Multi-Step Attack Behaviors

  • a1 Initial compromise: the attacker, from the outside network, opens an IRC connection to the Linux host. Using a remote code execution vulnerability in Unreal IRC, the IRC process (ircd) forks a telnet (telnet.netkit) process, and the telnet process creates a connection back to the attacker machine on port 4444. The attacker then uploads malware (trojan.exe) into the folder /var/www.

  • a2 Malware infection: a user on the Windows client uses IE to open the website hosted by the Linux host, downloads the malware (trojan.exe), and executes it locally. The malware binary opens a reverse connection back to the attacker host, which gives the attacker access to the intranet.

  • a3 Privilege escalation: the attacker starts another process (notepad.exe) via trojan.exe. The notepad.exe process opens another connection to the attacker host, which escalates the attacker’s privilege to local administrator. With this permission, the attacker dumps the memory space and enumerates previously cached domain controller administrator credentials.

  • a4 Obtain user credentials: with the domain administrator’s credentials gained in the previous step, the attacker connects to the Windows DC and opens another reverse connection back to the attacker host via powershell. Finally, the attacker uploads password enumerator tools (e.g., pwdump7.exe and wce.exe) and runs them to dump all user information stored in the domain controller’s memory.

  • a5 Data exfiltration: using the credentials gained in the previous stage, the attacker connects to the DB server and dumps the database. The attacker then creates a reverse channel and transfers the database dump back to his host.
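The chain in a1 (network-facing daemon forks a child that connects back out and drops a file under the web root later served in a2) is the kind of pattern a provenance-based detector stitches together from audit events. The following is an added illustration, not code from the original page or from any described system; the event records, hostnames and process set are constructed assumptions.

```python
"""Toy provenance check for the a1 stage: flag descendants of a network-facing
daemon that open outbound connections or write under a web-served directory.
All events below are constructed sample data, not real audit records."""
from collections import defaultdict

# Constructed events: (kind, subject process, object). Modelled on stage a1,
# plus a benign sshd/bash session that must not raise an alert.
EVENTS = [
    ("connect_in", "ircd", "10.0.0.5:6667"),              # attacker -> IRC daemon
    ("fork", "ircd", "telnet.netkit"),                     # daemon spawns telnet
    ("connect_out", "telnet.netkit", "10.0.0.5:4444"),     # reverse connection
    ("write", "telnet.netkit", "/var/www/trojan.exe"),     # payload dropped in web root
    ("fork", "sshd", "bash"),                              # benign admin session
    ("write", "bash", "/home/admin/notes.txt"),
]

NETWORK_DAEMONS = {"ircd"}   # assumed set of processes expected to accept inbound connections
WEB_ROOT = "/var/www/"       # directory the Linux host serves to intranet clients (stage a2)


def build_children(events):
    """Map each parent process to the processes it forked."""
    children = defaultdict(set)
    for kind, subj, obj in events:
        if kind == "fork":
            children[subj].add(obj)
    return children


def descendants(children, root):
    """All processes transitively forked from root (root itself excluded)."""
    seen, stack = set(), [root]
    while stack:
        for child in children[stack.pop()]:
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def find_a1_indicators(events, daemons=NETWORK_DAEMONS, web_root=WEB_ROOT):
    """Return (daemon, descendant, reason) for suspicious activity by a daemon's descendants."""
    children = build_children(events)
    tainted = {d: descendants(children, d) for d in daemons}
    alerts = []
    for kind, subj, obj in events:
        for daemon, descs in tainted.items():
            if subj in descs and kind == "connect_out":
                alerts.append((daemon, subj, "outbound connection to " + obj))
            elif subj in descs and kind == "write" and obj.startswith(web_root):
                alerts.append((daemon, subj, "wrote " + obj))
    return alerts
```

In a real deployment the same walk would run over kernel audit or ETW provenance, and the a2 step would be linked by matching the dropped file path against the Windows client's download event.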