Case Introduction: DFIR Investigation – Suspicious File Download Incident
Incident Overview
The Security Operations Center (SOC) detected that on August 30, 2024, at 22:56:20 UTC, the employee Alice downloaded a suspicious file from the URL http[:]//w1ndowsupdate.com:8000/update.exe.hta onto her Windows workstation. The download triggered an alert, prompting an incident response investigation to assess the situation.
Objective
The objective of this investigation is to:
- Determine the nature and impact of the downloaded suspicious file.
- Identify any indicators of compromise (IOCs) associated with this incident.
- Investigate if any further compromise has occurred on Alice’s workstation.
- Ascertain if there has been any data exfiltration as a result of this incident.
Provided Evidence
Note: By downloading these files, you acknowledge that you have read and understood our license agreement here.
To facilitate the investigation, the following evidence has been captured and provided:
- Disk Triage Collection: A triage data collection of Alice’s workstation, including the relevant file system and system artifacts.
- Memory Image + pagefile.sys: A memory dump supplemented by pagefile.sys to capture in-memory activity at the time of the incident.
- PCAP File: A packet capture that records network activity, particularly around the time of the suspicious activity.
Instructions
As part of this case, you are asked to:
- Analyze the PCAP File: Scrutinize network traffic logs for any signs of communication with malicious sites, servers or data exfiltration.
- Analyze the Disk files: Examine the file system, event logs, and any relevant system artifacts present in the data collection of the system’s disk image.
- Analyze the Memory Image: Investigate the memory dump and pagefile.sys for signs of malicious activity and indicators of compromise.
- Perform Timeline Analysis: Create a timeline of the disk image and perform analysis.
To guide your investigation, you are encouraged to use supporting materials such as the Practical Windows Forensics CheatSheet.
Key Points to Investigate
- Capture general system information.
- Identify how update.exe.hta was downloaded and whether it was executed.
- Examine persistence mechanisms that may have been established on the system.
- Identify any malicious or suspicious threat actor activity.
- Provide evidence of potential data exfiltration attempts.
- Document all findings and indicators of compromise (IOCs) systematically.
By conducting a thorough analysis of the provided files, you will uncover the sequence of events, assess the extent of a potential compromise, and determine if any sensitive data has been stolen. Your findings will be critical in understanding the impact of this incident and formulating an appropriate response strategy.
Rules of Engagement
- Scope of Investigation:
  - Only the workstation designated as CLIENT2 (Internal IP: 192.168.0.104) is in scope.
  - The user account in question is alice.
- Timeframe:
  - Focus your investigation on events occurring from 2024-08-30 22:50:27 UTC onwards.
- Environment Constraints:
- There were no antivirus or other security tools enabled on the workstation by default.
- Internal IP Addresses for Reference:
  - 192.168.0.10 – DC1 (Domain Controller)
  - 192.168.0.1 – Gateway, Splunk server
  - 192.168.0.104 – CLIENT2
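As an added example (not part of the case materials), the following Python helper shows how the PCAP analysis step and the rules of engagement above translate into a first-pass filter: it keeps only HTTP requests from CLIENT2 on or after the scope start and flags the ones matching the briefing's indicators (the w1ndowsupdate.com domain, port 8000, and a double-extension script name such as update.exe.hta). The input is a constructed, simplified CSV of request records, not real traffic from the case; map your own PCAP or proxy export onto its five columns.

```python
"""Triage helper for the update.exe.hta case (added example, not case material).

Input is a constructed CSV of HTTP requests with five fields:
timestamp, client IP, host, destination port, URI.
"""
import csv
import io
from datetime import datetime, timezone

# Scope and indicators taken from the case briefing.
IN_SCOPE_HOST = "192.168.0.104"            # CLIENT2
SCOPE_START = datetime(2024, 8, 30, 22, 50, 27, tzinfo=timezone.utc)
IOC_DOMAIN = "w1ndowsupdate.com"
IOC_PORT = 8000
SCRIPT_EXTS = (".hta", ".vbs", ".js", ".ps1")

# Constructed sample records (not real traffic from the case).
SAMPLE_CSV = """ts,src,host,port,uri
2024-08-30T22:40:00Z,192.168.0.104,windowsupdate.com,80,/v1/catalog
2024-08-30T22:56:20Z,192.168.0.104,w1ndowsupdate.com,8000,/update.exe.hta
2024-08-30T23:02:11Z,192.168.0.104,w1ndowsupdate.com,8000,/beacon
2024-08-30T23:05:00Z,192.168.0.50,w1ndowsupdate.com,8000,/update.exe.hta
"""

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-08-30T22:56:20Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(rec):
    """Return the list of reasons a request is suspicious (empty if none)."""
    reasons = []
    if rec["host"].lower() == IOC_DOMAIN:
        reasons.append("known IOC domain")
    if int(rec["port"]) == IOC_PORT:
        reasons.append("non-standard HTTP port 8000")
    name = rec["uri"].rsplit("/", 1)[-1].lower()
    if name.endswith(SCRIPT_EXTS) and name.count(".") >= 2:
        reasons.append("double-extension script download")
    return reasons

def triage(csv_text):
    """Keep in-scope records (CLIENT2, on/after scope start) that hit a rule."""
    hits = []
    for rec in csv.DictReader(io.StringIO(csv_text)):
        if rec["src"] != IN_SCOPE_HOST or parse_ts(rec["ts"]) < SCOPE_START:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["host"], rec["uri"], reasons))
    return hits

if __name__ == "__main__":
    for hit in triage(SAMPLE_CSV):
        print(*hit)
```

Records outside the scoped host or before the scope start are dropped before any rule runs, so the output lists only events the rules of engagement allow you to act on.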
