Articles written by Adlumin’s Threat Research Team on emerging threats, industry stats, and defense tactics against cyberattacks.

Unraveling Cyber Defense Model Secrets: DCSync Attacks

By: Joshua Beach, Detection Engineer and Andrew Chapin, Threat Researcher

Welcome to the Unraveling Cyber Defense Model Secrets series where we shine a light on Adlumin’s Data Science team and explore the team’s latest detections and learn how to navigate the cyberattack landscape.

DCSync Attacks are hard to protect and used often by cybercriminals who aim to takeover your network. In this blog, we’ll walk you through the methodology, detection and  more, let’s begin:

Domain control is a common intermediate goal in many cyber attack scenarios including Advanced Persistent Threat (APT), Inside Threat, and Ransomware. Executing a Domain Controller Sync (DCSync) attack is a popular method for achieving domain control. Often reliant on the exploit tool Mimikatz, DCSync can also be performed with manual methods.

Methodology

A DCSync attack targets Windows Active Directory (AD).

In this type of attack, a threat actor targets a feature in AD called the domain controller (DC) which allows different parts of the network to share and synchronize data.

The domain controller is a high value target because it stores a secured database that contains sensitive information, such as user account records with usernames and password hashes.

During a DCSync attack, the threat actor attempts to trick the domain controller into sharing the user account information by utilizing the Directory Replication Service Remote (DRSR) protocol. This allows the threat actor to pretend to be another trusted domain controller that is part of the network.

A successful DCSync attack, allows an attacker to steal sensitive account records in the database. The attacker will then try to crack the password hashes and gain unauthorized access to user accounts (including to network admin or super-admin accounts) and gain more control over the network.

Detection

Adlumin has created a detection for DCSync Attacks that can recognize and alert on the methodology used by threat actors described above. This allows for quick mitigation and remediation for clients.

The starting point is to review Directory Replication Service Remote (DRSR) related logs found in the Windows security log. Specifically, events with ID 4662.

Then, logs are filtered to focus on entries where the requesting user possesses the necessary credentials to make domain requests. The logs are examined to identify any suspicious or unauthorized domain requests that may indicate a DCSync attack.

The challenge is to sift through benign activity in this subset of DRSR logs.

The DRSR protocol is primarily used within networks to provide redundancy for multiple domain controllers. Thus, DC to DC replication is considered normal, while DC to host replication is not.

Adlumin will flag any DCSync requests from non-DC hosts as potential malicious activity. A security team can then quickly identify and respond to any potential threats against the domain controllers running on the network.

Remediation View: 

The Problem

The DCSync attack methodology takes advantage of the Directory Replication Service Remote (DRSR) protocol to obtain sensitive information from a domain controller. This functionality is not a bug, but rather is intended activity to provide user friendly redundancy in a multi-DC network.

This technique involves an adversary masquerading as a domain controller (DC) and convincing the authentic DC to synchronize its database to the new rogue DC by issuing a replication request. The results of a successful DCSync attack will provide the adversary with password hashes of the targeted users. In most cases, this will include all users.

The Algorithm

By using the associated logs resulting from actual DCSync attacks, Adlumin is able to filter on their defining characteristics to build detections. A few of these factors include user replication rights, if the requesting machine is a DC or not, and access rights. This rule-based detection scans every 6 hours for any new cases of this occurrence and will alert you for further investigation.

User Actions

When encountering an alert indicating a domain user attempting DCSync requests, the objective is to determine if the alert is an active threat or a false positive. But how?

Let’s remember that attackers rarely perform actions in isolation. Threat actors tend to chain together several steps. Therefore, we can check for other actions in tandem with the DCSync request.

Below is a list of items to check:

Verify User Account and Behavior

Verify authorized creation of the user account and if the DCSync behavior is normal for your network. This detection alerts on DCSync related behavior, but some organizations have been found to back up their domain controller data to non domain controllers. If this behavior is normal and accepted within your network, disregard this alert.

Domain Controller Syncing
Ensure that the host machine of the suspected DCSync attack is NOT a domain controller. Failure to identify it as such may result in a false positive. DCSync activity between Domain controllers is generally benign.

Enumeration of Permissions
The attacker will often check which accounts have the required permissions to perform the DCSync attack before performing the attack. Here is an example command:

Exploit Command
To perform the attack a program must be executed to make the request to the other domain controller. We can check process execution on the machine that was the origin of the attack and search for any suspicious process execution that occurred at the time of the DCSync attack.

Text BoxHere are some example commands:

Persistence
If the attacker has compromised a domain admin account, they may get the permissions required to perform the DCSync attack to another account.
Text BoxHere is an example command:

Network Traffic
The most effective way to discover and identify a DCSync attack is through network monitoring. Confirming whether the attack originated from a DC IP address on your network is much faster and less prone to false positives.

Here are some example Suricata signatures:

  1. Quarantine the DCSync user.
  2. Identify which credentials were compromised.
  3. Reset the credentials.

To make DCSync attacks more difficult, be sure to carefully control the following privileges in Active Directory:

  • Replicating Directory Changes
  • Replicating Directory Changes All
  • Replicating Directory Changes In Filtered Set

Decoding PowerDrop Vulnerability: AI and ML in Adlumin's Threat Hunting

Event details:

Thursday, July 27, 2023
2:00 PM EST

Presenter:

Kevin O’Connor, Director of Threat Research at Adlumin


About this talk:

In the ever-evolving landscape of cybersecurity threats, organizations face the constant challenge of detecting and mitigating sophisticated attacks in a timely manner. Implementing automation and machine learning into a threat hunting strategy is key, but what does that look like in practice?

Join Adlumin’s Director of Threat Research, Kevin O’Connor, as he demonstrates how his team discovered and remediated PowerDrop, an insidious PowerShell script for command and control attacks targeting the U.S. aerospace defense industry.

During Kevin’s live demo, you will learn:

  • How Adlumin’s Threat Research Team used Artificial Intelligence (AI) and Machine Learning (ML) to detect and remediate PowerDrop
  • Daily threat hunting methodologies employed by O’Connor and his team
  • Exploring the advantages of AI and ML in the field of threat hunting

As a thank you for joining our webinar, we’ll send you our new overview guide, The Executive’s Overview to Proactive Cybersecurity: Harnessing the Power of Security Operations. Additionally – one lucky attendee will receive a $200 Amazon gift card.


Navigating the MOVEit Vulnerability: How to Protect Your Organization

MOVEit or lose it: The vulnerability has been taking the industry by storm over the last few weeks. The vulnerability was found in the software, MOVEit Transfer and MOVEit Cloud. The tool is used to securely transfer files and encrypt data as it travels from one organization to another. The exploitation of this flaw could lead to escalated privileges and potential unauthorized access to the environment and then to servers and networks.

The flaw was first made public on June 2, but according to Microsoft, it was first observed on May 27, 2023. A second vulnerability was disclosed on June 15 and patched on June 16. The newest victims include several large financial institutions, educational institutions, SkillSoft and Norton LifeLock.

The Threat Actor Behind the Attacks

According to Microsoft, Lace Tempest is the cyber gang behind the exploitation of MOVEit software. The group is known for its use of Cl0p ransomware malware to attack banking, retail, education, transportation, manufacturing, engineering, automotive, energy, aerospace, telecommunications, professional and legal services, and other sectors.

The Cl0p ransomware gang has claimed responsibility for discovery and use of the associated vulnerabilities in zero-day exploit attacks against hundreds of companies using the publicly facing vulnerable MOVEit software and claims to have begun their operations May 27th, days before the first vulnerability was reported to NIST. 

Adlumin’s Threat Research finds this a rare example but increasingly common example of a severe zero-day vulnerability first being discovered and used by Ransomware-as-a-Service gangs along with gangs increasing migration to data extortion or double extortion as a tactic.

Below are the affected software versions:

  • MOVEit Transfer 2023.0.0 (15.0) 
  • MOVEit Transfer 2022.1.x (14.1) 
  • MOVEit Transfer 2022.0.x (14.0) 
  • MOVEit Transfer 2021.1.x (13.1) 
  • MOVEit Transfer 2021.0.x (13.0) 
  • MOVEit Transfer 2020.1.x (12.1) 
  • MOVEit Transfer 2020.0.x (12.0) or older. 
  • MOVEit Cloud

Block MOVEit through Patching

Progress Software has released patches for the three identified vulnerabilities so far, including for a vulnerability where exploitation has not yet been observed:

  • CVE-2023-35708 
  • CVE-2023-35036 
  • CVE-2023-34362

If you are using any of the above versions, Adlumin recommends that you patch immediately.

How to Protect Your IT Environment

Adlumin’s Threat Research team has looked for indicators of compromise across our customer data. One strong indicator is the existence of the file “human2.aspx” in the folder C:\MOVEitTransfer\wwwroot.

Below are the known IOCs to lookout for:

Web Shell

  • LEMURLOOT Web Shell

*We received these IOCs from a third-party source.

The Adlumin Approach

Adlumin has hunted for the indicators of compromise that have been reported publicly so far across all of our customers’ environments. We have also developed additional detections to monitor follow-on activity by the threat actor. Adlumin’s Threat Research Team will continue to monitor the threat, including the Cl0ps darknet leak site, and will notify customers accordingly.  

PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry

Key Takeaways

  • The Adlumin Threat Research discovered a new malicious PowerShell script called PowerDrop, targeting the U.S. aerospace industry.
  • This novel malware straddles the line between basic a “basic off-the-shelf threat” and tactics used by Advanced Persistent Threat Groups (APTs).
  • PowerDrop uses advanced techniques to evade detection such as deception, encoding, and encryption.
  • Adlumin has not yet identified the threat actor behind the malware, but suspects nation-state aggressors as the discovery comes at time of increased R&D into missile programs as the war in Ukraine continues.
  • Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

Introduction

The Adlumin Threat Research Team recently discovered and analyzed a new type of malware targeting the U.S. aerospace defense industry. The discovery comes at a time when more research and investment are put into missile programs as the war in Ukraine continues, and partners around the world remain on high alert.

“PowerDrop” is the name Adlumin researchers have given the malware they found implanted in the network of a domestic aerospace defense contractor in May 2023. The name is derived from the tool, Windows PowerShell, used to concoct the script, and “Drop” from the DROP (DRP) string used in the code for padding.

The threat was detected by Adlumin’s machine learning-based algorithms which analyze PowerShell commands and arguments at run-time.

Upon reverse engineering, Adlumin’s team found that the malware was made up of a new PowerShell and Windows Management Instrumentation (WMI) persisted Remote Access Tool (RAT). The code sends Internet Control Message Protocol (ICMP) echo request messages as a trigger for the malware’s command-and-control (C2), along with similar ICMP ping usage for data exfiltration.

In essence, researchers concluded that the malware is being used to run remote commands against victim networks after gaining initial access, execution, and persistence into servers.

The usage of PowerShell for remote access is not new, nor is WMI-based persistence of PowerShell scripts or ICMP triggering and tunneling, but what is novel about this malware is that another code like it hasn’t surfaced before, and it straddles the line between a basic “off-the-shelf-threat” and the advanced tactics used by Advanced Persistent Threat (APTs) Groups.

Adlumin has not yet identified the threat actor behind the malware, but nation-state aggressors are suspected.

“This latest attack shows the evolution of ‘living off the land’ tactics by threat actors,” said Adlumin’s Vice President of Strategy, Mark Sangster.

“While the core DNA of the threat is not particularly sophisticated, its ability to obfuscate suspicious activity and evade detection by endpoint defenses smacks of more sophisticated threat actors. The fact it targeted an aerospace contractor only confirms the likelihood of nation-state aggressors,” Sangster added.

Kevin O’Connor, who heads Adlumin’s Threat Research Team said that the malware uses triggers and exfil patterns which are easily flagged by intrusion detection systems, but that the malware also appears to be a “custom” development, using advanced techniques to evade detection such as deception, encoding, and encryption.

“Adlumin’s Threat Research Team believes this malware presents a real threat as it has been able to evade detection by some commonly deployed EDR software, likely due to its practice of encoding the PowerShell command line arguments and the use of WMI for persistence,” O’Connor added.

Threat Analysis

Adlumin first identified the PowerDrop malware based on a machine learning detection which looks at the content of executed PowerShell scripts versus the command line arguments typically analyzed by other security software.

“This allowed our detection algorithms to see through the encoded layer enabling machine learning-based detection on the actual content of the script which is acting as a backdoor or RAT,” O’Connor said.

The malware is a PowerShell command that is executed by the WMI service. The “script,” passed as a single command line argument to the native Window’s binary and subsystem. PowerShell is encoded using Base64 and UTF-16 Little Endian and is not persisted on disk as a .ps1 script file.

Sample of Base64 UTF-16LE encoded PowerShell payload:

Execution and Persistence

Adlumin analyzed the PowerShell process execution context to identify that the malicious PowerShell script/implant was being executed by the WMI service using previously registered WMI event filters and consumers.

The WMI event filter and consumer registrations were created by the malware during the initial installation of the PowerDrop implant.

The WMI event filter and consumer registrations are created using the WMI command line tool ‘wmic.exe’ and are executed using the ‘wmic.exe’ command line tool.

PowerDrop registers itself as a WMI event filter and consumer as observed in these Windows Event Logs:

The WMI event filter triggers the PowerShell command queries for updates made to the WMI class Win32_PerfFormattedData_PerfOS_System in the root\cimv2 namespace.

The Win32_PerfFormattedData_PerfOS_System class is the Windows Management Instrumentation (WMI) class that contains performance counters which monitor the performance of the Windows operating system.

The WMI event filter is triggered when the WMI class is updated, which then triggers the execution of the PowerShell script. Triggering by the filter is throttled to once every 120 seconds so long as the WMI class has been updated. In Windows, this WMI class is regularly updated with information such as processes, threads, queue length, and system calls per second, and therefore execution every 120 seconds is reliable and guaranteed on most systems.

WMI filter and consumer registrations for persistence and execution of PowerShell payloads have been seen in many other malware families as has the usage of the PerfOS_System WMI class as a reliable trigger for execution.

The EventFilter and CommandLineEventConsumer are both registered under the name, SystemPowerManager.

The WMI event consumer is a CommandLineEventConsumer which executes the PowerShell command line with the encoded PowerShell script as a command line argument.

We were unable to identify the source of the WMI event filter and consumer registrations, but we believe that the malware is likely using a previously known exploit to gain initial access to the victim’s computer such as a phishing email or drive-by download and execution through wscript.exe and that the command line filter and consumer registrations are created by the malware during the initial installation of the PowerDrop implant through a wmic.exe command line execution.

The Script/Implant

Once decoded the PowerShell script is a single line of PowerShell code made up of multiple statements, functions, and usually static variables.

Analysis of the decoded content shows that the script is a backdoor/RAT, which can execute remote PowerShell commands against the victim computer and exfiltrate the results of those commands.

Initially, PowerDrop attempts to reach out to a hard-coded IP address over an ICMP Echo Request message.

This request is originated by Windows PowerShell and has detectable attributes such as the ICMP Type and Code (8 and 0), the IPv4 Time to Live (TTL) being 128 as natively seen on Windows devices, the ICMP Identification number is set to ‘0x0001’ and the ICMP payload.

The ICMP trigger payload is a UTF16-LE encoded string that is not obfuscated, obscured, or encrypted. Observed examples used the simple string “!” as the trigger for the malware C2 beacon. We believe this simply signifies to the command-and-control infrastructure that this is a malware implant beacon and not a randomly received probe, which are common occurrences against Internet-facing devices.

Once the beacon has been sent, the victim machine waits 60 seconds for a response. This 60-second dwell time is varied from the typical default 10-second request timeout for ICMP Echo Request messages on Windows. This is likely to ensure that the malware can receive a response from the C2 server even if the network is experiencing high latency or packet loss especially given that there is no guaranteed delivery or acknowledgment for the ICMP Echo Request message.

In response to the PowerDrop beacon, the command-and-control server responds with an encrypted payload that is also padded with static data at the beginning and end of the message.

PowerDrop uses AES encryption with a 128-bit key and a 128-bit initialization vector (IV) to encrypt the payload. The AES key and IV are static symmetric keys that are hard coded into the PowerShell script and are not dynamically generated. The AES key and IV are also not obfuscated, obscured, or encrypted beyond the initial PowerShell script encoding.

PowerDrop is using the PowerShell provided interface, “CreatEncryptor” and “TransformFinalBlock” to encrypt and decrypt the payload.

PowerDrop will then receive a response from the C2 server in the form of an encrypted command. The implant will then decrypt the command, strip the prepending and postpending values, and execute the command using the Invoke-Expression cmdlet in PowerShell.

The implant will then take the results of the command and encrypt them using the same scheme used for decryption and send the results back to the C2 server.

Any oversized responses, those greater than 128 bytes, are split into multiple messages. The first message is sent with the first 128 bytes of the response and the subsequent messages are sent with the remaining bytes of the response in 128-bytes chunks. The C2 server is responsible for reassembling the response:

PowerDrop uses the strings “DRP” and “OCD” as prepending and postpending values bookmarking the response content to the C2 server. The prepending and postpending values are used to indicate the start and end of the response content.

If the response is split into multiple messages, then all messages with have the prepending “DRP” value, and only the final message with have both the “DRP” prefix and “ORD” suffix. The prepending and postpending values are not encrypted and are static values in the PowerShell script. Example of the prepending and postpending values:

“PowerDrop’s robust detection evasion characteristics is what makes this interesting,” said Sangster.

“This discovery by the Adlumin Threat Researchers shows that a master chef can make a Michelin-star meal with even the most basic ingredients. Infiltrating a critical aerospace defense contractor only makes this malware all the more appetizing,” he added.

Detections

Adlumin has produced the following detections to help identify potential instances of this malware both on the endpoint and through captured or monitored network traffic.

Snort Detection

This detection can be applied to outbound network traffic and detects instances of PowerDrop malware data exfiltration.

SIGMA

This SIGMA detection identifies PowerShell executions via the PowerShell script block for unencoded and required components of the PowerDrop malware:

Conclusion

Adlumin advises that those in the aerospace defense industry remain vigilant against this new malware that’s making the rounds. The company recommends running vulnerability scanning at the core of Windows systems and being on the lookout for unusual pinging activity from their networks to the outside.

“PowerDrop clearly shows that mixing old tactics with new techniques proves a powerful combination in today’s age,” said Will Ledesma, Director of Adlumin’s Cyber Security Operation Center.

“It highlights the importance of having dedicated 24/7 cybersecurity teams within any operational landscape,” Ledesma added.