
Quad7 Botnet: A Stealth Network for Credential Theft and Router Exploitation
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1003-OS Credential Dumping
ID | Data Source | Data Component | Detects |
Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [31] [32] [33] Note: Domain controllers may not log replication requests originating from the default domain controller account. [34]. Monitor for replication requests [35] from IPs not associated with known domain controllers. [21] Analytic 1 - Suspicious Replication Requests sourcetype=WinEventLog:Security EventCode="4662" AND AccessMask= "0x100" AND (guid= "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "9923a32a-3607-11d2-b9be-0000f87a36b2" OR guid= "89e95b76-444d-4c62-991a-0facbeda640c") | |||
Monitor executed commands and arguments that may attempt to dump credentials using tools like Mimikatz, ProcDump, NTDSUtil, or accessing /proc, /etc/passwd, and /etc/shadow. Analytic 1 - Suspicious command execution involving credential dumping tools.(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("mimikatz.exe", "procdump.exe", "ntdsutil.exe", "powershell.exe") CommandLine IN ("Invoke-Mimikatz", "Invoke-CachedCredentials", "Invoke-LSADump", "Invoke-SAMDump"))OR(index=security sourcetype="linux_secure" Command IN ("cat /etc/passwd", "cat /etc/shadow", "grep -E '^[0-9a-f-] r' /proc//maps"))OR(index=security sourcetype="macOS:UnifiedLog" process IN ("cat", "grep") message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd")) | |||
Monitor file accesses that may indicate attempts to dump credential data from various storage locations such as LSASS memory, SAM, NTDS.dit, LSA secrets, cached domain credentials, proc filesystem, /etc/passwd, and /etc/shadow. Analytic 1 - Unauthorized access to credential storage files. (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="auditd" (key="path" (value IN ("/etc/passwd", "/etc/shadow")) OR key="proctitle" value IN ("cat", "strings", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more")))OR(index=security sourcetype="macOS:UnifiedLog" (process IN ("cat", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more") OR message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd"))) | |||
Monitor for the unexpected creation of memory dump files for processes that may contain credentials. Analytic 1 - Unexpected memory dump file creation. (index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("lsass.dmp", "\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")))OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd")) | |||
Monitor for network protocols [31] [36] and other replication requests [35] from IPs not associated with known domain controllers. [21] Analytic 1 - Anomalous network traffic content related to credential managers index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]| eval SourceIP = src_ip, DestinationIP = dest_ip, Protocol = proto| search (content="LDAPSearchRequest") OR (content="LDAPModifyRequest") OR (content="bindRequest") OR (content="searchResEntry") OR (content="NTDS.dit") | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analytic 1 - Unusual network communication patterns. index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip] | |||
Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. | |||
Monitor for unexpected processes interacting with lsass.exe.[37] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity. LinuxTo obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs. Analytic 1 - Unauthorized access to credential managers. (index=security sourcetype="WinEventLog:Security" EventCode=10 TargetImage="lsass.exe" SourceImage IN ("mimikatz.exe", "procdump.exe"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")) (key="cmdline" value IN ("mimikatz", "procdump")))OR(index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/", "/private/etc/master.passwd") process IN ("mimikatz", "procdump")) | |||
Monitor for newly executed processes that may be indicative of credential dumping. Analytic 1 - Unexpected process creation related to credential dumping. (index=security sourcetype="WinEventLog:Security" EventCode=4688 Image="procdump.exe" CommandLine IN (" -ma lsass"))OR (index=security sourcetype="linux_secure" (key="cmdline" value IN ("procdump -ma /proc/$(pgrep lsass)")) (key="exe" value="procdump"))OR(index=security sourcetype="macOS:UnifiedLog" process="procdump" command=" -ma /proc/$(pgrep lsass)") | |||
Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Analytic 1 - Unauthorized registry access to SAM key. index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\SAM" | where ProcessName IN ("mimikatz.exe", "procdump.exe", "reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe") |
T1090-Proxy
ID | Data Source | Data Component | Detects |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. | |||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1219-Remote Access Software
ID | Data Source | Data Component | Detects |
Monitor for newly constructed network connections that are sent or received by untrusted hosts. | |||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. | |||
Monitor for applications and processes related to remote admin software. Correlate activity with other suspicious behavior that may reduce false positives if this type of software is used by legitimate users and administrators. Domain Fronting may be used in conjunction to avoid defenses. Adversaries will likely need to deploy and/or install these remote software to compromised systems. It may be possible to detect or prevent the installation of this type of software with host-based solutions. |
T1041-Exfiltration Over C2 Channel
ID | Data Source | Data Component | Detects |
Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel. | |||
Monitor for suspicious files (i.e. .pdf, .docx, .jpg, etc.) viewed in isolation that may steal data by exfiltrating it over an existing command and control channel. | |||
Monitor for newly constructed network connections that are sent or received by untrusted hosts. Note: Network Analysis frameworks such as Zeek can be used to capture, decode, and alert on TCP network connection creation. | |||
Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |