Reaper

CHALLENGE DESCRIPTION

Our SIEM alerted us to a suspicious logon event which needs to be looked at immediately. The alert details were that the IP Address and the Source Workstation name were a mismatch. You are provided a network capture and event logs from the surrounding time around the incident timeframe. Correlate the given evidence and report back to your SOC Manager.

SET UP

# 1. Create a Python virtual environment
python3 -m venv myenv

# 2. Activate the virtual environment
source myenv/bin/activate   # For Linux/macOS

# 3. Install the python-evtx library
pip install python-evtx

# 4. Download the evtx_dump.py script 
wget https://raw.githubusercontent.com/williballenthin/python-evtx/master/scripts/evtx_dump.py

# 5. Run the script on your .evtx file
python3 evtx_dump.py some.evtx > log.xml

SOLUTION

What is the IP Address for Forela-Wkstn001?

Open the capture in Wireshark and search for the string Forela-Wkstn001 (Edit > Find Packet, string search in the packet details). The packets that carry the hostname show that host's IP address as their source or destination.

Answer 172.17.79.129

What is the IP Address for Forela-Wkstn002?

Repeat the same string search for Forela-Wkstn002; the hostname appears with its IP in the same way.

Answer 172.17.79.136

What is the username of the account whose hash was stolen by attacker?

The 4624 logon events in the XML export record the account in a TargetUserName data field, so a case-insensitive grep for "username" on the dump produced in the set-up step lists every account that logged on:

grep -i 'username' log.xml
Answer arthur.kyle

What is the IP Address of Unknown Device used by the attacker to intercept credentials?

Grep for the account with a few lines of context so the IpAddress field of the same event is visible (-a treats the XML dump as text; the -a5 shorthand in the original is -a -5, i.e. five lines of context):

grep -a -C5 -i 'arthur.kyle' log.xml

The logon for arthur.kyle comes from 172.17.79.135, which is neither of the two known workstations.

Answer 172.17.79.135

What was the fileshare navigated by the victim user account?

Hint: Filter for smb2 traffic in wireshark. Search for keywords “BAD_NETWORK_NAME” in packet details.

STATUS_BAD_NETWORK_NAME is NT status 0xC00000CC, so the matching Wireshark display filter is:

smb2.nt_status == 0xc00000cc

Each hit is a Tree Connect Response answering a Tree Connect Request that names the share the victim tried to reach; open any of them (or Follow TCP Stream) and read the share path from the request.

Answer \\DC01\Trip

What is the source port used to logon to target workstation using the compromised account?

Filter on ntlmssp in Wireshark and locate the NTLMSSP_AUTH message for arthur.kyle sent to the target workstation; its TCP source port is the answer. The same value is recorded as IpPort in the matching 4624 event.

Answer 40252

What is the Logon ID for the malicious session?

Grep the XML dump for that port with context so the TargetLogonId field of the same 4624 event is shown:

grep -a -C5 '40252' log.xml
Answer 0x64A799

The detection was based on the mismatch of hostname and the assigned IP Address. What is the workstation name and the source IP Address from which the malicious logon occur?

Grep for the logon ID with wider context to see the whole event; its WorkstationName claims FORELA-WKSTN002 while the IpAddress is 172.17.79.135, not the 172.17.79.136 the capture assigns to that workstation:

grep -a -C15 -i '0x64A799' log.xml
Answer FORELA-WKSTN002, 172.17.79.135

At what UTC time did the malicious logon happen?

The same 4624 event carries its timestamp in the TimeCreated SystemTime attribute. EVTX stores SystemTime in UTC, so no conversion is needed.

Answer 2024-07-31 04:55:16

What is the share Name accessed as part of the authentication process by the malicious tool used by the attacker?

The share is recorded in the network share access events (Event ID 5140, "A network share object was accessed") in the same log, tied to the malicious session by its logon ID. IPC$ is the named-pipe share that relay and lateral-movement tooling connects to while authenticating.

Answer \\*\IPC$
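The whole correlation above, as an added example that is not part of the original write-up: a Python script that reproduces the SIEM's hostname/IP-mismatch detection over 4624 events in the XML shape evtx_dump.py emits, and pulls out the port, logon ID, UTC time and accessed share that were grepped for by hand. The hostname-to-IP map is taken from the first two answers; the sample events, the benign logon's ID and port, and the file name correlate.py are constructed for this example.

```python
"""Correlate evtx_dump.py-style XML with the hostname-to-IP map from the pcap.

Added example, not the write-up's own code. Sample events are CONSTRUCTED in
the shape evtx_dump.py emits; only the values quoted in the write-up are real.
"""
import sys
import xml.etree.ElementTree as ET

# Hostname -> IP as observed in the capture (values from the write-up).
HOST_IPS = {
    "FORELA-WKSTN001": "172.17.79.129",
    "FORELA-WKSTN002": "172.17.79.136",
}

# Constructed sample: a benign logon (made-up ID/port), the malicious logon,
# and the share-access event for the malicious session.
SAMPLE_XML = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID>
<TimeCreated SystemTime="2024-07-31 04:51:02.000000"></TimeCreated></System>
<EventData>
<Data Name="TargetUserName">arthur.kyle</Data>
<Data Name="TargetLogonId">0x64A100</Data>
<Data Name="WorkstationName">FORELA-WKSTN002</Data>
<Data Name="IpAddress">172.17.79.136</Data>
<Data Name="IpPort">49712</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>4624</EventID>
<TimeCreated SystemTime="2024-07-31 04:55:16.000000"></TimeCreated></System>
<EventData>
<Data Name="TargetUserName">arthur.kyle</Data>
<Data Name="TargetLogonId">0x64A799</Data>
<Data Name="WorkstationName">FORELA-WKSTN002</Data>
<Data Name="IpAddress">172.17.79.135</Data>
<Data Name="IpPort">40252</Data>
</EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System><EventID>5140</EventID>
<TimeCreated SystemTime="2024-07-31 04:55:16.000000"></TimeCreated></System>
<EventData>
<Data Name="SubjectLogonId">0x64A799</Data>
<Data Name="ShareName">\\*\IPC$</Data>
<Data Name="IpAddress">172.17.79.135</Data>
</EventData></Event>
</Events>"""


def _local(tag):
    """Strip the namespace evtx_dump.py puts on every Event element."""
    return tag.rsplit("}", 1)[-1]


def parse_events(xml_text):
    """Flatten each <Event> into a dict of EventID, SystemTime and EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text):
        rec = {"EventID": None, "SystemTime": None}
        for el in ev.iter():
            name = _local(el.tag)
            if name == "EventID":
                rec["EventID"] = int(el.text)
            elif name == "TimeCreated":
                rec["SystemTime"] = el.get("SystemTime")
            elif name == "Data" and el.get("Name"):
                rec[el.get("Name")] = (el.text or "").strip()
        events.append(rec)
    return events


def find_mismatched_logons(events, host_ips):
    """4624 logons whose WorkstationName maps to a different IP than IpAddress.

    Only fires when the capture told us the named host's real IP; local and
    unknown workstations are skipped rather than guessed at.
    """
    hits = []
    for e in events:
        if e["EventID"] != 4624:
            continue
        ws = e.get("WorkstationName", "").upper()
        expected = host_ips.get(ws)
        src = e.get("IpAddress", "")
        if not expected or src in ("", "-", "::1", "127.0.0.1") or src == expected:
            continue
        hits.append({
            "user": e.get("TargetUserName"),
            "workstation": ws,
            "expected_ip": expected,
            "src_ip": src,
            "src_port": e.get("IpPort"),
            "logon_id": e.get("TargetLogonId"),
            "time_utc": (e["SystemTime"] or "")[:19],  # EVTX SystemTime is UTC
        })
    return hits


def shares_for_logon(events, logon_id):
    """Share names touched (Event ID 5140) under the given logon ID."""
    return sorted({
        e["ShareName"] for e in events
        if e["EventID"] == 5140 and "ShareName" in e
        and e.get("SubjectLogonId", "").lower() == logon_id.lower()
    })


if __name__ == "__main__":
    # Usage: python3 correlate.py log.xml  (falls back to the constructed sample)
    text = SAMPLE_XML
    if len(sys.argv) > 1:
        text = open(sys.argv[1], encoding="utf-8", errors="replace").read()
    events = parse_events(text)
    for hit in find_mismatched_logons(events, HOST_IPS):
        print(hit, shares_for_logon(events, hit["logon_id"]))
```

A real dump can begin with an XML 1.1 declaration or contain control characters that ElementTree refuses; if that happens, strip the declaration line or pre-clean the text before passing it in. The mismatch check deliberately ignores logons with a local or blank IpAddress, which is where a naive version of this rule produces most of its false positives.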