Clearing Fog of War

Name:
Clearing Fog of War

TTP:
T1003 OS Credential Dumping, T1003.001 OS Credential Dumping: LSASS Memory, T1218.005 System Binary Proxy Execution: Mshta

Hypothesis:

A malicious actor might be leveraging MSHTA for defense evasion and utilizing various techniques for OS credential dumping within the environment.

Campaign Type:
Hybrid

Data Sources:

  • Sysmon Event ID 1: Process Creation
  • Sysmon Event ID 7: Image Loaded
  • Windows Security Event ID 4688: Process Creation
  • Windows Security Event ID 4663: Object Queried

Tools:

  • PowerShell Arsenal
  • Mimikatz
  • ProcDump
  • Task Manager
  • Out-Minidump
  • PSReflect-Functions (OpenProcess)

Scenario:

  1. Initial Access: An attacker gains a foothold in the environment, potentially through phishing or exploiting a vulnerability.
  2. Defense Evasion: The attacker utilizes MSHTA to execute malicious code and bypass application control solutions.
  3. Credential Access: The attacker leverages various techniques for OS credential dumping, including:
    • LSASS Memory Dumping: Using tools like Mimikatz or ProcDump to extract credentials from LSASS memory.
    • Other Techniques: Potentially targeting the Security Account Manager (SAM), NTDS, LSA secrets, cached domain credentials, or the Proc filesystem.
  4. Lateral Movement: The attacker uses stolen credentials to move laterally within the network, accessing sensitive systems and data.
  5. Exfiltration: The attacker exfiltrates sensitive data, such as the SHIV Soda recipe.

Hunting Strategy:

  1. Data Analysis: Analyze Sysmon and Windows Security event logs for suspicious MSHTA activity, focusing on unusual command-line parameters and loaded DLLs.
  2. Correlation: Correlate MSHTA events with other suspicious activities, such as process access to LSASS memory or registry key modifications related to credential dumping.
  3. Investigation: Investigate outliers and suspicious events, utilizing PowerShell Arsenal and other tools to analyze process behavior and identify malicious code.
  4. Validation: Validate potential threats by analyzing process memory, network connections, and file system artifacts.
  5. Remediation: Isolate compromised systems, remove malware, and reset compromised credentials.
  6. Reporting: Document findings and recommendations, including suggestions for improving data quality, enhancing detection capabilities, and strengthening security controls.

False Positive Consideration:

  • System administrators and software developers often perform actions similar to attackers.
  • The hunting team’s own activities might trigger alerts.
  • Insider threats could generate similar events.

Analysts should be trained to differentiate between benign and malicious activity based on context and behavioral patterns.

D3 Diagram:
