threat-analysis

Analysis of Cyber Threat Actor Intrusion in an Architecture and Engineering Company

DeepSeas analysts identified an unspecified cyber threat actor conducting post-compromise activities in a company within the Architecture and Engineering industry. The targeted system was a domain controller that did not have an EDR agent installed. The DeepSeas SOC detected the creation of a file on an adjacent system that did have an EDR agent and successfully contained the intrusion. Most of the malicious commands were executed on four separate devices, three of those being domain controllers (DC1, DC2, DC3), with the fourth device being a backup file server.

Once the attacker accessed the network, they began actively scanning for open ports. After obtaining access to DC1, the attacker tried and failed to install RemCom, executed multiple commands in quiet mode to establish a new admin account, connected to a Cobalt Strike C2 server, and finally, copied system configurations and dumped credentials for exfiltration. The DeepSeas cyber threat intelligence  team provided a detailed description of this attack in the following sections, as well as a graphical representation of the attack.

Active Scanning

It is unclear how the attacker initially penetrated the network. The earliest indication of malicious activity on the network occurred when the attacker accessed a network device and executed a script which enumerated connected devices. The attacker’s script scanned a variety of devices on the network and discovered RDP, RCP, Kerberos, Veeam Deployment, and MSSQL open ports.

Failed RemCom Installation and System Reconnaissance

After scanning was complete, the attacker pivoted to their primary target, DC1. The attacker enumerated running processes and output them to a file in the %TEMP folder. They then attempted to invoke the application nmcmshug.exe, but execution was denied by company policy as this application is on the company’s blacklist. Analysis of nmcmshug.exe identified the binary as a copy of RemCom, a Remote Command (RAT) tool which enables an attacker to execute arbitrary commands on a compromised system.[i] When the RemCom installation failed, the attacker then listed local user accounts, retrieved information about user groups and domains they belong to, and redirected the output to a file in the %TEMP folder. The attacker utilized the quiet (-q) and /Q arguments so the commands were executed without printing characters to the console. The attacker also set up the Windows Remote Management (WinRM) service in quiet mode, hiding user prompts and on-screen messages.

Privilege Escalation

Following system reconnaissance and the failed attempt to install RemCom, the attacker created a new user account and added it to the administrator’s group. They then utilized the “reg” command to hide the new user from the login screen to evade detection. This is a well-known tactic for attackers of all levels of capability. Almost all the commands to establish a new user account were executed with the quiet and /Q arguments.[ii]

Cobalt Strike Server Connection and Lateral Movement

After creating a new administrator-level account and hiding it from the login screen, the attacker utilized PowerShell to connect to a remote server at 23.227.198.235, and very likely downloaded a payload from a URL (hxxp://23.227.198.235:8099/). This IP was previously identified by DeepSeas analysts as a Cobalt Strike command and control (C2) server in October 2022.[iii] This action was not blocked by security policy. DeepSeas was not able to confirm the installation of the Cobalt Strike payload with the customer as these devices were quickly decommissioned after incident disclosure.

The use of Cobalt Strike is not surprising in an intrusion like this, given the popularity of this toolkit among malicious actors. Cobalt Strike is designed to simulate advanced threat actors, with features including but not limited to various forms of command and control (C2) communication, keystroke logging, data exfiltration, and many other features. It also provides a flexible framework for developing custom attacks and payloads. Additionally, Cobalt Strike offers a user-friendly interface, making it a popular choice for both experienced and inexperienced attackers alike. Its popularity also means that there is a large community of users who share tactics, techniques, and procedures (TTPs) and technical support.

After connecting to the Cobalt Strike C2 server, the attacker opened a file on the desktop, “(customer name)_local_dns_export.txt.”. The attacker then ran a series of commands to view domain admins, enterprise admins, local users, and domain controllers in the domain to likely record to the text document for export. The attacker then copied the contents of Windows Registry “HKLM\SYSTEM,” “HKLM\SAM,” and “HKLM\SECURITY” keys to a local file that was set to be deleted after use. These registry keys contain important information about the system’s configuration, user accounts, and security policies that can be useful to an attacker in various ways.

  • “HKLM\SYSTEM”: Attackers can use this information to identify vulnerabilities, find unpatched software or services, and determine which exploits or malware may be effective against the system.
  • “HKLM\SAM”: If an attacker can access this key, they can extract password hashes for all local user accounts, which can be cracked and used to gain unauthorized access to the system.
  • “HKLM\SECURITY”: Attackers can use this information to identify privileged accounts or groups, escalate their privileges, or bypass access controls.

After copying the contents of the registry keys, the attacker shifted focus to identifying the users logged into DC2. The attacker viewed the task list and created a file named “35da7a1.exe” in the “admin$” directory of DC2. Here, the attacker was likely continuing to collect information about the environment and staging collections for follow on activities.

Lsass, SqlDumper, WDigest, and Mimikatz

Then, the attacker executed a series of commands using the rundll32.exe utility and the MiniDump function of the legitimate comsvcs.dll binary to generate a full dump of the Lsass process and save it to c:\windows\temp\lsass.dmp. They then used SQLDumper.exe to convert the dump and save the result to c:\windows\temp\atplogs.csv. SQLdumper is a debugging utility popular with red teams and attackers as an alternative means to create a LSASS dump file. Without the proper protections in place, this technique could go unnoticed by security solutions because the utility uses a signed Microsoft binary.[iv][v][vi]

The attacker then attempted to cover their tracks by deleting the account, “admin$” using the net user command. They also performed several ping tests to check the connectivity to different domains and IP addresses. They were then observed executing more commands to gather information about the system and specific users, and  executing commands to rename and delete log files. Fifteen minutes after renaming and deleting log files, a registry key was added to enable the logging of credentials in WDigest in plaintext. Lastly, the attacker then forced a refresh of Group Policy to apply the change.[vii]

The last command executed by the attacker ran Mimikatz to dump credentials stored in the cache of the local security authority (LSA) on the backup file server. The attacker executed more commands attempting to collect information about specific user accounts and trust relationships in Active Directory on DC1 before being detected, at which point the DeepSeas SOC alerted the customer.

Quarantine

The DeepSeas SOC alerted the organization immediately upon receiving the initial alert, who quarantined all four infected devices. The attacker had access to three separate domain controllers, giving them the opportunity to compromise the entire network. In remediation of the intrusion, DeepSeas analysts quickly thwarted the attacker’s attempt at a more in-depth and serious intrusion. The attacker demonstrated their expertise in identifying and pivoting to systems that would give them access to the entire environment. Without timely notification, the impact of the attack could have been much greater. Although the motivation of the attacker was not known, it is likely that this activity was a precursor to ransomware activity and the exfiltration of sensitive data. This incident highlights the importance of timely detection and response in defending against sophisticated attackers who can pivot rapidly through a network.

DeepSeas recommends the following for preventing against these kinds of attacks:

  • Use multi-factor authentication: Implementing multi-factor authentication can help prevent attackers from accessing systems and applications with stolen credentials.
  • Harden domain controllers: Domain controllers are a critical component of Windows Active Directory environments, and as such, they should be hardened and properly configured. Best practices include restricting access to domain controllers, implementing strong passwords, and regularly monitoring for suspicious activity.
  • Use security solutions: Companies should use security solutions such as firewalls, intrusion detection and prevention systems, and endpoint protection software to help prevent and detect attacks.

Citations

[i] https://www.virustotal.com/gui/file/3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
[ii] https://twitter.com/malmoeb/status/1496875024254640129
[iii] https://www.virustotal.com/gui/ip-address/23.227.198.235/community
[iv] https://lolbas-project.github.io/lolbas/OtherMSBinaries/Sqldumper/
[v] https://twitter.com/countuponsec/status/910969424215232518
[vi] https://learn.microsoft.com/en-US/troubleshoot/sql/tools/use-sqldumper-generate-dump-file
[vii] https://www.ired.team/offensive-security/credential-access-and-credential-dumping/forcing-wdigest-to-store-credentials-in-plaintext