Ransomware Batchfiles in the Belfry, Detections for Lockbit Black .bat Files

 

Following on from reading an unSafe.sh post about recent Lockbit ransomware gang activity, aka the new "Lockbit Black", I decided to look into a file that was posted along with the analysis, "123.bat".

 

You can view or grab a gist of the batch file below:


We're going to run this batch file on a test VM and look at the resulting logs for some detection ideas. I'll be giving examples in Splunk SPL, but I am certain that with a little SIEM magic you can adapt the content to Elastic, Sentinel or Defender Advanced Hunting queries instead.

Let's get to it.


The first questions we have to ask, though, are about log availability and log visibility.

Are you ingesting Windows EventID 4688, and command line parameters along with it? How about logs from PowerShell? If you are still running an older version of PowerShell in your estate and finding the motivation to update to 5+ is tough, then here's your driver: better security and better logs that you can bung into your SIEM for better detections.

Some of the detections here aren't going to be the most complex or elegant, but we can also look at what the TAs (threat actors) in this case were looking to achieve with this batch file.

Also worth noting: Defender on my test VM caught this batch file. Pay attention to your AV/EDR alerts on batch files even if they are remediated; those scripts got onto your box somehow.

Our first few lines revolve around the Windows Management Instrumentation command-line utility (WMIC) stopping Sophos AV, both as a service and as a running process.

I should add here that I'm assuming Sophos features heavily in this .bat because the TAs had already reconned the targeted enterprise estate and knew it was a Sophos shop.

 


Detections here would key on the name of your AV or EDR of choice appearing in a wmic command line alongside process terminate or service delete.

Nestled among the various Sophos-specific commands is a command to uninstall "Microsoft Security Client", which is part of "Microsoft Security Essentials", basically Microsoft's legacy antivirus. It reached end of service from MS on January 14th, 2020 but still receives signature updates until next year.


We can catch a massive chunk of this kind of activity with some fairly simple SPL:

index=winlogs EventCode=4688 New_Process_Name=*\\WMIC.exe (Process_Command_Line=*uninstall* AND Process_Command_Line=*nointeractive)
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name New_Process_Name ComputerName Account_Name
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line

Our results, based around 123.bat execution, will look like this:


 

On lines 14 and 15 we have the TAs trying to stop Sophos AV again, this time via PowerShell, in case wmic didn't cut it, I suppose.

These events will look like this through the lens of EventID 4688:

If you want to know more about "stop-service", here's the Microsoft page. The parameter that stands out above is -Force, which, as MS describes it, "forces the cmdlet to stop a service even if that service has dependent services".

And we can capture this activity with some simple SPL again:

index=winlogs EventCode=4688 New_Process_Name=*\\powershell.exe Process_Command_Line=*stop-service*
| stats min(_time) AS earliest max(_time) AS latest count(Process_Command_Line) AS Count values(Process_Command_Line) AS Process_Command_Line BY Creator_Process_Name New_Process_Name ComputerName Account_Name
| convert ctime(earliest) ctime(latest)
| table earliest latest ComputerName Account_Name Creator_Process_Name New_Process_Name Process_Command_Line
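As an added example (not from the original post or the Lockbit analysis), here is the same detection logic from the two SPL searches plus the wmic process terminate / service delete check, written as plain Python over a handful of constructed 4688 records instead of a Splunk index, so the rules can be tested offline before being ported to another SIEM. Field names mirror the SPL; the AV keyword list and the sample hosts, accounts and command lines are assumptions I made up for the demo.

```python
import re
# Constructed sample EventID 4688 records (not real logs), shaped like the
# Splunk field names the SPL above uses; hosts and accounts are made up.
SAMPLE_EVENTS = [
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "svc_admin",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\System32\wbem\WMIC.exe",
     "Process_Command_Line": 'wmic product where name="Microsoft Security Client" call uninstall /nointeractive'},
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "svc_admin",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\System32\wbem\WMIC.exe",
     "Process_Command_Line": "wmic process where \"name like '%Sophos%'\" call terminate"},
    {"EventCode": "4688", "ComputerName": "WS01", "Account_Name": "svc_admin",
     "Creator_Process_Name": r"C:\Windows\System32\cmd.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": 'powershell -command "stop-service -name SAVService -force"'},
    {"EventCode": "4688", "ComputerName": "WS02", "Account_Name": "jsmith",
     "Creator_Process_Name": r"C:\Windows\explorer.exe",
     "New_Process_Name": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Process_Command_Line": "powershell Get-Service"},
]
# Product names to watch for (assumption): swap in your own AV/EDR vendor strings.
AV_KEYWORDS = ("sophos", "microsoft security client")
WMIC_KILL = re.compile(r"\b(process|service)\b.*\bcall\s+(terminate|delete|stopservice)\b")
def classify(event):
    """Return the name of the detection rule a 4688 event matches, or None."""
    if event.get("EventCode") != "4688":
        return None
    proc = event["New_Process_Name"].rsplit("\\", 1)[-1].lower()
    cmd = event["Process_Command_Line"].lower()
    if proc == "wmic.exe":
        if "uninstall" in cmd and "nointeractive" in cmd:      # first SPL search
            return "wmic_product_uninstall"
        if WMIC_KILL.search(cmd) and any(k in cmd for k in AV_KEYWORDS):
            return "wmic_av_process_or_service_kill"           # AV name + terminate/delete
    elif proc == "powershell.exe" and "stop-service" in cmd:   # second SPL search
        return "powershell_stop_service"
    return None
def hunt(events):
    """Group matches the way the SPL `stats ... BY` clause does."""
    hits = {}
    for ev in events:
        rule = classify(ev)
        if rule is None:
            continue
        key = (rule, ev["ComputerName"], ev["Account_Name"],
               ev["Creator_Process_Name"], ev["New_Process_Name"])
        hits.setdefault(key, []).append(ev["Process_Command_Line"])
    return hits
```

Running hunt(SAMPLE_EVENTS) flags the three attacker-style commands from WS01 and ignores the benign Get-Service on WS02.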
 
Next blog post I'll wrap up looking at this batch file with a few extra interesting commands and detections along with them.
 
Happy hunting!