This micro emulation plan targets remote exploitation activity. Exploitation of vulnerabilities (especially those that enable remote code execution) are very often abused to enable TA0001 Initial Access (e.g., T1190 Exploit Public-Facing Application), but may also be included in post-compromise activity (e.g., T1210 Exploitation of Remote Services as part of TA0008 Lateral Movement).
You can access the binary for this micro plan as part of the latest release.
Table Of Contents:
What are we doing? This module provides an easy-to-execute tool that:
- Installs and starts a vulnerable web server (
Apache 2.4) - Exploits the web server (
CVE-2021-41773) to execute arbitrary commands - Cleans up the vulnerable web server and any associated artifacts
Why should you care? Exploitation of vulnerabilities in applications and services is very often abused as a means to enable adversary TA0001 Initial Access (e.g., T1190 Exploit Public-Facing Application), but may also be included in post-compromise activity (e.g., T1210 Exploitation of Remote Services as part of TA0008 Lateral Movement).
This problem continually evolves and is exaggerated by the growing diversity and complexity of technologies within network environments. Risks from vulnerabilities in exposed applications can not always be remediated in time to prevent exploitation from adversaries. This micro plan uses CVE-2021-41773 as a medium to broadly emulate remote code execution (RCE) exploitation, where an adversary leverages a vulnerability to execute arbitrary code/commands/scripts.
This module has been compiled into an easy-to-execute tool and is designed to execute on one host. The source code for this module is also provided if you wish to further customize and rebuild.
The standalone ApacheEmu.exe tool coordinates setup, exploitation, and cleanup of the vulnerable web server.
Default parameters are set to enable simple execution requiring no user inputs (i.e. double click), but the tool can also be run from the command-line in an reactive session with the -r option.
With no arguments, the tool will exploit the web server, then execute three commands (whoami, systeminfo, ipconfig /all) using malicious HTTP requests.
The reactive session created with -r will setup the vulnerable web server, at which point the user can:
- Type
setupto exploit the server - Provide a series of arbitrary commands to be executed
- Type
exitto terminate the session (this is required to guarantee proper cleanup)
There are potentially multiple opportunities to detect exploitation activity, including pre-exploitation enumeration. Network and/or application logs may highlight potential malicious scanning activity such as T1595.002 Active Scanning: Vulnerability Scanning and T1046 Network Service Discovery.
These same logs may also help identify attempted exploitation activity. It may vary by the specific vulnerability, but analysis of exploit chains may reveal detectable indicators. For example, CVE-2021-41773 used for this emulation may be signatured using specific URI strings and resulting server status codes.
detection:
selection:
cs-uri-query|contains:
- '/cgi-bin/.%2e/'
- '/icons/.%2e/'
- '/cgi-bin/.%%32%65/'
- '/icons/.%%32%65/'
- '/cgi-bin/.%%%25%33'
- '/icons/.%%%25%33'
sc-status:
- 200
- 301
condition: selectionCode excerpted from github.com/SigmaHQ/sigma
Exploitation of applications may also be detectable through behavioral analytics highlighting:
- unusual process activity (such as commands and other processes spawning from server applications such as
httpd.exe,tomcat.exe,w3wp.exe.) - anomalous activity performed by user accounts associated with applications/services
- abnormal file activity in directories associated with these services
Update and patch vulnerabilities as soon as possible. When updating software and patching vulnerabilities is not feasible, risks associated with remote exploitation may be reduced by considering:
- Isolating vulnerable applications (as well as filtering data flowing to/from these services), both at the network (segmentation) and host (application sandboxing) levels
- Limiting the privileges and accesses of application accounts to only those needed
- Applying vulnerability-specific fixes, such as hardening filesystem directory permissions in the case of
CVE-2021-41773