search

Reaper

hashtag
Description

Our SIEM alerted us to a suspicious logon event which needs to be looked at immediately . The alert details were that the IP Address and the Source Workstation name were a mismatch .You are provided a network capture and event logs from the surrounding time around the incident timeframe. Corelate the given evidence and report back to your SOC Manager.

hashtag
Files

└─$ 7z x Reaper.zip -P'hacktheblue'
 
└─$ /bin/ls -Alh Reaper
total 1.4M
-rwxrwx--- 1 root vboxsf 308K Jul 31 00:56 ntlmrelay.pcapng
-rwxrwx--- 1 root vboxsf 1.1M Jul 31 01:10 Security.evtx

hashtag
Tasks

hashtag
Task 1. What is the IP Address for Forela-Wkstn001?

My initial thought was to query DNS for IPs, but only FORELA-WKSTN001. We can use NetBIOS to resolve hostnames of internal network computers.

 tshark -Y "nbns" -T fields -e nbns.addr -e nbns.name -r .\ntlmrelay.pcapng | Sort-Object | Get-Unique | Select-String wkst

172.17.79.129   FORELA-WKSTN001<00>,FORELA-WKSTN001<00> (Workstation/Redirector)
172.17.79.129   FORELA-WKSTN001<20>,FORELA-WKSTN001<20> (Server service)
172.17.79.136   FORELA-WKSTN002<00>,FORELA-WKSTN002<00> (Workstation/Redirector)
172.17.79.136   FORELA-WKSTN002<20>,FORELA-WKSTN002<20> (Server service)
circle-check

Answer: 172.17.79.129

hashtag
Task 2. What is the IP Address for Forela-Wkstn002?

circle-check

Answer: 172.17.79.136

hashtag
Task 3. Which user account's hash was stolen by attacker?

Because we have ntlmrelay we should look into LLMNR protocol which in a nutshell is next generation NetBIOS protocol. We can see requests going not to DC, but external IP

Writeup.png

Filtering for NTLMSSP shows unsuccessful authorization requests, but the relay must have stolen user hashes from these requests.

Writeup-1.png

The victim is FORELA\arthur.kyle user

circle-check

Answer: arthur kyle

hashtag
Task 4. What is the IP Address of Unknown Device used by the attacker to intercept credentials?

circle-check

Answer: 172.17.79.135

hashtag
Task 5. What was the fileshare navigated by the victim user account?

Filter smb for connection requests:

Writeup-2.png
circle-info

Hint: Filter for smb2 traffic in Wireshark. Search for keywords "BAD_NETWORK_NAME" in packet details.

circle-check

Answer: \\DC01\Trip

hashtag
Task 6. What is the source port used to logon to target workstation using the compromised account?

The NTLMSSP request from source port of 40252 was successful login.

Writeup-3.png

The event can also be found in evtx file by filtering for event 4624(S): An account was successfully logged onarrow-up-right

circle-check

Answer: 40252

hashtag
Task 7. What is the Logon ID for the malicious session?

circle-check

Answer: 0x64a799

hashtag
Task 8. The detection was based on the mismatch of hostname and the assigned IP Address.What is the workstation name and the source IP Address from which the malicious logon occur?

circle-check

Answer: FORELA-WKSTN002, 172.17.79.135

hashtag
Task 9. When did the malicious logon happened. Please make sure the timestamp is in UTC?

The SystemTime event property shows timestamp in UTC.

circle-check

Answer: 2024-07-31 04:55:16

hashtag
Task 10. What is the share Name accessed as part of the authentication process by the malicious tool used by the attacker?

If we follow the stream from Task 6, we can observe that malicious actor visited share on \\172.17.79.129\IPC$, but that the format is incorrect.

Writeup-4.png

Events log shows that after successful logon \\*\IPC$ was accessed.

Writeup-5.png

  • * is a wildcard that can refer to any available server or computer on the network.

  • IPC$: This is a hidden administrative share used for Inter-Process Communication (IPC) between networked computers. The $ at the end signifies that it's a hidden share, meaning it won't appear in standard network share listings.

circle-check

Answer: \\*\IPC$

PreviousLogjammerNextRecollection

Last updated