ECW - SIEM investigation

Posted on Fri. 22 November 2019 in CTF

SIEM investigation (100 points)

One of our employees, Robert, found a USB key on the harbour dock while walking around during his break and decided to connect it to his workstation. Being very curious, he decided to open files contained in the key. Unfortunately for him, one of the files contained ransomware and all his documents are now encrypted.

The events of his workstation are available in the Graylog SIEM of the Harbour Master's Office (HMO) LAN at this URL: https://hmo-graylog.harbour.lan:8443, using these credentials: analyst / ecw2019

Investigate to understand how the machine was infected, what traces were left on the system, and which files were impacted by the ransomware:

  - What is the name of the USB stick that Robert has plugged into his computer?

  - What is the name of the file opened by Robert that is behind the ransomware execution?

  - How many files have been encrypted?

  - The ransomware has implemented a way of persistence on the system. What is the name of the file that will be executed to maintain the ransomware on the system?

Note: To convert your answers into flags, you have to compute the SHA1 hash of your answer => ECW{SHA1(answer)}.

USB key name

This is probably the step that took us the longest. Not being familiar with the log management system (Graylog), I ended up finding a way to export all the logs to a CSV file so I could use good old grep locally.

The hard part: where do you look for the name of a USB key in the logs of a Windows machine?

After some research, we ended up with a list of Windows registry keys (under the SYSTEM and SOFTWARE hives) that are relevant to USB keys:

Information              Registry key
Serial number            SYSTEM\CurrentControlSet\Enum\USBSTOR
Volume name              SOFTWARE\Microsoft\Windows Portable Devices\Devices
Vendor/product ID        SYSTEM\CurrentControlSet\Enum\USB
Mounted volume letter    SYSTEM\MountedDevices

Here, the one we care about is SOFTWARE\Microsoft\Windows Portable Devices\Devices. More precisely, we look for a log entry in which a value under that key is set (in short, the moment the USB key's name is saved to the registry); with Sysmon that is event ID 13, "Registry value set". In the matching rows below, the value written to FriendlyName under the device's USBSTOR instance path (VEN_GENERIC, PROD_FLASH_DISK, serial 801257DC) is MONEY, which is the answer:

$ grep -E 'Registry value set.*SOFTWARE\\Microsoft\\Windows Portable Devices\\Devices'  logs.csv
"2019-09-27T08:26:56.000Z","DESKTOP-F5ERMDT","SYSTEM","User",,,"Registry value set (rule: RegistryEvent)","Microsoft-Windows-Sysmon/Operational",,,,"MONEY","NT AUTHORITY","13","2019-09-27 10:26:57","INFO",,,"01DNRX9681QWSJFZDQA7G3ZB91",,,"C:\Windows\system32\DrvInst.exe",,"-9223372036854775808",,,"6","Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2","Info","0",,"{6b71f96b-c7cd-5d8d-0000-00102b6b3400}","3252",,,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","505173","INFO","2",,,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07#801257DC&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName",,,"13","5048","S-1-5-18","2019-09-27 08:26:56.186","2"
"2019-09-27T08:26:56.000Z","DESKTOP-F5ERMDT","SYSTEM","User",,,"Registry value set (rule: RegistryEvent)","Microsoft-Windows-Sysmon/Operational",,,,"MONEY","NT AUTHORITY","13","2019-09-27 10:26:57","INFO",,,"01DNRX965ESSGJP7897MG28R60",,,"C:\Windows\System32\WUDFHost.exe",,"-9223372036854775808",,,"6","Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2","Info","0",,"{6b71f96b-c7cf-5d8d-0000-0010b0c53400}","3252",,,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","505127","INFO","2",,,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07#801257DC&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName",,,"13","5048","S-1-5-18","2019-09-27 08:26:55.992","2"
$ echo -n "MONEY" | sha1sum | sed -E 's/^(.)(.*)(.)  -/ECW{\1\2\3}/'
ECW{6bf...723}

Name of the opened file

Here we first looked up which drive letter the USB key's volume was assigned, using the SYSTEM\MountedDevices key.

As before, we look for an entry in which the registry value is set, not created:

$ grep 'Registry value set.*SYSTEM\\MountedDevices' logs.csv
"2019-09-27T08:26:53.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Registry value set (rule: RegistryEvent)","Microsoft-Windows-Sysmon/Operational",,,,,,"Binary Data","NT AUTHORITY","13","2019-09-27 10:26:54","INFO",,"01DNRX93QCFM8D8B11JSRZR611",,,,"System",,,"-9223372036854775808","6",,,"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2",,,,"Info","0",,,,,,,"{6b71f96b-c4b3-5d8d-0000-0010eb030000}","3252",,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","503173",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,"HKLM\SYSTEM\MountedDevices\\??\Volume{b04458c0-e0fe-11e9-b06f-0050569a0156}",,,"13",,"5048",,,"S-1-5-18","2019-09-27 08:26:53.614","2"
"2019-09-27T08:26:53.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Registry value set (rule: RegistryEvent)","Microsoft-Windows-Sysmon/Operational",,,,,,"Binary Data","NT AUTHORITY","13","2019-09-27 10:26:54","INFO",,"01DNRX93QD2F3WF54V03YCEZCF",,,,"System",,,"-9223372036854775808","6",,,"Registry value set:\\r\\nRuleName: \\r\\nEventType: SetValue\\r\\nUtcTime: 2",,,,"Info","0",,,,,,,"{6b71f96b-c4b3-5d8d-0000-0010eb030000}","3252",,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","503175",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,"HKLM\SYSTEM\MountedDevices\\DosDevices\E:",,,"13",,"5048",,,"S-1-5-18","2019-09-27 08:26:53.614","2"
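The two registry lookups above (the FriendlyName write under Windows Portable Devices, then the \DosDevices\E: write under MountedDevices) can be automated instead of eyeballed. The script below is an added example for this writeup, not code from the original post or from the challenge: it decodes the USBSTOR instance path into vendor, product, revision and serial, flags serials that Windows generated itself, and binds each FriendlyName write to the drive-letter write closest in time. The TargetObject strings, the "MONEY" value and the timestamps in SAMPLE_EVENTS are copied from the log rows above; the 30-second correlation window is an assumption.

```python
"""Pull USB-key artefacts out of Sysmon "Registry value set" (event ID 13) rows.

Added example for this writeup; it is not code from the original post or from the
challenge. The TargetObject strings, the "MONEY" value and the timestamps in
SAMPLE_EVENTS are copied from the log rows above; the 30-second correlation
window is an assumption.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional, Tuple

# USBSTOR device-instance path embedded in the Windows Portable Devices key:
#   ...USBSTOR#DISK&VEN_<vendor>&PROD_<product>&REV_<rev>#<instance>#{guid}\FriendlyName
USBSTOR_RE = re.compile(
    r"USBSTOR#DISK&VEN_(?P<vendor>[^&#]*)&PROD_(?P<product>[^&#]*)"
    r"&REV_(?P<rev>[^&#]*)#(?P<instance>[^#]+)#",
    re.IGNORECASE,
)
# Value name "\DosDevices\E:" under HKLM\SYSTEM\MountedDevices (Sysmon writes the
# key path and the value name with a doubled backslash between them).
DOSDEVICE_RE = re.compile(r"MountedDevices\\+DosDevices\\([A-Za-z]):")


@dataclass(frozen=True)
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str
    friendly_name: str
    # Windows generates the instance id itself when the device reports no serial
    # number; such ids have '&' as their second character.
    generated_serial: bool


def parse_usbstor(target_object: str, details: str) -> Optional[UsbDevice]:
    """Decode a FriendlyName write; `details` is the value written (the key's name)."""
    m = USBSTOR_RE.search(target_object)
    if not m or not target_object.lower().endswith("\\friendlyname"):
        return None
    instance = m.group("instance")                 # e.g. "801257DC&0"
    return UsbDevice(
        vendor=m.group("vendor"),
        product=m.group("product"),
        revision=m.group("rev"),
        serial=instance.split("&")[0],             # drop the "&0" interface suffix
        friendly_name=details,
        generated_serial=len(instance) > 1 and instance[1] == "&",
    )


def parse_drive_letter(target_object: str) -> Optional[str]:
    """'E:' for a \\DosDevices\\E: write, None for volume-GUID entries."""
    m = DOSDEVICE_RE.search(target_object)
    return f"{m.group(1).upper()}:" if m else None


Event = Tuple[datetime, str, str]  # (UtcTime, TargetObject, Details)


def correlate(events: Iterable[Event], window: timedelta = timedelta(seconds=30)
              ) -> Dict[UsbDevice, Optional[str]]:
    """Bind each USB FriendlyName write to the drive-letter write nearest in time.

    Sysmon exports the MountedDevices data as "Binary Data", so the device path
    cannot be read from the value itself; time proximity is the only link here.
    """
    mounts, devices = [], []
    for ts, target, details in events:
        dev = parse_usbstor(target, details)
        if dev is not None:
            devices.append((ts, dev))
            continue
        letter = parse_drive_letter(target)
        if letter is not None:
            mounts.append((ts, letter))
    bound: Dict[UsbDevice, Optional[str]] = {}
    for ts, dev in devices:
        near = [(abs(ts - mts), letter) for mts, letter in mounts if abs(ts - mts) <= window]
        bound[dev] = min(near)[1] if near else None
    return bound


# Taken from the three registry rows quoted in the writeup.
SAMPLE_EVENTS: list = [
    (datetime(2019, 9, 27, 8, 26, 53, 614000),
     r"HKLM\SYSTEM\MountedDevices\\??\Volume{b04458c0-e0fe-11e9-b06f-0050569a0156}",
     "Binary Data"),
    (datetime(2019, 9, 27, 8, 26, 53, 614000),
     r"HKLM\SYSTEM\MountedDevices\\DosDevices\E:", "Binary Data"),
    (datetime(2019, 9, 27, 8, 26, 56, 186000),
     r"HKLM\SOFTWARE\Microsoft\Windows Portable Devices\Devices\SWD#WPDBUSENUM#_??_USBSTOR"
     r"#DISK&VEN_GENERIC&PROD_FLASH_DISK&REV_8.07#801257DC&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}\FriendlyName",
     "MONEY"),
]

if __name__ == "__main__":
    for dev, letter in correlate(SAMPLE_EVENTS).items():
        print(f"{dev.friendly_name!r}: {dev.vendor}/{dev.product} rev {dev.revision}, "
              f"serial {dev.serial}{' (generated)' if dev.generated_serial else ''}, "
              f"mounted as {letter}")
```

The same USBSTOR instance path is what you would read offline from the SYSTEM hive under Enum\USBSTOR, so the parser doubles as a quick check when the SIEM only has the Sysmon side of the story.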

The \DosDevices\E: entry tells us the key was mounted as E:. From there, we looked for the processes created that involve a file located on the key, again with grep and a regex:

$ grep -E 'Process Create.*E:\\[a-zA-Z0-9_-]{1,15}\.[a-zA-Z0-9]{1,4}' logs.csv
"2019-09-27T08:28:01.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""& 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa""","Microsoft Corporation",,"E:\","Windows PowerShell",,"NT AUTHORITY","1","2019-09-27 10:28:02","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB6012401ETD2VY33ZBRB",,,"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:01.639\\r\\nP",,,,"Info","0","PowerShell.EXE","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c811-5d8d-0000-00105ae93600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510624",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:01.639","5"
"2019-09-27T08:28:12.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""E:\scvhost.exe""","?",,"E:\","?",,"NT AUTHORITY","1","2019-09-27 10:28:13","INFO","?","01DNRXBGJ64GV4QYSY9QHDF8Q6",,,"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39","E:\scvhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:12.226\\r\\nP",,,,"Info","0","?","""E:\scvhost.exe""","E:\scvhost.exe","{6b71f96b-c81b-5d8d-0000-0010ed433700}","8312",,"{6b71f96b-c81c-5d8d-0000-0010e1493700}","3252",,"?","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511750",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:12.226","5"
[...]
"2019-09-27T08:28:11.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""E:\scvhost.exe""","?",,"E:\","?",,"NT AUTHORITY","1","2019-09-27 10:28:12","INFO","?","01DNRXBFGMQ28DXDKZ2H3KNJJE",,,"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39","E:\scvhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:11.717\\r\\nP",,,,"Info","0","?","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c81b-5d8d-0000-0010ed433700}","3252",,"?","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511649",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:11.717","5"
"2019-09-27T08:29:12.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\system32\NOTEPAD.EXE"" E:\ps.txt","Microsoft Corporation",,"E:\","Notepad",,"NT AUTHORITY","1","2019-09-27 10:29:12","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXDADQ72NPK4NJ0BMXX21V",,,"SHA1=60733DE225B5C4BFC42FB79E5D1A4F6683243E4A,MD5=782877B30735ABD1EAE241F13145F664,SHA256=E46B3CA5A0EBB4A6979F852F50E22BD08C9F2D0206CC04383978BE0172AC88EE,IMPHASH=C8922BE3DCDFEB5994C9EEE7745DC22E","C:\Windows\System32\notepad.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:29:12.216\\r\\nP",,,,"Info","0","NOTEPAD.EXE","C:\Windows\Explorer.EXE","C:\Windows\explorer.exe","{6b71f96b-c4e5-5d8d-0000-001074f30a00}","5320",,"{6b71f96b-c858-5d8d-0000-00109a9c4000}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","534488",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:29:12.216","5"

We notice PowerShell being launched with a command line that first lowers the execution policy for that process and then runs a script from the key (shown here with the CSV quoting removed):

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'"

So we have the name of the file that started the ransomware: top_secret.pdf.ps1. The double extension makes it look like a PDF. Its parent process is explorer.exe (see the Process Create entries in the next section), and this exact -Command string is the one Windows generates for the "Run with PowerShell" entry of Explorer's context menu: Robert opened the "PDF" from the Explorer shell, and the script ran with the execution policy bypassed for that process.

As before, sha1sum of the name:

$ echo -n "top_secret.pdf.ps1" | sha1sum | sed -E 's/^(.)(.*)(.)  -/ECW{\1\2\3}/'
ECW{7d8...963}

Number of encrypted files

We first looked at the log entries associated with the file that started the ransomware:

$ grep 'top_secret.pdf.ps1' logs.csv
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational",,,"2019-09-27 08:28:00.834",,,,"NT AUTHORITY","11","2019-09-27 10:28:01","INFO",,"01DNRXB4NXAGTKA4E73B89R1MF",,,,"C:\Windows\Explorer.EXE",,,"-9223372036854775808","6",,,"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.834\\r\\nPro",,,,"Info","0",,,,,,,"{6b71f96b-c4e5-5d8d-0000-001074f30a00}","3252",,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510159",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,"C:\Users\robert\AppData\Roaming\Microsoft\Windows\Recent\top_secret.pdf.ps1.lnk",,,,,"11",,"5048",,,"S-1-5-18","2019-09-27 08:28:00.834","2"
"2019-09-27T08:28:01.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""& 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa""","Microsoft Corporation",,"E:\","Windows PowerShell",,"NT AUTHORITY","1","2019-09-27 10:28:02","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB6012401ETD2VY33ZBRB",,,"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:01.639\\r\\nP",,,,"Info","0","PowerShell.EXE","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c811-5d8d-0000-00105ae93600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510624",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:01.639","5"
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","Microsoft Corporation",,"E:\","Windows PowerShell",,"NT AUTHORITY","1","2019-09-27 10:28:01","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB4M2QN12SYTBJM471EHC",,,"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.767\\r\\nP",,,,"Info","0","PowerShell.EXE","C:\Windows\Explorer.EXE","C:\Windows\explorer.exe","{6b71f96b-c4e5-5d8d-0000-001074f30a00}","5320",,"{6b71f96b-c810-5d8d-0000-0010eeae3600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510093",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:00.767","5"
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1","Microsoft Corporation",,"C:\Windows","Console Window Host",,"NT AUTHORITY","1","2019-09-27 10:28:01","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB4MHZ0RCMJMTRQPT1XRX",,,"SHA1=A32A03532A2AC2CA9C9F67FF4E7FB45680985DF9,MD5=4C41666923A14DC687DEEE3B143AFB55,SHA256=4DD0F069254FE5577D5A478B70093049B4E062BB7760094E50090F6790456DAE,IMPHASH=76923AA1BF85799F169FC2A8BB03894A","C:\Windows\System32\conhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.778\\r\\nP",,,,"Info","0","CONHOST.EXE","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c810-5d8d-0000-00101bb03600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510113",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:00.778","5"
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,,,,"Process Creation","Security","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""",,,,,,,"4688","2019-09-27 10:28:02","AUDIT_SUCCESS",,"01DNRXB5S8Z2H46S6EW7E5ZD4Q",,,,,,,"-9214364837600034816","6",,,"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n    Security I",,,,"Info","0",,,,,,,,"4",,,"{54849625-5478-4994-A5BA-3E3B0328C30D}","66720",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Security-Auditing",,,,,"DESKTOP-F5ERMDT","0x9254f","robert","S-1-5-21-4014005275-3135484918-1388781346-1001",,,,,,"13312",,"1800",,,,,"2"
"2019-09-27T08:28:11.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""E:\scvhost.exe""","?",,"E:\","?",,"NT AUTHORITY","1","2019-09-27 10:28:12","INFO","?","01DNRXBFGMQ28DXDKZ2H3KNJJE",,,"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39","E:\scvhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:11.717\\r\\nP",,,,"Info","0","?","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c81b-5d8d-0000-0010ed433700}","3252",,"?","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511649",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:11.717","5"

But in these entries there was nothing that looked like file modifications, apart from the creation of a shortcut to top_secret.pdf.ps1 in C:\Users\robert\AppData\Roaming\Microsoft\Windows\Recent, which is the trace Explorer leaves when a file is opened through the shell and confirms that Robert opened it himself.

So we looked at the processes created by top_secret.pdf.ps1:

$ grep -E 'Process Create.*top_secret.pdf.ps1' logs.csv
"2019-09-27T08:28:01.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" -c ""& 'C:\Program Files\7-Zip\7z.exe' x .\robber.pdf.7z -pazerty -aoa""","Microsoft Corporation",,"E:\","Windows PowerShell",,"NT AUTHORITY","1","2019-09-27 10:28:02","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB6012401ETD2VY33ZBRB",,,"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:01.639\\r\\nP",,,,"Info","0","PowerShell.EXE","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c811-5d8d-0000-00105ae93600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510624",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:01.639","5"
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","Microsoft Corporation",,"E:\","Windows PowerShell",,"NT AUTHORITY","1","2019-09-27 10:28:01","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB4M2QN12SYTBJM471EHC",,,"SHA1=6CBCE4A295C163791B60FC23D285E6D84F28EE4C,MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.767\\r\\nP",,,,"Info","0","PowerShell.EXE","C:\Windows\Explorer.EXE","C:\Windows\explorer.exe","{6b71f96b-c4e5-5d8d-0000-001074f30a00}","5320",,"{6b71f96b-c810-5d8d-0000-0010eeae3600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510093",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:00.767","5"
"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1","Microsoft Corporation",,"C:\Windows","Console Window Host",,"NT AUTHORITY","1","2019-09-27 10:28:01","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXB4MHZ0RCMJMTRQPT1XRX",,,"SHA1=A32A03532A2AC2CA9C9F67FF4E7FB45680985DF9,MD5=4C41666923A14DC687DEEE3B143AFB55,SHA256=4DD0F069254FE5577D5A478B70093049B4E062BB7760094E50090F6790456DAE,IMPHASH=76923AA1BF85799F169FC2A8BB03894A","C:\Windows\System32\conhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:00.778\\r\\nP",,,,"Info","0","CONHOST.EXE","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c810-5d8d-0000-00101bb03600}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","510113",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:00.778","5"
"2019-09-27T08:28:11.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""E:\scvhost.exe""","?",,"E:\","?",,"NT AUTHORITY","1","2019-09-27 10:28:12","INFO","?","01DNRXBFGMQ28DXDKZ2H3KNJJE",,,"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39","E:\scvhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:11.717\\r\\nP",,,,"Info","0","?","""C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"" ""-Command"" ""if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'E:\top_secret.pdf.ps1'""","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","{6b71f96b-c810-5d8d-0000-0010eeae3600}","9072",,"{6b71f96b-c81b-5d8d-0000-0010ed433700}","3252",,"?","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511649",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:11.717","5"

And we see that it runs another file from the key, scvhost.exe, whose name closely mimics a native Windows process, svchost.exe (Service Host): two letters are swapped, and unlike the real one it runs from E:\, carries no version, company or description information (the "?" fields) and is started by a PowerShell script. The same script also spawns a second PowerShell that extracts a password-protected archive from the key with 7-Zip (7z.exe x .\robber.pdf.7z -pazerty -aoa), a common way of keeping a payload from being inspected while it sits on the media.

Searching the log entries for this process, we notice many FileCreate entries with ordinary file names to which the .hackerman extension has been appended (e.g. C:\Users\robert\Pictures\Lighthouse.jpg.hackerman).

We deduced that these were the files encrypted by the ransomware.

To count them, grep and wc are enough. The count assumes one FileCreate event per encrypted file, so before hashing the number it is worth checking that the matched paths are distinct and that they all come from scvhost.exe:

$ grep -E 'FileCreate.*\.hackerman\"' logs.csv | wc -l
2779
$ grep -E 'FileCreate.*\.hackerman\"' logs.csv | wc -l | tr --delete '\n' | sha1sum | sed -E 's/^(.)(.*)(.)  -/ECW{\1\2\3}/'
ECW{958...72b}
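The grep | wc -l count works on this export, but it trusts that every matching line is a distinct file. The script below is an added example for this writeup, not code from the original post: it parses the export with the csv module (so the doubled quotes are handled), pulls the Sysmon "File created" rows, deduplicates by path, breaks the count down by creating process and by directory, and also builds a histogram of created-file extensions, which generalises the .hackerman search to a ransomware run whose extension you do not know in advance. Because the Graylog export has no header and its column layout differs between event types (compare the registry rows and the process rows above), rows are scanned for the message label, for Windows paths and for the UtcTime field rather than indexed by column; the one assumption taken from the rows above is that the creating process (Image) appears before the created file (TargetFilename). SAMPLE_CSV is constructed for this example and cut down to a few columns, with one row duplicated on purpose.

```python
"""Count ransomware-encrypted files from Sysmon "File created" (event ID 11) rows
of a Graylog CSV export.

Added example for this writeup, not code from the original post. The export has
no header row and the column layout differs between event types, so rows are
scanned for the Sysmon message label, for Windows paths and for the UtcTime field
instead of using fixed column indexes. Assumption taken from the rows in the
writeup: the creating process (Image) appears before the created file
(TargetFilename). SAMPLE_CSV is constructed and shortened to a few columns; the
Lighthouse row is duplicated on purpose and the notepad row is not a FileCreate.
"""
import csv
import io
import re
from collections import Counter
from typing import Iterator, Tuple

FILE_CREATED = "File created (rule: FileCreate)"
WIN_PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
UTC_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}$")  # Sysmon UtcTime

SAMPLE_CSV = r'''"2019-09-27T08:28:00.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","C:\Windows\Explorer.EXE","C:\Users\robert\AppData\Roaming\Microsoft\Windows\Recent\top_secret.pdf.ps1.lnk","2019-09-27 08:28:00.834"
"2019-09-27T08:28:11.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe","C:\Users\robert\AppData\Roaming\WINDefender.exe","2019-09-27 08:28:11.694"
"2019-09-27T08:28:20.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","E:\scvhost.exe","C:\Users\robert\Pictures\Lighthouse.jpg.hackerman","2019-09-27 08:28:20.101"
"2019-09-27T08:28:20.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","E:\scvhost.exe","C:\Users\robert\Pictures\Lighthouse.jpg.hackerman","2019-09-27 08:28:20.101"
"2019-09-27T08:28:21.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","E:\scvhost.exe","C:\Users\robert\Documents\report.docx.hackerman","2019-09-27 08:28:21.340"
"2019-09-27T08:29:12.000Z","DESKTOP-F5ERMDT","Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""C:\Windows\system32\NOTEPAD.EXE"" E:\ps.txt","C:\Windows\System32\notepad.exe","2019-09-27 08:29:12.216"
"2019-09-27T08:29:30.000Z","DESKTOP-F5ERMDT","File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational","E:\scvhost.exe","C:\Users\robert\Desktop\README.hackerman","2019-09-27 08:29:30.000"
'''


def file_created_rows(csv_text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (UtcTime, Image, TargetFilename) for every Sysmon FileCreate row."""
    for row in csv.reader(io.StringIO(csv_text)):
        if FILE_CREATED not in row:
            continue
        paths = [f for f in row if WIN_PATH_RE.match(f)]
        times = [f for f in row if UTC_RE.match(f)]
        if len(paths) < 2 or not times:
            continue
        yield times[0], paths[0], paths[1]   # Image precedes TargetFilename (assumed)


def count_encrypted(csv_text: str, extension: str = ".hackerman") -> dict:
    """Distinct created files carrying `extension`, broken down by creating process
    and by directory (drive + three components), with the time span of the run."""
    seen = set()
    by_image: Counter = Counter()
    by_dir: Counter = Counter()
    first = last = None
    for ts, image, target in file_created_rows(csv_text):
        if not target.lower().endswith(extension.lower()) or target in seen:
            continue                                      # other files and duplicates
        seen.add(target)
        by_image[image] += 1
        by_dir["\\".join(target.split("\\")[:4])] += 1    # e.g. C:\Users\robert\Pictures
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {"count": len(seen), "by_image": dict(by_image), "by_dir": dict(by_dir),
            "first": first, "last": last}


def extension_histogram(csv_text: str) -> Counter:
    """Extension of every distinct created file. A ransomware run shows up as one
    unfamiliar extension dominating the histogram, whatever it is called."""
    seen = set()
    hist: Counter = Counter()
    for _, _, target in file_created_rows(csv_text):
        if target in seen:
            continue
        seen.add(target)
        name = target.rsplit("\\", 1)[-1]
        hist["." + name.rsplit(".", 1)[-1].lower() if "." in name else "(none)"] += 1
    return hist


if __name__ == "__main__":
    summary = count_encrypted(SAMPLE_CSV)
    print(f"{summary['count']} encrypted files between {summary['first']} and {summary['last']}")
    for image, n in summary["by_image"].items():
        print(f"  created by {image}: {n}")
    print("extensions seen:", dict(extension_histogram(SAMPLE_CSV).most_common()))
```

Run against the real export, `count_encrypted(open("logs.csv").read())["count"]` should agree with the grep | wc -l figure; a lower number means the export contained duplicate events, a `by_image` entry other than E:\scvhost.exe means another process was also writing .hackerman files.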

Persistence

Unfortunately we did not have time to find this last flag during the CTF, but here is its solution anyway.

Since we found that most of the ransomware's logic lives in scvhost.exe, we looked for the processes created by scvhost.exe (the second grep drops the rows in which scvhost.exe is itself the child of the PowerShell script):

$ grep -E 'Process Create.*scvhost.exe' logs.csv | grep -v 'top_secret.pdf.ps1'
"2019-09-27T08:28:12.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","""E:\scvhost.exe""","?",,"E:\","?",,"NT AUTHORITY","1","2019-09-27 10:28:13","INFO","?","01DNRXBGJ64GV4QYSY9QHDF8Q6",,,"SHA1=AB46FD10A9562CDDA95B0EB5DD475BC5E41DA55E,MD5=79F0ED40895935BFF57D763B63B77DA2,SHA256=F20AC7A598D2BDC4FE4F1936BFCB5C0A0406A4E66D292578783B77552F7E5F3C,IMPHASH=FC40519AF20116C903E3FF836E366E39","E:\scvhost.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:12.226\\r\\nP",,,,"Info","0","?","""E:\scvhost.exe""","E:\scvhost.exe","{6b71f96b-c81b-5d8d-0000-0010ed433700}","8312",,"{6b71f96b-c81c-5d8d-0000-0010e1493700}","3252",,"?","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511750",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:12.226","5"
"2019-09-27T08:28:13.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY","Microsoft Corporation",,"E:\","Task Scheduler Configuration Tool",,"NT AUTHORITY","1","2019-09-27 10:28:16","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXBKQMZT9Q2G5XYERS9YBN",,,"SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8","C:\Windows\SysWOW64\schtasks.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:13.974\\r\\nP",,,,"Info","0","schtasks.exe","""E:\scvhost.exe""","E:\scvhost.exe","{6b71f96b-c81c-5d8d-0000-0010e1493700}","5428",,"{6b71f96b-c81d-5d8d-0000-00102b973700}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","512731",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:13.974","5"
"2019-09-27T08:28:12.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","TASKLIST /FI ""imagename eq payload.py""","Microsoft Corporation",,"E:\","Lists the current running tasks",,"NT AUTHORITY","1","2019-09-27 10:28:13","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXBGQ97R07WE3QQ0S1BPPG",,,"SHA1=514103BF51B9006D80D0D75018A56E3AF6D03428,MD5=2185AD666AA7188AC9DB4E33DC6A2838,SHA256=B4A874C5CCFA9A698E4A56D7453105CC7617802C385ABE1603760A9BB33D39ED,IMPHASH=D16A743355B243B7509AE74891F10F6B","C:\Windows\SysWOW64\tasklist.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:12.777\\r\\nP",,,,"Info","0","tasklist.exe","""E:\scvhost.exe""","E:\scvhost.exe","{6b71f96b-c81c-5d8d-0000-0010e1493700}","5428",,"{6b71f96b-c81c-5d8d-0000-0010115e3700}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511935",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:12.777","5"

And there it is: schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY.

The ransomware created a scheduled task named Security\AntivirusScan that will run the file WINDefender.exe every day (/sc DAILY); /f overwrites any existing task of the same name. Both the task name and the binary name imitate Windows Defender, and the binary is dropped in a user-writable folder: the classic scheduled-task persistence pattern (MITRE ATT&CK T1053.005). On a live host, schtasks /query /tn Security\AntivirusScan /xml would show the registered action; with a fuller collection, the Microsoft-Windows-TaskScheduler/Operational channel (event 106, task registered) and, with the right audit policy, Security event 4698 would record the same creation. As a side observation, scvhost.exe also respawns itself and runs tasklist /FI "imagename eq payload.py", which looks like a packaged Python script checking whether it is already running.

Looking at the logs, we see that WINDefender.exe was created two seconds before scvhost.exe registered the task, and not by scvhost.exe but by the PowerShell process running top_secret.pdf.ps1 (its ProcessGuid {6b71f96b-c810-5d8d-0000-0010eeae3600} matches the one in the Process Create entry above):

$ grep 'WINDefender' logs.csv
"2019-09-27T08:28:13.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"Process Create (rule: ProcessCreate)","Microsoft-Windows-Sysmon/Operational","schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY","Microsoft Corporation",,"E:\","Task Scheduler Configuration Tool",,"NT AUTHORITY","1","2019-09-27 10:28:16","INFO","10.0.17763.1 (WinBuild.160101.0800)","01DNRXBKQMZT9Q2G5XYERS9YBN",,,"SHA1=77F125CE5840293890E1359483C7104AADE25FA7,MD5=5BD86A7193D38880F339D4AFB1F9B63A,SHA256=72900A86F3BED7570AA708657A76DD76BB80B68DB543D303DA401AC6983E39CE,IMPHASH=012D1B3C5FD8B10F0F36DB7243A28CB8","C:\Windows\SysWOW64\schtasks.exe",,"Medium","-9223372036854775808","6","{6b71f96b-c4e0-5d8d-0000-00204f250900}","0x9254f","Process Create:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:13.974\\r\\nP",,,,"Info","0","schtasks.exe","""E:\scvhost.exe""","E:\scvhost.exe","{6b71f96b-c81c-5d8d-0000-0010e1493700}","5428",,"{6b71f96b-c81d-5d8d-0000-00102b973700}","3252",,"Microsoft® Windows® Operating System","{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","512731",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,,,,,,"1","1","5048",,"DESKTOP-F5ERMDT\robert","S-1-5-18","2019-09-27 08:28:13.974","5"
"2019-09-27T08:28:11.000Z","DESKTOP-F5ERMDT",,,,"SYSTEM","User",,"File created (rule: FileCreate)","Microsoft-Windows-Sysmon/Operational",,,"2019-09-27 08:28:11.694",,,,"NT AUTHORITY","11","2019-09-27 10:28:12","INFO",,"01DNRXBFGKC5BVTGRP6PY02FWF",,,,"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",,,"-9223372036854775808","6",,,"File created:\\r\\nRuleName: \\r\\nUtcTime: 2019-09-27 08:28:11.694\\r\\nPro",,,,"Info","0",,,,,,,"{6b71f96b-c810-5d8d-0000-0010eeae3600}","3252",,,"{5770385F-C22A-43E0-BF4C-06F5698FFBD9}","511648",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Sysmon",,,,,,,,,"C:\Users\robert\AppData\Roaming\WINDefender.exe",,,,,"11",,"5048",,,"S-1-5-18","2019-09-27 08:28:11.694","2"
"2019-09-27T08:28:13.000Z","DESKTOP-F5ERMDT",,,,,,,"Process Creation","Security","schtasks.exe /create /f /tn Security\AntivirusScan /tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY",,,,,,,"4688","2019-09-27 10:28:17","AUDIT_SUCCESS",,"01DNRXBMNRBYNTWMFPZM0JZESX",,,,,,,"-9214364837600034816","6",,,"A new process has been created.\\r\\n\\r\\nCreator Subject:\\r\\n  Security I",,,,"Info","0",,,,,,,,"4",,,"{54849625-5478-4994-A5BA-3E3B0328C30D}","66827",,,"INFO","2",,,,,"event","im_msvistalog","Microsoft-Windows-Security-Auditing",,,,,"DESKTOP-F5ERMDT","0x9254f","robert","S-1-5-21-4014005275-3135484918-1388781346-1001",,,,,,"13312",,"8884",,,,,"2"
$ echo -n "WINDefender.exe" | sha1sum | sed -E 's/^(.)(.*)(.)  -/ECW{\1\2\3}/'
ECW{2d8...6f4}
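Finding the schtasks line by hand worked here because there was one; in a larger export you want the persistence pulled out and scored automatically. The script below is an added example for this writeup, not code from the original post: it parses `schtasks /create` command lines from Sysmon Process Create events into their switches (/tn, /tr, /sc, /st, /ru, /rl, /f) and applies a few heuristics of its own (action binary in a user-writable location, name imitating a security or update component, /f, SYSTEM account, non-Windows parent). The first command line in SAMPLE_EVENTS is the one found in the logs above; the other two are constructed to exercise quoted paths, extra switches and a non-creation schtasks call.

```python
"""Extract scheduled-task persistence from Sysmon "Process Create" command lines.

Added example for this writeup, not code from the original post. The first
command line in SAMPLE_EVENTS is the one found in the logs above; the other two
are constructed. The heuristics in is_suspicious are this example's own, not a
rule set from the challenge.
"""
import re
from typing import List, Optional, Tuple

SCHTASKS_RE = re.compile(r'^\s*"?(?:[^"\s]*\\)?schtasks(?:\.exe)?"?\s', re.IGNORECASE)
SWITCH_RE = re.compile(
    r'/(?P<name>tn|tr|sc|st|sd|mo|ru|rp|rl)\s+(?P<value>"[^"]*"|\S+)', re.IGNORECASE)
# Locations an unprivileged user can write to; a task whose action lives there
# was not installed by the OS or by a system-wide installer.
USER_WRITABLE_RE = re.compile(
    r"^[A-Za-z]:\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)|"
    r"ProgramData|Windows\\Temp|Users\\Public)\\",
    re.IGNORECASE,
)
LOOKALIKE_RE = re.compile(r"defender|antivirus|security|update|windows", re.IGNORECASE)


def parse_schtasks_create(cmdline: str) -> Optional[dict]:
    """Switches of a `schtasks /create` command line as a dict (keys tn, tr, sc, ...
    plus a 'force' flag), or None when the command is not a task creation."""
    if not SCHTASKS_RE.match(cmdline) or not re.search(r"\s/create\b", cmdline, re.IGNORECASE):
        return None
    task = {m.group("name").lower(): m.group("value").strip('"')
            for m in SWITCH_RE.finditer(cmdline)}
    task["force"] = re.search(r"\s/f\b", cmdline, re.IGNORECASE) is not None
    return task


def is_suspicious(task: dict, parent_image: str) -> List[str]:
    """Reasons the creation looks like persistence (MITRE ATT&CK T1053.005) rather
    than administration. Heuristics, not a verdict: installers trip some of them."""
    reasons = []
    if USER_WRITABLE_RE.match(task.get("tr", "")):
        reasons.append("action binary lives in a user-writable location")
    if LOOKALIKE_RE.search(task.get("tn", "")):
        reasons.append("task name imitates a Windows security or update component")
    if task.get("force"):
        reasons.append("/f silently replaces any existing task of that name")
    if task.get("ru", "").upper() in {"SYSTEM", "NT AUTHORITY\\SYSTEM"}:
        reasons.append("task runs as SYSTEM")
    if not re.match(r"^[A-Za-z]:\\Windows\\", parent_image, re.IGNORECASE):
        reasons.append(f"schtasks launched by {parent_image}, not a Windows binary")
    return reasons


def find_persistence(events) -> List[Tuple[dict, List[str]]]:
    """(task, reasons) for every task-creating command line in (cmdline, parent) events."""
    found = []
    for cmdline, parent in events:
        task = parse_schtasks_create(cmdline)
        if task is not None:
            found.append((task, is_suspicious(task, parent)))
    return found


SAMPLE_EVENTS = [
    # From the writeup's logs: scvhost.exe on the USB key registering WINDefender.exe.
    (r"schtasks.exe /create /f /tn Security\AntivirusScan "
     r"/tr C:\Users\robert\AppData\Roaming\WINDefender.exe /sc DAILY",
     r"E:\scvhost.exe"),
    # Constructed: a weekly maintenance task created from an elevated cmd.exe.
    (r'"C:\Windows\System32\schtasks.exe" /create /tn "Maintenance\Backup" '
     r'/tr "C:\Program Files\Backup\backup.exe" /sc WEEKLY /st 03:00 /ru SYSTEM /rl HIGHEST',
     r"C:\Windows\System32\cmd.exe"),
    # Constructed: a query, not a creation; must be ignored.
    (r"schtasks.exe /query /tn Security\AntivirusScan /xml", r"C:\Windows\System32\cmd.exe"),
]

if __name__ == "__main__":
    for task, reasons in find_persistence(SAMPLE_EVENTS):
        print(f"{task.get('tn')} -> {task.get('tr')} ({task.get('sc')})")
        for r in reasons:
            print("   !", r)
```

The Sysmon row gives both inputs: CommandLine for the parser and ParentImage for the parent check. The constructed backup task still scores one reason (it runs as SYSTEM), which is the point of returning a list rather than a boolean: an analyst triages on how many reasons stack up, not on any single one.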

Thanks to the organizers for the CTF and to you for reading!

Killbit