Mirthz šŸ‘€
Cerulean - Blue Team Lab Online Writeup

Cerulean - Blue Team Lab Online Writeup

Mon Jan 13 2025
BTLO
5 minutes
writeup blue team BTLO FrostByte'24
800 words

ā„ļø Challenge Story ā„ļø Link to ā„ļø Challenge Story ā„ļø

FrostGuard is sending threats towards Cerulean Inc, mainly Janeā€™s PCā€”the Head of Production. What is this bot planning?

Scenario

Youā€™re the lead security analyst at Cerulean Inc., a respected manufacturer of industrial control systems. Your SIEM alerts you to suspicious RDP connections to the Production Departmentā€”especially Janeā€™s PC (the head of the department). It was determined later on that the attacks were malicious. You are tasked to analyze the triage artifacts on her computer and investigate the RDP connections for possible exfiltration.

Reference Article: https://www.securityblue.team/blog/posts/investigating-insider-threats-rdp-activity-magnet-forensics

list

list

We have a lot of tools for use in this challenge.šŸ„³

list

Evidence come with Triage from KAPE and Axiom Report.

list

Haha, Iā€™m actually glad you gave me so many tools to use.

Question#1 Link to Question#1

  1. When did Jane receive the malicious mail from an attacker pretending to be from IT Support? Check the web history to help us better timeline the series of events. (Format: YYYY-MM-DD HH:MM:SS UTC)Ā (1 points)
list

I use hindsight.py for find information from webhistory.
use -i option path ā€¦\Jane\AppData\Local\Google\Chrome\User Data\Default

list

After get result file from hindsight, I use Timeline Explorer for find the answer.
It have a lot of information, I need to scope. try to search in subject column with ā€œIT Supportā€.


list

After search I found that email from IT support

list

Answer time from first email.

Question#2 Link to Question#2

  1. The threat actor immediately, after RDPā€™ing, tries to log into other storage-based resources. What is the one with the most traffic? (Format: Storage Name)Ā (2 points)
list

Time to use ā€œMagnet AXOIM Examinerā€ to find more information.
This question asks us to find storage-based resources, of which there are only a few. In this question, I found the information about accessing to cloud storage. Then I go to ā€œCloud Services URLsā€ and filter Site name ā€œGoogle Driveā€. and see the result that most traffic shown.

Question#3 Link to Question#3

  1. It looks like the threat actorā€™s motive is data exfiltration via RDP. What ITM ID corresponds with this technique? (Format: XXXXX.XXX)Ā (2 points)
list

It seems like the only thing we know about now is that cloud storage was used to do something to Janeā€™s machine.
LOL I just try to search about ā€œgoogle driveā€, and I found this.
Ref : https://insiderthreatmatrix.org/articles/AR4/sections/IF001/subsections/IF001.001

Question#4 Link to Question#4

  1. Letā€™s step back for a bit. Janeā€™s account mistakenly has admin rights. What role did they assign to her? (Format: Job Role (Title))Ā (2 points)
list

This question want us to find Jane job role, look at ā€œUser Account Windowsā€ and filter Username only Jane, and I found Jane job role description.

Question#5 Link to Question#5

  1. It seems like she downloaded Slack before the RDP session. Our main point of communication is Teams, so this is strange. What is the installation date and time of this software? (Format: YYYY-MM-DD HH:MM:SS UTC)Ā (2 points)
list

This question want us to find installation time of Slack, we can find information about installed program in the Axiom report. Check in ā€œInstalled Programsā€, we gonna found that on the first record. Donā€™t forget to change time to UTC. (+12 hr. in this case)

Question#6 Link to Question#6

  1. There is enough evidence of Slack being used on Janeā€™s machine. Can you provide the unofficial URL being utilized for communication? (Format: hxxps://url.tld)Ā (3 points)
list

Comeback to find web history that relate with slack, I search subject with ā€œslackā€ and I found only 1 URLs that look suspicious.

Question#7 Link to Question#7

Q7) Provide the initial time and Origin IP Address for the RDP connections to Janeā€™s workstation. (Format: MM/D/YYYY H:MM:SSS XX UTC, XXX[.]XXX[.]XXX[.]XXX)Ā (4 points)

list

Then back to Axiom report again, find information about RDP connections, filter Jane in ā€œOrigin Service Nameā€. And looking for first connection.

Question#8 Link to Question#8

Q8) Our Project Venus plans were leaked, triggering the defenses. What are the four documents in alphabetical order? (Hint: examine the Windows Defender Logs) (Tip: remove ā€˜project venusā€™ and ā€˜ceruleanā€™ from the document names). (Format: Doc1, Doc2, Doc3, Doc4)Ā (9 points)

list

This question need us to find trigger information in Windows Defender Logs, we need to find ā€œMPlogā€ in Windows Defender folder.
Path : ../../ProgramData/Microsoft/Windows Defender/Support
Ref : https://www.crowdstrike.com/en-us/blog/how-to-use-microsoft-protection-logging-for-forensic-investigations/

list

try to search with ā€œprojectā€

list

Donā€™t forget to remove ā€˜project venusā€™ and ā€˜ceruleanā€™ and answer with alphabetical order.

End Link to End

Mirthz

Mirthz

Thank you everyone for reading.šŸ˜½


Telegram
Douban
Reddit
Pocket