In a November 2021 intrusion, threat actors gained a foothold with Qbot (Qakbot) and used Zerologon (CVE-2020-1472) to elevate to Domain Admin, enabling Cobalt Strike deployment and broader network compromise. They conducted Active Directory discovery and exfiltrated sensitive documents, and were evicted after achieving full-domain access through a chained sequence of exploits and pivots. #Qakbot #Zerologon #CobaltStrike #ActiveDirectory
Keypoints
- Initial access came from executing a malicious Qbot DLL, followed shortly by C2 connectivity and persistence on the beachhead.
- A scheduled task ran every 30 minutes to launch a base64-encoded PowerShell Cobalt Strike beacon stored in the registry, establishing persistence.
- Network and AD discovery (e.g., mapping topology, group membership, file shares) was conducted to understand the environment and privileges.
- The Zerologon (CVE-2020-1472) exploit was used to reset the domain controller's machine account password, which allowed the Domain Admin password hash to be extracted; a service was then installed on the DC to keep Active Directory operations working.
- Overpass-the-hash with that hash was used to obtain a Kerberos TGT, which let the actors deploy Cobalt Strike beacons on a file server and a domain controller and pivot to other hosts.
- Exfiltration occurred over an encrypted C2 channel (HTTPS) with interest in financial and payroll documents.
- Qbot used process hollowing and DLL injection into explorer.exe for defense evasion; the operators moved laterally over RDP, SMB/named pipes, and remote services.
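The persistence described in the keypoints (a scheduled task firing every 30 minutes, launching base64-encoded PowerShell that pulls its real payload out of the registry) is a pattern worth triaging automatically from process-creation telemetry. The example below is added here and is not code from the DFIR report; the Sysmon-style command lines, the registry hive/key/value names (HKCU:\Software\Fdopitcu, value Stage) and the task name are constructed for illustration. It decodes the `-EncodedCommand` argument the way powershell.exe does (base64 of UTF-16LE) and flags command lines that combine encoded PowerShell with a recurring task or a registry-resident second stage.

```python
"""Triage of schtasks / encoded-PowerShell loaders. Added example, not from the case."""
import base64
import re

# powershell.exe accepts -EncodedCommand by unambiguous prefix (-e, -ec, -en, -enc, ...).
ENC_RE = re.compile(r"(?<!\S)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
REG_RE = re.compile(r"get-itemproperty|get-childitem|registry::|hk(?:cu|lm):", re.IGNORECASE)
STAGE_RE = re.compile(r"frombase64string|invoke-expression|\biex\b", re.IGNORECASE)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects it: UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if absent or undecodable."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline: str) -> list:
    """Reasons this command line looks like the registry-backed beacon loader."""
    reasons = []
    low = cmdline.lower()
    if "schtasks" in low and "/create" in low:
        reasons.append("scheduled task creation")
        m = re.search(r"/sc\s+minute\s+/mo\s+(\d+)", low)
        if m:
            reasons.append(f"recurs every {m.group(1)} min")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("base64-encoded PowerShell")
        if REG_RE.search(decoded):
            reasons.append("decoded script reads the registry")
        if STAGE_RE.search(decoded):
            reasons.append("decoded script decodes/executes a second stage")
    return reasons


def is_suspicious(reasons) -> bool:
    # Encoded PowerShell alone is noisy (admin tooling uses it); require it together
    # with a task creation or a registry-resident second stage.
    return "base64-encoded PowerShell" in reasons and len(reasons) >= 3


def hunt(events):
    """Indices of events whose command line trips the triage rule."""
    return [i for i, e in enumerate(events) if is_suspicious(triage(e["CommandLine"]))]


# Constructed loader in the shape the case describes: read a registry value,
# base64-decode it, run it. Key and value names are assumptions, not from the case.
LOADER = r"IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((Get-ItemProperty HKCU:\Software\Fdopitcu).Stage)))"

# Constructed Sysmon Event ID 1 / Security 4688 command lines (not from the case).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks.exe /create /sc minute /mo 30 /tn "Update" /tr "powershell.exe -nop -w hidden -enc '
                    + encode_ps(LOADER) + '"'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -enc " + encode_ps("Get-Date")},
]

if __name__ == "__main__":
    for i in hunt(SAMPLE_EVENTS):
        print(i, triage(SAMPLE_EVENTS[i]["CommandLine"]))
```

Only the first constructed event is flagged: the daily backup task has no encoded payload, and the lone `-enc Get-Date` decodes to nothing that touches the registry or stages further code. In production the same logic applies to the TaskContent field of Security event 4698 and to the registry value itself once it is recovered from the host.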
MITRE Techniques
- [T1068] Exploitation for Privilege Escalation – An executable run on the beachhead exploited CVE-2020-1472 (Zerologon) thirty minutes after initial access. “Thirty minutes after gaining initial access, the threat actors ran an executable file on the beachhead to exploit CVE-2020-1472, Zerologon.”
- [T1569.002] Service Execution – Deployed Cobalt Strike Beacons on a file server and another domain controller to enable pivoting. “deploying Cobalt Strike Beacons on a file server and another domain controller, which allowed them to pivot to those servers.”
- [T1053.005] Scheduled Task – Created a scheduled task to run a base64-encoded PowerShell beacon every 30 minutes. “The scheduled task’s primary purpose was to execute a (base64-encoded) PowerShell Cobalt Strike beacon every 30 minutes.”
- [T1027] Obfuscated Files or Information – Used obfuscated/encoded payloads and a base64-encoded PowerShell script referenced by the scheduled task. “obfuscated PowerShell script that is referenced by the scheduled task”
- [T1059.001] PowerShell – PowerShell beacon used as part of the base64-encoded payloads. “PowerShell Cobalt Strike beacon every 30 minutes.”
- [T1059.003] Windows Command Shell – The Zerologon/privilege escalation sequence used cmd.exe to launch the exploit (cool.exe). “C:\Windows\System32\cmd.exe /C cool.exe [DC IP ADDRESS] [DOMAIN NAME] Administrator -c ‘taskkill /f /im explorer.exe’.”
- [T1018] Remote System Discovery – AD discovery with tools like nltest, net, and ADFind to map the environment. “mapping out the Active Directory environment using tools such as Nltest, net and ADFind.”
- [T1135] Network Share Discovery – Discovery of network shares and privileges, including mapping topology and shares. “map the network topology, retrieve local group member information, and list available file shares/privileges of the infected user.”
- [T1069.002] Domain Groups – Enumeration of domain group membership as part of the AD discovery phase (listed as Domain Groups in the report's MITRE mapping).
- [T1021] Remote Services – Lateral movement via remote services and RDP, including interactive sessions. “interactive administrative RDP sessions and pivoted to different hosts…”
- [T1518.001] Security Software Discovery – Discovery of installed security software via WMI. “discovered installed security software through WMI.”
- [T1033] System Owner/User Discovery – Enumeration of the current user's identity and privileges during discovery (implied by the listing of the infected user's privileges above).
- [T1482] Domain Trust Discovery – Enumeration of domain trust relationships as part of the AD discovery; nltest, one of the tools noted above, is the usual means.
Indicators of Compromise
- [IP] 24.229.150.54 – Qbot C2 IP; 41.228.22.180 – C2 IP; 5.255.98.144 – Cobalt Strike server IP
- [Domain] avlhestito.us, xrhm.info, dxabt.com – C2 domains and cert hosts
- [Hash] Initial Qbot DLL MD5: 53510e20efb161d5b71c4ce2800c1a8d; SHA1: 2268178851d0d0debb9ab457d73af8a5e50af168; SHA256: e2bc969424adc97345ac81194d316f58da38621aad3ca7ae27e40a8fae582987
- [Hash] Qbot DLL (registry) MD5: 312e52b4109741893f17bc524084100f; SHA1: 7ca650945223eab088f43fd472e3592be2ed9d32; SHA256: not reproduced on this page
- [Hash] cool.exe – MD5: 59E7F22D2C290336826700F05531BD30; SHA1: 3B2A0D2CB8993764A042E8E6A89CBBF8A29D47D1; SHA256: F63E17FF2D3CFE75CF3BB9CF644A2A00E50AAFFE45C1ADF2DE02D5BD0AE35B0
- [File/Path] Qbot payloads stored in the registry and dropped under the user profile at AppData\Roaming\Microsoft\Fdopitcu
- [C2/Channel] Cobalt Strike encrypted C2 channel (HTTPS) used for exfiltration
- [Certificate/Domain] Certificates for avlhestito.us and xrhm.info observed in C2-related communications
- [Event/Technique] Scheduled Task Created (schtasks.exe) with base64 PowerShell payload in registry
- [Other] Base64-encoded Qbot payload and configuration held in registry values named with eight-character hex strings
Read more: https://thedfirreport.com/2022/02/21/qbot-and-zerologon-lead-to-full-domain-compromise/