Forensic Investigation Report — Case SRL-2015: Stark Research Labs Network Intrusion

YARA rule APT_MAL_RU_WIN_Snake_Malware_May23_1 matched the nromanoff workstation disk image (win7-32-nromanoff-c-drive.E01) at multiple offsets. Snake (also known as Uroburos or Turla) is a sophisticated malware framework attributed to Russian state-sponsored threat actors (FSB/Turla Group).

Matched strings and offsets:
- $a (%s#1): 0x40185acb, 0x19bde4af4
- $b (%s#2): 0xcf4d7eb5, 0x21f3dd4f4, 0x23858697b
- $c (%s#3): 0x9fe213c0, 0xbc2aec88
- $d (%s#4): 0x1cf5077ee
- $e (.tmp): 0x1318dbe09
- $g (.sav): 0x7cce4d5f, 0xbe8db769, 0xe393815d, 0x1f2a86bf5
- $h (.upd): 0x243b5ba3, 0xe1b3df6f, 0x23ba42cdd

YARA Match Quality Assessment (Q8): The match quality is strong and inconsistent with a single false positive. The format strings %s#1 through %s#4 are Snake's characteristic internal component naming convention — a sequentially numbered pattern unlikely to appear in unrelated software. The file extensions .tmp, .sav, and .upd are Snake's kernel driver queue files and component storage formats. Critically, matches occur at 14+ distinct disk offsets spanning a wide range (0x243b5ba3 to 0x23ba42cdd), suggesting multiple copies or components consistent with Snake's modular architecture (kernel rootkit, usermode component, encrypted virtual filesystem). Multiple offset matches across different string patterns compound the statistical significance — each independent match reduces false positive probability.

However, confidence remains "inference" because: (1) this is a single YARA rule from one detection engine, and (2) no corroborating Snake-specific behavioral artifacts (e.g., Snake kernel driver, encrypted VFS containers) were identified through memory analysis of this system. The nromanoff system was a 32-bit Windows 7 machine whose memory dump was analyzed with Volatility but did not reveal Snake-specific rootkit behavior — possibly because Snake's rootkit operates at kernel level and may not be visible through standard Volatility plugins, or because the rootkit was not active at time of capture.

Snake malware typically deploys a kernel-mode rootkit for stealth, uses encrypted virtual filesystems for data storage, and implements sophisticated C2 communication channels. The presence on the nromanoff workstation (10.3.58.5) combined with the active SMB connection from this host to the domain controller supports possible lateral movement or command relay through the compromised workstation.

The domain account 'vibranium' (SID: S-1-5-21-2036804247-3058324640-2116585241-1673) was used to authenticate to the domain controller (10.3.58.4) from TWO different compromised workstations on the same day, establishing a definitive link between the intrusions on the nromanoff system and the XP system:

From nromanoff workstation (10.3.58.5) — Snake/Uroburos compromised:
- 2012-04-04 15:34:48 UTC — Event ID 4624, LogonType 3, Kerberos authentication from IpAddress 10.3.58.5 port 49896
- vibranium received full administrative privileges (SeDebugPrivilege, SeBackupPrivilege, etc.)

From XP workstation (10.3.58.7) — spinlock.exe/pe.exe compromised:
- 2012-04-04 16:37:53 UTC — Event ID 4624, LogonType 3, Kerberos authentication from IpAddress 10.3.58.7
- vibranium again received full administrative privileges including SeDebugPrivilege

Counter-analysis note (Q2/Q6 challenges): The hypothesis that vibranium is a legitimate shared IT administration account was evaluated. The 63-minute gap between authentications from two DIFFERENT user workstations (nromanoff's machine at 15:34 and tdungan's XP machine at 16:37) is the strongest evidence against this hypothesis. Even if vibranium were a legitimate shared admin account: (1) it would typically authenticate from a management workstation, not from end-user machines belonging to different people; (2) vibranium is NOT a local account on the XP system (confirmed by SAM registry — only Administrator, Guest, HelpAssistant, SUPPORT_388945a0, and SRL-Helpdesk exist locally); (3) the same vibranium account accessed classified documents ("Agents-List-CLASSIFIED-TOP-SECRET") and financial data ("Credit-Card-Numbers-For-Research") on the DC within minutes of the nromanoff authentication; (4) vibranium's RID (1673) is high, suggesting it was not among the original domain accounts.

This cross-system credential reuse is the strongest evidence that the Snake malware on nromanoff and the C2 tools on the XP system are operated by the SAME threat actor, not independent intrusions.

Cross-system correlation establishes a coherent attack kill chain spanning three systems operated by a single threat actor, likely Russian state-sponsored (Turla/FSB):

PHASE 1 — Initial Access and Persistence (pre-March 2012):
- Snake/Uroburos APT malware deployed on nromanoff workstation (10.3.58.5) — YARA-confirmed at 7+ disk offsets with Snake-specific format strings (%s#1 through %s#4) and characteristic extensions (.sav, .upd, .tmp) (T1014, T1547.006)
- Domain controller (10.3.58.4) exposed internet-facing services (IIS, Apache, Tomcat, hMailServer, Telnet) creating multiple attack vectors (T1190)
- Five web shell families (CmdAsp, cmdjsp, connectback2, sql_php from rst.void.ru, RemCom) detected in DC memory — language diversity matches the web server stack (T1505.003)

PHASE 2 — Credential Harvesting and Tool Deployment (2012-04-03 to 2012-04-04):
- PyInstaller-packaged Python 2.5 tools deployed under vibranium account on DC: _MEI138842 (23:09), _MEI57722 (00:01), _MEI111242 (00:06) — McAfee ePO hypothesis dismissed (user-context temp path, wrong Python framework) (T1059.006)
- spinlock.exe C2 tool deployed to C:\WINDOWS\system32\spinlock.exe on XP system (10.3.58.7) with pe.exe as secondary tool — timestomped to 2008-04-14 to blend with XP system files (T1036.005)
- Masquerading svchost.exe placed in C:\WINDOWS\system32\dllhost\ on XP — also timestomped to XP SP3 build date (T1036.004)

PHASE 3 — Lateral Movement via Shared Credentials (2012-04-04):
- vibranium account authenticates from nromanoff (10.3.58.5) to DC at 15:34:48 UTC
- vibranium account authenticates from XP (10.3.58.7) to DC at 16:37:53 UTC — SAME domain credentials from TWO different user workstations (not management stations) confirms single operator (63-minute gap, Q6)
- Active SMB connection from nromanoff to DC (10.3.58.9:445) at time of memory capture (T1021.002)
- vibranium not a local account on XP system (SAM confirmed) — credential must have been harvested and transported

PHASE 4 — Data Access (2012-04-04 15:42):
- vibranium accessed "Credit-Card-Numbers-For-Research" at 15:42:01 UTC
- vibranium accessed "Agents-List-CLASSIFIED-TOP-SECRET" at 15:42:58 UTC
- Same classified agents list present on Snake-compromised nromanoff workstation (Zone.Identifier ADS confirms internet download)

PHASE 5 — Sustained C2 and Persistence (2012-04-05 to 2012-04-06):
- spinlock.exe on XP ran 25+ hour session (PID 11640: 2012-04-05 17:16 to 2012-04-06 18:58)
- Multi-layer process chain: cmd to spinlock to spinlock to cmd to pe.exe providing interactive shell access
- Anomalous svchost.exe (PID 3296) spawned by explorer.exe 29 seconds after RDP login on XP

CONVERGENT EVIDENCE ASSESSMENT (Q7): Seven independent evidence sources (YARA signatures, event logs, memory forensics, MFT timestamps, ShimCache, registry, and file system listings) from three systems (nromanoff, DC, XP) converge on a single coordinated intrusion. To dismiss this chain would require simultaneously explaining: (1) Snake YARA as false positive at 7+ offsets, (2) web shell matches as AV signatures coincidentally matching the DC's web stack, (3) vibranium as a legitimate account coincidentally authenticating from two different compromised machines, (4) PyInstaller tools as legitimate despite user-context deployment, (5) timestomping to OS build dates as coincidental, (6) spinlock.exe/pe.exe as legitimate despite process chain behavior, and (7) classified data access as authorized. The combined dismissal is far less plausible than the coherent APT narrative. The nfury system (10.3.58.6) showing zero compromise indicators alongside two heavily compromised adjacent systems supports targeted rather than opportunistic compromise (Q12).

F-Response artifact review (Q11): F-Response forensic acquisition processes (f-response-ent, f-response-lm-monitor) and their network connections (iSCSI to 10.3.16.5, connection to 10.3.58.4:5681) were verified as forensic collection artifacts. No F-Response activity was misattributed as attack indicators in any finding.

Attribution: Snake/Turla attribution rests on the YARA rule match (APT_MAL_RU_WIN_Snake_Malware_May23_1) with Snake-specific internal format strings. While this is a strong indicator from a reputable rule, attribution to a specific state actor should be qualified — the YARA match confirms the Snake malware FAMILY but not necessarily the operating unit. The rst.void.ru Russian-language web shell is a corroborating but not independent attribution indicator.

Cross-system correlation reveals the same classified documents were accessed from multiple compromised systems, indicating systematic data targeting:

nromanoff Workstation (10.3.58.5) — Snake/Uroburos compromised:
- Users/nromanoff/Documents/Undercover Agent-List-Classified/Agents-List-CLASSIFIED-TOP-SECRET/Undercover-Agents-List-For-United-Kingdom.xls (113,152 bytes, created 2012-03-09, modified 2012-03-12)
- Undercover-Agents-List-For-Australia.xls (Zone.Identifier ADS confirms internet download, 2012-03-09)
- LNK file in Recent folder (2012-03-12 20:58:18) confirms user opened the files

Domain Controller (10.3.58.4) — via vibranium account:
- Users/vibranium/AppData/Roaming/Microsoft/Windows/Recent/Agents-List-CLASSIFIED-TOP-SECRET.lnk (2012-04-04 15:42:58) — the SAME classified agents list directory
- Users/vibranium/AppData/Roaming/Microsoft/Office/Recent/Credit-Card-Numbers-For-Research.LNK (2012-04-04 15:42:01) — additional PII data access

XP System (10.3.58.7) — spinlock.exe compromised:
- Dropbox installed (C:\Documents and Settings\tdungan\Application Data\Dropbox\bin\Dropbox.exe, ShimCache 2012-02-14) — potential cloud exfiltration vector on the same network
- Active C2 (spinlock.exe) with 25-hour session providing data transfer capability

Exfiltration Assessment:
- The classified documents on nromanoff existed on a system with Snake malware, which has built-in encrypted C2 communication channels capable of data exfiltration
- The vibranium account accessed the same documents on the DC, suggesting data was located/staged across network shares
- No direct evidence of outbound data transfer of these specific files was found in available network artifacts, but Snake's encrypted C2 would not be visible in standard network captures
- The Dropbox client on the XP system could provide a legitimate-appearing exfiltration channel

The cross-system access pattern (same classified files accessed from Snake-compromised nromanoff AND from the DC via stolen vibranium credentials) strongly suggests targeted intelligence collection rather than random file access.

Affected Systems: evtx.windows_system32_winevt_logs_security, ez.mft, ez.shimcache, tsk.filelist

YARA scanning of the domain controller memory dump identified signatures for five distinct web shell and remote access tools deployed across the multiple web server platforms (IIS, Apache, Tomcat):

1. RemCom_RemoteCommandExecution (offset 0x88d88b6) — matched named pipe pattern \\\\.\\pipe\\%s%s%d characteristic of RemCom, an open-source PsExec alternative for remote command execution.
2. CmdAsp_asp (offset 0x290db360) — matched "CmdAsp.asp" by maceo @ dogmile.com, a well-known ASP command shell.
3. connectback2_pl (offset 0x27203372) — matched "ConnectBack Backdoor", a Perl-based reverse shell.
4. sql_php_php (offset 0x294e7b6a) — matched "http://rst.void.ru", a Russian PHP SQL query shell.
5. cmdjsp_jsp (offsets 0x29064742, 0x28ddc270, 0x290647b8) — matched "cmdjsp.jsp" JSP command shell.

Counter-analysis note (Q1 challenge): McAfee ePO with Apache/Tomcat runs on this domain controller, and AV signature databases contain patterns for known web shells. The YARA matches could theoretically originate from McAfee's in-memory signature store rather than from actual deployed web shells. However, the deployed web shell interpretation is favored for three reasons: (1) the web shell languages (ASP, PHP, Perl, JSP) exactly correspond to the web server stack running on the DC (IIS serves ASP, Apache serves PHP/Perl, Tomcat serves JSP) — a coincidence unlikely if these were merely AV signatures; (2) the matched strings are full plaintext content (author names, URLs like rst.void.ru, domain names like michaeldaw.org), not binary signature patterns; (3) the DC is confirmed internet-exposed with active web exploitation attempts from external IPs. Without process-level YARA (vadyarascan), definitive attribution to a specific process is not possible. Confidence remains "inference" to reflect this ambiguity.

The Russian-language web resource (rst.void.ru) in the PHP shell is consistent with the Snake/Turla attribution identified on the nromanoff workstation.

The Windows 2008 R2 domain controller (Controller.shieldbase.local, 10.3.58.4/10.3.58.9) is running numerous internet-facing services that significantly expand its attack surface:

Internet-Accessible Services (confirmed by process list and network connections):
- IIS Web Server (w3wp.exe, inetinfo.exe) — ports 80 and 443, receiving connections from internet crawlers (Googlebot, Baiduspider, Yandex) and external IPs
- hMailServer (hMailServer.exe) — SMTP/POP3 email server, actively receiving connections from external IPs including brute-force attacks
- McAfee ePO (Apache.exe, tomcat5.exe) — web management console on HTTP/HTTPS
- Telnet Server (tlntsvr.exe) — insecure cleartext remote access service
- DNS Server (dns.exe) — externally resolvable
- Microsoft SQL Server (sqlservr.exe, instance EPOSERVER) — database server for McAfee ePO
- FTP Server (svchost.exe -k ftpsvc) — FTP service
- SNMP (snmp.exe) — network management protocol

Search engine crawling evidence confirms internet exposure:
- Google (66.249.x.x), Baidu (180.76.x.x, 220.181.x.x), Yandex (95.108.x.x), Facebook (69.171.x.x) all crawled the web server
- External IPs accessing web content on port 80

Running these services on a domain controller violates security best practices. A domain controller holds the AD database (ntds.dit), Kerberos keys, and all domain credentials. Any vulnerability in these internet-facing services provides a direct path to full domain compromise.

Volatility netscan of the domain controller memory reveals an ESTABLISHED SMB (TCP port 445) connection from the nromanoff workstation (10.3.58.5:49805) to the controller (10.3.58.9:445), owned by the System process (PID 4). The controller's address 10.3.58.9 appears to be a secondary interface on the controller server (primary: 10.3.58.4).

This active SMB session is significant because:
1. The nromanoff workstation is confirmed compromised with Snake/Uroburos APT malware (YARA detection on disk)
2. Snake malware commonly uses SMB/named pipes for lateral movement and C2 relay
3. The nromanoff user account is confirmed authenticating to the controller via Kerberos (Event ID 4624, LogonType 3) and also via NTLM (LogonProcessName: NtLmSsp, WorkstationName: CONTROLLER) - the NTLM authentication from a workstation named "CONTROLLER" is unusual
4. Security event logs show successful logon from nromanoff with LogonType 3 (network) at 2012-04-05 07:44:28

The SMB connection could facilitate file access, credential relay, or lateral movement from the compromised workstation to the domain controller.

Security event logs from the domain controller show authentication activity from the nromanoff workstation (10.3.58.5) to the controller using multiple user accounts:

1. nromanoff account (SID: S-1-5-21-2036804247-3058324640-2116585241-1109):
2. Event ID 4624, LogonType 3 (network), via Kerberos at 2012-04-05 07:44:28

3. Also authenticated via NTLM (LogonProcessName: NtLmSsp) with WorkstationName: CONTROLLER - unusual for a network logon originating from the nromanoff workstation

4. vibranium account (SID: S-1-5-21-2036804247-3058324640-2116585241-1673):

5. Authenticated from IpAddress 10.3.58.5 (nromanoff workstation) at 2012-04-04 15:34:48, LogonType 3
6. vibranium user has files in AppData\Local\Temp_MEI111242 containing python25.dll on the controller, characteristic of PyInstaller-packaged tools

7. Also had RDP sessions and administrative logons with SeDebugPrivilege

8. Additional users authenticated from 10.3.58.7 (WKS-WINXP32BIT$):

9. Machine account WKS-WINXP32BIT$ authenticated via Kerberos at 2012-04-05 07:44:28

The use of multiple domain accounts from the Snake-compromised nromanoff workstation suggests either legitimate multi-user activity or attacker use of harvested credentials for lateral movement.

Multiple PyInstaller-packaged executables were extracted and run under the vibranium user account (SID: S-1-5-21-2036804247-3058324640-2116585241-1673) on the domain controller between 2012-04-03 23:09 and 2012-04-04 00:06. PyInstaller bundles Python interpreters and scripts into standalone executables that auto-extract to temporary directories at runtime.

Evidence from MFT and file listing:
- Users/vibranium/AppData/Local/Temp/_MEI138842/ (created 2012-04-03 23:09:16): Contains _ctypes.pyd
- Users/vibranium/AppData/Local/Temp/_MEI57722/ (created 2012-04-04 00:01:44): Contains unicodedata.pyd
- Users/vibranium/AppData/Local/Temp/_MEI111242/ (created 2012-04-04 00:06:40): Contains python25.dll (2.1MB)
- Users/vibranium/AppData/Local/Temp/_MEI39242/: Contains python25.dll, kernel32.dll, MSVCR71.dll, bz2.pyd, spin...

All bundles use Python 2.5 runtime. PyInstaller is frequently used by attackers to package offensive Python tools (such as Impacket, credential dumpers, or custom C2 agents) into portable executables that don't require Python installation on the target.

Counter-analysis note (Q3 challenge): The hypothesis that these are McAfee ePO management components was evaluated and dismissed. McAfee ePO historically used Java/Jython for its management console, not CPython PyInstaller bundles. Critically, these files are extracted under the vibranium USER profile's AppData\Local\Temp directory — McAfee ePO service components would execute under the ePO service account, not a domain user's temp path. Python 2.5 was already outdated by 2012, making it an unlikely ePO dependency. The rapid sequential deployment of three distinct bundles within ~57 minutes is consistent with automated tool deployment rather than legitimate software operation.

Additionally, the vibranium user's Recent folder shows access to a file named "Agents-List-CLASSIFIED-TOP-SECRET.lnk" (MFT created: 2012-04-04 15:42:58), suggesting access to classified/sensitive documents from this account.

The Windows XP workstation (WKS-WINXP32BIT, 10.3.58.7, user tdungan) shows evidence of a multi-stage malicious execution chain involving spinlock.exe. ShimCache analysis places spinlock.exe at position 0 (most recently cached entry): C:\WINDOWS\system32\spinlock.exe with LastModified 2012-04-04 17:06:37. Memory forensics (psscan) reveals three spinlock.exe instances forming a parent-child execution chain:

• cmd.exe (PID 5872, PPID 1488) created 2012-04-06 13:25:00
• spinlock.exe (PID 12244, PPID 5872) created 2012-04-06 13:25:00
• spinlock.exe (PID 3648, PPID 12244) created 2012-04-06 13:25:01
• cmd.exe (PID 7416, PPID 3648) created 2012-04-06 13:39:58
• pe.exe (PID 10384, PPID 7416) created 2012-04-06 13:43:20 (exited 13:59:57)
• cmd.exe (PID 9448, PPID 3648) created 2012-04-06 18:55:48

An earlier spinlock.exe instance (PID 11640, PPID 12236) ran from 2012-04-05 17:16:01 to 2012-04-06 18:58:17, spanning over 25 hours. The pattern of spinlock.exe spawning child spinlock.exe processes, then spawning cmd.exe children that execute pe.exe, is consistent with a command-and-control tool providing interactive shell access. This binary is not a standard Windows executable and was placed in the system32 directory to blend in with legitimate system files.

Affected Systems: ez.shimcache, tsk.filelist, volatility.psscan

ShimCache analysis of the XP system's SYSTEM hive reveals a suspicious binary at position 49: C:\WINDOWS\system32\dllhost\svchost.exe (LastModified 2008-04-14 00:12:36). This is highly anomalous - svchost.exe should only exist at C:\WINDOWS\system32\svchost.exe. The placement inside a 'dllhost' subdirectory within system32 is a masquerading technique: both 'dllhost' and 'svchost' are legitimate Windows process names, making this path appear plausible on cursory inspection while actually being a non-standard location. The timestamp matches the XP SP3 build date (2008-04-14), indicating deliberate timestomping to blend in with legitimate system files. This binary was likely deployed alongside spinlock.exe (LastModified 2012-04-04 17:06:37) and pe.exe (also timestomped to 2008-04-14) as part of the coordinated toolset on the XP system. The anomalous svchost.exe (PID 3296) spawned by explorer.exe during the RDP session (finding f_fe53cf9f) may be this binary.

Memory forensics of the XP system reveals svchost.exe (PID 3296) with parent process explorer.exe (PID 1900, PPID 2436), created at 2012-04-06 19:07:16. This is an abnormal parent-child relationship: legitimate svchost.exe instances are spawned by services.exe (PID 1044 on this system). All other svchost.exe processes on this system correctly show PPID 1044 (services.exe): PIDs 1732, 1308, 1236, 1472, 1636, 1936. The anomalous svchost.exe (PID 3296) was created shortly after an RDP login session (rdpclip.exe PID 2284 at 19:06:44, explorer.exe PID 1900 at 19:06:47), suggesting it was executed by the user who connected via RDP. This may be the svchost.exe from the C:\WINDOWS\system32\dllhost\ directory identified in ShimCache, or another masquerading binary launched by the interactive user.

The threat actor employed consistent defense evasion techniques across multiple compromised systems, demonstrating operational sophistication:

Timestomping (T1070.006) — XP System (10.3.58.7):
- pe.exe at C:\WINDOWS\system32\pe.exe: LastModified set to 2008-04-14 00:12:36 (XP SP3 build date)
- svchost.exe at C:\WINDOWS\system32\dllhost\svchost.exe: LastModified also 2008-04-14 00:12:36
- Both attacker binaries had their timestamps backdated to match legitimate OS files, making them blend into the system32 directory. Only spinlock.exe retained a realistic timestamp (2012-04-04 17:06:37), possibly because it was replaced/updated more recently.

Binary Masquerading (T1036.005) — XP System:
- spinlock.exe placed in C:\WINDOWS\system32\ — not a real Windows component but the system32 path suggests legitimacy
- pe.exe placed in C:\WINDOWS\system32\ — generic name blends with system utilities
- svchost.exe placed in C:\WINDOWS\system32\dllhost\ — uses two real Windows process names (svchost + dllhost) in a fabricated path

Process Hiding (T1014) — Both DC and XP:
- DC: Hidden svchost.exe (PID 56) absent from pslist but present in psscan — potential DKOM rootkit technique. Created 2012-03-15, three weeks before main attack phase.
- XP: spinlock.exe (PID 12244) present in psscan but not pslist — the C2 tool itself appears unlinked from the process list
- XP: 6 additional hidden PIDs detected by composite defense evasion scan across both systems

Cross-System Pattern: The use of consistent evasion techniques (timestomping to OS build dates, masquerading as system processes, process hiding) across both the XP system and the domain controller indicates a single operator with a developed tradecraft toolkit, not opportunistic compromise.

Affected Systems: composite.defense_evasion, ez.shimcache, forensic.timestomping, volatility.psscan

Windows Security Event ID 4720 recorded the creation of a new domain account "nromanoff" in the SHIELDBASE domain on 2012-04-05 at approximately 07:44:28 UTC.

Account Details:
- Username: nromanoff
- Domain: SHIELDBASE
- SID: S-1-5-21-2036804247-3058324640-2116585241-1109
- Subject LogonId: 0x0 (system-level creation)

Post-Creation Activity:
- 257 matching events in the Security log showing nromanoff activity
- Network logons (Type 3) authenticated via Kerberos from both 10.3.58.4 (local) and 10.3.58.5
- The account was actively used for network resource access after creation

This account creation warrants investigation to determine whether it was authorized. The creation by a subject with LogonId 0x0 and subsequent Kerberos network logons from multiple internal addresses could indicate either legitimate provisioning or an attacker-created persistence account. Context from the organization's HR or IT onboarding records would be needed to confirm legitimacy.

Network analysis and bulk_extractor data reveal an established outbound TCP connection from the domain controller to an external IP on a high port:

Connection Details (from Volatility netscan):
- Source: 10.3.58.4:58497 (domain controller)
- Destination: 96.255.98.154:29932
- State: ESTABLISHED
- Protocol: TCPv4

Windows Firewall Log Confirmation (from bulk_extractor):
- "ALLOW TCP 10.3.58.4 96.255.98.154 52619 29932" — firewall permitted the connection
- Multiple firewall ALLOW entries for connections to this IP on port 29932

Context from Other Evidence:
- 96.255.98.154 also appears as an HTTP visitor to the IIS web server on port 80, with User-Agent "Mozilla/5.0+(Wi..." (Windows browser)
- The IP is associated with Yahoo email activity (sender: mhill.shield@yahoo.com) in carved data
- Port 29932 is non-standard and not associated with any common service

Assessment: The high port number (29932) is atypical for legitimate services. However, the same IP also shows legitimate web browsing activity and Yahoo email association, which could indicate this is a remote administrator's home IP using a legitimate remote management tool. The connection requires further investigation to determine if it represents authorized remote access or a command-and-control channel.

Bulk extractor carved web server logs reveal multiple external IP addresses performing web vulnerability scanning and exploitation attempts against the domain controller's IIS web server:

1. Attempted download from suspicious domain: freetunel.com/cgi-bin.txt (from 188.138.11.56) - likely web shell or exploit download attempt
2. Web admin panel scanning from 132.248.31.82: probing /webadmin/setup.php, /sqlweb/scr, and similar paths (all returning 404)
3. Unauthorized WebDAV access attempts: multiple requests to /p_/webdav/ from various IPs
4. Web crawlers from Baidu (180.76.5.x), Yandex (yandex.com/bots), and other search engines indexing the controller - confirming internet exposure
5. External SMTP connections from multiple IPs besides the brute-forcing 91.207.6.58, including 86.105.68.176, 188.255.86.142, and others interacting with the hMailServer

The domain controller hosts the organizational email domain stark-research-labs.com with confirmed mailboxes for:
- nromanoff@stark-research-labs.com
- nfury@stark-research-labs.com
- tdungan@stark-research-labs.com

The controller is directly internet-accessible and receiving web traffic from search engine crawlers and external attackers, confirming its exposure as a public-facing server while serving as the Active Directory domain controller.

Memory forensics of the XP system shows an active RDP session at time of memory acquisition. Key evidence:

• rdpclip.exe (PID 2284, PPID 1000 winlogon.exe) created 2012-04-06 19:06:44 - RDP clipboard service indicating active remote desktop connection
• explorer.exe (PID 1900, PPID 2436) created 2012-04-06 19:06:47 - Interactive desktop shell for the RDP session

Local SAM registry analysis shows the SRL-Helpdesk local account (RID 1004) with:
- Account Type: Default Admin User (local administrator)
- Last Login: 2012-04-06 19:06:37Z (matching the RDP session start)
- Login Count: 4
- Password Reset: 2012-04-04 12:41:33Z
- Password Fail Date: 2012-04-04 12:25:14Z

The Remote Desktop Users group includes two domain SIDs (-1106, -1108). The SRL-Helpdesk account is a member of the local Administrators group. Notably, the anomalous svchost.exe (PID 3296) was spawned by this RDP session's explorer.exe (PID 1900) at 19:07:16, just 29 seconds after the RDP login.

Counter-analysis note (Q5 challenge): SRL-Helpdesk is explicitly named as an IT support account, and the RDP session could represent a legitimate helpdesk technician performing system diagnostics. However, the svchost.exe (PID 3296) spawned 29 seconds after login is abnormal — legitimate svchost.exe instances are spawned by services.exe, not by explorer.exe during an interactive session. This binary likely originates from the masquerading path C:\WINDOWS\system32\dllhost\svchost.exe identified in ShimCache. While the RDP session itself may be legitimate, the execution of the masquerading svchost.exe from it is consistent with an attacker using compromised helpdesk credentials to execute pre-staged tools.

The composite recovery assessment and ShimCache analysis confirm SysInternals SDelete (sdelete.exe) is present in C:\Tools\SysInternals\ on the domain controller (10.3.58.4), deployed alongside the broader SysInternals toolkit on 2009-12-05 22:16:53. SDelete performs secure deletion by overwriting file contents before deletion, making forensic recovery of deleted files impossible for overwritten data.

The recovery assessment identified 11,973 deleted files across the disk image and flagged SDelete as an anti-forensic concern: "Secure delete tools detected -- some deleted files may be unrecoverable." While SDelete was deployed as part of the full SysInternals toolkit (likely for legitimate administration), its availability on a domain controller with confirmed web shell compromise and attacker activity means an attacker with shell access could use it to:
1. Destroy evidence of accessed files (e.g., classified document copies)
2. Remove downloaded tools or exfiltrated archives after use
3. Clean up web shell files or other persistence mechanisms

This finding is assessed at medium severity because while the tool's presence is confirmed, there is no direct evidence of attacker-initiated use of SDelete. However, the combination of SDelete availability + 11,973 deleted files + active attacker presence creates a forensic integrity concern — some evidence may be irrecoverably destroyed.

Cross-system correlation analysis establishes that the sustained SMTP brute-force attack from 91.207.6.58 against the hMailServer is a separate, independent attack from the internal APT campaign:

Evidence of Independence:
1. The SMTP attack targets email authentication on the hMailServer — a distinct attack vector from the Snake/Uroburos malware deployment and web shell access used by the internal attacker
2. No IP address 91.207.6.58 appears in ANY internal system artifact: not in volatility netscan connections on any host, not in event log source IPs, not in the process tree or command lines
3. The brute-force uses automated credential cycling with rapid sequential attempts (every 4-5 seconds) — a fundamentally different TTP from the APT actor's precise credential usage (vibranium account with full admin privileges)
4. The APT actor already had valid domain credentials and web shell access — brute-forcing SMTP authentication would be unnecessary and counterproductive (increased detection risk)
5. 91.207.6.58 is geolocated to Russia (Sakha Republic, ASN AS43634) while the Snake/Uroburos deployment suggests a state-sponsored actor operating through compromised internal systems, not through direct internet-facing brute-force

Assessment: The SMTP attack represents an independent opportunistic threat exploiting the domain controller's exposed hMailServer. No evidence of successful authentication was found (all observed attempts returned "535 Authentication failed"). The primary risk remains the APT campaign which achieved full domain compromise through more sophisticated means.

Impact on Investigation: While these are independent threats, the SMTP attack confirms that the domain controller is internet-accessible and actively targeted by external adversaries, corroborating the excessive attack surface finding.

Affected Systems: bulk.domain, volatility.netscan

A comprehensive SysInternals toolkit has been deployed at C:\Tools\SysInternals\ on the domain controller. ShimCache (AppCompatCache) and registry entries confirm the presence of these tools:

High-Risk Tools Present:
- PsExec.exe — Remote execution tool, commonly abused for lateral movement (ShimCache timestamp: 2009-12-05 22:16:54)
- procdump.exe — Process memory dumping tool, commonly used for credential harvesting from lsass.exe (ShimCache timestamp: 2009-12-05 22:16:53)
- RootkitRevealer.exe — Rootkit detection tool (indicating security concerns existed)

Other SysInternals Tools in C:\Tools\SysInternals\:
- movefile.exe, ntfsinfo.exe, pendmoves.exe, portmon.exe, Cacheset.exe, Autologon.exe, ctrl2cap.exe, ProcFeatures.exe, and many more

ShimCache Evidence:
- ShimCache entries show timestamps of 2009-12-05 22:16:53-54 for most tools, indicating they were deployed on that date
- PsExec.exe has a separate MFT entry confirming file existence with creation time 2009-12-05

Risk Assessment:
While SysInternals tools are legitimate system administration utilities, PsExec and procdump are among the most commonly abused tools in post-exploitation scenarios:
- PsExec enables remote command execution across the domain (T1570)
- Procdump can dump lsass.exe process memory to extract plaintext credentials (T1003.001)
- Their presence on a domain controller provides an attacker with pre-staged tools for lateral movement and credential theft

Comparison of Volatility pslist (linked list traversal) against psscan (pool tag scanning) reveals three processes present in memory but not in the active process list:

1. PID 56 — svchost.exe (Ambiguous)
- Parent PID: Not listed (no parent entry visible)
- Created: 2012-03-15 03:09:18 UTC
- Threads: 10, Handles: 363
- Session: 0, WoW64: False
- This svchost.exe instance lacks a parent PID in the psscan output and is absent from pslist. The anomalously low PID (56) suggests early boot creation. Most likely explanation: a terminated service host process whose pool tag persists in memory. Less likely: a deliberately DKOM-unlinked process. Without additional indicators (unusual DLLs, network connections, or command line), the benign interpretation is favored.

2. PID 2400 — mfeann.exe (Benign)
- Parent PID: 1472 (VsTskMgr.exe — McAfee Task Manager)
- Created: 2012-03-15 03:10:59 UTC
- McAfee Announcement process — terminated and restarted during AV updates

3. PID 142048 — naPrdMgr.exe (Benign)
- Parent PID: 720
- Created: 2012-04-05 03:20:44 UTC
- McAfee NAI Product Manager — McAfee auto-update process

Counter-analysis note: PID 56 svchost.exe was evaluated with anti-evasion awareness. While the finding initially noted rootkit as a possibility (T1014), the evidence is more consistent with a normally terminated process. The 10 threads and 363 handles are within normal ranges for a legitimate svchost.exe. The PID 56 was created at system boot time (03:09:18, moments after the System process), which is consistent with a legitimate early-boot service host that was later terminated and replaced. No malfind hits, no unusual network connections, and no anomalous DLLs were found associated with this PID. Severity maintained at low; this is an isolated observation without corroborating indicators.

Nfury (WKS-WIN764BITB, 10.3.58.6) maintained active domain authentication with the controller (10.3.58.4) as a member of the SHIELDBASE domain. Evidence from the controller's Security event log shows:

1. ANONYMOUS LOGON: Event 4624, 2012-04-04 15:21:44, LogonType 3 from WKS-WIN764BITB (10.3.58.6), Target: NT AUTHORITY\ANONYMOUS LOGON. Null session access which enables network resource enumeration.

2. NTLM V1 Authentication: Event 4624, 2012-04-04 15:33:44, from 10.3.58.6 port 56659 using insecure NTLM V1 protocol (KeyLength 128).

3. Regular Kerberos Logons: Multiple successful Kerberos-based network logons (LogonType 3) throughout the monitoring period, indicating normal domain trust authentication.

4. No connections to nromanoff (10.3.58.5): Nfury's memory netscan shows zero active or closed connections to 10.3.58.5. There is no direct network relationship between nfury and the compromised nromanoff workstation at time of capture.

5. F-Response connection to controller: Nfury had an F-Response forensic agent connection to 10.3.58.4:5681 (CLOSED state) and an active iSCSI session to 10.3.16.5:48769, both related to the forensic acquisition process.

Cross-system risk assessment: While nfury itself shows no compromise indicators, its domain membership and NTLM V1 usage on the same network as the compromised nromanoff system means its credentials could theoretically be targeted via pass-the-hash or credential relay attacks. However, no evidence of such attacks against nfury was observed.

Affected Systems: evtx.windows_system32_winevt_logs_security, volatility.netscan

Windows Security event logs show the domain administrator account "rsydow" (SID: S-1-5-21-2036804247-3058324640-2116585241-1114) authenticating to the domain controller from the FALCONIII workstation (IP: 10.3.16.5) using Network Logon (Type 3).

Key Events:
- 2012-04-04 15:15:04 UTC — rsydow successful logon, Type 3, Kerberos auth
- 2012-04-04 19:59:48 UTC — rsydow successful logon from FALCONIII, Type 3
- 2012-04-05 14:04:41 UTC — rsydow successful logon from FALCONIII, Type 3
- 17 total FALCONIII events found in the Security log

Elevated Privileges Assigned:
SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeLoadDriverPrivilege, SeImpersonatePrivilege, SeEnableDelegationPrivilege

Assessment: The rsydow account has full domain administrator privileges. The logon pattern from FALCONIII shows regular administrative access. While this is likely legitimate administration, the privilege level warrants review to confirm all access was authorized. Any compromise of this account would grant complete domain control.

Comprehensive forensic analysis of win7-64-nfury (WKS-WIN764BITB, 10.3.58.6) reveals no indicators of compromise or malicious activity. This stands in contrast to the compromised nromanoff system where Snake/Uroburos malware was detected.

Process Analysis: All 37 running processes are legitimate Windows 7 system processes, McAfee AV suite (FireSvc, McSACore, FrameworkService, VsTskMgr, mfevtps, mcshield, mfeann, mfefire), VMwareService, and the F-Response forensic agent (PID 328). No interactive user session was active at time of capture (only LogonUI.exe present, no explorer.exe). The psscan-vs-pslist comparison shows no unlinked/hidden processes — the only difference is FireTray.exe PID 1352 which had exited normally.

Network Connections: Only legitimate connections found: SMB listener on port 139, F-Response iSCSI connection to 10.3.16.5:48769, F-Response connection to controller 10.3.58.4:5681, and McAfee management listeners on ports 8081/8082. No connections to external IPs, no connections to nromanoff (10.3.58.5), and no suspicious listening services.

Memory Injection (Malfind): All PAGE_EXECUTE_READWRITE regions belong to legitimate software — McAfee FrameworkService (PID 1472), mfevtps.exe (PID 1568), LogonUI.exe (PID 812, mostly null bytes), and F-Response (PID 328). No true code injection detected.

YARA/Sigma: Zero YARA hits on both memory and disk. No Hayabusa or Chainsaw Sigma alerts specific to nfury.

Timestomping: No evidence of malicious timestamp manipulation. Only root directory entries with standard Windows 7 RTM date patterns detected (benign false positives).

Filesystem: No attacker tools, suspicious executables, or classified/sensitive documents found beyond normal business files (Alloy Research documents). The nfury user has Chrome, Skype, and standard applications installed.

The nfury system (10.3.58.6) has a single primary user profile: Users/nfury/. The user nfury@stark-research-labs.com has an email mailbox hosted on the controller's hMailServer instance (Program Files (x86)/hMailServer/Data/stark-research-labs.com/nfury/), with email messages stored across multiple subdirectories. Many email files in this mailbox show deleted status (marked with * in TSK), consistent with normal email management rather than evidence destruction.

The nfury user profile contains:
- Google Chrome browser (version 18.0.1025.142) with full profile data
- Skype application with database files (queue.db)
- Documents/Alloy Research/ folder containing research files: "Metal Alloy List Research.xlsx" and "Researched Sub-Atomic Particles.xlsx" (these are Zone.Identifier tagged, indicating they were downloaded from the internet)
- Standard Windows application data (no sensitive/classified files found, unlike nromanoff's "Undercover Agent List" documents)

Additional user accounts found on the controller (which hosts all domain user profiles for file sharing): Administrator, rsydow (with PKI certificates on desktop), vibranium (with McAfee data), and tdungan (with PowerShell pinned to taskbar). These are domain accounts that may have accessed nfury or the broader Stark Research Labs network.

No interactive user session was active on nfury at the time of memory capture — only LogonUI.exe was running (Session 1), indicating the console was at the login screen with no user logged in.

The nfury system's active Security.evtx log file is only 8 KB, and System.evtx is only 10 KB. The PowerShell Operational log is 0 KB (empty). These extremely small active log sizes significantly limit forensic visibility into authentication events, service changes, and PowerShell activity that occurred on nfury itself.

However, archive Security log files exist spanning 2012-03-13 to 2012-04-07 (each approximately 4 MB), indicating the system was generating security events that rolled over into archives. The very small active log files suggest either: (1) the active logs were recently rotated and very few events accumulated since the last rollover, or (2) security audit policy is minimal on this workstation.

The Windows PowerShell.evtx file is 32 KB (non-empty), suggesting some PowerShell usage occurred on the system. The nfury system also has an NTLM Operational log (1.2 MB), TerminalServices-RemoteConnectionManager Operational (1.2 MB), and an unusually large IpHlpSvc Operational log (51.8 MB).

Impact: Without indexed Security events from nfury itself, we cannot verify whether logon events, privilege escalations, or account modifications occurred locally. All authentication evidence for nfury comes from the controller's Security log (which records inbound logons from nfury), not from nfury's own perspective. This is a gap in forensic coverage, though no evidence of log clearing or anti-forensic activity was detected.

Analysis of the XP system's Master Boot Record (MBR) image shows standard, unmodified boot sector content. Binwalk scan detected no embedded files, hidden code, or anomalous structures. Strings extraction produced only the three standard MBR error messages: "Invalid partition table", "Error loading operating system", "Missing operating system". These are the expected strings for a standard Windows XP MBR. No evidence of MBR-level rootkits, bootkits, or modifications was found.

Local SAM analysis of the XP system (WKS-WINXP32BIT, 10.3.58.7) reveals the following local accounts:

• Administrator (RID 500): Created 2010-11-10, Never logged in, Password does not expire
• Guest (RID 501): Disabled
• HelpAssistant (RID 1000): Disabled
• SUPPORT_388945a0 (RID 1002): Disabled (MS vendor support account)
• SRL-Helpdesk (RID 1004): Created 2012-03-13, Local Admin, Last Login 2012-04-06 19:06:37, Login Count 4, Pwd Fail 2012-04-04 12:25:14

Notably:
1. The SRL-Helpdesk account experienced a password failure on 2012-04-04 12:25:14, followed by a password reset on 2012-04-04 12:41:33 - this timing coincides with attacker activity (spinlock.exe crashed on 2012-04-04, vibranium lateral movement on 2012-04-04 16:37).
2. The Administrators group includes domain SID -1107 (tdungan's domain account) and -1004 (SRL-Helpdesk local).
3. Domain SIDs -1106 and -1108 are in the Remote Desktop Users group.
4. No 'vibranium' account exists locally - it is a domain account used for lateral movement FROM this system.

Review of all indexed evidence sources confirms that no YARA scanning results exist for the XP system (10.3.58.7). YARA memory scans (yara.memory) were only performed against the domain controller memory (win2008R2-controller-memory-raw.001), and YARA file scans (yara.files) were only performed against the nromanoff disk image. The XP system's memory dump (xp-tdungan-memory-raw.001) and disk image (xp-tdungan-c-drive.E01) were not scanned with YARA rules. Despite this gap, the attacker tooling (spinlock.exe, pe.exe, dllhost\svchost.exe) was identified through ShimCache, memory forensics (psscan), and MFT analysis. YARA scanning of the XP artifacts could potentially identify additional malware signatures or confirm attribution to known threat actor toolsets.