{ "name": "Red Canary October 2020 Incident", "versions": { "attack": "8", "navigator": "4.0", "layer": "4.0" }, "domain": "enterprise-attack", "description": "This layer identifies the techniques observed during an October 2020 incident detected by Red Canary involving Bazar and Cobalt Strike. The details of this incident are available at https://redcanary.com/blog/. Techniques/sub-techniques that were used have a score of 1 and have a comment describing each procedure. Some techniques/sub-techniques have multiple procedures, which are separated with a dashed line. ", "filters": { "platforms": [ "Linux", "macOS", "Windows", "Office 365", "Azure AD", "AWS", "GCP", "Azure", "SaaS", "PRE", "Network" ] }, "sorting": 0, "layout": { "layout": "side", "showID": false, "showName": true }, "hideDisabled": false, "techniques": [ { "techniqueID": "T1087", "tactic": "discovery", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1087.002", "tactic": "discovery", "score": 1, "color": "", "comment": "We saw the adversary attempting to enumerate Windows domain administrator accounts, a behavior that we commonly associate with ransomware operators. In particular, we find it useful to look for `net group \"domain admins\" /dom` and `net group \"domain admins\" /domain`.\n----------\nWe observed the adversaries enumerating enterprise administrator accounts. We recommend looking for the command line `net group \"enterprise admins\" /domain`, which we observed in this incident, and also helps us catch other evil.\n----------\nAround the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`. This tool performs a massive amount of reconnaissance of networks hosting Windows systems to find privileged accounts to target. We often detect Sharphound/Bloodhound activity by hunting for many SMB connections over port 445 originating from a single process. ", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1059", "tactic": "execution", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1059.003", "tactic": "execution", "score": 1, "color": "", "comment": "A Cobalt Strike binary was dropped on the endpoint as a `.dll` file and executed by `rundll32.exe`. With that, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management Instrumentation (WMI) in their lateral movement attempt. WMI spawned `cmd.exe`, which subsequently spawned PowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon. We’ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil, too.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1482", "tactic": "discovery", "score": 1, "color": "", "comment": "Specifically, we observed the adversary using `nltest.exe` to make domain trust determinations. While you probably can’t disable `nltest.exe`, looking for instances of it executing with a command line that includes `/dclist:`, `/domain_trusts` or `/all_trusts` has proven to be a very high-fidelity analytic for us to catch both Bazar (in this incident) as well as TrickBot (in past incidents).", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1570", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "We observed successful lateral movement using Cobalt Strike’s SMB PsExec module. `services.exe` executed the previously-dropped Beacon payload with a child process of `rundll32.exe`. `rundll32.exe` had no command line arguments and performed multiple network connections over SMB (TCP port 445) to other systems on the network. The `admin$` share was used in each instance. To detect this the way we did, we recommend looking for `rundll32.exe` executing without any command-line parameters and also establishing network connections. Additionally, looking in the Windows System Event Log for events with ID 7045 could also give you the opportunity to detect this.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1003", "tactic": "credential-access", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1003.001", "tactic": "credential-access", "score": 1, "color": "", "comment": "We observed the adversaries obtaining credentials. We aren’t sure whether they were using Mimikatz, but we can say they used an lsass cross-process from `regsvr32.exe`, which is something Mimikatz does.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1027", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "Cobalt Strike uses the same structure for beacon payloads, consisting of an outer layer of Base64 encoding that contains within it another Base64 string, which is gzip-compressed. Once you’ve unzipped this compressed data you’ll see a more standard structure underneath. The string `IEX $DoIt` inside the gzip data is a dead-ringer that you’re looking at Cobalt Strike, but for quick detection purposes, looking for the entire string above in a command line can help you identify suspicious PowerShell activity.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1069", "tactic": "discovery", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1069.002", "tactic": "discovery", "score": 1, "color": "", "comment": "Less than an hour after the initial execution, we observed the operators downloading and executing `adfind.exe` for reconnaissance purposes. `adfind.exe` is an open source tool that extracts information from Active Directory. You could try looking for any use of `adfind.exe`—or disallowing it from your environment completely—but if that’s too noisy, here’s the specific commands we saw used that you could detect on: \n\nAdFind.exe -f \"(objectcategory=computer)\"\nAdFind.exe -f \"(objectcategory=group)\" \nAdFind.exe -f \"(objectcategory=organizationalUnit)\"\nAdFind.exe -f \"(objectcategory=person)\"\nAdFind.exe -subnets -f \"(objectCategory=subnet)\" \nAdFind.exe -sc trustdmp \nAdFind.exe -gcb -sc trustdmp\n", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1566", "tactic": "initial-access", "score": 1, "color": "", "comment": "Initial access came by way of a phishing email containing a PDF attachment. The user opened this attachment and clicked on a link in the PDF, which connected to Google Drive and downloaded a file named `Report[mm]-[dd].exe` (for example, the file name would be `Report10-29.exe` if the email was delivered on October 29). This `.exe` is known as Bazar, which has different components known by the community as BazaLoader, BazarLoader, and BazarBackdoor.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1055", "tactic": "defense-evasion", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1055", "tactic": "privilege-escalation", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1055.012", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "This `.exe` file used process hollowing techniques to inject into `cmd.exe`. You can identify this process hollowing, as we did, by looking for instances of the Windows Command prompt (`cmd.exe`) executing without any command-line parameters and establishing a network connection.\n----------\nWe also saw the adversary use process hollowing with both `explorer.exe` and `svchost.exe`. We observed `explorer.exe` spawning `svchost.exe`—this isn’t normal, so you should look for that in your environment. More broadly, you can look for `svchost.exe` processes where the parent is not `services.exe` to identify this and other malicious activity. (If you’ve never checked it out, we highly recommend looking at the SANS Hunt Evil poster!)\n----------\nAround the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1055.012", "tactic": "privilege-escalation", "score": 1, "color": "", "comment": "This `.exe` file used process hollowing techniques to inject into `cmd.exe`. You can identify this process hollowing, as we did, by looking for instances of the Windows Command prompt (`cmd.exe`) executing without any command-line parameters and establishing a network connection.\n----------\nWe also saw the adversary use process hollowing with both `explorer.exe` and `svchost.exe`. We observed `explorer.exe` spawning `svchost.exe`—this isn’t normal, so you should look for that in your environment. More broadly, you can look for `svchost.exe` processes where the parent is not `services.exe` to identify this and other malicious activity. (If you’ve never checked it out, we highly recommend looking at the SANS Hunt Evil poster!)\n----------\nAround the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1021", "tactic": "lateral-movement", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1021.002", "tactic": "lateral-movement", "score": 1, "color": "", "comment": "We observed successful lateral movement using Cobalt Strike’s SMB PsExec module. `services.exe` executed the previously-dropped Beacon payload with a child process of `rundll32.exe`. `rundll32.exe` had no command line arguments and performed multiple network connections over SMB (TCP port 445) to other systems on the network. The `admin$` share was used in each instance. To detect this the way we did, we recommend looking for `rundll32.exe` executing without any command-line parameters and also establishing network connections. Additionally, looking in the Windows System Event Log for events with ID 7045 could also give you the opportunity to detect this.\n----------\nAround the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`. This tool performs a massive amount of reconnaissance of networks hosting Windows systems to find privileged accounts to target. We often detect Sharphound/Bloodhound activity by hunting for many SMB connections over port 445 originating from a single process. ", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1018", "tactic": "discovery", "score": 1, "color": "", "comment": "Around the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`. This tool performs a massive amount of reconnaissance of networks hosting Windows systems to find privileged accounts to target. We often detect Sharphound/Bloodhound activity by hunting for many SMB connections over port 445 originating from a single process.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1218", "tactic": "defense-evasion", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1218.011", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "A Cobalt Strike binary was dropped on the endpoint as a `.dll` file and executed by `rundll32.exe`. With that, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management Instrumentation (WMI) in their lateral movement attempt. WMI spawned `cmd.exe`, which subsequently spawned PowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon. We’ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil, too.\n----------\nWe then observed successful lateral movement using Cobalt Strike’s SMB PsExec module. `services.exe` executed the previously-dropped Beacon payload with a child process of `rundll32.exe`. `rundll32.exe` had no command line arguments and performed multiple network connections over SMB (TCP port 445) to other systems on the network. The `admin$` share was used in each instance. To detect this the way we did, we recommend looking for `rundll32.exe` executing without any command-line parameters and also establishing network connections. Additionally, looking in the Windows System Event Log for events with ID 7045 could also give you the opportunity to detect this.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1218.010", "tactic": "defense-evasion", "score": 1, "color": "", "comment": "We observed the adversaries obtaining credentials. We aren’t sure whether they were using Mimikatz, but we can say they used an lsass cross-process from `regsvr32.exe`, which is something Mimikatz does.\n----------\nAround the time of `regsvr32.exe` execution, the operators also executed Sharphound or Bloodhound (we aren’t sure which) as code injected into `regsvr32.exe`. This tool performs a massive amount of reconnaissance of networks hosting Windows systems to find privileged accounts to target. We often detect Sharphound/Bloodhound activity by hunting for many SMB connections over port 445 originating from a single process. ", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1569", "tactic": "execution", "color": "", "comment": "", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1569.002", "tactic": "execution", "score": 1, "color": "", "comment": "We observed successful lateral movement using Cobalt Strike’s SMB PsExec module. `services.exe` executed the previously-dropped Beacon payload with a child process of `rundll32.exe`. `rundll32.exe` had no command line arguments and performed multiple network connections over SMB (TCP port 445) to other systems on the network. The `admin$` share was used in each instance. To detect this the way we did, we recommend looking for `rundll32.exe` executing without any command-line parameters and also establishing network connections. Additionally, looking in the Windows System Event Log for events with ID 7045 could also give you the opportunity to detect this.", "enabled": true, "metadata": [], "showSubtechniques": false }, { "techniqueID": "T1204", "tactic": "execution", "score": 1, "color": "", "comment": "Initial access came by way of a phishing email containing a PDF attachment. The user opened this attachment and clicked on a link in the PDF, which connected to Google Drive and downloaded a file named `Report[mm]-[dd].exe` (for example, the file name would be `Report10-29.exe` if the email was delivered on October 29). This `.exe` is known as Bazar, which has different components known by the community as BazaLoader, BazarLoader, and BazarBackdoor.", "enabled": true, "metadata": [], "showSubtechniques": true }, { "techniqueID": "T1047", "tactic": "execution", "score": 1, "color": "", "comment": "A Cobalt Strike binary was dropped on the endpoint as a `.dll` file and executed by `rundll32.exe`. With that, the intrusion began spreading laterally via Cobalt Strike. The operators used Windows Management Instrumentation (WMI) in their lateral movement attempt. WMI spawned cmd.exe, which subsequently spawned PowerShell with an encoded command line. This encoded PowerShell creates another Cobalt Strike Beacon. We’ve found that looking for encoded PowerShell is a great way to catch this specific evil and a lot of other evil, too.", "enabled": true, "metadata": [], "showSubtechniques": false } ], "gradient": { "colors": [ "#ff6666", "#ffe766", "#8ec843" ], "minValue": 0, "maxValue": 100 }, "legendItems": [], "metadata": [], "showTacticRowBackground": false, "tacticRowBackground": "#dddddd", "selectTechniquesAcrossTactics": true, "selectSubtechniquesWithParent": false }