Probably my last Xintra Lab. Quite guessy; the hints don’t actually help, and the answers are very different from what we see in the labs. Overall it cultivates the “Dig Harder” mindset and teaches some tools, but that’s about it.
Background
On the 8th April 2023, the CISO received an email from USCert stating that a malicious IP, 4.198.67.125, linked with the nation-state threat actor APT29, had been observed interacting with the company network.
Determine:
- Was sensitive IP accessed and/or exfiltrated?
- Was the compromise successful?
- What did the threat actors do?
Notes:
- A new employee "Sombra" was hired during this period
- The IT team have blocked the IP at the firewall
- The security teams have run Defender scans on all hosts to remove malware
Network
1️⃣ N-Day Exploitation
Question 1
What was the earliest timestamp seen from the attacker's IP address we got in the scoping notes?
We check the various logs for the presence of the IP address 4.198.67.125. We see network traffic happening on 2nd April 2023.
Select the left most portion of the graph to narrow down to the earliest timestamp.
Answer: 2023-04-02 02:36:07
Question 2
What user account were the attackers targeting when performing the exploit that gave them initial access into the environment?
Doing a quick search, it’s targeting CVE-2022-41040/CVE-2022-41082 or the ProxyShell CVEs (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207).
We look at the ExchangeIIS logs and search for autodiscover.json.
Looking at the message, there is a base64 encoded payload. Base64 decode the payload to get the username.
Answer: Administrator
Question 3
Out of the four CVEs below which was being successfully used for exploitation by the attacker?
We find PoCs for CVE-2022-41040/CVE-2022-41082 or the ProxyShell CVEs (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207). The only valid value among the options is CVE-2021-34473.
Answer: CVE-2021-34473
Question 4
What was the first host that was targeted by the attacker for exploitation?
Looking at the IP address of the same event, it’s 10.0.0.5. Referring to the Network Diagram, it’s MAIL01.
Answer: MAIL01
Question 5
What was the first name of one of the secret new mailbox accounts created by the threat actor on the mail server?
It’s actually creating a user account, not a mailbox account.
Search in Windows Event Logs for user account creation (4720)
Search for the user that was created by MAIL01$, which is the administrator account of the MAIL01 machine that got compromised; the target user that got created was eaves.
This activity can also be found in the azure-audit-logs: this created a new Azure user, which then creates a new mailbox. There’s another user creation event, but this is a local user, which does not result in a mailbox being created.
You can also find it in the PS ConsoleHost_History file.
Answer: eaves
Question 6
Did the attackers attempt to upload anything during initial exploitation? If so what was the file extension?
Look at inetpub to find any uploaded files on the server. We also see several files in C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth.
Answer: .aspx
Question 7
What Mailbox PowerShell cmdlet was used to create the "webshells" used in the ProxyShell CVE-2021-31207 exploit?
Search for the write up on CVE-2021-31207:
New-MailBoxExportRequest -Mailbox john.doe@enterprise.corp -FilePath \\127.0.0.1\C$\path\to\webshell.aspx
It can also be found in MSExchange Management.evtx.
Answer: New-MailBoxExportRequest
Question 8
How did the attackers hide the dropped files on MAIL01? What was the PowerShell cmdlet used to perform clean up?
In the same .evtx logs.
Answer: Remove-MailboxExportRequest
Question 9
What was the PowerShell cmdlet used when the attackers escalated privileges by assigning permissions on MAIL01 when performing the ProxyShell exploitation?
Answer: New-ManagementRoleAssignment
2️⃣ Webshells
Question 1
When was the webshell "download.aspx" uploaded to Mail01 server?
Go to the Filesystem index and search for the filename. Look at the created timestamp.
Answer: 2023-04-11 06:00
Question 2
Can you identify one location where these webshells were installed on the server? E.g. C:\Users\XINTRA\Desktop\
Question 3
How many unique named webshells were uploaded by the attacker?
Use MFT viewer to analyze the file path in question 2
Question 4
What is an interesting name/agent associated with the attacker's device that could be used as an indicator of compromise?
Look at the proxylogs to find the user agent
The answer is not the user agent itself, but the useragentinfo.device field.
Answer: Spider
Question 5
Can you decode the webshell kzNpYqWU6R.aspx and answer what DOCUMENT was embedded inside this webshell?
Looking at the magic bytes of the file, it’s !BN, which is a Microsoft Outlook Personal Storage Table file.
We rename the file to .pst and open it using XstReader.
Answer: cupiditate-deserunt.docx
Question 6
Which one of these is a directory that was interacted with through a webshell?
Finding the different webshells in cs_uri_stem, we find download.aspx with a cs_uri_query containing a Windows path.
Answer: C:\Windows\Temp
Question 7
On MAIL01 what staging folder was used by the attacker?
Using the same screenshot as in question 8.
Answer: C:\Windows\Temp\Tools
Question 8
What file did the attackers attempt to exfiltrate through the download.aspx webshell?
We analyze download.aspx to see its functions. Downloading files would use a get parameter. Look at the IIS logs to see what commands were issued to download.aspx with get.
Answer: Upload.zip
3️⃣ Credential Dumping
Question 1
What time was NTDS.dit extracted from DC01?
NTDS.dit cannot be accessed directly because it is always in use. Attackers must make a copy of it, or obtain it from a Volume Shadow Copy.
Search for file accesses to NTDS.dit. Extract the MFT using MFTECmd:
MFTECmd.exe -f "C:\Labs\Evidence\AssassinKitty\TriageImages\Triage_DC01\C\$MFT" --csv "output"
Analyze the output with Timeline Explorer. We see ntds.dit in an unusual folder, extract.
Answer: 2023-04-09 03:29:08
Question 2
What was the process that was used to perform the extraction of ntds.dit? E.g. notepad.exe
Search for either vssadmin or ntdsutil:
vssadmin create shadow /for=C:
ntdsutil "activate instance ntds" "ifm" "create full C:\Temp" quit quit
And we found vssadmin.
Answer: vssadmin.exe
Question 3
What folder was NTDS.dit exported to?
According to Question 1
We can confirm this by looking at the Triaged Image
Answer: C:\extract
Question 4
What time was the dump of the lsass.exe process created on MAIL01?
Look for lsass.dmp in the MFT of MAIL01.
Answer: 2023-04-08 01:36:04
Question 5
What was the directory of the lsass process dump on PC01?
Look for lsass.dmp in the MFT of PC01.
4️⃣ Malware & Persistence
Question 1
What was the name of the attacker created account on PC01?
Search for user creation events (4720) on PC01. There’s only 1 hit.
Answer: pcmanage
Question 2
What was the WindowsUpdateAssistant.exe binary identified as?
Search for event ID 1116, which is logged when Microsoft Defender detects a malicious file, and find WindowsUpdateAssistant.exe.
Answer: VirTool:Win64/Havokiz.D!MTB
Question 3
What was the executable werfault.exe detected as?
Same approach as above
Answer: Backdoor:Win64/CobaltStrike.NP!dha
Question 4
What was the name of the malicious .lnk file quarantined by defender on PC02?
Same approach as above
Answer: Notepad.lnk
Question 5
What URL does the malicious scheduled task on ADFSSERVER reach out to?
Search for Scheduled Task creation event id 4698, and filter out the \Microsoft\Windows tasks. We investigate PowerShellUpdate and see the IP address in the payload_data.
Answer: http://20.92.20.220:80/b
Question 6
What was the name of the malicious scheduled task created on PC02?
Search the same query as above but for computer pc02. Analyze the contents of WindowsUpdateAssistant. Paste it in CyberChef to format it nicely, and we see that it executes WindowsUpdateAssistant.exe on start up.
Answer: WindowsUpdateAssistant
Question 7
What was the name of the binary used in the previously identified malicious scheduled task created on PC02?
Looking at the screenshot in question 6
Answer: WindowsUpdateAssistant.exe
Question 8
On PC02 what time was C:\Windows\system32\WindowsUpdateAssistant.exe deleted?
We can find file deletion events in the FileSystem log.
Answer: 2023-04-10 04:40:42
Question 9
What user created the malicious lnk file on PC01?
In the FileSystem log, search for when the file was created; it was around 11th April. Now we search the PowerShell transcripts of users during that period, and we find that winston created the file.
Answer: assassinkitty\winston
Question 10
What was the executable directory and name for the malicious shortcut lnk file?
Looking at the PowerShell transcript in screenshot for Question 9
Answer: C:\Windows\SystemApps\notepad.exe
Question 11
When was the malicious binary used in the shortcut/lnk file deleted on PC01?
Search for delete events of notepad.lnk; it happened around April 11 2023. The first 3 delete events are related to PC01.
Answer: 2023-04-11 08:29:33
Question 12
What was the binary name of the malicious service installed on DC01?
Search for service installed event id 7045 on DC01.
Answer: PowerShellUpdater.exe
Question 13
What was the service name of the malicious service identified on DC01?
Search for the PowerShell transcripts
Answer: PowerShell updater
Question 14
What was the name of the malicious scheduled task created on ADFSserver?
Search for Scheduled Task creation event id 4698 on ADFS.
Answer: PowerShellUpdate
Question 15
Check the WMI Operational event logs on MAIL01 and extract the beacon URL for the malware
Search for event id 5861 (Microsoft-Windows-WMI-Activity/Operational)
Answer: http://20.92.20.220:80/a
Question 16
What was the name of the registry key used for persistence that would run werfault.exe on PC01?
Referring to question 3, we check what activity was detected by Defender as malicious, and find the registry key path
Answer: faultChecker
5️⃣ Lateral Movement
Question 1
What was the earliest date Winston accessed files inside \\DC01\\KittyShare on PC02?
Search for event id 5145 (A network share object was checked to see whether client can be granted desired access) on the share kittyshare by user winston. Look for the earliest date.
We can also search for Recent Documents on winston.
Answer: 2023-04-09
Question 2
What tool was used to facilitate lateral movement from DC01 to PC01?
Search for network drive accesses to PC01 from 10.0.0.4, which is the IP address of DC01.
Answer: PsExec.exe
Question 3
Wmiexec.py was used to laterally move between which two hosts?
Python scripts including wmiexec.py were found on MAIL01. Look at what processes wmiexec.py would spawn. This is enabled by SMB connections, so we search for network connections being started from MAIL01, and see that the only distinct computer being connected to is DC01.
Answer: Mail01 to DC01
Question 4
What user account was being used in the wmiexec.py lateral movement?
Format: Assassinkitty\Admin
Using the same query as Question 5, search for the subject user name.
Winston is accessing SYSVOL files on DC01, so we look at the activity of henry, which is accessing the root Windows folder of DC01 and more closely resembles WMI activity.
Answer: assassinkitty\henry
6️⃣ Golden SAML
Question 1
What was the target username for the pass-the-hash attempt in the environment?
Search for logon type 9 (runas, network auth) and TargetOutboundUsername. Or also search for payload.event_data.LogonProcessName: seclogo.
Answer: aadcsvc$
Question 2
What day did Golden SAML attack begin on ADFSServer?
When performing a golden SAML attack, an adversary must first gain administrative privileges on the ADFS server through additional Lateral Movement and Privilege Escalation. Once these privileges are obtained, the attack will proceed according to the following steps.
On the ADFS server, look at the powershell transcript logs
In one of the files, we see activity related to dumping keys (step 1)
Answer: 2023-04-10
Question 3
What tool was used by the threat actors to forge SAML tokens after the Golden SAML attack took place?
In the same transcript file
Answer: AADInternals
Question 4
What was the directory used to store the extracted certificate from the Golden SAML attack?
View MFT data to find creation of .pfx files.
Answer: C:\Windows\Temp
Question 5
What two user accounts were targeted during the Golden SAML attack and should be assumed as compromised?
Search for PowerShell transcripts and console log history.
They contain get-aduser commands that target certain users.
Answer: henry and sombra
7️⃣ OAuth Abuse
Question 1
OAuth abuse occurred; which user's email consented to the application?
We search the Azure Audit Logs for Activity: Consent to application. We look at the following fields to see who successfully consented to OfficeApplication.
Answer: winston@assassinkitty.com
Question 2
Which of the following permissions were granted via the OAuth malicious application?
Check the data to see the permissions granted
Question 3
What is the redirect URL that was used by the malicious application for OAuth abuse?
We get the Application ID of the application that winston consented to, which is target object ID fa2bbd9e-6f9b-4b15-ba88-f3923dd47e5c. We then search for activities surrounding this application ID.
Look at the entry for adding service principal, which indicates it’s creating a new application.
Answer: https://20.92.20.220:5000/getAToken
8️⃣ Email Compromise
Question 1
In the Azure command line logs on the ADFSServer what was the only command that was successful?
Search for the .azure folder in the user folder, which shows a history of commands run on the Azure CLI. Search for commands with exit code: 0. Technically another command also succeeded.
Answer: keyvault list
Question 2
What was the subject of the email sent by winston@assassinkitty.com?
Search for Send operations in the Office 365 logs.
Answer: Introductions
Question 3
Which user opened the malicious email sent by winston@assassinkitty.com?
Search for MailItemsAccessed (how do you know if sombra opened the EXACT email sent by winston….?)
Answer: sombra@assassinkitty.com
9️⃣ Defensive Evasion
Question 1
What was the first time defender was disabled on DC01?
Search for event ID 5007 (antimalware configuration change) on DC01 and search for disabling events. Or search the PowerShell transcripts to find disabling events.
Answer: 2023-04-08 03:48:13 (likely a typo since it’s 20230408134813 in the PowerShell Transcript)
Question 2
What was the name of executable tool used to timestomp files?
Look at the PowerShell transcript logs on MAIL01.
Answer: AppExtension.exe
Question 3
What timestamp were the webshells timestomped to?
Answer: 2021-02-20 17:56:34
Question 4
What time was the timestomping performed by the attackers on the file 6XgVzNz5bd6.aspx?
Search for when AppExtension.exe was first spawned.
Answer: 2023-04-12 06:42:00
Question 5
How many files were deleted using SDELETE on Mail01?
Search for process spawning of sdelete. Or parse the $Extend\$J file with MFTECmd and search for the pattern of data that is indicative of sdelete.
Answer: 3
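An added example, not code from the lab or the writeup: the $J check above as a script. SDelete renames a file once per letter (AAAAAAAA.AAA through ZZZZZZZZ.ZZZ) before deleting it, so an MFT entry with that rename run followed by a FileDelete record is a wiped file; that is the tool's documented behaviour, not something this page shows. The CSV column names are assumed from MFTECmd's $J export and the records are constructed.

```python
import csv
import io
import re
from collections import defaultdict

# SDelete renames a file 26 times before deleting it, once per letter
# (AAAAAAAA.AAA, BBBBBBBB.BBB, ... ZZZZZZZZ.ZZZ), so the USN journal holds a
# run of RenameNewName records with these names, then a FileDelete record.
SDELETE_NAME = re.compile(r"^([A-Z])\1{7}\.\1{3}$")
USN_HEADER = "Name,EntryNumber,SequenceNumber,ParentPath,UpdateTimestamp,UpdateReasons"


def sdelete_victims(usn_csv, min_passes=20):
    """Return (parent_path, original_name, delete_time) for each MFT entry whose
    $J records show the SDelete rename run followed by deletion. Column names
    follow MFTECmd's $J export (an assumption; adjust for your version)."""
    tracks = defaultdict(lambda: {"orig": None, "letters": set(),
                                  "deleted": None, "path": ""})
    for row in csv.DictReader(io.StringIO(usn_csv)):
        t = tracks[(row["EntryNumber"], row["SequenceNumber"])]
        t["path"] = row["ParentPath"]
        reasons, name = row["UpdateReasons"], row["Name"]
        m = SDELETE_NAME.match(name)
        if m and "RenameNewName" in reasons:
            t["letters"].add(m.group(1))          # one pass of the wipe
        elif not m and t["orig"] is None:
            t["orig"] = name                      # the real file name
        if "FileDelete" in reasons:
            t["deleted"] = row["UpdateTimestamp"]
    return [(t["path"], t["orig"], t["deleted"]) for t in tracks.values()
            if t["deleted"] and len(t["letters"]) >= min_passes]


def build_sample():
    """Constructed $J excerpt (not lab data): two files wiped with SDelete and
    one ordinary rename-then-delete that must not be counted."""
    rows = [USN_HEADER]

    def add(name, entry, ts, reasons, path=r".\Windows\Temp\Tools"):
        rows.append(f"{name},{entry},1,{path},{ts},{reasons}")

    for entry, orig in ((4101, "tool.exe"), (4102, "lsass.dmp")):
        add(orig, entry, "2023-04-12 06:50:00", "RenameOldName")
        for i, ch in enumerate("ABCDEFGHIJKLMNOPQRSTUVWXYZ"):
            add(ch * 8 + "." + ch * 3, entry, f"2023-04-12 06:50:{i:02d}",
                "RenameNewName|Close")
        add("ZZZZZZZZ.ZZZ", entry, "2023-04-12 06:50:26", "FileDelete|Close")
    add("notes.txt", 4103, "2023-04-12 07:00:00", "RenameOldName")
    add("notes_old.txt", 4103, "2023-04-12 07:00:00", "RenameNewName|Close")
    add("notes_old.txt", 4103, "2023-04-12 07:05:00", "FileDelete|Close")
    return "\n".join(rows)


if __name__ == "__main__":
    for path, name, when in sdelete_victims(build_sample()):
        print(f"{when}  {path}\\{name}  wiped with SDelete")
```

Point `sdelete_victims` at the text of a real MFTECmd $J CSV to get the per-file count the question asks for; `min_passes` tolerates a journal that has wrapped and lost a few early rename records.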
Question 6
What was the first date the timestomped file 6XgVzNz5bd6.aspx was interacted with through the Proxy?
Search the ExchangeIIS logs.
Answer: 2023-04-08
🔟 Registry Timestomping
Question 1
What time did the attackers attempt to timestomp the Machine\Software\Microsoft\Windows\CurrentVersion\Run registry on MAIL01 to?
PowerShell history of winston
Answer: 2021-02-20 10:56:34
Question 2
What was the name of the executable used for registry timestomping on MAIL01?
Screenshot above
Answer: adbapi.exe
🔟 + 1️⃣ Exfiltration
Question 1
What was the filename of the file that was downloaded by the attacker through one of the webshells?
Search the ExchangeIIS logs for interactions with the .aspx webshells and find suspicious queries.
Answer: Upload.zip
Question 2
On PC02 what was the name of the installation file for a cloud file hosting tool used for exfiltration?
Check the desktop of winston.
Answer: MEGAsyncSetup64.exe
Question 3
What is the email associated with this cloud tool on PC02?
Check the MEGASync logs
Answer: ceyoma7119@marikuza.com
Question 4
According to the logs on PC02 what time was KittyDB.json added to the upload queue for exfiltration?
Answer: 04-11-2023 05:24:53
Question 5
On DC01 what was the name of the installation file for a cloud file hosting tool used for exfiltration?
Answer: OneDriveSetup.exe
Question 6
What time was upload.zip downloaded from Mail01 through the webshell?
Answer: 2023-04-11 06:09:25
Question 7
What is the email associated with the exfiltration tool used on DC01?
Use RegRipper to rip NTUSER.DAT.
Apparently the answer is the same as Question 3??? Terrible..
Completion
Learning Points
- Inspect scripts and find out what processes are being spawned there
- PtH can be detected with logon type 9 and LogonProcessName: seclogo
- Check both PowerShell Transcripts as well as ConsoleHost_history.txt:
C:\Users\winston\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline
C:\Users\winston\Documents\PowerShellTranscript
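As an added example (not the lab's or the writeup's own code), the logon type 9 plus seclogo check from the learning points, run over Security 4624 records in EVTX XML form. The records, host names and accounts are constructed, not lab data.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text):
    """Flatten one EVTX XML record: System fields plus each EventData <Data Name=...>."""
    root = ET.fromstring(xml_text)
    fields = {
        "EventID": root.findtext("e:System/e:EventID", namespaces=NS),
        "TimeCreated": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "Computer": root.findtext("e:System/e:Computer", namespaces=NS),
    }
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name")] = data.text or ""
    return fields


def pth_candidates(xml_records):
    """4624 logons with LogonType 9 (NewCredentials) and LogonProcessName seclogo,
    the pattern the writeup uses for the pass-the-hash attempt. A legitimate
    runas /netonly looks identical, so every hit is a triage candidate."""
    hits = []
    for rec in map(parse_event, xml_records):
        if rec["EventID"] != "4624" or rec.get("LogonType") != "9":
            continue
        if rec.get("LogonProcessName", "").strip().lower() != "seclogo":
            continue
        hits.append({
            "time": rec["TimeCreated"], "host": rec["Computer"],
            "subject": rec.get("SubjectDomainName", "") + "\\" + rec.get("SubjectUserName", ""),
            # the account whose credentials were supplied for outbound connections
            "outbound": rec.get("TargetOutboundDomainName", "") + "\\" + rec.get("TargetOutboundUserName", ""),
        })
    return hits


def make_4624(time, computer, logon_type, process, subject, outbound=("-", "-")):
    """Constructed Security 4624 record (not lab data) carrying the fields read above."""
    data = {"SubjectUserName": subject[1], "SubjectDomainName": subject[0],
            "LogonType": logon_type, "LogonProcessName": process,
            "TargetOutboundUserName": outbound[1], "TargetOutboundDomainName": outbound[0]}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4624</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Computer>{computer}</Computer></System>'
            f'<EventData>{body}</EventData></Event>')


# Constructed sample: one seclogo/type-9 logon among ordinary network and interactive logons.
SAMPLE = [
    make_4624("2023-04-10T02:15:00Z", "ADFS01", "9", "seclogo", ("LAB", "alice"), ("LAB", "svc_adsync$")),
    make_4624("2023-04-10T02:16:00Z", "ADFS01", "3", "Kerberos", ("LAB", "bob")),
    make_4624("2023-04-10T02:17:00Z", "WS01", "2", "User32", ("LAB", "alice")),
]

if __name__ == "__main__":
    for hit in pth_candidates(SAMPLE):
        print(f'{hit["time"]} {hit["host"]}: {hit["subject"]} -> {hit["outbound"]}')
```

The `outbound` field is the TargetOutboundUserName the writeup points at; the subject is the interactive account that performed the runas-style logon.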