Cynet - The Incident Response Challenge: Solution Walkthrough

PS: This only records the process; it is not necessarily correct.
Official site: https://incident-response-challenge.com/

1、Time Machine
https://incident-response-challenge.com/challenges/1
Challenge description:
Story
GOT Ltd CTO claimed that he found suspicious activity on his laptop.
He stated that some of his files suddenly moved from one location to another, while other files seem to have been modified on illogical dates. He asked us to check whether we can find anomaly indicators relevant to his desktop files.
We found out that he was right and there is a clear indication of an anomaly, using a well-known technique. Try to examine the following $MFT file, focusing on the CTO's Desktop files.
Can you find the anomaly, which is relevant to the time in which the file's changes/modifications have been made, based on the provided $MFT file?
Instructions
Submit the name of the file that has been found to be affected by the attacker and its original creation time.
The file is located directly on the Desktop.
Time Format: DD-MM-YYYY HH:MM:SS
Filename Format: filename.ext (ext stands for a 3-letter file extension)

Writeup: open the downloaded $MFT file with mft2csv and locate the file.
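As an added illustration of the kind of anomaly this challenge is about (not code from the original write-up), the following Python flags timestomped records in a simplified mft2csv-style export: the column names and the sample rows are constructed for the demo, and the heuristics compare $STANDARD_INFORMATION against $FILE_NAME and look for whole-second timestamps.

```python
import csv
import io
from datetime import datetime

# Constructed sample in a simplified mft2csv-like layout (column names assumed):
# $STANDARD_INFORMATION (SI) and $FILE_NAME (FN) creation/modification times
# with the 100ns fraction NTFS stores. report.doc is the planted anomaly.
SAMPLE_CSV = """FileName,ParentPath,SI_CTime,SI_MTime,FN_CTime,FN_MTime
notes.txt,\\Users\\cto\\Desktop,2020-01-15 09:12:31.1234567,2020-01-15 09:12:31.1234567,2020-01-15 09:12:31.1234567,2020-01-15 09:12:31.1234567
report.doc,\\Users\\cto\\Desktop,2010-03-01 10:00:00.0000000,2010-03-01 10:00:00.0000000,2020-02-03 14:22:07.5550123,2020-02-03 14:22:07.5550123
budget.xls,\\Users\\cto\\Desktop,2020-02-01 08:05:44.8800000,2020-02-01 08:05:44.8800000,2020-02-01 08:05:44.8800000,2020-02-01 08:05:44.8800000
todo.txt,\\Users\\cto\\Documents,2009-01-01 00:00:00.0000000,2009-01-01 00:00:00.0000000,2020-01-20 11:00:00.0001000,2020-01-20 11:00:00.0001000
"""

def parse_ts(value):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff'; %f accepts at most 6 digits, so trim."""
    return datetime.strptime(value[:26], "%Y-%m-%d %H:%M:%S.%f")

def whole_second(value):
    """True when the sub-second fraction is all zeros, as left by tools that set
    timestamps through SetFileTime with second granularity."""
    return "." not in value or value.split(".", 1)[1].strip("0") == ""

def find_timestomped(csv_text, folder_suffix="\\Desktop"):
    """Return (filename, original creation time, reasons) for records whose $SI
    timestamps look forged. $FN is kernel-maintained and is not touched by the
    usual user-mode timestomping APIs, so it is used as the original time."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not row["ParentPath"].endswith(folder_suffix):
            continue
        si_c, fn_c = parse_ts(row["SI_CTime"]), parse_ts(row["FN_CTime"])
        reasons = []
        if si_c < fn_c:
            reasons.append("$SI creation earlier than $FN creation")
        if whole_second(row["SI_CTime"]) and whole_second(row["SI_MTime"]):
            reasons.append("whole-second $SI timestamps")
        if reasons:
            hits.append((row["FileName"], fn_c.strftime("%d-%m-%Y %H:%M:%S"), reasons))
    return hits

if __name__ == "__main__":
    for name, created, why in find_timestomped(SAMPLE_CSV):
        print(f"{name}: original creation {created} ({'; '.join(why)})")
```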
2、Hello Dok
https://incident-response-challenge.com/challenges/2
Challenge description:
Story
Podrick claims that last Monday (February 3, 2020), at lunch time (around 12:00 PM) a USB device of a malicious entity was plugged into his personal computer. He has also mentioned that he saw one of his colleagues – Theon G, leaving his (Podrick’s) office with the USB in his hand.
Theon claims that he entered the office to visit Aria (who sits in the same office). When he saw Aria was not there, he left the office immediately.
Podrick regularly doesn’t lock his computer and suspects that Theon took advantage of this to steal some of his personal data.
We were invited to examine Podrick’s PC.
Was a USB Device connected to Podrick’s PC on February 3, 2020?
Instructions
Submit the Serial/UID of the suspected USB device

Writeup: the downloaded files are registry hives. Analyse the SYSTEM hive and find the USB record closest to 12:00.
3、Bling-Bling
Story
Lord Varys, director of the finance department in GOT-Research Ltd, found out that certain information about the senior employees' salaries was leaked and reached other employees of the organization. This financial information is saved on a network shared folder. Permissions to this network folder have been given to Lord Petyr Baelish and 2 former employees: John Snow and Daenerys Targaryen. Both John and Daenerys work as external consultants to GOT and aren't part of the finance department anymore.
Their permissions to the finance shared folders haven't been revoked yet. Petyr Baelish, John, and Daenerys were never on good terms, and Varys suspects them as the cause of the leak. He assumes that one of them wanted to hurt his name and make people think that he leaked the information.
GOT-Research's CEO asked John and Daenerys about the mentioned event, and both claimed that they hadn't accessed the finance folder for almost a year (since leaving the finance department).
Important Information:
We need to examine whether John or Daenerys accessed the financial data, which includes the Management-Salaries.xlsx file containing the data that was leaked.
GOT invited us to investigate the Consultants’ PC.
Instructions
Submit the main suspect’s first name + filename of the suspicious finance file, found on the suspect's host.
Filename Format:File-Name.ext

Writeup: the downloaded files are Jump List records; analyse them with the JumpList Explorer tool.

4、Is that you?
Story
We were asked to come as soon as possible to GOT Ltd. main site in Japan to investigate their Windows Server 2012 R2 – Domain Controller.
The organizational security experts claimed that lately the server has crashed a few times and that other errors have also occurred frequently. Their attempts to find a reasonable explanation have failed and they suspect that malicious activity on this server has been taking place.
To investigate this issue, Podrick, GOT Ltd. VP invited us as DFIR experts.
As the first step in the investigation, before our arrival in Japan, GOT Ltd. sent us a raw memory dump which was taken from the Domain Controller at 17:40. The organizational security experts have noticed that the server crashes have occurred each time around 17:45 and tried to get the best raw memory they could for our investigation.
Can you recognize the suspected process in memory?
Instructions
Submit the PID and PPID of the suspected process
PID: 3-4 Decimal Digits value
PPID: 3-4 Decimal Digits value

Writeup: the downloaded file is a memory dump; go straight to Volatility and look for the process.

5、B4 Catch
Story
Aria, Head of Security and IT at GOT Ltd. noticed some suspicious SIEM alerts. The alerts mentioned a suspicious file named Scvhost.exe which has been recognized on some organizational hosts. Right as she started to examine this issue, the files were deleted from the hosts.
Aria suspects that Scvhost.exe is a malicious file (probably some kind of malware) and that the attacker is currently in the organizational network.
GOT Ltd management wants us to determine if the Scvhost.exe has been executed on the organizational hosts, when the execution occurred, and how it was deleted.
Instructions
Submit the last execution time of the suspicious file + number of executions on the examined host.
Time Format: DD-MM-YYYY HH:MM (no seconds)

Writeup: Prefetch file analysis.
(Prefetch, introduced with Windows XP, is used to speed up application start-up. A Prefetch file contains the executable's name, file timestamps, run count, last execution time, a hash and so on. Windows 7 keeps information on the 128 most recent executables, Windows 8-10 on the 1024 most recent.)
Use the helper tool PECmd:
https://github.com/EricZimmerman/PECmd
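As an added example (not part of the original write-up, and not PECmd's code), here is a minimal Python parser for the uncompressed XP/Vista/7/8.1 Prefetch layouts that pulls out the fields this challenge asks for; the sample file is constructed in code, and the offsets follow the publicly documented SCCA format.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# File offsets of the (most recent) last-run FILETIME and of the run count, per
# prefetch format version: 17 = XP/2003, 23 = Vista/7, 26 = Windows 8.1.
# Windows 10 files (version 30) are usually MAM-compressed and their run-count
# offset varies between builds, so they are rejected here rather than guessed.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}

def filetime_to_datetime(ft):
    """FILETIME = 100ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return executable name, prefetch hash, last run time and run count."""
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed (Windows 10) prefetch: decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"unsupported prefetch: {signature!r} v{version}")
    # 60-byte UTF-16LE executable name at offset 16, 4-byte hash at offset 76
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    run_off, count_off = LAYOUT[version]
    last_run = struct.unpack_from("<Q", data, run_off)[0]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {"exe": exe_name, "hash": f"{pf_hash:08X}", "run_count": run_count,
            "last_run": filetime_to_datetime(last_run).strftime("%d-%m-%Y %H:%M")}

def build_sample_v23(exe, last_run, run_count, pf_hash=0x1A2B3C4D):
    """Constructed Vista/7 (version 23) prefetch header for the demo; only the
    fields read above are populated, the rest of the 240-byte header is zero."""
    ft = int((last_run - EPOCH_1601).total_seconds()) * 10_000_000
    buf = bytearray(84 + 156)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 12, len(buf))
    name = exe.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<Q", buf, 0x80, ft)
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)

# Constructed sample: SCVHOST.EXE last run 2020-02-09 17:43 UTC, run 3 times.
SAMPLE_PF = build_sample_v23(
    "SCVHOST.EXE", datetime(2020, 2, 9, 17, 43, 9, tzinfo=timezone.utc), 3)

if __name__ == "__main__":
    print(parse_prefetch(SAMPLE_PF))
```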

6、Titan
Story
The Master of Whispers has ears everywhere.
The kingdom has decided it is time to do something about it.
We are going from server to server to find his little birds who keep talking, repeatedly.
This Ubuntu server has been suspected to be compromised.
We need to know the IP of the listener.
Instructions
Submit the IP of the malicious C2

Writeup: the download is an Ubuntu disk image; go straight to the crontab logs and execution records.

7、Sports
Story
Sansa went on a trip to The Eyrie.
Upon her return she seems to be feeling unwell. We think she has been infected with a bug.
When she wakes up, she starts coughing up commercials for Anti-Marriage campaigns.
Please look at her profile and see what the issue is.
Instructions
Submit the malicious file executed using the persistence mechanism on the station:
Filename Format: filename.ext (ext stands for a 3 letter file extension)

Writeup: the download is the contents of the C: drive. It contains hive files; load them straight into a registry analysis tool.

Find the registry value under the Run key and that is it.
8、LNK Files
Story
Someone has been spreading rumors about how much everyone makes in the kingdom. Upon further investigation we found that the salaries file accidentally had its permissions set to everyone.
Sansa believes that someone is Littlefinger.
We need to find evidence that he had accessed the salaries file.
This way we can finally have leverage against him.
Instructions
Submit the flag located in the same artifact source as the evidence against Littlefinger:

Writeup: look for LNK files with the keyword "salaries" and find one that points to a file on a share; alternatively, analysing the Jump Lists also works.
II. Medium section
1、Can’t touch this
Story
Podrick was satisfied with our first investigation, in which we proved that Theon has probably plugged his USB device into Podrick's PC when he was away.
As we remember, we proved that someone (Theon) plugged a USB device to Podrick’s PC on February 3, 2020 – around 12 PM (12:15-12:45 PM according to our findings of Suspicious USB usage – Hello DOK).
Podrick claims that some of his files/directories have changed; he thinks that the changes were also made by Theon during his first access to the machine, which we have already shown probably happened. He wants us to find out which files were changed/touched by Theon, focusing on the Projects folder, which according to Podrick has been completely emptied.
We said that we would do our best and continue with our investigation, to find which files have been watched/copied by Theon.
Instructions
Submit the time in which the “Projects” folder was recreated by Theon.
Note: it is recommended you solve Challenge No.2 before starting this challenge.
Time Format: HH:MM:SS

Writeup: this is the upgraded version of Hello DoK, so that one has to be completed first.
The download contains a pile of log files and hive files. After analysing the log files for a long time without result, I finally noticed that the name of the downloaded folder hints at shellbags.
Loading the hive files into a shellbag analysis tool then finds the answer.
2、Copy PaSTe
Story
Theon, one of GOT Ltd.'s employees, has been fired due to many disciplinary issues.
Theon was a member of the Help-Desk team and supported the company employees on the following aspects:
Computing hardware problems
Software installations
Email support
Theon’s hearing before dismissal took place on February 5, 2020. And he was officially fired on February 8, 2020.
Right after Theon's dismissal, some private emails of GOT's CEO (John Snow) and VP (Daenerys) have been published.
Theon claims that he has nothing to do with that.
Varys, Theon's former boss, claims that Theon didn't have any access to the CEO's and VP's emails. But he also offered to give us Theon's PC, which hasn't been formatted yet, for us to investigate.
Varys already checked Theon’s Desktop and said that it’s totally empty, which means that Theon has probably moved/deleted some files.
Can you find the specific file that has been deleted/moved which can indicate that Theon had access to John’s (CEO) E-Mail data?
Instructions
Submit the name of the moved/deleted file that can indicate Theon had access to John’s E-Mail data.
Filename Format: filename.ext

Writeup: the downloaded files are these:

Find a tool and analyse them.

3、WhoaMI
Story
The SOC analysts of the GOT organization reported that they have found some anomalies. The analysts assume that the attacker is still present in the organization but can't find any backdoor signs.
They asked us for help and sent us the disk image copy to investigate.
The head of the SOC team stated that according to his observation there has been massive PowerShell and CMD usage throughout the organization, including in hosts which are not being used by technical employees.
One of the most suspicious hosts is Lady Brienne’s host. Brienne (GOT's accountant) stated that she has never used PowerShell or CMD, while the SOC team stated that her machine is probably the “noisiest” in the last few days.
Can you find the backdoor technique which has been used by the attacker on Lady Brienne's PC?
Instructions
Submit the full path of the file executed by the persistence mechanism.
Full path Format: C:\path\to\malicious\file.ext

Writeup: WMI forensics.
Use strings on the OBJECTS.DATA file and search for the keyword powershell.exe.
References: https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
http://index-of.es/Forensic/DEFCON-23-WMI-Attacks-Defense-Forensics.pdf
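To show what the strings search above is looking for, the following added Python example (not the write-up's own code) carves ASCII and UTF-16LE strings from a constructed OBJECTS.DATA fragment and flags the WMI event-subscription classes and the consumer's command line; the path in the sample is a placeholder in the challenge's answer format.

```python
import re

# Printable ASCII runs and UTF-16LE runs of at least 6 characters, the same
# idea as `strings` / `strings -el`, applied to OBJECTS.DATA in memory.
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\s\"']+")
# Class names of the WMI event-subscription persistence triad plus the
# interpreter the SOC flagged on Brienne's host.
INDICATORS = ("__EventFilter", "__FilterToConsumerBinding",
              "CommandLineEventConsumer", "ActiveScriptEventConsumer",
              "powershell.exe")

# Constructed fragment standing in for OBJECTS.DATA: binary noise around a
# filter query, a consumer class name and a UTF-16 command line (placeholder path).
SAMPLE_OBJECTS_DATA = (
    b"\x00\x00\x12\xa5" + b"\xff" * 8
    + b"__EventFilter\x00SELECT * FROM __InstanceModificationEvent WITHIN 60\x00"
    + b"\x01\x02\x03" + b"CommandLineEventConsumer\x00" + b"\x00" * 4
    + "powershell.exe -File C:\\path\\to\\malicious\\file.ps1".encode("utf-16-le")
    + b"\x00\x00" + b"\x7f" * 6
)

def extract_strings(blob):
    """Return (offset, encoding, text) for ASCII and UTF-16LE strings, by offset."""
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ASCII_RE.finditer(blob)]
    found += [(m.start(), "utf16", m.group().decode("utf-16-le"))
              for m in UTF16_RE.finditer(blob)]
    return sorted(found)

def find_wmi_persistence(blob):
    """Strings that mention a WMI subscription class or powershell.exe."""
    return [hit for hit in extract_strings(blob)
            if any(ind.lower() in hit[2].lower() for ind in INDICATORS)]

def persisted_file_paths(blob):
    """Full paths found inside the flagged strings (the consumer's command line)."""
    paths = []
    for _, _, text in find_wmi_persistence(blob):
        m = PATH_RE.search(text)
        if m:
            paths.append(m.group())
    return paths

if __name__ == "__main__":
    for off, enc, text in find_wmi_persistence(SAMPLE_OBJECTS_DATA):
        print(f"{off:#08x} {enc:5} {text}")
    print(persisted_file_paths(SAMPLE_OBJECTS_DATA))
```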
4、Kiwi
Story
Jaime, known as the King-Slayer, is head of HR in GOT Ltd. He recognized, or at least thinks that he recognized, some suspicious activity on his PC.
Yesterday – February 8, 2020, around 15:00, he noticed that a file with a kiwi logo had appeared on his desktop. According to him, the file suddenly disappeared not long after its first appearance on his desktop. Later that day, he started getting messages saying he needs to re-activate Windows Defender. He activated Windows Defender and got the same message again a few hours later.
King-Slayer decided to tell this to his friend in the IT department – Chris. When Chris heard the story, he reported it immediately to the Cyber Security department of GOT Ltd.
The organization’s CISO didn’t want to waste time and called us right away.
GOT Ltd main office is in Switzerland. The CISO sent us all the event logs from King-Slayer’s PC and from the Domain Controller.
Can you help us to find the relevant anomaly?
Jaime’s user account (KingSlayer) is Local Admin on his host.
Domain Name -> GOT.Com
DC Server name -> WIN-IL7M7CC6UVU
Jaime (King Slayer) host -> DESKTOP-HUB666E (172.16.44.135)
Instructions
Submit the domain user account which the attacker used (other than King-Slayer) and the IP Address of the host which he accessed to using this user account.

Writeup: domain forensics. Log auditing; pass-the-hash attack.
Audit the Security.evtx log file.
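As an added example of the audit described above (not code from the write-up), this Python script checks exported Security.evtx 4624 records for two pass-the-hash signatures; the three records are constructed using the hostnames and IP from the challenge text, and the second account name is a placeholder, not the answer.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Security.evtx records (as exported XML). Hostnames and the
# KingSlayer host IP are from the challenge text; "example-user" is a
# placeholder account, not the challenge answer.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2020-02-08T14:58:02Z"/><Computer>DESKTOP-HUB666E</Computer></System><EventData><Data Name="TargetUserName">KingSlayer</Data><Data Name="TargetDomainName">GOT</Data><Data Name="LogonType">2</Data><Data Name="LogonProcessName">User32</Data><Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="IpAddress">127.0.0.1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2020-02-08T15:04:37Z"/><Computer>DESKTOP-HUB666E</Computer></System><EventData><Data Name="TargetUserName">KingSlayer</Data><Data Name="TargetDomainName">DESKTOP-HUB666E</Data><Data Name="LogonType">9</Data><Data Name="LogonProcessName">seclogo</Data><Data Name="AuthenticationPackageName">Negotiate</Data><Data Name="IpAddress">::1</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="2020-02-08T15:05:12Z"/><Computer>WIN-IL7M7CC6UVU</Computer></System><EventData><Data Name="TargetUserName">example-user</Data><Data Name="TargetDomainName">GOT</Data><Data Name="LogonType">3</Data><Data Name="LogonProcessName">NtLmSsp</Data><Data Name="AuthenticationPackageName">NTLM</Data><Data Name="IpAddress">172.16.44.135</Data></EventData></Event>
</Events>"""

def field(event, name):
    node = event.find(f"e:EventData/e:Data[@Name='{name}']", NS)
    return node.text if node is not None else ""

def find_pth_indicators(xml_text):
    """Flag 4624 logons with the two classic pass-the-hash signatures:
    type 9 via seclogo/Negotiate on the source host (credentials injected
    into a fresh logon session), and type 3 NTLM network logons on the DC,
    where domain accounts normally authenticate with Kerberos. NTLM type 3
    also occurs legitimately (e.g. access by IP), so corroborate with the
    timeline before concluding."""
    hits = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.find("e:System/e:EventID", NS).text != "4624":
            continue
        logon_type = field(ev, "LogonType")
        process = field(ev, "LogonProcessName")
        package = field(ev, "AuthenticationPackageName")
        if logon_type == "9" and process == "seclogo" and package == "Negotiate":
            reason = "type 9 logon via seclogo: injected/alternate credentials"
        elif logon_type == "3" and package == "NTLM":
            reason = "NTLM network logon where Kerberos is expected"
        else:
            continue
        hits.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "computer": ev.find("e:System/e:Computer", NS).text,
            "user": field(ev, "TargetDomainName") + "\\" + field(ev, "TargetUserName"),
            "source_ip": field(ev, "IpAddress"),
            "reason": reason,
        })
    return hits

if __name__ == "__main__":
    for hit in find_pth_indicators(SAMPLE_EVENTS):
        print(hit)
```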

5、Seashell
Story
The great web server has been showing signs of weird activity lately.
Some weird cronjobs have been created and there has been some unexpected outgoing traffic.
We think maybe someone has gained access to the server.
The cronjobs were created using a web-server user. We suspect someone managed to create a backdoor using the website itself.
Instructions
Find the flag in the reverse shell.

Writeup: the downloaded files are from a pfSense firewall. It is a Linux system; keyword hints: webshell, crawler.
Following the hints, search through all the strings to find the reverse shell; searching for the keyword bash is enough.


6、Sneak
Story
The Army of the North believes it might have a spy amongst them.
They have clear indication that the enemy anticipates their movement.
We must find the suspicious process that keeps sending data outside.
Instructions
Find the suspicious process name.
Process Name Format: Process.exe

Writeup: the downloaded file is a memory dump.
Try Volatility forensics and look for the suspicious process.
The image information could not be detected automatically, so the profile had to be specified by hand; it was finally determined to be Windows 10 x64 build 15063.

7、Universal
Story
We have been getting reports from a concerned user about unusual behavior on his workstation. CMD windows occasionally pop up, and sometimes the station is reset.
The behavior seems to persist after these restarts.
We believe some malicious software has implemented a persistence mechanism, but our team has not been able to find it so far.
Instructions
Submit the persistent process
Process Name Format: Process.exe

Writeup: key hint: GlobalFlag
Use Registry Explorer to look through the registry; searching for the GlobalFlag registry key is enough.

Reference: Image File Execution Options Injection, Technique T1183 - Enterprise | MITRE ATT&CK® https://attack.mitre.org/techniques/T1183/
8、Notes
Story
An attacker has gained access to Littlefinger’s session on his computer.
He has successfully connected to Kings Landing (DC) using the GOT\varys-adm of the IT team Domain Admin account credentials.
It is yet unclear how he found those credentials.
We suspect it to be the entry point of the attacker to the whole organization.
Instructions
Submit the Varys-adm user password.

Writeup: key hint: BMCache
Find the RDP bitmap cache files
Find a tool to parse them and find the password


9、Psss
Story
Same old story.
The master of whispers has ears everywhere.
Cersei is paranoid…
We have another station which might be compromised.
Help us find the IP of the listening C2 server.
Instructions
Submit the IP of the reverse shell server.

Writeup: the download is a VHDX image; mount it and recover the log files.
Find the PowerShell execution records.
Key hint: PowerShell

10、Roots
Story
We have found the following pdf running around our infrastructure.
It clearly has legs.
We believe the attacker has hidden a password to one of his services in the code and we need that password.
Instructions
In the PDF there is a word file and in the word file there is a macro that contains the flag in ascii.

Writeup: according to the hints, a malicious PDF file has to be analysed; the PDF contains a Word file, and the Word macro has to be found.
Try pdf-parser from Kali.

Inside there is code that downloads a PowerShell script from GitHub; find that script to find the password.
FlaG_[W0N-C0NGr@T5]
III. Advanced section
1、2nd Base
Story
Once again, we have found ourselves with some malware running amuck our peasants.
However, this time we have made an image of a clean machine. Use it to compare the infected machine with the clean machine. Maybe it could help?
What is the malicious process?
Instructions
Submit the name and PID of the malicious process.
Process Name Format: ProcessName.exe

Writeup: the download includes two memory images; compare them.
First analyse the processes in the Baseline image

Then look at the processes in the other image, the one with the malicious process

The suspicious process

2、Meow
Story
We have met quite an advanced adversary.
Multiple accounts have been compromised on the network.
We think an attacker gained access to the DC and harvested the credentials.
We have imaged the domain controller and we think there should be some leftovers which can indicate which relevant tool has been used by the attacker. Can you find them?
Instructions
Submit the tool's name, which has been used by the attacker
Filename Format: FILE.EXT (ext stands for a 3-letter file extension)

Writeup: DC forensics.
Find the name and path of a malicious tool.
Mount the image with FTK, then recover data.
3、Sad
Story
There is a station infected with ransomware (desktop-hub666e).
This station has some very valuable files. All of our transactions with the Iron Bank are kept there.
We have captured a PCAP and a memory dump of the station for some analysis.
We can't afford to pay the current ransom. We need the data inside that encrypted file.
Instructions
Submit the data in the encrypted file.

Writeup: infected with ransomware; forensics on the pcap and the memory dump.
Key hint: WannaCry
PS: did not manage to solve this one.
4、Insurance
Story
The user Robert had his wallpaper changed to a life insurance ad.
Robert says he did not do it. We assume someone connected to his machine and did so!
We have no idea how the insurance wallpaper got to the station. Any help?
Instructions
Submit the time stamp of the lateral movement technique used:
Timestamp: YYYY-MM-DD HH:MM (no seconds)

Writeup: the download is a VHDX image; keyword PsExec
Load the image
The logs copied out directly are unusable; data recovery is needed first, and then the logs can be copied out and examined
Look at the logon events for the psexec keyword
PS: not sure whether this was correct.
5、Layers
Story
We had an attacker on the network, we think we flushed him out, but we think there are still some other stations he had infected or had access to.
We ran Autoruns using Kansa on the stations, and saved each station's output in the following format: -Autorunsc.csv. Hopefully we can see if any station looks suspicious.
Instructions
Submit the most suspected computer name + name of suspicious artifact(filename).
Filename Format: filename.ext (ext stands for a 3-letter file extension)

Writeup: keywords: Kansa, stacking
Analysis of the Kansa collection records.
PS: not sure whether this was correct
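Stacking, as hinted, means lining up every station's Autorunsc output and looking for entries that appear on only one or two hosts; the following added Python example (not Kansa's own code, using an assumed subset of its CSV columns with constructed rows) does exactly that.

```python
import csv
import io
from collections import defaultdict

# Constructed per-host Autorunsc output (a subset of Kansa's columns, names
# assumed): the same two entries everywhere plus one that exists only on WS03.
COMMON = ("Entry Location,Entry,Image Path,Signer\n"
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,SecurityHealth,"
          "c:\\windows\\system32\\securityhealthsystray.exe,(Verified) Microsoft Windows\n"
          "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,VMware User Process,"
          "c:\\program files\\vmware\\vmware tools\\vmtoolsd.exe,(Verified) VMware\n")
HOST_CSVS = {
    "WS01": COMMON,
    "WS02": COMMON,
    "WS03": COMMON + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,"
                     "c:\\users\\public\\updater.exe,\n",
}

def stack_autoruns(host_csvs):
    """Count, per (entry location, image path), on how many hosts it appears.
    Returns (location, path, signer, hosts) rows sorted rarest first, with
    unsigned images ahead of signed ones."""
    hosts_by_entry = defaultdict(set)
    signer = {}
    for host, text in host_csvs.items():
        for row in csv.DictReader(io.StringIO(text)):
            key = (row["Entry Location"], row["Image Path"].lower())
            hosts_by_entry[key].add(host)
            signer[key] = row["Signer"]
    rows = [(loc, path, signer[(loc, path)], sorted(hosts))
            for (loc, path), hosts in hosts_by_entry.items()]
    return sorted(rows, key=lambda r: (len(r[3]), r[2] != "", r[1]))

def outliers(host_csvs, max_hosts=1):
    """Entries present on at most max_hosts hosts: the stacking suspects."""
    return [r for r in stack_autoruns(host_csvs) if len(r[3]) <= max_hosts]

if __name__ == "__main__":
    for loc, path, sig, hosts in stack_autoruns(HOST_CSVS):
        print(f"{len(hosts):3} host(s) {sig or 'UNSIGNED':>30}  {path}  [{loc}]")
```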
6、Frog Find
Story
Classic case. We have a frog running loose and it's running havoc.
We have clear indication of malicious outgoing traffic to a host on the digital ocean.
We can’t seem to find the malicious process on the system.
We know there is a frog hidden in the malicious executable.
Find the process, extract the frog.
Instructions
Find the flag inside the malicious process.

Writeup: keyword: Process Hollowing
Download the memory image and analyse it directly with Volatility

Suspicious process

Dump it out

7、DB
Story
WAF logs show an unusual spike in SQL Injection attempts on our domain Westeros.GOT.com in the last days (since 4.2.2020).
We are afraid an attacker might have been able to access the server using the SQL Injection.
Please determine whether or not the attacker was able to successfully use the SQL injection to gain access to the server.
If he did, what is the time he did so?
Instructions
Submit the time when the attacker gained access to the OS.
Time format: YYYY-MM-DD HH:MM (no seconds)

Writeup: the server was SQL-injected.
Find the execution time: after 4 February 2020, find the time at which system access was gained
In the downloaded VHDX file, find the Windows Security logs
Two times were found: 2020-02-04 23:56 and 2020-02-05 00:07
PS: submitting the first one seems to have been wrong
Final score:

Final ranking

Note
This article was originally written by HeTian Network Security Lab (合天網(wǎng)安實驗室); please credit the source when reposting.