In this post, I would like to share some walkthroughs on the Sherlock Challenges such as Procnet which can be considered a Hard Difficulty which can be found here

Introduction of Procnet Challenge


In this challenge, With the rising utilization of open-source C2 frameworks by threat actors, our red team has simulated the functionalities of one such widely employed framework. The objective of this exercise is to aid blue teams in strengthening their defences against these specific threats. We have been provided with PCAP files and APIs collected during the event, which will serve as valuable resources. Let us now initiate the hunting process.


Using the API Monitor: We are well-acquainted with opening PCAP and .EVTX files, but what are .apmx64 ? The .apmx64 file extension is associated with API Monitor, a software used to monitor and control API calls made by applications and services. To commence your analysis, follow the steps provided below: Download the API Monitor Navigate to “Files” and click on “Open” to view captured data from the file: “Employee.apmx64” or “DC01.apmx64” After opening the file, the “Monitoring Process” window will populate with a list of processes. Expand the view by clicking the ‘+’ symbol to reveal the modules and threads associated with each process. The API calls can be observed in the “Summary” window. To focus our analysis on a specific module, click on the different DLLs loaded by the processes.


TIP: When conducting analysis, it is advisable to examine the API calls made by the process itself, rather than focusing solely on DLLs. For instance, if I intend to analyze the API calls of a process named csgo.exe, I will initially expand the view by clicking the ‘+’ symbol. Then, I will narrow down my analysis specifically to ‘csgo.exe’ by selecting it, and I can further analyze other DLLs as needed.

Case Scenario on Procnet Challenge

With the rising utilization of open-source C2 frameworks by threat actors, our red team has simulated the functionalities of one such widely employed framework. The objective of this exercise is to aid blue teams in strengthening their defenses against these specific threats. We have been provided with PCAP files and APIs collected during the event, which will serve as valuable resources. Let us now initiate the hunting process.
 
Using the API Monitor:
 
We are well-acquainted with opening PCAP and .EVTX files, but what are .apmx64 ? The .apmx64 file extension is associated with API Monitor, a software used to monitor and control API calls made by applications and services. To commence your analysis, follow the steps provided below:
 
Download the API Monitor
Navigate to "Files" and click on "Open" to view captured data from the file: "Employee.apmx64" or "DC01.apmx64"
After opening the file, the "Monitoring Process" window will populate with a list of processes. Expand the view by clicking the '+' symbol to reveal the modules and threads associated with each process.
The API calls can be observed in the "Summary" window. To focus our analysis on a specific module, click on the different DLLs loaded by the processes.
TIP: When conducting analysis, it is advisable to begin by examining the API calls made by the process itself, rather than focusing solely on DLLs. For instance, if I intend to analyze the API calls of a process named csgo.exe, I will initially expand the view by clicking the '+' symbol. Then, I will narrow down my analysis specifically to 'csgo.exe' by selecting it, and I can further analyze other DLLs as needed.

Let’s start working on the Sherlock challenge of procnet


As usual, we should be downloading the file onto our machine.


We can extract the file by using the zip command

A screenshot of a computer program

Description automatically generated

For this activity, we can use the apimonitor-x64.exe which can be downloaded from here. I’m pretty lazy about switching back and forth between Windows and Linux on the same VMware which led me to use wine on Linux Operating System.

sudo apt install wine && sudo apt install libwine

If you are not installing the Wine tool on your Linux Operating System, you can use the command above to install it


We will be using the Wireshark tool also to analyze the pcapng file for this Sherlock challenge

1. To which IP Address and port number is the malware attempting to establish a connection?


After analysing the Employee.apmx64 file by using the Api Monitor tool, I noticed that there’s a URL containing an IP Address which could be our answer to this question


However, we cannot see the port using the Api Monitor tool, therefore we will be using Wireshark to retrieve the port by filtering with ip.addr == 10.10.0.79 && ip.addr == 3.6.165.8 syntax

2. Now that you are aware of the IP address and port number, what is the JA3 fingerprint of the C2 server?


Under the packet of 293 Client Hello, we should be able to retrieve the JA3 fingerprint

3. What is the name of the C2 framework being utilized by the red team?


I notice there is a packet like GET /csgo.exe where we can investigate further


When we analyze by following the TCP stream, I have noticed some programs cannot be readable


Therefore, let’s save the raw data on our machine

A black background with green text

Description automatically generated

I found it weird that the file clarification mentioned only “data

A computer screen with green text

Description automatically generated

Nothing is shown useful when running ExifTool


As a result, we were required to remove the upper packet information and we managed to retrieve a different response


Even if we managed to retrieve a different output using ExifTool


I uploaded the file on VirusTotal and surprisingly I got a few red flag

A screen shot of a computer

Description automatically generated

The popular threat label is trojan.sliver which sliver might be the C2 framework

4. Which WIN32 API provided the red team with the current directory information?


After carefully the csgo.exe on the API monitor, I did notice that GetCurrentDirectoryW might the WIN32 API that we looking for

5. Now that we have identified the C2 framework utilized by the red team, which C2 command is responsible for opening notepad.exe by default and loading the .NET CLR into it?


After doing some research, I managed to find the C2 command that might be used in this Procnet challenge which could be execute-assembly

6. What is the name of the module (DLL) that was loaded to gain access to Windows Vault?


There’s a Monitored Process that looks interesting which is vaultcli.dll

7. After loading the mentioned module, a series of WIN32 APIs were loaded. Which specific Win32 API is responsible for enumerating vaults?


I will be looking at the command log which I found VaultEnumerateVaultsW and VaultEnumerateVaults

8. Which command did the attacker execute to identify domain admins?


I have found it weird on the csgo.exe where there’s a Windows command. As a result, it mxt

9. The red team has provided us with a hint that they utilized one of the tools from “ARMORY” for lateral movement to DC01. What is the name of the tool?


I was wondering about the information for this question. However, nothing comes out of my head. Therefore,I was googling the answer and found it on the website about the tools from ARMORY. The answer is sharpwmi

10. Which command was executed by the red team to extract/dump the contents of NTDS.DIT?


When analysing on DC version of apmx64 file, I noticed there is a command that stands which could be the answer to this question

11. The red team has obtained the aforementioned dump by compressing it into a ZIP file. Which specific Win32 API is responsible for retrieving the full path of the file to be downloaded?


I also noticed that the GetFullPathName is been used for the fifa24.exe