Hunting Pygmy Goat communication

The attacker is using a malicious scheduled task to connect back to a C2 server.

Name:
Hunting Pygmy Goat communication

TTP:
T1001.003 Data Obfuscation: Protocol or Service Impersonation, T1053.003 Scheduled Task/Job: Cron

Hypothesis:

The attacker is using a malicious scheduled task to connect back to a C2 server.

Campaign Type:
Data Driven

Data Sources:

  • Process Monitoring
  • Process Command-Line Parameters
  • File Monitoring   
  • Windows Registry

Tools:

  • Sysmon
  • Powershell

Scenario:

  • Initial Access: Attacker gains initial access through a Sophos XG firewall device.
  • Persistence: Attacker sets the LD_PRELOAD environment variable at boot so the malicious shared library is loaded into dynamically linked processes and survives restarts.
  • Privilege Escalation: The preloaded library hooks the accept() function, so the malware's code runs inside the privileged daemons that accept inbound connections and inherits their privileges.
  • Network Sniffing: Attacker uses the malware to start a packet capture and collect network traffic.
  • Encrypted Channel: Attacker uses a CA certificate hardcoded in the malware, rather than the system trust store, to establish a TLS connection with the C2 server.
  • Protocol Tunneling: Attacker creates a reverse SOCKS proxy so that traffic can be routed through the compromised firewall.
  • Data Obfuscation: Attacker uses a fake SSH handshake so that C2 traffic resembles legitimate SSH sessions.
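The last bullet can be hunted for directly: a stream that opens with an SSH identification string but is not followed by a genuine key-exchange packet is impersonating SSH. The following is an added example, not code from the original post, from the NCSC report or from any Sophos product. It parses the RFC 4253 banner and the first unencrypted binary packet and flags streams that carry the banner but no plausible SSH_MSG_KEXINIT. The two captured payloads are constructed; the filler bytes in the fake one are a placeholder, not the malware's real signature.

```python
"""Flag TCP payloads that open with an SSH banner but are not followed by a
real SSH key exchange (a handshake that only impersonates SSH).

Added example; the sample captures are constructed and the 'fake' filler
bytes are made up, not the malware's actual magic sequence.
"""
import struct

SSH_MSG_KEXINIT = 20
CRLF = b"\r\n"


def split_banner(payload: bytes):
    """Return (banner, remainder) per RFC 4253 s4.2, or (None, payload) if the
    identification string is malformed."""
    end = payload.find(CRLF)
    if end == -1 or end > 253:          # banner including CRLF must be <= 255 bytes
        return None, payload
    banner = payload[:end]
    if not (banner.startswith(b"SSH-2.0-") or banner.startswith(b"SSH-1.99-")):
        return None, payload
    return banner, payload[end + 2:]


def parse_binary_packet(data: bytes):
    """Parse an unencrypted RFC 4253 s6 binary packet; return (msg_type, payload) or None."""
    if len(data) < 5:
        return None
    packet_length = struct.unpack(">I", data[:4])[0]
    padding_length = data[4]
    if packet_length < 5 or packet_length > 35000:   # RFC 4253 s6.1 size an implementation must accept
        return None
    if padding_length < 4 or padding_length + 1 >= packet_length:
        return None
    if (4 + packet_length) % 8 != 0:     # before encryption the block size is 8
        return None
    if len(data) < 4 + packet_length:
        return None
    payload = data[5:4 + packet_length - padding_length]
    return payload[0], payload


def is_plausible_kexinit(payload: bytes) -> bool:
    """KEXINIT = byte 20, 16-byte cookie, ten name-lists, boolean, uint32 0 (RFC 4253 s7.1)."""
    if payload[0] != SSH_MSG_KEXINIT or len(payload) < 1 + 16 + 10 * 4 + 1 + 4:
        return False
    pos = 17
    for _ in range(10):
        if pos + 4 > len(payload):
            return False
        n = struct.unpack(">I", payload[pos:pos + 4])[0]
        pos += 4
        if pos + n > len(payload):
            return False
        names = payload[pos:pos + n]
        if names and not all(32 < b < 127 for b in names):   # name-lists are printable ASCII
            return False
        pos += n
    return pos + 5 == len(payload) and payload[pos + 1:pos + 5] == b"\x00\x00\x00\x00"


def classify_handshake(payload: bytes) -> str:
    """'no-ssh-banner', 'ssh', or 'ssh-banner-without-kexinit' (the hunt hit)."""
    banner, rest = split_banner(payload)
    if banner is None:
        return "no-ssh-banner"
    parsed = parse_binary_packet(rest)
    if parsed is None or not is_plausible_kexinit(parsed[1]):
        return "ssh-banner-without-kexinit"
    return "ssh"


def build_kexinit(cookie: bytes = b"\x11" * 16) -> bytes:
    """Build a minimal, correctly padded KEXINIT packet for the constructed sample."""
    lists = [b"curve25519-sha256", b"ssh-ed25519", b"aes128-ctr", b"aes128-ctr",
             b"hmac-sha2-256", b"hmac-sha2-256", b"none", b"none", b"", b""]
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for item in lists:
        payload += struct.pack(">I", len(item)) + item
    payload += b"\x00" + b"\x00\x00\x00\x00"      # first_kex_packet_follows, reserved
    padding = 8 - ((5 + len(payload)) % 8)
    if padding < 4:
        padding += 8
    packet_length = 1 + len(payload) + padding
    return struct.pack(">I", packet_length) + bytes([padding]) + payload + b"\x00" * padding


# Constructed samples: a genuine-looking client handshake, and an impersonation
# that sends the banner and then arbitrary non-SSH bytes.
GENUINE = b"SSH-2.0-OpenSSH_9.6\r\n" + build_kexinit()
FAKE = b"SSH-2.0-OpenSSH_8.2p1\r\n" + b"\xde\xad\xbe\xef" * 12

if __name__ == "__main__":
    for name, sample in (("genuine", GENUINE), ("fake", FAKE)):
        print(name, classify_handshake(sample))
```

Run this over the first client and server segments of each port 22 session after TCP reassembly; the banner and KEXINIT are often sent in separate segments, so a per-packet check will miss real SSH. Only the first packet after the banner is inspectable, everything after NEWKEYS is encrypted.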

Hunting Strategy:

  • Review process creation and file monitoring data for scheduled tasks or cron jobs that are new, modified, or not accounted for by change records (new entries in the cron directories or spool, new Task Scheduler registrations).
  • Correlate the processes those tasks spawn, including their child processes, with network connection events, and look for connections to known C2 servers or to external destinations the host has no business reaching.
  • Investigate outliers such as tasks running at odd hours, tasks with unusual command-line parameters, or tasks launching binaries from temporary or world-writable directories.
  • Validate potential threats by analyzing the task's script or program for malicious behaviour, such as setting LD_PRELOAD or opening an outbound TLS or SSH-like channel.
  • Remediate by terminating the malicious task and removing the associated malware and its persistence.
  • Report the incident, including the attacker's TTPs, the compromised systems and the indicators collected.
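The correlation step above, as an added example that is not part of the original post and is not Sysmon code: it joins network connection events back to the scheduler-launched process at the top of their parent chain (cron -> sh -> agent), keeps only connections within a time window of the job start, and records the reasons an analyst would triage on (external destination, off-hours start, binary in a world-writable path). The event records are constructed to carry the Sysmon Event ID 1 (process create) and Event ID 3 (network connect) field names; the scheduler parent list, internal ranges, business hours and every GUID, host and address are assumptions.

```python
"""Correlate scheduler-spawned processes with the outbound connections they make.

Added example for this hunt; events are constructed with Sysmon Event ID 1 and
Event ID 3 field names, and all GUIDs, paths and addresses are made up.
"""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed: parent images that mean "launched by a scheduler" on the hosts covered.
SCHEDULER_PARENTS = {
    "/usr/sbin/cron", "/usr/sbin/crond",
    "C:\\Windows\\System32\\svchost.exe", "C:\\Windows\\System32\\taskeng.exe",
}
# Assumed: the estate's internal ranges; anything else counts as external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Assumed: jobs starting outside 07:00-19:59 are "odd hours" for this estate.
BUSINESS_HOURS = range(7, 20)
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "\\AppData\\Local\\Temp\\")


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt(events, window=timedelta(minutes=5)):
    """Join each network connection to the scheduler-launched process at the
    top of its parent chain, then attach the reasons a reviewer would care about."""
    by_guid = {e["ProcessGuid"]: e for e in events if e["EventID"] == 1}

    def scheduled_root(guid, depth=0):
        # Walk agent -> sh -> cron back up to the process the scheduler spawned.
        e = by_guid.get(guid)
        if e is None or depth > 8:
            return None
        if e["ParentImage"] in SCHEDULER_PARENTS:
            return e
        return scheduled_root(e.get("ParentProcessGuid"), depth + 1)

    findings = {}
    for net in (e for e in events if e["EventID"] == 3):
        root = scheduled_root(net["ProcessGuid"])
        if root is None:
            continue
        started, connected = parse_time(root["UtcTime"]), parse_time(net["UtcTime"])
        if not started <= connected <= started + window:
            continue
        f = findings.setdefault(root["ProcessGuid"], {
            "command": root["CommandLine"], "start": root["UtcTime"],
            "connections": [], "reasons": set()})
        f["connections"].append((net["Image"], net["DestinationIp"], net["DestinationPort"]))

    for guid, f in findings.items():
        root = by_guid[guid]
        if any(not is_internal(ip) for _, ip, _ in f["connections"]):
            f["reasons"].add("external destination")
        if parse_time(root["UtcTime"]).hour not in BUSINESS_HOURS:
            f["reasons"].add("off-hours")
        paths = [root["CommandLine"]] + [img for img, _, _ in f["connections"]]
        if any(d in p for p in paths for d in SUSPICIOUS_DIRS):
            f["reasons"].add("world-writable path")
    return findings


def flagged(findings, threshold=2):
    """Jobs with at least `threshold` reasons go to the analyst queue."""
    return {g: f for g, f in findings.items() if len(f["reasons"]) >= threshold}


# Constructed events: benign log rotation, a benign off-hours package refresh
# against an internal mirror, a suspicious cron -> sh -> /var/tmp binary that
# reaches an external host on 22, and an interactive ssh that is not scheduled.
EVENTS = [
    {"EventID": 1, "UtcTime": "2024-11-01 00:00:01", "ProcessGuid": "G-100", "ParentProcessGuid": "G-CRON",
     "Image": "/usr/sbin/logrotate", "ParentImage": "/usr/sbin/cron", "CommandLine": "/usr/sbin/logrotate /etc/logrotate.conf"},
    {"EventID": 1, "UtcTime": "2024-11-01 04:00:00", "ProcessGuid": "G-200", "ParentProcessGuid": "G-CRON",
     "Image": "/usr/bin/apt-get", "ParentImage": "/usr/sbin/cron", "CommandLine": "/usr/bin/apt-get update"},
    {"EventID": 3, "UtcTime": "2024-11-01 04:00:02", "ProcessGuid": "G-200", "Image": "/usr/bin/apt-get",
     "DestinationIp": "10.10.0.5", "DestinationPort": 80},
    {"EventID": 1, "UtcTime": "2024-11-01 03:17:00", "ProcessGuid": "G-300", "ParentProcessGuid": "G-CRON",
     "Image": "/bin/sh", "ParentImage": "/usr/sbin/cron", "CommandLine": "/bin/sh -c /var/tmp/.cache/update.sh"},
    {"EventID": 1, "UtcTime": "2024-11-01 03:17:01", "ProcessGuid": "G-301", "ParentProcessGuid": "G-300",
     "Image": "/var/tmp/.cache/agent", "ParentImage": "/bin/sh", "CommandLine": "/var/tmp/.cache/agent"},
    {"EventID": 3, "UtcTime": "2024-11-01 03:17:03", "ProcessGuid": "G-301", "Image": "/var/tmp/.cache/agent",
     "DestinationIp": "203.0.113.44", "DestinationPort": 22},
    {"EventID": 1, "UtcTime": "2024-11-01 10:05:00", "ProcessGuid": "G-400", "ParentProcessGuid": "G-BASH",
     "Image": "/usr/bin/ssh", "ParentImage": "/bin/bash", "CommandLine": "ssh admin@198.51.100.7"},
    {"EventID": 3, "UtcTime": "2024-11-01 10:05:01", "ProcessGuid": "G-400", "Image": "/usr/bin/ssh",
     "DestinationIp": "198.51.100.7", "DestinationPort": 22},
]

if __name__ == "__main__":
    for guid, f in flagged(hunt(EVENTS)).items():
        print(guid, f["start"], f["command"], sorted(f["reasons"]), f["connections"])
```

The parent-chain walk matters more than any single field: the job cron launches is usually a shell, and the process that actually connects out is a grandchild. The reason set rather than a single score keeps the false positives from the section below explainable; the off-hours package refresh surfaces with one reason and stays below the threshold.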

False Positive Consideration:

System administrators may use scheduled tasks for legitimate purposes, such as system maintenance or software updates.

Some applications may use cron jobs for routine tasks, such as log rotation or data backups.

Recommendations:

Regularly review and audit scheduled tasks and cron jobs against a known-good baseline. Implement application control so that only approved binaries can be launched from scheduled tasks. Monitor network traffic for connections to known C2 servers and for sessions that present an SSH banner but never complete a real key exchange. Train system administrators to recognise suspicious scheduled tasks, such as jobs that run from temporary directories or at unusual times.

D3 Diagram:
