Studying “BazarCall to Conti Ransomware via Trickbot and Cobalt Strike”: Part 2

Salim Salimov
6 min read · Mar 31, 2024


Tracing the Cyber Intrusion: A Dive into Eric Zimmerman’s Timeline Explorer

Greetings to all readers joining me on this cybersecurity exploration.

Today, I dive deeper into our investigation, picking up from where I left off in Part 1. I’ve identified a potentially malicious DLL file marked by its SHA256 hash “87402c2ee3595cd862dbb82648aa9ebf17d41ceb05f912e50493d9ba96acb9a4” and have begun tracing back to the initial document sent by the attackers to infiltrate the victim company’s network. Below is a table of the notes I took earlier in Part 1.

findings from previous article

EZ Tools Installation

I fired up my Windows VM in my Home Lab and installed Eric Zimmerman’s tools using a PowerShell script to get all EZ tools at once. Unfortunately, EZ tools are only available for Windows. Check out the screenshot below for the installation steps. After completing the download and installation process, I now have a full set of EZ tools ready to use.

all installation steps in one screenshot

Loading csv log files

The tool I’m using for this investigation is the Timeline Explorer. It’s designed to work with CSV and Excel files, but it does not seem able to run a search query across multiple files at once. So, I had to combine all four MDE CSV files into one to enable this feature.

Combining CSV files is straightforward. In Windows, you can use the following command:

copy *.csv combined.csv

Alternatively, in a Linux terminal, you can use:

cat *.csv > combined.csv

Remember to run these commands from the folder where the CSV files are located. Check out the screenshots below for a demonstration of these commands.
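A plain copy or cat concatenates the files byte for byte, so every export’s header row lands in combined.csv and Timeline Explorer then shows those repeated headers as data rows. The script below is an added example (not the author’s code or part of EZ Tools) that merges the exports with a single header and a SourceFile column; it assumes the exports are UTF-8 CSVs in the current folder.

```python
import csv
import glob
import os

def merge_csv(input_paths, output_path):
    """Merge several MDE CSV exports into one file with a single header row.

    A plain `copy *.csv` or `cat *.csv` repeats every file's header row (which
    Timeline Explorer then shows as data rows) and, when the output name matches
    the glob, can feed the output back into its own input. This version writes
    the union of all columns, so exports with differing column sets still line
    up, and adds a SourceFile column so each row stays traceable to its export."""
    output_abs = os.path.abspath(output_path)
    input_paths = [p for p in input_paths if os.path.abspath(p) != output_abs]

    # First pass: collect the union of column names in first-seen order.
    columns = []
    for path in input_paths:
        with open(path, newline="", encoding="utf-8-sig") as fh:   # utf-8-sig drops a BOM
            for col in csv.DictReader(fh).fieldnames or []:
                if col not in columns:
                    columns.append(col)
    fieldnames = columns + ["SourceFile"]

    # Second pass: write one header, then every data row from every file.
    rows = 0
    with open(output_path, "w", newline="", encoding="utf-8") as out:
        writer = csv.DictWriter(out, fieldnames=fieldnames, restval="", extrasaction="ignore")
        writer.writeheader()
        for path in input_paths:
            with open(path, newline="", encoding="utf-8-sig") as fh:
                for row in csv.DictReader(fh):
                    row["SourceFile"] = os.path.basename(path)
                    writer.writerow(row)
                    rows += 1
    return rows, fieldnames

if __name__ == "__main__":
    # Run from the folder holding the exports, like the copy/cat commands above.
    count, cols = merge_csv(sorted(glob.glob("*.csv")), "combined.csv")
    print(f"wrote {count} rows, columns: {cols}")
```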

Once the CSV files are combined, I open the combined.csv file in the Timeline Explorer. To start up the tool, I navigate to the correct path and double-click the exe file located at C:\Eztools\TimelineExplorer\TimelineExplorer.exe. Then, I simply drag and drop the combined.csv file inside the tool's GUI window.

At this point, I’m ready to delve deeper into the logs and uncover any malicious activities and files.

Starting the deeper investigation:

  1. Returning to where I left off in Part 1, my last finding was a suspicious event involving a parent process file named Velociraptor.exe, which was associated with a PowerShell command line that downloaded the malicious DLL sample. I searched for it in the Timeline Explorer, making it my first search query this time.

Unfortunately, there are 22 events associated with Velociraptor.exe, and I couldn’t capture all the details in a single screenshot due to the multitude of columns in the Timeline Explorer. To provide a comprehensive view, I’ve included four screenshots.

  • In the first screenshot, we observe the creation of two files at 11:53:15 on 11/06/2021: a PowerShell script and a PowerShell script module. This suggests they may have been used in combination with other PowerShell scripts. Two process creation events follow immediately after the files are created. Within seconds, a PowerShell command is executed, with a connection success event appearing in between. This aligns with the creation of the file 1.zip, which I already discussed in my previous article.
  • The second screenshot reveals the process command line of the process creation events, showing the execution of conhost.exe with parameters and the same base64-encoded PowerShell command that I previously analyzed, responsible for downloading the 1.zip file. Additionally, an OpenProcessApiCall event involving lsass.exe is recorded. Details such as remote URL, remote IP, and port can be seen in a connection success event line.
  • In the third and fourth screenshots, we observe two distinct sets of event logs. The first set reveals a familiar PowerShell script being executed repeatedly under the program “Velociraptor.exe.” The second group of event logs shows processes initiated under the program “services.exe.” These processes configure and launch a file named “client.config.yaml” as a service, from the provided file path.

What catches my eye here are the two files created (.ps1 and .psm1), prompting further investigation.

2. Investigating these PowerShell scripts

As my latest findings show, PowerShell and cmd command lines and scripts are among the most common methods attackers use to gain access, maintain persistence, and control their victims’ systems. To further my investigation, I focused on the first part of the files’ names, up to where they stop sharing common characters:

__PSScriptPolicyTest_

Based on the results shown in the screenshot above, we have identified 304 events primarily involving the creation of pairs of .ps1 and .psm1 files in different Temp folders across all four machines whose logs I am examining. Unfortunately, the MDE logs do not provide the contents of these script files. Therefore, I turned to the internet to search for the parent file and gather information about it.
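PowerShell itself writes one __PSScriptPolicyTest_ .ps1/.psm1 pair with a shared random stem to the Temp folder each time it starts, to probe AppLocker/WDAC script enforcement, so a high count of such pairs is expected noise; what is worth reading out of the 304 events is which parent keeps launching PowerShell on which host, and any stem where only half of the pair was logged. The script below is an added example (not the author’s code and not the investigation’s real logs) that does this grouping over constructed rows in the shape of an MDE DeviceFileEvents export; the column names are real MDE columns, the hostnames and stems are made up.

```python
import csv
import io
from collections import defaultdict

PREFIX = "__PSScriptPolicyTest_"
PAIR = {"ps1", "psm1"}

# Constructed rows in the shape of an MDE DeviceFileEvents export; not the article's real logs.
SAMPLE_CSV = """Timestamp,DeviceName,ActionType,FileName,FolderPath,InitiatingProcessFileName,InitiatingProcessParentFileName
2021-11-06T11:53:15Z,ws01,FileCreated,__PSScriptPolicyTest_abcd1234.ps1,C:\\Windows\\Temp\\,powershell.exe,Velociraptor.exe
2021-11-06T11:53:15Z,ws01,FileCreated,__PSScriptPolicyTest_abcd1234.psm1,C:\\Windows\\Temp\\,powershell.exe,Velociraptor.exe
2021-11-06T11:53:16Z,ws01,ProcessCreated,conhost.exe,C:\\Windows\\System32\\,powershell.exe,Velociraptor.exe
2021-11-06T12:10:02Z,ws02,FileCreated,__PSScriptPolicyTest_ef567890.ps1,C:\\Users\\bob\\AppData\\Local\\Temp\\,powershell.exe,cmd.exe
2021-11-06T12:10:02Z,ws02,FileCreated,__PSScriptPolicyTest_ef567890.psm1,C:\\Users\\bob\\AppData\\Local\\Temp\\,powershell.exe,cmd.exe
2021-11-06T12:44:40Z,ws03,FileCreated,__PSScriptPolicyTest_00ff11aa.ps1,C:\\Windows\\Temp\\,powershell.exe,services.exe
"""

def policy_test_summary(csv_text):
    """Group __PSScriptPolicyTest_ file creations by (device, parent of the PowerShell host).

    Returns the number of matching events and, per (device, parent), how many complete
    .ps1/.psm1 pairs were seen and which stems are missing one half of the pair."""
    stems = defaultdict(lambda: defaultdict(set))   # (device, parent) -> stem -> {ext}
    total = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["FileName"]
        if row["ActionType"] != "FileCreated" or not name.startswith(PREFIX):
            continue
        total += 1
        stem, _, ext = name.rpartition(".")
        key = (row["DeviceName"], row["InitiatingProcessParentFileName"])
        stems[key][stem].add(ext.lower())
    summary = {}
    for key, per_stem in stems.items():
        summary[key] = {
            "pairs": sum(1 for exts in per_stem.values() if exts == PAIR),
            "incomplete": sorted(s for s, exts in per_stem.items() if exts != PAIR),
        }
    return total, summary

if __name__ == "__main__":
    total, summary = policy_test_summary(SAMPLE_CSV)
    print(f"{total} policy-test file events")
    for (device, parent), info in sorted(summary.items()):
        print(f"{device:6} {parent:18} pairs={info['pairs']} incomplete={info['incomplete']}")
```

To run it over the real combined.csv, replace SAMPLE_CSV with the file’s contents; the same columns are present in a DeviceFileEvents export.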

3. Googling for Velociraptor.exe

Upon Googling Velociraptor.exe, I discovered that this file or application was completely unknown to me, but it appears to be a legitimate cybersecurity tool.

  • This discovery led me to reconsider my latest suspected findings. It’s possible that all those processes and activities related to this app actually belong to the company’s security team and not to adversaries. After all, security teams also use PowerShell and PowerShell scripts to test and automate their tools for detection, setup, configuration, and implementation of protection tools and rules. This theory somewhat explains the abundance of scripts present.
  • On the other hand, I still have no proof that Velociraptor.exe has not been abused or modified by attackers.

4. Conclusion

As I write my blogs concurrently with my investigations, my initial plans can often change based on the results of those investigations. Today’s story serves as a prime example of the challenges that, I believe, every cybersecurity analyst encounters when working on a new case. At this point, it’s important to shift focus and explore different paths, examining various suspicious files from the notes and using different tools and logs to validate and substantiate a correct hypothesis.

This adaptability and willingness to explore new avenues are crucial in the ever-evolving landscape of cybersecurity. While uncertainties may arise, each discovery contributes to a deeper understanding of the threat landscape.

I hope you found this article engaging, and I look forward to sharing more insights with you in my next installment.

Resources:

https://www.sans.org/tools/ez-tools/

https://docs.velociraptor.app/
