One Article Review

Home - The article:
Source AlienVault Lab Blog
Identifier 8370627
Publication date 2023-08-16 10:00:00 (viewed: 2023-08-16 10:06:51)
Title Stories from the SOC - Unveiling the stealthy tactics of AuKill malware
Text
Executive summary

On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed the attacker used AuKill malware on the client's print server to disable the server's installed EDR solution, SentinelOne, by brute-forcing an administrator account and downgrading a driver to a vulnerable version.

AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system's C:\Windows\System32\drivers folder. This malware has been observed in the wild, utilized by ransomware groups to bypass endpoint security measures and effectively spread ransomware variants such as Medusa Locker and LockBit on vulnerable systems.

In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.

Investigating the first phase of the attack

Initial intrusion

The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded the attacker misidentified the asset as a Domain Controller (DC), as it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset.

To gain those local administrator credentials, the attacker successfully brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.

[Screenshot: USM IOCs for AuKill]
[Screenshot: AuKill IOC metadata]

Establishing a beachhead

After compromising the local administrator account, the attackers used the "\Users\Administrator\Music\aSentinel" folder as a staging area for subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous "Music" folder name helping to conceal their malicious activities.

[Screenshot: the seemingly innocent Music folder]

AuKill malware has been found to operate using two Windows services named "aSentinel.exe" and "aSentinelX.exe" in its SentinelOne variant. In other variants, it targets different EDRs, such as Sophos, by utilizing corresponding Windows services like "aSophos.exe" and "aSophosX.exe".

[Screenshot: AuKill mitigated and placed in quarantine]

Establishing persistence

We also discovered "aSentinel.exe" running from "C:\Windows\system32", indicating that the attackers attempted to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as those in other locations. This can help malware bypass security measures and remain hidden. It is likely that the malware was initially placed in the "\Users\Administrator\Music\aSentinel" direct
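The indicators the write-up walks through (a burst of failed administrator logons, executables launched from a user's Music folder, the aSentinel/aSophos binary names, and a Process Explorer driver written into the drivers folder) map directly onto endpoint telemetry checks. The Python below is an added example, not AT&T MXDR's or AlienVault's code: the simplified event-dict format, field names, sample events and the failed-logon threshold are constructed assumptions, and the driver rule is generalized to any procexp*.sys file name rather than only PROCEXP.SYS.

```python
import re
from collections import Counter

# Indicators taken from the write-up: AuKill binary names, the per-user
# "Music" staging folder, and the dropped Process Explorer driver.
AUKILL_IMAGES = {"asentinel.exe", "asentinelx.exe", "asophos.exe", "asophosx.exe"}
MUSIC_STAGING = re.compile(r"^[a-z]:\\users\\[^\\]+\\music\\.+\.exe$", re.I)
PROCEXP_DRIVER = re.compile(r"\\drivers\\procexp[0-9]*\.sys$", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events, failure_threshold=5):
    """Return (rule, detail) findings for a list of simplified event dicts."""
    findings = []
    failures = Counter()  # (user, source) -> failed logon count
    for ev in events:
        kind = ev["type"]
        if kind == "logon_failure":
            failures[(ev["user"], ev["src"])] += 1
        elif kind == "process_create":
            image = ev["image"]
            if basename(image) in AUKILL_IMAGES:
                findings.append(("aukill_binary_name", image))
            if MUSIC_STAGING.match(image):
                findings.append(("exec_from_music_folder", image))
        elif kind == "file_create" and PROCEXP_DRIVER.search(ev["path"]):
            # A Process Explorer driver appearing in the drivers folder, with the
            # writing process recorded so an analyst can judge whether it is Sysinternals.
            findings.append(("procexp_driver_dropped", f'{ev["path"]} by {ev["image"]}'))
    for (user, src), n in failures.items():
        if n >= failure_threshold:  # threshold is an assumed tuning value
            findings.append(("logon_brute_force", f"{user} from {src} ({n} failures)"))
    return findings

# Constructed sample telemetry, not the incident's real logs.
SAMPLE_EVENTS = (
    [{"type": "logon_failure", "user": "Administrator", "src": "198.51.100.7"}] * 6
    + [
        {"type": "process_create", "image": r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe"},
        {"type": "file_create", "path": r"C:\Windows\System32\drivers\PROCEXP.SYS",
         "image": r"C:\Users\Administrator\Music\aSentinel\aSentinel.exe"},
        {"type": "process_create", "image": r"C:\Windows\system32\aSentinelX.exe"},
        {"type": "process_create", "image": r"C:\Windows\System32\spoolsv.exe"},  # benign
    ]
)

if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Running it against the constructed events yields five findings; the benign spooler process produces none.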
Sent Yes
Tags Ransomware Malware Tool Threat Studies Stories
Rating ★★★★


The article does not appear to have been picked up again after its publication.


The article does not appear to have been picked up from an earlier one.