Collected from over 1000 configurations, here are some high-level statistics that demonstrate some of the common trends among one of the most popular tools in an adversary’s arsenal. These configs were collected from live servers around early May 2021.
If you are interested in how the data was collected, scroll to the bottom of the article. Also if you just want the raw data here is a link.
If you want to read more about how the configurations are structured in Cobalt Strike payloads his article is a good start:
Most common watermark
Unsurprisingly most common watermark was 0. The…
User Access Logging (UAL) is feature in Windows Server that aggregates client usage data by role on a local server. The DFIR team at KPMG released a great blog which spotlights User Access Logs by delving into the different components that make up the database.
Applicable OS: Windows Server 2012+
Requirements: Enabled by default on supported OS
Evidence of: Lateral Movement-User/IP requests to a server (per day)
Format: ESE Databases
Current Parsing Tools:
Retention: 2–3 years.
Current.mdb contains the most recent 24 hours (by default) and is then moved into…
What is the PID of the application where you might learn “how hackers hack, and how to stop them”?
Format: #### Warning: Only 1 attempt allowed!
From investigating the internet history in the previous questions, I remember an IE search similar to the quote in the question.
This search was for “how to stop getting hacked over and over” found in the bulk_extractor output which was also in the IE History.
There may be a much more elegant solution to find the quote in the question but I just visited the URL in IE and found a YouTube video by…
What is the IPv4 address that myaccount.google.com resolves to?
At the start of the memory challenge I had ran bulk_extractor over the image while I was working on the other questions. Reading some of the other writeups and the discord posts, users had been using the .pcap generated from bulk_extractor to answer the network based questions. I decided to give it a go for these questions. By simply searching for the string “google” we can see a DNS packet querying the domain “myaccount.google.com”.
In one of the answers we have an A record that returns the IP address of the…
*At the time of the RAM collection (20-Apr-20 23:23:26- Imageinfo) there was an established connection to a Google Server. *
What was the Remote IP address and port number? format: “xxx.xxx.xx.xxx:xxx”
I started this week with the netscan plugin
vol.py -f memdump.mem --profile=Win7SP1x64 netscan
From the netscan output, we can see there are 4 established connections
The format in the question would suggest “126.96.36.199:443” is the answer, but I did a lookup up on the IP addresses which confirmed the answer.
The user had a conversation with themselves about changing their password. What was the password they were contemplating changing too. Provide the answer as a text string.
I started off by running kdbgscan over the image to get the profile:
When reading the question for part 1, I had a deja vue moment. Back in the MVS 2020 CTF (which used the same image) I had come across a password that was wrong answer at the time. This is an excerpt from my writeup back then:
What package(s) were installed by the threat actor? Select the most correct answer!
- hosting a database
- serving a webpage
- to run a php webshell
- create a fake systemd service
Especially considering last weeks question, we know where to look when we are investigating packages! Jumping into
/var/log/apt/history.log there is an entry at the bottom for php. There is a significant jump in the timestamps so this potentially could be the attacker.
I tried php and it was correct!
If I had to take a guess from the get go…
Part 1 Domains and Such
What is the IP address of the HDFS primary node?
Is the IP address on HDFS-Primary dynamically or statically assigned?
What is the interface name for the primary HDFS node?
If you navigate to /etc/network/interfaces on the primary image, you can currently see the interface information. The main interface en33 will provide the answers to the first answer.
So the next question, is really a 50/50 but we can see in the image above that the answer is there!
Again, we have already solved this question from the first answer.
One file provided all 3 answers this week! It was defintely a nice break from the last couple of weeks.
Challenge 6 (Nov. 9–16) The Elephant in the Room 25
Part One: Hadoop is a complex framework from Apache used to perform distributed processing of large data sets. Like most frameworks, it relies on many dependencies to run smoothly. Fortunately, it’s designed to install all of these dependencies automatically. On the secondary nodes (not the MAIN node) your colleague recollects seeing one particular dependency failed to install correctly. Your task is to find the specific error code that led to this failed dependency installation. [Flag is numeric]
Part two: Don’t panic about the failed dependency installation. A very closely related…
Challenge 5 (Nov. 2–9) Had-A-Loop Around the Block 75
What is the original filename for block 1073741825?
Initially, I was thinking along with your traditional blocks on the disk, but I quickly realised that the block number 1073741825 was waaaaaay too large to be referring to the image itself.
I next tried my luck by running TSK tools (complied with libewf) over the images.
mmls to get the offset:
Then using the offset of the main partitions to run
fls over the
fls -o 2048 -r -m / -i ewf /mnt/hgfs/Case2-HDFS/HDFS-Master.E01 | grep 1073741825
I grepped over the…