When working on network traffic analysis, responders need to identify quickly the severity and the depth of the incident once it has been determined that something is going on in a certain host. Analyzing traffic is not always easy due the different implants related to frameworks used for penetration testing and Red Team, malware custom protocols, encrypted traffic and the fact that each network and host nowadays is using many different applications which are constantly sending telemetry.
In this example we will analyze suspicious network activity involving Command and Control communications related to the use of Metasploit framework and how as defenders we can analyze and extract artifacts easily to understand the activity.
In this case example, we have a PCAP capture where we have suspicious TCP network traffic. As we can see after the TCP handshake some data is being sent and received corresponding to server-client communications. Inspecting the TCP traffic we identified a cmd interactive shell receiving and sending commands to another internal IP address.
In the below image we can observe that whatever is interacting with the shell is running the commands “whoami” and ”vssadmin” to identify who is the user and if the user can list the shadow volumes.
As we can see in the capture, the user has no privileges to list the shadow volumes and what starts to look like an attacker initiating host reconnaissance is using afterwards “bitsadmin” to manually download the tool “Invoke-Mimikatz” renamed as “msbuild.exe”, masquerading the file as a legitimate program to start dumping credentials and escalate privileges on the host. We can see that the download was successful and the attacker checked if the file was downloaded to the path “Downloads”, but unluckily the PCAP stops here and it does not contains additional useful evidence we can use.
Therefore we start following the timestamps of previous activity involving the affected host and the IP addresses and we observe something interesting.
In a previous stream we observed that the initial user accessed a webserver at 10.16.4.192:8080 containing different files where apparently were stored as a web resource since we can spot an MSI installer, powershell notes, admin credentials etc.
We keep inspecting the PCAP when we observed that one of the files were downloaded to the host. The username willingly or not, downloaded the file “URGENT-UPDATE.hta” which contains an encoded PowerShell script that is executed when the user clicks on it.
Our next step will be to check the content of this PowerShell script and determine whether is legit or not.
For the sake of the demonstration I will use Cyberchef suite to perform all the operations and decode the final payload. I’m not going to detail how Cyberchef works, just to mention that is an available online tool for data operations that you can download and use locally. All the recipes are available in the official GitHub page.
After decoding the first Base64 layer we identified a second Base64 layer that uses the GzipStream class to decompress the data. This second layer contains multiple PowerShell functions wrapping a base64 encoded data. After analyzing the script, even if we don’t know yet the final payload, we can understand by the functions used such as GetProcAddress, the .NET class AssemblyName and CreateThread&VirtualAlloc(kernel32.dll) that this payload(which is likely to be shellcode due its length) is decoded and injected directly into PowerShell address space to spawn a new thread.
Sometimes in shellcode some data might be visible like an hardcoded User-Agent or a domain name. However since this is not this case, let’s jump directly into the analysis.
For shellcode analysis different tools can be used such a IDA or the online tool Defuse.ca to perform static analysis. However, sometimes it’s just easier just to run the shellcode with a C wrapper that we can compile, a sandbox or a debugger.
In this case after analyzing the file with the shellcode debugger ScDbg we observe some of the calls performed to call the ws2_32.dll functions WSASocket and WSAStartup to use the Windows sockets.
However, we can statically check the shellcode disassembly(used defuse.ca for this) and some data in the instructions will be visible anyway. In the code there’s two push instructions together. Decoding the hex data to decimal and considering the endianess inverting the bytes we can spot the same IP address and port used to call home.
After this investigation, we identified when and how the compromise started, extracted the artifacts and concluded that:
The user was possibly lured to download a malicious file masqueraded as a legit file.
This malicious HTA file was likely to be made using Metasploit’s framework msfvenom due the morphology of the PowerShell script, which contains multiple methods to inject shellcode using multiple formats such a VBScript, JScript, PowerShell, Python, C# etc.
After the execution of the HTA file, the attacker started performing reconnaissance on the host, attempted to enumerate shadow volumes and downloaded Invoke-Mimikatz on to the host to dump credentials.
