Track Common Adversary Tasks Performed Using AuditCred

 



To know more about it, you can go through my detailed document by clicking here










Overview

The Lazarus Group used the malicious DLL AuditCred in its 2018 attacks. The malware is capable of fairly simple operations: searching through the files and folders on the system, deleting files, opening a reverse shell to run commands, and routing its communications through a proxy. It can also inject code read from files into other running processes. Its code and configuration are kept in encrypted form, and it uses XOR and RC4 to decrypt them at run time; for persistence it is installed as a new Windows service on the infected machine.
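The overview says the malware decrypts its code and configuration with XOR and RC4. When analysing a sample like this, the usual first step is to reimplement those two primitives so encrypted strings or configuration blobs can be decoded offline. The following is an added example written for this post, not code from AuditCred or from any vendor tool. The RC4 key, the XOR key and the layering order (RC4 applied over an XOR-masked blob) are assumptions chosen for the demonstration, and the "configuration" it decodes is constructed here; the real malware's key material and layout have to come from your own reversing. It generalises the single-byte XOR the text implies to a repeating multi-byte XOR key (a one-byte key is just the special case).

```python
"""Added example: XOR + RC4 decoding as an analyst would reimplement it.
Not AuditCred's own code; keys, XOR mask and layering are ASSUMPTIONS."""


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 key scheduling (KSA) followed by keystream generation (PRGA).
    RC4 is a stream cipher, so encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA: one keystream byte per input byte
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key is the classic single-byte mask.
    Self-inverse, so the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_blob(blob: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Undo the ASSUMED layering: RC4 first, then strip the XOR layer."""
    return xor_crypt(rc4_crypt(rc4_key, blob), xor_key)


def encode_blob(plain: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Inverse of decode_blob; used only to build the constructed sample."""
    return rc4_crypt(rc4_key, xor_crypt(plain, xor_key))


def rc4_self_test() -> bool:
    """Check the RC4 implementation against the public test vector
    RC4("Key", "Plaintext") = BB F3 16 E8 D9 40 AF 0A D3 before trusting
    anything it decodes."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"


# Constructed sample data (not recovered from the real malware).
ASSUMED_RC4_KEY = b"demo-rc4-key-not-real"
ASSUMED_XOR_KEY = bytes([0x5A])
SAMPLE_CONFIG = b"proxy=10.0.0.5:8080;c2=example.invalid:443"
ENCRYPTED_SAMPLE = encode_blob(SAMPLE_CONFIG, ASSUMED_RC4_KEY, ASSUMED_XOR_KEY)

if __name__ == "__main__":
    assert rc4_self_test(), "RC4 implementation does not match the known vector"
    print(decode_blob(ENCRYPTED_SAMPLE, ASSUMED_RC4_KEY, ASSUMED_XOR_KEY).decode())
```

Run the self test before decoding anything: a typo in the KSA or PRGA still yields "random-looking" output, and the known-answer vector is the only cheap way to tell a wrong implementation from a wrong key.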

Capabilities

The following are some of the tasks that AuditCred is capable of:
  • It can search the system's folders and files for information of interest, delete files, and inject code into running processes. Injection lets the malware run in the context of another process, giving it access to that process's memory, its system and network resources, and possibly elevated privileges.

  • It can open a reverse shell and execute commands through the Windows Command Shell (cmd.exe); an operator with that shell can also use it to bring additional tools and files into the compromised environment.

  • Its code and configuration are stored obfuscated (encrypted with XOR and RC4), which hinders static analysis and signature-based detection, and its ability to delete files lets it remove artefacts of the intrusion before a forensic investigation.

  • It installs itself as a new Windows service, so its payload is executed again on every boot. This gives it persistence, and because services are usually run as LocalSystem it also typically runs with elevated privileges.

  • It can route its command-and-control traffic through a proxy, deciding how its network data is relayed between systems; this hides the true destination of the traffic and avoids direct connections that would stand out.

Prevention

The techniques listed below can help protect your network against this malware, or at least detect it early:
  • Monitor for file-deletion utilities that are not normally present on hosts in the environment, and for Windows API calls that may indicate code injection into another process (for example CreateRemoteThread, WriteProcessMemory or VirtualAllocEx targeting a process other than the caller).

  • Analyze packet contents to identify communications that do not follow the expected protocol behaviour for the port in use; proxied or tunnelled command-and-control traffic often stands out this way.

  • Keep track of files that are created on hosts and transferred across the network, particularly executables and DLLs written to unusual locations.

  • Monitor for new service installations (Windows System log event 7045, or Security log event 4697 when service-install auditing is enabled) and review the service binary paths, scripts and system utilities they reference; a service whose binary lives in a user-writable directory, or which launches a DLL through a loader such as rundll32.exe, deserves a closer look.

  • Review network data for uncommon data flows, such as a host that does not normally talk to the internet suddenly sending data, or connections to unexpected proxy endpoints.
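The two service-related items above (new service installations and unusual service binary paths) are the easiest to turn into working triage logic, because a DLL-based implant installed as a service leaves a very recognisable trace: a service whose image path points a loader host at a DLL in a user-writable directory. The following is an added example written for this post, not code from the original or from any vendor product. It runs over constructed records shaped like the fields of Windows System log event 7045 ("A service was installed in the system"); the hostnames, service names and paths are made up, and the trusted-path and writable-path lists are assumptions you would tune to your own environment. In production you would feed it records exported with Get-WinEvent or from your SIEM instead of the inline list.

```python
"""Added example: triage of event 7045 service-install records for the
detection points in the text.  Sample records are CONSTRUCTED, and the
path lists are ASSUMPTIONS to be tuned per environment."""

import re
from typing import Dict, List, Tuple

# Assumption: where legitimately installed service binaries normally live.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Assumption: user-writable or staging locations that malware favours.
WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\programdata\\", "\\appdata\\", "\\public\\")
# Binaries whose only job is to load a DLL; a service DLL needs a host like these.
DLL_HOSTS = ("rundll32.exe", "regsvr32.exe")
# Pull every path-like token (exe, dll, sys) out of a command line, so the
# DLL passed as an argument to rundll32 is inspected as well as the loader.
PATH_TOKEN = re.compile(r"[a-z]:\\.*?\.(?:exe|dll|sys)\b")


def normalize_path(image_path: str) -> str:
    """Lower-case, drop quotes and expand %SystemRoot%/%windir% so the
    prefix checks below see one canonical form."""
    p = image_path.strip().replace('"', "").lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def assess_install(rec: Dict[str, str]) -> List[str]:
    """Return the reasons a 7045 record looks suspicious; an empty list means
    nothing in the record tripped a heuristic."""
    reasons: List[str] = []
    path = normalize_path(rec["ServiceFileName"])
    tokens = PATH_TOKEN.findall(path)
    host = tokens[0].rsplit("\\", 1)[-1] if tokens else ""
    if host in DLL_HOSTS or any(t.endswith(".dll") for t in tokens):
        reasons.append("service runs a DLL through a loader host")
    for token in tokens:
        if any(marker in token for marker in WRITABLE_MARKERS):
            reasons.append(f"binary in user-writable location: {token}")
        elif not token.startswith(TRUSTED_PREFIXES):
            reasons.append(f"binary outside standard install locations: {token}")
    # Only worth noting once something else is already wrong: every benign
    # service is auto-start too, but for an implant it means boot persistence.
    if reasons and rec.get("ServiceStartType", "").lower() == "auto start":
        reasons.append("auto-start gives boot persistence")
    return reasons


def suspicious_service_installs(events: List[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """Filter a batch of 7045 records down to (computer, service, reasons)."""
    flagged = []
    for rec in events:
        reasons = assess_install(rec)
        if reasons:
            flagged.append((rec["Computer"], rec["ServiceName"], reasons))
    return flagged


# Constructed 7045 records (field names follow the event's message text).
SAMPLE_EVENTS = [
    {"Computer": "WS01", "ServiceName": "WSearch",
     "ServiceFileName": r"%SystemRoot%\system32\SearchIndexer.exe /Embedding",
     "ServiceType": "user mode service", "ServiceStartType": "auto start",
     "ServiceAccount": "LocalSystem"},
    {"Computer": "WS01", "ServiceName": "VendorUpdater",
     "ServiceFileName": r'"C:\Program Files\Vendor\updater.exe" -svc',
     "ServiceType": "user mode service", "ServiceStartType": "auto start",
     "ServiceAccount": "LocalSystem"},
    {"Computer": "WS07", "ServiceName": "SysHelper",
     "ServiceFileName": r"C:\Windows\System32\rundll32.exe C:\Users\Public\Libraries\svchelper.dll,ServiceMain",
     "ServiceType": "user mode service", "ServiceStartType": "auto start",
     "ServiceAccount": "LocalSystem"},
    {"Computer": "WS07", "ServiceName": "netsvc2",
     "ServiceFileName": r"C:\ProgramData\cache\netsvc2.exe",
     "ServiceType": "user mode service", "ServiceStartType": "demand start",
     "ServiceAccount": "LocalSystem"},
]

if __name__ == "__main__":
    for computer, name, reasons in suspicious_service_installs(SAMPLE_EVENTS):
        print(f"{computer}: {name}")
        for r in reasons:
            print(f"    - {r}")
```

The loader-host heuristic is deliberately narrow. Most legitimate service DLLs are hosted by svchost.exe, whose 7045 image path only shows "svchost.exe -k <group>"; the DLL itself is in the service's Parameters\ServiceDll registry value, so a complete pipeline should baseline known services and check that value too rather than rely on the image path alone.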









