Review the alert in question. If necessary, rebuild the host from a known, good source and have the user change their password. Additionally, review the users in privileged groups within Active Directory and remove unexpected or unknown members.
This detection identifies the cmdlet 'Get-ManagementRoleAssignment' being passed to 'PowerShell.exe' through the command line. This technique is used by malicious actors to obtain access to privileged user mailboxes for exfiltration.
Investigate the command that is being scheduled to run. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies the execution of 'msedge.exe' spawning a 'net.exe' or 'net1.exe' command. This technique is used by malicious actors, in particular the Bazarloader malware, to inject into the Edge browser process before spawning net commands.
Examine the parent process that spawned the process in question. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies command line activity associated with blacklisted user accounts that Rapid7 has observed during past and/or present campaigns. Some techniques used by malicious actors include common account name reuse. Malicious actors could use the account name and/or password across multiple intrusions.
This detection identifies the modification and execution of the existing service 'wercplsupport' to execute a malicious DLL, a behavior identified in the Blue Mockingbird malware. Blue Mockingbird is known to persist by leveraging Windows services, and deploys a Monero cryptominer. It can also masquerade an XMRig payload, written to the file 'wersupporte.dll', as the legitimate 'wersupport.dll' file.
Investigate the DLL file that is being executed. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies 'cmd.exe' attempting to execute '.exe' files from within the Recycle Bin. This technique is used by malicious actors as a method of hiding the location of their staging directory.
Review the process activity on the host to identify other suspicious behavior. Retrieve the binary in question and perform analysis on its behavior if the hash is unknown. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
Determine if the process being launched is expected or otherwise benign behavior. Investigate the accessed site and whether it serves a business use. If necessary, rebuild the host from a known, good source and have the user change their password.
This detection identifies child processes of the ScreenConnect Client in order to surface commands executed by malicious actors. ScreenConnect is a legitimate remote access tool that malicious actors use to maintain persistence in a target environment.
This detection identifies the archiving tool 7-Zip being used to create an archive containing a user's mailbox. This technique is used by malicious actors in order to compress and stage data for later exfiltration.
Investigate the process execution history on the host in question to determine if the account creation is authorized and expected within the client network. If necessary, delete the created user account and reset the password of the user that performed the action.
Investigate the process execution history on the host in question to determine the root cause of this execution. If malware is identified during the investigation process, isolate the system and restore it from a validated known, good baseline image.
Determine whether the user deleting the key had a legitimate reason for doing so. Investigate any RDP activity to or from the host in the timeframe prior to the command being run. The source or destination hosts from any RDP activity should also be investigated for any signs of suspicious activity.
This detection identifies the use of various services that display the source IP address a request originates from. This technique is used by malicious actors to identify the source IP address of an endpoint, which provides geographic location and network owner information.
This detection identifies the technique of using the Windows command "dir" to search for files containing the string "ssh" in their filenames. This has been observed in use by malicious actors to exfiltrate SSH credentials that could then be used for further attacks on the system.
Examine the parent process that spawned the process in question, and anything that the process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies the execution of the legitimate Microsoft Remote Assistance process, "msra.exe". This process is spawned as a result of process injection by a DLL, with "regsvr32.exe" or "rundll32.exe" as its parent process. The activity was observed in Qbot infections.
This detection identifies the execution of a suspicious DLL that injects into the process mobsync.exe. Malicious actors have been observed using this activity to perform process injection consistent with the QBot malware family.
Determine whether this is part of authorized administrator activity. Examine the parent process that spawned the command, and anything else that process may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies the '\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL' key being passed to 'reg.exe' to enable the NULL cipher on the system, which can allow data transmission in cleartext. This technique is used by malicious actors to remove the protection provided by SSL encryption, which makes the network communications vulnerable to eavesdropping and Man-in-the-Middle attacks.
This detection identifies WinRAR being used to create a password-protected archive containing a user's mailbox. This technique is used by malicious actors to compress and stage data for later exfiltration.
This detection identifies the execution of binaries from the 'windows\system32' directory where the command line contains a subdirectory followed by directory traversal using '..'. This technique is used by attackers in an attempt to bypass detections looking for specific paths to standard Windows binaries.
Determine whether this usage of rsync is normal, authorized activity. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies the export of the 'SECURITY' or 'SAM' registry hives through the 'reg.exe' binary. This technique is used by malicious actors and penetration testers to obtain hashes or credentials stored in the Windows registry.
This detection identifies the use of 'AppInstaller.exe' to download and execute an arbitrary executable. This technique is used by malicious actors in order to proxy the execution of malicious code hosted on a remote system.
Malicious actors will often try to dump the contents of the LSASS process memory in an attempt to access credentials. To do so, they will have to locate the PID of the process. Often this will be done using built-in command line tools such as the findstr utility or PowerShell's Get-Process.
Determine if this was authorized testing or is activity related to a security tool. Otherwise, there is little to no reason for this activity to be occurring, and the host should be quarantined and investigated immediately.
This detection identifies FSUtil being used to enable Windows to recognize symbolic links. This has been observed in the BlackCat/Noberus Ransomware as a way to follow "Shortcut" files that are pointing to a remote location in the network to perform encryption.
Examine the parent process that spawned the process in question, and any process that it may have spawned. If this activity is not benign or expected, consider rebuilding the host from a known, good source and having the user change their password.
This detection identifies the execution of 'NTDSUtil.exe', the command-line utility used to work with the 'NTDS.dit' Active Directory database, being used to create an Install From Media (IFM) set for DCPromo. The IFM set is a copy of 'NTDS.dit', and if it is not properly secured or configured, a malicious actor could use the snapshot taken during this process to extract credential data.
Investigate the parent process and process activity to determine if the activity is authorized and expected within the environment. If necessary, rebuild the host from a known, good source and have the user change their password.
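Several of the detections above (the 'Get-ManagementRoleAssignment' cmdlet passed to 'PowerShell.exe', the SCHANNEL NULL cipher key passed to 'reg.exe', binaries launched from 'windows\system32' with a subdirectory followed by '..', the 'SAM'/'SECURITY' hive export through 'reg.exe', and 'NTDSUtil.exe' IFM set creation) reduce to the same check: an image name combined with a command-line pattern. The following is an added example written for this page, not Rapid7's detection logic; the rule names, the regular expressions and the sample process telemetry are all assumptions constructed here to show how such rules are evaluated and how benign lookalikes (a 'reg.exe query', a plain 'notepad.exe' launch) are left alone.

```python
"""Command-line detection rules run over constructed process telemetry.

Added example, not vendor rule logic: each Rule pairs an image-name regex with a
command-line regex, and an event matches only when both apply.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    process: str  # regex matched against the image name (case-insensitive)
    cmdline: str  # regex matched against the full command line (case-insensitive)


# Rules derived from the detection descriptions above (assumed patterns, not the vendor's).
RULES: List[Rule] = [
    Rule("PowerShell - Get-ManagementRoleAssignment",
         r"^powershell\.exe$", r"get-managementroleassignment"),
    Rule("Reg.exe - SCHANNEL NULL cipher key",
         r"^reg\.exe$", r"schannel\\ciphers\\null"),
    Rule("Reg.exe - SAM or SECURITY hive export",
         r"^reg\.exe$", r"\bsave\b.*\b(hklm|hkey_local_machine)\\(sam|security)\b"),
    Rule("System32 subdirectory followed by '..' traversal",
         r".*", r"\\windows\\system32\\[^\\\s]+\\\.\.\\"),
    Rule("NTDSUtil - IFM set creation",
         r"^ntdsutil\.exe$", r"\bifm\b"),
]

# Constructed sample telemetry: (image name, command line, parent image). Not real data.
SAMPLE_EVENTS: List[Tuple[str, str, str]] = [
    ("powershell.exe",
     "powershell.exe -NoProfile Get-ManagementRoleAssignment -RoleAssignee svc_backup",
     "cmd.exe"),
    ("reg.exe",
     r'reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL" /v Enabled /t REG_DWORD /d 1 /f',
     "cmd.exe"),
    ("cmd.exe", r"C:\Windows\System32\drivers\..\cmd.exe /c whoami", "explorer.exe"),
    ("reg.exe", r"reg save HKLM\SAM C:\Users\Public\sam.hiv", "cmd.exe"),
    ("ntdsutil.exe",
     r'ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\ifm" quit quit',
     "cmd.exe"),
    # Benign activity that should not fire:
    ("reg.exe", r"reg.exe query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir", "cmd.exe"),
    ("notepad.exe", r"C:\Windows\System32\notepad.exe C:\temp\notes.txt", "explorer.exe"),
]


def match_rules(process: str, cmdline: str) -> List[str]:
    """Return the names of every rule whose process and command-line regexes both match."""
    return [r.name for r in RULES
            if re.search(r.process, process, re.I) and re.search(r.cmdline, cmdline, re.I)]


def scan(events) -> List[Dict[str, object]]:
    """Evaluate all rules against each event; one finding per event that matched at least one rule."""
    findings: List[Dict[str, object]] = []
    for process, cmdline, parent in events:
        names = match_rules(process, cmdline)
        if names:
            findings.append({"process": process, "parent": parent,
                             "cmdline": cmdline, "rules": names})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{', '.join(f['rules'])}] {f['parent']} -> {f['process']}: {f['cmdline']}")
```

Running the script flags the first five constructed events, one rule each, and leaves the two benign events untouched. The traversal rule is deliberately the only one with an unconstrained image name, since the point of that technique is that the binary being launched can be anything; the other rules key on the specific image so that, for instance, a 'reg.exe query' never trips the hive-export pattern. The parent image is carried into each finding because every recommendation above starts from examining the parent process.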