Quick Look at a Novel Technique Used by Darkbit Ransomware


I'm very aware that in infosec we tend to be like magpies, distracted by new and shiny objects while sometimes underestimating the impact of the boring tried and true techniques that hackers use day in and day out because they just work.

Having said that, I'm only human and when I see something I haven't seen before it piques my curiosity.

That was the case with this tweet by Jazi, a Fortinet threat intel researcher, talking about a Darkbit payload.



Before we get into the content of that tweet though let's have a quick look at Darkbit, as there are so many ransomware groups now, and the smaller ones can start to blur together as there are only so many adjectives that they seem to favour.


Darkbit are not a very active ransomware group; from what I can tell they have had one high-profile victim, the Technion - Israel Institute of Technology. The group heavily implies that they are a disgruntled former tech worker, and the further implication is that they may have worked for, or had dealings with, Technion.


Darkbit also position themselves as being motivated politically or ideologically, as ransomware hacktivists as it were, although we must remember threat actors make a lot of spurious claims for reasons of their own.

Now that we've discussed Darkbit a little, let's get back to that tweet about PrintBrm.exe, which is a Windows native backup/recovery/migration tool for print queues that can be found at %Windir%\System32\spool\tools\printbrm.exe.

There are so many LOLBins that it is easy to lose track, but this is not one I was familiar with before. What's interesting about PrintBrm though is that it can be used to compress and decompress files. If you think about file collection for exfiltration on Windows systems you'll know there are a limited number of command-line utilities, especially native, that can interact with compressed files.

In this case Darkbit has placed a zip file with their next stage payload into an ISO and then used PrintBrm to treat that zip as a backup and unpack it into a temp directory.

PrintBrm.exe -r -f HR-Update.zip -d Temp\unzip

The flag "-r" equates to "Restore the configuration in the file to the server", "-f" is the "backup" file name (in this case "HR-Update.zip") and "-d" is used to "Unpack the backup file to the directory (with -r)". You can find a full breakdown of the command-line arguments for PrintBrm here.

I would not expect to see PrintBrm used as part of normal activity in most Windows estates; if it was being used, I imagine it would be as part of automated administrative activity or activity carried out directly by admins.

If I had to align this to ATT&CK I'd say T1027, Obfuscated Files or Information; it's a little bit clumsy mapping-wise in my opinion, but that's what we have.

I'm not going to leave you all without a chance to see what this all looks like from EventID 4688:


Note that because PrintBrm is not normally in the Windows path, I had to specify the full path to the executable.

Splunk SPL is going to look something like:

index=winlogs EventCode=4688 New_Process_Name="*\\PrintBrm.exe" (Process_Command_Line="*-f*" AND Process_Command_Line="*-r*" AND Process_Command_Line="*-d*")
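The same logic as the SPL above, as an added example (not from the original post): it runs over constructed 4688-style events and, instead of matching "-r", "-f" and "-d" as substrings anywhere in the command line, checks the actual switches, then rates a restore whose "-f" argument is not a PrintBrm .printerExport file, which is the zip trick described above, as the higher-severity case. Field names follow the SPL; the sample events and server/path values are made up, and switches are compared case-insensitively on the assumption that PrintBrm accepts either case.

```python
import shlex

# Constructed sample 4688 events (not real telemetry), shaped like the
# fields Splunk extracts from Windows Security process-creation events.
SAMPLE_EVENTS = [
    {"EventCode": 4688,  # the Darkbit pattern: restore a .zip into a temp dir
     "New_Process_Name": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
     "Process_Command_Line": r'"C:\Windows\System32\spool\tools\PrintBrm.exe" -r -f HR-Update.zip -d Temp\unzip'},
    {"EventCode": 4688,  # admin taking a backup: -b, no -r/-d, must not alert
     "New_Process_Name": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
     "Process_Command_Line": r"PrintBrm.exe -b -s \\printsrv01 -f printcfg.printerExport"},
    {"EventCode": 4688,  # restore of a genuine PrintBrm export, upper-case switches
     "New_Process_Name": r"C:\Windows\System32\spool\tools\PrintBrm.exe",
     "Process_Command_Line": r"PrintBrm.exe -R -F C:\backups\printcfg.printerExport -D C:\backups\unpacked"},
    {"EventCode": 4688,  # different image: New_Process_Name filter must not match
     "New_Process_Name": r"C:\Windows\System32\cmd.exe",
     "Process_Command_Line": r"cmd.exe /c PrintBrm.exe -r -f x.zip -d out"},
]


def parse_printbrm_args(cmdline):
    """Return (set of lower-cased switches, value following -f or None).
    shlex in non-POSIX mode keeps backslashes and only splits on whitespace
    and quotes, so Windows paths survive; surrounding quotes are stripped."""
    tokens = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    switches, f_value = set(), None
    for i, tok in enumerate(tokens):
        if tok.startswith("-"):
            sw = tok.lower()
            switches.add(sw)
            if sw == "-f" and i + 1 < len(tokens):
                f_value = tokens[i + 1]
    return switches, f_value


def printbrm_restore_alert(event):
    """Equivalent of the SPL above but on real switches. Returns None when the
    event should not alert, otherwise a short reason string."""
    if event.get("EventCode") != 4688:
        return None
    if not event.get("New_Process_Name", "").lower().endswith("\\printbrm.exe"):
        return None
    switches, f_value = parse_printbrm_args(event.get("Process_Command_Line", ""))
    if not {"-r", "-f", "-d"} <= switches:
        return None
    # PrintBrm's own backups use the .printerExport extension; unpacking
    # anything else (here a .zip) is the behaviour described in this post.
    if f_value and not f_value.lower().endswith(".printerexport"):
        return "printbrm restore/unpack of non-printerExport file: " + f_value
    return "printbrm restore/unpack"


def hunt(events):
    """Return [(event index, reason)] for every event that alerts."""
    return [(i, printbrm_restore_alert(ev)) for i, ev in enumerate(events)
            if printbrm_restore_alert(ev)]
```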

Happy hunting, etc.
