Skip Navigation
Get a Demo
 
 
 
 
 
 
 
 
 
Resources Blog Intelligence Insights

Intelligence Insights: January 2023

End-of-year testing boosts Mimikatz & BloodHound, and ProxyNotShell is on the rise in this month’s edition of Intelligence Insights

The Red Canary Team

Each month, the Intel team provides Red Canary customers with an analysis of trending, emerging, or otherwise important threats that we’ve encountered in confirmed threat detections, intelligence reporting, and elsewhere over the preceding month. We call this report our “Intelligence Insights” and share a public version of it with the broader infosec community.

Highlights

To track pervasiveness over time, we identify the number of unique customer environments in which we observed a given threat and compare it to what we’ve seen in previous months.

Here’s how the numbers shook out for December 2022:

Last month's rankThreat nameThreat description
Last month's rank:

1

Threat name:Threat description :

Open source tool that dumps credentials using various techniques

Last month's rank:

2

Threat name:Threat description :

Open source tool used to identify attack paths and relationships in Active Directory

Last month's rank:

3

Threat name:Threat description :

Activity cluster using a worm spread by external drives that leverages Windows Installer to download a malicious DLL

Last month's rank:

4*

Threat name:Threat description :

Malware family used as part of a botnet. Some variants are worms and frequently spread via infected USB drives

Last month's rank:

4*

Threat name:Threat description :

Banking trojan focused on stealing user data and banking credentials; delivered through phishing, existing Emotet infections, and malicious Windows Installer (MSI) packages

Last month's rank:

6

Threat name:Threat description :

Collection of Python classes to construct/manipulate network protocols

Last month's rank:

7*

Threat name:Threat description :

Dropper/downloader, often distributed through search engine redirects

Last month's rank:

7*

Threat name:Threat description :

Dropper/downloader that uses compromised WordPress sites to redirect users to adversary infrastructure posing as necessary browser updates to trick users into running malicious code

Last month's rank:

9*

Threat name:Threat description :

Penetration testing tool that integrates functionality from multiple offensive security projects, can extend its functionality with a native scripting language

Last month's rank:

9*

Threat name:Threat description :

Information stealer used to siphon credentials and other information including credit card data, cryptocurrency wallets, and browser data

Last month's rank:

9*

Threat name:Threat description :

MacOS malware family associated with ad fraud activity through the distribution of adware applications

= trending up from previous month
= trending down from previous month
➡ = no change in rank from previous month

*Denotes a tie

Observations on trending threats

Here at Red Canary, we saw our customers doing a lot of testing in December. In September 2022, we started removing customer-reported testing from our top 10 trending threat lists to help reduce error and white noise. However, some testing is not explicitly marked as such by our customers, so it does not get removed from the trending threat numbers. We think these unmarked tests are reflected in December’s top 10 list. While Mimikatz and BloodHound are also leveraged by adversaries, we assess their place as the top 2 threats is likely due to unreported testing as opposed to a recent increase in their malicious use. Other trends to note include Zloader, Emotet, and Remote Utilities dropping out of the top 10, replaced by Cobalt Strike, Raccoon, and Shlayer.

ProxyNotShell exploitation of Exchange servers

Red Canary observed increasing exploitation of CVE-2022-41040 and CVE-2022-41082 in November and December 2022. In September 2022, security researchers identified variations of the Microsoft Exchange server ProxyShell vulnerability being exploited with limited scope. These new variations became known collectively as ProxyNotShell.” We assess that the recent increase in exploitation is likely due to the public release of proof-of-concept (POC) code on November 16, as outlined by BleepingComputer.

 

Red Canary observed exploitation incorporating the following characteristics:

 

  • Web shell files named iisstart.aspx and logout.aspx being written to inetpub\wwwroot\aspnet_client and exchange server\v15\frontend\httpproxy\ecp\auth
  • Activity initiated from w3wp.exe with a command line containing MSExchangePowerShellAppPool. Based on Red Canary testing, the activity we saw, and other researchers’ observations, malicious activity spawning from a w3wp.exe process with this command line is an indicator of potential ProxyNotShell exploitation.
  • We observed execution of Visual Basic Scripts (.vbs) from the windows\temp folder writing a malicious Meterpreter executable and subsequently making network connections. The executable’s internal file name, ab.exe, is the default metadata used by Meterpreter for its payloads.
  • In a separate intrusion, the malicious executable written to the windows\temp folder was a Cobalt Strike beacon.
  • A malicious .NET binary designed to rewrite the aforementioned web shells.

 

Based on historic exploitation of previous Exchange vulnerabilities as well as the follow-on activity seen by ourselves and other researchers, we assess a high likelihood of domain-wide compromise if ProxyNotShell activity is not remediated early. We recommend all organizations remediate CVE-2022-41040 and CVE-2022-41082 by following Microsoft’s guidance to update Exchange to the latest version. 

There are many behavior-based detection opportunities available during ProxyNotShell exploitation. One of those opportunities is keeping an eye on dynamic link library (DLL) files executing from the Windows Temp directory. Adversaries like to drop payloads in windows\temp because it’s typically available to all users in a system with read/write privileges enabled by default.

 


Detection opportunity: Rundll32 executing DLL files located in the Windows Temp directory

The following pseudo-detection analytic identifies instances of the Windows Rundll32 process loading code from DLL files located in the Windows Temp directory. It’s possible that some enterprise software in your environment will execute DLLs from windows\temp, so additional investigation may be needed to determine if the behavior is malicious.

process == (rundll32)

&&

command_line_includes == (windows\temp)

&&

command_line_does_not_include  ==  (*)

Note: * is a placeholder for approved software in your environment that loads legitimate DLLS from windows\temp

 

Intelligence Insights: December 2022

 

Intelligence Insights: November 2022

 

Intelligence Insights: October 2022

 

Intelligence Insights: September 2022

Subscribe to our blog

 
 
Back to Top