HTB-BFT

This post was last updated on the evening of 29 March 2025

MFT forensics, so much fun (new knowledge again, yay www)! Level: Very Easy

Introduction

In this Sherlock, you will become acquainted with MFT (Master File Table) forensics. You will be introduced to well-known tools and methodologies for analyzing MFT artifacts to identify malicious activity. During our analysis, you will utilize the MFTECmd tool to parse the provided MFT file, TimeLine Explorer to open and analyze the results from the parsed MFT, and a Hex editor to recover file contents from the MFT.

Converting the format

First convert $MFT into a .csv file with MFTECmd (the first quoted argument is the path to the $MFT file, the second the output directory):

MFTECmd.exe -f "$MFT 路径" --csv "Output 路径"

Open the .csv file in Timeline Explorer

Searching for .zip narrows the results down to Stage-20240213T093324Z-001.zip

Task 1
Simon Stark was targeted by attackers on February 13. He downloaded a ZIP file from a link received in an email. What was the name of the ZIP file he downloaded from the link?

Answer: Stage-20240213T093324Z-001.zip

Finding the HostUrl

Reload and open the file, then filter for .zip files and look at the Zone Id Contents column to find the HostUrl

HostUrl = https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser

Task 2
Examine the Zone Identifier contents for the initially downloaded ZIP file. This field reveals the HostUrl from where the file was downloaded, serving as a valuable Indicator of Compromise (IOC) in our investigation/analysis. What is the full Host URL from where this ZIP file was downloaded?

Answer: https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser

Finding the path and name of the malicious file

Since we have already found the malicious archive, and the question says something from it was executed, this time we can filter directly by name for anything related to Stage-20240213T093324Z-001

We find that under Stage-20240213T093324Z-001\Stage\invoice there is a folder holding an invoices.zip (an archive inside an archive, really?), and that archive in turn contains an invoice.bat file, which is the malicious file we are looking for

Task 3
What is the full path and name of the malicious file that executed malicious code and connected to a C2 server?

Answer: C:\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices\invoice.bat

Identifying the timestamp

Look at the Created0x30 column and read off the time on the invoice.bat row. (0x30 is the $FILE_NAME attribute; its timestamps are harder to tamper with than the $STANDARD_INFORMATION ones in Created0x10, which common timestomping tools alter.)

Task 4
Analyze the $Created0x30 timestamp for the previously identified file. When was this file created on disk?

Answer: 2024-02-13 16:38:39
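Tasks 1 through 4 above are all answered by filtering the MFTECmd CSV in Timeline Explorer. The same triage can be scripted, which is handy when the export has hundreds of thousands of rows. The following is an added example and not part of the original writeup or of MFTECmd itself: the CSV is constructed in the shape of MFTECmd's --csv output (the column names EntryNumber, ParentPath, FileName, Extension, Created0x30 and ZoneIdContents are assumed to match its headers, and ParentPath is assumed to be relative to the volume root), the zip name, HostUrl, stager path and Created0x30 value are the ones reported above, and every other row and value is made up.

```python
"""Triage an MFTECmd CSV export without opening Timeline Explorer. Added
example: the CSV below is constructed in the shape of MFTECmd's --csv output
(column names assumed to match its headers); the zip name, HostUrl, stager
path and Created0x30 are the values reported in the writeup, the rest is made up."""
import csv
import io

SAMPLE_CSV = (
    "EntryNumber,ParentPath,FileName,Extension,Created0x30,ZoneIdContents\n"
    "40000,.\\Windows\\System32,notepad.exe,.exe,2023-11-01 08:00:00,\n"
    "23430,.\\Users\\simon.stark\\Downloads,Stage-20240213T093324Z-001.zip,.zip,"
    '2024-02-13 16:37:12,"[ZoneTransfer]\nZoneId=3\n'
    "HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/"
    "20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/"
    'c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser\n"\n'
    "23434,.\\Users\\simon.stark\\Downloads\\Stage-20240213T093324Z-001\\Stage\\invoice,"
    "invoices.zip,.zip,2024-02-13 16:38:30,\n"
    "23436,.\\Users\\simon.stark\\Downloads\\Stage-20240213T093324Z-001\\Stage\\invoice\\invoices,"
    "invoice.bat,.bat,2024-02-13 16:38:39,\n"
)


def load_rows(csv_text):
    """One row per MFT entry; the Zone.Identifier field is quoted and spans lines."""
    return list(csv.DictReader(io.StringIO(csv_text, newline="")))


def parse_zone_identifier(contents):
    """The Zone.Identifier ADS is INI text: a [ZoneTransfer] header, then key=value lines."""
    fields = {}
    for line in contents.splitlines():
        key, sep, value = line.partition("=")
        if sep and not line.startswith("["):
            fields[key.strip()] = value.strip()
    return fields


def host_url(row):
    """HostUrl recorded by the browser when the file was downloaded (an IOC)."""
    return parse_zone_identifier(row.get("ZoneIdContents") or "").get("HostUrl")


def full_path(row, drive="C:"):
    """Rebuild the on-disk path; ParentPath is assumed to start with '.' for the volume root."""
    parent = row["ParentPath"]
    parent = parent[1:] if parent.startswith(".") else parent
    return f"{drive}{parent}\\{row['FileName']}"


def downloaded_archives(rows):
    """Archives still carrying a Zone.Identifier with a HostUrl (mark-of-the-web)."""
    return [r for r in rows if r["Extension"].lower() == ".zip" and host_url(r)]


def files_under(rows, fragment, ext=None):
    """Entries whose parent path mentions `fragment`, optionally filtered by extension."""
    return [r for r in rows if fragment.lower() in r["ParentPath"].lower()
            and (ext is None or r["Extension"].lower() == ext)]


def triage(csv_text):
    """Answer Tasks 1-4 from the CSV alone: downloaded zip, its origin, the .bat
    extracted from it, and that file's $FILE_NAME creation time."""
    rows = load_rows(csv_text)
    archive = downloaded_archives(rows)[0]
    stem = archive["FileName"].rsplit(".", 1)[0]          # name of the extracted folder
    stager = files_under(rows, stem, ".bat")[0]
    return {
        "zip_name": archive["FileName"],
        "host_url": host_url(archive),
        "stager_path": full_path(stager),
        "created0x30": stager["Created0x30"],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```

Point the loader at a real export by replacing SAMPLE_CSV with the file contents; the only lab-specific assumption in triage() is that the stager is the .bat that lives under a folder named after the downloaded archive.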

Computing the hex offset of the stager file in the MFT

Find the Entry Number column; the value on the .bat file's row is 23436. Multiply by 1024 and convert to hexadecimal to get 16E3000

Task 5
Finding the hex offset of an MFT record is beneficial in many investigative scenarios. Find the hex offset of the stager file from Question 3.

Answer: 16E3000

Finding the contents of the resident file

Going by the hint "they can be stored directly on MFT File itself", we open the $MFT file in 010 Editor, jump to the 16E3000 address computed earlier, and scrolling down we find traces of powershell.exe together with an IP address

Found: 43.204.110.203:6666

Task 6
Each MFT record is 1024 bytes in size. If a file on disk has a smaller size than 1024 bytes, it can be stored directly in the MFT file itself. These are called MFT resident files. During a Windows file system investigation, it's crucial to look for any malicious/suspicious files that may be resident in the MFT. This way we can find the contents of malicious files/scripts. Find the contents of the malicious stager identified in Question 3 and answer with the C2 IP and port.

Answer: 43.204.110.203:6666

MFT

MFT overview

The MFT (Master File Table) is a key component of the NTFS file system and holds a great deal of information:

  • File and directory attributes: permissions, owner, creation time, modification time, access time, and so on.
  • The physical location of file data: the MFT records where a file's data is stored on disk.
  • File names: the MFT stores the names of files and directories.

Every file or directory has a fixed-size (1024-byte) record in the MFT, containing the file name, timestamps, size, data location, and so on.

Entry Number

The Entry Number (MFT record number) is the unique identifier of each file/directory in the $MFT file, and from it you can compute the record's starting byte position within $MFT. If a file's MFT Entry Number is 1000, its byte offset is computed as follows:

1000 × 1024 = 1024000

This means the record starts at byte 1024000 (roughly 1 MB) of the $MFT file
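The offset calculation in this section and the hex-editor recovery in Tasks 5 and 6 can be done in code, which also exposes a detail that a raw hex view hides: NTFS writes an update sequence number over the last two bytes of every 512-byte sector of a record and keeps the original bytes in the record header, so a resident script that crosses byte 510 of its record has two bytes swapped out until those fixups are undone. The following is an added example, not code from the writeup or from any of the tools it uses. The $MFT image is constructed in code (a zero-filled buffer with one FILE record built from the documented on-disk layout, placed at entry 23436 from the writeup); the batch file content is a made-up stand-in that only carries the C2 endpoint reported above, and the 1024-byte record size is the common default rather than a value read from a boot sector.

```python
"""Locate an MFT record by entry number, undo its fixups and recover a resident
$DATA stream. Added example: the $MFT image is constructed below, not the lab's
file; only the entry number 23436 and the C2 endpoint come from the writeup."""
import re
import struct

RECORD_SIZE = 1024   # common default; the real size is in the NTFS boot sector
SECTOR = 512
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF


def record_offset(entry_number, record_size=RECORD_SIZE):
    """Byte offset of an entry inside $MFT: entry number * record size."""
    return entry_number * record_size


def resident_attr(atype, content):
    """Resident attribute: 24-byte header, content at +0x18, length 8-aligned."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0x18, 0, 0,
                      len(content), 0x18, 0, 0)
    return (hdr + content).ljust(length, b"\0")


def build_record(entry_number, data):
    """In-use FILE record carrying `data` as a resident $DATA stream, stamped
    with update-sequence fixups the way NTFS writes a record to disk."""
    usa_count = 1 + RECORD_SIZE // SECTOR          # USN + one slot per sector
    first_attr = (0x30 + 2 * usa_count + 7) & ~7   # attributes start 8-aligned
    attrs = resident_attr(ATTR_DATA, data) + struct.pack("<II", ATTR_END, 0)
    if first_attr + len(attrs) > RECORD_SIZE:
        raise ValueError("data too large to stay resident")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, usa_count, 0, 1, 1, first_attr,
                      0x01, first_attr + len(attrs), RECORD_SIZE, 0, 1, 0, entry_number)
    rec = bytearray((hdr.ljust(first_attr, b"\0") + attrs).ljust(RECORD_SIZE, b"\0"))
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]   # save the real last two bytes
        rec[end - 2:end] = usn                                # and stamp the USN over them
    return bytes(rec)


def apply_fixups(rec):
    """Undo the USN stamping in place; a mismatch means a torn or corrupt record."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]


def parse_record(mft, entry_number, fix=True):
    """Return offset, in-use flag and every resident $DATA stream of one record,
    keyed by stream name ('' is the main stream, anything else is an ADS)."""
    off = record_offset(entry_number)
    rec = bytearray(mft[off:off + RECORD_SIZE])
    if rec[:4] != b"FILE":
        raise ValueError(f"no FILE signature at {off:#x}")
    if fix:
        apply_fixups(rec)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"offset_hex": f"{off:X}", "in_use": bool(flags & 1), "streams": {}}
    pos = first_attr
    while pos + 8 <= RECORD_SIZE:
        atype, length = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or length == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        if atype == ATTR_DATA and not nonres:   # non-resident data lives in clusters
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            sname = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
            info["streams"][sname] = bytes(rec[pos + coff:pos + coff + clen])
        pos += length
    return info


def extract_c2(data):
    """First ip:port pair in a recovered script, or None."""
    m = re.search(rb"\b\d{1,3}(?:\.\d{1,3}){3}:\d{1,5}\b", data)
    return m.group(0).decode() if m else None


# Constructed stand-in for invoice.bat (not the real stager); padded so the
# stream crosses byte 512 of the record and the fixup path actually matters.
STAGER = (b"@echo off\r\n"
          b"powershell.exe -NoProfile -Command \"# would contact 43.204.110.203:6666\"\r\n"
          b"rem " + b"=" * 360 + b"\r\n")


def build_sample_mft():
    """Zero-filled $MFT image with the constructed record at entry 23436."""
    mft = bytearray(RECORD_SIZE * 23440)
    off = record_offset(23436)
    mft[off:off + RECORD_SIZE] = build_record(23436, STAGER)
    return mft


def demo():
    info = parse_record(build_sample_mft(), 23436)
    info["c2"] = extract_c2(info["streams"][""])
    return info


if __name__ == "__main__":
    r = demo()
    print(r["offset_hex"], r["c2"], r["streams"][""][:40])
```

Running parse_record with fix=False returns the bytes exactly as a hex editor shows them, which for this record means two bytes of the script replaced by the USN; for short scripts that never cross a sector boundary the hex-editor view is already correct, which is why the manual approach in Task 6 works. On a real $MFT, read the record size from the boot sector first, and note that parse_record only returns resident streams: a larger file's $DATA attribute is non-resident and its content has to be followed into clusters instead.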