Investigating Windows Scenario
Last updated
Last updated
After successfully executing a phishing attack, the threat actor tricked an employee into downloading a malicious executable file, gaining control over the victim's machine.
The attacker disabled Windows Defender's real-time monitoring using Set-MpPreference -DisableRealtimeMonitoring $true, likely to avoid detection while executing malicious activities such as malware deployment or data exfiltration.
The attacker then attempted to establish persistence by creating a service named svehosts and proceeded to download a file called shell.ps1 onto the system.
This command creates a malicious Windows service that automatically downloads and executes a PowerShell script from the attacker's server.
When the system starts, the service:
Launches cmd.exe.
Executes PowerShell to download shell.ps1 from 192.168.1.100.
Runs the malicious PowerShell script, potentially establishing remote access.
The attacker then attempted to create a service named "update" to replicate the functionality of "svehosts" service.
Next, The attacker attempted to modify an existing Windows service (notepad.exe) to execute a malicious PowerShell command upon system startup.
This command modifies an existing Windows service (notepad.exe) to execute a malicious payload instead of its intended function. It replaces the service's execution path with a PowerShell command that downloads shell.ps1 from 192.168.100.24 and executes it, potentially establishing a reverse shell.
Then, the attacker set up an HTTP server and utilized the Invoke-WebRequest PowerShell cmdlet to download a file named scvhost.exe onto the compromised system.
The attacker attempted to download an executable file named scvhost.exe and save it to the directory C:\Program Files.
We then applied a filter for this executable file to analyze the attacker's actions and determine its intended purpose.
The attacker attempted an AS-REP Roasting attack on the Windows Active Directory environment.
It enumerates Active Directory accounts that have the Do not require Kerberos preauthentication setting enabled.
Extracts AS-REP response hashes for those accounts.
Saves the hashes in Hashcat format for offline password cracking.
The attacker can then use Hashcat to brute-force weak passwords.
The attacker then attempted to automate an FTP connection to 192.168.200.124 on port 4444. Upon establishing the connection, they attempted to execute cmd.exe, potentially enabling remote command execution on the target server. This behavior is commonly associated with malicious activity, where attackers leverage FTP to establish a reverse shell or exfiltrate sensitive data.
He attempted to establish a reverse shell, but this time, he encoded the command.
We extracted this command and decoded it using CyberChef.
Then the attacker attempted to establish a reverse shell on port 4444 before switching to port 8080.
Next, the attacker attempted to bypass security restrictions by forcing PowerShell to execute scripts without limitations, disregarding any policies that might prevent script execution.
After this, he attempted to enumerate Active Directory users who do not require Kerberos pre-authentication.
The attacker then attempted to download a tool named Rubeus from the HTTP server they configured, saving it to the C:\Temp directory.
The attacker downloaded this tool intending to perform an AS-REP Roasting attack but did not execute it. Instead, they prioritized establishing persistence by creating user accounts and scheduled tasks. Let's examine this further.
Next, the attacker created a user named "admin."
He then attempted the AS-REP Roasting attack again, this time utilizing the Rubeus tool to extract hashes and save them to a file named hashes.txt.
Next, the attacker established persistence by creating a scheduled task named "WindowsUpdate." This task was configured to run every five minutes and execute a file named "Windows_Update.exe."
This task runs under the SYSTEM account, meaning it has full administrative privileges.
We also identified additional persistence mechanisms attempted by the attacker, such as a randomly named pipe (wnqufs).
He then attempted the AS-REP Roasting attack again using the scvhostt.exe executable, storing the extracted hashes in the Temp directory.
After completing the attack, he opened the file updates.txt to check for any tickets that could be cracked to obtain the password.
The attacker then attempted network enumeration by executing commands such as ipconfig to display network configuration details and arp -a to retrieve the ARP table.
Next, the attacker attempted to generate a memory dump of the lsass.exe process (Local Security Authority Subsystem Service) and saved it as a file named lsass.dump.
The attacker then attempted to complete the enumeration process by listing all local user accounts using the net users command and identifying all visible computers on the network with the net view command.
Next, The attacker attempted to identify available hosts for lateral movement by using the ping command to determine which hosts were responsive.
Afterward, the attacker identified a host with the IP address 10.20.10.17 that responded to their requests. Consequently, they attempted to retrieve the machine's hostname and assess their privilege level on the system.
We believe he obtained the password of the Administrator account by cracking the ticket he acquired during the AS-REP Roasting attack.
The attacker attempted to download a file named Services.exe and saved it to the following path: C:\Users\Public\Services.exe.
He then prepared for data exfiltration by archiving all files from the Documents and Desktop folders of all user accounts, saving the compressed data as a ZIP file named backup.zip in the Public folder.
He then downloaded a file named explorer.exe onto the domain controller and saved it in C:\Windows\Temp\explorer.exe.
He then attempted to enumerate all user accounts within the Active Directory domain before creating a new user account named "systen" with the password "p@ssw0rd".
Next, the attacker attempted to retrieve a list of users belonging to the "Domain Admins" group within the Active Directory (AD) domain. Subsequently, they added the previously created user, "systen," to the local Administrators group on the compromised system.
He then utilizes NTDSUTIL, a built-in Windows utility, to generate a full backup of the Active Directory (AD) database (NTDS.DIT), storing the backup in C:\Windows\Temp\backup.
We believe the attacker returned to the PC10 device and leveraged Robocopy, a powerful command-line file copying tool in Windows, to steal user documents. The files were copied to a publicly accessible location (C:\Users\Public\backup), enabling later exfiltration of the data.
He then attempted to download a file named update.exe to the domain controller, saving it in the Temp directory under the same name.
The attacker then used WinRAR to compress, encrypt, and archive the NTDS.dit file along with the SYSTEM registry hive. This enabled them to extract Active Directory password hashes, facilitating potential credential theft and privilege escalation. The archived file was saved to C:\Windows\Temp\backup.rar.
The attacker then executed a PowerShell command to recursively search user directories for text, CSV, Excel, and Word documents containing keywords like "password," "pass," "pwd," or "credentials," to steal stored credentials or sensitive information.
Then he completed enumerating the active directory by executing some commands like tree, whoami, diskpart.
tree → Lists the directory structure, which can help an attacker understand the file system layout and locate sensitive files.
diskpart → Provides details about disk partitions, volumes, and mounted drives, which can reveal network shares and hidden storage used for data exfiltration.
whoami → Shows the current user’s privileges, domain, and group memberships, helping an attacker determine their level of access.
Next, he utilized WinRAR to compress the contents of the C:\DATA directory into an archive named Doms.rar.
He then completed the enumeration by searching for sensitive information within text-based files and scanning the C:\ directory for sensitive data and scripts.
He then created a scheduled task named WindowsUpdate, configured to run every five minutes, as a persistence mechanism.
The attacker proceeded to enumerate all domain users to gather information on usernames and their associated descriptions.
He then attempted to enumerate all stored credentials on the Windows system.
He then downloaded a tool called dnscat2 to exfiltrate the obtained data using DNS tunneling.
After downloading the dnscat2 tool, he manually configured the DNS server for the "Ethernet" interface to 192.168.100.179 (the attacker's IP address).
He disabled real-time monitoring on the PC10 machine, which was the initial point of compromise.
Next, the attacker began exfiltrating the acquired data, compressing it, and transmitting it to the IP addresses 192.168.100.179 and 192.168.100.24 using DNS tunneling.
Here, the attacker attempted to exfiltrate data using the dnscat tool.
The attacker then tried to disable system recovery by deleting all shadow copies, preventing file restoration and backup recovery.
This report was created by:
Fares Ebrahim Morcy
Abdelrahman Adly lofty
Amany Osama GadElmawla
Mohamed Elsayed Moghazy
Hoda amr Mohamed
Karim fathy salem
Youssef Khaled Sayed
Amjed Hatem
