文章前言
在我们之前观察到的速度最快的勒索案例之一中,在不到四个小时的时间里攻击者就从初始访问变成了域范围内的勒索,而且该初始访问向量是通过电子邮件传递的IcedID有效负载,我们已经观察到IcedID恶意软件被各种勒索软件团体用作初始访问,我们以前的一些案例包括:
最初的IcedID有效载荷被执行后的大约2小时后攻击者似乎就开始实施攻击操作,在使用WMI和PsExec部署Quantum Ransomware之前首先使用了CS和RDP来进行横向移动,这一案例仅用了3小时44分钟的极短时间(TTR)
时间序列
初始访问
攻击者通过常见的恶意软件IcedID获得了初始访问权限,有效载荷是在一个ISO文件(docs _ invoice _ 173.iso)中交付的,交付方式是通过电子邮件,用户打开并执行恶意软件后,我们能够使用事件ID确定用户装载了ISO12在Microsoft-Windows-VHDMP-Operational.evtx,具体如下图所示:
挂载时ISO包含两个文件:
打开ISO文件后的典型用户视角如下:
文件document.lnk是快捷方式或lnk文件,并且dar.dll是IcedID的有效载荷
命令执行
快速浏览document.lnk的属性可以从中看到启动时执行的命令行:
C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer
但是我们可以用.lnk文件获取更多细节,例如:下面是通过执行LECmd.exe工具的部分输出,可以看到当用在文件document.lnk上时,它会解析出元数据信息,比如:快捷方式文件是什么时候创建的,创建它的设备的主机名和MAC地址,甚至创建它的用户的目录路径
我们能够确定用户何时点击了lnk文件,以及何时用上面提到的命令行创建了一个新进程,事件ID 4663在Security.evtx中突出显示是explorer.exe访问document.lnk:
此外执行位置和父流程的上下文也可用于跟踪用户执行流程
有效负载执行后不久,产生了几个创建持久性的子进程并开始在主机上发现
这包括一个实例C:\Windows\SysWOW64\cmd.exe,IcedID恶意软件曾将它挖空,然后注入CS攻击Beacon,我们还观察到了其他几个CS的迹象,以证实威胁行动者利用了这些迹象,其中cmd.exe进程产生了的可疑实例rundll32.exe,该进程没有命令行参数,另一个迹象是rundll32.exe创建命名管道postex_304a,rundll32.exe和匹配postex_[0-9a-f]{4}的命名管道的这种行为是CS 4.2+后期使用的默认行为
当我们回顾这个过程时,我们能够确认当我们成功提取的Beacon实际上是Cobalt Strike的,同时攻击者还在一些服务器上执行了PowerShell Cobalt Strike有效负载:
该有效载荷使用默认的CS Obfuscation混淆方案(XOR 35),并且可以容易地使用CyberChef进行解密:
https://gist.github.com/0xtornado/69d12572520122cb9bddc2d6793d97ab
之后可以使用scdbg来分析输出,以突出显示Windows API调用shellcode所生成的内容:
在使用PowerShell Beacon之前,攻击者还在服务器上放置了一个DLL Beacon(p227.dll ),但由于未知原因,该操作似乎失败了,之后攻击者成功通过PowerShell执行了Beacon
权限维持
IcedID恶意软件首次执行后,它通过在受影响用户的AppData目录中创建恶意软件(Ulfefi32.dll)的副本来建立持久性,并创建了一个每小时执行一次的计划任务:\kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A},改计划任务是通过以下执行操作创建的
免杀绕过
在IcedID和CS的入侵过程中有观察到进程注入,攻击者注入到了winlogon进程中,这一项我们可以通过Yara扫描确定:
https://malpedia.caad.fkie.fraunhofer.de/yara/win.cobalt_strike
{
"Pid": 7248,
"ProcessName": "cmd.exe",
"CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe",
"Detection": [
"win_cobalt_strike_auto",
"cobaltstrike_beacon_4_2_decrypt"
]
}
{
"Pid": 584,
"ProcessName": "winlogon.exe",
"CommandLine": "winlogon.exe",
"Detection": [
"win_cobalt_strike_auto",
"cobaltstrike_beacon_4_2_decrypt"
]
}
{
"Pid": 5712,
"ProcessName": "powershell.exe",
"CommandLine": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile",
"Detection": [
"win_cobalt_strike_auto",
"cobaltstrike_beacon_4_2_decrypt"
]
}
Volatility Malfind输出显示了winlogon进程中嵌入的MZ标头,其设置为页面执行读写内存空间的保护设置,这是进程注入的一个常见属性
在进程日志中还观察到winlogon通过网络连接到Cobalt Strike服务器
凭证获取
LSASS访问
在这次入侵中我们观察到对LSASS进程内存的可疑访问,如下图所示,这些访问都是使用Windows任务管理器和rundll32.exe,该rundll32.exe初步被评估为CS临时Beacon(如执行图所示):
攻击者设法窃取管理员帐户凭据,从而允许他们在AD域中横向移动
相关发现
正如在执行部分中提到的,IcedID进程运行了几个初始发现命令,这些命令向攻击者提供了有关主机、网络和域的环境信息,考虑到这些命令的时间紧接在IcedID执行之后,我们相信这些命令是在签入时自动执行的
cmd.exe /c chcp >&2
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
ipconfig /all
systeminfo
net config workstation
nltest /domain_trusts
nltest /domain_trusts /all_trusts
net view /all /domain
net view /all
net group "Domain Admins" /domain
Acmd.exe从IcedID派生的进程运行了其他的服务和主机发现查询,攻击者删除了C:\Windows\Temp目录中的以下文件:
参与者使用了活动目录枚举工具AdFind收集域中的用户、计算机和子网等信息,文件ad.7z是上面的AdFind命令的结果输出,之后创建了一个额外的批处理脚本ns.bat,它用枚举域中的所有主机名网络管理命令行工具来识别主机的IP地址
在从主机进行第一次横向移动之前,威胁参与者使用WMI测试凭据并从目标远程服务器收集信息
C:\Windows\system32\cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, caption
后渗透类
远程桌面
威胁者利用RDP横向移动到关键主机,我们有证据表明RDP在多台机器上使用了管理员帐户,这次入侵中的攻击者从一个名为TERZITERZI的工作站启动了RDP连接,见下面截图:
RDP连接是从运行信标的Cobalt Strike进程建立的,这意味着攻击者利用主机上的代理来实现RDP链接
PsExec
PsExec被用来实现勒索软件的执行,攻击者利用PsExec中的"-r"选项来定义自定义名称(分布式事务管理)在目标主机上创建的远程服务(默认情况下是PSEXESVC)
WMI
在整个入侵过程中我们还观察到攻击者使用WMIC执行横向活动,包括远程发现操作,以及作为第二种选择,确保所有远程主机成功执行最终勒索软件有效负载,WMIC命令以/node:IP地址允许威胁参与者在远程主机上运行命令
命令控制
IcedID
正如我们从执行部分看到的,dar.dll用于联系以下域:
dilimoretast.com
138.68.42.130:443
antnosience.com
157.245.142.66:443
oceriesfornot.top
188.166.154.118:80
Cobalt Strike
185.203.118.227
Watermark: 305419776
{
"beacontype": [
"HTTPS"
],
"sleeptime": 60000,
"jitter": 15,
"maxgetsize": 1049376,
"spawnto": "AAAAAAAAAAAAAAAAAAAAAA==",
"license_id": 305419776,
"cfg_caution": false,
"kill_date": "2022-04-22",
"server": {
"hostname": "185.203.118.227",
"port": 443,
"publickey": "MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCnOM3nXx+7HBhkbDd+AwFrFisSunK999w2tM0uTpuuEiBalcJhcL+QgQWtf6S7zPp5hjImG+2YcPl18geU4f5JlSPXHwilbK4DFb/ePWyKFjhrA7emVRqhM21QMlo1ANsn14rY/RO2pzuft8P7TXoIjjI/B2GGVuzYNZX6X4I2EwIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="
},
"host_header": "",
"useragent_header": null,
"http-get": {
"uri": "/_/scs/mail-static/_/js/",
"verb": "GET",
"client": {
"headers": null,
"metadata": null
},
"server": {
"output": [
"print",
"append 375 characters",
"append 250 characters",
"prepend 4 characters",
"prepend 28 characters",
"prepend 36 characters",
"prepend 18 characters",
"prepend 4 characters",
"prepend 28 characters",
"prepend 36 characters",
"prepend 17 characters",
"prepend 4 characters"
]
}
},
"http-post": {
"uri": "/mail/u/0/",
"verb": "POST",
"client": {
"headers": null,
"id": null,
"output": null
}
},
"tcp_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"crypto_scheme": 0,
"proxy": {
"type": null,
"username": null,
"password": null,
"behavior": "Use IE settings"
},
"http_post_chunk": 0,
"uses_cookies": true,
"post-ex": {
"spawnto_x86": "%windir%\\syswow64\\rundll32.exe",
"spawnto_x64": "%windir%\\sysnative\\rundll32.exe"
},
"process-inject": {
"allocator": "VirtualAllocEx",
"execute": [
"CreateThread",
"SetThreadContext",
"CreateRemoteThread",
"RtlCreateUserThread"
],
"min_alloc": 0,
"startrwx": true,
"stub": "tUr+Aexqde3zXhpE+L05KQ==",
"transform-x86": null,
"transform-x64": null,
"userwx": true
},
"dns-beacon": {
"dns_idle": null,
"dns_sleep": null,
"maxdns": null,
"beacon": null,
"get_A": null,
"get_AAAA": null,
"get_TXT": null,
"put_metadata": null,
"put_output": null
},
"pipename": null,
"smb_frame_header": "AAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=",
"stage": {
"cleanup": false
},
"ssh": {
"hostname": null,
"port": null,
"username": null,
"password": null,
"privatekey": null
}
}
数据窃取
虽然勒索信指出威胁者窃取了数据,但我们没有观察到任何公开的数据泄露,然而有可能威胁行动者使用IcedID或Cobalt Strike来传输敏感数据
影响说明
入侵开始不到四个小时,攻击者者就开始实施他们的最终目标,即在全域部署勒索软件,通过其中一个域控制器,攻击者使用PsExec和WMI的组合来远程执行勒索软件
他们首先复制了有效载荷ttsel.exe到网络上每台主机的C$共享
C:\Windows\system32\cmd.exe /K copy ttsel.exe \\<IP>\c$\windows\temp\
之后攻击者利用PsExec中的"-r"选项来定义在目标主机上创建的远程服务的自定义名称("mstdc")(默认为PSEXESVC)
psexec.exe \\<IP ADDRESS> -u <DOMAIN>\Administrator -p "<PASSWORD>" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\ttsel.exe
从而导致了文件C:\Windows\mstdc.exe在执行PsExec时在目标端点上创建
WMI
攻击者采用的另一种执行方法是WMI调用,以在目标主机上启动远程进程
wmic /node:"<IP ADDRESS>" /user:"<DOMAIN>\Administrator" /password:"<PASSWORD>" process call create "cmd.exe /c c:\windows\temp\ttsel.exe"
Quantum勒索软件开始加密环境中所有主机上的文件,然后发出以下勒索信:README_TO_DECRYPT.html
Quanntum门户网站有一个独特的选项来创建和设置协商聊天的密码
通过身份验证后它会显示威胁参与者的聊天窗口
Diamond Model
案例总结
当用户终端被ISO映像中包含的IcedID有效负载破坏时,攻击者能够进入网络,这个有效载荷是通过电子邮件发送的,但是我们无法确定发送电子邮件
在ISO包含了一个DLL文件(IcedID恶意软件)和一个执行它的LNK快捷方式,最终用户在点击进入ISO文件后,只能看到一个名为"document"的文件,这是一个隐藏在ISO中的DLL的LNK快捷方式。当用户点击LNK文件时IcedID DLL就会被执行
在执行IcedID DLL时我们发现在这个过程中使用了内置的Windows实用程序(例如:ipconfig、systeminfo、nltest、net和chcp)执行了一系列信息收集任务,与此同时IcedID恶意软件还创建了一个计划任务,作为在主机上持久化的一种方式
大约两个小时后,攻击者在CS上使用进程注入技术,这标志着攻击者开始了"动手敲键盘"的活动,攻击者通过AdFind获取了目标组织目录结构信息,之后通过运行一个名为ns.bat的批处理文件来获取主机信息
然后Cobalt Strike进程继续访问LSASS内存以提取凭据,几分钟后该凭据经过测试可在服务器上远程执行WMI,在确认他们的凭证适用于WMI操作后,攻击者继续进入开启RDP的服务器,并试图在该服务器上丢弃和执行CS DLL Beacon,不过这似乎失败了,所以攻击者打开cmd,并继续执行PowerShell运行CS Baccon载荷,之后这个Beacon成功地连接到了CS
在接下来的一个小时里,攻击者继续通过RDP连接到环境中的其他服务器,一旦攻击者掌握了域的布局,他们就准备通过复制勒索软件(名为ttsel.exe)发送到每台主机的C$共享文件夹,他们使用了两种远程执行的方法来引爆勒索病毒二进制文件,WMI和PsExec,这一勒索软件部署从最初的IcedID执行不到四个小时就结束了,虽然勒索信指出威胁者窃取了数据,但我们没有观察到任何公开的数据泄露,然而有可能威胁行动者使用IcedID或Cobalt Strike来传输敏感数据
相关指标
FIles:
docs_invoice_173.iso
e051009b12b37c7ee16e810c135f1fef
415b27cd03d3d701a202924c26d25410ea0974d7
5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b
dar.dll
4a6ceabb2ce1b486398c254a5503b792
08a1c43bd1c63bbea864133d2923755aa2f74440
4a76a28498b7f391cdc2be73124b4225497232540247ca3662abd9ab2210be36
document.lnk
adf0907a6114c2b55349c08251efdf50
aa25ae2f9dbe514169f4526ef4a61c1feeb1386a
3bb2f8c2d2d1c8da2a2051bd9621099689c5cd0a6b12aa8cb5739759e843e5e6
adf.bat
ebf6f4683d8392add3ef32de1edf29c4
444c704afe4ee33d335bbdfae79b58aba077d10d
2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04
Ulfefi32.dll
49513b3b8809312d34bb09bd9ea3eb46
445294080bf3f58e9aaa3c9bcf1f346bc9b1eccb
6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7
license.dat
e9ad8fae2dd8f9d12e709af20d9aefad
db7d1545c3c7e60235700af672c1d20175b380cd
84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238
ttsel.exe
b1eff4fffe66753e5f4265bc5332f72e
da2caf36b52d81a0d983407ab143bef8df119b8d
b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda
p227.dll
350f82de99b8696fea6e189fcd4ca454
deea45010006c8bde12a800d73475a5824ca2e6f
c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3
NetWork:
A、IcedID
dilimoretast[.]com
antnosience[.]com
oceriesfornot[.]top
138[.]68.42.130:443
157[.]245.142.66:443
188[.]166.154.118:80
B、Cobalt Strike
C2/IP: 185.203.118[.]227:443
Watermark: 305419776
入侵检测
Network:
ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)
ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory
ET MALWARE Win32/IcedID Request Cookie
ET POLICY PE EXE or DLL Windows file download HTTP
ET POLICY PsExec service created
ET RPC DCERPC SVCCTL - Remote Service Control Manager Access
ET POLICY SMB2 NT Create AndX Request For an Executable File
ET DNS Query to a *.top domain - Likely Hostile
ET INFO HTTP Request to a *.top domain
ET POLICY SMB Executable File Transfer
Sigma:
https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/PSEXEC%20Custom%20Named%20Service%20Binary
https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup
https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/pipe_created/pipe_created_tool_psexec.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/file_event/file_event_win_tool_psexec.yml
https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml
https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml
https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml
https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml
https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml
https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml
Yara
/*
YARA Rule Set
Author: The DFIR Report
Date: 2022-04-24
Identifier: Quantum Case 12647
Reference: https://thedfirreport.com
*/
/* Rule Set ----------------------------------------------------------------- */
import "pe"
rule docs_invoice_173 {
meta:
description = "IcedID - file docs_invoice_173.iso"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
strings:
$x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide
$x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
$s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide
$s4 = "Desktop (C:\\Users\\admin)" fullword wide
$s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
$s6 = "1t3Eo8.dll" fullword ascii
$s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
$s8 = "DAR.DLL." fullword ascii
$s9 = "dar.dll:h" fullword wide
$s10 = "document.lnk" fullword wide
$s11 = "DOCUMENT.LNK" fullword ascii
$s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii
$s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii
$s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii
$s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii
$s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii
$s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii
$s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii
$s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii
$s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii
condition:
uint16(0) == 0x0000 and filesize < 600KB and
1 of ($x*) and 4 of them
}
rule quantum_license {
meta:
description = "IcedID - file license.dat"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"
strings:
$s1 = "W* |[h" fullword ascii
$s2 = "PSHN,;x" fullword ascii
$s3 = "ephu\"W" fullword ascii
$s4 = "LwUw9\\" fullword ascii
$s5 = "VYZP~pN," fullword ascii
$s6 = "eRek?@" fullword ascii
$s7 = "urKuEqR" fullword ascii
$s8 = "1zjWa{`!" fullword ascii
$s9 = "YHAV{tl" fullword ascii
$s10 = "bwDU?u" fullword ascii
$s11 = "SJbW`!W" fullword ascii
$s12 = "BNnEx1k" fullword ascii
$s13 = "SEENI3=" fullword ascii
$s14 = "Bthw?:'H*" fullword ascii
$s15 = "NfGHNHC" fullword ascii
$s16 = "xUKlrl'>`" fullword ascii
$s17 = "gZaZ^;Ro2" fullword ascii
$s18 = "JhVo5Bb" fullword ascii
$s19 = "OPta)}$" fullword ascii
$s20 = "cZZJoVB" fullword ascii
condition:
uint16(0) == 0x44f8 and filesize < 1000KB and
8 of them
}
rule quantum_p227 {
meta:
description = "Cobalt Strike - file p227.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"
strings:
$s1 = "Remote Event Log Manager4" fullword wide
$s2 = "IIdRemoteCMDServer" fullword ascii
$s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */
$s4 = "<*=.=2=6=<=\\=" fullword ascii /* hex encoded string '&' */
$s5 = ">'?+?/?3?7?;???" fullword ascii /* hex encoded string '7' */
$s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */
$s7 = "2(252<2[2" fullword ascii /* hex encoded string '"R"' */
$s8 = ":$;,;2;>;F;" fullword ascii /* hex encoded string '/' */
$s9 = ":<:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
$s10 = "%IdThreadMgr" fullword ascii
$s11 = "AutoHotkeys<mC" fullword ascii
$s12 = "KeyPreview0tC" fullword ascii
$s13 = ":dmM:\\m" fullword ascii
$s14 = "EFilerErrorH" fullword ascii
$s15 = "EVariantBadVarTypeErrorL" fullword ascii
$s16 = "IdThreadMgrDefault" fullword ascii
$s17 = "Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)" fullword wide
$s18 = "CopyMode0" fullword ascii
$s19 = "TGraphicsObject0" fullword ascii
$s20 = "THintWindow8" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 2000KB and
( pe.imphash() == "c88d91896dd5b7d9cb3f912b90e9d0ed" or 8 of them )
}
rule Ulfefi32 {
meta:
description = "IcedID - file Ulfefi32.dll"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7"
strings:
$s1 = "WZSKd2NEBI.dll" fullword ascii
$s2 = "3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f6f0291e8cfbc4802085b8413c" ascii
$s3 = "794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8e1b1e0a6f2101ed3a87a73523" ascii
$s4 = "ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb1796adece94327ba0d8dfb63c10" ascii
$s5 = "bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf226c5d4faa7e78765fd5aa20f8" ascii
$s6 = "acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd0851bcef3bc5f828eab7e736d81" ascii
$s7 = "e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992da07fada70c018de1ff8f91d4" ascii
$s8 = "afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149fdbfbf40b2d06493379a27e16b" ascii
$s9 = "3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eed" ascii
$s10 = "a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212505b240e629e066ed853fb9f6b" ascii
$s11 = "69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab319f49bed09e43f9b6197bf9a66" ascii
$s12 = "cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae726d5b2" ascii
$s13 = "a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb4b1b12d96d6f38de96212392c3" ascii
$s14 = "900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e34d3b31f8151f194cdb8afc85e" ascii
$s15 = "35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9cb765a95ff42a7d8b27e62d470a" ascii
$s16 = "0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f6d70c03203272740463ff4bcd5" ascii
$s17 = "72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab8146dab20a033c28dee789de8046" ascii
$s18 = "f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d32981c343bd47b403951b165d2dc0f" ascii
$s19 = "9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5ba7f3baac0601ed13ffc4f0a1e" ascii
$s20 = "3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae" ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and
( pe.imphash() == "81782d8702e074c0174968b51590bf48" and ( pe.exports("FZKlWfNWN") and pe.exports("IMlNwug") and pe.exports("RPrWVBw") and pe.exports("kCXkdKtadW") and pe.exports("pLugSs") and pe.exports("pRNAU") ) or 8 of them )
}
rule quantum_ttsel {
meta:
description = "quantum - file ttsel.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2022-04-24"
hash1 = "b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda"
strings:
$s1 = "DSUVWj ]" fullword ascii
$s2 = "WWVh@]@" fullword ascii
$s3 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
$s4 = "E4PSSh" fullword ascii /* Goodware String - occured 2 times */
$s5 = "tySjD3" fullword ascii
$s6 = "@]_^[Y" fullword ascii /* Goodware String - occured 3 times */
$s7 = "0`0h0p0" fullword ascii /* Goodware String - occured 3 times */
$s8 = "tV9_<tQf9_8tKSSh" fullword ascii
$s9 = "Vj\\Yj?Xj:f" fullword ascii
$s10 = "1-1:1I1T1Z1p1w1" fullword ascii
$s11 = "8-999E9U9k9" fullword ascii
$s12 = "8\"8)8H8i8t8" fullword ascii
$s13 = "8\"868@8M8W8" fullword ascii
$s14 = "3\"3)3>3F3f3m3t3}3" fullword ascii
$s15 = "3\"3(3<3]3o3" fullword ascii
$s16 = "9 9*909B9" fullword ascii
$s17 = "9.979S9]9a9w9" fullword ascii
$s18 = "txf9(tsf9)tnj\\P" fullword ascii
$s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii
$s20 = "<2=7=>=E={=" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 200KB and
( pe.imphash() == "68b5e41a24d5a26c1c2196733789c238" or 8 of them )
}
MITRE
T1204 - User Execution
T1614.001 - System Location Discovery: System Language Discovery
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1055 - Process Injection
T1055.012 - Process Injection: Process Hollowing
T1003.001 - OS Credential Dumping: LSASS Memory
T1486 - Data Encrypted for Impact
T1482 - Domain Trust Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1083 - File and Directory Discovery
T1518.001 - Software Discovery: Security Software Discovery
T1047 - Windows Management Instrumentation
T1087.002 - Account Discovery: Domain Account
T1082 - System Information Discovery
T1018 - Remote System Discovery
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071.001 - Web Protocols
S0029 - PsExec
S0039 - Net
S0100 - ipconfig
S0359 - Nltest
S0483 - IcedID
S0552 - AdFind
S0154 - Cobalt Strike