In this intrusion from May 2022, the threat actors used BumbleBee as the initial access vector from a Contact Forms campaign. We have previously reported on two BumbleBee intrusions (1, 2), and this report is a continuation of a series of reports uncovering multiple TTPs seen by BumbleBee post exploitation operators.
The intrusion began with the delivery of an ISO file that contained an LNK and a DLL. The threat actors leveraged BumbleBee to load a Meterpreter agent and Cobalt Strike Beacons. They then performed reconnaissance, used two different UAC bypass techniques, dumped credentials, escalated privileges using a ZeroLogon exploit, and moved laterally through the environment.
Case Summary
The intrusion started with a contact form on a website. It has been reported that this delivery method has been in use for intrusions since at least 2020. This campaign took place in May, and appears to have run as late as June 2022, based on OSINT data related to similar delivery fingerprints. The contact form gets filled out by the threat actor with a Copyright notice, purporting a violation of the Digital Millennium Copyright Act (DMCA). It then encourages the recipient to download a file showing the purported violation.
Upon the user clicking the link, they arrive at a “Google” storage site on storage.googleapis.com. A zip file is then downloaded to the victim machine and once unzipped the user is presented with an ISO file. The ISO contains a LNK file and a DLL file. When the LNK is double-clicked, the BumbleBee DLL is executed via rundll32. Initially, contact was made with BumbleBee command and control servers but little other early activity was observed.
Approximately 12 hours later, ImagingDevices.exe was launched via WmiPrivse.exe and a Meterpreter agent was injected into the process, like we have observed in previous reports. This process then utilized nltest, net, tasklist, and whoami to perform reconnaissance. About 37 minutes after launching ImagingDevices.exe, the Meterpreter agent migrated to svchost.exe. Upon migrating to the svchost process, there were attempts to bypass UAC and launch a Meterpreter executable.
Several failed attempts to bypass UAC occurred, utilizing the WSReset method, followed by a failed attempt to bypass UAC utilizing the slui hijacking method. Finally, the threat actors succeeded on their final attempt, using the WSReset method. Once UAC was bypassed, Meterpreter’s getsystem command was successfully employed. Now in the SYSTEM context, this Meterpreter agent executed a Cobalt Strike Beacon DLL.
The Cobalt Strike Beacon was utilized to perform a second round of reconnaissance and to access credentials. AdFind, nltest, net, and systeminfo were used to facilitate this activity. The Sysinternals tool ProcDump64 was written to disk and used to dump lsass on the beachhead host. Then, the threat actors executed reg.exe
to save a copy of the SAM
, Security
, and Software
registry hives on the beachhead host. Lateral movement was then performed over SMB, to transfer a Cobalt Strike Beacon DLL’s to other workstation’s C$ProgramData. These were executed via remote services, but appeared to be there for redundant connections as the threat actors continued to perform their actions on the beachhead workstation.
After a pause of about three hours, 19 hours since initial access, the threat actors launched an exploit against the primary domain controller targeting the Zerologon (CVE 2020 1472) vulnerability. After successfully exploiting the Domain controller, the threat actors used Pass the Hash to begin working in the context of a user who was a member of the Domain Admins group.
From the beachhead host, Invoke-Sharefinder was executed with the output being written to disk. A Cobalt Strike Beacon DLL was then written over SMB to another Domain Controller and executed via a service.
The threat actors were evicted from the environment and no further impact was observed. We assess with medium confidence this intrusion was related to pre-ransomware activity due to the tool set and techniques the actors displayed. As far as impact, one Domain Controller was left broken causing authentication failures across the domain.
Services
We offer multiple services including a Threat Feed service which tracks Command and Control frameworks such as Cobalt Strike, BumbleBee, Covenant, Metasploit, Empire, PoshC2, etc. More information on this service and others can be found here.
We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our Security Researcher and Organization services.
Timeline
Analysis and reporting completed by @0xtornado, @samaritan_o, @RoxpinTeddy
Initial Access
The intrusion in this case began with a link to a google domain, storage.googleapis.com. This delivery method has been observed in both thread hijacked email distribution, as well as contact form campaigns. We assess with medium-high confidence that the one observed in our intrusion was likely from a contact form campaign, as the initial access URL was spotted in the wild across various sites, impersonating various companies’ legal teams, trying to entice the user to download and review the malicious files.
After clicking the link, the users end up at what, at first glance, may appear to be a legitimate google download site.
Next, a zip file is downloaded to the victim’s system, which when unzipped reveals the ISO image file StolenImages_Evidence.iso
, once mounted–lures the victim to open a shortcut mimicking a fake documents folder:
The LNK was pointing to the following command, which runs a malicious DLL when the user double clicks on the LNK file:
%windir%system32cmd.exe /c start rundll32.exe mkl2n.dll,kXlNkCKgFC
By extracting LNK metadata using Eric Zimmerman’s LECmd tool, we noticed that the initial BumbleBee payload was generated by the same threat actors reported in our previous BumbleBee report:
Machine ID: desktop-30fdj39
Mac:eb:33:6a:3b:d0:e3
Creation: 2022-02-11 21:22:11
The tracker database block details containing threat actor’s hostname, MAC Address, and other details are the exact same as seen our the last BumbleBee report. However, the payload was slightly modified (name and icon).
Execution
The threat actors dropped and executed multiple payloads reaching out to different C2s. The graph below shows how the threat actors were able to pivot between C2s by either injecting into legitimate processes or dropping and executing new payloads.
Like in our previous BumbleBee report, we see the use of injection into a legitimate Windows executable.
C:Program FilesWindows Photo ViewerImagingDevices.exe
And likewise, we see BumbleBee spawning these new processes using WmiPrvSE.exe.
The graphic below shows all payloads dropped, executed, or injected by the threat actors. Both Meterpreter and Cobalt Strike payloads were used during this intrusion.
Privilege Escalation
The getsystem module was used to elevate access on the beachhead host.
cmd.exe /c echo wafrms > .pipewafrms C:Windowssystem32cmd.exe /c echo dec8f35bcbf > .pipe7fd13a
On the second day, a Netlogon spike was observed from the beachhead host to a domain controller.
This spike was made up of various netlogon requests (NetrServerReqChallenge, NetrServerAuthenticate2, NetrServerPasswordSet2) from the beachhead host to the primary domain controller.
A view of the traffic reveals that the threat actors had exploited CVE 2020 1472, otherwise known as ZeroLogon. In the PCAP below, we can see the packet where the exploit succeeds in resetting the credential to all zeros.
On the domain controller, a 4742 event was generated showing the beachhead host changing the password on the domain controller, matching the timestamps to the network data.
After exploiting Zerologon, the threat actors were also seen using Pass the Hash to begin working in the context of a user, who was a member of the Domain Admins group.
Defense Evasion
Process Injection
ImagingDevices.exe injection into “svchost.exe -k UnistackSvcGroup -s WpnUserService” using NtAllocateVirtualMemoryRemoteApiCall. Several other processes were injected into as seen below:
.Pid | .ProcessName | .CommandLine | .Rule |
576 | winlogon.exe | winlogon.exe | win_cobalt_strike_auto |
836 | svchost.exe | C:Windowssystem32svchost.exe -k DcomLaunch -p | win_cobalt_strike_auto |
616 | winlogon.exe | winlogon.exe | win_cobalt_strike_auto |
1132 | svchost.exe | C:WindowsSystem32svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | win_cobalt_strike_auto |
6876 | svchost.exe | C:Windowssystem32svchost.exe -k UnistackSvcGroup | win_cobalt_strike_auto |
9828 | svchost.exe | C:Windowssystem32svchost.exe -k UnistackSvcGroup | win_cobalt_strike_auto |
UAC Bypass
The threat actors were observed bypassing UAC via WSReset and DelegateExecute, spawning new processes at a High integrity level.
While executing this UAC bypass, the threat actors seemed to be running into some kind of trouble during execution, which required them to try the technique several times and tried to kill one of their processes from a prior attempt.
In addition to the WSReset UAC bypass, the threat actors tried a method using slui.exe. The data points to use of the Meterpreter implementation here.[1]
Indicator Removal on Host
The threat actors were also seen deleting a number of their tools which were previously dropped to perform various tactics:
Named Pipe Usage
Throughout the intrusion, the injected Cobalt Strike Processes utilized various named pipes for inter-process communications. Many of these pipes used default Cobalt Strike pipe patterns.
Known Cobalt Strike pipes used:
postex_002d postex_67cc postex_731d postex_a4c1 postex_c69e postex_b6fd postex_5a0d postex_d43a postex_a820
We also saw the unusual named pipes coming from ImagingDevices.exe which was injected with Meterpreter below:
4ae13d6c2cd672aepipespoolss 029482318be6784 uwjjqz vllyad
Credential Access
LSASS Dump
The threat actor dropped the Sysinternals executable procdump64.exe
, which they then used to dump the lsass
process. The command observed was:
procdump64.exe -accepteula -ma lsass.exe C:ProgramDatalsass.dmp
Registry Hives Dump
Using the Cobalt Strike beacon, injected in a svchost.exe process, the threat actors dumped SAM
, SECURITY
, and SYSTEM
hives using the native reg.exe
utility. Below are the commands that were used:
C:Windowssystem32cmd.exe /C reg.exe save hklmsam c:ProgramDatasam.hive C:Windowssystem32cmd.exe C:Windowssystem32cmd.exe /C reg.exe save hklmsecurity c:ProgramDatasecurity.save C:Windowssystem32cmd.exe /C reg.exe save hklmsecurity c:ProgramDatasecurity.save C:Windowssystem32cmd.exe C:Windowssystem32cmd.exe /C reg.exe save hklmsystem c:ProgramDatasystem.save C:Windowssystem32cmd.exe /C reg.exe save hklmsystem c:ProgramDatasystem.save
Discovery
The Discovery phase was carried out in this case using both native Windows tools, and external tools such as AdFind and PowerSploit. Initial discovery was performed using various Windows utilities. After dumping the lsass.exe
process on the beachhead machine, the threat actors then launched af.exe
(AdFind) to find all user objects and computers in the domain.
af.exe -f "(objectcategory=person)" > ad_users.txt af.exe -f "objectcategory=computer" > ad_computers.txt
System utilities used for discovery included:
nltest /dclist:DOMAIN net view /all net group "Domain Computers" /domain net group "domain Admins" /domain whoami whoami /groups echo %USERDOMAIN% ping -n 1 DOMAINCONTROLLER systeminfo tasklist
Throughout the intrusion, the threat actor kept on trying to view a file named sh.txt.
The file appears to have been the intended output for execution of the Invoke-ShareFinder
command. Execution of the command was visible in the PowerShell 4103 and 4104 logs.
Invoke-Sharefoinder
is a module in the PowerSploit
framework. This command, in particular, can find (non-standard) shares on hosts in the local domain.
Lateral Movement
The threat actors used the SMB
protocol to move laterally after compromising the beachhead. They specifically copied the n23.dll
(Cobalt Strike) file to the C:ProgramData
path and then ran it.
We can confirm that the file was copied and then launched via the new service by examining the various host’s system logs for event id 7045.
cmd.exe /c rundll32.exe C:ProgramDatan23.dll,AddProgram
Command and Control
Threat actors used multiple command and control servers to interact with the compromised environment.
BumbleBee C2
45.153.243.93:443 JA3: 0c9457ab6f0d6a14fc8a3d1d149547fb JA3s: 61be9ce3d068c08ff99a857f62352f9d subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd tls.issuerdn : C=AU, ST=Some-State, O=Internet Widgits Pty Ltd tls.notbefore: May 3, 2022 @ 08:04:39.000 tls.notafter: May 3, 2023 @ 08:04:39.000 213.232.235.199:443 JA3: 0c9457ab6f0d6a14fc8a3d1d149547fb JA3s: 61be9ce3d068c08ff99a857f62352f9d subject: C=AU, ST=Some-State, O=Internet Widgits Pty Ltd tls.issuerdn : C=AU, ST=Some-State, O=Internet Widgits Pty Ltd tls.notbefore: May 2, 2022 @ 19:09:22.000 tls.notafter: May 2, 2023 @ 19:09:22.000
Cobalt Strike
cevogesu[.]com at 172.93.201.12:443 JA3: a0e9f5d64349fb13191bc781f81f42e1 JA3s: ae4edc6faf64d08308082ad26be60767 subject: CN=titojukus.com tls.issuerdn: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA tls.notbefore: Apr 22, 2022 @ 00:00:00.000 tls.notafter: Apr 22, 2023 @ 23:59:59.000 titojukus[.]com at 23.106.215.100:443 JA3: a0e9f5d64349fb13191bc781f81f42e1 JA3s: ae4edc6faf64d08308082ad26be60767 subject: CN=titojukus.com tls.issuerdn: C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA tls.notbefore: Apr 22, 2022 @ 00:00:00.000 tls.notafter: Apr 22, 2023 @ 23:59:59.000
Cobalt Strike Server Config:
{ "x64": { "sha1": "fa9597b87f78c667cc006aaa1c647d539aa9b827", "md5": "ea2c1fa8668812852a77737c4f712ba2", "config": { "C2 Server": "cevogesu.com,/eo.html,titojukus.com,/eo.html", "Polling": 5000, "C2 Host Header": "", "HTTP Method Path 2": "/fam_newspaper", "Watermark": 1580103814, "Method 1": "GET", "Spawn To x64": "%windir%sysnativerundll32.exe", "Jitter": 23, "Spawn To x86": "%windir%syswow64rundll32.exe", "Method 2": "POST", "Port": 443, "Beacon Type": "8 (HTTPS)" }, "sha256": "da3c4e2b7768d66ecb6c0e74c6d45e2bcfbc6203b76c7163909bd2061603cef5", "time": 1651717062232.1, "uri_queried": "/DhpA" }, "x86": { "sha1": "785b660537506501e695e46875b02260649b23f7", "md5": "5d2a8724dbce65eefb7e74fbb0eceda9", "config": { "C2 Server": "cevogesu.com,/cs.html,titojukus.com,/cs.html", "Polling": 5000, "C2 Host Header": "", "HTTP Method Path 2": "/posting", "Watermark": 1580103814, "Method 1": "GET", "Spawn To x64": "%windir%sysnativerundll32.exe", "Jitter": 23, "Spawn To x86": "%windir%syswow64rundll32.exe", "Method 2": "POST", "Port": 443, "Beacon Type": "8 (HTTPS)" }, "sha256": "f7bfde050c81d47d79febdb170f307f447e76253715859727beff889d2a91694", "time": 1651717054821.8, "uri_queried": "/BiLe" } }
Meterpreter
ec2-3-16-159-37.us-east-2.compute.amazonaws[.]com at 3.16.159.37:80/443 JA3: ce5f3254611a8c095a3d821d44539877, a0e9f5d64349fb13191bc781f81f42e1 JA3s: ec74a5c51106f0419184d0dd08fb05bc subject: C=US, ST=DE, O=Hackett LLC, OU=calculate, CN=hackett.llc.com, [email protected] tls.issuerdn: C=US, ST=DE, O=Hackett LLC, OU=calculate, CN=hackett.llc.com, [email protected] tls.ja3.hash tls.notbefore: Sep 13, 2020 @ 21:43:47.000 tls.notafter: Sep 12, 2027 @ 21:43:47.000
Impact
After exploiting Zerologon on the domain controller, the threat actor tried a few more things and then took a break from the hands on keyboard portion of the intrusion. The threat actor was then evicted from the environment. During IR, it was found that the primary domain controller was unresponsive to domain authentication due to the exploit run against it, resulting in domain authentication breaking around the environment.
Indicators
Network
BumbleBee C2 45.153.243.93:443 213.232.235.199:443 CobaltStrike cevogesu[.]com at 172.93.201.12:443 titojukus[.]com at 23.106.215.100:443 Meterpreter ec2-3-16-159-37.us-east-2.compute.amazonaws[.]com at 3.16.159.37:80 and 3.16.159.37:44
Files
documents.lnk EE7AD5FE821FB9081380DBBF40C4F062 38EEF0CDAA8FAA27C9E2CEDEAFCFE842E2E0E08E 3C600328E1085DC73D672D068F3056E79E66BEC7020BE6AE907DD541201CD167 mkl2n.dll AEFF99611BABD41D79C3BA7930F00BC1 FA3649B0472BA7FD9B31A22C904B2DE4C008F540 F7C1D064B95DC0B76C44764CD3AE7AEB21DD5B161E5D218E8D6E0A7107D869C1 n23.dll B3E68AEBE05DC652EC65099E0E98B94E 52D4C0CB9A93E7BC5F1E0C386DCCA3E0AC41B966 65A9B1BCDE2C518BC25DD9A56FD13411558E7F24BBDBB8CB92106ABBC5463ECF StolenImages_Evidence.iso FBCAA31456F39F996950511705461639 759688D1245AACD0ED067B0F0388786E911AAF28 4BB67453A441F48C75D41F7DC56F8D58549AE94E7AEAB48A7FFEC8B78039E5CC wSaAHJzLLT.exe BD5C8EA8C231BF2775B9C0BA3F7EA867 CCC9E1559B877B04B1D0E7F8920A64B4E35136DA DF63149EEC96575D66D90DA697A50B7C47C3D7637E18D4DF1C24155ABACBC12
Detections
Network
ET POLICY OpenSSL Demo CA - Internet Widgits Pty (O) ET POLICY SMB2 NT Create AndX Request For a DLL File - Possible Lateral Movement ET RPC DCERPC SVCCTL - Remote Service Control Manager Access ET POLICY SMB Executable File Transfer ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection
Sigma
Abused Debug Privilege by Arbitrary Parent Processes
AdFind Usage Detection
Bypass UAC Using DelegateExecute
Bypass UAC via WSReset.exe
UAC Bypass WSReset
Cobalt Strike Named Pipe
Correct Execution of Nltest.exe
Cred Dump Tools Dropped Files
LSASS Memory Access by Tool Named Dump
LSASS Memory Dumping
Malicious PowerView PowerShell Commandlets
Meterpreter or Cobalt Strike Getsystem Service Installation
Meterpreter or Cobalt Strike Getsystem Service Start
Mimikatz Detection LSASS Access
Registry Dump of SAM Creds and Secrets
Shell Open Registry Keys Manipulation
Successful Overpass the Hash Attempt
Suspicious PowerShell Invocations – Specific
Suspicious PowerShell Keywords
Suspicious Rundll32 Without Any CommandLine Params
Suspicious Service Installation
Suspicious Use of Procdump
Suspicious Use of Procdump on LSASS
Yara
/* YARA Rule Set Author: The DFIR Report Date: 2022-11-13 Identifier: Case 13842 Bumblebee Reference: https://thedfirreport.com/ */ /* Rule Set ----------------------------------------------------------------- */ rule bumblebee_13842_documents_lnk { meta: description = "BumbleBee - file documents.lnk" author = "The DFIR Report via yarGen Rule Generator" reference = "https://thedfirreport.com" date = "2022-11-13" hash1 = "3c600328e1085dc73d672d068f3056e79e66bec7020be6ae907dd541201cd167" strings: $x1 = "$........WindowsSystem32cmd.exe*/c start rundll32.exe mkl2n.dll,kXlNkCKgFC"%systemroot%system32imageres.dll" fullword wide $x2 = "C:WindowsSystem32cmd.exe" fullword ascii $x3 = "%windir%system32cmd.exe" fullword ascii $x4 = "Gcmd.exe" fullword wide $s5 = "desktop-30fdj39" fullword ascii condition: uint16(0) == 0x004c and filesize < 4KB and 1 of ($x*) and all of them } rule bumblebee_13842_StolenImages_Evidence_iso { meta: description = "BumbleBee - file StolenImages_Evidence.iso" author = "The DFIR Report via yarGen Rule Generator" reference = "https://thedfirreport.com" date = "2022-11-13" hash1 = "4bb67453a441f48c75d41f7dc56f8d58549ae94e7aeab48a7ffec8b78039e5cc" strings: $x1 = "$........WindowsSystem32cmd.exe*/c start rundll32.exe mkl2n.dll,kXlNkCKgFC"%systemroot%system32imageres.dll" fullword wide $x2 = "C:WindowsSystem32cmd.exe" fullword ascii $x3 = "%windir%system32cmd.exe" fullword ascii $x4 = "Gcmd.exe" fullword wide $s5 = "pxjjqif723uf35.dll" fullword ascii $s6 = "tenant unanimously delighted sail databases princess bicyclelist progress accused urge your science certainty dalton databases h" ascii $s7 = "mkl2n.dll" fullword wide $s8 = "JEFKKDJJKHFJ" fullword ascii /* base64 encoded string '$AJ(2I(qI' */ $s9 = "KFFJJEJKJK" fullword ascii /* base64 encoded string '(QI$BJ$' */ $s10 = "JHJGKDFEG" fullword ascii /* base64 encoded string '$rF(1D' */ $s11 = "IDJIIDFHE" fullword ascii /* base64 encoded string ' 2H 1G' */ $s12 = "JHJFIHJJI" fullword ascii /* base64 encoded string '$rE rI' */ $s13 = "EKGJKKEFHKFFE" fullword ascii /* base64 encoded string '(bJ(AG(QD' */ $s14 = "FJGJFKGFF" fullword ascii /* base64 encoded string '$bE(aE' */ $s15 = "IFFKJGJFK" fullword ascii /* base64 encoded string ' QJ$bE' */ $s16 = "FKFJDIHJF" fullword ascii /* base64 encoded string '(RC rE' */ $s17 = "EKFJFdHFG" fullword ascii /* base64 encoded string '(REtqF' */ $s18 = "HJFJJdEdEIDK" fullword ascii /* base64 encoded string '$RItGD 2' */ $s19 = "KFJHKDJdIGF" fullword ascii /* base64 encoded string '(RG(2] a' */ $s20 = "documents.lnk" fullword wide condition: uint16(0) == 0x0000 and filesize < 13000KB and 1 of ($x*) and 4 of them } rule bumblebee_13842_mkl2n_dll { meta: description = "BumbleBee - file mkl2n.dll" author = "The DFIR Report via yarGen Rule Generator" reference = "https://thedfirreport.com" date = "2022-11-13" hash1 = "f7c1d064b95dc0b76c44764cd3ae7aeb21dd5b161e5d218e8d6e0a7107d869c1" strings: $s1 = "pxjjqif723uf35.dll" fullword ascii $s2 = "tenant unanimously delighted sail databases princess bicyclelist progress accused urge your science certainty dalton databases h" ascii $s3 = "JEFKKDJJKHFJ" fullword ascii /* base64 encoded string '$AJ(2I(qI' */ $s4 = "KFFJJEJKJK" fullword ascii /* base64 encoded string '(QI$BJ$' */ $s5 = "JHJGKDFEG" fullword ascii /* base64 encoded string '$rF(1D' */ $s6 = "IDJIIDFHE" fullword ascii /* base64 encoded string ' 2H 1G' */ $s7 = "JHJFIHJJI" fullword ascii /* base64 encoded string '$rE rI' */ $s8 = "EKGJKKEFHKFFE" fullword ascii /* base64 encoded string '(bJ(AG(QD' */ $s9 = "FJGJFKGFF" fullword ascii /* base64 encoded string '$bE(aE' */ $s10 = "IFFKJGJFK" fullword ascii /* base64 encoded string ' QJ$bE' */ $s11 = "FKFJDIHJF" fullword ascii /* base64 encoded string '(RC rE' */ $s12 = "EKFJFdHFG" fullword ascii /* base64 encoded string '(REtqF' */ $s13 = "HJFJJdEdEIDK" fullword ascii /* base64 encoded string '$RItGD 2' */ $s14 = "KFJHKDJdIGF" fullword ascii /* base64 encoded string '(RG(2] a' */ $s15 = "magination provided sleeve governor earth brief favourite setting trousers phone calamity ported silas concede appearance abate " ascii $s16 = "wK}zxspyuvqswyK" fullword ascii $s17 = "stpKspyq~sqJvvvJ" fullword ascii $s18 = "ntribute popped monks much number practiced dirty con mid nurse variable road unwelcome rear jeer addition distract surgeon fall" ascii $s19 = "uvzrquxrrwxur" fullword ascii $s20 = "vvvxvsqrs" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 9000KB and 8 of them } rule bumblebee_13842_n23_dll { meta: description = "BumbleBee - file n23.dll" author = "The DFIR Report via yarGen Rule Generator" reference = "https://thedfirreport.com" date = "2022-11-13" hash1 = "65a9b1bcde2c518bc25dd9a56fd13411558e7f24bbdbb8cb92106abbc5463ecf" strings: $x1 = "scratched echo billion ornament transportation heedless should sandwiches hypothesis medicine strict thus sincere fight nourishm" ascii $s2 = "omu164ta8.dll" fullword ascii $s3 = "eadlight hours reins straightforward comfortable greeting notebook production nearby rung oven plus applet ending snapped enquir" ascii $s4 = "board blank convinced scuba mean alive perry character headquarters comma diana ornament workshop hot duty victorious bye expres" ascii $s5 = " compared opponent pile sky entitled balance valuable list ay duster tyre bitterly margaret resort valuer get conservative contr" ascii $s6 = "ivance pay clergyman she sleepy investigation used madame rock logic suffocate pull stated comparatively rowing abode enclosed h" ascii $s7 = " purple salvation dudley gaze requirement headline defective waiter inherent frightful night diary slang laurie bugs kazan annou" ascii $s8 = "nced apparently determined among come invited be goodwill tally crowded chances selfish duchess reel five peaceful offer spirits" ascii $s9 = "scratched echo billion ornament transportation heedless should sandwiches hypothesis medicine strict thus sincere fight nourishm" ascii $s10 = "s certificate breeze temporary according peach effected excuse preceding reaction channel bring short beams scheme gosh endless " ascii $s11 = "rtificial poke reassure diploma potentially " fullword ascii $s12 = "led spree confer belly rejection glide speaker wren do create evenings according cultivation concentration overcoat presume feed" ascii $s13 = "EgEEddEfhkdddEdfkEeddjgjehdjidhkdkeiekEeggdijhjidgkfigEgggdjkhkjkedEigifefdfhEjgghgEhjkeihifdhEEdgifefgkkEfEijhkhkhidddEdhgidfkE" ascii $s14 = "kgfjjjEEgkdiehfeEjihkfEeididdeEjhggEjedhdfEjiddgEgghejEidEfEEfgfjfhdghfddfihfidfEedikfdfjkiffkjiijiiijdhgghekhkegkidkgfjijhkiigg" ascii $s15 = "eekgEeideheghidkkEkkfkjikhiEhiefggdkhifdgEhhdEkkEkgjdEjjeEjhjhihfdgEdEidigefhhikdgdfEEdjEeggiEdfkdEdiEffdddkgikhhkihigEhjEdehieh" ascii $s16 = "eddEfefEEd" ascii $s17 = "hiefgfgkdfhgEdhEEgfhfegiiekgkdheihfjjhdeediefEkekdgeihhdfhhgjjiddjehgEhigEkEiEghejfidgjkdjidfkkfjEkfidfdiihkkEdEkEjjkEghfEdiihgE" ascii $s18 = "kfifkfkgdgdfhefdfejjdjigEhghidiiEekeEidEhghijgfkgkkedeeiggeEdhddkdhgigdjEihjiEjkgjjEefedfhidjkEjfghfjfdfdEjhkjjddjEfdgkEEikifdhE" ascii $s19 = "dedkdeeeeefgdEgfkkiEEfidikkffgighgEfiEEidgehdeiEhhjhjgiEdfkjihEgdgdefgkEfigdfedijhejEgdhkEdifEehifgdhddhfjghjfiifdhiigedggEdikeE" ascii $s20 = "efigfkfkkkfkdifiEhkhjkiejjidgkEfhEfehidhEfekgejgefEjEgdgefgidjjfdkjEfgfEigijhidideEEffjefkkkjjeeigggiighdddEddgegjEfEffjjjiddiEk" ascii condition: uint16(0) == 0x5a4d and filesize < 200KB and 1 of ($x*) and 4 of them } rule bumblebee_13842_wSaAHJzLLT_exe { meta: description = "BumbleBee - file wSaAHJzLLT.exe" author = "The DFIR Report via yarGen Rule Generator" reference = "https://thedfirreport.com" date = "2022-11-13" hash1 = "df63149eec96575d66d90da697a50b7c47c3d7637e18d4df1c24155abacbc12e" strings: $s1 = "ec2-3-16-159-37.us-east-2.compute.amazonaws.com" fullword ascii $s2 = "PAYLOAD:" fullword ascii $s3 = "AQAPRQVH1" fullword ascii $s4 = "AX^YZAXAYAZH" fullword ascii $s5 = "/bIQRfeCGXT2vja6Pzf8uZAWzlUMGzUHDk" fullword ascii $s6 = "SZAXM1" fullword ascii $s7 = "SYj@ZI" fullword ascii $s8 = "@.nbxi" fullword ascii $s9 = "Rich}E" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 20KB and all of them
}
MITRE
Malicious File – T1204.002
Windows Command Shell – T1059.003
PowerShell – T1059.001
Process Injection – T1055
File Deletion – T1070.004
LSASS Memory – T1003.001
Exploitation for Privilege Escalation – T1068
Lateral Tool Transfer – T1570
Valid Accounts – T1078
Service Execution – T1569.002
SMB/Windows Admin Shares – T1021.002
Remote System Discovery – T1018
Process Discovery – T1057
Domain Groups – T1069.002
Rundll32 – T1218.011
Domain Account – T1087.002
System Information Discovery – T1082
Security Account Manager – T1003.002
Network Share Discovery – T1135
Pass the Hash – T1550.002
Mark-of-the-Web Bypass – T1553.005
Bypass User Account Control – T1548.002
Web Protocols – T1071.001
Spearphishing Link – T1566.002
Masquerading – T1036
Internal case #13842
Source: https://thedfirreport.com/2022/11/14/bumblebee-zeros-in-on-meterpreter/