Analytics Story: Azorult

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.

Why it matters

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Allow Inbound Traffic By Firewall Rule Registry Remote Desktop Protocol, Remote Services TTP
Allow Operation with Consent Admin Abuse Elevation Control Mechanism TTP
Attempt To Stop Security Service Disable or Modify Tools, Impair Defenses TTP
CHCP Command Execution Command and Scripting Interpreter TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Create local admin accounts using net exe Local Account, Create Account TTP
Detect Use of cmd exe to Launch Script Interpreters Command and Scripting Interpreter, Windows Command Shell TTP
Disable Defender BlockAtFirstSeen Feature Disable or Modify Tools, Impair Defenses TTP
Disable Defender Enhanced Notification Disable or Modify Tools, Impair Defenses TTP
Disable Defender Spynet Reporting Disable or Modify Tools, Impair Defenses TTP
Disable Defender Submit Samples Consent Feature Disable or Modify Tools, Impair Defenses TTP
Disable Show Hidden Files Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry Anomaly
Disable Windows Behavior Monitoring Disable or Modify Tools, Impair Defenses TTP
Disabling Remote User Account Control Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Excessive Attempt To Disable Services Service Stop Anomaly
Excessive Usage Of Cacls App File and Directory Permissions Modification Anomaly
Excessive Usage Of Net App Account Access Removal Anomaly
Excessive Usage Of SC Service Utility System Services, Service Execution Anomaly
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Firewall Allowed Program Enable Disable or Modify System Firewall, Impair Defenses Anomaly
Hide User Account From Sign-In Screen Disable or Modify Tools, Impair Defenses TTP
Hiding Files And Directories With Attrib exe File and Directory Permissions Modification, Windows File and Directory Permissions Modification TTP
Icacls Deny Command File and Directory Permissions Modification TTP
Net Localgroup Discovery Permission Groups Discovery, Local Groups Hunting
Network Connection Discovery With Net System Network Connections Discovery Hunting
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Office Document Executing Macro Code Phishing, Spearphishing Attachment TTP
Office Product Spawn CMD Process Phishing, Spearphishing Attachment TTP
Office Product Spawning MSHTA Phishing, Spearphishing Attachment TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe Application Layer Protocol TTP
Windows Defender Exclusion Registry Entry Disable or Modify Tools, Impair Defenses TTP
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows Gather Victim Network Info Through Ip Check Web Services IP Addresses, Gather Victim Network Information Hunting
Windows Impair Defense Add Xml Applocker Rules Disable or Modify Tools, Impair Defenses Hunting
Windows Impair Defense Deny Security Software With Applocker Disable or Modify Tools, Impair Defenses TTP
Windows ISO LNK File Creation Spearphishing Attachment, Phishing, Malicious Link, User Execution Hunting
Windows Modify Registry Disable Toast Notifications Modify Registry Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Anomaly
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Anomaly
Windows Modify Registry Disabling WER Settings Modify Registry TTP
Windows Modify Registry DisAllow Windows App Modify Registry TTP
Windows Modify Registry Regedit Silent Reg Import Modify Registry Anomaly
Windows Modify Registry Suppress Win Defender Notif Modify Registry Anomaly
Windows Phishing Recent ISO Exec Registry Spearphishing Attachment, Phishing Hunting
Windows Powershell Import Applocker Policy PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses TTP
Windows Remote Access Software RMS Registry Remote Access Software TTP
Windows Remote Service Rdpwinst Tool Execution Remote Desktop Protocol, Remote Services TTP
Windows Remote Services Allow Rdp In Firewall Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Allow Remote Assistance Remote Desktop Protocol, Remote Services Anomaly
Windows Remote Services Rdp Enable Remote Desktop Protocol, Remote Services TTP
Windows Service Stop By Deletion Service Stop TTP
Windows Valid Account With Never Expires Password Service Stop TTP
Wmic NonInteractive App Uninstallation Disable or Modify Tools, Impair Defenses Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References


Source: GitHub | Version: 1