Sign in

svch0st

Some Statistics on Cobalt Strike Configs in April and May 2021

Collected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021.

If you are interested in how the data was collected, scroll to the bottom of the article. Also if you just want the raw data here is a link.

If you want to read more about how the configurations are structured in Cobalt Strike payloads his article is a good start:

Most common watermark

Unsurprisingly most common watermark was 0. The…


Windows Server Artefact

Overview

User Access Logging (UAL) is feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog which spotlights User Access Logs by delving into the different components that make up the database.

Artefact Features

Applicable OS: Windows Server 2012+
Requirements: Enabled by default on supported OS
Evidence of:
Lateral Movement-User/IP requests to a server (per day)
Location
:

  • C:\Windows\System32\LogFiles\SUM\Current.mdb
  • C:\Windows\System32\LogFiles\SUM\SystemIdentity.mdb
  • C:\Windows\System32\LogFiles\SUM\<GUID>.mdb

Format: ESE Databases
Current Parsing Tools:

Retention: 2–3 years. Current.mdb contains the most recent 24 hours (by default) and is then moved into…


Windows Memory Forensics

Part 1

What is the PID of the application where you might learn “how hackers hack, and how to stop them”?

Format: #### Warning: Only 1 attempt allowed!

From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question.

This search was for “how to stop getting hacked over and over” found in the bulk_extractor output which was also in the IE History.

There may be a much more elegant solution to find the quote in the question but I just visited the URL in IE and found a YouTube video by…


Windows Memory Forensics

Part 1

What is the IPv4 address that myaccount.google.com resolves to?

At the start of the memory challenge I had ran bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the discord posts, users had been using the .pcap generated from bulk_extractor to answer the network based questions. I decided to give it a go for these questions. By simply searching for the string “google” we can see a DNS packet querying the domain “myaccount.google.com”.

In one of the answers we have an A record that returns the IP address of the…


Windows Memory Forensics

Challenge 10

*At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. *

What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”

I started this week with the netscan plugin

vol.py -f memdump.mem --profile=Win7SP1x64 netscan

From the netscan output, we can see there are 4 established connections

The format in the question would suggest “172.253.63.188:443” is the answer, but I did a lookup up on the IP addresses which confirmed the answer.


Windows Memory Forensics

Part 1

The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.

I started off by running kdbgscan over the image to get the profile: Win7SP1x64

When reading the question for part 1, I had a deja vue moment. Back in the MVS 2020 CTF (which used the same image) I had come across a password that was wrong answer at the time. This is an excerpt from my writeup back then:


Part 1

What package(s) were installed by the threat actor? Select the most correct answer!

Part 2

Why?

- hosting a database

- serving a webpage

- to run a php webshell

- create a fake systemd service

Part 1

Especially considering last weeks question, we know where to look when we are investigating packages! Jumping into /var/log/apt/history.log there is an entry at the bottom for php. There is a significant jump in the timestamps so this potentially could be the attacker.

I tried php and it was correct!

Answer: php

Part 2

If I had to take a guess from the get go…


Part 1 Domains and Such

What is the IP address of the HDFS primary node?

Part 2:

Is the IP address on HDFS-Primary dynamically or statically assigned?

Part 3:

What is the interface name for the primary HDFS node?

Part 1

If you navigate to /etc/network/interfaces on the primary image, you can currently see the interface information. The main interface en33 will provide the answers to the first answer.

Answer: 192.168.2.100

Part 2

So the next question, is really a 50/50 but we can see in the image above that the answer is there!

Answer: statically

Part 3

Again, we have already solved this question from the first answer.

Answer: ens88

One file provided all 3 answers this week! It was defintely a nice break from the last couple of weeks.


Challenge 6 (Nov. 9–16) The Elephant in the Room 25

Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On the secondary nodes (not the MAIN node) your colleague recollects seeing one particular dependency failed to install correctly. Your task is to find the specific error code that led to this failed dependency installation. [Flag is numeric]

Part two: Don’t panic about the failed dependency installation. A very closely related…


Challenge 5 (Nov. 2–9) Had-A-Loop Around the Block 75

What is the original filename for block 1073741825?

Initially, I was thinking along with your traditional blocks on the disk, but I quickly realised that the block number 1073741825 was waaaaaay too large to be referring to the image itself.

I next tried my luck by running TSK tools (complied with libewf) over the images.

First running mmls to get the offset:

Then using the offset of the main partitions to run fls over the

fls -o 2048 -r -m / -i ewf /mnt/hgfs/Case2-HDFS/HDFS-Master.E01 | grep 1073741825

I grepped over the…

svch0st

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store