Compromised Windows Server 2022 (simulation)

This series of pages will examine a data set provided by Benjamin Donnachie involving a compromised Windows Server 2022 (simulation data).

To download the E01 set, visit the URL below.

https://ordo.open.ac.uk/articles/dataset/Compromised_Windows_Server_2022_simulation_/26038642/1?file=47197528

Simulated network intrusion as part of research to develop artificial intelligence / machine learning for post-breach triage. All information contained within the image (including but not limited to usernames and IP addresses) is synthetic.

The scenario is described as follows:

Simulated UK-based small office network running from Sept 2023 to Feb 2024. The administrator opened RDP to facilitate working from home. As part of the scenario, on 12th Feb 2024 it was discovered that the server was no longer responding, with 'Red Petya' ransomware displayed on the screen. Forensic experts were engaged, the disk decrypted and a forensic image taken in EnCase E01 format (also known as Expert Witness Format).

To begin, we should construct a rough investigation plan with our identified objectives. This usually differs based on the scenario, the context of the analysis (i.e. is it a triage review, an in-depth forensic analysis, or a second-opinion analysis?) and what we are trying to identify. Investigation plans can start off fairly simple, such as trying to establish a rough timeline of events and then adding to it as the investigation evolves, or they can address a specific query from the outset.

We can use the 12th February 2024 as a time marker. That's the point when the incident was discovered, so we want to find out what happened before, immediately prior to, and on the 12th February.

  1. What happened before 12th February 2024

  2. What happened immediately prior to 12th February 2024

  3. What happened on/around 12th February 2024

  4. What happened after 12th February 2024 (documented containment/isolation steps)

Add to these the commonly asked questions (reasonable assumptions given the nature of the incident):

  1. How did the ransomware get onto the system?

  2. Were any vulnerabilities exploited?

  3. Were any accounts compromised?

  4. Was any data exfiltrated/stolen?

  5. What identifiers can be obtained from the host? (source IP addresses, usernames, file hashes, etc.)

  6. What Tools, Techniques, and Procedures (TTPs) were employed during the attack?

If this analysis is being done to support a root cause analysis or some kind of civil/criminal litigation, there may be more pointed questions guided by attorneys/counsel or other stakeholders.

There may also be other commonly asked questions which you may be able to anticipate. Some of these help frame your analysis report and give context to the incident for external third parties/stakeholders.

  1. Which operating system was running and which version was it?

  2. Was the operating system updated with the most current security patches? Were any missing?

  3. What services (such as file sharing, remote desktop, web services) did the host offer?

  4. Did any user accounts have weak passwords?

With those questions in mind, we'll explore how to examine and process this data using the following tools:

  • FTK Imager (commercial, free)

  • Autopsy (opensource, free)

  • Plaso (opensource, free)

  • AXIOM - Magnet Forensics (commercial, paid)