FortiEDR
FortiEDR automates the protection against advanced threats, pre and post-execution, with real time orchestrated incident response functionality.
gthirugnanasa
Article Id 202517

Introduction

The FortiGuard Responder team has observed attempts to employ a proxy execution technique that uses the Microsoft MSBuild to deploy Cobalt Strike beacons throughout customer environments. This technique was also observed and reported by Renato Marinho from Morphus Labs. The C2 infrastructure associated with this activity has also been linked to log4j exploitation earlier in the month although this TTP itself has not been linked with log4j. This article will demonstrate how FortiEDR protects against the use of this proxy execution technique and will analyze a sample observed in the wild that is readily available to validate the protections offered by FortiEDR.

At the time of detection, several samples that employed this proxy execution technique continue to have a very low detection rate on Virus Total with only 6/57 vendors detecting it as malicious and only one correctly identifying the Cobalt Strike implant. Similar samples, to be analyzed later in the article, are more than 6 months old and still have less than 3/57 vendor detection rate.

Figure 1: Sample has a very low detection rate through AV vendors.

The sample above (and the one analyzed in this article) is a project file: an XML document, conforming to the MSBuild schema, that controls the creation of an executable. Functionality within the MSBuild process called ‘Tasks’ allows for the execution of arbitrary code alongside the build process to provide flexibility for end users, likely to support the integration of MSBuild in automated build processes. In the analyzed sample this functionality has been used for proxy execution of a Cobalt Strike beacon.

The sample observed by the FortiGuard Responder team was delivered through an RDP connection and then executed directly through GUI access to the ‘Developer Command Prompt’. Whilst overt, this technique would at first glance be indistinguishable from standard activity, especially in environments where software development tools are standard.

Analyzing the sample

A project file has several key components of note in this sample: Target Name, TaskName and the Task itself. The target name defines the target for the build; in all samples analyzed by the FortiGuard Responder team this had a value of ‘Debug’. The TaskName is the name of a particular task and is referenced in the Target definition; in all samples analyzed by the FortiGuard Responder team this had a value of ‘ClassExample’. These two sections can be observed in Figure 2 below.

Figure 2: Target Name and TaskName variables common between samples.

The final component is the Task section, which defines the task to be executed alongside the build process. In the samples analyzed by the FortiGuard Responder team the Task was the largest section of the project file. The observed tasks were written in C# and contain code to decode, reflectively load and then execute a Cobalt Strike beacon payload. The Cobalt Strike payload is stored in a variable called ‘buff’ and is byte-wise XORed with a 5-8 byte key stored in a variable called ‘key_code’. Code snippets of these variables from the proj file can be observed in Figure 3 below.

Figure 3: ‘buff’ and ‘key_code’ byte arrays storing encoded Cobalt Strike beacon and decode key respectively. Note that the ‘buff’ variable takes up the majority of the file contents and has been truncated in the figure.

As the proj file is ‘built’ the ‘ClassExample’ task is executed. This task decodes the ‘buff’ variable to a memory stream which is then reflectively loaded into the hosting MSBuild process, then executed. The section of code responsible for this decode, reflective loading, and execution is shown below in Figure 4.

Figure 4: This code snippet shows how each byte of the ‘buff’ array is XORed against a byte in the ‘key_code’ array in a loop then loaded into memory and executed.
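Decoding the proj file directly, rather than dumping the beacon from MSBuild memory, is the other route to the beacon executable that the config parser needs. The script below is an added triage example, not FortiGuard tooling and not code from the sample: it parses the project XML for the Target, UsingTask and Code structure described above, pulls the ‘buff’ and ‘key_code’ arrays out of the C# task and XOR-decodes them. The project file it runs on is constructed inline, and it assumes the arrays are written as hex byte[] initializers and that the key bytes are cycled across buff.

```python
import hashlib
import re
import xml.etree.ElementTree as ET

# Constructed stand-in proj file (not the real sample): arrays only, payload is an MZ-prefixed string.
KEY = bytes([0x4A, 0x13, 0xC7, 0x2E, 0x91])               # 5-byte key, constructed
PLAIN = b"MZ\x90\x00constructed-not-a-real-beacon"
ENCODED = bytes(b ^ KEY[i % len(KEY)] for i, b in enumerate(PLAIN))

def _cs_array(name, data):
    body = ", ".join(f"0x{b:02x}" for b in data)
    return f"byte[] {name} = new byte[{len(data)}] {{ {body} }};"

SAMPLE_PROJ = f"""<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Debug"><ClassExample /></Target>
  <UsingTask TaskName="ClassExample" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Class" Language="cs"><![CDATA[
      public class ClassExample : Microsoft.Build.Utilities.Task {{
        {_cs_array('buff', ENCODED)}
        {_cs_array('key_code', KEY)}
        // decode / reflective-load body deliberately omitted in this stand-in
      }}
    ]]></Code></Task>
  </UsingTask>
</Project>"""

# Assumption: the arrays are written as hex byte[] initializers, as in Figure 3.
ARRAY_RE = re.compile(r"byte\[\]\s+(\w+)\s*=\s*new\s+byte\[\d*\]\s*\{([^}]*)\}")

def _local(tag):
    return tag.rsplit("}", 1)[-1]                  # drop the MSBuild XML namespace

def inline_task_source(proj_xml):
    # Return (TaskName, [Target names], C# source) of the first inline task.
    root = ET.fromstring(proj_xml)
    targets = [e.get("Name") for e in root.iter() if _local(e.tag) == "Target"]
    for using_task in (e for e in root.iter() if _local(e.tag) == "UsingTask"):
        for code in (e for e in using_task.iter() if _local(e.tag) == "Code"):
            if code.text:
                return using_task.get("TaskName"), targets, code.text
    raise ValueError("no inline task code found")

def extract_arrays(cs_source):
    return {name: bytes(int(h, 16) for h in re.findall(r"0x([0-9a-fA-F]{1,2})", body))
            for name, body in ARRAY_RE.findall(cs_source)}

def xor_decode(buff, key):
    # Assumption: the key is cycled over buff, i.e. buff[i] ^ key[i % len(key)].
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buff))

def triage(proj_xml):
    # Decode buff with key_code and report what an analyst needs before config parsing.
    task_name, targets, source = inline_task_source(proj_xml)
    arrays = extract_arrays(source)
    decoded = xor_decode(arrays["buff"], arrays["key_code"])
    return {"task_name": task_name, "targets": targets, "key_len": len(arrays["key_code"]),
            "is_pe": decoded[:2] == b"MZ", "sha1": hashlib.sha1(decoded).hexdigest(),
            "decoded": decoded}
```

The returned bytes can be written to disk and fed to the config parser linked below; a decoded blob that does not start with MZ points at the Meterpreter stager variant rather than a beacon executable.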

On execution, the Cobalt Strike beacon will reach out to its C2 server per its embedded configuration. The configuration of the beacon can be extracted from the decoded beacon executable using the fantastic Cobalt Strike config parser (https://github.com/Sentinel-One/CobaltStrikeParser). The config extracted from the above-analyzed sample is a simple configuration, as shown below in Figure 5, with a single IP as a C2Server and minimal use of additional Cobalt Strike features. A full analysis of a Cobalt Strike configuration is outside the scope of this article and there are already great resources in the Cyber Security community on the topic, but the following article provides a starting point for those wanting to go deeper into extracting and understanding IOCs from this artifact (https://www.mandiant.com/resources/defining-cobalt-strike-components).

Figure 5: Config file extracted from embedded Cobalt Strike beacon. Note single IP C2 server.

Detecting and Mitigating with FortiEDR

FortiEDR effectively detects and blocks MSBuild proxy execution of malicious payloads like the Cobalt Strike beacon analyzed above out of the box (OOTB), using behavioral detections that form part of its default ruleset. FortiEDR does not whitelist all behavior associated with the MSBuild process, so it readily detects anomalous behavior such as network connections and reflective loading despite MSBuild being a known, signed Microsoft executable. In the emulated attack below, the sample analyzed above was executed through the Developer Command Prompt whilst FortiEDR was set to ‘Log Only’. In this mode FortiEDR only logs the events it would normally block, allowing the sample to execute fully and giving us the opportunity to observe the full range of behaviors detected by FortiEDR.

Execution of this sample generated two events from three rules, each triggered by suspicious/malicious behavior that would have been stopped, thwarting this attack, if FortiEDR actions had been set to block. These events can be seen in Figure 6 below.

Figure 6: Events detected by FortiEDR related to MSBuild proxy execution of the malicious proj file analyzed above containing a Cobalt Strike beacon.

The first event above was triggered by the ‘Connection Attempt from a Suspicious Application’ rule in the Exfiltration Prevention Policy. This rule flags on network connections associated with applications that don’t normally create network connections or that have been known to be exploited by adversaries. Exceptions can be made to allow legitimate usage where required. In this case the event was classified as ‘Suspicious’ as FortiGuard Labs threat intelligence feeds flagged the IP address (23.227.178[.]115) as suspicious. FortiEDR’s integration with FortiGuard Labs threat intelligence resources is part of the default configuration.

The second event flagged two behavioral rules both from the Exfiltration Prevention Policy; ‘Dynamic Code – Malicious Runtime Generated Code Detected’ and ‘Unmapped Executable – Executable File without a Corresponding File on Disk’. The first of these rules (Dynamic Code) flagged on the decoded Cobalt Strike beacon being generated in memory at runtime failing file verification. This can be seen in the FortiEDR ‘Stacks View’ within the Forensics tab as shown below in Figure 7.

Figure 7: FortiEDR Stacks View showing the Dynamic Code rule exception related to the decoding of the Cobalt Strike beacon

The second rule (Unmapped Executable) flagged on the Cobalt Strike beacon being reflectively loaded into the MSBuild process. The memory allocated to this unmapped executable can be observed through the ‘Stacks View’ of the Forensics tab as shown in Figure 8 below. FortiEDR can be used to dump the executable from memory for further analysis if required. This is an alternative way of getting the decoded Cobalt Strike beacon rather than decoding the proj file directly.

Figure 8: FortiEDR Stacks View showing the Unmapped Executable rule exception related to the reflective loading of the Cobalt Strike beacon

Threat Hunting with VT

Taking common indicators from the analyzed sample, the FortiGuard Responder team identified a number of similar samples in VirusTotal. Samples go back as far as July 2021 and appear to come in two variants defined by the decoded contents of the ‘buff’ variable: variant one contains a version of BEACON (Cobalt Strike) matching the one analyzed in this article, and variant two contains a Metasploit Meterpreter stager that calls back to adversary C2 to download a Cobalt Strike beacon. Infrastructure (domains and IPs) and TTP (user agent, URL, profile) crossover can be observed between the two variants, including over the same time period, indicating the activity is likely the same actor. Additionally, all exported Cobalt Strike payloads share the same product watermark (426352781).

Conclusion

This article has demonstrated how FortiEDR protects against MSBuild based proxy execution of malicious Cobalt Strike beacons and Meterpreter loaders using default rules, policies, and configurations. Generic telemetry-based threat hunting is difficult for this TTP without an understanding of the prevalence of MSBuild usage inside an environment so no Threat Hunting queries have been provided as part of this article.

IOCs for the BEACON payloads have been extracted from the config files using the process outlined above. IOCs for the Meterpreter stagers have been extracted from the shellcode dumped following decoding of the embedded ‘buff’ variables. The majority of the IOCs are known but have been collated and made available at the end of this article for completeness.

Figure 9: Observed host visits for the “hxxp://64.44.139[.]51:8080/safebrowsing/nuzhx/BPxxUS7rqSgy34UkChZ3LrTW1WV91WFfhglLRiDK” webpage for the last three months. Taken from Fortinet Central Threat System (CTS)

It should also be noted that despite some of the IOCs being first observed in October 2021, FortiGuard Labs threat intelligence feeds indicate that the C2 is still being contacted regularly by victims across the globe. Some of this activity is as recent as 28 December 2021 with a significant spike in activity beginning in mid-December from endpoints in India, the US and Europe, as observed in Figure 9 above.

MITRE ATT&CK

TA0002 - Execution
Technique ID | Technique Description | Observed Activity
T1106 | Native API | Observed MSBuild projects analyzed in this article use direct API calls to reflectively load and execute malicious Cobalt Strike and Meterpreter payloads.

TA0005 – Defensive Evasion
Technique ID | Technique Description | Observed Activity
T1127.001 | Trusted Developer Utilities Proxy Execution: MSBuild | This article is based on analyzing the exploitation of the MSBuild ‘tasks’ feature to perform proxy execution. The identified proj files don’t result in a built application and only exist to exploit this functionality.
T1620 | Reflective Code Loading | Encoded Cobalt Strike and Meterpreter loaders are decoded and loaded into the MSBuild process directly from memory using .NET functionality (System.Reflection).

TA0011 – Command and Control
Technique ID | Technique Description | Observed Activity
T1071.001 | Application Layer Protocol: Web Protocols | Both Cobalt Strike and Meterpreter payloads used predominantly HTTP and HTTPS to communicate back to C2.
T1071.004 | Application Layer Protocol: DNS | One of the Cobalt Strike beacon configurations identified the use of the HTTP DNS beacon type, which results in DNS traffic.

IOCs

Contributors