TLDR: Decom your test machines properly! Hashes are still useful after the machine is gone

New Toys are fun

20,266 logins in 12 hours! Should be enough to get started.

20k events

I managed to use the logs to build out some nice rules and hunting queries, pulling in data from OTX (Tor nodes, known bad IPs). Thought this would be the end of it and shut it all down.

Out of curiosity I started to look at the usernames logging on, messed up the KQL query and sorted by smallest rather than largest…

A user?

One account stood out as looking a lot like a legit domain account, odd. Took a quick look around the other logons and it wasn't coming from an IP used by other bots, nor was the IP on a bad list. Quick search on Shodan for the domain and I found some other servers reporting the same domain, all hosted in Azure, nice!
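The "sorted by smallest" hunt above, as an added Python example that is not part of the original post: it runs the same rare-username triage over a few constructed logon events (the domain name, account, IPs and the bad-IP set are all made up for the example) and flags a rare, domain-style account whose source IP is neither shared with the bot noise nor on the indicator list, which is exactly the combination that made the account stand out.

```python
"""Rare-account hunt over honeypot logon events (added example, constructed data).

The bulk of a honeypot's logons is bot dictionary noise; the long tail of the
username distribution is where a stray real account hides. Sorting ascending
instead of descending surfaces it.
"""
from collections import Counter, defaultdict
from typing import NamedTuple


class Logon(NamedTuple):
    account: str     # as presented by the client, e.g. "DOMAIN\\svc-deploy"
    source_ip: str
    outcome: str     # "failure" or "success"


# Constructed sample events: brute-force noise from a few IPs plus one
# domain-style account (hypothetical EXAMPLECORP) from an IP nobody else uses.
SAMPLE_EVENTS = [
    *[Logon("administrator", "198.51.100.10", "failure")] * 40,
    *[Logon("admin", "198.51.100.10", "failure")] * 25,
    *[Logon("administrator", "203.0.113.7", "failure")] * 30,
    *[Logon("test", "203.0.113.7", "failure")] * 12,
    *[Logon("user1", "192.0.2.55", "failure")] * 5,
    Logon("EXAMPLECORP\\svc-deploy", "192.0.2.200", "failure"),
    Logon("EXAMPLECORP\\svc-deploy", "192.0.2.200", "failure"),
]

# Stand-in for an OTX / Tor-node indicator feed (constructed).
BAD_IP_LIST = {"203.0.113.7"}

GENERIC_NAMES = {"administrator", "admin", "test", "user", "guest", "root"}


def rare_accounts(events, max_count=3):
    """(account, count) pairs in ascending order, keeping only the tail."""
    counts = Counter(e.account for e in events)
    ordered = sorted(counts.items(), key=lambda kv: kv[1])
    return [(acct, n) for acct, n in ordered if n <= max_count]


def looks_like_domain_account(account):
    """Heuristic: DOMAIN\\user or user@domain form with a non-dictionary name."""
    has_domain = "\\" in account or "@" in account
    name = account.split("\\")[-1].split("@")[0].lower()
    return has_domain and name not in GENERIC_NAMES


def triage(events, bad_ips, max_count=3):
    """Flag rare domain-style accounts whose source IP is neither shared with
    other (bot) account names nor on the known-bad list."""
    ips_by_account = defaultdict(set)
    accounts_by_ip = defaultdict(set)
    for e in events:
        ips_by_account[e.account].add(e.source_ip)
        accounts_by_ip[e.source_ip].add(e.account)

    findings = []
    for acct, n in rare_accounts(events, max_count):
        if not looks_like_domain_account(acct):
            continue
        for ip in sorted(ips_by_account[acct]):
            shared = len(accounts_by_ip[ip]) > 1   # same IP also tried other names
            on_list = ip in bad_ips
            findings.append({
                "account": acct,
                "count": n,
                "source_ip": ip,
                "ip_shared_with_other_accounts": shared,
                "ip_on_bad_list": on_list,
                "worth_a_look": not shared and not on_list,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, BAD_IP_LIST):
        print(f)
```

In Sentinel the first step is the same idea in KQL, a `summarize count() by Account` followed by `order by count_ asc` rather than `desc`; the IP-overlap and bad-list checks are then a join against the rest of the logon table and the imported indicator list.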

Hunting for Hashes

After thinking about it for a few hours (Blue Team never sleeps) I wondered what would happen if I just claimed to be that server and let them send an NTLM hash over.

Scrapped the Windows machine and booted a fresh Ubuntu box, spent an age installing everything again and fired up Responder to reply on SMB, WinRM and RDP. Left it running overnight and came back to a whole lot of junk. Quick grep over the logs and I had 1000+ Administrator hashes thanks to the bots. I should have given up at this point but decided to swap IP addresses and try again.

SpongeBob meme

After jumping IP addresses a couple more times, I was about to give up again…

A hash that looks legit! Again, a quick search of Shodan shows the domain is legit and looks to belong to a dev environment!

Aftermath

Is this a bot using a previously leaked cred - Possible!

Is this method useful in the real world - Almost certainly not!

Should you be careful when spinning up machines in Azure for dev and forgetting they've died - 100%

Had my fun so I’m going to go back to KQL hell until I get bored and start playing with DLL hijacking again 😉