Monday, November 13, 2017

DFIR CTF: Precision Widgets of North Dakota Intrusion


Hi all, it's time for me to create a new DFIR CTF, so I'm releasing my previous one to the public. If you're playing this and have some fun or see some value in it, please send me feedback at @securitymustard along with what you'd like to see in future DFIR games.

Note that some of the infrastructure for this (OSINT component, company website, etc.) is no longer hosted. This doesn't make the game unplayable; it was mostly just eye candy. There is also a Twitter account you can gain access to in the course of this. It wouldn't be a big deal if it were ransacked (if it hasn't been already), but please respect other players and don't ruin the game.

Background:
Precision Widgets of North Dakota is a manufacturer of high-tech precision aircraft and mobility parts, primarily for government customers across the globe. PWND owns patents for several processes and designs which are the foundation of their brand and their most precious asset.

PWND was recently outbid on a contract to manufacture 150,000 Rascal scooter performance exhaust systems for the local government of Fort Lauderdale, Florida. Given PWND's previous success in this area and its substantial cost advantages in the market, PWND's CEO and founder Billy Honeydew immediately suspects foul play.

You are an incident response consultant from Johnson and Johnson and Johnson LLP, tasked with discovering whether data was stolen from the PWND network and, if so, how.

Evidence Downloads: 
Note: the decryption password is "nolycasissor" ("Ross is a Cylon" backwards... don't ask).



Questions (recommended points, Kill Chain phase, question):

  1. (25, Recon) What is the internal IP address of PWND-CEO?
  2. (25, Recon) What is the internal IP address of PWND-ITADMIN?
  3. (25, Recon) What is the internal IP address of PWNDDC01?
  4. (25, Recon) What is the full name of the domain?
  5. (25, Recon) What is Billy Honeydew's Twitter handle (no @)?
  6. (25, Recon) What is the Twitter handle of the individual he talks to (no @)?
  7. (25, Recon) What is the full link to the malware (unshortened)?
  8. (50, Delivery) What is the time in UTC (MM/DD/YYYY HH:MM) of the initial malware delivery?
  9. (50, Delivery) What is the time in UTC (MM/DD/YYYY HH:MM) of the payload download on PWND-CEO?
  10. (75, Weaponization) What type of payload is the malware (exactly as you'd see it in the builder)?
  11. (25, C2) What is the IP of the C2 server?
  12. (25, C2) What destination port is being used by the malware (format port/protocol)?
  13. (50, C2) What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnd-ceo to the C2?
  14. (50, C2) What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnd-itadmin to the C2?
  15. (50, C2) What is the time in UTC (MM/DD/YYYY HH:MM) of the first connection of pwnddc01 to the C2?
  16. (50, Installation) What PID is the malware running under on PWND-CEO?
  17. (50, C2) How many packets were transferred between PWND-CEO and the C2 IP?
  18. (50, Actions on Objectives) How much data (rounded to the nearest MB) was transferred from the system that data was exfiltrated from?
  19. (25, Installation) What data stream of the payload on disk indicates where it came from?
  20. (50, Actions on Objectives) What is the filename of the staging tool used?
  21. (50, Actions on Objectives) What is the true application name of the staging tool?
  22. (75, Actions on Objectives) What is the mistaken name the attacker gave the staging tool before changing it?
  23. (75, Actions on Objectives) What command resulted in the domain admin credential being stored in memory?
  24. (50, Actions on Objectives) What is the password for the bhoneydew domain account?
  25. (50, Actions on Objectives) What is the password for the pwnddc01 domain account?
  26. (50, Actions on Objectives) What is the password for the cmaldonado domain account?
  27. (25, Actions on Objectives) What protocol was used to transfer payloads laterally (1 guess)?
  28. (25, Actions on Objectives) What is the filename used as a payload in lateral movement?
  29. (50, Actions on Objectives) What time was the payload transferred to 192.168.64.137?
  30. (50, Actions on Objectives) What time was the payload transferred to 192.168.64.149?
  31. (50, Actions on Objectives) What protocol was used to execute payloads remotely?
  32. (100, Installation) In the decoded payload instructions that would be run on an x86 system, what is the exact path defined in "DownloadData"?
  33. (100, Actions on Objectives) Try to log in to the malicious user's Twitter account: what is the password (2 guesses)? Note: do not tweet, delete tweets, delete the account, or otherwise ruin the challenge for others.
  34. (150, Actions on Objectives) Who is the bad guy in this case (1 try)?
  35. (25, Recon) What is the active time bias running on PWNDITADMIN?
  36. (25, Installation) What is the name of the process on PWNDITADMIN that has executable injected code? What is the 2-byte hex string that indicates this to you? Answer in the form processname,hexbytes
  37. (50, Installation) What is the size in bytes of the file uploaded by the hacker to PWNDITADMIN? Based upon the differences in the created, modified and accessed times, what file operation do you theorize was used to put it there? Format: size,operation
  38. (50, Actions on Objectives) What is the total number of files inside the exfiltration archive?
  39. (50, Actions on Objectives) What is the most concerning folder name that was exfiltrated?
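The C2 traffic questions above (packet count between a host and the C2 IP, the destination port/protocol, and the megabytes sent from the exfiltration host) are the kind of thing Wireshark's Conversations view answers directly. As an added example that is not part of the original challenge materials, here is a standard-library Python script that does the same counting over a libpcap file, so the numbers can be reproduced without a GUI. The host and C2 addresses, the port and the embedded capture are all constructed for illustration and are not the CTF's values.

```python
"""Count packets, bytes and destination ports between a host and a suspected
C2 address in a libpcap (.pcap, not pcapng) capture, standard library only.
Added illustration; the addresses and the embedded capture are constructed."""
import ipaddress
import struct
from collections import Counter

L4_NAMES = {6: "tcp", 17: "udp"}


def iter_ipv4(pcap_bytes):
    """Yield (src, dst, proto, wire_len, l4_bytes) for each IPv4-over-Ethernet record."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic in (0xA1B2C3D4, 0xA1B23C4D):       # little-endian (usec / nsec timestamps)
        endian = "<"
    elif magic in (0xD4C3B2A1, 0x4D3CB2A1):     # big-endian
        endian = ">"
    else:
        raise ValueError("not a libpcap capture (convert pcapng with editcap -F pcap)")
    link_type, = struct.unpack_from(endian + "I", pcap_bytes, 20)
    if link_type != 1:                          # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _sec, _frac, incl_len, orig_len = struct.unpack_from(endian + "IIII", pcap_bytes, off)
        off += 16
        frame = pcap_bytes[off:off + incl_len]
        off += incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # need a full IPv4 header
            continue
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        yield src, dst, proto, orig_len, frame[14 + ihl:]


def c2_stats(pcap_bytes, host, c2):
    """Packet count, bytes each way (on-the-wire frame length, as Wireshark's
    Conversations tab reports) and the port/protocol pairs host used to reach c2."""
    packets = bytes_out = bytes_in = 0
    ports = Counter()
    for src, dst, proto, wire_len, l4 in iter_ipv4(pcap_bytes):
        if {src, dst} != {host, c2}:
            continue
        packets += 1
        if src == host:
            bytes_out += wire_len
            if proto in L4_NAMES and len(l4) >= 4:
                dport, = struct.unpack_from("!H", l4, 2)   # dst port is bytes 2..3 of TCP/UDP
                ports[f"{dport}/{L4_NAMES[proto]}"] += 1
        else:
            bytes_in += wire_len
    return {"packets": packets, "bytes_out": bytes_out, "bytes_in": bytes_in,
            "ports": ports}


# --- constructed sample capture (no checksums, 4-byte L4 header stub) ---
def _frame(src, dst, proto, dport, payload, sport=49152):
    l4 = struct.pack("!HH", sport, dport) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xaa\xbb\x08\x00" + ip + l4


def _pcap(frames):
    head = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    recs = (struct.pack("<IIII", 1510000000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames))
    return head + b"".join(recs)


HOST, C2 = "192.168.64.200", "203.0.113.10"       # constructed, not the CTF's values
SAMPLE_PCAP = _pcap([
    _frame(HOST, C2, 6, 4444, b"\x00" * 60),                # beacon out
    _frame(C2, HOST, 6, 49152, b"\x00" * 400, sport=4444),  # tasking back
    _frame(HOST, "192.168.64.1", 17, 53, b"\x00" * 30),     # unrelated DNS, ignored
    _frame(HOST, C2, 6, 4444, b"\x00" * 1000),              # data out
])

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 4:                     # usage: script.py capture.pcap HOST C2
        with open(sys.argv[1], "rb") as fh:
            print(c2_stats(fh.read(), sys.argv[2], sys.argv[3]))
    else:
        print(c2_stats(SAMPLE_PCAP, HOST, C2))
```

Two caveats when using this against the real evidence: the byte counts are on-the-wire frame lengths, so state whether you rounded bytes_out by 10^6 or 2^20 when answering the "nearest MB" question, and a pcapng capture has to be converted first (editcap -F pcap in.pcapng out.pcap) because only the classic libpcap header is parsed here.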