Stories from the SOC – Command and Control

Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.

Executive summary

Once a malicious actor has gained initial access to an internal asset, they may attempt to conduct command and control activity. The ‘Command and Control’ (C&C) tactic, as identified by the MITRE ATT&CK© Framework, consists “of techniques that adversaries may use to communicate with systems under their control within a victim network.” Cobalt Strike is an effective adversary simulation tool used in security assessments but has been abused by malicious actors for Command and Control of victim networks. If configured by attackers, it can be used to deploy malicious software, execute scripts, and more.

This investigation began when the Managed Extended Detection and Response (MXDR) analyst team received multiple alarms involving the detection of Cobalt Strike on an internal customer asset. Within ten minutes of this activity, the attacker launched a Meterpreter reverse shell and successfully installed the remote access tools Atera and Splashtop Streamer on the asset. These actions allowed the attacker to establish multiple channels of command and control. In response, the MXDR team created an investigation and informed the customer of this activity. The customer determined that an endpoint detection and response (EDR) agent was not running on this asset, which could have prevented this attack from occurring. This threat was remediated by isolating the asset and scanning it with SentinelOne to remove indicators of compromise. Additionally, Cobalt Strike, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent unauthorized execution of this software in the customer environment.


Initial alarm review

Indicators of Compromise (IOC)

An initial alarm was triggered by a Windows Defender detection of Cobalt Strike on an internal customer asset. The associated log was provided to USM Anywhere using NXLog and was detected using a Windows Defender signature. Multiple processes related to Cobalt Strike were attached to this alarm.

Cobalt Strike, as mentioned previously, is a legitimate security tool that can be abused by malicious actors for Command and Control of compromised machines. In this instance, a Cobalt Strike beacon was installed on the compromised asset to communicate with the attacker’s infrastructure. Windows Defender took action to prevent these processes from running.

Immediately following the Cobalt Strike detection, an additional alarm was triggered for a Meterpreter reverse shell.

A Meterpreter reverse shell is a component of the Metasploit Framework and requires the attacker to set up a remote ‘listener’ on their own infrastructure that ‘listens’ for connections. Upon successful exploitation, the victim machine connects to this remote listener, establishing a channel for the attacker to send malicious commands. A Meterpreter reverse shell can be used to allow an attacker to upload files to the victim machine, record user keystrokes, and more. In this instance, Windows Defender also took action to prevent this process from running.

Expanded investigation

Events search

During post-exploitation, an attacker may leverage scheduled tasks to run periodically, disable antivirus, or configure malicious applications to execute during startup. To query for this activity, specific event names, such as ‘Windows Autostart Location’, ‘New Scheduled Task’, and events containing ‘Windows Defender’, were added to a filter in USM Anywhere. An additional filter was applied to display events occurring in the last 24 hours. This expanded event search provided context into attacker activity around the time of the initial Cobalt Strike and Meterpreter alarms.

Event deep dive

Just after the Cobalt Strike and Meterpreter detections, a scheduled task was created named “Monitoring Restoration.” This task is identified by Windows Event ID 106.

This scheduled task was used to install two remote monitoring and management (RMM) applications: Atera and Splashtop Streamer.

Shortly after this task was created and executed, an event was received indicating “AteraAgent.exe” was added as a Windows auto-start service.

AteraAgent.exe is associated with Atera, a legitimate computer management application that allows for remote access, management, and monitoring of computer systems, but has been abused by attackers for command and control of compromised systems.

This change was followed by an event involving “SRService.exe” being added as a Windows auto-start service on this asset.

SRService.exe is associated with Splashtop Streamer Service, a remote access application commonly used by IT support, also abused by attackers for C&C communications.

At this point, the attacker had attempted to create multiple channels for command and control using Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer. While the Cobalt Strike and Meterpreter sessions were terminated by Windows Defender, Atera and Splashtop Streamer were successfully added as startup tasks. This allowed the attacker to establish persistence in the customer environment. Persistence, as identified by the MITRE ATT&CK framework, allows the attacker to maintain “access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”
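The event search and the sequence found in the deep dive can be expressed as a small correlation routine. This is an added example, not code from the original post or from USM Anywhere; the event tuples, asset names and timestamps are constructed, and the ten-minute correlation window is an assumption taken from the timeline in the executive summary.

```python
from datetime import datetime, timedelta

# Event names used in the search filter described above.
FILTER_NAMES = {"Windows Autostart Location", "New Scheduled Task"}
# Remote-access binaries named in this investigation (Atera, Splashtop Streamer).
RMM_BINARIES = ("ateraagent.exe", "srservice.exe")

# Constructed sample events: (timestamp, asset, event name, detail). All values are assumptions.
EVENTS = [
    ("2022-01-08T09:00:00", "WS-042", "New Scheduled Task", "Nightly Backup"),
    ("2022-01-10T13:58:00", "WS-042", "User Logon", "jdoe"),
    ("2022-01-10T14:00:05", "WS-042", "Windows Defender Malware Detected", "Cobalt Strike"),
    ("2022-01-10T14:03:10", "WS-042", "Windows Defender Malware Detected", "Meterpreter"),
    ("2022-01-10T14:05:00", "WS-042", "New Scheduled Task", "Monitoring Restoration"),
    ("2022-01-10T14:07:30", "WS-042", "Windows Autostart Location", "AteraAgent.exe"),
    ("2022-01-10T14:08:10", "WS-042", "Windows Autostart Location", "SRService.exe"),
    ("2022-01-10T14:20:00", "WS-017", "Windows Autostart Location", "updater.exe"),
]

def filter_events(events, now, lookback=timedelta(hours=24)):
    """Keep the named persistence events and anything containing 'Windows Defender'
    that occurred within the lookback window, oldest first."""
    kept = []
    for ts, asset, name, detail in events:
        when = datetime.fromisoformat(ts)
        wanted = name in FILTER_NAMES or "Windows Defender" in name
        if wanted and now - lookback <= when <= now:
            kept.append((when, asset, name, detail))
    return sorted(kept)

def correlate(filtered, window=timedelta(minutes=10)):
    """Return persistence events seen on an asset within `window` of its most recent
    Defender detection, tagged with whether the binary is a listed RMM tool."""
    last_detection, findings = {}, []
    for when, asset, name, detail in filtered:
        if "Windows Defender" in name:
            last_detection[asset] = when
        elif asset in last_detection and when - last_detection[asset] <= window:
            is_rmm = detail.lower() in RMM_BINARIES
            findings.append((asset, name, detail, is_rmm))
    return findings

if __name__ == "__main__":
    now = datetime(2022, 1, 10, 15, 0, 0)
    for finding in correlate(filter_events(EVENTS, now)):
        print(finding)
```

The auto-start event on the second asset passes the filter but is not flagged, because no Defender detection preceded it on that asset.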


Building the investigation

All alarms and events were carefully recorded in an investigation created in USM Anywhere. The customer was immediately contacted regarding this compromise, which led to an ‘all-hands-on-deck’ call to remediate this threat. This compromise was escalated to the customer’s Threat Hunter, as well as management and Tier 2 analysts.

Customer interaction

The MXDR team worked directly with the customer to contain and remediate this threat. This asset was quarantined from the customer network, where it was scanned for malicious indicators using SentinelOne. The customer installed the SentinelOne EDR agent on this asset to protect it from any current threats. Additionally, the unauthorized applications Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer were added to SentinelOne’s blacklist to prevent future execution of these programs in the customer environment.

Limitations and opportunities

While this compromise was quickly detected and contained, the customer lacked the protection required to prevent the applications Atera and Splashtop Streamer from being installed and added as Windows auto-start programs.

To protect an enterprise network from current threats, a multi-layered approach must be taken, otherwise known as ‘Defense in Depth.’ This entails multiple layers of protection, including Endpoint Detection and Response, implementation of a SIEM (Security Information and Event Management System), and additional security controls. With the addition of an EDR agent installed on this asset, this malicious behavior would have been prevented. AT&T’s Managed Endpoint Security (MES) provides endpoint detection and response and can be utilized in conjunction with USM Anywhere to actively detect, prevent, and notify the customer of malicious activity in their environment.
