“crimeware, remote access tools, and cryptocurrency miners. Our detailed technical write-ups on the samples we reverse engineered can be found below: - Redosdru — encrypted DLL payloads to avoid on-disk signatures - Generic downloader leads to Bitcoin miner — coming soon! - Vit…”
T1055.001 Dynamic-link Library Injection (74%)
“…gger to troubleshoot a process (Debugger). When a process gains execution, one of the earliest actions performed by explorer.exe is to check the IFEO key. If the executed process has a correlating subkey (shares the same name), Windows will check for a Debugger value. If t…”
T1543.003 Windows Service (70%)
“…s … /f Although cmd.exe was a legitimate Microsoft executable, the use of a registry value named “aut2” with these nested commands was anomalous. As a result, Huntress classified the activity as malicious. Suspicious Service: Huntress also discovered a service named “wsqhwr…”
T1622 Debugger Evasion (64%)
“…gger to troubleshoot a process (Debugger). When a process gains execution, one of the earliest actions performed by explorer.exe is to check the IFEO key. If the executed process has a correlating subkey (shares the same name), Windows will check for a Debugger value. If t…”
T1112 Modify Registry (60%)
“attacker chose to modify and delete several registry keys to ensure their commands would run as expected. With these hurdles out of their way, the attackers were free to perform more nefarious actions such as killing antivirus processes: Killing Antivirus w/ Image File Executio…”
T1053.005 Scheduled Task (52%)
““taskkill.exe /f /im myapp.exe” as demonstrated in this Procmon screenshot: This technique is an ideal way to prevent some antivirus products from running. To see exactly what processes these attackers were targeting, check out the full list of their IFEO-related registry …”
T1546.012 Image File Execution Options Injection (43%)
“…gger to troubleshoot a process (Debugger). When a process gains execution, one of the earliest actions performed by explorer.exe is to check the IFEO key. If the executed process has a correlating subkey (shares the same name), Windows will check for a Debugger value. If t…”
T1003 OS Credential Dumping (38%)
“Deep Dive: Squashing an MSSQL Attack. During the previous MSP Moment, we walked our readers through an incident where our partner, NTConnections, used Huntress to discover a previously undetected breach. In this Deep Dive, we’ll examine the tradecraft used by the attackers to …”
T1489 Service Stop (32%)
““taskkill.exe /f /im myapp.exe” as demonstrated in this Procmon screenshot: This technique is an ideal way to prevent some antivirus products from running. To see exactly what processes these attackers were targeting, check out the full list of their IFEO-related registry …”
T1078 Valid Accounts (31%)
“Although the hackers behind this compromise used many different techniques, all of them were well known and documented within the cybersecurity community. Despite this, these attackers were able to gain access, disable the preventive security in place, establish a foothold, and s…”
Summary
During the previous MSP Moment, we walked our readers through an incident where our partner, NTConnections, used Huntress to discover a previously undetected breach. In this Deep Dive, we’ll examine the tradecraft used by the attackers to gain access through the database, kill/disable antivirus, download malicious files, and establish a persistent foothold within the network.