Symantec discovered an intrusion on April 11, 2024, involving suspicious Windows Management Instrumentation commands and registry dumps, using PowerShell to query Active Directory for services.
- Thiru T
- Dec 6, 2024
Symantec discovered an intrusion on April 11, 2024, involving suspicious Windows Management Instrumentation commands and registry dumps. The attackers used PowerShell to query Active Directory for service principal names and Kerberos tokens, known as 'Kerberoasting.' They then moved to a second machine and used FileZilla for data exfiltration. They infected two additional machines, using WMI for network connectivity testing and PsExec for domain group queries. A fifth machine was compromised on June 13, allowing the attackers to sideload a malicious DLL. The attack involved distinct roles and a structured approach.
Initial Compromise (April 11, 2024):
The attackers began by executing suspicious Windows Management Instrumentation (WMI) commands and dumping the registry, potentially collecting system configuration and credential information.
Progression to Other Systems: After compromising the first system, the attackers moved to a second machine and used a renamed FileZilla component for data exfiltration, likely to evade detection by security tools.
Additional Infections:
The attackers infected two more machines, possibly in an attempt to expand their access within the network.
WMI was again used to query Windows Event Logs, likely to gather additional information on system activities, logs, and security measures.
PowerShell was employed to test network connectivity, potentially mapping out the network infrastructure.
PsExec was used to query domain groups, which suggests that the attackers were attempting to gather information on users and administrators with access to various resources on the network.
Malicious DLL Sideloading:
A malicious DLL was sideloaded on the fifth machine, a technique where a legitimate application loads a malicious library without user knowledge, potentially for persistence or further actions.
The attackers aimed to gather intelligence by collecting sensitive data like email communications and system configurations, potentially gaining access to high-level administrative functions within the organization's network.
Indicators of Compromise (IOCs):
Compromise indicators include suspicious WMI commands, registry dumps, renamed components like FileZilla, PowerShell scripts, PsExec activity, and malicious DLL files sideloaded into legitimate applications.
Recommendations for Mitigation:
Review and Audit Logs: Ensure that Windows Event Logs, especially those related to WMI and PowerShell activity, are closely reviewed to spot signs of suspicious behavior.
Endpoint Detection and Response (EDR): Use advanced EDR tools to detect abnormal behaviors such as renamed executables and the execution of malicious DLLs.
Network Segmentation: If not already in place, network segmentation can prevent attackers from easily moving laterally between systems.
Patch Management: Regularly patch Exchange Servers and other critical systems to reduce the risk of exploitation by attackers using known vulnerabilities.
Credential Security: Implement stronger credential management practices, such as multi-factor authentication and regular password changes, to reduce the risk of attackers gaining unauthorized access.
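One way to act on the log-review recommendation above, as an added example that is not from Symantec's report or from this post: a small Python hunt over constructed Event ID 4769 (Kerberos service ticket request) records that flags the Kerberoasting pattern described earlier, one account requesting many distinct service principal names with RC4 encryption inside a short window. The record layout, field names and thresholds are assumptions for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log records (Event ID 4769, "A Kerberos service
# ticket was requested"). Field names are simplified from the Windows event
# schema; every value below is made up for this example.
SAMPLE_4769 = [
    {"time": "2024-04-11T09:00:01", "account": "jdoe@CORP.LOCAL", "spn": "MSSQLSvc/db01.corp.local:1433", "etype": "0x17"},
    {"time": "2024-04-11T09:00:02", "account": "jdoe@CORP.LOCAL", "spn": "HTTP/web01.corp.local", "etype": "0x17"},
    {"time": "2024-04-11T09:00:02", "account": "jdoe@CORP.LOCAL", "spn": "MSSQLSvc/db02.corp.local:1433", "etype": "0x17"},
    {"time": "2024-04-11T09:00:03", "account": "jdoe@CORP.LOCAL", "spn": "ldap/dc01.corp.local", "etype": "0x17"},
    {"time": "2024-04-11T09:00:03", "account": "jdoe@CORP.LOCAL", "spn": "CIFS/fs01.corp.local", "etype": "0x17"},
    {"time": "2024-04-11T09:05:00", "account": "asmith@CORP.LOCAL", "spn": "HTTP/web01.corp.local", "etype": "0x12"},
    {"time": "2024-04-11T09:06:00", "account": "WS01$@CORP.LOCAL", "spn": "cifs/fs01.corp.local", "etype": "0x12"},
]

# Ticket encryption types: 0x17/0x18 are RC4-HMAC (the type attackers prefer
# because the resulting hash is cheap to crack); 0x11/0x12 are AES.
RC4_ETYPES = {"0x17", "0x18"}


def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=4):
    """Return {account: [spns]} for accounts that requested at least
    `min_spns` distinct SPNs with RC4 encryption inside any `window`-long
    period. Machine accounts ($) and the krbtgt service are skipped to
    reduce noise from normal domain traffic."""
    by_account = defaultdict(list)
    for e in events:
        user = e["account"].split("@")[0]
        if (e["etype"] not in RC4_ETYPES or user.endswith("$")
                or e["spn"].lower().startswith("krbtgt")):
            continue
        by_account[e["account"]].append(
            (datetime.fromisoformat(e["time"]), e["spn"].lower()))
    hits = {}
    for account, reqs in by_account.items():
        reqs.sort()
        # Slide the window forward from each request and count distinct SPNs.
        for i, (t0, _) in enumerate(reqs):
            spns = {spn for t, spn in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_spns:
                hits[account] = sorted(spns)
                break
    return hits


if __name__ == "__main__":
    for account, spns in kerberoast_candidates(SAMPLE_4769).items():
        print(f"possible Kerberoasting by {account}: {len(spns)} SPNs -> {spns}")
```

Real 4769 events expose the encryption type in the TicketEncryptionType field and the requesting account in TargetUserName; the thresholds here should be tuned against a baseline of normal service-ticket volume before alerting on them.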