detection-hackathon-apt29
6.A) Credentials in Files, Credential Dumping, Masquerading
Description
The attacker accesses credentials stored in a local web browser (T1081, T1003) using a tool renamed to masquerade as a legitimate utility (T1036).
6.A.1 Credentials in Files
Procedure: Read the Chrome SQL database file to extract encrypted credentials
Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\
No detection capability was demonstrated for this procedure. However, with a SACL (object access audit entry) on %APPDATALOCAL%\Google\chrome\user data\default, the file read would generate an event ;)
6.A.2 Credential Dumping
Procedure: Executed the CryptUnprotectData API call to decrypt Chrome passwords
Criteria: accesschk.exe executing the CryptUnprotectData API
No detection capability was demonstrated for this procedure.
6.A.3 Masquerading
Procedure: Masqueraded a Chrome password dump tool as accesschk.exe, a legitimate Sysinternals tool
Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool
Sysmon
```sql
SELECT Message
FROM apt29Host h
INNER JOIN (
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
        SELECT d.ProcessGuid, d.ParentProcessGuid
        FROM apt29Host d
        INNER JOIN (
            SELECT a.ProcessGuid, a.ParentProcessGuid
            FROM apt29Host a
            INNER JOIN (
                SELECT ProcessGuid
                FROM apt29Host
                WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
                    AND EventID = 1
                    AND LOWER(Image) LIKE '%control.exe'
                    AND LOWER(ParentImage) LIKE '%sdclt.exe'
            ) b
            ON a.ParentProcessGuid = b.ProcessGuid
            WHERE a.Channel = 'Microsoft-Windows-Sysmon/Operational'
                AND a.EventID = 1
                AND a.IntegrityLevel = 'High'
        ) c
        ON d.ParentProcessGuid = c.ProcessGuid
        WHERE d.Channel = 'Microsoft-Windows-Sysmon/Operational'
            AND d.EventID = 1
            AND d.Image LIKE '%powershell.exe'
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE f.Channel = 'Microsoft-Windows-Sysmon/Operational'
        AND f.EventID = 1
        AND LOWER(f.Image) LIKE '%accesschk%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = 'Microsoft-Windows-Sysmon/Operational'
    AND h.EventID = 7
    AND LOWER(h.ImageLoaded) LIKE '%accesschk%'
```
Results
```text
Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:04:34.959
ProcessGuid: {47ab858c-e342-5eac-d703-000000000400}
ProcessId: 9204
Image: C:\Program Files\SysinternalsSuite\accessChk.exe
ImageLoaded: C:\Program Files\SysinternalsSuite\accessChk.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
Hashes: SHA1=691E81A8FA152F68FB8ACEFE8F59EA41DC995880,MD5=44F96457ADEB95AFD3F5457082D44538,SHA256=3247D21BC9BBBD8DF670A82E24BE754A2D58D2511EE64AFF0A1E3756CD288236,IMPHASH=8A672B6C29F8A80FC01C6E44A3CDEE82
Signed: false
Signature: -
SignatureStatus: Unavailable
```
VirusTotal: https://www.virustotal.com/gui/file/3247d21bc9bbbd8df670a82e24be754a2d58d2511ee64aff0a1e3756cd288236/detection
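The 6.A.3 criteria asks for evidence that accesschk.exe is not the genuine Sysinternals binary, and the Event ID 7 record above shows what that evidence looks like: unsigned, no Company, no OriginalFileName. The following is an added example, not code from the hackathon repository, that applies those checks to constructed Sysmon-style events; the expected Company string and the list of tool names are assumptions.

```python
"""Flag images named after Sysinternals tools whose Sysmon metadata does not
look like a signed Sysinternals binary. Added example; events are constructed."""
from typing import Iterable, List, Tuple

# Assumption: genuine Sysinternals binaries carry this Company string and
# an OriginalFileName matching the on-disk name; the tool list is illustrative.
EXPECTED_COMPANY = "Sysinternals - www.sysinternals.com"
KNOWN_TOOLS = {"accesschk.exe", "procdump.exe", "psexec.exe"}

def masquerade_reasons(event: dict) -> List[str]:
    """Return the reasons an image named like a Sysinternals tool looks fake."""
    path = event.get("ImageLoaded") or event.get("Image", "")
    name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name not in KNOWN_TOOLS:
        return []  # not claiming to be a Sysinternals tool, nothing to check
    reasons = []
    if str(event.get("Signed", "false")).lower() != "true":
        reasons.append("unsigned")
    if event.get("SignatureStatus", "-") != "Valid":
        reasons.append(f"signature status {event.get('SignatureStatus', '-')}")
    if event.get("Company", "-") != EXPECTED_COMPANY:
        reasons.append("company mismatch")
    orig = str(event.get("OriginalFileName", "-")).lower()
    if orig != name:
        reasons.append(f"OriginalFileName {orig!r} != {name!r}")
    return reasons

def find_masquerades(events: Iterable[dict]) -> List[Tuple[str, List[str]]]:
    """Scan Sysmon process-create (1) and image-load (7) events."""
    hits = []
    for ev in events:
        if ev.get("EventID") in (1, 7):
            reasons = masquerade_reasons(ev)
            if reasons:
                hits.append((ev.get("Image", ""), reasons))
    return hits

# Constructed sample events; the first mirrors the Event ID 7 record above.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\SysinternalsSuite\accessChk.exe",
     "ImageLoaded": r"C:\Program Files\SysinternalsSuite\accessChk.exe",
     "Company": "-", "OriginalFileName": "-", "Signed": "false",
     "SignatureStatus": "Unavailable"},
    {"EventID": 1, "Image": r"C:\Tools\accesschk.exe", "Signed": "true",
     "SignatureStatus": "Valid", "Company": EXPECTED_COMPANY,
     "OriginalFileName": "accesschk.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "Signed": "true",
     "SignatureStatus": "Valid", "Company": "Microsoft Corporation"},
]
```

Only the first constructed event is flagged; a properly signed accesschk.exe and an unrelated binary pass, so the check complements the parent-chain query above rather than matching on the file name alone.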