Tryhackme-Incident Response and Forensics

Incident Response and Forensics

Volatility

task1 Intro

Install Volatility onto your workstation of choice or use the provided virtual machine. On Debian-based systems such as Kali this can be done via apt-get install volatility

task2 Obtaining Memory Samples

1.What memory format is the most common?

.raw

.raw is the most common memory image file type

2.The Windows system we’re looking to perform memory forensics on was turned off by mistake. What file contains a compressed memory image?

hiberfil.sys

The Windows hibernation memory file is located at %SystemDrive%/hiberfil.sys

3.The Windows system we’re looking to perform memory forensics on was turned off by mistake. What file contains a compressed memory image?

.vmem

task3 Examining Our Patient

1.First, let’s figure out what profile we need to use. Profiles determine how Volatility treats our memory image since every version of Windows is a little bit different. Let’s see our options now with the command volatility -f MEMORY_FILE.raw imageinfo

2.Running the imageinfo command in Volatility will provide us with a number of profiles we can test with, however, only one will be correct. We can test these profiles using the pslist command, validating our profile selection by the sheer number of returned results. Do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE pslist. What profile is correct for this memory image?

WinXPSP2x86

3.Take a look through the processes within our image. What is the process ID for the smss.exe process? If results are scrolling off-screen, try piping your output into less

368

4.In addition to viewing active processes, we can also view active network connections at the time of image creation! Let’s do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE netscan. Unfortunately, something not great is going to happen here due to the sheer age of the target operating system as the command netscan doesn’t support it.

5.It’s fairly common for malware to attempt to hide itself and the process associated with it. That being said, we can view intentionally hidden processes via the command psxview. What process has only one ‘False’ listed?

csrss.exe

6.In addition to viewing hidden processes via psxview, we can also check this with a greater focus via the command ‘ldrmodules’. Three columns will appear here in the middle, InLoad, InInit, InMem. If any of these are false, that module has likely been injected which is a really bad thing. On a normal system the grep statement above should return no output. Which process has all three columns listed as ‘False’ (other than System)?

csrss.exe
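Questions five and six come down to reading a cross-view table and spotting rows where the views disagree. The script below is an added example (not code from the room or from Volatility) that parses a constructed Volatility 2 psxview table and reports every process missing from at least one view, plus the "exactly one False" shortlist the question asks for:

```python
"""Flag processes whose psxview cross-view columns disagree.

Added example, not code from the TryHackMe room or from Volatility. The
table below is constructed to mimic Volatility 2 psxview output."""
from collections import namedtuple

PSXVIEW_OUTPUT = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 csrss.exe               584 True   True   True     True   False True    True
0x025c89c8 System                    4 True   True   True     True   False False   False
0x021c6a80 sample.exe             1640 False  True   True     True   True  True    True
"""

Finding = namedtuple("Finding", "name pid missing")

def parse_psxview(text):
    """Yield (name, pid, {column: bool}) for each data row of the table."""
    lines = [l for l in text.splitlines() if l.strip()]
    bool_cols = lines[0].split()[3:]      # columns after Offset(P), Name, PID
    for line in lines[2:]:                # skip the header and dashed separator
        parts = line.split()
        flags = dict(zip(bool_cols, (p == "True" for p in parts[3:])))
        yield parts[1], int(parts[2]), flags

def hidden_candidates(text):
    """One Finding per process that is absent from at least one view.

    csrss.exe itself and System legitimately show False in the csrss column
    (System also in session/deskthrd), so read findings in context: a process
    present in psscan but absent from pslist is the classic unlinked case."""
    findings = []
    for name, pid, flags in parse_psxview(text):
        missing = [col for col, seen in flags.items() if not seen]
        if missing:
            findings.append(Finding(name, pid, missing))
    return findings

def exactly_one_false(text):
    """Names with exactly one False column (the room's psxview question)."""
    return [f.name for f in hidden_candidates(text) if len(f.missing) == 1]

if __name__ == "__main__":
    for f in hidden_candidates(PSXVIEW_OUTPUT):
        print(f"{f.name} (PID {f.pid}) missing from: {', '.join(f.missing)}")
```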

7.Processes aren’t the only area we’re concerned with when we’re examining a machine. Using the ‘apihooks’ command we can view unexpected patches in the standard system DLLs. If we see an instance where Hooking module: that’s really bad. This command will take a while to run, however, it will show you all of the extraneous code introduced by the malware.

8.Injected code can be a huge issue and is highly indicative of very very bad things. We can check for this with the command malfind. Using the full command volatility -f MEMORY_FILE.raw --profile=PROFILE malfind -D <Destination Directory> we can not only find this code, but also dump it to our specified directory. Let’s do this now! We’ll use this dump later for more analysis. How many files does this generate?

12

9.Last but certainly not least we can view all of the DLLs loaded into memory. DLLs are shared system libraries utilized in system processes. These are commonly subjected to hijacking and other side-loading attacks, making them a key target for forensics. Let’s list all of the DLLs in memory now with the command dlllist

10.Now that we’ve seen all of the DLLs running in memory, let’s go a step further and pull them out! Do this now with the command volatility -f MEMORY_FILE.raw --profile=PROFILE --pid=PID dlldump -D <Destination Directory> where the PID is the process ID of the infected process we identified earlier (questions five and six). How many DLLs does this end up pulling?

12

task4 Post Actions

1.Upload the extracted files to VirusTotal for examination.

2.Upload the extracted files to Hybrid Analysis for examination - Note, this will also upload to VirusTotal but for the sake of demonstration we have done this separately.

3.What malware has our sample been infected with? You can find this in the results of VirusTotal and Hybrid Analysis.

Cridex

task5 Extra Credit

Check out the resources provided above!

Investigating Windows

task1 Investigating Windows

Username: Administrator Password: letmein123!

1.What’s the version and year of the Windows machine?

Windows Server 2016

2.Which user logged in last?

Administrator

Common logs – Event Viewer (eventvwr.msc)

Event IDs

  • 4624 - An account was successfully logged on
  • 4625 - An account failed to log on
  • 4634 - An account was logged off
  • 4647 - User initiated logoff
  • 4648 - A logon was attempted using explicit credentials
  • 4720 - A user account was created

Logon types

  • Logon type 2: Interactive - a logon at the computer’s console, i.e. from the local keyboard; corresponding event IDs (4648, 4624)
  • Logon type 3: Network - access to a network share or printer; corresponding event IDs (4624, 5140 for file shares)
  • Logon type 4: Batch - when Windows runs a scheduled task, the Task Scheduler service first creates a new logon session for that task so it can run under the user account configured for it;
  • Logon type 5: Service - similar to scheduled tasks, every service is configured to run under a particular user account; when the service starts, Windows first creates a logon session for that user, recorded as type 5;
  • Logon type 7: Unlock - unlocking the screen requires entering a username and password; the resulting log entry is type 7;
  • Logon type 8: NetworkCleartext - usually seen with IIS ASP logons;
  • Logon type 9: NewCredentials - usually seen when a program is started with RunAs;
  • Logon type 10: RemoteInteractive - when the computer is accessed through Terminal Services, Remote Desktop or Remote Assistance, Windows records type 10 to distinguish it from a true console logon; corresponding event IDs (4648, 4624, 4672)
  • Logon type 11: CachedInteractive - used when logging on as a domain user outside the network and no domain controller can be reached. By default Windows caches the credential hashes of the last 10 interactive domain logons; if you later log on as a domain user with no domain controller available, Windows uses those hashes to verify your identity.
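Questions 2 and 3 are answered by picking the newest 4624 event per account and reading its logon type. The script below is an added example (not code from the room) that does exactly that over constructed events written in the XML shape that Event Viewer’s "Copy > XML" produces, trimmed to the fields used here; a real export carries an xmlns and more fields:

```python
"""Most recent successful logon (event 4624) per account, with logon type.

Added example, not part of the TryHackMe room. SAMPLE_EVENTS is constructed
in the XML shape Event Viewer's "Copy > XML" produces, trimmed to the fields
used here (the real export carries an xmlns and more fields)."""
import xml.etree.ElementTree as ET
from datetime import datetime

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

def event(eid, when, user, logon_type):
    """Build one constructed event record for the sample data."""
    return (f"<Event><System><EventID>{eid}</EventID>"
            f"<TimeCreated SystemTime='{when}'/></System><EventData>"
            f"<Data Name='TargetUserName'>{user}</Data>"
            f"<Data Name='LogonType'>{logon_type}</Data></EventData></Event>")

SAMPLE_EVENTS = "<Events>" + "".join([
    event(4624, "2019-03-01T08:30:00Z", "John", 2),
    event(4625, "2019-03-02T16:01:00Z", "Jenny", 10),   # failed logon: ignored
    event(4624, "2019-03-02T14:04:49Z", "Administrator", 10),
    event(4624, "2019-03-02T17:48:32Z", "John", 3),
    event(4624, "2019-03-03T09:15:00Z", "Administrator", 2),
]) + "</Events>"

def last_logons(xml_text):
    """Return {user: (datetime, logon type name)} for the newest 4624 per user."""
    latest = {}
    for ev in ET.fromstring(xml_text).findall("Event"):
        if ev.findtext("System/EventID") != "4624":
            continue                      # only successful logons count
        when = datetime.strptime(ev.find("System/TimeCreated").get("SystemTime"),
                                 "%Y-%m-%dT%H:%M:%SZ")
        data = {d.get("Name"): d.text for d in ev.findall("EventData/Data")}
        user, ltype = data["TargetUserName"], int(data["LogonType"])
        if user not in latest or when > latest[user][0]:
            latest[user] = (when, LOGON_TYPES.get(ltype, f"type {ltype}"))
    return latest

def last_user(xml_text):
    """The account with the most recent successful logon (the room's question 2)."""
    return max(last_logons(xml_text).items(), key=lambda kv: kv[1][0])[0]

if __name__ == "__main__":
    for user, (when, ltype) in sorted(last_logons(SAMPLE_EVENTS).items()):
        print(f"{user:<14} {when:%m/%d/%Y %I:%M:%S %p}  {ltype}")
```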

3.When did John log onto the system last?

Answer format: MM/DD/YYYY H:MM:SS AM/PM

03/02/2019 5:48:32 PM

4.What IP does the system connect to when it first starts?

10.34.2.3

Registry (regedit) - startup items

HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run

5.What two accounts had administrative privileges (other than the Administrator user)?

Answer format: username1, username2

Jenny,Guest

Computer Management - Local Users and Groups: check the members of the Administrators group

Windows hidden accounts (users that cannot be found on the Windows welcome screen, in net user output, in the Control Panel User Accounts window, or in Computer Management - Local Users and Groups)

Creating a hidden account

1.net user username$ password /add

net localgroup administrators username$ /add adds the user to the administrators group

net localgroup "Remote Desktop Users" username$ /add allows the user to log on remotely

2.Path HKEY_LOCAL_MACHINE - SAM - SAM (right-click Permissions and grant the administrator full control) - Domains - Account - Users; press F5 to refresh and the entries appear

3.Set the F value in the hidden account’s entry to the same data as the F value of the Administrator entry;

(In the Names subkey, the type value of the account$ item corresponds to an item in the parent Users key, i.e. the account name maps to the account’s information)

4.Export the hidden account’s name key and the hidden account’s information key as .reg files;

5.net user username$ /del deletes the account;

6.Import the exported .reg files back into the registry;

6.What’s the name of the scheduled task that is malicious?

Clean file system

7.What file was the task trying to run daily?

nc.ps1

8.What port did this file listen locally for?

1348

9.When did Jenny last logon?

Never

10.At what date did the compromise take place?

Answer format: MM/DD/YYYY

03/02/2019

11.At what time did Windows first assign special privileges to a new logon?

Answer format: MM/DD/YYYY HH:MM:SS AM/PM

03/02/2019 4:04:49 PM

12.What tool was used to get Windows passwords?

mimikatz

mimikatz - a lightweight debugging tool that can elevate process privileges and inject into processes to read their memory. It obtains the password of the currently logged-on user directly from the lsass.exe process. lsass is the Windows security mechanism responsible for local security and logon policy: when we enter a password at logon, the password is kept in lsass memory, where the wdigest and tspkg modules encrypt it with a reversible algorithm and store it in memory; mimikatz reverses that to obtain the plaintext password. In other words, as long as the computer has not been rebooted, the logon password can be recovered this way, but only for the currently logged-on session!

Note: on systems with the KB2871997 patch installed, or with a version newer than Windows Server 2012, plaintext passwords are no longer kept in memory, so mimikatz cannot read plaintext passwords from memory. mimikatz must be run as the Administrator user; other members of the administrators group cannot.

13.What was the attacker’s external command and control server’s IP?

76.32.97.132

The hosts file is located at C:\Windows\System32\drivers\etc\hosts

14.What was the extension name of the shell uploaded via the server’s website?

.jsp

"inetpub" is a folder on the computer and the default folder of Microsoft Internet Information Services (IIS). Website content and web applications are stored in the inetpub folder, keeping them organized and secure.

15.What was the last port the attacker opened?

1337

16.Check for DNS poisoning, what site was targeted?

google.com
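Question 16 is answered by reading the hosts file noted under question 13 and finding a well-known name steered to an address it should not have. The script below is an added example (not code from the room) that parses a constructed hosts file, ignores comments and benign loopback / 0.0.0.0 blocking entries, and lists every name mapped to an external address; the poisoned address is a documentation-range placeholder, and on a live system you would read C:\Windows\System32\drivers\etc\hosts instead:

```python
"""Check a Windows hosts file for DNS-poisoning style entries.

Added example, not part of the TryHackMe room. HOSTS_SAMPLE is constructed;
203.0.113.7 is a documentation-range placeholder, not a real indicator."""
import ipaddress

HOSTS_SAMPLE = """\
# constructed hosts file for illustration
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   mypc.local
203.0.113.7  google.com www.google.com   # constructed poisoned entry
0.0.0.0     ads.example.net              # blocking entry, benign
"""

def parse_hosts(text):
    """Yield (ip, [hostnames]) for each active (non-comment) line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        yield ip, names

def is_benign_target(ip):
    """Loopback, unspecified (0.0.0.0) and link-local targets are normal."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local

def poisoned_entries(text):
    """Return [(hostname, ip)] for names steered to an external address.

    Private LAN addresses are reported too; review those by hand, since an
    intranet hostname pinned to a LAN address can be legitimate."""
    hits = []
    for ip, names in parse_hosts(text):
        if is_benign_target(ip):
            continue
        hits.extend((name, ip) for name in names)
    return hits

if __name__ == "__main__":
    for name, ip in poisoned_entries(HOSTS_SAMPLE):
        print(f"{name} -> {ip}")
```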

Disk Analysis & Autopsy

Task1 Windows 10 Disk Image

1.What is the MD5 hash of the E01 image?

3f08c518adb3b5c1359849657a9b2079

2.What is the computer account name?

DESKTOP-0R59DJ3

3.List all the user accounts. (alphabetical order)

keshav,sivapriya,andhya,srini,H4S4N,joshwa,suba,shreya

4.Who was the last user to log into the computer?

sivapriya

5.What was the IP address of the computer?

Program Files(X86)\Look@LAN\irunin.ini

192.168.130.216

6.What was the MAC address of the computer? (XX-XX-XX-XX-XX-XX)

08-00-27-2c-c4-b9

7.Name the network cards on this computer

ROOT/Microsoft/Windows NT/CurrentVersion/NetworkCards/2

Intel®PRO /1000 MT Desktop Adapter

8.What is the name of the network monitoring tool?

LOOK@LAN

9.A user bookmarked a Google Maps location. What are the coordinates of the location?

12°52’23.0"N 80°13’25.0"E

10.A user has his full name printed on his desktop wallpaper. What is the user’s full name?

Anto Joshwa

11.A user had a file on her desktop. It had a flag but she changed the flag using PowerShell. What was the first flag?

PowerShell command history: Users > ‘username’ > AppData > Roaming > Microsoft > Windows > PowerShell > PSReadLine > ConsoleHost_history.txt

flag{HarleyQuinnForQueen}

12.The same user found an exploit to escalate privileges on the computer. What was the message to the device owner?

Flag{I-hacked-you}

13.Two hack tools focused on passwords were found in the system. What are the names of these tools? (alphabetical order)

Windows Defender scan logs: Program Data > Microsoft > Windows Defender > Scans > History > Service > DetectionHistory > 02

lazagne,mimikatz

14.There is a YARA file on the computer. Inspect the file. What is the name of the author?

Benjamin DELPY (gentilkiwi)

15.One of the users wanted to exploit a domain controller with an MS-NRPC based exploit. What is the filename of the archive that you found? (include the spaces in your answer)

2.2.0 20200918 Zerologon encrypted.zip

[TryHackMe] Disk Analysis & Autopsy (razrsec.uk)
