Execution

Upon execution of the initial DLL, QBot uses process hollowing to start a suspended instance of explorer.exe (32-bit) and then injects itself into this process. The injected explorer.exe process was used to spawn and inject into additional instances of explorer.exe (32-bit). Source PID 10492, belonging to QBot, injected a DLL into PID 4072, which we discovered was part of the Cobalt Strike C2 communication.

A scheduled task registration was recorded in the Task Scheduler operational log:

LogName: Microsoft-Windows-TaskScheduler/Operational
Message: Task scheduler Task Registered

Privilege Escalation

Thirty minutes after gaining initial access, the threat actors ran an executable file on the beachhead to exploit CVE-2020-1472, Zerologon. The executable was named "cool.exe":

```
C:\Windows\system32\cmd.exe /C cool.exe Administrator -c "taskkill /f /im explorer.exe"
```

As explained in a detailed blog from CrowdStrike, the Zerologon CVE relies on the AES-CFB8 algorithm being used with a zero IV:

"In order to use AES-CFB8 securely, a random initialization vector (IV) needs to be generated for every plaintext to be encrypted using the same key. However, the ComputeNetlogonCredential function sets the IV to a fixed value of 16 zero bytes. This results in a cryptographic flaw in which encryption of 8 bytes of zeros could yield a ciphertext of zeros with a probability of 1 in 256. Another implementation issue that allows this attack is that unencrypted Netlogon sessions aren't rejected by servers (by default). The combination of these two flaws could allow an attacker to completely compromise the authentication, and thus to impersonate a server of their choice."
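The AES-CFB8 zero-IV weakness that the Zerologon exploit relies on, worked through in code. This is an added example, not code from the original write-up or from the CrowdStrike post: it implements CFB8 by hand and shows that, with the fixed all-zero IV and an all-zero 8-byte client challenge, roughly one session key in 256 produces an all-zero credential, while a fresh random IV would make that essentially impossible. Each Netlogon attempt gets a fresh server challenge and therefore a fresh session key, which the loop models by deriving a new key per trial. AES is used when the `cryptography` package is installed; otherwise a SHA-256 based keyed stand-in is substituted (an assumption made for portability, clearly not AES, and enough because the argument only needs the block function to look random).

```python
"""Why Zerologon works: AES-CFB8 with a fixed all-zero IV (added example)."""
import hashlib

try:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def block_encrypt(key: bytes, block: bytes) -> bytes:
        """One raw AES-128 block encryption (single-block ECB)."""
        enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
        return enc.update(block) + enc.finalize()
except ImportError:  # stand-in keyed PRF, NOT AES: SHA-256(key || block)[:16]
    def block_encrypt(key: bytes, block: bytes) -> bytes:
        return hashlib.sha256(key + block).digest()[:16]


def cfb8_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB8 as ComputeNetlogonCredential uses it: encrypt the 16-byte shift
    register, XOR the first output byte into one plaintext byte, then shift
    the resulting ciphertext byte into the register."""
    register = bytearray(iv)
    out = bytearray()
    for p in plaintext:
        c = block_encrypt(key, bytes(register))[0] ^ p
        out.append(c)
        register = register[1:] + bytes([c])
    return bytes(out)


ZERO_IV = bytes(16)          # the fixed IV Netlogon uses
ZERO_CHALLENGE = bytes(8)    # the all-zero ClientChallenge the exploit sends


def zero_ciphertext_fraction(trials: int, fixed_zero_iv: bool = True) -> float:
    """Fraction of trials where eight zero bytes encrypt to eight zero bytes.
    Keys (and, when requested, IVs) are derived deterministically from the
    trial number; these are constructed values, not real session keys."""
    hits = 0
    for i in range(trials):
        key = hashlib.sha256(b"trial-key-%d" % i).digest()[:16]
        iv = ZERO_IV if fixed_zero_iv else hashlib.sha256(b"iv-%d" % i).digest()[:16]
        if cfb8_encrypt(key, iv, ZERO_CHALLENGE) == ZERO_CHALLENGE:
            hits += 1
    return hits / trials


def first_byte_decides(key: bytes) -> bool:
    """With a zero IV and zero plaintext the whole output is zero exactly when
    the first byte of E_k(0^16) is zero: a zero ciphertext byte shifted into an
    all-zero register leaves it all-zero, so every later byte repeats it."""
    all_zero = cfb8_encrypt(key, ZERO_IV, ZERO_CHALLENGE) == ZERO_CHALLENGE
    return all_zero == (block_encrypt(key, ZERO_IV)[0] == 0)


if __name__ == "__main__":
    print("zero IV:  ", zero_ciphertext_fraction(4096))   # about 1/256
    print("random IV:", zero_ciphertext_fraction(4096, fixed_zero_iv=False))  # 0
```

The first number is the brute-force budget the exploit needs (on average a few hundred NetrServerAuthenticate attempts); the second shows that the fix is entirely in the IV, since with a random IV all eight register states would each have to encrypt to a leading zero byte.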
As we can see in the network captures, a brute-force attack was performed in order to spoof the identity of the domain controller. After the end of the brute-force traffic, we can see a single instance where the exploit completed successfully. After being successfully authenticated, the DC password was set.

Three milliseconds after the Zerologon exploit, an event 4742 "A computer account was changed." was generated on the targeted Domain Controller. The PasswordLastSet field is equal to the TimeCreated field, meaning that the password of the domain controller was successfully updated. We can also see that the SubjectUserName is ANONYMOUS LOGON.
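The 4742 indicators this write-up points at (PasswordLastSet equal to TimeCreated, a SubjectUserName of ANONYMOUS LOGON, and a computer account as the target), turned into detection logic and run over constructed sample events. This is an added example, not code from the original report. The JSON-lines layout and the field names are an assumption modelled on the EventData names of event 4742 rather than any particular SIEM schema, and the PasswordLastSet strings are assumed to be UTC; on a real DC that field is rendered in the DC's locale and local time zone and has to be normalised first.

```python
"""Flag a Zerologon-style DC machine-account password reset from event 4742
(added example; field layout and sample events are constructed)."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample events, not real telemetry: a routine self-rotation of the
# DC's machine password, an unrelated computer-account change by an admin, and
# one event showing the Zerologon pattern.
SAMPLE_EVENTS = """\
{"TimeCreated": "2021-10-20T09:46:03.123Z", "EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "DC01$", "SubjectDomainName": "CORP", "TargetUserName": "DC01$", "PasswordLastSet": "10/20/2021 9:46:03 AM"}
{"TimeCreated": "2021-10-20T10:12:41.008Z", "EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "svc-admin", "SubjectDomainName": "CORP", "TargetUserName": "WS17$", "PasswordLastSet": "10/20/2021 1:00:00 AM"}
{"TimeCreated": "2021-10-20T10:31:17.411Z", "EventID": 4742, "Computer": "DC01.corp.local", "SubjectUserName": "ANONYMOUS LOGON", "SubjectDomainName": "NT AUTHORITY", "TargetUserName": "DC01$", "PasswordLastSet": "10/20/2021 10:31:17 AM"}
"""


def parse_time(value: str) -> datetime:
    """Accept ISO-8601 with a trailing Z (TimeCreated) or the 'M/D/YYYY H:MM:SS AM'
    rendering the 4742 message uses for PasswordLastSet. The latter is assumed
    to be UTC here (see the lead-in); real logs need the DC's time zone applied."""
    if value.endswith("Z"):
        return datetime.fromisoformat(value[:-1] + "+00:00")
    return datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p").replace(tzinfo=timezone.utc)


def is_zerologon_reset(event: dict, tolerance: timedelta = timedelta(seconds=1)) -> bool:
    """All three indicators must hold. PasswordLastSet == TimeCreated alone
    also fires on the normal 30-day machine password rotation; the anonymous
    subject is what separates the exploit from that."""
    if event.get("EventID") != 4742:
        return False
    if not event.get("TargetUserName", "").endswith("$"):      # computer account
        return False
    if event.get("SubjectUserName", "").upper() != "ANONYMOUS LOGON":
        return False
    created = parse_time(event["TimeCreated"])
    last_set = parse_time(event["PasswordLastSet"])
    # PasswordLastSet has second granularity, TimeCreated sub-second: allow 1 s.
    return abs(created - last_set) <= tolerance


def find_zerologon_resets(jsonl: str) -> list:
    """Run the rule over JSON-lines events and return the matches, noting
    whether the DC reset its own account (the Zerologon case) or another one."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if is_zerologon_reset(ev):
            dc_short = ev["Computer"].split(".")[0].lower()
            findings.append({
                "time": ev["TimeCreated"],
                "dc": ev["Computer"],
                "target": ev["TargetUserName"],
                "self_reset": ev["TargetUserName"].rstrip("$").lower() == dc_short,
            })
    return findings


if __name__ == "__main__":
    for hit in find_zerologon_resets(SAMPLE_EVENTS):
        print(hit)
```

Only the third event matches: the first is the DC rotating its own password (same timestamp equality, but the subject is the machine account itself), and the second changes a workstation account long after its PasswordLastSet.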
A connection was performed from the beachhead to the Domain Controller using the DC account. After authenticating to the DC with the DC account, the threat actors dumped the Domain Admin hash, and then reset the DC password in order to unbreak the Active Directory domain. The explorer shell was also restarted by the threat actor.

The threat actor obtained the NTLM hash value of the administrator account through the Zerologon exploit and used over-pass-the-hash to request a TGT from the domain controller. We have seen the use of over-pass-the-hash several times before; for example, our Cobalt Strike Defender Guide covers detection of this technique in more detail. Soon after, a TGT for the administrator account was requested.

Discovery

QBot initially starts a number of processes to collect information about the affected system. This is part of the "SYSTEM INFO" bot request, as described in a recent article from SecureList.

Later, more discovery commands were executed via the Cobalt Strike beacon, which gathered information about the Active Directory environment. ADFind (renamed to find.exe) was used to enumerate computers:

```
C:\redacted\find.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName
```

On the Domain Controller, the threat actors gathered information about the installed security software through WMI:

```
C:\Windows\system32\cmd.exe /C wmic /namespace:\\root\SecurityCenter2 PATH AntiSpywareProduct GET /value
C:\Windows\system32\cmd.exe /C wmic /namespace:\\root\SecurityCenter2 PATH AntiVirusProduct GET /value
C:\Windows\system32\cmd.exe /C wmic /namespace:\\root\SecurityCenter2 PATH FirewallProduct GET /value
```

Lateral Movement

Ping was used to verify machines were online:

```
ping -n 1
```

Command and Control

The Cobalt Strike beacon configuration set runonce.exe as the x64 spawn-to process:

```
"Spawn To x64": "%windir%\\sysnative\\runonce.exe",
```

Collection and Exfiltration

The threat actors were most interested in files concerning financial statements, ransomware reports, and salary data. While the threat actors were active in the environment, we received 3 different alerts stating that someone had opened canary documents from the IP address 91.193.182.165. These alerts tell us that data was indeed exfiltrated from the environment.

Indicators

Network: 5.255.98.144:8080 / dxabtcom
File (initial execution): QBot DLL