
HTB Heartbreaker: Walkthrough

image

This Sherlock investigates a potential breach of a customer's database. It involves scrutinizing an email received by one of their employees, understanding its implications, and uncovering any possible connections to the data breach.

0) Walkthrough

1) The victim received an email from an unidentified sender. What email address was used for the suspicious email?

We’re provided with a backup/export of the compromised workstation’s filesystem.

First, I decided to explore the user's AppData folder and found a .ost file, which is an export of emails, contacts, and other data from a user's Outlook for offline viewing. We can load it into XstReader from GitHub and view it.

image

image

As we can see, there is an interesting and suspicious email with an embedded file.

We can go to the properties and see the sender's email:

image

We can right click the link and copy the shortcut and paste it and we see:

http://44.206.187.144:9000/Superstar_MemberCard.tiff.exe

3) The threat actor managed to identify the victim’s AWS credentials. From which file type did the threat actor extract these credentials?

Most likely through the .ost file we're currently viewing, which contains credentials in the Drafts folder.

4) Provide the actual IAM credentials of the victim found within the artifacts.

These are the keys within the drafts of the .ost file:

Access key ID:Secret access key
AKIA52GPOBQCK73P2PXL:OFqG/yLZYaudty0Rma6arxVuHFTGQuM6St8SWySj

5) When (UTC) was the malicious binary activated on the victim’s workstation?

Let's investigate the prefetch file for the binary; it can tell us when the binary was first created and last run:

& "\ZimmermanTools\net6\PECmd.exe" -f .\Windows\prefetch\SUPERSTAR_MEMBERCARD.TIFF.EXE-C2488B05.pf

image

6) Following the download and execution of the binary file, the victim attempted to search for specific keywords on the internet. What were those keywords?

We can open the user's Firefox places.sqlite database and check their search history:

/wb-ws-01/C/Users/ash.williams/AppData/Roaming/Mozilla/Firefox/Profiles/hy42b1gc.default-release$ sqlite3 places.sqlite

We can see quite a few searches, all relating to Superstar Cafe membership:

image
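The search-history step above can be done without typing SQL by hand. The following is an added example, not code from the original post: it reads the moz_places table (the table Firefox keeps visited URLs in, with last_visit_date stored as microseconds since the Unix epoch), keeps only URLs of known search engines, and pulls the query out of the URL parameter. The search-engine list, the sample rows and the timestamps are constructed for the demonstration, not taken from the victim's real profile.

```python
import os
import sqlite3
import tempfile
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlparse

# Search engines whose result pages carry the query in a URL parameter.
# (Assumption: the user searched with one of these; extend the map as needed.)
SEARCH_PARAMS = {
    "www.google.com": "q",
    "www.bing.com": "q",
    "duckduckgo.com": "q",
}


def extract_search_keywords(places_db_path):
    """Return (visit time in UTC, keyword) tuples for search-engine URLs in moz_places.

    Firefox stores every visited URL in moz_places; last_visit_date is
    microseconds since the Unix epoch (PRTime), hence the division by 1e6.
    """
    con = sqlite3.connect(places_db_path)
    try:
        rows = con.execute(
            "SELECT url, last_visit_date FROM moz_places "
            "WHERE last_visit_date IS NOT NULL ORDER BY last_visit_date"
        ).fetchall()
    finally:
        con.close()

    results = []
    for url, last_visit in rows:
        parsed = urlparse(url)
        param = SEARCH_PARAMS.get(parsed.netloc)
        if param is None:
            continue                       # not a search-engine result page
        values = parse_qs(parsed.query).get(param)   # parse_qs already URL-decodes
        if not values:
            continue
        when = datetime.fromtimestamp(last_visit / 1_000_000, tz=timezone.utc)
        results.append((when.strftime("%Y-%m-%d %H:%M:%S"), values[0]))
    return results


def build_sample_places_db(path):
    """Constructed sample database with only the one table we need; NOT the real artifact."""
    base = 1_710_324_000 * 1_000_000          # 2024-03-13 10:00:00 UTC, in microseconds
    rows = [
        ("https://www.google.com/search?q=superstar+cafe+membership", base),
        ("https://example.com/", base + 30 * 1_000_000),                        # not a search
        ("https://www.google.com/search?q=superstar%20membership%20card", base + 60 * 1_000_000),
        ("https://duckduckgo.com/?q=superstar+cafe+rewards&t=h_", base + 90 * 1_000_000),
    ]
    con = sqlite3.connect(path)
    with con:
        con.execute(
            "CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
            "title TEXT, last_visit_date INTEGER)"
        )
        con.executemany("INSERT INTO moz_places (url, last_visit_date) VALUES (?, ?)", rows)
    con.close()


def demo():
    """Build the constructed sample in a temp dir and pull the keywords out of it."""
    path = os.path.join(tempfile.mkdtemp(), "places.sqlite")
    build_sample_places_db(path)
    return extract_search_keywords(path)


if __name__ == "__main__":
    for visited, keyword in demo():
        print(visited, keyword)
```

To run it against a real export, point extract_search_keywords at a copy of places.sqlite (copy it first; Firefox holds a lock on the live file). Searches typed into the address bar that never reached a search engine will not appear here, so compare the result with moz_places titles if the list looks short.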

7) At what time (UTC) did the binary successfully send an identical malicious email from the victim’s machine to all the contacts?

We can check the .ost file again and see:

image

8) How many recipients were targeted by the distribution of the said email excluding the victim’s email account?

image

Counting them, we get 58. (There is probably a better way to see this, but I'm an idiot :D)

9) Which legitimate program was utilized to obtain details regarding the domain controller?

We can utilize Chainsaw to sift through the .evtx logs on the machine and look for any instances of the Superstar_MemberCard.tiff.exe binary.

./chainsaw.exe search "Superstar_MemberCard" C:\Users\Zayd\Downloads\wb-ws-01\C\ --skip-errors

After looking through lots of output, we notice a Sysmon Event ID 10 (Process Access) event involving nltest.exe, a legitimate Windows binary that can be used to obtain a list of domain controllers.

image

10) Specify the domain (including sub-domain if applicable) that was used to download the tool for exfiltration.

I tried using Chainsaw for this again, but the fact that I can't specify an event ID and also a specific string to look for made it quite difficult to filter for what I needed, so I loaded the Sysmon log into Event Viewer, filtered for ID 22 (DNS queries), and specified the "Super" string:

image

11) The threat actor attempted to conceal the tool to elude suspicion. Can you specify the name of the folder used to store and hide the file transfer program?

The DNS query was performed at 2024-03-13 10:45:20.904, so we can look for any events right after that query:

image

Then, when the attacker unzipped it, we can find where the binary was stored via Event ID 11 (FileCreate):

image

12) Under which MITRE ATT&CK technique does the action described in question #11 fall?

image

13) Can you determine the minimum number of files that were compressed before they were extracted?

We can utilize Chainsaw again and grep for any TargetFilename instances, which narrows the output to files that were created or modified; if we then uniq the results, we should be able to discern exactly how many files were extracted.

./chainsaw.exe search "Superstar_MemberCard.tiff.exe" C:\Users\Zayd\Downloads\wb-ws-01\C\Windows\System32\winevt\ --skip-errors | Select-String -Pattern "TargetFileName" > files.txt

Then on Linux:

iconv -f UTF-16 -t UTF-8 files.txt > new_files.txt   # PowerShell's > redirection wrote UTF-16
tr -d ' ' < new_files.txt > out.txt                    # strip whitespace so identical paths compare equal
grep "PublicFiles" out.txt | sort | uniq > final.txt   # keep only paths under the drop folder, deduplicated
wc -l < final.txt

29

Now, 29 isn't the right answer, since there are 2 zip files and the directory itself, which weren't extracted from the zip file:

image

image

So the answer is 26.
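Questions 9, 11 and 13 all come down to the same three operations on the Sysmon events: finding what the malicious process opened a handle to (Event ID 10), listing what happened in the seconds after the DNS query (Event ID 22), and counting the unique files created under the drop folder (Event ID 11) minus the folder itself and the archives they came from. The block below is an added example, not code from the original post, that does those three things over a small set of constructed Sysmon-style events. The binary's on-disk path, the file names under PublicFiles, the timestamps (other than the DNS query time quoted above) and the DNS name are assumptions or placeholders, not values from the real wb-ws-01 logs.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style events standing in for the real wb-ws-01 logs.
# Times are UTC; only the fields this example needs are kept. The binary's
# path under Downloads is an assumption, and the DNS name is a placeholder.
BINARY = r"C:\Users\ash.williams\Downloads\Superstar_MemberCard.tiff.exe"
TOOL_DIR = r"C:\Users\Public\PublicFiles"
SAMPLE_EVENTS = [
    {"time": "2024-03-13 10:44:58.100", "id": 1,  "Image": BINARY},
    {"time": "2024-03-13 10:45:20.904", "id": 22, "Image": BINARY, "QueryName": "download-domain.placeholder"},
    {"time": "2024-03-13 10:45:24.310", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\tool.zip"},
    {"time": "2024-03-13 10:45:31.020", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR},
    {"time": "2024-03-13 10:45:31.055", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\tool.zip"},
    {"time": "2024-03-13 10:45:32.000", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\extras.zip"},
    {"time": "2024-03-13 10:45:33.200", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\WinSCP.exe"},
    {"time": "2024-03-13 10:45:33.250", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\WinSCP.com"},
    {"time": "2024-03-13 10:45:33.300", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\readme.txt"},
    {"time": "2024-03-13 10:45:33.300", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\readme.txt"},
    {"time": "2024-03-13 10:45:33.400", "id": 11, "Image": BINARY, "TargetFilename": TOOL_DIR + r"\license.txt"},
    {"time": "2024-03-13 10:47:00.000", "id": 10, "SourceImage": BINARY, "TargetImage": r"C:\Windows\System32\nltest.exe"},
    {"time": "2024-03-13 11:30:00.000", "id": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\ash.williams\AppData\Local\Temp\unrelated.tmp"},
]


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S.%f")


def events_after(events, anchor, window_seconds):
    """Events strictly after `anchor` and no later than `window_seconds` after it (question 11)."""
    start = parse_time(anchor)
    end = start + timedelta(seconds=window_seconds)
    hits = [e for e in events if start < parse_time(e["time"]) <= end]
    return sorted(hits, key=lambda e: e["time"])   # zero-padded stamps sort correctly as text


def process_access_targets(events, source_image):
    """Images that `source_image` opened a handle to (Sysmon ID 10), deduplicated (question 9)."""
    return sorted({e["TargetImage"] for e in events
                   if e["id"] == 10 and e["SourceImage"].lower() == source_image.lower()})


def extracted_files(events, base_dir, archive_exts=(".zip",)):
    """Unique files created under base_dir (Sysmon ID 11), minus the folder itself and
    the archives they were unpacked from: the 'minimum files extracted' of question 13."""
    base = base_dir.rstrip("\\").lower()
    seen = set()
    for e in events:
        if e["id"] != 11:
            continue
        name = e["TargetFilename"]
        low = name.lower()
        if low == base or not low.startswith(base + "\\") or low.endswith(archive_exts):
            continue
        seen.add(name)
    return sorted(seen)


if __name__ == "__main__":
    dns_time = "2024-03-13 10:45:20.904"
    for e in events_after(SAMPLE_EVENTS, dns_time, 60):
        print(e["time"], e["id"], e.get("TargetFilename", e.get("QueryName", "")))
    print(process_access_targets(SAMPLE_EVENTS, BINARY))
    files = extracted_files(SAMPLE_EVENTS, TOOL_DIR)
    print(len(files), files)
```

With real data, fill SAMPLE_EVENTS from Chainsaw's JSON output (the field names above are Sysmon's own: TargetFilename, SourceImage, TargetImage, QueryName) and widen the window if the download and unzip took longer than a minute. The deduplication matters: Sysmon logs a FileCreate per create call, so an installer that rewrites a file shows up twice, which is exactly why the raw count of 29 above overshoots.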

14) To exfiltrate data from the victim’s workstation, the binary executed a command. Can you provide the complete command used for this action?

We can filter for Event ID 1 (Process Create) and look for any process creations of WinSCP.exe:

image

This post is licensed under CC BY 4.0 by the author.