MalwareAnalysisSeries

This repository contains the analysis reports, technical details and any tools created to help with malware analysis. It also contains the extracted TTPs, re-implemented in code, along with the corresponding detection rules.


Project maintained by shaddy43

MedusaLocker: Persistence

MedusaLocker Image

MedusaLocker achieves persistence in an unusual way. Malware typically calls at.exe or schtasks.exe, the Windows command-line tools for scheduling tasks; MedusaLocker instead registers the task programmatically in C/C++ using the officially documented Task Scheduler code from Microsoft's MSDN page, with a trigger that repeats every 15 minutes indefinitely.

The malware copies itself to %APPDATA% under the name “svhost.exe” and registers that copy in the Task Scheduler so that it is executed every 15 minutes indefinitely.

Detection Indicators

The detection indicators that seem interesting to me in the persistence TTP of the MedusaLocker ransomware are:

Log Sources

I have configured multiple log sources in my detection lab and use Azure Sentinel as my SIEM solution. The following logs are ingested into the SIEM:

Detection Engineering with Defender XDR

The following query looks for newly created scheduled tasks whose task name contains either medusa (the name used in my re-implementation) or svhost (the name used by the actual malware). The second condition looks for the keywords PT15M (the trigger) and AppData\Roaming\svhost (the command) in the task content.

DeviceEvents
| where ActionType == "ScheduledTaskCreated"
// AdditionalFields is a dynamic column; convert the fields before applying string operators.
| extend TaskName = tostring(AdditionalFields.TaskName),
         TaskContent = tostring(AdditionalFields.TaskContent)
// Parenthesised so the ActionType filter applies to both branches
// (KQL binds 'and' tighter than 'or').
| where TaskName has_any ('Medusa', 'svhost')
    or (TaskContent contains "PT15M" and TaskContent contains "svhost")

detection rule1

Detection Engineering with Security Audit logs

In the Security Audit logs, most of the data is logged as raw XML in the EventData column. The event ID for scheduled-task creation is 4698, so detection in the audit logs comes down to searching for the target keywords in the EventData column.

SecurityEvent
| where EventID == 4698
// EventData holds the task XML as raw text. Match the task name used by the
// malware (svhost) or by the author's test code (medusa) together with the
// 15-minute trigger; a single event never contains both names, so has_any
// rather than has_all.
| where EventData has_any ('svhost', 'medusa') and EventData has 'PT15M'

detection rule2

Detection Engineering with Sysmon

Sysmon has no event ID that directly records task scheduling, but malicious tasks can still be detected through the FileCreate event, ID 11: registering a task creates a file in the System32\Tasks folder. The same event also catches the svhost file that the malware creates in %AppData%.

// 'Sysmon' is the parsed Sysmon table/function deployed in the lab; EventData is dynamic.
Sysmon
| where EventID == 11 and tostring(EventData.TargetFilename) has_any ('medusa', 'svhost')

detection rule3
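As an added example (not code from the MalwareAnalysisSeries repo), the following Python applies the logic of the EventID 4698 query above and of the Sysmon EventID 11 query to constructed sample events. Unlike the keyword queries, it parses the 4698 TaskContent XML, so the 15-minute repetition and the AppData\Roaming\svhost command are read from the trigger and action elements rather than matched as substrings; the Sysmon check separates a task registration file under System32\Tasks from the dropped svhost.exe copy. The EventData, TaskContent and TargetFilename values are constructed; the task XML layout follows Microsoft's public Task Scheduler schema.

```python
"""Scheduled-task persistence checks for the Security (4698) and Sysmon (11) log sources.
Added example, not code from the MalwareAnalysisSeries repo; all sample events are constructed."""
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

TASK_NAMES = ("svhost", "medusa")   # task names from the queries on this page
INTERVAL = "PT15M"                  # the 15-minute repetition trigger
TASKS_DIR = re.compile(r"\\windows\\system32\\tasks\\", re.I)
APPDATA_SVHOST = re.compile(r"\\appdata\\roaming\\svhost(\.exe)?$", re.I)

# Constructed TaskContent: the XML a COM task registration produces, trimmed to
# the trigger and action elements the detection needs.
SAMPLE_TASK_CONTENT = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT15M</Interval></Repetition>
      <StartBoundary>2023-08-07T10:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\\Users\\user\\AppData\\Roaming\\svhost.exe</Command></Exec>
  </Actions>
</Task>"""

# Constructed Sysmon EventID 11 TargetFilename values: two malicious, one benign.
SAMPLE_FILECREATES = [
    r"C:\Windows\System32\Tasks\svhost",
    r"C:\Users\user\AppData\Roaming\svhost.exe",
    r"C:\Windows\System32\Tasks\Microsoft\Windows\Defrag\ScheduledDefrag",
]


def make_4698_eventdata(task_name, task_content):
    """Build the raw EventData XML of a 4698 event as Sentinel stores it (constructed);
    the task XML sits XML-escaped inside the TaskContent <Data> element."""
    return ('<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<Data Name="SubjectUserName">user</Data>'
            f'<Data Name="TaskName">{escape(task_name)}</Data>'
            f'<Data Name="TaskContent">{escape(task_content)}</Data>'
            '</EventData>')


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts in front of tag names."""
    return tag.rsplit("}", 1)[-1]


def parse_eventdata(eventdata_xml):
    """Return {Data Name: text} from a Windows EventData XML string."""
    root = ET.fromstring(eventdata_xml)
    return {el.get("Name"): (el.text or "") for el in root.iter() if _local(el.tag) == "Data"}


def parse_task_content(task_xml):
    """Return (repetition intervals, exec commands) from Task Scheduler XML.
    The declaration claims UTF-16 but we hold decoded text, so drop it before parsing."""
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", task_xml))
    intervals, commands = [], []
    for el in root.iter():
        name = _local(el.tag)
        if name == "Repetition":      # the trigger's Interval only, not RestartOnFailure's
            intervals += [(c.text or "").strip() for c in el if _local(c.tag) == "Interval"]
        elif name == "Command":       # Actions/Exec/Command
            commands.append((el.text or "").strip().strip('"'))
    return intervals, commands


def check_task_created(eventdata_xml):
    """Indicators for one 4698 event: suspicious task name, 15-minute repetition,
    and an action launched from AppData\\Roaming (the three signals the queries use)."""
    data = parse_eventdata(eventdata_xml)
    intervals, commands = parse_task_content(data.get("TaskContent", ""))
    hits = []
    if any(n in data.get("TaskName", "").lower() for n in TASK_NAMES):
        hits.append("task_name")
    if INTERVAL in (i.upper() for i in intervals):
        hits.append("repeat_15m")
    if any(APPDATA_SVHOST.search(c) for c in commands):
        hits.append("appdata_svhost_command")
    return hits


def check_file_create(target_filename):
    """Indicators for one Sysmon EventID 11 TargetFilename: a task registration file
    with a suspicious name under System32\\Tasks, or the svhost.exe copy in %AppData%."""
    hits = []
    if TASKS_DIR.search(target_filename):
        leaf = target_filename.rsplit("\\", 1)[-1].lower()
        if any(n in leaf for n in TASK_NAMES):
            hits.append("task_file")
    if APPDATA_SVHOST.search(target_filename):
        hits.append("appdata_svhost_file")
    return hits


if __name__ == "__main__":
    event = make_4698_eventdata(r"\svhost", SAMPLE_TASK_CONTENT)
    print("4698 ->", check_task_created(event))
    for path in SAMPLE_FILECREATES:
        print("Sysmon 11", path, "->", check_file_create(path))
```

Reading the interval from the Repetition element rather than grepping for PT15M matters because the task schema also carries an Interval under RestartOnFailure, and a keyword match on the whole XML cannot tell the two apart; the same parser applies to task XML exported from a host when hunting for tasks that were registered before logging was enabled.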

Detection Engineering with SIGMA Rule

The following SIGMA rule hunts for the known task-scheduling events generated by the MedusaLocker ransomware.

title: MedusaLocker ransomware persistence
id: 55d5e853-8bc8-4426-aa85-47000eca4fbc
status: experimental
description: Hunts for known task events generated by MedusaLocker ransomware
author: Shayan Ahmed Khan (shaddy43)
references:
    - https://www.seqrite.com/blog/medusalocker-ransomware-an-in-depth-technical-analysis-and-prevention-strategies/#:~:text=Fig%3A%20Hardcoded%20commands-,Persistence,-Medusa%20Locker%20ransomware
date: 2023/08/07
tags:
    - attack.persistence
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4698
        EventData|contains:
            - 'svhost'
            - 'svchostt'
    selection2:
        EventData|contains:
            - 'PT15M'
    condition: all of selection*
falsepositives:
    - Unknown
level: medium