How To Detect And Eliminate Persistent Malware Before It Wreaks Havoc
This article provides an in-depth analysis of an intrusion investigation conducted by security professionals, focusing on the methods and techniques used to unravel a complex attack. It details how the threat actor gained initial access, performed credential theft, and executed lateral movement within a network. The findings highlight the challenges of gathering complete telemetry during such investigations. Affected: VPN appliance, Veeam Backup & Replication service

Key points:

  • Analysts approach intrusions from an investigative standpoint rather than as a linear timeline.
  • The intrusion initially involved an alert related to lateral movement in a network.
  • Indicators of compromise included user creation, registry modification, and privilege escalation.
  • Parent-child process relationships were crucial in identifying the techniques used by the threat actor.
  • Exploitation of the Veeam service led to further credential theft and lateral movement.
  • The investigation revealed a suspected VPN compromise as the initial access vector.
  • Known malicious workstation names were associated with successful brute force attacks against user accounts.
  • Challenges in collecting complete telemetry complicate the analysis of such intrusions.

MITRE Techniques:

  • T1133 – VPN Compromise: Compromise of a VPN appliance to gain initial access to the network.
  • T1595 – Active Scanning: Use of nmap scanning tool to discover vulnerable services within the network.
  • T1110 – Brute Force: Execution of brute force attacks on user accounts to gain unauthorized access.
  • T1021.006 – Remote Services: Windows Remote Management: Utilization of WinRM for lateral movement within the network.
  • T1203 – Exploitation for Client Execution: Exploitation of the outdated Veeam service to execute malicious payloads.
  • T1098 – Account Manipulation: Adding a local user to the Remote Desktop Users group for persistence purposes.
  • T1112 – Modify Registry: Registry modifications made to enable further lateral movement via Remote Desktop Protocol (RDP).
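As an added example (not code from the Huntress write-up), the following Python check correlates the three persistence steps listed above, local user creation, membership in Remote Desktop Users, and the registry change that enables RDP, across constructed Windows Security events on a per-host basis. The event IDs and the fDenyTSConnections value name are assumptions not stated on this page.

```python
from collections import defaultdict

# Constructed sample telemetry (not from the investigation): one event per line,
# host|event_id|key=value|... Event IDs are the standard Windows Security log
# values (4720 user created, 4732 member added to a local group, 4657 registry
# value modified). fDenyTSConnections is the usual RDP on/off value; the page
# only says "registry modification", so that value name is an assumption here.
SAMPLE_EVENTS = """\
HOST-A|4720|user=svc_backup2
HOST-A|4732|group=Remote Desktop Users|member=svc_backup2
HOST-A|4657|key=HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server|value=fDenyTSConnections|new=0
HOST-B|4720|user=contractor1
HOST-B|4657|key=HKLM\\SOFTWARE\\Example|value=Foo|new=1
HOST-C|4732|group=Remote Desktop Users|member=existing_admin
"""

RDP_GROUP = "Remote Desktop Users"
STAGES = ("user_created", "new_user_in_rdp_group", "rdp_enabled")

def parse_events(text):
    """Split the pipe-delimited sample into (host, event_id, attrs) tuples."""
    events = []
    for line in text.splitlines():
        host, event_id, *fields = line.split("|")
        attrs = dict(f.split("=", 1) for f in fields)
        events.append((host, int(event_id), attrs))
    return events

def stage_report(text):
    """Map each host to the sorted subset of STAGES seen on it (in log order)."""
    created = defaultdict(set)   # host -> accounts created on that host
    seen = defaultdict(set)      # host -> stages observed
    for host, event_id, attrs in parse_events(text):
        if event_id == 4720:
            created[host].add(attrs["user"])
            seen[host].add("user_created")
        elif event_id == 4732 and attrs.get("group") == RDP_GROUP:
            # Count the group change only for an account created earlier on
            # the same host, tying it to the user-creation step.
            if attrs.get("member") in created[host]:
                seen[host].add("new_user_in_rdp_group")
        elif (event_id == 4657 and attrs.get("value") == "fDenyTSConnections"
              and attrs.get("new") == "0"):
            seen[host].add("rdp_enabled")
    return {host: sorted(s) for host, s in seen.items()}

def find_rdp_persistence(text):
    """Hosts where the full create-user / add-to-RDP-group / enable-RDP chain appears."""
    return sorted(h for h, s in stage_report(text).items() if len(s) == len(STAGES))
```

Hosts with only one or two stages still surface in stage_report for triage; only the full chain is flagged by find_rdp_persistence.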

Indicators of Compromise:

  • [Domain] maliciousworkstationname
  • [IP Address] internal.ip.address (associated with brute force attack)
  • [IP Address] suspicious.vpn.appliance.ip (related to VPN compromise)
  • [Hash Type – SHA-256] d7f312e622d8fec6bc0a41900a71ef5badc4730eaf49f4b659c93e61ef6b406b
  • [Email Address] [email protected]

Full Story: https://huntress.com/blog/untold-tales-from-tactical-response