1/20/2024 0 Comments Log4j cobalt strike![]() ![]() An example of such a machine is one that we labeled Endpoint-3. Searching the IOCs in the Vision One search app revealed several other machines related to this case, as shown in Figure 1. Detections that occurred around the time the alert occurred (commonly used time range is Last 7 days).Compromised accounts used for lateral movement and are transferred files via SMB.Possible command and control (C&C) connections.Suspicious behavior, such as excel.exe spawning rundll32.exe or mobsync.exe spawning cmd.exe.Filename and hashes of the detected files.This search was based on the following indicators: With all the findings from Endpoint-1 and Endpoint-2, we were able to observe for TTPs and create an IOC list that we can search across all the machines reporting to Vision One. This sequence of processes in the execution profile implies that the file was transferred via SMB, evidence of lateral movement which was stopped due to the detection. Vision One’s Execution Profile for the file shows ntoskrnl.exe executing 49c4b8e.exe. The event logs also showed a related entry for the PtH technique stating, “Found 4624 event logs with seclogo as process for ENDPOINT-1-USER.” If there are recent logins of high privilege accounts in the machine, then the password hash of these logins can be extracted by attackers to perform lateral movement to other networked systems. With Vision One and the Trend Micro Investigation Toolkit (TMIK), we were able to identify potential Pass-the-Hash (PtH) attacks that extracts the password hash from the memory and then simply passes it through for authentication. Bloodhound and ADfind.exe in the logs of Endpoint-1 These tools can be used to extract information from the Active Directory.Ĭ:\WINDOWS\system32\cmd.exe /C del 20210526145501_BloodHound.zip YmNhMTJiMzAtYTgxZi00ZWRmLWE2ZjctZTc3MDFiZGM2ODBj.binĬ:\WINDOWS\system32\cmd.exe /C AdFind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName >. We also identified Bloodhound and ADfind.exe hacking tools deployed in Endpoint-1. A list of the commands executed by mobsync.exe ![]() Nslookup -querytype=ALL -timeout=10 _ldap._tcp.dc._msdcs.Ĭ:\WINDOWS\system32\ping.exe -t 127.0.0.1Įsentutl.exe /r V01 /l”C:\Users\\AppData\Local\Microsoft\Windows\WebCache” /s”C:\Users\\AppData\Local\Microsoft\Windows\WebCache” /d”C:\Users\\AppData\Local\Microsoft\Windows\WebCache”Ĭ:\WINDOWS\system32\cmd.exe /C ping It also executed discovery/internal reconnaissance commands and spawned additional mobsync.exe processes, as shown in Table 1. It attempts a connection to the following IP addresses: We summarize the activities done by this injected tool. Going back to mobsync.exe revealed several other events, as shown in Figure 5. Figure 1 maps out the Cobalt Strike activity that we tracked it also indicates where we started, at Endpoint-1. These steps allowed us to retrace the actions taken by the variant from a single endpoint and revealing the full extent and its origins. Checking detections that occurred around the time range of the alerts.Collecting additional logs from the endpoint to correlate events. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |