Microsoft recommends proactively looking for behaviors that precede ransomware and hardening the network to prevent impact. This incident also showed that an attacker can have a long dwell time on a network before bringing their ransomware to run. In this blog post, the Microsoft team detailed the step-by-step approach to infiltrate the system and then take root. Disabling the antivirus products on the victims' network ensured that the ransomware could spread without quarantining or preventing the malware. This service was used by the actor to disable victims' antivirus products through kernel permissions. He then started the service with "sc start aswSP-ArPot2". In the current case, the attacker installed the driver with the "sc" command, enabling kernel-level permissions. I had documented a similar case for Defender in the blog post Lockbit attackers abuse Windows Defender to load Cobalt Strike. Unit 42 recently published a blog post about how Cuba ransomware groups used this driver to disable antivirus software before deploying the Cuba ransomware. The attacker used an anti-rootkit driver from Avast to gain appropriate privileges. By deploying a backdoor on a domain controller, the attacker was able to bypass common recovery measures, such as resetting compromised accounts, to respond to an incident and remain on the network. Previously, they had gained access to highly privileged credentials.īecause the attacker created these tasks and services on a domain controller, they were able to easily access domain administrator accounts thanks to local SYSTEM access. When analyzing the compromised systems, the Microsoft team found several scheduled tasks and services that were created by the attackers to permanently infiltrate the system. If malicious code succeeds in gaining access to services or is able to create tasks, this enables its execution with highly privileged access. Services and scheduled tasks have the option to run as NT AUTHORITY\System. However, it is also commonly used by real attackers such as APT groups or ransomware gangs. If an attacker manages to access these binaries, he can gain their permissions.Ĭobalt Strike is a software with flexible features to simulate industrial espionage on one's network, test defensive measures and increase one's computer security. dll files or drivers from Windows or applications that are run by the system with appropriate permissions. Living-off-the-land means that the attackers misuse binaries that already exist on a system. This allowed attackers to maintain access to the network after resetting passwords of compromised accounts. To gain persistence on the network, Cobalt Strike software was used with NT AUTHORITY/SYSTEM (local SYSTEM) privileges. This attack used a number of standard tools and techniques, such as the use of living-off-the-land binaries, to spread its malicious code. The article describes the findings from a recent ransomware incident. I came across the issue the other day via the following tweet, which the Microsoft Detection and Response Team (DART) disclosed in the article Defenders beware: A case for post-ransomware investigations.
0 Comments
Leave a Reply. |