BFT (MFT)

The MFT Forensics Sherlock challenge introduces the fundamentals of Master File Table (MFT) analysis as part of Windows forensics. The scenario involves identifying potential malicious activity through the examination of MFT artifacts extracted from a compromised system. This challenge will equip analysts with parsing MFT data using tools like MFTeCmd, analyze the output with TimeLine Explorer, and inspect raw MFT records using a hex editor. The challenge provides a foundational understanding of filesystem-level forensic analysis on Windows systems.

KEY SKILLS AND OBJECTIVES

Learn how to use MFTECmd to parse Master File Table data.
Utilize TimeLine Explorer to visualize and analyze parsed MFT records.
Understand the structure and significance of MFT entries in forensic investigations.
Use a hex editor to inspect and recover raw file content from the MFT.
Identify suspicious file activity and reconstruct potential attack timelines based on file system metadata.

Simon Stark was targeted by attackers on February 13. He downloaded a ZIP file from a link received in an email. What was the name of the ZIP file he downloaded from the link?

PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe
 ...
 
 * install 7zip if required

PS C:\> GUI > BFT.zip > 7-zip > extract files
 ...
 
PS C:\> git clone https://github.com/EricZimmerman/MFTECmd.git
PS C:\> cd c:\Temp\MFTECmd\
PS C:\> dotnet publish -f net9.0 -r win-x64 -p:PublishSingleFile=true --self-contained true -p:IncludeNativeLibrariesForSelfExtract=true
PS C:\> cd c:\Temp\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\publish
PS C:\> Get-ChildItem
 Directory: T:\00.HTB\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\publish

 Mode                 LastWriteTime         Length Name
 ----                 -------------         ------ ----
 -a----         5/20/2025   9:27 AM       73505112 MFTECmd.exe
 -a----         5/20/2025   9:27 AM          33876 MFTECmd.pdb
 
PS C:\> Copy-Item T:\00.HTB\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\Publish\MFTECmd.exe "C:\users\Strife\Downloads\BFT\C\"

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Extension: zip
   Stage-20240213T093324Z-001.zip         2024-02-13 16:34:40
   KAPE.zip                               2024-02-13 16:39:06
   Archive.zip                            2023-07-07 15:25:20
   invoice.zip                            2024-02-13 17:25:52

Examine the Zone Identifier contents for the initially downloaded ZIP file. This field reveals the HostUrl from where the file was downloaded, serving as a valuable Indicator of Compromise (IOC) in our investigation/analysis. What is the full Host URL from where this ZIP file was downloaded?

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Filename: stage                                    Extension          Zone Id Contents:
   Stage-20240213T093324Z-001.zip:Zone.Identifier    .Identifier        [ZoneTransfer] ZoneId=3 HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser
 
 * it looks like google drive was used to host the malicious file

What is the full path and name of the malicious file that executed malicious code and connected to a C2 server?

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Parent Path: stage
  Created0x10: 2/13/2024
   .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices     invoice.bat     2024-02-13 17:23:16    2024-02-13 16:38:39

 * Identify all potentially suspicious files related to the malicious ZIP by 
   examining MFT (Master File Table) records. Focus on files with suspicious 
   extensions (e.g., .exe, .dll, .js, .bat, .vbs) created or modified around 
   the same time as the ZIP download. These may indicate payloads or execution 
   artifacts from the ZIP

Analyze the $Created0x30 timestamp for the previously identified file. When was this file created on disk?

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Parent Path: stage
  Created0x10: 2/13/2024
   .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices     invoice.bat     2024-02-13 17:23:16    2024-02-13 16:38:39

 * Identify all potentially suspicious files related to the malicious ZIP by 
   examining MFT (Master File Table) records. Focus on files with suspicious 
   extensions (e.g., .exe, .dll, .js, .bat, .vbs) created or modified around 
   the same time as the ZIP download. These may indicate payloads or execution 
   artifacts from the ZIP

 * the column created0x10 contains original file metadata timestamps 
   (like created, modified, accessed, etc.). Often the first timestamps written.
 * the column created0x30 contains timestamps updated when the file is 
   renamed, moved, or otherwise interacted with in the file system.

Finding the hex offset of an MFT record is beneficial in many investigative scenarios. Find the hex offset of the stager file from Question 3.

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Parent Path: stage
  Created0x10: 2/13/2024
   23436   .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices     invoice.bat     2024-02-13 17:23:16    2024-02-13 16:38:39

 * Identify all potentially suspicious files related to the malicious ZIP by 
   examining MFT (Master File Table) records. Focus on files with suspicious 
   extensions (e.g., .exe, .dll, .js, .bat, .vbs) created or modified around 
   the same time as the ZIP download. These may indicate payloads or execution 
   artifacts from the ZIP

 * the column created0x10 contains original file metadata timestamps 
   (like created, modified, accessed, etc.). Often the first timestamps written.
 * the column created0x30 contains timestamps updated when the file is 
   renamed, moved, or otherwise interacted with in the file system.

TimeLineExplorer
 Filename: invoice.bat
 Entry Number: 23436
 Offset Formula: 1024 * 23436 = 23,998,464
 
PS C:\> BROWSER > https://www.rapidtables.com/convert/number/decimal-to-hex.html
 From: Decimal
 To: Hexadecimal
 Decimal Number: 23998464
 Hexadecimal: 16E3000 

 * each MFT record is 1024 bytes in size; multiply the entry value by 1024 to get the decimal offset

Each MFT record is 1024 bytes in size. If a file on disk has smaller size than 1024 bytes, they can be stored directly on MFT File itself. These are called MFT Resident files. During Windows File system Investigation, its crucial to look for any malicious/suspicious files that may be resident in MFT. This way we can find contents of malicious files/scripts. Find the contents of The malicious stager identified in Question3 and answer with the C2 IP and port.

PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv

 * use single quotes IOF the shell to properly interpret the $MFT variable

PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
 ...

TimeLineExplorer > File > Open > mft.csv
 Filters
  Parent Path: stage
  Created0x10: 2/13/2024
   23436   .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices     invoice.bat     2024-02-13 17:23:16    2024-02-13 16:38:39

 * Identify all potentially suspicious files related to the malicious ZIP by 
   examining MFT (Master File Table) records. Focus on files with suspicious 
   extensions (e.g., .exe, .dll, .js, .bat, .vbs) created or modified around 
   the same time as the ZIP download. These may indicate payloads or execution 
   artifacts from the ZIP

 * the column created0x10 contains original file metadata timestamps 
   (like created, modified, accessed, etc.). Often the first timestamps written.
 * the column created0x30 contains timestamps updated when the file is 
   renamed, moved, or otherwise interacted with in the file system.

TimeLineExplorer
 Filename: invoice.bat
 Entry Number: 23436
 Offset Formula: 1024 * 23436 = 23,998,464
 File Size: 286

PS C:\> BROWSER > https://www.rapidtables.com/convert/number/decimal-to-hex.html
 From: Decimal
 To: Hexadecimal
 Decimal Number: 23998464
 Hexadecimal: 16E3000 

 * each MFT record is 1024 bytes in size; multiply the entry value by 1024 to get the decimal offset
 * the batch file named invoice.bat is under 900 bytes, confirming it is a resident file stored directly within the MFT.

HexEditor > File > Open > $MFT
HexEditor > Go To > 16E3000 
 ...
 http://43.204.110.203:6666

PreviousBRUTUS (SSH)NextUNIT42 (SYSMON/EVENT LOGS)

Last updated 5 months ago