
TickTock

Write-up author: jon-brandy


Lessons Learned:

  • Reviewing TeamViewer logs (hunting the C2 agent and the attacker's session).
  • Reviewing Prefetch data to identify previously opened or executed binaries.
  • Reviewing the Sysmon log to identify outbound / inbound network connections.
  • Reviewing the Windows Defender and PowerShell logs to identify the C2 agent, the drive-mounting execution, and the C2 binary's hashes.
  • Parsing the raw Master File Table using MFTECmd.exe.
  • Reviewing the parsed MFT using Timeline Explorer.
  • Using Get-WinEvent to grab system time change events.

SCENARIO:

Gladys is a new joiner in the company. She has received an email informing her that the IT department is due to do some work on her PC, and she is guided to call the IT team, where they will inform her on how to allow them remote access. The IT team, however, are actually a group of hackers that are attempting to attack Forela.

STEPS:

  1. In this case, we're tasked to investigate a malicious remote access connection through the logs given.
  2. Based on the scenario and the questions, we can conclude that a new employee gets a call from the attacker asking her to allow them remote access to her PC. After they get a TeamViewer connection, they also launch a C2 agent.

ARTIFACTS GIVEN

  1. It seems we're going to be dealing with parsing the Master File Table and reviewing the Windows Event Logs if needed.

1ST QUESTION --> ANS: Merlin.exe

  1. Since the initial entry is from Gladys's PC, where she allowed the attacker remote access, let's check the log files inside her profile directory for any remote access application available.
Navigating through --> /C/Users/gladys/AppData/Local/

  1. Seems we identified the remote access application Gladys used: TeamViewer. Now let's review the logs, starting with TeamViewer15_Logfile.log.

  1. Long story short, upon reviewing the logs we found an outbound connection at 11:21:34 from Gladys's PC.
  2. It downloaded a binary file named Merlin.exe. The binary was stored on the desktop.

  1. This could be the C2 agent, but further checking is needed.
  2. Upon reviewing the CSV file which contains the Prefetch data, we found that Merlin.exe has a Prefetch entry, meaning it was previously opened or executed on the PC.
  3. It can be found at timestamp --> 11:51:15, row 63.

  1. But again, we need more evidence on whether it indeed acts as a C2 agent.
  2. Now let's review the Windows Event Logs.
  3. The simplest way to identify whether the binary is malicious or not is to start by reviewing the Windows Defender event log.
  4. Long story short, we found that Merlin.exe is logged inside it.

  1. Reviewing the events before it, Windows Defender categorized Merlin.exe as VirTool:Win32/Myrddin.D.

  1. So to summarize, Merlin.exe was executed, then quarantined by Windows Defender, then released again.
  2. Great! We hunted the C2 agent.

2ND QUESTION --> ANS: -2102926010

  1. Now, to identify the initial access session ID, we need to review the TeamViewer logfile again.
  2. We found that an initial connection started at 11:35:27, the login attempt is at 11:35:27, and it authenticated at 11:35:31.
  3. Which means the session ID is --> -2102926010.


3RD QUESTION --> ANS: reallylongpassword

  1. To identify the event where the attacker attempted to set a BitLocker password on the C drive, we need to review the Windows PowerShell event log.
  2. We found an interesting PowerShell execution at 18:14:33; the contents are encoded with base64.

  1. Upon decoding it, it's indeed the command used by the attacker to mount the C drive. We also identified the password used.
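The decoding step above, as an added example that is not part of the original write-up: PowerShell's -EncodedCommand carries the script as base64 of UTF-16LE text, so a plain base64 decode alone shows interleaved NUL bytes. The sample event message and its payload (just Get-Date) are constructed here, not the command recovered in the case.

```python
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, so event
# messages may show -e, -ec, -enc, -EncodedCommand, etc. before the blob.
ENC_RE = re.compile(
    r"-(?:encodedcommand|encoded|enco|enc|ec|en|e)\s+([A-Za-z0-9+/=]{8,})",
    re.IGNORECASE,
)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of the script as UTF-16LE text."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("odd byte count: not UTF-16LE, probably truncated")
    return raw.decode("utf-16-le")


def extract_encoded_commands(event_text: str) -> list:
    """Decode every encoded command found in a log or event message body."""
    return [decode_encoded_command(m) for m in ENC_RE.findall(event_text)]


# Constructed sample in the shape of a process-creation message; the payload
# is just 'Get-Date', not the command recovered in the case.
SAMPLE_EVENT = (
    "Process Command Line: powershell.exe -NoProfile -WindowStyle Hidden "
    "-enc RwBlAHQALQBEAGEAdABlAA=="
)

if __name__ == "__main__":
    for cmd in extract_encoded_commands(SAMPLE_EVENT):
        print(cmd)
```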


4TH QUESTION --> ANS: fritjof olfasson.

  1. Next, to identify the name used by the attacker, we again need to review the TeamViewer logfile.

  1. Based on the evidence above, after the attacker authenticated, it saved the session and saved the local participant as 1764218403.
  2. Not long after, around 4 seconds later, we can identify 2 participants inside the session.

  1. The first one is likely Gladys PC's hostname. The other one should be the attacker --> fritjof olfasson.
  2. As additional information, there is an attempt to screenshot the desktop.


5TH QUESTION --> ANS: 52.56.142.81

  1. To identify the destination of the C2 agent, simply review the Sysmon log and filter for Event ID 3 --> Network connection detected.

  1. Great! Now we know the destination IP is --> 52.56.142.81.
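The Event ID 3 filtering above, as an added example that is not part of the original write-up: it groups remote endpoints per process so that a binary sitting on a user's desktop talking to an external address stands out from normal system traffic. The XML export is constructed (two records wrapped in an assumed <Events> element); the Data field names follow Sysmon's network-connection schema and the address is the one identified above.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Namespace used by Windows event XML (Sysmon records included).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def network_connections(xml_text: str):
    """Yield (image, dest_ip, dest_port) for every Sysmon Event ID 3 record."""
    root = ET.fromstring(xml_text)
    for event in root.findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", namespaces=NS) != "3":
            continue
        data = {d.get("Name"): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        yield data["Image"], data["DestinationIp"], data["DestinationPort"]


def destinations_by_image(xml_text: str) -> dict:
    """Group remote endpoints per process so an unexpected binary stands out."""
    groups = defaultdict(set)
    for image, ip, port in network_connections(xml_text):
        groups[image].add(f"{ip}:{port}")
    return dict(groups)


# Constructed export: one Event ID 3 record for the C2 agent and one unrelated
# Event ID 1 record that the filter must skip.
SAMPLE_XML = r"""<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <Event>
    <System><EventID>3</EventID></System>
    <EventData>
      <Data Name="Image">C:\Users\gladys\Desktop\Merlin.exe</Data>
      <Data Name="DestinationIp">52.56.142.81</Data>
      <Data Name="DestinationPort">443</Data>
    </EventData>
  </Event>
  <Event>
    <System><EventID>1</EventID></System>
    <EventData><Data Name="Image">C:\Windows\System32\svchost.exe</Data></EventData>
  </Event>
</Events>"""

if __name__ == "__main__":
    for image, endpoints in destinations_by_image(SAMPLE_XML).items():
        print(image, sorted(endpoints))
```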

Destination IP details


6TH QUESTION --> ANS: VirTool:Win32/Myrddin.D

  1. Previously, by analyzing the Windows Defender event log, we identified the C2 binary as categorized --> VirTool:Win32/Myrddin.D.

7TH QUESTION --> ANS: Invoke-TimeWizard.ps1

  1. If you notice, when reviewing the TeamViewer log, the timestamps of the next log entries seem manipulated (?)

  1. This must be the attacker's doing, to confuse the analyst or the incident response team.
  2. After reviewing several Sysmon events for Event ID 11 (FileCreate), we found a few PowerShell scripts with interesting filenames.
  3. Seems this time we're going to need to review the MFT. Let's parse the MFT to a CSV file, then open it using Timeline Explorer. Anyway, there's another simple method if you don't want to parse it: using MFTExplorer you can open the raw MFT file without converting it to CSV first.

TIMELINE EXPLORER

  1. Let's start the search by filtering for gladys's Desktop first.

  1. Interestingly, there is a PowerShell script named Invoke-TimeWizard. Based on the filename and its location, it's indeed the script used by the attacker to manipulate the TeamViewer timestamps. It manipulates the Windows timestamps as a whole.

ADDITIONAL RESULT USING MFT Explorer

  1. As you can see, using MFT Explorer gives us the visibility to review each timestamp of the files.
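The per-file timestamp review above, as an added example that is not part of the original write-up: it scans an MFTECmd CSV and flags records whose $STANDARD_INFORMATION times are earlier than the kernel-maintained $FILE_NAME times or carry no sub-second precision, the usual signs of a file whose timestamps were rewritten. The column names are assumed to follow MFTECmd's output and the two rows are constructed.

```python
import csv
import io
from datetime import datetime

# Column names follow MFTECmd's CSV output as assumed here: 0x10 columns hold
# $STANDARD_INFORMATION timestamps, 0x30 columns hold $FILE_NAME timestamps.
FMT = "%Y-%m-%d %H:%M:%S.%f"

def parse_ts(value: str) -> datetime:
    # MFTECmd writes 7 fractional digits; strptime's %f accepts at most 6.
    base, _, frac = value.partition(".")
    return datetime.strptime(f"{base}.{(frac + '000000')[:6]}", FMT)

def timestomp_indicators(row: dict) -> list:
    """Return reasons a $MFT record looks like its timestamps were altered."""
    si_created, fn_created = parse_ts(row["Created0x10"]), parse_ts(row["Created0x30"])
    si_modified, fn_modified = parse_ts(row["LastModified0x10"]), parse_ts(row["LastModified0x30"])
    reasons = []
    # User-mode tools (SetFileTime, PowerShell's CreationTime setter) rewrite
    # only $SI; the kernel-maintained $FN keeps the real creation time.
    if si_created < fn_created:
        reasons.append("$SI created earlier than $FN created")
    if si_modified < fn_modified:
        reasons.append("$SI modified earlier than $FN modified")
    # NTFS keeps 100ns precision; whole-second $SI values suggest a hand-set time.
    if si_created.microsecond == 0 and si_modified.microsecond == 0:
        reasons.append("$SI timestamps have zero sub-second precision")
    return reasons

def scan_mft_csv(text: str) -> dict:
    """Map each suspicious FileName to its indicators, skipping clean rows."""
    hits = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = timestomp_indicators(row)
        if reasons:
            hits[row["FileName"]] = reasons
    return hits

# Constructed sample: only the script has its $SI timestamps pushed into the past.
SAMPLE_CSV = """\
ParentPath,FileName,Created0x10,Created0x30,LastModified0x10,LastModified0x30
.\\Users\\gladys\\Desktop,Invoke-TimeWizard.ps1,2019-01-01 00:00:00.0000000,2023-05-04 12:05:10.4415621,2019-01-01 00:00:00.0000000,2023-05-04 12:05:10.4415621
.\\Users\\gladys\\Desktop,notes.txt,2023-05-04 09:10:11.1234567,2023-05-04 09:10:11.1234567,2023-05-04 10:00:00.7654321,2023-05-04 09:10:11.1234567
"""

if __name__ == "__main__":
    for name, reasons in scan_mft_csv(SAMPLE_CSV).items():
        print(name, reasons)
```

If the attacker instead moved the system clock, as the 4616 events reviewed later suggest, both attributes of files written afterwards carry the fake time and this comparison will not fire; it catches direct $SI rewrites only.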

8TH QUESTION --> ANS: 2023/05/04 11:35:27

  1. Again, based on our previous analysis of the TeamViewer logfile, the initial connection starts at 2023/05/04 11:35:27.

9TH QUESTION --> ANS: ac688f1ba6d4b23899750b86521331d7f7ccfb69:42ec59f760d8b6a50bbc7187829f62c3b6b8e1b841164e7185f497eb7f3b4db9

  1. Rather than carving the binary from the raw MFT file manually, let's review the Windows Defender logs.
PATH TO DEFENDER LOGS:
C/ProgramData/Microsoft/Windows Defender/Support
  2. Reviewing the MPLog shall help us identify both the SHA-1 and SHA-2 (SHA-256) hashes.


10TH QUESTION --> ANS: 2371

  1. To identify the count, we need to review the Security event log, then filter for Event ID 4616 (the system time was changed) with the keyword powershell.

COMMAND

Get-WinEvent -Path '.\Collection\C\Windows\System32\winevt\logs\Security.evtx' -FilterXPath "*[System[(EventID=4616)]]" | Where-Object { $_.Message -like '*powershell*' } | Measure-Object


11TH QUESTION --> ANS: S-1-5-21-3720869868-2926106253-3446724670-1003

  1. Again, by reviewing the Security event log, we can identify the SID for gladys.


  1. Great! We've investigated the case!

IMPORTANT LINKS

https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/default.aspx?i=j