Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Extended Detection and Response customers.
Executive summary
Once a malicious actor has gained initial access to an internal asset, they may attempt to conduct command and control activity. The 'Command and Control' (C&C) tactic, as identified by the MITRE ATT&CK® Framework, consists "of techniques that adversaries may use to communicate with systems under their control within a victim network." Cobalt Strike is an effective adversary simulation tool used in security assessments, but it has been abused by malicious actors for Command and Control of victim networks. Once configured by attackers, it can be used to deploy malicious software, execute scripts, and more.
This investigation began when the Managed Extended Detection and Response (MXDR) analyst team received several alarms involving the detection of Cobalt Strike on an internal customer asset. Within ten minutes of this activity, the attacker launched a Meterpreter reverse shell and successfully installed the remote access tools Atera and Splashtop Streamer on the asset. These actions allowed the attacker to establish multiple channels of command and control. In response, the MXDR team created an investigation and informed the customer of this activity. The customer determined that an endpoint detection and response (EDR) agent was not running on this asset, which could have prevented this attack from occurring. The threat was remediated by isolating the asset and scanning it with SentinelOne to remove indicators of compromise. Additionally, Cobalt Strike, Atera, and Splashtop Streamer were added to SentinelOne's blacklist to prevent unauthorized execution of this software in the customer environment.
Investigation
Initial alarm review
Indicators of Compromise (IOC)
The initial alarm was triggered by a Windows Defender detection of Cobalt Strike on an internal customer asset. The associated log was forwarded to USM Anywhere using NXLog, and the detection was made by a Windows Defender signature. Multiple processes related to Cobalt Strike were attached to this alarm.
Cobalt Strike, as mentioned previously, is a legitimate security tool that can be abused by malicious actors for Command and Control of compromised machines. In this instance, a Cobalt Strike Beacon was installed on the compromised asset to communicate with the attacker's infrastructure. Windows Defender took action to prevent these processes from running.
Immediately following the Cobalt Strike detection, an additional alarm was triggered for a Meterpreter reverse shell.
A Meterpreter reverse shell is a component of the Metasploit Framework. It requires the attacker to set up a remote 'listener' on their own infrastructure that waits for inbound connections; upon successful exploitation, the victim machine connects out to this listener, establishing a channel through which the attacker can send commands. Because the connection is initiated by the victim, it often passes through firewalls that only restrict inbound traffic. A Meterpreter reverse shell can be used to upload files to the victim machine, record user keystrokes, and more. In this instance, Windows Defender also took action to prevent this process from running.
Expanded investigation
Events search
During post-exploitation, an attacker may create scheduled tasks that run periodically, disable antivirus, or configure malicious applications to execute at startup. To query for this activity, specific event names, such as 'Windows Autostart Location', 'New Scheduled Task', and events containing 'Windows Defender', were added to a filter in USM Anywhere. An additional filter was applied to display only events occurring in the last 24 hours. This expanded event search provided context into attacker activity around the time of the initial Cobalt Strike and Meterpreter alarms.
Event deep dive
Just after the Cobalt Strike and Meterpreter detections, a scheduled task named "Monitoring Recovery" was created. Task registration is recorded in the Microsoft-Windows-TaskScheduler/Operational log as Event ID 106.
This scheduled task was used to install two remote monitoring and management (RMM) applications: Atera and Splashtop Streamer.
Shortly after this task was created and executed, an event was received indicating that "AteraAgent.exe" had been added as a Windows auto-start service. Service installations of this kind are also recorded in the System log as Event ID 7045 ("A service was installed in the system"), which is worth searching directly when hunting on the host itself.
AteraAgent.exe is associated with Atera, a legitimate computer management utility that allows for remote access, management, and monitoring of computer systems, but it has been abused by attackers for command and control of compromised systems.
This change was followed by an event involving "SRService.exe" being added as a Windows auto-start service on the same asset.
SRService.exe is associated with the Splashtop Streamer service, a remote access utility commonly used by IT support that has also been abused by attackers for C&C communications.
At this point, the attacker had attempted to create multiple channels for command and control using Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer. While the Cobalt Strike and Meterpreter sessions were terminated by Windows Defender, Atera and Splashtop Streamer were successfully installed as auto-start services. This allowed the attacker to establish persistence in the customer environment. Persistence, as defined by the MITRE ATT&CK framework, allows the attacker to maintain "access to systems across restarts, changed credentials, and other interruptions that could cut off their access."
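The event search and the sequence above (Defender detection, then a new scheduled task, then auto-start services for RMM binaries) can be turned into a correlation rule. The following is an added example written for this article; it is not code from the original post, from AT&T, or from USM Anywhere. It assumes a normalized event record shape, maps the USM Anywhere event names from the search above to Windows channel/event-ID pairs (Windows Defender 1116/1117, Task Scheduler 106, System 7045; that mapping is an assumption), and runs over a handful of constructed events. The hostnames, timestamps, threat names and image paths are all invented for the sample.

```python
"""Correlate Defender detections with new scheduled tasks and auto-start
services for known RMM binaries.  Added example; event records below are
constructed and simplified, not real telemetry from the incident."""

from collections import defaultdict
from datetime import datetime, timedelta

# Service binaries of the RMM tools abused in the post; extend as needed.
RMM_IMAGES = {"ateraagent.exe", "srservice.exe"}

# USM Anywhere event names from the search, keyed by (channel, event id).
# The channel/id mapping is an assumption for this example.
EVENT_NAMES = {
    ("Microsoft-Windows-Windows Defender/Operational", 1116): "Windows Defender Detection",
    ("Microsoft-Windows-Windows Defender/Operational", 1117): "Windows Defender Action Taken",
    ("Microsoft-Windows-TaskScheduler/Operational", 106): "New Scheduled Task",
    ("System", 7045): "Windows Autostart Location",
}
DEFENDER_IDS = {1116, 1117}


def image_name(image_path):
    """Basename of a service binary, tolerating quotes and trailing arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        p = p.split()[0]
    return p.replace("\\", "/").rsplit("/", 1)[-1].lower()


def search_events(events, now, hours=24):
    """The 'events search' step: only the named events from the last `hours`."""
    since = now - timedelta(hours=hours)
    return [e for e in events
            if e["time"] >= since and (e["channel"], e["event_id"]) in EVENT_NAMES]


def correlate(events, window=timedelta(minutes=30)):
    """Per host: first Defender detection, then within `window` a new task
    followed by an auto-start service whose binary is a known RMM agent."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        detections = [e for e in evs if e["event_id"] in DEFENDER_IDS]
        if not detections:
            continue
        start = detections[0]["time"]
        later = [e for e in evs if start < e["time"] <= start + window]
        tasks = [e for e in later if e["event_id"] == 106]
        services = [e for e in later if e["event_id"] == 7045
                    and image_name(e["image_path"]) in RMM_IMAGES
                    and any(t["time"] < e["time"] for t in tasks)]
        if services:
            findings.append({
                "host": host,
                "threats": [d["threat"] for d in detections if d["time"] <= start + window],
                "tasks": [t["task_name"] for t in tasks],
                "services": [(s["service_name"], image_name(s["image_path"])) for s in services],
            })
    return findings


# --- constructed sample data (not from the incident) ---------------------
T0 = datetime(2023, 1, 10, 14, 0)
NOW = T0 + timedelta(hours=1)


def ev(minutes, host, channel, event_id, **fields):
    return {"time": T0 + timedelta(minutes=minutes), "host": host,
            "channel": channel, "event_id": event_id, **fields}


DEF = "Microsoft-Windows-Windows Defender/Operational"
TS = "Microsoft-Windows-TaskScheduler/Operational"
SAMPLE_EVENTS = [
    # older than 24 h: dropped by search_events
    ev(-1500, "WS-17", "System", 7045, service_name="OldSvc",
       image_path=r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ev(0, "WS-17", DEF, 1116, threat="Backdoor:Win32/CobaltStrike"),
    ev(1, "WS-17", DEF, 1116, threat="Trojan:Win32/Meterpreter"),
    ev(3, "WS-17", TS, 106, task_name=r"\Monitoring Recovery"),
    ev(6, "WS-17", "System", 7045, service_name="AteraAgent",
       image_path=r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"'),
    ev(8, "WS-17", "System", 7045, service_name="SplashtopRemoteService",
       image_path=r'"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"'),
    # benign task on another host: no detection, not flagged
    ev(10, "WS-22", TS, 106, task_name=r"\Microsoft\Windows\Defrag\ScheduledDefrag"),
    # RMM install with no preceding detection: not flagged by this rule,
    # but a candidate for a separate RMM allow-list check
    ev(12, "WS-31", "System", 7045, service_name="AteraAgent",
       image_path=r'"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"'),
]


def run():
    return correlate(search_events(SAMPLE_EVENTS, NOW))


if __name__ == "__main__":
    for f in run():
        print(f)
```

The rule deliberately anchors on the Defender detection so that routine, IT-approved RMM installs on other hosts (WS-31 above) do not fire; in an environment where Atera and Splashtop are not sanctioned at all, the simpler check is to alert on any 7045 whose image is in RMM_IMAGES, independent of a detection.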
Response
Building the investigation
All alarms and events were carefully recorded in an investigation created in USM Anywhere. The customer was immediately contacted regarding this compromise, which led to an 'all-hands-on-deck' call to remediate the threat. The compromise was escalated to the customer's Threat Hunter, as well as to management and Tier 2 analysts.
Customer interaction
The MXDR team worked directly with the customer to contain and remediate this threat. The asset was quarantined from the customer network and scanned for malicious indicators using SentinelOne. The customer then installed the SentinelOne EDR agent on the asset to protect it from current threats. Additionally, the unauthorized applications Cobalt Strike, Meterpreter, Atera, and Splashtop Streamer were added to SentinelOne's blacklist to prevent future execution of these programs in the customer environment.
Limitations and opportunities
Limitations
While this compromise was quickly detected and contained, the customer lacked the protection required to prevent the applications Atera and Splashtop Streamer from being installed and registered as Windows auto-start services.
Opportunities
To protect an enterprise network from current threats, a multi-layered approach must be taken, otherwise known as 'Defense in Depth.' This involves multiple layers of security, including Endpoint Detection and Response, implementation of a SIEM (Security Information and Event Management system), and additional security controls. An EDR agent on this asset would likely have blocked this behavior before the RMM agents were installed, rather than leaving Windows Defender as the only control. AT&T's Managed Endpoint Security (MES) provides endpoint detection and response and can be used in conjunction with USM Anywhere to actively detect, prevent, and notify the customer of malicious activity in their environment.