Description: In this video I will show you how to solve GrrCon Forensics Challenges Using Volatility Framework.
Challenge Questions
1. How was the attack delivered?
2. What time was the attack delivered?
3. What was the name of the file that dropped the backdoor?
4. What is the IP address of the C2 server?
5. What type of backdoor is installed?
6. What is the mutex the backdoor is using?
7. Where is the backdoor placed on the filesystem?
8. What process name and process id is the backdoor running in?
9. What additional tools do you believe were placed on the machine?
10. What directory was created to place the newly dropped tools?
11. How did the attacker escalate privileges?
12. What level of privileges did the attacker obtain?
13. How was lateral movement performed?
14. What was the first sign of lateral movement?
15. What documents were exfiltrated?
16. How and where were the documents exfiltrated?
17. What additional steps did the attacker take to maintain access?
18. How long did the attacker have access to the network?
19. What is the secret code inside the exfiltrated documents?
20. What is the password for the backdoor?
Answers:
Question 1 - How was the attack delivered?
- HTTP / IE
Question 2 - What time was the attack delivered?
- 2012-04-28 01:59:22
Question 3 - What was the name of the file that dropped the backdoor?
- swing-mechanics.doc[1].exe
Question 4 - What is the IP address of the C2 server?
- 221.54.197.32
Question 5 - What type of backdoor is installed?
- Poison Ivy
Question 6 - What is the mutex the backdoor is using?
- )!VoqA.I4
Question 7 - Where is the backdoor placed on the filesystem?
- C:\windows\system32\svchosts.exe
Question 8 - What process name and process id is the backdoor running in?
- 1096 / explorer
Question 9 - What additional tools do you believe were placed on the machine?
- All the executables shown in the filescan output. Some can be identified (e.g. WinRAR, PsExec), but others are still unknown, because the file names are obscured and no part of the executable remained in memory at the time.
Question 10 - What directory was created to place the newly dropped tools?
- C:\WINDOWS\system32\systems\
Question 11 - How did the attacker escalate privileges?
- WCE to domain admin, pass the hash
Question 12 - What level of privileges did the attacker obtain?
- Administrator with debug and load driver privileges
Question 13 - How was lateral movement performed?
- Through combinations of "net use" and PsExec
Question 14 - What was the first sign of lateral movement?
- The use of net.exe at 2012-04-28 01:59:56
Question 15 - What documents were exfiltrated?
- All the PDFs listed plus the "Tokyo Tigers Expansion.odt" file
Question 16 - How and where were the documents exfiltrated?
- FTP - 66.32.119.38
Question 17 - What additional steps did the attacker take to maintain access?
- Run key with svchosts
Question 19 - What is the secret code inside the exfiltrated documents?
- 76bca1417cb12d09e74d3bd4fe3388e
Question 20 - What is the password for the backdoor?
- tigers
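As an added example (not code from the video, the referenced blog post or the Volatility project), the Python script below runs the kind of checks the answer key relies on over constructed, simplified rows in the spirit of Volatility's pslist, filescan and printkey output: a process name one edit away from a core Windows binary (svchosts.exe next to svchost.exe), a new subdirectory of system32 holding executables, the earliest start of net.exe or PsExec as the first sign of lateral movement, and a Run-key value pointing at the lookalike binary. The column layouts, the sample rows and the list of legitimate names are assumptions made for this example, not real Volatility output or data from the challenge image; only the indicator names are taken from the answers above.

```python
"""Added memory-triage example over constructed, simplified rows in the
spirit of Volatility pslist / filescan / printkey output.  Nothing here is
data from the challenge image or code from the Volatility project."""
import re

# Constructed pslist-style rows: name, pid, ppid, start time (not image data).
PSLIST = """\
explorer.exe  1096  1064  2012-04-28 01:51:10
svchost.exe    912   668  2012-04-28 01:40:11
svchosts.exe  1724  1096  2012-04-28 02:00:03
net.exe       2040  1724  2012-04-28 01:59:56
psexec.exe    2112  1724  2012-04-28 02:03:40
"""

# Constructed filescan-style rows: one kernel object path per line.
FILESCAN = """\
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchost.exe
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\svchosts.exe
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\systems\\w.exe
\\Device\\HarddiskVolume1\\WINDOWS\\system32\\systems\\r.exe
\\Device\\HarddiskVolume1\\Program Files\\WinRAR\\WinRAR.exe
"""

# Constructed Run-key rows (printkey style): value name, type, data.
RUN_KEY = """\
ctfmon    REG_SZ  C:\\WINDOWS\\system32\\ctfmon.exe
svchosts  REG_SZ  C:\\WINDOWS\\system32\\svchosts.exe
"""

# Assumed short list of core Windows binaries used as the lookalike baseline.
LEGIT_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe",
               "explorer.exe", "winlogon.exe", "smss.exe", "ctfmon.exe"}
LATERAL_TOOLS = {"net.exe", "psexec.exe"}


def edit_distance(a, b):
    """Levenshtein distance; one edit away from a core name is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_pslist(text):
    """Rows of (name, pid, ppid, 'YYYY-MM-DD HH:MM:SS') from the sample layout."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            name, pid, ppid, date, clock = line.split()
            rows.append((name.lower(), int(pid), int(ppid), f"{date} {clock}"))
    return rows


def lookalike_processes(text, legit=LEGIT_NAMES):
    """Processes whose name is within one edit of a core Windows binary."""
    hits = []
    for name, pid, _ppid, _start in parse_pslist(text):
        if name in legit:
            continue
        nearest = min(legit, key=lambda l: edit_distance(name, l))
        if edit_distance(name, nearest) <= 1:
            hits.append((name, pid, nearest))
    return hits


def new_system32_dirs(text):
    """Subdirectories of system32 that hold executables (a dropped tools dir)."""
    found = set()
    for path in text.splitlines():
        m = re.search(r"\\system32\\([^\\]+)\\[^\\]+\.exe$", path, re.I)
        if m:
            found.add(m.group(1))
    return sorted(found)


def first_lateral_movement(text, tools=LATERAL_TOOLS):
    """(tool, start) of the earliest known lateral-movement tool, or None."""
    starts = [(start, name) for name, _p, _pp, start in parse_pslist(text)
              if name in tools]
    if not starts:
        return None
    start, name = min(starts)
    return name, start


def run_key_hits(text, suspects):
    """Run-key values whose data points at a suspect executable name."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            value, _kind, data = line.split(None, 2)
            if data.rsplit("\\", 1)[-1].lower() in suspects:
                hits.append((value, data))
    return hits


def triage():
    """Run all four checks and feed the lookalike names into the Run-key check."""
    lookalikes = lookalike_processes(PSLIST)
    suspects = {name for name, _pid, _near in lookalikes}
    return {"lookalikes": lookalikes,
            "new_dirs": new_system32_dirs(FILESCAN),
            "first_lateral": first_lateral_movement(PSLIST),
            "persistence": run_key_hits(RUN_KEY, suspects)}


if __name__ == "__main__":
    for key, val in triage().items():
        print(f"{key}: {val}")
```

Real pslist, filescan and printkey output carries header lines and more columns than the sample rows here, so the three parse steps are the part to adapt to your plugin version; the checks themselves only need a process name, a start time, a file path and a Run-key value.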
Memory image: http://t.co/m0JCvrnV
Reference: http://volatility-labs.blogspot.in/2012/10/solving-grrcon-network-forensics.html
Tags: grrcon, forensics, challenge, volatility
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.
C'mon, buy a microphone please, no sound :( Then please stop making video tutorials for Linux commands if you can't explain.
Sorry. But if you are familiar with the Volatility Framework you can understand almost 80% of the things; the rest you need to test out yourself. Please go through the reference for more information.