Mission 14 (10 pts). What is the executable (.exe) file? How could it be used?
- If we do a search of the entire file system looking for .exe files, we see a lot of files returned back
- From the above output, there are two files that seem interesting as there is no further direction provided in the mission. The two files are:
/var/ftp/oswinsck.exe
/opt/CybatiWorks/Labs/volatility/CybatiWorks-1/ControlFLASH.exe - The first file “oswinsck.exe” appears to come from: http://www.ostrosoft.com/oswinsck.aspx. This could be useful to test network connections as a wrapper to the Windows Winsock API.
- The second file “ControlFLASH.exe” appears to be the ApacheBench command line utility based on the PDFs with the VirusTotal information for this binary. The ApacheBench program is also used as a default template with MetaSploit for an attack. The program “ControlFlash.exe” is a legitimate Rockwell Automation program, but based on the file information in the PDFs, does not appear to be the real program. It appears that an attacker provided this custom version of ControlFlash.exe to an organization. The attacker may have used this program in an attack and was able to establish a MetaSploit session. From there, the attacker was able to find various RSLogix program files (.RSS files) on an engineering workstation. These observations were based on the screenshots in the same folder.
No comments:
Post a Comment