Executive summary
On April 21st, 2023, AT&T Managed Extended Detection and Response (MXDR) investigated an attempted ransomware attack on one of our clients, a home improvement business. The investigation revealed that the attacker used AuKill malware on the client's print server to disable the server's installed EDR solution, SentinelOne, by brute forcing an administrator account and downgrading a driver to a vulnerable version.
AuKill, first identified by Sophos X-Ops researchers in June 2021, is a sophisticated malware designed to target and neutralize specific EDR solutions, including SentinelOne and Sophos. Distributed as a dropper, AuKill drops a vulnerable driver named PROCEXP.SYS (from Process Explorer release version 16.32) into the system's C:\Windows\System32\drivers folder. This malware has been observed in the wild, used by ransomware groups to bypass endpoint protection and then spread ransomware variants such as Medusa Locker and LockBit on the now-unprotected systems.
In this case, SentinelOne managed to isolate most of the malicious files before being disabled, preventing a full-scale ransomware incident. As a result, AT&T MXDR found no evidence of data exfiltration or encryption. Despite this, the client opted to rebuild the print server as a precautionary measure. This study provides an in-depth analysis of the attack and offers recommendations to mitigate the risk of future attacks.
Investigating the first phase of the attack
Initial intrusion
The targeted asset was the print server, which we found unusual. However, upon further investigation we concluded that the attacker had misidentified the asset as a Domain Controller (DC), since it had recently been repurposed from a DC to a print server. The attacker needed both local administrator credentials and kernel-level access to successfully run AuKill and disable SentinelOne on the asset. To obtain the local administrator credentials, the attacker brute-forced an administrator account. Shortly after the compromise, this account was observed making unauthorized registry changes.
Establishing a beachhead
After compromising the local administrator account, the attackers used the "Users\Administrator\Music\aSentinel" folder as a staging area for the subsequent phases of their attack. All AuKill-related binaries and scripts were executed from this path, with the innocuous "Music" folder name helping to conceal their activity.
AuKill has been found to operate using two Windows services named "aSentinel.exe" and "aSentinelX.exe" in its SentinelOne variant. Other variants target different EDRs, such as Sophos, using correspondingly named Windows services like "aSophos.exe" and "aSophosX.exe".
Establishing persistence
We also discovered "aSentinel.exe" running from "C:\Windows\system32", indicating that the attackers tried to establish a foothold on the compromised server. Malware authors frequently target the system32 folder because it is a trusted location, and security software may not scrutinize files within it as closely as files in other locations. This can help malware bypass security controls and remain hidden. It is likely that the malware was initially placed in the "Users\Administrator\Music\aSentinel" directory and later copied to the system32 directory for persistence.
Network reconnaissance
Our investigation also revealed that PCHunter, a publicly available utility previously abused in ransomware incidents such as Dharma, was running from the "Users\Administrator\Music\aSentinel" directory. This suggests that the attackers used PCHunter as a reconnaissance tool to survey the client's network before deploying the EDR killer malware. PCHunter also lets threat actors terminate programs and interface directly with the Windows kernel, which aligns with the attacker's needs. We observed PCHunter generating several randomly named .sys files, as illustrated in the screenshot below.
Preventing data recovery
We found that the attacker deleted volume shadow copies from the print server. Windows creates these copies so that files and folders can be restored to previous versions in case of data loss. By removing the shadow copies, the attacker was attempting to make it harder for our client to recover their data had it been encrypted. Although no ransomware was deployed, the deletion of shadow copies reveals the attackers' intentions. This, together with the use of PCHunter and the staging of the EDR killer malware, paints a more complete picture of the attacker's objectives and tactics.
Bypassing native Windows security
With all these pieces in place, the attacker still needed to acquire kernel-level access. Despite gaining administrator rights early on, the attacker did not have enough control over the system to kill SentinelOne at this point. Windows allows registered anti-malware products, EDR agents included, to run as protected processes (Protected Process Light, PPL), which cannot be terminated or tampered with from user mode even by an administrator. To circumvent this safeguard, the attacker would need to go one level deeper into the operating system and gain kernel-level access to the machine.
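The first phase of the attack leaves a trail in ordinary Windows event logs: a burst of failed logons followed by a success for the same account, process creations from the "Music\aSentinel" staging folder, new services named after the EDR killer, shadow-copy deletion command lines, and (if Sysmon is present) the load of a Process Explorer driver. The script below is an added example written for this page, not AT&T's or the client's tooling, that hunts for those indicators on a single host. It assumes it is run elevated, that the Security log retains 4625/4624/4688 events with command-line auditing enabled, and that Sysmon Event ID 6 is available; the failure threshold and the regular expressions are this example's own choices built from the names in the write-up.

```powershell
# Added example: hunt a single Windows host for the AuKill chain described in this post.
# Assumptions: elevated shell; "Include command line in process creation events" is on so
# 4688 carries CommandLine; Sysmon is optional and only used for Event ID 6 (driver loaded).
param(
    [int]$LookbackHours = 72,
    [int]$FailureThreshold = 20   # assumption: 20+ failed logons for one account = brute force
)
$since = (Get-Date).AddHours(-$LookbackHours)

function ConvertTo-EventDataMap {
    # Flatten an EventLogRecord's <EventData> into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($d in $xml.Event.EventData.Data) { $map[[string]$d.Name] = [string]$d.'#text' }
    $map
}

function Get-HuntEvents {
    # Query one log for the given IDs inside the lookback window; no matches is not an error.
    param([string]$Log, [int[]]$Id)
    try { Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = $Id; StartTime = $since } -ErrorAction Stop }
    catch { @() }
}

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding {
    param($Time, $Rule, $Detail)
    $findings.Add([pscustomobject]@{ Time = $Time; Rule = $Rule; Detail = $Detail })
}

# 1. Brute force: many 4625s for one account, later followed by a 4624 for that account.
$failed  = Get-HuntEvents -Log 'Security' -Id 4625 | ForEach-Object {
    $m = ConvertTo-EventDataMap $_; [pscustomobject]@{ T = $_.TimeCreated; User = $m.TargetUserName; Ip = $m.IpAddress } }
$success = Get-HuntEvents -Log 'Security' -Id 4624 | ForEach-Object {
    $m = ConvertTo-EventDataMap $_; [pscustomobject]@{ T = $_.TimeCreated; User = $m.TargetUserName; Ip = $m.IpAddress; Type = $m.LogonType } }
foreach ($g in ($failed | Group-Object User | Where-Object Count -ge $FailureThreshold)) {
    $lastFail = ($g.Group | Sort-Object T | Select-Object -Last 1).T
    $hit = $success | Where-Object { $_.User -eq $g.Name -and $_.T -gt $lastFail } | Sort-Object T | Select-Object -First 1
    if ($hit) { Add-Finding $hit.T 'BruteForceThenSuccess' "$($g.Count) failures for '$($g.Name)', then logon type $($hit.Type) from $($hit.Ip)" }
}

# 2. Staging folder, EDR-killer binaries, PCHunter and shadow-copy deletion in 4688 events.
$procRules = @(
    @{ Rule = 'StagingFolder';      Pattern = '\\Music\\aSentinel\\' },
    @{ Rule = 'EdrKillerBinary';    Pattern = '\\aS(entinel|ophos)X?\.exe\b' },
    @{ Rule = 'PCHunter';           Pattern = 'PCHunter(32|64)?\.exe\b' },
    @{ Rule = 'ShadowCopyDeletion'; Pattern = 'vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|Win32_ShadowCopy' }
)
foreach ($e in (Get-HuntEvents -Log 'Security' -Id 4688)) {
    $m = ConvertTo-EventDataMap $e
    $subject = "$($m.NewProcessName) $($m.CommandLine)"      # -match is case-insensitive
    foreach ($r in $procRules) {
        if ($subject -match $r.Pattern) { Add-Finding $e.TimeCreated $r.Rule "$($m.SubjectUserName): $subject" }
    }
}

# 3. Persistence: service installs (System 7045) named like the killer, or any service whose
#    binary lives under a user profile.
foreach ($e in (Get-HuntEvents -Log 'System' -Id 7045)) {
    $m = ConvertTo-EventDataMap $e
    if ($m.ServiceName -match '^aS(entinel|ophos)X?(\.exe)?$' -or $m.ImagePath -match '\\Users\\') {
        Add-Finding $e.TimeCreated 'SuspiciousServiceInstall' "$($m.ServiceName) -> $($m.ImagePath)"
    }
}

# 4. BYOVD: Sysmon Event ID 6 for a Process Explorer driver. Both the current and the old
#    driver are Microsoft-signed, so alert on the name and record the hash; do not trust "Signed".
foreach ($e in (Get-HuntEvents -Log 'Microsoft-Windows-Sysmon/Operational' -Id 6)) {
    $m = ConvertTo-EventDataMap $e
    if ($m.ImageLoaded -match '\\PROCEXP[0-9]*\.SYS$') {
        Add-Finding $e.TimeCreated 'ProcessExplorerDriverLoad' "$($m.ImageLoaded) signed=$($m.Signed) ($($m.Signature)) $($m.Hashes)"
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Read the output as a timeline: on the print server described here, the expected order is a BruteForceThenSuccess finding, then StagingFolder and PCHunter hits, then ShadowCopyDeletion, and finally the ProcessExplorerDriverLoad originating from aSentinel.exe. A single rule firing in isolation (an administrator legitimately running Process Explorer, for instance) is far less interesting than the sequence.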
Investigating the second phase of the attack
Dropping the vulnerable driver
Our team discovered that AuKill had replaced the existing Process Explorer driver, PROCEXP152.sys, with an outdated and vulnerable version named PROCEXP.SYS (from Process Explorer release version 16.32), located in the C:\Windows\System32\drivers directory. The alarm screenshot below shows how AuKill swapped the current driver for this older version, making the system susceptible to further exploitation.
Windows includes a security feature called Driver Signature Enforcement, which ensures that kernel-mode drivers are signed by a valid code signing authority before they can run. The attackers did not defeat this check; they satisfied it. PROCEXP.SYS is a genuine driver produced and signed by Microsoft at an earlier date, so the kernel loads it without objection, and a signature check alone will never distinguish it from the current driver. As shown in the SentinelOne screenshot below, the driver is signed and verified by Microsoft. The originating process was aSentinel.exe, an executable created to disable SentinelOne.
Acquiring kernel-level access
Process Explorer, a legitimate system monitoring tool developed by Microsoft's Sysinternals team, enables administrators to examine and manage running processes, as well as their associated threads, handles, and DLLs.
Upon startup, Process Explorer loads a signed kernel-mode driver that lets it interact with the kernel, which is responsible for managing hardware and resources. Normally, that driver is PROCEXP152.sys. The attacker replaced the PROCEXP152.sys driver on the print server with the exploitable PROCEXP.SYS, using what is known as a BYOVD (Bring Your Own Vulnerable Driver) attack. The attacker used this method to abuse the now-vulnerable kernel-mode driver and gain the kernel-level access they needed to kill SentinelOne.
Killing SentinelOne
The kernel-mode driver used by Process Explorer has the unusual ability to close handles that are inaccessible even to administrators. A handle is an identifier that corresponds to a specific resource opened by a process, such as a file or a registry key. At this point, AuKill hijacked Process Explorer's kernel driver to specifically target protected handles associated with the SentinelOne processes running on the print server. The SentinelOne processes were killed when their protected process handles were closed, rendering the EDR powerless. AuKill then spawned several threads to ensure that these EDR processes remained disabled and did not resume. Each thread focused on a particular SentinelOne component and regularly checked whether the targeted processes were active; if they were, AuKill terminated them again. SentinelOne was out of the way and no longer an obstacle to the attacker.
Response
Customer interaction
At this point, the attacker had gained privileged access to the asset, deployed their malware, and successfully killed the endpoint protection solution, SentinelOne. Based on the Cyber Kill Chain methodology developed by Lockheed Martin, we can conclude that the attacker had reached the "Command and Control" stage. However, the attacker did not reach the "Actions on Objectives" stage, as SentinelOne managed to disrupt the ransomware deployment enough before it was killed to prevent any further damage.
Any attempts to re-deploy malware or move laterally after the EDR was disabled were thwarted by our team, who swiftly alerted the client to the activity and advised that the asset be taken offline and isolated from the rest of the network. Our team informed the client that the shadow copies had been deleted and that SentinelOne had been turned off on their print server. After having our threat hunters thoroughly review the environment, we reassured the client that no sensitive information had been exfiltrated or encrypted. In response to the attack, the client moved to rebuild their print server and reinstall SentinelOne.
Recommendations
As BYOVD attacks to bypass EDR software become more common, we strongly advise blocklisting outdated drivers with a known history of exploitation. Because the abused driver in this case carried a valid Microsoft signature, the block has to be by file hash, name or version rather than by signer; Microsoft's vulnerable driver blocklist and Windows Defender Application Control (WDAC) policies both support this. Additionally, we encourage our clients to maintain an inventory of the drivers installed on their systems, recording hashes rather than just file names so that a swap like the one described here shows up as drift, and ensuring the drivers remain current and secure. Finally, we recommend bolstering the security of administrator accounts to defend against brute force attacks, since the incident detailed in this blog post could not have transpired without the initial privileged user compromise.
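The driver inventory and blocklist recommendations above, and the earlier observation that PROCEXP.SYS passes signature verification, are both illustrated by the script below. It is an added example written for this page, not AT&T's tooling, and it assumes an elevated Windows PowerShell 5.1 or later session. It baselines every driver under System32\drivers with its version, signer and SHA-256, reports drift against the previous run, flags any Process Explorer driver on disk (the "Process Explorer" product-name match and the "16.32 or older" verdict are this example's assumptions, not a vendor blocklist), lists loaded drivers that live outside the drivers folder, and reads the registry switch Microsoft documents for its vulnerable driver blocklist (VulnerableDriverBlocklistEnable under HKLM\SYSTEM\CurrentControlSet\Control\CI\Config, exposed in Windows Security under Core isolation on Windows 11 22H2 and later; the value is absent on older builds, which the script reports as not enforced).

```powershell
# Added example: baseline the kernel drivers on a host, flag Process Explorer drivers, and
# check whether Microsoft's vulnerable driver blocklist is enforced. Assumptions: elevated
# Windows PowerShell 5.1+; product-name match, version cut-off and baseline path are ours.
param(
    [string]$DriverDir   = "$env:SystemRoot\System32\drivers",
    [string]$BaselineCsv = "$env:ProgramData\driver-baseline.csv",
    [version]$KnownAbusedVersion = [version]'16.32'   # Process Explorer release named in the post
)

function ConvertTo-FilePath {
    # Normalise the PathName forms Win32_SystemDriver reports ("\SystemRoot\...", "\??\C:\...").
    param([string]$PathName)
    $p = $PathName -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot
    $p = $p -replace '^System32\\', "$env:SystemRoot\System32\"
    $p.ToLower()
}

function Get-MajorMinor {
    # "16.32.0.0" -> [version]16.32; nothing when the string carries no version.
    param([string]$Text)
    if ($Text -match '^\s*(\d+)\.(\d+)') { [version]"$($Matches[1]).$($Matches[2])" }
}

# Loaded drivers keyed by lowercase path, straight from the service control manager.
$loaded = @{}
foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if ($d.PathName) { $loaded[(ConvertTo-FilePath $d.PathName)] = $d.State }
}

$inventory = foreach ($f in Get-ChildItem -Path $DriverDir -Filter *.sys -File) {
    $vi   = $f.VersionInfo
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $ver  = Get-MajorMinor $vi.FileVersion
    $isPE = ($vi.ProductName -match 'Process Explorer') -or
            ($vi.FileDescription -match 'Process Explorer') -or
            ($f.Name -match '^PROCEXP\d*\.SYS$')
    $flags = @()
    if ($isPE) {
        $flags += 'ProcessExplorerDriver'
        if ($f.Name -ieq 'PROCEXP.SYS') { $flags += 'LegacyName' }
        if ($ver -and $ver -le $KnownAbusedVersion) { $flags += "Version<=$KnownAbusedVersion" }
    }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<none>' }
    [pscustomobject]@{
        Name    = $f.Name
        Path    = $f.FullName
        Version = $vi.FileVersion
        Signer  = $signer
        SigOk   = ($sig.Status -eq 'Valid')   # true for the abused driver too: signature is not the verdict
        Sha256  = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
        Loaded  = $loaded.ContainsKey($f.FullName.ToLower())
        Flags   = ($flags -join ' ')
    }
}

# Drift since the last run: new drivers or changed hashes. The swap described in the post
# would appear here as PROCEXP152.sys vanishing and PROCEXP.SYS appearing.
if (Test-Path $BaselineCsv) {
    $old = @{}
    foreach ($row in Import-Csv -Path $BaselineCsv) { $old[$row.Path] = $row.Sha256 }
    $drift = $inventory | Where-Object { -not $old.ContainsKey($_.Path) -or $old[$_.Path] -ne $_.Sha256 }
    "Drivers new or changed since last baseline: $(@($drift).Count)"
    $drift | Format-Table Name, Version, Signer, Loaded, Flags -AutoSize
}
$inventory | Export-Csv -Path $BaselineCsv -NoTypeInformation

# Loaded drivers that do not live in the drivers folder at all (e.g. under a user profile).
$outside = $loaded.Keys | Where-Object { -not $_.StartsWith($DriverDir.ToLower()) }

# Microsoft's vulnerable driver blocklist switch; missing value is reported as not enforced.
$ci = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CI\Config' -ErrorAction SilentlyContinue
$blocklist = if ($ci.VulnerableDriverBlocklistEnable -eq 1) { 'enforced' } else { 'not enforced' }

"Flagged drivers (a valid Microsoft signature does not clear them):"
$inventory | Where-Object Flags | Format-Table Name, Version, Signer, SigOk, Loaded, Flags -AutoSize
"Loaded drivers outside $DriverDir : $(@($outside).Count)"
$outside
"Microsoft vulnerable driver blocklist: $blocklist"
```

Run it once to create the baseline and then on a schedule; the drift table is the inventory control the recommendation asks for, and the flagged-driver table shows why the control must key on name, version or hash: every Process Explorer driver it finds, current or abused, reports SigOk as true.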