
Attackers Abuse Trust with Indirection


Incident #2—Abusing mshta.exe & PowerShell.exe

While at DattoCon 2018, our ThreatOps Team hosted a Hacking Windows Training and gave live demos at the booth. We challenged attendees to discover what was lurking in their own networks, and 50+ MSPs & IT Departments started a trial during the conference (84% found incidents 😉).

In one particular incident, the Scheduled Task engine was used to run Microsoft’s HTML Application host (mshta.exe). The arguments passed to mshta.exe executed VBScript code and spawned the Windows Command Shell (cmd.exe). The “/c” argument passed to cmd.exe instructed it to run PowerShell with code to download a payload from http://bit[.]ly/2kTzFCQ. Once downloaded, the Invoke-Expression (IEX) cmdlet executed the retrieved payload. Needless to say, it’s not surprising this indirection successfully evaded process analysis!

Incident #∞ — Abusing LOLBins & LOLScripts

Incidents like the ones previously described are the new norm. In our research, we’ve already witnessed an escalation in the complexity of indirection that is perfectly highlighted by the half dozen “hops” used in this campaign.

Sharing threat intelligence on publicly abused tradecraft is a great way to help prepare our community to quickly detect and respond to these incidents. If you’re not aware of the Living Off The Land Binaries and Scripts and the MITRE ATT&CK knowledge bases, we highly recommend you check these out (or better yet, participate!). Twitter is another great community to share your research and make a difference.

A Complementary Approach to Process Behavior

Security is all about layering technologies to complement gaps and that’s exactly what we’re doing at Huntress Labs. Rather than focus on the execution of malicious payloads, the Huntress endpoint agent searches for the persistent footholds that attackers use to maintain access to their victims. We’ve discovered this ignored indicator of compromise is an excellent way to uncover evasive threats and breaches.

In the first incident described above, the hackers abused two well-known Windows features that run their payloads every time a user logs into the system.

Run Key Value and Logon Script used to spawn the evasive processes.

The second incident used a Scheduled Task to run its payload every 3 hours with SYSTEM privileges — enabling attackers to maintain long term access. These same Scheduled Task algorithms were used to detect the 0-day exploit used against Kaseya’s VSA RMM product to run malicious code on vulnerable clients!
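The two footholds above (a Run key value plus a logon script in the first incident, a SYSTEM-level Scheduled Task in the second) and the mshta → cmd → PowerShell → IEX chain from the second incident can both be surfaced with a read-only sweep of the persistence locations an attacker has to touch. The script below is an added example written for this article, not Huntress code: it enumerates Scheduled Task actions, Run/RunOnce values and the per-user UserInitMprLogonScript value, then flags any command line carrying the indirection markers discussed above. The token list is a constructed starting point, and checking only UserInitMprLogonScript for logon scripts is an assumption (Group Policy logon scripts live elsewhere).

```powershell
# Added example (not Huntress code). Read-only: nothing is modified.
# Run from an elevated PowerShell session so HKLM and all task folders are readable.

# Constructed list of markers that, inside a persistence entry, warrant review.
$SuspiciousTokens = @(
    'mshta', 'powershell', 'pwsh', 'cmd /c', 'cmd.exe /c',
    'iex', 'invoke-expression', 'downloadstring', 'downloadfile',
    'webclient', 'invoke-webrequest', 'http://', 'https://', 'bit.ly',
    '-enc', '-encodedcommand', '-w hidden', '-windowstyle hidden', '-nop'
)

# Returns the subset of markers found in a command line (case-insensitive).
function Get-IndirectionHits {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return @() }
    $lower = $CommandLine.ToLowerInvariant()
    return @($SuspiciousTokens | Where-Object { $lower.Contains($_) })
}

function Get-PersistenceFootholds {
    $results = New-Object System.Collections.Generic.List[object]

    # 1. Scheduled Tasks: Execute + Arguments of each action is what really runs,
    #    and Principal.UserId shows whether it runs as SYSTEM.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $results.Add([pscustomobject]@{
                Source  = 'ScheduledTask'
                Name    = "$($task.TaskPath)$($task.TaskName)"
                RunAs   = $task.Principal.UserId
                Command = $cmd
                Hits    = @(Get-IndirectionHits $cmd)
            })
        }
    }

    # 2. Run / RunOnce values (machine-wide and for the current user).
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $value = [string]$p.Value
            $results.Add([pscustomobject]@{
                Source  = 'RunKey'
                Name    = "$key\$($p.Name)"
                RunAs   = $(if ($key -like 'HKLM:*') { 'Machine' } else { $env:USERNAME })
                Command = $value
                Hits    = @(Get-IndirectionHits $value)
            })
        }
    }

    # 3. Per-user logon script: userinit.exe runs this value at every logon.
    #    Assumption: only this location is checked; GPO logon scripts are not covered.
    $envKey = Get-ItemProperty -Path 'HKCU:\Environment' -ErrorAction SilentlyContinue
    if ($envKey -and $envKey.UserInitMprLogonScript) {
        $value = [string]$envKey.UserInitMprLogonScript
        $results.Add([pscustomobject]@{
            Source  = 'LogonScript'
            Name    = 'HKCU:\Environment\UserInitMprLogonScript'
            RunAs   = $env:USERNAME
            Command = $value
            Hits    = @(Get-IndirectionHits $value)
        })
    }

    return $results
}

$all     = Get-PersistenceFootholds
$flagged = @($all | Where-Object { $_.Hits.Count -gt 0 })
"{0} persistence entries enumerated, {1} flagged for review" -f $all.Count, $flagged.Count
$flagged | Sort-Object { $_.Hits.Count } -Descending |
    Format-Table Source, Name, RunAs, @{ n = 'Hits'; e = { $_.Hits -join ',' } }, Command -Wrap
```

An entry like the second incident's task would surface with several hits at once (mshta, cmd /c, powershell, iex, http://) and RunAs of SYSTEM, which is the combination worth triaging first; a single hit such as a legitimate updater calling powershell.exe is common and is why the output ranks by hit count rather than alerting on any one marker.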

Curious what’s lurking in your networks?

Hundreds of IT Departments and Managed Service Providers use Huntress to discover the advanced attacks that evade their existing security investments. We offer a 21-day trial of Huntress for an unlimited number of computers. Simply deploy our agent, set up a reporting integration into your ticketing system, and we’ll deliver step-by-step remediation procedures for each compromised host we discover. When the trial ends, our team can remotely uninstall our agents with a single click (no extra cleanup). Contact sales[at]huntresslabs.com for demos and more details 🙂

Portal screenshot: Remediation recommendation created directly within ConnectWise’s Manage PSA.


