- Kill Chain 1:
  - Recon: Joomla (Joomscan)
  - Weaponization: acquire the appliance (probably a spam-filtering device), reverse engineer it, develop a custom exploit, test it against other orgs, and build custom firmware with all needed tools.
  - Delivery: probably email (assumes the spam-filtering device was the one exploited)
  - Exploitation: unknown vector, but assumed to be email related
  - Installation: backdoor is “installed” probably with the custom firmware, likely via the appliance's firmware update mechanism
  - C2: a VPS was noted in use for communications, but the protocol is unknown
  - AoO (Actions on Objectives): Responder.py in analysis mode, nmap (this leads into recon for Chain #2)
- Kill Chain 2:
  - Weaponization: tools built in Chain #1 to allow tunneling through the appliance
  - Delivery: tunneled communications via a SOCKS proxy server or tgcd
  - Exploitation: none required, because MongoDB wasn't configured with any security
  - Installation: N/A
  - C2: retrieving data through the tunnel
  - AoO: review data; nothing installed in the MongoDB database
- Kill Chain 3:
  - Recon: Chain #1 (nmap)
  - Weaponization: building tgcd
  - Delivery: tunneling communications with tgcd
  - Exploitation: no authentication required; misconfigured iSCSI
  - Installation: N/A
  - C2: retrieving data through the tunnel
  - AoO: review data; nothing installed in the backups on the Synology NAS. vmfs-fuse used to mount a VMware backup image. Dump LSA secrets and obtain the password of a service account for BesAdmin.
- Kill Chain 4:
  - Recon: became interested in the Exchange server because of the backups on the Synology NAS
  - Weaponization: proxychains, smbclient
  - Delivery: smbclient tunneled with tgcd (??)
  - Exploitation: use of the password from the backups
  - Installation: psexec_psh to get Meterpreter loaded
  - C2: Meterpreter communications
  - AoO: dump wdigest (plaintext) credentials from memory, including a domain admin
- Kill Chain 5:
  - Recon: scanning (nmap, etc.)
  - Weaponization: the port-forwarding tools and Meterpreter already mentioned
  - Delivery: over the port-forwarding tools, using domain admin creds and SMB
  - Exploitation: using passwords gained from the domain admin
  - Installation: Meterpreter
  - C2: Meterpreter
  - AoO: downloading mail and other files
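As an added defensive check, not part of the original notes: Kill Chain 2 needed no exploit because MongoDB was running without security. The Python below audits a mongod.conf for the two settings involved (security.authorization and net.bindIp), using constructed weak and hardened sample configs and a hand-rolled parser for the YAML subset mongod.conf uses (assumed here to be plain indented key: value mappings).

```python
# Added example (not from the original writeup): audit a mongod.conf for the
# settings whose absence let Kill Chain 2 read the database with no exploit.
# Configs below are constructed; the parser handles only the indented
# "key: value" mapping subset that mongod.conf uses (no lists or anchors).

def parse_simple_yaml(text):
    root = {}
    stack = [(-1, root)]  # (indent, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        while indent <= stack[-1][0]:  # dedent closes nested mappings
            stack.pop()
        key, _, value = line.strip().partition(":")
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:  # key with no inline value opens a nested mapping
            child = {}
            stack[-1][1][key] = child
            stack.append((indent, child))
    return root

def audit_mongod(conf_text):
    """Findings that let an unauthenticated remote client read data."""
    cfg = parse_simple_yaml(conf_text)
    findings = []
    if cfg.get("security", {}).get("authorization") != "enabled":
        findings.append("security.authorization not enabled")
    bind = cfg.get("net", {}).get("bindIp")
    if bind is None:
        findings.append("net.bindIp unset (mongod before 3.6 binds all interfaces)")
    elif any(a.strip() in ("0.0.0.0", "::") for a in bind.split(",")):
        findings.append("net.bindIp exposes mongod on all interfaces")
    return findings

WEAK_CONF = """\
net:
  bindIp: 0.0.0.0
"""
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""
```

Running `audit_mongod` over the weak config yields two findings and over the hardened one none; the same check suits a host-baseline or CI job that flags database servers reachable through a tunnel like the one in Chain 2.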