Make a transfer of 1 SGD using the SWIFT server

Summary

After a successful phishing campaign we gained access to the workstation of one of the staff. A privilege escalation allowed us to perform lateral movement to the server managing authentication (Active Directory). After account discovery we identified an administrator of the operational servers. Persistence was established on his workstation, and after a few days we managed to hijack the connection to the SWIFT server during a monthly maintenance window.

Day 1: A CV crafted to match a banker's profile was created. The document was backdoored with a Rundll32 (T1085) payload.

Day 3: The trapped document was sent to HR email addresses found on the corporate website.

Day 4: The Spearphishing Attachment (T1193) was successful and gave us access to the HR workstation.

Day 5: Network Share Discovery (T1135) allowed us to find a file server and its Service Principal Names (SPNs). From there a Kerberoasting (T1208) attack was performed, which allowed us to run a Brute Force (T1110) attack against the retrieved NTLM hash.
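From the defender's side, the Day 5 step leaves a characteristic trace: one account requesting service tickets for many SPNs in a short burst, typically with the weak RC4-HMAC encryption type that makes offline cracking feasible. The following script is an added illustration of that detection logic; it is not part of the original report. It runs over constructed log lines whose pipe-separated layout (timestamp, event ID, requesting account, service name, encryption type) is an assumption for the example; real Windows Security Event 4769 records would be read from EVTX or a SIEM first.

```python
"""Detection sketch for Kerberoasting (T1208): flag accounts that request many
service tickets (Windows Security Event ID 4769) for distinct SPNs with a weak
RC4-HMAC encryption type (0x17/0x18) inside a short time window.

The log lines below are constructed for this example; the column layout is an
assumption, not a real event format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: "timestamp | event_id | requesting account | service name | etype"
SAMPLE_LOG = """\
2023-01-05T09:00:01 | 4769 | hr.user@CORP.LOCAL | FILESRV01$    | 0x12
2023-01-05T10:15:02 | 4769 | hr.user@CORP.LOCAL | svc_fileshare | 0x17
2023-01-05T10:15:02 | 4769 | hr.user@CORP.LOCAL | svc_sql       | 0x17
2023-01-05T10:15:03 | 4769 | hr.user@CORP.LOCAL | svc_backup    | 0x17
2023-01-05T10:15:03 | 4769 | hr.user@CORP.LOCAL | svc_web       | 0x17
2023-01-05T10:15:04 | 4769 | hr.user@CORP.LOCAL | svc_print     | 0x17
2023-01-05T10:20:00 | 4769 | jdoe@CORP.LOCAL    | FILESRV01$    | 0x12
2023-01-05T11:00:00 | 4769 | jdoe@CORP.LOCAL    | svc_sql       | 0x17
"""

WEAK_ETYPES = {"0x17", "0x18"}   # RC4-HMAC variants, crackable offline
WINDOW = timedelta(minutes=5)    # burst window
THRESHOLD = 4                    # distinct RC4 SPNs per account per window


def parse_line(line):
    """Split one constructed log line into a dict with typed fields."""
    ts, event_id, account, service, etype = [f.strip() for f in line.split("|")]
    return {
        "ts": datetime.fromisoformat(ts),
        "event_id": int(event_id),
        "account": account,
        "service": service,
        "etype": etype.lower(),
    }


def detect_kerberoasting(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {account: [spns]} for accounts whose TGS requests look like a roast.

    Only 4769 events with a weak etype count. Requests for computer accounts
    (service names ending in '$') are ignored: their passwords are random and
    long, so they are not useful crack targets and are normal SMB/CIFS traffic.
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    candidates = [
        e for e in events
        if e["event_id"] == 4769
        and e["etype"] in WEAK_ETYPES
        and not e["service"].endswith("$")
    ]
    by_account = defaultdict(list)
    for e in candidates:
        by_account[e["account"]].append(e)

    alerts = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        # Sliding window: from each event, count distinct SPNs requested
        # within `window` after it; alert on the first window over threshold.
        for i, start in enumerate(evs):
            spns = {e["service"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(spns) >= threshold:
                alerts[account] = sorted(spns)
                break
    return alerts


if __name__ == "__main__":
    for account, spns in detect_kerberoasting(SAMPLE_LOG).items():
        print(f"ALERT possible Kerberoasting by {account}: {', '.join(spns)}")
```

The threshold and window are tuning knobs: a single RC4 request from a legacy application is routine, a burst across many service accounts from one user session is not. Pairing this with an allow-list of SPNs that legitimately need RC4, and with AES-only service accounts so that 0x17 requests become rare, keeps the rule useful in production.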

Day 9: The password for the file server TGS was finally found. We performed lateral movement to the file server using Remote Services (T1021). From this account we were able to discover other accounts (Account Discovery T1087) and their roles. An operational admin was found, and we waited for him to log in to the file server.

Day 12: The admin finally logged in to the file server. We dumped his credentials (Credential Dumping T1003) from the file server. Access to his own workstation gave us the location and the credentials of the SWIFT server.

Day 14: After a few days of exploration, the business logic around making a SWIFT transfer was too complex to understand by ourselves. We therefore found one of the users of the SWIFT application and recorded his screen for a while (Screen Capture T1113) in order to understand how a transfer is made.

Day 17: We were finally able to make a transfer from the SWIFT server.