Deep Blue Investigation: Unveiling the Secrets of a Compromised Windows Workstation

_gilfoylee

2 min read · Jun 11, 2023

Introduction:

Welcome to my first write-up on Medium, where we delve into an exciting investigation conducted by Blue Team Labs. In this case, we are tasked with uncovering the truth behind a compromised Windows workstation. Join me on this thrilling journey as we analyze the evidence and reveal the steps taken by the attacker. Let’s begin our Deep Blue Investigation!


Scenario Overview:

Our investigation revolves around a Windows workstation that was compromised through internet-facing RDP. The attacker abused this exposed service and deployed Meterpreter to achieve their objectives. To commence our analysis, we were provided with the Security.evtx and System.evtx log exports from the compromised system. Our primary focus is on scrutinizing these exported logs, located within the \Desktop\Investigation\ directory, rather than the live Windows logs generated by the lab machine itself.

Analyzing the Security.evtx Log:

Using the powerful DeepBlueCLI tool, we embarked on our quest to uncover crucial information from the Security.evtx log. Let’s explore the answers to the questions posed in this investigation.

Q. Using DeepBlueCLI, investigate the recovered Security log (Security.evtx). Which user account ran GoogleUpdate.exe?

A. Mike Smith

Q. Using DeepBlueCLI, investigate the recovered Security.evtx log. At what time is there likely evidence of Meterpreter activity?

A. 4/10/2021 10:48:14

Q. Using DeepBlueCLI, investigate the recovered System.evtx log. What is the name of the suspicious service created?

A. rztbzn

Q. Investigate the Security.evtx log in Event Viewer. Process creation is being audited (event ID 4688). Identify the malicious executable downloaded that was used to gain a Meterpreter reverse shell, between 10:30 and 10:50 AM on the 10th of April 2021.

A. Mike Smith, serviceupdate.exe

Q. It’s also believed that an additional account was created to ensure persistence between 11:25 AM and 11:40 AM on the 10th April 2021. What was the command line used to create this account?

A. net user ServiceAct /add

Q. What two local groups was this new account added to?

A. Remote Desktop users, administrators
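The questions above follow one triage path: a first pass with DeepBlueCLI over each export, then manual confirmation in the Security log of process creation (4688) in the 10:30–10:50 window, account creation (4720) and local group additions (4732) in the 11:25–11:40 window, and in the System log of the service installation (7045). The PowerShell below is an added example of that path using Get-WinEvent against the exported files; it is not code from the original write-up or from the DeepBlueCLI project. The Investigation folder under the user's Desktop and the DeepBlueCLI checkout path `C:\Tools\DeepBlueCLI` are assumptions, and the CommandLine field of 4688 is only populated when command-line auditing is enabled on the audited host.

```powershell
# Added example, not from the original write-up. Paths below are assumptions.
$Inv         = Join-Path $env:USERPROFILE 'Desktop\Investigation'
$SecurityLog = Join-Path $Inv 'Security.evtx'
$SystemLog   = Join-Path $Inv 'System.evtx'
$DeepBlue    = 'C:\Tools\DeepBlueCLI\DeepBlue.ps1'   # assumed checkout location

# Helper: flatten the EventData of an event record into a name -> value table,
# which is more reliable than parsing the rendered Message text.
function Get-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $fields = @{}
    foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    return $fields
}

# 1. First pass: DeepBlueCLI takes the .evtx path as its first argument and
#    reports the suspicious entries (user running GoogleUpdate.exe, likely
#    Meterpreter activity, the odd service name) that the questions ask about.
& $DeepBlue $SecurityLog | Format-List
& $DeepBlue $SystemLog   | Format-List

# 2. Process creation (4688) in the window where the reverse shell was obtained.
$filter = @{ Path = $SecurityLog; Id = 4688
             StartTime = Get-Date '2021-04-10 10:30:00'
             EndTime   = Get-Date '2021-04-10 10:50:00' }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time        = $_.TimeCreated
        User        = $f['SubjectUserName']     # account that created the process
        NewProcess  = $f['NewProcessName']
        Parent      = $f['ParentProcessName']   # present on Windows 10 / 2016 and later
        CommandLine = $f['CommandLine']         # empty unless command-line auditing is on
    }
} | Sort-Object Time | Format-Table -AutoSize

# 3. Persistence: account creation (4720) and local group additions (4732)
#    in the later window. 4732 names the group in TargetUserName and the
#    added principal in MemberName / MemberSid.
$filter = @{ Path = $SecurityLog; Id = 4720, 4732
             StartTime = Get-Date '2021-04-10 11:25:00'
             EndTime   = Get-Date '2021-04-10 11:40:00' }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $f = Get-EventFields $_
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Id      = $_.Id
        Actor   = $f['SubjectUserName']
        Target  = $f['TargetUserName']   # new account (4720) or group name (4732)
        Member  = $f['MemberSid']        # SID of the account added to the group (4732)
    }
} | Sort-Object Time | Format-Table -AutoSize

# 4. Service installation recorded by the Service Control Manager (7045) in System.evtx.
Get-WinEvent -FilterHashtable @{ Path = $SystemLog; Id = 7045 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            ServiceName = $f['ServiceName']
            ImagePath   = $f['ImagePath']   # a random-looking name or a temp-path binary stands out here
            StartType   = $f['StartType']
        }
    } | Format-Table -AutoSize
```

Running the DeepBlueCLI pass first gives the leads; the three Get-WinEvent queries then tie each lead back to a specific event record, which is what you want to cite in a report. Filtering on `Path` keeps the analysis on the exported files, so the lab machine's own Security and System logs never enter the picture.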

Thank you for joining me on this investigation! If you enjoyed this write-up, please give it a clap and follow me for more intriguing investigations in the future. Together, we can continue unraveling the mysteries of cybersecurity!
