// CyberDefenders  ·  Network Forensics

Lockdown

CyberDefenders Easy [CyberChef, Wireshark, VirusTotal, Volatility]
[Execution, Persistence, Privilege Escalation, Defense Evasion, Discovery, Lateral Movement, Command and Control]

Scenario

TechNova Systems’ SOC detected suspicious outbound traffic from a public-facing IIS server. Three artefacts were provided for analysis: a PCAP of the initial traffic, a full memory image of the server, and a malware sample recovered from disk. The goal was to reconstruct the full intrusion timeline and identify all attacker activity.


Tooling

Wireshark (conversation statistics and SMB2 filtering), CyberChef (From Hex), Volatility 3 (the vol command: windows.info, windows.pstree, windows.cmdline) and VirusTotal (hash lookup and family attribution).

Investigation

Reconnaissance — Network Service Discovery

Conversation statistics in Wireshark immediately revealed a high volume of traffic originating from 10.0.2.4, consistent with rapid-fire probing of the IIS host.

lockdown_conversions.png

Filtering for SMB2 traffic from the attacker IP exposed targeted share enumeration:

ip.addr==10.0.2.4 && smb2

Two consecutive Tree Connect requests show the attacker connecting to two UNC paths on the IIS host, the Documents share and the IPC$ administrative share:

\\10.0.2.15\Documents
\\10.0.2.15\IPC$

This activity maps to MITRE T1046 — Network Service Discovery.


Initial Access — Webshell Upload via SMB

Continuing to follow the attacker's SMB2 traffic revealed an SMB2 Write Request uploading shell.aspx to the Documents share; the Length field of the Write Request specified 1015024 bytes:

lockdown_smb_upload.png

Because the Documents share is served by the web server, the uploaded ASPX webshell was reachable over HTTP and gave the attacker remote code execution on the IIS server.
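The two SMB2 messages the investigation hinges on, TREE_CONNECT (carrying the UNC path) and WRITE (carrying the Length and the file bytes), have fixed layouts that are worth seeing once outside Wireshark. The Python below is an added example, not code from the writeup or the challenge files: it builds both requests per MS-SMB2 (header 2.2.1.2, TREE_CONNECT 2.2.9, WRITE 2.2.21) and parses them back to the fields an analyst reads off the packet list. The session is constructed; the share paths are the ones from the PCAP, while the session id, tree id, file id and payload bytes are made up.

```python
"""Build and parse SMB2 TREE_CONNECT and WRITE requests (added example; the sample session is constructed)."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_TREE_CONNECT = 0x0003
SMB2_WRITE = 0x0009
HDR_FMT = "<4sHHIHHIIQIIQ16s"   # 64-byte synchronous SMB2 header (MS-SMB2 2.2.1.2)
HDR_LEN = struct.calcsize(HDR_FMT)
TC_FMT = "<HHHH"                 # StructureSize, Flags, PathOffset, PathLength (2.2.9)
WRITE_FMT = "<HHIQ16sIIHHI"      # StructureSize .. Flags, the 48-byte fixed part (2.2.21)


def smb2_header(command, message_id, tree_id=0, session_id=0):
    """Request header: StructureSize 64, credit charge/request 1, status/flags/next-command 0, zero signature."""
    return struct.pack(HDR_FMT, SMB2_MAGIC, 64, 1, 0, command, 1, 0, 0,
                       message_id, 0, tree_id, session_id, b"\0" * 16)


def tree_connect_request(unc_path, message_id, session_id):
    """TREE_CONNECT: the share path is UTF-16LE and PathOffset counts from the start of the SMB2 header."""
    path = unc_path.encode("utf-16-le")
    body = struct.pack(TC_FMT, 9, 0, HDR_LEN + struct.calcsize(TC_FMT), len(path)) + path
    return smb2_header(SMB2_TREE_CONNECT, message_id, 0, session_id) + body


def write_request(file_id, data, message_id, tree_id, session_id, offset=0):
    """WRITE: Length is the byte count of the data that follows at DataOffset (the value Wireshark shows)."""
    fixed = struct.calcsize(WRITE_FMT)
    body = struct.pack(WRITE_FMT, 49, HDR_LEN + fixed, len(data), offset, file_id,
                       0, 0, 0, 0, 0) + data
    return smb2_header(SMB2_WRITE, message_id, tree_id, session_id) + body


def parse_smb2(pkt):
    """Decode the header and, for TREE_CONNECT / WRITE requests, the fields an analyst cares about."""
    if len(pkt) < HDR_LEN or pkt[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message")
    (_, ssize, _, _, cmd, _, flags, _, msg_id, _, tree_id, sess_id, _) = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    if ssize != 64:
        raise ValueError("bad SMB2 header StructureSize")
    info = {"command": cmd, "message_id": msg_id, "tree_id": tree_id, "session_id": sess_id,
            "is_response": bool(flags & 0x1)}   # SMB2_FLAGS_SERVER_TO_REDIR marks a response
    body = pkt[HDR_LEN:]
    if info["is_response"]:
        return info
    if cmd == SMB2_TREE_CONNECT:
        _, _, path_off, path_len = struct.unpack(TC_FMT, body[:8])
        info["path"] = pkt[path_off:path_off + path_len].decode("utf-16-le")
    elif cmd == SMB2_WRITE:
        _, data_off, length, offset, file_id, *_ = struct.unpack(WRITE_FMT, body[:48])
        info.update(length=length, offset=offset, file_id=file_id.hex(), data=pkt[data_off:data_off + length])
    return info


def summarize(packets):
    """Return the (command, detail) pairs pulled from the capture: share paths and write lengths, in order."""
    out = []
    for pkt in packets:
        info = parse_smb2(pkt)
        if info["command"] == SMB2_TREE_CONNECT and "path" in info:
            out.append(("TREE_CONNECT", info["path"]))
        elif info["command"] == SMB2_WRITE and "length" in info:
            out.append(("WRITE", info["length"]))
    return out


# Constructed session: the share paths are the ones from the PCAP; ids and payload are made up.
WEBSHELL_STUB = b'<%@ Page Language="C#" %><%-- constructed stand-in for shell.aspx --%>'
SAMPLE_SESSION = [
    tree_connect_request(r"\\10.0.2.15\Documents", 3, 0x1111),
    tree_connect_request(r"\\10.0.2.15\IPC$", 4, 0x1111),
    write_request(b"\x01" * 16, WEBSHELL_STUB, 7, 0x5, 0x1111),
]

if __name__ == "__main__":
    for entry in summarize(SAMPLE_SESSION):
        print(*entry)
```

The WRITE Length field is authoritative for the size of what landed on disk only if the write was not split across several requests; when carving an upload from a real capture, sum the Length of every WRITE to the same FileId and check the Offset values are contiguous.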


Execution — Reverse Shell

Reviewing conversation statistics confirmed outbound callback traffic from the IIS host to the attacker on an uncommon but firewall-friendly port, 4443:

The hex blob embedded in the uploaded shell was extracted and decoded in CyberChef with From Hex, revealing a file starting with the MZ header, i.e. a PE executable, which confirmed that the shell carried a binary payload rather than plain script. SHA-256 of the reconstructed file (the 64 hex digits below are a SHA-256, not an MD5):

94bf1fafad9c0b1b3570922da19ed68f4930ea855c54fbf844fe4d9be8d6a133

VirusTotal identified the sample as Trojan.Meterpreter/Shellcode.

Memory Forensics — Volatility Analysis

With the memory image acquired, Volatility was used to examine the running system state.

System information:

```bash
vol -f memdump.mem windows.info
```

Process tree analysis:

```bash
vol -f memdump.mem windows.pstree
```

lockdown_pstree.png

The process tree revealed w3wp.exe (IIS worker process, PID 4332) spawning a suspicious child process, updatenow.exe (PID 900), which is not part of the IIS stack. An IIS worker process launching an unfamiliar executable is a clear indicator of webshell-driven execution.

Command line enumeration:

```bash
vol -f memdump.mem windows.cmdline
```

This confirmed the persistence implant path:

```
900 updatenow.exe "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe"
```

Dropping an executable into the Startup folder maps to MITRE T1547 — Boot or Logon Autostart Execution, ensuring the implant survives reboots.
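The two findings above (an unexpected descendant of the IIS worker, and an executable running out of a Startup folder) can be turned into a check over a whole process list rather than spotted by eye. The Python below is an added example, not part of the writeup or of any Volatility plugin: it takes (pid, ppid, name, cmdline) records of the kind windows.pstree and windows.cmdline give you, walks each process's ancestry, and flags anything that descends from w3wp.exe or whose command line points into a Start Menu\Programs\Startup folder. The rows are constructed; only the w3wp.exe (4332) and updatenow.exe (900) entries and the Startup path come from the memory analysis above, and the cmd.exe row exists purely to exercise the ancestry check.

```python
"""Flag webshell execution chains and Startup-folder implants in a process list (added example, constructed rows)."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name cmdline")

IIS_WORKER = "w3wp.exe"
# Both the per-user and the ProgramData Startup folders contain this path fragment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"


def ancestor_names(by_pid, pid):
    """Lower-cased image names of every ancestor of pid that is present in the list (loop-safe)."""
    names, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        pid = by_pid[pid].ppid
        if pid in by_pid:
            names.append(by_pid[pid].name.lower())
    return names


def flag_processes(procs):
    """Return (pid, name, reasons) for every process that descends from the IIS worker or runs from a Startup folder."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        reasons = []
        if IIS_WORKER in ancestor_names(by_pid, p.pid):
            reasons.append("descends from w3wp.exe")
        if STARTUP_MARKER in p.cmdline.lower():
            reasons.append("launched from Startup folder (T1547)")
        if reasons:
            hits.append((p.pid, p.name, reasons))
    return hits


# Constructed process list; PIDs 4332 and 900 and the updatenow.exe path are from the memory analysis above.
SAMPLE_PROCS = [
    Proc(4, 0, "System", ""),
    Proc(700, 4, "services.exe", r"C:\Windows\system32\services.exe"),
    Proc(1200, 700, "svchost.exe", r"C:\Windows\system32\svchost.exe -k iissvcs"),
    Proc(4332, 1200, "w3wp.exe", r"c:\windows\system32\inetsrv\w3wp.exe -ap DefaultAppPool"),
    Proc(5100, 4332, "cmd.exe", r"cmd.exe /c whoami"),   # made-up row to exercise the ancestry check
    Proc(900, 4332, "updatenow.exe",
         r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe"),
    Proc(3000, 700, "spoolsv.exe", r"C:\Windows\System32\spoolsv.exe"),
]

if __name__ == "__main__":
    for pid, name, reasons in flag_processes(SAMPLE_PROCS):
        print(pid, name, "; ".join(reasons))
```

The ancestry walk matters because a webshell rarely launches the final implant directly; a cmd.exe or powershell.exe hop in between would still be caught, and PID reuse (note that the child 900 has a lower PID than its parent 4332) is irrelevant to the logic because it follows PPID links in the snapshot rather than PID ordering.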


Malware Analysis — AgentTesla

Static analysis of updatenow.exe revealed the binary was packed with UPX to hinder analysis and evade signature-based detection.
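The CyberChef step in the Execution section (From Hex on the shell's payload string, a check for the MZ header, then hashing the result) and the packer check on updatenow.exe above are the same few PE-header reads. The Python below is an added example, not code from the writeup: it carves the longest hex run out of a shell-like text, verifies the MZ and PE signatures via e_lfanew, computes the SHA-256 to pivot on in VirusTotal, and walks the COFF section table for the UPX0/UPX1 names that UPX leaves by default. The shell text and the PE it carries are constructed stubs (DOS header, PE signature, COFF header and an empty section table, no code), so the hash they produce is not the sample's.

```python
"""Triage a PE carried as a hex blob: decode, check MZ/PE headers, hash, and look for UPX section names (added example)."""
import hashlib
import re
import struct

HEX_RUN = re.compile(r"[0-9A-Fa-f]{64,}")   # a PE encoded as hex is one long run of hex digits in the shell source


def extract_hex_blob(text):
    """Decode the longest hex run in text; this is what CyberChef's From Hex did to the shell's payload string."""
    runs = HEX_RUN.findall(text)
    if not runs:
        raise ValueError("no hex blob found")
    blob = max(runs, key=len)
    if len(blob) % 2:
        blob = blob[:-1]   # a stray trailing nibble would make bytes.fromhex() fail
    return bytes.fromhex(blob)


def pe_offset(data):
    """Offset of the 'PE\\0\\0' signature (via e_lfanew at 0x3C), or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return e_lfanew


def sha256_hex(data):
    """SHA-256 of the reconstructed file, the value to pivot on in VirusTotal."""
    return hashlib.sha256(data).hexdigest()


def section_names(data):
    """Read NumberOfSections and SizeOfOptionalHeader from the COFF header and return the section names."""
    off = pe_offset(data)
    if off is None:
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", data, off + 6)[0]
    opt_size = struct.unpack_from("<H", data, off + 20)[0]
    table = off + 4 + 20 + opt_size   # signature + COFF header + optional header
    names = []
    for i in range(n_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # each section header is 40 bytes, name first
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """UPX names its sections UPX0/UPX1 by default; a cheap first signal that a motivated packer can rename away."""
    return any(name.startswith("UPX") for name in section_names(data))


def triage(text):
    """Everything the writeup did by hand on the carved binary, in one call."""
    data = extract_hex_blob(text)
    is_pe = pe_offset(data) is not None
    return {"size": len(data), "is_pe": is_pe, "sha256": sha256_hex(data),
            "upx": looks_upx_packed(data) if is_pe else False}


def build_stub_pe(names):
    """Constructed minimal PE for the demo: DOS header, PE signature, COFF header, empty section headers, no code."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)            # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(names), 0, 0, 0, 0, 0x22)  # x64, no optional header
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in names)
    return dos + b"PE\0\0" + coff + sections


# Constructed stand-in for a shell that embeds its payload as a hex string; not the real shell.aspx.
STUB = build_stub_pe(["UPX0", "UPX1", ".rsrc"])
SAMPLE_ASPX = ('<%@ Page Language="C#" %>\n'
               '<% /* constructed stand-in for the uploaded shell */ string payload = "' + STUB.hex() + '"; %>')

if __name__ == "__main__":
    print(triage(SAMPLE_ASPX))
```

Treat the section-name check as a hint, not a verdict: UPX -d can unpack a stock UPX binary for real static analysis, but a modified UPX or a different packer will not carry these names, and entropy or import-table sparsity are the next things to look at.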

Dynamic and threat intelligence analysis showed the malware beaconing to its C2 infrastructure at the FQDN cp8nl.hyperhost.ua:

VirusTotal open-source intelligence attributed the sample to the AgentTesla malware family — a well-known commodity RAT used for credential theft and keylogging.

lockdown_family.png

IOCs

| Type | Value |
| --- | --- |
| Attacker IP | 10[.]0[.]2[.]4 |
| IIS Host | 10[.]0[.]2[.]15 |
| Webshell | shell.aspx |
| Reverse Shell Port | 4443 |
| SHA256 | 94bf1fafad9c0b1b3570922da19ed68f4930ea855c54fbf844fe4d9be8d6a133 |
| Malware Family | AgentTesla |
| C2 FQDN | cp8nl[.]hyperhost[.]ua |
| Persistence Path | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe |
| Packer | UPX |
| Kernel Base | 0xf80079213000 |

Conclusion

The attacker conducted network service discovery against a public-facing IIS server, then used SMB to upload a Meterpreter ASPX webshell. The webshell provided code execution via the IIS worker process w3wp.exe, which was used to drop a UPX-packed AgentTesla implant into the Startup folder for persistence. Memory forensics confirmed the execution chain and identified the full on-disk path of the persistence mechanism. The malware beaconed to a Ukrainian hosting provider for C2 communications.


Challenge Questions

Q: After flooding the IIS host with rapid-fire probes, the attacker reveals their origin. Which IP address generated this reconnaissance traffic?
A: 10.0.2.4

Q: Zeroing in on a single open service to gain a foothold, the attacker carries out targeted enumeration. Which MITRE ATT&CK technique ID covers this activity?
A: T1046

Q: While reviewing the SMB traffic, you observe two consecutive Tree Connect requests that expose the first shares the intruder probes on the IIS host. Which two full UNC paths are accessed?
A: \\10.0.2.15\Documents, \\10.0.2.15\IPC$

Q: Inside the share, the attacker plants a web-accessible payload that will grant remote code execution. What is the filename of the malicious file they uploaded, and what byte length is specified in the corresponding SMB2 Write Request?
A: shell.aspx, 1015024

Q: The newly planted shell calls back to the attacker over an uncommon but firewall-friendly port. Which listening port did the attacker use for the reverse shell?
A: 4443

Q: Your memory snapshot captures the system's kernel in situ, providing vital context for the breach. What is the kernel base address in the dump?
A: 0xf80079213000

Q: A trusted service launches an unfamiliar executable residing outside the usual IIS stack, signalling a persistence implant. What is the final full on-disk path of that executable, and which MITRE ATT&CK persistence technique ID corresponds to this behaviour?
A: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\updatenow.exe, T1547

Q: The reverse shell's outbound traffic is handled by a built-in Windows process that also spawns the implanted executable. What is the name of this process, and what PID does it run under?
A: w3wp.exe, 4332

Q: Static inspection reveals the binary has been packed to hinder analysis. Which packer was used to obfuscate it?
A: UPX

Q: Threat-intel analysis shows the malware beaconing to its command-and-control host. Which fully qualified domain name (FQDN) does it contact?
A: cp8nl.hyperhost.ua

Q: Open-source intel associates that hash with a well-known commodity RAT. To which malware family does the sample belong?
A: AgentTesla