
We'll go through the 2015 Australian challenge. Welcome. This is the third year the challenge has been running, and it's running again this year upstairs, so if you're not involved yet, go and catch up with the guys running it; it's a lot of fun.

This presentation is about finding talent, so I'll start with a very quick overview of why we set challenges and then run through some of the technical details. We issue a challenge to everyone who applies to us, and over the past couple of years especially we've been expanding very rapidly: we've had additional funding to grow over three consecutive years, we've rolled out a CSD, we've got technical staff in offices around the country (Brisbane, Sydney, Melbourne, with more coming online very soon), and we've recently established a 24/7 capability as well. We run a hotline, which means triage is happening around the clock, so we need technical people interstate as well. So we're getting very good at creating challenges too. We have a new one for each recruitment round, and we use them at events like this as well.

Very quickly, the process is: we shortlist applicants, we issue the shortlisted applicants the technical challenge, and then that gives us the opportunity to really talk to the applicant during the interview and understand what they learned from the exercise. A lot of work goes into creating the technical challenge: obviously we have to set up the scenario, build the pathway and the software, try to make it as realistic as possible, package it up, and then look for the talent among the applicants.
When we issue the challenge we give a description of the scenario. In this one, an engineer at a company (I'll explain in a minute what an HMI is) suddenly lost visibility of what was happening in their process control environment and needed to understand what happened. In the scenario they have escalated it, we've undertaken incident response, and we've collected a couple of artifacts: we've got a RAM image, a memory dump from the workstation the engineer was using, and a packet capture from the network. In reality we'd probably only have one or the other. The applicants are able to use both the memory snapshot and the packet capture. Sometimes we give a preference, so we say we'd prefer you focus on the packet capture, sorry, the memory, but if you're having trouble with that, have a look at the packet capture. For this one we didn't; it was really up to the applicant to choose where they wanted to start and work their way through trying to piece together what happened.

Just for those who may not be familiar with the term, an HMI is a human machine interface, basically a piece of software that allows an engineer to monitor what's happening in a process control environment, whether that's energy generation and distribution, water and wastewater distribution, or even a manufacturing floor. Often these environments are running 24 hours a day, they're highly critical, and they keep things like the electricity running.

Stepping back quickly and having a think about what we actually want to achieve from working through this exercise: you want to build a bit of context, extract a bit of information about the environment the workstation is operating in, work out what happened, and piece together a bit of a timeline of how it happened. Then, for the purposes of the report, we ask the applicant to write some remediation advice and think about it from our perspective: what would we be doing? We'd typically be providing advice to industry about this particular activity if it was something that might be relevant to everybody else.

Each artifact will tell us slightly different things and give a slightly different perspective on what happened, so we'll have a look at both during the walkthrough. From the memory dump we can have a look at what processes were running on the workstation and see if there are any suspicious-looking processes or DLLs that might be malicious; we can extract artifacts from the memory dump, or even try to reconstruct executables that were running, for example. From the packet capture we can identify network-based indicators: we can look at what hosts were communicating, what protocols they were using, and whether there's anything unusual there, and we can also extract files if they were being transferred.

So we're going to have a look at the memory capture first, and we're going to use Volatility to do that. Volatility is a free Python framework for analysing RAM captured from running computers. Typically a tool is used to take a snapshot of the volatile memory and write it out to a file. What Volatility does is understand how different operating systems, and different versions of operating systems, use memory and how the memory structures look, which differs between versions of different operating systems. So one of the first steps is to identify the version of the operating system that the workstation was running and tell Volatility that, so that it can correctly understand the memory structures that are in use. I'm not going to go through how we do that; Volatility contains some utilities that allow you to do it. In this case it was Windows 7.
We're going to see a few of these. These are both Volatility plugins; on the far left you'll see the command, vol.py, and then pslist, which lists the processes that were running on the workstation at the time the memory dump was taken. Don't worry too much about the data in the columns, but I'll run through what's in them: we've got the name of the executable, the process ID, the parent process ID, and so on. Sess is like a login session, so 0 is the system session and 1 is the session the user logged into. We also get the start time for each process.

Looking at the system processes we get a bit of an idea of when the machine started, which is all on the same day; this was all done in a very compressed time frame, at 2:59:47. The login is about six from the top, at 2:49:30; the computer actually logs in automatically when it boots up. Looking down towards the bottom you'll see Internet Explorer and Acrobat Reader, and then right at the bottom some pretty interesting-looking processes: powershell, cmd and client.exe. That's a very quick overview of what's running on the machine, but the relationship between parent and child processes is important, as is when processes were created and whether or not they're running in an interactive session.

Volatility has a few different ways of representing this process information. pstree just shows you the parent-child hierarchy, so this one shows the relationship between the different processes. At the top you can see PowerShell created the cmd.exe process, which created the client.exe process. That's interesting, and that's probably the one we're most interested in. Also, the AdvancedHMI application, the HMI I mentioned, starts very early on: it started at 3:05, which is roughly 20 seconds after the machine booted and is what you'd expect for that application, and the PowerShell start happens about 20-odd minutes later, at around 3:25. I mentioned sessions; the sessions command just groups all of the processes by session, so you can see that in session 0 all of the system processes are running, and session 1 is where you see all of the user's processes: Internet Explorer, PowerShell, client. You get a feel for how those processes might have been created.

Another thing you can do with Volatility is list the command line parameters that a process was started with, which I've pulled out here, and you can also see which directory the executables are in. AdvancedHMI is in the Program Files directory, which is where you'd expect to see an application. cmd.exe was used to run a second command, which is client.exe, and that's running from quite an unusual location, a temp directory. So the picture we're getting here is that these processes are a little bit unusual and we probably want to understand a bit more about what they're doing. I should have said there are a lot of ways to approach this, and I was actually one of two people who created this challenge, so when I'm thinking about it I know where the end point is; I've got a very directed path through the challenge, obviously, but people starting out wouldn't have that.

So just looking at what we got out of that very quick examination of the processes, we see that AdvancedHMI.exe is likely to be the HMI application that lost visibility, and we see Internet Explorer and Acrobat Reader started around 3:20 to 3:25; these applications are often used to deliver, I guess, a malware payload, so they're on the radar. And then we see these suspicious processes around PowerShell, cmd and client. So what can we find out about this AdvancedHMI process? We'll dig into it a little bit and see what it's communicating with on the network.
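Added illustration (not part of the talk or the challenge materials): the parent-child and file-location checks described above, as a Python script over a constructed pslist/cmdline-style listing. AdvancedHMI's PID 2364 is from the talk; the other PIDs, paths, timestamps and the choice of iexplore.exe as PowerShell's parent are assumptions.

```python
"""Triage a process listing of the kind Volatility's pslist/pstree/cmdline
plugins print: flag a script host started by a browser or document reader,
a child of such a script host, and an executable running from a
user-writable location such as %TEMP%."""
import ntpath
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid sess start cmdline")

# Constructed sample modelled on the talk's slides. Only AdvancedHMI's PID
# (2364) comes from the talk; every other PID, path and timestamp, and the
# choice of iexplore.exe as powershell's parent, is an assumption.
PSLIST = [
    Proc("System",          4,    0,    -1, "02:59:47", ""),
    Proc("wininit.exe",     400,  348,  0,  "02:59:48", "wininit.exe"),
    Proc("explorer.exe",    1480, 1440, 1,  "03:04:50", r"C:\Windows\Explorer.EXE"),
    Proc("AdvancedHMI.exe", 2364, 1480, 1,  "03:05:03", r'"C:\Program Files\AdvancedHMI\AdvancedHMI.exe"'),
    Proc("iexplore.exe",    2800, 1480, 1,  "03:20:11", r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    Proc("iexplore.exe",    2860, 2800, 1,  "03:20:12", r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2800'),
    Proc("AcroRd32.exe",    2990, 1480, 1,  "03:25:40", r'"C:\Program Files\Adobe\Reader\AcroRd32.exe"'),
    Proc("powershell.exe",  3120, 2860, 1,  "03:28:05", "powershell.exe -WindowStyle Hidden"),
    Proc("cmd.exe",         3188, 3120, 1,  "03:28:09", r"cmd.exe /c C:\Users\eng\AppData\Local\Temp\client.exe"),
    Proc("client.exe",      3204, 3188, 1,  "03:28:10", r"C:\Users\eng\AppData\Local\Temp\client.exe"),
]

TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
INITIAL_ACCESS_APPS = {"iexplore.exe", "acrord32.exe", "winword.exe", "excel.exe"}


def exe_path(cmdline):
    """Executable path from a Windows command line; '' when only a bare image
    name is present (pslist alone does not tell you where it loaded from)."""
    s = cmdline.strip()
    if s.startswith('"'):
        path = s[1:s.find('"', 1)]
    else:
        path = s.split()[0] if s else ""
    return path if "\\" in path else ""


def ancestors(proc, by_pid):
    """Parent chain of proc, nearest first, stopping at a missing or cyclic PID."""
    chain, seen = [], set()
    parent = by_pid.get(proc.ppid)
    while parent is not None and parent.pid not in seen:
        seen.add(parent.pid)
        chain.append(parent)
        parent = by_pid.get(parent.ppid)
    return chain


def triage(procs):
    """Map PID -> list of human-readable reasons the process deserves a look."""
    by_pid = {p.pid: p for p in procs}
    findings = {}
    for p in procs:
        reasons = []
        path = exe_path(p.cmdline)
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("runs from %s" % ntpath.dirname(path))
        parent = by_pid.get(p.ppid)
        if parent and p.name.lower() in SCRIPT_HOSTS and parent.name.lower() in INITIAL_ACCESS_APPS:
            reasons.append("%s spawned by %s" % (p.name, parent.name))
        hosts = [a.name for a in ancestors(p, by_pid) if a.name.lower() in SCRIPT_HOSTS]
        if hosts and p.name.lower() not in SCRIPT_HOSTS:
            reasons.append("descends from " + " <- ".join(hosts))
        if reasons:
            findings[p.pid] = reasons
    return findings


def render_tree(procs):
    """Indented parent-child view in the style of Volatility's pstree."""
    by_ppid = {}
    for p in procs:
        by_ppid.setdefault(p.ppid, []).append(p)
    known = {p.pid for p in procs}
    lines = []

    def walk(p, depth):
        lines.append("%s%s (%d, sess %d) started %s" % ("." * depth, p.name, p.pid, p.sess, p.start))
        for child in sorted(by_ppid.get(p.pid, []), key=lambda c: c.start):
            walk(child, depth + 1)

    for root in [p for p in procs if p.ppid not in known]:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(PSLIST)))
    for pid, reasons in sorted(triage(PSLIST).items()):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

On the constructed listing this flags client.exe twice (running from the user's Temp directory and descending from cmd.exe under powershell.exe) and powershell.exe once (spawned by iexplore.exe), while AdvancedHMI.exe under Program Files is left alone; the same rules would run unchanged over real pslist and cmdline output once it is parsed into Proc rows.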
We'll also look at what it might look like on the screen. This is actually a screenshot from memory; Volatility has a plugin for that. It's a wireframe diagram of what the Windows desktop actually looked like, a whole screenshot: you can see the Start button on the bottom left there and the AdvancedHMI application, and you can see labels like 'voltage' and 'pressure' on the screen in the middle. So it sort of gives you a desktop pulled out of the memory manager, something that gives you an indication of what the engineer was actually looking at, just a bit of insight into where we're going. There's actually a couple of gauges there, a voltage gauge and a pressure gauge; they're showing the engineer a couple of values from a remote device.

So what else can we find out about this AdvancedHMI process? Its process ID was 2364. Using the netscan plugin I filtered out the network activity associated with that process, and you can see there it's got an established connection to port 502 on a remote host. Port 502 is Modbus, a communications protocol that's been around for a very long time, has very little security built into it, and is used to interact with process control devices. So we can look for whether there's any other Modbus traffic in the memory dump. Here I've just stripped out the port 502 traffic, and what we see is, once again, AdvancedHMI at the top, but then client.exe has five TCP sessions to three different hosts on port 502, Modbus. So that's interesting in itself, that this exe is actually using Modbus.

Now jumping into the packet capture, just using Wireshark, I filtered for the TCP session at the top, which is uniquely identified by that four-tuple. Wireshark understands Modbus, and up at the top there it's highlighted as Read Holding Registers, so this is the HMI application sending a Modbus request to some remote device asking it to read two holding registers. If you look down the bottom you can see the two values that are returned from that request, 47 and about 68. These are basically values that represent something happening in the logic of the process controller that the HMI is able to interpret and present to the engineer. I also noticed that the time here is very early on, 3:01, so this is likely to be before anything bad happened.

Later on, having a look at another one of those TCP sessions, one of the ones that the client.exe process created, we can see there's a very short TCP session that basically completes the three-way handshake and then tears the connection down. It looks like a TCP connect scan.

In another of the connections that we were able to pull out of the memory there's a different command sent. In this TCP session, which is happening right at the end at 3:30-something, there's a command to Write Multiple Registers, and what it's doing is overwriting 64 registers with the value 0. So this is a Modbus command sent by client.exe to overwrite registers. If we have a look again at that initial session, but much later on, after that write registers command, the HMI is still polling the device asking for the values from those two registers, and now we see it getting zeros as the value for both readings. So this might explain why the engineer says they lost visibility of what was happening at the remote controller: all of a sudden the values on the HMI application went down to zero and stayed there.

So at this point we know that AdvancedHMI uses Modbus and interacted with a single host, the .200 host. If you have a look at the timings in the packet capture you see it reads those registers every half-second, updating very regularly, and those values were around 47 and 68 respectively. We also found that client.exe actually used Modbus to send the Write Multiple Registers command; it also looked like it was possibly doing some TCP connect scanning on port 502, and that write command set 64 registers to the value 0, and following that we saw the HMI receiving 0 values in response. So we've got a bit of a picture of what happened at a very high level, but there are still some pretty tricky questions to be answered: how did that client.exe get there? What triggered the PowerShell and cmd commands that started the client.exe process, and what did they do? What does that client.exe command do? We know it possibly did some scanning and it looks like it overwrote some registers, but that's just based on a few artifacts; there could be a lot more that the actual process was able to do. Was it working of its own accord, or was it receiving command and control?
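Added illustration (not the talk's or the challenge's code): a Modbus/TCP decoder for the two function codes in the capture, Read Holding Registers (0x03) and Write Multiple Registers (0x10), replaying a constructed HMI/PLC/intruder exchange. Host addresses, ports and timings are assumptions; the two polled registers with values 47 and 68, the 64-register write of zeros and the subsequent zero readings follow the talk.

```python
"""Decode Modbus/TCP frames (MBAP header + PDU) for Read Holding Registers
(0x03) and Write Multiple Registers (0x10), then replay a constructed
HMI/PLC/intruder exchange and flag the write from a non-HMI host and the
polled readings dropping to zero afterwards."""
import struct

FUNCTION_NAMES = {0x03: "Read Holding Registers", 0x04: "Read Input Registers",
                  0x06: "Write Single Register", 0x10: "Write Multiple Registers"}
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}
MODBUS_PORT = 502


def parse_frame(data, is_request):
    """Parse one ADU. Requests and responses share a function code, so the
    direction (towards port 502 or back from it) comes from the TCP layer."""
    if len(data) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", data[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(data) - 6:            # MBAP length counts unit id + PDU
        raise ValueError("MBAP length %d does not match payload" % length)
    pdu = data[7:]
    fc = pdu[0]
    frame = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "request": is_request,
             "name": FUNCTION_NAMES.get(fc & 0x7F, "function 0x%02x" % (fc & 0x7F))}
    if fc & 0x80:                          # exception response: one code byte follows
        frame["exception"] = pdu[1]
        return frame
    body = pdu[1:]
    if fc in (0x03, 0x04):
        if is_request:
            frame["addr"], frame["qty"] = struct.unpack(">HH", body[:4])
        else:
            n = body[0]                    # byte count, two bytes per register
            frame["values"] = list(struct.unpack(">%dH" % (n // 2), body[1:1 + n]))
    elif fc == 0x10:
        if is_request:
            frame["addr"], frame["qty"], n = struct.unpack(">HHB", body[:5])
            frame["values"] = list(struct.unpack(">%dH" % (n // 2), body[5:5 + n]))
        else:
            frame["addr"], frame["qty"] = struct.unpack(">HH", body[:4])
    return frame


# Frame builders, used here only to construct the sample exchange.
def mbap(tid, unit, pdu):
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu

def read_holding_request(tid, addr, qty, unit=1):
    return mbap(tid, unit, struct.pack(">BHH", 0x03, addr, qty))

def read_holding_response(tid, values, unit=1):
    head = struct.pack(">BB", 0x03, 2 * len(values))
    return mbap(tid, unit, head + struct.pack(">%dH" % len(values), *values))

def write_multiple_request(tid, addr, values, unit=1):
    head = struct.pack(">BHHB", 0x10, addr, len(values), 2 * len(values))
    return mbap(tid, unit, head + struct.pack(">%dH" % len(values), *values))

def write_multiple_response(tid, addr, qty, unit=1):
    return mbap(tid, unit, struct.pack(">BHH", 0x10, addr, qty))


# Constructed flow of (time, src, dst, dst_port, payload). Hosts, ports and
# times are assumptions; register values and the 64-zero write follow the talk.
HMI, PLC, INTRUDER = "192.168.1.10", "192.168.1.200", "192.168.1.55"
FLOW = [
    (0.00, HMI, PLC, MODBUS_PORT, read_holding_request(1, 0, 2)),
    (0.01, PLC, HMI, 49152, read_holding_response(1, [47, 68])),
    (0.50, HMI, PLC, MODBUS_PORT, read_holding_request(2, 0, 2)),
    (0.51, PLC, HMI, 49152, read_holding_response(2, [47, 68])),
    (1.00, INTRUDER, PLC, MODBUS_PORT, write_multiple_request(1, 0, [0] * 64)),
    (1.02, PLC, INTRUDER, 50001, write_multiple_response(1, 0, 64)),
    (1.50, HMI, PLC, MODBUS_PORT, read_holding_request(3, 0, 2)),
    (1.51, PLC, HMI, 49152, read_holding_response(3, [0, 0])),
]


def analyse(flow, hmi_hosts):
    """Pair requests with responses by (device, peer, transaction id); report
    writes from hosts that are not known HMIs and readings that fall to zero."""
    findings, pending, last_read = [], {}, {}
    for t, src, dst, dport, data in flow:
        is_req = dport == MODBUS_PORT
        f = parse_frame(data, is_req)
        if is_req:
            pending[(dst, src, f["tid"])] = f
            if f["fc"] in WRITE_FUNCTIONS and src not in hmi_hosts:
                findings.append("%.2f %s from non-HMI host %s to %s: addr %d qty %d values %s"
                                % (t, f["name"], src, dst, f["addr"], f["qty"], sorted(set(f.get("values", [])))))
        else:
            req = pending.pop((src, dst, f["tid"]), None)
            if req and req["fc"] in (0x03, 0x04) and "values" in f:
                before = last_read.get(src)
                if before and any(before) and not any(f["values"]):
                    findings.append("%.2f readings from %s dropped to all zero (was %s)" % (t, src, before))
                last_read[src] = f["values"]
    return findings


if __name__ == "__main__":
    for line in analyse(FLOW, {HMI}):
        print(line)
```

The decoder relies on the MBAP length field agreeing with the payload and on the TCP direction to tell a request from a response, which is exactly what Wireshark's Modbus dissector does; the analysis then reproduces the talk's two observations, a Write Multiple Registers of 64 zeros from a host that is not the HMI, followed by the HMI's half-second polls returning zeros where 47 and 68 had been.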
So there are all these unknowns about that particular application that we need to dig into a bit more. Taking a step back, we can go back to the memory capture and Volatility and try to look at the browsing history, since Internet Explorer was running. I've highlighted some of the URLs that were returned by that command, and you can see there's a bit of a theme going on: the top four are around water systems and what look to be vendors of control-systems-type products, and then the one at the bottom stands out.

Then, using Wireshark, we can have a look at some of the requests that were sent to those hosts. Very quickly, what we can see here is a suspicious zip file that came from one of those water-themed domains. So we can actually extract this zip file from the pcap and have a look at it. Here I've just listed the contents of the zip file to give you a bit of a feel for what's in it. There's two screens of this; on the first screen there's some Windows API libraries at the top, then some Python libraries, there's also a client.exe in there, which is interesting, and a whole lot of Python artifacts. It looks like this could possibly be an executable that was built using Python; there are public tools that basically bundle Python files together into an exe, so you can literally unpack the executable, which is what I've done here. I've just listed the contents of that exe and you can see a client.py there, and a whole lot of Python code that we could pull out, have a look at and try to understand.

So just looking at the top of client.py, we see at the very top there references to third-party modules, and most interestingly a reference to a DNS resolver. That's interesting; what would it be using DNS for? And then below that we see some configuration. With more time than we have now, you can read through this script and all of these files to get a pretty clear picture of what it does. I mentioned DNS; if you search for some of these strings in Google, it's actually code from GitHub that allows you to use DNS for command and control. So client.exe is actually written to query DNS to receive commands about what it's going to do when it's interacting with the network. If we go back to the packet capture we can actually have a look at some of this command and control traffic; you can pull it out and have a look at it, but it's probably encrypted, going by what's in the Python. So we've got a pretty good picture of what client.exe does. Now the main remaining question that we're going to answer is how it got there.
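Added illustration (not the talk's or the challenge's code): one way to spot DNS-based command and control like client.exe's in a query log, using per-zone counts of unique subdomains, label length, Shannon entropy and TXT/NULL query types. The query names are constructed, the thresholds and the two-label zone heuristic are assumptions, and nothing here is specific to the GitHub project the talk refers to.

```python
"""Heuristic detection of DNS used as a command-and-control channel: many
unique, long, high-entropy subdomains under one zone, often queried as TXT
or NULL records. Runs over a constructed query log."""
import hashlib
import math
from collections import defaultdict


def shannon_entropy(text):
    """Bits per character; hex or base32 payload labels sit near 4, words well below 3."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def zone_of(qname):
    """Zone a query belongs to. Assumption: the last two labels; a real
    deployment would consult the public suffix list instead."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def profile_zones(queries):
    """queries: iterable of (qname, qtype). Returns per-zone counters."""
    stats = defaultdict(lambda: {"unique": set(), "label_len": [], "entropy": [], "txt_null": 0})
    for qname, qtype in queries:
        st = stats[zone_of(qname)]
        st["unique"].add(qname.lower())
        labels = qname.rstrip(".").split(".")[:-2]          # everything below the zone
        if labels:
            st["label_len"].append(max(len(label) for label in labels))
            st["entropy"].append(shannon_entropy(labels[0]))  # leftmost label carries the payload
        if qtype.upper() in ("TXT", "NULL"):
            st["txt_null"] += 1
    return stats


def suspicious_zones(queries, min_unique=10, min_label=20, min_entropy=3.0):
    """Zones whose subdomain traffic looks like an encoded data channel.
    Thresholds are assumptions to tune against the site's own baseline."""
    out = {}
    for zone, st in profile_zones(queries).items():
        if not st["label_len"]:
            continue
        mean_len = sum(st["label_len"]) / len(st["label_len"])
        mean_ent = sum(st["entropy"]) / len(st["entropy"])
        if len(st["unique"]) >= min_unique and mean_len >= min_label and mean_ent >= min_entropy:
            out[zone] = {"unique_names": len(st["unique"]), "mean_label_len": round(mean_len, 1),
                         "mean_entropy": round(mean_ent, 2), "txt_null": st["txt_null"]}
    return out


def constructed_queries():
    """Constructed sample: routine lookups plus 24 tunnel-style TXT queries
    whose leftmost label is 48 hex characters (a hash standing in for an
    encrypted command chunk) under c2.example.net."""
    routine = [("www.example.com", "A"), ("update.example.org", "A"),
               ("pool.ntp.org", "A"), ("scada-vendor.example.com", "A")] * 5
    tunnel = [(hashlib.sha256(("chunk%d" % i).encode()).hexdigest()[:48] + ".c2.example.net", "TXT")
              for i in range(24)]
    return routine + tunnel


if __name__ == "__main__":
    for zone, info in suspicious_zones(constructed_queries()).items():
        print(zone, info)
```

Because the payload is encrypted, the content of the queries tells you nothing, so the detection leans on shape instead: an ordinary zone sees a handful of short, repeated names, whereas a tunnel produces a stream of never-repeating labels that look like hex or base32. On the constructed log only the zone carrying the 24 hashed labels is reported.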
On this slide there's software.html, which we realised was one of the pages the workstation browsed to on that website. Having a look at software.html, it's a very suspicious-looking piece of JavaScript and Visual Basic Script. If we read through it, you can see there's actually an exploit going on here. In the middle of that file you can pull out the set of commands that are run to download that zip file, unzip it, and execute that client.exe process. So that's all happening in the browser, and that's just the proof of concept for an exploit of a vulnerability in Internet Explorer: basically a vulnerability in IE that allows this to happen without the user knowing, downloading files and executing them. This type of exploit is open on workstations that aren't updated.

So to wrap it up very quickly, that was a really quick run through of the challenge. You had a watering hole website that the engineer browsed to, which resulted in the delivery of a malware file onto their workstation. That malware started sending DNS queries to command and control, so it gave the attacker some understanding of the host, then it connected to a handful of hosts running Modbus; we saw the TCP connect scan on port 502 to hosts on the network, the three hosts that we saw earlier, and then it sent that Write Multiple Registers command.