Thursday, 7 February 2019

Threat Hunting #13 - Detecting CACTUSTORCH using SYSMON


CACTUSTORCH is a  JavaScript and VBScript shellcode launcher. At it's core It makes use of  JavaScript to invoke objects deserialization (bring it back to memory) and load an arbitrary .NET v2/3.5 assembly (base64 encoded within the script itself) from memory then it creates a remote thread to launch execution.

Supported output formats include also vba (can be delivered via office document) and HTA. It supports injecting code into 32 bits binaries only.

When executed, we can see from sysmon event 8 "CreateRemoteThread" the following artifacts:

  • 64 bits binary creates a remote thread in a 32 bits program
  • StartModule/StartFunction is not mapped to an image  




Detection:

IBM AQL hunting query:

select "SourceImage", "TargetImage", "StartModule", "StartFunction" from events where eventid=8 and (SourceImage IMATCHES '(?i)((.*system32\\(cscript.*|.*wscript.*|.*mshta.*))|(.*winword.*|.*excel.*|.*powerpnt.*))') and (TargetImage imatches '.*syswow64.*')

Tested using default CACTUSTORCH script:


For a period of 1 month, this AQL search matched only the events related to our test [12 occurrences - Not Bad :)]

References:

https://github.com/mdsecactivebreach/CACTUSTORCH
https://github.com/tyranid/DotNetToJScript
https://docs.microsoft.com/en-us/dotnet/api/system.runtime.serialization.formatters.binary.binaryformatter?view=netframework-4.7.2
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90008