ProcNet

A hard level challenge focused on analyzing Sliver malware using API Monitor.

Scenario

With the rising utilization of open-source C2 frameworks by threat actors, our red team has simulated the functionalities of one such widely employed framework. The objective of this exercise is to aid blue teams in strengthening their defenses against these specific threats. We have been provided with PCAP files and APIs collected during the event, which will serve as valuable resources.

Using the API Monitor

We are well-acquainted with opening PCAP and .EVTX files, but what are .apmx64 files? The .apmx64 file extension is associated with API Monitor, a software used to monitor and control API calls made by applications and services. To commence your analysis, follow the steps provided below:

  • Download the API Monitor.

  • Navigate to "Files" and click on "Open" to view captured data from the file "Employee.apmx64" or "DC01.apmx64".

  • After opening the file, the "Monitoring Process" window will populate with a list of processes. Expand the view by clicking the '+' symbol to reveal the modules and threads associated with each process.

  • The API calls can be observed in the "Summary" window. To focus our analysis on a specific module, click on the different DLLs loaded by the processes.

TIP: When conducting analysis, it is advisable to begin by examining the API calls made by the process itself, rather than focusing solely on DLLs. For instance, if I intend to analyze the API calls of a process named csgo.exe, I will initially expand the view by clicking the '+' symbol. Then, I will narrow down my analysis specifically to 'csgo.exe' by selecting it, and I can further analyze other DLLs as needed.

Evidence

In this challenge, we receive two folders named Employee and DC; the files in each folder are listed below.

DC

  • DC01.apmx64

  • DC01.pcapng

  • Microsoft-Windows-Sysmon_254Operational.evtx

Employee

  • Employee.apmx64

  • Employee.pcapng

  • Microsoft-Windows-Sysmon_254Operational.evtx

Task 1: To which IP address and port number is the malware attempting to establish a connection ?

First, we need to identify which program on the host is the malware. We received two files: Employee and DC (Domain Controller). My hypothesis is that the malware originates from the Employee host and then uses some technique to move laterally to the DC host.

Therefore, let's examine the Employee folder. Open Employee.apmx64 using the API Monitor, and we will find an interesting file.

csgo.exe

The file is named csgo.exe and is located at C:\Users\alonzo.spire\Downloads. This is suspicious because the file is in the Downloads folder.

Next, I will examine the log file, focusing on Event ID 3, which is associated with csgo.exe, to determine whether the program has connected to any IP addresses. To achieve this, I will use the Chainsaw tool to search for Event ID 3. The command line for this process is shown below.

.\chainsaw.exe search -t "Event.System.EventID: =3" \sherlock\procnet\Employee\Microsoft-Windows-Sysmon_254Operational.evtx

Detecting connection by Chainsaw
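As an added example (my own code, not part of the original write-up and not the Chainsaw tool), the following Python pulls the same Event ID 3 fields out of Sysmon records once they have been exported to the Windows event XML layout. The records below are constructed samples, and the helper names are mine.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed Sysmon records in the Windows event XML layout (sample data, not the challenge EVTX).
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1</EventID></System>
 <EventData>
  <Data Name="Image">C:\\Users\\alonzo.spire\\Downloads\\csgo.exe</Data>
  <Data Name="CommandLine">csgo.exe</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\\Users\\alonzo.spire\\Downloads\\csgo.exe</Data>
  <Data Name="Protocol">tcp</Data>
  <Data Name="DestinationIp">3.6.165.8</Data>
  <Data Name="DestinationPort">443</Data>
 </EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>3</EventID></System>
 <EventData>
  <Data Name="Image">C:\\Windows\\System32\\svchost.exe</Data>
  <Data Name="Protocol">udp</Data>
  <Data Name="DestinationIp">10.10.0.1</Data>
  <Data Name="DestinationPort">53</Data>
 </EventData></Event>
</Events>"""


def parse_sysmon_events(xml_text):
    """Yield (event_id, {DataName: value}) for each <Event> in the export."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, data


def network_connections(xml_text, image_suffix=None):
    """Return (image, dst_ip, dst_port) for Event ID 3 records, optionally
    restricted to images whose path ends with image_suffix (case-insensitive)."""
    hits = []
    for eid, d in parse_sysmon_events(xml_text):
        if eid != 3:
            continue
        if image_suffix and not d["Image"].lower().endswith(image_suffix.lower()):
            continue
        hits.append((d["Image"], d["DestinationIp"], int(d["DestinationPort"])))
    return hits
```

Filtering on the image name first keeps the noise from other processes out of the result, which is the same narrowing the Chainsaw search above performs by Event ID.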

Answer 1: 3.6.165.8:443

Task 2: Now that you are aware of the IP address and port number, what is the JA3 fingerprint of the C2 server ?

To find this fingerprint, we will use Wireshark to analyze Employee.pcapng. From Task 1, the malware established a connection to IP 3.6.165.8 on port 443, which uses the TLS protocol. Below is my query in Wireshark.

tcp.dstport == 443 && ip.addr == 3.6.165.8

According to this blog, JA3 is a signature hash used to detect malware or command-and-control (C2) traffic. It can be found in the ClientHello packet, which is sent by the client to the server at the beginning of a connection. The image below shows the content of the ClientHello packet sent from our host (10.10.0.79) to the malicious IP address.

Detecting JA3 fingerprint

Answer 2: 19e29534fd49dd27d09234e639c4057e
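To show where the fingerprint in Task 2 comes from, here is an added Python example (my own code, not from the write-up or from any JA3 tool) that parses a raw TLS ClientHello record and builds the JA3 string and its MD5. The ClientHello is a constructed sample assembled by the builder at the bottom, not a packet from the challenge capture.

```python
import hashlib
import struct

GREASE = {0x0a0a + 0x1010 * i for i in range(16)}   # 0x0a0a, 0x1a1a, ..., 0xfafa; JA3 drops these

def _u16(buf, off):
    return struct.unpack_from("!H", buf, off)[0]

def ja3_from_client_hello(record):
    """Parse one TLS record holding a ClientHello; return (ja3_string, ja3_md5)."""
    assert record[0] == 0x16 and record[5] == 0x01, "not a ClientHello record"
    p = 9                                   # record header (5) + handshake header (4)
    version = _u16(record, p); p += 2
    p += 32                                 # client random
    p += 1 + record[p]                      # session id
    n = _u16(record, p); p += 2
    ciphers = [_u16(record, p + i) for i in range(0, n, 2)]; p += n
    p += 1 + record[p]                      # compression methods
    exts, groups, formats = [], [], []
    if p < len(record):                     # extensions block is optional
        end = p + 2 + _u16(record, p); p += 2
        while p < end:
            etype, elen = _u16(record, p), _u16(record, p + 2); p += 4
            body = record[p:p + elen]; p += elen
            exts.append(etype)
            if etype == 10:                 # supported_groups: u16 length, u16 ids
                groups = [_u16(body, i) for i in range(2, 2 + _u16(body, 0), 2)]
            elif etype == 11:               # ec_point_formats: u8 length, u8 ids
                formats = list(body[1:1 + body[0]])

    def field(values):
        return "-".join(str(v) for v in values if v not in GREASE)

    ja3 = ",".join([str(version), field(ciphers), field(exts), field(groups), field(formats)])
    return ja3, hashlib.md5(ja3.encode()).hexdigest()

def build_client_hello(version, ciphers, exts):
    """Assemble a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                              # one compression method: null
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
    body += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Sample with a GREASE cipher (0x1a1a) and a GREASE extension (0x2a2a) to show they are excluded.
SAMPLE = build_client_hello(0x0303, [0x1a1a, 0x1301, 0x1302, 0xc02b], [
    (0, b"\x00\x00"), (10, b"\x00\x04\x00\x1d\x00\x17"), (11, b"\x01\x00"), (0x2a2a, b"")])
```

In a real capture the ClientHello can span several TCP segments, so reassemble the TLS record before handing it to the parser.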

Task 3: What is the name of the C2 framework being utilized by the red team ?

Since we have obtained the JA3 fingerprint value of this malware, we will perform a Google search using this value. From my search, I found a report that identifies the name associated with this JA3 fingerprint.

Sliver's fingerprint

Answer 3: sliver

Task 4: Which WIN32 API provided the red team with the current directory information ?

In the Employee.apmx64 file, we can see that the first Win32 API call made by the malware is GetCurrentDirectoryW. This indicates that the malware is attempting to determine the directory in which the file is located.

csgo.exe called GetCurrentDirectoryW

Answer 4: GetCurrentDirectoryW

Task 5: Now that we have identified the C2 framework utilized by the red team, which C2 command is responsible for opening notepad.exe by default and loading the .NET CLR into it ?

In this task, I searched through all the provided evidence but could not find an API call that launches notepad.exe. As a result, I turned to Google for reports and blogs discussing Sliver, and I found an interesting blog from Microsoft.

According to this blog, the Sideload, SpawnDll, and Execute-Assembly commands launch and inject into notepad.exe by default. This is illustrated in the image below.

Execute-Assembly used by Sliver

Answer 5: execute-assembly

Task 6: What is the name of the module (DLL) that was loaded to gain access to Windows Vault ?

In Task 5, we learned that Sliver launches notepad.exe and loads clr.dll into it. This technique is designed to be stealthy, as we only see an event where clr.dll is used by notepad.exe. To gain a better understanding of Sliver's process injection technique, I recommend checking out this excellent blog by dominicbreuker. By examining the APIs called from clr.dll, we can determine that this .NET assembly uses vaultcli.dll to access the Windows Vault. This is illustrated in the image below.

vaultcli.dll

Answer 6: vaultcli.dll

Task 7: After loading the mentioned module, there were a series of WIN32 APIs loaded. Which specific Win32 API is responsible for enumerating vaults ?

By continuing to examine clr.dll, we will identify the API used for enumerating vaults. This will be shown in the picture below.

VaultEnumerateVaults Win32 API

Answer 7: VaultEnumerateVaults

Task 8: Which command did the attacker execute to identify domain admins ?

In the API monitor, we observed that a new process called net.exe was spawned by csgo.exe. Upon examining this new process, we found that it is used for domain enumeration.

command for detecting domain admins

Answer 8: net group "domain admins" /dom

Task 9: The red team has provided us with a hint that they utilized one of the tools from "ARMORY" for lateral movement to DC01. What is the name of the tool ?

By examining the event log file in the DC folder, I discovered evidence of WMI-based lateral movement in Event Codes 19 and 20.

Sysmon Event IDs

By reviewing the Sliver Armory repository, I discovered a tool named SharpWMI, which can be used for lateral movement.

SharpWMI repository

We can verify whether the malware used this tool by returning to the API Monitor capture and searching for the keyword SharpWMI.

SharpWMI API called

Moreover, I discovered that csgo.exe also executed a VBScript. Using the Chainsaw tool, this script can be found in Sysmon Event ID 20 within the DC folder. The evidence is shown in the images below.

VBS script executed by csgo.exe
Sysmon Event Code id 20
VBS script

This script is designed to download and execute a file named fifa 24.exe from a remote server.

Answer 9: sharpwmi

Task 10: Which command was executed by the red team to extract/dump the contents of NTDS.DIT ?

By observing the Win32 API calls from fifa24.exe, we can see that the malware spawns cmd.exe to execute a script that extracts content from ntds.dit.

Command line for dumping NTDS.dit

Answer 10: cmd /c ntdsutil "ac in ntds" ifm "cr fu %TEMP%\H00i0Z000.dat" q q
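Added detection example (my own code, not from the write-up): ntdsutil accepts unambiguous prefixes of its keywords, which is why the command above reads "ac in ntds" and "cr fu", and a rule that only matches the spelled-out words misses it. The snippet expands the abbreviations before checking for an IFM full-media export; the keyword list is an assumed subset limited to the subcommands seen in this task, and the command lines are constructed samples.

```python
# Keywords ntdsutil accepts as prefixes (assumed subset: only those used by the dump command above).
NTDSUTIL_KEYWORDS = ["activate", "instance", "ntds", "ifm", "create", "full", "quit"]


def expand_ntdsutil(cmdline):
    """Split a command line (quotes dropped) and expand each unambiguous keyword prefix;
    non-keyword tokens such as paths are returned unchanged."""
    expanded = []
    for word in cmdline.replace('"', " ").split():
        matches = [k for k in NTDSUTIL_KEYWORDS if k.startswith(word.lower())]
        expanded.append(matches[0] if len(matches) == 1 else word)
    return expanded


def is_ntds_dump(cmdline):
    """True when ntdsutil is told to create a full IFM media set (an NTDS.dit export)."""
    words = [w.lower() for w in expand_ntdsutil(cmdline)]
    if "ntdsutil" not in words:
        return False
    try:
        i = words.index("ifm")
    except ValueError:
        return False
    return "create" in words[i:] and "full" in words[i:]


# Constructed command lines: the dump from this task and a benign ntdsutil query.
DUMP_CMD = 'cmd /c ntdsutil "ac in ntds" ifm "cr fu %TEMP%\\H00i0Z000.dat" q q'
BENIGN_CMD = 'ntdsutil "ac in ntds" "files" "info" q q'
```

Run it over the CommandLine field of Sysmon Event ID 1 records on the domain controller; the same expansion step applies to any other abbreviated ntdsutil invocation.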

Task 11: The red team has obtained the aforementioned dump by compressing it into a ZIP file. Which specific Win32 API is responsible for retrieving the full path of the file to be downloaded?

Using API Monitor, we can see that this malware calls the GetFullPathNameW API to resolve the full path of the file.

GetFullPathNameW API called by fifa24.exe

Answer 11: GetFullPathNameW
