
TickTock

Scenario

Gladys is a new joiner at the company. She has received an email informing her that the IT department is due to do some work on her PC and asking her to call the IT team, who will explain how to grant them remote access. The "IT team" is in fact a group of attackers targeting Forela.

The Sherlock archive contains a rapid triage collection made with KAPE on a Windows host. The collection includes parts of the C:\ partition and the log files relevant for forensics.

Information Gathering

Rapid triage dumps contain a lot of logging data that needs to be organized and processed before use. Some of the most important data sources collected by KAPE include:

  • The Master File Table ($MFT): A table of records for all files and folders stored on the NTFS volume.
  • Event logs (C:\Windows\System32\winevt\logs): System logs in the .evtx format, collected by Windows.
  • User profile data (C:\Users\<user>): Local profiles store settings and temporary files that might prove useful forensically.

There are several approaches for organizing and analyzing the collected data, but the most widely used toolkit is Eric Zimmerman's tools. Regardless of the method used for further analysis, EvtxECmd and MFTECmd from the Zimmerman suite are essential for parsing the event logs and the MFT, respectively.

The toolkit is built for Windows and parses the input files into JSON or CSV. The output can then be analyzed using tools like Timeline Explorer or MFT Explorer. Alternatively, the JSON output, which is written as one record per line (JSON Lines), can be searched directly with tools like grep and jq.

The MFT is parsed using MFTECmd like so:

PS Z:\sherlocks\ticktock\Collection\C> mftecmd.exe -f '$MFT' --json Z:\sherlocks\ticktock\C --csv Z:\sherlocks\ticktock\C
MFTECmd version 1.2.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd

Command line: -f $MFT --json Z:\sherlocks\ticktock\C --csv Z:\sherlocks\ticktock\C

Warning: Administrator privileges not found!

File type: Mft

Processed $MFT in 2.5914 seconds

$MFT: FILE records found: 120,652 (Free records: 11,126) File size: 128.8MB
Path to Z:\sherlocks\ticktock\C doesn't exist. Creating...
        CSV output will be saved to Z:\sherlocks\ticktock\C\20250510223301_MFTECmd_$MFT_Output.csv
        JSON output will be saved to Z:\sherlocks\ticktock\C\20250510223301_MFTECmd_$MFT_Output.json

Note

If using PowerShell, the path to the $MFT file has to be enclosed in single quotes to prevent PowerShell from expanding $MFT as a variable (which would silently pass an empty path). This is not an issue when using cmd.exe.

Windows stores event logs in C:\Windows\System32\winevt\logs as multiple .evtx files. Using EvtxECmd the files can be combined into a single JSON file like so:

PS> EvtxECmd.exe -d Z:\sherlocks\ticktock\Collection\C\Windows\System32\winevt\logs --json Z:\sherlocks\ticktock
...
Event log details
Flags: IsDirty
Chunk count: 1
Stored/Calculated CRC: F7876ABD/F7876ABD
Earliest timestamp: 2022-10-27 08:18:56.0000000
Latest timestamp:   2023-05-04 11:38:16.0000000
Total event log records found: 83

Records included: 83 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
400             10
403             9
600             64

Processed 74 files in 24.5386 seconds


Files with errors
Z:\sherlocks\ticktock\Collection\C\Windows\System32\winevt\logs\Microsoft-Windows-CAPI2%4Operational.evtx error count: 99
Z:\sherlocks\ticktock\Collection\C\Windows\System32\winevt\logs\Microsoft-Windows-Sysmon%4Operational.evtx error count: 1

With the logs combined into one JSON Lines file, grepping for specific items becomes much easier. For instance, every record whose command line contains powershell.exe -e (an encoded, inline PowerShell invocation) can be listed:

$ grep "powershell.exe -e" 20250511141538_EvtxECmd_Output.json | jq               
{
  "PayloadData1": "ProcessID: 3804, ProcessGUID: 5080714d-8150-6453-0d03-000000000700",
  "PayloadData2": "RuleName: -",
  "PayloadData3": "MD5=190E6E0CDBEF529941D9E5F8F979F5D9,SHA256=8787D4B624880012ABDB442532BE762DB0361DECE169FEF9E1E877A9DF9E00CB,IMPHASH=44B4867FED7460EEC45FBEE7804BB612",
  "PayloadData4": "ParentProcess: -",
  "PayloadData5": "ParentProcessID: 5768, ParentProcessGUID: 00000000-0000-0000-0000-000000000000",
  "PayloadData6": "ParentCommandLine: -",
  "UserName": "DESKTOP-R30EAMH\\gladys",
  "ExecutableInfo": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e JABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgAD0AIABDAG8AbgB...
...

Chainsaw

Chainsaw is a tool for analysing forensic artefacts from Windows systems using pre-defined Sigma detection rules. This helps filter out non-relevant log entries and focus on events that are of interest.

Chainsaw operates directly on the .evtx event files. Besides its own built-in rules, it can run Sigma detection rules, which must be supplied separately together with a mapping file that tells Chainsaw how the Sigma field names correspond to event-log fields (the sigma-event-logs-all.yml used below).

The event logs can be analysed with Chainsaw like so:

$ chainsaw hunt --skip-errors -s ~/sboxshare/tools/sigma -r /usr/share/chainsaw/rules -m /usr/share/chainsaw/mappings/sigma-event-logs-all.yml -o ../chainsaw_hunt.log ../Collection/C/Windows/System32/winevt/logs

Failure

During processing, Chainsaw failed to analyze the Microsoft-Windows-Sysmon%4Operational.evtx event log with the following error:

[!] failed to parse document '../Collection/C/Windows/System32/winevt/logs/Microsoft-Windows-Sysmon%4Operational.evtx' - An error occurred while trying to deserialize evtx stream

Unfortunately, as this particular log is essential for several of the questions below, Chainsaw's report is missing crucial data. EvtxECmd parsed the same file with only a single record error (see above), so the Sysmon events are still available through the combined JSON output.

Once done, Chainsaw produces a plain text report of its findings. The file is organized by detection group, which makes it much easier to navigate the event logs, find IOCs and pinpoint when important events occurred.

Splunk

An alternative to analyzing the output from EvtxECmd.exe with tools like grep is to upload the data to a SIEM like Splunk. The upside is a better overview of the data, which helps in finding potentially interesting details.

Other Logs

Aside from the logging data collected by Windows' event logging system, some parts of the OS store their own logs, primarily as text files in various locations.

Some potentially useful logs in this category include:

  • PowerShell history: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
    • PSReadLine's record of the commands a user typed interactively into a PowerShell console. Commands run from scripts or passed via -EncodedCommand are not recorded here, so it complements the event logs rather than replacing them.
  • Windows Defender log: C:\ProgramData\Microsoft\Windows Defender\Support
    • Contains the MPLog-*.log files written by the Defender engine, including scan results, SDN (cloud) lookups with file hashes, and detection events. These files are UTF-16LE encoded, so grep will not match plain ASCII patterns unless the file is first converted (e.g. with iconv -f UTF-16LE -t UTF-8) or searched with a UTF-16-aware tool.

Tasks

What was the name of the executable that was uploaded as a C2 Agent?

Looking through the rapid triage dump, there is a TeamViewer folder under C:\Users\gladys\AppData\Local. TeamViewer is most likely the remote access tool mentioned in the scenario.

There is a log file, TeamViewer15_Logfile.log, under Logs in that folder. Searching the file for .exe turned up the following:

...
2023/05/04 11:21:30.830  4428       4688 G3   tvnetwork::StreamManagerInternals::ReadStreamParameters: type=6 (StreamType_File, private), streamTypeUuid={39f8c238-87a6-4fc5-8173-872482924948}, source=[1761879737,-207968498], features=1, compression=2 streamID=35
2023/05/04 11:21:30.996  4428       6012 G3   Write file C:\Users\gladys\Desktop\merlin.exe
2023/05/04 11:21:34.398  4428       6012 G3   Download from "merlin.exe" to "C:\Users\gladys\Desktop\merlin.exe" (10.95 MB)
2023/05/04 11:21:34.537  4428       3252 G3   TaskbarProgress::ProgressWorkerFunc: Worker end.
...

The uploaded executable is merlin.exe.

What was the session id for in the initial access?

This is the first session ID recorded in the TeamViewer15_Logfile.log:

2023/05/04 11:35:27.433  5716       5840 D3   SessionManagerDesktop::IncomingConnection: Connection incoming, sessionID = -2102926010

The attacker attempted to set a bitlocker password on the C: drive what was the password?

The Chainsaw report lists several suspicious entries under its PowerShell Engine State group, each showing powershell.exe launched with an encoded (-e) command line.

[Screenshot of one such Chainsaw entry omitted]

The full content of the entry can be found by searching for a distinctive part of the event details, e.g. powershell.exe -e JABTAGUAYwB1AHIAZQB, in the combined event log output from EvtxECmd.exe:

$ grep "powershell.exe -e JABTAGUAYwB1AHIAZQB" 20250511141538_EvtxECmd_Output.json| jq
{
  "PayloadData1": "ProcessID: 3804, ProcessGUID: 5080714d-8150-6453-0d03-000000000700",
  "PayloadData2": "RuleName: -",
  "PayloadData3": "MD5=190E6E0CDBEF529941D9E5F8F979F5D9,SHA256=8787D4B624880012ABDB442532BE762DB0361DECE169FEF9E1E877A9DF9E00CB,IMPHASH=44B4867FED7460EEC45FBEE7804BB612",    
  "PayloadData4": "ParentProcess: -",
  "PayloadData5": "ParentProcessID: 5768, ParentProcessGUID: 00000000-0000-0000-0000-000000000000",                                                                           
  "PayloadData6": "ParentCommandLine: -",
  "UserName": "DESKTOP-R30EAMH\\gladys",
  "ExecutableInfo": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -e JABTAGUAYwB1AHIAZQBTAHQAcgBpAG4AZwAgAD0AIABDAG8AbgB...",
  "MapDescription": "Process creation",
...

Base64-decoding the payload and interpreting the bytes as UTF-16LE (the encoding powershell.exe expects for -EncodedCommand) produces the following:

$SecureString = ConvertTo-SecureString "reallylongpassword" -AsPlainText -Force
Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString

The BitLocker password, set as a PIN via -Pin, is reallylongpassword.
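As an added example (not part of the original write-up), the following Python does what the grep and the manual decoding above do in one pass: it reads the EvtxECmd JSON Lines output, picks out process-creation records whose command line launches PowerShell with an encoded command, and decodes the UTF-16LE payload. The records it runs on are constructed to mirror the Sysmon event shown above, with the BitLocker script re-encoded the way the attacker's command line carried it.

```python
"""Find encoded PowerShell invocations in EvtxECmd JSON-lines output and
decode their payloads.

Added example, not part of the original write-up. The records below are
constructed to mirror the page's Sysmon process-creation event; the
encoded command is built from the decoded script shown on the page.
"""
import base64
import json
import re

# powershell.exe accepts -EncodedCommand as -e, -ec or -enc (and / instead
# of -). Requiring whitespace after the switch keeps -ExecutionPolicy and
# -ep from matching.
ENCODED_SWITCH = re.compile(
    r"[-/]e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand payloads are base64 over UTF-16LE text. Logged
    command lines are often truncated, so repair the padding and drop a
    trailing odd byte rather than failing on a partial record."""
    b64 = b64.strip()
    if len(b64) % 4 == 1:          # a lone trailing sextet cannot form a byte
        b64 = b64[:-1]
    b64 += "=" * (-len(b64) % 4)
    raw = base64.b64decode(b64)
    if len(raw) % 2:               # half a UTF-16 code unit at the end
        raw = raw[:-1]
    return raw.decode("utf-16-le", errors="replace")


def find_encoded_commands(jsonl: str) -> list:
    """One dict per record whose ExecutableInfo (the command line) launches
    PowerShell with an encoded command, with the payload decoded."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        cmd = rec.get("ExecutableInfo") or ""
        if "powershell" not in cmd.lower():
            continue
        m = ENCODED_SWITCH.search(cmd)
        if not m:
            continue
        hits.append({
            "EventId": rec.get("EventId"),
            "UserName": rec.get("UserName"),
            "Process": rec.get("PayloadData1"),
            "Script": decode_encoded_command(m.group(1)),
        })
    return hits


# Constructed sample input (not real log data): the BitLocker script from the
# page, re-encoded the way the attacker's command line carried it, plus two
# records that must not match.
SCRIPT = (
    '$SecureString = ConvertTo-SecureString "reallylongpassword" -AsPlainText -Force\r\n'
    'Enable-BitLocker -MountPoint "C:" -EncryptionMethod Aes256 -UsedSpaceOnly -Pin $SecureString'
)
ENCODED = base64.b64encode(SCRIPT.encode("utf-16-le")).decode()
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"EventId": 1, "MapDescription": "Process creation",
     "UserName": "DESKTOP-R30EAMH\\gladys",
     "PayloadData1": "ProcessID: 3804, ProcessGUID: 5080714d-8150-6453-0d03-000000000700",
     "ExecutableInfo": PS + " -e " + ENCODED},
    {"EventId": 1, "MapDescription": "Process creation",
     "UserName": "DESKTOP-R30EAMH\\gladys",
     "ExecutableInfo": PS + " -ExecutionPolicy Bypass -File .\\Invoke-TimeWizard.ps1"},
    {"EventId": 3, "MapDescription": "Network connection",
     "UserName": "DESKTOP-R30EAMH\\gladys",
     "ExecutableInfo": "C:\\Users\\gladys\\Desktop\\merlin.exe"},
])

if __name__ == "__main__":
    for hit in find_encoded_commands(SAMPLE_JSONL):
        print(f"{hit['UserName']} ({hit['Process']}):\n{hit['Script']}\n")
```

Because the decoder tolerates truncated input, it can also be pointed at the cut-off prefix Chainsaw or a log viewer shows (the JABTAGUAYwB1AHIAZQB... string above decodes to the start of the script) to confirm an entry is worth pulling in full.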

What name was used by the attacker?

The TeamViewer log records the names used by both participants when the connection is set up:

...
2023/05/04 11:35:31.958  5716       2436 D3   CParticipantManagerBase participant DESKTOP-R30EAMH (ID [1764218403,-2102926010]) was added with the role 3
2023/05/04 11:35:31.958  5716       2436 D3   New Participant added in CParticipantManager DESKTOP-R30EAMH ([1764218403,-2102926010])
2023/05/04 11:35:31.958  5716       2436 D3   CParticipantManagerBase participant fritjof olfasson (ID [1761879737,-207968498]) was added with the role 6
2023/05/04 11:35:31.958  5716       2436 D3   New Participant added in CParticipantManager fritjof olfasson ([1761879737,-207968498])
...

The attacker used the name fritjof olfasson. That participant's ID, [1761879737,-207968498], is also the source recorded for the file stream that delivered merlin.exe at 11:21:30 in the transfer excerpt above, which ties the upload to this remote party.

What IP address did the C2 connect back to?

Knowing the C2 executable's name (merlin.exe) makes it straightforward to search the combined event log for occurrences of the executable and find the related details. The outbound connection is recorded by Sysmon as a Network connection event (Event ID 3), which EvtxECmd exposes through the Source*/Destination* payload fields:

$ grep "merlin.exe" 20250511141538_EvtxECmd_Output.json | grep "Destination" | jq 
...
  "PayloadData1": "ProcessID: 5768, ProcessGUID: 5080714d-89ce-6453-c202-000000000700",
  "PayloadData2": "RuleName: Usermode",
  "PayloadData3": "SourceHostname: DESKTOP-R30EAMH.forela.local",
  "PayloadData4": "SourceIp: 10.10.0.79",
  "PayloadData5": "DestinationHostname: ec2-52-56-142-81.eu-west-2.compute.amazonaws.com",                                                                                    
  "PayloadData6": "DestinationIp: 52.56.142.81",
  "UserName": "DESKTOP-R30EAMH\\gladys",
  "ExecutableInfo": "C:\\Users\\gladys\\Desktop\\merlin.exe",
  "MapDescription": "Network connection",
  "ChunkNumber": 57,
...

Alternatively, as there are over 350 hits for merlin.exe, using a SIEM like Splunk can be helpful.

The IP address is 52.56.142.81.

What category did Windows Defender give to the C2 binary file?

This was picked up by Chainsaw and listed under the Antivirus group in the Chainsaw report:

[+] Group: Antivirus
┌─────────────────────┬────────────────────┬──────────┬───────────┬─────────────────┬──────────────────────┬──────────────────────┬──────┬─────────────────────┬─────────────┐
│      timestamp      │     detections     │ Event ID │ Record ID │    Computer     │     Threat Name      │     Threat Path      │ SHA1 │        User         │ Threat Type │
├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────┼──────────────────────┼──────┼─────────────────────┼─────────────┤
...
├─────────────────────┼────────────────────┼──────────┼───────────┼─────────────────┼──────────────────────┼──────────────────────┼──────┼─────────────────────┼─────────────┤
│ 2023-05-04 10:32:39 │ ‣ Windows Defender │ 1009     │ 29        │ DESKTOP-R30EAMH │ VirTool:Win32/Myrddi │ file:_C:\Users\glady │      │                     │             │
│                     │                    │          │           │                 │ n.D                  │ s\Desktop\merlin.exe │      │                     │             │
└─────────────────────┴────────────────────┴──────────┴───────────┴─────────────────┴──────────────────────┴──────────────────────┴──────┴─────────────────────┴─────────────┘

The name given is VirTool:Win32/Myrddin.D.

What was the filename of the powershell script the attackers used to manipulate time?

This can be found in gladys's ConsoleHost_history.txt (under C:\Users\gladys\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline), which is part of the rapid triage dump.

The name of the script is Invoke-TimeWizard.ps1:

$ cat ConsoleHost_history.txt
set-executionpolicy bypass
cd ..
cd ..
cd .\Users\
cd .\gladys\Desktop\
dir
.\Invoke-TimeWizard.ps1

What time did the initial access connection start?

This is the initial connection over TeamViewer, i.e. the incoming session identified above.

From the TeamViewer15_Logfile.log:

...
2023/05/04 11:35:27.433  5716       5840 D3   SessionManagerDesktop::IncomingConnection: Connection incoming, sessionID = -2102926010
...

The initial connection was on 2023/05/04 11:35:27. Note that the TeamViewer log is written in the host's local time, whereas the event logs parsed by EvtxECmd and the Defender MPLog entries (timestamps ending in Z, shown under the hash question below) are in UTC: merlin.exe finished downloading at 11:21:34 according to TeamViewer and was detected by Defender at 10:29:22Z, which only lines up if the host was running one hour ahead of UTC.
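The TeamViewer log answers several of the questions above (the uploaded file, the session ID, the participant name and the start time), so here is an added example (not from the original write-up) that parses it in Python and links the file transfer to the participant that sent it. The sample log is constructed from the excerpts on this page, and the parser assumes the date/time, PID, TID, level, message layout those excerpts show.

```python
"""Parse a TeamViewer15_Logfile.log for the artefacts used above: incoming
sessions, participants and file transfers, and tie a transfer back to the
participant that sent it.

Added example, not from the original write-up. Lines are matched against
the formats visible in the excerpts on this page and the parser assumes
the 'date time  pid  tid  level  message' layout of those lines; the
sample log is constructed from the excerpts.
"""
import re
from dataclasses import dataclass, field

LINE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+\S+\s+(?P<msg>.*)$"
)
INCOMING = re.compile(r"IncomingConnection: Connection incoming, sessionID = (?P<sid>-?\d+)")
PARTICIPANT = re.compile(
    r"CParticipantManagerBase participant (?P<name>.+?) \(ID \[(?P<a>-?\d+),(?P<b>-?\d+)\]\) "
    r"was added with the role (?P<role>\d+)"
)
STREAM = re.compile(r"ReadStreamParameters: .*source=\[(?P<a>-?\d+),(?P<b>-?\d+)\]")
TRANSFER = re.compile(r'Download from "(?P<src>[^"]+)" to "(?P<dst>[^"]+)" \((?P<size>[^)]+)\)')


@dataclass
class TeamViewerActivity:
    sessions: list = field(default_factory=list)      # (timestamp, sessionID)
    participants: list = field(default_factory=list)  # (timestamp, name, (id_a, id_b), role)
    transfers: list = field(default_factory=list)     # (timestamp, src, dst, size, source_id)


def parse_teamviewer_log(text: str) -> TeamViewerActivity:
    """Walk the log once; a file stream's source ID is remembered so the
    Download line that follows it can be attributed to that participant."""
    act = TeamViewerActivity()
    stream_source = None
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        ts, msg = m["ts"], m["msg"]
        if (s := STREAM.search(msg)):
            stream_source = (int(s["a"]), int(s["b"]))
        elif (s := INCOMING.search(msg)):
            act.sessions.append((ts, int(s["sid"])))
        elif (s := PARTICIPANT.search(msg)):
            act.participants.append((ts, s["name"], (int(s["a"]), int(s["b"])), int(s["role"])))
        elif (s := TRANSFER.search(msg)):
            act.transfers.append((ts, s["src"], s["dst"], s["size"], stream_source))
    return act


def uploaders(act: TeamViewerActivity) -> list:
    """Names of participants whose ID matches the source of a file stream,
    i.e. the remote party that pushed a file onto the host."""
    sources = {t[4] for t in act.transfers if t[4] is not None}
    return sorted({name for _, name, ident, _ in act.participants if ident in sources})


# Constructed sample log (assembled from the excerpts on this page).
SAMPLE_LOG = r"""
2023/05/04 11:21:30.830  4428       4688 G3   tvnetwork::StreamManagerInternals::ReadStreamParameters: type=6 (StreamType_File, private), streamTypeUuid={39f8c238-87a6-4fc5-8173-872482924948}, source=[1761879737,-207968498], features=1, compression=2 streamID=35
2023/05/04 11:21:30.996  4428       6012 G3   Write file C:\Users\gladys\Desktop\merlin.exe
2023/05/04 11:21:34.398  4428       6012 G3   Download from "merlin.exe" to "C:\Users\gladys\Desktop\merlin.exe" (10.95 MB)
2023/05/04 11:21:34.537  4428       3252 G3   TaskbarProgress::ProgressWorkerFunc: Worker end.
2023/05/04 11:35:27.433  5716       5840 D3   SessionManagerDesktop::IncomingConnection: Connection incoming, sessionID = -2102926010
2023/05/04 11:35:31.958  5716       2436 D3   CParticipantManagerBase participant DESKTOP-R30EAMH (ID [1764218403,-2102926010]) was added with the role 3
2023/05/04 11:35:31.958  5716       2436 D3   New Participant added in CParticipantManager DESKTOP-R30EAMH ([1764218403,-2102926010])
2023/05/04 11:35:31.958  5716       2436 D3   CParticipantManagerBase participant fritjof olfasson (ID [1761879737,-207968498]) was added with the role 6
2023/05/04 11:35:31.958  5716       2436 D3   New Participant added in CParticipantManager fritjof olfasson ([1761879737,-207968498])
"""

if __name__ == "__main__":
    act = parse_teamviewer_log(SAMPLE_LOG)
    print("sessions:    ", act.sessions)
    print("participants:", [(p[1], p[2]) for p in act.participants])
    print("transfers:   ", [(t[0], t[2], t[4]) for t in act.transfers])
    print("uploaded by: ", uploaders(act))
```

The local host's participant ID carries the session ID as its second element ([1764218403,-2102926010] for session -2102926010), which is a convenient way to match participant lines to the session they belong to when a log holds several sessions.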

What is the SHA1 and SHA2 sum of the malicious binary?

The merlin.exe binary itself isn't part of the KAPE collection, but Windows Defender scanned it and logged its hashes when it detected it.

There is a record of this when searching for merlin.exe in C:\ProgramData\Microsoft\Windows Defender\Support\MPLog-07102015-052145.log:

... 
Internal signature match:subtype=Lowfi, sigseq=0x0000469675E991EE, sigsha=610f07f98502b1edd929b9271a0a5a60b5412a34, cached=false, source=0, resourceid=0x147f4bf1
FP supression checks:CheckTrusted=true (Sigseq=0x13d784f6fe2e7), CheckLimit=true, IsNotRevokedCertSig=true, IsNotFpCheckDisabledSig=true, IsSignedFileCheck=false, IsNotExcludedCertificate=true (FriendlySigSeq=0x0)
SDN:Issuing SDN query for \\?\C:\Users\gladys\Desktop\merlin.exe (\\?\C:\Users\gladys\Desktop\merlin.exe) (sha1=ac688f1ba6d4b23899750b86521331d7f7ccfb69, sha2=42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9)
SDN:SDN query completed: 00000000
...
2023-05-04T10:29:22.070Z DETECTIONEVENT VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe;process:pid:1992,ProcessStart:133276693023911786;
2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe
2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D process:pid:1992,ProcessStart:133276693023911786
...

The SHA-1 is ac688f1ba6d4b23899750b86521331d7f7ccfb69 and the SHA-256 (sha2 in the log) is 42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9.
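As an added example (not part of the original write-up), the following Python reads a Defender MPLog as UTF-16LE and pulls the SDN-query hashes and detection lines for a named file, which also deals with the UTF-16LE grep problem noted under Other Logs above. The excerpt it parses is constructed from the line formats on this page; the notepad.exe entry and its all-zero hashes are dummy filler.

```python
"""Read a Windows Defender MPLog (UTF-16LE text) and pull the hashes and
detection events recorded for one file.

Added example, not from the original write-up. The log excerpt is
constructed from the line formats shown on the page and stored as
UTF-16LE with a byte-order mark, the way the MPLog-*.log files under
C:\\ProgramData\\Microsoft\\Windows Defender\\Support are written; the
notepad.exe entry and its all-zero hashes are dummy filler.
"""
import re

# The SDN line repeats the path inside parentheses; that copy is used so
# paths containing spaces still parse.
SDN_QUERY = re.compile(
    r"SDN:Issuing SDN query for .+? \((?P<path>[^)]+)\) "
    r"\(sha1=(?P<sha1>[0-9a-fA-F]{40}), sha2=(?P<sha2>[0-9a-fA-F]{64})\)"
)
DETECTION = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T[\d:.]+Z) (?P<kind>DETECTIONEVENT|DETECTION_ADD) "
    r"(?P<threat>\S+) (?P<target>.+)$"
)


def decode_mplog(data: bytes) -> str:
    """MPLog files are UTF-16LE, usually with a BOM. Without a BOM, NUL bytes
    among the first bytes of ASCII text are the tell-tale sign; anything
    else is read as UTF-8 so an already converted copy still parses."""
    if data.startswith(b"\xff\xfe"):
        return data[2:].decode("utf-16-le", errors="replace")
    if b"\x00" in data[:64]:
        return data.decode("utf-16-le", errors="replace")
    return data.decode("utf-8", errors="replace")


def file_hashes(text: str, filename: str) -> dict:
    """{'sha1': ..., 'sha2': ...} from the SDN query line for filename, or {}."""
    for m in SDN_QUERY.finditer(text):
        if m["path"].lower().endswith("\\" + filename.lower()):
            return {"sha1": m["sha1"].lower(), "sha2": m["sha2"].lower()}
    return {}


def detections(text: str, filename: str) -> list:
    """(timestamp, kind, threat name) for every DETECTION* line naming the file."""
    out = []
    for line in text.splitlines():
        m = DETECTION.match(line.strip())
        if m and filename.lower() in m["target"].lower():
            out.append((m["ts"], m["kind"], m["threat"]))
    return out


# Constructed sample (not a real log); the merlin.exe lines follow the page.
_SAMPLE_LINES = [
    r"2023-05-04T10:29:21.500Z Internal signature match:subtype=Lowfi, sigseq=0x0000469675E991EE, cached=false",
    r"SDN:Issuing SDN query for \\?\C:\Windows\System32\notepad.exe (\\?\C:\Windows\System32\notepad.exe) "
    + "(sha1=" + "0" * 40 + ", sha2=" + "0" * 64 + ")",
    r"SDN:SDN query completed: 00000000",
    r"SDN:Issuing SDN query for \\?\C:\Users\gladys\Desktop\merlin.exe (\\?\C:\Users\gladys\Desktop\merlin.exe) "
    r"(sha1=ac688f1ba6d4b23899750b86521331d7f7ccfb69, sha2=42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9)",
    r"SDN:SDN query completed: 00000000",
    r"2023-05-04T10:29:22.070Z DETECTIONEVENT VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe;process:pid:1992,ProcessStart:133276693023911786;",
    r"2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D file:C:\Users\gladys\Desktop\merlin.exe",
    r"2023-05-04T10:29:22.070Z DETECTION_ADD VirTool:Win32/Myrddin.D process:pid:1992,ProcessStart:133276693023911786",
]
SAMPLE_MPLOG = b"\xff\xfe" + "\r\n".join(_SAMPLE_LINES).encode("utf-16-le")

if __name__ == "__main__":
    text = decode_mplog(SAMPLE_MPLOG)
    print(file_hashes(text, "merlin.exe"))
    for ts, kind, threat in detections(text, "merlin.exe"):
        print(ts, kind, threat)
```

The process-only DETECTION_ADD line is deliberately not returned for merlin.exe, since it references the PID rather than the path; widen the match on the target field if the process record is wanted as well.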

How many times did the powershell script change the time on the machine?

Time changes on Windows are recorded in the Security log as Event ID 4616: The system time was changed. The event data includes the previous and new time and the process (ProcessName) that made the change.

Aside from using a SIEM to filter for the relevant event ID, there are at least two ways of finding this using grep on the combined event log output from EvtxECmd.exe.

Keeping in mind that the question only asks about changes made by PowerShell and not about time changes in general, one way is to search for the event description and then for the keyword powershell, which matches the ProcessName field in the event payload:

$ grep "The system time was changed" 20250511141538_EvtxECmd_Output.json | grep powershell | wc -l
2371

Another is to use jq's select to pick out the 4616 events by ID and then filter for the keyword powershell:

$ jq -c 'select(.EventId == 4616)' 20250511141538_EvtxECmd_Output.json | grep powershell | wc -l
2371

What is the SID of the victim user?

The SID for a user can be found in a number of ways. One way is to search the event logs, as the SID is often included in the event payload. Being included in the payload means that there is no simple way of filtering for the SID value alone, though it's usually easy to spot.

A typical event that will include the user's SID is Event ID 4624: An account was successfully logged on:

$ jq 'select(.EventId == 4624)' 20250511141538_EvtxECmd_Output.json
{
  "PayloadData1": "Target: DESKTOP-R30EAMH\\gladys",
...
  "ExecutableInfo": "C:\\Windows\\System32\\svchost.exe",
  "MapDescription": "Successful logon",
  "ChunkNumber": 4,
  "Computer": "DESKTOP-R30EAMH",
  "Payload": "{\"EventData\":{\"Data\":[{\"@Name\":\"SubjectUserSid\",\"#text\":\"S-1-5-18\"},{\"@Name\":\"SubjectUserName\",\"#text\":\"WIN-PG5PB1QM351$\"},{\"@Name\":\"SubjectDomainName\",\"#text\":\"WORKGROUP\"},{\"@Name\":\"SubjectLogonId\",\"#text\":\"0x3E7\"},{\"@Name\":\"TargetUserSid\",\"#text\":\"S-1-5-21-3720869868-2926106253-3446724670-1003\"},{\"@Name\":\"TargetUserName\",\"#text\":\"gladys\"}

The SID is S-1-5-21-3720869868-2926106253-3446724670-1003.
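Both of the preceding questions are answered by fields that EvtxECmd keeps inside the Payload string rather than at the top level of the record. As an added example (not from the original write-up), the Python below flattens that EventData into a dict, counts the 4616 time changes whose ProcessName is powershell.exe, and pulls account SIDs from 4624 logons. The sample records are constructed to mirror the fields shown on this page.

```python
"""Pull structured fields out of Security-log records in EvtxECmd JSON-lines
output: count the 4616 time changes made by powershell.exe and extract
account SIDs from 4624 logons.

Added example, not from the original write-up. EvtxECmd keeps the event's
raw EventData as a JSON string inside the "Payload" field; event_data()
turns its Data list of {"@Name", "#text"} pairs into a plain dict. The
sample records are constructed to mirror the fields shown on the page.
"""
import json
from datetime import datetime


def load_jsonl(text: str) -> list:
    """One EvtxECmd record per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def event_data(rec: dict) -> dict:
    """Flatten Payload -> EventData -> Data[{@Name, #text}] into name: value."""
    payload = rec.get("Payload")
    if not payload:
        return {}
    data = json.loads(payload).get("EventData", {}).get("Data", [])
    if isinstance(data, dict):          # a single Data element is not wrapped in a list
        data = [data]
    return {d.get("@Name"): d.get("#text") for d in data if isinstance(d, dict)}


def parse_event_time(s: str) -> datetime:
    """4616 carries times like 2023-05-04T11:38:16.1234567Z; datetime only
    takes six fractional digits, so trim the fraction and drop the Z."""
    s = s.rstrip("Z")
    if "." in s:
        head, frac = s.split(".", 1)
        s = f"{head}.{frac[:6]:0<6}"
    return datetime.fromisoformat(s)


def time_changes(records: list, process_suffix: str = "powershell.exe") -> list:
    """4616 events whose ProcessName ends with process_suffix, with the jump
    between the previous and the new system time in seconds. Matching on
    ProcessName rather than grepping the whole line avoids counting other
    processes that merely mention 'powershell' somewhere in the record."""
    out = []
    for rec in records:
        if rec.get("EventId") != 4616:
            continue
        ed = event_data(rec)
        if not (ed.get("ProcessName") or "").lower().endswith(process_suffix):
            continue
        jump = parse_event_time(ed["NewTime"]) - parse_event_time(ed["PreviousTime"])
        out.append({"TimeCreated": rec.get("TimeCreated"),
                    "ProcessName": ed["ProcessName"],
                    "JumpSeconds": jump.total_seconds()})
    return out


def logon_sids(records: list) -> dict:
    """TargetUserName -> TargetUserSid over 4624 logons, keeping only real
    account SIDs (S-1-5-21-...) and dropping well-known ones such as S-1-5-18."""
    sids = {}
    for rec in records:
        if rec.get("EventId") != 4624:
            continue
        ed = event_data(rec)
        sid = ed.get("TargetUserSid") or ""
        if sid.startswith("S-1-5-21-"):
            sids[ed.get("TargetUserName")] = sid
    return sids


def _payload(**fields) -> str:
    """Serialise fields the way EvtxECmd stores EventData (constructed)."""
    return json.dumps({"EventData": {"Data": [
        {"@Name": k, "#text": v} for k, v in fields.items()]}})


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
GLADYS = "S-1-5-21-3720869868-2926106253-3446724670-1003"
# Constructed sample records (not real log data).
SAMPLE_JSONL = "\n".join(json.dumps(r) for r in [
    {"EventId": 4624, "TimeCreated": "2023-05-04T10:10:00.0000000Z",
     "Payload": _payload(SubjectUserSid="S-1-5-18", TargetUserSid="S-1-5-18",
                         TargetUserName="SYSTEM", LogonType="5")},
    {"EventId": 4624, "TimeCreated": "2023-05-04T10:15:02.0000000Z",
     "Payload": _payload(SubjectUserSid="S-1-5-18", TargetUserSid=GLADYS,
                         TargetUserName="gladys", LogonType="2")},
    {"EventId": 4616, "TimeCreated": "2023-05-04T10:38:16.0000000Z",
     "Payload": _payload(SubjectUserSid=GLADYS,
                         PreviousTime="2023-05-04T10:38:16.1234567Z",
                         NewTime="2023-05-04T10:43:16.1234567Z",
                         ProcessId="0x1e6c", ProcessName=PS)},
    {"EventId": 4616, "TimeCreated": "2023-05-04T10:43:17.0000000Z",
     "Payload": _payload(SubjectUserSid="S-1-5-19",
                         PreviousTime="2023-05-04T10:43:17.0000000Z",
                         NewTime="2023-05-04T10:43:16.0000000Z",
                         ProcessId="0x4d0", ProcessName="C:\\Windows\\System32\\svchost.exe")},
    {"EventId": 4616, "TimeCreated": "2023-05-04T10:43:20.0000000Z",
     "Payload": _payload(SubjectUserSid=GLADYS,
                         PreviousTime="2023-05-04T10:43:20.0000000Z",
                         NewTime="2023-05-04T10:13:20.0000000Z",
                         ProcessId="0x1e6c", ProcessName=PS)},
])

if __name__ == "__main__":
    recs = load_jsonl(SAMPLE_JSONL)
    changes = time_changes(recs)
    print(f"{len(changes)} time change(s) by powershell.exe")
    for c in changes:
        print(f"  {c['TimeCreated']}  jump {c['JumpSeconds']:+.0f}s")
    print("user SIDs:", logon_sids(recs))
```

Against the real 20250511141538_EvtxECmd_Output.json the same functions apply unchanged (load the file with load_jsonl); the JumpSeconds column is what makes a script like Invoke-TimeWizard.ps1 stand out, since the clock is pushed back and forth by large amounts in quick succession.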