Hunting Evil with the MITRE Engenuity Calculator, Atomic Red Team and Sysmon

SIMKRA
Jan 28, 2023


TinyTurla backdoor Sysmon vs. Windows Event Viewer

In this article I will describe who Turla is, why I’m testing the TinyTurla backdoor, and the side effects of using Sysmon to verify the results compared with the Windows Event Viewer. It started with a Sysmon configuration test to understand the behavior of the top 10 ransomware techniques when you use the Top Technique Calculator to weight the monitoring of processes and files. You can do this by labelling the maturity of that monitoring as low.

If you’ve read the article about the Top Technique Calculator developed by the team of Lex Crumpton, the Technical Lead for Top ATT&CK Techniques as well as the Defensive Lead for MITRE ATT&CK, you will get a deeper understanding of where to start hunting evil ransomware techniques by evaluating the top techniques for your company or environment. If your focus is, for example, the monitoring of processes and files because it is still poorly implemented, you can use the calculator to determine which techniques and sub-techniques would be best for you to harden your systems against ransomware. The goal is to rapidly find weaknesses, mitigate them, and detect and prevent future ransomware attacks.

MITRE Engenuity Top 10 Calculator Assessment — File and Process Monitoring Components

And this is exactly what I’ve done. One of the sub-techniques is T1543.003. The MITRE ATT&CK description of this technique is that adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Identification of Relevant Security Events — Picture https://github.com/mitre-attack/attack-datasources

This is also one way Turla gains access to a victim’s system. Talos Intelligence has an excellent blog post on what TinyTurla is and how the Turla group operates:

Turla has many names in the information security industry — it is also known as Snake, Venomous Bear, Uroburos and WhiteBear. It is a notorious Russian-based and espionage-focused Advanced Persistent Threat (APT) group that’s been active since at least 2004.

Over the years, they developed and maintained a huge set of offensive tools to attack victims all over the world, from different European government entities, to targets in the U.S., Ukraine or Arabic countries.

Turla likes to use compromised web servers and hijacked satellite connections for their command and control (C2) infrastructure. In some operations, they also do not directly communicate to the C2 server. Instead, they use a compromised system inside the targeted network as a proxy, which forwards the traffic to the real C2 server.

Well-known malware like Crutch or Kazuar are attributed to Turla. Lately, we have also seen research that has shown potential links between the Sunburst backdoor and Turla. Not every campaign run by Turla can clearly be attributed to them. However, over the years, the security industry has closely monitored the different Russian actors and technical evidence combined with tactics, techniques and procedures (TTPs). By tracking these plus political interests, it’s often possible to attribute certain campaigns and toolsets to this actor.

Know your enemy — Test TinyTurla Backdoor

Now that we know which techniques are relevant for us, we can start to test our defenses. EDR, IDS and other great security tools are very good detection solutions, but notorious threat actors like Turla always find a way, with a backdoor like TinyTurla, to gain persistence without even being detected. So how can we hunt the evil? Another great tool, and a backup if adversaries disable other security tools, is Sysmon. One of the world’s best detection engineers, Olaf Hartong, has developed sysmon-modular for free and you can get it here, where he also mentions several other great Sysmon configurations such as the ones from TrustedSec or SwiftOnSecurity.

To understand how the backdoor works, I would like to quote the description from Talos Intelligence again:

Due to this backdoor’s limited functionality and simple coding style, it is not easy for anti-malware systems to detect it as malware. We found evidence in our telemetry that this software has been used by adversaries since at least 2020.

This malware specifically caught our eye when it targeted Afghanistan prior to the Taliban’s recent takeover of the government there and the pullout of Western-backed military forces. Based on forensic evidence, Cisco Talos assesses with moderate confidence that this was used to target the previous Afghan government. This is a good example of how easy malicious services can be overlooked on today’s systems that are clouded by the myriad of legit services running in the background at all times. It’s often difficult for an administrator to verify that all running services are legitimate. It is important to have software and/or automated systems detecting unknown running services and a team of skilled professionals who can perform a proper forensic analysis on potentially infected systems.

This malware contacts the C2 every five seconds. A good defense system would detect this anomaly in the network traffic and raise an alarm, showing a great example of how important it is to incorporate network behavior-based detection into your security approach. Turla is well-known and closely monitored by the security industry. Nevertheless, they managed to use this backdoor for almost two years. This clearly shows that there is room for improvement on the defensive side.

With Atomic Red Team, especially with Invoke-Atomic, you can test the backdoor on your system while using Sysmon and the Event Viewer.

Executing TinyTurla backdoor service w64time

Before you can test the backdoor adequately, make sure that you’ve executed the prerequisites with Invoke-AtomicTest T1543.003 -TestNumbers <test number> -GetPrereqs. This is very often required and should be done before you start testing. In the test, Invoke-Atomic will execute the following commands:

copy C:\AtomicRedTeam\atomics\T1543.003\bin\w64time.dll %systemroot%\system32\
sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto
sc config W64Time DisplayName= "Windows 64 Time"
sc description W64Time "Maintain date and time synch on all clients and services in the network"
reg add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /t REG_MULTI_SZ /d "W64Time" /f
reg add "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /t REG_EXPAND_SZ /d "%systemroot%\system32\w64time.dll" /f
sc start W64Time

And don’t forget: after the test you should run the cleanup commands:

sc stop W64Time
sc.exe delete W64Time
del %systemroot%\system32\w64time.dll
reg delete "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Svchost" /v TimeService /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\W64Time\Parameters" /v ServiceDll /f

After all commands have been executed, either automatically by Invoke-Atomic or manually by you, you will find the registry value for W64Time under Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost.

Registry Windows NT Current Version Svchost TimeService W64Time

More interesting is what Sysmon detects, and the side effects. There are several event IDs that you will find in Sysmon, but it also depends on your configuration. What you see in the Windows Event Viewer is not the expected T1543.003 but the execution of the commands with PowerShell and the processes and services that have been created. In my config, for example, I find the TinyTurla process creation in the current directory of Atomic tagged with the MITRE ATT&CK technique T1059.001.

Process create Atomic Red Team

You can also see T1055.001, Dynamic-link Library Injection, with PowerShell ISE. This time it’s Sysmon Event ID 10. Again, it depends on how your Sysmon is configured.

Event 10 process accessed

With Event ID 1 you can see the Atomic Red Team whoami execution. This execution is always part of the tests you’re running.

Sysmon Event 1 “whoami” Atomic Tests

With Event ID 11 you can see the newly created file, w64time.dll.

Event 11 target filename — file created

And last but not least, Sysmon Event ID 1 for the service creation:

Event 1, Sysmon: TimeService, type= share, start= auto

Without Sysmon, detection is much harder unless you have another security solution or an adequate detection rule in place.

With Windows Event ID 7045 you can see that a service was installed, and which service it was.

Event Viewer a service was installed with the service name W64Time

And with Windows Event ID 7023 you can see that the service was terminated with an error (the module could not be found).

Error logging with the Event Viewer if a service was terminated

In the PowerShell Operational log you will find Event ID 24578 (Microsoft-Windows-PowerShell), which records that PowerShell ISE has started to run a user-selected script.

PowerShell Event 24578 user selected script has started to run

I additionally checked the Event Viewer for Windows PowerShell and there was an Event ID 600, but it does not give you enough information to really know what happened. It could be an indicator of compromise, but given the number of alerts an investigator is dealing with, it is very unlikely that he or she would find the backdoor because of this event ID showing a PowerShell execution of some file XYZ. The bigger the environment, the more scripts are running, some of them generically created and running automatically as background jobs.

This is the reason why it’s important to have several solutions detecting actions on objectives, like living-off-the-land binaries or the creation of services with registry keys. It is much harder to detect backdoors like TinyTurla than to detect Cobalt Strike, Mimikatz or Sliver beacons, which are very well known and common.
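As an added example (not code from the article, Atomic Red Team or Sysmon), the following Python correlates the three log sources walked through above, Sysmon Event ID 1 and 11 and System Event ID 7045, into T1543.003 findings; the event XML records are constructed to mirror the W64Time test, and the baseline of svchost groups is an assumption you would build from a clean host.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# Assumed baseline of svchost groups you consider legitimate; build it from a clean image.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "dcomlaunch", "rpcss"}

def parse_event(xml_text):
    """Return (provider, event_id, {DataName: value}) from one Windows event XML record."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    provider = system.find(NS + "Provider").get("Name")
    event_id = int(system.find(NS + "EventID").text)
    data = {d.get("Name"): (d.text or "") for d in root.iter(NS + "Data")}
    return provider, event_id, data

def hunt(xml_records):
    """Flag the chain from the article: sc create with an svchost host (Sysmon 1),
    a DLL dropped into System32 (Sysmon 11) and an installed service (System 7045)
    whose svchost group is not in the baseline."""
    findings = []
    for rec in xml_records:
        provider, eid, d = parse_event(rec)
        if provider == "Microsoft-Windows-Sysmon" and eid == 1:
            cmd = d.get("CommandLine", "")
            m = re.search(r"\bsc(?:\.exe)?\s+create\s+(\S+)", cmd, re.I)
            if m and re.search(r"svchost\.exe\s+-k\s+", cmd, re.I):
                findings.append("sysmon1:sc-create-svchost-host:" + m.group(1))
        elif provider == "Microsoft-Windows-Sysmon" and eid == 11:
            target = d.get("TargetFilename", "")
            if re.search(r"\\Windows\\System32\\[^\\]+\.dll$", target, re.I):
                findings.append("sysmon11:dll-written-to-system32:" + target.rsplit("\\", 1)[-1])
        elif provider == "Service Control Manager" and eid == 7045:
            m = re.search(r"svchost\.exe\s+-k\s+(\S+)", d.get("ImagePath", ""), re.I)
            if m and m.group(1).lower() not in KNOWN_SVCHOST_GROUPS:
                findings.append("system7045:unknown-svchost-group:%s/%s" % (d.get("ServiceName", ""), m.group(1)))
    return findings

# Constructed sample records mirroring the W64Time test (not real telemetry).
EVT = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><Provider Name="%s"/><EventID>%d</EventID></System><EventData>%s</EventData></Event>'
SAMPLE_EVENTS = [
    EVT % ("Microsoft-Windows-Sysmon", 1, r'<Data Name="Image">C:\Windows\System32\sc.exe</Data><Data Name="CommandLine">sc create W64Time binPath= "c:\Windows\System32\svchost.exe -k TimeService" type= share start=auto</Data>'),
    EVT % ("Microsoft-Windows-Sysmon", 11, r'<Data Name="Image">C:\Windows\System32\cmd.exe</Data><Data Name="TargetFilename">C:\Windows\System32\w64time.dll</Data>'),
    EVT % ("Service Control Manager", 7045, r'<Data Name="ServiceName">W64Time</Data><Data Name="ImagePath">c:\Windows\System32\svchost.exe -k TimeService</Data><Data Name="ServiceType">shared process</Data><Data Name="StartType">auto start</Data>'),
    EVT % ("Service Control Manager", 7045, r'<Data Name="ServiceName">Schedule</Data><Data Name="ImagePath">%SystemRoot%\system32\svchost.exe -k netsvcs</Data>'),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The legitimate Schedule service in the sample is not flagged because its svchost group netsvcs is in the baseline, which is the check that separates W64Time from the background noise the article describes.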

Talos Intelligence also mentioned several products and how to rapidly mitigate and prevent such a backdoor. One way to hunt for backdoors like TinyTurla is to use the Talos IOCs:

Files:
%SYSTEMROOT%\system32\w64time.dll

Hash:
030cbd1a51f8583ccfc3fa38a28a5550dc1c84c05d6c0f5eb887d13dedf1da01

YARA:
import "pe"
rule TinyTurla {
    meta:
        author = "Cisco Talos"
        description = "Detects Tiny Turla backdoor DLL"
    strings:
        $a = "Title:" fullword wide
        $b = "Hosts" fullword wide
        $c = "Security" fullword wide
        $d = "TimeLong" fullword wide
        $e = "TimeShort" fullword wide
        $f = "MachineGuid" fullword wide
        $g = "POST" fullword wide
        $h = "WinHttpSetOption" fullword ascii
        $i = "WinHttpQueryDataAvailable" fullword ascii
    condition:
        pe.is_pe and
        pe.characteristics & pe.DLL and
        pe.exports("ServiceMain") and
        all of them
}

For further information please visit their blog or the MITRE ATT&CK website to read more about Turla and which software the group uses.

Conclusion: Atomic Red Team and Sysmon, in combination with the Top Techniques Calculator, are a powerful combination of tools for hardening systems and hunting evil with regard to ransomware and payloads. Sysmon detects the backdoor, but not necessarily the techniques that the attackers use. The more you understand about the actions on objectives, the better you’re able to find outliers and detect suspicious C2 connections or backdoors. Therefore, experienced red teamers and detection engineers are required to understand how attackers think and to find the outliers in the systems. Not everything can be automated; you need both humans and machines.

To study TinyTurla in depth please visit also MITRE Engenuity.
