", it serves solely as an example and was not observed in Huntress telemetry. Palo Alto's Unit42 has reported that attackers using the OWASSRF vulnerability commonly use the PowerShell reverse shell payload named SilverArrow for post-exploitation, as seen in Figure 4. Figure 4…"
T1059.001 PowerShell
91%
"native Windows utilities rundll32.exe and msiexec.exe to install what appears to have been a rogue ScreenConnect instance. Following these detections, no other post-exploit activity was observed. In this instance, Huntress observed multiple exploit attempts spanning two weeks…"
T1190 Exploit Public-Facing Application
81%
"OWASSRF Explained | Huntress. We simply couldn't end the year 2022 on a calm note — hackers made sure of that with their latest Microsoft Exchange exploit. On December 22, Huntress observed a significant increase in malicious PowerShell executions delivering a ConnectWise Contro…"
T1059.001 PowerShell
64%
", our analysts leveraged alerts from managed antivirus (i.e., Windows Defender) to identify neutralized attempts to deploy the ProxyNotShell variant. Indicators of compromise: the table below illustrates the exploit and post-exploit indicators of compromise (IOCs) Huntress…"
T1505.004 IIS Components
63%
"native Windows utilities rundll32.exe and msiexec.exe to install what appears to have been a rogue ScreenConnect instance. Following these detections, no other post-exploit activity was observed. In this instance, Huntress observed multiple exploit attempts spanning two weeks…"
T1055.001 Dynamic-link Library Injection
53%
"2f2d1c0840229c, 6db95d58cdf0a1a3. Huntress observed three ScreenConnect instance IDs associated with rogue installs across multiple systems. While Huntress has observed post-exploitation activity on a number of systems since December 6, several of those systems were found to ha…"
T1059.001 PowerShell
50%
"]org/owa/auth/current/themes/6.css’ ‘c:\windows\temp\c.msi’) base64-encoded PowerShell running as a child process of the web server (w3wp.exe). Post-exploit #2: System event log source: Service Control Manager; System event log ID: “7045”. Look for…"
T1505.004 IIS Components
46%
"2f2d1c0840229c, 6db95d58cdf0a1a3. Huntress observed three ScreenConnect instance IDs associated with rogue installs across multiple systems. While Huntress has observed post-exploitation activity on a number of systems since December 6, several of those systems were found to ha…"
T1197 BITS Jobs
44%
"\system with only the credentials of an unprivileged user. It's important to note that while we have not seen Metasploit being used in the wild, we showcased it in this example because it's a commonly available framework that's both flexible and easily captured in video fo…"
T1078 Valid Accounts
35%
"to inhibiting or even obviating attacks. While threat actors moved to using “new” methods (i.e., OWASSRF) to gain access to organizations via MS Exchange servers, their post-exploit activities were visible and familiar to our analysts, allowing Huntress to detect, respond…"
Summary
Huntress' analysis of a new exploit chain (called OWASSRF) that can lead to critical remote code execution on unpatched Exchange hosts.