Attack Stages

Updated on

In this section, we will go through the different attack stages that are part of our demo.

1. A phishing email to the victim

An attacker has been doing reconnaissance of a user over social media and publicly available information using Open Source Intelligence (OSINT) tools. The attacker has noticed that the user has been posting free coupons. The attacker has set up a command and control (C2) website with a deceiving name "freecup0ns.tk" to manipulate this user.

Note: The website freecup0ns.tk is set up for demonstration purposes.

The user has received a macro-enabled word document in an email. Once the document is opened and enabled, Google Chrome is opened to the website freecup0ns.tk. The notepad app is automatically opened as well. An attacker could print anything on this notepad. 

2. What's visible to the victim

The victim only sees Google Chrome and notepad opened up on their screens, which doesn't lead the victim to think this is malicious behavior.

Furthermore, from the endpoint only legitimate protocols are used during this attack, which again is not suspicious or even considered to be blocked.

3. What is actually happening on the endpoint

The attacker has crafted this attack to make it look benign and evade all traditional network and endpoint security products.

So this is what's visible to victim:

  • Email with an attachment (word document)
  • Email came from a legit domain and the Word document doesn't look suspicious
  • After opening the Word document (+enable content):
    • Google Chrome opens with a coupon website.
    • A text file is opened in notepad
    • All network connections were made over legitimate protocols

None of these actions would have triggered a user to be suspicious.

4. What else happened at the victim's endpoint

  • Download of an implant from attacker's staging server
  • Execution of implant on victim's endpoint establishing connection over port 443 to attacker's command and control (C2) server
  • Once the C2 Server sees the implant, an autorun is used to move the implant laterally to another machine (victim 2). This is done using WinRM
    • From this moment, the attacker can run any PowerShell command on victim 1 and victim 2 machines.
  • Attacker ran a PowerShell script, password spraying the AD server, targeting known users.
  • Execution of local endpoint reconnaissance commands such as (systeminfo, arp, hostname etc.) and outputs saved locally on the endpoint.
  • File transfer of locally saved file with endpoint reconnaissance to attacker's server to gain insight of this endpoint, this could have been any other files such as all word or Excel files from the endpoint to attacker's server as well
  • Download of darkside ransomware from attackers' staging server
  • Execution of the ransomware
  • Clearing of all the logs

All of this telemetry data is captured by Carbon Black and you will review it in the next section

Previous Article Overview: Threat Hunting with Carbon Black XDR
Next Article Wear A Hat As A Victim: Lab Instruction