[DFIR Report translation] Quantum Ransomware
2023-05-05 08:02:41 Author: Desync InfoSec

Summary

This is the fastest ransomware intrusion we have encountered: the threat actor went from initial access to domain-wide ransomware deployment in roughly 4 hours. The perimeter was breached by delivering IcedID malware through a phishing email. Below are other cases we have handled in which ransomware groups used IcedID at the initial-access stage:

  • XingLocker – 24 hours from IcedID deployment to XingLocker ransomware

  • Conti – Conti ransomware following a "stolen images" phishing campaign

  • REvil – Sodinokibi (aka REvil) ransomware

About 2 hours after the IcedID malware executed, the threat actor began hands-on-keyboard activity: deploying Cobalt Strike, moving laterally over RDP, and deploying Quantum ransomware with WMI and PsExec. The time from initial access to ransomware deployment was only 3 hours 44 minutes.

Technical Summary

The threat actor gained access to a user workstation by delivering an ISO image containing the IcedID malware. We suspect the ISO arrived via a phishing email, but we have no evidence of this. The ISO contained a DLL and an LNK shortcut that runs it. When the user double-clicked the ISO image, only a shortcut named "document" was visible; double-clicking the shortcut executed the DLL.

Once the IcedID DLL executed, it ran a series of discovery tasks, including the Windows commands ipconfig, systeminfo, nltest, net and chcp, and created a scheduled task for persistence.

About 2 hours later, the threat actor loaded a Cobalt Strike payload using a sacrificial process and process injection, and hands-on activity began: a batch script named ns.bat invoked AdFind to enumerate the domain controller structure of the network. The threat actor then used Cobalt Strike to access LSASS process memory and steal logon credentials. A few minutes later they attempted remote WMI execution against a server for network discovery. Once the stolen credentials worked over WMI, the threat actor logged into the server via RDP and tried to deploy a Cobalt Strike DLL payload. That execution failed, so they opened a cmd prompt and ran PowerShell to load a Cobalt Strike payload, which connected to the C2 server successfully.

Over the following hour, the threat actor logged into several more servers via RDP. Upon reaching the domain controller, they began transferring a ransomware binary named ttsel.exe over the C$ share and ran it using both WMI and PsExec. The whole intrusion took less than 4 hours.

Although the ransomware group claimed to have stolen data, we found no evidence of data exfiltration. We cannot, however, rule out that the threat actor transferred sensitive files out through IcedID or Cobalt Strike.

Timeline

Attack Path Analysis

Initial Access

The threat actor delivered, via phishing email, an ISO image named docs_invoice_173.iso containing the IcedID malware. Event ID 12 in the Microsoft-Windows-VHDMP-Operational.evtx log confirms that the user mounted the virtual disk.

After mounting the ISO, two files are available:

  • document.lnk

  • dar.dll (hidden by default)

What a normal user sees after opening it:

The shortcut document.lnk executes the IcedID DLL.

Execution

The target and launch command of the document.lnk shortcut are as follows:

C:\Windows\System32\rundll32.exe dar.dll,DllRegisterServer

With the LECmd.exe tool we can extract more information from the LNK file, such as the creator's MAC address and computer name.

Event ID 4663 logs let us determine when the user double-clicked document.lnk, triggering the command above and the resulting process creation.

The Sysmon log records the executable's launch command, file path and related details.

This process quickly spawned many child processes for persistence and network discovery.

These included creating C:\Windows\SysWOW64\cmd.exe as a sacrificial process into which the Cobalt Strike payload was injected. Several behavioural fingerprints of the attacker were present: the cmd.exe process spawned rundll32.exe, and rundll32.exe created a named pipe called postex_304a. The combination of rundll32.exe and a pipe matching postex_[0-9a-f]{4} is the default behaviour of Cobalt Strike 4.2 and later. For more information see the Cobalt Strike Defender's Guide.

By analysing process memory we can parse the Cobalt Strike beacon configuration. The threat actor also used a PowerShell form of the Cobalt Strike payload on other servers, shown below:

The payload uses Cobalt Strike's default XOR 35 encoding and can be decoded with CyberChef:
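The same recipe CyberChef performs here (base64-decode, then XOR every byte with 35) can be scripted for bulk triage. This Python example is added here and is not from the original report; the stager one-liner it parses is constructed in the common Cobalt Strike PowerShell shape, and its base64 blob is a made-up sample, not the payload recovered in the case.

```python
import base64
import re

# Constructed sample modelled on the usual Cobalt Strike PowerShell stager:
# a base64 blob is decoded and every byte is XORed with 35 (0x23).
# The blob is constructed for this example, not the case's real payload.
SAMPLE_STAGER = (
    "$var_code = [System.Convert]::FromBase64String('38uqIyMjQ6rG');"
    "for ($x = 0; $x -lt $var_code.Count; $x++) {"
    "$var_code[$x] = $var_code[$x] -bxor 35 }"
)

XOR_KEY_RE = re.compile(r"-bxor\s+(\d+)", re.IGNORECASE)
B64_RE = re.compile(
    r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.IGNORECASE
)


def extract_xor_key(ps_text, default=35):
    """Return the -bxor key used by the one-liner; fall back to the
    Cobalt Strike default of 35 when the loop is not present."""
    m = XOR_KEY_RE.search(ps_text)
    return int(m.group(1)) if m else default


def extract_blob(ps_text):
    """Return the decoded FromBase64String(...) argument as raw bytes."""
    m = B64_RE.search(ps_text)
    if not m:
        raise ValueError("no FromBase64String(...) argument found")
    return base64.b64decode(m.group(1))


def xor_decode(data, key):
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def decode_stager(ps_text):
    """Recover the raw shellcode: base64 decode, then XOR with the parsed key."""
    return xor_decode(extract_blob(ps_text), extract_xor_key(ps_text))


def shellcode_prologue(data):
    """Heuristic classification of the first bytes, the same place scdbg
    starts emulating: cld;call is the x86 stager prologue, cld;REX.W the x64 one."""
    if data[:2] == b"\xfc\xe8":
        return "x86"
    if data[:2] == b"\xfc\x48":
        return "x64"
    return "unknown"


if __name__ == "__main__":
    code = decode_stager(SAMPLE_STAGER)
    print(f"key={extract_xor_key(SAMPLE_STAGER)} len={len(code)} "
          f"arch={shellcode_prologue(code)} head={code[:6].hex()}")
```

The decoded bytes can then be handed to scdbg, as the next step of the analysis does.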

Using scdbg we can trace the Windows API calls the shellcode makes as it executes:

The threat actor attempted to execute the uploaded p227.dll, but it failed for unknown reasons. The PowerShell payload was then run successfully.

Persistence

After the initial execution of the IcedID malware, it created a copy of itself (Ulfefi32.dll) in the AppData directory and registered a scheduled task that runs every hour. The task \kajeavmeva_{B8C1A6A8-541E-8280-8C9A-74DF5295B61A} was created with the following action:

Defense Evasion

On one compromised host we observed IcedID and Cobalt Strike using process injection, with winlogon as the target process.

The Cobalt Strike processes were identified by YARA scanning:

{
  "Pid": 7248,
  "ProcessName": "cmd.exe",
  "CommandLine": "C:\\Windows\\SysWOW64\\cmd.exe",
  "Detection": [
    "win_cobalt_strike_auto",
    "cobaltstrike_beacon_4_2_decrypt"
  ]
}
{
  "Pid": 584,
  "ProcessName": "winlogon.exe",
  "CommandLine": "winlogon.exe",
  "Detection": [
    "win_cobalt_strike_auto",
    "cobaltstrike_beacon_4_2_decrypt"
  ]
}
{
  "Pid": 5712,
  "ProcessName": "powershell.exe",
  "CommandLine": "\"c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" -Version 5.1 -s -NoLogo -NoProfile",
  "Detection": [
    "win_cobalt_strike_auto",
    "cobaltstrike_beacon_4_2_decrypt"
  ]
}

With Volatility we found memory regions in the winlogon process whose protection had been changed to PAGE_EXECUTE_READWRITE, and MZ headers inside the process memory, both consistent with process injection.

Process logs also show the outbound network connections initiated by Cobalt Strike.

Credential Access

We found the threat actor dumping LSASS process memory in two ways: with Windows Task Manager and from rundll32.exe (the Cobalt Strike process), as shown below:

The threat actor obtained credentials and moved laterally within the AD domain.

Discovery

During the execution phase, IcedID automatically ran the following commands to collect information:

  • cmd.exe /c chcp >&2

  • WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List

  • ipconfig /all

  • systeminfo

  • net config workstation

  • nltest /domain_trusts

  • nltest /domain_trusts /all_trusts

  • net view /all /domain

  • net view /all

  • net group "Domain Admins" /domain

The threat actor dropped the following files into C:\Windows\Temp and executed the batch script from cmd:

  • 7.exe (7zip)

  • adfind.exe (AdFind)

  • adfind.bat (shown below)

The threat actor used the AD enumeration tool AdFind to collect domain users, computers, subnets and other information. The file ad.7z is the archived output of the AdFind commands above. Afterwards, an additional batch script, ns.bat, was created; it used nslookup to enumerate every hostname in the domain and resolve each host's IP address.

Before the first lateral movement from the beachhead host, the threat actor used WMI to test the credentials and collect information from the target remote server:

C:\Windows\system32\cmd.exe, /C, wmic, /node:X.X.X.X, /user:administrator, /password:*****, os, get, caption

Lateral Movement

Remote Desktop Protocol

The threat actor used RDP to move laterally to key hosts, in particular connecting to multiple machines over RDP with an administrator account. The RDP connections in this intrusion were initiated from a workstation named TERZITERZI. See the screenshot below:

The threat actor proxied through the beachhead host, as shown by the RDP connections originating from the Cobalt Strike process.

WMI

Throughout the intrusion, the threat actor also used WMIC for lateral activity, running commands remotely with WMIC commands beginning with /node:<IP address>, both for remote discovery and to launch the ransomware remotely.

PsExec

PsExec was used to launch the ransomware remotely. The threat actor used PsExec's -r option to set a custom name (mstdc) for the remote service created on the target host (PSEXESVC by default).

Command and Control

IcedID

Throughout the intrusion we observed dar.dll connecting to the following domains and IPs:

  • dilimoretast[.]com

  • 138[.]68.42.130:443

    JA3: a0e9f5d64349fb13191bc781f81f42e1
    JA3S: ec74a5c51106f0419184d0dd08fb05bc
    Certificate: [3e:f4:e9:d6:3e:47:e3:ce:51:2e:2a:91:e5:48:41:54:5e:53:54:e2]
    Not Before: 2022/03/22 09:34:53 UTC
    Not After: 2023/03/22 09:34:53 UTC
    Issuer Org: Internet Widgits Pty Ltd
    Subject Common: localhost
    Subject Org: Internet Widgits Pty Ltd
    Public Algorithm: rsaEncryption

  • antnosience[.]com

  • 157[.]245.142.66:443

    JA3: a0e9f5d64349fb13191bc781f81f42e1
    JA3S: ec74a5c51106f0419184d0dd08fb05bc
    Certificate: [0c:eb:c1:4b:0d:a1:b6:9d:7d:60:ed:c0:30:56:b7:48:10:d1:b1:6c]
    Not Before: 2022/03/19 09:22:57 UTC
    Not After: 2023/03/19 09:22:57 UTC
    Issuer Org: Internet Widgits Pty Ltd
    Subject Common: localhost
    Subject Org: Internet Widgits Pty Ltd
    Public Algorithm: rsaEncryption

  • oceriesfornot[.]top

  • 188[.]166.154.118:80

Cobalt Strike

  • 185.203.118[.]227

  • Watermark: 305419776

    JA3: 72a589da586844d7f0818ce684948eea
    JA3S: f176ba63b4d68e576b5ba345bec2c7b7
    Certificate: [72:a1:ac:20:97:a0:cb:4f:b5:41:db:6e:32:fb:f5:7b:fd:43:9b:4b]
    Not Before: 2022/03/21 22:16:04 UTC
    Not After: 2023/03/21 22:16:04 UTC
    Issuer Org: Google GMail
    Subject Common: gmail.com
    Subject Org: Google GMail
    Public Algorithm: rsaEncryption

Exfiltration

Although the ransomware group claimed to have stolen data, we found no evidence of data exfiltration. We cannot, however, rule out that the threat actor transferred sensitive files out through IcedID or Cobalt Strike.

Impact

In under four hours the threat actor reached their final objective: domain-wide ransomware deployment. From one of the domain controllers, they used PsExec and WMI to run the ransomware remotely on the other hosts in the domain.

The threat actor first copied the ransomware binary ttsel.exe to the C$ share of each target host:

C:\Windows\system32\cmd.exe /K copy ttsel.exe \\<IP>\c$\windows\temp\

They used PsExec's -r option to set a custom name ("mstdc") for the remote service created on the target host (PSEXESVC by default):

psexec.exe  \\<IP ADDRESS> -u <DOMAIN>\Administrator -p "<PASSWORD>" -s -d -h -r mstdc -accepteula -nobanner c:\windows\temp\ttsel.exe

As a result, the file C:\Windows\mstdc.exe was created on the target host when PsExec ran.

The threat actor's fallback was a WMI call to start the process remotely on the target host:

wmic /node:"<IP ADDRESS>" /user:"<DOMAIN>\Administrator" /password:"<PASSWORD>" process call create "cmd.exe /c c:\windows\temp\ttsel.exe"
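Taken together, the behavioural indicators in this report (the rundll32.exe postex_[0-9a-f]{4} pipe from the Execution section, the PsExec -r custom service name, and WMIC /node remote process creation) can be triaged from process and pipe telemetry. This Python example is added here and is not the report's own code; the event records are constructed in the shape of Sysmon pipe-created and process-created events, keeping the <IP>/<DOMAIN>/<PASSWORD> placeholders exactly as the report prints the attacker's commands.

```python
import re

# Constructed sample events modelled on the evidence described in the report.
# Values are illustrative, not the case's real log records.
SAMPLE_EVENTS = [
    {"type": "pipe_created", "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "pipe": r"\postex_304a"},
    {"type": "pipe_created", "image": r"C:\Windows\System32\lsass.exe",
     "pipe": r"\lsass"},
    {"type": "process_created", "image": r"C:\Windows\Temp\psexec.exe",
     "command_line": r'psexec.exe \\<IP> -u <DOMAIN>\Administrator '
                     r'-p "<PASSWORD>" -s -d -h -r mstdc -accepteula -nobanner '
                     r"c:\windows\temp\ttsel.exe"},
    {"type": "process_created", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r'wmic /node:"<IP>" /user:"<DOMAIN>\Administrator" '
                     r'/password:"<PASSWORD>" process call create '
                     r'"cmd.exe /c c:\windows\temp\ttsel.exe"'},
    # IcedID's local AV query: /Node:localhost and no "process call create",
    # so it must not be reported as remote execution.
    {"type": "process_created", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 "
                     r"Path AntiVirusProduct Get * /Format:List"},
]

# Cobalt Strike 4.2+ default post-exploitation pipe: postex_ + four hex digits.
POSTEX_PIPE = re.compile(r"^\\postex_[0-9a-f]{4}$", re.IGNORECASE)
# PsExec "-r <name>" overrides the default PSEXESVC service name.
PSEXEC_R = re.compile(r"(?:^|\s)-r\s+(\S+)", re.IGNORECASE)
# wmic /node:<target> ... process call create = remote process launch.
WMIC_NODE = re.compile(r'/node:\s*"?([^\s"]+)', re.IGNORECASE)
LOCAL_NODES = {"localhost", "127.0.0.1", "."}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_pipe(ev):
    if POSTEX_PIPE.match(ev["pipe"]):
        return ("cobalt_strike_postex_pipe",
                f'{basename(ev["image"])} created pipe {ev["pipe"]}')
    return None


def check_process(ev):
    image, cmd = basename(ev["image"]), ev["command_line"]
    if image.startswith("psexec"):
        m = PSEXEC_R.search(cmd)
        if m and m.group(1).upper() != "PSEXESVC":
            # The service binary lands as C:\Windows\<name>.exe on the target.
            return ("psexec_custom_service_name",
                    f"service {m.group(1)}; expect C:\\Windows\\{m.group(1)}.exe")
    if image == "wmic.exe":
        m = WMIC_NODE.search(cmd)
        if (m and m.group(1).lower() not in LOCAL_NODES
                and "process call create" in cmd.lower()):
            return ("wmic_remote_process_create",
                    f"remote process creation against {m.group(1)}")
    return None


def triage(events):
    """Return one (rule_name, detail) tuple per event that matches a rule."""
    findings = []
    for ev in events:
        hit = check_pipe(ev) if ev["type"] == "pipe_created" else check_process(ev)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```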

Quantum ransomware then began encrypting files on every host in the domain and dropped the ransom note README_TO_DECRYPT.html.

The Quantum ransom note provides a unique identifier that serves as the password for the online chat.

The chat window after a successful login:

Diamond Model

IoCs


Cobalt Strike

C2/IP: 185.203.118[.]227:443

Watermark: 305419776


ET MALWARE Observed Malicious SSL Cert (Fake Gmail Self Signed - Possible Cobalt Stirke)

ET POLICY SMB2 NT Create AndX Request For an Executable File In a Temp Directory

ET MALWARE Win32/IcedID Request Cookie

ET POLICY PE EXE or DLL Windows file download HTTP

ET POLICY PsExec service created

ET RPC DCERPC SVCCTL - Remote Service Control Manager Access

ET POLICY SMB2 NT Create AndX Request For an Executable File

ET DNS Query to a *.top domain - Likely Hostile

ET INFO HTTP Request to a *.top domain

ET POLICY SMB Executable File Transfer

https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/PSEXEC%20Custom%20Named%20Service%20Binary

https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/CHCP%20CodePage%20Locale%20Lookup

https://github.com/SigmaHQ/sigma/blob/071bcc292362fd3754a2da00878bba4bae1a335f/rules/windows/process_creation/proc_creation_win_ad_find_discovery.yml

https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_trust_discovery.yml

https://github.com/SigmaHQ/sigma/blob/dfdaecc52ca385c66d1b16971ce867e81bdce82e/rules/windows/pipe_created/pipe_created_psexec_pipes_artifacts.yml

https://github.com/SigmaHQ/sigma/blob/625f05df3c477c4cd7a22e2a7a19742615da1eb5/rules/windows/file/file_event/file_event_win_tool_psexec.yml

https://github.com/SigmaHQ/sigma/blob/c5263039ae6e28a09192b4be2af40fea59a06b08/rules/windows/process_creation/proc_creation_win_wmic_remote_command.yml

https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_wmi_execution.yml

https://github.com/SigmaHQ/sigma/blob/7f490d958aa7010f7f519e29bed4a45ecebd152e/rules/windows/process_creation/proc_creation_win_susp_powershell_enc_cmd.yml

https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_susp_systeminfo.yml

https://github.com/SigmaHQ/sigma/blob/d459483ef6bb889fb8da1baa17a713a4f1aa8897/rules/windows/file_event/file_event_win_iso_file_recent.yml

https://github.com/SigmaHQ/sigma/blob/8bb3379b6807610d61d29db1d76f5af4840b8208/rules/windows/process_creation/proc_creation_win_rundll32_not_from_c_drive.yml

https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/builtin/security/win_iso_mount.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/proc_creation_win_susp_copy_lateral_movement.yml

/*
   YARA Rule Set
   Author: The DFIR Report
   Date: 2022-04-24
   Identifier: Quantum Case 12647
   Reference: https://thedfirreport.com
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule docs_invoice_173 {
    meta:
        description = "IcedID - file docs_invoice_173.iso"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-04-24"
        hash1 = "5bc00ad792d4ddac7d8568f98a717caff9d5ef389ed355a15b892cc10ab2887b"
    strings:
        $x1 = "dar.dll,DllRegisterServer!%SystemRoot%\\System32\\SHELL32.dll" fullword wide
        $x2 = "C:\\Windows\\System32\\rundll32.exe" fullword ascii
        $s3 = "C:\\Users\\admin\\Desktop\\data" fullword wide
        $s4 = "Desktop (C:\\Users\\admin)" fullword wide
        $s5 = "AppPolicyGetProcessTerminationMethod" fullword ascii
        $s6 = "1t3Eo8.dll" fullword ascii
        $s7 = ")..\\..\\..\\..\\Windows\\System32\\rundll32.exe" fullword wide
        $s8 = "DAR.DLL." fullword ascii
        $s9 = "dar.dll:h" fullword wide
        $s10 = "document.lnk" fullword wide
        $s11 = "DOCUMENT.LNK" fullword ascii
        $s12 = "6c484a379420bc181ea93528217b7ebf50eae9cb4fc33fb672f26ffc4ab464e29ba2c0acf9e19728e70ef2833eb4d4ab55aafe3f4667e79c188aa8ab75702520" ascii
        $s13 = "03b9db8f12f0242472abae714fbef30d7278c4917617dc43b61a81951998d867efd5b8a2ee9ff53ea7fa4110c9198a355a5d7f3641b45f3f8bb317aac02aa1fb" ascii
        $s14 = "d1e5711e46fcb02d7cc6aa2453cfcb8540315a74f93c71e27fa0cf3853d58b979d7bb7c720c02ed384dea172a36916f1bb8b82ffd924b720f62d665558ad1d8c" ascii
        $s15 = "7d0bfdbaac91129f5d74f7e71c1c5524690343b821a541e8ba8c6ab5367aa3eb82b8dd0faee7bf6d15b972a8ae4b320b9369de3eb309c722db92d9f53b6ace68" ascii
        $s16 = "89dd0596b7c7b151bf10a1794e8f4a84401269ad5cc4af9af74df8b7199fc762581b431d65a76ecbff01e3cec318b463bce59f421b536db53fa1d21942d48d93" ascii
        $s17 = "8021dc54625a80e14f829953cc9c4310b6242e49d0ba72eedc0c04383ac5a67c0c4729175e0e662c9e78cede5882532de56a5625c1761aa6fd46b4aefe98453a" ascii
        $s18 = "24ed05de22fc8d3f76c977faf1def1d729c6b24abe3e89b0254b5b913395ee3487879287388e5ceac4b46182c2072ad1aa4f415ed6ebe515d57f4284ae068851" ascii
        $s19 = "827da8b743ba46e966706e7f5e6540c00cb1205811383a2814e1d611decfc286b1927d20391b22a0a31935a9ab93d7f25e6331a81d13db6d10c7a771e82dfd8b" ascii
        $s20 = "7c33d9ad6872281a5d7bf5984f537f09544fdee50645e9846642206ea4a81f70b27439e6dcbe6fdc1331c59bf3e2e847b6195e8ed2a51adaf91b5e615cece1d3" ascii
    condition:
        uint16(0) == 0x0000 and filesize < 600KB and
        1 of ($x*) and 4 of them
}

rule quantum_license {
    meta:
        description = "IcedID - file license.dat"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-04-24"
        hash1 = "84f016ece77ddd7d611ffc0cbb2ce24184aeee3a2fdbb9d44d0837bc533ba238"
    strings:
        $s1 = "W* |[h" fullword ascii
        $s2 = "PSHN,;x" fullword ascii
        $s3 = "ephu\"W" fullword ascii
        $s4 = "LwUw9\\" fullword ascii
        $s5 = "VYZP~pN," fullword ascii
        $s6 = "[email protected]" fullword ascii
        $s7 = "urKuEqR" fullword ascii
        $s8 = "1zjWa{`!" fullword ascii
        $s9 = "YHAV{tl" fullword ascii
        $s10 = "bwDU?u" fullword ascii
        $s11 = "SJbW`!W" fullword ascii
        $s12 = "BNnEx1k" fullword ascii
        $s13 = "SEENI3=" fullword ascii
        $s14 = "Bthw?:'H*" fullword ascii
        $s15 = "NfGHNHC" fullword ascii
        $s16 = "xUKlrl'>`" fullword ascii
        $s17 = "gZaZ^;Ro2" fullword ascii
        $s18 = "JhVo5Bb" fullword ascii
        $s19 = "OPta)}$" fullword ascii
        $s20 = "cZZJoVB" fullword ascii
    condition:
        uint16(0) == 0x44f8 and filesize < 1000KB and
        8 of them
}

rule quantum_p227 {
    meta:
        description = "Cobalt Strike - file p227.dll"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-04-24"
        hash1 = "c140ae0ae0d71c2ebaf956c92595560e8883a99a3f347dfab2a886a8fb00d4d3"
    strings:
        $s1 = "Remote Event Log Manager4" fullword wide
        $s2 = "IIdRemoteCMDServer" fullword ascii
        $s3 = "? ?6?B?`?" fullword ascii /* hex encoded string 'k' */
        $s4 = "<*=.=2=6=<=\\=" fullword ascii /* hex encoded string '&' */
        $s5 = ">'?+?/?3?7?;???" fullword ascii /* hex encoded string '7' */
        $s6 = ":#:':+:/:3:7:" fullword ascii /* hex encoded string '7' */
        $s7 = "2(252<2[2" fullword ascii /* hex encoded string '"R"' */
        $s8 = ":$;,;2;>;F;" fullword ascii /* hex encoded string '/' */
        $s9 = ":<:D:H:L:P:T:X:\\:`:d:h:l:p:t:x:|:" fullword ascii
        $s10 = "%IdThreadMgr" fullword ascii
        $s11 = "AutoHotkeys<mC" fullword ascii
        $s12 = "KeyPreview0tC" fullword ascii
        $s13 = ":dmM:\\m" fullword ascii
        $s14 = "EFilerErrorH" fullword ascii
        $s15 = "EVariantBadVarTypeErrorL" fullword ascii
        $s16 = "IdThreadMgrDefault" fullword ascii
        $s17 = "Set Size Exceeded.*Error on call Winsock2 library function %s&Error on loading Winsock2 library (%s)" fullword wide
        $s18 = "CopyMode0" fullword ascii
        $s19 = "TGraphicsObject0" fullword ascii
        $s20 = "THintWindow8" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 2000KB and
        ( pe.imphash() == "c88d91896dd5b7d9cb3f912b90e9d0ed" or 8 of them )
}

rule Ulfefi32 {
    meta:
        description = "IcedID - file Ulfefi32.dll"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-04-24"
        hash1 = "6f6f71fa3a83da86d2aba79c92664d335acb9d581646fa6e30c35e76cf61cbb7"
    strings:
        $s1 = "WZSKd2NEBI.dll" fullword ascii
        $s2 = "3638df174d2e47fbc2cdad390fdf57b44186930e3f9f4e99247556af2745ec513b928c5d78ef0def56b76844a24f50ab5c3a10f6f0291e8cfbc4802085b8413c" ascii
        $s3 = "794311155e3d3b59587a39e6bdeaac42e5a83dbe30a056a059c59a1671d288f7a7cdde39aaf8ce26704ab467e6e7db6da36aec8e1b1e0a6f2101ed3a87a73523" ascii
        $s4 = "ce37d7187cf033f0f9144a61841e65ebe440d99644c312f2a7527053f27664fc788a70d4013987f40755d30913393c37067fb1796adece94327ba0d8dfb63c10" ascii
        $s5 = "bacefbe356ece5ed36fa3f3c153e8e152cb204299243eba930136e4a954e8f6e4db70d7d7084822762c17da1d350d97c37dbcf226c5d4faa7e78765fd5aa20f8" ascii
        $s6 = "acee4914ee999f6158bf7aa90e2f9640d51e2b046c94df4301a6ee1658a54d44e423fc0a5ab3b599d6be74726e266cdb71ccd0851bcef3bc5f828eab7e736d81" ascii
        $s7 = "e2d7e82b0fe30aa846abaa4ab85cb9d47940ec70487f2d5fb4c60012289b133b44e8c244e3ec8e276fa118a54492f348e34e992da07fada70c018de1ff8f91d4" ascii
        $s8 = "afd386d951143fbfc89016ab29a04b6efcefe7cd9d3e240f1d31d59b9541b222c45bb0dc6adba0ee80b696b85939ac527af149fdbfbf40b2d06493379a27e16b" ascii
        $s9 = "3bb43aa0bbe8dee8d99aaf3ac42fbe3ec5bd8fa68fb85aea8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eed" ascii
        $s10 = "a79e1facc14f0a1dfde8f71cec33e08ed6144aa2fd9fe3774c89b50d26b78f4a516a988e412e5cce5a6b6edb7b2cded7fe9212505b240e629e066ed853fb9f6b" ascii
        $s11 = "69f9b12abc44fac17d92b02eb254c9dc0cfd8888676a9e59f0cb6d630151daccea40e850d615d32d011838f8042a2d6999fab319f49bed09e43f9b6197bf9a66" ascii
        $s12 = "cfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae726d5b2" ascii
        $s13 = "a8a404ee1701aa8b2624bf8c5254e447818057b7f987a270103dd7beceb3103a66d5f34a2a6c48eedc90afe65ba742c395bbdb4b1b12d96d6f38de96212392c3" ascii
        $s14 = "900796689b72e62f24b28affa681c23841f21e2c7a56a18a6bbb572042da8717abc9f195340d12f2fae6cf2a6d609ed5a0501e34d3b31f8151f194cdb8afc85e" ascii
        $s15 = "35560790835fe34ed478758636d3b2b797ba95c824533318dfb147146e2b5debb4f974c906dce439d3c97e94465849c9b42e9cb765a95ff42a7d8b27e62d470a" ascii
        $s16 = "0b3d20f3cf0f6b3a53c53b8f50f9116edd412776a8f218e6b0d921ccfeeb34875c4674072f84ac612004d8162a6b381f5a3d1f6d70c03203272740463ff4bcd5" ascii
        $s17 = "72f69c37649149002c41c2d85091b0f6f7683f6e6cc9b9a0063c9b0ce254dddb9736c68f81ed9fed779add52cbb453e106ab8146dab20a033c28dee789de8046" ascii
        $s18 = "f2b7f87aa149a52967593b53deff481355cfe32c2af99ad4d4144d075e2b2c70088758aafdabaf480e87cf202626bde30d32981c343bd47b403951b165d2dc0f" ascii
        $s19 = "9867f0633c80081f0803b0ed75d37296bac8d3e25e3352624a392fa338570a9930fa3ceb0aaee2095dd3dcb0aab939d7d9a8d5ba7f3baac0601ed13ffc4f0a1e" ascii
        $s20 = "3d08b3fcfda9d35efe288ebc6a63ef8206cd3c44e91f7d968044a8a5b512c59e76e937477837940a3a6c053a886818041e42f0ce8ede5912beab0b9b8c3f4bae" ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and
        ( pe.imphash() == "81782d8702e074c0174968b51590bf48" and ( pe.exports("FZKlWfNWN") and pe.exports("IMlNwug") and pe.exports("RPrWVBw") and pe.exports("kCXkdKtadW") and pe.exports("pLugSs") and pe.exports("pRNAU") ) or 8 of them )
}

rule quantum_ttsel {
    meta:
        description = "quantum - file ttsel.exe"
        author = "The DFIR Report"
        reference = "https://thedfirreport.com"
        date = "2022-04-24"
        hash1 = "b6c11d4a4af4ad4919b1063184ee4fe86a5b4b2b50b53b4e9b9cc282a185afda"
    strings:
        $s1 = "DSUVWj ]" fullword ascii
        $s2 = "[email protected]]@" fullword ascii
        $s3 = "expand 32-byte k" fullword ascii /* Goodware String - occured 1 times */
        $s4 = "E4PSSh" fullword ascii /* Goodware String - occured 2 times */
        $s5 = "tySjD3" fullword ascii
        $s6 = "@]_^[Y" fullword ascii /* Goodware String - occured 3 times */
        $s7 = "0`0h0p0" fullword ascii /* Goodware String - occured 3 times */
        $s8 = "tV9_<tQf9_8tKSSh" fullword ascii
        $s9 = "Vj\\Yj?Xj:f" fullword ascii
        $s10 = "1-1:1I1T1Z1p1w1" fullword ascii
        $s11 = "8-999E9U9k9" fullword ascii
        $s12 = "8\"8)8H8i8t8" fullword ascii
        $s13 = "8\"[email protected]" fullword ascii
        $s14 = "3\"3)3>3F3f3m3t3}3" fullword ascii
        $s15 = "3\"3(3<3]3o3" fullword ascii
        $s16 = "9 9*909B9" fullword ascii
        $s17 = "9.979S9]9a9w9" fullword ascii
        $s18 = "txf9(tsf9)tnj\\P" fullword ascii
        $s19 = "5!5'5-5J5Y5b5i5~5" fullword ascii
        $s20 = "<2=7=>=E={=" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and
        ( pe.imphash() == "68b5e41a24d5a26c1c2196733789c238" or 8 of them )
}

T1204 - User Execution

T1614.001 - System Location Discovery: System Language Discovery

T1218.011 - Signed Binary Proxy Execution: Rundll32

T1059.001 - Command and Scripting Interpreter: PowerShell

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

T1055 - Process Injection

T1055.012 - Process Injection: Process Hollowing

T1003.001 - OS Credential Dumping: LSASS Memory

T1486 - Data Encrypted for Impact

T1482 - Domain Trust Discovery

T1021.002 - Remote Services: SMB/Windows Admin Shares

T1083 - File and Directory Discovery

T1518.001 - Software Discovery: Security Software Discovery

T1047 - Windows Management Instrumentation

T1087.002 - Account Discovery: Domain Account

T1082 - System Information Discovery

T1018 - Remote System Discovery

T1053.005 - Scheduled Task/Job: Scheduled Task

T1071.001 - Web Protocols

S0029 - PsExec

S0039 - Net

S0100 - ipconfig

S0359 - Nltest

S0483 - IcedID

S0552 - AdFind

S0154 - Cobalt Strike


Source: http://mp.weixin.qq.com/s?__biz=MzkzMDE3ODc1Mw==&mid=2247486051&idx=1&sn=12b1743a1adea249f3bc2afae0d8f2d9&chksm=c27f79cdf508f0db37933f62fdaa9ed8d2abd17babacf760edcbe9bde5acb651d7018dc52e08#rd