Hunt 4 Zloader Trojan – DNS Tunneling

Attackers are using hidden files and directories to evade detection and maintain persistence within the environment.

Name:
Hunt 4 Zloader Trojan – DNS Tunneling

TTP:
T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1564.001 Hide Artifacts: Hidden Files and Directories, T1490 Inhibit System Recovery

Hypothesis:

Attackers are using hidden files and directories to evade detection and maintain persistence within the environment.

Campaign Type:
Hybrid

Data Sources:

  • Endpoint detection and response (EDR) telemetry
  • File system logs
  • Windows Registry
  • Sysmon
  • Windows Security Event Logs

Tools:

  • The HELK (Hunting ELK) is an open-source threat hunting platform built on the Elasticsearch, Logstash and Kibana (ELK) stack, extended with Kafka, KSQL, Spark and Jupyter notebooks for analytics. Endpoint telemetry such as Sysmon events is shipped into it by an agent like Winlogbeat; the agents themselves are not part of HELK.
  • CyberChef is a web-based tool for transforming and decoding data: converting timestamps, decoding Base64 or XOR-obfuscated payloads, and extracting strings and indicators from captured data.
  • The SANS SIFT Workstation is a virtual machine pre-loaded with digital forensics and incident response tools, including timeline creation, file carving and memory analysis tools.
  • Eric Zimmerman's tools are a collection of command-line and GUI forensic parsers for Windows artifacts, for example EvtxECmd for event logs and RECmd/Registry Explorer for registry hives, along with parsers for prefetch, shellbags and $MFT entries. They analyze host artifacts, not network traffic.

Scenario:

  • Initial Access: Attacker gains initial access through a phishing email containing a malicious attachment. (T1566 – Phishing)
  • Defense Evasion: The dropped payload and its directory are marked with the hidden attribute so they do not appear in a default directory listing or Explorer view. (T1564.001)
  • Persistence: The malware creates a hidden file in the Startup folder to execute automatically upon system restart. (T1547.001)
  • Impact: The malware modifies the Windows Registry to prevent the system from creating restore points, hindering recovery efforts. (T1490)

Hunting Strategy:

  • Analyze EDR telemetry for any unusual file system activity, particularly file creation or modification events in sensitive directories.
  • Examine file system logs for evidence of files with hidden attributes being created or accessed.
  • Review Windows Registry entries for suspicious modifications, especially in autorun keys or locations associated with system recovery.
  • Utilize Sysmon (Event ID 1 process creation with command line, Event ID 11 file creation, Event ID 13 registry value set) and Windows Security Event Logs (4688 process creation, 4657 registry value modified) to identify processes interacting with hidden files or making suspicious Registry modifications. Sysmon only records registry writes that its configuration includes, so make sure the Run keys and the SystemRestore policy key are covered by a RegistryEvent rule.
  • Correlate events across multiple data sources to identify patterns and potential malicious activity.
  • Investigate outliers and suspicious events further, potentially using manual analysis or additional security tools.
  • Validate potential threats by analyzing the behavior of identified files or processes.
  • Remediate threats by removing malicious files, restoring Registry settings, and implementing necessary security updates.
  • Report findings and recommendations to relevant stakeholders, including IT management and security teams.

False Positive Consideration:

  • Legitimate system processes or applications may use hidden files or directories for routine operations.
  • System administrators may occasionally make manual modifications to the Windows Registry for maintenance or troubleshooting purposes.
  • Some software installations may alter system recovery settings as part of their configuration.

Recommendations:

  • Implement strict access controls on sensitive directories and files.
  • Regularly audit file system activity and Registry modifications for suspicious changes.
  • Monitor for unusual process behavior and investigate any deviations from the baseline.
  • Maintain up-to-date antivirus definitions and security patches to mitigate known threats.
  • Educate users about the risks of phishing emails and malicious attachments.

Step 1: Prepare the Environment

  • Set up a Windows lab environment with the necessary security monitoring tools installed, such as Sysmon, an EDR agent, and a centralized log management system (e.g., HELK).
  • Enable relevant auditing policies so the events actually get logged: Audit Process Creation with "Include command line in process creation events" for 4688, and Audit Registry together with a SACL on the Run and SystemRestore keys for 4657.
  • Configure the log management system to collect and store security events from all relevant sources.

Step 2: Emulate the Attack Techniques

  • Simulate the initial access vector, such as a phishing email with a malicious attachment.
  • Use attrib.exe to mark the dropped file and its directory as hidden. attrib sets attributes on existing objects, so create the file (a harmless script is enough) before running it. These are Command Prompt commands, not Bash.
    CMD

     
    attrib +h <filename>
    attrib +h <directory_name>
    
  • Modify the Windows Registry to create a Run key value that points to the hidden file, or drop the file in the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
    CMD

     
    reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Malicious_File" /t REG_SZ /d "<path_to_hidden_file>" /f
    
  • Disable System Restore through the policy key. This write requires administrative rights, so emulate it from an elevated prompt.
    CMD

     
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore" /v "DisableSR" /t REG_DWORD /d 1 /f
    

Step 3: Emulate Post-Compromise Activities

  • Simulate additional post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events.
  • Use appropriate tools and techniques for each activity, ensuring they align with the overall attack scenario.

Step 4: Collect and Analyze Logs

  • Collect the generated security event logs from the centralized log management system.
  • Use analysis tools (e.g., Kibana, EDR console) to search for events related to the emulated attack techniques.
  • Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.
    • Example Kibana query:
      process.name: "attrib.exe" AND process.args: "+h"
      

Step 5: Refine Detections

  • Analyze the collected logs to identify patterns and refine your detection rules.
  • Consider using detection frameworks such as Sigma (log-based rules that translate to your SIEM's query language) and YARA (scanning files, scripts and memory for the attacker's tooling) to create more robust detection rules.
    • Example YARA rule, matching a script or binary that embeds an attrib +h command (note that the dot and plus must be escaped in the regex):
      Code snippet

       
      rule hidden_file_creation
      {
        strings:
          $re1 = /attrib\.exe.*\+h/ nocase
        condition:
          $re1
      }
      
  • Document your analysis and findings to improve future threat hunting efforts.
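The correlation described under Hunting Strategy and in Steps 4 and 5 can be expressed as a small, testable detector. The block below is an added example written for this post, not code from the original write-up or from HELK; the events are constructed to resemble Winlogbeat-shipped Sysmon records (event.code 1 = process create, 11 = file create, 13 = registry value set) with ECS-style field names, and the exact field mapping, the allow-list and the 30-minute window are assumptions of the example. It classifies each event into one of the scenario's stages and flags a host only when at least two distinct stages occur close together, which is what keeps a lone admin running `attrib +h` or a legitimate Run entry from firing.

```python
"""Hunt the hidden-file -> Run key -> DisableSR chain in Sysmon telemetry.

Added example for this post; not part of the original hunt write-up.
Field names are ECS-style as Winlogbeat would ship them (assumed mapping).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

STARTUP = "C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.vbs"

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"@timestamp": "2024-05-01T10:00:05Z", "host.name": "WS01", "event.code": 1,
     "process.name": "attrib.exe", "process.command_line": 'attrib +h +s "%s"' % STARTUP},
    {"@timestamp": "2024-05-01T10:00:04Z", "host.name": "WS01", "event.code": 11,
     "process.name": "wscript.exe", "file.path": STARTUP},
    {"@timestamp": "2024-05-01T10:01:10Z", "host.name": "WS01", "event.code": 13,
     "process.name": "reg.exe",
     "registry.path": "HKU\\S-1-5-21-111-222-333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Malicious_File",
     "registry.data.strings": [STARTUP]},
    {"@timestamp": "2024-05-01T10:02:30Z", "host.name": "WS01", "event.code": 13,
     "process.name": "reg.exe",
     "registry.path": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\SystemRestore\\DisableSR",
     "registry.data.strings": ["DWORD (0x00000001)"]},
    # Benign: OneDrive registering its own Run entry (allow-listed below).
    {"@timestamp": "2024-05-01T11:15:00Z", "host.name": "WS02", "event.code": 13,
     "process.name": "OneDriveSetup.exe",
     "registry.path": "HKU\\S-1-5-21-111-222-333-1002\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive",
     "registry.data.strings": ["C:\\Users\\asmith\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"]},
    # Benign: an admin hiding a tools folder, nothing else on the host.
    {"@timestamp": "2024-05-01T12:00:00Z", "host.name": "WS03", "event.code": 1,
     "process.name": "attrib.exe", "process.command_line": "attrib +h C:\\Tools"},
]

# Known-good Run value names for this environment (assumed baseline).
RUN_ALLOWLIST = {"onedrive", "securityhealth"}
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\([^\\]+)$", re.I)
DISABLE_SR = re.compile(r"\\windows nt\\systemrestore\\disablesr$", re.I)
ATTRIB_HIDDEN = re.compile(r"(^|\s)\+[a-z]*h", re.I)  # +h, also +rh style combos


def _dword(value):
    """Parse Sysmon's 'DWORD (0x00000001)' or a plain number into an int."""
    m = re.search(r"0x([0-9a-f]+)", str(value), re.I)
    if m:
        return int(m.group(1), 16)
    m = re.search(r"\d+", str(value))
    return int(m.group(0)) if m else None


def classify(ev):
    """Return the ATT&CK-mapped stage an event evidences, or None."""
    code = ev.get("event.code")
    if code == 1 and ev.get("process.name", "").lower() == "attrib.exe" \
            and ATTRIB_HIDDEN.search(ev.get("process.command_line", "")):
        return "T1564.001 hidden attribute set"
    if code == 11 and STARTUP_DIR.search(ev.get("file.path", "")):
        return "T1547.001 file dropped in Startup folder"
    if code == 13:
        path = ev.get("registry.path", "")
        m = RUN_KEY.search(path)
        if m and m.group(1).lower() not in RUN_ALLOWLIST:
            return "T1547.001 Run key value written"
        data = (ev.get("registry.data.strings") or [""])[0]
        if DISABLE_SR.search(path) and _dword(data) == 1:
            return "T1490 System Restore disabled"
    return None


def hunt(events, window=timedelta(minutes=30), min_stages=2):
    """Group stage hits per host; flag hosts where >= min_stages distinct
    stages fall inside `window`. Returns {host: sorted stage names}."""
    hits = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            ts = datetime.strptime(ev["@timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            hits[ev["host.name"]].append((ts, stage))
    flagged = {}
    for host, items in hits.items():
        items.sort()  # chronological; the window slides from each hit
        for i, (start, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - start <= window}
            if len(stages) >= min_stages:
                flagged[host] = sorted(stages)
                break
    return flagged


if __name__ == "__main__":
    for host, stages in hunt(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Run against the constructed sample, only WS01 is flagged, with all four stages; WS02's OneDrive entry is dropped by the allow-list and WS03's single `attrib +h` never reaches the two-stage threshold. Lowering `min_stages` to 1 turns the same function into the broader, noisier "any hidden-attribute use" sweep that the false positive section warns about, so the threshold and the allow-list are the two knobs to tune against your own baseline.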

Note: This is a basic example, and the specific steps and tools may vary depending on the environment and the complexity of the attack scenario.

D3 Diagram:
