WindowsAudit Backdoor: Inside a .NET RAT Hiding in Discord
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Profero IRT identified a .NET 8 backdoor named WindowsAudit.exe that uses Discord as its primary command-and-control channel, with MQTT and Telegram supported as fallback communication paths. The malware runs as a Windows service, creates a backup copy of itself, establishes several persistence mechanisms, and carries out credential theft, Active Directory abuse and defense evasion. It also configures WireGuard tunnels to support covert lateral movement inside the environment. The overall tradecraft suggests the attackers may be staging the affected networks for a later ransomware phase.
Investigation
Investigators obtained the WindowsAudit binary, confirmed it was a modular C# remote access trojan, and reverse engineered the embedded DLL component. Their analysis detailed the malware's persistence techniques, communication architecture, credential extraction capabilities and evasion methods, including AMSI and ETW patching. The team also examined a related dropper named WinSATSvc that appeared designed to restore the malware if it was removed. From this work the researchers extracted a set of indicators of compromise to support hunting and detection.
Mitigation
Recommended detections include monitoring for creation of the WindowsAudit service, the associated Run registry keys, the GlobalWindowsAuditSingleInstance mutex and suspicious Add-MpPreference executions. Defenders should also block or flag TLS traffic to Discord and HiveMQ infrastructure, while watching for bcdedit safe-boot changes and suspicious scheduled task creation. Any WireGuard tunnel configuration tied to the malware should be removed, and every persistence mechanism established by the backdoor should be disabled.
Response
Organizations should immediately hunt for the published indicators of compromise, isolate affected systems and stop the WindowsAudit service. Memory and disk images should be collected for forensic review, the malicious binaries removed, and any compromised credentials reset. Security teams should also verify that unauthorized EDR exclusions have been removed, confirm that safe-mode configuration changes have been reverted, and keep monitoring for reinstallation or re-creation of the malware components.
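The detection points from the Mitigation section and the containment steps above, collected into one host-triage function. This is an added example, not code from Profero's report or from the malware: it enumerates the WindowsAudit / WinSATSvc service, Run keys, scheduled tasks, Defender exclusions, the bcdedit safeboot value, the single-instance mutex, WMI event consumers and WireGuard tunnel services, and with -Remediate reverses each finding. Assumptions: the mutex name is used exactly as printed on the page and, because extraction may have dropped a namespace separator, also with a "Global\" prefix; the install path is not known, so matching is by the names "WindowsAudit" and "WinSATSvc"; WireGuard tunnels are located through the "WireGuardTunnel$<name>" service naming the WireGuard client uses.

```powershell
function Invoke-WindowsAuditTriage {
    # Added example (not the report's or the malware's code). Run elevated.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [switch]$Remediate,
        [string[]]$Names = @('WindowsAudit', 'WinSATSvc')   # names from the report; install path unknown
    )
    $findings = [System.Collections.Generic.List[object]]::new()
    function Add-Finding($Category, $Detail, [scriptblock]$Fix) {
        $findings.Add([pscustomobject]@{ Category = $Category; Detail = $Detail; Fix = $Fix })
    }
    $pattern = ($Names | ForEach-Object { [regex]::Escape($_) }) -join '|'

    # 1. Services: the backdoor runs as a Windows service.
    Get-CimInstance Win32_Service | Where-Object { $_.Name -match $pattern -or $_.PathName -match $pattern } | ForEach-Object {
        $svc = $_
        Add-Finding 'Service' "$($svc.Name) -> $($svc.PathName)" { Stop-Service $svc.Name -Force -ErrorAction SilentlyContinue; sc.exe delete $svc.Name | Out-Null }.GetNewClosure()
    }
    # 2. Run keys in the Software (HKLM) and NTUSER (HKCU) hives.
    foreach ($key in 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run') {
        $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            if ("$($p.Name) $($p.Value)" -match $pattern) {
                $k = $key; $n = $p.Name
                Add-Finding 'RunKey' "$k\$n = $($p.Value)" { Remove-ItemProperty -Path $k -Name $n }.GetNewClosure()
            }
        }
    }
    # 3. Scheduled tasks (the safe-mode re-arm task described in the attack flow).
    Get-ScheduledTask | Where-Object { "$($_.TaskName) $($_.Actions.Execute) $($_.Actions.Arguments)" -match $pattern } | ForEach-Object {
        $t = $_
        Add-Finding 'ScheduledTask' "$($t.TaskPath)$($t.TaskName)" { Unregister-ScheduledTask -TaskName $t.TaskName -TaskPath $t.TaskPath -Confirm:$false }.GetNewClosure()
    }
    # 4. Defender exclusions added with Add-MpPreference.
    $mp = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($ex in (@($mp.ExclusionPath) + @($mp.ExclusionProcess))) {
        if ($ex -and $ex -match $pattern) {
            $e = $ex
            Add-Finding 'DefenderExclusion' $e { Remove-MpPreference -ExclusionPath $e -ErrorAction SilentlyContinue; Remove-MpPreference -ExclusionProcess $e -ErrorAction SilentlyContinue }.GetNewClosure()
        }
    }
    # 5. Safe-boot flag set through bcdedit on the current boot entry.
    $bcd = (bcdedit /enum '{current}' 2>$null) -join "`n"
    if ($bcd -match 'safeboot\s+\S+') {
        Add-Finding 'SafeBoot' $Matches[0] { bcdedit /deletevalue '{current}' safeboot | Out-Null }
    }
    # 6. Single-instance mutex: OpenExisting succeeds only while a process holds it.
    #    Assumption: second spelling adds the "Global\" namespace the page may have lost.
    foreach ($m in 'GlobalWindowsAuditSingleInstance', 'Global\WindowsAuditSingleInstance') {
        try { $mx = [System.Threading.Mutex]::OpenExisting($m); $mx.Dispose(); Add-Finding 'Mutex' $m $null } catch {}
    }
    # 7. WMI permanent event subscriptions (T1546.003): consumer plus its bindings.
    Get-CimInstance -Namespace root\subscription -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue |
        Where-Object { "$($_.Name) $($_.CommandLineTemplate)" -match $pattern } | ForEach-Object {
            $c = $_
            Add-Finding 'WmiConsumer' $c.Name {
                Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding |
                    Where-Object { "$($_.Consumer)" -match [regex]::Escape($c.Name) } | Remove-CimInstance
                $c | Remove-CimInstance
            }.GetNewClosure()
        }
    # 8. WireGuard tunnel services (assumed naming: WireGuardTunnel$<tunnel name>).
    Get-Service -Name 'WireGuardTunnel$*' -ErrorAction SilentlyContinue | ForEach-Object {
        $w = $_
        Add-Finding 'WireGuardTunnel' $w.Name { Stop-Service $w.Name -Force -ErrorAction SilentlyContinue; sc.exe delete $w.Name | Out-Null }.GetNewClosure()
    }

    foreach ($f in $findings) {
        if ($Remediate -and $f.Fix -and $PSCmdlet.ShouldProcess($f.Detail, "Remove $($f.Category)")) { & $f.Fix }
    }
    return $findings | Select-Object Category, Detail
}
# Hunt only:           Invoke-WindowsAuditTriage
# Dry-run remediation: Invoke-WindowsAuditTriage -Remediate -WhatIf   (drop -WhatIf to apply)
```

Each fix is a closure captured at discovery time (GetNewClosure), so the loop variables are not overwritten before the remediation pass runs; the hunt pass is read-only, and remediation goes through ShouldProcess so -WhatIf shows what would be removed. Collect memory and disk images before running with -Remediate, since stopping the service and deleting the task and consumer destroys live evidence.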
```mermaid
graph TB
  %% Class definitions
  classDef technique fill:#ffcc99
  classDef tool fill:#cccccc
  classDef malware fill:#ff9999
  classDef process fill:#99ff99
  classDef operator fill:#ff9900

  %% Nodes - Techniques and Tools
  exploit_remote_services["<b>Technique</b> – <b>T1210 Exploitation of Remote Services</b><br/>Copy malicious binary to remote hosts via SMB and start it with sc.exe"]
  class exploit_remote_services technique
  lateral_smb["<b>Technique</b> – <b>T1080 Lateral Movement via Shared Content</b><br/>Spread using SMB shares and execute remote commands"]
  class lateral_smb technique
  wmi_event_sub["<b>Technique</b> – <b>T1546.003 Windows Management Instrumentation Event Subscription</b><br/>Register WMI event that triggers payload for persistence"]
  class wmi_event_sub technique
  scheduled_task["<b>Technique</b> – <b>T1053 Scheduled Task/Job</b><br/>Create task that runs in Safe Mode to remove EDR and re-arm malware after reboot"]
  class scheduled_task technique
  defender_exclusion["<b>Technique</b> – <b>T1564.012 Hide Artifacts: File Path Exclusions</b><br/>Add Windows Defender exclusion for install path and executable"]
  class defender_exclusion technique
  safe_mode_boot["<b>Technique</b> – <b>T1562.009 Safe Mode Boot</b><br/>Boot into Safe Mode to reinstall components"]
  class safe_mode_boot technique
  vpn_proxy["<b>Technique</b> – <b>T1090 Proxy</b> and <b>T1572 Protocol Tunneling</b><br/>Deploy WireGuard VPN and SOCKS5 proxy to tunnel traffic"]
  class vpn_proxy technique
  c2_discord["<b>Technique</b> – <b>T1102.002 Web Service: Discord</b><br/>Use Discord as primary command and control channel"]
  class c2_discord technique
  c2_mqtt["<b>Technique</b> – <b>T1102 Web Service (MQTT)</b><br/>Secondary C2 via MQTT broker"]
  class c2_mqtt technique
  c2_fallback["<b>Technique</b> – <b>T1008 Fallback Channels</b><br/>Switch to MQTT or Telegram when Discord unavailable"]
  class c2_fallback technique
  rat["<b>Malware</b> – Remote Access Tool (RAT)"]
  class rat malware
  os_cred_dump["<b>Technique</b> – <b>T1003 OS Credential Dumping</b><br/>Dump LSASS memory with MiniDumpWriteDump"]
  class os_cred_dump technique
  shadow_copy["<b>Technique</b> – <b>T1003.007 Volume Shadow Copy</b><br/>Extract SAM and SYSTEM hives via shadow copies"]
  class shadow_copy technique
  browser_passwords["<b>Technique</b> – <b>T1555.003 Credentials from Web Browsers</b><br/>Decrypt saved passwords using DPAPI"]
  class browser_passwords technique
  cred_manager["<b>Technique</b> – <b>T1555.004 Credentials from Windows Credential Manager</b><br/>Extract stored credentials"]
  class cred_manager technique
  golden_ticket["<b>Technique</b> – <b>T1558.001 Golden Ticket</b><br/>Create forged Kerberos TGT for domain admin"]
  class golden_ticket technique
  silver_ticket["<b>Technique</b> – <b>T1558.002 Silver Ticket</b><br/>Forge service tickets for targeted services"]
  class silver_ticket technique
  pass_hash["<b>Technique</b> – <b>T1550.002 Pass the Hash</b><br/>Reuse NTLM hash to authenticate"]
  class pass_hash technique
  pass_ticket["<b>Technique</b> – <b>T1550.003 Pass the Ticket</b><br/>Reuse Kerberos ticket for lateral movement"]
  class pass_ticket technique
  dc_sync["<b>Technique</b> – <b>T1003.006 DCSync</b><br/>Force domain controller to replicate password data"]
  class dc_sync technique
  dc_auth["<b>Technique</b> – <b>T1556.001 Domain Controller Authentication</b><br/>Modify authentication process on DC"]
  class dc_auth technique
  process_hollowing["<b>Technique</b> – <b>T1055.012 Process Hollowing</b><br/>Inject code into elevated process"]
  class process_hollowing technique
  apc_injection["<b>Technique</b> – <b>T1055.004 Asynchronous Procedure Call</b><br/>Inject code via APC"]
  class apc_injection technique
  clear_event_logs["<b>Technique</b> – <b>T1070.001 Clear Windows Event Logs</b><br/>Remove evidence of activity"]
  class clear_event_logs technique
  screen_capture["<b>Technique</b> – <b>T1113 Screen Capture</b><br/>Capture screenshots"]
  class screen_capture technique
  video_capture["<b>Technique</b> – <b>T1125 Video Capture</b><br/>Record video of desktop"]
  class video_capture technique
  audio_capture["<b>Technique</b> – <b>T1123 Audio Capture</b><br/>Record microphone audio"]
  class audio_capture technique
  keylogging["<b>Technique</b> – <b>T1056.001 Keylogging</b><br/>Capture keystrokes"]
  class keylogging technique
  exfil_discord["<b>Technique</b> – <b>T1041 Exfiltration Over Command and Control Channel</b><br/>Upload data as Discord attachments"]
  class exfil_discord technique
  exfil_mqtt["<b>Technique</b> – <b>T1041 Exfiltration Over Command and Control Channel</b><br/>Send data via MQTT messages"]
  class exfil_mqtt technique

  %% Logical operators (optional)
  op_and1(("AND"))
  class op_and1 operator

  %% Connections - Attack Flow
  exploit_remote_services -->|copies binary via SMB| lateral_smb
  lateral_smb -->|executes remote command with sc.exe| wmi_event_sub
  wmi_event_sub -->|provides persistence| scheduled_task
  scheduled_task -->|runs in safe mode| safe_mode_boot
  safe_mode_boot -->|re-arms malware| vpn_proxy
  vpn_proxy -->|tunnels traffic| c2_discord
  c2_discord -->|primary C2 channel| rat
  rat -->|collects credentials| os_cred_dump
  os_cred_dump -->|gets LSASS dump| shadow_copy
  os_cred_dump -->|feeds| browser_passwords
  os_cred_dump -->|feeds| cred_manager
  os_cred_dump -->|enables| golden_ticket
  os_cred_dump -->|enables| silver_ticket
  golden_ticket -->|provides domain admin access| pass_hash
  silver_ticket -->|provides service access| pass_ticket
  rat -->|uses| pass_hash
  rat -->|uses| pass_ticket
  rat -->|uses| dc_sync
  rat -->|uses| dc_auth
  rat -->|elevates via| process_hollowing
  rat -->|elevates via| apc_injection
  rat -->|clears logs| clear_event_logs
  rat -->|captures| screen_capture
  rat -->|captures| video_capture
  rat -->|captures| audio_capture
  rat -->|captures| keylogging
  screen_capture -->|exfiltrates via| exfil_discord
  video_capture -->|exfiltrates via| exfil_discord
  audio_capture -->|exfiltrates via| exfil_discord
  keylogging -->|exfiltrates via| exfil_discord
  exfil_discord -->|fallback to| exfil_mqtt
  c2_discord -->|fallback to| c2_fallback
  c2_fallback -->|uses| c2_mqtt
  c2_mqtt -->|receives exfiltrated data| exfil_mqtt
```
Attack Flow
Detections
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
Possible IP Lookup Domain Communications Attempted (via dns)
Suspicious Bcdedit Execution (via cmdline)
Windows Defender Preferences Suspicious Changes (via powershell)
Possible Abuse Discord as a C2 Channel (via dns_query)
Detection of WindowsAudit RAT Single Instance Mutex [Windows Sysmon]
WindowsAudit Backdoor Command and Control Communication [Windows Network Connection]
Detection of WindowsAudit Backdoor and Associated Activities [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
Attack Narrative & Commands:
An attacker has deployed the WindowsAudit backdoor on the victim host. To retrieve commands, the backdoor performs DNS lookups to the Discord CDN (gateway.discord.gg) and to a malicious MQTT broker hosted on *.hivemq.cloud. These lookups are issued via native Windows APIs (no external tools) to stay low-profile. The DNS queries are the sole observable artifact the Sigma rule uses for detection.
Regression Test Script:
```powershell
# WindowsAudit C2 DNS beacon simulation
# Generates the exact DNS queries the Sigma rule watches for.
$c2Endpoints = @(
    "gateway.discord.gg",
    "malicious1.hivemq.cloud",
    "malicious2.hivemq.cloud"
)
foreach ($fqdn in $c2Endpoints) {
    try {
        # Use the native Windows DNS resolver
        Resolve-DnsName -Name $fqdn -Type A -ErrorAction Stop | Out-Null
        Write-Host "[+] Queried $fqdn"
    } catch {
        Write-Warning "Failed to resolve $fqdn (simulated C2)"
    }
    Start-Sleep -Seconds 5   # mimic realistic beacon interval
}
```
Cleanup Commands:
```powershell
# Flush the DNS cache to remove traces of the simulated queries
ipconfig /flushdns
Write-Host "[*] DNS cache cleared."
```
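The detection side of the simulation, covering the "Possible Abuse Discord as a C2 Channel (via dns_query)" rule listed above: this is an added example, not the page's Sigma rule or any vendor code. It evaluates DNS query records against the domain suffixes the beacon simulation exercises, down-ranks queries issued by the genuine Discord desktop client, and can read live Sysmon Event ID 22 records. Assumptions: Sysmon with DNS query logging is installed for the live path; the suffix list, the legitimate-client path heuristic, the WindowsAudit image path and the four sample records are constructed for illustration and are not indicators from the report.

```powershell
# Added example (not the page's Sigma rule). Suffixes taken from the narrative above;
# add further Discord domains (e.g. discord.com) if your environment sees them.
$SuspiciousSuffixes = @('.discord.gg', '.hivemq.cloud')
# Assumption: path fragments that identify the legitimate Discord desktop client.
$KnownLegitImages   = @('\Discord\app-', '\Discord.exe')

function Test-C2DnsQuery {
    param(
        [Parameter(Mandatory)][string]$QueryName,
        [string]$Image = ''
    )
    $name = $QueryName.ToLowerInvariant().TrimEnd('.')
    $suffixHit = $SuspiciousSuffixes | Where-Object { $name.EndsWith($_) -or $name -eq $_.TrimStart('.') }
    if (-not $suffixHit) { return $null }
    # Reduce noise: the real Discord client legitimately resolves discord.gg names.
    $legit = $KnownLegitImages | Where-Object { $Image -like "*$_*" }
    $severity = if ($legit) { 'low' } else { 'high' }
    [pscustomobject]@{
        QueryName = $QueryName
        Image     = $Image
        Suffix    = ($suffixHit | Select-Object -First 1)
        Severity  = $severity
    }
}

function Get-SysmonDnsEvents {
    param([int]$MaxEvents = 5000)
    # Sysmon Event ID 22 (DnsQuery). Fields are read from the event XML so the
    # function does not depend on the rendered message template.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 22 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{ TimeCreated = $_.TimeCreated; QueryName = $d['QueryName']; Image = $d['Image'] }
        }
}

function Find-C2DnsBeacons {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $hit = Test-C2DnsQuery -QueryName $Record.QueryName -Image $Record.Image
        if ($hit) { $hit | Add-Member -NotePropertyName TimeCreated -NotePropertyValue $Record.TimeCreated -PassThru }
    }
}

# Constructed sample records so the logic can be exercised without Sysmon present.
# The WindowsAudit image path below is a placeholder, not an indicator from the report.
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; QueryName = 'gateway.discord.gg';      Image = 'C:\PLACEHOLDER\WindowsAudit.exe' },
    [pscustomobject]@{ TimeCreated = Get-Date; QueryName = 'malicious1.hivemq.cloud'; Image = 'C:\PLACEHOLDER\WindowsAudit.exe' },
    [pscustomobject]@{ TimeCreated = Get-Date; QueryName = 'gateway.discord.gg';      Image = 'C:\Users\alice\AppData\Local\Discord\app-1.0.9\Discord.exe' },
    [pscustomobject]@{ TimeCreated = Get-Date; QueryName = 'www.example.com';         Image = 'C:\Program Files\Mozilla Firefox\firefox.exe' }
)
$sample | Find-C2DnsBeacons | Format-Table -AutoSize
# Live use on a host with Sysmon:  Get-SysmonDnsEvents | Find-C2DnsBeacons
```

On the constructed sample the first two records are reported as high severity, the Discord-client lookup as low, and the Firefox lookup is dropped. Because the narrative notes that the queries are the only observable artifact, the image path is what separates the backdoor from the many legitimate Discord resolvers on a workstation; pair this with the process-creation and mutex detections listed above before treating a single hit as confirmed.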