Threat Hunting for the Most Common MITRE ATT&CK Techniques (Part 2)

Lawrence Amer
Published in Axon Technologies
Sep 9, 2019

T1180 Persistence — Screensaver

Screensavers are programs that Windows executes after a configurable period of user inactivity. They are Portable Executable (PE) files that carry a .scr extension. The Axon Technologies team demonstrated an attack that uses this technique to keep persistent access to the targeted machine: the payload is registered as the user's screensaver program, so Windows starts it every time the idle timeout elapses.

PowerShell Offensive Scripting

PowerShell is an excellent post-exploitation tool: it can execute arbitrary payloads and carry out fileless attacks. We have often observed interesting documents delivered through advanced phishing campaigns; these campaigns dropped backdoors written in PowerShell, where earlier incidents had used PowerShell only for Command and Control (C2) communication and data exfiltration. The PowerShell scripts are not simple droppers; they remain on the system and regularly load the embedded executable into memory.

Fetching Remote PowerShell Script as Executable

Generally, malicious PowerShell scripts are delivered by embedding the execution procedure in VBA macros, in several stages, with Base64-encoded content that is decoded and executed at run time. The MuddyWater campaigns are one example: the malicious document calls several other functions embedded in it before finally running a PowerShell command, and such documents can compromise many machines. They are considered multi-stage droppers because they first deliver the malicious package as a Word, PDF or other document and only then call and execute the PowerShell functions.

Building an Executable PowerShell Payload

First, we retrieve the content of the PowerShell functions and hand them to a PowerShell process started by our launcher. Then we execute them directly as one PowerShell script. With this method there is no need to download the script to a specific location on disk before executing it. The Axon Technologies modified PowerShell script runs two functions: one for the persistence technique (T1180) and one for the reverse shell.

T1180 Screen Saver Persistence Attack Technique

To achieve persistence, we set the SCRNSAVE.EXE value under the registry key HKCU\Control Panel\Desktop so that its data points to a malicious file. Because the key lives under HKCU, the setting applies to the current user only: the payload runs when that user's session goes idle, not at boot.

# -Force overwrites an existing value; without it New-ItemProperty errors when SCRNSAVE.EXE is already set
New-ItemProperty -Path 'HKCU:\Control Panel\Desktop\' -Name 'SCRNSAVE.EXE' -Value 'c:\tmp\shell.exe' -PropertyType String -Force

We insert the above line at the beginning of our PowerShell payload so that the screensaver configuration points at our malicious file. Our final PowerShell payload is as follows:
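As an added example (not the article's payload or Axon's code), the persistence step in full: the SCRNSAVE.EXE value on its own does nothing unless the screensaver is enabled and an idle timeout is set, so the script writes those companion values too, and then reads the configuration back the way a hunter would. C:\tmp\shell.exe is the placeholder path from the article; the 60-second timeout and the function names are this example's assumptions.

```powershell
# Added example, not the article's payload. Sets the three values the
# screensaver trigger depends on and reads them back as a hunting check.
# The 60-second timeout is an assumption; C:\tmp\shell.exe is the
# article's placeholder path.
$Desktop = 'HKCU:\Control Panel\Desktop'

function Set-ScreenSaverPersistence {
    param(
        [Parameter(Mandatory)][string]$PayloadPath,
        [int]$TimeoutSeconds = 60
    )
    # Set-ItemProperty creates the value if it is missing and overwrites it
    # if present (New-ItemProperty without -Force throws once the value exists).
    Set-ItemProperty -Path $Desktop -Name 'SCRNSAVE.EXE' -Value $PayloadPath -Type String
    # Nothing fires unless the screensaver is enabled and the idle timeout
    # (seconds) elapses; both are REG_SZ strings in the same key.
    Set-ItemProperty -Path $Desktop -Name 'ScreenSaveActive'  -Value '1' -Type String
    Set-ItemProperty -Path $Desktop -Name 'ScreenSaveTimeOut' -Value "$TimeoutSeconds" -Type String
}

function Get-ScreenSaverConfig {
    # Hunting check: report the configured program and flag a path that is
    # outside the Windows directory or does not end in .scr.
    $cfg  = Get-ItemProperty -Path $Desktop -ErrorAction Stop
    $path = $cfg.'SCRNSAVE.EXE'
    $outsideWindir = $path -and -not $path.StartsWith($env:windir, [System.StringComparison]::OrdinalIgnoreCase)
    $notScr        = $path -and ([System.IO.Path]::GetExtension($path) -ne '.scr')
    [pscustomobject]@{
        ScreenSaverPath = $path
        Active          = $cfg.ScreenSaveActive -eq '1'
        TimeoutSeconds  = [int]$cfg.ScreenSaveTimeOut
        Suspicious      = [bool]($outsideWindir -or $notScr)
    }
}

# Lab use only: registers the payload, then shows what a hunter reads back.
Set-ScreenSaverPersistence -PayloadPath 'C:\tmp\shell.exe'
Get-ScreenSaverConfig
```

The check in Get-ScreenSaverConfig is deliberately loose: in practice Windows launches whatever path is in SCRNSAVE.EXE, so a payload does not need the .scr extension, and a legitimate third-party screensaver can live outside the Windows directory. Treat a hit as a lead to inspect the referenced file, not as a verdict.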

Compiling our Executable Using Lazarus

Lazarus is a Delphi-compatible, cross-platform IDE for rapid application development built on the Free Pascal Compiler (FPC). In our demonstration the launcher is written with Lazarus; the code can also be ported to other languages.

Lazarus ships with many components that let you do more with fewer lines of code. Using the Process unit, we start a PowerShell process directly and hand it the script, instead of passing the payload content as a command-line parameter. At run time the executable fetches the uploaded PowerShell backdoor from Pastebin.

Source code

Analysis and Recommendation

Malware that evades security-product hooks is increasingly common, so our test payloads need to reproduce those techniques. A PowerShell script can be executed by feeding it directly to the PowerShell process or by passing the function as a command-line parameter. Our testing covered both possibilities, and we started by analysing each kind of script execution. During the analysis we observed that the PowerShell reverse shell loads the Winsock library WS2_32.dll from the System32 directory. To avoid false positives, we then checked the netconn tab for an active connection back to the attacker machine. If one was present, we knew that a compromise had occurred.

When executing the PowerShell payload function from the executable, we observed in Carbon Black which commands were used to start the payload.

We also saw the modification of the screensaver configuration in the system registry under the regmod tab.

We wanted to go further than that and detect the technique in general, so we developed an IOC that, in our testing, detects more than 70% of PowerShell reverse shells.

Indicators of Compromise (IOC) and Detection of the Attack

Axon Technologies has developed its own IOC to detect this type of attack in Carbon Black EDR. Developing an IOC requires deep analysis to avoid false positives and to make sure the IOC matches the exact attack technique used. Detecting this technique in Carbon Black EDR requires creating a watchlist alert with the following query, which matches a powershell.exe process that has loaded WS2_32.dll and made at least one network connection:

cb.urlver=1&q=(process_name:powershell.exe AND modload:WS2_32.dll AND netconn_count:[1 TO *])

A tighter variant also requires the ReceiveBufferSize string, which the stock PowerShell TCP reverse shell sets on its TcpClient, to appear in the process command line:

cb.urlver=1&q=(process_name:powershell.exe AND netconn_count:[1 TO *] AND cmdline:*ReceiveBufferSize*)
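As an added example that is not Axon's query or tooling, the following PowerShell script applies the same logic as the two watchlist queries directly on an endpoint: it lists powershell.exe processes that have ws2_32.dll loaded and own at least one established TCP connection, and records whether the ReceiveBufferSize marker appears on the command line. Including pwsh alongside powershell, the function name and the marker string as a regex are this example's assumptions.

```powershell
# Added example, not Axon's query or tooling: an endpoint-side equivalent of
# the Carbon Black watchlists above. Run elevated; module lists of other
# users' processes are not readable otherwise. Including pwsh is an assumption.
function Find-SuspiciousPowerShell {
    [CmdletBinding()]
    param(
        [string[]]$ProcessName       = @('powershell', 'pwsh'),
        [string]$ModuleName          = 'ws2_32.dll',
        [string]$CommandLineMarker   = 'ReceiveBufferSize'
    )

    # Command lines come from WMI; Get-Process does not expose them.
    $cmdLines = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $cmdLines[[int]$_.ProcessId] = $_.CommandLine }

    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        if ($proc.Id -eq $PID) { continue }   # skip the hunting shell itself

        # modload:WS2_32.dll in the query: is the Winsock library mapped?
        $hasWinsock = $false
        try {
            $hasWinsock = [bool]($proc.Modules | Where-Object { $_.ModuleName -ieq $ModuleName })
        } catch {
            # Access denied or 32/64-bit mismatch: surface it instead of silently skipping.
            Write-Warning "Cannot enumerate modules of PID $($proc.Id): $_"
        }

        # netconn_count:[1 TO *] in the query: at least one established connection.
        $conns = @(Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue)

        # cmdline:*ReceiveBufferSize* in the second query.
        $cmd       = $cmdLines[$proc.Id]
        $hasMarker = [bool]($cmd -and ($cmd -match [regex]::Escape($CommandLineMarker)))

        if ($hasWinsock -and $conns.Count -ge 1) {
            [pscustomobject]@{
                PID             = $proc.Id
                ProcessName     = $proc.ProcessName
                WinsockLoaded   = $hasWinsock
                Connections     = $conns.Count
                RemoteEndpoints = ($conns | ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }) -join ', '
                CmdLineMarker   = $hasMarker
                CommandLine     = $cmd
            }
        }
    }
}

Find-SuspiciousPowerShell | Format-List
```

A legitimate administrative script that calls Invoke-WebRequest also loads ws2_32.dll and holds a connection, which is why the second query adds the command-line marker. Note the trade-off, though: a reverse shell that is read from a file or handed to the process directly, as the Lazarus launcher described above does, has no ReceiveBufferSize on its command line, so the second query would not match it while the first still would. Treat the marker as extra confidence, not as a requirement.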

Axon Technologies proactively and continuously develops IOC queries, which are posted on our GitHub page (Link).

Lawrence Amer: OSCE, OSCP, CPTE; threat hunting, security researcher