Threat Hunting for the Most Common MITRE ATT&CK Techniques (Part 4)

Lawrence Amer
Axon Technologies
Oct 14, 2019

T1121 Execution — Regsvcs/Regasm

The .NET framework is a powerful development platform, and the same properties that make it useful make it attractive to attackers. The Axon Technologies research team recently observed malware that relies on the .NET framework to execute payloads through signed, trusted Windows utilities. This article explains those techniques.

Because it ships by default with most Windows installations, the .NET framework has become the de-facto standard for Windows software development. During our research we tested several ways of abusing regasm.exe (Assembly Registration Tool) and regsvcs.exe (.NET Services Installation Tool): both utilities can be made to run attacker-supplied code from an assembly they are asked to register or unregister. The one requirement is that the assembly be strong-name signed with sn.exe, which Microsoft ships with Visual Studio and the .NET framework SDK.

First, generate a public/private key pair with sn.exe at the .NET framework command prompt; the tool writes both keys to a key file with the .snk extension.

To obtain code execution we use the C# loader released by Casey Smith to run our shellcode, and msfvenom to generate the Meterpreter shellcode in C# format.

Next, copy the generated C# byte array into the place the loader source reserves for the shellcode.

After modifying the C# source, compile it with csc.exe, the Visual C# command-line compiler. csc.exe is a legitimate, Microsoft-signed component of the .NET framework.

When compilation finishes, the malicious Dynamic Link Library (DLL) is written to the current working directory. We recommend compiling with administrative permissions. With the DLL in hand, we execute it by passing its full path as the argument to regasm.exe or regsvcs.exe.
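The complete build-and-execute procedure from the steps above, as an added example that is not the article's code and not Casey Smith's loader: it generates the .snk key, compiles a strong-named assembly with csc.exe and launches it through regasm.exe /U and regsvcs.exe. The shellcode runner is replaced with a benign payload that appends a line to a marker file, so the same telemetry (a .dll on the command line, /U, code running inside the registration tool) is produced without a Meterpreter stage. The tool paths ($Fx, $Sn), the working directory, and the use of csc's /keyfile switch instead of an assembly attribute are assumptions for this example.

```powershell
# Added example (not the article's or Casey Smith's code): build a strong-named
# .NET assembly whose COM registration hooks run caller-chosen code, then run it
# through regasm.exe and regsvcs.exe. The payload is benign: it writes a marker
# file instead of running shellcode.
# Assumptions (adjust for your machine): .NET Framework 4.x under $Fx and
# sn.exe from the Windows SDK at $Sn. Run from an elevated prompt for regsvcs.

$Work = 'C:\tmp\regsvcs-demo'
$Fx   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319'
$Sn   = 'C:\Program Files (x86)\Microsoft SDKs\Windows\v10.0A\bin\NETFX 4.8 Tools\sn.exe'
New-Item -ItemType Directory -Force -Path $Work | Out-Null

# 1. The assembly. Both hooks fire *inside* regasm.exe / regsvcs.exe:
#    [ComRegisterFunction]   when the tool registers the class   (regsvcs, regasm without /U)
#    [ComUnregisterFunction] when the tool unregisters the class (regasm /U)
@'
using System;
using System.EnterpriseServices;
using System.IO;
using System.Runtime.InteropServices;

namespace Demo
{
    public class Hook : ServicedComponent
    {
        [ComRegisterFunction]
        public static void OnRegister(string key)   { Run("register"); }

        [ComUnregisterFunction]
        public static void OnUnregister(string key) { Run("unregister"); }

        // Marker payload only; the article's loader puts a shellcode runner here.
        static void Run(string phase)
        {
            string host = System.Diagnostics.Process.GetCurrentProcess().ProcessName;
            File.AppendAllText(@"C:\tmp\regsvcs-demo\marker.txt",
                DateTime.Now.ToString("o") + " " + phase + " in " + host + Environment.NewLine);
        }
    }
}
'@ | Set-Content -Path "$Work\hook.cs" -Encoding ASCII

# 2. Strong-name key pair (.snk), then compile with the Microsoft-signed csc.exe.
#    regsvcs.exe refuses assemblies that are not strong-named.
& $Sn -k "$Work\key.snk"
& "$Fx\csc.exe" /nologo /target:library /keyfile:$Work\key.snk `
    /r:System.EnterpriseServices.dll /out:$Work\hook.dll "$Work\hook.cs"

# 3. Execute through the trusted utilities. The hook runs inside the utility's
#    own process, which is the process EDR telemetry will attribute it to.
& "$Fx\regasm.exe"  /U "$Work\hook.dll"   # runs OnUnregister; the /U route is the one usually shown for non-admin use
& "$Fx\regsvcs.exe"    "$Work\hook.dll"   # runs OnRegister; needs admin (writes COM+ catalog and HKCR)

# Each line names the phase and the host process (regasm or regsvcs), which is
# the attribution a hunter will later see in process telemetry.
Get-Content "$Work\marker.txt"
```

Delete the COM+ application and the HKCR entries afterwards (regsvcs.exe /u and regasm.exe /U on the same DLL) so the test assembly does not linger on the host.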

Extending the Attack Vector with T1102 Command and Control — Web Service

To reproduce the attack vector, our sample dropper performs the following steps:

A. The dropper will download the malicious DLL from a remote host (T1102)

B. The dropper will use the regasm process to execute the saved DLL from the following path c:\tmp\{DLL}

C. The attacker will successfully receive a reverse shell.

Demonstrating the attack vector requires a user to run the malicious dropper. The dropper first downloads the target DLL and saves it in a temporary location, then executes it through regasm. If you want to reproduce and test this yourself, the dropper source code is written in Pascal and is available from Axon Technologies’ GitHub link.

Analysis and Recommendation

New targeted campaigns and advanced persistent threats are reported daily, and it is extremely difficult to anticipate every attack scenario; the .NET framework, for instance, is a default component of Windows, so its utilities cannot simply be blocked. Practical detection depends on analyzing incidents that have already happened and turning the observed behaviour into detection logic.

In the Carbon Black analysis diagram, the dropper downloads a remote file over an active outbound connection on port 80 and saves it to a specific path, C:\tmp\{NAMEOFFILE}.

Examining the RegASM process shows the malicious command line used to execute code from the DLL file.

Indicators of Compromise (IOC) and Detection of the Attack

Axon Technologies has developed its own IOCs to detect this type of attack in Carbon Black EDR. Developing IOCs requires deep analysis to avoid false positives and to ensure that the IOC matches the exact attack technique used. Detecting this technique in Carbon Black EDR requires a watchlist alert with the following IOC queries (the mswsock.dll module load catches the registration tool itself opening a network connection, which is what the reverse shell inside the DLL does; expect baseline noise from installers that legitimately call regasm.exe or regsvcs.exe with a .dll argument, and tune by parent process and DLL path):

cb.urlver=1&q=(process_name:regasm.exe AND modload:mswsock.dll)
cb.urlver=1&q=(process_name:regasm.exe AND cmdline:.dll)
cb.urlver=1&q=(process_name:regasm.exe AND cmdline:/U)
cb.urlver=1&q=(process_name:regsvcs.exe AND modload:mswsock.dll)
cb.urlver=1&q=(process_name:regsvcs.exe AND cmdline:.dll)
cb.urlver=1&q=(process_name:regsvcs.exe AND cmdline:/U)
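The same six rules expressed as detection logic that can be run offline over exported process events, as an added example that is not the article's query set and not Carbon Black's own tooling. It reproduces each query, then applies a noise filter (DLL under a user-writable path, or the tool loading the Winsock provider) to separate the attack from routine installer use of regasm.exe. The event field names (Path, CommandLine, ParentName, LoadedModules) and the sample events are constructed for this example.

```powershell
# Added example (not the article's or Axon's query set): the six Carbon Black
# rules as one PowerShell function, plus a simple noise filter. Sample events
# below are constructed for the demo, not real telemetry; field names are assumed.

function Test-RegasmAbuse {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $name = (($Record.Path -split '[\\/]')[-1]).ToLowerInvariant()
        if ($name -notin @('regasm.exe', 'regsvcs.exe')) { return }

        $hits = @()
        # process_name:<tool> AND cmdline:.dll
        if ($Record.CommandLine -match '\.dll\b')         { $hits += 'cmdline:.dll' }
        # process_name:<tool> AND cmdline:/U   (unregister path used by the article)
        if ($Record.CommandLine -match '(^|\s)/U\b')      { $hits += 'cmdline:/U' }
        # process_name:<tool> AND modload:mswsock.dll  (the tool itself is on the network)
        if ($Record.LoadedModules -contains 'mswsock.dll') { $hits += 'modload:mswsock.dll' }
        if (-not $hits) { return }

        # Pull the DLL path off the command line, quoted or bare.
        $m   = [regex]::Match($Record.CommandLine, '(?i)"(?<q>[a-z]:\\[^"]+\.dll)"|(?<u>[a-z]:\\\S+\.dll)')
        $dll = if ($m.Groups['q'].Success) { $m.Groups['q'].Value } else { $m.Groups['u'].Value }

        # Noise filter: installers run regasm <file>.dll from a package location.
        # A DLL under a user-writable path (the article's dropper uses C:\tmp) or
        # any network activity from the tool is what separates attack from noise.
        $userWritable = '(?i)^[a-z]:\\(tmp|users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)'
        $suspicious = ($hits -contains 'modload:mswsock.dll') -or ($dll -match $userWritable)

        [pscustomobject]@{
            Process    = $name
            Parent     = $Record.ParentName
            Dll        = $dll
            Rules      = $hits -join ', '
            Suspicious = $suspicious
        }
    }
}

# Constructed sample events (not real telemetry).
$events = @(
    [pscustomobject]@{ Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe'
                       CommandLine = 'regasm.exe /U C:\tmp\hook.dll'; ParentName = 'dropper.exe'
                       LoadedModules = @('clr.dll', 'ws2_32.dll', 'mswsock.dll') }
    [pscustomobject]@{ Path = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regsvcs.exe'
                       CommandLine = 'regsvcs.exe "C:\Program Files\Contoso\Contoso.Interop.dll"'
                       ParentName = 'msiexec.exe'; LoadedModules = @('clr.dll') }
    [pscustomobject]@{ Path = 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe'
                       CommandLine = 'regasm.exe /codebase C:\Users\alice\AppData\Local\Temp\x.dll'
                       ParentName = 'powershell.exe'; LoadedModules = @('clr.dll') }
    [pscustomobject]@{ Path = 'C:\Windows\System32\cmd.exe'; CommandLine = 'cmd.exe /c dir'
                       ParentName = 'explorer.exe'; LoadedModules = @('kernel32.dll') }
)

# Expected: the dropper-launched regasm (all three rules, Suspicious=True), the
# msiexec-launched regsvcs (cmdline:.dll only, Suspicious=False), the AppData
# regasm (cmdline:.dll, Suspicious=True); cmd.exe is not reported.
$events | Test-RegasmAbuse | Format-Table -AutoSize
```

The second sample event is the false positive the article warns about: a packaged installer registering its own interop assembly matches cmdline:.dll exactly as the attack does, and only the parent process and DLL location tell them apart.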

Axon Technologies proactively and continuously develops IOC queries, which are posted on our GitHub page (Link).

Lawrence Amer, Axon Technologies
OSCE, OSCP, CPTE, threat hunting, security researcher