
This walkthrough lab, based on the tryhackme.com Tempest room, outlines the process of a SOC Analyst responding to an alert and finding evidence of an attacker on a Windows endpoint.


KirkDJohnson/DFIR-Lab


Digital Forensics, Incident Response Lab

Description

In this lab, I conducted an investigation on a suspected intrusion using Sysmon logs and a packet capture. I started by processing the logs with Eric Zimmerman's tools, converting them into a .csv file for analysis in Timeline Explorer. The first step was to find the .doc file outlined in the scenario. Once the file was located, I traced back through the log and found the user "benimaru" and that the PID was 496. Using these details, I found that it made an outbound DNS request to the IP address 167[.]71[.]199[.]191, signaling potential further malware downloads. Further analysis revealed that the document initiated the execution of msdt.exe, followed by a script containing base64-encoded text. Decoding this text in CyberChef uncovered a command that connected to the domain phishteam[.]xyz, downloaded the file update.zip, unzipped it, executed it, and removed it. Open-source research indicated that this attack exploited a known vulnerability, likely using the .doc file as a dropper for additional malware. I followed the trail of processes spawned from update.zip, explorer.exe and the Startup folder as detailed in the vulnerability. This revealed a PowerShell command that contacted the same malicious domain, phishteam[.]xyz, to download first.exe. Although OSINT did not identify first.exe as a known malicious file, the context in which it was downloaded led me to consider it malicious. Further investigation showed that first.exe contacted another domain, resolvecyber[.]xyz, and downloaded ch.exe, which established a connection to the same IP address found earlier over port 8080. Obtaining the hash of the binary confirmed that ch.exe was the malware chisel, used for tunneling traffic. Switching to the packet capture, I used Brim to filter for HTTP traffic to resolvecyber[.]xyz. I found numerous encoded GET requests which, when decoded, revealed the attacker executing commands on the host, confirming that this was a C2 server.

The attacker's commands still focused on the user "benimaru", locating a PowerShell script containing a password and conducting a port scan. Upon reviewing the Sysmon logs again, I identified wsmprovhost.exe, likely part of the attacker's privilege escalation using WinRM. This process downloaded additional binaries, spf.exe and final.exe, from phishteam[.]xyz. OSINT identified these binaries as malicious, with final.exe linked to "printspoofer", a tool for privilege escalation. I also discovered that final.exe was communicating with resolvecyber[.]xyz over a different port, indicating the establishment of a second C2 server. Lastly in the logs, the attacker added persistence mechanisms, which included creating the new users "shuna" and "shion", giving them elevated privileges, and modifying registry keys to ensure final.exe would start on boot.

Utilities Used

  • Brim
  • Sysmon
  • Timeline Explorer
  • EvtxECmd
  • VirusTotal
  • CyberChef

Environments Used

  • Windows 10 VM

Lab Overview:

Scenario for the lab.

In the lab, I was provided a packet capture and Windows Event Viewer Sysmon logs. I decided to start the investigation by examining the Sysmon logs. Using EZ Tools (Eric Zimmerman's tools), I ran EvtxECmd to convert the event logs into a .csv file for processing in Timeline Explorer. This was done through PowerShell.

The lab scenario gave a hint, or a place to start the investigation: it mentioned that the malicious document has a .doc extension, so within Timeline Explorer I searched the Executable Info column for a file with a .doc extension and found one file that I wanted to investigate further.

Examining the log entry that contained the .doc file, I discovered the user logged in as benimaru and the PID of the file as 496. I then changed the filter to include the username, the PID and Event Code 22 to determine whether the file made any DNS requests outside the network, and found that it did contact the IP address 167[.]71[.]199[.]191.

That alone is cause for concern, as outbound connections can allow further malware to be downloaded. I continued investigating events by changing the filter to Parent PID 496 and Event Code 1 to see whether the document spawned any new processes, and found that it started the process C:\Windows\SysWOW64\msdt.exe followed by a script with base64-encoded text and what appears to be directory traversal. I used CyberChef to decode the base64 string and found it to be a command launched from ...\Start Menu\Programs\Startup which contacts the domain phishteam[.]xyz/02dcf07, downloads a file named update.zip, unzips it, runs it and removes it.
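The same pivot done in code: locate the .doc event, then filter on the PID and user for Event 22 DNS queries and Event 1 child processes, and follow parent-to-child links the way the later "move X into the parent process" steps do. This is an added example, not the lab's or EZ Tools' own code; the column layout is a simplified assumption rather than the exact EvtxECmd map, and every value except the user, PID 496, the msdt.exe path and the IP is a constructed placeholder.

```python
import csv
import io

# Constructed sample rows in a simplified EvtxECmd-like layout (an assumption,
# not the exact column map). The user, PID 496, the msdt.exe path and the IP
# come from the write-up; other PIDs, times and file names are placeholders.
SAMPLE_CSV = r"""TimeCreated,EventId,UserName,ProcessId,ParentProcessId,Image,Details
2022-06-20 17:50:01,1,TEMPEST\benimaru,496,4012,C:\PLACEHOLDER\docviewer.exe,opened EXAMPLE.doc
2022-06-20 17:50:03,22,TEMPEST\benimaru,496,,C:\PLACEHOLDER\docviewer.exe,QueryName: phishteam.xyz QueryResults: 167.71.199.191
2022-06-20 17:50:05,1,TEMPEST\benimaru,5216,496,C:\Windows\SysWOW64\msdt.exe,script with base64 text (elided)
2022-06-20 17:55:10,1,TEMPEST\other,6100,7000,C:\Windows\explorer.exe,unrelated activity
"""

def load_rows(csv_text):
    """Parse the CSV text into a list of dict rows, one per Sysmon event."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def find_doc_events(rows, ext=".doc"):
    """First step of the write-up: rows whose details mention a .doc file."""
    return [r for r in rows if ext in r["Details"].lower()]

def pivot_on_pid(rows, pid, user):
    """Second step: DNS queries (Event 22) made by the PID and child processes
    (Event 1 whose ParentProcessId is the PID), restricted to the same user."""
    mine = [r for r in rows if r["UserName"] == user]
    dns = [r["Details"] for r in mine
           if r["EventId"] == "22" and r["ProcessId"] == pid]
    children = [r["Image"] for r in mine
                if r["EventId"] == "1" and r["ParentProcessId"] == pid]
    return {"dns": dns, "children": children}

def process_chain(rows, root_pid):
    """Follow Event 1 parent->child links downward from root_pid; this is the
    repeated "move X into the parent process" pivot used throughout the lab."""
    chain, stack, seen = [], [root_pid], set()
    while stack:
        pid = stack.pop()
        if pid in seen:
            continue
        seen.add(pid)
        for r in rows:
            if r["EventId"] == "1" and r["ParentProcessId"] == pid:
                chain.append((pid, r["ProcessId"], r["Image"]))
                stack.append(r["ProcessId"])
    return chain
```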

After conducting some OSINT on this attack vector, I discovered a post explaining that it was a known vulnerability exploited via the Start Menu startup folder. This matched what was seen in the decoded command, and is likely the purpose of the .doc file as a dropper for further malware.

Now that part of the initial access had been discovered, I moved on to part two of the lab, where another hint was given: "The Autostart execution reflects explorer.exe as its parent process ID. Child processes of explorer.exe within the event timeframe could be significant. Process Creation (Event ID 1) and File Creation (Event ID 11) succeeding the document execution are worth checking". With this, I changed the Event Code to 11 and Payload 4 to include "startup", based on what we know about the vulnerability. This revealed the update.zip that we saw in the decoded base64 string.

Also, knowing that "The Autostart execution reflects explorer.exe as its parent process ID.", I changed Payload 4 to contain "explorer" and Event Code to 1 to discover any processes created by explorer, and came across PowerShell being executed as "-w hidden -noni certutil...", a common technique for running PowerShell without the user being aware. The PowerShell command contacted the malicious domain seen earlier, phishteam[.]xyz, and downloaded first.exe. Obtaining the hash of first.exe, I did not find any OSINT data signifying that it is a known malicious file or executable; however, due to the circumstances under which it was downloaded, I treated it as malicious.

Continuing down the attack chain, I changed first.exe to the parent process and Event Code back to 1 to see if it created any processes, and discovered further malicious actions. In particular, first.exe contacted a new domain, resolvecyber[.]xyz, and downloaded and ran ch.exe, which connected to the IP address 167.71.199.191 over port 8080, a port commonly used for HTTP traffic. I obtained the hash of ch.exe and, upon researching it, confirmed that it is malicious, specifically the tool chisel, used for tunneling C2 traffic through encrypted tunnels such as HTTPS.

With what appeared to be a Command and Control (C2) server being contacted by first.exe, I switched my focus to the packet capture to see what kind of traffic was made to the malicious domains and IP addresses. I used Brim/Zui for this task. Within Brim, I filtered for HTTP GET requests to the second malicious domain and potential C2 server, resolvecyber[.]xyz, and discovered numerous encoded GET requests over port 8080, the port on which we saw the connection.

I noticed that the GET requests have the same structure: they start with /9ab62b5?q= and the string that follows varies widely, which I found to be base64-encoded text. With this knowledge, I went through the GET requests, decoded them in CyberChef and realized that the attacker was executing commands on the host, confirming that this is a C2 server. Some of the most interesting and troubling commands/actions the attacker performed include discovering the users on the machine, focusing on the user benimaru, discovering a PowerShell script, automation.ps1, which included a password, and a port scan which showed many HTTP and HTTPS connections.

At this point I knew there was more to uncover, but I was stuck, so I went back to Timeline Explorer, filtered for Event Code 1 and User benimaru to see what processes were created after the establishment of the C2 server. I found that the service C:\Windows\system32\wsmprovhost.exe was run with -Embedding, followed by what appeared to be discovery commands, so I researched wsmprovhost and found it to be a LOLBin (living off the land binary), specifically associated with WinRM, which was used to authenticate and connect to the endpoint.

Once again, I moved wsmprovhost.exe to the parent process to see if it spawned any other processes, and found that it was used to download two additional binaries through PowerShell from the initial malicious domain phishteam[.]xyz: spf.exe and final.exe. Obtaining the hashes of these binaries, I found clear evidence that they were malicious, with final.exe specifically identified as "printspoofer". I conducted further OSINT on this and came across a GitHub repo which explains that it allows: "From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019." (https://github.com/itm4n/PrintSpoofer).

Interestingly, when inputting final.exe into Payload 3, it was making queries to the same C2 we saw earlier, resolvecyber[.]xyz. Going back to Brim, I realized I had overlooked that the commands were coming from two different ports, 80 and 8080, which indicates that there is a second C2 server, established by final.exe.
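The Brim step from the earlier section (decoding the /9ab62b5?q=<base64> GET requests) and the two-port observation above, done in code: parse Zeek/Brim-style http records, decode the q parameter, and group the decoded commands by destination port so that a second channel to the same host stands out. This is an added example, not code from the lab; only the host, path prefix, ports and server IP come from the write-up, while the record fields, client IP and commands are constructed.

```python
import base64
import json
from collections import defaultdict
from urllib.parse import quote, unquote, urlsplit

C2_HOST = "resolvecyber.xyz"   # second malicious domain from the write-up
URI_PREFIX = "/9ab62b5"        # fixed path seen in front of ?q=

def make_sample_log():
    """Constructed Zeek/Brim-style http NDJSON; commands and client IP are made up."""
    commands = [(8080, "whoami"), (8080, "net user"),
                (80, "type C:\\Users\\benimaru\\Desktop\\automation.ps1")]
    lines = []
    for port, cmd in commands:
        q = base64.b64encode(cmd.encode()).decode()
        if port == 80:                 # some clients percent-encode '=' and '+'
            q = quote(q, safe="")
        lines.append(json.dumps({"_path": "http", "id.orig_h": "10.0.0.5", "id.resp_h": "167.71.199.191",
                                 "id.resp_p": port, "method": "GET", "host": C2_HOST, "uri": f"{URI_PREFIX}?q={q}"}))
    lines.append(json.dumps({"_path": "http", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.9",  # noise
                             "id.resp_p": 80, "method": "GET", "host": "example.com", "uri": "/index.html"}))
    return "\n".join(lines)

def decode_q(uri):
    """Decoded command from a /9ab62b5?q=<base64> URI, or None if it does not match."""
    parts = urlsplit(uri)
    params = dict(kv.split("=", 1) for kv in parts.query.split("&") if "=" in kv)
    if parts.path != URI_PREFIX or not params.get("q"):
        return None
    raw = unquote(params["q"])        # unquote, not unquote_plus: '+' is base64 data
    raw += "=" * (-len(raw) % 4)      # restore padding if it was stripped
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:                # binascii.Error is a ValueError: not base64
        return None

def commands_by_port(ndjson_text, host=C2_HOST):
    """Decode every GET to the C2 host and group commands by destination port."""
    out = defaultdict(list)
    for line in ndjson_text.splitlines():
        rec = json.loads(line)
        if rec.get("_path") != "http" or rec.get("method") != "GET" or rec.get("host") != host:
            continue
        cmd = decode_q(rec["uri"])
        if cmd is not None:
            out[rec["id.resp_p"]].append(cmd)
    return dict(out)
```

Two keys in the result for one host is the signal the write-up describes: the same beacon pattern on ports 80 and 8080 means two separate channels, not one.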

I again moved final.exe into the parent process and Event ID to 1 to see if it spawned any other programs, and found that the attacker now appeared to be establishing persistence through different means. These included adding the users "shuna" and "shion" and adding them to the group "administrators". The other persistence mechanism appears to be adding a registry key to allow final.exe to start on boot.

Thoughts

This lab was exceptionally well put together. It was definitely one of the longer ones I have done, but it did a phenomenal job of showcasing the investigation from start to finish, including how an attacker would gain initial access, conduct discovery, and then add persistence. It did not touch on extraction or attacks on objectives, but it was still a marathon of a lab. I gained experience with EZ tools, which were surprisingly straightforward. I had the impression that DFIR tools were extremely complex, but with Timeline Explorer, I am much more confident and comfortable using them. Moreover, I have had much practice and exposure with Brim and conducting threat intelligence/OSINT, so that was also good practice to keep my skills sharp. The lab provided a few hints to put us on the right track but left the heavy lifting to us as SOC Analysts, which was also great. Overall, I really enjoyed this lab and seeing how an attacker downloads/drops so many different malicious files and creates multiple C2 servers rather than just one. Seeing data being tunneled through HTTP GET requests, further obfuscated with Base64 encoding, was very interesting, which makes me consider examining any suspicious web traffic as it can be tunneling commands used to add persistence to your endpoints.
