Dell SecureWorks Counter Threat Unit™ (CTU) analysts were recently engaged with a client thought to have been compromised by a threat group CTU researchers have named Threat Group-0416 (TG-0416)[i]. Various artifacts from the initial phases of the incident provided strong indications of the existence of this particular threat group within the client's infrastructure.
TG-0416 is a stealthy and extremely successful Advanced Persistent Threat (APT) group known to target a broad range of verticals since at least 2009, including technology, industrial, manufacturing, human rights groups, government, pharmaceutical, and medical technology.
The threat actors achieved an initial foothold into the infrastructure via phishing email that convinced victims to install the Xyligan remote access trojan (RAT) on a system. The threat actors then installed the hcdLoader RAT, which installs as a Windows service and provides command line access to the compromised system.
Using host-based digital forensic analysis, CTU analysts observed the intruders using the native at.exe Windows task scheduler tool to move laterally within the infrastructure. Many threat groups use lateral movement techniques, but this engagement allowed CTU analysts not only to further validate indicators of lateral movement, but also to examine those indicators more closely and expand the cluster of indicators surrounding the use of at.exe for lateral movement within an infrastructure.
There are multiple methods that allow intruders to move laterally between systems within a compromised infrastructure and perform tasks such as mapping shares and using the freely available PSExec.exe tool to run commands on remote systems. Many of these methods use the command line, and each method leaves a particular set of indicators on both the source and destination systems.
Two command line tools native to Windows 7 systems can be used to create scheduled tasks on remote systems: schtasks.exe and at.exe. Each tool has its own command line syntax and options. Observations by CTU analysts indicate that at.exe is more popular when threat actors want to move laterally within an infrastructure using scheduled tasks.
Lateral movement within an infrastructure involves two endpoints: the source and destination hosts. Indicators differ between these endpoints, as well as between versions of the compromised Windows operating system. In this engagement, both the source and destination hosts were Windows 7 Enterprise Service Pack 1 systems.
Threat actors accessed the source host via the hcdLoader RAT. The sole indicator on the source host that at.exe had been run was an application Prefetch file (C:\Windows\Prefetch\AT.EXE-BB02E639.pf) that was created when the tool was executed. Beyond the file system metadata for the Prefetch file (creation and last modification times) and the last execution time within the file metadata, CTU analysts did not observe any indicators of value on the source host.
Indicators of lateral movement via at.exe on the destination host are far more numerous than on the source host. When the destination host receives a scheduled task, the first indicator created is a login event in the Windows event log, specifically the security event log. The login event is recorded as identifier (ID) 4672 with the source listed as Microsoft-Windows-Security-Auditing. The record is for a type 3 login (network access to resources such as shares or printers), and it contains the login credentials as well as either the name or IP address of the source host from which the command originated. Following this event, the scheduled task is registered on the destination host; indicators of this activity are Microsoft-Windows-TaskScheduler event records with event IDs 140 and 106. Both of these event records contain a reference to the task file itself (i.e., \At1) as well as the credentials used to submit the task for processing.
Two files are created for the task at approximately the same time: C:\Windows\System32\Tasks\At1 and C:\Windows\Tasks\At1.job. The first file is an Extensible Markup Language (XML) file that can be opened and viewed in a text editor. The second file follows a decodable binary format.
The operating system also creates a registry key within the software registry hive that is specifically associated with the creation of the scheduled task on the destination host: Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\At1. The Task Scheduler service names the tasks, so subsequent tasks are named At2, At3, and so on. Analysis of the software registry hive from another system within the infrastructure revealed that six tasks had been created within 24 hours, as the TaskCache\Tree key contained subkeys named “At1” through “At7” (there was no “At6” subkey visible).
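The destination-host indicator cluster described above, correlated by task name, as an added example in Python (not CTU's code). The event records, file paths and TaskCache\Tree subkeys are constructed sample data shaped like the artifacts the article lists; the 4672/140/106 event IDs and the file locations come from the article. The example also reports gaps in the At<N> sequence, like the missing At6, since the Task Scheduler service numbers tasks consecutively.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like the destination-host artifacts described above.
TS = "Microsoft-Windows-TaskScheduler/Operational"
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 4672, "logon_type": 3, "user": "CORP\\svc_admin",
     "source": "10.0.0.5", "time": "2014-03-01T02:14:05"},  # type-3 logon from source host
    {"channel": TS, "id": 140, "task": "\\At1", "time": "2014-03-01T02:14:06"},
    {"channel": TS, "id": 106, "task": "\\At1", "time": "2014-03-01T02:14:06"},
    {"channel": TS, "id": 106, "task": "\\At2", "time": "2014-03-01T09:30:00"},
]
SAMPLE_FILES = [r"C:\Windows\System32\Tasks\At1", r"C:\Windows\Tasks\At1.job"]
SAMPLE_REG_SUBKEYS = ["At1", "At2", "At3", "At4", "At5", "At7"]  # under Schedule\TaskCache\Tree

AT_TASK = re.compile(r"^\\?(At(\d+))(\.job)?$", re.IGNORECASE)

def correlate_at_tasks(events, files, reg_subkeys):
    """Map each At<N> task to the set of data sources that still record it."""
    cluster = defaultdict(set)
    for ev in events:  # Task Scheduler registration events (140, 106) name the task
        if ev["channel"].startswith("Microsoft-Windows-TaskScheduler") and ev["id"] in (140, 106):
            m = AT_TASK.match(ev["task"])
            if m:
                cluster["At" + m.group(2)].add(f"event_{ev['id']}")
    for path in files:  # .job is the binary copy under C:\Windows\Tasks; the other is the XML task
        m = AT_TASK.match(path.rsplit("\\", 1)[-1])
        if m:
            cluster["At" + m.group(2)].add("job_file" if m.group(3) else "task_xml")
    for key in reg_subkeys:  # registry subkey created for the task on the destination host
        m = AT_TASK.match(key)
        if m:
            cluster["At" + m.group(2)].add("taskcache_tree_key")
    return dict(cluster)

def logon_for_task(events, task, window=timedelta(seconds=60)):
    """Return the type-3 logon recorded just before the task was registered, or None."""
    reg = [datetime.fromisoformat(e["time"]) for e in events
           if e.get("task") == "\\" + task and e["id"] in (140, 106)]
    if not reg:
        return None
    first = min(reg)
    candidates = [e for e in events if e["channel"] == "Security" and e.get("logon_type") == 3
                  and first - window <= datetime.fromisoformat(e["time"]) <= first]
    return max(candidates, key=lambda e: e["time"]) if candidates else None

def missing_task_numbers(task_names):
    """Gaps in the At<N> sequence: a task that was created and later removed."""
    nums = sorted({int(AT_TASK.match(n).group(2)) for n in task_names if AT_TASK.match(n)})
    return [n for n in range(nums[0], nums[-1] + 1) if n not in nums] if nums else []
```

On a live system the same correlation would be fed from the Security and TaskScheduler/Operational event logs, a listing of the two Tasks directories, and the TaskCache\Tree subkeys of the SOFTWARE hive.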
The value of these indicators lies in their number and persistence. Targeted threat actors often delete the files that they use; in this case, the tools scheduled to be launched by the tasks were deleted, and there was evidence that batch files were also used and then deleted from the system. However, the observed cluster of artifacts persisted on the destination host even after those files were deleted. The cluster included indicators from several data sources on the destination system, so even if the intruder removed one of those data sources, the others would still persist. Eliminating all of them would require additional effort from the threat actor, which would potentially raise alarms of suspicious activity on the system and within the infrastructure.
[i] The CTU research team tracks threat groups by assigning them four-digit randomized numbers (0416 in this case), and compiles information from external sources and from first-hand incident response observations.