Investigating web shells

11 minute read

Short CTF write up with a focus on web shells and the Tomcat platform.

Web shells memory write up

WIN-CEKM08E74HR-20150611-222930.raw

All I know is that this dump is from a machine running a web server which has been compromised. I don’t know how it was compromised, nor do I have any other details about the server itself.

Identify the OS profile
Set environment variable ‘mem’ to /mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw

$ cd /root/volatility
$ mem=/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw
$ python vol.py -f $mem imageinfo

Volatility results

Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : VistaSP1x86, Win2008SP1x86, Win2008SP2x86, VistaSP2x86
                     AS Layer1 : IA32PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/mnt/volatility/DF/WIN-CEKM08E74HR-20150611-222930.raw)
                      PAE type : No PAE
                           DTB : 0x122000L
                          KDBG : 0x8190ac98L
          Number of Processors : 1
     Image Type (Service Pack) : 2
                KPCR for CPU 0 : 0x8190b800L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-06-11 22:29:32 UTC+0000
     Image local date and time : 2015-06-11 18:29:32 -0400

Would be reasonable to assume it will be Win2008 based on the ‘web server’ part of the challenge.

$ python vol.py -f $mem --profile=Win2008SP1x86 pslist

Processes of interest;

0x831f3d90 cmd.exe                3248   1728      0 --------      0      0 2015-06-11 22:21:49 UTC+0000   2015-06-11 22:21:49 UTC+0000
0x8363c7f0 tasklist.exe           3256   3248      0 --------      0      0 2015-06-11 22:21:49 UTC+0000   2015-06-11 22:21:49 UTC+0000
0x835f5718 cmd.exe                3520   1728      0 --------      0      0 2015-06-11 22:24:04 UTC+0000   2015-06-11 22:24:04 UTC+0000
0x830e9d90 cmd.exe                3572   2032      1       17      0      0 2015-06-11 22:25:00 UTC+0000
0x8362fca0 bg.jpg                 3580   3572      1       61      0      0 2015-06-11 22:25:00 UTC+0000
0x835eba10 cmd.exe                3604   1728      0 --------      0      0 2015-06-11 22:25:15 UTC+0000   2015-06-11 22:25:15 UTC+0000
0x836407b0 cmd.exe                3612   1728      0 --------      0      0 2015-06-11 22:25:24 UTC+0000   2015-06-11 22:25:24 UTC+0000
0x830e2d90 tasklist.exe           3620   3612      0 --------      0      0 2015-06-11 22:25:24 UTC+0000   2015-06-11 22:25:24 UTC+0000
0x83693bc0 TrustedInstalle        2364    596      3      104      0      0 2015-06-11 22:26:34 UTC+0000
0x832e7020 csrss.exe              2664   2684      8      188      2      0 2015-06-11 22:26:55 UTC+0000
0x83125cd8 winlogon.exe           2732   2684      3      114      2      0 2015-06-11 22:26:55 UTC+0000
0x82a3f530 taskeng.exe            2448   1012      9      226      2      0 2015-06-11 22:27:17 UTC+0000
0x83681610 dwm.exe                2860   1160      3       70      2      0 2015-06-11 22:27:17 UTC+0000
0x837241d8 explorer.exe           2428   2856     17      425      2      0 2015-06-11 22:27:18 UTC+0000
0x83117020 jusched.exe            3056   2428      1       50      2      0 2015-06-11 22:27:18 UTC+0000
0x83632d08 VBoxTray.exe           3060   2428      9      228      2      0 2015-06-11 22:27:18 UTC+0000
0x83201b90 Tomcat7w.exe           2816   2428      2       50      2      0 2015-06-11 22:27:18 UTC+0000
0x83116ad8 wuauclt.exe            3360   1012      2      142      2      0 2015-06-11 22:27:32 UTC+0000
0x8311ec10 cmd.exe                4032   2428      1       19      2      0 2015-06-11 22:29:10 UTC+0000

Server appears to be a Windows 2008 box running Tomcat7.
Pull network information

$ python vol.py -f $mem --profile=Win2008SP1x86 netscan

0x1eda4db0         TCPv4    -:8080                         58.64.141.245:1057   CLOSED           1728     Tomcat7.exe

Looks like this server is listening on 192.168.56.30.
There’s a remote connection associated with PID 1728 / Tomcat7.exe
This PID is also the PPID for numerous cmd.exe

Let’s run pstree to see the family (could also run pstree -v)

 $ python vol.py -f $mem --profile=Win2008SP1x86 pstree

0x837241d8:explorer.exe                             2428   2856     17    425 2015-06-11 22:27:18 UTC+0000
. 0x83201b90:Tomcat7w.exe                            2816   2428      2     50 2015-06-11 22:27:18 UTC+0000
. 0x83117020:jusched.exe                             3056   2428      1     50 2015-06-11 22:27:18 UTC+0000
. 0x8311ec10:cmd.exe                                 4032   2428      1     19 2015-06-11 22:29:10 UTC+0000

. 0x83139650:services.exe                             596    520      6    234 2015-06-11 22:05:29 UTC+0000
.. 0x832dc560:Tomcat7.exe                            1728    596     28    360 2015-06-11 22:05:56 UTC+0000
... 0x835eba10:cmd.exe                               3604   1728      0 ------ 2015-06-11 22:25:15 UTC+0000
... 0x836407b0:cmd.exe                               3612   1728      0 ------ 2015-06-11 22:25:24 UTC+0000
.... 0x830e2d90:tasklist.exe                         3620   3612      0 ------ 2015-06-11 22:25:24 UTC+0000
... 0x831f3d90:cmd.exe                               3248   1728      0 ------ 2015-06-11 22:21:49 UTC+0000
.... 0x8363c7f0:tasklist.exe                         3256   3248      0 ------ 2015-06-11 22:21:49 UTC+0000
... 0x835f5718:cmd.exe                               3520   1728      0 ------ 2015-06-11 22:24:04 UTC+0000

Dump Tomcat PID memory (1728)

$ python vol.py -f $mem --profile=Win2008SP1x86 memdump -p 1728 -D /mnt/volatility/DF/tomcat-dump/

Strings output 1728.dmp to readable

$ strings -a /mnt/volatility/DF/tomcat-dump/1728.dmp > /mnt/volatility/DF/tomcat-dump/1728strings.txt

COMPUTERNAME=WIN-CEKM08E74HR
ComSpec=C:\Windows\system32\cmd.exe
DFSTRACINGON=FALSE
FP_NO_HOST_CHECK=NO
LOCALAPPDATA=C:
2\config\systemprofile\AppData\Local
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\ProgramData\Oracle\Java\javapath;C:\Wi
:\Windows;C:\Windows\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
PROCESSOR_ARCHITECTURE=
ENTIFIER=x86 Family 6 Model 42 Stepping 7, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=2a07
ProgramData=C:\Program
UvDrive=C:
SystemRoot=C:\Windows
TEMP=C:\Windows\TEMP
TMP=C:\Windows\TEMP
Format
USERDOMAIN=WORKGROUP
USERNAME=WIN-CEKM08E74HR$
USERPROFILE=C:\Windows\system32\config\systemprofile
windir=C:\Windows

       "C:\Program Files\Apache Software Foundation\Tomcat 7.0\bin\Tomcat7.exe" //RS//Tomcat7

58.64.141.245 - tomcat [11/Jun/2015:18:07:04 -0400] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99 HTTP/1.1" 200 158

58.64.141.245 - - [11/Jun/2015:18:07:27 -0400] "POST /webfiles/ HTTP/1.1" 200 2367
58.64.141.245 - - [11/Jun/2015:18:07:37 -0400] "POST /webfiles/ HTTP/1.1" 200 2460
58.64.141.245 - - [11/Jun/2015:18:07:51 -0400] "POST /webfiles/ HTTP/1.1" 200 2388
58.64.141.245 - - [11/Jun/2015:18:09:26 -0400] "POST /webfiles/ HTTP/1.1" 200 8973
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "POST /webfiles/ HTTP/1.1" 200 48896
58.64.141.245 - - [11/Jun/2015:18:12:42 -0400] "POST /webfiles/ HTTP/1.1" 200 2245
58.64.141.245 - - [11/Jun/2015:18:13:16 -0400] "POST /webfiles/ HTTP/1.1" 200 2278
58.64.141.245 - - [11/Jun/2015:18:15:24 -0400] "POST /webfiles/ HTTP/1.1" 200 2261
58.64.141.245 - - [11/Jun/2015:18:15:34 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:16:31 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:19:52 -0400] "POST /webfiles/ HTTP/1.1" 200 5149
58.64.141.245 - - [11/Jun/2015:18:21:49 -0400] "POST /webfiles/ HTTP/1.1" 200 5227
58.64.141.245 - - [11/Jun/2015:18:24:04 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:15 -0400] "POST /webfiles/ HTTP/1.1" 200 2271
58.64.141.245 - - [11/Jun/2015:18:25:25 -0400] "POST /webfiles/ HTTP/1.1" 200 5305

Looking for shells

$ cat /mnt/volatility/DF/tomcat-dump/1728strings.txt | grep -i 'post' | more

Let’s see when 58.64.141.245 first accessed the web server.

58.64.141.245 - - [08/Jun/2015:19:38:44 -0400] "GET /manager/html HTTP/1.1" 401 2538

$ grep -C10 "58\.64\.141\.245" /mnt/volatility/DF/tomcat-dump/1728strings.txt

58.64.141.245 - - [11/Jun/2015:18:27:51 -0400] "GET /webfiles/?sort=1&downfile=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 975 - - [11/Jun/2015:18:27:37 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714
58.64.141.245 - - [11/Jun/2015:18:27:44 -0400] "GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1" 200 972 7:34 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714/1.1" 200 3714 - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroot HTTP/1.1" 200 8863
58.64.141.245 - - [11/Jun/2015:18:13:43 -0400] "GET /webfiles/?Javascript HTTP/1.1" 200 3714

Let’s focus on the activity around ‘GET /webfiles’

$ grep -C10 "GET \/webfiles" /mnt/volatility/DF/tomcat-dump/1728strings.txt

GET /webfiles/?sort=1&file=C%3A%5Cinetpub%5Cwwwroot%5Csm.gif HTTP/1.1
accept:*/**
referer:http://192.168.56.30:8080/webfiles/?sort=1&dir=C%3A%5Cinetpub%5Cwwwroott
accept-language:en-uss
user-agent:Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0))
accept-encoding:gzip, deflatee
host:192.168.56.30:80800
connection:Keep-Alivee
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
cookie:JSESSIONID=D4BB0A17D08FE321DF87835231D798244
0A17D08FE321DF87835231D798244
--
Accept-Encoding: gzip, deflate
Host: 192.168.56.30:8080
Connection: Keep-Alive
Cookie: JSESSIONID=983D1DF88F7A229E9D2C5DD76804F120
Authorization: Basic dG9tY2F0OnRvbWNhdA==

Authorisation is base64. Let’s decode it.

$ echo dG9tY2F0OnRvbWNhdA== | base64 -d
tomcat:tomcat

Found interesting strings in 1728strings.txt

178956:Created by jsp File Browser v.

Let’s focus on that.

179973:"                <small>jsp File Browser version
179974-C by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
179975- </center>
179976-</html>
179977-java/util/zip/ZipFile

246416- <div class="formular">
246417- <form class="formular2" action="/webfiles/" enctype="multipart/form-data" method="POST">
246418-         <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246419-         <input type="hidden" name="sort" value="1">
246420-         <input type="file" class="textfield" onKeypress="event.cancelBubble=true;" name="myFile">
246421-         <input title="Upload selected file to the current working directory
246422-" type="Submit" class="button" name="Submit" value="Upload"
246423-         onClick="javascript:popUp('/webfiles/')">
246424- </form>
246425-    <form class="formular2" action="/webfiles/" method="POST">
246426-         <input type="hidden" name="dir" value="C:\inetpub\wwwroot">
246427-         <input type="hidden" name="sort" value="1">
246428-         <input type="hidden" name="command" value="">
246429-         <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
246430- </form>
246431-    </div>
246432-
246433- <hr>
246434- <center>
246435:         <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>
246436- </center>
246437-</bo
246438-H7
246439- H7
246440- H7
246441- Wp<
246442-/manager/images/asf-logo.gif
246443-org.apache.catalina.filters.CSRF_NONCE
246444-multipart/form-data; boundary=---------------------------7df134640124
246445-/manager/images/tomcat.gif
246446-org.apache.catalina.filters.CSRF_NONCE=262D313C4A6E085593AF3CAD4F4E7A99
246447-en-us
246448-262D313C4A6E085593AF3CAD4F4E7A99
246449-W/"2066-1431019026000"
246450-36791
246451-Thu, 07 May 2015 17:17:06 GMT
246452-W/"7279-1431019026000"
246453-/manager/html/upload
246454-/manager/html

248751-/webfiles/tml/uploadlogo.gif
248752-sort=1&file=C:\inetpub\wwwroot\sm.gif5Csm.gif3C4A6E085593AF3CAD4F4E7A99
248753-HTTP/1.1 200 OK
248754-Server: Apache-Coyote/1.1
248755-Content-Disposition: inline;filename="sm.gif"
248756-Content-Type: image/gif;charset=ISO-8859-1
248757-Content-Length: 97
248758-Date: Thu, 11 Jun 2015 22:27:44 GMT
248759-Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F
248760-pe="hidden" name="dir" value="C:\inetpub\wwwroot">
248761-         <input type="hidden" name="sort" value="1">
248762-         <input type="hidden" name="command" value="">
248763-         <input title="Launch command in current directory" type="Submit" class="button" id="but_Lau" name="Submit" value="(L)aunch external program">
248764- </form>
248765-    </div>
248766-
248767- <hr>
248768- <center>
248769:         <small>jsp File Browser version 1.2 by <a href="http://www.vonloesch.de">www.vonloesch.de</a></small>

38887-      out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
38888-      out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");
65343-      out.write("\t\t<input type=\"hidden\" name=\"command\" value=\"\">\n");
65344-      out.write("\t\t<input title=\"Launch command in current directory\" type=\"Submit\" class=\"button\" id=\"but_Lau\" name=\"Submit\" value=\"");

Let’s find this shell.

58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574

$ cat /mnt/volatility/DF/tomcat-dump/1728strings.txt | grep -i '\.bat'

<snip>
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascriptonitor=C:\fakepath\12.bat12.bat
C:\fakepath\12.bat
Content-Disposition: form-data; name="myFile"; filename="12.bat"
uplMonitor=C%3A%5Cfakepath%5C12.bat
Javascript=C:\inetpub\wwwrootwwroot12.bat
uplMonitor=C%3A%5Cfakepath%5C12.bat
at 18:25 c:\windows\12.bat
first&uplMonitor=C%3A%5Cfakepath%5C12.bat
C:\fakepath\12.bat
<snip>
GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1
Content-Disposition: form-data; name="myFile"; filename="12.bat"
<snip>
58.64.141.245 - - [11/Jun/2015:18:12:16 -0400] "GET /webfiles/?first&uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 865
58.64.141.245 - - [11/Jun/2015:18:12:18 -0400] "GET /webfiles/?uplMonitor=C%3A%5Cfakepath%5C12.bat HTTP/1.1" 200 574

Right. C:\fakepath\12.bat - let’s dump this batch script

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i "12\.bat"

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee373f8      8      0 -W-rw- \Device\HarddiskVolume1\Windows\12.bat

$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001ee373f8 -D /mnt/volatility/DF/tomcat-dump/
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1ee373f8   None   \Device\HarddiskVolume1\Windows\12.bat

Examine 12.bat

$ cat /mnt/volatility/DF/tomcat-dump/file.None.0x8362e730.dat

@echo off
c:\inetpub\wwwroot\bg.jpg -e -o c:\inetpub\wwwroot\sm.gif

pstree verbose

$ python vol.py -f $mem --profile=Win2008SP1x86 pstree -v
..... 0x8362fca0:bg.jpg                              3580   3572      1     61 2015-06-11 22:25:00 UTC+0000
         audit: \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
         cmd: c:\inetpub\wwwroot\bg.jpg  -e -o c:\inetpub\wwwroot\sm.gif
         path: c:\inetpub\wwwroot\bg.jpg

Let’s determine what bg.jpg actually is

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'bg\.jpg'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ede1ba0      8      0 -W-rw- \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg
0x000000001f2dc170      7      0 R--r-d \Device\HarddiskVolume1\inetpub\wwwroot\bg.jpg

$ sha1sum /mnt/volatility/DF/tomcat-dump/file.*
c0d7899cc49bf2cb4f3abe663dc6a62ed69c06ff  /mnt/volatility/DF/tomcat-dump/file.None.0x832c0680.dat

https://www.virustotal.com/gui/file/b1f233d1eccf366af43ebd62e8f276ba3794c353c3f179b8989798870d07e00b/detection

26019082706f9898a716d8803f57cc70365c821b  /mnt/volatility/DF/tomcat-dump/file.None.0x8362fb20.img

$ strings file.None.0x8362fb20.img

WCE %s (Windows Credentials Editor) - (c) 2010,2011,2012 Amplia Security - by Hernan Ochoa (hernan@ampliasecurity.com)
Use -h for help.
Options:
        -l              List logon sessions and NTLM credentials (default).
                        Optional: -r<refresh interval>.
        -s              Changes NTLM credentials of current logon session.
                        Parameters: <UserName>:<DomainName>:<LMHash>:<NTHash>.
        -o              saves all output to a file.
        -r              Lists logon sessions and NTLM credentials indefinitely.
                        Refreshes every 5 seconds if new sessions are found.
        -c              Run <cmd> in a new session with the specified NTLM credentials.
                        Parameters: <cmd>.
        -e              Lists logon sessions NTLM credentials indefinitely.
                        Refreshes every time a logon event occurs.
                        Parameters: <filename>.
        -i              Specify LUID instead of use current logon session.
                        Parameters: <luid>.
        -d              Delete NTLM credentials from logon session.
                        Parameters: <luid>.
        -a              Use Addresses.
                        Parameters: <addresses>
        -f              Force 'safe mode'.
        -g              Generate LM & NT Hash.
                        Parameters: <password>.
        -K              Dump Kerberos tickets to file (unix & 'windows wce' format)
Error in cmdline!. Bye!.
        -k              Read Kerberos tickets from file and insert into Windows cache
username wrong format!.
        -w              Dump cleartext passwords stored by the digest authentication package
        -v              verbose output.

So it’s windows credential editor. -e for credentials, -o for output.
Review sm.gif

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'sm\.gif'

Volatility Foundation Volatility Framework 2.6.1
0x000000001edf6640      1      0 R--rw- \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif

$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001edf6640 -D /mnt/volatility/DF/tomcat-dump/wce

Volatility Foundation Volatility Framework 2.6.1
DataSectionObject
0x1edf6640 None \Device\HarddiskVolume1\inetpub\wwwroot\sm.gif


$ strings /mnt/volatility/DF/tomcat-dump/wce/file.None.0x830f1448.dat
Administrator:WIN-CEKM08E74HR:A15153D335C2751F17306D272A9441BB:835FD21AAC32076DF24DC75E0C77144F

Identifying tasks

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'tasks'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee03280      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\NetworkAccessProtection\NAPStatus UI
0x000000001ee49ba8      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\CertificateServicesClient\UserTask
0x000000001f122450      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\TextServicesFramework\MsCtfMonitor
0x000000001f127f80      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Multimedia\SystemSoundsService
0x000000001f1e8bd8     17      1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx
0x000000001f1eb750      8      0 -W-r-- \Device\HarddiskVolume1\Windows\System32\Tasks\At1
0x000000001f22da78     10      1 RW-r-- \Device\HarddiskVolume1\Windows\Tasks\SCHEDLGU.TXT
0x000000001f22e9c8      6      1 R--rw- \Device\HarddiskVolume1\Windows\Tasks
0x000000001f231b18      2      0 R--r-d \Device\HarddiskVolume1\Windows\System32\taskschd.dll
0x000000001f2638d0      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\PLA\System\ConvertLogEntries
*0x000000001f297ad8      8      0 -W-r-d \Device\HarddiskVolume1\Windows\Tasks\At1.job*
0x000000001f2e7ed0      1      0 R--r-d \Device\HarddiskVolume1\Windows\System32\Tasks\Microsoft\Windows\Server Manager\ServerManager


$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f297ad8 -D /mnt/volatility/DF/tomcat-dump/tasks
$ strings -el /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat

c:\windows\12.bat
SYSTEM
Created by NetScheduleJobAdd.
$ xxd /mnt/volatility/DF/tomcat-dump/tasks/file.None.0x8363fd10.dat

00000000: 0006 0100 7cbf 6c48 bcaa 564e 928f 06eb  ....|.lH..VN....
00000010: 7057 4ccb 4600 ca00 0000 0000 3c00 0a00  pWL.F.......<...
00000020: 2000 0000 0014 730f 0000 0000 0113 0400   .....s.........
00000030: 0200 e021 df07 0600 0400 0b00 1200 1900  ...!............
00000040: 0000 1c00 0100 1200 6300 3a00 5c00 7700  ........c.:.\.w.
00000050: 6900 6e00 6400 6f00 7700 7300 5c00 3100  i.n.d.o.w.s.\.1.
00000060: 3200 2e00 6200 6100 7400 0000 0000 0000  2...b.a.t.......
00000070: 0700 5300 5900 5300 5400 4500 4d00 0000  ..S.Y.S.T.E.M...
00000080: 1e00 4300 7200 6500 6100 7400 6500 6400  ..C.r.e.a.t.e.d.
00000090: 2000 6200 7900 2000 4e00 6500 7400 5300   .b.y. .N.e.t.S.
000000a0: 6300 6800 6500 6400 7500 6c00 6500 4a00  c.h.e.d.u.l.e.J.
000000b0: 6f00 6200 4100 6400 6400 2e00 0000 0000  o.b.A.d.d.......
000000c0: 0800 0000 0000 0000 0000 0100 3000 0000  ............0...
000000d0: df07 0600 0b00 0000 0000 0000 1200 1900  ................
000000e0: 0000 0000 0000 0000 0000 0000 0000 0000  ................
000000f0: 0000 0000 0000 0000 0000 0000 0100 0100  ................
00000100: 3c56 fcbd fe46 561b 1843 6c37 2c42 d847  <V...FV..Cl7,B.G
00000110: 8146 13f0 4dc0 8ca1 6385 9699 3525 f122  .F..M...c...5%."
00000120: a49a 20ed 4b99 5850 df79 17f8 0f16 4777  .. .K.XP.y....Gw
00000130: b394 0b70 a307 7bd4 993b a5d4 71a0 0a19  ...p..{..;..q...

Dump security logs to identify who created scheduled task

$ python vol.py -f $mem --profile=Win2008SP1x86 filescan | grep -i 'security'

Volatility Foundation Volatility Framework 2.6.1
0x000000001ee09960      3      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\RegBack\SECURITY
0x000000001f091600     11      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY
0x000000001f1ed2c0     13      1 RW-r-- \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
0x000000001fa06ed8      1      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG1
0x000000001fa31308     17      1 RWDr-d \Device\HarddiskVolume1\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
0x000000001fa31b00      1      1 RW---- \Device\HarddiskVolume1\Windows\System32\config\SECURITY.LOG2
0x000000001fa37a60      1      1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Operational.etl
0x000000001fa37b08      1      1 RW-r-d \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Configuration-Wizard%4Diagnostic.etl
$ python vol.py -f $mem --profile=Win2008SP1x86 dumpfiles -Q 0x000000001f1ed2c0 -D /mnt/volatility/DF/tomcat-dump/security-log/

Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x1f1ed2c0   None   \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx
SharedCacheMap 0x1f1ed2c0   None   \Device\HarddiskVolume1\Windows\System32\winevt\Logs\Security.evtx

Renamed file.None.0x831ef6a0.vacb to file.None.0x831ef6a0.vacb.evtx
Opened in Event Viewer, refined by ID 4698 (new scheduled task has been created)

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" /> 
  <EventID>4698</EventID> 
  <Version>0</Version> 
  <Level>0</Level> 
  <Task>12804</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x8020000000000000</Keywords> 
  <TimeCreated SystemTime="2015-06-11T22:13:16.426336000Z" /> 
  <EventRecordID>7273</EventRecordID> 
  <Correlation /> 
  <Execution ProcessID="608" ThreadID="2268" /> 
  <Channel>Security</Channel> 
  <Computer>WIN-CEKM08E74HR</Computer> 
  <Security /> 
  </System>
- <EventData>
  <Data Name="SubjectUserSid">S-1-5-18</Data> 
  <Data Name="SubjectUserName">WIN-CEKM08E74HR$</Data> 
  <Data Name="SubjectDomainName">WORKGROUP</Data> 
  <Data Name="SubjectLogonId">0x3e7</Data> 
  <Data Name="TaskName">\At1</Data> 
  <Data Name="TaskContent"><?xml version="1.0" encoding="UTF-16"?>
  <Task version="1.0" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo /> <Triggers> <TimeTrigger> <StartBoundary>2015-06-11T18:25:00</StartBoundary> </TimeTrigger> </Triggers> <Principals> <Principal id="Author"> <UserId>@AtServiceAccount</UserId> <LogonType>InteractiveTokenOrPassword</LogonType> <RunLevel>HighestAvailable</RunLevel> </Principal> </Principals> <Actions Context="Author"> <Exec> <Command>c:\windows\12.bat</Command> </Exec> </Actions> </Task></Data> 
  </EventData>
  </Event>

TL;DR

We have a Tomcat7 installation on a Windows 2008 server. Access was gained with default tomcat credentials (tomcat/tomcat). A file was uploaded which provided SYSTEM level access. Windows Credential Editor (WCE) was uploaded, a scheduled task was created which executed WCE and dumped local credentials into a single file. The attacker downloaded that file remotely, gaining access to the local Administrator account credentials. All attacks took place on 11th June 2015 from the IP 58.64.141.245