In the third and final chapter of our ‘Threat Hunting with MITRE’s ATT&CK Framework’ series, I’d like to focus on some of the more critical threat signatures that can be used for hunting retroactively in your environment. These particular techniques I’d consider to be higher fidelity and should ultimately be constructed into alarms for immediate response. However, looking back in time is highly recommended to ensure nothing has been missed if these haven’t been in place for detection.

If you missed Part 1, read it here. Part 2 is here.

Macro Execution & Command Obfuscation

This particular attack spans across five MITRE detection techniques within three separate phases. At DG, we incorporate the MITRE phases as a Tag within the rule. Analysts have the option of triaging by Tag or by Alarm Name. Personally, seeing an alarm named ‘Obfuscated Files or Information,' which is one of the MITRE techniques, just visually looks weird to me. So we decided to modify them a bit with the naming convention in the alarms (ie. ATP – Command Obfuscation)

The process tree below shows a string of malicious behavior derived from a malicious email attachment that was opened within Outlook.exe. Once the attachment was clicked, a macro was executed which spawned cmd.exe and powershell.exe.

Looking at the obfuscated command that generated the alarm… clearly not legitimate. So how do we proactively detect, and even better yet prevent this in the future? Creating signatures for this particular technique is highly advised and will yield almost zero false positives. I’ve included the detection below.

[Detection Signatures]

ATP – Command Obfuscation

_{^{Note: The term ‘matches’ as the Operator is regex.}}

ATP – Macro Execution

_{^{Note: This will detect macro execution via WMI}}

Wscript Executing JavaScript

In this particular attack, we see Windows Script Host (wscript) being leveraged to execute malicious javascript on the endpoint. Very low hanging fruit with a rule looking for Process = wscript.exe and Command Line contains jscript.

To take it a step further, we can pull back some additional forensics such as the file that is being executed ‘nomo.txt’ within the ProgramData directory to see how this piece of malware operates.

The file above shows entrenched malicious code that is being called via wscript. Additionally, the persistence mechanism for this malware runs off a scheduled job every three hours.

[Detection Signature]

Regsvr32 Bypassing AppLocker Restrictions

The windows feature AppLocker was initially introduced to allow admins the ability to prevent execution of executables, scripts, etc, but it didn’t last long for attackers to weaponize a vulnerability that was discovered in order to bypass. Allow me to introduce you to Regsvr32. Regsvr32 is a legitimate command line program that is used to register/unregister .dll files into the registry. Unfortunately, arbitrary code can be executed via this utility through .sct files, either local or remote, which ultimately bypasses AppLocker’s pre-defined rules. Alerting on this activity is critical because it’s either an adversary or some lame penetration tester. Below is an example of this activity occurring.

The commands that were executed here are below in sequence. Regsvr32.exe will execute the JavaScript contained within the ‘abcw.sct’ file which will then randomly select from a listing of 52 domains in abcw.sct’s code and generate a unique URL to download a dropper file. The dropper file is an HTML Application (HTA) file which is then executed by mshta.exe and blah, blah, blah... more bad stuff happens. See below how to detect!

[Detection Signatures]

ATP - Regsvr32 AppLocker Bypass Local

ATP - Microsoft HTA Abuse Activity

And there you have it. I hope this blogpost series has armed you with some additional intel to hit the ground running so you can be the ultimate savior of your organization’s network from those who clearly have zero ethical bounds. I know it can be difficult conducting threat hunting on a day to day basis. Typically security folks are required to wear every hat in their closet but carving out the time to do this as much as possible is imperative and may even one day assist in beefing up your budget if you discover something really juicy! MITRE’s ATT&CK framework lends an extremely helpful hand in mapping out where to spend your focus with great examples from prior threat actor campaigns and malware sample references.

As Yoda would say, “Patience you must have... smaller in number are we, but larger in mind” ...May the threat hunting forces be with you …