Zumpyx Blog

OPTinselTrace24-3: Blizzard Breakdown

SherlocksWIP

Scenario

Furious after discovering he’s been left off the Nice List this holiday season, one particular elf - heavily influenced by Krampus - goes rogue, determined to take revenge. Consumed by anger, he hatches a sinister plan to sabotage Christmas by targeting Santa Claus’ most critical asset - its S3 data archive! This repository holds sensitive information, including blueprints for new toys, holiday logistics, toy production schedules, and most importantly, the coveted gift list! With Christmas preparations in full swing, any disruption to this storage could cause chaos across the entire operation, threatening to derail everyone’s holiday season. Will the holiday magic prevail, or will Christmas fall into dismay?

sha256sum BlizzardBreakdown.zip 
67226a5fc51d4c1b6d9c2f9bbc7dc9f80361b3731ba45a0b6a76257afb7a57af  BlizzardBreakdown.zip

unzip -q BlizzardBreakdown.zip -d BlizzardBreakdown     
[BlizzardBreakdown.zip] NORTHPOLE-LUMEN/C/$Boot password:

tree -hL 2
[4.0K]  .
├── [4.0K]  BlizzardBreakdown
│   ├── [4.0K]  AWS-CloudTrail
│   └── [4.0K]  NORTHPOLE-LUMEN
└── [123M]  BlizzardBreakdown.zip

4 directories, 1 file

Initial Analysis

这里有 Windows 的取证文件,那么先导出一下 NTLM

cd ./NORTHPOLE-LUMEN/C/Windows/System32/config
impacket-secretsdump -system SYSTEM -security SECURITY -sam SAM local
---
Impacket v0.12.0.dev1 - Copyright 2023 Fortra

[*] Target system bootKey: 0x6e815b0c2c9f7721ca8eb8d145c364eb
[*] Dumping local SAM hashes (uid:rid:lmhash:nthash)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:4fbc7c82498042d7e915dbe8e56deb7a:::
srvc.elf:1001:aad3b435b51404eeaad3b435b51404ee:e19ccf75ee54e06b06a5907af13cef42:::
[*] Dumping cached domain logon information (domain/username:hash)
NORTHPOLE.LOCAL/lannyl:$DCC2$10240#lannyl#0922fbe85bf3f2836a84caf2ecf89a6a: (2024-11-13 16:37:04)
[*] Dumping LSA Secrets
[*] $MACHINE.ACC 
$MACHINE.ACC:plain_password_hex:43006e00570066006400310078006e003f00440064004b006c006e0026003e0050006a003500380068002d004d0024003800510046006300510034002c005b006b003d002400620042007a0058007700290051004f005f00400049002c00590044002b003d0068003000780068005f005c0030002f002800350065002b00230033004800440020006a006d006f0034005300730029003300240049004900510021006e0029006100580023004f0071003400450021006f0022005f0059004d002900630079003e003b004c002c00250020004e0055005b0053006200260074005c0074004d005a002d0030002d002c00
$MACHINE.ACC: aad3b435b51404eeaad3b435b51404ee:9c25e50ed2c40f94c2dd889fed482651
[*] DPAPI_SYSTEM 
dpapi_machinekey:0xf3d6cd4691b582dc5086afabd658391686a1e6ba
dpapi_userkey:0xf4dc495b632c7dbc49273815042d138db1259a1f
[*] NL$KM 
 0000   02 3D 31 5F B6 C3 21 A1  87 90 CB AC 4F FB DC 20   .=1_..!.....O.. 
 0010   2E 5F A2 CF AC FF A5 C2  C1 81 B8 B9 14 94 34 31   ._............41
 0020   C0 48 27 4D 0A 58 12 6E  CA 5F BF A6 95 63 36 C4   .H'M.X.n._...c6.
 0030   D9 0C A3 74 E7 1D 02 33  C6 68 32 D2 2F 25 CC 63   ...t...3.h2./%.c
NL$KM:023d315fb6c321a18790cbac4ffbdc202e5fa2cfacffa5c2c181b8b914943431c048274d0a58126eca5fbfa6956336c4d90ca374e71d0233c66832d22f25cc63
[*] Cleaning up...

AWS 的日志,每个文件名都有完整的位置信息,可以把所有的日志文件放到一个目录中,再全部解压

mkdir aws-logs
find AWS-CloudTrail -type f -exec cp {} aws-logs/ \;
cd aws-logs
gunzip -d *.gz

MFT 文件,可以使用工具先提取索引信息,导出到 json 和 csv 文件

https://github.com/omerbenamram/mft

mft NORTHPOLE-LUMEN/C/\$MFT -o csv > mft.csv
mft NORTHPOLE-LUMEN/C/\$MFT -o json > mft.json

其他可能会用到的工具

https://download.ericzimmermanstools.com/net6/MFTExplorer.zip https://download.ericzimmermanstools.com/net6/PECmd.zip

Task 1

The Victim Elf shared credentials that allowed the Rogue Elf to access the workstation. What was the Client ID that was shared?

tree NORTHPOLE-LUMEN/C/Users/ -L 4
---
NORTHPOLE-LUMEN/C/Users/
├── Default
│   ├── AppData
│   │   └── Roaming
│   │       └── Microsoft
│   ├── NTUSER.DAT
│   ├── NTUSER.DAT.LOG1
│   └── NTUSER.DAT.LOG2
├── Public
│   └── Desktop
│       └── Thunderbird.lnk
├── lannyl
│   ├── AppData
│   │   ├── Local
│   │   │   ├── IceChat Networks
│   │   │   ├── Microsoft
│   │   │   └── Packages
│   │   └── Roaming
│   │       ├── Microsoft
│   │       └── Thunderbird
│   ├── Desktop
│   │   ├── IceChat 9.lnk
│   │   ├── Microsoft Edge.lnk
│   │   └── WinSCP.lnk
│   ├── NTUSER.DAT
│   ├── ntuser.dat.LOG1
│   └── ntuser.dat.LOG2
└── srvc.elf
    ├── AppData
    │   ├── Local
    │   │   └── Microsoft
    │   └── Roaming
    │       └── Microsoft
    ├── Desktop
    │   └── Microsoft Edge.lnk
    ├── NTUSER.DAT
    └── ntuser.dat.LOG1

24 directories, 13 files

查看附件中的用户文件,发现 lannyl 用户有 IceChat Networks 和 Thunderbird 应用,先看一下聊天记录。

find NORTHPOLE-LUMEN/C/Users/lannyl/AppData/Local/IceChat\ Networks/IceChat/Logs/irc.quakenet.org/ -type f -exec cat {} \;
---
...
[03:45.14] <Lanny> Thanks! It’s a lot to learn, but I’m getting there!
[03:53.34] <W4yne> That’s awesome! I actually used to have your role, so I know my way around the setup. I was transferred recently, but I’d be happy to help you get sorted with everything!
[03:55.09] <Lanny> Oh, that would be amazing it’s a bit overwhelming!
[03:56.16] <W4yne> Haha, I get it! So, there’s this tool called TeamViewer we use sometimes for remote setup. Since I’m far away, I insist we use it so I can guide you through everything directly. Here’s the link: +www.teamviewer.com.,
[04:01.47] <Lanny> Hmm but I don’t think I have the privileges to install software.
[04:03.06] <W4yne> Ah, understood. You know what? Let’s use Ammyy Admin instead – it doesn’t require installation at all. Just download it from +www.ammyy.com, and select "Run".
[04:07.46] <Lanny> Okay, trying that now.
[04:09.49] <W4yne> Great! Once it’s running, send me your ID so I can connect and set things up for you.
[04:20.46] <Lanny> Sorry for the delay, I was just on a call.
[04:20.59] <Lanny> 95 192 516
[04:21.05] <Lanny> password: 48480
[04:23.54] <Lanny> Oh no, I just remembered I have to run an errand! Could we pick this up later?
[04:25.25] <W4yne> No problem! Just leave your workstation unlocked, and I’ll handle the setup while you’re out. Everything will be ready when you’re back!
...

可以使用翻译软件读一下,这里大概意思是 W4yne 问 Lanny 要 ID,Lanny 回复了 95192516

Task 2

What is the IP address of the Rogue Elf used during the attack?

cat aws-logs/*.json | jq .Records.[].sourceIPAddress | sort -u
---
"146.70.202.35"
"149.88.103.56"
"212.102.51.42"
"3.146.214.70"
"37.19.205.149"
"91.207.174.13"
"AWS Internal"
"access-analyzer.amazonaws.com"
"backup.amazonaws.com"
"cloudtrail.amazonaws.com"
"dynamodb.application-autoscaling.amazonaws.com"
"ec2.amazonaws.com"
"monitoring.rds.amazonaws.com"
"rds.amazonaws.com"
"resource-explorer-2.amazonaws.com"
"support.amazonaws.com"
"trustedadvisor.amazonaws.com"

筛选出来的 IP 只有 6 个,可以逐个去看一下,也可以直接提交尝试

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35") | .requestParameters.key' | sort -u
---
"Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt"
"Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt\tClaus_Operation_Data/blueprints/CandyCaneMachine_Diagram.dwg\tClaus_Operation_Data/blueprints/SantaSleigh_Upgrades.vsdx\tClaus_Operation_Data/blueprints/Toy_Blueprints.pdf\tClaus_Operation_Data/gift_lists/GiftList_Worldwide.csv\tClaus_Operation_Data/gift_lists/NaughtyList_ReviewNotes.docx\tClaus_Operation_Data/gift_lists/NiceList_ReviewNotes.docx\tClaus_Operation_Data/logistics/ElfRoutes_Map2024.kmz\tClaus_Operation_Data/logistics/Global_Delivery_Schedule.xlsx\tClaus_Operation_Data/logistics/Weather_Contingency_Plan.pdf\tClaus_Operation_Data/operational_files/Christmas_CrewChecklist.txt\tClaus_Operation_Data/operational_files/SleighMaintenance_Guide.pdf\tClaus_Operation_Data/operational_files/ToyTestingReports.xlsx\tClaus_Operation_Data/production_schedules/ElfShift_Timetable.pdf\tClaus_Operation_Data/production_schedules/Inventory-Stock_Report.xlsx\tClaus_Operation_Data/production_schedules/ToyFactory_Schedule.csv\tClaus_Operation_Data/reindeer_management/Reindeer_Feeding_Schedule.pdf\tClaus_Operation_Data/reindeer_management/Rudolph_FitnessTracker2gpx\tClaus_Operation_Data/security_protocols/Intrusion_Detection_Config.yaml\tClaus_Operation_Data/security_protocols/NorthPole_Security_Policies.pdf"
"Claus_Operation_Data/blueprints/CandyCaneMachine_Diagram.dwg"
"Claus_Operation_Data/blueprints/SantaSleigh_Upgrades.vsdx"
"Claus_Operation_Data/blueprints/Toy_Blueprints.pdf"
"Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
"Claus_Operation_Data/gift_lists/NaughtyList_ReviewNotes.docx"
"Claus_Operation_Data/gift_lists/NiceList_ReviewNotes.docx"
"Claus_Operation_Data/logistics/ElfRoutes_Map2024.kmz"
"Claus_Operation_Data/logistics/Global_Delivery_Schedule.xlsx"
"Claus_Operation_Data/logistics/Weather_Contingency_Plan.pdf"
"Claus_Operation_Data/operational_files/Christmas_CrewChecklist.txt"
"Claus_Operation_Data/operational_files/SleighMaintenance_Guide.pdf"
"Claus_Operation_Data/operational_files/ToyTestingReports.xlsx"
"Claus_Operation_Data/production_schedules/ElfShift_Timetable.pdf"
"Claus_Operation_Data/production_schedules/Inventory-Stock_Report.xlsx"
"Claus_Operation_Data/production_schedules/ToyFactory_Schedule.csv"
"Claus_Operation_Data/reindeer_management/Reindeer_Feeding_Schedule.pdf"
"Claus_Operation_Data/reindeer_management/Rudolph_FitnessTracker2gpx"
"Claus_Operation_Data/security_protocols/Intrusion_Detection_Config.yaml"
"Claus_Operation_Data/security_protocols/NorthPole_Security_Policies.pdf"

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "149.88.103.56") | .requestParameters.key' | sort -u
---
null

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "212.102.51.42") | .requestParameters.key' | sort -u
---
null

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "37.19.205.149") | .requestParameters.key' | sort -u
---
null

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "3.146.214.70") | .requestParameters.key' | sort -u 
---
null

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "91.207.174.13") | .requestParameters.key' | sort -u
---
null

第一个 IP 请求的是一些关于礼品的数据,而其他 IP 并没有访问什么资源,刚好符合这个场景中攻击者的目标,提交 146.70.202.35

Task 3

What is the name of the executable the victim ran to enable remote access to their system?

第一种方法,通过 MFT 文件筛选,有限筛选 Users 目录下的 exe 文件

cat mft.csv | awk -F ',' '{print $22}' | grep Users | grep '\.exe'
---
Users/lannyl/AppData/Local/Microsoft/WindowsApps/Skype.exe
Users/lannyl/AppData/Local/Microsoft/WindowsApps/Microsoft.SkypeApp_kzf8qxf38zg5c/Skype.exe
Users/lannyl/Downloads/TeamViewer_Setup_x64.exe
Users/lannyl/Downloads/Thunderbird Setup 128.4.3esr.exe
Users/lannyl/AppData/Local/Microsoft/OneDrive/OneDriveStandaloneUpdater.exe
Users/lannyl/AppData/Local/Microsoft/WindowsApps/GameBarElevatedFT_Alias.exe
Users/lannyl/AppData/Local/Microsoft/WindowsApps/Microsoft.XboxGamingOverlay_8wekyb3d8bbwe/GameBarElevatedFT_Alias.exe
Users/lannyl/Downloads/AA_v3.exe
Users/lannyl/AppData/Local/Microsoft/OneDrive/24.206.1013.0004/Microsoft.SharePoint.exe
Users/lannyl/AppData/Local/Microsoft/OneDrive/OneDrive.exe
Users/lannyl/AppData/Local/Microsoft/OneDrive/Update/OneDriveSetup.exe
Users/srvc.elf/AppData/Local/Microsoft/WindowsApps/python3.7.exe
Users/srvc.elf/AppData/Local/Microsoft/WindowsApps/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe/python3.7.exe
Users/srvc.elf/AppData/Local/Microsoft/WindowsApps/python3.exe
Users/srvc.elf/AppData/Local/Microsoft/WindowsApps/Microsoft.DesktopAppInstaller_8wekyb3d8bbwe/python3.exe
Users/srvc.elf/AppData/Local/Microsoft/WindowsApps/python.exe

第二种方法就是看 Windows 事件日志,查看系统日志时可以发现

image.png

AA_v3.exe 这个文件名一眼丁真

Task 4

What time (UTC) did the Rogue Elf connect to the victim’s workstation?

cat NORTHPOLE-LUMEN/C/ProgramData/Ammyy/access.log 
20241113-04:23:34.386000 0000273C - [0] PASSED authorization remoteId=95192584; TCP by router 136.243.104.242:443
20241113-04:51:54.357000 0000273C - [0] ENDED  authorized session, bytes recv/send = 19800 / 9826861

这里的时间需要 +8h,可以考虑一下圣诞老人家乡的时区,而且,这题找了好久才找到这里。

Task 5

The Rogue Elf compromised an AWS Access Key. What is the AWS Access Key ID obtained from the victim’s workstation?

cat aws-logs/* | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35" and .requestParameters.key == "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv" and .eventName=="GetObject")'
---
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA[REDACTED]",
    "arn": "arn:aws:iam::949622803460:user/arctic-archive-user",
    "accountId": "949622803460",
    "accessKeyId": "AKIA[REDACTED]",
    "userName": "arctic-archive-user"
  },
  "eventTime": "2024-11-13T15:56:58Z",
 ...

攻击者盗取的 AcceessKeyId: AKIA[REDACTED]

Task 6

Which S3 bucket did the Rogue Elf target during the incident?

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35") | .requestParameters.bucketName' | sort -u
---
"arctic-archive-freezer"
null

👍🏻 目标清晰 arctic-archive-freezer

Task 7

Within the targeted S3 bucket, what is the name of the main directory where the files were stored?

cat aws-logs/*.json | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35") | .requestParameters.key' | sort -u
---
"Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt"
"Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt\tClaus_Operation_Data/blueprints/CandyCaneMachine_Diagram.dwg\tClaus_Operation_Data/blueprints/SantaSleigh_Upgrades.vsdx\tClaus_Operation_Data/blueprints/Toy_Blueprints.pdf\tClaus_Operation_Data/gift_lists/GiftList_Worldwide.csv\tClaus_Operation_Data/gift_lists/NaughtyList_ReviewNotes.docx\tClaus_Operation_Data/gift_lists/NiceList_ReviewNotes.docx\tClaus_Operation_Data/logistics/ElfRoutes_Map2024.kmz\tClaus_Operation_Data/logistics/Global_Delivery_Schedule.xlsx\tClaus_Operation_Data/logistics/Weather_Contingency_Plan.pdf\tClaus_Operation_Data/operational_files/Christmas_CrewChecklist.txt\tClaus_Operation_Data/operational_files/SleighMaintenance_Guide.pdf\tClaus_Operation_Data/operational_files/ToyTestingReports.xlsx\tClaus_Operation_Data/production_schedules/ElfShift_Timetable.pdf\tClaus_Operation_Data/production_schedules/Inventory-Stock_Report.xlsx\tClaus_Operation_Data/production_schedules/ToyFactory_Schedule.csv\tClaus_Operation_Data/reindeer_management/Reindeer_Feeding_Schedule.pdf\tClaus_Operation_Data/reindeer_management/Rudolph_FitnessTracker2gpx\tClaus_Operation_Data/security_protocols/Intrusion_Detection_Config.yaml\tClaus_Operation_Data/security_protocols/NorthPole_Security_Policies.pdf"
"Claus_Operation_Data/blueprints/CandyCaneMachine_Diagram.dwg"
"Claus_Operation_Data/blueprints/SantaSleigh_Upgrades.vsdx"
"Claus_Operation_Data/blueprints/Toy_Blueprints.pdf"
"Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
"Claus_Operation_Data/gift_lists/NaughtyList_ReviewNotes.docx"
"Claus_Operation_Data/gift_lists/NiceList_ReviewNotes.docx"
"Claus_Operation_Data/logistics/ElfRoutes_Map2024.kmz"
"Claus_Operation_Data/logistics/Global_Delivery_Schedule.xlsx"
"Claus_Operation_Data/logistics/Weather_Contingency_Plan.pdf"
"Claus_Operation_Data/operational_files/Christmas_CrewChecklist.txt"
"Claus_Operation_Data/operational_files/SleighMaintenance_Guide.pdf"
"Claus_Operation_Data/operational_files/ToyTestingReports.xlsx"
"Claus_Operation_Data/production_schedules/ElfShift_Timetable.pdf"
"Claus_Operation_Data/production_schedules/Inventory-Stock_Report.xlsx"
"Claus_Operation_Data/production_schedules/ToyFactory_Schedule.csv"
"Claus_Operation_Data/reindeer_management/Reindeer_Feeding_Schedule.pdf"
"Claus_Operation_Data/reindeer_management/Rudolph_FitnessTracker2gpx"
"Claus_Operation_Data/security_protocols/Intrusion_Detection_Config.yaml"
"Claus_Operation_Data/security_protocols/NorthPole_Security_Policies.pdf"
null

在第二问找攻击者 IP 的时候就可以看到,访问的主目录是 Claus_Operation_Data

Task 8

What time (UTC) did the Rogue Elf disable versioning for the S3 bucket?

cat aws-logs/* | jq '.Records.[] | select (.eventName == "PutBucketVersioning" and .errorCode == null) | .eventTime'
---
"2024-11-13T15:31:15Z"

Task 9

What is the MITRE ATT&CK Technique ID associated with the method used in Question 8?

Google: disable s3 version mitre

https://research.splunk.com/cloud/657902a9-987d-4879-a1b2-e7a65512824b/

这个页面标题符合,往下翻看到 T1490

Task 10

What time (UTC) was the first restore operation successfully initiated for the S3 objects?

cat aws-logs/* | jq '.Records.[] | select (.eventName == "RestoreObject" and .errorCode == null) | .eventTime'
---
"2024-11-13T15:43:49Z"
"2024-11-13T15:43:58Z"
"2024-11-13T15:44:09Z"
"2024-11-13T15:44:17Z"
"2024-11-13T15:44:40Z"
"2024-11-13T15:44:42Z"
"2024-11-13T15:44:45Z"
"2024-11-13T15:44:50Z"
"2024-11-13T15:44:47Z"
"2024-11-13T15:44:52Z"
"2024-11-13T15:44:54Z"
"2024-11-13T15:44:57Z"
"2024-11-13T15:44:59Z"
"2024-11-13T15:45:03Z"
"2024-11-13T15:45:06Z"
"2024-11-13T15:45:09Z"
"2024-11-13T15:45:12Z"
"2024-11-13T15:45:15Z"
"2024-11-13T15:45:20Z"
"2024-11-13T15:45:17Z"

这里记得看一下错误代码是否为空,2024-11-13 15:43:49

Task 11

Which retrieval option did the Rogue Elf use to restore the S3 objects?

cat aws-logs/* | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35" and .requestParameters.key == "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv" and .eventName == "RestoreObject")'
---
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA[REDACTED]",
    "arn": "arn:aws:iam::949622803460:user/arctic-archive-user",
    "accountId": "949622803460",
    "accessKeyId": "AKIA[REDACTED]",
    "userName": "arctic-archive-user"
  },
  "eventTime": "2024-11-13T15:44:40Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "RestoreObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "146.70.202.35",
  "userAgent": "[aws-cli/2.20.0 md/awscrt#0.22.0 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3api.restore-object]",
  "requestParameters": {
    "bucketName": "arctic-archive-freezer",
    "Host": "arctic-archive-freezer.s3.us-east-1.amazonaws.com",
    "RestoreRequest": {
      "xmlns": "http://s3.amazonaws.com/doc/2006-03-01/",
      "Days": 1,
      "GlacierJobParameters": {
        "Tier": "Expedited"
      }
    },
    "restore": "",
    "key": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "TLS_AES_128_GCM_SHA256",
    "bytesTransferredIn": 162,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "fAJEoLQx+LrJUN018m4f6MP/+7IgpZAJoLcbqebNTZmC7JEzUEvL1Qxwb99sMkuyGUbxhsXA0h0=",
    "bytesTransferredOut": 0
  },
  "requestID": "0985WD305AQCDM5B",
  "eventID": "236ec975-eb72-4777-8c37-528bc95a3425",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::arctic-archive-freezer/Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
    },
    {
      "accountId": "949622803460",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::arctic-archive-freezer"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "949622803460",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "arctic-archive-freezer.s3.us-east-1.amazonaws.com"
  }
}

重置的这个日志记录中看到 .requestParameters.RestoreRequest.GlacierJobParameters.Tier 的值 Expedited

Task 12

What is the filename of the S3 object that the Rogue Elf attempted to delete?

cat aws-logs/* | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35" and .eventName == "DeleteObject")'
---
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA[REDACTED]",
    "arn": "arn:aws:iam::949622803460:user/arctic-archive-user",
    "accountId": "949622803460",
    "accessKeyId": "AKIA[REDACTED]",
    "userName": "arctic-archive-user"
  },
  "eventTime": "2024-11-13T16:04:09Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "DeleteObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "146.70.202.35",
  "userAgent": "[aws-cli/2.20.0 md/awscrt#0.22.0 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3.rm]",                                                                                           
  "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:iam::949622803460:user/arctic-archive-user is not authorized to perform: s3:DeleteObject on resource: \"arn:aws:s3:::arctic-archive-freezer/Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv\" because no identity-based policy allows the s3:DeleteObject action",                                                                                                                                   
  "requestParameters": {
    "bucketName": "arctic-archive-freezer",
    "Host": "arctic-archive-freezer.s3.us-east-1.amazonaws.com",
    "key": "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
  },
  "responseElements": null,
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "TLS_AES_128_GCM_SHA256",
    "bytesTransferredIn": 0,
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "BA8zisWwtuss2Bsy7AVVeeS7HHyit1qbn9ZKlzwOmZg0mgT4FWH98Ysny9KKuDV3wAecsaY1Ddo=",
    "bytesTransferredOut": 505
  },
  "requestID": "Z73SW2G90Z6CXTRF",
  "eventID": "b0ae6cec-2b2e-48eb-803c-29744b710476",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::arctic-archive-freezer/Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv"
    },
    {
      "accountId": "949622803460",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::arctic-archive-freezer"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "949622803460",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "arctic-archive-freezer.s3.us-east-1.amazonaws.com"
  }
}

被删除的文件是 GiftList_Worldwide.csv

Task 13

What is the size (MB) of the S3 object that the Rogue Elf targeted in Question 12?

cat aws-logs/* | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35" and .requestParameters.key == "Claus_Operation_Data/gift_lists/GiftList_Worldwide.csv") | .additionalEventData.bytesTransferredOut'
---
0
8388608
8388608
0
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
8388608
505
0

部分日志是有这个文件的大小的,8 MB * 19 = 152 MB

Task 14

The Rogue Elf uploaded corrupted files to the S3 bucket. What time (UTC) was the first object replaced during the attack?

cat aws-logs/* | jq '.Records.[] | select(.sourceIPAddress == "146.70.202.35" and .eventName == "PutObject")' | jq -s .[0]
---
{
  "eventVersion": "1.10",
  "userIdentity": {
    "type": "IAMUser",
    "principalId": "AIDA[REDACTED]",
    "arn": "arn:aws:iam::949622803460:user/arctic-archive-user",
    "accountId": "949622803460",
    "accessKeyId": "AKIA[REDACTED]",
    "userName": "arctic-archive-user"
  },
  "eventTime": "2024-11-13T16:10:03Z",
  "eventSource": "s3.amazonaws.com",
  "eventName": "PutObject",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "146.70.202.35",
  "userAgent": "[aws-cli/2.20.0 md/awscrt#0.22.0 ua/2.0 os/windows#10 md/arch#amd64 lang/python#3.12.6 md/pyimpl#CPython cfg/retry-mode#standard md/installer#exe md/prompt#off md/command#s3.cp]",
  "requestParameters": {
    "bucketName": "arctic-archive-freezer",
    "Host": "arctic-archive-freezer.s3.us-east-1.amazonaws.com",
    "key": "Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt",
    "x-amz-storage-class": "GLACIER"
  },
  "responseElements": {
    "x-amz-server-side-encryption": "AES256",
    "x-amz-storage-class": "GLACIER"
  },
  "additionalEventData": {
    "SignatureVersion": "SigV4",
    "CipherSuite": "TLS_AES_128_GCM_SHA256",
    "bytesTransferredIn": 0,
    "SSEApplied": "Default_SSE_S3",
    "AuthenticationMethod": "AuthHeader",
    "x-amz-id-2": "MZmT13mUM+4sjnQw+u1bj6z0vUbe5JxMCpMV3fSD/n9CtgHReLtyw4mhDqm8zJ7UIMNgYAh3QNM=",
    "bytesTransferredOut": 0
  },
  "requestID": "MEDR3K2C6TBC1E55",
  "eventID": "d00a00ee-c459-4c50-9d80-c2e4d352e6e5",
  "readOnly": false,
  "resources": [
    {
      "type": "AWS::S3::Object",
      "ARN": "arn:aws:s3:::arctic-archive-freezer/Claus_Operation_Data/AI_HoHoHoliday_Helper_Link.txt"
    },
    {
      "accountId": "949622803460",
      "type": "AWS::S3::Bucket",
      "ARN": "arn:aws:s3:::arctic-archive-freezer"
    }
  ],
  "eventType": "AwsApiCall",
  "managementEvent": false,
  "recipientAccountId": "949622803460",
  "eventCategory": "Data",
  "tlsDetails": {
    "tlsVersion": "TLSv1.3",
    "cipherSuite": "TLS_AES_128_GCM_SHA256",
    "clientProvidedHostHeader": "arctic-archive-freezer.s3.us-east-1.amazonaws.com"
  }
}

可以看到第一次上传的时间是:2024-11-13 16:10:03Z

Task 15

What storage class was used for the S3 objects to mimic the original settings and avoid suspicion?

Task 14 可以看到 “x-amz-storage-class”: “GLACIER”,GLACIER 就是使用的 S3 对象存储类型

Comment

熟知 aws 日志各个字段的表达意思,那问题就不大了。

Questions

  1. The Victim Elf shared credentials that allowed the Rogue Elf to access the workstation. What was the Client ID that was shared?

    95192516

  2. What is the IP address of the Rogue Elf used during the attack?

    146.70.202.35

  3. What is the name of the executable the victim ran to enable remote access to their system?

    AA_V3.EXE

  4. What time (UTC) did the Rogue Elf connect to the victim’s workstation?

    2024-11-13 12:23:34

  5. The Rogue Elf compromised an AWS Access Key. What is the AWS Access Key ID obtained from the victim’s workstation?

    AKIA[REDACTED]

  6. Which S3 bucket did the Rogue Elf target during the incident?

    arctic-archive-freezer

  7. Within the targeted S3 bucket, what is the name of the main directory where the files were stored?

    Claus_Operation_Data

  8. What time (UTC) did the Rogue Elf disable versioning for the S3 bucket?

    2024-11-13 15:31:15

  9. What is the MITRE ATT&CK Technique ID associated with the method used in Question 8?

    T1490

  10. What time (UTC) was the first restore operation successfully initiated for the S3 objects?

    2024-11-13 15:43:49

  11. Which retrieval option did the Rogue Elf use to restore the S3 objects?

    expedited

  12. What is the filename of the S3 object that the Rogue Elf attempted to delete?

    GiftList_Worldwide.csv

  13. What is the size (MB) of the S3 object that the Rogue Elf targeted in Question 12?

    152

  14. The Rogue Elf uploaded corrupted files to the S3 bucket. What time (UTC) was the first object replaced during the attack?

    2024-11-13 16:10:03

  15. What storage class was used for the S3 objects to mimic the original settings and avoid suspicion?

    glacier