OTRF / detection-hackathon-apt29

Place for resources used during the Mordor Detection hackathon event featuring APT29 ATT&CK evals datasets
GNU General Public License v3.0

6.A) Credentials in Files, Credential Dumping, Masquerading #13

Open Cyb3rWard0g opened 4 years ago

Cyb3rWard0g commented 4 years ago

Description

The attacker accesses credentials stored in a local web browser (T1081, T1003) using a tool renamed to masquerade as a legitimate utility (T1036).

Cyb3rWard0g commented 4 years ago

6.A.1 Credentials in Files

Procedure: Read the Chrome SQL database file to extract encrypted credentials

Criteria: accesschk.exe reading files within %APPDATALOCAL%\Google\chrome\user data\default\

Cyb3rWard0g commented 4 years ago

No detection capability demonstrated for this procedure. However, with a SACL on %APPDATALOCAL%\Google\chrome\user data\default\, it would generate an event ;)

Cyb3rWard0g commented 4 years ago

6.A.2 Credential Dumping

Procedure: Executed the CryptUnprotectedData API call to decrypt Chrome passwords

Criteria: accesschk.exe executing the CryptUnprotectedData API

Cyb3rWard0g commented 4 years ago

No detection capability demonstrated for this procedure.

Cyb3rWard0g commented 4 years ago

6.A.3 Masquerading

Procedure: Masqueraded a Chrome password dump tool as accesscheck.exe, a legitimate Sysinternals tool

Criteria: Evidence that accesschk.exe is not the legitimate Sysinternals tool

Cyb3rWard0g commented 4 years ago

Sysmon

-- Pull the Sysmon Event ID 7 (image loaded) record for the accesschk process.
-- The nested joins walk the process tree one ParentProcessGuid hop at a time:
-- sdclt.exe -> control.exe -> High-integrity child -> powershell.exe -> accesschk.
SELECT h.Message
FROM apt29Host h
INNER JOIN (
    -- accesschk* process (Event ID 1) spawned by the powershell.exe found below
    SELECT f.ProcessGuid
    FROM apt29Host f
    INNER JOIN (
      -- powershell.exe spawned by the High-integrity process found below
      SELECT d.ProcessGuid, d.ParentProcessGuid
      FROM apt29Host d
      INNER JOIN (
        -- High-integrity child of control.exe (the UAC bypass step)
        SELECT a.ProcessGuid, a.ParentProcessGuid
        FROM apt29Host a
        INNER JOIN (
          -- root of the chain: control.exe launched by sdclt.exe
          SELECT ProcessGuid
          FROM apt29Host
          WHERE Channel = 'Microsoft-Windows-Sysmon/Operational'
              AND EventID = 1
              AND LOWER(Image) LIKE '%control.exe'
              AND LOWER(ParentImage) LIKE '%sdclt.exe'
        ) b
        ON a.ParentProcessGuid = b.ProcessGuid
        WHERE a.Channel = 'Microsoft-Windows-Sysmon/Operational'
          AND a.EventID = 1
          AND a.IntegrityLevel = 'High'
      ) c
      ON d.ParentProcessGuid = c.ProcessGuid
      WHERE d.Channel = 'Microsoft-Windows-Sysmon/Operational'
        AND d.EventID = 1
        AND d.Image LIKE '%powershell.exe'
    ) e
    ON f.ParentProcessGuid = e.ProcessGuid
    WHERE f.Channel = 'Microsoft-Windows-Sysmon/Operational'
      AND f.EventID = 1
      AND LOWER(f.Image) LIKE '%accesschk%'
) g
ON h.ProcessGuid = g.ProcessGuid
WHERE h.Channel = 'Microsoft-Windows-Sysmon/Operational'
    AND h.EventID = 7
    AND LOWER(h.ImageLoaded) LIKE '%accesschk%'

Results

Image loaded:
RuleName: -
UtcTime: 2020-05-02 03:04:34.959
ProcessGuid: {47ab858c-e342-5eac-d703-000000000400}
ProcessId: 9204
Image: C:\Program Files\SysinternalsSuite\accessChk.exe
ImageLoaded: C:\Program Files\SysinternalsSuite\accessChk.exe
FileVersion: -
Description: -
Product: -
Company: -
OriginalFileName: -
Hashes: SHA1=691E81A8FA152F68FB8ACEFE8F59EA41DC995880,MD5=44F96457ADEB95AFD3F5457082D44538,SHA256=3247D21BC9BBBD8DF670A82E24BE754A2D58D2511EE64AFF0A1E3756CD288236,IMPHASH=8A672B6C29F8A80FC01C6E44A3CDEE82
Signed: false
Signature: -
SignatureStatus: Unavailable

VirusTotal: https://www.virustotal.com/gui/file/3247d21bc9bbbd8df670a82e24be754a2d58d2511ee64aff0a1e3756cd288236/detection
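The Event ID 7 record above shows what gives the renamed tool away: the file is unsigned and has no version metadata, while the genuine Sysinternals binary is signed and describes itself. As an added illustration (not code from the hackathon repository), the check below parses Sysmon "Key: Value" dumps in the same layout and flags images that borrow a Sysinternals file name without the matching metadata. The baseline values (tool list, expected Company string, OriginalFileName equal to the file name) and the second, legitimate-looking record are assumptions constructed for the example.

```python
# Assumption (not stated in the issue): genuine Sysinternals binaries are signed,
# their Company field names Sysinternals, and OriginalFileName matches the
# on-disk file name. Adjust the baseline to what your own fleet shows.
SYSINTERNALS_TOOLS = {"accesschk.exe", "procdump.exe", "psexec.exe"}
EXPECTED_COMPANY = "sysinternals"


def parse_sysmon_event(text: str) -> dict:
    """Parse 'Key: Value' lines as Sysmon events are dumped in the issue."""
    event = {}
    for line in text.strip().splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():          # skips the bare 'Image loaded:' header
            event[key.strip()] = value.strip()
    return event


def masquerade_findings(event: dict) -> list:
    """Reasons the loaded image looks like a renamed (masquerading) binary."""
    loaded = event.get("ImageLoaded", "")
    name = loaded.replace("\\", "/").rsplit("/", 1)[-1].lower()
    if name not in SYSINTERNALS_TOOLS:
        return []                           # not a file name we hold to this baseline
    reasons = []
    if event.get("Signed", "").lower() != "true":
        reasons.append("binary is not signed")
    if EXPECTED_COMPANY not in event.get("Company", "").lower():
        reasons.append("Company field does not name Sysinternals")
    if event.get("OriginalFileName", "").lower() != name:
        reasons.append("OriginalFileName does not match the file name")
    return reasons


# First record: fields from the Event ID 7 in the issue. Second record: a
# constructed example of what a genuine, signed accesschk.exe load looks like.
SUSPECT = """Image loaded:
ProcessId: 9204
ImageLoaded: C:\\Program Files\\SysinternalsSuite\\accessChk.exe
Company: -
OriginalFileName: -
Signed: false"""
LEGIT = """Image loaded:
ProcessId: 1234
ImageLoaded: C:\\Tools\\accesschk.exe
Company: Sysinternals - www.sysinternals.com
OriginalFileName: accesschk.exe
Signed: true"""
```

Running `masquerade_findings(parse_sysmon_event(SUSPECT))` returns all three reasons for the issue's record, while the constructed legitimate record returns an empty list.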