In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post-exploitation operators.

The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.

The intrusion started with a contact form on a website. It has been reported that this delivery method has been in use for intrusions since at least 2020. This campaign took place in May, and appears to have run as late as June 2022, based on OSINT data related to similar delivery fingerprints.

The contact form gets filled out by the threat actor with a copyright notice, purporting a violation of the Digital Millennium Copyright Act (DMCA). It then encourages the recipient to download a file showing the purported violation. Upon the user clicking the link, they arrive at a “Google” storage site on. A zip file is then downloaded to the victim machine and once unzipped the user is presented with an ISO file. The ISO contains an LNK file and a DLL file. When the LNK is double-clicked, the BumbleBee DLL is executed via rundll32. Initially, contact was made with BumbleBee command and control servers, but little other early activity was observed.

Approximately 12 hours later, ImagingDevices.exe was launched via WmiPrvSE.exe and a Meterpreter agent was injected into the process, as we have observed in previous reports. This process then utilized nltest, net, tasklist, and whoami to perform reconnaissance. About 37 minutes after launching ImagingDevices.exe, the Meterpreter agent migrated to svchost.exe. Upon migrating to the svchost process, there were attempts to bypass UAC and launch a Meterpreter executable. Several failed attempts to bypass UAC occurred utilizing the WSReset method, followed by a failed attempt utilizing the slui hijacking method. Finally, the threat actors succeeded on their final attempt, using the WSReset method. Once UAC was bypassed, Meterpreter’s getsystem command was successfully employed. Now in the SYSTEM context, this Meterpreter agent executed a Cobalt Strike Beacon DLL.

The Cobalt Strike Beacon was utilized to perform a second round of reconnaissance and to access credentials. AdFind, nltest, net, and systeminfo were used to facilitate this activity. The Sysinternals tool ProcDump64 was written to disk and used to dump lsass on the beachhead host. Then, the threat actors executed reg.exe to save a copy of the SAM, Security, and Software registry hives on the beachhead host. Lateral movement was then performed over SMB to transfer Cobalt Strike Beacon DLLs to other workstations’ C$\ProgramData\ directories. These were executed via remote services, but appeared to be there for redundant connections as the threat actors continued to perform their actions on the beachhead workstation.

After a pause of about three hours, 19 hours since initial access, the threat actors launched an exploit against the primary domain controller targeting the Zerologon (CVE-2020-1472) vulnerability. After successfully exploiting the domain controller, the threat actors used Pass the Hash to begin working in the context of a user who was a member of the Domain Admins group.

From the beachhead host, Invoke-ShareFinder was executed with the output being written to disk. A Cobalt Strike Beacon DLL was then written over SMB to another Domain Controller and executed via a service. The threat actors were evicted from the environment and no further impact was observed.

We assess with medium confidence this intrusion was related to pre-ransomware activity due to the tool set and techniques the actors displayed. As far as impact, one Domain Controller was left broken, causing authentication failures across the domain.

We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here. We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.

Analysis and reporting completed by

Initial Access

The intrusion in this case began with a link to a Google domain,.
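The parent/child and command-line relationships in the chain described above (ImagingDevices.exe under WmiPrvSE.exe, children of WSReset.exe or slui.exe, reg.exe saving hives, ProcDump against lsass, a service running a DLL from ProgramData) are exactly what process-creation telemetry can flag. The following is an added example, not code from the report, that runs one rule per stage over constructed Sysmon Event ID 1 style records; the record layout, rule names and sample paths are assumptions.

```python
"""Process-creation rules for the tradecraft described above (added example,
not from the report). Records are (Image, ParentImage, CommandLine) tuples as
Sysmon Event ID 1 would log them; the sample records below are constructed."""
import re
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, str, str]  # (Image, ParentImage, CommandLine)

def base(path: str) -> str:
    """Lower-cased file name of a full image path."""
    return path.rsplit("\\", 1)[-1].lower()

RULES: Dict[str, Callable[[str, str, str], bool]] = {
    # rundll32 loading a DLL from a path outside \Windows\ (the ISO/LNK delivery stage)
    "rundll32_dll_outside_windows": lambda i, p, c: base(i) == "rundll32.exe"
        and re.search(r"[a-z]:\\(?!windows\\)[^\s,]*\.dll", c, re.I) is not None,
    # ImagingDevices.exe started by the WMI provider host, the injection host in this case
    "imagingdevices_from_wmiprvse": lambda i, p, c: base(p) == "wmiprvse.exe"
        and base(i) == "imagingdevices.exe",
    # auto-elevating binaries abused for UAC bypass normally spawn no child processes
    "autoelevate_binary_spawned_child": lambda i, p, c: base(p) in ("wsreset.exe", "slui.exe"),
    # reg.exe saving the SAM, SECURITY or SOFTWARE hive
    "reg_save_hive": lambda i, p, c: base(i) == "reg.exe"
        and re.search(r"\bsave\b.*\b(sam|security|software)\b", c, re.I) is not None,
    # ProcDump pointed at lsass
    "procdump_lsass": lambda i, p, c: base(i).startswith("procdump") and "lsass" in c.lower(),
    # a service launching a DLL staged under ProgramData (remote-service lateral movement)
    "service_runs_programdata_dll": lambda i, p, c: base(p) == "services.exe"
        and "\\programdata\\" in c.lower() and ".dll" in c.lower(),
}

def evaluate(records: List[Record]) -> Dict[str, List[int]]:
    """Map each rule that fired to the indexes of the records that triggered it."""
    hits: Dict[str, List[int]] = {}
    for idx, rec in enumerate(records):
        for name, pred in RULES.items():
            if pred(*rec):
                hits.setdefault(name, []).append(idx)
    return hits

# Constructed sample records mirroring the chain in the report (paths are made up).
SAMPLE: List[Record] = [
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe", r"rundll32.exe E:\loader.dll,Export1"),
    (r"C:\Windows\System32\ImagingDevices.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe", "ImagingDevices.exe"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WSReset.exe", r"cmd.exe /c C:\Temp\m.exe"),
    (r"C:\Windows\System32\reg.exe", r"C:\Windows\System32\cmd.exe", r"reg save HKLM\SAM C:\ProgramData\sam.hive"),
    (r"C:\ProgramData\procdump64.exe", r"C:\Windows\System32\cmd.exe", r"procdump64.exe -ma lsass.exe C:\ProgramData\l.dmp"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\services.exe", r"rundll32.exe C:\ProgramData\b.dll,StartW"),
    (r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),  # benign control
]
```

`evaluate(SAMPLE)` returns one entry per rule with the indexes of the constructed records that triggered it; the benign notepad record matches nothing.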