IRM-Labs-2023
Uploaded by Poh Hong Yit

Incident Response Management

Labs

Contents

1 Case Study #1: SingHealth Cyber Attack 2018 ............................................................................................... 3


6 Lab #1: Investigating a breached server ........................................................................................................ 8
7 Lab #2: Investigating persistence................................................................................................................. 20
8 Lab #3: Exploring SRP (Software Restriction Policies) ................................................................................. 37
9 Lab #4: Investigating Windows web attacks ................................................................................................ 44
10 Lab #5: Using Log Parser .......................................................................................................................... 58
11 Lab #6: Blocking Joomla Exploit ............................................................................................................... 73
12 Lab #7: Linux web server attack............................................................................................................... 82
13 Case Study #2: Travelex Ransomware 2019 ............................................................................................ 89
14 Case Study #3: Industroyer2 2022 ........................................................................................................... 92

1 Case Study #1: SingHealth Cyber Attack 2018
PUBLIC REPORT OF THE COMMITTEE OF INQUIRY INTO THE CYBER ATTACK ON
SINGAPORE HEALTH SERVICES PRIVATE LIMITED'S PATIENT DATABASE

From: https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx

Terms used below:

• SCM - Sunrise Clinical Manager, the electronic medical records application that gives
healthcare staff real-time access to patient data

1.1 Patient Zero

August 23, 2017

• An employee of SingHealth received a phishing email and opened its attachment. The
attachment carried malware

1.2 Callback to overseas C2 Server

August 24, 2017

• Workstation A began calling back to an overseas C2 (command-and-control) server

1.3 Log Files Created

August 29, 2017

• Files containing the plaintext password credentials of the employee using Workstation A
were created
2.1 Hacking Tools and Remote Access Trojan Installed
December 1, 2017

• The malware sent to the employee on Workstation A on 23 August 2017 exploited an
unpatched Microsoft Outlook installation on the workstation. Hacking tools were
installed, some of them disguised as .jpg image files. Shortly after, a Remote Access
Trojan (RAT) was installed

2.2 Credentials Stolen

December 2017 - June 2018

• The attacker stole the credentials of administrator accounts: local admin, system admin
and domain admin

2.3 Callback to Foreign IP Address

January 19, 2018

• Two workstations from the SingHealth Public Health Institution were separately calling
back to a foreign IP address

2.4 Detection of Callback

January 19, 2018

• IHiS detected the callbacks from the workstations to a suspicious foreign IP address and
blocked it. No further action was taken

2.5 Detection of failed logins

January 11, 2018

• The IHiS database, Citrix and SCM teams detected failed logins to the SCM database
through the Singapore General Hospital Citrix servers

2.6 Investigation Begins


January 13, 2018

• CERT commenced forensic investigation

2.7 Gained Access to Workstation B

April 17, 2018

• The attacker gained access to Workstation B and installed a RAT, taking control of it.
Workstation B had access to the SCM application
2.8 Unauthorized Access to Citrix Server 1 via Remote Desktop Protocol (RDP)
May 17, 2018 - June 11, 2018

• The attacker used a local admin account, which was not meant for day-to-day operations,
to log into Citrix Server 1 remotely on numerous occasions

2.9 Detection of unusual logins to Citrix Server 1

June 11, 2018

• IHiS staff became aware of the unusual logins to Citrix Server 1 using a local admin
account and changed that account's password the same evening

2.10 Event logs deleted

June 11, 2018

• Event logs on Citrix Server 1 were deleted to cover the attacker's tracks

2.11 Change account to access Citrix Server

June 12, 2018

• The attacker tried to access the server with the local admin account but failed, the
password having been changed the previous evening, and switched to another account

2.12 Attempt to access SCM Database from Citrix Server 1

May 24, 2018 - June 12, 2018

• The attacker attempted to log into the SCM database from Citrix Server 1 via
Workstation A, but failed because of invalid user IDs or an invalid domain

2.13 Access to Citrix Server 2

June 13, 2018

• The attacker remotely accessed Citrix Server 2 using a local service account

2.14 Failed Access to SCM Database from Citrix Server 2

June 13, 2018

• Numerous failed login attempts to the SCM database from Citrix Server 2 because of
invalid user IDs

3.1 Obtain A.A Account Credentials

June 26, 2018

• The attacker obtained the credentials of the A.A. account from Citrix Server 3
3.2 Compromised SCM
June 26, 2018

• The attacker compromised SCM from Citrix Server 2 using the A.A. account

3.3 Queries SCM Database & Reconnaissance of Database

June 26, 2018 - July 4, 2018

• The attacker queried the SCM database to retrieve medical records. Prime Minister Lee
Hsien Loong's records were specifically targeted and repeatedly accessed

4.1 Exfiltration of Data

June 27, 2018 - July 4, 2018

• Data was exfiltrated from the SCM database to the C2 server via Workstation A

5.1 Detection of unusual queries

July 4, 2018

• IHiS detected unusual queries to the SCM database, terminated them all and took steps to
prevent similar malicious queries

5.2 Attempt to access Singhealth Network

July 18, 2018

• The attacker attempted to regain access to the SingHealth network with another
phishing email

5.3 Reported to CSA

August 1, 2018

• IHiS reported the phishing email to CSA, which assessed it
Case Study #1: Questions

Identification

• How did IHiS verify the unauthorized access? How could detection be improved?

Containment

• What containment measures did IHiS take or fail to take? Where measures were taken,
were they effective?

Eradication/Recovery

• How did the incident start? How could it have been prevented?

Lessons Learned

• If you had to manage a situation like SingHealth/IHiS's, what would you do differently?
6 Lab #1: Investigating a breached server
6.1 Scope
In this lab, we will use the Metasploit Framework to exploit a Windows Server machine, then
search the server for malicious activity and files.

6.2 Using VirtualBox


Search for and launch Oracle VM VirtualBox

6.3 Start Windows VM (va-windows)


Select the irm-windows virtual machine (VM) icon and double-click to start the VM

Wait for the VM to finish booting up before proceeding with next section

Click Restart Now if you are prompted with a You must restart your computer to apply these
changes dialog. Otherwise, wait for Windows to finish booting up.

6.4 Start Kali VM (va-kali)
Select the va-kali virtual machine icon and double click it to start the VM.

Wait for VM to finish booting up before proceeding with the next section

6.5 Resizing VM display window


You can resize the Virtual Machine (VM) window to change the video resolution.

6.6 Run EternalBlue exploit


In Kali VM, locate and start Terminal Emulator

In the Terminal window, type ./pipeline and press ENTER. This script starts the Metasploit
Framework (a penetration testing toolkit), compromises the Windows server and runs a series of
commands, including uploading the wce64.exe file you will look for later in this lab.

When done, you should see "Auxiliary module execution completed" followed by exit

Now, in the Terminal window, type ./eternalRomance and press ENTER. This script starts
Metasploit again, compromises the Windows server over SMB and leaves you in a meterpreter
session.

Type shell and press ENTER. This will open a command prompt

6.7 Looking for IOC (Indicators of Compromise)

Go to the Windows VM and launch a Command Prompt

6.8 Locate outgoing network connections

Type netstat -an | find "EST" and press ENTER. This lists established TCP connections (the
-n switch prints numeric addresses, so the Kali VM appears as its IP address rather than its
name). Look for a line whose Foreign Address is 192.168.1.10:4444, the Kali VM. This is an
outgoing connection from the Windows Server to the Kali listener.

6.9 TCPView
Go to Windows Start, Run. Enter tcpview and click OK. Click Agree if you encounter a license
agreement dialog

This will launch Sysinternals' TCPView utility. Locate the entry with Remote Port 4444. Notice
that the Process name is powershell.exe

Select the entry, right-click powershell.exe and click Process Properties

This should identify the process as Windows PowerShell

Go to the Options menu and un-check Resolve Addresses (if it is already unchecked, leave it)

This shows the actual IP addresses

Close TCPView.
6.10 Process Explorer
Go to Start, Run. Enter procexp and press OK. Click Agree if you encounter a license agreement
dialog

This should launch Process Explorer. Search for and select powershell.exe.
(There may not be a child cmd.exe process)

Select powershell.exe, right-click and click Properties
This should display the properties of the process under the Image tab

Click on the TCP/IP tab. This shows the network connection between the Windows and Kali VMs

Un-check Resolve addresses to view the IP addresses
6.11 VirusTotal
Select the powershell.exe entry, right-click and click Check VirusTotal.

You may be prompted about VirusTotal Terms of Service. Click Yes to continue

Click OK if prompted about VirusTotal results lookup

Scroll Process Explorer to the right until the VirusTotal column is visible. It should indicate
Hash submitted. Wait a while; the status should change to 0/XX where XX is the number of
anti-malware engines on VirusTotal (e.g., 74 in the screenshot below). A clean result is
expected here: powershell.exe is a legitimate Microsoft binary, and what made it suspicious
was the connection to port 4444, not the file itself.

Thereafter, close Process Explorer.
6.12 Looking for malicious files
From the Windows VM, launch a Command Prompt

Type cd \windows\sysWOW64 and press ENTER

Enter dir /OD *.exe and press ENTER.

This command lists all files with the EXE extension sorted by date (oldest first). Notice that
the newest file is wce64.exe, which the pipeline script uploaded (the actual date and time
will be when the file was uploaded in your VM and will differ from the screenshot).

Type sigcheck -u -vt -vr wce64.exe and press ENTER.
Note that this will take a while to complete. A browser window will open to a VirusTotal report
with a detection ratio greater than 0 (e.g.
https://www.virustotal.com/en/file/68a15a34c2e28b9b521a240b948634617d72ad619e3950bc6dc769e60a0c3cf2/analysis/
as shown in the screenshot): wce64.exe is Windows Credential Editor, a credential-dumping tool
that anti-malware engines classify as a hacktool. Scroll down and read the description.

In the command prompt, type certutil -hashfile wce64.exe SHA256 and press ENTER. Compare
the hash value with the one in the browser window (the URL above contains the SHA256).

Also type sigcheck -h wce64.exe and press ENTER. Notice that the file is Unsigned
For comparison, type sigcheck -h cmd.exe and press ENTER. Notice that the file is listed as
Signed. Note the other details such as Publisher and Company.
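The steps in 6.8 to 6.12 chain four tools (netstat, TCPView, Process Explorer, sigcheck/certutil) to get from a suspicious connection to a verdict on the binary behind it. The following is an added example, not part of the lab manual, that does the same chain in one pass: for every established TCP connection it reports the owning process, its image path, Authenticode status and SHA256 (the hash you compare against VirusTotal), and flags anything talking to a watched port, unsigned, or running from outside the normal install locations. It assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and an elevated PowerShell; the watched port list is this lab's (4444). The same function applies unchanged to the Lab 2 reverse shell in section 7.7.

```powershell
# Added example (not from the lab manual): netstat + TCPView + Process Explorer + sigcheck
# in one pass. Assumes Windows 8 / Server 2012+ and an elevated PowerShell session.
function Get-OutboundConnectionReport {
    param(
        # Remote ports worth a second look; 4444 is the listener used in this lab.
        [int[]]$WatchPorts = @(4444),
        # Where a legitimately installed binary is expected to live.
        [string[]]$TrustedRoots = @("$env:SystemRoot", "$env:ProgramFiles", ${env:ProgramFiles(x86)})
    )
    $loopback = @('127.0.0.1', '::1')
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin $loopback } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = $null
            if ($proc) { try { $path = $proc.Path } catch { } }   # protected processes hide Path
            $sig = 'Unknown'; $hash = $null; $trusted = $false
            if ($path -and (Test-Path $path)) {
                $sig  = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
                $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash   # same value certutil prints
                foreach ($root in $TrustedRoots) {
                    if ($root -and $path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $trusted = $true }
                }
            }
            $reasons = @()
            if ($conn.RemotePort -in $WatchPorts) { $reasons += "remote port $($conn.RemotePort)" }
            if ($sig -ne 'Valid')               { $reasons += "signature $sig" }
            if (-not $trusted)                  { $reasons += 'image outside trusted roots' }
            [pscustomobject]@{
                Process   = if ($proc) { $proc.ProcessName } else { '?' }
                PID       = $conn.OwningProcess
                Remote    = "$($conn.RemoteAddress):$($conn.RemotePort)"
                Path      = $path
                Signature = $sig
                SHA256    = $hash
                Reasons   = $reasons -join '; '
            }
        }
}

# Rows with a non-empty Reasons column are the ones you would chase in TCPView / Process Explorer.
Get-OutboundConnectionReport | Sort-Object Reasons -Descending | Format-Table -AutoSize
```

In this lab the flagged row is powershell.exe: signed, in System32, and still flagged because of the remote port, which is the point of section 6.11. The Lab 2 implant (an svchost.exe in the user's Temp folder) would additionally show "signature NotSigned" and "image outside trusted roots". Copy the SHA256 column into VirusTotal's search box to get the same report sigcheck -vt opens.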

Close Command Prompt window.

6.13 Kali VM
Switch back to Kali VM

6.14 Exit Command Shell


Type exit and press ENTER to exit command shell.

6.15 Exit meterpreter


Type exit and press ENTER to close meterpreter shell.

6.16 Exit Metasploit


Type exit and press ENTER again to close metasploit.

Close the Terminal window.

6.17 References
Sigcheck, TCPView and Process Explorer are part of Microsoft's Sysinternals Suite, a set of
free troubleshooting utilities.
They can be downloaded from https://docs.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
or run directly from the share at https://live.sysinternals.com
7 Lab #2: Investigating persistence
7.1 Scope
In this lab, we will examine how attackers maintain persistence on a compromised PC.

7.2 Pre-requisites
Ensure that the irm-kali and irm-windows VMs are running

In Kali VM, locate and start Terminal Emulator.

Type ./listen and press ENTER. This script starts a meterpreter listener; the persistence
mechanism planted on the Windows VM will connect back to it the next time the user logs on.

7.3 Logoff Windows

Go to the Windows VM, click the Windows button at the bottom left of the screen, click
"Administrator" and click "Sign Out"

This will log off the Administrator account.
This will logoff administrator account.

7.4 Login
From the VM menu, click Input, go to Keyboard and click Insert Ctrl-Alt-Del (Host+Del)

Click inside the Password textbox, enter Sing@tel and press ENTER

That will log you into Windows.

7.5 Kali VM
Once Windows has finished logging in, switch back to the Kali VM. After a while, you should see
"Meterpreter session 1 opened" (actual text may differ slightly from the screenshot)
Press ENTER. Type sessions -l and press ENTER. This command lists the active sessions. Note
the Id value (1 in the screenshot below, but it may vary)

Type sessions -i 1 (1 being the Id value displayed in your VM). That gives you a meterpreter
shell.

Type sysinfo and press ENTER

Type the following commands:

• shell
• whoami
• hostname

The output shows that you have shell access on the Windows server as Administrator.
7.6 Reverse Shell connection investigation
Go to the Windows VM and launch a Command Prompt

7.7 Locate outgoing network connections

Type netstat -an | find "EST" and press ENTER. Look for a line whose Foreign Address is the
Kali VM, 192.168.1.10:443. This is an outgoing connection from the Windows Server to Kali.

7.8 TCPView
Go to Start, Run. Enter tcpview and click OK. Click Agree if you encounter a license agreement
dialog

This will launch Sysinternals' TCPView utility. Locate the entry for the connection to the Kali
VM that you found with netstat (the screenshot shows Remote Port 80; match on the remote
address if your port differs). Notice that the Process name is svchost.exe. Also notice that
there are several processes with the same name, svchost.exe. (NOTE: other values such as PID
may differ from the screenshot)

Select the entry, right-click svchost.exe and click Process Properties
This should display the process details. Note the Path value.

Select another svchost.exe entry, right-click and click Process Properties

Note the Description and Path values

Close TCPView.

7.9 Task Manager

Right-click the task bar and click Start Task Manager. Alternatively, use the CTRL+SHIFT+ESC
key combination. You may want to maximize the Task Manager window
Go to the Processes tab, right-click the column headers and check "Process Name" and
"Publisher" (if already checked, ignore this)

Look for entries with a Process Name of svchost.exe. Notice that many entries have the
Process Name "svchost.exe".

Select the entry whose Publisher value is blank. Right-click and click Open File Location.

That will open File Explorer at C:\Users\Administrator\AppData\Local\Temp

Select another svchost.exe, right-click and click Open File Location

Notice that it is at C:\Windows\System32. That is where the genuine service host lives; an
svchost.exe in a user's Temp folder, with no publisher, is a masquerade.

Close Windows Explorer and Windows Task Manager
7.10 Process Explorer

Go to Start, Run. Enter procexp and press OK. Click Agree if you encounter a license agreement
dialog

This should launch Process Explorer. Search for entries with the value svchost.exe. Notice that
most of them are under (i.e. they are child processes of) services.exe, the Service Control
Manager that starts every legitimate svchost.exe

Select one of the svchost.exe entries, right-click and click Check VirusTotal

Wait for the status under the VirusTotal column to change from Hash submitted. The status
should change to 0/XX where XX is the number of anti-malware engines on VirusTotal (e.g. 74
in the screenshot below)
Scroll down to explorer.exe and locate the svchost.exe entry beneath it. A service host started
by explorer.exe (i.e. launched from the user's logon session rather than by services.exe) is
the odd one out

Select that svchost.exe entry, right-click and click Check VirusTotal

Wait for the VirusTotal status to change from Hash submitted. After a while, it should return a
non-zero value, e.g. 44/75 as seen in the screenshot (actual values may differ).

Move the mouse pointer over the value (e.g., 44/75 in the screenshot) and click the link

This should open a browser to VirusTotal with the analysis results. View the page contents. Or
click on this link
(https://www.virustotal.com/gui/file/fd77176b06a841c1fd27570053f0b57f317620993e238ec465fa948a95d804ed)
Close the browser. Go back to Process Explorer. Select the svchost.exe that had the non-zero
VirusTotal detection, right-click and click Properties

View the process properties under the Image tab

Click on the TCP/IP tab to view the network connection details

Un-check Resolve addresses to view the IP addresses

Close the dialog box. Select the svchost.exe entry, right-click and click Suspend

The CPU column for svchost.exe should show Suspended
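Sections 7.8 to 7.10 have you pick the impostor out of a dozen svchost.exe entries by eye, using two facts: a genuine svchost.exe is C:\Windows\System32\svchost.exe, and it is always started by services.exe. The following is an added example, not part of the lab manual, that applies those two checks to every svchost.exe on the box and then reproduces the right-click > Suspend step, which stalls the reverse shell without killing the process (its memory, handles and network socket stay available for forensics). It assumes Windows PowerShell 5.1 on the lab VM, run elevated; Suspend-Process is a name chosen for this example, not a built-in cmdlet.

```powershell
# Added example (not from the lab manual): find svchost.exe processes that are not
# started by services.exe or not running from System32, then suspend the chosen one.
# Assumes Windows PowerShell 5.1, elevated.
function Get-SvchostAudit {
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    $expectedPath = "$env:SystemRoot\System32\svchost.exe"
    $all | Where-Object { $_.Name -ieq 'svchost.exe' } | ForEach-Object {
        $parent     = $byId[[int]$_.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        $owner      = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        $reasons    = @()
        if ($parentName -ine 'services.exe') { $reasons += "parent is $parentName" }
        if ($_.ExecutablePath -and ($_.ExecutablePath -ine $expectedPath)) { $reasons += "path $($_.ExecutablePath)" }
        [pscustomobject]@{
            PID     = $_.ProcessId
            Parent  = "$parentName ($($_.ParentProcessId))"
            Path    = $_.ExecutablePath
            User    = "$($owner.Domain)\$($owner.User)"
            Reasons = $reasons -join '; '
        }
    }
}

function Suspend-Process([int]$ProcessId) {
    # PowerShell has no suspend cmdlet; suspending each thread with SuspendThread gives
    # the same effect as Process Explorer's Suspend: the process stays in memory but stops running.
    Add-Type -Namespace Win32 -Name Threads -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern IntPtr OpenThread(int access, bool inherit, uint tid);
[DllImport("kernel32.dll")] public static extern uint SuspendThread(IntPtr h);
[DllImport("kernel32.dll")] public static extern bool CloseHandle(IntPtr h);
'@
    foreach ($t in (Get-Process -Id $ProcessId).Threads) {
        $h = [Win32.Threads]::OpenThread(0x0002, $false, [uint32]$t.Id)   # THREAD_SUSPEND_RESUME
        if ($h -ne [IntPtr]::Zero) {
            [void][Win32.Threads]::SuspendThread($h)
            [void][Win32.Threads]::CloseHandle($h)
        }
    }
}

Get-SvchostAudit | Format-Table -AutoSize
# For the row with a non-empty Reasons column (the Temp-folder copy under explorer.exe):
# Suspend-Process -ProcessId <PID>
```

In this lab the audit shows one row with "parent is explorer.exe" and a path under C:\Users\Administrator\AppData\Local\Temp, the same entry you found in Process Explorer. Suspending rather than terminating is deliberate: section 7.11 shows the meterpreter session going unresponsive, and you still have the live process to pull a memory image from before any cleanup.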

7.11 Kali Connection

Go to the Metasploit session in the Kali VM and press ENTER a few times. Notice that the
session is unresponsive, because the process on the Windows side is suspended, and is
eventually closed (actual screenshots may vary)
7.12 Autoruns
Return to the Windows VM. Go to Start, Run. Type autoruns and click OK. Click Agree if you
encounter a license agreement dialog

Click on the Logon tab. Scroll through the list and locate the entry named Updater with an
Image Path of c:\users\administrator\appdata\local\temp\svchost.exe

Go to the Filter textbox near the top. Enter svchost and press ENTER

That will filter the display to show the svchost.exe entry

Notice that the entry is under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, so
it runs every time this user logs on, which is why the session came back after the sign-out
and sign-in above.

7.13 Registry Editor

Select the entry, right-click and click Jump to Entry

This should launch Registry Editor and navigate to the registry entry.

Close Registry Editor and return to Autoruns
7.14 File Location
Select the entry, right-click and click Jump to Image

This will launch Windows Explorer and navigate to the location of the svchost.exe file

Close Windows Explorer and return to Autoruns

7.15 Autoruns
Select the Updater entry, right-click and click Properties
This shows the file Properties. Close the dialog box

Select the Updater entry, right-click and click Check VirusTotal. You may be prompted about
VirusTotal Terms of Service. Click Yes to continue

Wait for VirusTotal results

Select the entry, right-click and click Process Explorer

This will launch Process Explorer and show the Image properties for svchost.exe. (Screenshots
may differ) Note details such as Path, Parent and User

Is this the correct svchost.exe entry?

Close the dialog and close Process Explorer.

7.16 Autoruns
Go to Autoruns,

Uncheck the Updater entry's checkbox

Then select it, right-click and click Jump to Entry

Notice that the svchost.exe value is now under
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled;
Autoruns moves the value rather than deleting it, so it can be restored if needed.

Close Registry Editor.

Close Autoruns.
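Sections 7.12 to 7.16 use Autoruns to find the Run-key entry, inspect the file it points at, and disable it. The following is an added example, not part of the lab manual, that does the same hunt from PowerShell across the HKCU and HKLM Run/RunOnce keys: it resolves each value to an image path, flags images living in user-writable folders, images carrying a Windows system binary's name from outside %SystemRoot%, and unsigned images, and disables an entry the way Autoruns does (by moving the value into an AutorunsDisabled subkey instead of deleting it). It assumes Windows PowerShell 5.1 on the lab VM; the list of "suspicious" folders and names is this example's own heuristic, not something from the lab.

```powershell
# Added example (not from the lab manual): Autoruns' Logon tab, reduced to the checks
# that matter here. Assumes Windows PowerShell 5.1; run elevated to read HKLM fully.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
# Folders an implant is commonly dropped into (writable without admin rights) - example heuristic.
$UserWritable = @($env:TEMP, $env:LOCALAPPDATA, $env:APPDATA, $env:PUBLIC, $env:ProgramData)
# Windows binaries whose names attackers borrow - example heuristic.
$SystemNames  = @('svchost.exe', 'lsass.exe', 'csrss.exe', 'explorer.exe', 'winlogon.exe', 'services.exe')

function Get-ImagePath([string]$Command) {
    # Strip arguments: a quoted path first, otherwise the first token.
    if ($Command -match '^\s*"([^"]+)"') { $path = $Matches[1] } else { $path = ($Command -split '\s+')[0] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -and -not [IO.Path]::IsPathRooted($path)) {          # e.g. "rundll32.exe foo.dll,Entry"
        $cmd = Get-Command $path -ErrorAction SilentlyContinue
        if ($cmd) { $path = $cmd.Source }
    }
    return $path
}

function Get-SuspiciousRunEntry {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd  = [string]$item.GetValue($name)
            $path = Get-ImagePath $cmd
            if (-not $path) { continue }
            $leaf = Split-Path $path -Leaf
            $reasons = @()
            foreach ($d in $UserWritable) {
                if ($d -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) { $reasons += "lives under user-writable $d" }
            }
            if (($leaf -in $SystemNames) -and -not $path.StartsWith($env:SystemRoot, [System.StringComparison]::OrdinalIgnoreCase)) {
                $reasons += "system binary name outside $env:SystemRoot"
            }
            $hash = $null
            if (Test-Path $path) {
                $sig = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
                if ($sig -ne 'Valid') { $reasons += "signature $sig" }
                $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
            } else { $reasons += 'image not found' }
            [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Image = $path; SHA256 = $hash; Reasons = ($reasons -join '; ') }
        }
    }
}

function Disable-RunEntry([string]$Key, [string]$Name) {
    # Same effect as unchecking the box in Autoruns: move the value into AutorunsDisabled.
    $disabled = Join-Path $Key 'AutorunsDisabled'
    if (-not (Test-Path $disabled)) { New-Item -Path $disabled | Out-Null }
    $value = (Get-Item $Key).GetValue($Name)
    New-ItemProperty -Path $disabled -Name $Name -Value $value -PropertyType String -Force | Out-Null
    Remove-ItemProperty -Path $Key -Name $Name
}

Get-SuspiciousRunEntry | Where-Object Reasons | Format-List
# To disable the lab's "Updater" entry the way Autoruns does:
# Disable-RunEntry -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'Updater'
```

For the lab VM the report shows the Updater value with three reasons at once (user-writable Temp folder, svchost.exe outside %SystemRoot%, NotSigned), and the SHA256 column is the hash Autoruns submitted to VirusTotal in section 7.15. Run keys are only one of the Logon-tab locations Autoruns covers; scheduled tasks, services and WMI subscriptions need their own checks.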

7.17 Kali VM

Switch back to the Kali VM.

7.18 Exit Command Shell

Type exit and press ENTER to exit the command shell

7.19 Exit meterpreter

Type exit and press ENTER to close the meterpreter shell.

7.20 Exit Metasploit

Type exit and press ENTER again to close Metasploit
8 Lab #3: Exploring SRP (Software Restriction Policies)
8.1 Scope
In this lab, we will explore using Microsoft SRP (Software Restriction Policies) to improve
security by preventing specific applications from running.

8.2 Pre-requisites
Ensure that the irm-windows VM is running.

8.3 Blacklisting an application

In this section, we will blacklist specific applications so they cannot run.
Go to Start, Run. Enter gpedit.msc and press ENTER.

This will launch the Local Group Policy Editor
8.4 New Policies
In the left pane under the Computer Configuration node, expand Windows Settings by clicking
the + icon. Expand Security Settings and select the Software Restriction Policies node

Right-click and select New Software Restriction Policies

This will create additional entries

8.5 Default settings

Double-click Enforcement to view its Properties

View the different options. Click Cancel to close the dialog

Double-click Security Levels to open the folder

In the right pane, notice that the entry named Unrestricted has a tick mark to indicate that it
is the default setting: anything not matched by a rule is allowed to run.
8.6 New Hash Rule
In the left pane, right-click Additional Rules and select New Hash Rule

In the New Hash Rule dialog, click Browse

In the Open file dialog, navigate to the C:\Windows\SysWOW64 folder, search for and select
wce64.exe and click Open to close the dialog box
In the New Hash Rule dialog, click OK

Note the new wce64.exe rule created in the right pane with a Security Level of Disallowed

8.7 Verify Application Black-listing

Launch the Command Prompt application

Enter the following commands

• cd \windows\syswow64
• wce64

Notice that you are unable to run the wce64 command
8.8 Event Logging
Click Start, Run, type eventvwr and click OK

In the left pane, click + to expand Windows Logs

Select Application

In the middle pane, locate and select the entry with level Warning and source
SoftwareRestrictionPolicies. Double-click the entry to view details

This entry indicates that wce64.exe was blocked from executing for user Administrator

Click Close to close the dialog.

Close Event Viewer
Close Group Policy Editor
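The rule you created in 8.6 and the event you read in 8.8 both have a form you can query without the GUI, which is what you want when checking a fleet rather than one VM. The following is an added example, not part of the lab manual, that lists the SRP rules the machine enforces, tests whether a given file would be caught by a hash rule, and pulls the recent SoftwareRestrictionPolicies events. It assumes the registry layout SRP writes for local policy (CodeIdentifiers\<level>\Hashes and \Paths, each rule a GUID subkey with ItemData, FriendlyName and ItemSize values) and the event source name shown in the lab's Event Viewer; both are stated here as assumptions about the lab VM.

```powershell
# Added example (not from the lab manual): read SRP rules and SRP block events.
# Assumes the SRP registry layout under CodeIdentifiers\<level>\{Hashes,Paths} and the
# 'SoftwareRestrictionPolicies' event source; run elevated on the lab VM.
$SaferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
# Security levels as SRP numbers them: 0 = Disallowed, 131072 = Basic User, 262144 = Unrestricted
$Levels = @{ 0 = 'Disallowed'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpRule {
    foreach ($level in $Levels.Keys) {
        foreach ($kind in 'Hashes', 'Paths') {
            $base = Join-Path $SaferRoot "$level\$kind"
            if (-not (Test-Path $base)) { continue }
            foreach ($sub in Get-ChildItem $base) {
                $p = Get-ItemProperty -Path $sub.PSPath
                # Hash rules store the digest as REG_BINARY; path rules store the path as text.
                $data = if ($kind -eq 'Hashes' -and $p.ItemData) {
                    ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join ''
                } else { $p.ItemData }
                [pscustomobject]@{
                    Level = $Levels[$level]
                    Kind  = $kind
                    Name  = $p.FriendlyName
                    Data  = $data
                    Size  = $p.ItemSize
                    Rule  = $sub.PSChildName
                }
            }
        }
    }
}

function Test-SrpHashRule([string]$Path) {
    # Does any hash rule cover this exact file content? A hash rule binds to the bytes,
    # so a one-byte change to wce64.exe (or a freshly built copy) would not match it.
    $digests = foreach ($alg in 'MD5', 'SHA256') { (Get-FileHash -Path $Path -Algorithm $alg).Hash.ToLower() }
    Get-SrpRule | Where-Object { $_.Kind -eq 'Hashes' -and $_.Data -and ($digests -contains $_.Data.ToLower()) }
}

function Get-SrpBlockEvent([int]$Hours = 24) {
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'SoftwareRestrictionPolicies'
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, LevelDisplayName, Message
}

Get-SrpRule | Format-Table -AutoSize
Test-SrpHashRule -Path "$env:SystemRoot\SysWOW64\wce64.exe"   # the rule you created in 8.6
Get-SrpBlockEvent | Format-List                                # the Warning you read in 8.8
```

Test-SrpHashRule is the caveat of this lab in code form: the hash rule matches this build of wce64.exe and nothing else, so an attacker who recompiles the tool or patches a byte walks past it. Hash rules are fine for blocking a known sample during an incident; for a durable posture, a Disallowed default level with path rules for the system and Program Files folders (or AppLocker publisher rules, see 8.9) is what stops the next copy.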

8.9 Reference
Microsoft SRP has been supported in every Windows version since Windows XP and Windows
Server 2003. Documentation is available at
https://docs.microsoft.com/en-us/windows-server/identity/software-restriction-policies/software-restriction-policies

AppLocker is more advanced and is supported since Windows 7/8 (Enterprise and Ultimate
editions, not Professional) and Windows Server 2008 R2. Documentation is available at
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker
9 Lab #4: Investigating Windows web attacks
9.1 Scope
In this lab, we will explore web shells and web exploits

9.2 Pre-requisites
Ensure that the irm-kali and irm-windows VMs are running

9.3 Run Joomla exploit

In Kali VM, locate and start Terminal Emulator

Type ./joomla and press ENTER. This script will attempt to compromise the Joomla site on the
Windows web server

9.4 Looking for IOC (Indicators of Compromise)

Go to the Windows VM and launch a Command Prompt
9.5 Locate outgoing network connections
Type netstat -an | find "EST" and press ENTER. Look for a line whose Foreign Address is
192.168.1.10:4444. This is an outgoing connection from the Windows Server to Kali.

9.6 TCPView
Go to Windows Start, Run. Enter tcpview and click OK. Click Agree if you encounter a license
agreement dialog

This will launch Sysinternals' TCPView utility. Locate the entry with Remote Port 4444. Notice
that the Process name is php-cgi.exe: the reverse shell is running inside the web server's PHP
handler, which is what a successful web exploit looks like from the host

Select the entry, right-click and click Process Properties

This identifies the process as FastCGI
Click OK to close the dialog.
Go to the Options menu and un-check Resolve Addresses (if already unchecked, ignore this)

This shows the actual IP addresses

Close TCPView.

9.7 Process Explorer

Go to Start, Run. Enter procexp and press OK. Click Agree if you encounter a license agreement
dialog

Search for php-cgi.exe. Notice that it is a child process of w3wp.exe (the IIS Worker Process),
which is itself a child of svchost.exe
Mouse over svchost.exe. It should indicate the services Windows Process Activation Service
[WAS] and World Wide Web Publishing Service [W3SVC]

Select svchost.exe, right-click and click Properties.

In the popup dialog, click on the Services tab. The dialog should list the NT services
registered in this process

Click OK to close the dialog.
Select php-cgi.exe, right-click and click Properties.

In the popup dialog, click on the TCP/IP tab. This shows the network connection between
Windows and Kali.

Uncheck Resolve addresses to view the IP addresses

Click OK to close the dialog
9.8 VirusTotal
Select php-cgi.exe, right-click and click Check VirusTotal

You may be prompted about VirusTotal Terms of Service. Click Yes to continue

Click OK if prompted about VirusTotal results lookup

Scroll Process Explorer to the right until the VirusTotal column is visible. It should indicate
Hash submitted. Wait a while. The status should change to 0/XX where XX is the number of
anti-malware engines on VirusTotal (e.g. 74 in the screenshot below). As in Lab 1, the binary
is clean; the compromise is in what it was made to do, not in the file.

Close Process Explorer.
9.9 Kali VM
Switch back to the Kali VM.

9.10 Exit meterpreter

Type exit and press ENTER to close the meterpreter shell.

9.11 Exit Metasploit

Type exit and press ENTER to close Metasploit

Close the terminal window.

9.12 Investigating IIS Log Files

We will now investigate the IIS web server logs to find out how the server was compromised.

9.13 IIS Manager

In the irm-windows VM, go to Windows Start, Run. Enter inetmgr and click OK.

In IIS Manager, click the + sign in the left Connections pane to expand the
VA-WINDOWS(IRM-WINDOWS) node
Expand the Sites node by clicking on the + sign

Select the Joomla web site

9.14 Logging
In the right pane, locate the Logging icon and double-click it. Note the log file directory and
the site's ID, which names the per-site subfolder

Launch Windows Explorer and navigate to the C:\Inetpub\logs\LogFiles\W3SVC2\ folder
Look for the newest file, select it, right-click and click Edit with Notepad++

Note the Fields values near the top of the file. Notice the cs(User-Agent) field after the c-ip
field.

Scroll down to the bottom. You will notice a line containing a long string of text with words
such as JDatabaseDriverMysqli (actual screenshots may differ). That string is a serialised PHP
object sent in the User-Agent header; Joomla stored the unsanitised header in its session data,
where it was deserialised and executed (CVE-2015-8562), which is how php-cgi.exe came to be
running the attacker's reverse shell.

You have just discovered how the attacker compromised the web server. Close Notepad++.
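Reading one log file in Notepad++ works for a lab; across a week of W3SVC logs you want the same check as a function. The following is an added example, not part of the lab manual, that parses IIS W3C logs from their #Fields header (so it keeps working when the field list changes), flags requests whose User-Agent carries a serialised PHP object (the JDatabaseDriverMysqli string this lab points at, and the generic O:<n>:" shape no browser sends), and counts requests per client IP, which is the question Lab 5 answers with Log Parser's GROUP BY c-ip. The three log lines are constructed for the example; the payload marker is truncated to the class name and is not an exploit. It assumes Windows PowerShell 5.1 and, for real use, the log folder from section 9.14.

```powershell
# Added example (not from the lab manual): parse IIS W3C logs and flag the Joomla
# object-injection User-Agent. Sample lines below are constructed, not from the lab VM.
$SampleLog = @'
#Software: Microsoft Internet Information Services 8.5
#Version: 1.0
#Date: 2023-01-01 10:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-01-01 10:00:01 192.168.1.20 GET /index.php - 80 - 192.168.1.50 Mozilla/5.0+(Windows+NT+10.0)+Firefox/100.0 - 200 0 0 120
2023-01-01 10:00:02 192.168.1.20 GET / - 80 - 192.168.1.10 }__test|O:21:"JDatabaseDriverMysqli":3:{[constructed+truncated+marker]} - 200 0 0 350
2023-01-01 10:00:03 192.168.1.20 GET /cmdasp.aspx - 80 - 192.168.1.10 Mozilla/5.0+(X11;+Linux+x86_64)+Firefox/100.0 - 200 0 0 40
'@

function ConvertFrom-IisW3cLog {
    # Turns W3C log lines into objects named by the #Fields header (IIS encodes spaces as '+',
    # so a plain split on ' ' is safe).
    param([Parameter(ValueFromPipeline)][string[]]$Lines)
    begin { $fields = $null }
    process {
        foreach ($line in $Lines) {
            if ($line -like '#Fields:*') { $fields = $line.Substring(8).Trim() -split '\s+'; continue }
            if ($line.StartsWith('#') -or -not $line.Trim() -or -not $fields) { continue }
            $values = $line -split ' '
            $row = [ordered]@{}
            for ($i = 0; $i -lt $fields.Count; $i++) {
                $row[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '' }
            }
            [pscustomobject]$row
        }
    }
}

function Find-PhpObjectInUserAgent {
    # JDatabaseDriverMysqli is the class name the lab's log line carries; O:<n>:" is the
    # generic opening of a serialised PHP object, which no legitimate User-Agent contains.
    param([Parameter(ValueFromPipeline)]$Row)
    process {
        $ua = $Row.'cs(User-Agent)'
        if ($ua -match 'JDatabaseDriverMysqli' -or $ua -match 'O:\d+:"') { $Row }
    }
}

$Rows = $SampleLog -split "`r?`n" | ConvertFrom-IisW3cLog

'--- requests carrying a serialised PHP object in the User-Agent ---'
$Rows | Find-PhpObjectInUserAgent |
    Select-Object date, time, 'c-ip', 'cs-uri-stem', 'sc-status', 'cs(User-Agent)' | Format-Table -AutoSize

'--- requests per client (what Lab 5 does with GROUP BY c-ip) ---'
$Rows | Group-Object 'c-ip' |
    Sort-Object Count -Descending | Select-Object Count, @{ n = 'c-ip'; e = { $_.Name } } | Format-Table -AutoSize

# Against the real logs on the lab VM (folder from section 9.14):
# Get-Content 'C:\inetpub\logs\LogFiles\W3SVC2\*.log' | ConvertFrom-IisW3cLog | Find-PhpObjectInUserAgent
```

On the constructed sample the first report returns the single line from 192.168.1.10 with the JDatabaseDriverMysqli marker, and the second shows that client with two requests: the exploit and the follow-up fetch of cmdasp.aspx, which is the web-shell access you reproduce in 9.16. On the lab VM the Joomla hit should be at the bottom of the newest log, where Notepad++ showed it.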

9.15 Test webshell

We will now investigate webshell capabilities.

9.16 Launch Firefox

From the Kali VM, locate and launch Firefox

In the address bar, enter http://va-windows.en.singtelcsi.com/cmdasp.aspx and press ENTER
On the web page, enter Windows commands such as dir or hostname and click Execute

Try other commands on the page.

9.17 Run and investigate other webshells

Open a new browser tab and go to the following URLs

• http://va-windows.en.singtelcsi.com/c99shell.php
• http://va-windows.en.singtelcsi.com/privr57.php
• http://va-windows.en.singtelcsi.com/b374k.php

Try the different functions available.

For b374k, you may be prompted with a text box.
Type b374k and press ENTER.

The following screens show where all these website files are stored.

Back in IIS Manager on the Windows VM, click Advanced Settings.

In the left Connections pane, right-click "Joomla" and click "Explore"

This opens the folder where the site's files are located.

9.18 Investigate web source code

In your Windows VM, go to C:\Inetpub\Joomla, locate the file cmdasp.aspx, edit it with
Notepad++ and view the source code.

Also view the source of the following files

• C99shell.php
• B374k.php
• Privr57.php
Notice that while some files such as C99shell.php contain readable text, others such as
b374k.php contain obfuscated text that is not readable, a common way for web shells to evade
signature-based detection and casual review.
9.19 VirusTotal check via sigcheck
Open a command prompt and run the following commands:

• cd \inetpub\joomla
• sigcheck -vt -vr *.php

(It is normal for more files than b374k, c99shell and privr57 to be checked)
Note the detection rate value under VT detection
10 Lab #5: Using Log Parser
10.1 Scope
This lab gives an overview of how Log Parser and LPS (Log Parser Studio) can be used to query
logs.

10.2 Pre-requisites
Log Parser 2.2 (https://technet.microsoft.com/en-us/scriptcenter/dd919274) and Log Parser Studio
(https://gallery.technet.microsoft.com/office/Log-Parser-Studio-cd458765) must be installed

10.3 LogParser
From the Start menu, search for and start Log Parser

This should open a command prompt. You may want to maximize the window.

Also go to the Start Menu, search for the Log Parser folder and start Log Parser 2.2 Documentation

Review the documentation and navigate to Reference, Input Formats, EVT.

10.4 View Event Logs

In the Log Parser command prompt, type LogParser -i EVT "SELECT top 5 EventID,
EventTypeName, Message FROM Application" and press ENTER. Review the output
Locate and execute Event Viewer.

Go to the Application log (under Windows Logs), scroll through the content window all the way
down to the bottom, and compare the event log entries with the Log Parser output.

Close Event Viewer.
10.5 View event logs using LogParser Studio
Go to the Windows Start button, locate and execute Log Parser Studio. Click Continue if
prompted

Click the top left icon (Create a new query)

10.6 View Event logs

In the new window, click NOTSET beside Log Type: and select EVTLOG

In the bottom window, enter the text SELECT top 5 EventID, EventTypeName, Message FROM
Application

Click the second icon on the toolbar (Execute active query) to run the query
View the results and compare them to the command prompt LogParser output and the event log
entries (actual screenshots will differ)

Mouse over the Q1 tab, right-click and click Close Tab

10.7 Viewing large files

A key feature of Log Parser and LPS (Log Parser Studio) is the ability to query large files,
which is useful during an investigation. We will use this feature to examine web server logs.

10.8 Viewing IIS Logs manually

Execute Windows Explorer and navigate to C:\DDOS\. These are log files collected from a
simulated DDoS attack. Notice that the files are more than 500 megabytes in size.

Select one of the files, right-click and click Edit with Notepad++
Notice that it takes quite a while for Notepad++ to load the file

If you launch Task Manager, you will notice that Notepad++ is consuming CPU resources (the
actual value depends on the number of processor cores assigned to the VM)

Close Notepad++ and close Task Manager.

10.9 View IIS logs using LPS

From Log Parser Studio, open a new query

Click NOTSET and select IISW3CLOG

In the top toolbar, click the icon labelled LOG (Choose log files/folders to query)

In the Log File Manager dialog, click Add Folder
Navigate to C:\DDOS, select any file and click Open.

Click OK to close the dialog.

Note the default query text.

Execute the query.
View the output.

Refer to the Log Parser documentation for a description of the different fields.

10.10 Get IIS request count by web clients

We want to identify the web clients that have been making requests to the server.
In the Log Parser Studio screen, go to the bottom query window. Clear the window of all query
text except for the word SELECT, and add a space after SELECT

Press the F3 function key. This should pop up a help window displaying the IIS fields
Select c-ip and either double-click or press ENTER. This will copy c-ip to windows clipboard and
close the helper dialog. (Future usage note, you can make multiple selections by pressing CTRL or
SHIFT key)

Click inside the query window. Make sure cursor is beside SELECT text

CTRL-V to paste from clipboard. That should paste the text c-ip in.

Complete the query by typing in , COUNT(*) FROM '[LOGFILEPATH]' GROUP BY c-ip ORDER BY
COUNT(*) DESC so that the full statement reads
SELECT c-ip, COUNT(*) FROM '[LOGFILEPATH]' GROUP BY c-ip ORDER BY COUNT(*) DESC

Execute the query

Wait a few minutes for Log Parser to run the query. You can watch the status bar at the bottom for the query status.

When the query is complete, view the output. Which clients made the most requests?

10.11 Export query results


Click the Export icon

Save the file as c-ip.csv on your desktop and click OK

If you are prompted with the below dialog, click Cancel

Navigate to the desktop, select c-ip.CSV, right-click it and click Edit with Notepad++

View the contents and close Notepad++

Switch back to Log Parser Studio. Click the Graph (Create chart from active result grid) icon

From the graph window, click the Labels icon to display the counts, and use the drop-down to switch
between the different graph types

Click on File, Save Image.

Save the file as c-ip.jpg to your desktop. You can double-click and view the image

Close your graph window

10.12 Exporting Query as PowerShell script


Click the right most icon (Export query as PowerShell script)

Save as c-ip.ps1 in C:\DDOS folder and click Save

Launch Windows Explorer, navigate to C:\DDoS and view the c-ip.PS1 in Notepad++

View contents of the PowerShell script file. What does the script do? Where does it save the output
file to?

Click on the PowerShell icon in the taskbar

In your PowerShell window, type in the following commands:

• cd \DDoS
• .\c-ip.PS1

Notice that the script does not run: the default PowerShell execution policy does not allow script files to execute.

Type Set-ExecutionPolicy Bypass -Scope Process and press ENTER. If prompted, press ENTER. This relaxes the policy only for the current PowerShell process and does not change the machine-wide setting.

Type .\c-ip.PS1 and press ENTER. This will take a while to complete

When done, close Windows PowerShell

10.13 View query output


Launch Windows Explorer and navigate to This PC -> Documents folder. Select the New Query.CSV
file and view it in Notepad++

Compare the results with those in the LPS results window or the exported c-ip.CSV file

Close Log Parser Studio.

11 Lab #6: Blocking Joomla Exploit
11.1 Scope
We will attempt to prevent the Joomla exploit by blocking web requests that carry the exploit-specific User-Agent
value. Note that this is a signature match on an attacker-controlled header: it stops this particular exploit script, not the underlying vulnerability, so it is a stop-gap until the site is patched.

11.2 IIS Manager


In the irm-windows VM, click Start, search for Run and enter “inetmgr” to open IIS Manager

From IIS manager, click on + sign in left Connections pane to expand VA-WINDOWS (IRM-
WINDOWS) node

Expand the Sites node by clicking on the + sign

Select Joomla web site

11.3 Method 1 : Using URL Rewrite to block custom requests
In features view, locate and double-click URL Rewrite

11.4 Add Inbound Rule


In the right pane, under Actions section, click on Add Rule(s)…

We will create an inbound rule to detect and block Joomla exploit. Select Blank rule under Inbound
rules and click OK.

11.5 Edit Inbound Rule


Enter the following values:
1. Name: Block Joomla RCE exploit
2. Pattern: .*

Click on dropdown arrow on the right to expand Conditions section

Click Add

Under Condition input, type {HTTP_USER_AGENT}. (You can also use your mouse or keyboard to
select the value)

Under Pattern, enter JDatabase and ensure that Ignore case is checked. Click OK to save the
changes.

Scroll down to Action section. Change Action type: to Custom Response

Enter the following values:

• Status code: 404
• Substatus code: 2
• Reason: Not found
• Error description: File not found

Take note: the substatus code is not sent to the client browser but is recorded in the IIS logs. This lets
anyone reviewing the logs distinguish a genuine 404 (File Not Found, substatus 0) from the custom
response generated by this rule (substatus 2)
In the right pane, under Actions, click Apply, then click Back to Rules

Launch Command Prompt in the Windows VM. Type iisreset and press ENTER. This command stops and
restarts the IIS services

11.6 Attempt web exploit


Switch to Kali VM, locate and start Terminal Emulator

Type ./joomla and press ENTER. This script will attempt to compromise the Windows web site

Notice that the exploit does not work this time. Instead, you get an Exploit completed, but no
session was created error message.

11.7 IIS logs


Go to the Windows VM, launch Windows Explorer and navigate to the C:\Inetpub\logs\LogFiles\W3SVC2\ folder

Look for the newest file, select it, right-click it and click Edit with Notepad++

Scroll down to the bottom of the file. Note the different web requests sent from the Kali VM (identified by
the c-ip, or client IP address, value of 192.168.1.10). Notice that the exploit attempt requests carry the
values 404 2, which correspond to sc-status and sc-substatus respectively

11.8 Using Log Parser Studio (Optional)


Besides manual investigation, we can use Log Parser Studio to locate the Joomla attack entries.

11.9 Log File Location


Start Log Parser Studio. From LPS, open a new query

Click NOTSET and select IISW3CLOG

In the top toolbar, click the icon labelled LOG (Choose log files/folders to query)

Click Add Files

Navigate to C:\inetpub\logs\LogFiles\W3SVC2, select the newest file and click Open

Uncheck C:\DDoS\*.log. Ensure that W3SVC2 entry is checked

Click OK to close Log File Manager dialog

11.10 Query statement
Change query text such that the statement is
SELECT date, time, c-ip, cs(User-Agent), sc-status, sc-substatus FROM '[LOGFILEPATH]'
WHERE cs(User-Agent) like '%JDa%'

Take note: You can use the IIS Fields (Press F3) feature to select required fields (press ENTER) and
paste (CTRL-V) from clipboard

Execute the query

11.11 UTC and Local time
Note that IIS records timestamps in UTC by default. Log Parser provides functions to
convert a timestamp to local time.

11.12 Modify Query


From Log Parser Studio, change your query to the following
SELECT TO_TIMESTAMP(date, time) as utc-time, TO_LOCALTIME(utc-time) as local-time, c-ip,
cs(User-Agent), sc-status, sc-substatus FROM '[LOGFILEPATH]' WHERE cs(User-Agent) like
'%JDa%'
The only change from the previous query is that the separate date and time fields are replaced by the two TO_TIMESTAMP and TO_LOCALTIME expressions

Execute the query

Look at the query results. Note that local-time is the utc-time value shifted to the VM's local time zone (GMT+8)
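The two Log Parser Studio queries above (the per-client request count from 10.10 and the User-Agent filter with TO_LOCALTIME from 11.12) can be reproduced in plain Python when Log Parser is not available on the analysis machine. The following is an added example written for this manual, not code from the lab or from Log Parser. It streams IIS W3C log lines instead of loading the whole file, assumes the VM's local zone is GMT+8 as 11.12 states, and runs against a constructed sample log embedded in the script:

```python
"""Offline equivalent of the LPS queries in 10.10 and 11.10-11.12 (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Iterator

# Assumption: the lab VM runs at GMT+8, as section 11.12 states.
LOCAL_TZ = timezone(timedelta(hours=8))

# Constructed sample log (not taken from the lab VM). IIS replaces spaces inside
# field values with '+', which is why each record can be split on single spaces.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2023-01-15 02:10:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2023-01-15 02:10:01 192.168.1.11 GET /index.php - 80 - 192.168.1.10 Mozilla/5.0+(X11;+Linux+x86_64) - 200 0 0 15
2023-01-15 02:10:02 192.168.1.11 GET /index.php - 80 - 192.168.1.10 probe/1.0+JDatabaseDriverMysqli - 404 2 0 3
2023-01-15 02:10:03 192.168.1.11 GET /index.php - 80 - 192.168.1.10 probe/1.0+jdatabasedrivermysqli - 404 2 0 2
2023-01-15 02:10:07 192.168.1.11 GET /index.php - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2023-01-15 02:10:09 192.168.1.11 GET /images/logo.png - 80 - 192.168.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 4
2023-01-15 02:10:15 192.168.1.11 GET /missing.html - 80 - 10.0.0.5 curl/7.81.0 - 404 0 2 1
"""


def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields directive.

    IIS writes a #Fields header at the top of every log file and again whenever
    the logged fields change, so the header is re-read each time it appears.
    """
    fields = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("data line encountered before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def top_clients(lines: Iterable[str], limit: int = 10) -> list:
    """SELECT c-ip, COUNT(*) FROM log GROUP BY c-ip ORDER BY COUNT(*) DESC"""
    counts = Counter(rec["c-ip"] for rec in parse_w3c(lines))
    return counts.most_common(limit)


def exploit_attempts(lines: Iterable[str], ua_fragment: str = "JDatabase") -> list:
    """SELECT ... WHERE cs(User-Agent) LIKE '%JDa%', with TO_LOCALTIME applied.

    The match is case-insensitive, like the 'Ignore case' option on the URL
    Rewrite condition in 11.5. A 404 with sub-status 2 is the custom response
    that rule returns, so it is flagged separately from an ordinary 404.0.
    """
    needle = ua_fragment.lower()
    hits = []
    for rec in parse_w3c(lines):
        if needle not in rec.get("cs(User-Agent)", "-").lower():
            continue
        utc = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        utc = utc.replace(tzinfo=timezone.utc)
        hits.append({
            "utc_time": utc,
            "local_time": utc.astimezone(LOCAL_TZ),
            "c_ip": rec["c-ip"],
            "uri": rec.get("cs-uri-stem", "-"),
            "status": int(rec["sc-status"]),
            "substatus": int(rec.get("sc-substatus", "0")),
            "blocked_by_rule": rec["sc-status"] == "404" and rec.get("sc-substatus") == "2",
        })
    return hits


if __name__ == "__main__":
    log_lines = SAMPLE_IIS_LOG.splitlines()
    for ip, n in top_clients(log_lines):
        print(f"{ip:<16} {n}")
    for hit in exploit_attempts(log_lines):
        print(hit["local_time"].isoformat(), hit["c_ip"], hit["uri"],
              hit["status"], hit["substatus"], hit["blocked_by_rule"])
```

Give each function its own freshly opened file (the result of open() on one of the files under C:\DDoS or W3SVC2), because a file object is consumed by the first call. The blocked_by_rule flag is the practical payoff of the sub-status trick from 11.5: it separates requests the rewrite rule refused from pages that were genuinely missing, which a plain sc-status filter cannot do.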

Close Log Parser Studio

11.13 Kali VM
Switch to Kali VM

11.14 Exit Metasploit


Type exit and press ENTER again to close metasploit

12 Lab #7: Linux web server attack
12.1 Scope
In this lab, we will explore web attacks on Linux servers

12.2 Pre-requisites
Ensure that the irm-kali VM is running

12.3 Start Linux VM


Select irm-linux, double-click to start it

Wait for the Linux command prompt to appear

12.4 Run WordPress exploit


In Kali VM, locate and start Terminal Emulator

Type ./wordpress and press ENTER

Wait a few minutes for Metasploit to start and exploit the WordPress site. When the session opens, type shell and press ENTER.

12.5 Web Site


From Kali VM, locate and launch Firefox

In bookmark bar, click on va-linux. This will load WordPress site located on the Linux VM

Go to the address bar, change it to http://va-linux.en.singtelcsi.com/wordpress/c99shell.php and
press ENTER. This will load our c99 backdoor.

12.6 C99 web shell functionalities
Most of the web shell's features work against the Linux VM. Try the different features of this backdoor. For
example, c99 lets the attacker open a reverse terminal shell back to the attacking machine.

An example: open another terminal and type nc -l -v -p 5992 and press Enter. In
Firefox, click Back-Connection on the web shell page. Enter 192.168.1.10 in the Host field and
5992 in the Port field, make sure the Use field is set to Perl, and click Connect.

12.7 Investigate
Go to Windows VM, from Start menu, locate and launch PuTTY

12.8 SSH to va-linux
In Host Name text box, enter va-linux and click Open

In the login prompt, type root and press ENTER. When prompted for password, type Sing@tel and
press ENTER

12.9 Optional: Adjust font size
If the font size is too small or too big, click the icon in the top-left corner of the PuTTY window and click Change Settings

Click Appearance in the left pane; in the right pane, click Change and select a suitable Size in the Font
dialog. Click OK to close the dialog

Then click Apply to close PuTTY Reconfiguration dialog

12.10 Check for network connections
Type netstat -an | grep EST and press ENTER. The output shows an established outbound connection to va-kali
at 192.168.1.10, which is the c99 back-connect shell from 12.6

12.11 Check web server logs


Type tail -f /var/log/httpd/access_log and press ENTER. The output shows GET and POST web
requests from va-kali (192.168.1.10) to va-linux (192.168.1.11) for /wp-content/plugins/inboundio-
marketing/admin/partials/csv_uploader (actual screenshots may vary). The POST request is the
file upload that placed the web shell.

Type exit and press ENTER to close PUTTY session

12.12 NOTE: Using Log Parser studio to investigate apache logs


Log Parser Studio can also query Apache logs. The log files need to be copied to the Windows
machine that has Log Parser installed, and the query's Log Type set to NCSA
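Before moving the logs to Windows for Log Parser, the same triage can be done on the Linux side. The following is an added example written for this manual, not code from the lab: it parses Apache combined-format access_log lines and flags the two things 12.11 has you look for by eye, the POST upload to the vulnerable plugin's csv_uploader and any request to a PHP file that a stock WordPress install does not serve from that location (such as the dropped c99shell.php). The /wordpress site root, the uploader path suffix and the sample log lines are assumptions constructed for the example:

```python
"""Apache-side equivalent of the 12.11 log review (added example, not lab code)."""
import re
from typing import Iterable, Iterator

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
    r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?$'
)

# Assumptions specific to this lab: WordPress lives under /wordpress and the
# vulnerable uploader is the inboundio-marketing csv_uploader named in 12.11.
WP_ROOT = "/wordpress"
UPLOADER_SUFFIX = "/admin/partials/csv_uploader"
# PHP files a stock WordPress serves directly from the site root. Any other .php
# outside wp-admin/, wp-includes/ or a plugin/theme directory (for example in the
# root or under wp-content/uploads/) is not something WordPress put there.
STOCK_ROOT_PHP = {"index.php", "wp-login.php", "wp-cron.php", "xmlrpc.php",
                  "wp-comments-post.php", "wp-signup.php", "wp-activate.php"}
STOCK_DIRS = ("/wp-admin/", "/wp-includes/", "/wp-content/plugins/", "/wp-content/themes/")

# Constructed sample log lines (not captured from the lab VM).
SAMPLE_ACCESS_LOG = """\
192.168.1.10 - - [15/Jan/2023:10:12:01 +0800] "GET /wordpress/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.10 - - [15/Jan/2023:10:12:05 +0800] "POST /wordpress/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"
192.168.1.10 - - [15/Jan/2023:10:12:09 +0800] "GET /wordpress/c99shell.php HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
192.168.1.10 - - [15/Jan/2023:10:13:30 +0800] "POST /wordpress/c99shell.php?act=cmd HTTP/1.1" 200 2048 "http://va-linux/wordpress/c99shell.php" "Mozilla/5.0"
192.168.1.25 - - [15/Jan/2023:10:14:00 +0800] "GET /wordpress/wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.168.1.25 - - [15/Jan/2023:10:14:10 +0800] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.25 - - [15/Jan/2023:10:14:12 +0800] "GET /wordpress/wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""


def parse_ncsa(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per well-formed line; lines the regex rejects are skipped."""
    for raw in lines:
        m = COMBINED.match(raw.strip())
        if m:
            yield m.groupdict()


def classify(rec: dict):
    """Return an indicator name for a suspicious request, or None."""
    path = rec["target"].split("?", 1)[0]          # drop the query string
    if not path.startswith(WP_ROOT + "/"):
        return None
    rel = path[len(WP_ROOT):]                      # path relative to the WordPress root
    if rec["method"] == "POST" and rel.split(".php", 1)[0].endswith(UPLOADER_SUFFIX):
        return "upload-to-vulnerable-plugin"
    if rel.endswith(".php"):
        if rel.startswith(STOCK_DIRS):
            return None
        if rel.count("/") == 1 and rel[1:] in STOCK_ROOT_PHP:
            return None
        return "unexpected-php-script"
    return None


def web_shell_indicators(lines: Iterable[str]) -> list:
    """Walk the log once and collect every request classify() flags."""
    findings = []
    for rec in parse_ncsa(lines):
        indicator = classify(rec)
        if indicator:
            findings.append({"host": rec["host"], "time": rec["time"],
                             "method": rec["method"], "target": rec["target"],
                             "indicator": indicator})
    return findings


def attacker_hosts(findings: list) -> list:
    """Distinct client addresses behind the findings, for the netstat check in 12.10."""
    return sorted({f["host"] for f in findings})


if __name__ == "__main__":
    found = web_shell_indicators(SAMPLE_ACCESS_LOG.splitlines())
    for f in found:
        print(f["time"], f["host"], f["indicator"], f["method"], f["target"])
    print("hosts:", attacker_hosts(found))
```

On the lab server the call would be web_shell_indicators(open("/var/log/httpd/access_log")). The upload indicator fires before the unexpected-script check so that the uploader itself, which does live under the plugin directory, is still reported; the second rule is deliberately a whitelist of where WordPress legitimately serves PHP rather than a blacklist of shell names, so a renamed c99 is caught just the same.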

12.13 Shutdown Linux VM
From va-linux VM menu, select Machine and ACPI Shutdown to shut down the VM

13 Case Study #2: Travelex Ransomware 2019

Travelex Cyber-Attack Timeline

From: https://www.cm-alliance.com/cybersecurity-blog/travelex-cyber-attack-timeline

13.1 Vulnerabilities discovered in Pulse Secure VPN


March, 2019

• A Pulse Secure VPN vulnerability (CVE-2019-11510) was discovered in March 2019 and patched in
April 2019.

13.2 Un-patched of Pulse Secure VPN Software


September 13, 2019

• The CEO of Bad Packets tweeted that Travelex servers had been found with this
vulnerability. Travelex nevertheless did not patch its Pulse Secure VPN software

13.3 Ransomware Attack


December 31, 2019

• Travelex was hit by a ransomware attack that disrupted its currency exchange business. The
ransomware was called "Sodinokibi Ransomware"

13.4 Shutting down servers


December 31, 2019

• After confirming the attack, Travelex immediately put all its servers offline to protect the data
of thousands of its customers

13.5 Contacted the Police


January 2, 2020

• Travelex contacted the Met Police two days after the incident took place, while it conducted a
detailed investigation.

13.6 Disclose hack incident to public
January 2, 2020

• The CEO of Travelex apologised to the public for suspending services in order to contain the
malware and protect data. The company also stated that, according to its internal investigation
team, no personal data or information had been compromised

13.7 Files being encrypted


January 6, 2020

• An independent investigation by BleepingComputer confirmed that the ransomware had indeed
infected Travelex systems, as the extension attached to the encrypted files was a
string of more than 5 characters

13.8 Confirmation of Encryption


January 6, 2020

• The Sodinokibi operators confirmed to BleepingComputer that they had encrypted the entire Travelex network
and taken more than 5GB of personal data, including dates of birth, social security
numbers, card information and other details of Travelex customers. The ransom note was also
circulated in the media

13.9 Investigation Begins


January 9, 2020

• All staff members at Travelex headquarters were asked to deposit their laptops for a detailed
investigation into the cyber-attack

13.10 Recovery of customer-facing systems in the UK


January 17, 2020

• The CEO of Travelex announced that the company had recovered its customer-facing systems in the UK

13.11 Ransom was paid


January 17, 2020

• The Sodinokibi operators told BleepingComputer that they had received payment from Travelex but would not
specify the amount. However, an employee reportedly said that Travelex paid the attackers the
equivalent of a $2.3 million ransom

13.12 All Travelex Systems are recovered


February 24, 2020

• All systems in Travelex for all countries are restored

Case Study #2: Questions

Identification

• Did Travelex detect the ransomware? How can the detection be improved?

Containment

• What containment measures did Travelex take or not take? Where measures were taken,
were they effective?

Eradication/Recovery

• How did the incident start? How can this be prevented?

Lesson Learned

• If you encountered the same situation as Travelex, would you pay the ransom
or not?

Preparation

• If you were on the Business Continuity Management Steering Committee of Travelex,
what plans would you prepare for the future after this incident?

14 Case Study #3: Industroyer2 2022

Industroyer2 Timeline

From: https://www.welivesecurity.com/2022/04/12/industroyer2-industroyer-reloaded/

14.1 Beginning of the current Russian invasion in Ukraine


February 24, 2022

• The Russian Federation invaded Ukraine in a steep escalation of the Russo-Ukrainian War

14.2 Deployment of CaddyWiper against a Ukrainian bank


March 14, 2022

• The attackers deployed a new version of the CaddyWiper destructive malware

14.3 ESET detects CaddyWiper


09:38 UTC March 14, 2022

• ESET researchers reported a novel data-wiper malware, dubbed CaddyWiper. It was
designed to destroy data and partition information from attached drives

14.4 Compilation of Industroyer2
06:35:32 UTC March 23, 2022

• According to the Portable Executable compile timestamp, Industroyer2 was compiled on this date,
which indicates that the threat actor had planned the attack more than 2 weeks in advance

14.5 Deployment of CaddyWiper against a Ukrainian governmental entity


April 1, 2022

• CaddyWiper infiltrated targeted systems through Windows domain controllers

14.6 Deployment of CaddyWiper on some Windows machines and of Linux and Solaris destructive malware at the energy provider
14:58 UTC April 8, 2022

• CaddyWiper was used against personal computers, servers, and automated process
control systems running Windows. For Linux-based systems, the attackers used the
ORCSHRED, SOLOSHRED, and AWFULSHRED data-wiping scripts. The wiper is picked
according to the installed operating system

14.7 Sandworm* operator creates the scheduled task to launch Industroyer2


15:02:22 UTC April 8, 2022

• Industroyer2 was deployed as a single Windows executable named 108_100.exe and
executed using a scheduled task at 16:10 UTC on April 8, 2022

14.8 Scheduled execution of Industroyer2 to cut power in a Ukrainian region


16:10 UTC April 8, 2022

• Analysis is still ongoing to determine the exact actions taken against each
device. This component is able to control specific ICS devices in order to cut power

14.9 Scheduled execution of CaddyWiper on the same machine to erase Industroyer2 traces
16:20 UTC April 8, 2022

• The wipers were deployed with the further intention of erasing Industroyer2 traces and making it harder
for the power grid operators to regain control of the ICS consoles

*Sandworm, also known as Unit 74455, is allegedly a Russian cyber-military unit of the GRU,
the organisation in charge of Russian military intelligence

Case Study #3: Questions

THIS IS FOR DISCUSSION PURPOSES ONLY

Identification

• Did Ukraine detect the Wiper malware? How can the detection be improved?

Containment

• Assuming the intrusion was achieved through cyber espionage, how should Ukraine handle it?

Eradication/Recovery

• Apart from the assumption above, what are the possible ways the incident could have
started? How can this be prevented?

Lesson Learned

• If you encountered the same situation as in the answer above, how would you have
handled it?
