CyberDefenders.org — KrakenKeylogger Blue Team Lab Walkthrough

Endpoint Investigation with DB Browser & Eric Zimmerman’s tools

Drew Arpino
6 min read · Feb 5, 2024
Image Credit: https://cyberdefenders.org/blueteam-ctf-challenges/krakenkeylogger/

Introduction:

Hello! I’ve recently stumbled on the practice labs over on cyberdefenders.org. This challenge room was one of the first that I tried on the site and while stumbling through the questions, I thought it would be a great opportunity to do a write-up to solidify the concepts for me and share this cool challenge with anyone who stumbles across this post. Thanks for reading!

Challenge Link: https://cyberdefenders.org/blueteam-ctf-challenges/119/

Challenge Scenario:

An employee at a large company was assigned a task with a two-day deadline. Realizing that he could not complete the task in that timeframe, he sought help from someone else. After one day, he received a notification from that person who informed him that he had managed to finish the assignment and sent it to the employee as a test. However, the person also sent a message to the employee stating that if he wanted the completed assignment, he would have to pay $160.

The helper's demand for payment revealed that he was actually a threat actor. The company's digital forensics team was called in to investigate and identify the attacker, determine the extent of the attack, and assess potential data breaches. The team must analyze the employee's computer and communication logs to prevent similar attacks in the future.

Question 1: What is the web messaging app the employee used to talk to the attacker?

AND

Question 2: What is the password for the protected ZIP file sent by the attacker to the employee?

This question mentions a web-based messaging app, and the scenario lists a handful of tools for solving the challenge, including DB Browser for SQLite. That tool is normally used to view a browser's history database, so I turned my attention to the browser databases to see what I could find.

Unfortunately, the Google Chrome artifacts are missing from the challenge files, so we have to pivot. There is one clue in the scenario description, though: notification. This got me thinking about the Windows notification center toasts.

I did a quick search for Notifications in Windows and was surprised to actually stumble on some results in the directory: \Users\OMEN\AppData\Local\Microsoft\Windows\Notifications

Inside this directory is a database file, wpndatabase.db, which (after a little Google magic) turned out to be the Windows Push Notifications database, where Windows stores notification data. I loaded it in DB Browser to see if I could find anything interesting…

Interesting, indeed! Within the notification table, it looked like I had found the answers to Question 1 and Question 2. Two for the price of one!
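To show what that DB Browser query looks like when scripted, here is an added example (mine, not code from the walkthrough or the lab). It assumes the two tables the walkthrough relies on: a Notification table whose Payload column holds the toast XML and whose ArrivalTime is a Windows FILETIME, and a NotificationHandler table whose PrimaryId names the sending app, joined on HandlerId = RecordId. The miniature database it builds when run without arguments is constructed; point it at a real wpndatabase.db to list every toast with its arrival time and app.

```python
"""Pull toast text out of a wpndatabase.db (Windows Push Notification store).

Added example, not code from the walkthrough. Assumed schema (only the columns
read here): Notification(HandlerId, Type, Payload, ArrivalTime), where Payload is
the toast XML and ArrivalTime is a Windows FILETIME, and
NotificationHandler(RecordId, PrimaryId), where PrimaryId names the sending app.
"""
import sqlite3
import sys
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ticks):
    return (_FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()


def datetime_to_filetime(dt):
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def toast_text(payload):
    """Return the contents of every <text> element in a toast payload, in order."""
    if isinstance(payload, str):
        payload = payload.encode("utf-8")
    root = ET.fromstring(payload)  # bytes input lets ET honour any BOM / encoding declaration
    return [t.text for t in root.iter("text") if t.text]


def extract_toasts(conn):
    """Return [{'app', 'arrived', 'text'}] for every toast notification, oldest first."""
    rows = conn.execute(
        """
        SELECT h.PrimaryId, n.ArrivalTime, n.Payload
        FROM Notification n
        JOIN NotificationHandler h ON h.RecordId = n.HandlerId
        WHERE n.Type = 'toast'
        ORDER BY n.ArrivalTime
        """
    ).fetchall()
    return [
        {"app": app, "arrived": filetime_to_iso(arrival), "text": toast_text(payload)}
        for app, arrival, payload in rows
    ]


_TOAST = (
    '<toast><visual><binding template="ToastGeneric">'
    "<text>{sender}</text><text>{body}</text></binding></visual></toast>"
)


def build_sample_db(path=":memory:"):
    """Constructed miniature of wpndatabase.db with just the columns read above."""
    conn = sqlite3.connect(path)
    conn.executescript(
        """
        CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
        CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER,
                                   Type TEXT, Payload BLOB, ArrivalTime INTEGER);
        """
    )
    conn.executemany(
        "INSERT INTO NotificationHandler VALUES (?, ?)",
        [(1, "Example.WebMessenger_constructed"), (2, "Microsoft.Windows.Explorer")],
    )
    t0 = datetime(2024, 2, 4, 9, 30, tzinfo=timezone.utc)
    rows = [  # (HandlerId, Type, Payload, arrival) -- constructed sample data
        (1, "toast", _TOAST.format(sender="Helper (constructed)",
                                   body="Finished. Archive attached as a test."), t0),
        (2, "tile", "<tile/>", t0 + timedelta(minutes=1)),  # not a toast, filtered out
        (1, "toast", _TOAST.format(sender="Helper (constructed)",
                                   body="Password: constructed-pass"), t0 + timedelta(minutes=2)),
    ]
    conn.executemany(
        "INSERT INTO Notification (HandlerId, Type, Payload, ArrivalTime) VALUES (?, ?, ?, ?)",
        [(h, typ, p.encode("utf-8"), datetime_to_filetime(ts)) for h, typ, p, ts in rows],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    conn = sqlite3.connect(sys.argv[1]) if len(sys.argv) > 1 else build_sample_db()
    for item in extract_toasts(conn):
        print(item["arrived"], item["app"], " | ".join(item["text"]))
```

Usage: `python wpn_toasts.py wpndatabase.db`. Copy the database out of the image first; the ArrivalTime conversion is the same one DB Browser would need, since the raw column is a 100-ns FILETIME rather than a Unix timestamp.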

Question 3: What domain did the attacker use to download the second stage of the malware?

The discovery in the previous questions gave me a pretty good starting point. I needed to locate the file the attacker sent to the victim and analyze it for anything suspicious. When conducting an investigation, even for lab scenarios, I typically make it a habit to do a quick manual browsing of the folder structure (AppData, Downloads, etc.) to familiarize myself with the environment. After seeing the filename for the ZIP file in the wpndatabase, I recalled seeing a similar file artifact in my earlier reconnaissance.

I took a look at the contents of the victim's Downloads folder and noticed something suspicious: a shortcut (.lnk) file called templet.

I referred to another of the scenario’s suggested tools, LECmd. This utility can be used to parse lnk files for further analysis.

Within the command-line arguments there appeared to be an obfuscated URL, and I spent way too much time in CyberChef before I finally deobfuscated it to solve Question 3.

If you spend some time researching this malware on Google, however, there is an excellent analysis write-up that could help in scripting this process very quickly…
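For readers who want to see where LECmd finds the arguments field, here is an added minimal .lnk parser (mine, not LECmd and not code from the walkthrough). It follows the public MS-SHLLINK layout: a 76-byte header with the LinkFlags at offset 20, then the optional LinkTargetIDList and LinkInfo structures, then the StringData items in a fixed order, of which COMMAND_LINE_ARGUMENTS is the one that mattered here. The shortcut it builds for the demo is constructed with harmless arguments; the deobfuscation step is not shown because the walkthrough does not state the scheme.

```python
"""Minimal Shell Link (.lnk) parser that recovers the StringData fields, including
COMMAND_LINE_ARGUMENTS. Added example, not LECmd and not code from the walkthrough.
Extra data blocks after the strings are ignored.
"""
import struct
import sys

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

STRING_FIELDS = (  # StringData items appear in exactly this order when present
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(buf, off, unicode):
    """StringData item: CountCharacters (uint16) followed by that many characters, no NUL."""
    count = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + count * 2].decode("utf-16-le"), off + count * 2
    return buf[off:off + count].decode("cp1252", errors="replace"), off + count


def parse_lnk(data):
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (uint16) + IDList bytes
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (uint32) includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            fields[name], off = _read_string(data, off, unicode)
    return fields


def build_sample_lnk(relative_path, arguments):
    """Constructed shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS, no IDList/LinkInfo."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))  # attributes, timestamps, icon, hotkey zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed demo shortcut with harmless arguments
        data = build_sample_lnk(r"..\..\Windows\System32\cmd.exe", "/c echo constructed-sample")
    for key, value in parse_lnk(data).items():
        print(f"{key:14} {value}")
```

Usage: `python lnk_strings.py templet.lnk`. A long or oddly encoded `arguments` value on a shortcut in Downloads is exactly the signal the walkthrough describes; once you have that string, it is a short hop to CyberChef.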

Question 4: What is the name of the command that the attacker injected using one of the installed LOLAPPS on the machine to achieve persistence?

AND

Question 5: What is the complete path of the malicious file that the attacker used to achieve persistence?

LOLAPPS? I was familiar with LOLBins but this was new to me. I took to Google to understand if this was the same thing or something else. Fortunately, I stumbled across a website explaining LOLAPPS, including some examples of how to leverage a few of these apps for persistence.

With that information, I remembered seeing evidence of one of these applications, Greenshot, on the victim’s system during my earlier browsing of the challenge files.

Using the linked resources available for Greenshot on the LOLAPPS project site, I was able to find evidence of persistence from abuse of the External Command Plugin within the application’s configuration file. This was very interesting because I noticed a familiar filename referenced in the command being used for persistence and used this path to answer Question 5, too!
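Here is an added example of how I would turn that manual check of the External Command plugin into a quick triage script (mine, not code from the walkthrough or the Greenshot project). It assumes Greenshot.ini, found under %APPDATA%\Greenshot, stores the plugin's entries in an [ExternalCommand] section as a comma-separated Commands list with one Commandline_<name> and Argument_<name> key per entry; adjust the key names if your copy differs. The sample INI text and the flagging heuristics (script hosts, user-writable paths, a command that ignores the {0} screenshot placeholder) are constructed for the demo.

```python
"""Flag suspicious entries in Greenshot's External Command plugin configuration.

Added example, not code from the walkthrough or from Greenshot. Assumed layout of
Greenshot.ini: an [ExternalCommand] section, a comma-separated 'Commands' list,
and 'Commandline_<name>' / 'Argument_<name>' keys for each named command.
"""
import configparser
import re
import sys

# Script hosts and proxy-execution binaries that a screenshot helper has no reason to launch.
INTERPRETERS = re.compile(
    r"(?:^|\\)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(?:\.exe)?\s*$", re.I)
# Locations any user can write to; legitimate helpers normally live under Program Files.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Users\\Public)\\", re.I)


def flag_reasons(commandline, arguments):
    """Heuristic reasons an external command deserves a closer look (empty list = nothing odd)."""
    reasons = []
    exe = commandline.strip().strip('"')
    if INTERPRETERS.search(exe):
        reasons.append("launches a script host / proxy-execution binary")
    if USER_WRITABLE.search(exe):
        reasons.append("executable lives in a user-writable location")
    if "{0}" not in arguments:
        reasons.append("ignores the {0} screenshot placeholder, so it does not act on the capture")
    return reasons


def external_commands(ini_text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case; the keys are mixed case
    cp.read_string(ini_text)
    if not cp.has_section("ExternalCommand"):
        return []
    sec = cp["ExternalCommand"]
    names = [n.strip() for n in sec.get("Commands", "").split(",") if n.strip()]
    result = []
    for name in names:
        cmd = sec.get(f"Commandline_{name}", "")
        arg = sec.get(f"Argument_{name}", "")
        result.append({"name": name, "commandline": cmd, "arguments": arg,
                       "reasons": flag_reasons(cmd, arg)})
    return result


# Constructed sample: one stock entry and one entry pointing into the user's profile.
SAMPLE_INI = r"""
[Core]
Language=en-US

[ExternalCommand]
Commands=MS Paint,Sync Helper
Commandline_MS Paint=C:\Windows\System32\mspaint.exe
Argument_MS Paint="{0}"
Commandline_Sync Helper=C:\Users\OMEN\AppData\Roaming\sync\helper.exe
Argument_Sync Helper=
"""


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_INI
    for entry in external_commands(text):
        status = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"[{status}] {entry['name']}: {entry['commandline']} {entry['arguments']}")
        for reason in entry["reasons"]:
            print(f"    - {reason}")
```

Usage: `python greenshot_extcmd.py Greenshot.ini`. The heuristics are deliberately loose; the point is to surface every configured command so the analyst can compare each path against what is actually installed, which is how the persistence file path for Question 5 fell out of the same artifact.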

Question 6: What is the name of the application the attacker utilized for data exfiltration?

During my earlier analysis, another application stood out to me. A common post-compromise technique is for attackers to install legitimate remote access software for use as an alternative command-and-control or exfiltration channel (MITRE ATT&CK T1219).

Knowing this, I suspected that I already had the answer from checking out the AppData of the challenge files and from browsing the Microsoft Edge browser history database.

Question 7: What is the IP address of the attacker?

Now that I knew what application was used for exfiltration, I suspected that I needed to locate the application logs to help reveal the attacker’s IP address. Based on my previous experience with a different remote access software, I felt pretty confident that a quick search of the vendor’s site would tell me where to look.

Sure enough, this application maintains a trace file that can be located in %appdata%\REDACTED\ad.trace

For this last question, I used the last of the scenario's suggested tools, Timeline Explorer. I had not used this tool before and found that it really sped up the log analysis. I tried a couple of searches within the trace file, looking for external access. The right one was “logged in”, which gave me the final answer for this lab!
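The same “logged in” filter can be scripted for a trace file that is too large to eyeball. The example below is added by me and is not code from the walkthrough; the log line format in the sample is constructed, since the walkthrough only says the file is a text trace and that filtering on “logged in” surfaced the session of interest. It keeps every matching line, pulls out the IPv4 addresses on it, drops RFC 1918, loopback and link-local addresses so LAN noise does not distract, and tallies the external ones.

```python
"""Find "logged in" events in a remote-access tool's trace log and tally the external
IPv4 addresses they mention. Added example; the trace lines in SAMPLE_TRACE are constructed.
"""
import ipaddress
import re
import sys
from collections import Counter

IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def logged_in_events(lines, needle="logged in"):
    """Return (line, [external IPs on that line]) for every line containing the needle."""
    events = []
    for line in lines:
        if needle.lower() not in line.lower():
            continue
        ips = []
        for match in IPV4.findall(line):
            try:
                ip = ipaddress.ip_address(match)
            except ValueError:  # e.g. 999.1.1.1 slipped past the loose regex
                continue
            if not is_internal(ip):
                ips.append(str(ip))
        events.append((line.rstrip("\n"), ips))
    return events


def external_ip_counts(lines):
    """How many "logged in" lines mention each external address."""
    counts = Counter()
    for _, ips in logged_in_events(lines):
        counts.update(ips)
    return counts


# Constructed sample trace; the real file's layout differs, only the "logged in" text matters.
SAMPLE_TRACE = """\
2024-02-04 10:01:12.301  info  app.session  - Incoming session request from 203.0.113.45:50123
2024-02-04 10:01:15.044  info  app.session  - Remote user logged in (session 7)
2024-02-04 10:01:15.050  info  app.session  - Session 7 peer 203.0.113.45 logged in with password
2024-02-04 10:05:33.900  info  app.session  - Session 7 closed by peer
2024-02-04 11:20:02.110  info  app.session  - Local user logged in from 192.168.1.20 (LAN)
2024-02-04 11:30:00.000  info  app.update   - Update check failed, retry later
"""


if __name__ == "__main__":
    lines = open(sys.argv[1], errors="replace").readlines() if len(sys.argv) > 1 \
        else SAMPLE_TRACE.splitlines()
    for line, ips in logged_in_events(lines):
        print(("EXTERNAL " if ips else "         ") + line)
    print("\nexternal addresses:", dict(external_ip_counts(lines)))
```

Usage: `python trace_logins.py ad.trace`. Treat the tally as a starting point, not the answer: confirm the session by reading the surrounding lines, exactly as the Timeline Explorer filter lets you do.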

Conclusion:

Thank you to cyberdefenders.org for the challenge! This was a really fun lab scenario that provided a unique set of challenges during the investigation. This challenge also provided a great introduction to some of Eric Zimmerman’s tools that I had not used before and allowed me to better understand and analyze the Windows Push Notification database, LOLAPPS, and application logs.
