Refer to Boogeyman1 for the challenge room on TryHackMe

Artefacts

For the investigation, we will be provided with the following artefacts:

• Copy of the phishing email (`dump.eml`)
• PowerShell logs from Julianne's workstation (`powershell.json`)
• Packet capture from the same workstation (`capture.pcapng`)

Note: The powershell.json file contains JSON-formatted PowerShell logs extracted from its original EVTX file using the evtx2json tool.

Tools

• Thunderbird: A free and open-source cross-platform email client.
• LNKParse3: A Python package for analyzing binary files with LNK extensions.
• Wireshark: A GUI-based packet analyzer.
• Tshark: The CLI version of Wireshark.
• jq: A lightweight and flexible command-line JSON processor.

Email Analysis

Julianne, a finance employee at Quick Logistics LLC, received a follow-up email about an unpaid invoice from their business partner, B Packaging Inc. Unbeknownst to her, the attached document was malicious and compromised her workstation.
The security team flagged the suspicious execution of the attachment, alongside phishing reports from other finance department employees, indicating a targeted attack on the finance team. Recent trends show that the initial TTP used for the malicious attachment is linked to a new threat group called Boogeyman, known for targeting the logistics sector.

Investigation Guide

Given the initial information, we know the compromise began with a phishing email. Let's start by analyzing the dump.eml file located in the artefacts directory. There are two methods to analyze the headers and rebuild the attachment:

Manual Method: Use command-line tools such as cat, grep, base64, and sed. You can manually analyze the contents and build the attachment by decoding the string located at the bottom of the file.

• $ echo # sample command to rebuild the payload, presuming the encoded payload is written in another file, without all line terminators
• $ cat *PAYLOAD FILE* | base64 -d > Invoice.zip

Automated Method: Double-click the EML file to open it in Thunderbird. From there, you can save and extract the attachment. Once the payload from the encrypted archive is extracted, use LNKParse3 to analyze the information contained within the payload.

• $ lnkparse *LNK FILE*

Task

What is the email address used to send the phishing email?
We can locate the source email address in the email header in Thunderbird.

What is the email address of the victim?
The victim's email address is available in the screenshot above.

What is the name of the third-party mail relay service used by the attacker based on the DKIM-Signature and List-Unsubscribe headers?
We can identify the email relay service provider in the DKIM-Signature within the source code.

Note: The ‘d=’ tag specifies the domain that is responsible for signing the email. This domain is typically the organization or entity that sent the email, and it is used to verify the authenticity of the email’s sender.

What is the name of the file inside the encrypted attachment?
After saving and extracting the attachment from the .zip file, we can see the filename.

Warning: Ensure not to open the file, as we cannot confirm if it is safe.

What is the password of the encrypted attachment?
We can find the password in the email's content.

Based on the result of the lnkparse tool, what is the encoded payload found in the Command Line Arguments field?
By using the lnkparse tool and grep keyword "Command", we can find the encoded value in the CLI arguments.

$ lnkparse Invoice_20230103.lnk | grep -e "Command"

Endpoint Security

Based on the initial findings, we discovered how the malicious attachment compromised Julianne's workstation:

• A PowerShell command was executed.
• Decoding the payload reveals the starting point of endpoint activities.

Investigation Guide

With the following discoveries, we should now proceed to analyze the PowerShell logs to uncover the potential impact of the attack:

• Start by searching for the execution of the initial payload in the PowerShell logs based on the previous findings.
• Since the data is in JSON format, use the `jq` command in the CLI to parse it.
• Be aware that some logs may be redundant and lack critical information; these can be ignored.

JQ Cheatsheet

jq is a command-line tool for processing JSON data. It works well with other text-processing commands. Refer to the table below for guidance on parsing logs for this task. For more details, visit jq 1.7 Manual.

Parse all JSON into beautified output	cat powershell.json | jq
Print all values from a specific field without printing the field	cat powershell.json | jq '.Field1'
Print all values from a specific field	cat powershell.json | jq '{Field1}'
Print values from multiple fields	cat powershell.json | jq '{Field1, Field2}'
Sort logs based on their Timestamp	cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[]'
Sort logs based on their Timestamp and print multiple field values	cat powershell.json | jq -s -c 'sort_by(.Timestamp) | .[] | {Field}'

Task

What are the domains used by the attacker for file hosting and C2? Provide the domains in alphabetical order. (e.g. a.domain.com,b.domain.com)
After learning the field names using jq command, we will investigate into ScriptBlockText field.

$ cat powershell.json | jq

Since we already identified one of the attacker's domains from previous tasks, we can use the commands sort, uniq, and grep with the keyword "bpakcaging.xyz" to find two domains in the output.

What is the name of the enumeration tool downloaded by the attacker?
We know that the ScriptBlockText field contains the PowerShell commands that were executed on the machine, so we will review those commands.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq

After some examination and research, I discovered the tool used for enumeration. Refer to Seatbelt on GitHub for more details about the tool.

What is the file accessed by the attacker using the downloaded sq3.exe binary? Provide the full file path with escaped backslashes.
First, we will trace the binary mentioned in the question using the grep keyword 'sq3.exe'. We found that the command was executed from '.\Music\sq3.exe', so we need to determine the full path.

$ cat powershell.json | jq '.ScriptBlockText' | grep -e 'sq3.exe'

Next, to find out from which user's workstation the binary was executed, we will trace the attacker's working directory by searching for the command 'cd'. Once we know the username, we need to add the binary's file path to C:\Users\<username> to retrieve the full path.

$ cat powershell.json | jq '.ScriptBlockText' | grep -e 'cd '

What is the software that uses the file in the previous question?
We can identify the software from the screenshot prior to the last one; it is in the package directory.

What is the name of the exfiltrated file?
After some examination and research in the ScriptBlockText field, I discovered the command that exfiltrate the sensitive file.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq

Note: The command assigns the sensitive file to the variable $file and the IP address 167.71.211.113 to the variable $destination. It then reads the entire binary content of the specified file into the $bytes variable, preparing it for further transmission.

What type of file uses the .kdbx file extension?
After some research, I found that the file extension is used by an open-source password manager. For more details, please refer to here.

What is the encoding used during the exfiltration attempt of the sensitive file?
By examining the command executed after initiating the file exfiltration, we can identify the encoding method used.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq | grep -A 2 '<sensitive file>'

What is the tool used for exfiltration?
By examining the command executed after initiating the file exfiltration, we can identify the tool used for  exfiltration in this case.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq | grep -A 3 'protected_data.kdbx'

Note: The commands read the binary content of a sensitive file, convert it into a HEX format, and prepare it for exfiltration. It then repeatedly sends the hex-encoded data as DNS queries using nslookup to a specified destination (167[.]71[.]211[.]113), transferring the sensitive information covertly.

Network Traffic Analysis

Based on the PowerShell log investigation, we identified the following:

• The attacker accessed and exfiltrated two sensitive files.
• Uncovered the domains and ports involved in the network activity.
• Discovered the tool used for exfiltration.

Investigation Guide

We can conclude the investigation by analyzing the network traffic from the attack:

• Use the identified domains and ports.
• Review all commands executed by the attacker, which were logged in the packet capture.
• Trace the streams of notable commands found in the PowerShell logs.
• Based on the logs, we can extract the contents of the exfiltrated data by understanding its encoding.

Task

What software is used by the attacker to host its presumed file/payload server?
In the last task, we identified the C2 server's IP address (167.71.211.113). We will use this IP address as a filter in Wireshark to monitor any network connections between the victim and the server.

Wireshark: ip.addr == 167.71.211.113

By examining one of the HTTP packets, we can determine the application used by the server.

I also attempted to use Tshark with the field http.server and filtered for the C2 server's IP address.

$ tshark -r capture.pcapng -T fields -e ip.src -e ip.dst -e http.server | sort -r | uniq | grep -e '167.71.211.113'

Note: SimpleHTTP is a built-in module in Python 2, known as the “http.server” package in Python 3. It allows users to set up a basic web server to serve files directly from a directory using commands.

What HTTP method is used by the C2 for the output of the commands executed by the attacker?
The method can be identified in two ways: first, within the same HTTP stream from the previous task.

And second, through the command we used to determine the tool used for exfiltration.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq | grep -A 3 'protected_data.kdbx'

What is the protocol used during the exfiltration activity?
We can reuse the same command from the previous question, and the output will indicate the application used for the exfiltration activity. We then just need to determine the protocol used, which is quite clear.

$ cat powershell.json | jq '.ScriptBlockText' | sort | uniq | grep -A 3 'protected_data.kdbx'

What is the password of the exfiltrated file?
Based on the hint "The password is stored in the database file accessed by the attacker", we can examine the POST request packets sent over the network.

Wireshark: http.request.method == POST

To retrieve the data that’s sent over the network, we need to copy the html value from the packet, then decode it from the Decimal. I then found the data that we are looking for in the packet No.44467.

Note: Some network protocols and file formats define their data in decimal. I.e. HTTP headers, JSON objects, and CLI tools may expect numerical values in decimal. This adherence to common practices minimizes potential misinterpretations during data transmission.

After decoding by CyberChef, I found the password of the file.

What is the credit card number stored inside the exfiltrated file?
Remember that the attacker attempted to use the DNS protocol to transfer the data. We will extract DNS queries using Tshark. The output shows some HEX values preceding the domains, and these HEX values are the same for both the domains and their subdomains.

$ tshark -r capture.pcapng -T fields -e dns.qry.name | awk NF | sort | uniq

To only capture the HEX value, we will filter for those containing "bpakcaging.xyz," isolates the portion before the first dot using cut, and removes duplicates with uniq. Then save it in to a file for modification.

$ tshark -r capture.pcapng -T fields -e dns.qry.name | grep <domain> | cut -f 1 -d "." | uniq > file.txt

Once we open the text file, we will notice some unnecessary text values, such as "cdn," "files," and others.

Once the text file contains only HEX values, we will use xxd to convert the HEX input back into binary format and output it as the password manager’s file.

$ cat file.txt | xxd -r -p > secret.kdbx

Note: Since it was previously stated that the attacker successfully transmitted the password manager’s file over the network, we can confirm that the file we reconstructed is the one used by the password manager. Therefore, we will use the .kdbx format.

After that, we can open the file using the password retrieved in the previous task. The credit card number can then be found in the file. By right-clicking on "Company Card," selecting "Copy Field," and then "Account Number," we can obtain the value.