Description
Leverage searches that allow you to detect and investigate unusual activities that might relate to the AZORult malware, including firewall modification, icacls execution, spawning of additional processes, botnet C2 communication and defense evasion. AZORult was first discovered in 2016 as an information stealer that steals browsing history, cookies, IDs/passwords, cryptocurrency information and more. It can also act as a downloader for other malware. One variant creates a new, hidden administrator account on the machine and sets a registry key to allow a Remote Desktop Protocol (RDP) connection to it. Exploit kits such as the Fallout Exploit Kit (EK) and phishing emails that rely on social engineering are among the major infection vectors. Current malspam and phishing campaigns use fake product order requests, invoice documents and payment information requests as lures. The trojan-spyware connects to the attacker's command and control (C2) servers to send and receive information.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-06-09
- Author: Teoderick Contreras, Splunk
- ID: efed5343-4ac2-42b1-a16d-da2428d0ce94
Narrative
AZORult is an information stealer that harvests browser history, cookies, credentials and cryptocurrency wallet data and can also stage other malware. Beyond the theft itself, the variant described above creates a hidden local administrator account and modifies the registry and firewall so the operator can reach the host over RDP. The detections in this story therefore cover the whole chain rather than a single stage: delivery by phishing or exploit kit (Office documents spawning cmd.exe or mshta.exe, ISO and LNK files), defense evasion against Windows Defender and other security tools, local account creation and hiding, RDP and firewall changes, file-permission changes with icacls and attrib, persistence through registry run keys and scheduled tasks, and C2 or remote-access tooling such as RMS/Radmin. The searches run on the Endpoint datamodel, so process, registry and file telemetry (Sysmon or equivalent) must be onboarded for them to fire, and any one detection on its own is weak evidence: the value is in several of them firing on the same host in a short window.
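As an added example (not Splunk's SPL for this story and not code from any AZORult research), the following Python shows the detection idea the description carries: match the operator commands for account creation, hiding the account, enabling RDP, opening the firewall and denying permissions with icacls, then correlate the hits per host. Rule names reuse the story's detection names where the behaviour matches; "Local account created with net user /add", the Event shape, every sample event and the threshold of three distinct behaviours are this editor's assumptions, and the regular expressions are an approximation of the command lines, not the story's search logic.

```python
"""Toy host-level detector for the AZORult behaviours the description names.

Added example for this page, not Splunk's SPL for this story. The event shape,
every sample event and the command-line patterns below are constructed for
illustration.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    """Minimal process-creation record (the fields Sysmon EID 1 would feed into
    the Endpoint datamodel that these rules need)."""
    host: str
    parent: str
    image: str
    cmdline: str


# (rule name, technique as this story labels it, command-line pattern).
# Patterns are case-insensitive because cmd.exe, reg.exe and netsh.exe are.
RULES = [
    ("Local account created with net user /add",            # hypothetical name
     "Local Account, Create Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+user\s+.*?/add\b", re.I)),
    ("Create local admin accounts using net exe",           # story detection name
     "Local Account, Create Account",
     re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\s+administrators\s+.*?/add\b", re.I)),
    ("Hide User Account From Sign-In Screen",
     "Disable or Modify Tools, Impair Defenses",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*SpecialAccounts\\UserList.*\s/d\s+0\b", re.I)),
    ("Windows Remote Services Rdp Enable",
     "Remote Desktop Protocol, Remote Services",
     re.compile(r"\breg(?:\.exe)?\s+add\s+.*Terminal Server.*fDenyTSConnections.*\s/d\s+0\b", re.I)),
    ("Windows Remote Services Allow Rdp In Firewall",
     "Remote Desktop Protocol, Remote Services",
     re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+(?:add|set)\s+rule\b.*\baction=allow\b", re.I)),
    ("Icacls Deny Command",
     "File and Directory Permissions Modification",
     re.compile(r"\bicacls(?:\.exe)?\s+.*\s/deny\s", re.I)),
]


def match_event(ev):
    """Names of every rule whose pattern matches this event's command line."""
    return [name for name, _technique, pattern in RULES if pattern.search(ev.cmdline)]


def score_hosts(events):
    """host -> sorted list of the distinct rule names that fired on that host."""
    hits = {}
    for ev in events:
        for name in match_event(ev):
            hits.setdefault(ev.host, set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


def flag_hosts(events, threshold=3):
    """Hosts on which at least `threshold` distinct rules fired.

    Each rule alone is noisy (administrators also add accounts and firewall
    rules); what marks the AZORult variant is the chain on one host: create an
    account, hide it, enable RDP, open the firewall. Counting distinct
    behaviours per host is the same idea as aggregating risk scores."""
    return sorted(h for h, names in score_hosts(events).items() if len(names) >= threshold)


# Constructed sample telemetry: WS01 shows the full chain, WS02 only routine admin work.
SAMPLE_EVENTS = [
    Event("WS01", "powershell.exe", "net.exe", "net user backupadmin P@ssw0rd! /add"),
    Event("WS01", "powershell.exe", "net.exe", "net localgroup administrators backupadmin /add"),
    Event("WS01", "powershell.exe", "reg.exe",
          r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v backupadmin /t REG_DWORD /d 0 /f'),
    Event("WS01", "powershell.exe", "reg.exe",
          r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    Event("WS01", "powershell.exe", "netsh.exe",
          'netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow'),
    Event("WS01", "powershell.exe", "icacls.exe", r"icacls C:\Users\Public\svc.exe /deny Everyone:(R,W)"),
    Event("WS02", "cmd.exe", "net.exe", "net user"),
    Event("WS02", "cmd.exe", "reg.exe", r"reg add HKCU\Software\Contoso\App /v FirstRun /t REG_DWORD /d 1 /f"),
    Event("WS02", "cmd.exe", "icacls.exe", r"icacls C:\Data /grant Users:R"),
]

if __name__ == "__main__":
    for host, names in score_hosts(SAMPLE_EVENTS).items():
        print(host, names)
    print("flagged:", flag_hosts(SAMPLE_EVENTS))
```

Run stand-alone it lists the six rules that fire on WS01, nothing for WS02, and flags only WS01. In Splunk the equivalent is to let each detection contribute risk to the host object and alert on the aggregate, which is why most entries in the table below are typed TTP or Anomaly rather than being tuned to fire alone.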
Detections
| Name | Technique | Type |
|---|---|---|
| Allow Inbound Traffic By Firewall Rule Registry | Remote Desktop Protocol, Remote Services | TTP |
| Allow Operation with Consent Admin | Abuse Elevation Control Mechanism | TTP |
| Attempt To Stop Security Service | Disable or Modify Tools, Impair Defenses | TTP |
| CHCP Command Execution | Command and Scripting Interpreter | TTP |
| CMD Carry Out String Command Parameter | Windows Command Shell, Command and Scripting Interpreter | Hunting |
| Create local admin accounts using net exe | Local Account, Create Account | TTP |
| Detect Use of cmd exe to Launch Script Interpreters | Command and Scripting Interpreter, Windows Command Shell | TTP |
| Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Enhanced Notification | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Spynet Reporting | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Defender Submit Samples Consent Feature | Disable or Modify Tools, Impair Defenses | TTP |
| Disable Show Hidden Files | Hidden Files and Directories, Disable or Modify Tools, Hide Artifacts, Impair Defenses | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools, Impair Defenses | TTP |
| Disabling Remote User Account Control | Bypass User Account Control, Abuse Elevation Control Mechanism | TTP |
| Excessive Attempt To Disable Services | Service Stop | Anomaly |
| Excessive Usage Of Cacls App | File and Directory Permissions Modification | Anomaly |
| Excessive Usage Of Net App | Account Access Removal | Anomaly |
| Excessive Usage Of SC Service Utility | System Services, Service Execution | Anomaly |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly |
| Firewall Allowed Program Enable | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Hide User Account From Sign-In Screen | Disable or Modify Tools, Impair Defenses | TTP |
| Hiding Files And Directories With Attrib exe | File and Directory Permissions Modification, Windows File and Directory Permissions Modification | TTP |
| Icacls Deny Command | File and Directory Permissions Modification | TTP |
| Net Localgroup Discovery | Permission Groups Discovery, Local Groups | Hunting |
| Network Connection Discovery With Net | System Network Connections Discovery | Hunting |
| Non Firefox Process Access Firefox Profile Dir | Credentials from Password Stores, Credentials from Web Browsers | Anomaly |
| Office Document Executing Macro Code | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawn CMD Process | Phishing, Spearphishing Attachment | TTP |
| Office Product Spawning MSHTA | Phishing, Spearphishing Attachment | TTP |
| Processes launching netsh | Disable or Modify System Firewall, Impair Defenses | Anomaly |
| Registry Keys Used For Persistence | Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution | TTP |
| Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP |
| Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP |
| Suspicious Process File Path | Create or Modify System Process | TTP |
| Suspicious Scheduled Task from Public Directory | Scheduled Task, Scheduled Task/Job | Anomaly |
| Windows Application Layer Protocol RMS Radmin Tool Namedpipe | Application Layer Protocol | TTP |
| Windows Defender Exclusion Registry Entry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Gather Victim Network Info Through Ip Check Web Services | IP Addresses, Gather Victim Network Information | Hunting |
| Windows ISO LNK File Creation | Spearphishing Attachment, Phishing, Malicious Link, User Execution | Hunting |
| Windows Impair Defense Add Xml Applocker Rules | Disable or Modify Tools, Impair Defenses | Hunting |
| Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Modify Registry DisAllow Windows App | Modify Registry | TTP |
| Windows Modify Registry Disable Toast Notifications | Modify Registry | Anomaly |
| Windows Modify Registry Disable Win Defender Raw Write Notif | Modify Registry | Anomaly |
| Windows Modify Registry Disable Windows Security Center Notif | Modify Registry | Anomaly |
| Windows Modify Registry Disabling WER Settings | Modify Registry | TTP |
| Windows Modify Registry Regedit Silent Reg Import | Modify Registry | Anomaly |
| Windows Modify Registry Suppress Win Defender Notif | Modify Registry | Anomaly |
| Windows Phishing Recent ISO Exec Registry | Spearphishing Attachment, Phishing | Hunting |
| Windows Powershell Import Applocker Policy | PowerShell, Command and Scripting Interpreter, Disable or Modify Tools, Impair Defenses | TTP |
| Windows Remote Access Software RMS Registry | Remote Access Software | TTP |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol, Remote Services | TTP |
| Windows Remote Services Allow Rdp In Firewall | Remote Desktop Protocol, Remote Services | Anomaly |
| Windows Remote Services Allow Remote Assistance | Remote Desktop Protocol, Remote Services | Anomaly |
| Windows Remote Services Rdp Enable | Remote Desktop Protocol, Remote Services | TTP |
| Windows Service Stop By Deletion | Service Stop | TTP |
| Windows Valid Account With Never Expires Password | Service Stop | TTP |
| Wmic NonInteractive App Uninstallation | Disable or Modify Tools, Impair Defenses | Hunting |
Reference
source | version: 1