The sixth most prevalent threat across Red Canary monitored environments in 2022, SocGholish has been on our radar for a while and continues to wreak havoc. We’ve compiled the most useful Atomic Red Team tests for you to validate your ability to observe and detect behaviors similar to those leveraged by this threat.
First, a disclaimer
The following tests are based on threat intelligence from a variety of sources, both from Red Canary and other community members, often from a specific point in time, and are not designed to emulate threats with complete accuracy. Detector logic is provided as a starting point, not as a final use case. You should not assume that any given test or detector has been updated with the very latest developments in adversary tradecraft. Further, this emulation exercise is constrained by the availability of tests in Atomic Red Team.
Also note that tests will result in behaviors that may be actioned in different ways, including observing if you have the telemetry to see them, detecting them as suspicious or malicious, and/or mitigating them. Whether you choose to observe, escalate, or respond to the behaviors resulting from these tests is often based on context from your environment. Ultimately, detecting the broader threat is more important than ensuring that you’re able to alert on each individual test.
What is SocGholish?
SocGholish is a somewhat seasoned character on the scene of drive-by download malware, having been active since at least April 2018. Making our number 6 spot in the annual Threat Detection Report for 2022, it had a significant spike of activity in February 2022, almost tripling in total detection volume. It also spiked in activity in January and March 2023. It has maintained a solid foothold in overall traffic across Red Canary-monitored environments and ranked 5th overall for 2023.
This malware family commonly gains initial access when an unsuspecting user visits a compromised website and downloads a malicious file. SocGholish then relies on social engineering to gain execution, tricking users into running a malicious JavaScript payload. Historically this JavaScript file was delivered within a ZIP file masquerading as a browser update, though other lures have posed as direct JavaScript file updates to Adobe Flash or Microsoft Teams.
JavaScript payloads delivered by SocGholish collect data on the infected machine and ferry this information back to SocGholish infrastructure. This connection can also retrieve secondary payloads like Cobalt Strike or NetSupport. Most of the SocGholish activity that Red Canary detects has been reconnaissance-based, and we’re often able to identify the infected endpoints and isolate them before any later stage activity has a chance to occur.
Emulating SocGholish with Atomic Red Team
Red Canary has multiple custom detection analytics that look for variations of the activity described above. We previously shared versions of three such analytics in the SocGholish section of the 2023 Threat Detection Report. Our most effective detection analytics for SocGholish focus on early-stage activity relating to payload retrieval and execution and subsequent discovery actions. As such, the bulk of this article will focus on emulating and detecting or observing the following behaviors:
- browsers spawning the Windows Scripting Host (wscript.exe) process
- running the whoami command and redirecting the output to a file
- domain trust discovery checks with nltest and related commands
As is often the case, the pseudo-detectors we’re about to share are a great starting point for hunts or detection analytics but may require additional tuning—either by broadening the scope of the detection logic or narrowing it—to limit the occurrence of false positives or more accurately detect threats.
Browsers spawning the Windows Scripting Host process
Detection opportunity 1: wscript executes .js file
SocGholish often arrives in the form of a .js file. The victim downloads the file and, when they double click it, Windows executes the file with wscript.exe.
Note that this may be a browser spawning wscript.exe as a child process, and the malicious file is not always within a zipped archive. Though not included here, another good component for this detection is a parent process of a commonly used browser.
process == ('wscript' || 'cscript')
&&
command_includes ('.js', '.zip')
&&
command_includes ('users', 'temp')
&&
has_child_process == true
Atomic test T1059.007 #2: JavaScript Execution
The test most aligned with the JavaScript detector logic above focuses on a method of collecting machine data using JavaScript.
As SocGholish’s primary activity is mostly reconnaissance-based and can be somewhat quiet, this is an important test to verify that machine data collection isn’t occurring in the background.
The test first requires prerequisites in the form of a binary published to the technique src folder. This binary is a .js file that pulls the machine domain, name, manufacturer, and model into a text file in the TEMP folder.
Note: This test is not launched from a browser. Any detectors that rely on the process parent being the browser will not alert on this activity. If desired, the binary downloaded in this command can be modified to include a quick ping out to a domain defined by the user.
Input argument (default value from the test definition); #{jscript} in the commands below is replaced with it when the test runs:
jscript="PathToAtomicsFolder\T1059.007\src\sys_info.js"
Prerequisite commands (PowerShell) that create the src folder and fetch the sys_info.js script:
New-Item -ItemType Directory (Split-Path "#{jscript}") -Force | Out-Null
Invoke-WebRequest "https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.007/src/sys_info.js" -OutFile "#{jscript}"
Test command (command prompt), which runs the script with wscript and redirects its output into the TEMP folder:
wscript "#{jscript}" > %tmp%\T1059.007.out.txt
Running whoami and redirecting the output to a file
Detection opportunity 2: whoami
SocGholish has an especially interesting bit of activity that can set it apart from other malicious activity. This malware strain runs the command whoami /all to pull user data, and redirects the output to a .tmp file for exfiltration.
Detecting this activity is relatively simple. The detector logic below specifically looks for Windows Scripting Host as the parent process of cmd.exe instances that are running whoami /all and sending the results to a file via command redirection.
parent_process == wscript.exe
&&
process == cmd.exe
&&
command_includes ('whoami /all >>')
Atomic test T1033 #6: SocGholish whoami
The whoami activity generated by SocGholish was a common historical marker of its activity. This catered test, added in March, runs the whoami /all command in cmd.exe and outputs the content to a .tmp file. Following the addition of this test to Atomic Red Team, we have not observed this behavior as frequently in SocGholish infections, but we still believe it’s a great and worthy test.
As SocGholish is often seen generating a random filename in the naming convention of rad<5-hex-chars>.tmp, this test generates a similar filename to test detectors that may look for this naming convention.
This particular test should be put in a script, modified as desired, and run through command prompt.
# Input argument (default value from the test definition); #{output_path} below is replaced with it when the test runs
output_path = $env:temp
# Character pools for the random part of the filename (uppercase letters and digits)
$TokenSet = @{
U = [Char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
N = [Char[]]'0123456789'
}
# Draw 5 letters and 5 digits, then pick 5 characters from that pool to build rad<5 chars>.tmp
$Upper = Get-Random -Count 5 -InputObject $TokenSet.U
$Number = Get-Random -Count 5 -InputObject $TokenSet.N
$StringSet = $Upper + $Number
$rad = (Get-Random -Count 5 -InputObject $StringSet) -join ''
$file = "rad" + $rad + ".tmp"
# Run whoami /all under cmd.exe and append its output to the .tmp file in the output folder
cmd.exe /c " whoami.exe /all >> #{output_path}\$file"
Uncovering domain trust with nltest
Detection opportunity 3: Domain discovery with nltest
Left unchecked, SocGholish may eventually perform domain trust discovery. Domain discovery can allow for lateral movement between other machines in the same domain or to identify misconfigurations. The nltest command-line tool is used to list domain controllers and enumerate domain trusts—in the case of SocGholish, the latter.
This type of behavior is often a precursor to ransomware activity, and should be quickly quelled to prevent further progression of the threat. In this detector logic, alerts fire on the nltest.exe process being called with /domain_trusts or /all_trusts flags.
process == nltest.exe
&&
command_includes ('/domain_trusts' || '/all_trusts')
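The three pseudo-detectors above (wscript/cscript running a .js, the whoami /all redirection, and the nltest trust flags), implemented here as an added Python example that is not part of the original post and run over constructed process-creation records. It assumes that the comma-separated terms in command_includes must all be present (the page writes || where it means either), and it widens the whoami match to also accept whoami.exe, the spelling the atomic test uses.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:  # constructed process-creation record with the fields the pseudo-detectors use
    process: str             # image name of the new process, e.g. "cmd.exe"
    parent: str              # image name of its parent process
    cmdline: str             # full command line
    has_child: bool = False  # whether the process went on to spawn children

def _has(cmdline, *terms, how=all):
    """True when all (default) or any of the terms appear in the command line, case-insensitively."""
    return how(t in cmdline.lower() for t in terms)

def wscript_js(ev):
    # Detection opportunity 1. ('.js', '.zip') is read as "both present" (an assumption):
    # the path of a script run straight out of a ZIP under Users\...\Temp looks like that.
    return (ev.process.lower() in ("wscript.exe", "cscript.exe")
            and _has(ev.cmdline, ".js", ".zip") and _has(ev.cmdline, "users", "temp")
            and ev.has_child)

# Detection opportunity 2. A literal 'whoami /all >>' misses a command line that spells the
# binary out as whoami.exe (as the atomic test does), so the pattern accepts both spellings.
WHOAMI_REDIRECT = re.compile(r"whoami(?:\.exe)?\s+/all\s*>>", re.IGNORECASE)

def whoami_redirect(ev):
    return (ev.parent.lower() == "wscript.exe" and ev.process.lower() == "cmd.exe"
            and WHOAMI_REDIRECT.search(ev.cmdline) is not None)

def nltest_trusts(ev):
    # Detection opportunity 3: only the two flags the page's logic names.
    return ev.process.lower() == "nltest.exe" and _has(ev.cmdline, "/domain_trusts", "/all_trusts", how=any)

DETECTORS = {"wscript_js": wscript_js, "whoami_redirect": whoami_redirect, "nltest_trusts": nltest_trusts}

def run_detectors(events):
    """Map each event index to the names of the detectors that fired on it; misses are omitted."""
    fired = {i: [n for n, fn in DETECTORS.items() if fn(ev)] for i, ev in enumerate(events)}
    return {i: names for i, names in fired.items() if names}

# Constructed sample telemetry, not real SocGholish data. Index 4 uses the /trusted_domains
# flag from the page's second nltest command; index 5 is a benign logon script.
SAMPLE_EVENTS = [
    ProcessEvent("wscript.exe", "chrome.exe", r'wscript.exe "C:\Users\alice\AppData\Local\Temp\Temp1_Update.zip\Update.js"', True),
    ProcessEvent("cmd.exe", "wscript.exe", r'cmd.exe /c "whoami /all >> C:\Users\alice\AppData\Local\Temp\rad3A9F1.tmp"'),
    ProcessEvent("cmd.exe", "wscript.exe", r'cmd.exe /c " whoami.exe /all >> C:\Users\alice\AppData\Local\Temp\radB2C7E.tmp"'),
    ProcessEvent("nltest.exe", "cmd.exe", "nltest /domain_trusts"),
    ProcessEvent("nltest.exe", "cmd.exe", "nltest /trusted_domains"),
    ProcessEvent("wscript.exe", "explorer.exe", r'wscript.exe "C:\Program Files\Vendor\logon.js"', True),
]
```

Running run_detectors(SAMPLE_EVENTS) fires on indices 0 to 3 only: nltest /trusted_domains, the second command in the T1482 test further down, does not match the /domain_trusts or /all_trusts check as written, so extend the flag list if that command should fire the detector.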
Atomic test T1482 #2: Discover domain trusts with nltest
In order to run nltest, the Windows Remote Server Administration Tools must be installed. This test is as simple as running nltest with the concerning flags.
nltest /domain_trusts
nltest /trusted_domains
Happy testing!
The above SocGholish tests provide a good overall picture of how this threat works and how it can be detected. Whether you run the Atomic Red Team tests on their own or through any of the other tools built on the Atomic Red Team project, this open-source library can help you prepare against a multitude of threats. Happy testing!
For convenience’s sake, you can find a round-up of all the tests included in this article in the following list: