Hello and welcome to the Project Obsidian endpoint forensics Kill Chain 3 walkthrough. Before we go through the actual walkthrough, I'd like to draw a little context around what this presentation is. So first of all, what is Project Obsidian? Obsidian is a project that the Blue Team Village has been working on for a few years now. It is designed, we created a fictitious company. We staffed that fictitious company with employees. And then we had the red team, the Project Obsidian red team, attack that network. And from there we did incident response, forensic examination, malware reverse engineering, cyber threat intelligence and cyber threat hunting. And this presentation today is really the endpoint forensics part of it, so the forensics team will have several presentations. This one is Kill Chain 3. And it covers only looking at the endpoints from a forensics perspective. We did collections on the machines in the environment after the environment was attacked.

I'll show a little bit of a timeline. We're not going to focus on the timeline, because mostly what I want to show in this presentation is the artifacts, how we would look at the artifacts, how we would draw conclusions from those artifacts. And then a small demo of what it looks like when you would actually do the analysis. Now, on the timeline we'll see several slides, and I'm not going to really cover these, but I just wanted to cover the kinds of things that we'll see in today's presentation. We'll see some BloodHound being run in the environment, SMB scanning, connections from a machine called RDP01 to domain controllers. We're going to focus mostly on three machines: the one which is the source of where the attacks came from, and then some activity on the domain controllers. We'll see some malicious admins being added via automation. We'll see some evidence that the actor tried to exfil some data, some lateral movement, dumping of credentials via dumping LSASS.
And then an NTLM downgrade to allow less secure hashes to be dumped, which could be cracked offline, and then security logs being cleared. Excuse me.

So let's see the first piece of evidence that we noticed in this environment. One of the things that we look at very often when we're looking at a possibly compromised environment is the 7045 message. And this one does not disappoint. On the domain controller DC.magnumtempus.financial, we see PowerShell, PsExec being run on that machine via the PsExec service. And furthermore, we don't see any additional 7045 messages, but this is something that we'll keep in mind as we look more at the data.

But one of the things that we do when we analyze a machine is we look for files that look like they're hostile. Now, actors don't always name their files obviously ("this is a hostile file, you know, .txt"), but in this case we did see several files that looked like they could be created by the attacker. One of them was this BloodHound zip file on Pat Reese's desktop. We saw several other files indicating that PowerSploit had been run, and the Invoke-Portscan module had been run on the machine. We saw some files that indicated credential dumping, and evidence indicates that the first one was using the Task Manager LSASS memory dump, and the second using a technique that uses rundll32 to execute comsvcs.dll to dump LSASS. In addition, we find some other very interesting files on Pat Reese's desktop: four files called computers.txt, 1.txt, 2.txt and 3.txt, and diving into those files a little further, we identified that they are lists of IP addresses. This is important, because when we look at these files as an investigator, now we have some evidence to decide the next set of machines we should look at.
Now, those four files were used by PsExec on the RDP01 machine to automate adding hostile users to the local Administrators group. Right, we see the addition of combo security; we have a user ID called Jimbo, the user ID called Has, and a user ID called Andy, using PsExec and automating that using these four files.

So, diving into some of the evidence. The first place we're looking here is at Pat Reese's PowerShell console history. And again, we see that they used the BloodHound tool to scan the environment, find vulnerabilities in Active Directory. We also see, just as an aside, this LSASS dump that we had talked about earlier. This is coming from running Chainsaw against the Sysmon Operational event log, and Chainsaw identified this activity, Event ID 11, as LSASS memory dump file creation. Looking further into some of the evidence, we find in Pat Reese's PowerShell console history execution of a port scan running against the subnet 172.16.16.50, looking for 445 being active. Again, looking further at this evidence, we see evidence that the Invoke-ShareFinder module was used, and looking a little bit further down at the log, we see evidence of Mimikatz being run in the environment to dump the LSASS hashes. Next, looking further, again at Pat Reese's PowerShell console history, we see this dump file that we had identified earlier. Console history doesn't contain dates and times in it; going back to the creation time that we saw earlier of this dump file, we can get an idea in our timeline of when this activity took place.

Looking further at browser history: we collected browser history using Velociraptor, then took that browser history and converted it to a CSV file, and then took that CSV file and put it into a reporting mechanism that I use called ACH Report. Using this, and I'll show that in a little bit.
We see that this machine reached out to file.pizza and transfer.sh, indicating that the actor wanted to take the data from the machine and exfil it out. We also see it reaching out to interact.sh. Now, one might say that this could be evidence of exfiltration; interact.sh is actually an out-of-band detection mechanism. It's used when a hostile actor would execute an attack, and then interact.sh is used to report on whether the attack was successful or not. In this case, we don't see the typical URL we would see from interact.sh, so the actor reached out to interact.sh and was likely just looking at it, probably not being used in the video.

Looking further into the evidence, again we see in the Sysmon logs Event ID 13, and PowerShell, I mean Chainsaw, identified that this was likely an NTLM downgrade. At 19:09 and at 20:54, we saw the actor execute an NTLM downgrade. The idea in an NTLM downgrade is to force the machine to allow insecure hashing, and then those credentials can be dumped, those hashes can be dumped, and they're easier to crack offline. So we see evidence of that activity. And if we wanted to, we could actually look in the users registry, actually not in the users registry, in the machine registry, HKEY_LOCAL_MACHINE, and we would find the evidence in LmCompatibilityLevel, NtlmMinClientSec, and RestrictSendingNTLMTraffic; we would find evidence in those keys that NTLM had been set to allow downgrading. Looking at this activity in Chainsaw, we also see further evidence of PowerShell being executed in the environment, kind of just an added thing; we were really looking at the NTLM downgrade. But this is what you'll find often when looking at evidence: other pieces will pop out. You'll take note of them and then add them into your timeline.
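An added example, not code from the talk or the Project Obsidian data set: a small Python check that runs over Sysmon Event ID 13 (registry value set) records and flags writes to the three Lsa values named above that weaken NTLM. The record shape, the "weak" thresholds and the sample events are assumptions made for this example.

```python
import re

# Values under HKLM\SYSTEM\CurrentControlSet\Control\Lsa that an NTLM downgrade
# rewrites. The "weak" tests are this example's assumptions, not thresholds
# from the talk: LmCompatibilityLevel < 3 permits LM/NTLMv1 responses,
# NtlmMinClientSec without 0x20080000 drops the NTLMv2 session-security and
# 128-bit requirement, RestrictSendingNTLMTraffic 0 leaves outgoing NTLM open.
WEAK_NTLM_SETTINGS = {
    "lmcompatibilitylevel": lambda v: v < 3,
    "ntlmminclientsec": lambda v: (v & 0x20080000) != 0x20080000,
    "restrictsendingntlmtraffic": lambda v: v == 0,
}
# Sysmon Event ID 13 reports written data as e.g. "DWORD (0x00000002)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9a-fA-F]{1,8})\)")

def parse_dword(details):
    """Integer in a Sysmon 'DWORD (0x...)' Details string, or None if not a DWORD."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else None

def find_ntlm_downgrades(records):
    """Flag Sysmon Event ID 13 (registry value set) records that weaken NTLM."""
    hits = []
    for rec in records:
        target = rec.get("TargetObject", "")
        if rec.get("EventID") != 13 or "\\control\\lsa\\" not in target.lower():
            continue
        value_name = target.rsplit("\\", 1)[-1]
        is_weak = WEAK_NTLM_SETTINGS.get(value_name.lower())
        data = parse_dword(rec.get("Details", ""))
        if is_weak and data is not None and is_weak(data):
            hits.append({"time": rec.get("UtcTime"), "host": rec.get("Computer"),
                         "image": rec.get("Image"), "value": value_name, "data": hex(data)})
    return hits

# Constructed sample records shaped like Sysmon Event ID 13 fields; not data from the talk.
PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
LSA = "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\"
SAMPLE_RECORDS = [
    {"EventID": 13, "UtcTime": "2023-01-01 19:09:12.000", "Computer": "RDP01", "Image": PS,
     "TargetObject": LSA + "LmCompatibilityLevel", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "UtcTime": "2023-01-01 19:09:13.000", "Computer": "RDP01", "Image": PS,
     "TargetObject": LSA + "MSV1_0\\NtlmMinClientSec", "Details": "DWORD (0x00000000)"},
    # 2 = deny all outgoing NTLM: a hardening change, so it must not be flagged
    {"EventID": 13, "UtcTime": "2023-01-01 20:54:40.000", "Computer": "RDP01", "Image": PS,
     "TargetObject": LSA + "MSV1_0\\RestrictSendingNTLMTraffic", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "UtcTime": "2023-01-01 20:55:01.000", "Computer": "RDP01", "Image": PS,
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Domain",
     "Details": "example.local"},  # unrelated key outside Lsa, ignored
]

if __name__ == "__main__":
    for hit in find_ntlm_downgrades(SAMPLE_RECORDS):
        print(hit)
```

The flagged records carry the writing image and time, which is what you would line up against the console history and the 19:09 / 20:54 entries on the timeline.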
So we're seeing evidence of PsExec. Now, this is important, because what we see here is the two machines that are being attacked, right: we see DC02 and RDP01. So we see RDP01 authenticating to DC02, and then we see DC02 running PsExec, running the service that is PsExec. And you'll notice that all of the timestamps are 8:59, so this is a strong correlation that RDP01 authenticated to DC02 and ran PowerShell, I keep saying PowerShell, ran PsExec on that machine.

Again, we mentioned earlier that these files found on the desktop, this desktop, computers.txt, 1.txt, 2.txt and 3.txt, were used to automate PowerShell to add hostile actors to the administrator, hostile user IDs to the Administrators group. And here we see that evidence in the Sysmon logs, again extracted using Chainsaw and formatted using ACH Report. So these are Event ID 1 that we saw Chainsaw identify as Hurricane Panda, but really what we're looking at here is PowerShell being used to automate adding hostile administrators to several machines that are located in those txt files, IP addresses located in those txt files. On the machines themselves, here we're seeing on DC the commands being executed. And we see combo security being added with a password of B4 BY metal, an important piece of information, because now we can go to that machine and we know both the hostile user that was added and its password. We also see here later on in this log evidence that the event logs were cleared: Application, Security and System. Another piece of added information that we can add to what we know about this machine.

This we saw, we see now in Pat Reese's console history, that Mimikatz was run, in both, Mimikatz from PowerShell Empire. And these hashes were used, you'll see the hash being used, to escalate this machine to administrator. As mentioned earlier, we see now, using Chainsaw, Chainsaw identified that the event logs had been cleared.
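The 8:59 correlation above, as an added example that is not part of the talk or its data: a Python routine that pairs each PsExec-style 7045 service install with the network logons (4624, logon type 3) on the same host inside a short window, so the logon's workstation name and IP name the source machine, plus a helper that records the earliest log-clear event (1102 for Security, 104 for System) as the point before which event-log evidence is gone. The flattened event shape, host and user names are constructed for this example.

```python
from datetime import datetime

# Constructed sample events in a flattened EVTX-like shape (EventID, Computer, Time,
# plus a few relevant fields); hosts, users and addresses are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4624, "Computer": "DC02", "Time": "2023-01-01T08:59:01", "LogonType": 3,
     "TargetUserName": "ctf_user", "WorkstationName": "RDP01", "IpAddress": "10.0.0.50"},
    {"EventID": 7045, "Computer": "DC02", "Time": "2023-01-01T08:59:04",
     "ServiceName": "PSEXESVC", "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 4624, "Computer": "DC02", "Time": "2023-01-01T07:10:00", "LogonType": 3,
     "TargetUserName": "svc_backup", "WorkstationName": "BACKUP01", "IpAddress": "10.0.0.9"},
    {"EventID": 7045, "Computer": "DC02", "Time": "2023-01-01T12:00:00",
     "ServiceName": "Sysmon64", "ImagePath": "C:\\Windows\\Sysmon64.exe"},
    {"EventID": 1102, "Computer": "DC02", "Time": "2023-01-01T21:30:00",
     "SubjectUserName": "ctf_user"},
]

# Service names / image paths that mark a remote-execution tool's service (assumption).
REMOTE_EXEC_MARKERS = ("psexesvc",)

def ts(ev):
    return datetime.fromisoformat(ev["Time"])

def is_remote_exec_service(ev):
    blob = (ev.get("ServiceName", "") + " " + ev.get("ImagePath", "")).lower()
    return any(marker in blob for marker in REMOTE_EXEC_MARKERS)

def correlate_psexec(events, window_seconds=60):
    """For each remote-exec 7045, list network logons (4624 type 3) on the same host
    within the window; the logon's WorkstationName/IpAddress names the source host."""
    logons = [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3]
    findings = []
    for svc in events:
        if svc["EventID"] != 7045 or not is_remote_exec_service(svc):
            continue
        near = [l for l in logons if l["Computer"] == svc["Computer"]
                and abs((ts(l) - ts(svc)).total_seconds()) <= window_seconds]
        findings.append({"host": svc["Computer"], "time": svc["Time"],
                         "service": svc["ServiceName"],
                         "sources": sorted({(l["WorkstationName"], l["IpAddress"],
                                             l["TargetUserName"]) for l in near})})
    return findings

def log_clear_horizon(events, computer):
    """Earliest log-clear (1102 Security, 104 System) on a host; earlier log data is gone."""
    clears = [ts(e) for e in events if e["EventID"] in (1102, 104) and e["Computer"] == computer]
    return min(clears).isoformat() if clears else None

if __name__ == "__main__":
    for finding in correlate_psexec(SAMPLE_EVENTS):
        print(finding)
    print("DC02 logs cleared at:", log_clear_horizon(SAMPLE_EVENTS, "DC02"))
```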
And this would be an important time in our timeline, because it would define the point in time where we really won't know about what happened. So, once the event logs are cleared, data previous to this would not be available to us in the event logs; we would have to look at other pieces of evidence to identify activity on this machine.

Okay, that was a real quick run-through of, you know, the evidence that we looked at. Actually not a lot of pieces, not a lot of artifacts, but a lot of information being gathered. So, let's take a look at some of that data in its native form, or in the form that we would review as we gathered information about this machine.

So, first on the DC system, I mentioned that we were looking at the 7045 messages, so here we're looking at the System event log. In this case, probably the best way to look at this data would be to filter the log, looking for 7045. So, as we mentioned in our walkthrough earlier, we see the evidence of PowerShell, the PowerShell service piece, being run on the domain controller. We also mentioned on RDP01, let's see, we're looking at DC here, RDP01. This is the report tool that I used. This report tool does not do a lot of the parsing of the data; it does some parsing, but mostly it's used to put all of the data, to run the parsing utilities and put them all in one place. So, what we're going to look at is, we identified that BloodHound was run in the environment. And here we see that Velociraptor collected the console history, the PowerShell console history, of Pat Reese, and this reporting tool simply shows the activity that was in that console history. And here we see the execution of BloodHound and then the file name that it was saved under, and this gives us information, if we look at that file, on when that was run. Now, that's not an indication of the first time it was run; it was really an indication of what is available to us.
So BloodHound could have been run five times, four times, it could have been run once, but what we have in this evidence is that BloodHound was run and that it was run at a specific time. We also identified that a port scan was run. So, again, looking in this console history, we identified that the port scan was run from PowerSploit. One of the things we previously identified was the dump file created by running comsvcs.dll through rundll32, creating this dump file, which would be a dump of LSASS. Now, if we look at that, search for comsvcs, we also find here when that was run. So, looking at RDP01, we see that dump file being created, and in the Sysmon event log, Chainsaw identified this activity and reported it, and we just take that and put it into this reporting format.

Another thing that we saw earlier was evidence of at least attempts to exfiltrate data. So, looking at the activity around that time, we see the actor reaching out to file.pizza, transfer.sh. And if we look a little bit further down, we also see the actor reaching out to webwormhole.io. All evidence that the actor was at least interested in exfiltrating the data out of the environment.

One of the other things we saw, we mentioned earlier, was an NTLM downgrade attack. So, here, looking at the Chainsaw output, we see what we had seen earlier, which is the NTLM, Chainsaw identified this as NTLM, NetNTLM downgrade. And again, we could go to the registry itself if we wanted to have some corroborating evidence; we could go to the registry itself and show that those registry keys had indeed been modified. Furthermore, on DC02, we also identified that PowerShell, the PsExec, had been run on that machine also. We see that in an Event ID 11. So let's look for Event ID 11. We saw that activity at about 20:59. So, as we look through this data, we go down to 20:59, and we see the evidence that PsExec had been run on this machine at 20:59:57. So, here we are at our reporting tool.
We see on RDP01, this evidence on RDP01 that PsExec, and again, this is just what we had seen in the screenshot, but here we're looking at the evidence itself: Event ID 1, identified by Chainsaw as PowerShell exec, automating the addition of combo security to the Administrators group on that set of IP addresses in the computers.txt, 1.txt, 2.txt and 3.txt files. So, as we look at this data, we could then look around it and see that the actor had also done some discovery of the environment, running whoami and other activity, the dump of LSASS. So, looking at this data in context, we can identify the times that this activity happened, and we get a better idea of sort of what the actor was doing on this machine. And it helped us draw conclusions about what the actor was after, what they were interested in, and what they accomplished, and sometimes what they didn't accomplish.

So, looking at the domain controller, right, we'll see the evidence that that activity was successful on the domain controller. So, let's look for combo security. And here we see that on the actual machine, net user combo security was run. And again, we're able to draw some context around times and activity on this machine. So, looking back to our RDP01, we also saw the pass-the-hash escalation or elevation activity. And again, looking at Pat Reese's PowerShell console history, we don't have times, but we do have a good picture of what the actor did using PowerShell. Clearly not all the things the actor did, but the activity that the actor did on this machine when using PowerShell. The last thing we're going to look at, of course, is this evidence that the actor cleared the event logs. So, we can see not only the execution of that command, that the event logs were cleared, but we can get an idea of exactly when that happened, right, by looking at what is left in the event logs after they're cleared.
So, recapping what we did on this machine to analyze it and to draw some conclusions. We had an environment that was compromised. We ran Velociraptor on the machine to gather telemetry and artifacts. Chainsaw was running on the machine, so we used that as the basis for a lot of our conclusions. We ran Chainsaw on the machine to look at the event logs and identify hostile activity. Chainsaw uses Sigma rules to identify hostile activity. We took that data and we put it in a reporting tool, ACH Report, to put all the data in one place to make it easier to kind of draw context around times and activities. We also used a tool called MFT Dump, which takes the MFT, which Velociraptor collected, and turns that into a comma-separated values file, a CSV file, and then ACH Report can ask that file questions about files that are identified on that machine. Here we got some timestamps of when those hostile files were created and how they were created, what tools were used to create them.

That concludes our walkthrough of Kill Chain 3. To learn further about Project Obsidian, about Blue Team Village, please join us on our Discord channel. Join the conversation. We'll be releasing all of this data as open source. We'll be providing it to the community for lots of reasons. One is so that you can walk through the data using your own tools or the tools we used, to learn more and to gain some hands-on experience of how your workflow would go when you're analyzing data, when you're learning to analyze data. The second thing is that we hope that this will be used by people with new tools. So as new tools come out, new Blue Team tools are always coming out, this data can be used to test those tools to see if the same conclusions are drawn, or if those tools find other information that we may not have uncovered. And also, you can join the conversation on Twitter. We're at Blue Team Village. Or if you want to learn more about the Blue Team Village, you can go to our website, blueteamvillage.org.