Analytics Story: Azorult

Description

This story groups searches that detect and investigate activity associated with the AZORult malware, including firewall modification, icacls execution, unusual child-process creation, botnet command-and-control (C2) communication and defense evasion. AZORult was first observed in 2016 as an information stealer that collects browsing history, cookies, saved credentials, cryptocurrency wallet data and more; it also acts as a downloader for additional malware. One variant creates a new, hidden local administrator account and sets a registry key so the host accepts Remote Desktop Protocol (RDP) connections. The major infection vectors are exploit kits such as the Fallout Exploit Kit (EK) and phishing emails built on social engineering; current malspam lures are fake product order requests, invoice documents and payment information requests. Once running, the trojan-spyware connects to the attacker's command-and-control servers to send and receive data.
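The hidden-administrator-plus-RDP variant described above leaves a recognisable four-step trail in Sysmon process-creation (EventID 1) and registry value-set (EventID 13) telemetry, both of which are data sources for this story. The Python below is an added example, not code from this page or from Splunk's security_content, that correlates those four steps per host over a few constructed Sysmon-style events. The registry locations it keys on (the Winlogon SpecialAccounts\UserList value that hides an account from the sign-in screen, and fDenyTSConnections, which enables Remote Desktop when set to 0) are standard Windows locations the page itself does not name, and the event field names follow Sysmon's XML schema; both are assumptions of the example.

```python
# Added example: correlate "create account -> make it admin -> hide it -> enable RDP"
# per host from Sysmon-style events. Not part of the page or of Splunk security_content.
import re
from collections import defaultdict

# net.exe delegates to net1.exe, so Sysmon EventID 1 often shows both; accept either,
# with or without a quoted full path, e.g. "C:\Windows\system32\net.exe" user x p /add
NET_USER_ADD = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+user\s+"?(?P<user>[^"\s]+)"?(?:\s+\S+)?\s+/add\b', re.IGNORECASE)
NET_LOCALGROUP_ADMIN_ADD = re.compile(
    r'\bnet1?(?:\.exe)?"?\s+localgroup\s+"?administrators"?\s+"?(?P<user>[^"\s]+)"?\s+/add\b',
    re.IGNORECASE)

# Assumed registry locations (standard Windows paths, not taken from the page):
#  - DWORD 0 named after an account under ...\Winlogon\SpecialAccounts\UserList hides it
#  - ...\Control\Terminal Server\fDenyTSConnections = 0 turns Remote Desktop on
USERLIST_MARKER = "\\winlogon\\specialaccounts\\userlist\\"
RDP_DENY_SUFFIX = "\\control\\terminal server\\fdenytsconnections"


def _dword(details):
    """Sysmon 13 renders DWORD values as 'DWORD (0x00000000)'; return the int or None."""
    m = re.search(r"0x([0-9a-fA-F]+)", details or "")
    return int(m.group(1), 16) if m else None


def detect_hidden_admin_rdp(events):
    """Return one finding per (host, account) where the account was created, added to
    Administrators, hidden from the sign-in screen, and RDP was enabled on that host."""
    per_host = defaultdict(lambda: {"added": {}, "admin": {}, "hidden": {}, "rdp": None})
    for ev in events:
        st = per_host[ev["Computer"]]
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            if (m := NET_USER_ADD.search(cmd)):
                st["added"][m.group("user").lower()] = ev
            if (m := NET_LOCALGROUP_ADMIN_ADD.search(cmd)):
                st["admin"][m.group("user").lower()] = ev
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "").lower()
            if _dword(ev.get("Details")) != 0:
                continue  # only the "hide account" / "allow RDP" values (0) matter here
            if USERLIST_MARKER in target:
                st["hidden"][target.rsplit("\\", 1)[-1]] = ev   # value name == account
            elif target.endswith(RDP_DENY_SUFFIX):
                st["rdp"] = ev
    findings = []
    for host, st in per_host.items():
        if st["rdp"] is None:
            continue
        for user in sorted(st["added"].keys() & st["admin"].keys() & st["hidden"].keys()):
            findings.append({"host": host, "user": user, "evidence": [
                st["added"][user], st["admin"][user], st["hidden"][user], st["rdp"]]})
    return findings


# Constructed sample events (Sysmon field names; timestamps omitted for brevity).
SAMPLE_EVENTS = [
    # WS01: the full chain for one account
    {"EventID": 1, "Computer": "WS01", "CommandLine": "net1 user svc_backup P@ssw0rd123 /add"},
    {"EventID": 1, "Computer": "WS01", "CommandLine": "net1 localgroup administrators svc_backup /add"},
    {"EventID": 13, "Computer": "WS01", "Details": "DWORD (0x00000000)", "TargetObject":
     "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\\svc_backup"},
    {"EventID": 13, "Computer": "WS01", "Details": "DWORD (0x00000000)", "TargetObject":
     "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
    # WS02: a visible local admin is created and RDP stays disabled (no finding)
    {"EventID": 1, "Computer": "WS02",
     "CommandLine": "\"C:\\Windows\\system32\\net.exe\" user helpdesk Welcome1 /add"},
    {"EventID": 1, "Computer": "WS02", "CommandLine": "net localgroup administrators helpdesk /add"},
    {"EventID": 13, "Computer": "WS02", "Details": "DWORD (0x00000001)", "TargetObject":
     "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
    # WS03: RDP enabled with no account activity at all (no finding)
    {"EventID": 13, "Computer": "WS03", "Details": "DWORD (0x00000000)", "TargetObject":
     "HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\\fDenyTSConnections"},
]

if __name__ == "__main__":
    for f in detect_hidden_admin_rdp(SAMPLE_EVENTS):
        print(f"{f['host']}: hidden admin '{f['user']}' created and RDP enabled "
              f"({len(f['evidence'])} supporting events)")
```

Each step on its own is ordinary administrative activity, which is why the page's separate detections for account creation, sign-in-screen hiding and RDP enablement are typed Anomaly or TTP rather than treated as conclusive; requiring all four for the same account on the same host is what makes the combined finding worth acting on. A production version would additionally bound the four events to a time window and include the parent process of net.exe, since AZORult launches it from a non-shell process.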

Why it matters

AZORult is a credential and data stealer that doubles as a loader: a successful infection exposes browser-stored passwords, session cookies and cryptocurrency wallet data, and the hidden-administrator-plus-RDP variant gives the operator persistent interactive access to the host. The detections in this story cover both the delivery stage (Office macros and ISO/LNK lures) and the host-level side effects of an infection (local account creation, firewall and registry changes, security-tool tampering, discovery commands), so a single compromised host produces several correlated signals rather than one alert. The risk-based search below turns those signals into one finding once enough distinct detections fire against the same object.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
    from datamodel=Risk.All_Risk
    where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
    by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
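The risk-based search above is easier to reason about as plain code. The Python below is an added example, not part of this page or of Splunk's security_content, that re-implements its aggregation over constructed Risk.All_Risk-shaped events: filter risk events to the story's detection names (the wildcarded IN list behaves as a case-insensitive substring match), group by risk object, object type and MITRE tactic, compute the same values()/dc()/sum/min/max columns, and keep only groups with four or more distinct sources. The sample events, the technique IDs on them and the " - Rule" suffix on source names (standing in for the correlation-search name ES writes into the risk index) are assumptions of the example.

```python
# Added example re-implementing the RBA correlation search in plain Python.
# Not part of the page or of Splunk security_content.
from collections import defaultdict

# The detection names the search selects with IN ("*name*", ...).
STORY_SOURCES = [
    "Windows Cmdline Tool Execution From Non-Shell Process",
    "Windows System Network Config Discovery Display DNS",
    "Local Account Discovery With Wmic",
    "Windows Group Discovery Via Net",
    "Windows Create Local Administrator Account Via Net",
    "Windows User Discovery Via Net",
    "Icacls Deny Command",
    "ICACLS Grant Command",
    "Windows Proxy Via Netsh",
    "Processes launching netsh",
    "Disabling Firewall with Netsh",
    "Windows System Network Connections Discovery Netsh",
    "Network Connection Discovery With Arp",
    "Windows System Discovery Using ldap Nslookup",
    "Windows System Shutdown CommandLine",
]
SOURCE_COUNT_THRESHOLD = 4  # the search's `where source_count >= 4`


def matches_story(source):
    """IN("*x*", ...) with wildcards is a case-insensitive substring match on source."""
    s = source.lower()
    return any(name.lower() in s for name in STORY_SOURCES)


def correlate(events, threshold=SOURCE_COUNT_THRESHOLD, group_by_tactic=True):
    """Aggregate like `tstats ... by risk_object risk_object_type mitre_tactic`.
    group_by_tactic=False shows what changes if mitre_tactic is dropped from the by clause."""
    groups = defaultdict(list)
    for ev in events:
        if not matches_story(ev["source"]):
            continue
        key = (ev["risk_object"], ev["risk_object_type"],
               ev["mitre_tactic"] if group_by_tactic else "*")
        groups[key].append(ev)

    hits = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = sorted({e["source"] for e in evs})          # values(source), dc(source)
        if len(sources) < threshold:                           # where source_count >= 4
            continue
        tactic_ids = sorted({e["mitre_tactic_id"] for e in evs})
        technique_ids = sorted({e["mitre_technique_id"] for e in evs})
        hits.append({
            "risk_object": obj, "risk_object_type": obj_type, "mitre_tactic": tactic,
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": tactic_ids, "mitre_tactic_id_count": len(tactic_ids),
            "mitre_technique_id": technique_ids, "mitre_technique_id_count": len(technique_ids),
            "source": sources, "source_count": len(sources),
        })
    return hits


def _risk(t, obj, tactic_id, tactic, source, technique, score=10):
    """One constructed Risk.All_Risk-shaped event (sample data, not real telemetry)."""
    return {"_time": t, "risk_object": obj, "risk_object_type": "system",
            "mitre_tactic_id": tactic_id, "mitre_tactic": tactic,
            "source": source + " - Rule", "mitre_technique_id": technique,
            "calculated_risk_score": score}


SAMPLE_RISK_EVENTS = [
    # host01: four distinct Discovery detections (one fires twice) plus one Defense Evasion
    _risk(1700000000, "host01", "TA0007", "Discovery", "Windows User Discovery Via Net", "T1087.001"),
    _risk(1700000060, "host01", "TA0007", "Discovery", "Windows Group Discovery Via Net", "T1069.001"),
    _risk(1700000120, "host01", "TA0007", "Discovery", "Local Account Discovery With Wmic", "T1087.001"),
    _risk(1700000180, "host01", "TA0007", "Discovery", "Network Connection Discovery With Arp", "T1016"),
    _risk(1700000240, "host01", "TA0007", "Discovery", "Windows User Discovery Via Net", "T1087.001"),
    _risk(1700000300, "host01", "TA0005", "Defense Evasion", "Disabling Firewall with Netsh", "T1562.004"),
    # host02: five distinct story detections, but spread over three tactics
    _risk(1700000400, "host02", "TA0007", "Discovery", "Windows User Discovery Via Net", "T1087.001"),
    _risk(1700000460, "host02", "TA0007", "Discovery", "Windows Group Discovery Via Net", "T1069.001"),
    _risk(1700000520, "host02", "TA0005", "Defense Evasion", "Disabling Firewall with Netsh", "T1562.004"),
    _risk(1700000580, "host02", "TA0005", "Defense Evasion", "Icacls Deny Command", "T1222.001"),
    _risk(1700000640, "host02", "TA0040", "Impact", "Windows System Shutdown CommandLine", "T1529"),
    # noise: a detection outside the story's IN() list, dropped by the filter
    _risk(1700000700, "host02", "TA0007", "Discovery", "Some Unrelated Detection", "T1082"),
]

if __name__ == "__main__":
    for h in correlate(SAMPLE_RISK_EVENTS):
        print(h["risk_object"], h["mitre_tactic"], h["source_count"], h["risk_score"])
```

The sample exercises the caveat a practitioner should know about: because mitre_tactic is in the by clause, the four distinct detections must share a tactic. host02 trips five different story detections but never four under one tactic, so it produces no result, while host01 does. If you want cross-tactic escalation to count, drop mitre_tactic from the grouping (group_by_tactic=False here) and retune the threshold, since the same host will then aggregate many more sources.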

Detections

Name | Technique | Type
Attempt To Stop Security Service | Disable or Modify Tools | TTP
Create local admin accounts using net exe | Local Account | TTP
Excessive Usage Of Net App | Account Access Removal | Anomaly
Net Localgroup Discovery | Local Groups | Hunting
Network Connection Discovery With Net | System Network Connections Discovery | Hunting
Office Document Executing Macro Code | Spearphishing Attachment | TTP
Office Product Spawn CMD Process | Spearphishing Attachment | TTP
Office Product Spawning MSHTA | Spearphishing Attachment | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Valid Account With Never Expires Password | Service Stop | TTP
Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol | TTP
Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP
CHCP Command Execution | Command and Scripting Interpreter | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Detect Use of cmd exe to Launch Script Interpreters | Windows Command Shell | TTP
Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools | TTP
Disable Defender Enhanced Notification | Disable or Modify Tools | TTP
Disable Defender Spynet Reporting | Disable or Modify Tools | TTP
Disable Defender Submit Samples Consent Feature | Disable or Modify Tools | TTP
Disable Show Hidden Files | Modify Registry, Disable or Modify Tools, Hidden Files and Directories | Anomaly
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Disabling Remote User Account Control | Bypass User Account Control | TTP
Excessive Attempt To Disable Services | Service Stop | Anomaly
Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly
Excessive Usage Of SC Service Utility | Service Execution | Anomaly
Excessive Usage Of Taskkill | Disable or Modify Tools | Anomaly
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Firewall Allowed Program Enable | Disable or Modify System Firewall | Anomaly
Hide User Account From Sign-In Screen | Disable or Modify Tools | TTP
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification | TTP
Icacls Deny Command | File and Directory Permissions Modification | TTP
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Processes launching netsh | Disable or Modify System Firewall | Anomaly
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Sc exe Manipulating Windows Services | Windows Service | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Application Layer Protocol | TTP
Windows Attempt To Stop Security Service | Disable or Modify Tools | TTP
Windows Create Local Administrator Account Via Net | Local Account | Anomaly
Windows Defender Exclusion Registry Entry | Disable or Modify Tools | TTP
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Windows Excessive Usage Of Net App | Account Access Removal | Anomaly
Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses | Hunting
Windows Group Discovery Via Net | Local Groups, Domain Groups | Hunting
Windows Impair Defense Add Xml Applocker Rules | Disable or Modify Tools | Hunting
Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools | TTP
Windows ISO LNK File Creation | Malicious Link, Spearphishing Attachment | Hunting
Windows Modify Registry Disable Toast Notifications | Modify Registry | Anomaly
Windows Modify Registry Disable Win Defender Raw Write Notif | Modify Registry | Anomaly
Windows Modify Registry Disable Windows Security Center Notif | Modify Registry | Anomaly
Windows Modify Registry Disabling WER Settings | Modify Registry | TTP
Windows Modify Registry DisAllow Windows App | Modify Registry | TTP
Windows Modify Registry Regedit Silent Reg Import | Modify Registry | Anomaly
Windows Modify Registry Suppress Win Defender Notif | Modify Registry | Anomaly
Windows Network Connection Discovery Via Net | System Network Connections Discovery | Hunting
Windows Office Product Loading VBE7 DLL | Spearphishing Attachment | Anomaly
Windows Office Product Spawned Uncommon Process | Spearphishing Attachment | TTP
Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment | Hunting
Windows Powershell Import Applocker Policy | PowerShell, Disable or Modify Tools | TTP
Windows Remote Access Software RMS Registry | Remote Access Software | TTP
Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP
Windows Remote Services Allow Rdp In Firewall | Remote Desktop Protocol | Anomaly
Windows Remote Services Allow Remote Assistance | Remote Desktop Protocol | Anomaly
Windows Remote Services Rdp Enable | Remote Desktop Protocol | TTP
Windows Service Stop By Deletion | Service Stop | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
Wmic NonInteractive App Uninstallation | Disable or Modify Tools | Hunting

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 17 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 18 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1