Digital Forensics Tips&Tricks: How to Find an Intruder's Lucky Coin

    As you know, some people throw coins into a fountain or the sea for luck, or so that they will come back to that place one day.


    Cyber attackers do the same thing: they often hide small malware agents in the IT infrastructure to keep open the possibility of coming back later.

    You already know some of these methods:

    • create a new scheduled task that reruns a malware beacon periodically;
    • create a new autorun key in the system registry;
    • create a new system service that is set to start automatically.

    But there is one more method of preserving high-privileged permissions for further use of the infected IT infrastructure: changing the AdminSDHolder permissions.

    To understand the theory behind AdminSDHolder you can check any article on the Internet; for example, try this one.
    In short: a process that runs periodically in Active Directory Domain Services applies the AdminSDHolder ACL to the protected security groups (e.g. Domain Admins, Schema Admins, etc.), so a User/Group granted rights in that ACL can change the membership of those groups. To get there, an attacker just needs to add a User/Group to the AdminSDHolder ACL.

    So, if an attacker has obtained sufficient permissions to change the AdminSDHolder ACL, he can create a new user account and add that account to the AdminSDHolder ACL.

    The article I mentioned above shows how to check AD for this using PowerShell.
    But there is another method, using a YARA rule.

    Every time someone changes the AdminSDHolder ACL, a specific event, 4662, is created in the Security event log of the Domain Controllers:


    Now we can use the information from this event to create a YARA rule.

    Here it is:

    rule adminSDholder
    {
        meta:
            maltype = "LuckyCoin"
            reference = "https://habr.com/ru/users/volnodumcev/"
            date = "17.05.2019"
            description = "YARA rule to find AdminSDholder being changed by a bad guy"
        strings:
            // EventID 4662 (0x1236) as a little-endian UInt16, plus the bytes that followed it in the captured event
            $hexEventID = { 36 12 00 00 00 00 00 00 20 80 }
            // Object Name GUID as UTF-16LE text: "{5756b6ee-eba1-4027-829d-91973675dc52}". This is assumed to be
            // the AdminSDHolder objectGUID of the author's domain; objectGUIDs differ per domain, so substitute your own.
            $object = { 7b 00 35 00 37 00 35 00 36 00 62 00 36 00 65 00 65 00 2d 00 65 00 62 00 61 00 31 00 2d 00 34 00 30 00 32 00 37 00 2d 00 38 00 32 00 39 00 64 00 2d 00 39 00 31 00 39 00 37 00 33 00 36 00 37 00 35 00 64 00 63 00 35 00 32 00 7d }
            // Object Type GUID as UTF-16LE text: "{bf967a8b-0de6-11d0-a285-00aa003049e2" (the container class schema GUID)
            $operation = { 7b 00 62 00 66 00 39 00 36 00 37 00 61 00 38 00 62 00 2d 00 30 00 64 00 65 00 36 00 2d 00 31 00 31 00 64 00 30 00 2d 00 61 00 32 00 38 00 35 00 2d 00 30 00 30 00 61 00 61 00 30 00 30 00 33 00 30 00 34 00 39 00 65 00 32 }
        condition:
            $hexEventID and $object and $operation
    }


    So you can use this rule with Rekall or Volatility, for example, to scan a memory dump.
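As an added example (not code from the original post), here is a plain-Python re-implementation of the rule's three strings and its condition: it decodes the UTF-16LE hex strings so you can see which GUIDs they match, builds a `$object` string for a different AdminSDHolder objectGUID (this value differs between domains, so the one in the rule is assumed to belong to the author's own domain), and applies the same all-three condition to a buffer. The `SAMPLE` buffer is constructed for the demonstration and is not a real EVTX record.

```python
import struct

# The three hex strings exactly as they appear in the rule above.
HEX_EVENT_ID = "36 12 00 00 00 00 00 00 20 80"
HEX_OBJECT = ("7b 00 35 00 37 00 35 00 36 00 62 00 36 00 65 00 65 00 2d 00 65 00 62 00 "
              "61 00 31 00 2d 00 34 00 30 00 32 00 37 00 2d 00 38 00 32 00 39 00 64 00 2d 00 "
              "39 00 31 00 39 00 37 00 33 00 36 00 37 00 35 00 64 00 63 00 35 00 32 00 7d")
HEX_OPERATION = ("7b 00 62 00 66 00 39 00 36 00 37 00 61 00 38 00 62 00 2d 00 30 00 64 00 "
                 "65 00 36 00 2d 00 31 00 31 00 64 00 30 00 2d 00 61 00 32 00 38 00 35 00 2d 00 "
                 "30 00 30 00 61 00 61 00 30 00 30 00 33 00 30 00 34 00 39 00 65 00 32")
RULE_STRINGS = (("hexEventID", HEX_EVENT_ID), ("object", HEX_OBJECT), ("operation", HEX_OPERATION))

def hex_to_bytes(hex_string: str) -> bytes:
    """Turn a YARA-style hex string (no wildcards or jumps) into bytes."""
    return bytes.fromhex(hex_string.replace("{", "").replace("}", "").replace(" ", ""))

def decode_utf16_hex(hex_string: str) -> str:
    """Show the text a UTF-16LE hex string matches; a dangling odd byte is padded."""
    raw = hex_to_bytes(hex_string)
    return (raw + b"\x00" * (len(raw) % 2)).decode("utf-16-le")

def event_id_from_hex(hex_string: str) -> int:
    """$hexEventID starts with the EventID as a little-endian UInt16 (0x1236 == 4662)."""
    return struct.unpack_from("<H", hex_to_bytes(hex_string), 0)[0]

def guid_to_yara_hex(guid: str) -> str:
    """Build a $object-style hex string for a different AdminSDHolder objectGUID.
    Assumption: the braced GUID appears as UTF-16LE text, as in the rule above."""
    return "{ " + " ".join(f"{b:02x}" for b in guid.encode("utf-16-le")) + " }"

def find_all(data: bytes, needle: bytes) -> list:
    """Every offset of needle in data, overlapping matches included, like YARA."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets

def scan(data: bytes) -> dict:
    """Apply the rule's condition: all three strings must be present in the buffer."""
    hits = {name: find_all(data, hex_to_bytes(h)) for name, h in RULE_STRINGS}
    hits["matched"] = all(hits[name] for name, _ in RULE_STRINGS)
    return hits

# Constructed sample buffer standing in for a chunk of a memory dump. It is NOT a
# real EVTX record layout, only the three fragments separated by filler bytes.
SAMPLE = (b"\x00" * 16 + hex_to_bytes(HEX_EVENT_ID) + b"\x00" * 8
          + hex_to_bytes(HEX_OBJECT) + b"\x00filler" + hex_to_bytes(HEX_OPERATION))
```

Running `scan(SAMPLE)` reports the offset of each string and `matched: True`; drop any one fragment and the condition fails, exactly as the YARA `and` does.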

    Thank you again for your attention! I'll be back soon with new good stuff!
