OVERVIEW:

Professor Jan Vogel has spent the last 6 months developing an early detection system for the Novid Virus. But, one week before the public launch of the Metaalbekkanarie, the confidential research which was set to make the South African government billions of Randelas was published on GitHub by attackers.
How could this have happened?

 

NOTE AND TIPS:

In this challenge, you’ll be tasked to investigate events on a compromised host.
These events were orchestrated to reflect the Top 10 MITRE ATT&CK techniques as observed by Red Canary and detailed in their 2021 Threat Detection Report.
Keep this report handy, as it’ll help you understand some of the actions taken by the attackers. You can access the report here: 2021 Threat Detection Report

 

HOW IT WORKS:

If you haven’t previously, sign up for an account via the following Google form: SIGN UP
Once registered, you’ll receive instructions on how to access the CTF system via email. When you sign up, you’ll get 500 points as a gift. No questions asked.
For this investigation, you will be presented with 30 questions relating to the incident together with a set of triage data from a host you are required to investigate.
Each question is worth 100 points. This means there are 3,000 points up for grabs in the DikBek investigation.
Getting stuck? Each question has a hint that will help you towards the correct answer. But use it wisely, as taking a hint deducts 50 points.
Like guessing answers? Each wrong answer will result in a penalty of 10 points.

 

TRIAGE EVIDENCE:

In Question 1, you will get a download link for your evidence.
The download is for a 72MB zip archive named INV_DIKBEK_TRIAGE.zip (MD5: 902dec78e0c1432e5a4c8d65fbadbf3a)

This archive contains the following two archives:

  • INV_DIKBEK_EXPORT_WINEVT.zip
  • INV_DIKBEK_EVTXCMD.zip

INV_DIKBEK_EXPORT_WINEVT.zip
This archive contains all the Windows event logs contained on the host in question.
Luckily, someone installed Sysmon on the host… This data can be processed by any tool of your choosing, or even manually reviewed.

INV_DIKBEK_EVTXCMD.zip
This archive contains the CSV output produced by processing all the event logs with the latest version of Eric Zimmerman’s Evtx Explorer (EvtxECmd). You can get more information about the tool here: https://ericzimmerman.github.io/#!index.md

Note: A >1GB CSV file is cumbersome to work with. If you don’t already have a process or favourite tool for dealing with such big files, you could try Eric Zimmerman’s EZViewer tool, available here: https://ericzimmerman.github.io/#!index.md

It took a few moments to load the file, but it seemed to do the job (initial warning about file size and all).
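If you would rather not open a >1GB CSV in a viewer at all, the file can be streamed row by row. The following is an added example (not part of the challenge materials or any of Eric Zimmerman's tools): it verifies the archive hash given above in chunks, then streams an EvtxECmd-style CSV to tally events per channel and pull out Sysmon process-creation and network-connection events after the time the researcher left his desk. The column names (TimeCreated, EventId, Channel, UserName, ExecutableInfo, ...) are an assumption based on EvtxECmd's default CSV layout, and the embedded rows are constructed sample data, not rows from INV_DIKBEK_EVTXCMD.zip.

```python
"""Streaming triage helpers for a large EvtxECmd CSV export (added example)."""
import csv
import hashlib
import io
import sys
from collections import Counter
from typing import Iterable, Iterator, Optional

# Hash stated on the challenge page for INV_DIKBEK_TRIAGE.zip.
EXPECTED_ZIP_MD5 = "902dec78e0c1432e5a4c8d65fbadbf3a"
SYSMON_CHANNEL = "Microsoft-Windows-Sysmon/Operational"

# Constructed sample rows in an EvtxECmd-style CSV layout (assumed column names;
# a real export has more columns, but DictReader only needs those used below).
SAMPLE_CSV = """\
RecordNumber,EventRecordId,TimeCreated,EventId,Level,Provider,Channel,Computer,UserName,MapDescription,ExecutableInfo
1,5001,2021-05-06 14:41:09.3310000,1,Info,Microsoft-Windows-Sysmon,Microsoft-Windows-Sysmon/Operational,WS-VOGEL,SAEBIA\\jvogel,Process creation,C:\\Windows\\System32\\notepad.exe
2,5002,2021-05-06 14:58:30.1200000,4624,Info,Microsoft-Windows-Security-Auditing,Security,WS-VOGEL,SAEBIA\\jvogel,Successful logon,
3,5003,2021-05-06 22:13:01.0000000,4624,Info,Microsoft-Windows-Security-Auditing,Security,WS-VOGEL,SAEBIA\\svc_backup,Successful logon,
4,5004,2021-05-06 22:13:40.5550000,1,Info,Microsoft-Windows-Sysmon,Microsoft-Windows-Sysmon/Operational,WS-VOGEL,SAEBIA\\svc_backup,Process creation,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
5,5005,2021-05-06 22:14:02.0000000,3,Info,Microsoft-Windows-Sysmon,Microsoft-Windows-Sysmon/Operational,WS-VOGEL,SAEBIA\\svc_backup,Network connection,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
6,5006,2021-05-06 22:20:15.0000000,11,Info,Microsoft-Windows-Sysmon,Microsoft-Windows-Sysmon/Operational,WS-VOGEL,SAEBIA\\svc_backup,File created,C:\\Users\\Public\\archive.zip
"""


def md5_hex(stream, chunk_size: int = 1 << 20) -> str:
    """Hash a binary stream in 1MB chunks so a large archive never sits in memory."""
    digest = hashlib.md5()
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        digest.update(chunk)
    return digest.hexdigest()


def verify_archive(path: str, expected_md5: str = EXPECTED_ZIP_MD5) -> bool:
    """True if the downloaded archive matches the hash published with the challenge."""
    with open(path, "rb") as f:
        return md5_hex(f) == expected_md5.lower()


def iter_events(lines: Iterable[str], channel: Optional[str] = None,
                event_ids: Optional[Iterable[int]] = None,
                after: Optional[str] = None) -> Iterator[dict]:
    """Yield matching rows one at a time; csv.DictReader streams, so memory stays flat."""
    wanted = {str(e) for e in event_ids} if event_ids else None
    for row in csv.DictReader(lines):
        if channel and row["Channel"] != channel:
            continue
        if wanted and row["EventId"] not in wanted:
            continue
        # EvtxECmd writes TimeCreated as "YYYY-MM-DD HH:MM:SS.fffffff" (assumed),
        # so plain string comparison orders chronologically.
        if after and row["TimeCreated"] < after:
            continue
        yield row


def summarise(lines: Iterable[str]) -> Counter:
    """Count events per (Channel, EventId): a first look at what the export holds."""
    return Counter((row["Channel"], row["EventId"]) for row in csv.DictReader(lines))


def after_hours_activity(lines: Iterable[str], cutoff: str = "2021-05-06 15:00:00") -> list:
    """Sysmon process creations (1) and network connections (3) after the cutoff.

    The default cutoff is the time the backstory gives for Jan Vogel leaving the office.
    """
    return [(r["TimeCreated"], r["EventId"], r["UserName"], r["ExecutableInfo"])
            for r in iter_events(lines, channel=SYSMON_CHANNEL, event_ids=(1, 3), after=cutoff)]


if __name__ == "__main__":
    # Usage: python triage.py <path-to-EvtxECmd-csv>; with no argument the sample is used.
    source = open(sys.argv[1], newline="") if len(sys.argv) > 1 else io.StringIO(SAMPLE_CSV)
    with source:
        for (chan, eid), n in summarise(source).most_common():
            print(f"{n:8d}  {chan}  EventId={eid}")
    source = open(sys.argv[1], newline="") if len(sys.argv) > 1 else io.StringIO(SAMPLE_CSV)
    with source:
        for hit in after_hours_activity(source):
            print(*hit, sep="  ")
```

Because the file is read twice, the sample is re-opened rather than rewound; on the real export each pass is a single sequential read, which is what keeps a 1GB file workable on a laptop.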

 

SCENARIO BACKSTORY:

The South African Endemic Bird Intelligence Agency (SAEBIA)

Jan Vogel, head researcher at the South African Endemic Bird Intelligence Agency (SAEBIA), stood scratching his head while a feeling of emptiness rose up inside of him.

For a few fleeting moments, he hoped that this was all one big misunderstanding. However, as the ZDNet article finished loading on his colleague’s work computer, he saw screenshots of the exact ‘very confidential’ research output that should only have existed in his “Research_2021” folder. He had left the office around 15:00 on 6 May 2021, the day before, after finishing a new draft report on his groundbreaking research into the Dikbekkanarie, also known as the Brimstone Canary in English.

This small passerine bird in the finch family is a resident breeder in central and southern Africa. Around 12 months ago, Vogel’s department received generous grants from the South African Intelligence Services commission to research the weaponisation of these birds. Needless to say, the weaponisation project failed miserably, but Vogel and his team made a discovery so incredibly unbelievable that the president himself came out to visit the research facility to see it first-hand.

Whether it was a result of sheer brilliant research methodologies, or just plain luck (it was luck), Vogel’s team discovered an interesting occurrence relating to their subject birds.

Around 6 months ago, the team had come to the realisation that their Dikbekkanarie weaponisation project was a bust, and that their only successful project would probably remain sending secret encoded messages of the intelligence services with racing pigeons. Whilst resigning to their fate, they decided to let the flock of 11 research canaries roam freely in the 1000 square meter lab.

After three months of the birds roaming inside the facility, the flock of canaries started to take special interest in one of the researchers, Sophia Wagener. Starting one Monday morning, they would hang around her desk area, and even land on her shoulder when she remained still for long enough. This entertainment, however, only lasted for two days, after which Sophia phoned in sick with Novid virus symptoms. Novid was the name given to the new Covid virus, for which researchers across the globe were scrambling to develop new vaccines.

About a week later, the canary show returned when the flock suddenly took interest in Henk Visser. And, with almost identical timing to Sophia’s case, Henk phoned in sick with Novid two days later. Once the researchers made the link between the canaries and Novid, they had a few days of panic, as the original theory was that the birds were carrying the disease!

However, it wasn’t the case. Long story short, Jan Vogel discovered that for some as yet unexplained reason, the South African Dikbekkanarie was attracted to the pheromones emitted by someone infected with the Novid virus. This meant that SAEBIA had discovered an early detection system for people infected with Novid! After this discovery was made, the SAEBIA researchers spent months analysing the molecular DNA structure of the species, and were able to build a robotic Dikbekkanarie, called the Metaalbekkanarie (Metal Beak Canary). The Metaalbekkanarie was capable of screening people for Novid, even before they showed symptoms.

All great news, except for the fact that Jan was staring at a ZDNet article which credited a relatively unknown pharmaceutical company based in Panama with the discovery… his discovery!

IT support was promptly phoned and notified of the suspected stolen data. They looped in the SOC, which is where you, the ever-eager analyst, come in. Running a few index=* searches in your Splunk instance, you realise that there are absolutely no logs in Splunk for the host Jan Vogel was working on…

To top it all, earlier in the morning a friend at the South African Overarching Intelligence Bureau (SAOIB) sent you a message that they were dealing with a possible network compromise on their side. And that’s when it dawned on you… the SAEBIA network is tightly coupled with the SAOIB network. In actual fact, the SAEBIA network is peered to the SAOIB domain.

When asked who your friend thought was responsible for the attack, he just replied: “Underground chatter showed lots of recent activity for the threat actor, Fancy Poodle. They’ve been targeting sub-Saharan companies in the past year…”

Seeing that there are no logs in Splunk for the host, you proceed to collect all Windows Eventlogs from Jan Vogel’s host to start your triage…