Hunting For Stuxbot With The Elastic Stack
Platforms in the Crosshairs: Microsoft Windows
Threatened Entities: Windows Users
Potential Impact: Complete takeover of the victim's computer / Domain escalation
Risk Level: Critical
In summary, the attack sequence on the initially compromised device can be laid out as follows:
Our forensic investigation into these attacks revealed that the delivery link directs to a OneNote file, which has consistently been hosted on a file-hosting service (e.g., Mega.io or similar platforms).
This OneNote file masquerades as an invoice and contains a 'HIDDEN' button that triggers an embedded batch file. That batch file, in turn, fetches PowerShell scripts, which constitute stage 0 of the malicious payload.
RAT Characteristics
The RAT deployed in these attacks is modular, meaning it can be extended with an open-ended set of capabilities. While only a few features are available once the RAT is staged, we have observed modules that capture screenshots, execute Mimikatz, provide an interactive CMD shell on compromised machines, and so forth.
Persistence
All persistence mechanisms utilized to date have involved an EXE file deposited on the disk.
Lateral Movement
So far, we have identified two distinct methods for lateral movement:
Leveraging the original, Microsoft-signed PsExec
Using WinRM
Indicators of Compromise (IOCs)
The following provides a comprehensive inventory of all identified IOCs to this point.
OneNote File:
https://transfer.sh/get/kNxU7/invoice.one
https://mega.io/dl9o1Dz/invoice.one
Staging Entity (PowerShell Script):
https://pastebin.com/raw/AvHtdKb2
https://pastebin.com/raw/gj58DKz
Command and Control (C&C) Nodes:
91.90.213.14:443
103.248.70.64:443
141.98.6.59:443
Cryptographic Hashes of Involved Files (SHA256):
226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2
C346077DAD0342592DB753FE2AB36D2F9F1C76E55CF8556FE5CDA92897E99C7E
018D37CBD3878258C29DB3BC3F2988B6AE688843801B9ABC28E6151141AB66D4
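The same IOC sweep the tasks below run by hand in Kibana, expressed as an added example (not code from the report or the lab) that runs offline over exported events. It assumes the ECS field names winlogbeat (Sysmon) and filebeat (Zeek) populate: event.code, destination.ip/port, file.path, process.hash.sha256, file.hash.sha256, dns.question.name and url.full. The events at the bottom are constructed for the example, not records from the lab.

```python
"""Offline sweep of exported ECS-shaped events for the Stuxbot IOCs listed above."""
import posixpath
from urllib.parse import urlparse

# IOCs copied from the report. Hashes are kept upper-case and compared after .upper().
ONENOTE_URLS = [
    "https://transfer.sh/get/kNxU7/invoice.one",
    "https://mega.io/dl9o1Dz/invoice.one",
]
STAGER_URLS = [
    "https://pastebin.com/raw/AvHtdKb2",
    "https://pastebin.com/raw/gj58DKz",
]
C2_NODES = {("91.90.213.14", 443), ("103.248.70.64", 443), ("141.98.6.59", 443)}
SHA256_HASHES = {
    "226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2",
    "C346077DAD0342592DB753FE2AB36D2F9F1C76E55CF8556FE5CDA92897E99C7E",
    "018D37CBD3878258C29DB3BC3F2988B6AE688843801B9ABC28E6151141AB66D4",
}
IOC_URLS = set(ONENOTE_URLS + STAGER_URLS)
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}  # transfer.sh, mega.io, pastebin.com
IOC_FILENAMES = {posixpath.basename(urlparse(u).path) for u in ONENOTE_URLS}  # invoice.one


def field(ev, path, default=None):
    """Walk a dotted ECS path such as "destination.ip" through nested dicts."""
    cur = ev
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def match_event(ev):
    """Return the (ioc_type, value) pairs this event matches; [] means no IOC hit."""
    hits = []
    code = str(field(ev, "event.code", ""))

    # Sysmon 3 (NetworkConnect): destination against the C2 nodes, port included.
    if code == "3":
        dst = (field(ev, "destination.ip"), int(field(ev, "destination.port", 0)))
        if dst in C2_NODES:
            hits.append(("c2", "%s:%d" % dst))

    # Sysmon 11 (FileCreate) / 15 (FileCreateStreamHash): the lure file name.
    # Fall back to the basename of file.path, converting Windows separators.
    if code in ("11", "15"):
        name = field(ev, "file.name") or posixpath.basename(
            field(ev, "file.path", "").replace("\\", "/"))
        if name.lower() in IOC_FILENAMES:
            hits.append(("lure_file", name))

    # Any event carrying a SHA256: Sysmon 1 populates process.hash.sha256,
    # Sysmon 15 populates file.hash.sha256.
    for path in ("process.hash.sha256", "file.hash.sha256"):
        h = field(ev, path)
        if h and h.upper() in SHA256_HASHES:
            hits.append(("hash", h.upper()))

    # Zeek dns.log: the queried name against the hosting and staging domains.
    q = field(ev, "dns.question.name")
    if q and q.rstrip(".").lower() in IOC_HOSTS:
        hits.append(("dns", q))

    # Zeek http.log or proxy logs that carry the full URL.
    u = field(ev, "url.full")
    if u and u in IOC_URLS:
        hits.append(("url", u))
    return hits


def sweep(events):
    """Return [(event, hits)] for the events that matched at least one IOC."""
    out = []
    for ev in events:
        hits = match_event(ev)
        if hits:
            out.append((ev, hits))
    return out


# Constructed events in the field layout winlogbeat (Sysmon) and filebeat (Zeek) produce.
SAMPLE_EVENTS = [
    {"event": {"code": "3"}, "host": {"hostname": "WS001"},
     "destination": {"ip": "141.98.6.59", "port": 443}},
    {"event": {"code": "3"}, "host": {"hostname": "WS001"},
     "destination": {"ip": "93.184.216.34", "port": 443}},
    {"event": {"code": "11"}, "host": {"hostname": "WS001"},
     "file": {"path": "C:\\Users\\bob\\Downloads\\invoice.one"}},
    {"event": {"code": "1"}, "host": {"hostname": "WS001"},
     "process": {"name": "dropped.exe",
                 "hash": {"sha256": "226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2"}}},
    {"event": {"dataset": "zeek.dns"}, "source": {"ip": "192.168.28.130"},
     "dns": {"question": {"name": "transfer.sh"}}},
]

if __name__ == "__main__":
    for ev, hits in sweep(SAMPLE_EVENTS):
        print(field(ev, "host.hostname", field(ev, "source.ip")), hits)
```

A hit on the C2 tuple or on a hash is strong; a hit on the bare file name invoice.one or on the hosting domain (transfer.sh, mega.io and pastebin.com all carry plenty of legitimate traffic) is only a lead to pivot on, which is why the Kibana queries in the tasks below immediately add the host or source IP as a second condition.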
The Task
Our task centers around a threat intelligence report concerning a malicious software known as "Stuxbot". We're expected to use the provided Indicators of Compromise (IOCs) to investigate whether there are any signs of compromise in our organization.
Launch Elastic at http://10.129.212.67:5601
Searches used (KQL; event.code values are Sysmon event IDs):
Sysmon 15 (FileCreateStreamHash): event.code:15 AND file.name:*invoice.one
Sysmon 11 (FileCreate): event.code:11 AND file.name:invoice.one*
Sysmon 3 (NetworkConnect): event.code:3 AND host.hostname:WS001
Search the Zeek logs on the field dns.question.name, for example:
source.ip:192.168.28.130 AND dns.question.name:*
Navigate to http://[Target IP]:5601 and follow along as we hunt for Stuxbot. In the part where default.exe is under investigation, a VBS file is mentioned. Enter its full name as your answer, including the extension.
Solution:
Add a file.path column to the results to see where each file was written:
file name: XceGuhkzaTrOy.vbs
path: C:\Users\svc-sql1\AppData\Local\Temp\XceGuhkzaTrOy.vbs
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
Solution:
A quick search for mimikatz shows 3 hits.
Adding the process.args column, the first result on the list shows:
process.name: mimikatz.exe
process.args: .\mimikatz.exe, lsadump::dcsync /domain:eagle.local /all /csv, exit
Answer: lsadump::dcsync /domain:eagle.local /all /csv, exit
Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___
Solution:
PowerShell script block logging records the script text under event ID 4104 (Microsoft-Windows-PowerShell/Operational); note that the Sysmon documentation at https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon covers Sysmon's own event IDs (process, file and network events), not 4104.
Filter on event.code:4104 and the wildcard query powershell.file.script_block_text: P* V*, which follows the answer hint P____V___.
Scrolling through the events, the one at Mar 27, 2023 @ 23:28:59.038 has a powershell.file.script_block_text value containing a script that opens with a PowerShell block comment (<# ... #>; the body is not reproduced here) and whose functions are PowerView's:
winlog.computer_name: WS001.eagle.local
host.name: WS001.eagle.local
user.name: bob
Answer: PowerView
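Searching 4104 events by hand works for a short script, but script block logging splits a long script into numbered fragments, so a function name can be cut in half at a fragment boundary and a per-event search misses it. The following is an added example (not code from the lab) that reassembles fragments by script block ID before matching PowerView function names; it assumes the winlogbeat field layout powershell.file.script_block_id, powershell.file.script_block_text, powershell.sequence and powershell.total. The records and script text are constructed for the example.

```python
"""Reassemble PowerShell script block (4104) fragments and flag PowerView function names."""
import re
from collections import defaultdict

# Function names PowerView exports, in both its older Invoke-*/Get-Net* naming and
# the newer *-Domain* naming. PowerShell is case-insensitive, so the regex is too.
POWERVIEW_MARKERS = [
    "Invoke-ShareFinder", "Find-DomainShare", "Get-NetShare",
    "Get-NetComputer", "Get-DomainComputer", "Get-NetUser", "Get-DomainUser",
    "Invoke-UserHunter", "Find-DomainUserLocation",
]
MARKER_RE = re.compile("|".join(re.escape(m) for m in POWERVIEW_MARKERS), re.IGNORECASE)


def reassemble(records):
    """Join the fragments of each script block (same script_block_id) in sequence order."""
    parts = defaultdict(dict)
    meta = {}
    for r in records:
        ps = r["powershell"]
        sbid = ps["file"]["script_block_id"]
        parts[sbid][ps["sequence"]] = ps["file"]["script_block_text"]
        meta[sbid] = {"total": ps["total"], "host": r["host"]["name"], "user": r["user"]["name"]}
    blocks = {}
    for sbid, frags in parts.items():
        text = "".join(frags[i] for i in sorted(frags))
        # Incomplete blocks are kept but flagged: a fragment may be dropped or still in flight.
        blocks[sbid] = {"text": text, "complete": len(frags) == meta[sbid]["total"], **meta[sbid]}
    return blocks


def find_powerview(records):
    """Return {script_block_id: block plus 'matches'} for blocks naming PowerView functions."""
    out = {}
    for sbid, block in reassemble(records).items():
        names = sorted({m.group(0) for m in MARKER_RE.finditer(block["text"])}, key=str.lower)
        if names:
            out[sbid] = dict(block, matches=names)
    return out


def per_fragment_hits(records):
    """Naive per-event search, for comparison only; it misses names split across fragments."""
    return [r for r in records
            if MARKER_RE.search(r["powershell"]["file"]["script_block_text"])]


# Constructed 4104 records in the winlogbeat field layout; the script text is invented.
SAMPLE_4104 = [
    {"event": {"code": "4104"}, "host": {"name": "WS001.eagle.local"}, "user": {"name": "bob"},
     "powershell": {"sequence": 1, "total": 2, "file": {
         "script_block_id": "a1",
         "script_block_text": "# enumerate shares\n$servers = Get-Content .\\servers.txt\nInvoke-Share"}}},
    {"event": {"code": "4104"}, "host": {"name": "WS001.eagle.local"}, "user": {"name": "bob"},
     "powershell": {"sequence": 2, "total": 2, "file": {
         "script_block_id": "a1",
         "script_block_text": "Finder -ComputerName $servers -CheckShareAccess | Out-File shares.txt"}}},
    {"event": {"code": "4104"}, "host": {"name": "WS001.eagle.local"}, "user": {"name": "bob"},
     "powershell": {"sequence": 1, "total": 1, "file": {
         "script_block_id": "b2",
         "script_block_text": "Get-ChildItem C:\\Users -Recurse | Measure-Object"}}},
]

if __name__ == "__main__":
    for sbid, b in find_powerview(SAMPLE_4104).items():
        print(sbid, b["host"], b["user"], b["matches"], "complete" if b["complete"] else "PARTIAL")
```

Matching on exported function names is a starting point only: PowerView is routinely renamed or obfuscated before use, so in practice the name list is paired with the more stable tells in the script body, such as the LDAP filters and Win32 API names it relies on.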