DownUnderCTF

Forensic

DFIR Investigation 1

Difficulty: Medium

Statement: An attacker has installed a C2 persistence mechanism on this system.

• When is it scheduled to next execute?
• What C2 IP address is the PowerShell stager configured to connect to?

Flag format: DUCTF{hh:mm_IP} Flag example: DUCTF{15:27_10.0.0.8}

File password: Awt4Wh6dT3by0hXmfFZn

The challenge provides the dfir-investigation zip file.

After extracting the zip, I get the file triage-image.ad1.

To read the content of this file, I will use the FTK Imager tool via windows.

I will start by recovering different event logs in order to retrieve information located at the path : C:\Windows\System32\winevt\Logs

In the powershell operational event log, I will find a payload that looks suspicious:

I notice that there is a base64 encoded string in the payload, so I will decode it:

echo "aAB0AHQAcAA6AC8ALwAxADkAMgAuADEANgA4AC4AMAAuADIANwA6ADcANwA3ADcA" | base64 -d

Output :

http://192.168.0.27:7777

We have retrieved the IP, now we need to find the next execution time.

The command and control persistence mechanism uses WMI objects.

When creating or modifying a WMI object, windows updates the base files of the WMI repository in C:\windows\system32\wbem\repository

The file that will interest me in this directory is OBJECTS.DATA because it contains a lot of information about the modifications of WMI objects in clear text.

I will search for the word powershell within the file and I will get this logs followed by the encoded payload:

SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' AND TargetInstance.Hour = 12 AND TargetInstance.Minute= 38 GROUP WITHIN 60

We know that the next execution will be at 12:38.

Flag: DUCTF{12:38_192.168.0.27}