SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures
March 17, 2021 Cybersecurity and Infrastructure Security Agency

TLP:WHITE
Updated April 15, 2021: The U.S. Government attributes this activity to the Russian Foreign Intelligence Service (SVR). Additional information may be found in a statement from the White House. For more information on SolarWinds-related activity, go to https://us-cert.cisa.gov/remediating-apt-compromised-networks and https://www.cisa.gov/supply-chain-compromise.
INTRODUCTION
The advanced persistent threat (APT) actor associated with the SolarWinds Orion supply chain compromise moved laterally to multiple systems—including Microsoft cloud environments—and established difficult-to-detect persistence mechanisms. The Cybersecurity and Infrastructure Security Agency (CISA) is providing this resource to assist network defenders in scoping the intrusion by detecting artifacts from known tactics, techniques, and procedures (TTPs) associated with this activity. Although this resource is tailored to organizations that were compromised via the SolarWinds Orion supply chain compromise, CISA is aware of other initial access vectors, and organizations should not assume they are not compromised by this APT actor solely because they have never used affected versions of SolarWinds Orion. Additionally, this resource addresses follow-on activity observed in the Microsoft Azure Active Directory (AD), Office 365 (O365), and M365 environments. Organizations should confirm they have not observed related TTPs described in this resource, and, if they detect related activity, refer to CISA Alert AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations and contact CISA for further assistance. For additional technical information on the SolarWinds Orion supply chain and Active Directory/M365 compromise, refer to us-cert.cisa.gov/remediating-apt-compromised-networks. For information on CISA’s response to this activity, refer to cisa.gov/supply-chain-compromise.
Threat Actor Tactics and Techniques
Figure 1 and table 1 identify threat actor tactics and techniques observed by incident responders using the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework, Version 8. See the ATT&CK for Enterprise framework for all referenced threat actor tactics and techniques. Note: Neither figure 1 nor table 1 should be considered exhaustive—not all techniques have been used in every incident, and some techniques may not have been identified.
Figure 1: MITRE ATT&CK Techniques Observed
Table 1 identifies tactics and techniques observed by incident responders and provides associated detection recommendations.
Table 1: Threat Actor Techniques and Associated Detection Artifacts
Tactic: Credential Access [TA0006]
Technique: Forge Web Credentials: SAML Tokens [T1606.002]
Threat Actor Activity: The threat actor created tokens using compromised Security Assertion Markup Language (SAML) signing certificates.[1]
Detection Recommendations: Monitor for anomalous logins from on-premises and cloud environments that trust the token signing certificate. Search for logins to service providers using SAML Single Sign On (SSO) that do not have corresponding events 4769, 1200, and 1202.[2]
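The correlation this recommendation describes, written out as an added example (not code from the CISA advisory): a cloud SAML sign-in is matched against the AD FS token events (1200, 1202) and Kerberos service-ticket event (4769) that a genuine federated login leaves behind for the same user shortly beforehand. The sign-in and event records, their simplified field names, and the five-minute window are constructed assumptions for the example; a token minted with a stolen signing certificate never passes through the identity provider, so it is the sign-ins with no such counterpart that need review.

```python
"""Correlate cloud SAML SSO sign-ins with the on-premises events that a
genuine federated login leaves behind (AD FS 1200/1202, Kerberos 4769).

A token forged with a stolen SAML signing certificate is presented straight
to the service provider, so the identity provider never logs issuing it.
All records below are constructed; field names are simplified, not a real
log schema.
"""
from datetime import datetime, timedelta

# Event IDs the advisory names as the expected on-premises counterparts.
CORROBORATING_EVENT_IDS = {4769, 1200, 1202}
# How far before the cloud sign-in the on-prem event may have occurred (assumed).
WINDOW = timedelta(minutes=5)

# Constructed cloud sign-in records.
CLOUD_SIGNINS = [
    {"time": "2021-03-01T09:00:10", "user": "alice@corp.example", "app": "Office 365"},
    {"time": "2021-03-01T02:13:44", "user": "svc-backup@corp.example", "app": "Office 365"},
    {"time": "2021-03-01T11:30:05", "user": "bob@corp.example", "app": "Office 365"},
    {"time": "2021-03-01T15:00:00", "user": "carol@corp.example", "app": "Office 365"},
]

# Constructed on-premises security events (AD FS server and domain controller).
ONPREM_EVENTS = [
    {"time": "2021-03-01T08:59:58", "id": 4769, "user": "alice@corp.example"},
    {"time": "2021-03-01T09:00:02", "id": 1202, "user": "alice@corp.example"},
    {"time": "2021-03-01T09:00:03", "id": 1200, "user": "alice@corp.example"},
    {"time": "2021-03-01T11:29:50", "id": 4769, "user": "bob@corp.example"},
    {"time": "2021-03-01T14:00:00", "id": 1200, "user": "carol@corp.example"},  # an hour too early
    {"time": "2021-03-01T02:13:40", "id": 4624, "user": "svc-backup@corp.example"},  # not a corroborating ID
]


def parse_time(value):
    return datetime.fromisoformat(value)


def uncorroborated_signins(signins, onprem_events, window=WINDOW):
    """Return the cloud sign-ins that have no 4769/1200/1202 event for the
    same user within `window` before (or at) the sign-in time."""
    seen = {}
    for ev in onprem_events:
        if ev["id"] in CORROBORATING_EVENT_IDS:
            seen.setdefault(ev["user"].lower(), []).append(parse_time(ev["time"]))
    flagged = []
    for signin in signins:
        t = parse_time(signin["time"])
        candidates = seen.get(signin["user"].lower(), [])
        if not any(t - window <= et <= t for et in candidates):
            flagged.append(signin)
    return flagged


if __name__ == "__main__":
    for s in uncorroborated_signins(CLOUD_SIGNINS, ONPREM_EVENTS):
        print(f"no on-prem corroboration: {s['user']} -> {s['app']} at {s['time']}")
```

The window is the tuning knob: too short and clock skew between the AD FS server and the cloud tenant produces false positives, too long and a stale event masks a forged token (carol above has a 1200 event, but an hour earlier than her sign-in).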

Tactic: Defense Evasion [TA0005]; Lateral Movement [TA0008]
Technique: Use Alternate Authentication Material [T1550]
Threat Actor Activity: The actor used forged SAML tokens to impersonate existing users in the environment with full authentication.[3,4]
Detection Recommendations: The users being leveraged are valid users, so the artifacts are behavioral. Look for user accounts, especially privileged and service accounts, behaving abnormally.
Cyber attackers prefer to use compromised credentials, so identifying accounts that use multiple login pathways, geolocations, or virtual private network (VPN) services might lead to discovery of compromised credentials, malicious autonomous system numbers (ASNs), and suspicious activity.
Internal IP management or scanning capability may show IP addresses switching between default (WIN-*) hostnames and the victim’s hostnames.[5]

Tactic: Execution [TA0002]; Persistence [TA0003]; Defense Evasion [TA0005]
Technique: Scheduled Task/Job: Scheduled Task [T1053.005]; Masquerading: Masquerade Task or Service [T1036.004]
Threat Actor Activity: The threat actor used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement. The threat actor also manipulated Scheduled Tasks by updating an existing legitimate task to execute their tools and then returned the Scheduled Task to its original configuration.[6,7] The threat actor created a Scheduled Task to maintain SUNSPOT persistence when the host booted.[12] The threat actor named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[13]
Detection Recommendations: Audit existing scheduled tasks in the environment and review against known and expected scheduled tasks; MITRE ATT&CK recommends looking “for changes to tasks and services that do not correlate with known software, patch cycles etc.”[8] Verify the tasks do what they are intended to do, as this actor is known to alter existing legitimate tasks.
MITRE ATT&CK also recommends monitoring “processes and command-line arguments for actions that could be taken to create tasks or services.”[9] In Windows 10, monitor process execution from svchost.exe. In older versions of Windows, monitor the Windows Task Scheduler taskeng.exe. If you do not observe Scheduled Tasks used for persistence, then the adversary may have removed the task after it was no longer needed.[10]
Monitor Windows Scheduled Tasks stored in %systemroot%\System32\Tasks. Look for changes related to Scheduled Tasks that do not correlate with known software updates etc.[11]
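The audit of %systemroot%\System32\Tasks described above, as an added example (not code from the CISA advisory): task definition files are parsed with the Task Scheduler XML schema and compared with a baseline of digests captured while the host was known-good, so that new tasks, edited tasks and tasks that have since disappeared are all reported, along with two properties of the observed tradecraft, an action that points into a user-writable directory and an ExecutionTimeLimit of PT0S. The sample task XML, the baseline digests and the task names are constructed for the example and trimmed to the elements the checks read.

```python
"""Audit Task Scheduler definitions under %systemroot%\\System32\\Tasks
against a known-good baseline. Sample task XML is constructed for this
example and trimmed to the elements the checks read."""
import hashlib
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments that legitimate system tasks rarely execute from (assumed heuristic).
WRITABLE_HINTS = ("\\temp\\", "\\users\\", "\\programdata\\", "\\appdata\\")


def task_xml(command, arguments, time_limit="PT72H"):
    """Minimal task definition in the Task Scheduler XML schema (constructed)."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        f"<Settings><ExecutionTimeLimit>{time_limit}</ExecutionTimeLimit></Settings>"
        f"<Actions><Exec><Command>{command}</Command><Arguments>{arguments}</Arguments></Exec></Actions>"
        "</Task>"
    )


def digest(xml_text):
    """Digest that pins one task definition in the baseline."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def audit_tasks(tasks, baseline):
    """tasks: {task path: XML text}; baseline: {task path: digest}.
    Returns (path, finding) tuples in path order, with vanished tasks last."""
    findings = []
    for path, xml_text in sorted(tasks.items()):
        root = ET.fromstring(xml_text)
        command = root.findtext("t:Actions/t:Exec/t:Command", default="", namespaces=NS)
        arguments = root.findtext("t:Actions/t:Exec/t:Arguments", default="", namespaces=NS)
        limit = root.findtext("t:Settings/t:ExecutionTimeLimit", default="", namespaces=NS)
        if path not in baseline:
            findings.append((path, "new task not in baseline"))
        elif baseline[path] != digest(xml_text):
            findings.append((path, "task definition changed since baseline"))
        if limit == "PT0S":
            findings.append((path, "ExecutionTimeLimit PT0S removes the run time limit"))
        if any(hint in f"{command} {arguments}".lower() for hint in WRITABLE_HINTS):
            findings.append((path, "action references a user-writable location"))
    # A task that was in the baseline but is gone may have been removed once
    # the adversary no longer needed it.
    for path in sorted(set(baseline) - set(tasks)):
        findings.append((path, "task in baseline no longer present"))
    return findings


SPP = "\\Microsoft\\Windows\\SoftwareProtectionPlatform\\"
# Constructed snapshot of the Tasks folder.
SAMPLE_TASKS = {
    SPP + "SvcRestartTask": task_xml("%SystemRoot%\\system32\\sc.exe", "start sppsvc"),
    # constructed lookalike of the task name the advisory reports
    SPP + "EventCacheManager": task_xml("C:\\Windows\\system32\\rundll32.exe",
                                        "C:\\Windows\\Temp\\cache.dll,Run", "PT0S"),
    "\\Backup\\NightlyBackup": task_xml("C:\\Program Files\\Backup\\backup.exe", "/full"),
}
# Constructed baseline: one task unchanged, one edited, one that has vanished.
BASELINE = {
    SPP + "SvcRestartTask": digest(SAMPLE_TASKS[SPP + "SvcRestartTask"]),
    "\\Backup\\NightlyBackup": digest(task_xml("C:\\Program Files\\Backup\\backup.exe", "/incremental")),
    "\\Backup\\Cleanup": "0" * 64,  # placeholder digest for the vanished task
}

if __name__ == "__main__":
    for path, finding in audit_tasks(SAMPLE_TASKS, BASELINE):
        print(f"{path}: {finding}")
```

A task the actor edited and then restored hashes back to its baseline value, so the digest comparison only catches the change while it is in place; the process and command-line monitoring recommended alongside it is what records the edit itself.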

Tactic: Execution [TA0002]; Lateral Movement [TA0008]; Persistence [TA0003]
Technique: Windows Management Instrumentation [T1047]; Event Triggered Execution: Windows Management Instrumentation Event Subscription [T1546.003]
Threat Actor Activity: The threat actor used Windows Management Instrumentation (WMI) for the remote execution of files for lateral movement.[14,15,16] The threat actor used WMI event subscriptions for persistence.[19,20]
Detection Recommendations: Monitor network traffic for WMI connections. WMI connections in environments that do not usually use WMI may be an indicator of compromise. Capture command-line arguments of wmic via process monitoring and look for commands that are used for remote behavior.[17] According to Microsoft, the following was used for lateral movement via WMI: wmic /node:[target] process call create "rundll32 c:\windows\[folder]\[beacon].dll [export]".[18]
Note: detecting WMI connections for execution requires detecting it at the time it happens.

5

CISA | DEFEND TODAY, SECURE TOMORROW TLP:WHITE

TLP:WHITE

Tactic: Exfiltration [TA0010]
Technique: Exfiltration over C2 Channel [T1041]
Threat Actor Activity: The threat actor used HTTP for command and control (C2) and data exfiltration.[21] The threat actor’s malware used HTTP PUT or HTTP POST requests when collected data was being exfiltrated to their C2 server.[22]
Detection Recommendations: Look for unusual outbound HTTP PUT or HTTP POST requests. If the payload is bigger than 10000 bytes, the POST method is used. If the payload is smaller than 10000 bytes, the PUT method is used. All HTTP POST and HTTP PUT requests will have a JavaScript Object Notation (JSON) body containing the keys userId, sessionId, and steps. The steps field contains a list of objects with the following keys: Timestamp, Index, EventType, EventName, DurationMs, Succeeded, and Message. The JSON key EventType is hardcoded to the value Orion, and the EventName is hardcoded to EventManager.[23]
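The JSON structure and the method/size rule above turned into a check over captured requests, as an added example (not code from the CISA advisory): a request is reported only when the body carries exactly the documented key set with the two hardcoded values, and a PUT/POST choice that disagrees with the 10000-byte rule is noted rather than used to dismiss the hit. The request records, their URLs and the body contents are constructed for the example.

```python
"""Flag outbound HTTP PUT/POST requests whose JSON body has the shape the
advisory describes. Requests below are constructed; the (method, url, body)
tuples stand in for whatever a proxy or web sensor exports."""
import json

TOP_LEVEL_KEYS = {"userId", "sessionId", "steps"}
STEP_KEYS = {"Timestamp", "Index", "EventType", "EventName",
             "DurationMs", "Succeeded", "Message"}
SIZE_THRESHOLD = 10000  # bytes: POST above, PUT below, per the advisory


def beacon_shape(method, body):
    """Return a description of the match when `body` (bytes) has the documented
    structure, else None. A method/size mismatch is reported, not excused."""
    if method not in ("PUT", "POST"):
        return None
    try:
        doc = json.loads(body)
    except ValueError:  # not JSON, or undecodable bytes
        return None
    if not isinstance(doc, dict) or not TOP_LEVEL_KEYS <= set(doc):
        return None
    steps = doc["steps"]
    if not isinstance(steps, list) or not steps:
        return None
    for step in steps:
        if not isinstance(step, dict) or set(step) != STEP_KEYS:
            return None
        if step["EventType"] != "Orion" or step["EventName"] != "EventManager":
            return None
    expected = "POST" if len(body) > SIZE_THRESHOLD else "PUT"
    verdict = "userId/sessionId/steps with EventType=Orion and EventName=EventManager"
    if method != expected:
        verdict += f"; {method} used for a {len(body)}-byte payload where {expected} was expected"
    return verdict


def scan_requests(requests):
    """requests: iterable of (method, url, body bytes). Returns (url, verdict) hits."""
    hits = []
    for method, url, body in requests:
        verdict = beacon_shape(method, body)
        if verdict:
            hits.append((url, verdict))
    return hits


def sample_steps(count):
    # Constructed step records using the documented key set and hardcoded values.
    return [{"Timestamp": "2021-03-01T09:00:00Z", "Index": i, "EventType": "Orion",
             "EventName": "EventManager", "DurationMs": 12, "Succeeded": True,
             "Message": "ZXhhbXBsZS1wYXlsb2Fk"} for i in range(count)]


def sample_body(count):
    return json.dumps({"userId": "00000000-0000-0000-0000-000000000000",
                       "sessionId": "11111111-1111-1111-1111-111111111111",
                       "steps": sample_steps(count)}).encode("utf-8")


SAMPLE_REQUESTS = [
    ("POST", "https://updates.example/api/status", b'{"status": "ok"}'),
    ("PUT", "https://c2.example/api/telemetry", sample_body(2)),       # small payload, PUT: consistent
    ("POST", "https://c2.example/api/telemetry", sample_body(200)),    # ~34 KB payload, POST: consistent
    ("POST", "https://c2.example/api/telemetry", sample_body(1)),      # small payload sent with POST
    ("PUT", "https://c2.example/api/telemetry", b'{"userId": "x", "sessionId": "y", "steps": []}'),
    ("PUT", "https://c2.example/api/telemetry", sample_body(1).replace(b'"Orion"', b'"Custom"')),
]

if __name__ == "__main__":
    for url, verdict in scan_requests(SAMPLE_REQUESTS):
        print(f"{url}: {verdict}")
```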

Tactic: Defense Evasion [TA0005]
Technique: Masquerading: Match Legitimate Name or Location [T1036.005]
Threat Actor Activity: The threat actor renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the Structured Query Language (SQL) Server Telemetry Client or Client Service Runtime Process, respectively.[24,25]
Detection Recommendations: Investigate executables with parameters that do not match their known behavior. Profile expected behavior of binaries, especially code that runs with admin permissions, to identify unusual behavior. Compare the hashes of running versions of executables with the hashes of known legitimate executables.

Tactic: Defense Evasion [TA0005]
Technique: Signed Binary Proxy Execution: Rundll32 [T1218.011]
Threat Actor Activity: The threat actor used Rundll32 to execute payloads.[26,27]
Detection Recommendations: The following resources provide examples of uses of Rundll32 seen.
• Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations
• Microsoft: Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers

Tactic: Discovery [TA0007]
Technique: Remote System Discovery [T1018]
Threat Actor Activity: The threat actor used AdFind to enumerate remote systems.[28]
Detection Recommendations: Look for executables with the following parameters (they may be the AdFind utility renamed): [renamed-adfind].exe -h [internal domain] -sc u:[user] > .\\[machine]\[file].[log|txt].[29]
Refer to Microsoft: Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop for other uses of this executable. Note: this executable may be renamed to evade detection; refer to MITRE T1036.005 for guidance on detecting renamed files.

6 CISA | DEFEND TODAY, SECURE TOMORROW
TLP:WHITE

TLP:WHITE

Tactic: Discovery [TA0007]
Technique: System Information Discovery [T1082]
Threat Actor Activity: The threat actor used fsutil to determine if there was sufficient available free space before executing actions that might generate large files on disk.[30]
Detection Recommendations: Look for the following fsutil command: fsutil volume diskfree c:.[31]

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host: Timestomp [T1070.006]
Threat Actor Activity: The threat actor modified timestamps of backdoors to match legitimate Windows files.[32]
Detection Recommendations: Use forensic techniques to detect files that have had their timestamps modified. Detecting timestomping may be possible by using file modification monitoring that collects information on file handle opens and can compare timestamp values.[33]

Tactic: Credential Access [TA0006]
Technique: OS Credential Dumping: DCSync [T1003.006]
Threat Actor Activity: The actor leveraged privileged accounts to replicate directory service data with domain controllers.[34,35,36]
Detection Recommendations: MITRE ATT&CK recommends the following: “Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. Also monitor for network protocols and other replication requests from IPs not associated with known domain controllers.”[37]
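Both halves of that recommendation as an added example (not code from the CISA advisory or MITRE): domain controller 4662 events are checked for the directory replication control-access rights, and network observations of the DRSUAPI RPC interface are checked against the known domain controller addresses. The event and session records, the domain controller accounts and addresses, and the one approved non-DC replicator (a directory-sync service account) are constructed assumptions; the replication right GUIDs and the DRSUAPI interface UUID are the documented Active Directory values.

```python
"""Spot DCSync-style replication from accounts and hosts that are not domain
controllers, from two sources: 4662 audit events on the DCs (replication
control-access rights in the Properties field) and network records of
DRSUAPI RPC sessions. All records are constructed."""
import re

# Active Directory control-access rights that grant directory replication.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"  # directory replication RPC interface
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed environment facts: DC computer accounts and addresses, plus the
# one non-DC account expected to replicate (an assumed directory-sync service).
KNOWN_DC_ACCOUNTS = {"dc01$", "dc02$"}
KNOWN_DC_IPS = {"10.0.0.5", "10.0.0.6"}
APPROVED_REPLICATORS = {"svc-dirsync"}


def replication_rights(properties):
    """Map the GUIDs in a 4662 Properties field to replication right names."""
    guids = (g.lower() for g in GUID_RE.findall(properties))
    return sorted(REPLICATION_RIGHTS[g] for g in guids if g in REPLICATION_RIGHTS)


def dcsync_findings(events_4662, drs_sessions):
    """Return one finding string per replication request from an unexpected
    account (4662) or an unexpected source host (DRSUAPI session)."""
    findings = []
    for ev in events_4662:
        rights = replication_rights(ev["properties"])
        if not rights:
            continue  # 4662 for some other object access, not replication
        who = ev["subject"].lower()
        if who in KNOWN_DC_ACCOUNTS or who in APPROVED_REPLICATORS:
            continue
        findings.append(f"4662: {ev['subject']} requested {', '.join(rights)} on {ev['object']}")
    for s in drs_sessions:
        if s["interface"].lower() == DRSUAPI_UUID and s["src"] not in KNOWN_DC_IPS:
            findings.append(f"DRSUAPI session from non-DC host {s['src']} to {s['dst']}")
    return findings


# Constructed 4662 records (subject, object, Properties).
SAMPLE_4662 = [
    {"subject": "DC02$", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "svc-dirsync", "object": "DC=corp,DC=example",
     "properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "jdoe", "object": "DC=corp,DC=example",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"subject": "jdoe", "object": "CN=Computers,DC=corp,DC=example",
     "properties": "{bf967a86-0de6-11d0-a285-00aa003049e2}"},  # not a replication right
]
# Constructed RPC session records from a network sensor.
SAMPLE_DRS_SESSIONS = [
    {"src": "10.0.0.6", "dst": "10.0.0.5", "interface": DRSUAPI_UUID},
    {"src": "10.0.5.77", "dst": "10.0.0.5", "interface": DRSUAPI_UUID},
    {"src": "10.0.5.77", "dst": "10.0.0.5", "interface": "00000000-0000-0000-0000-000000000000"},  # other interface (constructed)
]

if __name__ == "__main__":
    for line in dcsync_findings(SAMPLE_4662, SAMPLE_DRS_SESSIONS):
        print(line)
```

4662 only fires for these rights when the domain controller's SACL audits them and the "Directory Service Access" audit subcategory is enabled, so confirm that configuration before relying on the host-side half.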

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host: File Deletion [T1070.004]
Threat Actor Activity: Once remote access was achieved, the threat actor frequently removed their tools, including custom backdoors.[38]
Detection Recommendations: Monitor command-line deletion functions and compare them with binaries or other files that the threat actor may have dropped and removed. Monitor for known deletion and secure deletion tools that the actor may have introduced to the network.[39]

Tactic: Defense Evasion [TA0005]
Technique: Indicator Removal on Host [T1070]
Threat Actor Activity: The threat actor removed evidence of email export requests using Remove-MailboxExportRequest. The threat actor temporarily replaced legitimate utilities with their own, executed their payload, and then restored the original file.[40,41]
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-MailboxExportRequest -Mailbox [email protected] | Remove-MailboxExportRequest -Confirm:$False".[42]

7 CISA | DEFEND TODAY, SECURE TOMORROW
TLP:WHITE

TLP:WHITE

Tactic: Discovery [TA0007]
Technique: Permission Groups Discovery [T1069]
Threat Actor Activity: The threat actor used the Get-ManagementRoleAssignment PowerShell cmdlet to enumerate Exchange management role assignments through an Exchange Management Shell.[43]
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-ManagementRoleAssignment -GetEffectiveUsers | select Name,Role,EffectiveUserName,AssignmentMethod,IsValid | ConvertTo-Csv -NoTypeInformation | % {$_ -replace '`n','_'} | Out-File C:\temp\1.xml".[44]

Tactic: Discovery [TA0007]
Technique: File and Directory Discovery [T1083]
Threat Actor Activity: The threat actor obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.[45]
Detection Recommendations: Enable command-line parameter monitoring, and look for: C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-WebServicesVirtualDirectory | Format-List".[46]

Tactic: Execution [TA0002]
Technique: Command and Scripting Interpreter: Windows Command Shell [T1059.003]
Threat Actor Activity: The threat actor used cmd.exe to execute commands on remote machines.[47]
Detection Recommendations: Microsoft Windows cmd.exe was used to run powershell.exe, AdFind (often renamed to a number of other names), and other commands.[48] Use process tracking, event logging, and PowerShell monitoring functions to identify use of these command-line tools.

Tactic: Execution [TA0002]; Discovery [TA0007]; Persistence [TA0003]
Technique: Command and Scripting Interpreter: PowerShell [T1059.001]; Account Discovery [T1087]; Domain Trust Discovery [T1482]; Account Manipulation: Exchange Email Delegate Permissions [T1098.002]
Threat Actor Activity: The threat actor used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data, and to execute other commands.[49] The threat actor obtained a list of users and their roles from an Exchange server using Get-ManagementRoleAssignment.[54,55] The threat actor used the Get-AcceptedDomain PowerShell cmdlet to enumerate accepted domains through an Exchange Management Shell. They also used AdFind to enumerate domains and to discover trust between federated domains.[56] The threat actor added their own devices as allowed identifications (IDs) for ActiveSync using Set-CASMailbox, allowing their devices to obtain copies of victim mailboxes. The actor also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised application or service principals.[57]
Detection Recommendations: Review PowerShell cmdlets that involve adding or changing permissions or roles to existing accounts, applications, and service principals or that use Out-File filenames and unusual locations (such as C:\TEMP).[50] Organizations should review these sources and determine if the changes they make are expected and authorized.
Look for PowerShell being used to create Scheduled Tasks on remote machines with command parameters that look like this:
$scheduler = New-Object -ComObject ("Schedule.Service");$scheduler.Connect($env:COMPUTERNAME);$folder = $scheduler.GetFolder("\Microsoft\Windows\SoftwareProtectionPlatform");$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;$definition.Settings.ExecutionTimeLimit = "PT0S";$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5);echo "Done"[51]
Look for events related to Beacon commands jump psexec and jump psexec_psh; these commands will generate an EventID 7045 (Service Installation) from System.evtx. The additional commands will generate an EventID 400 event log (PowerShell Engine Startup) from Windows PowerShell.evtx.
Since this attacker is adept at PowerShell, CISA recommends enabling PowerShell logging and monitoring use of the tool. Look for cmdlets in PowerShell logs, including the following:[52]
• Get-ManagementRoleAssignment
• Get-AcceptedDomain
• Get-CASMailbox
• Get-Mailbox
• Get-OrganizationConfig
• Get-OwaVirtualDirectory
• Get-Process
• Get-WebServicesVirtualDirectory
• New-MailboxExportRequest
• Remove-MailboxExportRequest
• Set-CASMailbox
• Export-PfxCertificate
• Export-Certificate
• Add-AdfsCertificate
• Get-AdfsCertificate
• Get-AdfsSslCertificate
• New-AdfsAzureMfaTenantCertificate
• Set-AdfsCertificate
• Set-AdfsSslCertificate
• Update-AdfsCertificate
• Set-MpPreference
• Compress-Archive
• Invoke-Command
• Invoke-WMIMethod
For more information on PowerShell logging, refer to FireEye: Greater Visibility Through PowerShell Logging.
Modification of mail delegation rules and changes to the behavior or frequency of mail traffic being sent may be a sign that a compromised account is being leveraged by threat actors.[53]

Tactic: Defense Evasion [TA0005]
Technique: Obfuscated Files or Information [T1027]
Threat Actor Activity: The threat actor used encoded PowerShell commands.[58]
Detection Recommendations: The attacker is known to use PowerShell's built-in ability to take Base64 encoded parameters (the -EncodedCommand parameter).[59] There are many ways this can be called, so defenders should familiarize themselves with what this can look like in PowerShell logs using the following resources:
• Palo Alto Networks Unit 42: Pulling Back the Curtains on Encoded Command PowerShell Attacks
• Microsoft: Customer Guidance on Recent Nation State Cyber Attacks
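The command-line artifacts this table recommends hunting for, brought together in one detector as an added example (not code from the CISA advisory): the wmic remote process creation (T1047), the fsutil free-space check (T1082), the AdFind parameter pattern regardless of the binary's name (T1018 and T1036.005), Exchange Management Shell cmdlets launched through exshell.psc1 (T1069, T1083, T1070), the Schedule.Service COM script that rewrites a task (T1053.005), and the -EncodedCommand parameter itself (T1027). Because an encoded command hides every other pattern from a plain string match, the detector decodes the Base64/UTF-16LE payload first and applies the rules to the decoded script too. The process-creation records are constructed, the regular expressions are assumptions tuned to the advisory's examples, and the abbreviation list for -EncodedCommand covers the common short forms powershell.exe accepts.

```python
"""Command-line detection for the host artifacts listed in the advisory, run
over constructed process-creation command lines (Sysmon event 1 / 4688 style).
When a command line carries a Base64-encoded PowerShell command the script is
decoded (UTF-16LE) and the rules are applied to the decoded text as well."""
import base64
import binascii
import re

# Subset of the Exchange cmdlets the advisory lists as worth hunting.
EXCHANGE_CMDLETS = ("Get-ManagementRoleAssignment", "Get-AcceptedDomain", "Get-CASMailbox",
                    "Set-CASMailbox", "Get-WebServicesVirtualDirectory",
                    "New-MailboxExportRequest", "Remove-MailboxExportRequest")

# -EncodedCommand and the abbreviations powershell.exe accepts for it (assumed list).
ENCODED_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{8,})", re.I)

RULES = [
    ("T1047 remote process creation via wmic",
     re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:\S+.*\bprocess\s+call\s+create\b", re.I)),
    ("T1082 free-space check with fsutil",
     re.compile(r"\bfsutil(?:\.exe)?\s+volume\s+diskfree\b", re.I)),
    ("T1018 AdFind-style query (binary may be renamed)",
     re.compile(r"\s-h\s+\S+\s+-sc\s+u:", re.I)),
    ("T1069/T1083/T1070 Exchange Management Shell cmdlet from cmd.exe",
     re.compile(r"-PSConsoleFile\s+exshell\.psc1.*\b(?:" + "|".join(EXCHANGE_CMDLETS) + r")\b", re.I)),
    ("T1053.005 scheduled task rewritten through Schedule.Service COM",
     re.compile(r"Schedule\.Service.*RegisterTaskDefinition", re.I)),
    ("T1027 Base64-encoded PowerShell command", ENCODED_RE),
]


def decode_encoded_command(cmdline):
    """Return the decoded script when `cmdline` uses -EncodedCommand, else None."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not a real encoded command (bad Base64 or odd byte count)


def classify(cmdline):
    """Names of the rules matching the raw command line or its decoded script."""
    texts = [cmdline]
    decoded = decode_encoded_command(cmdline)
    if decoded:
        texts.append(decoded)
    return [name for name, rx in RULES if any(rx.search(t) for t in texts)]


def encode_for_powershell(script):
    # The form powershell.exe expects for -EncodedCommand: UTF-16LE, then Base64.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# The task-editing script quoted in the advisory (constructed here without the trailing echo).
SCHED_TASK_SCRIPT = ('$scheduler = New-Object -ComObject ("Schedule.Service");'
                     '$scheduler.Connect($env:COMPUTERNAME);'
                     '$folder = $scheduler.GetFolder("\\Microsoft\\Windows\\SoftwareProtectionPlatform");'
                     '$task = $folder.GetTask("EventCacheManager");$definition = $task.Definition;'
                     '$definition.Settings.ExecutionTimeLimit = "PT0S";'
                     '$folder.RegisterTaskDefinition($task.Name,$definition,6,"System",$null,5)')

# Constructed command lines, modelled on the advisory's examples.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    r'wmic /node:FILESRV01 process call create "rundll32 c:\windows\temp\cache.dll Run"',
    r"fsutil volume diskfree c:",
    r"sqlceip.exe -h corp.example -sc u:jdoe > .\\FILESRV01\users.txt",
    r'C:\Windows\system32\cmd.exe /C powershell.exe -PSConsoleFile exshell.psc1 -Command "Get-WebServicesVirtualDirectory | Format-List"',
    "powershell.exe -NoProfile -enc " + encode_for_powershell(SCHED_TASK_SCRIPT),
    r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1",
]

if __name__ == "__main__":
    for cmdline in SAMPLE_COMMAND_LINES:
        print(classify(cmdline) or "-", "<=", cmdline[:70])
```

The same decode step belongs in front of any PowerShell log review: script block logging (event 4104) already records the decoded script, but process-creation and command-line telemetry do not.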

Tactic: Persistence [TA0003]
Technique: Account Manipulation: Additional Cloud Credentials [T1098.001]
Threat Actor Activity: The threat actor added credentials to Azure service principals/applications after gaining access to the Microsoft 365 (M365) environment.[60,61]
Detection Recommendations: Look for behavioral artifacts, such as accounts behaving abnormally, and verify information such as IP and/or user agent strings are normal. Identify if credentials have been added to service principals/applications (such as SharePoint and Microsoft Teams) that previously did not have them. Check
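A review of the identity changes this entry and the Exchange delegation entry above describe, as an added example (not code from the CISA advisory): Azure AD audit records are checked for credentials added to service principals that previously had none and for mail permissions granted to applications, Exchange admin audit records for ActiveSync device IDs and mailbox delegation added with Set-CASMailbox and Add-MailboxPermission, and each flagged change is annotated when the actor's IP lies outside the ranges administrators normally use. The audit records and their field names are simplified constructions, and the admin network, the set of service principals that already held credentials, and the application names are assumptions for the example.

```python
"""Review identity changes in the M365 tenant and Exchange organization for
the manipulations the advisory describes. Records are constructed; field
names are simplified from the Azure AD audit log and the Exchange admin
audit log rather than copied from either schema."""
import ipaddress

# Constructed environment facts.
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # where admins normally work from
SPS_WITH_CREDENTIALS = {"Contoso Provisioning Connector"}     # service principals that already held a secret/cert
MAIL_PERMISSIONS = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic", "Mail.Send"}


def off_network(ip):
    """True when the actor address is outside the usual admin ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in ADMIN_NETWORKS)


def review_azuread_audit(records):
    findings = []
    for r in records:
        note = f" (from {r['ip']}, outside admin ranges)" if off_network(r["ip"]) else ""
        if r["activity"] == "Add service principal credentials" and r["target"] not in SPS_WITH_CREDENTIALS:
            findings.append(f"credential added to '{r['target']}', which previously had none{note}")
        elif r["activity"] == "Add app role assignment to service principal" and r["role"] in MAIL_PERMISSIONS:
            findings.append(f"'{r['target']}' granted {r['role']}{note}")
    return findings


def review_exchange_audit(records):
    findings = []
    for r in records:
        params = r["parameters"]
        if r["cmdlet"] == "Set-CASMailbox" and params.get("ActiveSyncAllowedDeviceIDs"):
            ids = ", ".join(params["ActiveSyncAllowedDeviceIDs"])
            findings.append(f"ActiveSync device IDs allowed on {params['Identity']}: {ids}")
        elif r["cmdlet"] == "Add-MailboxPermission":
            findings.append(f"mailbox {params['Identity']} delegated to {params['User']} ({params['AccessRights']})")
    return findings


# Constructed Azure AD audit records.
AZUREAD_AUDIT = [
    {"activity": "Add service principal credentials", "target": "Contoso Provisioning Connector",
     "actor": "admin@corp.example", "ip": "203.0.113.10"},
    {"activity": "Add service principal credentials", "target": "SharePoint",
     "actor": "admin@corp.example", "ip": "198.51.100.23"},
    {"activity": "Add app role assignment to service principal", "target": "Microsoft Teams",
     "role": "Mail.ReadWrite", "actor": "admin@corp.example", "ip": "203.0.113.10"},
    {"activity": "Add app role assignment to service principal", "target": "Microsoft Teams",
     "role": "User.Read", "actor": "admin@corp.example", "ip": "203.0.113.10"},
]
# Constructed Exchange admin audit records (multi-valued parameter shown as a list).
EXCHANGE_AUDIT = [
    {"cmdlet": "Set-CASMailbox", "parameters": {"Identity": "alice", "ActiveSyncAllowedDeviceIDs": ["ABCDEF0123456789"]}},
    {"cmdlet": "Set-CASMailbox", "parameters": {"Identity": "bob", "OWAEnabled": "False"}},
    {"cmdlet": "Add-MailboxPermission", "parameters": {"Identity": "alice", "User": "svc-archive", "AccessRights": "FullAccess"}},
]

if __name__ == "__main__":
    for line in review_azuread_audit(AZUREAD_AUDIT) + review_exchange_audit(EXCHANGE_AUDIT):
        print(line)
```

Each finding still has to be reconciled with a change record; the point of the list is to make a credential quietly added to a first-party application, or a device ID appended to a mailbox, stand out from routine administration.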