This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Detecting PoshC2 With Netwitness

bahrawey
New Contributor New Contributor
New Contributor

‎2024-10-22 02:46 PM

Introduction:

 

PoshC2, a powerful post-exploitation framework, has become a popular tool for adversaries to maintain persistence and execute various malicious activities within compromised networks. This blog post will delve into a simulated PoshC2 attack that traverses multiple MITRE ATT&CK tactics, from payload creation to establishing persistence. We will then explore how a Security Operations Center (SOC) analyst can effectively detect and mitigate such threats using Netwitness, leveraging its advanced capabilities in log analysis, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR).

 

Attack Scenario:

 

This blog post will examine a real-world scenario where a Security Operations Center (SOC) was alerted to suspicious encrypted traffic originating from an agent host and an unknown malicious IP address. Upon further investigation, it became evident that the host had already been compromised by a Command and Control (C2) attack. We will explore how Netwitness, with its advanced log analysis, Endpoint Detection and Response (EDR), and Network Detection and Response (NDR) capabilities, played a crucial role in detecting and mitigating this threat.

 

Red Team Tools:

  • PoshC2
  • Python3.12

Blue Team Tools:

  • Sysmon logs
  • Netwitness EDR
  • Netwitness NDR
  • VirusTotal

Link for resources:

 

 

 

Additional Considerations:

It is important to emphasize that this blog post is intended for educational purposes only. Any actions described in this post should not be attempted on unauthorized systems. Always adhere to ethical and legal guidelines when conducting security investigations.

The Attack:

              

bahrawey_0-1729622189379.png

Red Team Activity:

 

Resource Development

T1588.002: Obtain Capabilities: Tool

In this phase of the PoshC2 attack, the adversary focuses on acquiring the necessary tools and resources to establish and maintain persistence within the compromised environment. This aligns with the MITRE ATT&CK technique T1588.002.

A custom payload was crafted to connect to the attacker's machine via an encrypted HTTPS channel. PoshC2 offers a versatile range of payload options, including batch files, HTA files, and raw PowerShell commands, allowing attackers to select the most suitable delivery method based on the target environment and desired level of stealth.

For this lab, we utilized a batch file payload (payload.bat) as a representative example. The batch file contains the necessary instructions to establish the initial connection with the attacker's command and control server and execute subsequent malicious actions.

 

bahrawey_1-1729622217019.png

 

Delivery

T1189: Exploit Public-Facing Application: Web Server

The next phase of the attack involves delivering the malicious payload to the target system. This aligns with the MITRE ATT&CK technique T1189.

A straightforward delivery method was employed in this scenario. A web server was configured to host the payloads created in the previous step, making them accessible to potential victims. The attacker would then wait for unsuspecting users to visit the malicious website and download the infected file. This technique leverages the widespread use of web servers and the trust that users often place in online content to trick victims into executing malicious code.

 

bahrawey_2-1729622236315.png

 

  • Execution
  • T1204: Execute PowerShell Commands

 

  • Once the victim downloads and executes the malicious batch file, the attack enters the execution phase, aligning with the MITRE ATT&CK technique T1204.

 

The batch file immediately launches a PowerShell script that establishes communication with the attacker's machine. This communication channel is encrypted using base64 encoding to obfuscate the malicious activity and evade detection by security systems. The PowerShell script acts as a bridge between the compromised victim machine and the attacker's command and control server, enabling the adversary to remotely execute commands and maintain persistence.

 

 

bahrawey_3-1729622263753.png

 

 

Persistence

T1136.001: Create Accounts

 

To maintain long-term access to the compromised system, the attacker establishes persistence. This aligns with the MITRE ATT&CK technique T1136.001.

A local account named "backdoor" is created on the infected host. This account provides the attacker with a privileged backdoor into the system, allowing them to bypass authentication mechanisms and execute malicious commands even after the initial infection vector has been removed. The persistence mechanism ensures that the attacker can regain control of the compromised system at any time, making it difficult to eradicate the threat.

 

 

bahrawey_4-1729622280337.png

 

 

Detection:

 

  • An Incident was created Alerting that a possible C2 Beaconing is happening
  • Upon checking the alerts and investigating further, found that connection between local machine and other IP with fixed interval of 30 sec
  • A huge number of source port used with only 2 events for each port
  • It looks like malicious https traffic, seems like a keepalive behavior,

 

bahrawey_5-1729622299134.png

 

bahrawey_6-1729622307980.png

 

 

  • Lets collect all the logs related to attacker IP
  • After checking we found that all the events related to this ip has event id 3
  • This indicates network connection was established

 

bahrawey_7-1729622325320.png

 

 

 

  • Digging deeper into one of those events we noticed that the process source responsible for this connection is powershell with pid 9032
  • This connection is using port 443 as encrypted channel

 

bahrawey_8-1729622337557.png

 

 

  • Shifting our focus to powershell process to learn more about what maybe the command executed
  • Found that command was encoded by base64.
  • Let use Netwitness decode feature to understand further the command construction
  • After decode the command, It looks like this is double layer encoded command

 

bahrawey_9-1729622355471.png

 

 

  • For same event lets check the ppid responsible for starting powershell.
  • Cmd command was ran batch file named payload.bat
  • Checking the process behind running payload.bat, found that explorer.exe
  • It seems that user intentionally executed the batch file

 

bahrawey_10-1729622371825.png

 

 

  • Tracing payload.bat to have the full picture of the source of this incident
  • Found that payload.bat was downloaded by msedge

 

bahrawey_11-1729622386292.png

 

 

NDR

 

Analyzing NDR to check the web traffic as we can learn more about the source of this payload.bat.

 

  • We can see the GET request towards the web server where the payload.bat was downloaded
  • It seems like there were another maliocues files hosted on the same web server
  • Also there was anther GET request to download one of those files to this machine
  • After investigating it seems that the other maliouce file downloaded was not executed

 

bahrawey_12-1729622401583.png

 

bahrawey_13-1729622407639.png

 

 

bahrawey_14-1729622416080.png

 

EDR

 

  • Switching to EDR to have more information of the process tree of this incident
  • Starting from explorer.exe which executed the powershell command

 

bahrawey_15-1729622435564.png

 

 

  • Focusing on CMD.exe to list all the processes that it ran
  • We found that 2 main processes powershell & conhost
  • This is mainly the first process ran after executing the payload.bat
  • After selecting the cmd.exe we can indeed see that it was executing the main powershell command ran.

 

bahrawey_16-1729622447662.png

 

  • Skipping conhost as we already know that communication channel was established
  • We can move to powershell process to learn more about what commands that maybe executed during this channel
  • It seems that attacker gained ran some commands to gain more information of his current privilege such as whoami, net user …etc
  • Also it seems that they created a new user account named backdoor, and assigned this user account administrator privilege

 

bahrawey_17-1729622465779.png

 

 

  • Switching to EDR host alerts to verify the previous findings
  • Found many alerts sourced by powershell process, such as creating user, enumeration of local groups …etc

 

bahrawey_18-1729622481078.png

 

  • Utilize EDR feature to lookup payload.bat on virustotal
  • We couldn’t find any similar files with same hash

 

bahrawey_19-1729622507225.png

 

 

  • Moving to eradication part, lets connect to the infected machine
  • Confirm the payload.bat is still present and remove it
  • Confirm powershell process is running and kill it
  • Remove the backdoor account created
  • Keep this machine under close monitoring
  • Update SOC playbook with the incident artifacts

 

bahrawey_20-1729622528797.png

 

bahrawey_21-1729622528801.png

 

bahrawey_22-1729622528802.png

 

 

Attack timeline:

  • User Downloaded payload.bat and another malicious file using msedge
  • After downloading the execution was done by explorer.exe (manual execution)
  • After bat file was executed powershell started running encoded commands
  • This series of commands seems to be C2 connection.
  • Those commands resulted in creating new account called backdoor with admin privileges

 

Conclusion:

This case study demonstrates the effectiveness of utilizing multiple data sources for comprehensive threat investigation and confirmation. By combining log analysis, EDR, and NDR capabilities within Netwitness, security teams can gain a deeper understanding of malicious activities and respond more effectively to incidents like PoshC2 attacks.

0 Likes
0 REPLIES 0
© 2022 RSA Security LLC or its affiliates. All rights reserved.