Network Forensics


CFIAR 20021115II01A Confidential: Business Use Only

[2192] [Feb 19, 2019]

Forensic Analysis Investigative Report

Incident Report Number: 20190219-I-001

Report Name: CMIT460 Final Project

Location Category: [Internal]

Reported Incident Date: 20131022 (October 22, 2013)

Table of Contents

Executive Summary

1.0 Initial Incident Discovery

1.1 Summary

1.2 Action Items

1.3 Description of system(s) in question

1.4 Identified Computer System(s)

1.5 Security Mechanisms

1.6 Initial Forensic Discovery

1.7 Initial Corrective Action

1.8 Participants

1.9 Additional Information

2.0 Forensic Process

2.1 Tools

2.2 Logs

2.3 Methods

3.0 Results and Findings

3.1 Summary

3.2 Corrective Actions

3.3 Lessons Learned

4.0 Appendix

4.1 Reference 1

4.2 Reference 2

4.3 Reference 3

4.4 Reference 4

Executive Summary

On October 22, 2013 at approximately 13:27, a company asset with the internal IP address 192.168.40.10 was compromised. The host was redirected to a malicious domain and proceeded to download and install several malware samples. The infected host then began to beacon to the malware's command and control (C2) servers. The biggest potential risk to the organization is that the asset could have been exfiltrating data; the beacon traffic was encrypted, so our team was unable to determine what it carried. For remediation, we recommend that the machine be disconnected from the network immediately and reimaged from a known-good backup. Once patched and hardened, it can be reconnected and returned to business use.

1.0 Initial Incident Discovery

1.1 Summary

The only evidence our team was able to acquire for this investigation was a single PCAP. The following summarizes what we were able to determine during our initial assessment of the event.

1.2 Action Items

· Disconnect the system from the network

· Reimage the machine from a safe backup.

· Apply patches to the system.

· Configuration changes (NoScript browser extension, antivirus, etc.)

· Place system back into operations.

1.3 Description of system(s) in question

The system is located internally on the network (its address falls in the RFC 1918 private range 192.168.0.0/16) and was likely a user workstation. We are unable to determine which network shares this system would have been able to access.

1.4 Identified Computer System(s)

System:

· Hostname: Unable to determine

· IP Address: 192.168.40.10

· MAC Address: 00:20:18:eb:ca:28

· Operating system: Unable to determine

· Browser: User-Agent begins with Mozilla/4.0 (see REF1). Note that Mozilla/4.0 is only the leading token of the HTTP User-Agent header; the full header normally identifies the actual browser and, usually, the operating system, so it should be checked against the "Operating system" field above.

1.5 Security Mechanisms

It is unlikely that any security mechanisms were in place, given the routine nature of this compromise: a current antivirus product, firewall/web proxy, or IPS would be expected to block the download or execution of known malicious files. Sophos Antivirus immediately flagged every sample carved from the PCAP, so the samples match known signatures/behaviors. One caveat: this analysis was performed in 2019 on a capture from October 2013, and those signatures may not have existed at the time of the incident, so this is an inference rather than proof that endpoint protection was absent.

1.6 Initial Forensic Discovery

A script on the host geolocated its IP address via the domain j[.]maxmind[.]com.

The host then sent a beacon (HTTP POST) request to the malicious domain uocquimscisqaic[.]org.

This was followed by encrypted communication with the following IPs:

· 72.24.235.141

· 201.1.171.89

· 85.28.144.49

This was followed by UDP traffic with the following likely malicious IPs:

· 111.119.186.150

· 24.142.33.67

· 118.107.222.161

· 95.180.241.120

· 5.102.206.178

· 84.202.148.220

· 190.206.224.248

· 185.12.43.63

· 27.109.17.227

· 37.49.224.148

· 187.245.116.205

· 202.29.179.251

· 75.75.125.203

· 182.160.5.97

· 203.81.69.155

ICMP echo requests (pings) from:

· 202.87.216.190

· 37.243.218.70

· 212.85.174.80

· 31.169.11.208

Malicious files flagged by Sophos as:

· Generic-S

· Generic-R

· Exp-JS

1.7 Initial Corrective Action

· The system must be removed from the network (or logically isolated) before the investigation begins.

· The system's drive should be imaged through a write-blocker so that the original evidence is not altered.

· All analysis is performed on the forensic image, never on the original drive.

· The malware samples carved from the PCAP will be detonated in an isolated VM to observe their behavior.

1.8 Participants

Name           Extension   Title

Cameron Woody  ext702      Incident Response Analyst

1.9 Additional Information

Our team is working with limited resources in this specific case, as we only have a PCAP to work with. Ideally, there would be logs, IDS alerts, a network map, a drive image, etc. to work with.

2.0 Forensic Process

2.1 Tools

· Wireshark, version 2.6.3

· VirusTotal, https://www.virustotal.com

· Sophos Endpoint, version 10.8.3

· DomainTools, https://www.domaintools.com/

2.2 Logs

The primary indicator of compromise on this system is the beaconing activity. The asset beaconed to numerous likely malicious IP addresses and to domains whose names (uocquimscisqaic[.]org, zivvgmyrwy.3razbave[.]info) look like the output of a Domain Generation Algorithm (DGA).
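The DGA judgement above rests on how the domain names read. As an added example (our own code, not part of the original report or of any tool it lists), the following is the cheap lexical check an analyst would script to triage domains pulled from a capture, run over the four domains this report names: the share of vowels in each label and its longest run of consonants. The thresholds and the minimum label length are assumptions, not a published model. Note what it shows: zivvgmyrwy.3razbave[.]info is flagged, but uocquimscisqaic[.]org passes because it is pronounceable, so the beaconing behaviour, not the name alone, is what supports calling that domain malicious.

```python
VOWELS = set("aeiou")
MIN_LABEL = 6   # assumption: labels shorter than this ("j", "www", "aes") carry too little signal


def label_features(label):
    """Lexical features of one DNS label: share of vowels among its letters and the
    longest run of consecutive consonants (digits and hyphens are ignored)."""
    letters = [c for c in label.lower() if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    longest = run = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return {"label": label, "length": len(label),
            "vowel_ratio": round(vowel_ratio, 3), "longest_consonant_run": longest}


def looks_generated(label):
    """Thresholds are assumptions chosen for this demo, not a published DGA classifier."""
    f = label_features(label)
    return f["longest_consonant_run"] >= 5 or f["vowel_ratio"] < 0.15


def triage(domain):
    """Score every label below the public suffix (crudely: drop the TLD, and 'co' when it
    sits in front of a two-letter ccTLD). Returns (flagged, first label that tripped)."""
    labels = domain.lower().strip(".").split(".")
    body = labels[:-1]
    if len(labels) >= 3 and labels[-2] == "co" and len(labels[-1]) == 2:
        body = labels[:-2]
    hits = [lb for lb in body if len(lb) >= MIN_LABEL and looks_generated(lb)]
    return (bool(hits), hits[0] if hits else None)


# The four domains named in this report, with the defanging brackets removed.
REPORT_DOMAINS = [
    "aes.whichdigitalphoto.co.uk",   # compromised legitimate site
    "zivvgmyrwy.3razbave.info",      # redirect target
    "uocquimscisqaic.org",           # beacon (POST) target
    "j.maxmind.com",                 # geolocation lookup
]

if __name__ == "__main__":
    for d in REPORT_DOMAINS:
        flagged, hit = triage(d)
        print(f"{d:30} {'GENERATED?' if flagged else 'ok':10} {label_features(hit) if hit else ''}")
```

A lexical score is a triage aid only: it has false negatives (pronounceable DGAs, dictionary-word DGAs) and false positives (legitimate short-code or CDN hostnames), so it ranks domains for a human to look at and should not drive blocking on its own.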

2.3 Methods

· Wireshark (display filter field names are case-sensitive and lowercase):

· ip.addr == 192.168.40.10 (all traffic to or from the compromised host)

· ip.addr == 192.168.40.10 && tcp.port == 80 (its HTTP traffic)

· tcp.stream eq # (Follow TCP Stream; # is the stream index of one conversation)

· VirusTotal:

· Submitted the carved files to the VirusTotal website (look up by hash first; uploading a sample discloses it to third parties).

· Sophos:

· Scanned the carved files with Sophos Endpoint protection.

· DomainTools:

· Queried the malicious IPs in DomainTools to locate their geographic area.

MD5 hashes of the carved files (MD5 is adequate for VirusTotal lookups, but because MD5 collisions are practical, SHA-256 should be recorded alongside it in future reports):

· b05817f297aadba445fc04ffa840e5e2 mal1.exe

· 630c7509c75b961afbe54720d606a6dd mal2.exe

· 5d74f02594fc345f003c16c5d6c90b3a mal3_unknown

· 146740484b2965609b789f43108c91b4 mal4.exe

· 2ddb6e7cf1707f8adec71a228b5a52b4 mal5.exe

· fc04ff7f5c763b943f5ac06521586dff mal6.exe

· fdd6323ff4ea92102311da9213a29ac2 swf_file.swf
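The filters and hashes above describe a manual Wireshark workflow. The following is an added example (our own code, not from the original report or from any tool it lists) that does the same carving programmatically with only the Python standard library: it reads a classic PCAP, joins TCP payloads per stream direction (the equivalent of ip.addr == host && tcp.port == 80 plus Follow TCP Stream), pulls out the victim's HTTP requests with their Host, URI and User-Agent, and hashes every response body the victim received. The capture is constructed inline: the 203.0.113.x addresses, the .invalid hostnames, the User-Agent string and the MZ stub are made up for the demo and are not indicators from this investigation.

```python
import hashlib
import struct
from collections import defaultdict

VICTIM = "192.168.40.10"   # the compromised host named in the report

def hash_bytes(data):
    """MD5 (what VirusTotal lookups usually key on) and SHA-256 (collision-resistant)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def build_packet(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; MAC addresses and checksums are left zero."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp + payload

def build_pcap(packets, first_ts=1382448420):
    """Classic libpcap file: 24-byte global header (LINKTYPE_ETHERNET) + 16-byte record
    headers. first_ts is 2013-10-22 13:27:00 UTC, chosen to match the report's timeline."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", first_ts + i, 0, len(pkt), len(pkt)) + pkt
    return out

def iter_packets(pcap):
    """Yield (ts_sec, frame) from a classic pcap, honouring the byte order the magic implies."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _, incl_len, _ = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len

def parse_frame(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                                    # IP protocol 6 = TCP
        return None
    ihl, total_len = (ip[0] & 0x0F) * 4, struct.unpack("!H", ip[2:4])[0]
    src, dst = ".".join(map(str, ip[12:16])), ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    return src, dst, sport, dport, tcp[(tcp[12] >> 4) * 4:]

def carve_http(pcap, victim=VICTIM):
    """Programmatic 'ip.addr == victim && tcp.port == 80' plus 'Follow TCP Stream': join the
    payloads of each stream direction, parse the victim's HTTP requests and hash the bodies of
    the responses it received. Assumes in-order packets with no retransmissions (true of the
    constructed capture); a real carver must reorder by TCP sequence number."""
    streams = defaultdict(bytes)
    for _, frame in iter_packets(pcap):
        parsed = parse_frame(frame)
        if parsed:
            src, dst, sport, dport, payload = parsed
            streams[(src, sport, dst, dport)] += payload
    requests, objects = [], []
    for (src, sport, dst, dport), data in streams.items():
        if src == victim and data[:4] in (b"GET ", b"POST"):
            lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
            method, uri = lines[0].split(" ")[:2]
            hdrs = {k.lower(): v for k, v in (ln.split(": ", 1) for ln in lines[1:] if ": " in ln)}
            requests.append({"method": method, "host": hdrs.get("host"), "uri": uri,
                             "user_agent": hdrs.get("user-agent"), "dst": dst, "dport": dport})
        elif dst == victim and data.startswith(b"HTTP/1."):
            body = data.partition(b"\r\n\r\n")[2]
            objects.append({"src": src, "sport": sport, "size": len(body), **hash_bytes(body)})
    return requests, objects

# Constructed capture: one script/EXE download, then one POST beacon. The 203.0.113.x
# addresses (RFC 5737 TEST-NET-3), the .invalid hosts, the UA string and the MZ stub are made up.
FAKE_PE = b"MZ" + b"\x90" * 62
SAMPLE_PCAP = build_pcap([
    build_packet(VICTIM, "203.0.113.10", 49152, 80,
                 b"GET /load.php HTTP/1.1\r\nHost: redirector.invalid\r\n"
                 b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)\r\n\r\n"),
    build_packet("203.0.113.10", VICTIM, 80, 49152,
                 b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: 64\r\n\r\n" + FAKE_PE),
    build_packet(VICTIM, "203.0.113.20", 49153, 80,
                 b"POST /gate.php HTTP/1.1\r\nHost: beacon.invalid\r\nContent-Length: 4\r\n\r\nid=1"),
])

if __name__ == "__main__":
    reqs, objs = carve_http(SAMPLE_PCAP)
    for r in reqs:
        print(f"{r['method']} http://{r['host']}{r['uri']} -> {r['dst']}:{r['dport']}  UA: {r['user_agent']}")
    for o in objs:
        print(f"carved {o['size']} bytes from {o['src']}:{o['sport']}  md5={o['md5']}  sha256={o['sha256']}")
```

Two design points carry over to real captures: the full User-Agent header is kept because its trailing tokens (browser version, OS) are what fill in the "Operating system" field this report had to leave blank, and every carved body is hashed with both MD5 and SHA-256 at carve time so the report can quote both without re-extracting the object.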

3.0 Results and Findings

3.1 Summary

The user was browsing the internet and visited a compromised site, aes[.]whichdigitalphoto.co[.]uk, which redirected the browser to the malicious domain zivvgmyrwy.3razbave[.]info. A script was then downloaded from this domain (REF2). This script triggered the download of an executable (REF3), followed by three more executables, one of which launched a script to geolocate the compromised system (REF4). One more executable was downloaded, and then the beacon activity began: HTTP POST requests to malicious domains, followed by encrypted TCP sessions and UDP traffic to many external hosts on various ports. Our team has no visibility into the contents of this traffic, but it could be data exfiltration.

3.2 Corrective Actions

· The machine should be reimaged from the most recent reliable backup.

· Once it has been successfully reimaged, all relevant patches should be applied.

· After this, mitigations should be applied:

· Anti-virus

· NoScript

· IDS

· Bring the system back into the live production environment.

3.3 Lessons Learned

Users should be more careful about which sites they browse to, especially at work; a company workstation should not be used to visit anything even remotely untrustworthy. Second, a browser extension such as NoScript should be installed, which prevents the browser from executing scripts or plugin content without explicit permission. Any suspicious activity or slowdown on the workstation (we have no way of knowing whether this infection was noticeable at all) should be reported immediately.

4.0 Appendix

4.1 Reference 1 (REF1)

Screenshot of the web browser information (User-Agent header) sent by the requesting host (the compromised internal machine).

4.2 Reference 2 (REF2)

Screenshot of the script download to the compromised machine.

4.3 Reference 3 (REF3)

Screenshot of the first executable download by the compromised machine.

4.4 Reference 4 (REF4)

Screenshot of the geo-location script run on the compromised machine.


Created by: Cameron Woody

Template adapted from Steve J. Scott, superhac.com. Retrieved January 2014 from http://superhac.com/wp-content/uploads/2008/01/cfiar.doc