Tolkien Ring
Like many other rooms, the Tolkien Ring room has three different challenges. In the first we are given a packet capture that we need to analyze to answer a set of questions. The second is a review of Windows event logs (PowerShell), and the third is writing Suricata rules for the packet capture from the first challenge.

Wireshark Practice
First question - What type of objects can be exported from this PCAP?
In Wireshark we can click File > Export Objects > OBJECT and observe the different objects that can be exported.
Second question - What is the file name of the largest file we can export?
After we click File > Export Objects > HTTP we just need to sort by size and we have the answer to our question.

Third question - What packet number starts that app.php file?
Based on the previous image we can already answer this question
Fourth question - What is the IP of the Apache server?
By clicking on the row related to the app.php we will be moved to packet 687.

We can observe this is an HTTP Response 200 (OK). This means that the source IP belongs to the server while the destination is the client. So to answer our question we only need to grab the source IP from the IPv4 layer of the packet.
Fifth question - What file is saved to the infected host?
In order to understand what happens during this web browser session we need to inspect the session. Right-click the packet and choose Follow > HTTP Stream; a new window pops up with the stream we want to investigate.

We can observe two requests made to app.php. The second is especially interesting: it contains a function that saves a blob of data to disk, together with a huge base64 payload. If we scroll down we will see the name used to save this base64 data.

Sixth question - Attackers used bad TLS Certificates in this traffic. Which Countries were they registered to? (submit the answer in Alphabetical order)
In order to obtain the information related to the TLS certificates we need to apply a Wireshark display filter so we can work easily with the data we have available. After some Google-fu, the filter that isolates certificate messages is: tls.handshake.type == 11. Now that the certificate information is isolated we need to retrieve the country information. The way I find easiest is to show that information as a column in the Wireshark view. To do that, expand Transport Layer Security > Handshake Protocol: Certificate > Certificates > Certificate > Signed Certificate > Issuer > rdnSequence > RDNSequence item (id-at-countryName) > CountryName. Now we can double click and press Apply as Column.

Now that we know how to see which country a certificate belongs to, the next step is to find which certificates are legitimate and which are not. For this we will use the common name to distinguish them. As before, let's add that information as a column: Transport Layer Security > Handshake Protocol: Certificate > Certificates > Certificate > Signed Certificate > Issuer > rdnSequence > RDNSequence item (id-at-commonName) > uTF8String. This is not an elegant solution, but it was my initial approach. A better way to do it is via tshark.

Now we just need to convert the country code to the country name and sort them in alphabetical order.
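The tshark route mentioned above, carried through to the sorted country list, as an added example that is not part of the original write-up. It assumes the certificate fields are extracted with tshark using the Wireshark X.509 field names x509sat.CountryName and x509sat.uTF8String (an assumption on my part), and the tshark output embedded below is constructed sample data, not output from the challenge capture. The list of "trusted" common names is likewise an assumption made for the sample.

```python
"""Added example: turn tshark certificate output into the alphabetically sorted
list of countries the suspicious certificates belong to.

Assumed tshark invocation (field names are my assumption, from Wireshark's X.509 dissector):
  tshark -r capture.pcap -Y "tls.handshake.type == 11" -T fields \
         -e x509sat.CountryName -e x509sat.uTF8String -E separator=/t -E occurrence=a
With occurrence=a every value of a field in a packet is joined with commas, so a
certificate chain yields "US,US<TAB>CA name,Site name". Note that x509sat.CountryName
is emitted for issuer and subject alike; the sample below assumes issuer values only.
"""
import csv
import io

# Constructed sample of that output (four Certificate messages). Not real data.
SAMPLE_TSHARK_OUTPUT = (
    "US,US\tExample Root CA,Example Trusted Site\n"
    "RU\tzz-constructed-host.example\n"
    "US\tExample Root CA\n"
    "DE\tconstructed-other.example\n"
)

# Minimal ISO 3166-1 alpha-2 map covering the sample; extend as needed.
COUNTRY_NAMES = {"US": "United States", "RU": "Russia", "DE": "Germany"}

# Common-name substrings of certificates treated as legitimate (assumption for the sample).
TRUSTED_CN_MARKERS = ("Example Root CA", "Example Trusted Site")


def parse_certificate_rows(text):
    """Yield (country_code, common_name) pairs from tshark -T fields output."""
    for row in csv.reader(io.StringIO(text), delimiter="\t"):
        if len(row) < 2:
            continue
        countries = [c.strip() for c in row[0].split(",") if c.strip()]
        names = [n.strip() for n in row[1].split(",") if n.strip()]
        if not countries:
            continue
        # Pair each certificate in the chain with its country; if the counts do not
        # line up, fall back to the first country value of the packet.
        for i, name in enumerate(names):
            code = countries[i] if i < len(countries) else countries[0]
            yield code, name


def suspicious_countries(text, trusted_markers=TRUSTED_CN_MARKERS):
    """Country names of certificates whose CN is not trusted, sorted alphabetically."""
    codes = set()
    for code, name in parse_certificate_rows(text):
        if any(marker in name for marker in trusted_markers):
            continue
        codes.add(code)
    return sorted(COUNTRY_NAMES.get(c, c) for c in codes)


if __name__ == "__main__":
    print(suspicious_countries(SAMPLE_TSHARK_OUTPUT))  # ['Germany', 'Russia']
```

Feeding real tshark output in place of SAMPLE_TSHARK_OUTPUT (for example via sys.stdin.read()) gives the answer in the alphabetical order the question asks for; the trusted-CN list is the only part that needs adjusting per capture.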
Is the host infected?
🎉With this we Complete the first challenge! 🎉
Windows Event Logs
In this challenge we need to run an investigation to verify if Grinchum has accessed the Lembanh and if the secret ingredient was stolen.
As a DFIR practitioner, my first approach to this challenge was to run Eric Zimmerman's tool EvtxECmd and then review the CSV results to answer the challenge questions. I ran it like this: EvtxECmd.exe -f .\powershell.evtx --csv .\ --csvf powershell.csv
This produces a CSV in the current folder named powershell.csv.
First question - What month/day/year did the attack take place? (MM/DD/YYYY)
Filtering Payload2 for the word Recipe, we can identify the first malicious action at 12/24/2022 11:01:04 AM.
Second question - An attacker got a secret from a file. What was the original file's name?
We know this from the previous question
Third question - The contents of the previous file were retrieved, changed and stored to a variable by the attacker. Submit the last full PowerShell line that performed only these actions.
Fourth question - After storing the altered file contents into the variable, the attacker used the variable to run a separate command that wrote the modified data to a file. Submit the last full PowerShell line that performed only this action.
Fifth question - The attacker ran the previous command against a file multiple times. What is the name of this file?
Sixth question - Were any files deleted?
For this we need to look for del commands
Seventh question - Was the original file (from question 2) deleted?
Eighth question - What is the Event ID of the log that shows the actual command line used to delete the file?
For this we just need to look for the del command and read the EventId column of that row.
Ninth question - Is the secret ingredient compromised?
For this question we need to look for the -replace keyword.
Tenth question - What is the secret Ingredient?
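The CSV triage described in the questions above (first "Recipe" hit, -replace lines, del commands and their Event IDs), as an added example that is not part of the original write-up. The CSV rows are constructed sample data, not rows from the challenge's log, and the column names (TimeCreated, EventId, PayloadData2) follow EvtxECmd's output as I know it; 4104 is PowerShell's script block logging Event ID.

```python
"""Added example: triage an EvtxECmd CSV of PowerShell script-block events.
The CSV below is constructed sample data with made-up file names and values."""
import csv
import io
import re
from datetime import datetime

SAMPLE_EVTXECMD_CSV = (
    "TimeCreated,EventId,Channel,PayloadData2\n"
    "2022-12-24 11:00:10.0000000,4104,Microsoft-Windows-PowerShell/Operational,"
    "ScriptBlockText: Get-ChildItem\n"
    "2022-12-24 11:01:04.0000000,4104,Microsoft-Windows-PowerShell/Operational,"
    "ScriptBlockText: Get-Content .\\sample_recipe.txt\n"
    "2022-12-24 11:02:30.0000000,4104,Microsoft-Windows-PowerShell/Operational,"
    "\"ScriptBlockText: $foo = Get-Content .\\sample_recipe.txt | % {$_ -replace 'sugar', 'salt'}\"\n"
    "2022-12-24 11:03:12.0000000,4104,Microsoft-Windows-PowerShell/Operational,"
    "ScriptBlockText: $foo | Add-Content -Path 'sample_out.txt'\n"
    "2022-12-24 11:04:00.0000000,4104,Microsoft-Windows-PowerShell/Operational,"
    "ScriptBlockText: del .\\sample_recipe.txt\n"
)


def load_events(text):
    """Parse EvtxECmd CSV text into dicts (when, event_id, script), oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append({
            # EvtxECmd writes 7 fractional digits; keep only the second-resolution part.
            "when": datetime.strptime(row["TimeCreated"][:19], "%Y-%m-%d %H:%M:%S"),
            "event_id": int(row["EventId"]),
            "script": row["PayloadData2"].replace("ScriptBlockText: ", "", 1),
        })
    return sorted(events, key=lambda e: e["when"])


def first_mention(events, keyword):
    """Earliest script block mentioning keyword (case-insensitive) as (MM/DD/YYYY, script)."""
    for e in events:
        if keyword.lower() in e["script"].lower():
            return e["when"].strftime("%m/%d/%Y"), e["script"]
    return None


def matching_commands(events, pattern):
    """All (event_id, script) pairs whose script matches the regex, oldest first."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [(e["event_id"], e["script"]) for e in events if rx.search(e["script"])]


def deleted_files(events):
    """File names passed to del / Remove-Item (del is a PowerShell alias of Remove-Item)."""
    names = []
    for _, script in matching_commands(events, r"^\s*(del|Remove-Item)\s"):
        for token in script.split()[1:]:
            if not token.startswith("-"):
                names.append(token.rsplit("\\", 1)[-1])
    return names


def replacements(events):
    """(old, new) pairs from -replace 'old', 'new' expressions, i.e. how a secret was altered."""
    rx = re.compile(r"-replace\s+'([^']*)'\s*,\s*'([^']*)'")
    found = []
    for _, script in matching_commands(events, r"-replace"):
        found.extend(rx.findall(script))
    return found


if __name__ == "__main__":
    evts = load_events(SAMPLE_EVTXECMD_CSV)
    print("first recipe mention:", first_mention(evts, "recipe"))
    print("deletions:", matching_commands(evts, r"^\s*del\s"))
    print("deleted files:", deleted_files(evts))
    print("replacements:", replacements(evts))
```

Pointing load_events at the real powershell.csv (open(...).read()) reproduces the filtering done by hand above; the matching_commands regex is the place to plug in other keywords such as Add-Content when chasing questions four and five.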
🎉With this we Complete our second challenge and just one more to go to obtain the much deserved Tolkien Ring.🎉
Suricata Regatta
As mentioned at the beginning, this challenge is about creating Suricata rules that alert on specific packets from the capture provided in the first exercise.
First question - Create a rule to catch DNS lookups for adv.epostoday.uk.
Let's first understand the anatomy of a Suricata rule. There are 3 main parts:
Action - Determines what happens when the signature matches
Header - Defines the protocol, IP addresses, ports and direction of the rule
Rule Options - Defines the specifics of the rule.
In our case we know the action is alert. We know that Suricata supports the DNS protocol. The only two things missing from the Rule Options are the msg, which in this case needs to be Known bad DNS lookup, possible Dridex infection, and a dns.query content match for the domain adv.epostoday.uk.
Second question - Develop a rule that alerts whenever the infected IP address 192.185.57.242 communicates with an internal system over HTTP
From the request we know the protocol is HTTP and that the communication can go in either direction. From all of this we can provide an answer to our question:
Third question - Develop a rule to match and alert on an SSL Certificate for heardbellith.Icanwepeh.nagoya.
From the Suricata documentation we know that we can leverage tls.cert_subject to match the subject field of the certificate. Also we know the protocol is tls. From this information we are ready to build our rule.
Fourth question - Develop a rule that matches let byteCharacters = atob string inside the HTTP data.
Once again, leveraging the Suricata documentation we found the content modifier http.response_body. This allows us to match any string inside the HTTP response body. Besides that, it is also possible to match against gzip-decoded data. Based on this information we are ready to build our Suricata rule.
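An added example, not part of the original write-up, that ties the three-part anatomy above (action, header, rule options) to the four rules of this challenge: a small parser that splits a rule into those parts, the rules themselves, and an optional rule-file check with suricata -T when the binary is installed. Only the first rule's message and content come from the text; the sids, the direction and variable choices, and the msg strings of rules two to four are my assumptions and are labelled as such in the code.

```python
"""Added example: Suricata rule anatomy (action / header / options) applied to the
four rules of this challenge. Rules 2-4 carry assumed msg values and all sids are
my choice."""
import os
import re
import shutil
import subprocess
import tempfile

RULES = [
    # Q1: action, protocol, msg and dns.query content are given in the text; sid/rev are mine.
    'alert dns any any -> any any (msg:"Known bad DNS lookup, possible Dridex infection"; '
    'dns.query; content:"adv.epostoday.uk"; nocase; sid:1000001; rev:1;)',
    # Q2: infected host talking HTTP with internal systems in either direction (<>).
    'alert http 192.185.57.242 any <> $HOME_NET any '
    '(msg:"ASSUMED msg: HTTP between infected host and internal system"; sid:1000002; rev:1;)',
    # Q3: match on the certificate subject via the tls.cert_subject sticky buffer.
    'alert tls any any -> any any (msg:"ASSUMED msg: bad TLS certificate subject"; '
    'tls.cert_subject; content:"heardbellith.Icanwepeh.nagoya"; nocase; sid:1000003; rev:1;)',
    # Q4: match inside the (decompressed) HTTP response body.
    'alert http any any -> any any (msg:"ASSUMED msg: atob loader in HTTP response body"; '
    'http.response_body; content:"let byteCharacters = atob"; sid:1000004; rev:1;)',
]

# action  proto  src  sport  dir  dst  dport  (options)
RULE_RX = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s+\((?P<options>.*)\)\s*$"
)


def split_options(text):
    """Split 'k:v; k2; k3:"a;b"' on semicolons that sit outside double quotes."""
    out, buf, in_quotes = [], [], False
    for ch in text:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            out.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        out.append(tail)
    return [o for o in out if o]


def parse_rule(rule):
    """Return the rule's action, header fields and an options dict.
    Keyword-only options (dns.query, nocase) map to None; values lose their quotes.
    Repeated keys (e.g. two content matches) keep the last value only."""
    m = RULE_RX.match(rule)
    if not m:
        raise ValueError("not a Suricata rule: " + rule)
    parts = m.groupdict()
    options = {}
    for opt in split_options(parts.pop("options")):
        key, _, value = opt.partition(":")
        options[key.strip()] = value.strip().strip('"') if value else None
    parts["options"] = options
    return parts


def write_rules_file(path, rules=RULES):
    """Write the rules one per line; returns the path for convenience."""
    with open(path, "w") as fh:
        fh.write("\n".join(rules) + "\n")
    return path


def check_with_suricata(rules_path):
    """Run 'suricata -T -S <file>' (test mode, exclusive rule file) if suricata is
    installed; returns True/False for pass/fail, or None when the binary is absent."""
    exe = shutil.which("suricata")
    if not exe:
        return None
    res = subprocess.run([exe, "-T", "-S", rules_path], capture_output=True, text=True)
    return res.returncode == 0


if __name__ == "__main__":
    for r in RULES:
        p = parse_rule(r)
        print(p["action"], p["proto"], p["dir"], p["options"]["sid"], p["options"]["msg"])
    tmp = write_rules_file(os.path.join(tempfile.mkdtemp(), "tolkien.rules"))
    print("suricata -T result:", check_with_suricata(tmp))
```

To confirm the rules fire on the capture, run suricata -r against the pcap with -S pointing at the rules file and read fast.log in the output directory; the parser is only there to make the action/header/options split visible before the rules are loaded.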
With this answer we reach the end of the Tolkien Ring saga🎉🎉🎉