OTRF/detection-hackathon-apt29

10.B) Registry Run Keys / Startup Folder

Cyb3rWard0g opened this issue · 3 comments

Description

The payload in the Startup folder executes a follow-on payload using a stolen token (T1106, T1134).

10.B.1 Registry Run Keys / Startup Folder

Procedure: Executed LNK payload (hostui.lnk) in Startup Folder on user login
Criteria: Evidence that the file hostui.lnk (which executes hostui.bat as a byproduct) was executed from the Startup Folder

10.B.2 Execution through API

Procedure: Executed PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe executing the CreateProcessWithToken API

No evidence showing that specific API. However, we can see a few events around the Secondary Logon service:

SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
    AND LOWER(Message) LIKE '%seclogon%'

Results

 Message | Registry value set:
RuleName: -
EventType: SetValue
UtcTime: 2020-05-02 03:19:49.376
ProcessGuid: {47ab858c-e6ad-5eac-0b00-000000000500}
ProcessId: 736
Image: C:\windows\system32\services.exe
TargetObject: HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\4\52C64B7E\@%SystemRoot%\system32\seclogon.dll,-7001
Details: Secondary Logon
---------
 Message | Process Create:
RuleName: -
UtcTime: 2020-05-02 03:21:27.646
ProcessGuid: {47ab858c-e737-5eac-fd00-000000000500}
ProcessId: 8552
Image: C:\Windows\System32\svchost.exe
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Host Process for Windows Services
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: svchost.exe
CommandLine: C:\windows\system32\svchost.exe -k netsvcs -p -s seclogon
CurrentDirectory: C:\windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {47ab858c-e6ad-5eac-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=75C5A97F521F760E32A4A9639A653EED862E9C61,MD5=9520A99E77D6196D0D09833146424113,SHA256=DD191A5B23DF92E12A8852291F9FB5ED594B76A28A5A464418442584AFD1E048,IMPHASH=247B9220E5D9B720A82B2C8B5069AD69
ParentProcessGuid: {47ab858c-e6ad-5eac-0b00-000000000500}
ParentProcessId: 736
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\windows\system32\services.exe
---------
 Message | Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:21:27.728
ProcessGuid: {47ab858c-e737-5eac-fd00-000000000500}
ProcessId: 8552
Image: C:\Windows\System32\svchost.exe
ImageLoaded: C:\Windows\System32\seclogon.dll
FileVersion: 10.0.18362.1 (WinBuild.160101.0800)
Description: Secondary Logon Service DLL
Product: Microsoft® Windows® Operating System
Company: Microsoft Corporation
OriginalFileName: SECLOGON.EXE
Hashes: SHA1=727438B3F418A35750711DAE7E067F1281B7A2D5,MD5=512FD6039A256324A745DF4FA01D5D02,SHA256=5EDDB6B714C2D35085D09BFDA3FED3365385B949DD62C6A405EC161C9F9AC2EA,IMPHASH=B4CC945C4478763CC6A46E35E4598994
Signed: true
Signature: Microsoft Windows
SignatureStatus: Valid
---------
 Message | Process accessed:
RuleName: -
UtcTime: 2020-05-02 03:21:27.837
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
SourceProcessId: 8552
SourceThreadId: 8580
SourceImage: C:\windows\system32\svchost.exe
TargetProcessGUID: {47ab858c-e737-5eac-fa00-000000000500}
TargetProcessId: 8452
TargetImage: C:\Windows\System32\hostui.exe
GrantedAccess: 0x14C0
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9c584|C:\windows\System32\KERNELBASE.dll+2732e|c:\windows\system32\seclogon.dll+128f|c:\windows\system32\seclogon.dll+10a0|C:\windows\System32\RPCRT4.dll+76953|C:\windows\System32\RPCRT4.dll+da036|C:\windows\System32\RPCRT4.dll+37a4c|C:\windows\System32\RPCRT4.dll+548c8|C:\windows\System32\RPCRT4.dll+2c921|C:\windows\System32\RPCRT4.dll+2c1db|C:\windows\System32\RPCRT4.dll+1a86f|C:\windows\System32\RPCRT4.dll+19d1a|C:\windows\System32\RPCRT4.dll+19301|C:\windows\System32\RPCRT4.dll+18d6e|C:\windows\System32\RPCRT4.dll+169a5|C:\windows\SYSTEM32\ntdll.dll+3346d|C:\windows\SYSTEM32\ntdll.dll+341c2|C:\windows\System32\KERNEL32.DLL+17bd4|C:\windows\SYSTEM32\ntdll.dll+6ced1
------
 Message | Process accessed:
RuleName: -
UtcTime: 2020-05-02 03:21:27.853
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
SourceProcessId: 8552
SourceThreadId: 8580
SourceImage: C:\windows\system32\svchost.exe
TargetProcessGUID: {47ab858c-e737-5eac-fe00-000000000500}
TargetProcessId: 8588
TargetImage: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
GrantedAccess: 0x1FFFFF
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9d934|C:\windows\System32\KERNELBASE.dll+5f42a|C:\windows\System32\KERNELBASE.dll+5b4d3|C:\windows\System32\KERNEL32.DLL+1c9af|c:\windows\system32\seclogon.dll+17fd|c:\windows\system32\seclogon.dll+10a0|C:\windows\System32\RPCRT4.dll+76953|C:\windows\System32\RPCRT4.dll+da036|C:\windows\System32\RPCRT4.dll+37a4c|C:\windows\System32\RPCRT4.dll+548c8|C:\windows\System32\RPCRT4.dll+2c921|C:\windows\System32\RPCRT4.dll+2c1db|C:\windows\System32\RPCRT4.dll+1a86f|C:\windows\System32\RPCRT4.dll+19d1a|C:\windows\System32\RPCRT4.dll+19301|C:\windows\System32\RPCRT4.dll+18d6e|C:\windows\System32\RPCRT4.dll+169a5|C:\windows\SYSTEM32\ntdll.dll+3346d|C:\windows\SYSTEM32\ntdll.dll+341c2|C:\windows\System32\KERNEL32.DLL+17bd4|C:\windows\SYSTEM32\ntdll.dll+6ced1

10.B.3 Access Token Manipulation

Procedure: Manipulated the token of the PowerShell payload via the CreateProcessWithToken API
Criteria: hostui.exe manipulating the token of powershell.exe via the CreateProcessWithToken API OR powershell.exe executing with the stolen token of explorer.exe
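As an added example (not code from the issue or from OTRF's own tooling), the correlation the events above suggest, in Python: find svchost instances hosting the Secondary Logon service, keep the ProcessAccess events they issue from inside seclogon.dll, and pair the first target (the RPC caller, hostui.exe here) with the next one (the process created for it, powershell.exe). The pairing heuristic and the 5-second window are assumptions; the sample messages are constructed, trimmed copies of the Sysmon records above.

```python
import re
from datetime import datetime
# Constructed sample Sysmon messages: trimmed copies of the records in the issue above
# (event kind, timestamps, GUIDs, images and a CallTrace fragment kept, other fields dropped).
SAMPLE_MESSAGES = [
    r"""Process Create:
UtcTime: 2020-05-02 03:21:27.646
ProcessGuid: {47ab858c-e737-5eac-fd00-000000000500}
Image: C:\Windows\System32\svchost.exe
CommandLine: C:\windows\system32\svchost.exe -k netsvcs -p -s seclogon""",
    r"""Process accessed:
UtcTime: 2020-05-02 03:21:27.837
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
TargetImage: C:\Windows\System32\hostui.exe
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9c584|c:\windows\system32\seclogon.dll+128f""",
    r"""Process accessed:
UtcTime: 2020-05-02 03:21:27.853
SourceProcessGUID: {47ab858c-e737-5eac-fd00-000000000500}
TargetImage: C:\windows\System32\WindowsPowerShell\v1.0\powershell.exe
CallTrace: C:\windows\SYSTEM32\ntdll.dll+9d934|c:\windows\system32\seclogon.dll+17fd""",
]
def parse_message(msg):
    # Sysmon 'Key: Value' message body; the first line names the event kind
    lines = msg.strip().splitlines()
    fields = {"EventKind": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def find_seclogon_token_use(messages, window_s=5.0):
    """(caller_image, spawned_image) pairs: the seclogon host opened two processes back to back."""
    events = [parse_message(m) for m in messages]
    # svchost instances hosting the Secondary Logon service (-s seclogon)
    hosts = {e["ProcessGuid"] for e in events
             if e["EventKind"] == "Process Create"
             and e.get("Image", "").lower().endswith("\\svchost.exe")
             and re.search(r"-s\s+seclogon\b", e.get("CommandLine", ""), re.I)}
    # ProcessAccess events issued by those hosts with seclogon.dll on the call stack
    hits = sorted((e for e in events if e["EventKind"] == "Process accessed"
                   and e.get("SourceProcessGUID") in hosts
                   and "seclogon.dll" in e.get("CallTrace", "").lower()),
                  key=lambda e: e["UtcTime"])
    # heuristic (assumption): first open is the RPC caller, the next within the window is the new process
    return [(a["TargetImage"], b["TargetImage"]) for a, b in zip(hits, hits[1:])
            if a["SourceProcessGUID"] == b["SourceProcessGUID"]
            and (_ts(b["UtcTime"]) - _ts(a["UtcTime"])).total_seconds() <= window_s]
```

Without the Process Create event that ties the svchost GUID to `-s seclogon`, the ProcessAccess events alone produce no finding, which is why the query in the issue keys on the service name rather than on svchost.exe.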