National Security Agency (NSA) issued a joint cybersecurity advisory highlighting a cluster of activity it attributes to a People's Republic of China (PRC) state-sponsored threat group. Secureworks® Counter Threat Unit™ (CTU) researchers attribute this activity to BRONZE SILHOUETTE (referred to in the advisory as Volt Typhoon) and have observed the threat group conducting network intrusion operations against U.S. government and defense organizations since 2021. The tactics, techniques, and procedures (TTPs) and victimology observed during Secureworks incident response (IR) engagements suggest BRONZE SILHOUETTE targets organizations for intelligence-gathering purposes that are in alignment with the requirements of the PRC.

The threat group has demonstrated careful consideration for operational security, such as the use of preinstalled binaries to "live off the land," incorporation of defense evasion techniques, and reliance on compromised infrastructure to prevent detection and attribution of its intrusion activity and to blend in with legitimate network activity.

June 2021 IR engagement

During a June 2021 engagement, Secureworks incident responders discovered that BRONZE SILHOUETTE had gained initial access to the compromised organization's single-factor Citrix environment via a domain administrator account. It is unclear how the threat actors obtained these credentials. BRONZE SILHOUETTE moved laterally to another web server and dropped a simple Java-based web shell (AuditReport.jspx). Secureworks incident responders observed the threat actors execute a series of reconnaissance commands via the web shell (see Figure 1).

Figure 1. Reconnaissance commands issued through Java-based web shell. (Source: Secureworks)

BRONZE SILHOUETTE then wrote Base64-encoded text to C:\Windows\Temp\ntuser.ini and decoded it to C:\Windows\Temp\iisstart.aspx via the certutil command (see Figure 2).

Figure 2. Web shell written to disk, decoded, and copied to remote web server.

The iisstart.aspx file is a C# web shell that is likely a derivative of the Awen web shell and is used for remote command execution (see Figure 3). The threat actors copied the web shell to a second web server in the environment and used it to gather system information via the 'whoami' and 'tasklist' commands.

Figure 3. Snippet from the C# web shell deployed by BRONZE SILHOUETTE.

Secureworks incident responders observed BRONZE SILHOUETTE using the AuditReport.jspx web shell to perform the following tasks on the first web server:

- Used Windows Management Instrumentation (WMI) to execute the Ntdsutil Active Directory (AD) management tool on the domain controller (see Figure 4). This command creates a copy of the ntds.dit AD database for credential attacks such as pass the hash or offline password hash cracking.

Figure 4.

- Copied the ntds.dit database to the web server via xcopy, compressed the database as a multi-volume password-protected archive via 7-Zip, and saved the volumes to a public-facing directory on the same server with legitimate-sounding filenames and a.
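The activity chain described in the engagement (web-server worker spawning recon commands, certutil decoding a Base64 blob into an .aspx file, WMI launching Ntdsutil on a domain controller, xcopy of ntds.dit, and a multi-volume password-protected 7-Zip archive staged under the web root) can be expressed as process-creation detection rules. The following is an added example written for this page, not code from Secureworks or from the report; the sample events are constructed to mirror the described steps, and the process names, web-root paths and the `ifm`/`create full` Ntdsutil syntax are assumptions to be tuned to your own telemetry.

```python
import re
from typing import Callable, Dict, List, Optional

# Constructed sample process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rules need). Illustrative only; not telemetry from the engagement.
SAMPLE_EVENTS = [
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil -decode C:\Windows\Temp\ntuser.ini C:\Windows\Temp\iisstart.aspx"},
    {"host": "dc01", "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" ifm "create full C:\\Windows\\Temp\\dump" q q'},
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\xcopy.exe",
     "cmdline": r"xcopy \\dc01\c$\Windows\Temp\dump\ntds.dit C:\inetpub\wwwroot\data"},
    {"host": "web01", "parent": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r"7z a -v20m -pPLACEHOLDER C:\inetpub\wwwroot\images\logo.gif C:\inetpub\wwwroot\data\ntds.dit"},
    {"host": "ws05", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -verify cert.cer"},  # benign: no -decode, no script output
]

# Assumed process names; adjust to the web servers and tooling in your estate.
WEB_SERVER_IMAGES = {"w3wp.exe", "httpd.exe", "java.exe", "tomcat9.exe"}
LOLBINS = {"cmd.exe", "powershell.exe", "whoami.exe", "tasklist.exe",
           "certutil.exe", "xcopy.exe", "7z.exe", "net.exe", "ntdsutil.exe"}
WEB_SCRIPT_EXTS = (".aspx", ".asp", ".jsp", ".jspx", ".php")
ARCHIVERS = {"7z.exe", "7za.exe", "rar.exe"}


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def web_server_spawned_process(ev) -> Optional[str]:
    # A web server worker launching shells or LOLBins is the classic web-shell signal.
    if basename(ev["parent"]) in WEB_SERVER_IMAGES and basename(ev["image"]) in LOLBINS:
        return "web_server_spawned_process"
    return None


def certutil_decode_web_script(ev) -> Optional[str]:
    # certutil -decode turning a Base64 blob into a server-side script file.
    tokens = ev["cmdline"].lower().split()
    if basename(ev["image"]) == "certutil.exe" and "-decode" in tokens \
            and any(t.endswith(WEB_SCRIPT_EXTS) for t in tokens):
        return "certutil_decode_web_script"
    return None


def ntdsutil_ifm_dump(ev) -> Optional[str]:
    # ntdsutil "ifm ... create full" writes a copy of ntds.dit to disk (assumed syntax).
    cmd = ev["cmdline"].lower()
    if basename(ev["image"]) == "ntdsutil.exe" and ("ifm" in cmd.split() or "create full" in cmd):
        return "ntdsutil_ifm_dump"
    return None


def wmi_spawned_process(ev) -> Optional[str]:
    # Processes whose parent is the WMI provider host were started via WMI.
    if basename(ev["parent"]) == "wmiprvse.exe":
        return "wmi_spawned_process"
    return None


def ntds_dit_copy(ev) -> Optional[str]:
    # Any copy utility touching the AD database file outside of backup software.
    if basename(ev["image"]) in {"xcopy.exe", "robocopy.exe", "esentutl.exe"} \
            and "ntds.dit" in ev["cmdline"].lower():
        return "ntds_dit_copy"
    return None


def split_password_archive(ev) -> Optional[str]:
    # 7-Zip -v<size> (multi-volume) together with -p<password>; web-root staging is worse.
    cmd = ev["cmdline"]
    if basename(ev["image"]) not in ARCHIVERS:
        return None
    if re.search(r"(^|\s)-v\d+[bkmg]?(\s|$)", cmd, re.I) and re.search(r"(^|\s)-p\S*", cmd):
        low = cmd.lower()
        if "\\inetpub\\" in low or "wwwroot" in low:
            return "split_password_archive_in_webroot"
        return "split_password_archive"
    return None


RULES: List[Callable[[dict], Optional[str]]] = [
    web_server_spawned_process, certutil_decode_web_script, ntdsutil_ifm_dump,
    wmi_spawned_process, ntds_dit_copy, split_password_archive,
]


def scan(events) -> Dict[int, List[str]]:
    """Return {event_index: sorted rule names} for every event matching at least one rule."""
    hits: Dict[int, List[str]] = {}
    for i, ev in enumerate(events):
        names = sorted(n for n in (rule(ev) for rule in RULES) if n)
        if names:
            hits[i] = names
    return hits


if __name__ == "__main__":
    for idx, names in scan(SAMPLE_EVENTS).items():
        ev = SAMPLE_EVENTS[idx]
        print(f"[{ev['host']}] {', '.join(names)}: {ev['cmdline']}")
```

Each rule is deliberately narrow so that a single hit is low-noise; the value comes from correlating them in sequence on the same hosts (web server child process, then certutil decode, then a WMI-launched Ntdsutil on a domain controller, then ntds.dit landing under the web root) rather than alerting on any one of them alone.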