Information Security

Digital Forensics Tips&Tricks: How to Find an Intruder's Lucky Coin

As you know, some people throw a coins into a fountain or sea for a luck or for come back to this place later.

image

So, cyber attackers are do the same thing — they often hide some little malware agents in the IT Infrastructure to keep a possibility to come back again.

You know some of these methods:

  • create a new scheduled task to rerun a malware beacon periodically;
  • create a new autorun key in the system registry;
  • create a new system service with autostart property;

But there is one more method to save the high-privileged permissions for further using the infected IT infrastructure — changing AdminSDholder permissions.

To understand the theoretical part of AdminSDholder you can check any article from Internet. As example try this one.
In short — there is a periodically run process in Active Directory Services which can give the permissions to a User/Group for changing security groups (e.g. Domain Admins, Schema Admins etc.) membership. To do this an attacker just need to add a User/Group to the AdminSDHolder ACL.

So, if an attacker has got a sufficient permissions to change the AdminSDHolder ACL, he can create a new User account and add this account name to the AdminSDHolder ACL.

From the article I mentioned above, you know how to check AD for this thing using Powershell.
But there is another method using YARA rule.

Every time when someone changes the AdminSDHolder ACL, a specific event 4662 being created in the Domain Controllers Security event log:

image

Now we can use the information from this event to create a YARA rule.

Here is it:

rule adminSDholder
{ 
	meta:
		maltype = "LuckyCoin"
		reference = "https://habr.com/ru/users/volnodumcev/"
		date = "17.05.2019"
		description = "YARA rule to find AdminSDholder being changed by a bad guy"
	strings:

		$hexEventID={ 36 12 00 00 00 00 00 00 20 80 }
		$object={ 7b 00 35 00 37 00 35 00 36 00 62 00 36 00 65 00 65 00 2d 00 65 00 62 00 61 00 31 00 2d 00 34 00 30 00 32 00 37 00 2d 00 38 00 32 00 39 00 64 00 2d 00 39 00 31 00 39 00 37 00 33 00 36 00 37 00 35 00 64 00 63 00 35 00 32 00 7d }
		$operation={ 7b 00 62 00 66 00 39 00 36 00 37 00 61 00 38 00 62 00 2d 00 30 00 64 00 65 00 36 00 2d 00 31 00 31 00 64 00 30 00 2d 00 61 00 32 00 38 00 35 00 2d 00 30 00 30 00 61 00 61 00 30 00 30 00 33 00 30 00 34 00 39 00 65 00 32 }

	condition:
    		$hexEventID and $object and $operation
}

So, you can use this rule with Rekall/Volatility, as example, to scan the memory dump.

Thank you again for attention! I'll be back soon with a new good stuff!

+6
615 1
Comments 2