Hyperfiletable
Sherlock Scenario
There has been a new joiner in Forela, they have downloaded their onboarding documentation, however someone has managed to phish the user with a malicious attachment. We have only managed to pull the MFT record for the new user, are you able to triage this information?
Challenge data
Task 1
What is the MD5 hash of the MFT?
File path and name: D:\Downloads\hyperfiletable\mft.raw\mft.raw
Name: mft.raw
Type: .raw
Size: 115.5 MB
Bytes: 121110528
Modified: 2023-06-02 22:38:10
Attributes: A
Copies: 1
CRC32: 29C15241
CRC64: 4EE3D6ED243B4347
MD5: 3730C2FEDCDC3ECD9B83CBEA08373226
Answer
3730C2FEDCDC3ECD9B83CBEA08373226
Task 2
Info
This task uses the MFTECmd tool.
What is the name of the only user on the system?
Parse the MFT file with MFTECmd:
PS D:\_Tool\_ForensicAnalyzer\MFTECmd> .\MFTECmd.exe -f D:\Downloads\hyperfiletable\mft.raw\mft.raw --csv "D:\Downloads\hyperfiletable\mft.raw"
MFTECmd version 1.2.2.1
Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd
Command line: -f D:\Downloads\hyperfiletable\mft.raw\mft.raw --csv D:\Downloads\hyperfiletable\mft.raw
Warning: Administrator privileges not found!
File type: Mft
Processed D:\Downloads\hyperfiletable\mft.raw\mft.raw in 1.5877 seconds
D:\Downloads\hyperfiletable\mft.raw\mft.raw: FILE records found: 110,818 (Free records: 7,240) File size: 115.5MB
CSV output will be saved to D:\Downloads\hyperfiletable\mft.raw\20240102085049_MFTECmd_$MFT_Output.csv
Analyze the output file and search it for the keyword \user; that gives the path of the user's profile folder.
Answer
Randy Savage
Task 3
What is the name of the malicious HTA downloaded by the user?
Search using the user's default download directory as the keyword: .\Users\Randy Savage\Downloads
Because of the volume of data, the full output is not reproduced here.
EntryNumber | SequenceNumber | InUse | ParentEntryNumber | ParentSequenceNumber | ParentPath | FileName | Extension | FileSize | ReferenceCount | ReparseTarget | IsDirectory | HasAds | IsAds | SI<FN | uSecZeros | Copied | SiFlags | NameType | Created0x10 | Created0x30 | LastModified0x10 | LastModified0x30 | LastRecordChange0x10 | LastRecordChange0x30 | LastAccess0x10 | LastAccess0x30 | UpdateSequenceNumber | LogfileSequenceNumber | SecurityId |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
103820 | 7 | TRUE | 105011 | 2 | .\Users\Randy Savage\Downloads | Onboarding.hta | .hta | 1144 | 1 | FALSE | TRUE | FALSE | FALSE | FALSE | FALSE | Archive | Windows | 21:40.1 | 21:45.6 | 21:40.1 | 21:45.6 | 21:40.2 | 22:01.0 | 21:40.1 | 27166224 | 375731114 | 1793 |
103820 | 7 | TRUE | 105011 | 2 | .\Users\Randy Savage\Downloads | Onboarding.hta:Zone.Identifier | .Identifier | 389 | 1 | FALSE | FALSE | TRUE | FALSE | FALSE | FALSE | Archive | Windows | 21:40.1 | 21:45.6 | 21:40.1 | 21:45.6 | 21:40.2 | 22:01.0 | 21:40.1 | 27166224 | 375731114 | 1793 |
That yields the answer.
Answer
Onboarding.hta
Task 4
What is the ZoneId of the malicious HTA file?
It is in the Onboarding.hta:Zone.Identifier alternate data stream listed at the end of the record above:
[ZoneTransfer]
ZoneId=3
HostUrl=https://doc-10-8k-docs.googleusercontent.com/docs/securesc/9p3kedtu9rd1pnhecjfevm1clqmh1kc1/9mob6oj9jdbq89eegoedo0c9f3fpmrnj/1680708975000/04991425918988780232/11676194732725945250Z/1hsQhtmZJW9xZGgniME93H3mXZIV4OKgX?e=download&uuid=56e1ab75-ea1e-41b7-bf92-9432cfa8b645&nonce=u98832u1r35me&user=11676194732725945250Z&hash=j5meb42cqr57pa0ef411ja1k70jkgphq
Answer
3
Task 5
What is the download URL of the malicious HTA?
Answer
https://doc-10-8k-docs.googleusercontent.com/docs/securesc/9p3kedtu9rd1pnhecjfevm1clqmh1kc1/9mob6oj9jdbq89eegoedo0c9f3fpmrnj/1680708975000/04991425918988780232/11676194732725945250Z/1hsQhtmZJW9xZGgniME93H3mXZIV4OKgX?e=download&uuid=56e1ab75-ea1e-41b7-bf92-9432cfa8b645&nonce=u98832u1r35me&user=11676194732725945250Z&hash=j5meb42cqr57pa0ef411ja1k70jkgphq
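As an added example (not part of the original write-up and not MFTECmd's own code), the triage across Tasks 3 to 5 can be automated: filter MFTECmd CSV rows for Zone.Identifier alternate data streams under the user's Downloads folder, then parse the stream's [ZoneTransfer] section for ZoneId and HostUrl. The CSV rows and the stream content below are constructed samples that keep only the columns used here, and the URL is a placeholder.

```python
import csv
import io
from typing import Dict, List

# Constructed sample of MFTECmd CSV output, reduced to the columns used here
# (real output has ~30 columns). The two Onboarding.hta rows mirror the
# record shown in the write-up; the third row is filler that must be ignored.
SAMPLE_MFT_CSV = r"""EntryNumber,ParentPath,FileName,Extension,FileSize,HasAds,IsAds
103820,.\Users\Randy Savage\Downloads,Onboarding.hta,.hta,1144,True,False
103820,.\Users\Randy Savage\Downloads,Onboarding.hta:Zone.Identifier,.Identifier,389,False,True
2048,.\Users\Randy Savage\Documents,notes.txt,.txt,12,False,False
"""

# Constructed Zone.Identifier stream (Mark of the Web written on download);
# the HostUrl is a placeholder, not the one from the challenge.
SAMPLE_ZONE_IDENTIFIER = """[ZoneTransfer]
ZoneId=3
HostUrl=https://example.invalid/download?id=PLACEHOLDER
"""

# URLZONE values used by Windows urlmon; 3 (Internet) is the zone MotW marks.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}


def find_downloaded_ads(csv_text: str, downloads_dir: str) -> List[Dict[str, str]]:
    """Return MFT rows that are Zone.Identifier streams directly under downloads_dir."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["ParentPath"] != downloads_dir:
            continue
        if row["IsAds"].lower() == "true" and row["FileName"].endswith(":Zone.Identifier"):
            # The host file is the part of "name:stream" before the first colon.
            row["HostFile"] = row["FileName"].split(":", 1)[0]
            hits.append(row)
    return hits


def parse_zone_identifier(text: str) -> Dict[str, str]:
    """Parse the [ZoneTransfer] section into a dict and add a ZoneName for ZoneId."""
    result: Dict[str, str] = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line == "[ZoneTransfer]"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)  # split once: URLs contain '='
            result[key.strip()] = value.strip()
    if "ZoneId" in result:
        result["ZoneName"] = ZONE_NAMES.get(int(result["ZoneId"]), "Unknown")
    return result
```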