In today's post we are hunting some malware that has infected a Windows 10 virtual machine in Azure. In order to learn about malware analysis I am not using any anti-virus or malware software and Defender is turned off on the victim machine. All I have in terms of software is Splunk. This post will begin with a University assignment question and then my answers.
TASK 1
Delete malware and prevent it from recurring
After the Windows 10 operating system has started, note the simulated malware file (23ffgg.exe) running as a process in task manager. You should locate the malware file on the storage drive, stop the process, delete the file and then reboot the system to recognise that the malware recurs. You should now take steps to delete the malware and prevent it from recurring.
Describe how you prevented the malware from recurring. Your description must prove that your activity to prevent recurrence has been successful. Include, as a minimum, screenshots and all relevant actions, filenames, folders, locations, processes etc. to prove success.
ANSWER
1. I located the malicious file in Task Manager, “23ffgg.exe”.
2. I verified where the file is running from on disk.
3. I ran Splunk and conducted a search for registry keys being added:
EventCode=4657 AND Object_Name="*Software\\Microsoft\\Windows\\CurrentVersion*"
4. This search confirmed that a registry key had been added for the file 23ffgg.exe in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
I checked the MITRE ATT&CK framework for information on mitigating autostart execution and registry run keys.
5. I deleted the file from its execution location:
C:\Windows\App
6. I ran the registry editor from the command line with “regedit.exe”
7. I investigated the following registry locations just to be absolutely sure I am aware of all files that are being executed on Windows startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
I located the registry key called “threat” in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
The malicious key's Value Data is C:\Windows\app\23ffgg.exe
8. I deleted the malicious key:
No malicious registry keys were found in:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
9. Next I checked the startup folders for any sign of a malicious file being set to run when the machine boots. I am aware that I could also check this in Splunk, but because I knew the start-up folders I navigated straight to them. I turned on hidden files and folders first. I checked the following folder locations for any files being executed when the machine starts:
C:\Users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
10. Now it was time to ensure any malware was cleaned up and removed from auto starting. I used Autoruns64.exe on the desktop to check for startup processes.
I could see that there was a startup process for “23ffgg.exe”; Autoruns confirmed the file could no longer be found. I removed it from Autoruns anyway.
11. Next I checked for scheduled tasks using Splunk:
Eventcode=4698 "Command"
I was able to locate that the malware was executing from a scheduled task. The task scheduler was running a process and unzipping a zip file from the command line and executing it with this command:
c:\windows\aa344.zip -C c:\windows\app 23ffgg.exe
12. After deleting the file I opened the Task Scheduler and double checked for malicious scheduled tasks:
13. I opened Splunk and used the following command to search for any new processes matching the file name “23ffgg.exe”:
"New_Process_Name" = "*" AND "Process_Command_Line" = "*23ffgg*.exe"
The results show a file named tar.exe being run from C:\Windows\System32\
I am not able to delete this file. I note from research that this is a bsdtar utility that reads and writes archived files. I also noted that when I boot the machine a command prompt opens and closes momentarily, suggesting that something is still being run when the machine starts, but not from the startup folders.
14. I enabled Attack Surface Reduction in the Group Policy Editor.
15. I checked Splunk for any exploitation of the command shell and discovered evidence of cmd.exe being exploited through the use of the /Q and /c arguments. These arguments are commonly used by malware authors and threat actors.
I used the search:
EventCode=4688 AND "cmd.exe /Q /C"
16. I ran Task Scheduler and located a suspicious entry for “GoogleUpdate”. This scheduled task is suspicious because Google isn’t an application that is installed on the machine and it’s being run on Sunday evening, which is unusual. I checked the task and found it is set to run the suspicious tar file from earlier.
17. I removed the task and rebooted the machine.
18. I confirmed the malicious file was not being executed any longer using Task Manager and Autoruns, and I checked the registry and the scheduled tasks.
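The registry, startup-folder and scheduled-task checks in steps 7 to 12 can be collected into a single audit. The following PowerShell is an added example and is not part of the original post or the assignment: it takes the indicator strings “23ffgg” and “aa344” from the write-up as defaults (the only values borrowed from the page), assumes an elevated session on the victim machine, and reports only, unless -Remove is passed.

```powershell
# Added example: audit the autostart locations covered in the write-up for the
# given indicator strings and optionally remove what matches. Not from the
# original post. Assumes an elevated PowerShell session on the victim machine.
param(
    [string[]]$Indicator = @('23ffgg', 'aa344'),   # substrings taken from the write-up
    [switch]$Remove                                 # report only unless -Remove is given
)

# True when any indicator appears in the supplied text (-like is case-insensitive).
function Test-Indicator {
    param([string]$Text)
    foreach ($i in $Indicator) { if ($Text -like "*$i*") { return $true } }
    return $false
}

$hits = New-Object System.Collections.Generic.List[object]

# 1. Run / RunOnce keys for the current user and the machine (ATT&CK T1547.001).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $value = [string]$item.GetValue($name)
        if (Test-Indicator $value) {
            $hits.Add([pscustomobject]@{ Type = 'RunKey'; Location = "$key\$name"; Detail = $value })
            if ($Remove) { Remove-ItemProperty -Path $key -Name $name }
        }
    }
}

# 2. Per-user and all-users Startup folders (-Force includes hidden files).
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        if (Test-Indicator $_.Name) {
            $hits.Add([pscustomobject]@{ Type = 'StartupFolder'; Location = $_.FullName; Detail = "$($_.Length) bytes" })
            if ($Remove) { Remove-Item -Path $_.FullName -Force }
        }
    }
}

# 3. Scheduled tasks whose action or arguments mention an indicator (ATT&CK T1053.005).
#    This is the check that catches a task which re-creates the file at boot.
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if (Test-Indicator $cmd) {
            $hits.Add([pscustomobject]@{ Type = 'ScheduledTask'; Location = "$($task.TaskPath)$($task.TaskName)"; Detail = $cmd })
            if ($Remove) { Unregister-ScheduledTask -TaskName $task.TaskName -TaskPath $task.TaskPath -Confirm:$false }
        }
    }
}

if ($hits.Count -eq 0) { 'No autostart entries matched the indicators.' }
else { $hits | Format-Table -AutoSize }
```

Run it once without -Remove to see every match across all three locations before deleting anything; the dropped file itself (C:\Windows\app\23ffgg.exe in the write-up) is still removed by hand as in step 5, and a reboot afterwards is the test that nothing re-creates it.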
TASK 2
Set administration privileges
Create a new user (user5) as a member of the local administrators group. This can be via PowerShell commands, net commands, or lusrmgr.msc.
Provide a screenshot proving the new user is a member of the administrators group.
Screenshot/s should show the relevant user's properties window in Local Users and Groups manager (lusrmgr.msc).
ANSWER
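The task names PowerShell as one accepted method. The following is an added example, not part of the original post or its screenshots: it creates user5, adds it to the built-in Administrators group and verifies the membership using the LocalAccounts cmdlets that ship with Windows 10. The password is prompted for rather than written into the script.

```powershell
# Added example (not from the original post): create user5, add it to the local
# Administrators group and verify the membership. Assumes an elevated session.
$UserName = 'user5'
$Password = Read-Host -Prompt "Password for $UserName" -AsSecureString   # never hard-code it

# Create the account only if it does not already exist.
if (-not (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $UserName -Password $Password | Out-Null
}

# Add to Administrators (idempotent: skip if already a member).
$qualified = "$env:COMPUTERNAME\$UserName"
$members = Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name }
if ($members -notcontains $qualified) {
    Add-LocalGroupMember -Group 'Administrators' -Member $UserName
}

# Verification: the same information as the "Member Of" tab in lusrmgr.msc
# or the output of "net localgroup Administrators".
$isAdmin = [bool](Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -eq $qualified })
"$UserName is a member of Administrators: $isAdmin"
```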
TASK 3
Detect Threats
When determining threat status you should consider the following scenario for the target. The user of the target PC sometimes utilises a remote desktop client from home to access programs on the target PC at the work premises. The user does not transfer files between work and home using SSH, FTPS or any other similar command line data transfer protocol. The user is not technical ICT staff and is unlikely to need or understand the use of enumeration tools. The user generally conducts work between 9am – 5:30pm Mon to Fri.
After importing the data from the local security log file, carry out the following.
1. Use Splunk search to locate three reliable threat indicators in the Security log data.
2. Provide the exact search query syntax used to locate the threat indicators. Note that multiple queries may be required to confirm a result is actually related to a threat.
3. Explain how the results reliably indicate that a threat is present. For example, simply citing a failed login attempt is not evidence of a threat. Evidence of a threat could include reference to dates, times, user accounts, system commands, malicious commands, information found via manual search and other factors that together infer that the result could be a threat.
Note that the existing recurring threat as detailed in question 1, may be used as one of the three threats. However, the threat must be identified within the security log and be accompanied by an explanation of how the search results reliably indicate a threat is present.
ANSWER
THREAT INDICATOR 1
Using this search term in Splunk I was able to identify failed login attempts outside of normal business hours:
EventCode=4625 earliest=-30d (date_hour < 8 OR date_hour > 17)
The event code 4625 searches for account login failures. The log shows a failed login attempt at 07:55:34 AM on 07/30/23 and another failed login at 06:29:46 PM.
The log shows that either the username or password was bad (incorrect). Most likely the failed login attempt was an incorrect username because the log shows the username used was “User32” when there isn’t a User32 on the system. The failed logins were attempted using a remote desktop protocol (Splunk Logon Type 10).
Using this search query I was able to see successful logons outside of normal business hours:
EventCode=4624 earliest=-30d (date_hour < 8 OR date_hour > 17)
Event code 4624 is used to identify successful logons to the machine. There was a successful logon at 07:59:39 by ‘user1’ – despite this being outside of normal work hours.
I then used:
EventCode=4648 earliest=-30d (date_hour < 8 OR date_hour > 17)
Event code 4648 is used to search for logon attempts using explicit credentials. I was able to see the logon at 07:59:39 was made using the account ‘user1’. This would suggest a threat actor had first tried to logon using the account name ‘user32’ which was unsuccessful and then later used ‘user1’ to logon.
THREAT INDICATOR 2
Looking for use of common enumeration techniques under user1 account:
"ipconfig" OR "ver" OR "whoami" OR "netstat" AND Account_Name != "user1"
This search query identifies the use of these common commands used by ICT personnel and threat actors. I can see whoami.exe and WMI have been run on the 4/30/23 at 04:17:18 by user1. As user1 is not part of the ICT team this is suspicious, and I can see that the following command was run in WMI:
cmd.exe /Q /c
This is often used by threat actors to launch the command prompt silently and close it once run. Again this is suspicious activity, leading me to believe this is a genuine threat.
I then ran the following search query to see if those commands were being run outside of normal hours:
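Threat Indicators 1 and 2 can also be triaged directly from the local Security log, without Splunk. The PowerShell below is an added example and not part of the original post. It assumes the working hours used by the Splunk searches above (date_hour < 8 OR date_hour > 17, Monday to Friday), that the legitimate account is ‘user1’, and that 4688 events carry a command line only if “Include command line in process creation events” is enabled in audit policy. It goes slightly beyond the page by also flagging weekend activity and a small list of enumeration binaries.

```powershell
# Added example (not from the original post): triage the local Security log for
# out-of-hours logon activity and suspicious process creation. Run elevated;
# reading the Security log needs administrator rights.
param(
    [int]$Days = 30,
    [int]$StartHour = 8,
    [int]$EndHour = 17,
    [string]$ExpectedUser = 'user1'     # the account that legitimately uses the machine
)

# Pull a named field out of the event's XML payload (EventData/Data[@Name]).
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Outside 08:00-17:59 on a weekday, or any time on a weekend (assumed schedule).
function Test-OutOfHours {
    param([datetime]$Time)
    $weekend = $Time.DayOfWeek -in 'Saturday', 'Sunday'
    return ($weekend -or $Time.Hour -lt $StartHour -or $Time.Hour -gt $EndHour)
}

$since = (Get-Date).AddDays(-$Days)

# Indicator 1: failed logons (4625), successful logons (4624) and explicit-credential
# logons (4648) outside working hours. LogonType 10 = RemoteInteractive (RDP).
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625, 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { Test-OutOfHours $_.TimeCreated } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            EventId   = $_.Id
            Account   = Get-EventField $_ 'TargetUserName'
            LogonType = Get-EventField $_ 'LogonType'     # empty for 4648
            Source    = Get-EventField $_ 'IpAddress'
        }
    }

# Indicator 2: process creation (4688) where the non-technical user runs an
# enumeration binary, or cmd.exe is launched with the /Q /c pattern flagged above.
$enumBinaries = 'whoami.exe', 'ipconfig.exe', 'netstat.exe', 'net.exe', 'wmic.exe'
$procs = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $name = Get-EventField $_ 'NewProcessName'
        if (-not $name) { return }                      # skip malformed records
        $cmd  = Get-EventField $_ 'CommandLine'
        $user = Get-EventField $_ 'SubjectUserName'
        $leaf = Split-Path -Leaf $name
        $isEnum  = $enumBinaries -contains $leaf
        $isQuiet = $cmd -match '(?i)cmd\.exe.*\s/Q\s+/c\b'
        if (($isEnum -and $user -eq $ExpectedUser) -or $isQuiet) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $user
                Process     = $leaf
                CommandLine = $cmd
                OutOfHours  = (Test-OutOfHours $_.TimeCreated)
            }
        }
    }

'--- Out-of-hours logon activity ---'
$logons | Sort-Object Time | Format-Table -AutoSize
'--- Suspicious process creation ---'
$procs  | Sort-Object Time | Format-Table -AutoSize
```

The two tables line up with the reasoning on the page: a 4625 for a non-existent account followed shortly by a 4624/4648 for a real one, both with LogonType 10, is the sequence that turns a single failed login into an indicator, and the OutOfHours column on the process table answers the question the missing follow-up query was meant to answer.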
THREAT INDICATOR 3
There is a suspicious file being run from a registry key. The task can be seen in Task Manager and is named 23ffgg.exe.
I used Autostart to check if the file is being run from the startup folders and it is not.
Right-clicking on the file I can see it’s being run from C:\Windows\app
I used Splunk to search for any processes that match “23ffgg.exe”:
"New_Process_Name" = "*" AND "Process_Command_Line" = "*23ffgg.exe"
The results show that a new process is being created by command line after executing a .tar file. It looks like when the computer starts a command prompt is launched and a command is run to unpack a .tar file. The tar file unpacks a .zip file to C:\Windows, named aa344.zip, which contains an exe file named “23ffgg.exe”; the zip file is unzipped and the file is copied to C:\windows\app.
I checked if this process or any others were being run from C:\Windows\System32:
"svchost" AND Creator_Process_Name != "C:\\Windows\\System32\\*"
No results were found.
Next I used Splunk to search the registry for any added keys:
EventCode=4657 AND Object_Name="*Software\\Microsoft\\Windows\\CurrentVersion*"
I can see from the logs a new object named “threat” with a key value of:
C:\Windows\app\23ffgg.exe
This confirms that the malicious process that is being run is creating a registry key to place the suspicious portable executable file in C:\Windows\app
Upon removing the key and rebooting, the malware persists; this points to the possibility of a scheduled task running the tar file when the machine starts.
Using the Task Scheduler I was able to locate a suspicious scheduled task named ‘GoogleUpdate’ being run outside of business hours on a Sunday. This task was deleted and on reboot I was able to establish the malware had been deleted.
The nature of the file and the effort used to ensure persistence indicates that this is a legitimate threat.
TASK 4
Mitigate Threats
Threat Indicator 1
· Removed ‘user1’ account, set up new account for this user with a complex password.
· Set up Account Lockout to prevent multiple unauthorised logon attempts.
· Disabled SSH.
Threat Indicator 2
· Use Applocker to deny execution of the command prompt.
· Set up Attack Surface Reduction to prevent execution of scripts and running of certain files.
Threat Indicator 3
· Registry keys removed.
· Deleted scheduled task named ‘GoogleUpdate’ which was set to run a command in CMD.exe.
· Enabled Applocker to deny execution of the command prompt.
· Use Applocker to deny access to Task Scheduler.
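The account lockout mitigation under Threat Indicator 1 is the one that is easiest to apply and prove from the command line. The following PowerShell is an added example and not part of the original post; the threshold, duration and window values are assumed, not taken from the write-up, and the same settings can be viewed in secpol.msc under Account Lockout Policy.

```powershell
# Added example (not from the original post): apply and verify the account-lockout
# mitigation. The three numbers are assumed values. Run elevated.
$Threshold = 5     # failed attempts before the account locks
$Duration  = 30    # minutes the account stays locked
$Window    = 30    # minutes during which failed attempts are counted

# Apply the policy; "net accounts" is the same engine secpol.msc writes to.
net accounts /lockoutthreshold:$Threshold /lockoutduration:$Duration /lockoutwindow:$Window | Out-Null

# Verify by parsing the "Name:   value" lines that "net accounts" prints.
$policy = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(.*?):\s+(.*)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
}

$threshold = $policy['Lockout threshold']
$duration  = $policy['Lockout duration (minutes)']
$window    = $policy['Lockout observation window (minutes)']
"Lockout threshold = $threshold, duration = $duration min, window = $window min"

# Before the change the threshold line reads "Never", so compare as text.
if ($threshold -ne "$Threshold") {
    Write-Warning 'Lockout threshold was not applied; confirm the session is elevated.'
}
```

A repeat of the failed-logon search (EventCode=4625) after the policy is in place, together with the 4740 account-lockout events it now produces, is the evidence that the mitigation is active rather than just configured.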