This blog post will walk you through how to answer the questions that are contained in my Atreides scenario located here: https://github.com/medmondson44/dune/tree/main/atreides. The Jupyter Notebook file is located there. The blog post will go through the initial access vector, situational awareness commands that were run, persistence mechanism used, how privilege escalation to System was achieved, and how lateral movement was performed. If you are unsure of how to parse out the evtx files and get everything loaded into Jupyter Notebooks please refer to my first post in my “To Catch a Hacker in My Home Lab” series here: https://marcusedmondson.com/2021/07/15/to-catch-a-hacker-in-my-home-lab/
I gained initial access into the environment by hosting a malicious hta file that was downloaded through the web browser and then executed with the Windows binary mshta. Another binary was then uploaded and executed with administrator privileges. A few situational awareness commands were run to see what processes and services were running. Persistence was achieved through the use of malicious services, and privilege escalation to System was performed using Meterpreter’s getsystem module. Lateral movement was performed by copying the binary over to harkonnen with the PowerShell Copy-Item cmdlet, and the binary was then executed using wmic process call create.
In the following screenshots you can see Edge being used to download the hta file and mshta being used to execute it, and then the malicious PowerShell being run.
Discovery was performed using a battery of built-in Windows binaries, such as tasklist, tasklist /svc, ipconfig and systeminfo.
Discovery commands run on harkonnen.
Command and Control
Network connections can be observed going to 10.0.0.22, which was my redirector, as well as to the actual team server at 10.0.0.12.
Connection to the team server.
Privilege escalation to System on atreides using Meterpreter’s getsystem module.
Privilege escalation to System on harkonnen using Meterpreter’s getsystem module.
Lateral movement to harkonnen was performed using the PowerShell cmdlet Copy-Item. The actual command used cp, the PowerShell alias for Copy-Item. The binary was then executed using wmic process call create, which is a common way for attackers to remotely execute binaries. See index 446 and 481 in the screenshot below.
In the next screenshot you will see wmiprvse as the parent process used to run spcvs.exe on harkonnen. This is a giveaway that Windows Management Instrumentation (WMI) was used to execute the binary remotely.
Persistence was achieved on harkonnen using Meterpreter’s run persistence module, which created a malicious service to achieve persistence.
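As an added example that is not part of the original post or the notebook, the following Python turns the observations above into hunt rules over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records; the sample events, the cmd.exe and Edge parents, and the path of spcvs.exe are constructed to mirror the scenario, and the C2 addresses are the redirector and team server named in the post.

```python
from collections import defaultdict

# Constructed sample events: EventID 1 = process create, EventID 3 = network connection.
EVENTS = [
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft\Edge\msedge.exe"},
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},
    {"EventID": 3, "Computer": "atreides", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationIp": "10.0.0.22"},
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\tasklist.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\ipconfig.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\systeminfo.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 1, "Computer": "atreides", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wmic /node:harkonnen process call create C:\Windows\spcvs.exe"},
    {"EventID": 1, "Computer": "harkonnen", "Image": r"C:\Windows\spcvs.exe",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
]
C2_IPS = {"10.0.0.22", "10.0.0.12"}  # redirector and team server from the write-up
DISCOVERY = {"tasklist.exe", "ipconfig.exe", "systeminfo.exe", "whoami.exe", "net.exe"}

def basename(path):
    # Last path component, lower-cased, so image comparisons ignore directory and case.
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events, c2_ips=C2_IPS, discovery_threshold=3):
    # Returns (host, finding) pairs in the order the rules fire; discovery bursts are summarised last.
    findings, discovery_by_host = [], defaultdict(set)
    for e in events:
        host, image = e["Computer"], basename(e["Image"])
        if e["EventID"] == 1:
            parent = basename(e["ParentImage"])
            cmd = e.get("CommandLine", "").lower()
            if parent == "mshta.exe" and image == "powershell.exe":  # T1218.005 -> T1059.001
                findings.append((host, "mshta.exe spawned powershell.exe"))
            if image == "wmic.exe" and "process call create" in cmd:  # T1047, source host
                findings.append((host, "wmic process call create launched"))
            if parent == "wmiprvse.exe":  # T1047, target host: remote WMI execution
                findings.append((host, f"wmiprvse.exe spawned {image}"))
            if image in DISCOVERY:  # T1016 / T1007 / T1082 tooling
                discovery_by_host[host].add(image)
        elif e["EventID"] == 3 and e.get("DestinationIp") in c2_ips:
            findings.append((host, f"connection to C2 {e['DestinationIp']}"))
    for host, tools in discovery_by_host.items():
        if len(tools) >= discovery_threshold:
            findings.append((host, "discovery burst: " + ", ".join(sorted(tools))))
    return findings
```

The same rules apply unchanged to a pandas DataFrame built from the parsed evtx files by iterating over its rows as dicts.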
https://attack.mitre.org/techniques/T1189/ – Initial Access
https://attack.mitre.org/techniques/T1218/005/ – Defense Evasion
https://attack.mitre.org/techniques/T1016/ – Discovery
https://attack.mitre.org/techniques/T1007/ – Discovery
https://attack.mitre.org/techniques/T1082/ – Discovery
https://attack.mitre.org/techniques/T1543/003/ – Persistence, Privilege Escalation
https://attack.mitre.org/techniques/T1059/001/ – Execution
https://attack.mitre.org/techniques/T1047/ – Execution
https://attack.mitre.org/techniques/T1570/ – Lateral Movement
https://redcanary.com/blog/getsystem-offsec/ – excellent resource that breaks down getsystem for privilege escalation.
So thank you for reading this post and until next time…