In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools.
This article provides an in-depth analysis of a cyber intrusion that occurred in a corporate environment in October 2022. The threat actor combined legitimate Remote Monitoring and Management (RMM) services with malicious tooling such as Cobalt Strike and Metasploit to gain access to the network. The actor used ScreenConnect and Atera to obtain SYSTEM-level permissions, process injection to disguise the real origin of malicious actions, and deleted artifacts to cover their tracks. The actor also accessed LSASS to dump credentials, and used nltest commands, a bash script, netping, and Netscan to identify devices and perform an RDP scan. The actor then used Remote Desktop Protocol and Impacket's WMIEXEC class for lateral movement, and was seen manually browsing folders on the file server.
With that access, the threat actor exfiltrated several files over SFTP to 190.2.146[.]96:22. In a monitored environment this exfiltration is easy to spot from the network side, since the volume sent is far above the host's usual traffic. The actor then changed the administrator account's password and, one hour later, started deploying ransomware. As part of the encryption, the ransomware inhibited system recovery by deleting all shadow copies and altering boot settings. To achieve domain-wide impact, the threat actor attempted to deploy a Group Policy Object (GPO).
The article also describes the artifacts found on the systems, including a ScreenConnect installer, ScreenConnect scripts, a trojanized ApacheBench, an Atera installer, Mimikatz, adcomp.bat, Rclone, Netscan, Metasploit, Hive ransomware, and a scheduled-task GPO. It provides detections for each artifact, drawing on the Sigma, JoeSecurity, YARA, MITRE, and DFIR Report Tracking repositories. These repositories contain rules for detecting malicious activity such as Atera Agent Installation, CobaltStrike Named Pipe, Credential Dumping Tools Accessing LSASS Memory, Rare GrantedAccess Flags on LSASS Access, DNS Query To Remote Access Software Domain, HackTool - Potential Impacket Lateral Movement Activity, Persistence and Execution at Scale via GPO Scheduled Task, PowerShell Base64 Encoded IEX Cmdlet, PowerShell Download and Execution Cradles, PUA - Rclone Execution, and Remote Access Tool - ScreenConnect Execution.
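As an added example (not code from The DFIR Report's article), the following Python script models the network-side reasoning above: it aggregates constructed outbound flow records per host and flags transfers to an external destination on the SFTP/SSH port whose size dwarfs that host's baseline. Only the destination 190.2.146[.]96 comes from the report; the host names, other addresses, byte counts, the 10x ratio and the RFC 1918 check are assumptions.

```python
# Added example, not The DFIR Report's code: a volume check modelling why the SFTP exfiltration
# to 190.2.146[.]96:22 stands out. Flow records are constructed; only that IP is from the report.
from collections import defaultdict
from statistics import mean

# Constructed flow records: (source host, destination IP, destination port, bytes out).
FLOWS = [
    ("FILESERVER", "10.0.0.5", 445, 4_000_000),
    ("FILESERVER", "10.0.0.7", 445, 5_500_000),
    ("FILESERVER", "52.96.10.1", 443, 2_000_000),
    ("FILESERVER", "190.2.146.96", 22, 38_000_000_000),  # the report's SFTP destination
    ("WS01", "52.96.10.1", 443, 900_000),
    ("WS01", "10.0.0.5", 445, 1_200_000),
    ("WS01", "140.82.1.1", 22, 300_000),                  # small, ordinary SSH session
    ("BUILD01", "140.82.1.1", 22, 7_000_000),             # single flow: no baseline
]

def is_external(ip: str) -> bool:
    """True unless `ip` is in an RFC 1918 private range (IPv4 only, assumed sufficient here)."""
    first, second = (int(x) for x in ip.split(".")[:2])
    private = (first == 10
               or (first == 172 and 16 <= second <= 31)
               or (first == 192 and second == 168))
    return not private

def find_exfil_candidates(flows, ports=(22,), ratio=10.0):
    """Return (host, dst_ip, bytes_out, ratio_to_baseline) for each flow to an external
    destination on one of `ports` whose size is at least `ratio` times the mean of the
    same host's other flows. A host with a single flow has no baseline and is skipped
    rather than guessed at; raise an absolute-size alert for that case elsewhere."""
    by_host = defaultdict(list)
    for host, dst, port, nbytes in flows:
        by_host[host].append((dst, port, nbytes))
    hits = []
    for host, records in by_host.items():
        for i, (dst, port, nbytes) in enumerate(records):
            if port not in ports or not is_external(dst):
                continue
            others = [b for j, (_, _, b) in enumerate(records) if j != i]
            if not others:
                continue
            baseline = mean(others)
            score = nbytes / baseline if baseline else float("inf")
            if score >= ratio:
                hits.append((host, dst, nbytes, round(score, 1)))
    return hits

if __name__ == "__main__":
    for host, dst, nbytes, score in find_exfil_candidates(FLOWS):
        print(f"{host} -> {dst}: {nbytes:,} bytes, {score}x host baseline")
```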
📓 From ScreenConnect to Hive Ransomware in 61 hours
👉🏽 In 2022, The DFIR Report observed an increase in the adversarial usage of Remote Management and Monitoring (RMM) tools.
👉🏽 In-depth analysis of a cyber intrusion in a corporate environment in October 2022.
👉🏽 Use of legitimate Remote Monitoring and Management (RMM) services and malicious tooling.
👉🏽 Gain network access through ScreenConnect and Atera.
👉🏽 Masquerade the origin of malicious actions and cover tracks by deleting artifacts.
👉🏽 Access LSASS to dump credentials and use nltest commands, bash script, netping, and Netscan.
👉🏽 Perform lateral movement using Remote Desktop Protocol and Impacket's WMIEXEC class.
👉🏽 Exfiltrate files over SFTP to a specific IP address.
👉🏽 Change the administrator account's password and deploy ransomware.
👉🏽 Inhibit system recovery by deleting shadow copies and altering boot settings.
👉🏽 Attempt to deploy a Group Policy Object (GPO) for domain-wide impact.
#CyberIntrusion #ThreatActor #MaliciousTooling #Exfiltration #Ransomware