HomeLabs

In today’s exercise, we’re tasked with investigating an incident related to two previous investigations from last week. Threat Intel has reported that the same actor has targeted our network again. This time, the actor has added additional layers of obfuscation, including the use of compromised infrastructure, HTTPS, and password-protecting ZIP files. 🧩 Scenario Overview We received an alert for a suspicious IP address, but there was no additional context or information related to the alert. In this investigation, we will: Step 1: Confirm the Time Frame of the PCAP Our first step is to confirm that the PCAP file we received corresponds to the correct time frame. To do this, we’ll use the capinfos command, which will provide us with detailed metadata about the PCAP file, including the start and end times of the capture. Run the following command on the PCAP file: capinfos <path_to_pcap_file> The output of this command will give us several important details, including: We need to confirm that the start time and end time match the reported suspicious activity timeline. If they match, we can proceed to analyze the content of the PCAP for any signs of malicious activity. If the times don’t match, we may need to investigate further or request additional data from the SOC team. 🖥️ Step 2: OSINT Research on IP Address Once we’ve confirmed the correct time frame, our next task is to investigate the IP address (185.199.109.133) using OSINT. This research helps us understand the reputation of the IP and whether it is associated with any known malicious activity. To begin, we can use services like Whois, VirusTotal, and AbuseIPDB to gather more context on the IP. Run the following query on VirusTotal to see if this IP has been flagged: https://www.virustotal.com/gui/search/185.199.109.133 You may find information about the IP’s associations with malicious activity such as: If the IP is flagged, it adds more context to our investigation. If not, we will need to analyze the PCAP file more closely for other signs of malicious behavior. Nothing overly malicious; however, it is known that threat actors host malware on file sharing sites, including GitHub. 🦈Step 3: Analyze the PCAP Using Wireshark Now that we’ve confirmed the time frame and researched the IP, we’ll move on to the PCAP analysis using Wireshark. Wireshark is a powerful tool that allows us to capture and analyze network traffic in great detail. Filter for the Suspicious IP Address: The first step is to filter the traffic to focus on the suspicious IP. In Wireshark, use the following filter to display only packets from or to 185.199.109.133: ip.addr == 185.199.109.133 This filter will show all traffic involving this IP address. Look for the following types of activity: Once we’ve identified any suspicious packets, we can drill down into their details to further analyze the activity. We then look for other suspicious IP addresses and protocols on WireShark. If FTP is being used, we can extract the file being transferred from the PCAP by: Extract the file exfilled by filtering the pcap by “ftp-data”. After we follow the TCP Stream. The “PK” identifies the file as being a zip file. We then select the show data as “raw” and save the file as “transferredfile.zip” 🔓 Step 4: Cracking Password-Protected Zip Files Let’s try to unzip the file from the command line. unzip transferredfile.zip The file is password protected. Now let’s see if we can crack the password using zip2John and John. After we will use John to crack the hashfile.txt created above. I first use this command to crack the file password: john –wordlist=/usr/share/wordlists/rockyou.txt hashfile.txt Next, we will use this command to show the password: john –show hashfile.txt The password has been successfully cracked and it’s called “batman” Then we use the cracked password “batman” to unzip the file and observe the contents. Use this command to unzip using the password: unzip -P batman transferredfile.zip What are those files? Let’s navigate to the “gamedata” directory and run the file command against the file named “History” cd gamedata cd History As seen above, “History” is a SQLite database. Browser data on chromium browsers, such as Chrome and Edge, is stored as SQLite databases. This includes the browser history. Using sqlite3 list the tables in the database by using this command: sqlite3 History “.tables” Then we can type the sqlite3 command below to dump the urls table to a csv file: sqlite3 -header -csv History “SELECT * FROM urls;” > urls.csv After we can type the command below to read the first 25 lines of the urls table. cat urls.csv | head -25 This confirms that the “History” file is browser history. Opening the systeminfo.txt file confirms it is the result of the systeminfo command ran on the victim system. cat systeminfo.txt 📊 Step 5: Endpoint Analysis Using Splunk In addition to network traffic analysis, it’s important to correlate the findings with endpoint data. In this case, we’ll use Splunk to analyze Sysmon logs for any endpoint activity related to the suspicious IP address. After conducting PCAP analysis, we can use the information discovered to pivot through event logs using Splunk. Pivot on the date/time of the connection to the suspicious IP address discovered from the PCAP. We can use “UtcTime” field for the accurate time of activity. An easy way to view the events for the specific UTCTime is to do a table using the following SPL. source=”15Jan_2024_Exercise_Splunkdata.csv” sourcetype=”csv”| table _time, UtcTime, EventCode, event_description, file_path,TargetImage,ParentCommandLine, Message As seen below, several interesting events jump out. We can now pivot back to Wireshark at the time that itunes.ps1 was created 23:30:05.650 and see that was the same time there was a connection to githubusercontent.com. We can also cross reference the time of creation for gamedata.zip (23:30:19.324) and the beginning of the FTP session less than one second later. To look closer at the registry entries add EventCode 13 to the query. source=”15Jan_2024_Exercise_Splunkdata.csv” sourcetype=”csv” EventCode=13| table _time, UtcTime, EventCode, event_description, file_path,TargetImage,ParentCommandLine, Message We see 7zip running (which zipped the gamedata

In this incident response exercise, we’re tasked with investigating a suspicious alert triggered by a connection to a potentially malicious IP address: 146.185.170.222. The investigation involves analyzing a PCAP file using Wireshark and utilizing Splunk for endpoint analysis to uncover the nature of the threat. Whether you’re learning incident response or exploring cybersecurity analysis, this breakdown aims to provide insight into the investigative process behind such alerts. 🧩 Scenario OverviewThe alert originated from the SOC shift lead, who assigned the task of investigating an alert for a malicious IP address (146.185.170.222). The provided PCAP file contains the activity in question. Our objectives for this exercise are: 1: Confirming the PCAP Time Frame Using the capinfos tool, we verify the time frame of the PCAP file to ensure it aligns with the alert’s timestamp. This command provides metadata about the PCAP file, including the start and end times of the capture. 2: OSINT Research on IP Address 146.185.170.222 To better understand the nature of this IP, we performed open-source intelligence (OSINT) research using platforms like VirusTotal. Question 1. Is there published OSINT on the IP address? Yes Question 2. If so, what? The results were alarming — the IP has been associated with several high-profile malware families, including: These are well-known banking trojans and loaders often used in financially motivated cyberattacks and ransomware campaigns. Specifically, VirusTotal reported connections to: This strongly indicates that 146.185.170.222 is part of a known malicious infrastructure, and any communication with it should be treated as a serious threat. 3: Analyzing the PCAP with Wireshark Opening the PCAP file in Wireshark, we filter traffic related to the IP address: 146.185.170.222 Question 3. Was there a successful connection to the suspicious IP address? Yes Question 4. Was malware downloaded? Yes Question 5. If so, what is the name of the malicious file? Exfil.ps1 and Keylogger.ps1 What is the SHA256 Hashes of the files? Question 6. What does the malware do? Steals and exfils browser history, system information, and keylogger information’s. Question 7. Was there any information stolen? Yes Question 8. If so, how was information exfiltrated? FTP 4: Utilize Splunk for Endpoint Analysis Question 9. What was the file that caused the connection to the malicious IP address? Invoice.ps1 By pivoting off of evidence found in the PCAP — particularly a file named Exfil.ps1 — we crafted a simple SPL query in Splunk to trace back the activity: Question 10. What is the persistence mechanism for Exfil? Registry Run key. Using the same SPL as previously used, we can see Exfil.ps1 being written to the CurrentVersion\Run key. Question 11. What is the persistence mechanism for Keylogger? Registry Run Key. Question 12. How is data exfilled? Zipped and exfilled via FTP. We see the file being exfilled in the pcap. Pivoting from Exfil.zip discovered in the pcap, we see the file creation, with the following SPL: Additionally, we see the code for Exfil.ps1 from the pcap and see that it is writing the system info and the browser history to the directory \Windows\Temp\Exfil folder. Then we see it zipping the directory. Attack Overview: The downloader (Invoice.ps1) downloads two malicious PowerShell files, Exfil.ps1 and Keylogger.ps1. The Exfil file steals browser history, system information, and keylogger results and zips them up in a file and uses FTP to exfil the file. Keylogger installs a keylogger that writes the results to a .txt file. The downloader establishes persistence by writing to the Run key to start Keylogger.ps1 and Exfil.ps1 each time the user logs in to the system. The downloader PowerShell is shown below. The code for Exfil.ps1 is shown below.

🔍 Introduction In this incident response exercise, we are tasked with investigating a suspicious alert triggered by a connection to an IP address flagged as potentially malicious: 100.38.242.113. The investigation involves analyzing a PCAP file using Wireshark and utilizing Splunk for endpoint analysis to uncover what happened during the attack. Whether you’re learning incident response or exploring cybersecurity analysis, I hope this breakdown helps you understand the investigative mindset behind alerts like these. 🧩 Scenario OverviewThe alert came from the SOC team for a connection to a known malicious IP address: 100.38.242.113. The goal of this exercise was to: Step 1: PCAP AnalysisTo begin the investigation, we first confirm that the PCAP file provided corresponds to the correct timeframe. This can be done using the capinfos tool to view the capture’s metadata and verify timestamps. Open-Source Intelligence (OSINT) on the Malicious IP Address:Next, we perform some OSINT research on the IP address 100.38.242.113. A quick search reveals the IP address is associated with Qakbot, a notorious banking Trojan. This information gives us a significant lead into the type of attack we’re dealing with. Question 1. Is there published OSINT on the IP address? Yes Question 2. If so, what? Associated with Qakbot. Wireshark Analysis:Once we’ve identified the IP address as malicious, we filter the PCAP for traffic involving 100.38.242.113 in Wireshark. We quickly determine that there was indeed a successful connection to this IP address. The malware that was downloaded from this connection was named shell.txt, which had been disguised as a .txt file to bypass security filters. Upon closer inspection, the file was actually a .bat file. It appears that the attackers used a technique to evade detection by renaming the malicious file. Question 3. Was there a successful connection to the suspicious IP address? Yes Question 4. Was malware downloaded? Yes File Export and Hashing:By analyzing the PCAP further, we managed to carve out the shell.bat file, extract its SHA256 hash, and analyze its behavior. The malware sets up a reverse shell, connecting the victim’s system back to the attacker’s machine for remote access. Question 5. If so, what is the name of the malicious file? shell.txt (shell.bat) Question 6. What is the SHA256 Hash of the file? Step 2: Malware BehaviorOnce executed, the shell.bat file initiates a PowerShell script that establishes a reverse TCP connection back to the attacker’s server. From there, the attacker can execute commands remotely on the victim’s machine. Some commands seen in the captured traffic include: Question 8. Was there any information stolen? Yes, enumeration took place. Step 3: Splunk AnalysisThe next step is to pivot through event logs using Splunk, where we search for logs related to the downloaded shell.txt file. By querying the data, we uncover the file path and confirm the file’s unusual extension change, which raises questions about the attacker’s evasion tactics. And This enumeration provides valuable information about the target system, which could help attackers decide their next steps, such as deploying more malware or establishing a command-and-control. Question 9. What file was the cause of the connection to the malicious IP address? GiftCard.bat File Path and Parent Process:Using Splunk’s search query, we track down the file’s location on the system. We also observe that the parent process responsible for downloading the file was powershell.exe, a legitimate Windows process that was weaponized by the attacker to execute malicious code. Conclusion: The Impact of the AttackThe investigation uncovers several key findings: The cause of the connection to the suspicious IP address was determined to be the execution of a .bat file that triggered the download of the reverse shell, exploiting a gap in real-time protection settings on the victim’s machine. This incident highlights the importance of proper endpoint protection and detection mechanisms to prevent malware from executing on vulnerable systems. Final Thoughts:Incident response exercises like this are invaluable for learning how to track down and analyze attacks in a controlled environment. By leveraging tools like Wireshark for packet analysis and Splunk for log analysis, cybersecurity professionals can develop a thorough understanding of attack techniques and improve response times in real-world incidents.