Microsoft Threat Protection: going down the rabbit hole

Maarten Goet
Published in Wortell
6 min read · Feb 24, 2020

Recently, Microsoft announced the general availability of Microsoft Threat Protection (MTP). The new over-arching solution combines signals from Microsoft Defender ATP (endpoints), Office 365 ATP (email), Azure ATP (identity) and Microsoft Cloud App Security (apps) into one central portal.

Microsoft Threat Protection can automatically block attacks and eliminate their persistence to keep them from starting again, prioritize incidents for investigation and response, auto-heal assets, and provide cross-domain hunting.

Unified hunting

Because the modern kill chain is evolving, there is a clear need to unify these signals and be able to see the bigger picture as threats are happening. Attacks are often orchestrated completely in the cloud and can also impact your hybrid environment.

Simulate a cross-product attack

Microsoft offers a sample script to simulate a cross-product attack, so that you can easily try out the new unified capabilities from Microsoft Threat Protection.

The scenario is a fileless PowerShell attack with process injection and SMB reconnaissance. It uses living-off-the-land techniques [1].

[1] https://cyware.com/news/lets-dig-deeper-on-how-cybercriminals-use-living-off-the-land-attack-tactics-cac5c132

Going down the rabbit hole

Let’s use the sample to learn some incident response investigation skills and let’s go down the rabbit hole to understand how the threats work under the cover.

The attack starts with a PowerShell script. The assumption is that a user might get tricked into running the script or that the script might be running from a remote connection to another computer from a previously infected machine — the attacker attempting to move laterally on the network.

When you first look at the PowerShell code, it might underwhelm you. Just one long line of code:

Looking deeper

When we closely examine the code, we see a reference to this URL: https://winatpmanagement.windows.com/client/management/static/MTP_Fileless_Recon.txt. Opening that link will give you a long string:

This is a Base64 encoded string (https://en.wikipedia.org/wiki/Base64), something you will encounter a lot more in your threat hunting career.

OK, what now?

Well, as a starting investigator, you might not have a utility belt full of tools yet. But even if you are an experienced professional, you are likely using CyberChef: https://github.com/gchq/CyberChef

CyberChef is an open-source tool released by the UK’s spy agency, GCHQ. The tagline is ‘Cyber Swiss Army Knife — a web app for encryption, encoding, compression and data analysis’.

Loading the Base64 encoded string into CyberChef and running the decode ‘recipe’ will give you the following result:

Not very human readable, right? Going back to the PowerShell script reveals another clue:

Do you see it? Look closely: $xor, UTF8 and a text string. Aha! Apparently the decoded Base64 string is then parsed in UTF-8 format and XOR’d using a key called WinATP-Intro-Injection.

Let’s add that to the CyberChef recipe and see what we get:

Now we’re getting somewhere! We can finally read what the code is. Or can we? Looking a bit closer and scrolling down the code reveals another rabbit hole: a long string that starts with s_shellcode and has a lot of 0x characters.
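The two decoding steps above (Base64, then XOR with the UTF-8 bytes of the key), as an added Python example that is not part of the original post or of Microsoft's sample. It assumes the key is repeated across the data, and it runs on a constructed, harmless blob rather than the real download; the printable-byte ratio shows why the Base64 layer alone is still unreadable.

```python
import base64
from itertools import cycle

XOR_KEY = "WinATP-Intro-Injection"  # key string named in the PowerShell one-liner


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; applying it twice restores the input."""
    if not key:
        raise ValueError("empty XOR key")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def peel_layers(blob_b64: str, key: str = XOR_KEY) -> dict:
    """Undo Base64, then XOR, and report how readable each layer is."""
    cleaned = "".join(blob_b64.split())  # drop newlines from the downloaded file
    raw = base64.b64decode(cleaned, validate=True)  # reject non-Base64 input
    plain = xor_bytes(raw, key.encode("utf-8"))  # assumption: repeating key
    return {
        "after_base64": printable_ratio(raw),
        "after_xor": printable_ratio(plain),
        # errors="replace" surfaces a wrong key as U+FFFD instead of raising
        "text": plain.decode("utf-8", errors="replace"),
    }


# Constructed, harmless stand-in for the downloaded second stage.
SAMPLE_TEXT = "Write-Host 'constructed stage two'\n$s_shellcode = 'placeholder'\n"
SAMPLE_BLOB = base64.b64encode(
    xor_bytes(SAMPLE_TEXT.encode("utf-8"), XOR_KEY.encode("utf-8"))
).decode("ascii")

if __name__ == "__main__":
    result = peel_layers(SAMPLE_BLOB)
    print(f"printable after Base64: {result['after_base64']:.2f}")
    print(f"printable after XOR:    {result['after_xor']:.2f}")
    print(result["text"])
```

A ratio near 1.0 after the XOR step is a quick sign that the key and layer order are right before you start reading the output.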

Let’s find that rabbit

The string reveals that it is a byte array because it starts with new byte[]. Let’s go back to our CyberSwiss Army Knife and see if we can decode it.

We get the code to be executed, which is somewhat readable. However, if we add the ‘Strings’ and ‘Regular Expression’ functions to our recipe, we get some more clues:

Bingo! Apparently it uses WinHttp.dll for internet communications. Further down we find the IP address: 204.79.197.203. And we find a suspicious string called MyHovercraftIsFullOfEels.

I guess there is some Python in this malicious code. Monty Python ;-)

Apparently somebody is a Monty Python fan in the Microsoft Threat Protection team :-) https://www.urbandictionary.com/define.php?term=My%20hovercraft%20is%20full%20of%20eels
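The byte-array step above, as an added Python example that is not part of the original post: it parses a C# `new byte[] { 0x.. }` literal and does what the ‘Strings’ and ‘Regular Expression’ operations do. It goes slightly beyond the text by also catching UTF-16LE strings; the byte array, marker and IP address below are constructed sample data, not the real shellcode.

```python
import re

HEX_BYTE = re.compile(r"0x([0-9A-Fa-f]{1,2})")
OCTET = r"(?:25[0-5]|2[0-4]\d|1?\d?\d)"
IPV4 = re.compile(rf"(?<![\d.])(?:{OCTET}\.){{3}}{OCTET}(?![\d.])")


def parse_byte_array(source: str) -> bytes:
    """Turn the body of a C# 'new byte[] { 0x.., ... }' literal into bytes."""
    start, end = source.find("{"), source.rfind("}")
    if start == -1 or end <= start:
        raise ValueError("no byte[] initializer found")
    return bytes(int(h, 16) for h in HEX_BYTE.findall(source[start:end]))


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """Printable ASCII runs, plus UTF-16LE runs (ASCII chars padded with 0x00)."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    wide_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    found = [run.decode("ascii") for run in ascii_runs]
    found += [run.decode("utf-16-le") for run in wide_runs]
    return found


def extract_ipv4(strings: list) -> list:
    """IPv4 addresses found inside the extracted strings, de-duplicated."""
    seen = []
    for text in strings:
        for ip in IPV4.findall(text):
            if ip not in seen:
                seen.append(ip)
    return seen


# Constructed sample: non-printable filler around three embedded strings.
FILLER = b"\x90\x01\xff\x02"
SAMPLE_BYTES = (FILLER + b"winhttp.dll" + FILLER
                + "192.0.2.10".encode("utf-16-le") + FILLER
                + b"ConstructedMarker" + FILLER)
SAMPLE_LITERAL = ("byte[] s_shellcode = new byte[] { "
                  + ", ".join(f"0x{b:02x}" for b in SAMPLE_BYTES) + " };")

if __name__ == "__main__":
    blob = parse_byte_array(SAMPLE_LITERAL)
    strings = extract_strings(blob)
    print(strings)
    print(extract_ipv4(strings))
```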

Information on the IP address

Microsoft’s threat intelligence center (MSTIC) released some really nice Python-based tools called msticpy last year, and continues to develop and extend these: https://msticpy.readthedocs.io/en/latest/

Two functions from msticpy that are particularly useful for this hunt are GeoIPLookup and TILookup. With the first we get more information on the location of the IP address and who’s behind it. With the latter we can submit the IoC observable to sources such as VirusTotal to understand whether or not it has already been flagged as rogue.

At the time of writing, only one engine classifies the IP address as malware. We also see that the IP address lives on network AS8068 from Microsoft Corp: https://www.peeringdb.com/net/7472

My Hovercraft is Full of Eels

Opening up the IP address in a browser shows a “maintenance” message. However, if we look more closely, we find a weird string at the end of the HTML:

We can safely assume that this is the command and control (C2) IP address and that the MyHovercraftIsFullOfEels string is used to signal that it is the payload “calling”.

Challenge: can you find out how the C2 channel works? Post your clues and/or solution in the comments below, and win a Microsoft Threat Protection sticker.

PRO TIP: Be careful with using VirusTotal and directly opening URLs. During a real attack the adversary might learn that you are on to them. My good friend Marcus Bakker has written a blog about this: https://www.mbsecure.nl/blog/2018/9/opsec-for-blue-teams-part-1. As an analyst you can also approach this with dynamic analysis (i.e. sandbox), to quickly and effectively get information.

Active Directory

Going back to the decoded main PowerShell script, we find another piece of the puzzle: scanning of Active Directory. The script gets the current domain of the user:

[System.Directoryservices.Activedirectory.Domain]::GetCurrentDomain()

It then queries each of the domain controllers using the NetSessionEnum function in Netapi32.dll:

Process Injection

In the main script we also find a C# function to inject a process into another process. It first launches the original process (notepad.exe in this example) and then injects it with the shellcode we saw earlier:

Conclusion

As you can see, incident response investigation can be hard and quite laborious: you need to persevere and then put all the pieces of the puzzle back together to understand the bigger picture. And we haven’t talked about mapping the attack vectors back to the MITRE ATT&CK framework, or researching what (if any) data was stolen and whether that is sensitive information.

Luckily, Microsoft Threat Protection (MTP) does this for us. Azure ATP will see the domain reconnaissance, Microsoft Defender ATP will see the C2 communication and process injection and with the information from Cloud App Security, MTP is able to instantly paint a picture of data being exfiltrated.

Microsoft Threat Protection

And diving deeper into the alerts gives us the detailed information:

Microsoft Defender ATP and the command and control IP address

Happy hunting!

— Maarten Goet, MVP & RD
