HP — CraftedSignal Threat Feed

Persistence via Windows Installer (Msiexec)

hello@craftedsignal.io — Thu, 05 Sep 2024 14:17:05 +0000

The Windows Installer (msiexec.exe) is a legitimate system tool used for installing, updating, and removing software on Windows systems. Adversaries can abuse msiexec.exe to establish persistence mechanisms by creating malicious scheduled tasks or modifying registry run keys. This allows them to execute arbitrary code during system startup or user logon. This technique is attractive to attackers due to msiexec.exe being a trusted Windows binary, potentially evading detection by security solutions that focus on flagging unknown or suspicious processes. The use of msiexec.exe for persistence can be difficult to detect without specific monitoring rules, as it is a common and legitimate system process. This activity can be observed across various Windows versions and is frequently integrated into automated attack frameworks and scripts.

Attack Chain

An attacker gains initial access to a compromised system, potentially through phishing, exploitation of a vulnerability, or stolen credentials.
The attacker leverages msiexec.exe to create a new scheduled task using the schtasks.exe command, setting it to execute a malicious script or binary.
Alternatively, the attacker uses msiexec.exe in conjunction with reg.exe or PowerShell to modify registry keys under HKLM\Software\Microsoft\Windows\CurrentVersion\Run or HKCU\Software\Microsoft\Windows\CurrentVersion\Run, adding a pointer to their malicious executable.
The created scheduled task or registry entry points to a malicious payload, such as a reverse shell or a downloader.
The system is restarted, or the user logs on, triggering the execution of the newly created scheduled task or the malicious binary through the modified registry run key.
The malicious payload executes, establishing a persistent foothold for the attacker on the compromised system.
The attacker can now perform further actions, such as data exfiltration, lateral movement, or deployment of ransomware.

Impact

Successful exploitation allows the adversary to maintain persistent access to the compromised system. This can lead to data theft, system compromise, deployment of ransomware, or use of the system as a staging point for further attacks within the network. A single compromised system can be used to pivot and compromise additional systems, leading to a widespread security breach. The impact can include financial losses, reputational damage, and disruption of business operations.

Recommendation

Monitor process creation events for msiexec.exe spawning schtasks.exe or reg.exe to create scheduled tasks or modify registry run keys (reference: rules in this brief).
Implement and tune the Sigma rules provided in this brief to detect suspicious msiexec.exe activity related to persistence mechanisms.
Review and audit existing scheduled tasks and registry run keys for any suspicious entries or anomalies.
Enable file integrity monitoring (FIM) on critical system directories, including the Windows Task Scheduler directory and registry run key locations (reference: event.category == “file” and file.path … and event.category == “registry” and registry.path … in the rule query).
Implement application control policies to restrict the execution of unauthorized or unknown executables (reference: rule query).

WMI Incoming Lateral Movement

hello@craftedsignal.io — Wed, 03 Jan 2024 12:00:00 +0000

This threat brief focuses on the detection of lateral movement within a Windows environment via Windows Management Instrumentation (WMI). WMI, a core Windows feature, is often exploited by adversaries to remotely execute processes, bypassing traditional security measures. This activity is detected by monitoring network connections and process executions, while filtering out common false positives associated with legitimate administrative use, security tools, and system processes. The goal is to highlight potential threats indicative of unauthorized lateral movement.

Attack Chain

An attacker gains initial access to a system within the network.
The attacker uses WMI to initiate a connection to a remote host on port 135.
The svchost.exe process on the target host accepts an incoming RPC connection from the attacker-controlled system.
WmiPrvSE.exe, the WMI provider host process, spawns a new process based on the attacker’s WMI command.
The spawned process executes the attacker’s payload or command on the remote host.
The attacker leverages the executed process for further actions, such as data exfiltration or establishing persistence.

Impact

Successful exploitation and lateral movement via WMI can lead to unauthorized access to sensitive data, compromise of critical systems, and propagation of malware throughout the network. While specific victim counts or sector targeting data are unavailable, the broad applicability of WMI across Windows environments makes this a relevant threat for a wide range of organizations.

Recommendation

Enable Sysmon Event ID 1 (Process Creation) and Event ID 3 (Network Connection) logging to provide necessary data for the rules below.
Deploy the Sigma rules provided in this brief to your SIEM to detect suspicious WMI activity and tune them for your environment.
Review and create exceptions for known administrative accounts or specific IP addresses used by IT staff to reduce false positives, as mentioned in the overview.
Isolate any affected host from the network to prevent further lateral movement if suspicious WMI activity is detected.
Monitor network connections with destination port 135 for unusual activity.

Suspicious Microsoft HTML Application Child Process

hello@craftedsignal.io — Tue, 02 Jan 2024 12:00:00 +0000

Mshta.exe (Microsoft HTML Application Host) is a Windows utility used to execute HTML Applications (.hta files). Adversaries often abuse Mshta to execute malicious scripts and evade detection, as it is a signed Microsoft binary and can bypass application whitelisting. This activity typically involves Mshta spawning other processes like cmd.exe or powershell.exe to perform malicious actions. This behavior has been observed across various attack campaigns and is a common tactic used to deliver payloads, establish persistence, or perform lateral movement within a network. Defenders need to monitor Mshta.exe process creations and child processes to detect and prevent potential threats. The detection logic focuses on identifying specific child processes commonly associated with malicious activities, while excluding legitimate uses of Mshta, such as those related to HP printer software.

Attack Chain

An attacker gains initial access via an unspecified method (e.g., phishing, drive-by download) that delivers a malicious HTA file.
The user executes the HTA file, which launches Mshta.exe to interpret and execute the embedded script.
The script within the HTA file spawns a suspicious child process, such as cmd.exe or powershell.exe, using CreateProcess.
The spawned process executes malicious commands or scripts to download additional payloads or perform reconnaissance.
Certutil.exe may be used to decode encoded payloads.
The attacker may use bitsadmin.exe to download files from remote servers.
PowerShell is used to execute malicious code directly in memory, bypassing file-based detections.
The attacker achieves their objective, such as establishing persistence, stealing credentials, or deploying ransomware.

Impact

Successful exploitation can lead to a range of consequences, including malware infection, data theft, and system compromise. The impact can vary depending on the attacker’s objectives, but it can result in significant financial losses, reputational damage, and disruption of business operations. While specific numbers of victims are not listed, this technique is widely used and can affect any organization that does not adequately monitor and restrict the use of Mshta.exe. The sectors targeted are broad, as this is a general-purpose technique applicable to various environments.

Recommendation

Enable process creation logging and monitor for Mshta.exe spawning suspicious child processes to enable the “Suspicious Microsoft HTML Application Child Process” rule.
Implement the provided Sigma rule to detect Mshta.exe spawning cmd.exe, powershell.exe, certutil.exe, bitsadmin.exe, curl.exe, msiexec.exe, schtasks.exe, reg.exe, wscript.exe, or rundll32.exe to detect potential defense evasion.
Examine process.command_line and process.parent.command_line for suspicious arguments and file paths to further investigate potential malicious use of Mshta.
Monitor for executables running from user directories using the Sigma rule provided to identify potentially malicious processes spawned by Mshta.exe.
Investigate the parent process of Mshta.exe to determine the initial source of the HTA execution, focusing on browsers, email clients, and other potential delivery mechanisms.
Tune the provided Sigma rules for your environment to reduce false positives and ensure accurate detection of malicious activity.