Community Night Presentation SANS Secure Australia 2023
Detecting & Hunting
Ransomware Operator Tools:
It’s Easier Than You Think!
Ryan Chapman
Author | FOR528: Ransomware for Incident Responders
About Me – Ryan Chapman | @rj_chap
• 11 years DFIR experience
• SANS Author
• FOR528: Ransomware for Incident Responders
• SANS Instructor
• FOR610: Reverse Engineering Malware
• $dayJob = IR Consultant
• Sponsor Liaison
• incidentresponse.training
Learn more in FOR528: Ransomware for Incident Responders | for528.com/course 2
Tonight’s Agenda
Ransomware Sucks! (a.k.a. About Ransomware)
Ransomware Operator Tooling
All Hail the King: PsExec
Data Access & Exfiltration
General Hunting
Ransomware Sucks!
Ransomware Evolution (2015+)
Human-Operated Ransomware (HUMOR)
• Attacks conducted via hands on keyboard
• Enables enterprise-wide distribution
Ransomware-as-a-Service (RaaS)
• Enables anyone to become an affiliate
Ransomware-as-a-Service (RaaS)
“Affiliate” programs established – it’s a business, literally
• Subscription-based leasing program for ransomware
• Strong business models & multi-faceted hierarchies
• Operators split profits with affiliates (e.g., 30/70 split)
RaaS Business Model – Roles and Participation
Each role is critical to the success of the “business”
Northwave Security, 2022
Types of Extortion
Data Encryption
• Deploys an encryptor payload to encrypt data and disable network services.
Data Exfiltration
• Exfiltrates your data and threatens to release the data to the public or sell it on the darknet if you do not pay the requested ransom.
Multi-Extortion
• Carrying out DDoS attacks on victim networks
• Contacting suppliers/partners
• Contacting regulatory bodies
• Calling VIPs/board and/or investors
Courtesy of Allan Liska (Twitter: @uuallan)
[Figure: ransomware attack lifecycle diagram; the recoverable content is summarized below]
Phases (left to right): Initial Access → Recon & Lateral Movement → Exfiltration → Deployment → Extortion
Time scale across the phases: Minutes → Hours to Weeks → Days to Months
Attacker infrastructure: Compromised Redirect → Real Infrastructure → C2 Infrastructure → Extortion Site
• Entry points: Phishing, Web Shell, Credential Stuffing/Re-use, RDP, Exploitation → Cobalt Strike or Loader
• Recon & lateral movement tooling: cmd.exe, at.exe, net.exe, nltest.exe, schtasks.exe, winrm.exe, lsass.exe, ping.exe, powershell.exe, taskmgr.exe, whoami.exe, WMIC, AdRecon, AdFind, Bloodhound, PowerSploit, Mimikatz, Lazagne, PsExec, LOLBins, Advanced IP Scanner, GMER, ProcessHacker, TDSSKiller, MetaSploit
• Targets reached: Endpoints, Linux Servers, Windows Servers, Domain Controller, ESXi
• Exfiltration tooling: StealBIT, 7-Zip, WinSCP/FileZilla, Rclone, MEGASync
• Deployment: Test ransomware; Deploy ransomware via Domain Controller, SCCM, .bat files, GPO, PSExec, or SMB; Delete Shadow Copies; Delete Backups; Cover tracks: remove or roll over logs
• Extortion: Publish stolen files to extortion site; Sell stolen data; Expanded extortion ecosystem
• Throughout: Remote control via RDP, TeamViewer, AnyDesk, Splashtop, Atera, ScreenConnect, etc.
Ransomware Operator Tooling
A Paradigm Shift
TAs have moved to readily available tools.
• Free and open source (FOSS)
• GitHub is now the TA’s best friend
• Scripting – TAs steal one another’s scripts ☺
• Living off the land binaries and scripts (for528.com/lolbas)
• Red team / Emulation / Simulation tools
• Malware-as-a-Service (MaaS)
• Remote Monitoring & Management (RMM) tools
Bring Your Own Tools (BYOT)
Block/alert on these!
• File sharing sites
• anonfiles.com
• dropmefiles.com
• file.io
• mega.io | mega.nz
• qaz.im
• temp.sh
• termbin.com
• transfer.sh
• ufile.io
• See the LOTS project:
• for528.com/lots
Bring Your Own Tools (BYOT) – DNS Lookups
Alert on DNS/network traffic
7zip • https://www.7-zip.org/download.html
AdFind • https://www.joeware.net/freetools/tools/adfind/index.htm
Advanced IP Scanner • https://www.advanced-ip-scanner.com/download/
Angry IP Scanner • https://angryip.org/download/#windows
AnyDesk • https://anydesk.com/en/downloads/
Process Hacker • https://processhacker.sourceforge.io/downloads.php
rclone • https://rclone.org/downloads/
WinSCP • https://winscp.net/eng/download.php
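The two lists above (file-sharing sites and tool download sites) are only useful if something actually matches them against resolver logs. The following is an added example, not code from the deck: it builds a watchlist from the slide's domains and runs it over a few constructed DNS query log lines (the "timestamp client query" line shape and the sample entries are assumptions). Matching is done on label boundaries so a lookup of omega.io does not trip the mega.io entry, and the trailing root dot some resolvers log is tolerated.

```python
"""Hunt DNS query logs for BYOT download sites and file-sharing domains.

Added example (not from the deck). The log format and the sample lines are
constructed; the domains come from the slide's two lists.
"""
import re

# Registrable domain (or exact host) -> what a lookup of it usually means.
WATCHLIST = {
    "7-zip.org": "7-Zip download",
    "joeware.net": "AdFind download",
    "advanced-ip-scanner.com": "Advanced IP Scanner download",
    "angryip.org": "Angry IP Scanner download",
    "anydesk.com": "AnyDesk download",
    "processhacker.sourceforge.io": "Process Hacker download",
    "rclone.org": "rclone download",
    "winscp.net": "WinSCP download",
    "anonfiles.com": "file sharing",
    "dropmefiles.com": "file sharing",
    "file.io": "file sharing",
    "mega.io": "file sharing (MEGA)",
    "mega.nz": "file sharing (MEGA)",
    "qaz.im": "file sharing",
    "temp.sh": "file sharing",
    "termbin.com": "file sharing",
    "transfer.sh": "file sharing",
    "ufile.io": "file sharing",
}

# Constructed log line shape: "<timestamp> <client-ip> <query-name>"
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def watch_domain_for(qname):
    """Return the watchlist key that qname equals or is a subdomain of, else None.

    Suffix matching is done on label boundaries, so 'omega.io' does not match
    'mega.io' while 'www.7-zip.org' does match '7-zip.org'.
    """
    name = qname.rstrip(".").lower()  # tolerate a logged trailing root dot
    for domain in WATCHLIST:
        if name == domain or name.endswith("." + domain):
            return domain
    return None


def hunt_dns(log_text):
    """Return a list of hits: (timestamp, client, qname, watch_domain, label)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts, client, qname = m.groups()
        domain = watch_domain_for(qname)
        if domain is not None:
            hits.append((ts, client, qname, domain, WATCHLIST[domain]))
    return hits


def clients_to_triage(hits):
    """Clients ordered by how many distinct watchlist domains they resolved."""
    per_client = {}
    for _ts, client, _qname, domain, _label in hits:
        per_client.setdefault(client, set()).add(domain)
    return sorted(((c, len(d)) for c, d in per_client.items()), key=lambda x: -x[1])


# Constructed sample log: one host touching several tool/exfil sites, one noisy
# but benign host, and a look-alike domain to prove the boundary check.
SAMPLE_LOG = """\
2023-05-02T10:14:01Z 10.10.4.22 g.live.com
2023-05-02T10:15:37Z 10.10.4.22 www.7-zip.org
2023-05-02T10:16:02Z 10.10.4.22 downloads.rclone.org
2023-05-02T10:20:11Z 10.10.4.22 mega.nz
2023-05-02T10:21:45Z 10.10.7.5 update.microsoft.com
2023-05-02T10:22:03Z 10.10.7.5 omega.io
2023-05-02T10:23:19Z 10.10.7.5 anonfiles.com.
"""

if __name__ == "__main__":
    found = hunt_dns(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print(clients_to_triage(found))
```

A host that resolves several of these in a short window (the 10.10.4.22 pattern above: archiver, rclone, then MEGA) is the shape to alert on; a single hit on a file-sharing site is often a user, so rank by distinct domains per client rather than raw count.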
Identifying Renamed Executables
Threat actors do not always rename executables
• E.g., mimikatz_trunk.zip → mimikatz.exe
When they do rename, they often ignore VERSIONINFO
• Description
• Product
• Company
• OriginalFileName
Example OriginalFileName values
• for528.com/exeoriginalname
• for528.com/binaryrename
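Sysmon Event ID 1 carries the VERSIONINFO fields named above (OriginalFileName, Description, Company), so the comparison can be done on logs without touching the binary. The block below is an added example, not from the deck: it compares the on-disk basename of Image with OriginalFileName over constructed Sysmon-style records. The OriginalFileName values in KNOWN_TOOLS are assumptions to verify against your own copies (the deck only vouches for MEGAsync.exe), and the 64-bit handling assumes that Sysinternals 64-bit builds carry the 32-bit OriginalFileName.

```python
"""Spot renamed tooling by comparing a process's on-disk name with the
VERSIONINFO OriginalFileName that Sysmon Event ID 1 records.

Added example (not from the deck). The records are constructed; the
OriginalFileName values in KNOWN_TOOLS are assumptions to verify locally.
"""
import ntpath

# OriginalFileName (lower-case) -> tool. Assumed values; verify against your copies.
KNOWN_TOOLS = {
    "mimikatz.exe": "Mimikatz",
    "psexec.c": "PsExec",
    "adfind.exe": "AdFind",
    "megasync.exe": "MEGAsync",  # value given on the deck's MEGAsync slide
    "7z.exe": "7-Zip console",
}


def _stem(filename):
    """'PsExec64.exe' -> 'psexec64'; lets 'psexec.c' and 'psexec.exe' agree."""
    return ntpath.splitext(filename)[0].lower()


def _names_agree(image_name, orig):
    """Treat 'psexec64' as agreeing with 'psexec' (assumption: 64-bit
    Sysinternals builds keep the 32-bit OriginalFileName)."""
    a, b = _stem(image_name), _stem(orig)
    return a == b or a == b + "64"


def check_record(rec):
    """Return a list of findings for one Sysmon Event ID 1-style record."""
    image_name = ntpath.basename(rec.get("Image", "")).lower()
    orig = (rec.get("OriginalFileName") or "-").lower()
    findings = []
    if orig == "-":
        # No VERSIONINFO at all: common for hand-built or packed tooling.
        findings.append("no OriginalFileName in VERSIONINFO")
        return findings
    if orig in KNOWN_TOOLS:
        findings.append(f"known tool: {KNOWN_TOOLS[orig]} (OriginalFileName={orig})")
    if not _names_agree(image_name, orig):
        findings.append(f"renamed: on-disk name {image_name} != OriginalFileName {orig}")
    return findings


def hunt(records):
    """Map Image path -> findings for every record that produced any."""
    results = {}
    for rec in records:
        found = check_record(rec)
        if found:
            results[rec["Image"]] = found
    return results


# Constructed Sysmon Event ID 1-style records (field names are Sysmon's).
RECORDS = [
    {"Image": r"C:\Users\Public\svchost.exe", "OriginalFileName": "mimikatz.exe",
     "Description": "mimikatz for Windows", "Company": "gentilkiwi (Benjamin DELPY)"},
    {"Image": r"C:\Windows\Temp\ps.exe", "OriginalFileName": "psexec.c",
     "Description": "Execute processes remotely", "Company": "Sysinternals - www.sysinternals.com"},
    {"Image": r"C:\Tools\PsExec64.exe", "OriginalFileName": "psexec.c",
     "Description": "Execute processes remotely", "Company": "Sysinternals - www.sysinternals.com"},
    {"Image": r"C:\Program Files\7-Zip\7z.exe", "OriginalFileName": "7z.exe",
     "Description": "7-Zip Console", "Company": "Igor Pavlov"},
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe",
     "Description": "Host Process for Windows Services", "Company": "Microsoft Corporation"},
    {"Image": r"C:\Users\Public\a.exe", "OriginalFileName": "-",
     "Description": "-", "Company": "-"},
]

if __name__ == "__main__":
    for image, findings in hunt(RECORDS).items():
        print(image, "->", findings)
```

A "known tool" hit with a matching name (7z.exe in its normal location) is inventory, not an incident; the combination of a known-tool OriginalFileName with a mismatched on-disk name (svchost.exe that is really Mimikatz) is what to page on.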
Common Bypass Tools & Techniques
Security tool disablers
• GMER | gmer.exe
• HitmanPro.exe
• PCHunter.exe
• ProcessHacker.exe
Advanced
• Bring Your Own Vulnerable Driver (BYOVD)
• for528.com/byovd
• for528.com/byovd2
• DLL Hijacking
• for528.com/hijack
LOLBAS
• sc/net
• tasklist/taskkill
• Get-Service/Stop-Service
• Get-Process/Stop-Process
Remote Monitoring and Management (RMM)
Commercial RMM products used by TAs are often easy to find!
Usually registered in Add/Remove Programs (i.e., the Uninstall registry keys)!
• Ensure you have an approved list!
• Whatever is not approved → BLOCK & HUNT!
Commonly seen RMM tools:
• AnyDesk
• Atera
• LogMeIn
• ConnectWise (formerly ScreenConnect)
• Splashtop
• TeamViewer
• Various VNC variations
RMM Tool Logs
AnyDesk
•%APPDATA%\AnyDesk\ad.trace
•%PROGRAMDATA%\AnyDesk\connection_trace.txt
•%PROGRAMDATA%\AnyDesk\ad_svc.trace
ConnectWise/ScreenConnect
•%SYSTEMROOT%\temp\screenconnect\[version]\
•%PROGRAMDATA%\ScreenConnect Client ([fingerprint])\
•%PROGRAMFILES(x86)%\ScreenConnect Client ([fingerprint])\
•%USERPROFILE%\Documents\ConnectWiseControl\Files\
•%USERPROFILE%\Documents\ConnectWiseControl\captures\
• Scripts written to: %SYSTEMROOT%\temp
TeamViewer
•C:\Program Files\TeamViewer\Connections_incoming.txt
•C:\Program Files\TeamViewer\TeamViewer15_Logfile.log
•C:\Program Files\TeamViewer\TVNetwork.log
•%APPDATA%\TeamViewer\TeamViewer15_Logfile.log
•%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log
Additional RMM Hunting Fun
Check out these fantastic presentations to learn more!
• See Fernando Tomlinson’s “Establishing Connection -
Illuminating Remote Access Artifacts in Windows”
presentation from the SANS DFIR Summit 2022
https://for528.com/illuminating
• See Théo Letailleur’s “Legitimate RATS: A Comprehensive
Forensic Analysis of the Usual Suspects” article
https://for528.com/usual-suspects
All Hail the King: PsExec
PsExec (Sysinternals) – The King of Lateral Movement & Deployment!
Remote system requirements
• SMB service must be enabled.
• File and Print Sharing must be enabled.
• Simple File Sharing must be disabled.
• Administrative Shares (ADMIN$) must be enabled.
Actual process for running processes remotely
• Opens an SMB session from the client to the target.
• Accesses the target’s ADMIN$ share & uploads PSEXESVC.exe.
• Opens a handle to the target’s named pipe \\<target>\pipe\svcctl to talk to the
Service Control Manager (SCM) over RPC.
• Calls CreateService with the newly uploaded PSEXESVC.exe as the service binary path.
• Calls StartService to run the service; the service then creates its own named pipes
(PSEXESVC-<client>-<pid>-stdin/stdout/stderr) to relay I/O back to the client.
PsExec Process Flow
Stamatoukos, 2020
PsExec Network Activity (1/2)
Context Information Security, 2018
PsExec Network Activity (2/2)
Context Information Security, 2018
PsExec Deployment Examples
• Deployment via PsExec often relies on the @file parameter, which
designates a list of target hosts (a .txt file containing IPs or hostnames):
    psexec.exe -accepteula @C:\Windows\Temp\trgt.txt -u SAMARAN\AdminPerz0n -p x86OpcodesAreGR@tefuN123 cmd /c copy "\\127.0.0.1\c$\Windows\Temp\x.exe" "C:\Windows\Temp"
    start PsExec.exe -d @\\127.0.0.1\c$\Windows\Temp\trgt.txt -u SAMARAN\AdminPerz0n -p x86OpcodesAreGR@tefuN123 cmd /c c:\windows\temp\x.exe
• You may also see standard copy or xcopy commands run to copy the
binaries followed by PsExec or WMIC invocation.
Detecting & Hunting PsExec – Examples
May need tuning if your org uses PsExec legitimately!
• Process creation/termination: Event IDs 4688/4689 | Sysmon Event IDs 1 / 5
• File creations (e.g., Sysmon Event ID 11):
• Source: PSEXEC.exe | Dest: PSEXESVC.exe (lands in the target’s %SystemRoot% via ADMIN$)
• Event IDs 7045 / 7036 / 4697 for service: PSEXESVC
• [7045 / 0x1b85] Source Name: Service Control Manager Strings: ['PSEXESVC',
'%SystemRoot%\\PSEXESVC.exe', 'user mode service', 'demand start',
'LocalSystem'] Computer Name: samaran-exch.samaranpro.com
• Registry key that stores End-User License Agreement (EULA) acceptance
(in the hive of the user who ran PsExec on the source host):
• HKEY_CURRENT_USER\Software\Sysinternals\PsExec\EulaAccepted
• Command line strings: -accepteula | @ (target-list file)
• Pipe creations (Sysmon Event IDs 17 / 18): psexesvc*
• Caveat: the -r switch lets the operator rename the PSEXESVC service and binary, so
hunt on the shape (7045 demand-start LocalSystem service whose binary sits in
%SystemRoot%, plus <name>-<host>-<pid>-stdin/stdout/stderr pipes), not on the name alone.
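The indicators above come from different logs on different hosts (service install and pipes on the target, command line and EULA key on the source), so the value is in correlating them per computer. Here is an added example, not from the deck, that does that over constructed event records. The dicts use the field names the indicators refer to (ServiceName, ImagePath, TargetFilename, PipeName, CommandLine, TargetObject) and a simplified "Channel" value of System, Security or Sysmon; a real pipeline would feed it parsed EVTX or JSON. The command line and computer name reuse the deck's own example values.

```python
"""Correlate PsExec artifacts per host from mixed Windows/Sysmon events.

Added example (not from the deck). Event records are constructed dicts; the
Channel values are a simplification of the real channel names.
"""
import re

EULA_KEY_SUFFIX = r"\software\sysinternals\psexec\eulaaccepted"
# "@C:\...\trgt.txt" target-list parameter: an @ that starts a whitespace-delimited token,
# so an e-mail address inside a command line does not count.
AT_FILE_RE = re.compile(r"(?<!\S)@(\S+)")


def classify(ev):
    """Return (indicator_name, detail) if the event is a PsExec artifact, else None."""
    eid, chan = ev.get("EventID"), ev.get("Channel", "")
    svc = ev.get("ServiceName", "").upper()
    if chan == "System" and eid in (7045, 7036) and svc == "PSEXESVC":
        return ("service_install", ev.get("ImagePath", ""))
    if chan == "Security" and eid == 4697 and svc == "PSEXESVC":
        return ("service_install", ev.get("ServiceFileName", ""))
    if chan == "Sysmon":
        if eid == 11 and ev.get("TargetFilename", "").lower().endswith("psexesvc.exe"):
            return ("file_drop", ev["TargetFilename"])
        if eid in (17, 18):
            pipe = ev.get("PipeName", "").lower().lstrip("\\")
            if pipe.startswith("psexesvc"):  # \PSEXESVC and \PSEXESVC-<host>-<pid>-stdin etc.
                return ("named_pipe", ev["PipeName"])
        if eid == 1:
            cmdline = ev.get("CommandLine", "")
            m = AT_FILE_RE.search(cmdline)
            if "-accepteula" in cmdline.lower() or m:
                # Surface the target-list path when present; it is the next thing to collect.
                return ("client_cmdline", m.group(1) if m else cmdline)
        if eid in (12, 13) and ev.get("TargetObject", "").lower().endswith(EULA_KEY_SUFFIX):
            return ("eula_registry", ev["TargetObject"])
    return None


def correlate(events):
    """Per computer: {'indicators': {name: [details]}, 'score': distinct indicator count}."""
    per_host = {}
    for ev in events:
        hit = classify(ev)
        if hit is None:
            continue
        name, detail = hit
        per_host.setdefault(ev["Computer"], {}).setdefault(name, []).append(detail)
    return {host: {"indicators": inds, "score": len(inds)} for host, inds in per_host.items()}


# Constructed events: a target (samaran-exch), the source workstation (ws01),
# and a host with a benign service install and an unrelated '@' (fs02).
EVENTS = [
    {"Computer": "samaran-exch", "Channel": "System", "EventID": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"Computer": "samaran-exch", "Channel": "Sysmon", "EventID": 11,
     "Image": "System", "TargetFilename": r"C:\Windows\PSEXESVC.exe"},
    {"Computer": "samaran-exch", "Channel": "Sysmon", "EventID": 17, "PipeName": r"\PSEXESVC"},
    {"Computer": "samaran-exch", "Channel": "Sysmon", "EventID": 17,
     "PipeName": r"\PSEXESVC-WS01-4312-stdin"},
    {"Computer": "ws01", "Channel": "Sysmon", "EventID": 1,
     "CommandLine": r'psexec.exe -accepteula @C:\Windows\Temp\trgt.txt -u SAMARAN\AdminPerz0n -p x86OpcodesAreGR@tefuN123 cmd /c copy "\\127.0.0.1\c$\Windows\Temp\x.exe" "C:\Windows\Temp"'},
    {"Computer": "ws01", "Channel": "Sysmon", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Sysinternals\PsExec\EulaAccepted"},
    {"Computer": "fs02", "Channel": "System", "EventID": 7045,
     "ServiceName": "Sysmon64", "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"Computer": "fs02", "Channel": "Sysmon", "EventID": 1,
     "CommandLine": "cmd.exe /c echo user@example.com"},
]

if __name__ == "__main__":
    for host, summary in correlate(EVENTS).items():
        print(host, summary["score"], summary["indicators"])
```

The score counts distinct indicator types rather than events, so a target with many stdin/stdout/stderr pipes does not outrank a source host that shows both the command line and the EULA key; the @file path pulled from the command line is the first thing to grab, because it is the operator's own list of what else they touched.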
Data Access & Exfiltration
WinZip and 7zip Artifacts
WinZip & 7zip maintain archive data in the registry.
• NTUSER.DAT\Software\Nico Mak Computing\WinZip\
• NTUSER.DAT\Software\7-Zip\
WinRAR’s Archive History
WinRAR keeps the most recently used archive paths in the registry as well:
• NTUSER.DAT\Software\WinRAR\ArcHistory
Cloud-Based File Sharing
This may sound ridiculous, because it IS!
• Ransomware actors may literally open a web browser, sign in to a cloud-
sharing site, and upload victim data.
Common sites – BLOCK anything not approved!
• MEGA
• SendSpace
• WeTransfer
• Google Drive | Dropbox | Box | OneDrive
• Cloud-based storage/buckets: AWS | GCP | Azure
Again, see LOTS project: for528.com/lots
Example LSASS Dump Exfiltration
The Monti ransomware group used DropMeFiles for exfil.
FileZilla and WinSCP – Common Exfil Tools
FileZilla log locations:
• %APPDATA%\FileZilla\filezilla.xml
• %APPDATA%\FileZilla\recentservers.xml
• %APPDATA%\FileZilla\trustedcerts.xml
• %APPDATA%\FileZilla\sitemanager.xml
• %APPDATA%\FileZilla\*.sqlite3
WinSCP Registry data:
• Username & remote IP address:
• HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\CDCache
• Log file (may or may not exist):
• HKCU\Software\Martin Prikryl\WinSCP 2\Configuration\Logging
• Local and remote directories:
• HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\LocalTarget
• HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Configuration\History\RemoteTarget
MEGAsync: MEGA’s First-Party Synchronization Agent
MEGAsync is found in many ransomware cases.
OriginalFileName value: MEGAsync.exe
Scheduled task: \MEGA\MEGAsync Update Task
Executable location:
• %LOCALAPPDATA%\MEGAsync
Log files located in:
• %LOCALAPPDATA%\Mega Limited\MEGAsync\logs\
General Hunting
Looking for PEs in All the Wrong RIGHT Places
• %AppData% | %ProgramData% | %TEMP% leveraged often
• C:\Users\Public\ & C:\Perflogs\ commonly used for staging
• Monitor for suspicious EXEs in %APPDATA% & %LOCALAPPDATA%
C:\\Users\\.+\\AppData\\(Roaming|Local)\\.*\.exe
• Monitor for EXEs dropped into these directories:
C:\\ProgramData\\.+\.exe
C:\\Users\\Public\\.*\.exe
• Silly %UserProfile% locations
%USERPROFILE%\\(Videos|Music|Pictures)\\.+\.(exe|dll|bat|ps1)
• See also WinSxS, $Recycle Bin & Temporary Internet Files
directories
%COMSPEC% and Named Pipes – A Match Made in DARKNESS
• %COMSPEC% points to the CLI interpreter (i.e., cmd.exe)
• Note: the /c and /k parameters designate the command to run (/c exits afterwards, /k keeps the shell open):
%COMSPEC% /c [command]
• Named pipes are part of Interprocess Communication (IPC)
• Check for the following pattern used by Cobalt Strike:
%COMSPEC% /c echo 5f133503c8d > \\.\pipe\c73645
• Regex: ^.*COMSPEC.*echo.*pipe.*$
• General: "\%COMSPEC\%" AND echo AND pipe
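The path patterns from the previous slide and the %COMSPEC% pipe pattern above are written as regexes, so they can be exercised directly. The block below is an added example, not from the deck: it compiles the slide's patterns as Python raw strings (case-insensitive, since NTFS paths are) and runs them over constructed file-create paths and process command lines. Two things are assumptions of mine: %USERPROFILE% is expanded to any C:\Users\<name>\, and a second "expanded" pipe regex is added because the command line logged after cmd.exe resolves %COMSPEC% no longer contains the literal string COMSPEC, which the slide's regex depends on.

```python
"""Regex hunting for PEs in staging directories and for the %COMSPEC% named-pipe
pattern, over Sysmon-style file-create paths and process command lines.

Added example (not from the deck). The patterns are the ones on the two
hunting slides; the sample paths and command lines are constructed.
"""
import re

# %USERPROFILE% on the slide is taken to mean any C:\Users\<name>\ (assumption).
USERPROFILE = r"C:\\Users\\[^\\]+"

PATH_RULES = {
    "exe_in_appdata":      r"^C:\\Users\\.+\\AppData\\(Roaming|Local)\\.*\.exe$",
    "exe_in_programdata":  r"^C:\\ProgramData\\.+\.exe$",
    "exe_in_users_public": r"^C:\\Users\\Public\\.*\.exe$",
    "exe_in_perflogs":     r"^C:\\PerfLogs\\.*\.exe$",
    "pe_in_media_dirs":    r"^" + USERPROFILE + r"\\(Videos|Music|Pictures)\\.+\.(exe|dll|bat|ps1)$",
}
COMPILED = {name: re.compile(pattern, re.IGNORECASE) for name, pattern in PATH_RULES.items()}

# The slide's regex: needs the literal COMSPEC in the logged command line.
COMSPEC_PIPE_RE = re.compile(r"^.*COMSPEC.*echo.*pipe.*$", re.IGNORECASE)
# Extension (assumption): the same "echo <token> > \\.\pipe\<name>" shape after
# %COMSPEC% has already been expanded to cmd.exe by the time the process is logged.
EXPANDED_PIPE_RE = re.compile(
    r"(?:%COMSPEC%|cmd(?:\.exe)?)\s+/[ck]\s+echo\s+\S+\s*>\s*\\\\\.\\pipe\\", re.IGNORECASE
)


def path_rules_hit(path):
    """Names of the staging-directory rules that match a file path."""
    return [name for name, rx in COMPILED.items() if rx.search(path)]


def comspec_pipe_hit(cmdline):
    """True if the slide's regex or its expanded-cmd.exe variant matches."""
    return bool(COMSPEC_PIPE_RE.search(cmdline) or EXPANDED_PIPE_RE.search(cmdline))


def hunt(file_paths, command_lines):
    """Return {'paths': {path: [rule names]}, 'cmdlines': [matching command lines]}."""
    paths = {}
    for path in file_paths:
        rules = path_rules_hit(path)
        if rules:
            paths[path] = rules
    cmdlines = [c for c in command_lines if comspec_pipe_hit(c)]
    return {"paths": paths, "cmdlines": cmdlines}


# Constructed samples: staging-directory drops, two benign paths, one %COMSPEC%
# pipe command, one already-expanded variant, and two benign command lines.
SAMPLE_PATHS = [
    r"C:\Users\bob\AppData\Roaming\svc.exe",
    r"C:\Users\bob\AppData\Local\Temp\7z.exe",
    r"C:\ProgramData\Microsoft\upd.exe",
    r"C:\Users\Public\mimi.exe",
    r"C:\PerfLogs\rclone.exe",
    r"C:\Users\bob\Music\update.ps1",
    r"C:\Users\bob\Documents\report.docx",
    r"C:\Program Files\7-Zip\7z.exe",
]
SAMPLE_CMDLINES = [
    r"%COMSPEC% /c echo 5f133503c8d > \\.\pipe\c73645",
    r"C:\Windows\System32\cmd.exe /c echo 2a9f1c > \\.\pipe\msagent_ab12",
    r"cmd.exe /c echo hello > C:\Temp\out.txt",
    r'powershell.exe -NoProfile -c "Get-Process"',
]

if __name__ == "__main__":
    result = hunt(SAMPLE_PATHS, SAMPLE_CMDLINES)
    for path, rules in result["paths"].items():
        print(path, "->", rules)
    for cmdline in result["cmdlines"]:
        print("pipe pattern:", cmdline)
```

The second command line is the caveat in action: it is the same Cobalt Strike shape, but the slide's COMSPEC-based regex misses it once the variable has been expanded, so keep both forms in the rule. The ProgramData and AppData rules will fire on legitimate installers too; pair them with the OriginalFileName check or an allowlist of signed publishers before alerting.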
COURSE RESOURCES AND CONTACT INFORMATION
AUTHOR CONTACT
Ryan Chapman
rchapman@sans.org
Twitter: @rj_chap
linkedin.com/in/ryanjchapman/
SANS INSTITUTE
11200 Rockville Pike, Suite 200
N. Bethesda, MD 20852
301.654.SANS(7267)
DFIR RESOURCES
digital-forensics.sans.org
Twitter: @sansforensics
SANS EMAIL
GENERAL INQUIRIES: info@sans.org
REGISTRATION: registration@sans.org
TUITION: tuition@sans.org
PRESS/PR: press@sans.org