OTRF/detection-hackathon-apt29

8.B) Software Packing

Cyb3rWard0g opened this issue · 6 comments

Description

Next, the attacker uploads a new UPX-packed payload (T1045) to the secondary victim.

[meterpreter (PowerShell)*] > Invoke-SeaDukeStage -ComputerName NASHUA

#49 Not sure how you want to accept Sigma rules. Feel free to toss it out if you have something else planned.

Thank you for sharing @patrickstjohn! That works. Thank you for creating the folder and starting the contributions :) I appreciate it!

8.B.1 Remote File Copy

Procedure: Copied python.exe payload from a WebDAV share (192.168.0.4) to remote host Scranton (10.0.1.4)
Criteria: The file python.exe created on Scranton (10.0.1.4)

Security Events

SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = 'security'
  AND EventID = 5145
  AND RelativeTargetName LIKE '%python.exe'

Results

Message: A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x861A79

Network Information:	
	Object Type:		File
	Source Address:		10.0.1.4
	Source Port:		59967
	
Share Information:
	Share Name:		\\*\ADMIN$
	Share Path:		\??\C:\windows
	Relative Target Name:	Temp\python.exe

Access Request Information:
	Access Mask:		0x80
	Accesses:		ReadAttributes
				
Access Check Results:
	-
Message: A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x861A79

Network Information:	
	Object Type:		File
	Source Address:		10.0.1.4
	Source Port:		59967
	
Share Information:
	Share Name:		\\*\ADMIN$
	Share Path:		\??\C:\windows
	Relative Target Name:	Temp\python.exe

Access Request Information:
	Access Mask:		0x17019F
	Accesses:		DELETE
				READ_CONTROL
				WRITE_DAC
				SYNCHRONIZE
				ReadData (or ListDirectory)
				WriteData (or AddFile)
				AppendData (or AddSubdirectory or CreatePipeInstance)
				ReadEA
				WriteEA
				ReadAttributes
				WriteAttributes
				
Access Check Results:
	-
Message: A network share object was checked to see whether client can be granted desired access.
	
Subject:
	Security ID:		S-1-5-21-1830255721-3727074217-2423397540-1107
	Account Name:		pbeesly
	Account Domain:		DMEVALS
	Logon ID:		0x861A79

Network Information:	
	Object Type:		File
	Source Address:		10.0.1.4
	Source Port:		59967
	
Share Information:
	Share Name:		\\*\ADMIN$
	Share Path:		\??\C:\windows
	Relative Target Name:	Temp\python.exe

Access Request Information:
	Access Mask:		0x2
	Accesses:		WriteData (or AddFile)
				
Access Check Results:
	-

Sysmon Logs

SELECT Message
FROM apt29Host
WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
    AND EventID = 11
    AND TargetFilename LIKE '%python.exe'

Results

File created:
RuleName: -
UtcTime: 2020-05-02 03:10:23.626
ProcessGuid: {5aa8ec29-cad1-5eac-0100-000000000400}
ProcessId: 4
Image: System
TargetFilename: C:\Windows\Temp\python.exe
CreationUtcTime: 2020-05-02 03:10:23.626

8.B.2 Software Packing

Procedure: python.exe payload was packed with UPX
Criteria: Evidence that the file python.exe is packed
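The three Security 5145 events under 8.B.1 differ only in their Access Mask, and only the last two request write access. As an added example (not part of the hackathon repository or of this issue), the following Python parses the fields a hunt needs out of the 5145 message text, decodes the mask into the same access names Windows prints, and flags write requests for executables over administrative shares. The sample messages are constructed from the quoted events and shortened; the bit table is the standard file access-mask layout.

```python
import re

# Standard file-object access-mask bits, named as event 5145 prints them
FILE_ACCESS_BITS = {
    0x1: "ReadData", 0x2: "WriteData", 0x4: "AppendData", 0x8: "ReadEA",
    0x10: "WriteEA", 0x20: "Execute", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
WRITE_BITS = 0x2 | 0x4  # WriteData or AppendData: enough to land file content

# Field lines in the 5145 message look like "\tShare Name:\t\t\\*\ADMIN$"
_FIELD = re.compile(
    r"^\s*(Account Name|Source Address|Share Name|Relative Target Name|Access Mask):\s*(\S+)",
    re.M,
)


def parse_5145(message):
    """Return the fields a hunt needs from a 5145 message; mask becomes an int."""
    fields = dict(_FIELD.findall(message))
    fields["Access Mask"] = int(fields["Access Mask"], 16)
    return fields


def decode_mask(mask):
    """Expand an access mask into the names listed under 'Accesses:'."""
    return [name for bit, name in FILE_ACCESS_BITS.items() if mask & bit]


def is_remote_exe_write(message):
    """True when a client asked to write an executable through an admin share."""
    f = parse_5145(message)
    return (f["Share Name"].endswith("$")
            and f["Relative Target Name"].lower().endswith((".exe", ".dll"))
            and bool(f["Access Mask"] & WRITE_BITS))


# Constructed sample modelled on the three events quoted in 8.B.1 (shortened)
SAMPLE = """A network share object was checked to see whether client can be granted desired access.
Subject:
\tAccount Name:\t\tpbeesly
Network Information:
\tSource Address:\t\t10.0.1.4
Share Information:
\tShare Name:\t\t\\\\*\\ADMIN$
\tRelative Target Name:\tTemp\\python.exe
Access Request Information:
\tAccess Mask:\t\t{mask}
"""
EVENTS = [SAMPLE.format(mask=m) for m in ("0x80", "0x17019F", "0x2")]

if __name__ == "__main__":
    for e in EVENTS:
        f = parse_5145(e)
        print(hex(f["Access Mask"]), is_remote_exe_write(e), decode_mask(f["Access Mask"]))
```

Only the 0x17019F and 0x2 events are flagged; the 0x80 ReadAttributes check is the normal metadata probe that precedes a copy and is not, by itself, evidence that content was written.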