To Catch a Hacker in My Home Lab – Atreides

Introduction

This blog post will walk you through how to answer the questions that are contained in my Atreides scenario located here: https://github.com/medmondson44/dune/tree/main/atreides. The Jupyter Notebook file is located there. The blog post will go through the initial access vector, situational awareness commands that were run, persistence mechanism used, how privilege escalation to System was achieved, and how lateral movement was performed. If you are unsure of how to parse out the evtx files and get everything loaded into Jupyter Notebooks please refer to my first post in my “To Catch a Hacker in My Home Lab” series here: https://marcusedmondson.com/2021/07/15/to-catch-a-hacker-in-my-home-lab/ 

Summary

I gained initial access into the environment by hosting a malicious hta file that was downloaded through the web browser and then executed with the Windows binary mshta. Another binary was then uploaded and executed with administrator privileges. A few situational awareness commands were run to see what processes and services were running. Persistence was achieved through the use of malicious services, and privilege escalation to System was performed by using Meterpreter's getsystem module. Lateral movement was performed by copying the binary over to harkonnen using the PowerShell Copy-Item cmdlet, and the binary was then executed using wmic process call create.

Initial Access

In the following screenshots you can see Edge being used to download the hta file and mshta being used to execute it, and then the malicious PowerShell being run.
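The chain in those screenshots (browser, then mshta.exe, then PowerShell) is the thing to hunt for in the parsed Sysmon process-creation events. The following is an added example, not code from the original post or the Atreides repository: it rebuilds process ancestry from constructed Event ID 1 records and reports every process that terminates a browser -> mshta.exe -> script-host chain. The record layout, GUIDs, paths, the user name and the command lines are all constructed for the example.

```python
# Added example (not from the original post): reconstruct process ancestry from
# Sysmon Event ID 1 records and flag the browser -> mshta.exe -> script host chain.
# Record fields mirror what a parsed evtx exposes; GUIDs, paths, the user name
# and the command lines are constructed for this example.

BROWSERS = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Each pattern step is the set of process names allowed at that link of the
# parent -> child chain; steps must be directly adjacent in the tree.
BROWSER_MSHTA_CHAIN = [BROWSERS, {"mshta.exe"}, SCRIPT_HOSTS]

# Constructed events. Key on ProcessGuid/ParentProcessGuid, not PID: Windows
# reuses PIDs, and a PID-keyed tree silently links unrelated processes.
EVENTS = [
    {"host": "atreides", "guid": "G1", "pguid": "G0", "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"host": "atreides", "guid": "G2", "pguid": "G1",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": "msedge.exe --single-argument https://example.test/"},
    {"host": "atreides", "guid": "G3", "pguid": "G2", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\paul\Downloads\update.hta"'},
    {"host": "atreides", "guid": "G4", "pguid": "G3",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc <constructed>"},
    # Benign sibling: mshta launched from explorer.exe, with no browser parent.
    {"host": "atreides", "guid": "G5", "pguid": "G1", "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"host": "atreides", "guid": "G6", "pguid": "G1", "image": r"C:\Windows\System32\notepad.exe",
     "cmd": "notepad.exe"},
]


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(index, guid):
    """Process names from the oldest ancestor present in the data down to guid.
    The visited set guards against cycles in malformed data."""
    chain, seen = [], set()
    cur = index.get(guid)
    while cur is not None and cur["guid"] not in seen:
        seen.add(cur["guid"])
        chain.append(basename(cur["image"]))
        cur = index.get(cur["pguid"])
    chain.reverse()
    return chain


def ends_with_pattern(chain, pattern):
    """True when the last len(pattern) links of the chain satisfy the pattern."""
    if len(chain) < len(pattern):
        return False
    tail = chain[-len(pattern):]
    return all(name in allowed for name, allowed in zip(tail, pattern))


def find_chains(events, pattern=BROWSER_MSHTA_CHAIN):
    """One hit per process that terminates a matching chain, so a descendant
    of the script host is not reported a second time."""
    index = {e["guid"]: e for e in events}
    hits = []
    for e in events:
        chain = ancestry(index, e["guid"])
        if ends_with_pattern(chain, pattern):
            hits.append({"host": e["host"], "chain": " -> ".join(chain), "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    for hit in find_chains(EVENTS):
        print(hit["host"], hit["chain"], "|", hit["cmd"])
```

Because the pattern is a list of allowed-name sets, the same function covers other parent/child chains (for example `[{"winword.exe"}, SCRIPT_HOSTS]`) without changing the tree code; the mshta launched directly from explorer.exe in the sample is deliberately not reported.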

Discovery

Discovery was performed using a battery of built-in Windows binaries, such as tasklist, tasklist /svc, ipconfig and systeminfo.

Discovery commands run on harkonnen.
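Any one of those commands is normal on its own; what stands out in the screenshot is several of them from the same user on the same host within a couple of minutes. The following is an added example, not code from the original post: it maps constructed process-creation records to ATT&CK discovery techniques and raises one alert per cluster of distinct techniques inside a sliding window. The window length, the threshold, the host/user pairing and all event records are this example's own choices.

```python
# Added example (not from the original post): score a "battery" of discovery
# commands per host and user inside a sliding time window. Events, users and
# timestamps are constructed; window and threshold are tunable assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed process-creation records (host, user, time, image, command line).
EVENTS = [
    {"host": "harkonnen", "user": "paul", "time": "2021-07-20T10:00:05",
     "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist"},
    {"host": "harkonnen", "user": "paul", "time": "2021-07-20T10:00:20",
     "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist /svc"},
    {"host": "harkonnen", "user": "paul", "time": "2021-07-20T10:00:41",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"host": "harkonnen", "user": "paul", "time": "2021-07-20T10:01:10",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmd": "systeminfo"},
    # Lone ipconfig from a different user hours earlier: not a battery.
    {"host": "harkonnen", "user": "helpdesk", "time": "2021-07-20T08:00:00",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig"},
    # Two commands half an hour apart on atreides: never share a window.
    {"host": "atreides", "user": "paul", "time": "2021-07-20T12:00:00",
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami"},
    {"host": "atreides", "user": "paul", "time": "2021-07-20T12:30:00",
     "image": r"C:\Windows\System32\netstat.exe", "cmd": "netstat -ano"},
]


def classify(image, cmd):
    """Map a process-creation record to an ATT&CK discovery technique, or None.
    tasklist /svc lists services (T1007); plain tasklist lists processes (T1057)."""
    name = image.rsplit("\\", 1)[-1].lower()
    if name == "tasklist.exe":
        return "T1007" if "/svc" in cmd.lower() else "T1057"
    return {
        "ipconfig.exe": "T1016",
        "systeminfo.exe": "T1082",
        "whoami.exe": "T1033",
        "netstat.exe": "T1049",
    }.get(name)


def discovery_batteries(events, window=timedelta(minutes=5), min_distinct=3):
    """Return one alert per (host, user) cluster whose window holds at least
    min_distinct different discovery techniques."""
    by_actor = defaultdict(list)
    for e in events:
        tech = classify(e["image"], e["cmd"])
        if tech:
            by_actor[(e["host"], e["user"])].append(
                (datetime.fromisoformat(e["time"]), tech, e["cmd"]))
    alerts = []
    for (host, user), rows in by_actor.items():
        rows.sort()
        i = 0
        while i < len(rows):
            start = rows[i][0]
            cluster = [r for r in rows[i:] if r[0] - start <= window]
            techs = {r[1] for r in cluster}
            if len(techs) >= min_distinct:
                alerts.append({"host": host, "user": user,
                               "first": cluster[0][0].isoformat(),
                               "last": cluster[-1][0].isoformat(),
                               "techniques": sorted(techs),
                               "commands": [r[2] for r in cluster]})
                i += len(cluster)  # report the cluster once, then move past it
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for a in discovery_batteries(EVENTS):
        print(a["host"], a["user"], a["first"], a["techniques"], a["commands"])
```

Counting distinct techniques rather than raw command count keeps a user who runs `ipconfig` five times from tripping the alert, while the four different commands from the post's screenshot do.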

Command and Control

Network connections can be observed going to 10.0.0.22, which was my redirector, as well as to the actual team server, 10.0.0.12.

Connection to the team server.
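In the notebook the quickest way to surface those connections is to pivot the Sysmon Event ID 3 records by host, process and destination and look at how many times, and how regularly, each pair talked. The following is an added example, not code from the original post: it builds that pivot from constructed records and additionally flags destinations contacted at evenly spaced intervals, which goes a step beyond the post by scoring callback regularity. The destination addresses follow the post (10.0.0.22 redirector, 10.0.0.12 team server); the process name, ports, timestamps and thresholds are constructed.

```python
# Added example (not from the original post): pivot Sysmon Event ID 3 network
# connections by host, process and destination, then flag regularly spaced
# callbacks. Destination IPs follow the lab; the beacon process name, ports,
# timestamps and the min_count/max_cv thresholds are constructed assumptions.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection records.
CONNECTIONS = [
    # Six connections roughly a minute apart from the implant to the redirector.
    *[{"host": "atreides", "image": r"C:\Users\paul\AppData\Local\Temp\spcvs.exe",
       "dst_ip": "10.0.0.22", "dst_port": 443, "time": t}
      for t in ("2021-07-20T10:10:00", "2021-07-20T10:11:00", "2021-07-20T10:12:01",
                "2021-07-20T10:13:00", "2021-07-20T10:14:02", "2021-07-20T10:15:01")],
    # One browser connection: the initial download.
    {"host": "atreides", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dst_ip": "10.0.0.22", "dst_port": 80, "time": "2021-07-20T09:58:30"},
    # Irregular DNS traffic from svchost: not periodic.
    *[{"host": "atreides", "image": r"C:\Windows\System32\svchost.exe",
       "dst_ip": "10.0.0.1", "dst_port": 53, "time": t}
      for t in ("2021-07-20T10:00:00", "2021-07-20T10:00:05",
                "2021-07-20T10:02:05", "2021-07-20T10:02:38")],
    # Three connections from harkonnen straight to the team server: too few to score.
    *[{"host": "harkonnen", "image": r"C:\Windows\Temp\spcvs.exe",
       "dst_ip": "10.0.0.12", "dst_port": 443, "time": t}
      for t in ("2021-07-20T10:20:00", "2021-07-20T10:21:00", "2021-07-20T10:22:00")],
]


def summarize(conns):
    """One row per (host, process, destination) with count, first/last seen,
    mean inter-connection gap and its coefficient of variation (cv)."""
    groups = defaultdict(list)
    for c in conns:
        key = (c["host"], c["image"].rsplit("\\", 1)[-1].lower(), c["dst_ip"], c["dst_port"])
        groups[key].append(datetime.fromisoformat(c["time"]))
    rows = []
    for (host, image, ip, port), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        row = {"host": host, "image": image, "dst": f"{ip}:{port}", "count": len(times),
               "first": times[0].isoformat(), "last": times[-1].isoformat(),
               "mean_gap": None, "cv": None}
        if len(gaps) >= 3:  # need a few gaps before regularity means anything
            m = mean(gaps)
            row["mean_gap"] = round(m, 1)
            row["cv"] = round(pstdev(gaps) / m, 3) if m else None
        rows.append(row)
    return sorted(rows, key=lambda r: (-r["count"], r["host"], r["image"]))


def periodic(rows, min_count=4, max_cv=0.1):
    """Rows with enough connections whose gaps are nearly constant."""
    return [r for r in rows if r["count"] >= min_count
            and r["cv"] is not None and r["cv"] <= max_cv]


if __name__ == "__main__":
    rows = summarize(CONNECTIONS)
    for r in rows:
        print(r)
    print("periodic:", [(r["host"], r["image"], r["dst"]) for r in periodic(rows)])
```

Sorting the pivot by count first mirrors what you would do by eye in the screenshot: the process that talks to one address over and over is the one to open next. The cv column is the generalization; a low value with enough samples is worth a look even when the destination is an internal address you expect to see.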

Privilege Escalation

Privilege escalation to System on atreides using Meterpreter's getsystem module.

Privilege escalation to System on harkonnen using Meterpreter's getsystem module.

Lateral Movement

Lateral movement to harkonnen was performed using the PowerShell cmdlet Copy-Item. The actual command used cp, the PowerShell alias for Copy-Item. The binary was then executed using wmic process call create, which is a common way for attackers to remotely execute binaries. See indexes 446 and 481 in the screenshot below.

In the next screenshot you will see wmiprvse as the parent process of spcvs.exe on harkonnen. This is a giveaway that Windows Management Instrumentation (WMI) was used to execute the binary remotely.
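Both halves of that move leave a record: the wmic call on the source host names its `/node:` target, and on that target wmiprvse.exe spawns the binary a moment later. The following is an added example, not code from the original post: it ties the two together with a time window, and separately flags a Copy-Item/cp whose destination is an administrative share, the step that staged the binary. Host and binary names follow the post (atreides, harkonnen, spcvs.exe); the timestamps, paths, parent images and script-block text are constructed.

```python
# Added example (not from the original post): correlate wmic "process call
# create" on the source host with the wmiprvse.exe child on the target, and
# flag Copy-Item/cp to an admin share. Host and binary names follow the post;
# times, paths, parent images and script text are constructed.
import re
from datetime import datetime, timedelta

# Constructed process-creation records from both hosts.
PROCESS_EVENTS = [
    {"host": "atreides", "time": "2021-07-20T10:05:30",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r'wmic /node:harkonnen process call create "C:\Windows\Temp\spcvs.exe"'},
    {"host": "harkonnen", "time": "2021-07-20T10:05:31",
     "image": r"C:\Windows\Temp\spcvs.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmd": r"C:\Windows\Temp\spcvs.exe"},
    {"host": "harkonnen", "time": "2021-07-20T09:00:00",
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe", "cmd": "svchost.exe -k netsvcs"},
    # A wmiprvse child with no matching remote call: local WMI activity to triage separately.
    {"host": "harkonnen", "time": "2021-07-20T11:00:00",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmd": "cmd.exe /c ver"},
]

# Constructed PowerShell script-block (Event ID 4104) text.
SCRIPT_BLOCKS = [
    {"host": "atreides", "time": "2021-07-20T10:05:00",
     "script": r"cp C:\Users\paul\AppData\Local\Temp\spcvs.exe \\harkonnen\c$\Windows\Temp\spcvs.exe"},
    {"host": "atreides", "time": "2021-07-20T09:30:00",
     "script": r"Copy-Item .\report.docx C:\Users\paul\Documents"},
]

NODE_RE = re.compile(r'/node:"?([^\s",]+)"?', re.IGNORECASE)
# Copy-Item or one of its aliases, followed somewhere by \\host\X$ or \\host\admin$.
COPY_TO_ADMIN_SHARE = re.compile(
    r'(?i)\b(?:copy-item|cp|cpi|copy)\b.*?\\\\([^\\\s]+)\\([a-z]\$|admin\$)')


def base(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def wmic_remote_calls(events):
    """wmic process call create invocations that name a remote /node: target."""
    calls = []
    for e in events:
        if base(e["image"]) == "wmic.exe" and "process call create" in e["cmd"].lower():
            m = NODE_RE.search(e["cmd"])
            if m:
                calls.append({"src": e["host"], "target": m.group(1).lower(),
                              "time": datetime.fromisoformat(e["time"]), "cmd": e["cmd"]})
    return calls


def wmiprvse_children(events):
    """Processes spawned by the WMI provider host, the giveaway from the screenshot."""
    return [e for e in events if base(e["parent_image"]) == "wmiprvse.exe"]


def correlate(events, window=timedelta(seconds=60)):
    """Pair each remote wmic call with a wmiprvse child on the named target
    that started within the window after the call."""
    hits = []
    for call in wmic_remote_calls(events):
        for child in wmiprvse_children(events):
            t = datetime.fromisoformat(child["time"])
            if child["host"].lower() == call["target"] and timedelta(0) <= t - call["time"] <= window:
                hits.append({"src": call["src"], "target": child["host"],
                             "image": base(child["image"]),
                             "lag_s": (t - call["time"]).total_seconds()})
    return hits


def admin_share_copies(blocks):
    """Script blocks that copy a file onto another host's administrative share."""
    hits = []
    for b in blocks:
        m = COPY_TO_ADMIN_SHARE.search(b["script"])
        if m:
            hits.append({"host": b["host"], "target": m.group(1).lower(),
                         "share": m.group(2).lower(), "script": b["script"]})
    return hits


if __name__ == "__main__":
    print("staged:", admin_share_copies(SCRIPT_BLOCKS))
    print("remote exec:", correlate(PROCESS_EVENTS))
```

The uncorrelated cmd.exe under wmiprvse.exe in the sample is left in `wmiprvse_children` on purpose: it still deserves a look, but without a source-side wmic call it may be a local WMI consumer rather than lateral movement, and separating the two lists keeps the notebook honest about which is which.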

Persistence

Persistence was achieved on harkonnen using Meterpreter's run persistence module, which installed a malicious service.
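A service install shows up in the System log as Event ID 7045 with the service name, image path and account, and that is where this persistence is easiest to catch. The following is an added example, not code from the original post: it triages constructed 7045 records with a few heuristics (image outside trusted directories, image in a user-writable location, service wrapping a script or loader host). The directory lists, markers, service names, paths and accounts are all this example's own assumptions, not details of what Meterpreter's persistence module writes.

```python
# Added example (not from the original post): triage service-install events
# (System log Event ID 7045). The trusted directories, user-writable markers,
# loader-host list, and every service name, path and account are constructed
# assumptions for this example.
import re

TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\", "\\public\\")
LOADER_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe",
                "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed 7045 records.
SERVICE_EVENTS = [
    {"host": "harkonnen", "name": "WinUpdSvc", "account": "LocalSystem", "start": "auto",
     "image_path": r"C:\Users\paul\AppData\Local\Temp\svchost.exe"},
    {"host": "harkonnen", "name": "ProxyHelper", "account": "LocalSystem", "start": "auto",
     "image_path": r"%COMSPEC% /c powershell -nop -w hidden -enc <constructed>"},
    {"host": "harkonnen", "name": "VendorBackup", "account": "LocalSystem", "start": "auto",
     "image_path": r'"C:\Program Files\Vendor\backup.exe" -service'},
    {"host": "harkonnen", "name": "NetSvcX", "account": "LocalSystem", "start": "demand",
     "image_path": r"%SystemRoot%\System32\svchost.exe -k netsvcs"},
]


def image_from_path(image_path):
    """Executable named by a 7045 ImagePath, which may be quoted, use
    %COMSPEC%/%SystemRoot%, and carry arguments. Returned lower-cased."""
    p = (image_path.strip().lower()
         .replace("%comspec%", "c:\\windows\\system32\\cmd.exe")
         .replace("%systemroot%", "c:\\windows"))
    m = re.match(r'^"([^"]+)"|^(.+?\.exe)|^(\S+)', p)
    return (m.group(1) or m.group(2) or m.group(3)) if m else p


def triage_service(ev):
    """Reasons this service install deserves a look; empty list means none found."""
    img = image_from_path(ev["image_path"])
    name = img.rsplit("\\", 1)[-1]
    reasons = []
    if not img.startswith(TRUSTED_DIRS):
        reasons.append("image outside trusted directories")
    if any(marker in img for marker in USER_WRITABLE):
        reasons.append("image in a user-writable location")
    if name in LOADER_HOSTS:
        reasons.append(f"service wraps a script/loader host ({name})")
    return reasons


def triage(events):
    """Flagged services, most reasons first."""
    flagged = []
    for ev in events:
        reasons = triage_service(ev)
        if reasons:
            flagged.append({"host": ev["host"], "name": ev["name"], "account": ev["account"],
                            "image": image_from_path(ev["image_path"]), "reasons": reasons})
    return sorted(flagged, key=lambda r: -len(r["reasons"]))


if __name__ == "__main__":
    for r in triage(SERVICE_EVENTS):
        print(r["host"], r["name"], r["image"], r["reasons"])
```

Normalising the ImagePath first matters more than the heuristics themselves: an unquoted path with arguments, or one hidden behind `%COMSPEC%`, is exactly the case a naive `startswith` check on the raw field would miss.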

MITRE ATT&CK Techniques

https://attack.mitre.org/techniques/T1189/ – Initial Access

https://attack.mitre.org/techniques/T1218/005/ – Defense Evasion

https://attack.mitre.org/techniques/T1016/ – Discovery

https://attack.mitre.org/techniques/T1007/ – Discovery

https://attack.mitre.org/techniques/T1082/ – Discovery

https://attack.mitre.org/techniques/T1543/003/ – Persistence, Privilege Escalation

https://attack.mitre.org/techniques/T1059/001/ – Execution

https://attack.mitre.org/techniques/T1047/ – Execution

https://attack.mitre.org/techniques/T1570/ – Lateral Movement

Resources

https://redcanary.com/blog/getsystem-offsec/ – excellent resource that breaks down getsystem for privilege escalation.

So thank you for reading this post and until next time…

Happy Hunting,

Marcus
