DIGITAL FORENSICS AND INCIDENT RESPONSE 2.

lukewago
6 min readJul 6, 2024


Users:

“User activity is one of the investigation’s most critical and pivotal parts.”

Enumerating all users can help us detect and identify new and unexpected accounts in the system.

Adversaries can create new accounts (ATT&CK ID: T1136) or manipulate existing accounts (ATT&CK IDs: T1098 and T1078) to maintain or elevate their access in the victim system.

Therefore, identifying these anomalies is essential to track and map adversarial activities conducted or lurking under different user profiles.

  • Something is just off about having multiple Admin accounts, and one in particular is not spelled right …
  • The “Guest” user’s password attributes don’t look promising, especially since not requiring a password is highly suspicious.
  • Look at the details again: the descriptions of the “Admin*” accounts are identical. This is clearly an anomaly and is very likely to end up as an IoC.

We have the account’s last logon time and security identifier (SID), which we can use during the timeline and event correlation steps.

  • Guest SID:
  • Suspicious Account SID:
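The checks described above (enabled Guest, accounts that require no password, look-alike admin names, duplicated descriptions, plus group membership and live sessions) can be scripted so the same triage runs identically on every host. This is an added example, not the post's own commands; it needs the Microsoft.PowerShell.LocalAccounts module (Windows 10/11, Server 2016+) and an elevated prompt, and the `$ExpectedAdmins` baseline is an assumed value to be replaced with the host owner's real list.

```powershell
# Added example (not the post's own commands): triage local accounts for the anomalies
# described above. Requires Microsoft.PowerShell.LocalAccounts and an elevated prompt.
# $ExpectedAdmins is an assumed baseline for this illustration.

function Get-SuspiciousLocalAccounts {
    param([string[]]$ExpectedAdmins = @('Administrator'))   # assumed baseline

    $users    = Get-LocalUser
    $findings = [System.Collections.Generic.List[object]]::new()

    # Descriptions shared by more than one account: a cloned or impersonating account
    # often copies the built-in description verbatim.
    $dupDesc = $users | Where-Object { $_.Description } |
        Group-Object -Property Description | Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Name }

    foreach ($u in $users) {
        $reasons = @()
        if ($u.Name -eq 'Guest' -and $u.Enabled) { $reasons += 'built-in Guest enabled' }
        if (-not $u.PasswordRequired)              { $reasons += 'password not required' }
        if ($u.Name -match '^admin' -and $u.Name -notin $ExpectedAdmins) {
            $reasons += 'admin look-alike name outside baseline'
        }
        if ($u.Description -and $u.Description -in $dupDesc) {
            $reasons += 'description duplicated across accounts'
        }

        if ($reasons.Count -gt 0) {
            $findings.Add([pscustomobject]@{
                Name      = $u.Name
                SID       = $u.SID.Value      # keep for timeline / event-log correlation
                Enabled   = $u.Enabled
                LastLogon = $u.LastLogon
                Reasons   = ($reasons -join '; ')
            })
        }
    }
    return $findings
}

# Flagged accounts, then every local group with its members, then who is logged on now
Get-SuspiciousLocalAccounts | Format-Table -AutoSize
foreach ($g in Get-LocalGroup) {
    $members = Get-LocalGroupMember -Group $g.Name -ErrorAction SilentlyContinue
    if ($members) {
        "`n[$($g.Name)]"
        $members | Select-Object Name, SID, PrincipalSource | Format-Table -AutoSize
    }
}
quser 2>$null   # active and disconnected interactive sessions; absent on some editions
```

The SID and LastLogon columns are kept on purpose: they are the keys you will join against Security event log records (4720, 4728, 4732, 4624 and friends) in the correlation phase, so capture them here rather than re-querying later.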

Wins of the procedures implemented in this task:

  • Local users are identified
  • Local groups and members are identified
  • Active user sessions are identified

Collected low-hanging fruits:

  • Local Admin and Guest account activation and usage
  • New account with a subtle difference to impersonate a local Admin
  • User group membership modifications
  • Active user session

Action points for objective-driven and in-depth investigation:

  • Discovering the login, execution, process and other user activities of user accounts
  • Identifying the malicious (and abused) accounts and user groups
  • Identifying and mapping the activities done through discovered accounts
  • Planning additional workforce to investigate the additional user spaces starting from the active one
  • Considering the secondary active user session in the following steps, especially in the process, service and log analysis

Known changes:

  • Dump data files stored in the toolbox folder
  • Logs

Active Ports and Connections:

Active ports and connections have a crucial value in identifying vital aspects of malicious activity, such as:

  • Pivoting (lateral movement, ATT&CK ID: TA0008)
  • C2 connection (ATT&CK ID: TA0011)
  • Exfiltration (ATT&CK ID: TA0010)
  • Active sessions

“Malware may hide, but it will run.”

We can apply this principle while hunting for:

  • Execution
  • Persistence
  • Action on objectives tactics

The anomaly observed here matters both for detecting and confirming the anomaly itself and for locating the malicious instance’s hiding path, executable and associated system resources.

Let’s quickly review the active ports and connections for TCP: an overview of the active TCP connections and the bound and listening TCP ports. We can also observe the:

  • Current process name
  • Executable path
  • Parent process name

Then observe the UDP connections.

We have the same base information as in the TCP section (address, port, process details), which lets us dig deeper and correlate the findings.

We start from the active connections and then move on to the listening ports, checking them against known threat indicators, baselines and system administrator feedback.
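The TCP and UDP views above become far more useful when each endpoint is joined to its owning process, image path and parent process in one table, so that a temp-path launcher or an unexpected remote-access tool stands out at a glance. The following is an added example, not the post's own commands; it needs the NetTCPIP module (Windows 8 / Server 2012+), and `$TempPattern` and `$WatchList` are assumed, illustrative heuristics that should be replaced by the host's real baseline.

```powershell
# Added example (not the post's own commands): join live TCP/UDP endpoints to the owning
# process, its image path and its parent, then flag what the baseline does not cover.
# $TempPattern and $WatchList are assumed heuristics for this illustration.

function Get-ConnectionTriage {
    # Index every process once so PID lookups are cheap
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    function Describe-Endpoint($Proto, $Endpoint, $State) {
        $p      = $procs[[int]$Endpoint.OwningProcess]
        $parent = if ($p) { $procs[[int]$p.ParentProcessId] }
        [pscustomobject]@{
            Proto   = $Proto
            Local   = "$($Endpoint.LocalAddress):$($Endpoint.LocalPort)"
            Remote  = if ($Proto -eq 'TCP') { "$($Endpoint.RemoteAddress):$($Endpoint.RemotePort)" } else { '-' }
            State   = $State
            PID     = $Endpoint.OwningProcess
            Process = $p.Name
            Path    = $p.ExecutablePath     # empty for protected system processes
            Parent  = $parent.Name
        }
    }

    Get-NetTCPConnection | ForEach-Object { Describe-Endpoint 'TCP' $_ $_.State }
    Get-NetUDPEndpoint   | ForEach-Object { Describe-Endpoint 'UDP' $_ 'Bound' }
}

$TempPattern = '\\(Temp|Tmp|Downloads)\\'   # assumed "launched from a temporary path" heuristic
$WatchList   = 'anydesk|ssh'                 # assumed: tools the baseline says should not run here

$rows = Get-ConnectionTriage

# Endpoints worth a note: temp-path binaries or watch-listed tools
$rows | Where-Object {
    ($_.Path -and $_.Path -match $TempPattern) -or ($_.Process -match $WatchList)
} | Sort-Object Proto, State | Format-Table -AutoSize

# Full picture of what is talking or listening, for the investigation notes
$rows | Where-Object { $_.State -in 'Established', 'Listen', 'Bound' } |
    Sort-Object Proto, State, Local | Format-Table -AutoSize
```

Record the PID, path and parent for every flagged row: the process and service analysis phases later in the investigation need exactly those three fields to pick up where this network view leaves off.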

There are some connection attempts and open ports linked with AnyDesk.

According to the baselines, this application shouldn’t be running by default. That’s why we are marking this finding as suspicious for further checks.

The port information also looks odd.

Network Shares:

Network shares are another location that could contain artefacts on pivoting and also spot configuration mistakes on file sharing and shared path access controls.

While misconfigurations can lead to data exposure beyond the intended scope, they can also be used to spread malicious stagers through a network. Additionally, granting execute rights on a share makes the host vulnerable to arbitrary files being uploaded and executed through that shared folder (ATT&CK IDs: T1039, T1570, T1021, T1080).
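Checking for the misconfigurations described above means reading both the share-level ACL and the NTFS ACL of the shared path, because either one can grant a broad principal write or execute access. The block below is an added example, not the post's own commands; it needs the SmbShare module (Windows 8 / Server 2012+) and an elevated prompt, and the `$broad` list of "too wide" principals is an assumed value.

```powershell
# Added example (not the post's own commands): list SMB shares with share-level and NTFS
# permissions and flag entries that let broad principals write or execute.
# $broad is an assumed list of principals considered too wide for a share.

function Get-ShareTriage {
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Authenticated Users'

    foreach ($s in Get-SmbShare) {
        $shareAcl = Get-SmbShareAccess -Name $s.Name
        # IPC$ has no path; only read NTFS ACLs where a real folder exists
        $ntfsAcl  = if ($s.Path -and (Test-Path -LiteralPath $s.Path)) {
            (Get-Acl -LiteralPath $s.Path).Access
        }

        $shareWrite = $shareAcl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.AccessRight -in 'Change', 'Full' -and
            $broad -contains $_.AccountName
        }
        $ntfsWrite = $ntfsAcl | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broad -contains $_.IdentityReference.Value -and
            $_.FileSystemRights -match 'Write|Modify|FullControl|ExecuteFile|ReadAndExecute'
        }

        [pscustomobject]@{
            Share        = $s.Name
            Path         = $s.Path
            AdminShare   = $s.Name.EndsWith('$')
            ShareWriters = ($shareWrite.AccountName | Sort-Object -Unique) -join ', '
            NtfsWriters  = ($ntfsWrite.IdentityReference.Value | Sort-Object -Unique) -join ', '
        }
    }
}

Get-ShareTriage | Format-Table -AutoSize
```

A non-empty `ShareWriters` or `NtfsWriters` column on anything other than a deliberately public drop folder is the finding to carry forward; the administrative shares (`ADMIN$`, `C$`) are listed too so that their presence can be checked against the baseline rather than assumed.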

Port information alone might not be enough to mark it suspicious or malicious if the baselines cover any of the legitimate use cases of the port.

Last but not least, there are multiple instances of the SSH executable, which is also suspicious. We note these details and move on to the UDP findings.

While this requires a strong understanding of the baselines and communications with the responsible system administrators, we can still spot suspicious activities and anomalies.

An open port for tunnelling service also needs deeper checks as the baseline doesn’t cover tunnelling/VPN implementation.

Also, a connection attempt originates from a process launched from a temporary path.

Firewall (Network):

The firewall is another gold mine of information that is tedious to evaluate manually but provides pinpoint results.

Identifying rules that enable generic ports used in security assessment and by some threat profiles, such as 4444, is relatively easy.

“A strong knowledge of adversarial TTPs.”

Output and notable records, such as:

  • Multiple entries
  • Third-party applications
  • Path differences
  • Port, application and service-related anomalies

One of the first suspicious records concerns the “AnyDesk” application, which has two path rules pointing to separate drives.

Also, some rules enable OS sharing and remoting features, which we need to verify later.

Lastly, two rules are tagged with the LMV Co. label, which also needs attention.
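The four firewall observations above (a watch-listed port such as 4444, third-party program paths, the same executable allowed from two different paths, and rules carrying a label or feature group that needs verification) can all be answered from one flattened view of the enabled allow rules. This is an added example, not the post's own commands; it needs the NetSecurity module (Windows 8 / Server 2012+), and `$WatchPorts` and `$TrustedRoots` are assumed values. The "LMV Co." label is taken from the post; the other match patterns are illustrative.

```powershell
# Added example (not the post's own commands): flatten enabled allow rules with their port
# and program filters, then flag the patterns discussed above.
# $WatchPorts and $TrustedRoots are assumed values for this illustration.

function Get-FirewallTriage {
    foreach ($r in Get-NetFirewallRule -Enabled True -Action Allow) {
        $port = $r | Get-NetFirewallPortFilter
        $app  = $r | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule      = $r.DisplayName
            Group     = $r.DisplayGroup
            Direction = $r.Direction
            Profile   = $r.Profile
            Protocol  = $port.Protocol
            LocalPort = (@($port.LocalPort) -join ',')
            Program   = $app.Program          # 'Any' when the rule is not program-scoped
        }
    }
}

$WatchPorts   = @('4444')     # assumed: ports common in assessments and threat tooling
$TrustedRoots = '^(%SystemRoot%|C:\\Windows|%ProgramFiles%|C:\\Program Files)'   # assumed OS/vendor locations

$rules = Get-FirewallTriage

"== Inbound rules opening watch-listed ports =="
$rules | Where-Object {
    $_.Direction -eq 'Inbound' -and
    (($_.LocalPort -split ',') | Where-Object { $_ -in $WatchPorts })
} | Format-Table -AutoSize

"== Program rules outside trusted roots (third-party or odd paths) =="
$rules | Where-Object { $_.Program -and $_.Program -ne 'Any' -and $_.Program -notmatch $TrustedRoots } |
    Format-Table Rule, Direction, Program -AutoSize

"== Same executable allowed from more than one path =="
$rules | Where-Object { $_.Program -and $_.Program -ne 'Any' } |
    Group-Object { Split-Path -Leaf $_.Program } |
    Where-Object { ($_.Group.Program | Sort-Object -Unique).Count -gt 1 } |
    ForEach-Object { $_.Group } | Format-Table Rule, Program -AutoSize

"== Sharing/remoting feature groups and custom labels to verify =="
$rules | Where-Object {
    $_.Group -match 'Sharing|Remote' -or $_.Group -match 'LMV Co' -or $_.Rule -match 'LMV Co'
} | Format-Table Rule, Group, Direction, Profile -AutoSize
```

Piping each rule through the two filter cmdlets is slow on hosts with thousands of rules; for a one-off live triage it is acceptable, and it keeps the output as plain objects that can be exported to CSV for the notes.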

Investigation Notes:

In this phase, we focused on identifying the network-level details. Below are the quick wins of the procedures implemented in this task.

  • Active ports and connections are identified.
  • Network shares and locations are identified.
  • Firewall rules are identified.

Collected low-hanging fruits:

  • Connection request originated from a process launched from a temporary path.
  • SSH connection requests.
  • Firewall rules for remote connection and shares.
  • Firewall rule for LMV Co.

Action points for objective-driven and in-depth investigation:

  • Considering the processes that create suspicious connections in the following phases.
  • Considering the identified share locations in the following phases.
  • Identifying and mapping the activities linked with processes that create connections and have firewall exceptions.

Known changes:

  • Dump data files stored in the toolbox folder.
  • Logs.

Policies:

Policies are valuable sources of information as they can cause system-wide modifications that can lead to implementing various persistence and impact techniques and procedures (ATT&CK ID: T1484.001).

Therefore, tracking modifications provides valuable context for creating accurate hypotheses and implementing required investigation and hunting procedures.

Let’s quickly create a report on implemented policy settings.

If you skipped the safe PowerShell profile and ran the default one, the command below will fail, because report generation uses the Event Log service, which the default profile file is set up to stop.
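One way to capture the implemented policy settings for later comparison against the baseline, as an added example that is not the post's command (the post's own command is not shown on this page): generate a Resultant Set of Policy report with `gpresult`, dump the registry-backed policy hives where Group Policy changes land on the host, and snapshot the audit policy. The output folder is an assumed value. Launch from `powershell -NoProfile` so a tampered default profile cannot interfere, as the post advises.

```powershell
# Added example (not the post's command): snapshot policy state for baseline comparison.
# Run from an elevated "powershell -NoProfile" session. $out is an assumed output folder.

$out = Join-Path $env:TEMP 'policy-triage'
New-Item -ItemType Directory -Force -Path $out | Out-Null

# Resultant Set of Policy: HTML for reading, text summary for quick searching
gpresult /H (Join-Path $out 'rsop.html') /F
gpresult /R /SCOPE COMPUTER > (Join-Path $out 'rsop-computer.txt')

# Registry-backed policy settings (where GPO-delivered modifications are persisted locally)
$hives = 'HKLM:\SOFTWARE\Policies',
         'HKCU:\SOFTWARE\Policies',
         'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'

$hives | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{
                Key   = $key.Name
                Value = $name
                Data  = $key.GetValue($name)
            }
        }
    }
} | Export-Csv -NoTypeInformation -Path (Join-Path $out 'policy-registry.csv')

# Audit policy, because changes to what gets logged are part of the same picture
auditpol /get /category:* > (Join-Path $out 'auditpol.txt')

Get-ChildItem $out
```

Diffing `policy-registry.csv` against the same export from a known-good build of the image is the quickest way to surface a policy change (ATT&CK T1484.001) without reading the whole HTML report.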
