Tate | Security+ | CDSA | CCD

ZeroLogon

Scenario:

Your role as a Tier 2 SOC Analyst at EliteSystems Corp is put to the test following an alert from the Tier 1 team about a confirmed phishing email leading to a potential network-wide intrusion. With disk data already triaged and ready for analysis, you must uncover the extent of this intrusion and identify the compromised assets within the network.

image

Well, looking at the image I can immediately identify this as a spearphishing attempt.

Red flags in the body of the email:

  1. Sense of urgency. “Melenia” is pressuring the recipient of this email into downloading and opening the compressed attachment.
  2. Zipped, password-protected email attachment. This should set off major red flags for analysts; employees should never open password-protected zip files downloaded from emails. This is for two reasons:
    • Password-protected zip files are encrypted, so most security tools won’t be able to inspect or detect the malicious software inside. The legitimate purpose is to protect the confidentiality and integrity of the file being sent; however, threat actors exploit the same property to deliver their initial payloads through encrypted email attachments.
    • Depending on the context of the organization, the security team could create email gateway rules to drop messages with password-protected zip files.

Thunderbird Logs on the Initially Targeted User

image

image

This indicates to me that the original Yahoo mail server that sent the email attachment likely targeted other individuals as well, and that we are on the right track.

I’m going to start by using Eric Zimmerman’s LECmd.exe to parse the LNK files in emily’s Desktop directory and output them to a CSV file to be imported into Timeline Explorer.

image

image

It looks like the documents.zip file started in the Downloads folder. Nothing too interesting here so far, so I will pivot to Event Logs.

image

This appears to be a malicious executable used for C2 communications, which we will come back to later.

For now, I saw an encoded PowerShell command which I was able to decode using CyberChef.

image

image

There was also a command that downloads and uses the Invoke-ShareFinder module from PowerView.
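Decoding a single encoded command in CyberChef is fine for one event, but a small parser lets you run the same check across every 4688/4104 command line in the exported logs. The Python below is an added example, not code from this write-up; the log line and the Invoke-ShareFinder payload it decodes are constructed here, and it assumes the standard -EncodedCommand encoding (base64 over UTF-16LE), including nested layers.

```python
import base64
import re
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the
# spellings commonly seen in process-creation (4688) and ScriptBlock (4104) logs.
ENC_FLAG = re.compile(
    r"(?i)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)"
    r"\s+([A-Za-z0-9+/=]{16,})"
)
# Strings worth a second look in the decoded script; Invoke-ShareFinder is the
# PowerView function seen in this investigation.
SUSPICIOUS = ("Invoke-ShareFinder", "DownloadString", "IEX", "Invoke-Expression", "WebClient")


def decode_layer(blob: str) -> Optional[str]:
    """Decode one -EncodedCommand payload: base64 wrapping UTF-16LE text."""
    try:
        raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
        return raw.decode("utf-16le")  # odd byte count -> UnicodeDecodeError
    except (ValueError, UnicodeDecodeError):
        return None


def decode_command_line(cmdline: str, max_depth: int = 5) -> List[str]:
    """Peel nested -EncodedCommand layers, returning each decoded script in order."""
    layers, current = [], cmdline
    for _ in range(max_depth):
        match = ENC_FLAG.search(current)
        if not match:
            break
        decoded = decode_layer(match.group(1))
        if decoded is None:
            break
        layers.append(decoded)
        current = decoded
    return layers


def triage(cmdline: str) -> dict:
    """Return layer count, innermost script and which indicator strings it contains."""
    layers = decode_command_line(cmdline)
    script = layers[-1] if layers else cmdline
    hits = [s for s in SUSPICIOUS if s.lower() in script.lower()]
    return {"layers": len(layers), "script": script, "indicators": hits}


def _b64_utf16(text: str) -> str:
    return base64.b64encode(text.encode("utf-16le")).decode()


# Constructed sample 4688-style command line (not taken from the case logs):
# two -EncodedCommand layers around a PowerView Invoke-ShareFinder call.
INNER = "Import-Module .\\PowerView.ps1; Invoke-ShareFinder"
MIDDLE = "powershell.exe -nop -w hidden -enc " + _b64_utf16(INNER)
SAMPLE_CMDLINE = "powershell.exe -NoProfile -EncodedCommand " + _b64_utf16(MIDDLE)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```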