By Splunk Threat Research Team August 31, 2018
Last month, in unveiling his new “get-tough-on-cybercrime” plan, Deputy Attorney General (DAG) Rod Rosenstein remarked that Russian interference in the 2016 election was not going to be a one-time issue; that it had been going on for years and was likely to get worse as technology evolves. Events this summer—such as those of reports of continued Russian election interference, Chinese cloud hacks, and the re-emergence of the Emotet malware—underscore the DAG’s point: the need for effective cyberdefense is increasing and the threats are becoming progressively more dangerous.
As always, the best way to keep your organization protected is to be proactive—study attack techniques and monitor for signs that bad actors are using these methods to compromise your environment. Because the Splunk Security Research Team’s goal is to make you look like the cyberdeity you are, we’ve included Analytic Stories in our August releases to monitor for two such attack techniques: credential dumping and suspicious MSHTA activities.
Find out more below and update your Splunk Enterprise Security Content Update app today!
Preventing Credential Dumping
Credential dumping—obtaining hashed or clear-text passwords for nefarious purposes—is a tried-and-true attack technique that enables lateral movement, potentially providing bad actors with access to confidential information or an opportunity to install malware.
Regardless of the motivation, the threat actors use a variety of sources and techniques to extract the stolen credentials, including the Security Accounts Manager (SAM), Local Security Authority (LSA) Secrets, NTDS from Domain Controller, or the Group Policy Preference (GPP) Files.
A new detection search released in this month’s Analytic Story on credential dumping monitors for the process reg.exe with the ”save” parameter, which specifies a binary export from the registry. In addition, it looks for the keys that contain the hashed credentials, which attackers may retrieve and use for brute-force attacks in order to harvest legitimate credentials.
You can implement other precautions against credential dumping in your environment, as well: change default passwords, don’t share credentials with those who don’t require them (Principle of Least Privilege), consider limiting password access to specific machines/IP addresses, and implement MFA.
Stay Alert to Suspicious MSHTA Activity
Another common adversary tactic is to bypass application whitelisting solutions via the mshta.exe process, which executes Microsoft HTML applications with the .hta suffix. These applications work the same way as regular web applications, only outside of the browser. In these attacks, threat actors use the trusted Windows utility to eproxy execution of malicious files, whether an .hta application, javascript, or VBScript.
One example of a notable mshta.exe attack was the Kovter malware that has been implicated in both ransomware and click-fraud attacks. Kovter utilized .hta to execute a series of javascript commands, each progressively more dangerous. According to the MITRE Partnership Network, FIN7 has leveraged mshta.exe, as has the MuddyWater group, who used it to execute its POWERSTATS payload (which then used the utility to execute additional payloads).
It's important to note that .hta files are by no means the only file extension that bad actors may leverage when trying to obfuscate their presence in your environment. That said, MSHTA attacks remain a formidable threat.
An August ESCU release included an Analytic Story that can help you monitor for and detect techniques used by attackers who leverage the mshta.exe process to execute malicious code. We invite you to try it out and give us feedback, either via email or via the Feedback Center link in the ESCU App.
Install the Latest Version of ESCU
The Security Research group at Splunk sleeps better when we know that you're protected against the latest threats and vulnerabilities. So download the Splunk ESCU app today!