PrintNightmare Analysis - A LetsDefend Challenge
PrintNightmare Vulnerability Analysis
Summary
Under the scenario of a system that was exploited through the PrintNightmare vulnerability, you are asked to investigate the case.
Log Files (pass: infected): Download
This challenge was prepared by @Bohan Zhang
Tools used During The Investigation
- Fireeye’s Redline 2.0 - https://fireeye.market/apps/211364
- Brim v0.31.0 - https://www.brimdata.io/download/
- Wireshark 4.0.3 - https://www.wireshark.org/
- VirusTotal - https://www.virustotal.com/gui/
Writeup
We are going to be working with the following files during this analysis:
An important first observation is the file name suricata.rules: these are signatures from Suricata, an open-source intrusion detection system (IDS) that can be used to detect known threats in network traffic.
The other files are, respectively: a memory dump file from Redline, the cache from that same analysis, a document containing the setup instructions for installing Brim, and a PCAP file containing the challenge traffic.
Looking through the alerts in Brim, what is the vulnerability name and its corresponding CVE?
By opening the file “suricata.rules” in Brim, we already see the following detection: Possible CVE-2021–34527 (PrintNightmare) Exploit — SpoolSS RpcAddPrinterDriver.
What is the PrintNightmare Vulnerability?
Before proceeding any further, it’s worth profiling the main details of the identified vulnerability, CVE-2021–34527 (PrintNightmare):
- It was discovered on June 29th, 2021;
- It’s a critical remote code execution (RCE) vulnerability impacting Windows operating systems;
- The vulnerability allows threat actors who gained initial access to the environment to fully compromise the network and deploy additional malware or ransomware;
- Threat intel indicates the vulnerability is actively exploited in the wild;
- An urgent out-of-band patch was released by Microsoft to remediate the vulnerability. [x]
Who is the Attacker, where is his share path?
Since the previous alert came from the SMB (Server Message Block) protocol, we can open the pcap file “challenge-v1” in Wireshark and filter for “smb” to see if there is any suspicious communication.
We can tell there is communication between two IPs, 10.10.10.2 and 10.10.10.4. By following the TCP stream, a chain of events appears: there is a connection request coming from \\10.10.10.2\share to serve the file ‘notsostealthy.dll’, which then sends requests to pull information from the network into the file.
According to Brim, this could be possible lateral movement, where the requested information was being sent to the IP address 10.10.10.2 — we can assume this is the attacker, since information is being sent to an external source right after it connected to the network.
Also using Brim, we can find the e-mail address used in the self-signed SSL certificate in the traffic by following the SSL (Secure Sockets Layer) protocol.
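The triage done above by hand in Brim and Wireshark (find the CVE alert, the share that served the DLL, and the outbound connection to the suspected attacker) can be scripted over Suricata EVE JSON. This is an added example, not part of the original writeup; the three log lines are constructed to mirror the writeup's observations (signature text, IPs, share path), not the challenge's real logs.

```python
import json
import re

# Constructed sample EVE JSON lines mirroring the writeup (not the real challenge logs).
SAMPLE_EVE = r'''
{"timestamp":"2021-08-16T22:40:01.000Z","event_type":"alert","src_ip":"10.10.10.2","src_port":49812,"dest_ip":"10.10.10.4","dest_port":445,"proto":"TCP","alert":{"signature":"Possible CVE-2021-34527 (PrintNightmare) Exploit - SpoolSS RpcAddPrinterDriver","category":"Attempted Administrator Privilege Gain","severity":1}}
{"timestamp":"2021-08-16T22:40:02.000Z","event_type":"smb","src_ip":"10.10.10.4","src_port":50122,"dest_ip":"10.10.10.2","dest_port":445,"proto":"TCP","smb":{"command":"SMB2_COMMAND_CREATE","filename":"notsostealthy.dll","share":"\\\\10.10.10.2\\share","status":"STATUS_SUCCESS"}}
{"timestamp":"2021-08-16T22:40:05.000Z","event_type":"flow","src_ip":"10.10.10.4","src_port":50130,"dest_ip":"10.10.10.2","dest_port":443,"proto":"TCP"}
'''

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,7}")


def triage(eve_text):
    """Walk EVE JSON lines and pull out: the first CVE-tagged alert and its source
    host, any SMB share that served a DLL, and outbound flows from the victim to
    that host after the alert fired (the lateral-movement / C2 hint)."""
    result = {"cve": None, "signature": None, "attacker_ip": None,
              "share": None, "dll": None, "outbound": []}
    alert_time = None
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("event_type")
        if kind == "alert":
            m = CVE_RE.search(ev["alert"]["signature"])
            if m and result["cve"] is None:
                result["cve"] = m.group(0)
                result["signature"] = ev["alert"]["signature"]
                # The alert's source is the host driving the spooler exploit.
                result["attacker_ip"] = ev["src_ip"]
                alert_time = ev["timestamp"]  # ISO-8601, so string compare is fine
        elif kind == "smb" and ev["smb"].get("filename", "").lower().endswith(".dll"):
            result["share"] = ev["smb"].get("share")
            result["dll"] = ev["smb"]["filename"]
        elif kind == "flow" and alert_time and ev["timestamp"] > alert_time:
            # Post-alert flow from the victim back to the suspected attacker.
            if ev["dest_ip"] == result["attacker_ip"]:
                result["outbound"].append((ev["dest_ip"], ev["dest_port"]))
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVE).items():
        print(f"{key}: {value}")
```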
What is the sha256 hash of the DLL file?
In order to find the hash of the file ‘notsostealthy.dll’, we can go back to the SMB requests in Wireshark, choose the exact moment when the file was created, then export the object (Export Objects > SMB).
We can now extract the file, which was 100% downloaded into the system.
Now, by uploading the obtained file to VirusTotal, we can see its properties.
- pedll.dll - an executable file on the computer’s hard drive; it originates from software installed on the system.
- The file was detected as using assembly — a low-level programming language with a very strong correspondence between the instructions in the language and the architecture’s machine code instructions.
Possible detections by antivirus software:
- Trojan/Win32.RL_Generic.R366185
- Trojan.Meterpreter.Extension.I
- Windows.Trojan.Metasploit
- Win64:HacktoolX-gen [Trj]
- HEUR/AGEN.1245274
The DLL file seems to be malware from the Trojan family, commonly created through the Meterpreter tool from Metasploit, a penetration testing framework.
What is the domain user and hostname used by the attacker to exploit the vulnerability?
Going back to the log analysis in Brim, we have an HTTP request going through the username “Jesse.Harmon”, the domain name “BELLYBEAR” and the hostname “WIN-FLO4EU2VMSM”.
Now, by searching for the “Jesse.Harmon” username, we have the following information:
- The username is associated with the origin ID of our suspected attacker: 10.10.10.2
- Username: Jesse.Harmon
- Domain name: BELLYBEAR
What is the username created by the attacker for persistence?
In order to find out more about the users in the operating system, we can switch to the Mandiant Redline tool and analyze the memory file “AnalysisSession1”.
By selecting the “Users” data, we can analyze the registered users on that machine. There is an obvious hint, a user going by the name “hacker”, but it’s important to note that attackers in a real environment might not be so obvious.
Now we can summarize the existing users in the following way:
"Administrator" - Full path name: BELLYBEAR\Administrator,
Date it was created: 2021–08–16 22:22:00,
Description: It's a built-in account from the system for administering
the computer/domain.
Belonged to the following groups: Group Policy Creator Owners, Domain
Admins, Domain Users, Enterprise Admins, Schema Admins, Denied RODC
Password Replication Group, Administrators, Users.
---------------------------------------------------------------------------
"Guest" - Full path name: BELLYBEAR\Guest,
Date it was created: Default data,
Description: It's a built-in account from the system for administering
the computer/domain.
Belonged to the following groups: Domain Guests, Guests.
---------------------------------------------------------------------------
"krbtgt" - Full path name: BELLYBEAR\krbtgt,
Date it was created: 2021–08–16 18:37:27,
Description: Default account that exists in all domains of an Active
Directory. Its purpose is to act as a KDC (Key Distribution Centre)
service account for domain controllers.
Belonged to the following groups: Domain Users, Denied RODC Password
Replication Group, Users.
---------------------------------------------------------------------------
"Jesse.Harmon" - Full path name: BELLYBEAR\Jesse.Harmon,
Date it was created: 2021–08–16 18:37:27,
Description: Domain user used by the hacker to exploit the vulnerability.
Belonged to the following groups: Domain Users, Users.
---------------------------------------------------------------------------
"hacker" - Full path name: BELLYBEAR\hacker,
Date it was created: Default data,
Description: Unknown domain user, possibly created by the attacker for
the persistence tactic (TA0003).
Belonged to the following groups: Domain Users, Administrators, Remote
Desktop Users, Users.
Note that, of the two accounts that are not system accounts, “hacker” is the only one in the Administrators group.
What is the event ID for user creation in Windows, and when was the user being created?
To figure out when the suspicious account was created for persistence, we can search the event logs for the specific Event ID (EID) generated when a user account is created in Active Directory: 4720.
Going down the results, there is our suspect, with information about when the account “hacker” was created.
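The same 4720 hunt can be done outside the GUI over an Event Viewer XML export, which also recovers who created the account (the Subject fields), something worth checking alongside the timestamp. This is an added example, not part of the original writeup; the XML below is constructed (the 22:45:33 creation time and the 4624 logon event are sample values, not taken from the challenge), and the namespace is the standard Windows event schema.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard namespace used by Windows event XML exports.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export (Event Viewer "Save as XML" style), not the challenge's logs.
SAMPLE_EVENTS = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4624</EventID><TimeCreated SystemTime="2021-08-16T22:41:10.000000Z"/></System>
  <EventData><Data Name="TargetUserName">Jesse.Harmon</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4720</EventID><TimeCreated SystemTime="2021-08-16T22:45:33.000000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">hacker</Data>
    <Data Name="TargetDomainName">BELLYBEAR</Data>
    <Data Name="SubjectUserName">Jesse.Harmon</Data>
    <Data Name="SubjectDomainName">BELLYBEAR</Data>
  </EventData>
</Event>
</Events>"""


def account_creations(xml_text):
    """Return one record per EID 4720 event: the account that was created,
    the account that created it, and the UTC creation time."""
    root = ET.fromstring(xml_text)
    found = []
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4720":
            continue  # only "A user account was created" events
        stamp = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        when = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        # EventData is a flat list of <Data Name="..."> elements; index them by name.
        data = {d.get("Name"): d.text for d in ev.findall("e:EventData/e:Data", NS)}
        found.append({
            "account": f'{data.get("TargetDomainName")}\\{data.get("TargetUserName")}',
            "created_by": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
            "created_at": when,
        })
    return found


if __name__ == "__main__":
    for rec in account_creations(SAMPLE_EVENTS):
        print(f'{rec["created_at"].isoformat()}  {rec["account"]}  created by {rec["created_by"]}')
```

A creation whose Subject is an ordinary domain user, as here, is the detail that turns a 4720 hit from routine provisioning into a persistence lead.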
What process name is used to establish the shell connection between the attacker’s machine and the Windows server, and what is the listening port on the attacker’s machine?
Since we already know the remote IP address of the suspicious access (10.10.10.2), we can use Redline to analyze the port logs related to that specific address.
There was an established connection to remote port 443, through the file rundll32.exe. Rundll32.exe is a Microsoft-signed binary used to load dynamic link libraries (DLLs) in Windows. It is native to Windows and present in both 32- and 64-bit versions.
We can conclude the attacker ran a malicious DLL disguised as an original system file in order to exploit the PrintNightmare vulnerability.
The attacker used a famous post-exploitation framework to create the DLL file and establish the shell connection to the Windows server, what is the payload the attacker used?
According to the given hint — “This might not look very obvious at first, but the framework is very famous and used widely by pentester for post-exploitation. For the payload, the attacker used a self-signed SSL Certificate...”.
So, to get a clue about which payload could have been used, we can go back to the VirusTotal analysis of the file “%5cnotsostealthy(3).dll”, where usage of the Meterpreter tool from Metasploit was detected.
This information can also be seen in the comments of the analysis.
Since we already know it’s a possible Meterpreter payload, in an attack directed at a Windows operating system over the SSL protocol, we can simply research possible proofs of concept.
After looking at how Meterpreter is used for reverse shells, it was possible to find the payload “payload/windows/x64/meterpreter/reverse_https”, which can be used with the same DLL-loader technique and contains a parameter associated with the impersonation of SSL certificates — HandlerSSLCert.
The attacker left a text file for the user Administrator, can you find what the filename is?
Going back to Redline and analyzing the file system, we can find the text file left at the following path: ”C:\Users\Administrator\Documents\This-Is-Really-A-Nightmare.txt”.
This should be enough to conclude this challenge, thank you for reading!