Full Report
Is not a hack until you are 3 tunnels deep – Ian de Villiers. External assessments. It’s about not only finding flaws but also looking at ways you can chain lower and medium-level vulnerabilities together, to be utterly devastating and gain full access. After the situational awareness phase, pulling in all of my reconnaissance scans and input, I was left with the typical results one might expect: missing patches here, a little misconfiguration there, the typical…
Analysis Summary
# Tool/Technique: reGeorg
## Overview
reGeorg is a webshell used to create tunnels, often to bypass network restrictions and proxy traffic from a compromised web server to other internal network resources. It is crucial for maintaining C2 or post-exploitation connectivity when direct external access is blocked.
## Technical Details
- Type: Tool (Webshell/Tunneling Utility)
- Platform: Windows (Used in conjunction with PHP webshells, likely targeting Apache/PHP environments)
- Capabilities: Creates an HTTP/HTTPS reverse proxy tunnel from a compromised system back to an external listener.
- First Seen: Prior to February 2016 (Context of the article).
## MITRE ATT&CK Mapping
The primary use described relates to establishing communication capabilities, often bridging the gap between initial compromise and internal network pivoting.
- **TA0011 - Command and Control**
- T1090 - Proxy
- T1090.003 - Proxy: Application Layer Protocol
## Functionality
### Core Capabilities
- Establishing a persistent, interactive channel over HTTP/S traffic originating from a compromised web server.
- Bypassing outbound firewall restrictions by tunneling traffic through an existing web request/response mechanism.
### Advanced Features
- Used here to facilitate pivoting into the internal network, allowing tools like Impacket's psexec to be executed through the created tunnel.
## Indicators of Compromise
- File Hashes: N/A (Tool functionality is based on uploaded scripts)
- File Names: `tunnel.php` (Example script used in the article)
- Registry Keys: N/A
- Network Indicators: Requires an external listener endpoint (defanged placeholder: `external_listener_ip:port`)
- Behavioral Indicators: Web server traffic that behaves like proxy or tunnel traffic between the web server and an external host (for example, a steady stream of requests to a single script rather than normal page views).
## Associated Threat Actors
- SensePost (Used operationally by the author/team during an assessment).
## Detection Methods
- Signature-based detection: Specific signatures for known reGeorg shell files.
- Behavioral detection: Monitoring web servers (e.g., Apache/PHP processes) for unusual outbound connections, especially those carrying encrypted or structured C2 payloads.
- YARA rules: Can be written for the unique structure of reGeorg scripts.
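As an added illustration of the behavioral indicators and detection methods above (this is editor-written example code, not code from the article, SensePost or the reGeorg project), the following heuristic flags two things a reGeorg-style tunnel leaves in web request logs: the `X-CMD` control header the tunnel script is driven by, and a burst of repeated POSTs to one PHP script from one source. The header names and verbs are assumed from reGeorg's published scripts; the sample traffic is constructed.

```python
"""Heuristic detector for reGeorg-style HTTP tunnelling (added example, not
code from the original article or from reGeorg itself)."""
from collections import defaultdict

# reGeorg's tunnel scripts are driven by an X-CMD request header carrying one
# of these verbs (assumption: naming taken from the public reGeorg scripts).
REGEORG_VERBS = {"CONNECT", "DISCONNECT", "READ", "FORWARD"}
POST_BURST_THRESHOLD = 20      # POSTs to one script from one source ...
POST_BURST_WINDOW = 10.0       # ... within this many seconds

def detect_tunnel(requests):
    """requests: iterable of dicts with ts, src, method, path, headers.
    Returns a list of (reason, src, path) findings."""
    findings = []
    bursts = defaultdict(list)          # (src, path) -> timestamps of POSTs
    for r in requests:
        hdrs = {k.lower(): v for k, v in r.get("headers", {}).items()}
        cmd = hdrs.get("x-cmd", "").upper()
        if cmd in REGEORG_VERBS:
            findings.append(("regeorg-header:" + cmd, r["src"], r["path"]))
        if r["method"] == "POST" and r["path"].lower().endswith(".php"):
            win = bursts[(r["src"], r["path"])]
            win.append(r["ts"])
            # keep only timestamps inside the sliding window
            while win and r["ts"] - win[0] > POST_BURST_WINDOW:
                win.pop(0)
            if len(win) == POST_BURST_THRESHOLD:   # fires once per crossing
                findings.append(("post-burst", r["src"], r["path"]))
    return findings

# Constructed sample traffic (not real log data, TEST-NET addresses): a normal
# page view, one header-bearing tunnel request, then polling POSTs to tunnel.php.
SAMPLE = [{"ts": 0.0, "src": "203.0.113.5", "method": "GET",
           "path": "/index.php", "headers": {}},
          {"ts": 1.0, "src": "203.0.113.9", "method": "POST",
           "path": "/uploads/tunnel.php",
           "headers": {"X-CMD": "CONNECT", "X-TARGET": "10.0.0.7", "X-PORT": "445"}}]
SAMPLE += [{"ts": 2.0 + i * 0.2, "src": "203.0.113.9", "method": "POST",
            "path": "/uploads/tunnel.php", "headers": {}} for i in range(25)]

if __name__ == "__main__":
    for finding in detect_tunnel(SAMPLE):
        print(finding)
```

The header check only works where the monitoring point sees request headers (WAF, reverse proxy or full packet capture); plain Apache access logs only support the burst heuristic.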
## Mitigation Strategies
- Strict monitoring and auditing of all outbound connections from web servers, especially non-standard ones.
- Implementing Web Application Firewalls (WAFs) or egress filtering rules that restrict web application processes to only expected destinations.
- Principle of Least Privilege for the web application user account.
## Related Tools/Techniques
- Webshells, Reverse Tunnelling Utilities.
***
# Tool/Technique: Empire (PowerShell Empire)
## Overview
Empire is a post-exploitation framework written in PowerShell that mirrors many Metasploit-like functionalities. It focuses on leveraging native Windows capabilities and PowerShell for stealthy operations after initial access, particularly effective on modern Windows environments.
## Technical Details
- Type: Attack Framework / Post-Exploitation Agent
- Platform: Windows (Relies heavily on PowerShell execution)
- Capabilities: Agent control, credential dumping (mimikatz integration), lateral movement, persistence, and modular command execution.
- First Seen: Prior to 2016 (Popular during that era).
## MITRE ATT&CK Mapping
Empire is intrinsically tied to post-exploitation and C2 phases.
- **TA0001 - Initial Access** (Via stager execution)
- **TA0008 - Lateral Movement**
- **TA0002 - Execution**
- T1059.001 - Command and Scripting Interpreter: PowerShell
- **TA0003 - Persistence**
- **TA0004 - Privilege Escalation**
- **TA0005 - Defense Evasion**
- **TA0011 - Command and Control**
## Functionality
### Core Capabilities
- Starting a listener on an external jumpbox.
- Generating and deploying stagers (`stager.ps1`) to establish an agent connection.
- Providing a flexible, stable command-and-control channel.
### Advanced Features
- Deep integration with modules derived from the **Mimikatz suite**, specifically using `dcsync_hashdump` and `lsadump` functionality to harvest credential hashes from memory or Active Directory data.
- Ability to execute commands via RDP sessions proxied through existing tunnels (like reGeorg).
## Indicators of Compromise
- File Hashes: N/A (Generated artifacts like `stager.ps1` would be unique per session)
- File Names: `stager.ps1` (The agent launch script).
- Registry Keys: N/A (Though persistence mechanisms could involve registry modifications).
- Network Indicators: Outbound connections from the compromised host connecting back to the Empire listener (defanged placeholder: `empire_listener_ip:port`).
- Behavioral Indicators: Spawning of PowerShell processes that exhibit C2 communication patterns or load reflective DLLs, execution of credential dumping commands.
## Associated Threat Actors
- Various red teams and potentially sophisticated threat actors utilizing fileless techniques, depending on the version deployed.
## Detection Methods
- Signature-based detection: Known Empire stager payloads (if static).
- Behavioral detection: Detecting command-line arguments indicative of Empire/PowerShell attacks (e.g., encoded command parameters, specific PowerShell modules loaded). Monitoring for processes accessing LSASS memory indirectly (via mimikatz modules).
- YARA rules: Can be developed against known Empire reflective loading signatures.
## Mitigation Strategies
- Application whitelisting to restrict unsigned PowerShell scripts.
- Enabling PowerShell logging (Module, Script Block, and Transcription logging) to capture the commands executed by the Empire agent.
- Implementing endpoint detection and response (EDR) solutions capable of monitoring in-memory code execution.
## Related Tools/Techniques
- Metasploit (Similar interface/feel)
- Cobalt Strike (Similar C2 functionality)
- Mimikatz
***
# Tool/Technique: Chaining Vulnerabilities (SQLi -> Webshell -> Tunneling -> Internal Pivoting)
## Overview
This technique refers to the process documented in the article where multiple, often lower-severity, vulnerabilities are chained together sequentially to escalate access from an initial foothold to high-value targets (like the Domain Controller). The article emphasizes moving "3 tunnels deep."
## Technical Details
- Type: Technique (Exploitation Chain/Pivoting Strategy)
- Platform: Multi-platform (Targets: Web Application host, followed by internal Windows network hosts)
- Capabilities: Escalating access, bypassing network segmentation, and achieving domain compromise through layered exploitation.
- First Seen: Ongoing methodology used in penetration testing and APT activity.
## MITRE ATT&CK Mapping
This maps to the entire kill chain progression realized through linked TTPs.
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application (SQLi)
- **TA0002 - Execution**
- T1566.001 - Phishing: Spearphishing Attachment (Implied need to upload initial shell)
- **TA0010 - Exfiltration** (Achieved after Domain Controller access)
- **TA0011 - Command and Control**
- T1090 - Proxy (Utilizing reGeorg to tunnel commands)
- **TA0007 - Credential Access**
- T1003.001 - OS Credential Dumping: LSASS Memory (via Empire/Mimikatz on pivoted host)
## Functionality
### Core Capabilities
- **Initial Access via SQLi:** Exploiting an SQL Injection vulnerability in an outdated PHP web application to upload a webshell (`myshell.php`).
- **Gaining Foothold & File Transfer:** Escaping the initial low-privilege context (if necessary) to upload tools like `reGeorg` and `wce.exe`.
- **Network Bridging:** Using reGeorg to establish a tunnel out from the constrained host.
### Advanced Features
- **Lateral Movement via Tunnel:** Leveraging the reGeorg tunnel to communicate internally, using another tool (`impacket`'s `psexec`) across proxy connections to gain a foothold on a more privileged host (PDC).
- **Final Payload Delivery:** Using the internal access and tunnel stability to deploy Empire for high-value tasks like hash dumping (`dcsync_hashdump`).
## Indicators of Compromise
- File Hashes: Shells, utility files (`wce.exe`, `tunnel.php`).
- File Names: `myshell.php`.
- Registry Keys: N/A (Focus is on file execution and network traffic).
- Network Indicators: Traffic between the compromised web server and the attacker/proxy infrastructure, followed by internal traffic originating from the web server targeting administrative services (like SMB/RPC for psexec).
- Behavioral Indicators: Unexpected execution of PowerShell (Empire stager) or remote process creation via SMB/RPC (psexec) originating from the web application server.
## Associated Threat Actors
- Red Teams/Penetration Testers (As demonstrated in the article).
## Detection Methods
- **Transaction Tracing:** Monitoring the dependency chain starting from an application error (SQLi log entry) through file drops (webshell) to subsequent network beaconing (reGeorg).
- **Content Inspection:** Looking for classic webshell payloads.
- **Network Segmentation Monitoring:** Alerting on non-standard internal communication initiated by typically internet-facing servers (the web application host).
## Mitigation Strategies
- Robust patch management (addressing missing patches).
- Input validation to prevent SQL Injection.
- Strict segmentation of the network, ensuring web servers cannot reach Domain Controllers or critical internal assets without strict access controls via hardened jump boxes.
- Deploying EDR/XDR to detect anomalous process relationships (e.g., Apache/Nginx spawning shells or communicating via strange protocols).
## Related Tools/Techniques
- Persistence via Web Shells
- Internal Pivoting via SSH/HTTP Tunnels
- Credential Access via Domain Tools (e.g., Impacket toolkit)