Detecting LOLBAS tactics with the RSA NetWitness Platform - Regasm/Regsvcs

MarcoMeli
2021-06-15 05:24 AM

What are LOLBAS tactics?

As I wrote in a previous article, Detecting Living-Off-The-Land tactics with the RSA NetWitness Platform, about mshta.exe, LOLBAS (Living Off The Land Binaries and Scripts) tactics are those that involve the use of legitimate Windows tools for malicious purposes. This is an old concept but a recent growing trend among threat actors, because these types of techniques are very difficult to detect considering that the tools used are whitelisted most of the time. A good list of applications that can be used for these types of tactics can be found at LOLBAS (Windows) and GTFOBins (UNIX).

Intro

Although Regasm and Regsvcs are very similar and can both be leveraged for the same purpose, Regasm.exe (https://lolbas-project.github.io/lolbas/Binaries/Regasm/) will be studied in this demo. As we will see, adversaries can proxy execution of code through these trusted Windows utilities to perform malicious activities. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft (https://attack.mitre.org/techniques/T1218/009/).

Scenario

The attackers build a phishing campaign where they mass-distribute emails with an MS Word attachment containing macro code which calls a remote malicious payload.

The document is disguised as an invoice:

MarcoMeli_0-1623058628550.png

The victim, curious about the invoice, opens the attachment:

MarcoMeli_1-1623058695364.png

The victim does not see any content and therefore decides to click on "Enable Content", which will eventually trigger the payload.

The payload is a meterpreter DLL which resides on a remote HTTP/WebDAV server and is executed through Regasm.exe. Once it is executed, the attackers receive a reverse meterpreter HTTPS session on the victim machine, which becomes part of the attackers' C2:

MarcoMeli_0-1623244918052.png

MarcoMeli_2-1623244935875.png

As shown above, some meterpreter enumeration commands are launched: sysinfo, ipconfig, getuid, ps.

Detection with NetWitness

The traditional approach has been for companies to focus mainly on preventive controls such as firewalls, IPSs, anti-virus, and the like. Malware is constantly evolving and is already able to get around these types of measures. This is why today it is vital to adopt an Assume-Breach approach, where you accept and plan for WHEN, not IF, an attack will happen in your environment.

Following this concept, the analyst starts the hunting session assuming the environment has been compromised. Specifically, the analyst assumes the traffic generated by the attack in question is blending in with the HTTPS protocol.

Using NetWitness Network, the analyst applies the filter "service=443" and performs an investigation:

MarcoMeli_3-1623245070149.png

Since the payload is nearly all ciphertext, the SSL CA and SSL Subject are the only places to go digging into SSL/TLS. Interesting metadata is observed within the Service Analysis and Session Analysis meta keys, which could be a sign of something fishy going on.

Details on these meta keys can be found in our hunting guide here: https://community.rsa.com/t5/rsa-netwitness-platform-threat/rsa-netwitness-hunting-guide/ta-p/564743.

Let's quickly review some of them:

  • hostname consecutive consonants: a regex looking for five or more consecutive consonants or numerals, or two groups of four consecutive consonants or numerals; useful for discovering a DGA (domain generation algorithm).
  • ssl certificate missing subject organizational name: the Subject section of a certificate does not have an ON attribute. Could indicate the presence of certificates programmatically generated by malware.
  • tunnel service: may indicate tunnel services are being used.
  • first carve not dns: indicates non-DNS sessions that had a payload, originated from within the organization, and whose destination was the internet.
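The four meta keys above can be modelled as a small session triage script. The following is an added example written for this article, not NetWitness code: it re-implements the consonant/numeral regex from the hunting guide, the missing-O subject check, a tunnel-suffix list built from the two providers named in this write-up, and the internal-to-internet non-DNS check, then stacks them so that a session like the ngrok one stands out. The record layout, the RFC 1918 definition of "internal" and the request/response threshold are assumptions.

```python
import ipaddress
import re

# Consonant-or-numeral character class behind the "hostname consecutive consonants" meta
CONS = r"[b-df-hj-np-tv-z0-9]"
DGA_RE = re.compile(rf"{CONS}{{5}}|(?:{CONS}{{4}}.*){{2}}", re.IGNORECASE)
# Tunnel providers that appear in this write-up; extend with your own list
TUNNEL_SUFFIXES = ("ngrok.io", "pagekite.me")
# "Originated from within the organization" is modelled as RFC 1918 space here (assumption)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def hostname_consecutive_consonants(host: str) -> bool:
    """Five+ consecutive consonants/numerals, or two runs of four (DGA heuristic)."""
    return DGA_RE.search(host) is not None

def triage(session: dict) -> list:
    """Return the hunting indicators that fire for one session record."""
    host, hits = session["alias_host"], []
    if hostname_consecutive_consonants(host):
        hits.append("hostname consecutive consonants")
    subject = session.get("ssl_subject")  # None for non-TLS sessions
    if subject is not None and "O" not in subject:
        hits.append("ssl certificate missing subject organizational name")
    if host.endswith(TUNNEL_SUFFIXES):
        hits.append("tunnel service")
    if (session["payload"] > 0 and session["service"] != 53
            and is_internal(session["ip_src"]) and not is_internal(session["ip_dst"])):
        hits.append("first carve not dns")
    if session["req_resp_pairs"] >= 50:  # constructed threshold for "many request/response pairs"
        hits.append("many request/response pairs")
    return hits

def suspicious_sessions(sessions: list, min_hits: int = 3) -> list:
    """Keep only the ids of sessions on which at least min_hits indicators stack up."""
    return [s["id"] for s in sessions if len(triage(s)) >= min_hits]

# Constructed session records in the spirit of the screenshots; not NetWitness exports
SESSIONS = [
    {"id": 1, "ip_src": "192.168.16.179", "ip_dst": "203.0.113.25", "service": 443,
     "alias_host": "3fa2825bf3f0.ngrok.io", "ssl_subject": {"CN": "3fa2825bf3f0.ngrok.io"},
     "payload": 40960, "req_resp_pairs": 212},
    {"id": 2, "ip_src": "192.168.16.179", "ip_dst": "198.51.100.7", "service": 443,
     "alias_host": "www.microsoft.com",
     "ssl_subject": {"CN": "www.microsoft.com", "O": "Microsoft Corporation"},
     "payload": 12000, "req_resp_pairs": 2},
    {"id": 3, "ip_src": "192.168.16.179", "ip_dst": "192.168.16.1", "service": 53,
     "alias_host": "wpad.corp.local", "payload": 80, "req_resp_pairs": 1},
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(s["id"], s["alias_host"], triage(s))
    print("suspicious:", suspicious_sessions(SESSIONS))
```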

Filtering on the above metadata the analyst reduces the traffic quite significantly:

MarcoMeli_1-1623246970742.png

The sessions obtained all look very similar: they have the same source IP/hostname (192.168.16.179/WinEP1) and the same destination hostname (3fa2825bf3f0.ngrok.io), although the destination IP varies. Each session contains a large number of Request/Response pairs, indicating potential C2 communication. This is also backed by the fact that ngrok.io is a popular tunneling service often (ab)used within the hacking community.

MarcoMeli_3-1623248362626.png

Additionally, because the NetWitness Endpoint agent is installed on the host that initiated the communication (WinEP1), the analyst gets information about a process (RegAsm.exe) and a user name (user) being used within the same session.

Moving to the "Host" tab the analyst is able to get more information related to the endpoint:

MarcoMeli_2-1623251614846.png

and by clicking on the graph symbol next to the process, the whole process chain is shown:

MarcoMeli_3-1623251814177.png

It is clear from the above picture that winword.exe (MS Word) was opened from outlook.exe (MS Outlook), which triggered RegAsm.exe, which in turn executed a DLL (regsvcs.dll) located remotely at simulation.pagekite.me.

From the same page, the event view section shows more details. The MS Word document that triggered the DLL via RegAsm.exe is invoice-27899.doc:

MarcoMeli_6-1623254138928.png

Further investigating with NetWitness Endpoint in the same time frame, the analyst notices that the "run rundll32 with http argument" metadata is populated under the Behavior of Compromise meta key:

MarcoMeli_0-1623254774461.png

This shows that, when RegAsm.exe invoked regsvcs.dll, under the hood the WebClient service (svchost.exe -k LocalService -p -s WebClient) created the davclnt.dll process, which then executed the remote DLL.

The WebClient service is responsible for the communication with the remote location, which is an HTTP/WebDAV server:

 

MarcoMeli_1-1623256192996.png

Digging into other Endpoint sessions the analyst confirms:

  • svchost.exe making a connection to the site where the DLL resides from WinEP1

MarcoMeli_3-1623256757618.png

  • RegAsm.exe making a connection to the ngrok site:

MarcoMeli_2-1623256686216.png

  • svchost.exe writing the DLL on disk on a temp directory:

MarcoMeli_4-1623256853095.png

Although the analyst could not see the content of the communication, as it is encrypted, it is pretty clear that this is something out of place and the behavior looks similar to other C2 infections. The analyst then decides to isolate the affected host from the network:

MarcoMeli_0-1623317555837.png

 

Despite the fact that the "run rundll32 with http argument" metadata was populated under the Behavior of Compromise meta key and eventually pointed the analyst in the right direction, the following App Rule would help detect execution of remote DLLs via RegAsm faster:

MarcoMeli_0-1623747884169.png

 

This would be the result:

MarcoMeli_1-1623336273282.png

MarcoMeli_2-1623336334052.png
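The logic behind such an App Rule, and the process-chain view from the Host tab, can be expressed over endpoint process-creation events. The script below is an added example written for this article, not NetWitness rule syntax or product code: it flags Regasm/Regsvcs launched with a URL or UNC/WebDAV path as argument, flags the Office-parent case seen in the chain above, and walks pid/ppid links to render the chain. The event records, meta key names (filename.src, filename.dst, param.dst, action) and rule names are assumptions.

```python
import re

# Binaries and parent applications this write-up is about; extend as needed
LOLBAS = {"regasm.exe", "regsvcs.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# An argument pointing at a URL or a UNC/WebDAV path rather than a local file
REMOTE_ARG = re.compile(r"https?://|\\\\[^\\]+\\", re.IGNORECASE)

def classify(event: dict) -> list:
    """Return the names of the (hypothetical) app rules a process event matches."""
    if event.get("action") != "createProcess":
        return []
    child, parent = event["filename.dst"].lower(), event["filename.src"].lower()
    args = event.get("param.dst", "")
    rules = []
    if child in LOLBAS and REMOTE_ARG.search(args):
        rules.append("regasm/regsvcs executes remote dll")
    if child in LOLBAS and parent in OFFICE_PARENTS:
        rules.append("office application spawns regasm/regsvcs")
    return rules

def process_chain(events: list, pid: int) -> str:
    """Walk pid -> ppid links and render the chain the Host view draws as a graph."""
    by_pid = {e["pid"]: e for e in events if e.get("action") == "createProcess"}
    names, last = [], None
    while pid in by_pid:
        last = by_pid[pid]
        names.append(last["filename.dst"])
        pid = last["ppid"]
    if last is not None:              # the root's parent only appears as filename.src
        names.append(last["filename.src"])
    return " > ".join(reversed(names))

# Constructed endpoint events mirroring the screenshots; meta key names are assumptions
EVENTS = [
    {"action": "createProcess", "pid": 100, "ppid": 1, "filename.src": "explorer.exe",
     "filename.dst": "outlook.exe", "param.dst": ""},
    {"action": "createProcess", "pid": 200, "ppid": 100, "filename.src": "outlook.exe",
     "filename.dst": "WINWORD.EXE", "param.dst": r'"C:\Users\user\AppData\Local\Temp\invoice-27899.doc"'},
    {"action": "createProcess", "pid": 300, "ppid": 200, "filename.src": "WINWORD.EXE",
     "filename.dst": "RegAsm.exe", "param.dst": r"\\simulation.pagekite.me\share\regsvcs.dll"},
    {"action": "createProcess", "pid": 400, "ppid": 50, "filename.src": "devenv.exe",
     "filename.dst": "RegAsm.exe", "param.dst": r"C:\build\MyComponent.dll /codebase"},
]

if __name__ == "__main__":
    for e in EVENTS:
        if classify(e):
            print(process_chain(EVENTS, e["pid"]), "->", classify(e))
```

The fourth event (a developer's Visual Studio registering a local assembly) is the benign baseline that keeps the remote-path condition from firing on every RegAsm launch.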

 

 

Post Detection Activities

The attachment file can be requested by the analyst for further investigation. Tools such as ViperMonkey can be used to extract and de-obfuscate macros from the Word document:

MarcoMeli_1-1623320449673.png

MarcoMeli_0-1623320384022.png

The above picture shows an obfuscated macro which does not make much sense. Below, however, we see the final result with the de-obfuscated content:

MarcoMeli_2-1623320548803.png

 

Similarly, the analyst can request the DLL and perform additional malware analysis where required:

MarcoMeli_3-1623320653246.png

MarcoMeli_0-1623320957072.png

 

Conclusion

To be able to identify anomalies, analysts must learn what regular traffic looks like within their environments. It is also imperative to properly understand how major protocols such as HTTP and SSL/TLS work in order to be able to establish the presence of the programmatic and structured behavior typical of malware. The NetWitness Hunting Guide is a great starting point.

It is important to note the synergy of NetWitness Network and Endpoint when used together and the advantages they provide. NetWitness Network helped identify the potential C2 communication, but the integration with Endpoint allowed the analyst to instantly detect the LOLBAS tactic, drastically reducing the response time.


  • dfir
  • EDR
  • ir
  • LOLBAS
  • Netwitnes Endpoint
  • threat hunting