“Huntress was able to further determine the DLL was likely malicious based on the creation of very specifically-named scheduled tasks used as persistence to execute the malicious DLL. These tasks were named: nvtmrep_crashreport3_{b2fe1952-0186-36d3-aahc-ab80ca35ah5b6…”
T1190 Exploit Public-Facing Application (99%)
“which was not made public and as of this writing has no CVE associated with it, was described as follows: a zero-day remote code injection exploit was identified in GoAnywhere MFT. The attack vector of this exploit requires access to the administrative console of the applicati…”
T1190 Exploit Public-Facing Application (98%)
“compromise activity to this application. At this stage, several possibilities presented themselves; for one, an adversary may have brute-forced remote connectivity for the servers in question to gain access to the environment and then run subsequent commands in the context of …”
T1190 Exploit Public-Facing Application (98%)
“relative simplicity of the vulnerability (and ability to reverse engineer a payload based on the vendor’s non-public advisory), Huntress considers this analysis as effectively the release of a proof of concept (PoC) for this exploit in the wild. As a result, we anticipate…”
T1190 Exploit Public-Facing Application (96%)
“. While adversaries may gain initial access to the defended network, layered monitoring of post-exploitation activity can detect (and hopefully defeat) adversaries before they can harden their presence within the network, and move laterally. Conclusions: Huntress identified an…”
T1218.011 Rundll32 (95%)
“seem more suspicious. Knowing that the DLL was also executed further raised the risk level of the incident, since if it was malware that was downloaded, it is now running on the system. The main question we wanted to answer at this point was: what was the DLL? What does it do? S…”
T1053.005 Scheduled Task (94%)
“for TrueBot C2 domain. Detection opportunities: in addition to the indicators above, organizations can leverage tools such as Sigma to identify suspicious behaviors linked to this intrusion. Huntress has an example of such a rule, looking for instances of Apache Tomcat spawning a …”
T1105 Ingress Tool Transfer (86%)
“Investigating Intrusions From Intriguing Exploits. Summary: on 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic: a combination of certutil using the urlcache flag to retrieve a remote resource and foll…”
T1053.005 Scheduled Task (85%)
“the server was isolated due to the observed activity, a similar alert was received for another system in the organization; this system was also designated for GoAnywhere MFT services. This raised even more suspicion about the nature of this attack and the involvement of the GoAny…”
T1053.005 Scheduled Task (82%)
“Unfortunately, while this advice is sound, it is also difficult to implement and maintain over time. System owners and defenders must therefore extend defense and monitoring beyond the perimeter to ensure that if (or more likely when) an adversary gains initial access, options …”
T1053.005 Scheduled Task (72%)
“-[0-9a-z]{4}-aahc-[0-9a-z]{7,8}ah5b[0-9]{1}}. The above regex provided an additional detection touchpoint for Huntress. These names are designed to masquerade as legitimate NVIDIA crash report scheduled tasks using nvtmrep.exe, illustrated as fo…”
T1071 Application Layer Protocol (69%)
“…Shell and WMI functionality, as well as post activity to command and control (C2) infrastructure. What stood out though are references to what appear to be commands or functions for the malware: klls 404no. Finally, analysis of execution identified the C2 infrastructure for th…”
T1059.001 PowerShell (61%)
“Unfortunately, while this advice is sound, it is also difficult to implement and maintain over time. System owners and defenders must therefore extend defense and monitoring beyond the perimeter to ensure that if (or more likely when) an adversary gains initial access, options …”
T1105 Ingress Tool Transfer (60%)
“subsequent actions. T1140 - Deobfuscate/Decode Files or Information: adversary used certutil to decode an encoded TrueBot payload. T1218.011 - System Binary Proxy Execution: Rundll32: adversary used rundll32 to attempt execution of TrueBot payload. Command and Control: T1071.00…”
T1218.011 Rundll32 (58%)
“always, "what was downloaded?" In this case we were unable to obtain much information immediately. We tried connecting to the resource ourselves to pull down the file and analyze it, but the port seemed to already be closed. Looking at publicly available resources, VirusTotal d…”
T1486 Data Encrypted for Impact (53%)
“Investigating Intrusions From Intriguing Exploits. Summary: on 02 February 2023, an alert triggered in a Huntress-protected environment. At first glance, the alert itself was fairly generic: a combination of certutil using the urlcache flag to retrieve a remote resource and foll…”
T1574.001 DLL (52%)
“the remote resource. Huntress was eventually able to recover a copy of this file, with the following characteristics: Name: gamft.dll MD5: 82d4025b84cf569ec82d21918d641540 SHA1: 62f5a16d1ef20064dd78f5d934c84d474aca8bbe SHA256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523e…”
T1486 Data Encrypted for Impact (48%)
“a group referred to as Silence. As reported by the French CERT, Silence has been active in some form since 2016, with TrueBot serving as an initial access, post-compromise tool for the entity’s operations. While links are not authoritative, analysis of TrueBot activity and de…”
T1140 Deobfuscate/Decode Files or Information (43%)
“subsequent actions. T1140 - Deobfuscate/Decode Files or Information: adversary used certutil to decode an encoded TrueBot payload. T1218.011 - System Binary Proxy Execution: Rundll32: adversary used rundll32 to attempt execution of TrueBot payload. Command and Control: T1071.00…”
T1059.003 Windows Command Shell (42%)
“odd commands executed on a server should be, "where did they come from?" In this case the parent process was tomcat.exe executing from a subdirectory inside the C:\Program Files\Linoma Software\GoAnywhere directory. Apache Tomcat is an open-source Java web application…”
T1071 Application Layer Protocol (40%)
“subsequent actions. T1140 - Deobfuscate/Decode Files or Information: adversary used certutil to decode an encoded TrueBot payload. T1218.011 - System Binary Proxy Execution: Rundll32: adversary used rundll32 to attempt execution of TrueBot payload. Command and Control: T1071.00…”
T1588.003 Code Signing Certificates (39%)
“software or what their naming convention would be, but deliberate mimicry likely represents an effort by the adversary to evade detection or further scrutiny. In addition to the “legitimate” name, the file is a signed binary, using the following signing certificate issued via S…”
T1190 Exploit Public-Facing Application (35%)
“incident not been identified at a relatively early stage. Exploit detection and prevention: ideally, defenders can identify (or block) exploitation attempts (especially items against external-facing devices that lead to RCE). In this specific case, however, we appear to have…”
T1036.005 Match Legitimate Resource Name or Location (31%)
“the remote resource. Huntress was eventually able to recover a copy of this file, with the following characteristics: Name: gamft.dll MD5: 82d4025b84cf569ec82d21918d641540 SHA1: 62f5a16d1ef20064dd78f5d934c84d474aca8bbe SHA256: c042ad2947caf4449295a51f9d640d722b5a6ec6957523e…”
T1553.002 Code Signing (30%)
“software or what their naming convention would be, but deliberate mimicry likely represents an effort by the adversary to evade detection or further scrutiny. In addition to the “legitimate” name, the file is a signed binary, using the following signing certificate issued via S…”
T1190 Exploit Public-Facing Application (30%)
“associated with the GoAnywhere MFT administrative access port, the target of the reported RCE. Subsequent research and investigation show that this port (and all others, except SSH) were closed off shortly after the incident, resulting in only remote administration possibilitie…”
T1059.003 Windows Command Shell (30%)
“-[0-9a-z]{4}-aahc-[0-9a-z]{7,8}ah5b[0-9]{1}}. The above regex provided an additional detection touchpoint for Huntress. These names are designed to masquerade as legitimate NVIDIA crash report scheduled tasks using nvtmrep.exe, illustrated as fo…”
Summary
On 02 February 2023, an alert triggered in a Huntress-protected environment. We dive into triaging the threat in this blog.