CTF Writeups

Hunting APT’s with Splunk | BOTSv2

WSGSec
3 min read, Sep 7, 2021

This writeup covers the 400 series questions from the BOTSv2 data set on TryHackMe. The room contains several different scenarios, but we will focus on the 400 series, in which you are tasked with hunting an Advanced Persistent Threat group using Splunk.

  • A Federal law enforcement agency reports that Taedonggang often spear phishes its victims with zip files that have to be opened with a password. What is the name of the attachment sent to Frothly by a malicious Taedonggang actor?

As we know this is a zip file, we should start by searching for all zip files. We also know this came from a spear phishing attack, most likely over email, so we should try sourcetypes related to email protocols such as SMTP, POP3 etc. In this case, SMTP is what we're looking for:

index="botsv2" *.zip sourcetype="stream:smtp"

Answer:
invoice.zip

  • What is the password to open the zip file?

We can add the filename to the search query to get the ball rolling. Then use CTRL+F in the browser and search for the keyword 'password'. Sift through the keyword matches and you will find the answer:

index="botsv2" *.zip sourcetype="stream:smtp" "attach_filename{}"="invoice.zip"

Answer:
912345678
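The two searches above (find archive attachments in the SMTP stream, then look for the word 'password' near them) can be scripted once the events are exported from Splunk. The following is an added example, not part of the original writeup or of the BOTSv2 data: it takes a handful of constructed events in the shape of stream:smtp records (the attach_filename{} field name follows the search above; senders, subjects, bodies and the password value are placeholders), lists every archive attachment and pairs it with password-like tokens from the same message, which is the check you would do by hand with CTRL+F.

```python
import re

# Constructed sample events shaped like Splunk stream:smtp records. The field
# name attach_filename{} follows the search in the writeup; every value below
# is a placeholder, not data from the BOTSv2 set.
SAMPLE_EVENTS = [
    {"sender": "hr@frothly.example.invalid", "subject": "Holiday schedule",
     "attach_filename{}": ["schedule.pdf"],
     "body": "Attached is the schedule for December."},
    {"sender": "billing@vendor.example.invalid", "subject": "Overdue invoice",
     "attach_filename{}": ["invoice.zip"],
     "body": "Open the attached archive. Password: examplepass1"},
    {"sender": "it@frothly.example.invalid", "subject": "Patch notes",
     "attach_filename{}": [],
     "body": "No action needed, please reset your password soon."},
]

# Archive types commonly used for password-protected lures.
ARCHIVE_SUFFIXES = (".zip", ".7z", ".rar")

# "password is X", "password: X", "password = X", "password X"
PASSWORD_RE = re.compile(
    r"password\s*(?:is\b|:|=)?\s*[\"']?([^\s\"'.,;]+)", re.IGNORECASE)


def archive_attachments(events, suffixes=ARCHIVE_SUFFIXES):
    """Return (sender, filename) for every attachment with an archive suffix."""
    hits = []
    for ev in events:
        for name in ev.get("attach_filename{}", []):
            if name.lower().endswith(suffixes):
                hits.append((ev["sender"], name))
    return hits


def password_candidates(body):
    """Tokens that follow the word 'password' in the message body."""
    return PASSWORD_RE.findall(body)


def triage(events, suffixes=ARCHIVE_SUFFIXES):
    """Map each archive attachment to password-like strings in the same mail.

    Only messages that actually carry an archive are reported, so a mail that
    merely mentions passwords (like the IT notice above) does not show up.
    """
    report = {}
    for ev in events:
        names = [n for n in ev.get("attach_filename{}", [])
                 if n.lower().endswith(suffixes)]
        if not names:
            continue
        candidates = password_candidates(ev.get("body", ""))
        for name in names:
            report[name] = candidates
    return report


if __name__ == "__main__":
    for sender, name in archive_attachments(SAMPLE_EVENTS):
        print(f"archive attachment {name} from {sender}")
    print("password candidates:", triage(SAMPLE_EVENTS))
```

In practice you would feed this the JSON export of the Splunk search results instead of SAMPLE_EVENTS; the regex is deliberately loose so that it surfaces candidates for a human to confirm rather than trying to be exact.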

  • The Taedonggang APT group encrypts most of their traffic with SSL. What is the "SSL Issuer" that they use for the majority of their traffic? Answer guidance: Copy the field exactly, including spaces.

As we know SSL runs over TCP, we can search the tcp stream sourcetype together with the attacker IP address found earlier:

index="botsv2" sourcetype="stream:tcp" 52.42.208.228

Answer:
C = US

  • What unusual file (for an American company) does winsys32.dll cause to be downloaded into the Frothly environment?

Starting from the search the question suggests (winsys32.dll), we can find the command line "C:\Windows\system32\ftp.exe" -i -s:winsys32.dll, which tells us to refine our search to FTP. Checking the list of FTP commands, a common one used for downloads is RETR. Searching on that method gives us a list of files downloaded that way, and it leads us to a suspicious-looking file:

index="botsv2" sourcetype="stream:ftp" method=RETR

Answer:
나는_데이비드를_사랑한다.hwp

  • What is the first and last name of the poor innocent sap who was implicated in the metadata of the file that executed PowerShell Empire on the first victim's workstation? Answer example: John Smith

Check the names in the invoice.zip file and/or the email:

Answer:
ryan kovar

  • Within the document, what kind of points is mentioned if you found the text?

Answer:
cybereastegg

  • To maintain persistence in the Frothly network, Taedonggang APT configured several Scheduled Tasks to beacon back to their C2 server. What single webpage is most contacted by these Scheduled Tasks? Answer example: index.php or images.htm

We can find this by searching for what we already know: Sysmon logs events relating to scheduled tasks, so we can search for events relating to its process, schtasks.exe. The smart thing to do from here would be to start excluding events from legitimate programs, but I did it the hard way and sifted through the results until I noticed something suspicious. I had a feeling I would be looking for an encoded command running through PowerShell (or cmd.exe), which is exactly what was found. When we decode the command from base64 we can see it is changing registry values; if we use this value to search, we will find several php files related to it. One of them will be the right answer:

Answer:
process.php
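Decoding the base64 argument and then tallying which page the tasks reach out to is the repetitive part of this question, and it is worth scripting when there are several tasks. The block below is an added example, not code from the writeup or from the BOTSv2 data: the schtasks.exe command lines, task names, hosts and scripts in it are constructed placeholders that only copy the shape described above (a task whose action is powershell.exe with an encoded command). PowerShell's -EncodedCommand takes base64 of the UTF-16LE script, so the decoder reverses exactly that; the tally then counts the final path component of every URL in the decoded scripts.

```python
import base64
import binascii
import re
from collections import Counter
from urllib.parse import urlparse

# -EncodedCommand and the short prefixes PowerShell accepts for it. PowerShell
# also takes other unambiguous prefixes (-enco, -encoded, ...); add them here
# if your data uses them.
ENC_FLAG_RE = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.IGNORECASE)


def encode_ps(script):
    """UTF-16LE then base64: the form -EncodedCommand expects.

    Used here only to build the constructed sample data below.
    """
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed Sysmon-style command lines for schtasks.exe. Task names, hosts
# and scripts are placeholders (RFC 5737 documentation addresses), not events
# from the BOTSv2 set. The first line is a benign task with no encoded command.
SAMPLE_COMMAND_LINES = [
    'schtasks.exe /create /tn "Defrag" /tr "defrag.exe -c" /sc daily',
    'schtasks.exe /create /tn "Updater1" /tr "powershell.exe -NoP -W Hidden -enc '
    + encode_ps("$u='http://203.0.113.10/process.php'") + '" /sc minute /mo 10',
    'schtasks.exe /create /tn "Updater2" /tr "powershell.exe -NoP -W Hidden -EncodedCommand '
    + encode_ps("$u='http://203.0.113.10/process.php'") + '" /sc minute /mo 10',
    'schtasks.exe /create /tn "Updater3" /tr "powershell.exe -NoP -W Hidden -e '
    + encode_ps("$u='http://198.51.100.7/login.php'") + '" /sc hourly',
]


def decode_encoded_command(cmdline):
    """Return the decoded script from an encoded-command argument, or None.

    None is also returned when the argument is not valid base64 or does not
    decode as UTF-16LE, so a malformed event never aborts the whole run.
    """
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def pages_in(text):
    """Final path component of every URL in text, e.g. 'process.php'."""
    return [urlparse(u).path.rsplit("/", 1)[-1] for u in URL_RE.findall(text)]


def most_contacted_page(cmdlines):
    """Tally pages across all decoded task commands; return (page, count)."""
    tally = Counter()
    for line in cmdlines:
        script = decode_encoded_command(line)
        if script:
            tally.update(pages_in(script))
    return tally.most_common(1)[0] if tally else None


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(line[:60], "->", decode_encoded_command(line))
    print("most contacted:", most_contacted_page(SAMPLE_COMMAND_LINES))
```

Run against the CommandLine field of the schtasks.exe events exported from Splunk, the same tally tells you in one pass which page the beacons favour; anything that decodes to registry changes or URLs from a task named like a system component is the kind of result to pull out for closer inspection.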
