Hunt 4 Glutton PHP Backdoor and Round

Name:
Hunt 4 Glutton PHP Backdoor and Round

TTP:
T1555.003 Credentials from Password Stores: Credentials from Web Browsers, T1555.005 Credentials from Password Stores: Password Managers, T1041 Exfiltration Over C2 Channel, T1068 Exploitation for Privilege Escalation, T1592 Gather Victim Host Information, T1027 Obfuscated Files or Information, T1082 System Information Discovery

Hypothesis:

The attacker may have used the malware to check for antivirus-related processes running on the system.

Campaign Type:
Data Driven

Data Sources:

  • Windows Security Event Log (Process Creation, Process Termination)
  • Sysmon Event Log (Process Creation, Process Access)

Tools:

  • PowerShell
  • Splunk or any other log management tool
  • Sysmon

Scenario:

  • Defense Evasion – The attacker uses obfuscation or encryption to evade detection.
  • Discovery – The attacker uses the malware to check for antivirus-related processes running on the system.
  • Credential Access – The attacker uses the malware to steal sensitive information, including browser data and cryptocurrency wallet credentials.
  • Command and Control – The attacker uses the malware to communicate with command-and-control (C2) servers over encrypted channels.
  • Persistence – The attacker uses the malware to achieve persistence on the victim’s machine by injecting malicious PHP code into legitimate PHP files.
  • Privilege Escalation – The attacker uses the malware to download and execute a malicious ELF file, a Linux backdoor that allows the attacker to gain root privileges on the victim’s machine.
  • Lateral Movement – The attacker uses the malware to collect sensitive information from the victim’s machine, including system information, browser data, and cryptocurrency wallet credentials.
  • Exfiltration – The attacker exfiltrates the sensitive data.
  • Impact – The attacker causes disruption or damage to the organization.

Hunting Strategy:

  1. Analyze Windows Security Event Log and Sysmon Event Log for any process creation or process access events related to the malware.
  2. Correlate the events and identify any patterns or anomalies.
  3. Investigate any outliers or suspicious events.
  4. Validate potential threats by checking for known malicious IP addresses, domain names, or file hashes.
  5. Remediate by removing the attacker’s access and patching any vulnerabilities that were exploited.
  6. Report findings and recommendations to the organization.

Recommendations:

  • Implement strong password policies and multi-factor authentication.
  • Monitor for any unauthorized access to sensitive data.
  • Keep systems and applications up-to-date with the latest security patches.

Step-by-Step Guide to Emulate a Threat Hunt

Prepare the Environment

  1. Set up a test environment with necessary security monitoring tools installed.
  2. Enable relevant auditing policies for the operating system and applications.
  3. Configure a centralized log management system for collecting and storing security events.

Emulate the Attack Techniques

  1. Execute commands and actions that simulate the suspected attack techniques.
  2. Use relevant attack tools or scripts to generate representative security events.

Emulate Post-Compromise Activities

  1. Simulate post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events.
  2. Use appropriate tools and techniques to emulate these activities in a controlled manner.

Collect and Analyze Logs

  1. Collect the generated security event logs from your centralized log management system.
  2. Use analysis tools to search for events related to the emulated attack techniques.
  3. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

Refine Detections

  1. Analyze the collected logs to identify patterns and refine your detection rules.
  2. Consider using threat detection frameworks like YARA or SIGMA to create more robust detection rules.
  3. Document your analysis and findings to improve future threat hunting efforts.

False Positive Consideration:

  • Some applications may exhibit similar behavior to the malware.
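A hunt over the Sysmon events named in the data sources, added here as an example that is not part of the original post: it flags EID 1 process-listing commands (step 1 of the hunting strategy) and EID 10 handle sweeps from a single source, with an allowlist for the false-positive case above. The sample events, the dropper path, the ExampleAV.exe name and the allowlist are all constructed.

```python
"""Hunt for process-discovery behaviour in Sysmon-style events (constructed sample data)."""
import re
from collections import defaultdict

# Utilities that list running processes (what a sample would use to look for AV).
ENUM_COMMANDS = re.compile(r"\b(tasklist|wmic\s+process|get-process|query\s+process)\b", re.I)
# Constructed allowlist of legitimate process enumerators, to handle the false-positive case.
BENIGN_ENUMERATORS = {r"c:\windows\system32\taskmgr.exe"}

def flag_enumeration_commands(events):
    """EID 1 (process create): return (parent, command line) for process-listing commands."""
    return [(e.get("ParentImage", ""), e.get("CommandLine", ""))
            for e in events
            if e["EventID"] == 1 and ENUM_COMMANDS.search(e.get("CommandLine", ""))]

def flag_handle_sweeps(events, threshold=5):
    """EID 10 (process access): one source opening handles to many distinct targets looks
    like enumeration rather than ordinary IPC. Returns {source: sorted targets}."""
    targets = defaultdict(set)
    for e in events:
        if e["EventID"] == 10 and e["SourceImage"].lower() not in BENIGN_ENUMERATORS:
            targets[e["SourceImage"]].add(e["TargetImage"])
    return {src: sorted(t) for src, t in targets.items() if len(t) >= threshold}

def ev(eid, **fields):
    return {"EventID": eid, **fields}

DROPPER = r"C:\Users\bob\AppData\Local\Temp\update.exe"  # constructed suspicious parent
TASKMGR = r"C:\Windows\System32\Taskmgr.exe"
SAMPLE_EVENTS = [
    ev(1, Image=r"C:\Windows\System32\tasklist.exe", ParentImage=DROPPER,
       CommandLine='tasklist /FI "IMAGENAME eq ExampleAV.exe"'),  # ExampleAV.exe is a placeholder
    ev(1, Image=r"C:\Windows\System32\notepad.exe", ParentImage=r"C:\Windows\explorer.exe",
       CommandLine="notepad.exe notes.txt"),
    ev(1, Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", ParentImage=DROPPER,
       CommandLine="powershell -c Get-Process | select Name"),
]
# Both the dropper and Task Manager touch six processes; only the dropper should be flagged.
for i in range(6):
    SAMPLE_EVENTS.append(ev(10, SourceImage=DROPPER, TargetImage=rf"C:\Program Files\App{i}\svc{i}.exe"))
    SAMPLE_EVENTS.append(ev(10, SourceImage=TASKMGR, TargetImage=rf"C:\Program Files\App{i}\svc{i}.exe"))

if __name__ == "__main__":
    for parent, cmd in flag_enumeration_commands(SAMPLE_EVENTS):
        print(f"[EID 1] process listing from {parent}: {cmd}")
    for src, tgts in flag_handle_sweeps(SAMPLE_EVENTS).items():
        print(f"[EID 10] {src} opened handles to {len(tgts)} distinct processes")
```

Against a real export, feed the parsed EID 1 and EID 10 records into the same two functions and tune `threshold` and the allowlist to the environment.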

D3 Diagram: