2022-09-06

Detections for Infamous Threats: Encoding, Scheduling, and A LOLBin

Leverage detection logic for trending threats to help prioritize detections, develop an up-to-date defensive strategy, and assist overwhelmed detection engineers

Make it easier on yourself: See how to stay away from code-hogging compute resources

Our threat research team, Anvilogic Forge, spends their time observing trending threats and wants to share threat actor techniques and provide you with sample detection logic. Why do you ask? Because we know detection engineering can be difficult and want to help! And frankly, we don’t think detection engineers should deal with expectations like, “just find the evil”; we sadly know this all too well. The “Just find it” strategy leads to ugly blobs of scheduled code-hogging compute resources; hard not to imagine Jabba the Hutt taking away the budget for a security team’s BlackHat/DefCon vacation, no security summer camp - say it isn’t so!

To identify active threats, teams should use threat research, so the intelligence gathered can help drive detection engineering efforts, enable threat prioritization and provide a rationale for code deployment. Starting this series, we’ll examine encoded PowerShell, scheduled tasks, and regsvr32 and offer our recommendations for detection logic. Alerts should focus on prominent threats to ensure efficient use of resources, so defenders can chase that pie-in-the-sky, elusive goal: finding cost savings for the company.

#1 Hiding with Encoded PowerShell Commands

PowerShell is one of the most popular tools available on Windows offering extensive command-line capabilities (also making them necessarily incredibly noisy, see how we bring together threat identifiers to create a high fidelity alert). PowerShell comes as a native binary since Windows 7 and Windows Server 2012 R2. Microsoft designed it to allow users to automate tasks and configuration management. With such robust features, threat actors commonly leverage its versatility for command execution. PowerShell allows the command to be obfuscated/encoded, providing attackers with a useful defense evasion mechanism. Detections identifying encoded commands can be helpful, as its usage should not be as common and worth investigative review. Network administrators rarely need to obfuscate their commands/scripts. Unlike threat actors, notable threat activity leveraging this technique includes BlueSky ransomware, Mikubot, and Gootkit.

‍Threat Actors using Encoded PowerShell Technique

Black Basta Ransomware: This new ransomware strain appeared in the first quarter of 2022, likely operating as early as February 2022 based on compilation times of the malware. By June 2022, the ransomware gang had compromised nearly 50 victims. The ransomware group has not displayed a penchant for specific industries; however, all victims have been from English-speaking countries. The ransomware gang operators use an encoded PowerShell command to deploy their ransomware.
LockBit Ransomware: Recently updated with LockBit 3.0, the ransomware as a service (RaaS) has impacted many organizations in the first half of 2022, as evident from telemetry by SEKOIA.IO and The Record. Documented in SEKOIA.IO’s first half of 2022, pulse LockBit was identified as the most active group as they’ve claimed at least 439 victims and account for 32.52% of all ransomware campaigns. LockBit’s toolset has commonly leveraged base64 encoded PowerShell scripts.
Threat Actor UAC-0056: Tracking by Malwarebytes Labs and CERT-UA, the threat group UAC-0056 has repeatedly launched phishing campaigns against the Ukraine government to be attributed to the threat actor group, UAC-0056 (AKA UNC2589, TA471). While the phishing themes have changed to reflect the state of the war and humanitarian issues, the attacker's tactics, techniques, and procedures (TTPs) stayed consistent, using the same VBA macro to demonstrate a common attack schema. Following the macro execution, the attacker's malware payload establishes persistence in the run registry, and an encoded PowerShell script sets the stage for Cobalt Strike.

Forge Detection to Find Encoded PowerShell

PowerShell Logging: PowerShell logging can provide abundant visibility to blue team defenders. Activity from encoded PowerShell commands can be identified from 4103 events, or the raw deobfuscated command can be identified with PowerShell script block logging enabled with 4104 events. Tuning considerations can include observing the PowerShell command’s path or calculating how many times the command has been observed.

Windows Event Logs:

Process creation events with windows event logs can identify command line parameters using encoded flags.

‍#2 Threats Are Sticking Around with Scheduled Tasks‍

MITRE Engenuity’s Sights ecosystem reported data analytics in February 2022 and has identified Scheduled Task/Job as the most commonly observed tactic and technique. An essential tool for persistence, threat actors have commonly looked to schtasks.exe to maintain access or to ensure code execution is recurring. The latest round of threats leveraging schtasks task includes Chinese espionage group TA428, Amadey Bot, and GoMet backdoor.

MITRE Engenutiy, Center for Threat Informed Defense Sights Ecosystem

You don’t have to go home, but you can’t stay here - Threat Groups Who Don’t Want to Leave using Schtasks

Evilnum APT group: This threat group has been active since the start of 2022. With campaigns primarily focused on financial service organizations, specifically those associated with trading and compliance. Zscaler researchers have also observed the group’s interest in targeting an Intergovernmental organization involved with international migration services in March 2022. Evilnum APT group's network infrastructure has not been identified by security vendors demonstrating the group's proficiency in operating stealthily. The threat actor leverages scheduled tasks to establish persistence.
APT29: Associated with Russia's Foreign Intelligence Service (SVR), the threat group has been operating since 2008. The group’s motives align with the goals of the Russian government, targeting various entities in North America, Europe, Asia, and the Middle East. Most notably, APT29 has been attributed to the SolarWinds supply chain compromise in September 2019. Scheduled tasks are used by the group for persistence, as the group’s SUNSPOT malware utilized scheduled tasks to maintain persistence during the SolarWinds intrusion. Additionally, new tasks created on remote hosts facilitate lateral movement.
APT41: A Chinese state-sponsored espionage group, APT41 operates in the interest of the Chinese government, with any operations conducted outside of the control of the state to be financially motivated. APT41 targets public and private entities. In early 2022, Mandiant observed the group exploiting many public-facing applications using zero-day vulnerabilities. Compromised systems from APT41 also leverage scheduled tasks for persistence.

‍Forge Detection for Pesky Persistence

Using Windows Event Logs, process creation events can be leveraged to identify the creation and modification of schtasks.

Additional events codes related to scheduled tasks includes:

4698 - Creation of a scheduled task
4700 - When a scheduled task has been enabled
4702 - An update to a scheduled task

#3 A Helpful Native, regsvr32

Attacks with living-off-the-land binaries (LOLBins) are increasingly prominent as threat actors are taking advantage of binaries local to the system to achieve post-exploitation objectives. Many Microsoft signed binaries such as rundll32, mshta, certutil, PowerShell, and others are prevalent. For our trending threat example, we highlight the command-line utility regsvr32 commonly used to register DLLs, a valuable capability for many threat actors. The latest threats utilizing regsvr32 include initial access with LNK files, Conti during their attack against the Costa Rica government, and Qakbot/Qbot.

Threat Groups Taking Advantage of This Trusted Binary

APT32: Active since 2014, APT32 a suspected Vietnam-based threat group conducts operations based on the interests of Vietnam. Threat activity has included espionage operations against private companies, foreign governments, and journalists. Geographically the group has often targeted Southeast Asian countries. The group has utilized Regsvr32 during their initial infection process.
Kimsuky: An espionage group based in North Korea, Kimsuky has been active since 2012, focusing on intelligence collection. Notable targets have included South Korean government entities, think tanks, and experts in specific fields. Geographically the Kimsuky has targeted organizations in the United States, Europe, Japan, South Korea, and Russia. The intelligence of interest to the group involves topics associated with foreign policy and national security issues. Kimsuky has used regsvr32 to execute malware.
Lazarus: A North Korean advanced persistent threat group, active since 2009. Lazarus has gained notoriety from high-profile breaches, including hacks against Sony Pictures in 2014 and the Bangladesh Bank in 2016. The group is also responsible for the spread of WannaCry ransomware in 2017. Lazarus has also used regsvr32 to execute their malware.

Forge Detection For the LOLBin

Process creation, events from Windows can identify when regsvr32 has been spawned. A filter can be added to increase rule fidelity to identify results in which regsvr32 was executed in a command line.

All Together Now - Piece together Indicators For A Behavioral-based Detection Scenario

The techniques listed above are worthwhile indicators on their own however, we can increase their viability by sequencing them together to detect threat behaviors. Using intelligence documented by Cybereason involving an attack with Qakbot/Qbot to launch Cobalt strike we observe the threat actor utilizing all three described techniques with regsvr32, scheduled tasks to create persistence, and encoded PowerShell commands. To this point, we’ve only provided alerting for pieces of the attack, however, the data can be leveraged one step further.

Using the Anvilogic scenario builder, we can sequence threat indicators based on the attack chain to create a high-fidelity threat scenario for detection. Identifying specific techniques can only offer a partial picture of threat actor activity. Whereas sequencing threat identifiers with Anvilogic’s no-code scenario builder enables detection engineers to recreate an attack chain easily and maximize their content inventory.

Anvilogic Threat Scenario: Qakbot/Qbot & Cobalt Strike

Detection engineering is an essential component of an organization’s cybersecurity program with a difficult mission. Balancing the development of detections based on the organization’s needs while avoiding analyst fatigue doesn’t lead to many happy hour invites. In order to support objectives for detection teams, intelligence gathered from threat research should be used to consistently provide feedback to the team to ensure they are implementing and prioritizing relevant content in their environment for alerting.

Our research presented three threat indicators encoded PowerShell, schtasks, and regsvr32 as strong candidates for an organization’s alert library based on activity trending in cyberspace. Maintaining a pulse on the erratic realm of cybercrime helps bring clarity to developing an up-to-date defensive strategy. By actioning reports, defenders can immediately implement response capabilities to alert on active threats. The Forge team offers an extensive library of readily available threat identifiers, scenarios, and intelligence reporting to ensure organizations are aware of the latest trending threats.

About the team

‍The Anvilogic Forge is a team of security professionals dedicated to tracking threats and crafting reliable detection strategies for our trusted clients while contributing to our peers in the security industry. Our mission is to assess the operational behaviors of all threats to provide the community, and our customers, with actionable information and enterprise-ready detections to defend themselves in an ever-changing threat landscape.

“We’re a team of people devoted to the defense of the cybersecurity community and overcoming the challenges of cyberattacks. We work tirelessly into the night, tracking and responding to invisible threats. We follow dangerous paths and light the way forward with the glow of the Forge to take security out of the dark.”

About the Forge Author

Kevin Lo is a threat researcher for the Anvilogic Forge team, where he is responsible for threat research and intelligence.

Prior to Anvilogic, Kevin was a cybersecurity analyst at a US financial institution serving roles in digital forensics, cybersecurity operations, and detection engineering. Kevin currently resides in Albany, NY. He holds a Bachelor's degree from Syracuse University in Information Management & Technology with a concentration in Information Security. Kevin holds several cybersecurity certifications with GIAC and MITRE ATT&CK.

References