Threat actors have a variety of tools and techniques at their disposal for cyber attacks, including malware-as-a-service, open-source tools, red team or admin tools. There are also legitimate tools that can be dangerous when used by attackers. Trusted applications and signed binaries can allow attackers to execute code stealthily and with high privileges, potentially going undetected by untrained eyes.
Detecting the use of legitimate applications by attackers without triggering false alarms is a challenge. Since these applications are commonly used by system and endpoint users, it can be difficult to differentiate between legitimate and malicious use.
However, there are solutions. As a SOC analyst, you need to understand how attackers use trusted tools and identify effective detection methods to alert when attackers leverage legitimate tools.
This blog will showcase examples of legitimate Windows applications exploited by threat actors in real attacks. For each tool, we will explain how SOC analysts can detect and identify their use by attackers, along with providing basic detection rules that can be adapted to your organization’s log source and SIEM platform.
On March 16th, we will host a livestream demonstrating these techniques and live examples. Follow us on Twitch to receive notifications when the livestream begins.
Technique Name: PsExec
Analysis
PsExec is a command-line utility used to execute processes on remote systems and redirect console application output. Although designed for administrators, PsExec has been utilized by malicious actors. PsExec connects to remote computers over SMB ports 445 (TCP) or 139 (UDP) and facilitates data transfer between the remote machine and the PsExec process. Notable attacks like NotPetya and APT29 (Cozy Bear) have leveraged PsExec for lateral network movement.
How to Detect
To detect PsExec, monitoring the creation of a new service is vital. A Sigma rule can be implemented to alert on Event ID 7045 when a service named PSEXESVC is created. Additionally, detecting the creation of named pipes like \PSEXESVC-<computer_name>-<random_digits>-<stdin|stdout|stderr> can indicate PsExec usage.
If PsExec is commonly used in your organization, a rule for detecting malicious variants or renamed versions of PsExec should be considered. The provided Sigma rule examples can assist in detecting PsExec usage in your environment.
Technique Name: MSHTA
Analysis
mshta.exe is a Windows-native binary that executes VBScript or JavaScript embedded within Microsoft HTML Application (HTA) files. Attackers can use this legitimate and signed binary to execute remote code while bypassing browser security settings.
Attackers leverage mshta by invoking it through files such as lnk files, and the malicious payload is executed using inline command line arguments or files stored on a remote server. For example, Operation Cobalt Kitty (APT 32) used mshta to execute Cobalt Strike beacons for reconnaissance and download further payloads. Another example is Agen Tesla, which uses decoy documents containing VBA macros that call mshta to download the first stage of the attack and create scheduled tasks to download and execute malware versions using mshta. The BabyShark malware, associated with North Korean threat actors, uses mshta in the first stage of the attack to download an HTA file from a remote server and execute further commands from a command and control server.
To detect the usage of mshta by threat actors, monitoring and alerting upon its execution by suspicious processes and the execution of suspicious processes by mshta is crucial. Attackers may rename the binary to avoid detection, so monitoring changes in system utilities’ paths or names is recommended. Additionally, looking for suspicious command line arguments containing keywords such as ‘javascript’, ‘*.hta’, ‘vbscript’, ‘http’, or ‘https’ in mshta executions can help identify malicious activity.
Another technique called Squiblydoo involves using Regsvr32 to load and execute COM scriptlets from a remote server. This technique is stealthy as it bypasses application control and allow-lists, executing code under user permissions by Regsvr32. Leviathan and APT19 are examples of threat actors using Squiblydoo to execute malicious DLLs and bypass whitelisting to execute arbitrary code on victims’ machines.
To detect Squiblydoo, monitoring for suspicious combinations of Regsvr32 command line arguments such as ‘/s’ for silent execution and ‘/i’ to pass commands to DllInstall can be effective. Additionally, looking for the use of ‘scrobj.dll’ to execute COM scriptlets can help identify malicious activity. To identify suspicious process executions, we have created the Sigma rule below that alerts upon detecting suspicious parent processes:
“`yaml
title: detect Squiblydoo
logsource:
product: windows
category: process_creation
detection:
selection:
Image|endswith: ‘\regsvr32.exe’
CommandLine|contains|all:
– ‘/i:’
– ‘/s’
CommandLine|contains:
– ‘http’
– ‘https’
– ‘ftp’
CommandLine|endswith: ‘scrobj.dll’
condition: selection
“`
To determine if a scriptlet file implements the Squiblydoo technique, you can use [this YARA rule](https://github.com/mikesxrs/Open-Source-YARA-rules/blob/master/RSA/Squiblydoo.yar) to detect files that may potentially use this technique.
### Technique Name: Windows Management Instrumentation (WMI)
#### Analysis
Windows Management Instrumentation (WMI) is an interface that allows programs or scripts to perform operations or manage data on a Windows operating system. Threat actors often leverage WMI to execute behaviors for information gathering, executing payloads, and lateral movement.
#### Real-Life Example
The Iranian threat group Oilrig has extensively used WMI in their OopsIE malware for virtual machine and sandbox detection. They gather information on hardware components and environmental factors to identify virtual environments.
#### How to Detect
Malware can utilize the WMIC utility to interact with WMI. By analyzing process trees in a sandboxed environment, you can identify malicious activities involving WMI. Additionally, YARA rules can be used to detect suspicious WMI queries or calls in scripts or malware. Check for strings that indicate virtual machine detection or other unwanted behavior.
### Technique Name: UAC Bypasses using fodhelper.exe
#### Analysis
User Account Control (UAC) restricts application privileges to prevent unauthorized access. Fodhelper.exe, when used to change language settings, can be abused to bypass UAC by creating missing registry keys and executing code with elevated privileges.
#### Real-Life Example
The Klingon RAT is an advanced RAT that uses UAC bypass techniques, including the abuse of fodhelper.exe, to gain elevated privileges for financial gain.
#### How to Detect
Monitor the registry for the creation of the key `HKCU:\Software\Classes\ms-settings\shell\open\command` by fodhelper.exe. Attacks using this technique will create and modify this key. Tools like Sysmon can help monitor registry changes and alert on suspicious activities involving fodhelper.exe. If you opt for the latter choice, you can access the logs in the Event log under Event Log → Applications and Services → Microsoft → Windows → Sysmon.
The event of creating a new registry key HKCU:\Software\Classes\ms-settings\shell\open\command will be displayed as shown in the image below.
To set up a Sigma rule to identify the creation of this specific key and any potential changes in its value, use the Sigma rule provided below. Ensure that your log configuration is updated if you are not using sysmon in your environment. This rule uses Event ID 12 and 13 to identify the creation of a key and the setting of a value.
Bonus Technique: UAC bypasses using Event Viewer
Another method to bypass UAC involves exploiting a vulnerability in the execution of Event Viewer (eventvwr.exe) discovered by Matt Nelson. This flaw was fixed by Windows in build 15007 in 2017. Make sure your systems are patched and up to date.
Event Viewer allows users to view information and logs about executed processes on the host or remote endpoint, running with administrator privileges. When Event Viewer is launched, it searches for and executes mmc.exe (Microsoft Management Console) to access objects from the Control Panel. This binary is located in two registry locations:
– HKCU\Software\Classes\mscfile\shell\open\command on Windows 7 or HKCU\Software\Classes\ms-settings\shell\open\command on Windows 10
– HKCR\mscfile\shell\open\command
By creating the missing registry location in the first path, attackers can bypass UAC and execute a process with administrator rights.
To detect this method when used by threat actors, utilize the provided Sigma rule.
Conclusions on How to Detect Attackers Using Legitimate Applications
Legitimate applications can be powerful tools in the hands of attackers, enabling them to bypass security measures, evade detection, and run arbitrary code on endpoints. Detecting when these applications are abused by attackers versus normal usage is challenging.
The solution involves awareness of how trusted applications can be exploited by attackers and implementing carefully crafted SIEM rules to trigger alerts when legitimate applications are misused.
Learn more about how Intezer investigates and mitigates cyber attacks using legitimate applications by booking a demo with them. The sentence needs to be provided in order to rewrite it. Please provide the sentence you would like me to rewrite.
