One Article Review
| Source |  AlienVault Blog |
|---|---|
| Identifiant | 2473257 |
| Date de publication | 2021-03-12 11:00:00 (vue: 2021-03-12 11:05:36) |
| Titre | Stories from the SOC – DNS recon + exfiltration |
| Texte |
Stories from the SOC is a blog series that describes recent real-world security incident investigations conducted and reported by the AT&T SOC analyst team for AT&T Managed Threat Detection and Response customers.
Executive summary
Our Managed Threat Detection and Response team responded to an Alarm indicating that suspicious reconnaissance activity was occurring internally from one of our customer's scanners. This activity was shortly followed by escalating activity involving brute force activity, remote code execution attempts, and exfiltration channel probing attempts all exploiting vulnerable DNS services on the domain controllers. The analyst was able to alert the customer to the activity before any successful exfiltration activity had taken place and the customer was able to confirm that it was a planned red team exercise.
Investigation
Initial alarm review
The initial alarm came from an Event in Microsoft® Advanced Threat Analytics that detected possible reconnaissance and discovery activity coming from an asset with a naming convention that indicated it was an enterprise scanner. Scanners frequently have external exposure, are typically easier to brute force against, and host multiple legitimate services like DNS, SMTP, SMB, that can be used to hide malicious activity.
Expanded investigation
Soon after this, brute force activity and remote code execution attempts were reported involving Windows® Management Instrumentation (WMI) exploitation coming from a compromised service account that shared a naming convention with the scanner’s hostname, indicating the scanner and service account were compromised and now pivoting activity was occurring with the attacker attempting to gain further entry into the network.
These remote code execution (RCE) attempts were flagged with behavior associated with a DNS service vulnerability that had known patches available. Vulnerabilities in DNS Server Could Allow Remote Code Execution (2562485)
Vulnerability Reference: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2011/ms11-058
After the WMI RCE attempts were flagged, multiple assets with naming conventions that matched domain controllers generated alarms by attempting to contact well known external DNS servers. However this activity was also flagged as suspicious since these assets were not configured for DNS services or had previously been associated with DNS activity.
This, combined with the firewall events denying external traffic over port 53, indicated that these servers were not authorized to perform DNS services and that this activity was likely a probing attempt to find methods of exfiltration, such as DNS tunneling.
Response
The customer was alerted to the activity by the analyst and was able to confirm that it was part of a planned red team exercise. While this particular example was an internal effort, the customer commended our efforts at detecting the threat and responding quickly.
  |
| Envoyé | Oui |
| Condensat | 058 2562485 able account activity advanced after against alarm alarms alert alerted all allow also analyst analytics any are asset assets associated at&t attacker attempt attempting attempts authorized available been before behavior blog brute came can channel code com/en combined coming commended compromised conducted configured confirm contact controllers convention conventions could customer customer's customers denying describes detected detecting detection discovery dns domain easier effort efforts enterprise entry escalating event events example execution executive exercise exfiltration expanded exploitation exploiting exposure external find firewall flagged followed force frequently from further gain generated had have hide host hostname however https://docs incident indicated indicating initial instrumentation internal internally investigation investigations involving known legitimate like likely malicious managed management matched methods microsoft microsoft® multiple naming network not now occurring one over part particular patches perform pivoting place planned port possible previously probing quickly rce real recent recon reconnaissance red reference: remote reported responded responding response review scanner scanner’s scanners security series server servers service services shared shortly since smb smtp soc soon stories successful such summary suspicious taken team these threat traffic tunneling typically updates/securitybulletins/2011/ms11 us/security used vulnerabilities vulnerability vulnerable well windows® wmi world |
| Tags | Vulnerability Threat |
| Stories | |
| Notes | |
| Move | 
|
L'article ne semble pas avoir été repris aprés sa publication.
L'article ne semble pas avoir été repris sur un précédent.