Hunting For Stuxbot With The Elastic Stack

  • Platforms in the Crosshairs: Microsoft Windows

  • Threatened Entities: Windows Users

  • Potential Impact: Complete takeover of the victim's computer / Domain escalation

  • Risk Level: Critical

In summary, the attack sequence for the initially compromised device can be laid out as follows:

Lifecycle

Our forensic investigation into these attacks revealed that the link directs to a OneNote file, which has consistently been hosted on a file hosting service (e.g., Mega.io or similar platforms).

This OneNote file masquerades as an invoice featuring a 'HIDDEN' button that triggers an embedded batch file. This batch file, in turn, fetches PowerShell scripts, representing stage 0 of the malicious payload.

RAT Characteristics

The RAT deployed in these attacks is modular, implying that it can be augmented with an infinite range of capabilities. While only a few features are accessible once the RAT is staged, we have noted the use of tools that capture screen dumps, execute Mimikatz, provide an interactive CMD shell on compromised machines, and so forth.

Persistence

All persistence mechanisms utilized to date have involved an EXE file deposited on the disk.

Lateral Movement

So far, we have identified two distinct methods for lateral movement:

  • Leveraging the original, Microsoft-signed PsExec

  • Using WinRM

Indicators of Compromise (IOCs)

The following provides a comprehensive inventory of all identified IOCs to this point.

OneNote File:

  • https://transfer.sh/get/kNxU7/invoice.one

  • https://mega.io/dl9o1Dz/invoice.one

Staging Entity (PowerShell Script):

  • https://pastebin.com/raw/AvHtdKb2

  • https://pastebin.com/raw/gj58DKz

Command and Control (C&C) Nodes:

  • 91.90.213.14:443

  • 103.248.70.64:443

  • 141.98.6.59:443

Cryptographic Hashes of Involved Files (SHA256):

  • 226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2

  • C346077DAD0342592DB753FE2AB36D2F9F1C76E55CF8556FE5CDA92897E99C7E

  • 018D37CBD3878258C29DB3BC3F2988B6AE688843801B9ABC28E6151141AB66D4

The Task

Our task centers around a threat intelligence report concerning a malicious software known as "Stuxbot". We're expected to use the provided Indicators of Compromise (IOCs) to investigate whether there are any signs of compromise in our organization.

Launch Elastic @ http://10.129.212.67:5601

Searches used during the hunt (KQL entered in Discover):

  • event.code:15 AND file.name:*invoice.one

  • event.code:11 AND file.name:invoice.one*

  • event.code:3 AND host.hostname:WS001

  • Search the Zeek logs on the field dns.question.name:*

  • source.ip:192.168.28.130 AND dns.question.name:*
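The same sweep the Discover queries above perform, written as an added example (not part of the module or this write-up) in Python: report IOCs are matched against constructed ECS-style events shaped like the Sysmon and PowerShell documents the hunt searches, so a host with hits can be listed without a Kibana session. The field names follow ECS; the sample events and the hit labels are constructed for this example.

```python
import fnmatch

# IOCs taken from the threat intelligence report above.
IOCS = {
    "c2": {"91.90.213.14", "103.248.70.64", "141.98.6.59"},
    "sha256": {
        "226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2",
        "C346077DAD0342592DB753FE2AB36D2F9F1C76E55CF8556FE5CDA92897E99C7E",
        "018D37CBD3878258C29DB3BC3F2988B6AE688843801B9ABC28E6151141AB66D4",
    },
    "file_globs": ["*invoice.one", "invoice.one*"],  # the two file.name searches
}

# Constructed sample events (ECS keys flattened to dotted names); the last one is benign.
SAMPLE_EVENTS = [
    {"event.code": "15", "host.hostname": "WS001", "file.name": "invoice.one",
     "file.hash.sha256": "226A723FFB4A91D9950A8B266167C5B354AB0DB1DC225578494917FE53867EF2"},
    {"event.code": "3", "host.hostname": "WS001", "destination.ip": "91.90.213.14", "destination.port": 443},
    {"event.code": "1", "host.hostname": "DC1", "process.name": "mimikatz.exe",
     "process.args": [".\\mimikatz.exe", "lsadump::dcsync /domain:eagle.local /all /csv", "exit"]},
    {"event.code": "4104", "host.name": "WS001.eagle.local",
     "powershell.file.script_block_text": "<# PowerSploit File: PowerView.ps1 #>"},
    {"event.code": "3", "host.hostname": "WS002", "destination.ip": "10.0.0.5", "destination.port": 443},
]

def match_event(event, iocs=IOCS):
    """Return the IOC hits for one event (empty list when it is clean)."""
    hits = []
    code = str(event.get("event.code", ""))
    name = event.get("file.name", "")
    # Sysmon 15 (FileCreateStreamHash) / 11 (FileCreate) naming the OneNote lure
    if code in ("11", "15") and any(fnmatch.fnmatch(name.lower(), g) for g in iocs["file_globs"]):
        hits.append(f"lure file name {name}")
    if event.get("file.hash.sha256", "").upper() in iocs["sha256"]:
        hits.append("known SHA256")
    # Sysmon 3 (NetworkConnect) to a listed C&C node
    if code == "3" and event.get("destination.ip") in iocs["c2"]:
        hits.append(f"C2 connection to {event['destination.ip']}:{event.get('destination.port')}")
    # Process arguments and PowerShell 4104 script blocks seen later in the hunt
    if "mimikatz" in " ".join(event.get("process.args", [])).lower():
        hits.append("mimikatz execution")
    if "PowerView" in event.get("powershell.file.script_block_text", ""):
        hits.append("PowerView script block")
    return hits

def hunt(events, iocs=IOCS):
    """Sweep events; return {host: [hit, ...]} for every host with at least one hit."""
    findings = {}
    for ev in events:
        hits = match_event(ev, iocs)
        if hits:
            host = ev.get("host.hostname") or ev.get("host.name", "?")
            findings.setdefault(host, []).extend(hits)
    return findings
```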

Navigate to http://[Target IP]:5601 and follow along as we hunt for Stuxbot. In the part where default.exe is under investigation, a VBS file is mentioned. Enter its full name as your answer, including the extension.

Solution:

Add a file.path column to filter files

file name = XceGuhkzaTrOy.vbs and

path = C:\Users\svc-sql1\AppData\Local\Temp\XceGuhkzaTrOy.vbs

Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.

Solution:

A quick search for mimikatz shows 3 hits.

Using the process.args column as a filter:

the first result on the list shows

process.name: mimikatz.exe

process.args: .\mimikatz.exe, lsadump::dcsync /domain:eagle.local /all /csv, exit

answer = lsadump::dcsync /domain:eagle.local /all /csv, exit

Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___

Solution:

According to this article https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon, PowerShell logs can be filtered using event ID 4104.

Add a filter using powershell.file.script_block_text: P* V*, taking the hint from the answer format P____V___.

Scrolling through logs events on Mar 27, 2023 @ 23:28:59.038

powershell.file.script_block_text column contains a script

<#

PowerSploit File: PowerView.ps1
Author: Will Schroeder (@harmj0y)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None

#>

winlog.computer_name: WS001.eagle.local

host.name: WS001.eagle.local

user.name: bob

answer = PowerView
