Scenario

Lab Link: Lockdown

TechNova Systems' SOC has detected suspicious outbound traffic from a public-facing IIS server in its cloud platform—activity suggestive of a web-shell drop and covert connections to an unknown host.

As the forensic examiner, you have three critical artefacts in hand: a PCAP capturing the initial traffic, a full memory image of the server, and a malware sample recovered from disk. Reconstruct the intrusion and all of the attacker's activities so TechNova can contain the breach and strengthen its defenses.

PCAP Analysis

First Part PCAP Analysis

$ file capture.pcapng 
capture.pcapng: pcapng capture file - version 1.0

Q1

After flooding the IIS host with rapid-fire probes, the attacker reveals their origin. Which IP address generated this reconnaissance traffic?

Answer Format: **.*.*.*

so first command is to see which IPs talked to each other and how much

tshark -r capture.pcapng -q -z conv,ip

-q quiet (no packet details)
-z conv,ip show IP conversation summary

10.0.2.4 has most traffic with your server (6007 packets). Way more than others. This is probably the attacker doing recon.

see what ports 10.0.2.4 was hitting (port scanning = reconnaissance)

tshark -r capture.pcapng -Y "ip.src==10.0.2.4" -T fields -e tcp.dstport | sort | uniq -c | sort -nr

Result is 10.0.2.4 hit tons of different ports Answer:

10.0.2.4

Q2

Zeroing in on a single open service to gain a foothold, the attacker carries out targeted enumeration. Which MITRE ATT&CK technique ID covers this activity?

Answer Format: ***** 

Need to see the actual HTTP requests sent during enumeration.

tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==80 and tcp.flags.push==1" -V | head -20

Need to see the actual HTTP requests to identify the enumeration technique used.

tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==80 and http" -T fields -e http.request.method -e http.request.uri -e http.user_agent

Now we got

• Nmap service enumeration - probing web server capabilities
• Manual directory enumeration - checking /Documents/, /Documents/shell.aspx

Search :"MITRE ATT&CK" "service enumeration" "port scanning" "nmap" technique

MITRE ATT&CK Technique: T1046 - Network Service Discovery

Answer:

T1046

Q3

While reviewing the SMB traffic, you observe two consecutive Tree Connect requests that expose the first shares the intruder probes on the IIS host. Which two full UNC paths are accessed?

Answer Format: \\**.*.*.**\*********, \\**.*.*.**\***$

Looking for SMB2 Tree Connect commands from attacker to see which shares they accessed first.

tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==445 and smb2" -T fields -e smb2.cmd -e smb2.tree | head -20

SMB2 command 3 = Tree Connect. This shows the exact order of share connections.

┌──(hidden㉿Ultra)-[~/Desktop/CTF/CD]
└─$ tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==445 and smb2.cmd==3" -T fields -e smb2.tree
\\\\10.0.2.15\\IPC$
\\\\10.0.2.15\\IPC$
\\\\10.0.2.15\\Documents

Answer:

\\10.0.2.15\Documents, \\10.0.2.15\IPC$

Q4

Inside the share, the attacker plants a web-accessible payload that will grant remote code execution. What is the filename of the malicious file they uploaded, and what byte length is specified in the corresponding SMB2 Write Request?

Answer Format: *****.****, *******

filter to only show packets with filenames to see file operations clearly

tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==445 and smb2.filename" -T fields -e smb2.cmd -e smb2.filename -e smb2.write_length


5       srvsvc
5
5
5
5       information.txt
5       shell.aspx

need to see the full details of the shell.aspx file operations including write length

tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==445 and smb2.filename contains \"shell.aspx\"" -V


        Filename: shell.aspx
            Blob Offset: 0x00000078
            Blob Length: 20
        Blob Offset: 0x00000000
        Blob Length: 0
        ExtraInfo: NO DATA

show all Write Request lengths from the attacker to find the file upload size

┌──(hidden㉿Ultra)-[~/Desktop/CTF/CD]
└─$ tshark -r capture.pcapng -Y "ip.src==10.0.2.4 and tcp.dstport==445 and smb2.cmd==9" -T fields -e smb2.write_length
1015024

• Filename: shell.aspx (from the Create Request)
• Write length: 1015024 (from the Write Request)

Answer:

shell.aspx, `1015024`

Q5

The newly planted shell calls back to the attacker over an uncommon but firewall-friendly port. Which listening port did the attacker use for the reverse shell?

Answer Format: 0000

Look for outbound connections FROM the IIS server TO the attacker reverse shell callback and see which ports the attacker was listening on

tshark -r capture.pcapng -Y "ip.dst==10.0.2.4" -T fields -e tcp.dstport | sort | uniq -c | sort -nr

-port 4443 has 326 connections

so

tshark -r capture.pcapng -Y "ip.dst==10.0.2.4 and tcp.dstport==4443" -T fields -e frame.time_relative -e tcp.flags | head -10

Check if there's actual shell command

tshark -r capture.pcapng -Y "ip.dst==10.0.2.4 and tcp.dstport==4443" -T fields -e tcp.payload | head -5

and yeah port 4443

Answer:

4443

Memory Dump Analysis

Now the Second Part Memory Dump Analysis:

$ file memdump.mem

Q6

Your memory snapshot captures the system's kernel in situ, providing vital context for the breach. What is the kernel base address in the dump?

Answer Format: **************

python3 vol.py -f ../memdump.mem windows.info

Kernel Base     0xf80079213000
DTB     0x1aa000
Symbols file:///home/hidden/Desktop/CTF/CD/lockdown/volatility3/volatility3/symbols/windows/ntkrnlmp.pdb/EF9A48AFA50FF07C616585BB01919536-1.json.xz
Is64Bit True
IsPAE   False
layer_name      0 WindowsIntel32e
memory_layer    1 FileLayer
KdVersionBlock  0xf80079613f10
Major/Minor     15.17763
MachineType     34404
KeNumberProcessors      4
SystemTime      2024-09-10 06:14:13+00:00
NtSystemRoot    C:\Windows
NtProductType   NtProductServer
NtMajorVersion  10
NtMinorVersion  0
PE MajorOperatingSystemVersion  10
PE MinorOperatingSystemVersion  0
PE Machine      34404
PE TimeDateStamp        Sun Nov 10 07:20:39 2075

Answer:

0xf80079213000

Q7

A trusted service launches an unfamiliar executable residing outside the usual IIS stack, signalling a persistence implant. What is the final full on-disk path of that executable, and which MITRE ATT&CK persistence technique ID corresponds to this behaviour?

Answer Format: *:\***********\*********\*******\***** ****\********\*******\*********.***, *****

python3 vol.py -f ../memdump.mem windows.pslist
python3 vol.py -f ../memdump.mem windows.pstree
python3 vol.py -f ../memdump.mem windows.svcscan

Key findings:

• PID 4332: w3wp.exe - This is the IIS worker process (normal for IIS)
• PID 900: updatenow.exe - This is suspicious! It's launched by w3wp.exe (PID 4332) and is running as a 32-bit process (Wow64=True)

python3 vol.py -f ../memdump.mem windows.cmdline --pid 900
python3 vol.py -f ../memdump.mem windows.filescan | grep -i updatenow

PID 900: updatenow.exe

• Parent: w3wp.exe (PID 4332) - the IIS worker process
• Path: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe
• Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe

MITRE ATT&CK Technique: T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder)

T1547

Answer:

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe, T1547

Q8

The reverse shell's outbound traffic is handled by a built-in Windows process that also spawns the implanted executable. What is the name of this process, and what PID does it run under?

 Answer Format: ****.***, ****

• updatenow.exe (PID 900) is spawned by w3wp.exe (PID 4332)
• w3wp.exe is the IIS worker process that handles web requests
• From the PCAP analysis, we know the reverse shell connected back to the attacker on port 4443

Answer:

w3wp.exe, 4332

Malware Sample Analysis

$ file updatenow.exe 
updatenow.exe: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections

Q9

Static inspection reveals the binary has been packed to hinder analysis. Which packer was used to obfuscate it?

 Answer Format: ***

From the file output: UPX compressed

Answer:

UPX

Q10

Threat-intel analysis shows the malware beaconing to its command-and-control host. Which fully qualified domain name (FQDN) does it contact?

Answer Format: *****.*********.**

d797600296ddbed4497725579d814b7e  updatenow.exe

https://www.virustotal.com/gui/file/c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f/behavior

#### SMTP communications

cp8nl.hyperhost.ua
Destination Ip
[185.174.175.187](https://www.virustotal.com/gui/ip-address/185.174.175.187)
Destination Port

587
Subject
PW_%USERNAME%/%COMPUTERNAME%


Smtp FROM
<blessed4ever@genesio.top>
Smtp TO
<blessed4ever@genesio.top>

Message FROM
blessed4ever@genesio.top
Message TO
blessed4ever@genesio.top

Answer:

cp8nl.hyperhost.ua

Q11

Open-source intel associates that hash with a well-known commodity RAT. To which malware family does the sample belong?

Answer Format: **********

d797600296ddbed4497725579d814b7e  updatenow.exe

https://www.virustotal.com/gui/file/c25a6673a24d169de1bb399d226c12cdc666e0fa534149fc9fa7896ee61d406f/community

Answer:

AgentTesla