This is Part 2 in a two-part series that examines actions taken by adversaries in a breach. In Part 1, we covered the steps taken to establish persistence in the environment. This post will dive into the steps the malware took to evade defenses as it disabled security tools, masqueraded as Windows binaries, accessed credential management libraries, and moved laterally across the network. A weaponized document was also observed executing obfuscated payloads in the environment late in the compromise assessment. This was likely one of the initial vectors; however, because Red Canary was not deployed in the environment prior to the breach, we do not have the endpoint data to determine root cause with certainty.

As in the previous post, we will show numerous threats mapped to the MITRE ATT&CK™ framework, referencing the related technique with the following format: Txxxx. Our observations have once again been split into chapters:

Chapter 7: Disabling Windows SpyNet and Defender
Chapter 8: Accessing Windows Credential Libraries
Chapter 10: The Likely Delivery Mechanism – Weaponized Document
Chapter 11: Masquerading as Windows Binaries

If you missed the backstory, be sure to check out Part 1 to get insight on the steps that the malware took to persist.

Chapter 7: Disabling Windows SpyNet and Defender

Malicious binaries were observed modifying the reporting mechanisms of antivirus and anti-malware software. In the following screenshot, the malware used the Windows registry to change the reporting setting of Microsoft's AntiMalware SpyNet service to a value of "0". This effectively prevented the submission of new malware samples from this endpoint to Microsoft for analysis (T1089).

A similar pattern was observed as the malware modified the reporting ability of Windows Defender. The malware continued to write copies of itself into user directories, then used the registry to create exclusion paths. In the screenshot below, the malware executable cowvtvec.exe was written into the "tech" user's directory. (Note: this is the same hash as the exucsfq.exe file above.) Once there, it wrote an exclusion path for the malware, then created a startup link to maintain persistence.

In the screenshot below, the malware can be seen executing from the g$ local file share, then accessing the Security Account Manager client library (samlib.dll), a library associated with authentication and security on Windows devices, to gain the permissions needed to modify the Windows registry.
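Detection logic for the SpyNet and Defender tampering described in Chapter 7, as an added example that is not part of the original post and not Red Canary's own detection code. It runs over a handful of constructed records shaped like Sysmon Event ID 13 (RegistryEvent: SetValue) and Event ID 11 (FileCreate). The registry locations are the real Defender ones: the SpynetReporting value set to 0 is what turns off SpyNet (now MAPS) cloud reporting, and each scan exclusion is a value under Exclusions\Paths whose data is 0. The process image paths, the user and file names, and the allowlist of expected writers are assumptions made for the example; T1060 is the legacy ATT&CK ID for startup-folder persistence, in the same numbering the post uses.

```python
"""Detection logic for Defender/SpyNet tampering over Sysmon-style events.
Added example for this page; not Red Canary's code.  Field names follow
Sysmon Event ID 13 (RegistryEvent: SetValue) and Event ID 11 (FileCreate);
the records themselves are constructed."""
import ntpath
import re

# Processes expected to write Defender settings legitimately (assumption;
# tune per environment).  Set-MpPreference changes are written by the
# Defender service and policy keys by the Group Policy client.
EXPECTED_WRITERS = {"msmpeng.exe", "svchost.exe"}

# (regex on TargetObject, predicate on DWORD data, description).
# Real Defender registry locations; data semantics:
#   SpynetReporting      0 = SpyNet/MAPS cloud reporting off
#   SubmitSamplesConsent 2 = never send samples
#   DisableAntiSpyware   1 = engine disabled by policy
#   Exclusions\Paths\<p> 0 = exclusion entry for path <p>
DEFENDER_TAMPER_RULES = [
    (r"\\Windows Defender\\Spynet\\SpynetReporting$", lambda v: v == 0,
     "SpyNet/MAPS reporting disabled"),
    (r"\\Windows Defender\\Spynet\\SubmitSamplesConsent$", lambda v: v == 2,
     "automatic sample submission disabled"),
    (r"\\Windows Defender\\DisableAntiSpyware$", lambda v: v == 1,
     "Defender disabled by policy"),
    (r"\\Windows Defender\\Exclusions\\Paths\\", lambda v: v == 0,
     "scan exclusion path added"),
]

# A .lnk dropped in a user's Startup folder runs at logon (T1060 in the
# ATT&CK numbering this post uses).
STARTUP_LNK = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.I)

# Sysmon renders DWORD data as "DWORD (0x00000000)".
DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]+)\)")


def parse_dword(details):
    """Return the integer in a Sysmon DWORD Details string, or None."""
    match = DWORD_RE.search(details or "")
    return int(match.group(1), 16) if match else None


def evaluate(event):
    """Classify one event; return (technique, description) or None."""
    image = ntpath.basename(event.get("Image", "")).lower()
    if event["EventID"] == 13:
        if image in EXPECTED_WRITERS:
            return None
        value = parse_dword(event.get("Details"))
        if value is None:
            return None
        for pattern, predicate, description in DEFENDER_TAMPER_RULES:
            if re.search(pattern, event["TargetObject"], re.I) and predicate(value):
                return ("T1089", description)
    elif event["EventID"] == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        return ("T1060", "shortcut written to a user Startup folder")
    return None


def detect(events):
    """Return [(technique, description, image)] for every matching event."""
    hits = []
    for event in events:
        result = evaluate(event)
        if result:
            hits.append((result[0], result[1], event["Image"]))
    return hits


# Constructed records modelled on the chapter above: the malware copy in the
# "tech" user's directory turns SpyNet reporting off, excludes its own
# directory, and drops a Startup shortcut.  Two benign-looking events are
# included to exercise the filters: an exclusion written by the Defender
# service, and SpynetReporting set to 2 (advanced membership, not tampering).
MALWARE = r"C:\Users\tech\cowvtvec.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": MALWARE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting"},
    {"EventID": 13, "Image": MALWARE, "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\tech"},
    {"EventID": 13, "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "Details": "DWORD (0x00000000)",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\D:\Builds"},
    {"EventID": 13, "Image": MALWARE, "Details": "DWORD (0x00000002)",
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\SpynetReporting"},
    {"EventID": 11, "Image": MALWARE,
     "TargetFilename": r"C:\Users\tech\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cowvtvec.lnk"},
]

if __name__ == "__main__":
    for technique, description, image in detect(SAMPLE_EVENTS):
        print(f"{technique}  {description}  <- {image}")
```

The writer allowlist is the part that needs the most local tuning: an administrator running Set-MpPreference produces the same Exclusions\Paths write, but from the Defender service rather than from a binary in a user profile, which is the distinction the rule leans on. Keying on the image name alone is weak against a renamed or injected process, so in production pair it with the image path and signer.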