Hunting & Detecting Kaseya - Jupyter Notebook

This data is from a live REvil ransomware sample that was shipped as Agent.exe in the Kaseya supply-chain attack.

The hunts are listed below:

  • 1.1 - Suspicious file-write operations (unstructured)

  • 1.2 - MsMpEng.exe binary / mpsvc.dll dropped in a temporary location (structured)

  • 1.3 - DLL side-loading: DLL library loaded from a temporary location (unstructured)

  • 1.4 - Known registry key value modification (structured)

  • 1.5 - Abnormally high disk-write operations - data encryption (unstructured)

  • 1.6 - Unusual child-parent process relationships (unstructured)

Structured hunts convert most readily into detections: each of them can be turned into a high-fidelity detection for the respective case study.

Importing Libraries

In [1]:

from pyspark.sql import SparkSession
# Spark session for the heavier joins/aggregations; case-sensitive column-name
# resolution, so Sysmon/ECS fields that differ only by case are not merged.
spark = SparkSession.builder.getOrCreate()
spark.conf.set("spark.sql.caseSensitive", "true")

# Elasticsearch client plus the query DSL used to pull the endpoint telemetry;
# results are worked on as pandas DataFrames.
from elasticsearch import Elasticsearch
from elasticsearch import RequestsHttpConnection
from elasticsearch_dsl import Search
import pandas as pd

import warnings
warnings.filterwarnings('ignore')

In [2]:

Initialize Elasticsearch Client

In [3]:

Attack Surface Fabrication

Writing a function to query Elasticsearch and return a dataset to work on
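The notebook's own query cell is not reproduced on this page, so the following is an added example of what such a function looks like; it is not the author's code. It assumes the ECS field names that Winlogbeat / Elastic Agent apply to Sysmon events (event.code, file.path, process.executable) and an elasticsearch-py client with the usual search(index=, body=) call; the response embedded at the bottom is constructed so the example runs offline.

```python
import json
from typing import Any, Dict, List

# Field names assume the ECS mapping Winlogbeat / Elastic Agent apply to Sysmon
# events. They are an assumption of this added example, not fields shown on the
# page; adjust them to your own index mapping.
TEMP_DIR_PATTERNS = [
    # Raw strings keep the doubled backslash: an Elasticsearch wildcard pattern
    # needs "\\" to match one literal backslash, and json.dumps escapes it again.
    r"C:\\Users\\*\\AppData\\Local\\Temp\\*",
    r"C:\\Windows\\Temp\\*",
    r"C:\\Temp\\*",
]
COLUMNS = ["@timestamp", "host.name", "process.executable", "process.pid",
           "file.path", "user.name"]


def build_file_write_query(since: str = "now-24h", size: int = 1000) -> Dict[str, Any]:
    """Query body for Sysmon Event ID 11 (FileCreate) whose target path lies in a
    temporary directory. 'case_insensitive' on wildcard needs Elasticsearch 7.10+."""
    return {
        "size": size,
        "query": {
            "bool": {
                "filter": [
                    {"term": {"event.code": "11"}},
                    {"term": {"event.provider": "Microsoft-Windows-Sysmon"}},
                    {"range": {"@timestamp": {"gte": since}}},
                ],
                "should": [
                    {"wildcard": {"file.path": {"value": p, "case_insensitive": True}}}
                    for p in TEMP_DIR_PATTERNS
                ],
                "minimum_should_match": 1,
            }
        },
        "_source": COLUMNS,
        "sort": [{"@timestamp": "asc"}],
    }


def flatten(doc: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn a nested _source document into dotted ECS keys (process.executable)."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, full + "."))
        else:
            out[full] = value
    return out


def hits_to_rows(response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Flatten every hit; absent columns become None so rows line up as a table."""
    rows = []
    for hit in response["hits"]["hits"]:
        flat = flatten(hit["_source"])
        rows.append({col: flat.get(col) for col in COLUMNS})
    return rows


def hunt_temp_file_writes(client, index: str = "winlogbeat-*", **query_kwargs):
    """Run the query through an elasticsearch-py style client and return plain
    rows (wrap them in pandas.DataFrame(rows) inside the notebook)."""
    body = build_file_write_query(**query_kwargs)
    return hits_to_rows(client.search(index=index, body=body))


# Constructed response standing in for Elasticsearch so the example runs offline.
SAMPLE_RESPONSE = {
    "hits": {"hits": [
        {"_source": {"@timestamp": "2021-07-02T14:30:01Z", "host": {"name": "ws01"},
                     "process": {"executable": r"C:\Users\victim\Downloads\agent.exe", "pid": 4712},
                     "file": {"path": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe"},
                     "user": {"name": "victim"}}},
        {"_source": {"@timestamp": "2021-07-02T14:30:02Z", "host": {"name": "ws01"},
                     "process": {"executable": r"C:\Users\victim\Downloads\agent.exe", "pid": 4712},
                     "file": {"path": r"C:\Users\victim\AppData\Local\Temp\mpsvc.dll"}}},
    ]}
}


class OfflineClient:
    """Minimal stand-in exposing the same .search(index=, body=) call shape."""
    def search(self, index, body):
        json.dumps(body)  # the real client needs a JSON-serialisable body too
        return SAMPLE_RESPONSE


if __name__ == "__main__":
    for row in hunt_temp_file_writes(OfflineClient(), since="now-7d"):
        print(row["process.executable"], "->", row["file.path"])
```

Swap OfflineClient for a real Elasticsearch(...) instance to run the hunt against an index; the query deliberately filters on the temp-directory paths server side so only the small candidate set is pulled into the notebook.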

In [4]:

In [5]:

Unstructured Hunt: Looking for anomalous file-write operations in temporary directories


In [6]:

Suspicious observation: an MsMpEng.exe binary in a temporary location is suspicious at first glance. What is the Microsoft Defender engine binary doing in a temporary location? Also, Agent.exe does not appear to be a LOLBin; it looks like a third-party binary.

In [7]:

Interestingly, we have two entries where the file write was performed by Agent.exe. Let's pull process data to correlate.

In [8]:

Process hashes of the processes writing to the directory:

In [9]:

Suspicious observation: Agent.exe does not have a good reputation.

Let's gather the hashes and command lines of these process executables and create a table of parent process, child process and files written to disk.

In [10]:

There is now enough information to chase this rabbit hole for the suspicious Agent.exe:

  • MsMpEng.exe written to a temporary location is suspicious (reason: what is a Defender binary doing in a temporary location?)

  • A non-Windows process writes a Defender binary (reason: the process tree is Explorer.exe -> Agent.exe -> drop MsMpEng.exe)

  • A DLL file is also dropped by the same process (reason: could be masquerading, a tampered DLL, a payload embedded in the DLL entry point, DLL search-order hijacking or DLL side-loading; lots of possibilities)

A sub-hypothesis can be devised at this point to chase this path: malware dropped by a non-legitimate process. Proceed with investigation, sample acquisition, reverse engineering, malware sandboxing and detonation.

Structured Hunt: MsMpEng.exe and mpsvc.dll dropped in a temporary location


Note: I would not recommend this structured hunt. Although it can be converted into an EDR detection, it sits too low on the Pyramid of Pain: it keys on two file names and a drop location rather than on the behaviour itself, so an attacker can evade it simply by renaming the files or choosing a different directory.

In [11]:

Unstructured Hunt: DLL library loaded from a temporary location


In [12]:

In [13]:

The dropped MsMpEng.exe is side-loading the dropped mpsvc.dll from the temporary location.
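The behavioural version of hunts 1.2 and 1.3 is the chain itself: one process writes a DLL into a temporary directory and a different process loads it shortly afterwards. The following added example (not the notebook's code) correlates Sysmon FileCreate (Event ID 11) and ImageLoad (Event ID 7) records to find that chain; it generalises beyond MsMpEng.exe/mpsvc.dll to any dropped-then-loaded DLL, and deliberately ignores the same process writing and loading its own DLL, which is what self-extracting installers do. The events, field names and the ten-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed Sysmon-style events (not the notebook's data). Event ID 11 = FileCreate,
# Event ID 7 = ImageLoad; field names follow Sysmon's own event data.
EVENTS = [
    {"EventID": 11, "UtcTime": "2021-07-02 14:30:01", "Image": r"C:\Users\victim\Downloads\agent.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe"},
    {"EventID": 11, "UtcTime": "2021-07-02 14:30:02", "Image": r"C:\Users\victim\Downloads\agent.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\mpsvc.dll"},
    {"EventID": 7, "UtcTime": "2021-07-02 14:30:05", "Image": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\mpsvc.dll"},
    # Benign: the real Defender engine loading its DLL from its install directory.
    {"EventID": 7, "UtcTime": "2021-07-02 14:31:00", "Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    # Benign: an installer unpacking and loading its own DLL in temp (same process wrote it).
    {"EventID": 11, "UtcTime": "2021-07-02 14:32:00", "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "TargetFilename": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
    {"EventID": 7, "UtcTime": "2021-07-02 14:32:01", "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\helper.dll"},
]

# Common user- and system-writable temp locations (assumed list; extend for your estate).
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "c:\\windows\\temp\\", "c:\\temp\\")


def is_temp_path(path: str) -> bool:
    """True when the path sits under one of the temp directories above."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def drop_then_sideload(events: List[dict], window: timedelta = timedelta(minutes=10)) -> List[Dict[str, object]]:
    """Pair each DLL written into a temp directory with a later ImageLoad of the same
    file by a *different* process within 'window'. Returns one finding per pair."""
    drops: Dict[str, tuple] = {}  # lower-cased DLL path -> (writer image, write time)
    for e in sorted(events, key=lambda ev: _ts(ev["UtcTime"])):
        if e["EventID"] == 11 and e["TargetFilename"].lower().endswith(".dll") \
                and is_temp_path(e["TargetFilename"]):
            drops[e["TargetFilename"].lower()] = (e["Image"], _ts(e["UtcTime"]))

    findings = []
    for e in events:
        if e["EventID"] != 7 or not is_temp_path(e["ImageLoaded"]):
            continue
        dropped = drops.get(e["ImageLoaded"].lower())
        if dropped is None:
            continue
        writer, written_at = dropped
        if writer.lower() == e["Image"].lower():
            continue  # self-extracting installer pattern: writer and loader are the same process
        delta = _ts(e["UtcTime"]) - written_at
        if delta < timedelta(0) or delta > window:
            continue  # load predates the write, or is too far apart to be the same activity
        findings.append({
            "dll": e["ImageLoaded"],
            "dropped_by": writer,
            "loaded_by": e["Image"],
            "loader_in_temp": is_temp_path(e["Image"]),  # loader itself dropped there too
            "seconds_between": delta.total_seconds(),
        })
    return findings


if __name__ == "__main__":
    for f in drop_then_sideload(EVENTS):
        print(f"{f['dropped_by']} wrote {f['dll']}; loaded by {f['loaded_by']} "
              f"{f['seconds_between']:.0f}s later (loader in temp: {f['loader_in_temp']})")
```

The loader_in_temp flag is what separates this case from a merely odd load: here the host executable (MsMpEng.exe) was itself dropped into the same directory, which is the tell-tale of a side-loading kit rather than a legitimate program picking up a stray DLL.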

Structured Hunt: Known registry key value modification


In [14]:

In [15]:

Unstructured Hunt: Abnormally high disk-write operations - data encryption


In [17]:

In [18]:

In [19]:

Out[20]:

     process_name         count
0    msedge.exe            1866
1    System                 788
2    MsMpEng.exe            292
3    svchost.exe            230
4    chrome.exe             151
5    provtool.exe           132
6    SearchUI.exe            62
7    OneDrive.exe            11
8    explorer.exe            10
9    mmc.exe                  6
10   osqueryd.exe             6
11   FileCoAuth.exe           6
12   Sysmon64.exe             6
13   smartscreen.exe          4
14   taskhostw.exe            2
15   ruby.exe                 2
16   SearchIndexer.exe        2
17   lsass.exe                2
18   Kaseya_agent.exe         2
19   metricbeat.exe           1
20   setup.exe                1
21   filebeat.exe             1
22   osquerybeat.exe          1

In [21]:

Out[21]:

In [22]:

Treat all data points above the 75th-percentile mark as points of investigation (ignoring those below the 25% mark, as we are looking for abnormally high values).
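As an added example (not the notebook's code), the percentile cut described above applied to the per-process counts from the Out[20] table, using the same linear-interpolation definition pandas' describe() uses. It also includes a count_writes helper that aggregates by any combination of fields, because grouping on process name alone blends the temp-located MsMpEng.exe into the legitimate engine's count; keying on the executable path as well keeps them apart. The small event list in the test is constructed.

```python
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Per-process file-write counts as printed in the notebook's Out[20] table.
WRITE_COUNTS = {
    "msedge.exe": 1866, "System": 788, "MsMpEng.exe": 292, "svchost.exe": 230,
    "chrome.exe": 151, "provtool.exe": 132, "SearchUI.exe": 62, "OneDrive.exe": 11,
    "explorer.exe": 10, "mmc.exe": 6, "osqueryd.exe": 6, "FileCoAuth.exe": 6,
    "Sysmon64.exe": 6, "smartscreen.exe": 4, "taskhostw.exe": 2, "ruby.exe": 2,
    "SearchIndexer.exe": 2, "lsass.exe": 2, "Kaseya_agent.exe": 2, "metricbeat.exe": 1,
    "setup.exe": 1, "filebeat.exe": 1, "osquerybeat.exe": 1,
}


def percentile(values: Iterable[float], p: float) -> float:
    """Linear-interpolation percentile (the default of pandas.describe and
    numpy.percentile), so the threshold matches the notebook's 25%/75% rows."""
    xs = sorted(values)
    if not xs:
        raise ValueError("no values")
    pos = (len(xs) - 1) * p
    lo = int(pos)
    hi = min(lo + 1, len(xs) - 1)
    return xs[lo] + (xs[hi] - xs[lo]) * (pos - lo)


def above_upper_quartile(counts: Dict[str, int], p: float = 0.75) -> List[Tuple[str, int]]:
    """Processes whose write count exceeds the p-th percentile, busiest first."""
    threshold = percentile(counts.values(), p)
    return sorted(((name, c) for name, c in counts.items() if c > threshold),
                  key=lambda nc: nc[1], reverse=True)


def count_writes(events: Iterable[dict], *fields: str) -> Dict[Tuple[str, ...], int]:
    """Aggregate FileCreate events by any combination of fields, e.g.
    ("process.name", "process.executable"), so a copy of MsMpEng.exe running
    from a temp directory is counted separately from the one in Program Files."""
    return dict(Counter(tuple(event.get(f) for f in fields) for event in events))


if __name__ == "__main__":
    q3 = percentile(WRITE_COUNTS.values(), 0.75)
    print(f"75th percentile of write counts: {q3}")
    for name, count in above_upper_quartile(WRITE_COUNTS):
        print(f"  investigate {name}: {count} writes")
```

On this table the cut lands at 97 writes, so msedge.exe, System, MsMpEng.exe, svchost.exe, chrome.exe and provtool.exe are the candidates; the browsers and System are expected heavy writers, which is why the path-aware grouping matters before chasing MsMpEng.exe.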

Unstructured Hunt: Unusual child-parent process relationships


In [43]:

Interesting entries and potential points of investigation observed in the table above:

  • Kaseya_agent.exe --> MsMpEng.exe

  • MsMpEng.exe --> MpCmdRun.exe

  • MsMpEng.exe --> netsh.exe

  • cmd.exe --> certutil.exe

  • msedge.exe --> setup.exe

In [52]:

  • MpCmdRun.exe -> interesting event where MpCmdRun.exe is trying to disable the service.

  • netsh.exe -> interesting attempt to turn on Network Discovery using netsh.exe.

  • certutil.exe -> these are my own executions, where I was matching the hash of a file against the sample I acquired. These can be ignored.

  • setup.exe -> this is the Microsoft Edge installation from when my Windows OS updated. It can be ignored.

  • MsMpEng.exe -> execution from a temporary location, and execution of v4.18.2111 from ProgramData.

The netsh.exe execution clearly shows modification of the system configuration in preparation for lateral movement, hence it could be converted into a detection or structured hunt.
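An added example (not the notebook's code) of turning the two findings above into rules over Sysmon ProcessCreate (Event ID 1) records: a parent allowlist that flags MsMpEng.exe started by anything but services.exe, any child of the Defender engine other than its own MpCmdRun.exe tool, and an engine running outside the Defender install directories; plus a netsh.exe rule for the Network Discovery firewall group being enabled. The events are constructed, the netsh command line is an assumed example consistent with the note above rather than one taken from the data, and the allowlists are assumed baselines to tune for your fleet.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed Sysmon Event ID 1 records (not the notebook's data).
PROCESS_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe",
     "ParentImage": r"C:\Program Files\Kaseya\Kaseya_agent.exe",
     "CommandLine": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe"},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\MsMpEng.exe",
     # Assumed command line: enables the Network Discovery firewall rule group.
     "CommandLine": 'netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes'},
    {"Image": r"C:\Windows\System32\netsh.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "netsh interface show interface"},
    # Benign: the real engine started by the Service Control Manager.
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Program Files\Windows Defender\MsMpEng.exe"},
]

# Assumed baselines. The Defender engine is a service, so services.exe is its only
# expected parent; the only child it is expected to spawn is its own MpCmdRun.exe.
EXPECTED_PARENTS: Dict[str, Set[str]] = {"msmpeng.exe": {"services.exe"}}
EXPECTED_ENGINE_CHILDREN: Set[str] = {"mpcmdrun.exe"}
DEFENDER_DIRS = ("c:\\program files\\windows defender\\",
                 "c:\\programdata\\microsoft\\windows defender\\platform\\")

# netsh advfirewall firewall set rule group="Network Discovery" new enable=Yes
NETSH_DISCOVERY = re.compile(
    r'advfirewall\s+firewall\s+set\s+rule\s+group="?network discovery"?\s+new\s+enable=yes', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def unusual_parent_child(events: List[dict]) -> List[Tuple[str, str]]:
    """Return (rule, detail) pairs for process-tree anomalies around the Defender engine."""
    findings = []
    for e in events:
        child, parent = basename(e["Image"]), basename(e["ParentImage"])
        allowed = EXPECTED_PARENTS.get(child)
        if allowed is not None and parent not in allowed:
            findings.append(("unexpected-parent", f"{parent} -> {child}"))
        if parent == "msmpeng.exe" and child not in EXPECTED_ENGINE_CHILDREN:
            findings.append(("spawned-by-defender-engine", f"{parent} -> {child}"))
        if child == "msmpeng.exe" and not e["Image"].lower().startswith(DEFENDER_DIRS):
            findings.append(("defender-engine-outside-install-dir", e["Image"]))
    return findings


def netsh_enables_network_discovery(event: dict) -> bool:
    """True when netsh.exe is used to switch on the Network Discovery firewall group."""
    return basename(event["Image"]) == "netsh.exe" and bool(NETSH_DISCOVERY.search(event["CommandLine"]))


def hunt(events: List[dict]) -> List[Tuple[str, str]]:
    """Combine both rules into one list of findings."""
    findings = unusual_parent_child(events)
    findings += [("netsh-network-discovery", e["CommandLine"])
                 for e in events if netsh_enables_network_discovery(e)]
    return findings


if __name__ == "__main__":
    for rule, detail in hunt(PROCESS_EVENTS):
        print(f"[{rule}] {detail}")
```

The parent allowlist is the rule worth keeping: it is tied to how the engine is actually started, so renaming the dropped files does not help the attacker, whereas the netsh rule is cheap to bypass by reaching the same setting another way and should be treated as corroboration rather than a primary detection.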

In [55]:

DLL side-loading via MsMpEng.exe - details

We saw that the MsMpEng.exe binary was dropped on the machine along with mpsvc.dll, and that both were used for malicious intent. We also understand that mpsvc.dll was side-loaded into MsMpEng.exe, but a few questions still need answering to understand what happened.

Why drop MsMpEng.exe when it is already present on the machine as a LOLBin?

In [65]:

As you can observe, there are two hashes for MsMpEng.exe: one for the original binary and one for the dropped binary. Correlating the data with VirusTotal:

  • 33bc14d231a4afaa18f06513766d5f69d8b88f1e697cd127d24fb4b72ad44c7a (dropped binary) is also benign: a signed, legitimate binary

  • a7c1fe30930d982d69cc263076142edb451ae896b67efbca347b54e064c93bb9 (original binary) is also a legitimate, signed binary, except that it is newer (v4.18) while the dropped one is older (v4.5)

  • The older MsMpEng.exe was susceptible to DLL side-loading and hence was the perfect target: being validly signed it passes signature and reputation checks, and it resolves mpsvc.dll from its own directory, so the attacker's DLL placed beside it is loaded instead of the legitimate one

The actual Jupyter notebook is located here; feel free to download and use it.
