hyperfiletable

Released: 2023-11-13
Retired: 2024-02-08
Author: blitztide

Scenario

There has been a new joiner in Forela; they have downloaded their onboarding documentation, however someone has managed to phish the user with a malicious attachment. We have only managed to pull the MFT record for the new user; are you able to triage this information?


Task 01

Question: What is the MD5 hash of the MFT?

This check verifies that the file was transferred completely and without alteration. The hash can be computed, for example, in PowerShell with the command Get-FileHash .\mft.raw -Algorithm md5 | Select-Object Hash, where Select-Object restricts the output to the Hash column, since Get-FileHash on its own also returns the Algorithm and Path columns.

Answer: 3730c2fedcdc3ecd9b83cbea08373226


Task 02

Question: What is the name of the only user on the system?

For further processing of the MFT file, MFTECmd, a tool by Eric Zimmerman, can be used. It converts the MFT entries into other formats that are easier to process with additional software. The command MFTECmd.exe -f '.\mft.raw' --csv . --json . parses the provided MFT and writes the entries to both a CSV and a JSON file in the current directory. A search for \Users\ within these files yields 5,641 hits, from which the user “Randy Savage” can be quickly identified from the full paths.

Answer: Randy Savage


Task 03

Question: What is the name of the malicious HTA that was downloaded by that user?

Searching the MFT for .hta files yields only two hits. The second hit is merely the Zone.Identifier stream of the same file (see Task 04), so the first hit is the .hta file in question.

{
    "EntryNumber": 103820,
    "SequenceNumber": 7,
    "ParentEntryNumber": 105011,
    "ParentSequenceNumber": 2,
    "InUse": true,
    "ParentPath": ".\\Users\\Randy Savage\\Downloads",
    "FileName": "Onboarding.hta",
    "Extension": ".hta",
    "IsDirectory": false,
    "HasAds": true,
    "IsAds": false,
    "FileSize": 1144,
    "Created0x10": "2023-04-05T13:21:40.0706726+00:00",
    "LastModified0x10": "2023-04-05T13:21:45.6478863+00:00",
    "LastModified0x30": "2023-04-05T13:21:40.0732403+00:00",
    "LastRecordChange0x10": "2023-04-05T13:21:45.6478863+00:00",
    "LastRecordChange0x30": "2023-04-05T13:21:40.2279587+00:00",
    "LastAccess0x10": "2023-04-05T13:22:00.9916344+00:00",
    "LastAccess0x30": "2023-04-05T13:21:40.0732403+00:00",
    "UpdateSequenceNumber": 27166224,
    "LogfileSequenceNumber": 375731114,
    "SecurityId": 1793,
    "SiFlags": 32,
    "ReferenceCount": 1,
    "NameType": 1,
    "Timestomped": false,
    "uSecZeros": false,
    "Copied": false,
    "FnAttributeId": 7,
    "OtherAttributeId": 4
}

Answer: Onboarding.hta


Task 04

Question: What is the ZoneId of the download for the malicious HTA file?

The second hit mentioned above is the Zone.Identifier of the malicious file. It is stored as an NTFS Alternate Data Stream (ADS) attached to the downloaded file. The ZoneId (the “Mark of the Web”) is a feature introduced with Windows XP SP2; it records the origin of a file (e.g., that it was downloaded from the Internet) at the file system level.

{
    "EntryNumber": 103820,
    "SequenceNumber": 7,
    "ParentEntryNumber": 105011,
    "ParentSequenceNumber": 2,
    "InUse": true,
    "ParentPath": ".\\Users\\Randy Savage\\Downloads",
    "FileName": "Onboarding.hta:Zone.Identifier",
    "Extension": ".Identifier",
    "IsDirectory": false,
    "HasAds": false,
    "IsAds": true,
    "FileSize": 389,
    "Created0x10": "2023-04-05T13:21:40.0706726+00:00",
    "LastModified0x10": "2023-04-05T13:21:45.6478863+00:00",
    "LastModified0x30": "2023-04-05T13:21:40.0732403+00:00",
    "LastRecordChange0x10": "2023-04-05T13:21:45.6478863+00:00",
    "LastRecordChange0x30": "2023-04-05T13:21:40.2279587+00:00",
    "LastAccess0x10": "2023-04-05T13:22:00.9916344+00:00",
    "LastAccess0x30": "2023-04-05T13:21:40.0732403+00:00",
    "UpdateSequenceNumber": 27166224,
    "LogfileSequenceNumber": 375731114,
    "SecurityId": 1793,
    "ZoneIdContents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://doc-10-8k-docs.googleusercontent.com/docs/securesc/9p3kedtu9rd1pnhecjfevm1clqmh1kc1/9mob6oj9jdbq89eegoedo0c9f3fpmrnj/1680708975000/04991425918988780232/11676194732725945250Z/1hsQhtmZJW9xZGgniME93H3mXZIV4OKgX?e=download&uuid=56e1ab75-ea1e-41b7-bf92-9432cfa8b645&nonce=u98832u1r35me&user=11676194732725945250Z&hash=j5meb42cqr57pa0ef411ja1k70jkgphq\r\n",
    "SiFlags": 32,
    "ReferenceCount": 1,
    "NameType": 1,
    "Timestomped": false,
    "uSecZeros": false,
    "Copied": false,
    "FnAttributeId": 7,
    "OtherAttributeId": 9
}

The ZoneId is visible in the ZoneIdContents field. Since it is Zone 3 (“Internet Zone”), the HostUrl is recorded as well.

Answer: 3


Task 05

Question: What is the download URL for the malicious HTA?

The requested download URL can be read from the same ZoneIdContents field extracted in Task 04 (the HostUrl value).

Answer: https://doc-10-8k-docs.googleusercontent.com/docs/securesc/9p3kedtu9rd1pnhecjfevm1clqmh1kc1/9mob6oj9jdbq89eegoedo0c9f3fpmrnj/1680708975000/04991425918988780232/11676194732725945250Z/1hsQhtmZJW9xZGgniME93H3mXZIV4OKgX?e=download&uuid=56e1ab75-ea1e-41b7-bf92-9432cfa8b645&nonce=u98832u1r35me&user=11676194732725945250Z&hash=j5meb42cqr57pa0ef411ja1k70jkgphq
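As an added example (not part of the write-up or of MFTECmd), the following Python extracts the ZoneId and HostUrl from the ZoneIdContents field of an MFTECmd record, covering Tasks 04 and 05 in one step; it assumes the field names shown above, and the sample record is constructed with a placeholder URL.

```python
import json

# URL security zone ids written by the Mark of the Web (Zone.Identifier).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}

def parse_zone_identifier(contents: str) -> dict:
    """Parse the INI-style [ZoneTransfer] text into a {key: value} dict."""
    values, in_section = {}, False
    for raw in contents.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
        elif in_section and "=" in line:
            key, value = line.split("=", 1)   # split once: URLs contain '=' as well
            values[key.strip()] = value.strip()
    return values

def summarize_ads_record(record: dict) -> dict:
    """Report parent file, zone id/name and URLs for a Zone.Identifier ADS record."""
    if not record.get("IsAds") or not record.get("FileName", "").endswith(":Zone.Identifier"):
        raise ValueError("not a Zone.Identifier ADS record")
    zone = parse_zone_identifier(record.get("ZoneIdContents", ""))
    zone_id = int(zone["ZoneId"]) if zone.get("ZoneId", "").isdigit() else None
    return {"file": record["FileName"].rsplit(":", 1)[0],   # strip the stream name
            "zone_id": zone_id,
            "zone_name": ZONE_NAMES.get(zone_id, "unknown"),
            "host_url": zone.get("HostUrl"),
            "referrer_url": zone.get("ReferrerUrl")}

# Constructed MFTECmd-style JSON record mirroring the Task 04 entry; the URL
# is a placeholder, not the one from the challenge.
SAMPLE_LINE = json.dumps({
    "FileName": "Onboarding.hta:Zone.Identifier", "IsAds": True,
    "ZoneIdContents": "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/d?e=download&x=1\r\n",
})

if __name__ == "__main__":
    print(summarize_ads_record(json.loads(SAMPLE_LINE)))
```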


Task 06

Question: What is the allocated size for the HTA file? (bytes)

The allocated (on-disk) size of the .hta file can be read from the entry for ONBOAR~1.HTA (the file's 8.3 short name in the MFT), for example using Mft2Csv.

Answer: 4096


Task 07

Question: What is the real size of the HTA file? (bytes)

The FileSize field of the entry shown in Task 03 gives the actual size of the file.

Answer: 1144


Task 08

Question: When was the powerpoint presentation downloaded by the user?

PowerPoint presentations are identified by the file extension .ppt or, by default since PowerPoint 2008, .pptx. A search for these extensions in the MFT reveals the download of a file named Proposal.pptx.

{
    "EntryNumber": 105622,
    "SequenceNumber": 4,
    "ParentEntryNumber": 107430,
    "ParentSequenceNumber": 3,
    "InUse": false,
    "ParentPath": ".\\Users\\Randy Savage\\Documents\\Work",
    "FileName": "Proposal.pptx",
    "Extension": ".pptx",
    "IsDirectory": false,
    "HasAds": true,
    "IsAds": false,
    "FileSize": 16552989,
    "Created0x10": "2023-04-05T13:11:49.7425214+00:00",
    "LastModified0x10": "2023-04-05T13:11:53.9605745+00:00",
    "LastRecordChange0x10": "2023-04-05T13:12:14.5858420+00:00",
    "LastRecordChange0x30": "2023-04-05T13:11:53.9605745+00:00",
    "LastAccess0x10": "2023-04-05T13:11:53.9605745+00:00",
    "UpdateSequenceNumber": 26143496,
    "LogfileSequenceNumber": 375276644,
    "SecurityId": 1793,
    "SiFlags": 32,
    "ReferenceCount": 1,
    "NameType": 1,
    "Timestomped": false,
    "uSecZeros": false,
    "Copied": false,
    "FnAttributeId": 10,
    "OtherAttributeId": 4
}

The Created0x10 timestamp (the creation time from the file's $STANDARD_INFORMATION attribute) gives the file creation time, which here corresponds to the download.

Answer: 05/04/2023 13:11:49


Task 09

Question: The user has made notes of their work credentials, what is their password?

To find additional documents, the user's profile directory is examined further. A search for files in \Users\Randy Savage\Documents\Work reveals two more files:

  • Stats.xls
  • notes.txt

Small files (notes.txt is 118 bytes) can be stored entirely inside the MFT record itself as resident data. MFTECmd can dump this resident data with the --dr flag, which in this case includes the sought-after notes.txt:

New onboarding process:
Download onboarding tool from Google Drive
Username: RSavage
Password: ReallyC00lDucks2023!

Answer: ReallyC00lDucks2023!
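As an added example (not part of the write-up and not MFTECmd's code), the following Python parses a raw 1024-byte MFT FILE record the way a parser such as MFTECmd must: it applies the update-sequence fixups, walks the attributes and reports the unnamed $DATA attribute, which yields the allocated and real sizes asked for in Tasks 06 and 07 when the data is non-resident, and the file content itself (what --dr dumps, Task 09) when it is resident. build_record constructs the sample records in memory; the offsets are the standard NTFS record layout, and the sample content is made up.

```python
import struct

def apply_fixups(rec: bytes) -> bytearray:   # restore sector ends from the update sequence array
    buf = bytearray(rec)
    usa_off, usa_len = struct.unpack_from("<HH", buf, 4)
    for i in range(1, usa_len):
        end = i * 512 - 2
        if buf[end:end + 2] != buf[usa_off:usa_off + 2]:   # torn write or corruption
            raise ValueError("fixup mismatch in sector %d" % i)
        buf[end:end + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def unnamed_data(rec: bytes) -> dict:   # report the unnamed $DATA stream (named ones are ADSs)
    buf = apply_fixups(rec)
    if buf[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off = struct.unpack_from("<H", buf, 0x14)[0]
    while off + 8 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        nonres, name_len = buf[off + 8], buf[off + 9]
        if atype == 0x80 and name_len == 0:
            if nonres:   # data lives in clusters; the header carries both sizes
                return dict(zip(("allocated", "real"), struct.unpack_from("<QQ", buf, off + 0x28)), resident=False)
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)   # data sits inside the record
            return {"resident": True, "real": clen, "content": bytes(buf[off + coff:off + coff + clen])}
        off += alen
    raise ValueError("no unnamed $DATA attribute")

def build_record(content=None, allocated=0, real=0) -> bytes:   # constructed sample record
    buf = bytearray(1024)
    buf[:4] = b"FILE"
    struct.pack_into("<HH", buf, 4, 0x30, 3)      # update sequence array at 0x30: USN + 2 sectors
    struct.pack_into("<HH", buf, 0x14, 0x38, 1)   # first attribute offset, flags = in use
    off = 0x38
    if content is not None:                       # resident $DATA: content follows the 0x18 header
        alen = (0x18 + len(content) + 7) & ~7
        struct.pack_into("<IIBBHHHIH", buf, off, 0x80, alen, 0, 0, 0x18, 0, 2, len(content), 0x18)
        buf[off + 0x18:off + 0x18 + len(content)] = content
    else:                                         # non-resident $DATA: sizes at 0x28/0x30/0x38
        alen = 0x48
        struct.pack_into("<IIBBHHHQQHH", buf, off, 0x80, alen, 1, 0, 0x40, 0, 2, 0, 0, 0x40, 0)
        struct.pack_into("<QQQ", buf, off + 0x28, allocated, real, real)
    struct.pack_into("<I", buf, off + alen, 0xFFFFFFFF)   # end-of-attributes marker
    struct.pack_into("<H", buf, 0x30, 0x1234)              # USN, then apply the fixups
    for i, end in enumerate((510, 1022), start=1):
        buf[0x30 + 2 * i:0x30 + 2 * i + 2] = buf[end:end + 2]
        struct.pack_into("<H", buf, end, 0x1234)
    return bytes(buf)
```

Feeding unnamed_data a real record from mft.raw (1024 bytes at the entry's offset) gives the same FileSize MFTECmd reports, and a fixup mismatch indicates the record is damaged rather than parseable.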


Task 10

Question: How many files remain under the C:\Users\ directory? (Recursively)

For this purpose, the files under the \Users directory that still exist (are in use) and are actual files (neither directories nor alternate data streams) need to be counted. Timeline Explorer by Eric Zimmerman, for example, can apply the following filter to the MFTECmd CSV output:

AND
    ParentPath begins with .\Users
    In Use = Checked
    Is Ads = Unchecked
    Is Directory = Unchecked

Answer: 3471
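As an added example (not part of the write-up), this Python applies the Task 10 filter to MFTECmd JSON output and additionally breaks the count down per profile folder under \Users, which also answers Task 02. It assumes MFTECmd --json writes one record per line with the field names shown in the entries above; the sample lines are constructed, not taken from the challenge MFT.

```python
import json
from collections import Counter

def is_live_user_file(rec: dict) -> bool:
    """True for an allocated, non-directory, non-ADS entry located under \\Users."""
    p = rec.get("ParentPath", "").lower()      # NTFS paths are case-insensitive
    # Accept ".\Users" itself or anything below it; a bare prefix test such as
    # Timeline Explorer's "begins with" would also match a ".\UsersBackup" folder.
    under_users = p == ".\\users" or p.startswith(".\\users\\")
    return (under_users
            and rec.get("InUse") is True
            and rec.get("IsAds") is False
            and rec.get("IsDirectory") is False)

def count_user_files(lines) -> int:
    """Count the records in an iterable of JSON lines that pass the filter."""
    return sum(1 for ln in lines if ln.strip() and is_live_user_file(json.loads(ln)))

def files_per_user(lines) -> Counter:
    """Map each profile folder name under \\Users to its count of live files."""
    per_user = Counter()
    for ln in lines:
        if not ln.strip():
            continue
        rec = json.loads(ln)
        if is_live_user_file(rec):
            parts = rec["ParentPath"].split("\\")   # ['.', 'Users', '<user>', ...]
            per_user[parts[2] if len(parts) > 2 else "<Users root>"] += 1
    return per_user

def _rec(parent, name, in_use=True, is_ads=False, is_dir=False):
    """Build one constructed MFTECmd-style JSON line."""
    return json.dumps({"ParentPath": parent, "FileName": name, "InUse": in_use,
                       "IsAds": is_ads, "IsDirectory": is_dir})

# Constructed sample: only the first two lines should be counted.
SAMPLE_LINES = [
    _rec(".\\Users\\Randy Savage\\Downloads", "Onboarding.hta"),
    _rec(".\\Users\\Randy Savage\\Documents\\Work", "notes.txt"),
    _rec(".\\Users\\Randy Savage\\Downloads", "Onboarding.hta:Zone.Identifier", is_ads=True),
    _rec(".\\Users\\Randy Savage\\Documents", "Work", is_dir=True),
    _rec(".\\Users\\Randy Savage\\Documents\\Work", "Proposal.pptx", in_use=False),
    _rec(".\\Windows\\System32", "notepad.exe"),
    _rec(".\\UsersBackup", "old.txt"),
]

if __name__ == "__main__":
    print(count_user_files(SAMPLE_LINES), dict(files_per_user(SAMPLE_LINES)))
```

On the real output, pass the lines of the MFTECmd JSON file to count_user_files instead of SAMPLE_LINES.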