Analytics Story: Azorult

Date: 2022-06-09 ID: efed5343-4ac2-42b1-a16d-da2428d0ce94 Author: Teoderick Contreras, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to the Azorult malware including firewall modification, icacl execution, spawning more process, botnet c2 communication, defense evasion and etc. The AZORULT malware was first discovered in 2016 to be an information stealer that steals browsing history, cookies, ID/passwords, cryptocurrency information and more. It can also be a downloader of other malware. A variant of this malware was able to create a new, hidden administrator account on the machine to set a registry key to establish a Remote Desktop Protocol (RDP) connection. Exploit kits such as Fallout Exploit Kit (EK) and phishing mails with social engineering technique are one of the major infection vectors of the AZORult malware. The current malspam and phishing emails use fake product order requests, invoice documents and payment information requests. This Trojan-Spyware connects to Command And Control (C&C) servers of attacker to send and receive information.

Why it matters

Adversaries may use this technique to maximize the impact on the target organization in operations where network wide availability interruption is the goal.

Correlation Search

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼	Technique ▲▼	Type ▲▼
Allow Inbound Traffic By Firewall Rule Registry	Remote Desktop Protocol, Remote Services	TTP
Allow Operation with Consent Admin	Abuse Elevation Control Mechanism	TTP
Attempt To Stop Security Service	Disable or Modify Tools, Impair Defenses	TTP
CHCP Command Execution	Command and Scripting Interpreter	TTP
CMD Carry Out String Command Parameter	Windows Command Shell, Command and Scripting Interpreter	Hunting
Create local admin accounts using net exe	Local Account, Create Account	TTP
Detect Use of cmd exe to Launch Script Interpreters	Command and Scripting Interpreter, Windows Command Shell	TTP
Disable Defender BlockAtFirstSeen Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Enhanced Notification	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Spynet Reporting	Disable or Modify Tools, Impair Defenses	TTP
Disable Defender Submit Samples Consent Feature	Disable or Modify Tools, Impair Defenses	TTP
Disable Show Hidden Files	Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses, Modify Registry	Anomaly
Disable Windows Behavior Monitoring	Disable or Modify Tools, Impair Defenses	TTP
Disabling Remote User Account Control	Bypass User Account Control, Abuse Elevation Control Mechanism	TTP
Excessive Attempt To Disable Services	Service Stop	Anomaly
Excessive Usage Of Cacls App	File and Directory Permissions Modification	Anomaly
Excessive Usage Of Net App	Account Access Removal	Anomaly
Excessive Usage Of SC Service Utility	System Services, Service Execution	Anomaly
Excessive Usage Of Taskkill	Disable or Modify Tools, Impair Defenses	Anomaly
Executables Or Script Creation In Suspicious Path	Masquerading	Anomaly
Firewall Allowed Program Enable	Disable or Modify System Firewall, Impair Defenses	Anomaly
Hide User Account From Sign-In Screen	Disable or Modify Tools, Impair Defenses	TTP
Hiding Files And Directories With Attrib exe	File and Directory Permissions Modification, Windows File and Directory Permissions Modification	TTP
Icacls Deny Command	File and Directory Permissions Modification	TTP
Net Localgroup Discovery	Permission Groups Discovery, Local Groups	Hunting
Network Connection Discovery With Net	System Network Connections Discovery	Hunting
Non Firefox Process Access Firefox Profile Dir	Credentials from Password Stores, Credentials from Web Browsers	Anomaly
Office Document Executing Macro Code	Phishing, Spearphishing Attachment	TTP
Office Product Spawn CMD Process	Phishing, Spearphishing Attachment	TTP
Office Product Spawning MSHTA	Phishing, Spearphishing Attachment	TTP
Processes launching netsh	Disable or Modify System Firewall, Impair Defenses	Anomaly
Registry Keys Used For Persistence	Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution	TTP
Sc exe Manipulating Windows Services	Windows Service, Create or Modify System Process	TTP
Scheduled Task Deleted Or Created via CMD	Scheduled Task, Scheduled Task/Job	TTP
Suspicious Process File Path	Create or Modify System Process	TTP
Suspicious Scheduled Task from Public Directory	Scheduled Task, Scheduled Task/Job	Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe	Application Layer Protocol	TTP
Windows Defender Exclusion Registry Entry	Disable or Modify Tools, Impair Defenses	TTP
Windows DisableAntiSpyware Registry	Disable or Modify Tools, Impair Defenses	TTP
Windows Gather Victim Network Info Through Ip Check Web Services	IP Addresses, Gather Victim Network Information	Hunting
Windows Impair Defense Add Xml Applocker Rules	Disable or Modify Tools, Impair Defenses	Hunting
Windows Impair Defense Deny Security Software With Applocker	Disable or Modify Tools, Impair Defenses	TTP
Windows ISO LNK File Creation	Spearphishing Attachment, Phishing, Malicious Link, User Execution	Hunting
Windows Modify Registry Disable Toast Notifications	Modify Registry	Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif	Modify Registry	Anomaly
Windows Modify Registry Disable Windows Security Center Notif	Modify Registry	Anomaly
Windows Modify Registry Disabling WER Settings	Modify Registry	TTP
Windows Modify Registry DisAllow Windows App	Modify Registry	TTP
Windows Modify Registry Regedit Silent Reg Import	Modify Registry	Anomaly
Windows Modify Registry Suppress Win Defender Notif	Modify Registry	Anomaly
Windows Phishing Recent ISO Exec Registry	Spearphishing Attachment, Phishing	Hunting
Windows Powershell Import Applocker Policy	PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses	TTP
Windows Remote Access Software RMS Registry	Remote Access Software	TTP
Windows Remote Service Rdpwinst Tool Execution	Remote Desktop Protocol, Remote Services	TTP
Windows Remote Services Allow Rdp In Firewall	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Allow Remote Assistance	Remote Desktop Protocol, Remote Services	Anomaly
Windows Remote Services Rdp Enable	Remote Desktop Protocol, Remote Services	TTP
Windows Service Stop By Deletion	Service Stop	TTP
Windows Valid Account With Never Expires Password	Service Stop	TTP
Wmic NonInteractive App Uninstallation	Disable or Modify Tools, Impair Defenses	Hunting

Data Sources

Name ▲▼	Platform ▲▼	Sourcetype ▲▼	Source ▲▼
CrowdStrike ProcessRollup2	N/A	`crowdstrike:events:sensor`	`crowdstrike`
Powershell Script Block Logging 4104	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-PowerShell/Operational`
Sysmon EventID 1	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 11	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 12	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 13	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 17	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 18	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 22	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Sysmon EventID 7	Windows	`xmlwineventlog`	`XmlWinEventLog:Microsoft-Windows-Sysmon/Operational`
Windows Event Log Security 4663	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`
Windows Event Log Security 4688	Windows	`xmlwineventlog`	`XmlWinEventLog:Security`

References

Source: GitHub | Version: 1