Sam
Investigation
We can use http.request.method == "GET" as a filter to look at the traffic that is most likely of interest for the initial vector of attack.This helped us learn that the attacker has one of their PowerShell scripts hosted at http://172.16.0.5:8080/jaws-enum.ps1, which is one clue. Following the conversation showed us the script information, which is Just Another Windows (Enum) Script, but there was no further information of interest.
Using the command cat sysmon.json | grep 172.16.0.5 -A10 -B10, I was able to see where the address was used in the system and the surrounding event information. We were immediately presented with Record 770, which was an event that had the destination of a PowerShell command as 172.16.0.5. The ProcessId is 5056, which is what we need to look for in the memory dump.
Running cat sysmon.json | grep 5056 -A10 -B10 next got us the parent process ID of 3888. Running the same command on that PID gave us the parent command line of \"C:\\Windows\\System32\\mshta.exe\" \"C:\\Users\\Sam\\Downloads\\sample_template.hta\" , so we know the initial vector of attack was through an HTA file. The parent process ID of the HTA command is 4568, which we can further pivot off of. Searching for that just shows that the user opened the file by clicking on it from the Windows Explorer application.
The PID 5056 comes with a lot of obviously base64-encoded text to execute the PowerShell script immediately from the command line. We are able to use CyberChef with From Base64 ~> Decode text (UTF-16LE) to obtain toe deobfuscated PowerShell code and get a better idea of what the attacker is doing. There was a further base64-encoded archive for obfuscation, but CyberChef FroM Base64 ~> Gunzip was able to decompress it.
Solutions
-
What is the attacker IP, and what is the port that they got a reverse shell on? (3 points)
Answer:
172.16.0.5, 80 -
What's the name of the malicious file that gave remote access to attacker? (4 points)
Answer:
sample_template.hta -
What is the process that has been called by the payload upon execution? (5 points)
Answer:
powershell.exe -
Knowing the payload name and process name, if the payload was generated by msfvenom, what would be the format option that the attacker would’ve used? (5 points)
Answer:
hta-pshReference: https://securiumsolutions.org/windows-hacking-with-hta-file-metasploit-framework/
-
What property in the executed script says that the process runs without using the operation system shell? (5 points)
Answer:
UseShellExecute -
What is the compression stream that has been used in the payload? (5 points)
Answer:
GzipStream -
From the SAM and SYSTEM file that has been exfiltrated, how many user’s hashes would’ve been identified? (5 points)
$ volatility -f WINADMIN.raw --profile Win7SP1x86 hashdump Volatility Foundation Volatility Framework 2.6 Administrator:500:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: IEUser:1000:aad3b435b51404eeaad3b435b51404ee:fc525c9683e8fe067095ba2ddc971889::: sshd:1001:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: sshd_server:1002:aad3b435b51404eeaad3b435b51404ee:8d0a16cfc061c3359db455d00ec27035::: Sam:1003:aad3b435b51404eeaad3b435b51404ee:3c1a570304d09f3327f43a967b97953f:::Answer:
6 -
What is the password of the SAM? (5 points)
Method: Ran
3c1a570304d09f3327f43a967b97953fthrough hashes.com.Answer:
StandardUser -
What is the password of the Admin? (5 points)
Method: Ran
fc525c9683e8fe067095ba2ddc971889through hashes.com.Answer:
Passw0rd! -
What is the port the attacker used to login to the system after cracking the passwords? (3 points)
Answer:
22 -
Are there any other scripts the attacker executed on the system? Find the name of the script (5 points)
Answer:
jaws-enum.ps1