Page cover

Detecting CONTI CobaltStrike Lateral Movement Techniques - Part 1

Detection opportunities on lateral movement techniques used by CONTI ransomware group using CobaltStrike.

Introduction:

In an attempt to contribute to the defensive capabilities of security teams regarding the increase of CobaltStrike usage by threat actors (TA) and in a joined effort with @MichalKoczwara, a series of articles will be released on CobaltStrike's TTP detections related to the CONTI leak.

For the first part of this blog post, I will cover detection opportunities for lateral movement (LM) techniques used by the TA CONTI via CobaltStrike. Keep in mind that I tried to boil it down to analytics that can be used for other lateral movements variation and not just specific to CONTI Group or CobaltStrike (CS).

Definition:

MITRE ATT&CK defines lateral movement as :

Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.

Looking in the CobaltStrike documentation we can find some built-in modules for Lateral Movement defined in the table bellow which were included in the leaked documentation:

Jump Module
Arch
Description

psexec

x86

Use a service to run a Service EXE artifact

psexec64

x64

Use a service to run a Service EXE artifact

psexec_psh

x86

Use a service to run a PowerShell one-liner

winrm

x86

Run a PowerShell script via WinRM

winrm64

x64

Run a PowerShell script via WinRM

Other capabilities are used by the group like Remote-Exec command, PTH module, RDP and SHELL command to remotely execute commands using WMIC.EXE utility. I will go through these TTPs in the second part.

Remote-Exec Module
Description

psexec

Remote execute via Service Control Manager

winrm

Remote execute via WinRM (PowerShell)

wmi

Remote execute via WMI (PowerShell)

Simulation Setup

  • CobaltStrike

  • Zeek

  • Elastic Stack (Winlogbeat + Filebeat)

  • Sysmon Configuration Blacksmith OTRF

  • VICTIM Windows 10 user machine (Initial Access)

  • DC_ATLAS Domain Controller Windows Server 2016 (Lateral Movement Target)

T1021.006 Remote Services: Windows Remote Management

A primer to WinRM

WinRM is the Microsoft implementation of WS-Management protocol which is an open source standard for constructing XML messages following the standards of Simple Object Access Protocol (SOAP) messages.

This great blog explain in simple steps a typical WinRM based conversation for invoking commands:

  1. Send a Create Shell message and get the shell id from the response

  2. Create a command in the shell sending the command and any arguments and grab the command id from the response

  3. Send a request for output on the command id which may return streams (stdout and/or stderr) containing base64 encoded text.

  4. Keep requesting output until the command state is done and examine the exit code.

  5. Send a command termination signal

  6. Send a delete shell message

I will go more in depth about WinRM from a defensive perspective during lateral movement in a separate blog but for more details I recommend checking the official documentation [MS-WSMV]. However, a couple of things we should keep in mind when it come to the limitations of WinRM and why PowerShell Remoting Protocol (PSRP) is much better choice to go with.

The default value of a SOAP message size 512KB and a maximum of 8192KB. This attribute can be modified with the following command : winrm set winrm/config/winrs '@{<Quota>="<Value>"}'.

WinRM also doesn't have a built-in functionality for file transfer. We will learn in the next section that PowerShell Remoting Protocol (PSRP) is much better alternative.

Windows Built-in WinRM tools

In order to understand CobaltStrike WinRM beacon capabilities, first, I tried to see normal behavior of some of the tools that can be used in a legitimate way. There are 3 main ways to execute command remotely using WinRM:

WinRS:

Windows Remote Shell built-in tool is a pure implementation of remote command execution via WinRM. Upon executing a command using winrs.exe utility via the command winrs -r:dc_atlas "ipconfig" the following telemetry was recorded on the destination:

  • svchost.exe spawns winrshost.exe with the parent command line C:\\Windows\\system32\\svchost.exe -k DcomLaunch

  • The winrshost.exe then invokes cmd.exe instance and execute the command within its context.

After finishing the execution of the command these processes are terminated because winrs.exe doesn't support persistent sessions so every time you execute a command remotely this behavior repeats itself.

winrs process tree

Invoke-Command & Enter-PSSession :

These PowerShell cmdlets use the PowerShell Remoting Protocol [MS-PSRP] which is a separate protocol that runs over WinRM. PSRP supports many message types to execute commands and retrieve their outputs and its main difference from WSMV specs is its message fragmentation handling process which makes it more reliable vis-à-vis WinRM message size limitations.

While testing these cmdlets, the following telemetry was recorded on the destination:

  • svchost.exe spawns wsmprovhost.exe with the parent command line C:\Windows\system32\svchost.exe -k DcomLaunch

Executing nslookup command via Enter-PSSession
Executing ipconfig via Invoke-Command
  • Invoke-Command & Enter-PSSession both run commands within the context of wsmprovhost.exe

The difference between these two cmdlets is that Invoke-Command will terminate wsmprovhost.exe process after receiving the output while the Enter-PSSession will establish a persistent session.

Invoke-Command & Enter-PSSession process tree

Now that we have established what telemetry can be left behind by using Windows built-in tools we can distinguish suspicious process behavior. lets see in the following section how CS default configurations for lateral movement behave.

CobaltStrike jump winrm

First, lets discover the telemetry that will be generated from source and destination for every attempt to use WinRM remotely:

  • On the source:

EID
Action
Provider
Comment
6
WSMan Session Creation
Microsoft-Windows-WinRM

Creating WSMan Session. This event will give you the PID that initiated the connection

31
WSMan Session Creation
Microsoft-Windows-WinRM

WSMan Session Created Successfully

3
Network Connection
Microsoft-Windows-Sysmon
  • Network Direction: egress

  • Infected Source Process Name

  • Destination port : 5985 or 5986

  • On the destination:

EID
Action
Provider
Comment
1
WSMan Session Creation
Microsoft-Windows-Sysmon
  • Process Name : wsmprovhost.exe

  • Process CMD : C:\Windows\system32\wsmprovhost.exe -Embedding

  • Process Parent Name : svchost.exe

  • Process Parent CMD : C:\Windows\system32\svchost.exe -k DcomLaunch

3
WSMan Session Creation
Microsoft-Windows-Sysmon
  • Network Direction: ingress

  • Process Name: System

  • Destination port : 5985 or 5986

  • User : NT AUTHORITY\SYSTEM

17
Pipe Created
Microsoft-Windows-Sysmon
  • Network Direction: egress

  • Infected Source Process Name

  • Destination port : 5985 or 5986

    • Pipe Name : \PSHost.[%NUMBERS%].[%PID%].DefaultAppDomain.wsmprovhost

    • Process Name : wsmprovhost.exe

4656
Process Access
Microsoft-Windows-Security-Auditing
  • Object Server : WS-Management Listener

  • Process Name : C:\Windows\System32\svchost.exe

400
PowerShell Session Start
PowerShell
  • Host Name = ServerRemoteHost (Remote PowerSehll Session)

  • Engine Version (Good for Downgrading PS attacks)

  • Host Application : C:\Windows\system32\wsmprovhost.exe -Embedding

91
WSMan Session Creation
Microsoft-Windows-WinRM

31
WSMan Session Creation
Microsoft-Windows-WinRM

WSMan Session Created Successfully

142
WSMan Operation Failure
Microsoft-Windows-WinRM

Helpful when WinRM is not enabled on the targeted host

Other events are generated on the destination side but these in the previous table are the most relevant to remote WinRM activity. You can use them according to your collection and correlation strategy. Obviously, EID 1, EID 91 and EID 4656 have much higher event decisiveness than the rest. I will be releasing a Mindmap that groups all this telemetry in one place at the end of this blog post series.

Now jumping to jump winrm command and some first differences in process tree behavior were observed at execution time:

  • jump winrm command generated the same telemetry as in previous observations except that the beacon runs under the context of a PowerShell instance invoked by wsmprovhost.exe. This is not something we can normally observe by using winrs, Invoke-Command or Enter-PSSession except if the command invoked powershell.exe itself then PowerShell cmdlets would produce this behavior.

  • By default the powershell.exe instance run via the command line : "c:\windows\syswow64\windowspowershell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile

  • CobalStrike provides a shell command to interact with the beacon and execute command. The shell command spawns a cmd.exe instance from the invoked powershell.exe process for every executed command

Executing systeminfo command via jump winrm beacon.

A general diagram of process tree observed during the execution of this CS module is illustrated bellow:

jump winrm process tree diagram

CobaltStrike jump winrm64

Here are the main differences from jump winrm command :

  • Like Enter-PSSession, jump winrm64 executes commands within the context of a wsmprovhost.exe instance. The session is persistent no termination of the wsmprovhost.exe process was observed.

Executing ipconfig and hostname command via a jump winrm64 shell
Jump winrm64 process tree diagram

Evidence of Execution

In the previous sections we have established some key observations regarding remote command execution via WinRM. However, during the demo, I used a stageless beacon. The script first decodes the Base64 encoded payload then it uses the .Net API to call Windows API function in memory using assemblies. The script then allocates some memory and copies the payload in the allocated memory space. The payload was a 64-bits DLL and technique used was DLL Reflective Loading.

The payload strings contained by default:

  • "beacon.dll"

  • "beacon.x86.dll"

  • "beacon.x64.dll"

This yara rule can be effective in detecting default usage of CS stageless beacons.

The following PowerShell events were observed on the target:

  • EID 4104 Script Block Logging:

    • This event can be considered noisy, so be careful during you detection engineering process and consider its verbosity.

    • Script blocks exceeding the maximum length of an event log message are fragmented into multiple entries.

    • Unlike EID 4103, this event doesn't record the output of the script

  • EID 4103 Module Logging:

    • Generates a large volume of events

    • Records the output of the executed commands

Keep in mind that these event are not enabled by default.

Sigma Rules

Detection Validation

In order to validate your detection rules against WinRM being used for remote command execution, Atomic Red Team provides a great guide bellow:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1021.006/T1021.006.md
# T1021.006 - Remote Services: Windows Remote Management
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1021/006)
<blockquote>

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the `winrm` command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM  can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Enable Windows Remote Management](#atomic-test-1---enable-windows-remote-management)

- [Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command](#atomic-test-2---remote-code-execution-with-ps-credentials-using-invoke-command)

- [Atomic Test #3 - WinRM Access with Evil-WinRM](#atomic-test-3---winrm-access-with-evil-winrm)


<br/>

## Atomic Test #1 - Enable Windows Remote Management
Powershell Enable WinRM

Upon successful execution, powershell will "Enable-PSRemoting" allowing for remote PS access.

**Supported Platforms:** Windows


**auto_generated_guid:** 9059e8de-3d7d-4954-a322-46161880b9cf






#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
Enable-PSRemoting -Force
```






<br/>
<br/>

## Atomic Test #2 - Remote Code Execution with PS Credentials Using Invoke-Command
Simulate lateral movement with PowerShell Remoting on the local host. 
Upon successful execution, PowerShell will execute `whoami` using `Invoke-Command`, targeting the 
local machine as remote target.

**Supported Platforms:** Windows


**auto_generated_guid:** 5295bd61-bd7e-4744-9d52-85962a4cf2d6






#### Attack Commands: Run with `powershell`! 


```powershell
Enable-PSRemoting -Force
Invoke-Command -ComputerName $env:COMPUTERNAME -ScriptBlock {whoami}
```

#### Cleanup Commands:
```powershell
Disable-PSRemoting -Force
```





<br/>
<br/>

## Atomic Test #3 - WinRM Access with Evil-WinRM
An adversary may attempt to use Evil-WinRM with a valid account to interact with remote systems that have WinRM enabled

**Supported Platforms:** Windows


**auto_generated_guid:** efe86d95-44c4-4509-ae42-7bfd9d1f5b3d





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| user_name | Username | string | Domain&#92;Administrator|
| destination_address | Remote Host IP or Hostname | string | Target|
| password | Password | string | P@ssw0rd1|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
evil-winrm -i #{destination_address} -u #{user_name} -p #{password}
```




#### Dependencies:  Run with `powershell`!
##### Description: Computer must have Ruby Installed
##### Check Prereq Commands:
```powershell
try {if (ruby -v) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest  -OutFile "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe" https://github.com/oneclick/rubyinstaller2/releases/download/RubyInstaller-2.7.1-1/rubyinstaller-2.7.1-1-x64.exe
$file1= "PathToAtomicsFolder\..\ExternalPayloads\rubyinstaller-2.7.1-1-x64.exe"
Start-Process $file1 /S;
```
##### Description: Computer must have Evil-WinRM installed
##### Check Prereq Commands:
```powershell
try {if (evil-winrm -h) {exit 0} else {exit 1}} catch {exit 1}
```
##### Get Prereq Commands:
```powershell
gem install evil-winrm
```




<br/>

DFIR

In DFIR engagements these events can be good source of information to get the right attack attributions:

  • EID 142 WSMan operation CreateShell failed (Helpful when WinRM is not enabled on the target host)

  • EID 169 User Authenticated Successfully (The user who was connected remotely)

  • EID 81 Processing Client Request for Operation CreateShell (Start of remoting activity)

  • EID 134 Sending Response for Operation DeleteShell (End of remoting activity)

  • EID 403 Engine state is changed from Available to Stopped (This event records the completion of a PowerShell activity)

The command Get-WSManInstance -ComputerName localhost -ResourceURI Shell -Enumerate lists all currently active remote WinRM sessions and provides useful information :

  • Owner : Username that opened the remote session

  • ClientIP: Source IP from where the attacker attempted to move laterally.

  • ProcessID: In this case it is wsmprovhost.exe where the executed commands will be invoked from.

  • ChildPocesses: Number of child processes it opened.

  • MemoryUsed: Can be good indicator since winrm64 CS module used more than twice the memory used by Enter-PSSession for the same command.

PS C:\\Users\\Administrator> Get-WSManInstance -ComputerName localhost -ResourceURI Shell -Enumerate

rsp             : <http://schemas.microsoft.com/wbem/wsman/1/windows/shell>
lang            : en-US
ShellId         : 04E49AF8-1CA8-4ACC-9135-6A3269115F3E
Name            : WinRM1
ResourceUri     : <http://schemas.microsoft.com/powershell/Microsoft.PowerShell>
Owner           : ATLAS\\Administrator
ClientIP        : 10.10.10.30
ProcessId       : 2844
IdleTimeOut     : PT7200.000S
InputStreams    : stdin pr
OutputStreams   : stdout
MaxIdleTimeOut  : PT2147483.647S
Locale          : en-US
DataLocale      : en-US
CompressionMode : XpressCompression
ProfileLoaded   : Yes
Encoding        : UTF8
BufferMode      : Block
State           : Connected
ShellRunTime    : P0DT0H4M32S
ShellInactivity : P0DT0H1M28S
MemoryUsed      : 134MB
ChildProcesses  : 2

A good idea would be to generate an event with the output of this command every time the process wsmprovhost.exe is created using scheduled tasks.

T1570 : Lateral Transfer Tool

CobaltStrike jump psexec & psexec64

I love going through ZEEK logs first and look for network related telemtery specially for lateral movement techniques. When using CS psexec or psexec64 modules for lateral movement I observed remote service creation.

These modules use named pipes (RPC/NP) method to interact with the service control manager (SCM) RPC server. The server interface is identified by UUID 367ABB81-9844-35F1-AD32-98F038001003 and uses RPC endpoint \\PIPE\\svcctl.

The following ZEEK event logs were recorded :

  • ZEEK DCE-RPC event was generated with DCE-RPC endpoint SVCCTL and operation CreateServiceWoW64A

Zeek DCE-RPC Telemtry for Service Creation
  • On the target EID 5145 A network share object was checked to see whether client can be granted desired access will be generated with Relative Target Name defined as SVCCTL and Share Name \*\IPC$

  • A service is then created with a random name and Image Path calling the process via the command \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe. This will generate EID 7045 New Service Was Installed and EID 4697 A Service Was Installed in the System

  • Then \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe is executed and it invokes a rundll32.exe instance with no arguments which is very suspicious.

  • Interacting with the beacon via SHELL command invokes a CMD instance

Exeecuting Net command via jump psexec installed beacon

The following table is a summary of the observed telemetry relevant to this lateral movement technique.

EID
Action
Provider
Comment
5145
Network Share Access
Microsoft-Windows-Security-Auditing
  • Relative Target Name : svcctl

  • Share Name : \*\IPC$

7045
Service Creation
System
  • Service File Name: \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

4697
Service Creation
Microsoft-Windows-Security-Auditing
  • Service File Name: \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

1
Process Creation
Microsoft-Windows-Sysmon
  • Command Line : \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

  • Parent Command Line : C:\Windows\System32\services.exe

1
Process Creation
Microsoft-Windows-Sysmon
  • Command Line : C:\Windows\System32\rundll32.exe

  • Arguments count : 0

  • Parent Image : \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

13
Registry Value Set
Microsoft-Windows-Sysmon
  • Image Path : \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

CobaltStrike jump psexec_psh

CobaltStrike can laverage a PowerShell version of PsExec using the built-in module psexec_psh with everything being executed in memory via a one-liner.

  • As previously noticed an interaction with SCM RPC server in order to create a service remotely was observed. Bellow are the ZEEK DCE-RPC event logs with the same operation as psexec & psexec64 CreateServiceWOW64A

  • Followed by creation of a new service which generated EID 7045/4697 with %COMSPEC% and powershell in the Service File Name field.

  • PowerShell's EID 400 can be used as a detection opportunity where HostApplication contains powershell -nop -w hidden -encodedcommand.

  • Pipe creation with regex pattern status_[0-9a-f]{2} was also observed. I provided bellow a gist with several regex pattern to detect hard coded named pipes in CobaltStrike modules. Bellow is a EID 5145 that can be used for this purpose but I encourage you to sysmon instead for it high event traceability quality.

Cobalt Strike Named Pipe Regex.csv
  • Interacting with the beacon via the CS shell command would invoke a cmd.exe instance.

Executing commands via psexec_psh module

This pattern alone is very suspicious and can be a good detection opportunity for default usage of psexec_psh command.

The following are the event logs I observed during the demos:

EID
Action
Provider
Comment
5145
Network Share Access
Microsoft-Windows-Security-Auditing
  • Relative Target Name : status_[0-9a-f]{2}

  • Share Name : \*\IPC$

7045
Service Creation
System
  • Service File Name contains : %COMSPEC% or powershell

4697
Service Creation
Microsoft-Windows-Security-Auditing
  • Service File Name contains : %COMSPEC% or powershell

17
Pipe Created
Microsoft-Windows-Sysmon
  • Command Line : \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

  • Parent Command Line : C:\Windows\System32\services.exe

18
Pipe Connected
Microsoft-Windows-Sysmon
  • Image Path : \\127.0.0.1\ADMIN$\[SERVICE_RANDOM_NAME].exe

1
Process Creation
Microsoft-Windows-Sysmon
  • Command Line Arguments : powershell, -nop, hidden, -encodedcommand

  • Process Name : powershell.exe

  • Parent Process Name : cmd.exe

Sigma Rules

Detection Validation

Atomic Red Team provides a good start to validate your detection against some of these attack techniques:

https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1569.002/T1569.002.md
# T1569.002 - System Services: Service Execution
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1569/002)
<blockquote>

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).

[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Execute a Command as a Service](#atomic-test-1---execute-a-command-as-a-service)

- [Atomic Test #2 - Use PsExec to execute a command on a remote host](#atomic-test-2---use-psexec-to-execute-a-command-on-a-remote-host)

- [Atomic Test #3 - psexec.py (Impacket)](#atomic-test-3---psexecpy-impacket)

- [Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement](#atomic-test-4---blackcat-pre-encryption-cmds-with-lateral-movement)

- [Atomic Test #5 - Use RemCom to execute a command on a remote host](#atomic-test-5---use-remcom-to-execute-a-command-on-a-remote-host)

- [Atomic Test #6 - Snake Malware Service Create](#atomic-test-6---snake-malware-service-create)

- [Atomic Test #7 - Modifying ACL of Service Control Manager via SDET](#atomic-test-7---modifying-acl-of-service-control-manager-via-sdet)

- [Atomic Test #8 - Pipe Creation - PsExec Tool Execution From Suspicious Locations](#atomic-test-8---pipe-creation---psexec-tool-execution-from-suspicious-locations)


<br/>

## Atomic Test #1 - Execute a Command as a Service
Creates a service specifying an arbitrary command and executes it. When executing commands such as PowerShell, the service will report that it did not start correctly even when code executes properly.

Upon successful execution, cmd.exe creates a new service using sc.exe that will start powershell.exe to create a new file `art-marker.txt`

[BlackCat Ransomware (ALPHV)](https://www.varonis.com/blog/blackcat-ransomware)  
[Cybereason vs. BlackCat Ransomware](https://www.cybereason.com/blog/cybereason-vs.-blackcat-ransomware)

**Supported Platforms:** Windows


**auto_generated_guid:** 2382dee2-a75f-49aa-9378-f52df6ed3fb1





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| service_name | Name of service to create | string | ARTService|
| executable_command | Command to execute as a service | string | %COMSPEC% /c powershell.exe -nop -w hidden -command New-Item -ItemType File C:&#92;art-marker.txt|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
sc.exe create #{service_name} binPath= "#{executable_command}"
sc.exe start #{service_name}
sc.exe delete #{service_name}
```

#### Cleanup Commands:
```cmd
del C:\art-marker.txt >nul 2>&1
```





<br/>
<br/>

## Atomic Test #2 - Use PsExec to execute a command on a remote host
Requires having Sysinternals installed, path to sysinternals is one of the input input_arguments
Will start a process on a remote host.

Upon successful execution, cmd will utilize psexec.exe to spawn calc.exe on a remote endpoint (default:localhost).

**Supported Platforms:** Windows


**auto_generated_guid:** 873106b7-cfed-454b-8680-fa9f6400431c





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost|
| user_name | Username | string | DOMAIN&#92;Administrator|
| password | Password | string | P@ssw0rd1|


#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
"PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" \\#{remote_host} -i -u #{user_name} -p #{password} -accepteula "C:\Windows\System32\calc.exe"
```




#### Dependencies:  Run with `powershell`!
##### Description: PsExec tool from Sysinternals must exist in the ExternalPayloads directory
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
```




<br/>
<br/>

## Atomic Test #3 - psexec.py (Impacket)
Will execute a command on the remote host with Impacket psexec.py script.

**Supported Platforms:** Linux


**auto_generated_guid:** edbcd8c9-3639-4844-afad-455c91e95a35





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | 127.0.0.1|
| username | Username | string | Administrator|
| domain | Target domain | string | |
| password | Password | string | P@ssw0rd1|
| command | Command to execute in target computer | string | whoami|


#### Attack Commands: Run with `bash`! 


```bash
psexec.py '#{domain}/#{username}:#{password}@#{remote_host}' '#{command}'
```




#### Dependencies:  Run with `bash`!
##### Description: psexec.py (Impacket)
##### Check Prereq Commands:
```bash
if [ -x "$(command -v psexec.py)" ]; then exit 0; else exit 1; fi;
```
##### Get Prereq Commands:
```bash
sudo pip3 install impacket
```




<br/>
<br/>

## Atomic Test #4 - BlackCat pre-encryption cmds with Lateral Movement
This atomic attempts to emulate the unique behavior of BlackCat ransomware prior to encryption and during Lateral Movement attempts via PsExec on Windows. Uses bundled PsExec like BlackCat

**Supported Platforms:** Windows


**auto_generated_guid:** 31eb7828-97d7-4067-9c1e-c6feb85edc4b





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| targethost | Target hostname to attempt psexec connection to for emulation of lateral movement. | string | $ENV:COMPUTERNAME|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
cmd.exe /c "wmic 	csproduct 	get UUID" 
cmd.exe /c "fsutil behavior 	set SymlinkEvaluation R2L:1" 
cmd.exe /c "fsutil behavior set 	SymlinkEvaluation R2R:1"
reg    add    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters    /v MaxMpxCt /d 65535 /t REG_DWORD /f      
copy "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" $env:temp
cmd.exe /c "$env:temp\psexec.exe  -accepteula  \\#{targethost} cmd.exe  /c echo "--access-token""
```

#### Cleanup Commands:
```powershell
reg delete HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v MaxMpxCt /f
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2L:0" 
cmd.exe /c "fsutil behavior set SymlinkEvaluation R2R:0"
rm $env:temp\psexec.exe
```



#### Dependencies:  Run with `powershell`!
##### Description: PsExec must exist on disk at "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe"
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip"
Expand-Archive "PathToAtomicsFolder\..\ExternalPayloads\PsTools.zip" "PathToAtomicsFolder\..\ExternalPayloads\PsTools" -Force
New-Item -ItemType Directory (Split-Path "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe") -Force | Out-Null
Copy-Item "PathToAtomicsFolder\..\ExternalPayloads\PsTools\PsExec.exe" "PathToAtomicsFolder\..\ExternalPayloads\PsExec.exe" -Force
```




<br/>
<br/>

## Atomic Test #5 - Use RemCom to execute a command on a remote host
Requires having RemCom installed, path to RemCom is one of the input input_arguments
Will start a process on a remote host.
Upon successful execution, cmd will utilize RemCom.exe to spawn calc.exe on a remote endpoint (default:localhost).

**Supported Platforms:** Windows


**auto_generated_guid:** a5d8cdeb-be90-43a9-8b26-cc618deac1e0





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| remote_host | Remote hostname or IP address | string | localhost|
| user_name | Username | string | Administrator|
| password | Password | string | P@ssw0rd1|


#### Attack Commands: Run with `command_prompt`! 


```cmd
"PathToAtomicsFolder\..\ExternalPayloads\remcom.exe" \\#{remote_host} /user:#{user_name} /pwd:#{password} cmd.exe
```




#### Dependencies:  Run with `powershell`!
##### Description: RemCom tool must exist on disk in the ExternalPayloads folder
##### Check Prereq Commands:
```powershell
if (Test-Path "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe") { exit 0} else { exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://github.com/kavika13/RemCom/raw/master/bin/Release/RemCom.exe" -OutFile "PathToAtomicsFolder\..\ExternalPayloads\remcom.exe"
```




<br/>
<br/>

## Atomic Test #6 - Snake Malware Service Create
The following Atomic Test will create a new service named WerFaultSvc with a binary path of WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe.
This was recently seen in the Snake Malware report. 
Upon execution, sc.exe will create a new service named WerFaultSvc with a bin path \WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe and a display name of WerFault Service.
[Snake Malware - CISA](https://media.defense.gov/2023/May/09/2003218554/-1/-1/0/JOINT_CSA_HUNTING_RU_INTEL_SNAKE_MALWARE_20230509.PDF)

**Supported Platforms:** Windows


**auto_generated_guid:** b8db787e-dbea-493c-96cb-9272296ddc49






#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
sc.exe create "WerFaultSvc" binPath= "$env:windir\WinSxS\x86_microsoft-windows-errorreportingfaults_31bf3856ad364e35_4.0.9600.16384_none_a13f7e283339a050\WerFault.exe" DisplayName= "WerFault Service" start= auto
```

#### Cleanup Commands:
```cmd
sc.exe delete "WerFaultSvc"
```





<br/>
<br/>

## Atomic Test #7 - Modifying ACL of Service Control Manager via SDET
Modify permissions of Service Control Manager via SDSET. This allows any administrative user to escalate privilege and create a service with SYSTEM level privileges.Restart is required.
[Blog](https://0xv1n.github.io/posts/scmanager/)

**Supported Platforms:** Windows


**auto_generated_guid:** bf07f520-3909-4ef5-aa22-877a50f2f77b






#### Attack Commands: Run with `command_prompt`!  Elevation Required (e.g. root or admin) 


```cmd
sc.exe sdset scmanager D:(A;;KA;;;WD)
```






<br/>
<br/>

## Atomic Test #8 - Pipe Creation - PsExec Tool Execution From Suspicious Locations
Requires PsExec tool installed. BlackCat Ransomeware tried to propagate by creating pipe using PsExec process executing from suspicious locations (In the particular case the legitimate PsExec executable is embedded within the Windows variant and is dropped in the victim’s %TEMP% directory). pon successful execution, PsExec will be executed from suspicious location and create a new pipe to execute CMD.

**Supported Platforms:** Windows


**auto_generated_guid:** 004a5d68-627b-452d-af3d-43bd1fc75a3b






#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
cd C:\Users\Public\Temp\ 
.\PsExec.exe -i -s cmd  -accepteula
```




#### Dependencies:  Run with `powershell`!
##### Description: PsExec tool from Sysinternals must exist in the '\Users\Public\Temp\' directory
##### Check Prereq Commands:
```powershell
if (Get-ChildItem -Path C:\ -Include *psexec* -File -Recurse -ErrorAction SilentlyContinue) {exit 0} else {exit 1}
```
##### Get Prereq Commands:
```powershell
New-Item -Type Directory "C:\Users\Public\Temp\" -ErrorAction Ignore -Force | Out-Null
Invoke-WebRequest "https://download.sysinternals.com/files/PSTools.zip" -OutFile "C:\Users\Public\Temp\PSTools.zip"
Expand-Archive "C:\Users\Public\Temp\PsTools.zip" "C:\Users\Public\Temp\" -Force
```




<br/>

DFIR

  • You can use the following CyberChef recipe to decode and extract shellcode information executed by psexec_psh command.

https://github.com/SophosRapidResponse/CyberChef/blob/main/Cobalt%20Strike%20recipe%20for%20JABz.txt
From_Base64('A-Za-z0-9+/=',true)
Remove_null_bytes()
Regular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
Gunzip()
Regular_expression('User defined','[a-zA-Z0-9+/=]{30,}',true,true,false,false,false,false,'List matches')
From_Base64('A-Za-z0-9+/=',true)
XOR({'option':'Decimal','string':'35'},'Standard',false)
  • You can list created pipes using Get-ChilItem PowerShell cmdlets

Get-ChildItem \\\\.\\pipe\\
  • Systinternal has a dedicated tool that also can be leveraged for the same purpose.

Closing thoughts

This blog post series of Detecting CONTI CobaltStrike Lateral Movement Techniques is focused on default usage of CS built-in capabilities meaning that sophisticated attacker will be able to change these settings and evade detections based on them thanks to CobalStrike modularity. My hope is to increase awareness at least about the telemetry that needs to be audited and qualified, how to correlate it and how to respond to relevant attacks in order to increase the time, effort and skills an APT has to invest in order to compromise your assets.

You can read my previous post on Detection Engineering Dimensions Analytics part where I discuss analytic resilience.

Last updated