detection-hackathon-apt29 icon indicating copy to clipboard operation
detection-hackathon-apt29 copied to clipboard

Published 20 hours ago verified publisher icon OTRF

10.A) Service Execution

Open Cyb3rWard0g opened this issue 4 years ago • 2 comments

Description

The original victim is rebooted and the legitimate user logs in, emulating ordinary usage and a passage of time. This activity triggers the previously established persistence mechanisms, namely the execution of the new service (T1035) and payload in the Windows Startup folder (T1060).

Cyb3rWard0g avatar May 02 '20 10:05 Cyb3rWard0g

Working on this from network perspective. Same username on TH Slack if you want to collaborate.

0xtf avatar May 02 '20 14:05 0xtf

10.A.1 Service Execution

Procedure: Executed persistent service (javamtsup) on system startup Criteria: javamtsup.exe spawning from services.exe

Sysmon

SELECT Message
FROM apt29Host
WHERE Channel = "Microsoft-Windows-Sysmon/Operational"
  AND EventID = 1
  AND ParentImage LIKE '%services.exe'
  AND Image LIKE '%javamtsup.exe'

Results

Process Create:
RuleName: -
UtcTime: 2020-05-02 03:19:14.118
ProcessGuid: {47ab858c-e6b2-5eac-4d00-000000000500}
ProcessId: 3296
Image: C:\Windows\System32\javamtsup.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
CommandLine: C:\Windows\System32\javamtsup.exe
CurrentDirectory: C:\windows\system32\
User: NT AUTHORITY\SYSTEM
LogonGuid: {47ab858c-e6ad-5eac-e703-000000000000}
LogonId: 0x3E7
TerminalSessionId: 0
IntegrityLevel: System
Hashes: SHA1=FF57080E5B19C3DCF62A00EA4037330F78B228CB,MD5=1B94BED747B7539280C9762C9C1B27EB,SHA256=8BE07818317849B36C2097E799DA9719471BA1D4DD9C60A97E31CA7CEDC6E992,IMPHASH=A6D0283F95584F8785C65A050B4C2A6B
ParentProcessGuid: {47ab858c-e6ad-5eac-0b00-000000000500}
ParentProcessId: 736
ParentImage: C:\Windows\System32\services.exe
ParentCommandLine: C:\windows\system32\services.exe

Security

SELECT Message
FROM apt29Host
WHERE LOWER(Channel) = "security"
  AND EventID = 4688
  AND ParentProcessName LIKE '%services.exe'
  AND NewProcessName LIKE '%javamtsup.exe'

Results

A new process has been created.

Creator Subject:
	Security ID:		S-1-5-18
	Account Name:		SCRANTON$
	Account Domain:		DMEVALS
	Logon ID:		0x3E7

Target Subject:
	Security ID:		S-1-0-0
	Account Name:		-
	Account Domain:		-
	Logon ID:		0x0

Process Information:
	New Process ID:		0xce0
	New Process Name:	C:\Windows\System32\javamtsup.exe
	Token Elevation Type:	%%1936
	Mandatory Label:		S-1-16-16384
	Creator Process ID:	0x2e0
	Creator Process Name:	C:\Windows\System32\services.exe
	Process Command Line:	C:\Windows\System32\javamtsup.exe

Cyb3rWard0g avatar May 17 '20 05:05 Cyb3rWard0g