Attacker's workflow mapped
This summary will cover the attacker's workflow as discovered from my point of view. I believe the attack first started with nmap port scanning. While looking through web request logs I discovered the use of the nmap scripting engine. From here, several webshells were uploaded, and several failed. The attacker took advantage of CVE-2023-34362, a vulnerability in the MoveIT secure data transfer software.
We are provided a summary of logs extracted by the Kroll Artifact Parser and Extractor (KAPE) and a memory dump which is corrupted and cannot be loaded with a memory analysis tool such as Volatility. Unfortunately I couldn't get the KAPE tool to load the logs I was provided. I believe the KAPE tool is used once you have access to a host. This was a new tool for me, and my understanding is below:
Imagine you have a messy room filled with different types of objects, and you need to organize and document everything in an efficient manner. KAPE is like a specialized toolset that helps you systematically go through the room, identify specific types of objects (digital artifacts in the case of forensics), and neatly categorize and document them.
In this analogy:
Messy Room: Represents a digital device or storage medium containing a variety of data.
Objects in the Room: Correspond to digital artifacts, such as files, logs, registry entries, and other pieces of information that are relevant for forensic analysis.
KAPE Toolset: Acts as your organized approach to sorting through the mess. It has specific tools for identifying, collecting, and processing different types of digital artifacts. It streamlines the investigative process and ensures that you can efficiently gather the necessary evidence without missing anything important.
In essence, KAPE is like having a specialized organizer for your digital investigation, helping forensic analysts efficiently sift through and document digital evidence in a methodical and systematic way.
MoveIT Secure Data Transfer Software
Kroll Artifact Parser and Extractor
1. Name of the ASPX webshell uploaded by the attacker?
Locating the webshell involved investigating HTTP GET/POST requests to the web server. To find evidence of a webshell we browse to the following web directory.
The inetpub folder is evidence of the use of Microsoft IIS.
The log file contains many POST requests for an ASPX file.
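The triage described above (finding the ASPX file that receives repeated POSTs, the client IP and user agent behind them, and the nmap scripting engine user agent mentioned in the introduction) can be done mechanically over an IIS W3C log. The script below is an added example written for this write-up, not part of the original post or the challenge material: the log excerpt is constructed, and the IP addresses, file names and timestamps are placeholders, not the challenge's answers.

```python
"""Triage an IIS W3C extended log for webshell-style POSTs and scanner user agents.

Added example for this write-up. SAMPLE_LOG is a constructed excerpt; the
client IPs (TEST-NET ranges), file names and timestamps are placeholders.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed IIS log excerpt in the default W3C layout IIS writes under
# %SystemDrive%\inetpub\logs\LogFiles. Spaces inside a field are encoded as '+'.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-06-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-06-01 10:00:01 10.0.0.5 GET / - 443 - 203.0.113.45 Mozilla/5.0+(compatible;+Nmap+Scripting+Engine;+https://nmap.org/book/nse.html) - 200 0 0 12
2023-06-01 10:00:03 10.0.0.5 GET /robots.txt - 443 - 203.0.113.45 Mozilla/5.0+(compatible;+Nmap+Scripting+Engine;+https://nmap.org/book/nse.html) - 404 0 2 3
2023-06-01 10:05:20 10.0.0.5 POST /api/v1/auth/token - 443 - 198.51.100.8 Mozilla/5.0+(Macintosh) - 200 0 0 310
2023-06-01 10:06:02 10.0.0.5 GET /example_shell.aspx - 443 - 203.0.113.45 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64) - 404 0 2 5
2023-06-01 10:06:40 10.0.0.5 POST /example_shell.aspx - 443 - 203.0.113.45 python-requests/2.31.0 - 200 0 0 48
2023-06-01 10:07:15 10.0.0.5 POST /example_shell.aspx - 443 - 203.0.113.45 python-requests/2.31.0 - 200 0 0 51
2023-06-01 10:10:00 10.0.0.5 GET /index.aspx - 443 - 198.51.100.8 Mozilla/5.0+(Macintosh) - 200 0 0 20
"""


def parse_iis_log(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column layout can change mid-file; honour each header
            continue
        if line.startswith("#"):
            continue                       # #Software / #Version / #Date directives
        if fields is None:
            raise ValueError("data line before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue                       # truncated line: skip rather than misalign columns
        rec = dict(zip(fields, values))
        rec["cs(User-Agent)"] = rec.get("cs(User-Agent)", "-").replace("+", " ")
        # IIS writes W3C logs in UTC by default, so the timestamp is already UTC.
        rec["timestamp"] = datetime.strptime(
            f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S"
        ).replace(tzinfo=timezone.utc)
        records.append(rec)
    return records


def aspx_posts(records):
    """POST requests to .aspx resources, the command-channel pattern of an ASPX webshell."""
    return [r for r in records
            if r["cs-method"] == "POST" and r["cs-uri-stem"].lower().endswith(".aspx")]


def scanner_requests(records, marker="Nmap Scripting Engine"):
    """Requests whose User-Agent carries the default NSE http-library string."""
    return [r for r in records if marker in r["cs(User-Agent)"]]


def first_served(records, uri_stem):
    """Earliest successful (2xx) response for a URI: an upper bound on when the file
    appeared on disk. Earlier 404 probes for the same name are deliberately ignored."""
    hits = [r["timestamp"] for r in records
            if r["cs-uri-stem"].lower() == uri_stem.lower()
            and r["sc-status"].startswith("2")]
    return min(hits) if hits else None


def triage(records):
    """Summarise candidate webshells, the clients driving them, and scanner sources."""
    posts = aspx_posts(records)
    scans = scanner_requests(records)
    return {
        "candidate_webshells": dict(Counter(r["cs-uri-stem"] for r in posts)),
        "client_ips": dict(Counter(r["c-ip"] for r in posts + scans)),
        "webshell_user_agents": dict(Counter(r["cs(User-Agent)"] for r in posts)),
        "scanner_ips": sorted({r["c-ip"] for r in scans}),
    }


if __name__ == "__main__":
    recs = parse_iis_log(SAMPLE_LOG)
    for k, v in triage(recs).items():
        print(f"{k}: {v}")
    print("first served:", first_served(recs, "/example_shell.aspx"))
```

The `#Fields` header is parsed rather than assuming a fixed column order because IIS sites are often configured with extra or reordered fields, and a hard-coded index would silently put the wrong value under `c-ip`. Separating the scanner user agent from the webshell POSTs also shows why the two questions (enumeration tool versus webshell user agent) can have different answers from the same source IP.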
2. What was the attacker's IP address?
3. What user agent was used to perform the initial attack?
4. When was the ASPX webshell uploaded by the attacker?
5. The attacker uploaded an ASP webshell which didn't work, what is its filesize in bytes?
7. Which tool did the attacker use to initially enumerate the vulnerable server?
8. We suspect the attacker may have changed the password for our service account. Please confirm the time this occurred (UTC).
9. Which protocol did the attacker utilize to remote into the compromised machine?
10. Please confirm the date and time the attacker remotely accessed the compromised machine?
11. What was the useragent that the attacker used to access the webshell?
12. What is the inst ID of the attacker?
13. What command was run by the attacker to retrieve the webshell?
14. What was the string within the title header of the webshell deployed by the TA?
15. What did the TA change our moveitsvc account password to?