Content-Length: 7910\r\n
        [Content length: 7910]
    Host: 10.240.240.4:5985\r\n
    Authorization: Basic bGl0dGxlbmV3bWFuOnBhc3N3b3Jk\r\n
        Credentials: littlenewman:password
    \r\n
    [Full request URI: http://10.240.240.4:5985/wsman?PSVersion=5.1.22621.1778]
    [HTTP request 1/1]
    File Data: 7910 bytes

With 7910 bytes, it is only fair that we look into this to see what is there. Looking at the data from the perspective of YAML.

$ tshark -n -r 5_49704-4_5985.pcapng -t ud -q -z follow,tcp,yaml,0 | more
peers:
  - peer: 0
    host: 10.240.240.5
    port: 49704
  - peer: 1
    host: 10.240.240.4
    port: 5985
packets:
  - packet: 4
    peer: 0
    timestamp: 1690153984.821707964
    data: !!binary |
      UE9TVCAvd3NtYW4/UFNWZXJzaW9uPTUuMS4yMjYyMS4xNzc4IEhUVFAvMS4xDQpDb25uZWN0aW9u
      OiBLZWVwLUFsaXZlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3NvYXAreG1sO2NoYXJzZXQ9
      VVRGLTgNClVzZXItQWdlbnQ6IE1pY3Jvc29mdCBXaW5STSBDbGllbnQNCkNvbnRlbnQtTGVuZ3Ro
      OiA3OTEwDQpIb3N0OiAxMC4yNDAuMjQwLjQ6NTk4NQ0KQXV0aG9yaXphdGlvbjogQmFzaWMgYkds
      MGRHeGxibVYzYldGdU9uQmhjM04zYjNKaw0KDQo=
  - packet: 5
    peer: 0
    timestamp: 1690153984.821860075
    data: !!binary |
      PHM6RW52ZWxvcGUgeG1sbnM6cz0iaHR0cDovL3d3dy53My5vcmcvMjAwMy8wNS9zb2FwLWVudmVs
      b3BlIiB4bWxuczphPSJodHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA0LzA4L2FkZHJl
      c3NpbmciIHhtbG5zOnc9Imh0dHA6Ly9zY2hlbWFzLmRtdGYub3JnL3diZW0vd3NtYW4vMS93c21h
      bi54c2QiIHhtbG5zOnA9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC5jb20vd2JlbS93c21hbi8x
      L3dzbWFuLnhzZCI+PHM6SGVhZGVyPjxhOlRvPmh0dHA6Ly8xMC4yNDAuMjQwLjQ6NTk4NS93c21h
      bj9QU1ZlcnNpb249NS4xLjIyNjIxLjE3Nzg8L2E6VG8+PHc6UmVzb3VyY2VVUkkgczptdXN0VW5k
      ZXJzdGFuZD0idHJ1ZSI+aHR0cDovL3NjaGVtYXMubWljcm9zb2Z0LmNvbS9wb3dlcnNoZWxsL01p
      Y3Jvc29mdC5Qb3dlclNoZWxsPC93OlJlc291cmNlVVJJPjxhOlJlcGx5VG8+PGE6QWRkcmVzcyBz
      Om11c3RVbmRlcnN0YW5kPSJ0cnVlIj5odHRwOi8vc2NoZW1hcy54bWxzb2FwLm9yZy93cy8yMDA0
      LzA4L2FkZHJlc3Npbmcvcm9sZS9hbm9ueW1vdXM8L2E6QWRkcmVzcz48L2E6UmVwbHlUbz48YTpB
      Y3Rpb24gczptdXN0VW5kZXJzdGFuZD0idHJ1ZSI+aHR0cDovL3NjaGVtYXMueG1sc29hcC5vcmcv
      d3MvMjAwNC8wOS90cmFuc2Zlci9DcmVhdGU8L2E6QWN0aW9uPjx3Ok1heEVudmVsb3BlU2l6ZSBz
      Om11c3RVbmRlcnN0YW5kPSJ0cnVlIj41MTIwMDA8L3c6TWF4RW52ZWxvcGVTaXplPjxhOk1lc3Nh
      Z2VJRD51dWlkOjM2QjQwNzg4LUVBM0MtNDIyRC1BOTY1LTc1NUQ2RDhCMkJDNzwvYTpNZXNzYWdl
      SUQ+PHc6TG9jYWxlIHhtbDpsYW5nPSJlbi1VUyIgczptdXN0VW5kZXJzdGFuZD0iZmFsc2UiIC8+
      PHA6RGF0YUxvY2FsZSB4bWw6bGFuZz0iZW4tVVMiIHM6bXVzdFVuZGVyc3RhbmQ9ImZhbHNlIiAv
      PjxwOlNlc3Npb25JZCBzOm11c3RVbmRlcnN0YW5kPSJmYWxzZSI+dXVpZDowN0UwMUREMC05RDA5
      LTQ0REYtQTAxNy00NERGRUQxNzlDNTA8L3A6U2Vzc2lvbklkPjxwOk9wZXJhdGlvbklEIHM6bXVz
      dFVuZGVyc3RhbmQ9ImZhbHNlIj51dWlkOkY5QzIyRTAxLTFBRkItNDNDNy04QzdCLTAxRjRENDk0
      RTYzRTwvcDpPcGVyYXRpb25JRD48cDpTZXF1ZW5jZUlkIHM6bXVzdFVuZGVyc3RhbmQ9ImZhbHNl
      Ij4xPC9wOlNlcXVlbmNlSWQ+PHc6T3B0aW9uU2V0IHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5v
      cmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiIHM6bXVzdFVuZGVyc3RhbmQ9InRydWUiPjx3Ok9w
      dGlvbiBOYW1lPSJwcm90b2NvbHZlcnNpb24iIE11c3RDb21wbHk9InRydWUiPjIuMzwvdzpPcHRp
      b24+PC93Ok9wdGlvblNldD48dzpPcGVyYXRpb25UaW1lb3V0PlBUMTgwLjAwMFM8L3c6T3BlcmF0
      aW9uVGltZW91dD48cnNwOkNvbXByZXNzaW9uVHlwZSBzOm11c3RVbmRlcnN0YW5kPSJ0cnVlIiB4
      bWxuczpyc3A9Imh0dHA6Ly9zY2hlbWFzLm1pY3Jvc29mdC4=

What we want is the data  from above. Here is how we can get that using yq.

$ tshark -n -r 5_49704-4_5985.pcapng -t ud -q -z follow,tcp,yaml,0 | \
yq -e ".packets[0].data" | cut --fields 2 --delimiter '"' | sed 's/\\n//g' | \
base64 --decode

POST /wsman?PSVersion=5.1.22621.1778 HTTP/1.1
Connection: Keep-Alive
Content-Type: application/soap+xml;charset=UTF-8
User-Agent: Microsoft WinRM Client
Content-Length: 7910
Host: 10.240.240.4:5985
Authorization: Basic bGl0dGxlbmV3bWFuOnBhc3N3b3Jk

After reviewing this session from the client perspective, nothing meaningful was found from either the client or the server side of the connection.

Trying another session as there were three WinRM sessions.

Looking at : 10.240.240.5:49706  <-> 10.240.240.4:5985             

$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49706) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49706-4_5985.pcapng

When did this session start?

$ tshark -r 5_49706-4_5985.pcapng -t ud -c 1
    1 2023-07-23 23:13:05.285031 10.240.240.5 → 10.240.240.4 TCP 66 49706 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

This session is definitely more interesting than the first. Here are the commands which were run. Below I placed comments to better understand the commands.

$ tshark -r 5_49706-4_5985.pcapng -q -z follow,tcp,ascii,0 | \
grep --perl-regexp '<rsp:Command>.*?<' --color=always --only-matching  | \
awk --field-separator='<rsp:Command>' '{ print $2 }' | tr --delete '<' | \
sed 's/&quot;//g' | sed 's/prompt//g' | sed 's/&apos;//g'

whoami
Comment: Identifies the currently logged in user

hostname
Comment: Identifies the hostname of the computing device

Set-ExecutionPolicy
Comment: I was expecting here to see the policy being set specifically, however, I don't see that here. Fortunately, this was identified in the log analysis sesction.

Import-Module
Comment: Similarly, I expected some module being imported. 

$ConnectionString = Server=10.240.240.6;User=JerrySQL;Password=SecurePassword1337;TrustServerCertificate=True
Comment: Setting up of a connection string to authenticate to the SQL Server at 10.240.240.6.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT SUSER_SNAME()
Comment: Querying the login name of the current security context. I would expect this is just confirmation of JerrySQL.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT name, SUSER_SNAME(owner_sid) AS DatabaseOwner FROM sys.databases;
Comment: List all databases and get the owner information.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Customers; SELECT name AS TableName FROM sys.tables;
Comment: Using the Seinfeld_Customers database, select the names of all tables from sys.tables

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT name AS TableName FROM sys.tables;
Comment: Using the Seinfeld_Employees database, select the names of all tables from sys.tables.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.name AS UserName, b.name AS RoleName FROM sys.database_role_members drm JOIN sys.database_principals a ON drm.member_principal_id = a.principal_id JOIN sys.database
Comment: Run a query to extract information about roles and principal_id. 

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Data;
Comment: Extract information about the fields/columns from the Data table.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT id, Name, Position from Data;
Comment: Extract information on employees ID, Name and Position from the Data table.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Payroll;
Comment: Grab information about the Payroll table  columns in the Seinfeld_Employees database.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT id, Salary from Payroll;
Comment: Select only the id, Salary fields from the Payroll table.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.Name, b.Salary FROM Data a LEFT JOIN Payroll b ON b.id = a.id;
Comment: Select information on employees name and salary from both the Data and Payroll tables.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; UPDATE Payroll SET Salary = 123456 WHERE id = 5;
Comment: Wicked, I get to set my own salary? I envy Newman. At this point, the employee salary is updated?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query USE Seinfeld_Employees; SELECT a.Name, b.Salary FROM Data a LEFT JOIN Payroll b ON b.id = a.id;
Comment: Validation that the update in salary was successful.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT name, type_desc FROM sys.server_principals WHERE type IN (S, U)
Comment: Querying the Server Principals. Looking at Microsoft's site, the server_principals type does not show "U".  S=SQL Login.
If we instead look at the database_principals, we see "S = SQL user", "U = Windows user"

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query SELECT DISTINCT grantor.name AS GrantorName, grantee.name AS GranteeName FROM sys.server_permissions perm JOIN sys.server_principals grantor ON perm.grantor_principal_id = grantor.principal_id JOIN
Comment: Query information on permissions.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL SELECT SUSER_SNAME(); REVERT;
Comment: Attempt to login as user GeorgeSQL then valididate the security context matches GeorgeSQL. Once completed, revert back to JerrySQL as the login user.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; SELECT u.name AS UserName, r.name AS RoleName FROM sys.database_role_members drm JOIN sys.database_principals u ON drm.member_principal_id = 
Comment: Using GeorgeSQL o the Seinfeld_Employees table query the username and roles

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; SELECT name as DatabaseName, SUSER_SNAME(owner_sid) AS DatabaseOwner,  is_trustworthy_on AS TRUSTWORTHY from sys.databases; REVERT;
Comment: Select database owner information that GeorgeSQL can see. Also check via the "is_trustworthy_on" attribute, if SQL Trusts the datbase and its contents.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query 
Comment: Hmmm! I can't remember seeing seeing a $Query variable defined above. Is this an attempt to hide information on the previous queries? It looks so! Or did I miss something?!

While above only shows the commands and my interpretation of the objectives. I was unable to identify any response which would be decoded to reflect the response for these commands. Actually, I find this very strange. Maybe I just needed to pay closer attention to the output. In reality the response does not really matter much to me at this time, unless I'm concerned about confirmation of exfiltration. For now I will consider me not being able to detect the response as a minor setback.

Writing the final WinRM session out to file for analysis.

10.240.240.5:49705   <-> 10.240.240.4:5985

$ tshark -n -r 5-4.pcap -Y '(ip.addr==10.240.240.5) && (tcp.port==49705) && (ip.addr==10.240.240.4) && (tcp.port==5985)' -w 5_49705-4_5985.pcapng

What time did this activity start?

$ tshark -r 5_49705-4_5985.pcapng -t ud -c 1
    1 2023-07-23 23:13:05.207334 10.240.240.5 → 10.240.240.4 TCP 66 49705 → 5985 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM

This started at 23:13:05 on July 23, 2023. What are the command which were run?

$ tshark -r 5_49705-4_5985.pcapng -q -z follow,tcp,ascii,0 | \
grep --perl-regexp '<rsp:Command>.*?<' --color=always --only-matching | \
awk --field-separator='<rsp:Command>' '{ print $2 }' | tr --delete '<' | \
sed 's/&quot;//g' | sed 's/prompt//g' | sed 's/&apos;//g'

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; SELECT IS_SRVROLEMEMBER(sysadmin) as isSysadmin; EXEC Going_Up; SELECT IS_SRVROLEMEMBER(sysadmin) as isSysadmin; USE master; REVERT;
Comment: Still using GeorgeSQL. Looking for informaton on sysadmins and ultimately connect to the "master" .
What is this "Going_Up"? Fortuntately, this was identified during the analysis of the logs from the SQL Server.
With access to the "master" database, this user now have the keys to the kingdom. Basically full access.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT name AS TableName FROM sys.tables; USE master; REVERT;
Comment: Extract the tables from Seinfeld_Customers, once again switch to "master" then revert to the original user.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Data; USE master; REVERT;
Comment: Looks like some of this information being requested is similar to what was requested in the previous session. This time using GeorgeSQL account and also switching to the "master" database.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT * from Data; USE master; REVERT;
Comment: Select all fields from the Data table

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME = Secret; USE master; REVERT;
Comment: Grabbing information on the table named secret. 
Considering I did not find information relating to the results returned so far. I'm going to assume this information was learned from what was returned by some of the previous commands. As previously, there was no attempt to access the table named "Secret". Maybe this is something only visible to those with "sysadmin" permission.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Customers; SELECT * from Secret; USE master; REVERT;
Comment: Grab all informtion from the "Secret" table. Are there passwords here?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure show advanced options, 1; RECONFIGURE; EXEC sp_configure xp_cmdshell; REVERT;
Comment: "sp_configure" is used to view or change configuration settings on the server. It looks like the attacker is looking at "advanced options" then ultimately running the "xp_cmdshell" to gain access to the Windows command prompt.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell, 1; RECONFIGURE; REVERT;
Comment: Not sure why this is run here ...

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell; REVERT;
Comment: ... and here. I take this to mean it is either testing or that was not sure what is the string to pass to the command.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC xp_cmdshell whoami; EXEC xp_cmdshell net user NewUser NewPassword /add &amp;&amp; net localgroup Administrators NewUser /add; REVERT;
Comment: We see a number of commands are run via the shell:
"whoami"
"net user NewUser NewPassword /add &amp;&amp; net localgroup Administrators NewUser /add"
Create a new user "NewUser" with password "NewPassword" and add the suer to the "Administrators" group.

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; CREATE LOGIN MailManSQL WITH PASSWORD = L4rg3j4mb4l4y4s0up!!!; REVERT;
Comment: Create a user "MailManSQL" with password "L4rg3j4mb4l4y4s0up!!!" on the database

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_addsrvrolemember MailManSQL, sysadmin; REVERT;
Comment: Add the newly created user "MailManSQL" to the "sysadmin" group

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query
Comment: Is this meant to clear any historical information in the $Query variable?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; ENABLE TRIGGER MasterOfMySQL ON ALL SERVER; REVERT;
Comment: Enable a database trigger to run on all servers.
Where was the trigger created? Did I miss this?
At this point, it looks like the trigger does nothing other than run on all servers?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query $Query
Comment: Is this meant to clear any historical information in the $Query variable?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure xp_cmdshell, 0; RECONFIGURE; REVERT;
Comment: Disable the "xp_cmdshell"

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_configure show advanced options, 0; RECONFIGURE; REVERT;
Comment: Turn off the "show advanced options"

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; USE Seinfeld_Employees; DROP PROCEDURE Going_Up; USE master; REVERT;
Comment: I asked above what is this "Going_Up"? I see now it was a stored procedure. However, I don't see any evidence of it being created previously. Maybe an oversight?

Invoke-Sqlcmd -ConnectionString $ConnectionString -Query EXECUTE AS LOGIN = GeorgeSQL; EXEC sp_dropsrvrolemember GeorgeSQL, sysadmin; REVERT;
Comment: Naughty. Removing GeorgeSQL account from the "syadmin" role.


What do we have for the communication(s) between:
10.240.240.4   <-> 10.240.240.6    

Writing this session out to a file.

$ tshark -n -r packet_capture.pcapng -Y 'ip.addr==10.240.240.4 && ip.addr==10.240.240.6' -w 4-6.pcapng

Let's look at the protocol hierarchy to see what's there. As you might have noticed, I have done this step quite a few times. It is an important step when doing packet analysis. It should be either the first or the second thing you do once you have received a PCAP.

$ tshark -n -r 4-6.pcapng -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:534 bytes:112389
  ip                                     frames:534 bytes:112389
    udp                                  frames:2 bytes:291
      nbns                               frames:2 bytes:291
    tcp                                  frames:532 bytes:112098
      tds                                frames:141 bytes:47845
        tcp.segments                     frames:3 bytes:3716
        _ws.malformed                    frames:3 bytes:857
      tls                                frames:91 bytes:34985
      dcerpc                             frames:16 bytes:4872
        oxid                             frames:4 bytes:552
        isystemactivator                 frames:2 bytes:1900
      data                               frames:64 bytes:3680
===================================================================

Looking at the TCP conversations.

$ tshark -n -r 4-6.pcapng -q -z conv,tcp
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.240.240.4:49685         <-> 10.240.240.6:1433               65 19 kB          90 18 kB         155 37 kB       107.695654000       418.8041
10.240.240.4:49678         <-> 10.240.240.6:1433               51 5,839 bytes      57 11 kB         108 16 kB        26.392676000       480.9564
10.240.240.4:49679         <-> 10.240.240.6:1433               36 2,835 bytes      38 3,416 bytes      74 6,251 bytes    26.411732000       440.0113
10.240.240.4:49675         <-> 10.240.240.6:1433               18 5,774 bytes      31 17 kB          49 23 kB        25.572951000         0.8950
10.240.240.4:49683         <-> 10.240.240.6:1433               23 3,333 bytes      22 5,642 bytes      45 8,975 bytes    27.063125000         0.1133
10.240.240.4:49682         <-> 10.240.240.6:1433               15 2,494 bytes      15 3,900 bytes      30 6,394 bytes    26.936916000         0.1164
10.240.240.4:49676         <-> 10.240.240.6:1433                8 1,566 bytes      10 2,472 bytes      18 4,038 bytes    25.934103000         1.4682
10.240.240.4:49677         <-> 10.240.240.6:1433                7 1,056 bytes       8 1,234 bytes      15 2,290 bytes    26.372522000         0.0392
10.240.240.4:49681         <-> 10.240.240.6:135                 6 604 bytes       7 1,876 bytes      13 2,480 bytes    26.480383000         0.0109
10.240.240.4:49684         <-> 10.240.240.6:135                 6 604 bytes       7 1,876 bytes      13 2,480 bytes    27.066458000         0.0026
10.240.240.4:49680         <-> 10.240.240.6:135                 4 600 bytes       8 632 bytes      12 1,232 bytes    26.475825000        38.3491
================================================================================

With 11 sessions, we will analyze these directly rather than writing out to files. 

Looking at the sessions via following the streams, while showing a lot of SQL related information, did not provide anything I found meaningful to this incident.

Here are the commands I ran as seen by my history looking at the streams from 0 to 10.

 2047  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,0 | tr --squeeze-repeats '.' | sed 's/"."//g'
 2049  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,1 | tr --squeeze-repeats '.' | sed 's/\.//g'
 2050  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,2 | tr --squeeze-repeats '.' | sed 's/\.//g'
 2052  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,3 | tr --squeeze-repeats '.' | sed 's/\.//g' | more
 2054  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,4 | tr --squeeze-repeats '.' | sed 's/\.//g' 
 2055  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,5 | tr --squeeze-repeats '.' | sed 's/\.//g' 
 2056  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,6 | tr --squeeze-repeats '.' | sed 's/\.//g' 
 2062  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,7 | tr --squeeze-repeats '.' | sed 's/\.//g' | more
 2063  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,8 | tr --squeeze-repeats '.' | sed 's/\.//g' | more
 2065  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,9 | tr --squeeze-repeats '.' | sed 's/\.//g' 
 2067  tshark -n -r 4-6.pcapng -q -z follow,tcp,ascii,10 | tr --squeeze-repeats '.' | sed 's/\.//g' | more

Looking at the 7 bytes character strings did not return anything meaningful

$ strings 4-6.pcapng --bytes=7

Considering above, I need to get the Unicode data in a more readable manner. It is better to also search for 16 bits Unicode values. Using a few of the keywords from earlier analysis shows yet still nothing meaningful. 

$ strings 4-6.pcapng --bytes=7 --encoding=l | grep --perl-regexp --ignore-case "jerry|George|Going|xp_cmd"
JerrySQL
.JerryJERRY-PC
.JerryJERRY-PC

What do we have for the communication(s) between 10.240.240.5  <-> 10.240.240.6   Writing these IPs out to a file:

$ tshark -n -r packet_capture.pcapng -Y 'ip.addr==10.240.240.5 && ip.addr==10.240.240.6' -w 5-6.pcapng

Looking at the protocol hierarchy 

$ tshark -n -r 5-6.pcapng -q -z io,phs

===================================================================
Protocol Hierarchy Statistics
Filter: 

eth                                      frames:482 bytes:36432
  ip                                     frames:482 bytes:36432
    tcp                                  frames:445 bytes:28091
      data                               frames:2 bytes:308
      nbss                               frames:9 bytes:1072
        smb                              frames:2 bytes:444
      tds                                frames:3 bytes:295
      dcerpc                             frames:1 bytes:78
    udp                                  frames:7 bytes:2001
      nbns                               frames:2 bytes:291
      data                               frames:5 bytes:1710
    icmp                                 frames:30 bytes:6340
      data                               frames:5 bytes:1850
===================================================================

Looking at the udp coversations this time around first. 

$ tshark -n -r 5-6.pcapng -q -z conv,udp
================================================================================
UDP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.240.240.5:63161         <-> 10.240.240.6:44558               0 0 bytes         5 1,710 bytes       5 1,710 bytes    12.963807000         9.2074
10.240.240.5:137           <-> 10.240.240.6:137                 1 199 bytes       1 92 bytes        2 291 bytes     3.316114000         0.0001
================================================================================

Taking a look at that first session that lasted 9.2 seconds. This is interesting because all of this traffic is going from 10.240.240.5 on source port 63161 to 10.240.240.6 on destination port 44558. 

If I did not know better I would say from below this is some type of buffer overflow as we have 5 groups of this.

===================================================================
Follow: udp,ascii
Filter: udp.stream eq 1
Node 0: 10.240.240.5:63161
Node 1: 10.240.240.6:44558
300
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
....

The thing about UDP is that there is no "RST" or "RST/ACK" to say the service is not available. 

Taking a different approach.

What are those ICMP messages about. Looking at the types and code

$ tshark -n -r 5-6.pcapng -Y 'icmp' -T fields -e icmp.type -e icmp.code -E header=y | sort | uniq --count
     10 0       0
      5 3,0     2,0
      5 3       3
      5 8       0
      5 8       9
      1 icmp.type       icmp.code

Nothing there that I would like to spend more time on.

Looking at a few of these TCP sessions

$ tshark -n -r 5-6.pcapng -q -z conv,tcp | head --lines=17                                                                                                                                                                                
================================================================================
TCP Conversations
Filter:<No Filter>
                                                           |       <-      | |       ->      | |     Total     |    Relative    |   Duration   |
                                                           | Frames  Bytes | | Frames  Bytes | | Frames  Bytes |      Start     |              |
10.240.240.5:49688         <-> 10.240.240.6:1433                4 265 bytes       6 412 bytes      10 677 bytes     7.214215000         5.0061
10.240.240.5:63129         <-> 10.240.240.6:135                 5 270 bytes       5 370 bytes      10 640 bytes    13.029264000         9.2059
10.240.240.5:63131         <-> 10.240.240.6:135                 5 270 bytes       5 370 bytes      10 640 bytes    13.100832000         9.1961
10.240.240.5:63133         <-> 10.240.240.6:7                   5 270 bytes       5 370 bytes      10 640 bytes    13.171012000         9.1910
10.240.240.5:63134         <-> 10.240.240.6:7                   5 270 bytes       5 370 bytes      10 640 bytes    13.204561000         9.1886
10.240.240.5:49684         <-> 10.240.240.6:135                 4 252 bytes       5 468 bytes       9 720 bytes     7.211647000         0.0052
10.240.240.5:49678         <-> 10.240.240.6:135                 3 174 bytes       5 332 bytes       8 506 bytes     1.190920000         6.0206
10.240.240.5:49679         <-> 10.240.240.6:139                 3 179 bytes       5 318 bytes       8 497 bytes     1.191149000         6.0226
10.240.240.5:49681         <-> 10.240.240.6:1433                3 174 bytes       5 344 bytes       8 518 bytes     1.191463000         6.0224
10.240.240.5:49687         <-> 10.240.240.6:139                 3 179 bytes       5 468 bytes       8 647 bytes     7.213755000         0.0037
10.240.240.5:49680         <-> 10.240.240.6:445                 2 120 bytes       3 348 bytes       5 468 bytes     1.191310000         6.0177
10.240.240.5:49685         <-> 10.240.240.6:445                 2 120 bytes       3 186 bytes       5 306 bytes     7.213397000         0.0024

Reviewing all 60 sessions in this file suggest there is mostly traffic related to some type of SYN scan


Log Analysis - SQL Logs

How many events to we have in this log file.

$ cat sql_logs.csv | wc --lines
45

During the packet analysis, I did not notice the procedure "Going_Up" being created. I can now see this in the log for both its creation usage and deletion at lines 21, 23 and 41 respectively.

$ cat sql_logs.csv --number | grep --ignore-case --perl-regexp 'going'
    21  "sql_batch_completed","2023-07-23 19:16:08.3418567","2023-07-23 19:16:08.3418567","0","10215","0","39","93","11","0","0","OK","CREATE PROCEDURE Going_Up  WITH EXECUTE AS OWNER  AS BEGIN      DECLARE @SQL NVARCHAR(MAX);      SET @SQL = N'     EXEC sp_addsrvrolemember ''GeorgeSQL'', ''sysadmin''';      EXEC sp_executesql @SQL;      REVERT; END; ","GeorgeSQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","GeorgeSQL","MSSQL-SR","Seinfeld_Employees","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:16:08.4291040"

Comment: This looks like a store procedure is created using the current security context of the database owner.  Looks like GeorgeSQL account is being added to the "sysadmin" group.

23  "sql_batch_completed","2023-07-23 19:16:18.3869066","2023-07-23 19:16:18.3869066","0","12751","0","29","375","3","0","10","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; EXEC Going_Up; SELECT IS_SRVROLEMEMBER('sysadmin') as isSysadmin; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:16:18.5402140"

Comment: The previously created stored procedure is being used. The Seinfeld_Employees database being selected and tests are being done to see if the account is a "syadmin"

41  "sql_batch_completed","2023-07-23 19:20:03.0824037","2023-07-23 19:20:03.0824037","0","7565","0","136","205","8","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; USE Seinfeld_Employees; DROP PROCEDURE Going_Up; USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:20:02.3085744"

Comment: The stored procedure is being destroyed.

Similarly for the triggers, I was not able initially, to find information via Packet Analysis, we now see that information here.

$ cat sql_logs.csv --number | grep --ignore-case --perl-regexp 'trigger' 

    35  "sql_batch_completed","2023-07-23 19:18:50.6740293","2023-07-23 19:18:50.6740293","15000","8819","0","88","552","6","0","1","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; DECLARE @SQL NVARCHAR(MAX); SET @SQL = N' CREATE TRIGGER MasterOfMySQL ON ALL SERVER WITH EXECUTE AS ''sa'' AFTER LOGON AS  BEGIN      IF ORIGINAL_LOGIN() = ''JerrySQL''      BEGIN          IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = ''MailManSQL'')          BEGIN              CREATE LOGIN MailManSQL WITH PASSWORD = ''L4rg3j4mb4l4y4s0up!!!'';         END      END  END;'; EXEC sp_executesql @SQL; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:18:51.7700571"

Comment: Using GeorgeSQL account create a trigger named MasterOfMySQL on all servers. This looks to be creating the MailManSQL account on the database server if it does not exist.

    36  "sql_batch_completed","2023-07-23 19:19:02.1382526","2023-07-23 19:19:02.1382526","0","975","0","0","2","0","0","0","OK","EXECUTE AS LOGIN = 'GeorgeSQL'; ENABLE TRIGGER MasterOfMySQL ON ALL SERVER; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:02.5253289"

Comment: The Trigger is being enabled

    38  "sql_batch_completed","2023-07-23 19:19:45.1361731","2023-07-23 19:19:45.1361731","0","8129","0","136","213","11","0","1","OK"," DECLARE @SqlScript NVARCHAR(MAX); SET @SqlScript = N' CREATE OR ALTER TRIGGER NoLowSalaryForYou ON Payroll AFTER UPDATE AS  BEGIN      DECLARE @Threshold DECIMAL(10, 2) = 123456;      DECLARE @ID INT = 5;      IF UPDATE(Salary)      BEGIN          UPDATE a          SET Salary = CASE WHEN b.Salary < @Threshold THEN @Threshold ELSE b.Salary END          FROM Payroll a          JOIN inserted b ON a.id = b.id         WHERE a.id = @ID;      END  END;';  EXEC sp_executesql @SqlScript;  USE master; REVERT;","JerrySQL","52","0xE004C7E8A806C94CAF88C8CFDB0F9C93","JerrySQL","MSSQL-SR","master","4000","JERRY-PC","33D27F8B-5117-4AC4-A81E-EDA8BFD9F5E3","Framework Microsoft SqlClient Data Provider","2023-07-23 19:19:44.6864483"

Comment: Looks to be creating a trigger if it does not exist but altering if it does exist. Looks like this will trigger after an UPDATE is made to the Payroll table. Looks to be setting the salary at 123456.


Log Analysis - Windows Logs

While I am not aware of its importance at this time, I do find la57setup.exe within the 10-240-240-4-events.csv log file as an interesting file based on the name. Searching my system to see if such a file is by default on Win 10:

C:\users\securitynik>ver

Microsoft Windows [Version 10.0.19044.3324]

The search did not produce any results

C:\users\securitynik>dir /S c:\la57setup.exe
 Volume in drive C has no label.
 Volume Serial Number is 728F-A8BE
File Not Found

Starting off with the device at 10.24.240.5 now recognized as "NEWMAN-PC"

Sorting the Windows logs in the Windows Event Viewer by "Date and Time", having the earlier events at the top and the more recent ones at the bottom.

Scrolling through the logs we see:

SetValue
2023-07-23 23:09:13.679
EV_RenderedValue_3.00
848
C:\Windows\system32\LogonUI.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI\LastLoggedOnUser
.\Newman
NT AUTHORITY\SYSTEM

This confirms that "Newman" last logged into the system at 23:09:13.

We are able to see below that Newman has Nmap on his system, not sure why ths is needed:

EventData 

  RuleName - 
  UtcTime 2023-07-23 23:09:57.946 
  ProcessGuid {758cb1f7-b345-64bd-8c00-000000004200} 
  ProcessId 6540 
  Image C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe 
  FileVersion 3.10.11 
  Description Python 
  Product Python 
  Company Python Software Foundation 
  OriginalFileName pythonw.exe 
  CommandLine "C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()" 
  CurrentDirectory C:\Program Files (x86)\Nmap\ 
  User NEWMAN-PC\Newman 
  LogonGuid {758cb1f7-b319-64bd-4ec6-050000000000} 
  LogonId 0x5c64e 
  TerminalSessionId 1 
  IntegrityLevel Medium 
  Hashes MD5=0B3043DC9F9DB2C90D6E116F0862B2D1,SHA256=5198F9DCE2295F913EA0C1D21F0E3C92296F3926E7C1DC87B0308EE0BFD140FE,IMPHASH=CF4CF1ED1C13C236668C924DFD14E4B4 
  ParentProcessGuid {758cb1f7-b31c-64bd-5d00-000000004200} 
  ParentProcessId 4132 
  ParentImage C:\Windows\explorer.exe 
  ParentCommandLine C:\Windows\Explorer.EXE 
  ParentUser NEWMAN-PC\Newman 

We next see that Nmap is used to scan network 10.240.240/0/24, trying to performing a version scan, while enabling OS detection. This also seems more like Zenmap is being used to call the actual nmap.exe file.

nmap.exe" -sV -T4 -O -F -oX C:\Users\Newman\AppData\Local\Temp\zenmap-cjwelvey.xml --version-light 10.240.240.0/24

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:10:05.705 
  ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} 
  ProcessId 6708 
  Image C:\Program Files (x86)\Nmap\nmap.exe 
  FileVersion 7.94 
  Description Nmap 
  Product Nmap 
  Company Insecure.Org 
  OriginalFileName nmap.exe 
  CommandLine "C:\Program Files (x86)\Nmap\nmap.exe" -sV -T4 -O -F -oX C:\Users\Newman\AppData\Local\Temp\zenmap-cjwelvey.xml --version-light 10.240.240.0/24 
  CurrentDirectory C:\Program Files (x86)\Nmap\ 
  User NEWMAN-PC\Newman 
  LogonGuid {758cb1f7-b319-64bd-4ec6-050000000000} 
  LogonId 0x5c64e 
  TerminalSessionId 1 
  IntegrityLevel Medium 
  Hashes MD5=C7796D918785956C9235CCF3490132BF,SHA256=9C5B213A5E910E49781F540F1AB975B38BEC460C3B7B8DDA04B0C415D7C5343A,IMPHASH=5AFF993A0259F16A3997F947B2EEBD27 
  ParentProcessGuid {758cb1f7-b345-64bd-8c00-000000004200} 
  ParentProcessId 6540 
  ParentImage C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe 
  ParentCommandLine "C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe" -c "from zenmapGUI.App import run;run()" 
  ParentUser NEWMAN-PC\Newman 

Here is an example of TCP connection being made to "JERRY-PC" via NMAP. While the connection below to "JERRY-PC" is to port 135, there are also connections to port 139, 445

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:10:08.559 
  ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} 
  ProcessId 6708 
  Image C:\Program Files (x86)\Nmap\nmap.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49676 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.4 
  DestinationHostname JERRY-PC 
  DestinationPort 139 
  DestinationPortName netbios-ssn 

There are also connections to the host at 10.240.240.6 on ports 135, 139, 445 and 1433

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:10:08.560 
  ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} 
  ProcessId 6708 
  Image C:\Program Files (x86)\Nmap\nmap.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49681 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.6 
  DestinationHostname - 
  DestinationPort 1433 
  DestinationPortName ms-sql-s 

Newman may not have recognized it, but because of the subnet chosing with no exclusion, he is also scanning his own machine :-)

 EventData 

  RuleName - 
  UtcTime 2023-07-23 23:10:35.832 
  ProcessGuid {758cb1f7-b34d-64bd-8e00-000000004200} 
  ProcessId 6708 
  Image C:\Program Files (x86)\Nmap\nmap.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49699 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.5 
  DestinationHostname Newman-PC 
  DestinationPort 445 
  DestinationPortName microsoft-ds 

If we had access to Newman's PC, we could corroborate this evidence by looking at the information in the registry.

- EventData 

  RuleName InvDB 
  EventType SetValue 
  UtcTime 2023-07-23 23:10:47.421 
  ProcessGuid {758cb1f7-b312-64bd-1700-000000004200} 
  ProcessId 1176 
  Image C:\Windows\System32\svchost.exe 
  TargetObject HKU\S-1-5-21-2404277346-2099594652-1884649452-1010\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe 
  Details Binary Data 
  User NT AUTHORITY\SYSTEM 

Next up, we see a connection to port 5985 on Jerry-PC from NEWMAN-PC ON PORT 49704. It is interesting than Newman knew of port 5985 as I did not see any response/evidence for these in the logs. More importantly, as we know, this is a challenge, not a real world incident. Hence this is more than likely due to prior knowledge. It could also quite be that this was learned via scanning but the evidence was just not in the log. So many possibilities.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:07.856 
  ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} 
  ProcessId 6764 
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49704 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.4 
  DestinationHostname JERRY-PC 
  DestinationPort 5985 
  DestinationPortName - 

This information is confirmed by what was identified in the PCAP file and the analysis done above. The same is true for the following two connections from source port 49705 and  49706 respectively.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:08.243 
  ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} 
  ProcessId 6764 
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49705 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.4 
  DestinationHostname JERRY-PC 
  DestinationPort 5985 
  DestinationPortName - 


- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:08.321 
  ProcessGuid {758cb1f7-b3f8-64bd-a900-000000004200} 
  ProcessId 6764 
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  User NEWMAN-PC\Newman 
  Protocol tcp 
  Initiated true 
  SourceIsIpv6 false 
  SourceIp 10.240.240.5 
  SourceHostname Newman-PC 
  SourcePort 49706 
  SourcePortName - 
  DestinationIsIpv6 false 
  DestinationIp 10.240.240.4 
  DestinationHostname JERRY-PC 
  DestinationPort 5985 
  DestinationPortName -

Transitioning to the logs for Jerry-PC at 10.240.240.4 to see exactly what was done by Newman on this system.

I thought about starting the analysis from around the time Newman connected which was at   "UtcTime 2023-07-23 23:13:07.856" from source IP 10.240.240.5 on source port 49704 to destination port 5985 on Jerry's PC. However, poking around the logs prior to that time, shows evidence of earlier problems. Let's look at some of these problems/concerns.

Looks like Jerry might have also been the source of some of his own problems. A file named "Win11updates.exe" was loaded from the drive lettered "E". This may be a network mapped drive or a USB or some other rmedia.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:07.426 
  ProcessGuid {3f0f5ad4-b38b-64bd-9900-000000003100} 
  ProcessId 1600 
  Image E:\Win11updates.exe 
  FileVersion - 
  Description - 
  Product - 
  Company - 
  OriginalFileName - 
  CommandLine "E:\Win11updates.exe"  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-795a-050000000000} 
  LogonId 0x55a79 
  TerminalSessionId 1 
  IntegrityLevel Medium 
  Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE 
  ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} 
  ParentProcessId 3440 
  ParentImage C:\Windows\explorer.exe 
  ParentCommandLine C:\Windows\Explorer.EXE 
  ParentUser JERRY-PC\Jerry 

No evidence of executables was found on the USB disk provided. So where did this "Win11updates.exe" file come from?! Did I miss something? 

Well I did, while having a conversation with Jean he told me the evidence was right there, I just missed it. This reinforces the need to pay close attention to what your logs says. Here is the actual entry I missed initially.

- EventData 

  RuleName Context,DeviceConnectedOrUpdated 
  EventType SetValue 
  UtcTime 2023-07-23 23:11:01.707 
  ProcessGuid {3f0f5ad4-b385-64bd-8a00-000000003100} 
  ProcessId 7464 
  Image C:\Windows\System32\WUDFHost.exe 
  TargetObject HKLM\System\CurrentControlSet\Enum\SWD\WPDBUSENUM\_??_USBSTOR#Disk&Ven_General&Prod_UDisk&Rev_5.00#6&1526ad36&0&_&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\FriendlyName 
  Details E:\ 
  User NT AUTHORITY\LOCAL SERVICE 

As we can see above, the USB was inserted and assigned drive letter E: This correlates with where the "Win11updates.exe" file was loaded.

Back to normal programming.

Interestingly, I see the file was loaded a second time. Notice the process ID change. Paying close attention to the integrity level, we see this second run is with higher level privileges. More like Administrator level privileges.

 EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:09.645 
  ProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} 
  ProcessId 6648 
  Image E:\Win11updates.exe 
  FileVersion - 
  Description - 
  Product - 
  Company - 
  OriginalFileName - 
  CommandLine "E:\Win11updates.exe"  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE 
  ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} 
  ParentProcessId 3440 
  ParentImage C:\Windows\explorer.exe 
  ParentCommandLine C:\Windows\Explorer.EXE 
  ParentUser JERRY-PC\Jerry 

We also see information about this "Win11Updates.exe" file is also written to the registry. Here we see one such example.

- EventData 

  RuleName InvDB-CompileTimeClaim 
  EventType SetValue 
  UtcTime 2023-07-23 23:11:09.730 
  ProcessGuid {3f0f5ad4-b311-64bd-1600-000000003100} 
  ProcessId 1132 
  Image C:\Windows\System32\svchost.exe 
  TargetObject \REGISTRY\A\{5dfb6902-580d-20f2-eee2-25aecfb2b037}\Root\InventoryApplicationFile\win11updates.exe|79834fe67b152d51\LinkDate 
  Details 07/20/2023 02:17:43 
  User NT AUTHORITY\SYSTEM 

We also see the executable leverages Windows Visual C++ Runtime.

- EventData 

  RuleName DLL 
  UtcTime 2023-07-23 23:11:09.770 
  ProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} 
  ProcessId 6648 
  Image E:\Win11updates.exe 
  TargetFilename C:\Users\Jerry\AppData\Local\Temp\_MEI66482\VCRUNTIME140.dll 
  CreationUtcTime 2023-07-23 23:11:09.770 
  User JERRY-PC\Jerry 

The Win11Updates.exe file then spawn a copy of itself

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:09.936 
  ProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ProcessId 5512 
  Image E:\Win11updates.exe 
  FileVersion - 
  Description - 
  Product - 
  Company - 
  OriginalFileName - 
  CommandLine "E:\Win11updates.exe"  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=25703C731DA76007CB83370106AA9A39,SHA256=35BB4785955B852476C63C06262F6C1079E1C850B6B2B9DE4EAC40349ED937AD,IMPHASH=0B5552DCCD9D0A834CEA55C0C8FC05BE 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9c00-000000003100} 
  ParentProcessId 6648 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

Using the spawned "Win11updates.exe" we now see Powershell is spawned, executing a command to create a new user named "LittleNewman" with password "password" on "JERRY-PC". This process is using the current credentials of "JERRY-PC\Jerry".

 EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:10.510 
  ProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100} 
  ProcessId 6236 
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows PowerShell 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName PowerShell.EXE 
  CommandLine powershell -Command "Start-Process -FilePath \"cmd.exe\" -ArgumentList \"/c net user LittleNewman password /add\" -Verb RunAs" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=0499440C4B0783266183246E384C6657,SHA256=D436E66C0D092508E4B85290815AB375695FA9013C7423A3A27FED4F1ACF90BD,IMPHASH=342A7FD0A3177AE5549A5EEE99F82271 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

As expected, the Powershell spawned the cmd.exe to execute the tasks above.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.181 
  ProcessGuid {3f0f5ad4-b38f-64bd-a000-000000003100} 
  ProcessId 7880 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine "C:\Windows\system32\cmd.exe" /c net user LittleNewman password /add  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38e-64bd-9e00-000000003100} 
  ParentProcessId 6236 
  ParentImage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  ParentCommandLine powershell -Command "Start-Process -FilePath \"cmd.exe\" -ArgumentList \"/c net user LittleNewman password /add\" -Verb RunAs" 
  ParentUser JERRY-PC\Jerry 

It also looks like the Win11Updates.exe file is running from "C:\Users\Public\Win11updates.exe". Maybe the file made a copy of itself. Maybe it was intentionally placed there. I have provided no evidence to show how it got there. I do not it is there and that is all that matters to me at this point.

- EventData 

  RuleName EXE 
  UtcTime 2023-07-23 23:11:11.229 
  ProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ProcessId 5512 
  Image E:\Win11updates.exe 
  TargetFilename C:\Users\Public\Win11updates.exe 
  CreationUtcTime 2023-07-23 23:11:11.229 
  User JERRY-PC\Jerry 

We next see the attempt to hide the file via the attrib command. This file is being hidden in the "C:/Users/Public/Win11updates.exe". 

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.251 
  ProcessGuid {3f0f5ad4-b38f-64bd-a200-000000003100} 
  ProcessId 5832 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine C:\Windows\system32\cmd.exe /c "attrib +h C:/Users/Public/Win11updates.exe" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

I'm beginning to wonder, if I am concerned about Newman, why are all these tasks so far being done by Jerry's account. Also all of these activity have been done prior to Newman connecting to the system so far. Newman's first connection to port 5985 was at "UtcTime 2023-07-23 23:13:07.856". From the Sysmon logs, Win11Updates.exe did not seem to create any network connections, to allow a remote user to access this system. Is Jerry just as much a cause for concern here as Newman? Hmmmm! Incident response is definitely not easy.

Once again, the user is being created.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.331 
  ProcessGuid {3f0f5ad4-b38f-64bd-a400-000000003100} 
  ProcessId 4416 
  Image C:\Windows\System32\net.exe 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description Net Command 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName net.exe 
  CommandLine net user LittleNewman password /add  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=BB1AE49B6B7C53499E94613761A6AC56,SHA256=AFBE51517092256504F797F6A5ABC02515A09D603E8C046AE31D7D7855568E91,IMPHASH=D45C37A5C97135204AD6E116C34946C3 
  ParentProcessGuid {3f0f5ad4-b38f-64bd-a000-000000003100} 
  ParentProcessId 7880 
  ParentImage C:\Windows\System32\cmd.exe 
  ParentCommandLine "C:\Windows\system32\cmd.exe" /c net user LittleNewman password /add  
  ParentUser JERRY-PC\Jerry 

As expected the "net.exe" command, spawns "net1.exe" to create the user:

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.354 
  ProcessGuid {3f0f5ad4-b38f-64bd-a500-000000003100} 
  ProcessId 7840 
  Image C:\Windows\System32\net1.exe 
  FileVersion 10.0.22621.674 (WinBuild.160101.0800) 
  Description Net Command 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName net1.exe 
  CommandLine C:\Windows\system32\net1 user LittleNewman password /add  
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=CBF31BACECC4B17A1FE2D65BDC53F111,SHA256=1879DB2ABFF726A5438DD1AE48F20EBED736619C27A32526D09F70AF7EADD0E5,IMPHASH=76EE66A0F294EAB08DCAEF5E64FBF02F 
  ParentProcessGuid {3f0f5ad4-b38f-64bd-a400-000000003100} 
  ParentProcessId 4416 
  ParentImage C:\Windows\System32\net.exe 
  ParentCommandLine net user LittleNewman password /add  
  ParentUser JERRY-PC\Jerry 

We then see "attrib.exe" command is being executed to hide the file 

EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.370 
  ProcessGuid {3f0f5ad4-b38f-64bd-a600-000000003100} 
  ProcessId 7860 
  Image C:\Windows\System32\attrib.exe 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description Attribute Utility 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName ATTRIB.EXE 
  CommandLine attrib +h C:/Users/Public/Win11updates.exe 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=A243BC9DB0BFB5F22E146B88BB10C58F,SHA256=0758152947F1A550E52CE8E3F9BCD988A23D36A458AD953795769B11C38FF2EA,IMPHASH=2CB38FE7D8F223D9DA50B7CBA9B95A6D 
  ParentProcessGuid {3f0f5ad4-b38f-64bd-a200-000000003100} 
  ParentProcessId 5832 
  ParentImage C:\Windows\System32\cmd.exe 
  ParentCommandLine C:\Windows\system32\cmd.exe /c "attrib +h C:/Users/Public/Win11updates.exe" 
  ParentUser JERRY-PC\Jerry 

Like any good threat actor, one or more persistence mechanisms had to be created. We see the backdoor user being created above. Now we see a scheduled task (my favourite persistence mechanism) is being created to run the "Win11updates.exe" file whenever Jerry logs on. While the target of the file is in "C:/Users/Public/Win11updates.exe", we see that the "Jerry" is still working out of the "E:\" drive. I like the choice of name for this scheduled tasks "WindowsImportant".

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.417 
  ProcessGuid {3f0f5ad4-b38f-64bd-a700-000000003100} 
  ProcessId 7732 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry"" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry

Scheduled tasks is then called as its own process as its parent being cmd.exe.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.511 
  ProcessGuid {3f0f5ad4-b38f-64bd-a900-000000003100} 
  ProcessId 7988 
  Image C:\Windows\System32\schtasks.exe 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description Task Scheduler Configuration Tool 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName schtasks.exe 
  CommandLine schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=D857FA7279E2861199583474C17A1C6C,SHA256=DDDE64F0F55751763C1BCD53DE9CDFFC0D725D45A8476464A2A0422661813004,IMPHASH=44E70F20C235C150D75F6FC8B1E29CD1 
  ParentProcessGuid {3f0f5ad4-b38f-64bd-a700-000000003100} 
  ParentProcessId 7732 
  ParentImage C:\Windows\System32\cmd.exe 
  ParentCommandLine C:\Windows\system32\cmd.exe /c "schtasks /create /tn "WindowsImportant" /tr "C:/Users/Public/Win11updates.exe" /sc ONLOGON /ru "Jerry"" 
  ParentUser JERRY-PC\Jerry 

I'm beginning to have serious concerns about Jerry. We see that Jerry is attempting to Enable PSRemoting. While PSRemoting is enabled by default on Windows server platforms, the same is not true for client versions. Hence, below, Jerry is deliberately configuring the local computer to receive Powershell remote commands. Ohh Jerry seems up to no good at this point. Or is this Jean preparing the environment for the challenge :-). It doesn't matter, we're just having fun while learning.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.560 
  ProcessGuid {3f0f5ad4-b38f-64bd-aa00-000000003100} 
  ProcessId 8028 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

We see Powershell is spawned by cmd.exe.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:11.593 
  ProcessGuid {3f0f5ad4-b38f-64bd-ac00-000000003100} 
  ProcessId 7676 
  Image C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows PowerShell 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName PowerShell.EXE 
  CommandLine powershell.exe Enable-PSRemoting -Force 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=0499440C4B0783266183246E384C6657,SHA256=D436E66C0D092508E4B85290815AB375695FA9013C7423A3A27FED4F1ACF90BD,IMPHASH=342A7FD0A3177AE5549A5EEE99F82271 
  ParentProcessGuid {3f0f5ad4-b38f-64bd-aa00-000000003100} 
  ParentProcessId 8028 
  ParentImage C:\Windows\System32\cmd.exe 
  ParentCommandLine C:\Windows\system32\cmd.exe /c "powershell.exe Enable-PSRemoting -Force" 
  ParentUser JERRY-PC\Jerry 

We see the  process WmiPRvSE.exe which is associated with WMI Management Instrumentation. I belive this is also used by PSRemoting.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:15.310 
  ProcessGuid {3f0f5ad4-b38a-64bd-9800-000000003100} 
  ProcessId 3140 
  QueryName JERRY-PC 
  QueryStatus 0 
  QueryResults ::1;::ffff:10.240.240.4; 
  Image C:\Windows\System32\wbem\WmiPrvSE.exe 
  User NT AUTHORITY\NETWORK SERVICE 

We now see the previously created user "LittleNewman" being placed inside of the "administrators" group on the local computer.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:17.201 
  ProcessGuid {3f0f5ad4-b395-64bd-ad00-000000003100} 
  ProcessId 6340 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine C:\Windows\system32\cmd.exe /c "net localgroup Administrators LittleNewman /add" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

As expected, net is called via cmd.exe.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:17.236 
  ProcessGuid {3f0f5ad4-b395-64bd-af00-000000003100} 
  ProcessId 8144 
  Image C:\Windows\System32\net.exe 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description Net Command 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName net.exe 
  CommandLine net localgroup Administrators LittleNewman /add 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=BB1AE49B6B7C53499E94613761A6AC56,SHA256=AFBE51517092256504F797F6A5ABC02515A09D603E8C046AE31D7D7855568E91,IMPHASH=D45C37A5C97135204AD6E116C34946C3 
  ParentProcessGuid {3f0f5ad4-b395-64bd-ad00-000000003100} 
  ParentProcessId 6340 
  ParentImage C:\Windows\System32\cmd.exe 
  ParentCommandLine C:\Windows\system32\cmd.exe /c "net localgroup Administrators LittleNewman /add" 
  ParentUser JERRY-PC\Jerry 

Then net1.exe is spawned by net.exe

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:17.250 
  ProcessGuid {3f0f5ad4-b395-64bd-b000-000000003100} 
  ProcessId 2480 
  Image C:\Windows\System32\net1.exe 
  FileVersion 10.0.22621.674 (WinBuild.160101.0800) 
  Description Net Command 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName net1.exe 
  CommandLine C:\Windows\system32\net1 localgroup Administrators LittleNewman /add 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=CBF31BACECC4B17A1FE2D65BDC53F111,SHA256=1879DB2ABFF726A5438DD1AE48F20EBED736619C27A32526D09F70AF7EADD0E5,IMPHASH=76EE66A0F294EAB08DCAEF5E64FBF02F 
  ParentProcessGuid {3f0f5ad4-b395-64bd-af00-000000003100} 
  ParentProcessId 8144 
  ParentImage C:\Windows\System32\net.exe 
  ParentCommandLine net localgroup Administrators LittleNewman /add 
  ParentUser JERRY-PC\Jerry 

Little Newman is also being added to the "Remote Management Users" group also.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:17.275 
  ProcessGuid {3f0f5ad4-b395-64bd-b100-000000003100} 
  ProcessId 2500 
  Image C:\Windows\System32\cmd.exe 
  FileVersion 10.0.22621.1635 (WinBuild.160101.0800) 
  Description Windows Command Processor 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName Cmd.Exe 
  CommandLine C:\Windows\system32\cmd.exe /c "net localgroup "Remote Management Users" LittleNewman /add" 
  CurrentDirectory E:\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-235a-050000000000} 
  LogonId 0x55a23 
  TerminalSessionId 1 
  IntegrityLevel High 
  Hashes MD5=5A6BE4D2519515241D0C133A26CF62C0,SHA256=423E0E810A69AACEBA0E5670E58AFF898CF0EBFFAB99CCB46EBB3464C3D2FACB,IMPHASH=D73E39DAB3C8B57AA408073D01254964 
  ParentProcessGuid {3f0f5ad4-b38d-64bd-9d00-000000003100} 
  ParentProcessId 5512 
  ParentImage E:\Win11updates.exe 
  ParentCommandLine "E:\Win11updates.exe"  
  ParentUser JERRY-PC\Jerry 

In the interest of space and time, there is no need to show cmd.exe spawns net.exe and net.exe spawns net1.exe. We should be aware of this flow by now, based on all the analysis done so far. However, if you are still interested, see the map above.

We then see a file named "ssms.exe" which seems to be associated with "Microsoft SQL Server Management Studio 19" being launched. 

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:11:44.681 
  ProcessGuid {3f0f5ad4-b3b0-64bd-b700-000000003100} 
  ProcessId 6796 
  Image C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe 
  FileVersion 19.1.56.0 
  Description SSMS 19 
  Product Microsoft SQL Server 
  Company Microsoft Corporation 
  OriginalFileName SSMS.EXE 
  CommandLine "C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe"  
  CurrentDirectory C:\Windows\system32\ 
  User JERRY-PC\Jerry 
  LogonGuid {3f0f5ad4-b317-64bd-795a-050000000000} 
  LogonId 0x55a79 
  TerminalSessionId 1 
  IntegrityLevel Medium 
  Hashes MD5=EFA9FE326FD87239CD55FC6CFA2FB031,SHA256=F838835F72F3E05768530BE21E279901715B0DB2B726813658DB804FF368D58B,IMPHASH=B28D945C37B74021F14171C4E229AB7D 
  ParentProcessGuid {3f0f5ad4-b318-64bd-4500-000000003100} 
  ParentProcessId 3440 
  ParentImage C:\Windows\explorer.exe 
  ParentCommandLine C:\Windows\Explorer.EXE 
  ParentUser JERRY-PC\Jerry 

Looks like when the tool was used, it found an SQL Server at 10.240.240.6. Remember, during the nmap scan, Newman did find port 1433 opened on 10.240.240.6. This port is typically associated with MSQL.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:12:27.268 
  ProcessGuid {3f0f5ad4-b3b0-64bd-b700-000000003100} 
  ProcessId 6796 
  QueryName MSSQL-SR 
  QueryStatus 0 
  QueryResults 10.240.240.6; 
  Image C:\Program Files (x86)\Microsoft SQL Server Management Studio 19\Common7\IDE\Ssms.exe 
  User JERRY-PC\Jerry 

We now see WinRM Host process starting up. Interestingly, the user authenticating this time is LittleNewman against Jerry PC

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:10.952 
  ProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} 
  ProcessId 4000 
  Image C:\Windows\System32\wsmprovhost.exe 
  FileVersion 10.0.22621.1485 (WinBuild.160101.0800) 
  Description Host process for WinRM plug-ins 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName wsmprovhost.exe 
  CommandLine C:\Windows\system32\wsmprovhost.exe -Embedding 
  CurrentDirectory C:\Windows\system32\ 
  User JERRY-PC\LittleNewman 
  LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} 
  LogonId 0x1bc662 
  TerminalSessionId 0 
  IntegrityLevel High 
  Hashes MD5=36DFD6343147B4172539CB023EF56485,SHA256=30C91BE613CB8BF4A882DEB2D3B77C8ABC0C41617178BA3681CFA746DFCED273,IMPHASH=35C50CC7209A454799C998CDE17C6E24 
  ParentProcessGuid {3f0f5ad4-b311-64bd-0d00-000000003100} 
  ParentProcessId 876 
  ParentImage C:\Windows\System32\svchost.exe 
  ParentCommandLine C:\Windows\system32\svchost.exe -k DcomLaunch -p 
  ParentUser NT AUTHORITY\SYSTEM 

We also see a Powershell script being executed and the target filename includes LittleNewman.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:11.047 
  ProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} 
  ProcessId 4000 
  Image C:\Windows\system32\wsmprovhost.exe 
  TargetFilename C:\Users\LittleNewman.JERRY-PC\AppData\Local\Temp\__PSScriptPolicyTest_21oycspq.d2l.ps1 
  CreationUtcTime 2023-07-23 23:13:11.047 
  User JERRY-PC\LittleNewman 

We are now beginning to see some of the evidence we saw earlier via the packet analysis. Below we see the "whoami" command was run. Notice all of this is being done using the LittleNewman account.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:16.542 
  ProcessGuid {3f0f5ad4-b40c-64bd-c300-000000003100} 
  ProcessId 1852 
  Image C:\Windows\System32\whoami.exe 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description whoami - displays logged on user information 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName whoami.exe 
  CommandLine "C:\Windows\system32\whoami.exe" 
  CurrentDirectory C:\Users\LittleNewman.JERRY-PC\Documents\ 
  User JERRY-PC\LittleNewman 
  LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} 
  LogonId 0x1bc662 
  TerminalSessionId 0 
  IntegrityLevel High 
  Hashes MD5=E0F37DB23E4F3163159A815610DF8CF2,SHA256=574BC2A2995FE2B1F732CCD39F2D99460ACE980AF29EFDF1EB0D3E888BE7D6F0,IMPHASH=62935820E434AF643547B7F5F5BD0292 
  ParentProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} 
  ParentProcessId 4000 
  ParentImage C:\Windows\System32\wsmprovhost.exe 
  ParentCommandLine C:\Windows\system32\wsmprovhost.exe -Embedding 
  ParentUser JERRY-PC\LittleNewman 

Next attempt to validate the hostname. Once again, all of this is being done via the PS Remoting.

- EventData 

  RuleName - 
  UtcTime 2023-07-23 23:13:19.898 
  ProcessGuid {3f0f5ad4-b40f-64bd-c500-000000003100} 
  ProcessId 8172 
  Image C:\Windows\System32\HOSTNAME.EXE 
  FileVersion 10.0.22621.1 (WinBuild.160101.0800) 
  Description Hostname APP 
  Product Microsoft® Windows® Operating System 
  Company Microsoft Corporation 
  OriginalFileName hostname.exe 
  CommandLine "C:\Windows\system32\HOSTNAME.EXE" 
  CurrentDirectory C:\Users\LittleNewman.JERRY-PC\Documents\ 
  User JERRY-PC\LittleNewman 
  LogonGuid {3f0f5ad4-b406-64bd-62c6-1b0000000000} 
  LogonId 0x1bc662 
  TerminalSessionId 0 
  IntegrityLevel High 
  Hashes MD5=26867C731CF949313F118FA0911789CB,SHA256=193D56937965C2EECC6556619CAC6B6CE7ADB1827D12830BFED1A7B038288613,IMPHASH=8CB84C534505B1E47EF25FA2CD9A16BB 
  ParentProcessGuid {3f0f5ad4-b406-64bd-c100-000000003100} 
  ParentProcessId 4000 
  ParentImage C:\Windows\System32\wsmprovhost.exe 
  ParentCommandLine C:\Windows\system32\wsmprovhost.exe -Embedding 
  ParentUser JERRY-PC\LittleNewman 


Transitioning to the USB Disk Analysis

Get the MD5 Hash of the USB image provided

$ md5sum usbstick.vhd 
1ecc5c7b011770d185b714f6c6d7de0a  usbstick.vhd

Make a copy of the USB image.

$ cp usbstick.vhd usbstick.vhd.ORIGINAL

Confirm that the MD5 sum of the two files are the same.

$ md5sum *
1ecc5c7b011770d185b714f6c6d7de0a  usbstick.vhd
1ecc5c7b011770d185b714f6c6d7de0a  usbstick.vhd.ORIGINAL

Get some information on the disk using the Linux file command.

$ file usbstick.vhd | fmt
usbstick.vhd: DOS/MBR boot sector MS-MBR Windows 7 english at offset 0x163
"Invalid partition table" at offset 0x17b "Error loading operating system"
at offset 0x19a "Missing operating system", disk signature 0xcac87e69;
partition 1 : ID=0x7, start-CHS (0x0,2,3), end-CHS (0x5,254,57),
startsector 128, 96256 sectors

Using exiftool to take a different look.

$ exiftool ../usbstick.vhd                                                                                                                                                                                                               
ExifTool Version Number         : 12.63
File Name                       : usbstick.vhd
Directory                       : ..
File Size                       : 52 MB
File Modification Date/Time     : 2023:07:23 19:28:58-04:00
File Access Date/Time           : 2023:07:28 09:32:04-04:00
File Inode Change Date/Time     : 2023:07:25 14:45:15-04:00
File Permissions                : -rw-r--r--
Error                           : Unknown file type

Yet another perspective

$ fdisk --list usbstick.vhd
Disk usbstick.vhd: 50 MiB, 52429312 bytes, 102401 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0xcac87e69

Device        Boot Start   End Sectors Size Id Type
usbstick.vhd1        128 96383   96256  47M  7 HPFS/NTFS/exFAT
 
Working on the usbstick.vhd file with Autopsy 4.20.0

Created a new case in Autopsy 4.20.0

Added a data source

AT first glance, we see the disk has 3 volumes of which 2 are unallocated:




Expanding volume 2 ...



Looking at the files found, we see 2 images and 3 plain text files being reported.



Looking at the SID on the $RECYCLE.BIN we see a SID: S-1-5-21-2404277346-2099594652-1884649452-1010.



Looking at the log files, we see this SID is associated with the host at 10.240.240.5 which is associated with Newman's computer and account.

$ cat 10-240-240-5-events.csv | grep "S-1-5-21-2404277346-2099594652-1884649452-1010" | head --lines=5                                                                                                                                   
TargetObject: HKU\S-1-5-21-2404277346-2099594652-1884649452-1010\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile
TargetObject: HKU\S-1-5-21-2404277346-2099594652-1884649452-1010\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files (x86)\Nmap\zenmap\bin\pythonw.exe
TargetObject: HKU\S-1-5-21-2404277346-2099594652-1884649452-1010_Classes\grvopen\shell\open\command\(Default)
TargetObject: HKU\S-1-5-21-2404277346-2099594652-1884649452-1010_Classes\grvopen\shell\open\command\(Default)
TargetObject: HKU\S-1-5-21-2404277346-2099594652-1884649452-1010_Classes\grvopen\shell\open\command\(Default)

Looking into the file $IVM18SN.txt we see "D:\mynotes.txt"

 

But where is that file. I do not see that file at first glance on the disk.

Looking at the file $RVM18SN.txt, we see what seems to be a password.



The creation of this content is attributed to Newman because of the SID.


Learning a little bit more about this file via the "Data Artifacts" tab, we see originally it seemed to have been in the "d:\mynotes.txt" file



We still have not seen the mynotes.txt file as it was found in the recycle bin which suggest it was deleted. We also know it is in the root of d:\drive as this was the letter provided. 

Looking at the root of vol2 as this is the only partition of interest at this time.

At this point, we have found the original file and can export it.



We also see "vessel.png". When this is extracted, we get:



We also see what looks like an alternate data stream via vessel.png:hidden.


Extracted the file and attempt to identify that Alternate Data Stream is being used:

C:\Users\securitynik\Documents>dir vessel.png_hidden /R
 Volume in drive C has no label.
 Volume Serial Number is 9A7A-30CD

 Directory of C:\Users\securitynik\Documents

07/29/2023  12:06 PM               398 vessel.png_hidden
               1 File(s)            398 bytes
               0 Dir(s)  46,440,538,112 bytes free

This does not seem to be using Alternate Data Stream. However, we did see it was a .RAR file from the image above. Leveraging 7zip to open this file.

When I opened the file with 7zip it asked for a password. Time to take advantage of the credentials which were found earlier "r3c0v3r1ng_d3l3t3d_d4t4_1s_fun". Hey Jean, couldn't you have chosen an easier password?! Guess you wanted to ensure no one was able to easily guess the password. Good job!



This created a file named "instructions.txt", with the following context.

"Hello ! I am glad you got my message :) So the data from that pesky Jerry and his friends is inside the image and should be 629 bytes long. Remember, every 3 bits is where it's at!"

Guess this means I have to revisit the image.


Code to recover the message

# Read the file containing the image
fp = open(file=r'c:/tmp/hidden.png', mode='rb')

# Convert the raw bytes to hex
raw_bytes = fp.read().hex(sep=' ', bytes_per_sep=1).split(' ')

# Close the file
fp.close()

# View the length of the file to ensure it is the same as the size on disk
print(len(raw_bytes))

557903

# Get a view of some of the raw bytes
raw_bytes[:10]

['89', '50', '4e', '47', '0d', '0a', '1a', '0a', '00', '00']
['89', '50', '4e', '47', '0d', '0a', '1a', '0a', '00', '00']

# Convert the raw bytes to a list of bits
int_list = [ int(byte, 16) for byte in raw_bytes ]

# Get a snapshot
print(int_list[:10])

[137, 80, 78, 71, 13, 10, 26, 10, 0, 0]


# Convert those numbers to bits
bit_list = bit_list = [ format(item, '0>8b') for item in int_list ]
print(bit_list[:10])

['10001001', '01010000', '01001110', '01000111', '00001101', '00001010', '00011010', '00001010', '00000000', '00000000']

# Condense the bit list to smash it all together
bits_condensed =  ''.join(bit_list)

# Get the first 100 bits
bits_condensed[:100]

'1000100101010000010011100100011100001101000010100001101000001010000000000000000000000000000011010100'

# Now extract every third bit
#bits_by_3 = bits_condensed[::3]
#bits_by_3
bits_at_3 = []
index = 0
for i, value in enumerate(bits_condensed):
    if index <= len(bits_condensed)-10:
        index += 3
        #print(index, bits_condensed[index-1])
        bits_at_3.append(bits_condensed[index-1])

# Get the first 100 bits
print(bits_at_3[:25])

['0', '0', '0', '1', '0', '1', '1', '0', '0', '1', '0', '0', '0', '0', '1', '0', '0', '0', '0', '0', '1', '0', '0', '0', '0']

# Condensed the bits
bits_at_3_condensed = ''.join(bits_at_3)

# Get the first 100 bits
bits_at_3_condensed[:100]

'0001011001000010000010000000001100000100000000000100000000000000000000000000000000100010000000000001'

# Get the bits expanded to recreate the bytes
bits_expanded = [ bits_at_3_condensed [i:i+8] for i in range(0, len(bits_at_3_condensed), 8) ]

# Get the first 100 bits
print(bits_expanded[:10])

['00010110', '01000010', '00001000', '00000011', '00000100', '00000000', '01000000', '00000000', '00000000', '00000000']

# Convert the bits to int values
# https://stackoverflow.com/questions/58016378/is-there-a-way-to-convert-bit-to-int
bits_to_int = [ chr(int(value, 2)) for value in bits_expanded ]

# Get the first 100 bits
print(bits_to_int[:10])

['\x16', 'B', '\x08', '\x03', '\x04', '\x00', '@', '\x00', '\x00', '\x00']

# Get the final bytes
final_bytes = bytes(' '.join(bits_to_int), encoding='utf-8')
final_bytes[:30], len(final_bytes)

(b'\x16 B \x08 \x03 \x04 \x00 @ \x00 \x00 \x00 " \x00 \x1c \x12 \xc3\x8f', 464930)

The above returned 464930 bytes. I know the note stated it is 629 bytes. So the expectation would be to extract the first 629 bytes from above. I did not go this route. 

# Convert these values to hex
final_bytes.hex(sep=' ', bytes_per_sep=1)

'16 20 42 20 08 20 03 20 04 20 00 20 40 20 00 20 00 20 00 20 ...

Above shows the bytes. 

# Write these bytes out to a file
fp = open(file=r'c:/tmp/3bits.txt', mode='wb')
fp.write(final_bytes)
fp.close()


It is sad to say but after extracting the third bit and putting every thing together, I was not able to recover the message. Time to reach out to Jean, to understand where I went wrong.

After reaching out to Jean for clarity/hint on what the ask really is, he mentioned in setting up the challenge, he focused on the pixel value. Interestingly, this is the one area that seems to have caused many folks to question their analysis. It is the one area we provided the most hints.

Changing my approach.

from PIL import Image
import numpy as np

Look at the image pixels from the perspective of Numpy matrix.

img_pixels_vals = np.array(Image.open(fp=r'c:/tmp/hidden.png'))
img_pixels_vals

array([[213, 231, 181, ..., 209, 231, 245], [209, 231, 245, ..., 245, 245, 245], [245, 245, 245, ..., 245, 245, 245], ..., [ 28, 28, 28, ..., 224, 224, 224], [ 32, 32, 32, ..., 224, 224, 224], [ 42, 42, 42, ..., 224, 224, 224]], dtype=uint8)

Get the shape of this array.

img_pixels_vals.shape

(1024, 1536)

Let's flatten the matrix above and squeeze the dimensions. Squeezing brings it down to 1 dimension. At the same time, print the length of the flatten array. 

# Let's flatten the matrix above and squeeze the dimensions
# Squeezing brings it down to 1 dimension
img_pixels_flat = img_pixels_vals.reshape(1, -1).squeeze()

# Print out the bytes and get the length of the flatten pixel
img_pixels_flat, len(img_pixels_flat)

(array([213, 231, 181, ..., 224, 224, 224], dtype=uint8), 1572864)

Get these pixel values as bits. Print the first 100 bits or 3 bytes

# Get these pixel values as bits
pixel_bits = ''.join([ format(pixel, '>08b') for pixel in img_pixels_flat ])

# Print the first 100 bits or 3 bytes
pixel_bits[:24]

'110101011110011110110101'

# Extract every 3 bits again.
pixel_bits_at_3 = []
index = 0
for i, value in enumerate(pixel_bits):
    if index <= len(pixel_bits)-10:
        index += 3
        pixel_bits_at_3.append(pixel_bits[index-1])

# Get the first 25 bits
print(pixel_bits_at_3[:16])

['0', '1', '1', '0', '1', '0', '0', '1', '0', '1', '1', '0', '0', '1', '0', '0']

# Condensed the bits once again 
pixel_at_3_condensed = ''.join(pixel_bits_at_3)

# Print the first 24
pixel_at_3_condensed[:24]

'011010010110010000100000'

# Get the bits expanded to recreate the bytes
pixel_bits_expanded = [ pixel_at_3_condensed[i:i+8] for i in range(0, len(pixel_at_3_condensed), 8) ]

# Get the first 24 bits / 3 bytes
print(pixel_bits_expanded[:3])

['01101001', '01100100', '00100000']

# Print the first 629 bytes as the hint suggested
print(''.join([ chr(int(value, 2)) for value in pixel_bits_expanded ])[:629])

id : 1 Name : Peterman Catalog Phone : 6479991234 PrimaryContact : Jacopo Peterman Email : contact@peterman.com id : 2 Name : Yankee Stadium Phone : 6478881234 PrimaryContact : George SteinBrenner Email : contact@yankees.com id : 3 Name : Vandalay Industries Phone : 6477771234 PrimaryContact : Art Vandalay Email : contact@vandalay.com id investment_amount company_secret -- ----------------- -------------- 1 150000 dogcatalog 2 320000 secondteam 3 69000 sunumbrellas


That's the end! I find this to be a very exciting challenge as it covered many areas of Incident Response.

My Jupyter Notebook for this decoding can be found on my GitHub.


References:

3 comments:

  1. Hi Nik, this looks like a great CTF challenge. Can you please were we can find it? Andre

    ReplyDelete
  2. How newman knew the creds of Jerry's SQL account?
    Extracted from packet no 2753:
    $ConnectionString = "Server=10.240.240.6;User=JerrySQL;Password=SecurePassword1337;TrustServerCertificate=True"

    ReplyDelete
  3. Hey Dorde D.
    I believe he stole it after the USB was inserted. I did not develop the challenge but this would be my initial conclusion.

    ReplyDelete