Boogeyman 3
The Boogeyman emerges from the darkness again.
CONTEXT
Challenge Link: TryHackMe - Boogeyman 3
I. Background
Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.
1. Incident
The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

2. Initial Investigation
Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.

In addition, the security team also observed a file inside the ISO payload, as shown in the image below.

Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.
II. Artifacts
1. THM AttackBox
Several services are running on the AttackBox for this room, mainly for the hosted ELK Stack application:

This means TCP port 9200 should be the Elastic API.
2. Elastic API
Windows Event Logs appear to have been ingested into the platform:
The following JSON query was used to get an overview of what the analyst will be dealing with:
Of the first 10000 process creation logs within the specified timeframe, the bulk were generated by evan.hutchinson and allan.smith:
Looking at the number of endpoints with process creation logs, more than half were generated on WKSTN-0051, which is assumed from here on to be the workstation of evan.hutchinson:
ANALYSIS
For this section, the following JSON query is used, with the value of user.name changed depending on the user being investigated:
I. WKSTN-0051
Upon execution of the HTA file (PID 6392), three new processes were spawned:
The HTA copies an implant into the filesystem and calls the DllRegisterServer export of review.dat via rundll32.exe. It then creates a scheduled task named Review, presumably for persistence:
To trace what review.dat does, the related PIDs were searched:
Based on the sequence of user enumeration commands and the eventual execution of fodhelper.exe, an auto-elevating binary commonly abused for UAC bypass on Windows 10, the attacker appears to have gained local administrator privileges on WKSTN-0051 as the user evan.hutchinson.
Note that the last execution discovered above is a lateral movement attempt to WKSTN-1327 as allan.smith. For now, looking at the executions spawned from fodhelper.exe:
It takes a base64-encoded string from the registry and runs it via PowerShell. The decoded command can be recovered from the logs by following the execution:
It is an Empire stager that calls back to cdn.bananapeelparty.net:80 or 165.232.170.151:80:
Following the commands associated with the Empire stager, the attacker performed enumeration against the domain, then downloaded and executed mimikatz.exe, which allowed them to authenticate as itadmin via Pass-the-Hash:
II. WKSTN-1327
Using Invoke-ShareFinder from PowerView.ps1, the attacker appears to have discovered credentials for allan.smith in a file named IT_Automation.ps1 and used them to execute commands on WKSTN-1327 remotely via Invoke-Command:
Another Empire stager was executed on the new workstation using the same method:
To confirm that the Invoke-Command executions succeeded: the commands were spawned by wsmprovhost.exe, the WinRM host process, meaning the attempt went through:
allan.smith appears to be a local administrator on the workstation, and the attacker leveraged this to dump credentials with a downloaded mimikatz.exe, this time revealing the NTLM hash of the Domain Administrator account, Administrator:
The Empire stager was run again, and the attacker used Invoke-Command once more to execute commands remotely on DC01 and to establish persistence via schtasks.exe on WKSTN-1327:
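As an added example (not part of the write-up or the room), the following Python turns the indicators discussed above, rundll32.exe calling DllRegisterServer on review.dat, the Review scheduled task, fodhelper.exe spawning encoded PowerShell, and children of wsmprovhost.exe from Invoke-Command, into detection rules run over Sysmon-style process-creation events. The events, their parent processes and command lines are constructed to mirror the write-up, and the encoded payload is a harmless placeholder rather than the stager.

```python
import base64
import re
from typing import Dict, List, Optional

# Constructed Sysmon-style process-creation records modelled on the write-up
# (not the room's actual logs); the encoded payload is a harmless placeholder.
ENCODED = base64.b64encode("Write-Output 'placeholder'".encode("utf-16le")).decode()
EVENTS: List[Dict[str, str]] = [
    {"ts": "2023-08-29T23:51:15", "host": "WKSTN-0051", "parent": "mshta.exe",
     "image": "rundll32.exe", "cmd": r"rundll32.exe C:\ProgramData\review.dat,DllRegisterServer"},
    {"ts": "2023-08-29T23:51:16", "host": "WKSTN-0051", "parent": "mshta.exe",
     "image": "schtasks.exe", "cmd": r"schtasks.exe /create /tn Review /sc ONLOGON /tr C:\ProgramData\review.dat"},
    {"ts": "2023-08-29T23:54:50", "host": "WKSTN-0051", "parent": "fodhelper.exe",
     "image": "powershell.exe", "cmd": f"powershell.exe -NoP -W Hidden -Enc {ENCODED}"},
    {"ts": "2023-08-30T00:21:52", "host": "WKSTN-1327", "parent": "wsmprovhost.exe",
     "image": "powershell.exe", "cmd": "powershell.exe -NoP whoami"},
]

def decode_encoded_command(cmd: str) -> Optional[str]:
    """Recover the script behind -EncodedCommand (base64 of UTF-16LE), or None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", cmd, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the detection tags that fire for one process-creation event."""
    tags: List[str] = []
    image, parent, cmd = ev["image"].lower(), ev["parent"].lower(), ev["cmd"]
    # rundll32 calling DllRegisterServer from a file that is not a .dll (review.dat)
    if image == "rundll32.exe" and re.search(r"\.(?!dll\b)\w+\s*,\s*DllRegisterServer", cmd, re.I):
        tags.append("rundll32_dllregisterserver_non_dll")
    # scheduled task creation right after the HTA ran: persistence
    if image == "schtasks.exe" and re.search(r"/create\b", cmd, re.I):
        tags.append("schtasks_create")
    # fodhelper.exe auto-elevates and should never spawn PowerShell
    if parent == "fodhelper.exe" and image == "powershell.exe":
        tags.append("fodhelper_uac_bypass")
        if decode_encoded_command(cmd) is not None:
            tags.append("encoded_powershell")
    # wsmprovhost.exe hosts WinRM sessions: its children came from Invoke-Command
    if parent == "wsmprovhost.exe":
        tags.append("winrm_remote_execution")
    return tags

def hunt(events: List[Dict[str, str]]) -> List[tuple]:
    # chronological (timestamp, host, tags) for events that fired at least one rule
    return [(e["ts"], e["host"], classify(e)) for e in sorted(events, key=lambda e: e["ts"]) if classify(e)]
```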
III. DC01
Confirming the remote executions on DC01 via Invoke-Command: everything went through, including an Empire stager:
The attacker performed a DCSync attack via mimikatz.exe on another Domain Administrator, backupda:
A callback to the Empire C2 was then established using the Domain Administrator account on both WKSTN-0051 and WKSTN-1327:
IV. Ransomware
With full control of the QUICKLOGISTICS.ORG domain, the attacker downloaded and executed a suspicious file, ransomboogey.exe, on DC01 and on WKSTN-1327. The ransomware was also downloaded on WKSTN-0051, but there were no signs of execution there:
An execution of ransomboogey.exe by itadmin could also be seen on WKSTN-1327:
TIMELINE OF EVENTS
2023-08-29 23:51:15
Execution of the malicious HTA file.
2023-08-29 23:51:16
Established persistence on WKSTN-0051 via Scheduled Task.
2023-08-29 23:54:50
WKSTN-0051 calls back to the Empire C2 server.
2023-08-30 00:09:57
Download of mimikatz.exe on WKSTN-0051.
2023-08-30 00:11:26
First seen execution of mimikatz.exe on WKSTN-0051.
2023-08-30 00:19:52
Credentials of allan.smith found in IT_Automation.ps1.
2023-08-30 00:21:52
Execution of Empire stager on WKSTN-1327 from WKSTN-0051.
2023-08-30 01:29:09
Download of mimikatz.exe on WKSTN-1327.
2023-08-30 01:30:25
First seen execution of mimikatz.exe on WKSTN-1327.
2023-08-30 01:31:39
Pass-the-Hash using the Domain Administrator on WKSTN-1327.
2023-08-30 01:45:41
Execution of Empire stager on DC01 from WKSTN-0051.
2023-08-30 01:46:18
Download of mimikatz.exe on DC01.
2023-08-30 01:47:57
DCSync attack on the Domain Administrator user, backupda.
2023-08-30 01:53:13
Download of ransomboogey.exe on DC01.
2023-08-30 01:53:33
Execution of ransomboogey.exe on DC01 by Administrator.
2023-08-30 01:56:40
Last download of ransomboogey.exe on WKSTN-1327.
2023-08-30 01:59:36
First download of ransomboogey.exe on WKSTN-0051.
2023-08-30 02:06:09
Empire stager execution as DA on WKSTN-0051.
2023-08-30 02:06:25
Empire stager execution as DA on WKSTN-1327.
2023-08-30 02:07:22
Execution of ransomboogey.exe on WKSTN-1327 by itadmin.