DetectLog4j

For the last week, log4shell vulnerability has been gaining much attention not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on

DetectLog4j | Blue team challenge.CyberDefenders

Q1 What is the computer hostname?

for this challenge, I will use autopsy and fkt imager,

go-to operating system information and u will see the hostname in the right panel (note that your result may have some difference from mine as the file is still loading )

Answer: vcw65

Q2 What is the Timezone of the compromised machine?

we need to open the SYSTEM file to know the timezone

it will be at the following path: windows/system32/config

the system file would be on the right panel

we would search by Ftk imager this time till the autopsy completes its loading

export the file then load hive by registry editor.

go to the path: system\ControlSet001\Control\TimeZoneInformation to find the timezone

the time zone is pacific standard time, google it

Answer: UTC-8

Q3 What is the current build number on the system?

from the same path at Q2 for the system at ftk imager, scroll down for the SOFTWARE file and export it

load the hive using the registry editor and go to the path: software\Microsoft\Windows NT\CurrentVersion

Answer: 14393

Q4 What is the computer IP?

in the registry editor go to the path: system\ControlSet001\Services\Tcpip\Parameters\Interfaces{82e90056-fd8d-4a24-913a-fc46f535fddf}

Answer: 192.168.112.139

Q5 What is the domain computer was assigned to?

in the registry editor go to the path:

system\ControlSet001\Services\Tcpip\Parameters

Answer: cyberdefenders.org

Q6 When was myoussef user created?

now would use autopsy in the "Account" panel for the mentioned user time creation

Answer: 2021-12-28 06:57:23 utc

Q7 What is the user mhasan password hint?

from the same panel at Q6 "Account",

Answer: https://www.linkedin.com/in/0xmohamedhasan/

Q8 What is the version of the VMware product installed on the machine?

in the registry editor go to the path: software\VMware, Inc.\apacheTomcat

Another way using autopsy: from the installed programs :

Answer: 6.7.0.40322

Q9 What is the version of the log4j library used by the installed VMware product?

actually, I didn't know how to find the library path so I tried to search for it by name using Autopsy and fortunately, I found it

Answer: 2.11.2

Q10 What is the log4j library log level specified in the configuration file?

Search for log4j.properties and read the files till find their stat ..

Answer: INFO

Q11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?

By searching in Google, the header is x-forwarded-for

https://thestack.technology/vmware-log4j-exposure-attack-log4shell/

Answer: x-forwarded-for

Q12 The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?

in autopsy search for log4shell.huntress.com, and export the log file.

Answer: log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a

Q13 When was the first successful login to vsphere WebClient?

Search for audit_events at autopsy or go to the path: ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs

then find the earlier Loginsuccess event.

Answer: 28/12/2021 20:39:29 UTC

Q14 What is the attacker's IP address?

from the same events, we could find the IP 192.168.112.128 tried many times to log in.

Answer: 192.168.112.128

Q15 What is the port the attacker used to receive the cobalt strike reverse shell?

search for PowerShell lunching logs, name : Microsoft-Windows-PowerShell%4Operational.evtx

then search for BASE64

useing cyberchef transform from base 64 and gunzip

use execute the code using Fakenet then analyze it by Wireshark.

Answer: 1337

Q16 What is the script name published by VMware to mitigate log4shell vulnerability?

Google it,

Answer:vc_log4j_mitigator.py

Q17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to 'true' to work around the log4shell vulnerability?

Again google it, then try both solutions :

log4j2.formatMsgNoLookups or the LOG4J_FORMAT_MSG_NO_LOOKUPS

Answer: log4j2.formatMsgNoLookups

Q18 What is the log4j version which contains a patch to CVE-2021-44228?

search for CVE-2021-44228 path

Answer: 2.15.0

Q19 Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the JNDILookup.class?

Search for JNDILookup.class and export the file,

then extract the file and search for JNDILookup.class

using HachMyFiles,

Answer: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e

Q20 Analyze JNDILookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?

in Autopsy search for "CONTAINER_JNDI_RESOURCE_PATH_PREFIX"

Answer: java: comp/env/

Q21 What is the executable used by the attacker to gain persistence?

to find that we need to search for any startup program or executable file,

so search in the user's file for NTUSER.DAT

we will find it at the path: root\Users\Administrator.WIN-B633EO9K91M\NTUSER.DAT

export the file and open the hive using the registry editor

finally, search for any file with " Run ", we would find "RunOnce"

Answer: baaaackdooor.exe

Q22 When was the first submission of ransomware to virustotal?

after many searches, I found that the first ransomware submitted is "khonsari.exe"

then I searched for its analysis report.

Answer: 2021-12-11 22:57:01

Q24 What is the ISP that owns that IP that serves the text file?

from the previous virustotal report, the domain is Amazon

Answer: Amazon

Q25 The ransomware check for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?

from the article Khonsari ransomware analysis, we could see its behavior

Answer: ini

Hope that helps you, and thank you :)