CASE STUDY

Malicious Code on a Server with Customer Data

A Consultant is Called in to Determine What Happened

A consultant is hired by a Fortune 500 company that detected a malicious executable on a production server that stores customer data. The company is unsure how the malicious executable got onto the server, or what data the executable may have exposed. Before calling in the consultant, the company had already restored a six-month-old backup, which did not contain the malicious executable, and the production database to a clean system.

The consultant created a forensic image of the machine and then used BlackLight for analysis. BlackLight parsed the download history for the system as well as the following Windows artifacts: jumplists, ShellBags, and prefetch. The Windows artifacts were examined for references to the malicious executable. A file with a name similar to the executable had been downloaded by an account named “adminnistrator”, spelled with two N’s. User Accounts, presented by BlackLight in Actionable Intel, revealed when that account was created and last accessed. Because this information is all parsed immediately by BlackLight, the consultant was able to provide a quick update to the client.

As the investigation continued, the consultant used more advanced analysis techniques such as reviewing volume shadow copies and recovering files no longer present on the system. This analysis allowed the consultant to determine the sequence of events that led to the malicious executable and to establish a timeline of those events. Network logs for the narrow time period of interest were reviewed, with the analyst looking for unusual outbound connections that could indicate exfiltration of data. Hash sets for known vulnerable software revealed that the system was not up to date with current patches; the missing patches would have prevented the events that led to the installation of the malicious executable. At the conclusion of the examination, the client was provided with information on how the system was likely compromised, an indication of whether data was exfiltrated, and recommendations for preventing a similar attack in the future.
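The workflow above boils down to three defender-side steps that can be scripted against any tool's parsed output: flag local account names that are one keystroke away from a legitimate one (the “adminnistrator” pattern), merge artifact records into a single time-ordered timeline, and derive from that timeline the narrow window over which network logs should be reviewed for unusual outbound connections. The following Python is an added example written for this page; it is not BlackLight code or output. The artifact records, timestamps, account names and the file name svchost-update.exe are all constructed for illustration, and KNOWN_ACCOUNTS stands in for whatever account inventory the client can supply.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records standing in for parsed artifacts (download
# history, prefetch, ShellBags, user accounts). Every name and timestamp
# here is made up for this example; "adminnistrator" mirrors the
# look-alike account described in the case study.
ARTIFACTS = [
    {"source": "user_accounts", "ts": "2023-03-01T02:14:00Z",
     "detail": "account created", "user": "adminnistrator"},
    {"source": "download_history", "ts": "2023-03-01T02:31:10Z",
     "detail": "svchost-update.exe downloaded", "user": "adminnistrator"},
    {"source": "prefetch", "ts": "2023-03-01T02:32:05Z",
     "detail": "SVCHOST-UPDATE.EXE first run", "user": None},
    {"source": "shellbags", "ts": "2023-02-28T23:50:00Z",
     "detail": "folder C:\\Users\\adminnistrator\\Downloads opened",
     "user": "adminnistrator"},
]

# Hypothetical inventory of legitimate local accounts supplied by the client.
KNOWN_ACCOUNTS = {"administrator", "svc_backup", "dbadmin"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_accounts(accounts, known, max_distance=1):
    """Return {suspicious_account: legitimate_name} for accounts that are
    close to, but not identical with, a known legitimate account name."""
    flagged = {}
    known_lower = {k.lower() for k in known}
    for acct in accounts:
        a = acct.lower()
        if a in known_lower:
            continue  # an exact match is a real account, not a look-alike
        for k in known_lower:
            if edit_distance(a, k) <= max_distance:
                flagged[acct] = k
                break
    return flagged


def parse_ts(s: str) -> datetime:
    """Parse the ISO-8601 UTC timestamps used in the sample records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline(records):
    """Merge heterogeneous artifact records into one list sorted by time.
    Each entry is (timestamp, source, detail, user)."""
    return sorted(((parse_ts(r["ts"]), r["source"], r["detail"], r["user"])
                   for r in records), key=lambda e: e[0])


def review_window(timeline, user, pad_minutes=30):
    """Bound the period of interest for network-log review: first to last
    activity attributed to the flagged account, padded on both sides."""
    times = [t for t, _, _, u in timeline if u == user]
    if not times:
        return None
    pad = timedelta(minutes=pad_minutes)
    return (min(times) - pad, max(times) + pad)


if __name__ == "__main__":
    accounts_on_host = {"administrator", "adminnistrator", "dbadmin"}
    suspicious = lookalike_accounts(accounts_on_host, KNOWN_ACCOUNTS)
    timeline = build_timeline(ARTIFACTS)
    for ts, source, detail, user in timeline:
        print(f"{ts.isoformat()}  {source:<17} {user or '-':<15} {detail}")
    for acct, legit in suspicious.items():
        print(f"look-alike account {acct!r} resembles {legit!r}; "
              f"review network logs in {review_window(timeline, acct)}")
```

The edit-distance check deliberately ignores accounts that exactly match the inventory, so a genuine “administrator” is never flagged; only near-misses such as a doubled letter are. The review window is derived from the earliest and latest artifact attributed to the suspicious account, which is what keeps the network-log review narrow rather than spanning the whole six months between the backup and the detection.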

Because information of interest is all parsed immediately by BlackLight, I was able to provide a quick update to the client.

Private consultant for a Fortune 500 company

Main Takeaways:

  • When malicious code was discovered on a production server that stored customer data, a consultant was called in to uncover what happened.
  • BlackLight, used to examine the system, parsed the download history, jumplists, ShellBags, and prefetch providing some quick clues about how the code got on the system.
  • BlackLight was used to examine volume shadow copies, recovering files no longer on the machine, and providing a timeline of events.
  • The client was provided with information on how the system was likely compromised, an indication of whether data was exfiltrated, and recommendations for preventing a similar attack in the future.

Quick Facts

Features: 

BlackLight provided quick access to data of interest in the Actionable Intel tab and Windows artifacts providing initial answers quickly.

Problem Solved:

A consultant is called in to determine how malicious code came to be running on a production server.

Solution Provided:

The consultant provided a timeline of events for this incident and provided recommendations to prevent similar attacks in the future.

Overall Results:

BlackLight quickly and easily surfaced the Windows artifacts used to determine how the malicious code was introduced to the system, and provided the ability to perform in-depth analysis of volume shadow copies.

Add BlackBag To Your Toolkit

See how easy it is to make BlackBag part of your everyday carry with a free trial or quote.