SQL Brute Force Leads to BlueSky Ransomware

In December 2022, we observed an intrusion on a public-facing MSSQL Server, which resulted in BlueSky ransomware. First discovered in June 2022, BlueSky ransomware has code links to Conti and Babuk ransomware.

While other reports point to malware downloads as initial access, in this report the threat actors gained access via an MSSQL brute force attack. They then leveraged Cobalt Strike and Tor2Mine for post-exploitation activity. Within one hour of accessing the network, the threat actors deployed BlueSky ransomware network wide.

Case Summary

In the month of December 2022, we observed a cluster of activity targeting MSSQL servers. The activity started with brute force password attempts for the MS SQL “sa” (System Administrator) account on an internet facing server. Upon successfully discovering the password, the threat actors enabled “xp_cmdshell” on the SQL server. The “xp_cmdshell” allows users with sysadmin privilege to execute shell commands on the host.

Using “xp_cmdshell” the threat actors first executed a PowerShell command on the SQL server. The command contained base64 encoded content, which, upon execution, established a connection to a Cobalt Strike command and control server. This activity was immediately followed by injection into the legitimate process winlogon. The injected process then spawned PowerShell and cmd to perform SMB scans and discovery using SMBexec.

The PowerShell session was then seen connecting to a Tor2Mine stager server. This was followed by execution of a PowerShell script that performed a variety of operations, such as checking the privileges of the active user, disabling AV solutions, and dropping a miner payload named java.exe. Tor2Mine is a Monero-mining campaign based on XMRigCC. Depending on the privileges of the user, the script also creates scheduled tasks and Windows services to maintain persistence on the host.

Around 15 minutes after initial access, the threat actors moved laterally toward domain controllers and file shares using remote service creation. These services executed the same PowerShell commands seen on the beachhead, which downloaded and executed the Tor2Mine malware. Upon establishing access to one of the domain controllers, the threat actors performed activity similar to that observed on the beachhead.

Roughly 30 minutes after initial access, the BlueSky ransomware binary was dropped and executed on the beachhead. The execution worked as intended and the ransomware spread to all devices in the network over SMB. The time to ransomware in this case was 32 minutes.

Threat Actor Profile:

Cobalt Strike

The Cobalt Strike server observed in this intrusion was first seen on December 16th 2022 and remained active through January 17th 2023. We saw the server return for a second time frame from April 6th 2023 through April 15th 2023. This data was provided via the Threat Intel tracking services of The DFIR Report.


Tor2Mine

The PowerShell scripts involved in this case as well as infrastructure for the Tor2Mine server were observed being reused in May 2023 with the PaperCut NG CVE-2023-27350 exploit as the initial access source. In that intrusion no ransomware was observed. The linked case data is available for All Intel subscribers in event 21132 (c39d59d8-8bae-49f5-8b29-de5c13b61899).

Services

We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, Sliver, BianLian, Metasploit, Empire, Havoc, etc. More information on this service can be found here.

Our All Intel service includes private reports, exploit events, long term infrastructure tracking, clustering, C2 configs, and other curated intel.

We’ll be launching a private ruleset soon; if you’d like to get in at a discounted rate for the beta, please Contact Us.

If you are interested in hearing more about our services, or would like to talk about a free trial, please reach out using the Contact Us page. We look forward to hearing from you.

Analysts

Analysis and reporting completed by @yatinwad

Initial Access

The initial access occurred via a brute-force attack, where the threat actors mainly targeted the System Admin (“sa”) account.

During the intrusion, we observed over 10,000 failed attempts before successful login.

SQL Server event ID 18456 failure audit events in the Windows Application log:


Successful Login:


Execution

In the next attack stage, the threat actors established a command shell via the extended stored procedure xp_cmdshell, which lets a login with sysadmin rights issue operating system commands directly to the Windows command shell. To do this they enabled the feature in the MSSQL configuration:

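The brute-force pattern described under Initial Access (a flood of 18456 failures followed by a successful login) and the xp_cmdshell enablement described here can be chained into a single detection over the Application log. The following Python is an added example, not code from the report or from The DFIR Report; the events are constructed, and it assumes the log has already been parsed into (timestamp, event id, message) tuples. Event IDs 18456, 18454 and 15457 are the real SQL Server messages for a failed login, a successful SQL-authenticated login and a configuration option change.

```python
"""Chain MSSQL Application-log events into one alert: a flood of failed
logins (18456) from one client, then a success (18454) from the same client,
then xp_cmdshell being enabled (15457) shortly after.
Added example with constructed events; not the case's real log data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

FAIL, SUCCESS, CONFIG_CHANGE = 18456, 18454, 15457   # real SQL Server event IDs
CLIENT_RE = re.compile(r"\[CLIENT: ([\d.]+)\]")
USER_RE = re.compile(r"user '([^']+)'")


def sample_events():
    """Constructed (timestamp, event_id, message) tuples mimicking the
    Application log entries SQL Server writes. Client IPs are documentation
    addresses, not indicators from the case."""
    t0 = datetime(2022, 12, 17, 3, 0, 0)
    events = []
    for i in range(40):  # password guessing against 'sa' from one source
        events.append((t0 + timedelta(seconds=i), FAIL,
                       "Login failed for user 'sa'. Reason: Password did not match "
                       "that for the login provided. [CLIENT: 203.0.113.10]"))
    events.append((t0 + timedelta(seconds=41), SUCCESS,
                   "Login succeeded for user 'sa'. Connection made using SQL "
                   "Server authentication. [CLIENT: 203.0.113.10]"))
    events.append((t0 + timedelta(seconds=50), CONFIG_CHANGE,
                   "Configuration option 'xp_cmdshell' changed from 0 to 1. "
                   "Run the RECONFIGURE statement to install."))
    events.append((t0 + timedelta(minutes=5), SUCCESS,   # benign login
                   "Login succeeded for user 'app_svc'. Connection made using "
                   "SQL Server authentication. [CLIENT: 10.0.0.5]"))
    return events


def analyze(events, fail_threshold=20, window=timedelta(minutes=10),
            followup=timedelta(minutes=30)):
    """Return a list of (alert, client, detail) tuples in event order."""
    recent_fails = defaultdict(list)     # client -> failure timestamps in window
    last_bruteforced_login = None        # (timestamp, client) of a flagged success
    alerts = []
    for ts, event_id, msg in sorted(events):
        m = CLIENT_RE.search(msg)
        client = m.group(1) if m else "unknown"
        u = USER_RE.search(msg)
        user = u.group(1) if u else "unknown"
        if event_id == FAIL:
            q = recent_fails[client]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.pop(0)
        elif event_id == SUCCESS:
            n = len(recent_fails[client])
            if n >= fail_threshold:
                alerts.append(("brute_force_success", client,
                               f"{user} after {n} failures"))
                last_bruteforced_login = (ts, client)
        elif event_id == CONFIG_CHANGE and "'xp_cmdshell' changed from 0 to 1" in msg:
            # 15457 carries no client address, so tie it to the flagged login by time
            if last_bruteforced_login and ts - last_bruteforced_login[0] <= followup:
                alerts.append(("xp_cmdshell_after_brute_force",
                               last_bruteforced_login[1], msg))
            else:
                alerts.append(("xp_cmdshell_enabled", "n/a", msg))
    return alerts


if __name__ == "__main__":
    for alert in analyze(sample_events()):
        print(alert)
```

The thresholds are deliberately low so the constructed sample trips them; the case itself saw over 10,000 failures before the successful login.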

The threat actor then executed a Cobalt Strike beacon and a PowerShell script that has previously been identified by Sophos as used in campaigns to deploy Tor2Mine malware.

The overall execution events are depicted in the below diagram:


The first PowerShell script executed a command to download a Cobalt Strike beacon.


This was followed by a second PowerShell execution for:


A connection was then established with the following Tor2Mine server and URIs:


Tor2Mine uses a PowerShell script, checking.ps1, to perform a variety of operations. In its first few lines the script sets two variables, $priv and $osver, to record whether the active user is an administrator and which operating system version is running.


It then attempts to pull down an additional script named kallen.ps1, a PowerShell version of mimikatz, from the Tor2Mine server.


It also contains a function named “StopAV”, which tries to disable antivirus solutions: in this case, Malwarebytes, Sophos and Windows Defender.


Depending upon the value of the $priv variable, the script takes one of two routes: privileged, “PrivTrue()”, or non-privileged, “PrivFalse()”.

If the user is privileged, the script first checks the OS architecture, then downloads the appropriate version of the miner (in our case, x64) and installs it as java.exe in the “C:\ProgramData\Oracle\Java” directory. It also installs a driver named WinRing0x64.sys.


The function also creates multiple scheduled tasks and services that reference the Tor2Mine miner java.exe, encoded PowerShell commands and .hta files hosted on Tor2Mine servers.


In the non-privileged function “PrivFalse()”, the script executes a batch script “PrivFalse.bat” through a scheduled task and also sets up the same scheduled tasks seen in the “PrivTrue()” function.


In the last section, a script named del.ps1 is downloaded and executed on the host as a scheduled task. The del.ps1 script has been explored further in the Defense Evasion section.


Depending upon the output of the $priv variable, the execution flow is as follows:


As the mimi function is commented out, we did not observe any artifacts related to the kallen.ps1 script.

Persistence

To establish persistence in the network, multiple scheduled tasks and Windows services were created on the beachhead and one of the domain controllers. They reference the files dropped on the compromised hosts and Tor2Mine servers.


Privilege Escalation

The threat actor was seen injecting code into legitimate process winlogon.exe via CreateRemoteThread which can be detected using Sysmon event ID 8.


During the intrusion the threat actor deployed the XMRig miner, which loaded the driver WinRing0. This driver assists the miner in its operations and has been shipped with XMRig since at least version 5.3.0.


Defense Evasion

Windows Defender real-time monitoring was disabled on the beachhead and on one of the domain controllers using the Set-MpPreference cmdlet.


The PowerShell script checking.ps1, described in the Execution section, contained other ways to disable AV, including registry modifications and service disabling.

A PowerShell script named del.ps1 attempts to terminate system utilities such as Process Explorer, Task Manager, Process Monitor, and Daphne Task Manager.


Through the script checking.ps1 the threat actor created 16 different tasks on the hosts where Tor2Mine was deployed. These tasks were named so as to blend in with the various Windows tasks already present on the hosts:

\Microsoft\Windows\MUI\LPupdate
\Microsoft\Windows\RamDiagnostic\Error Diagnostic
\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138
\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-433529325-2142214968-1138
\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization
\Microsoft\Windows\Registry\RegBackup
\Microsoft\Windows\DiskCleanup\SlientDefragDisks
\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.50319 Critical
\Microsoft\Windows\EDP\EDP App Update Cache
\Microsoft\Windows\EDP\EDP App Lock Task
\Microsoft\Windows\UPnP\UPnPClient Task
\Microsoft\Windows\UPnP\UPnPHost
\Microsoft\Windows\Shell\WinShell
\Microsoft\Windows\Shell\WindowsShellUpdate
\Microsoft\Windows\Bluetooth\UpdateDeviceTask
\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization
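Task names like these can be checked mechanically rather than by eye. The Python below is an added example, not code from the report: it flags paths under the \Microsoft\Windows\ namespace that are not on an allowlist of genuine built-in tasks, reports near misses (one-character edits of a real name) and rejects embedded SIDs whose revision is not 1. The allowlist is a small constructed sample of real built-in task paths; a deployment would export the full list from a clean reference host.

```python
"""Heuristics for scheduled-task names that imitate Microsoft's built-in
tasks. Added example; not code from the report. KNOWN_GOOD is a small
constructed sample of genuine task paths, not a complete inventory."""
import difflib
import re

KNOWN_GOOD = [
    r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319",
    r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319 Critical",
    r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
    r"\Microsoft\Windows\MUI\LPRemove",
    r"\Microsoft\Windows\Registry\RegIdleBackup",
    r"\Microsoft\Windows\UPnP\UPnPHostConfig",
    r"\Microsoft\Windows\Bluetooth\UninstallDeviceTask",
]
# A genuine SID is S-1-<authority>-<subauthorities>; the revision is always 1.
SID_RE = re.compile(r"S-(\d+)-\d+(?:-\d+)+")
MS_NAMESPACE = "\\Microsoft\\Windows\\"


def assess_task(name, known=KNOWN_GOOD):
    """Return the reasons a task path looks like a masquerade
    (empty list when it is an exact allowlisted built-in)."""
    if name in known:
        return []
    reasons = []
    for m in SID_RE.finditer(name):
        if m.group(1) != "1":
            reasons.append(f"malformed SID revision {m.group(1)}")
    if name.startswith(MS_NAMESPACE):
        # ratio >= 0.85 means the name differs from a real task by a few characters
        close = difflib.get_close_matches(name, known, n=1, cutoff=0.85)
        if close:
            reasons.append(f"near miss of built-in task {close[0]}")
        else:
            reasons.append("not a known built-in task under " + MS_NAMESPACE)
    return reasons


def suspicious_tasks(names):
    """Map each flagged task path to its reasons."""
    return {n: assess_task(n) for n in names if assess_task(n)}


# Three task paths taken from this case's list above plus one genuine task.
CASE_TASKS = [
    r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.50319 Critical",
    r"\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138",
    r"\Microsoft\Windows\DiskCleanup\SlientDefragDisks",
    r"\Microsoft\Windows\DiskCleanup\SilentCleanup",
]

if __name__ == "__main__":
    for path, why in suspicious_tasks(CASE_TASKS).items():
        print(path, "->", "; ".join(why))
```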

Credential Access

Tor2Mine was used to access the LSASS memory space; the access granted was 0x1010.

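The 0x1010 access mask is what Sysmon event ID 10 (ProcessAccess) reports in its GrantedAccess field, and it decodes to PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFORMATION, the minimum needed to read credential material out of LSASS. The Python below is an added example, not code from the report: it expands a GrantedAccess value into the winnt.h right names and rates a handle to lsass.exe by whether it allows memory access. The event is constructed; only the 0x1010 value is taken from the case.

```python
"""Decode the GrantedAccess mask of a Sysmon event ID 10 (ProcessAccess)
against lsass.exe and rate what the requesting process could do with it.
Added example, not code from the report; the event below is constructed
(the 0x1010 mask matches what this case reports)."""

# Process-specific access rights from winnt.h plus the standard rights.
PROCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x2000: "PROCESS_SET_LIMITED_INFORMATION",
    0x00010000: "DELETE",
    0x00020000: "READ_CONTROL",
    0x00040000: "WRITE_DAC",
    0x00080000: "WRITE_OWNER",
    0x00100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in PROCESS_RIGHTS:
    KNOWN_BITS |= _bit

# Rights that let a process read or tamper with another process's memory:
# enough to copy credential material out of LSASS.
MEMORY_RIGHTS = 0x0002 | 0x0008 | 0x0010 | 0x0020
# Rights that only ask LSASS about itself (exit code, image name, ...).
QUERY_RIGHTS = 0x0400 | 0x1000 | 0x00100000


def decode_access(mask):
    """Expand a GrantedAccess value into right names, lowest bit first."""
    names = [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]
    leftover = mask & ~KNOWN_BITS
    if leftover:
        names.append(f"UNKNOWN(0x{leftover:x})")
    return names


def rate_lsass_access(event):
    """event: dict with the Sysmon ID 10 fields SourceImage, TargetImage and
    GrantedAccess (hex string as Sysmon logs it). Returns (level, rights),
    or None when the target is not lsass.exe."""
    if not event["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(event["GrantedAccess"], 16)
    rights = decode_access(mask)
    if mask & MEMORY_RIGHTS:
        level = "high"      # can read or write LSASS memory: treat as credential access
    elif (mask & ~QUERY_RIGHTS) == 0:
        level = "low"       # query-only handle, common for inventory tooling
    else:
        level = "medium"
    return level, rights


# Constructed event shaped like this case: PowerShell opening lsass with 0x1010.
SAMPLE_EVENT = {
    "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "TargetImage": r"C:\Windows\system32\lsass.exe",
    "GrantedAccess": "0x1010",
}

if __name__ == "__main__":
    print(rate_lsass_access(SAMPLE_EVENT))
```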

On the beachhead, we observed the execution of credential dumping utility Invoke-PowerDump.


Discovery

During the course of the intrusion, we observed port discovery (port 445) activity from the beachhead. We attribute this to the invocation of the PowerShell command Invoke-SMBExec. This was likely executed as part of the Invoke-TheHash framework based on other PowerShell modules observed.


Looking at the traffic from a network perspective, we observed the activity making DCE/RPC calls to the svcctl endpoint over the named pipe \pipe\ntsvcs using the OpenSCManagerW operation.


This appeared to be how they profiled the network layout and remote hosts.

The threat actor was observed running whoami from the Tor2Mine PowerShell process on the beachhead.

"C:\Windows\system32\whoami.exe" /user

Lateral Movement

The threat actors moved laterally toward the domain controllers and file shares using remote service creation. The pattern “%COMSPEC% /C "cmd /c powershell.exe"” is associated with the Cobalt Strike “psexec_psh” jump module.


Decoding the command, we can see the same PowerShell download-and-execute observed on the beachhead. The hexadecimal value 0x53611451 corresponds to the IP address 83.97.20[.]81, which was the command and control server for the Tor2Mine malware.

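Windows URL handling accepts a single 32-bit number as a host, which is why hxxp://0x53611451/win/clocal resolves to 83.97.20.81 and slips past indicator matching on the dotted form. The Python below is an added example, not code from the report; it normalises hex, decimal, octal and mixed numeric hosts (inet_aton rules, where the last label fills the remaining bytes) back to a dotted quad so defanged URLs from a report can be compared against network logs.

```python
"""Normalise the numeric host spellings that Windows URL handling accepts,
such as the hxxp://0x53611451/win/clocal stager URL from this case, to a
dotted-quad IPv4 so they can be matched against indicators. Added example,
not code from the report."""
import ipaddress
from urllib.parse import urlsplit


def _label_to_int(label):
    """One dotted label: 0x.. is hex, a leading zero is octal, else decimal."""
    if label[:2].lower() == "0x":
        return int(label[2:], 16)
    if len(label) > 1 and label[0] == "0":
        return int(label, 8)
    return int(label, 10)


def numeric_host_to_ipv4(host):
    """Return 'a.b.c.d' for a numeric host of 1 to 4 labels (inet_aton rules:
    the final label fills all remaining bytes), or None if not numeric."""
    labels = host.split(".")
    if not 1 <= len(labels) <= 4:
        return None
    try:
        values = [_label_to_int(x) for x in labels]
    except ValueError:          # a normal hostname, or an empty label
        return None
    n = 0
    for v in values[:-1]:       # every label but the last is exactly one byte
        if not 0 <= v <= 255:
            return None
        n = (n << 8) | v
    tail_bytes = 4 - (len(values) - 1)
    if not 0 <= values[-1] < (1 << (8 * tail_bytes)):
        return None
    n = (n << (8 * tail_bytes)) | values[-1]
    return str(ipaddress.IPv4Address(n))


def normalise_url(url):
    """Return (ipv4 or None, path) for a defanged (hxxp) or plain URL."""
    parts = urlsplit(url.replace("hxxp", "http", 1))
    return numeric_host_to_ipv4(parts.hostname or ""), parts.path


if __name__ == "__main__":
    print(normalise_url("hxxp://0x53611451/win/clocal"))
```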

Command and Control

Tor2Mine Server:

{
   destination: {
     address: 83.97.20.81
     as: {
       number: 9009
       organization: {
         name: M247 Europe SRL
       }
     }
     geo: {
       city_name: Bucharest
       continent_name: Europe
       country_iso_code: RO
       country_name: Romania
       location: { ... }
       region_iso_code: RO-B
       region_name: Bucuresti
     }
     ip: 83.97.20.81
     port: 443
   }
   network.direction: outbound
   tls: {
     cipher: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
     client: {
       ja3: c12f54a3f91dc7bafd92cb59fe009a35
     }
     curve: x25519
     established: true
     resumed: false
     server: {
       ja3s: ec74a5c51106f0419184d0dd08fb05bc
     }
     version: 1.2
     version_protocol: tls
   }
}

Cobalt Strike C2:

IP Address: 5.188.86.237

Connection to the following URIs was observed:


Cobalt Strike Server Config:

{
    "beacontype": [
        "HTTPS"
    ],
    "sleeptime": 120000,
    "jitter": 12,
    "maxgetsize": 1398924,
    "spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
    "license_id": 1580103824,
    "cfg_caution": false,
    "kill_date": null,
    "server": {
        "hostname": "5.188.86.237",
        "port": 443,
        "publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnCZHWnYFqYB/6gJdkc4MPDTtBJ20nkEAd3tsY4tPKs8MV4yIjJb5CtlrbKHjzP1oD/1AQsj6EKlEMFIKtakLx5+VybrMYE+dDdkDteHmVX0AeFyw001FyQVlt1B+OSNPRscKI5sh1L/ZdwnrMy6S6nNbQ5N5hls6k2kgNO5nQ7QIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
    },
    "host_header": "",
    "useragent_header": null,
    "http-get": {
        "uri": "/functionalStatus/2JYbAmfY5gYNj7UrgAte5p1jXx2V",
        "verb": "GET",
        "client": {
            "headers": null,
            "metadata": null
        },
        "server": {
            "output": [
                "print",
                "append 8 characters",
                "append 8 characters",
                "append 10 characters",
                "append 6 characters",
                "append 11 characters",
                "append 33 characters",
                "append 69 characters",
                "append 55 characters",
                "append 67 characters",
                "append 27 characters",
                "append 15 characters",
                "append 25 characters",
                "append 32 characters",
                "append 72 characters",
                "prepend 16 characters",
                "prepend 17 characters",
                "prepend 11 characters",
                "prepend 31 characters",
                "prepend 80 characters",
                "prepend 60 characters",
                "prepend 54 characters",
                "prepend 69 characters",
                "prepend 38 characters",
                "prepend 8 characters",
                "base64url"
            ]
        }
    },
    "http-post": {
        "uri": "/rest/2/meetings2JYbAmfY5gYNj7UrgAte5p1jXx2V",
        "verb": "GET",
        "client": {
            "headers": null,
            "id": null,
            "output": null
        }
    },
    "tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "crypto_scheme": 0,
    "proxy": {
        "type": null,
        "username": null,
        "password": null,
        "behavior": "Use IE settings"
    },
    "http_post_chunk": 96,
    "uses_cookies": false,
    "post-ex": {
        "spawnto_x86": "%windir%\\syswow64\\auditpol.exe",
        "spawnto_x64": "%windir%\\sysnative\\auditpol.exe"
    },
    "process-inject": {
        "allocator": "NtMapViewOfSection",
        "execute": [
            "CreateThread 'ntdll.dll!RtlUserThreadStart'",
            "NtQueueApcThread-s",
            "SetThreadContext",
            "CreateRemoteThread",
            "CreateThread 'kernel32.dll!LoadLibraryA'",
            "RtlCreateUserThread"
        ],
        "min_alloc": 40263,
        "startrwx": true,
        "stub": "IiuPJ9vfuo3dVZ7son6mSA==",
        "transform-x86": [
            "prepend '\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'"
        ],
        "transform-x64": [
            "prepend '\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90'"
        ],
        "userwx": false
    },
    "dns-beacon": {
        "dns_idle": null,
        "dns_sleep": null,
        "maxdns": null,
        "beacon": null,
        "get_A": null,
        "get_AAAA": null,
        "get_TXT": null,
        "put_metadata": null,
        "put_output": null
    },
    "pipename": null,
    "smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
    "stage": {
        "cleanup": true
    },
    "ssh": {
        "hostname": null,
        "port": null,
        "username": null,
        "password": null,
        "privatekey": null
    }
}

Impact

The BlueSky ransomware binary, named vmware.exe, was dropped on the beachhead and, upon execution, resulted in network-wide ransomware. This was accomplished over SMB, with the ransomware connecting to hosts on port 445 to encrypt files.


The files were renamed with the file extension .bluesky and a ransom note file named # DECRYPT FILES BLUESKY #.txt was dropped on the host and opened to reveal the ransom note.


On the beachhead server, the time of encryption was visible because the MSSQL service stopped functioning after execution of vmware.exe:


The whole intrusion after initial access lasted only around 30 minutes with limited discovery and no exfiltration observed.

Timeline


Diamond Model


Indicators

Atomic


Computed


Detections

Network

ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
ET INFO Executable Download from dotted-quad Host
ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
ET INFO PowerShell Hidden Window Command Common In Powershell Stagers M2
ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M2
ET POLICY PE EXE or DLL Windows file download HTTP
ET HUNTING Generic Powershell DownloadFile Command
ET HUNTING Generic Powershell DownloadString Command
ET HUNTING Generic Powershell Launching Hidden Window
ET INFO PS1 Powershell File Request
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M1
ET INFO PowerShell Base64 Encoded Content Command Common In Powershell Stagers M2
ET INFO PowerShell DownloadFile Command Common In Powershell Stagers
ET INFO PowerShell DownloadString Command Common In Powershell Stagers
ET INFO PowerShell NoProfile Command Received In Powershell Stagers
ET INFO PowerShell NonInteractive Command Common In Powershell Stagers
ET INFO Powershell Base64 Decode Command Inbound
ET MALWARE JS/Nemucod requesting EXE payload 2016-02-01
ET MALWARE JS/Nemucod.M.gen downloading EXE payload
ETPRO MALWARE Likely Evil Request for Invoke-Mimikatz
ETPRO MALWARE PS/Deathhm Script Inbound via HTTP
ET DNS Query to a *.pw domain - Likely Hostile
ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection

Sigma

Search rules on detection.fyi or sigmasearchengine.com

Sigma Repo:

Suspicious Scheduled Task Creation - 3a734d25-df5c-4b99-8034-af1ddb5883a4
PowerShell Scripts Installed as Services - a2e5019d-a658-4c6a-92bf-7197b54e2cae
Potentially Suspicious AccessMask Requested From LSASS - 4a1b6da0-d94f-4fc3-98fc-2d9cb9e5ee76
Powershell Defender Disable Scan Feature - 1ec65a5f-9473-4f12-97da-622044d6df21
Windows Defender Exclusions Added - 1321dc4e-a1fe-481d-a016-52c45f0c8b4f
CobaltStrike Service Installations System - 5a105d34-05fc-401e-8553-272b45c1522d
CobaltStrike Service Installations in Registry - 61a7697c-cb79-42a8-a2ff-5f0cdfae0130
Suspicious Child Process Of SQL Server - 869b9ca7-9ea2-4a5a-8325-e80e62f75445
Whoami.EXE Execution Anomaly - 8de1cbe8-d6f5-496d-8237-5f44a721c7a0
Malicious PowerShell Commandlets PoshModule - 7d0d0329-0ef1-4e84-a9f5-49500f9d7c6c
Malicious PowerShell Commandlets ScriptBlock - 89819aa4-bbd6-46bc-88ec-c7f7fe30efa6
PowerShell Base64 Encoded IEX Cmdlet - 88f680b8-070e-402c-ae11-d2914f2257f1
MSSQL Server Failed Logon - 218d2855-2bba-4f61-9c85-81d0ea63ac71
MSSQL XPCmdshell Suspicious Execution - 7f103213-a04e-4d59-8261-213dddf22314
MSSQL XPCmdshell Option Change - d08dd86f-681e-4a00-a92c-1db218754417
MSSQL Server Failed Logon From External Network - ebfe73c2-5bc9-4ed9-aaa8-8b54b2b4777d
Vulnerable WinRing0 Driver Load - 1a42dfa6-6cb2-4df9-9b48-295be477e835

Yara

https://github.com/The-DFIR-Report/Yara-Rules/blob/main/19208/19208.yar

MITRE


Valid Accounts - T1078 
Brute Force - T1110 
Scheduled Task - T1053.005 
Windows Command Shell - T1059.003 
PowerShell - T1059.001 
Disable or Modify Tools - T1562.001 
Process Injection - T1055 
LSASS Memory - T1003.001 
System Owner/User Discovery - T1033
Network Share Discovery - T1135
Data Encrypted for Impact - T1486
SMB/Windows Admin Shares - T1021.002
Web Protocols - T1071.001
Service Execution - T1569.002
Modify Registry - T1112
Obfuscated Files or Information - T1027
Windows Service - T1543.003
Masquerade Task or Service - T1036.004

 

Originally published by Real Attackers: SQL Brute Force Leads to BlueSky Ransomware

Copyright notice: posted by admin on December 5, 2023 at 5:57 PM.