Choose Your Own Red Team Adventure: Commands
This is a continuation of a Choose Your Own Red Team Adventure series. If you don’t know how you got here, start at the beginning. Otherwise, continue reading …
After an hour of looking, and sorting your results in your notes, you have a good list of your next steps to chase.
Then your connection drops! What happened? “Maybe Bob just shut his laptop” you say to yourself.
You send your phish to another user, Alice, from another SMTP domain that you frequently use on engagements. You give it an hour or so, but there’s no indication it was delivered. So, you switch to another domain. And another. You exhaust your list. None of them work.
You run out of time.
GAME OVER.
Post Analysis
These commands have been around since the beginning of the command line, and you can execute them in your sleep, which is what you must have been doing, because you didn’t notice the endpoint controls running on this host.
Commands are actually new processes, and each process, along with its arguments, is logged centrally by the endpoint detection and response (EDR) product, where a combination of commoditized and custom analytics runs against the logs.
One of the analysis layers observed that no other users in Accounting have ever executed any of these commands, which flagged this host for review. Your intrusion lasted 58 minutes before your host was put into a containment VLAN and the callback domain was blocked across the enterprise.
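The peer-group analytic described above, as an added example that is not code from the original post: it builds a per-department baseline from constructed EDR process-creation records and flags any user whose commands no other user in the same department has ever run. The record fields, user names and sample commands are assumptions for illustration.

```python
"""Peer-group anomaly check over EDR process-creation events (constructed sample data)."""
from collections import defaultdict

# Constructed sample of centrally logged process events: (user, department, image, cmdline).
# Not real telemetry; field names and values are assumptions for this example.
EVENTS = [
    ("bob",   "Accounting", "excel.exe",      "excel.exe Q3.xlsx"),
    ("carol", "Accounting", "excel.exe",      "excel.exe budget.xlsx"),
    ("carol", "Accounting", "outlook.exe",    "outlook.exe"),
    ("dave",  "Accounting", "outlook.exe",    "outlook.exe"),
    ("dave",  "Accounting", "excel.exe",      "excel.exe AP.xlsx"),
    ("erin",  "IT",         "whoami.exe",     "whoami /all"),
    ("erin",  "IT",         "ipconfig.exe",   "ipconfig /all"),
    # Activity on Bob's host after the phish lands: discovery commands Accounting never runs.
    ("bob",   "Accounting", "whoami.exe",     "whoami /all"),
    ("bob",   "Accounting", "ipconfig.exe",   "ipconfig /all"),
    ("bob",   "Accounting", "systeminfo.exe", "systeminfo"),
]

def build_peer_baseline(events):
    """Map department -> user -> set of process images that user has run."""
    seen = defaultdict(lambda: defaultdict(set))
    for user, dept, image, _cmd in events:
        seen[dept][user].add(image)
    return seen

def flag_peer_anomalies(events, min_peers=1):
    """Return events whose image was never run by any *other* user in the same department.

    The user's own history is excluded (leave-one-out), so a first-time command is
    judged against peers only. min_peers keeps a one-person department from flagging
    everything it does simply because it has nobody to compare against."""
    seen = build_peer_baseline(events)
    flagged = []
    for user, dept, image, cmd in events:
        peers = {u for u in seen[dept] if u != user}
        if len(peers) < min_peers:
            continue
        if not any(image in seen[dept][p] for p in peers):
            flagged.append((user, dept, image, cmd))
    return flagged

def hosts_for_review(events):
    """Group flagged command lines by (user, department): one review item per host."""
    review = defaultdict(list)
    for user, dept, _image, cmd in flag_peer_anomalies(events):
        review[(user, dept)].append(cmd)
    return dict(review)

if __name__ == "__main__":
    for (user, dept), cmds in hosts_for_review(EVENTS).items():
        print(f"review {user} ({dept}): {len(cmds)} command(s) no peer has ever run")
        for c in cmds:
            print("   ", c)
```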
The raw Indicators of Compromise (IOCs) were passed to a third-party threat intel team who maintains a large database of domains and IP addresses used maliciously. They reviewed the callback domain, noting that until 11 days ago, it was parked at a specific hosting provider. Pivoting off the original parked IP address, they observed eleven other parked domains and blacklisted all of them at the enterprise’s edge, which is why your SMTP email from the other domains did not work, nor would the callbacks have worked had the payloads landed.
THE END