Investigating a compromised system on-premises

For the first scenario, we will use a machine that got compromised after the end user opened a phishing email that looks like the following:

This end user was located in the Brazilian branch office, hence the email in Portuguese. The content of this email is a bit concerning, since it talks about an ongoing legal proceeding, and the user was curious to see whether he really had anything to do with it. After poking around within the email, he noticed that apparently nothing happened. He ignored it and continued working. A couple of days later, he received an automated report from IT saying that he had accessed a suspicious site and should call support to follow up on this ticket.

He called support and explained that the only suspicious activity he remembered was opening an odd email; he then presented this email as evidence. When asked what he did, he explained that he clicked the image that was apparently attached to the email, thinking he could download it, but nothing came in: only a glimpse of a window that opened and quickly disappeared, and nothing more.

The first step of the investigation was to validate the URL that was linked to the image in the email. The quickest way to validate it is with VirusTotal, which in this case returned the following result (test performed on November 15, 2017):

This was already a strong indication that the site was malicious. The question at that point was: what did it download onto the user's system that the antimalware installed on the local box didn't find? When there is no indication of compromise from the antimalware but there are indications that a malicious file was successfully downloaded to the system, reviewing the event logs is usually the next step.

Using Windows Event Viewer, we filtered the Security log for event ID 4688 and started looking into each event until the following one was found:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Event ID:      4688
Task Category: Process Creation
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      BRANCHBR
Description:
A new process has been created.

Creator Subject:
   Security ID:            BRANCHBR\Jose
   Account Name:           Jose
   Account Domain:         BRANCHBR
   Logon ID:               0x3D3214

Target Subject:
   Security ID:            NULL SID
   Account Name:           -
   Account Domain:         -
   Logon ID:               0x0

Process Information:
   New Process ID:         0x1da8
   New Process Name:       C:\temp\Tools\mimix64\mimikatz.exe
   Token Elevation Type:   %%1937
   Mandatory Label:        Mandatory Label\High Mandatory Level
   Creator Process ID:     0xd88
   Creator Process Name:   C:\Windows\System32\cmd.exe
   Process Command Line:

As you can see, this is the infamous mimikatz. It is widely used for credential theft attacks, such as Pass-the-Hash. Further analysis showed that this user shouldn't have been able to run this program, since he didn't have administrative privileges on the machine. Following this rationale, we started looking for other tools that were potentially executed prior to this one, and we found the following:

Process Information:
   New Process ID:         0x510
   New Process Name:       C:\temp\Tools\PSExec\PsExec.exe

The PsExec tool is commonly used by attackers to launch a command prompt (cmd.exe) with elevated (SYSTEM) privileges; later on, we also found another 4688 event:

Process Information:
   New Process ID:         0xc70
   New Process Name:       C:\temp\Tools\ProcDump\procdump.exe

The ProcDump tool is commonly used by attackers to dump credentials from the lsass.exe process. It was still not clear how Jose was able to gain privileged access, and one of the reasons is that we found event ID 1102, which shows that, at some point prior to executing these tools, he cleared the log on the local computer:

Log Name:      Security
Source:        Microsoft-Windows-Eventlog
Event ID:      1102
Task Category: Log clear
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      BRANCHBR
Description:
The audit log was cleared.
Subject:
   Security ID:      BRANCHBR\Jose
   Account Name:     BRANCHBR
   Domain Name:      BRANCHBR
   Logon ID:         0x3D3214
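The manual walk through 4688 events described above can be scripted. The following is an added example, not code from the book: it parses events in the Event Viewer "copy as text" layout shown on this page, flags process creations for the tools found in this investigation, and ties each one to a 1102 log clear from the same Logon ID. The sample events are constructed for the example.

```python
import re
# Constructed sample in Event Viewer "copy as text" layout: a 1102 log clear followed by two
# 4688 events in the same logon session (constructed for this example, not the page's host).
SAMPLE = """\
Log Name:      Security
Event ID:      1102
   Security ID:            BRANCHBR\\Jose
   Logon ID:               0x3D3214

Log Name:      Security
Event ID:      4688
   Security ID:            BRANCHBR\\Jose
   Logon ID:               0x3D3214
   New Process Name:       C:\\temp\\Tools\\PSExec\\PsExec.exe
   Creator Process Name:   C:\\Windows\\explorer.exe

Log Name:      Security
Event ID:      4688
   Security ID:            BRANCHBR\\Jose
   Logon ID:               0x3D3214
   New Process Name:       C:\\temp\\Tools\\mimix64\\mimikatz.exe
   Creator Process Name:   C:\\Windows\\System32\\cmd.exe
"""
# Tool names the investigation on this page turned up; extend the set for your own environment.
SUSPECT_TOOLS = {"mimikatz.exe", "psexec.exe", "procdump.exe"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*?)\s*$")

def parse_events(text):
    """One dict per event; first occurrence of a key wins, so 'Logon ID' is the creator's."""
    events = []
    for block in re.split(r"\n(?=Log Name:)", text.strip()):
        rec = {}
        for line in block.splitlines():
            if (m := FIELD.match(line)) and m.group(2):
                rec.setdefault(m.group(1), m.group(2))
        events.append(rec)
    return events

def triage(events):
    """Flag 4688 events for known tools; note when that logon session also cleared the log."""
    cleared = {ev.get("Logon ID") for ev in events if ev.get("Event ID") == "1102"}
    findings = []
    for ev in events:
        if ev.get("Event ID") != "4688":
            continue
        exe = ev.get("New Process Name", "").rsplit("\\", 1)[-1].lower()
        if exe in SUSPECT_TOOLS:
            note = " (same logon session cleared the audit log)" if ev.get("Logon ID") in cleared else ""
            findings.append(f"{exe} <- {ev.get('Creator Process Name')}{note}")
    return findings
```

Run it over a text export of the Security log; a finding that carries the log-clear note tells you the trail before the 1102 is gone, which is exactly the gap the investigation above ran into.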

Upon further investigation of the local system, it was possible to conclude:

  • Everything started with a phishing email
  • This email had an embedded image with a hyperlink to a site that had been compromised
  • A package was downloaded and extracted on the local system; this package contained many tools, such as mimikatz, procdump, and psexec
  • This computer was not part of the domain, so only local credentials were compromised

Attacks against Brazilian accounts are growing; by the time we were writing this chapter, Talos Threat Intelligence had identified a new attack. The blog post Banking Trojan Attempts To Steal Brazillion$ at http://blog.talosintelligence.com/2017/09/brazilbanking.html describes a sophisticated phishing email that used a binary carrying a legitimate VMware digital signature.