Threat Research

NetSupport Intrusion Results in Domain Compromise

TheDFIR

An extensive NetSupport RAT intrusion in January 2023 shows attackers using phishing to deliver a malicious JavaScript loader, which then deployed a PowerShell payload to install NetSupport and establish persistence. The operation progressed to domain compromise via OpenSSH, reverse SSH tunneling, discovery with Impacket, NTDS.DIT dumps, and credential access attempts before defenders evicted the intruders. #NetSupport #NTDS.DIT #Impacket #OpenSSH #WDAGUtilityAccount2 #SSH_Tunneling #RDP

Keypoints

  • Initial Access occurred via a ZIP file delivered by email that led to a malicious JavaScript execution and a PowerShell-based NetSupport deployment.
  • Persistence was established through registry Run keys and scheduled tasks, with OpenSSH server enabling remote access and a reverse SSH tunnel for C2.
  • Active reconnaissance followed using Windows utilities (whoami, systeminfo) and Privileged Group/Domain discovery via Impacket tools (atexec.py, wmiexec.py).
  • Lateral movement included firewall modification, SMB-based file transfer, and remote execution of NetSupport components with new C2 endpoints.
  • Domain controller compromise featured NTDS.DIT dumps, 7-zip archiving, and credential access streams (LSASS via ProcDump, event log exfiltration potential).
  • Defense evasion focused on Defender checks/exclusions, disabling Defender features, and masquerading NetSupport binaries (mswow86.exe) as legitimate components.

MITRE Techniques

  • [T1566.001] Phishing – ‘Initial Access began with a ZIP file delivered to a victim through email.’
  • [T1059.001] Windows Command Shell – ‘cmd.exe’ executions and inline command usage during discovery and deployment.
  • [T1059.001] PowerShell – ‘PowerShell script was responsible for deploying NetSupport onto the system’
  • [T1547.001] Registry Run Keys/Startup Folder – ‘establishing persistence using registry run keys.’
  • [T1053.005] Scheduled Task – ‘a scheduled task for persistence on remote hosts and for OpenSSH server configuration.’
  • [T1021.004] SSH – ‘OpenSSH server on the beachhead to facilitate persistence to the machine and network.’
  • [T1572] Protocol Tunneling – ‘reverse SSH tunnel from the beachhead to their own server’
  • [T1090] Proxy – ‘SSH tunnel to proxy connections through the beachhead host to domain controllers.’
  • [T1047] Windows Management Instrumentation – ‘Impacket’s atexec.py and wmiexec.py used for discovery and movement.’
  • [T1082] System Information Discovery – ‘whoami, systeminfo’
  • [T1033] System Owner/User Discovery – ‘discovery of privileged groups and domain joined computers.’
  • [T1069.002] Domain Groups – ‘discovery related to domain groups (Domain Admins, etc.).’
  • [T1003.003] NTDS.DIT – ‘dump NTDS.dit on domain controllers.’
  • [T1003.001] LSASS Memory – ‘dump LSASS on domain controllers using ProcDump.’
  • [T1560.001] Archive Collected Data – ‘7-zip to compress the dumped data (NTDS.dit, logs).’
  • [T1550.002] Pass the Hash – ‘NIM-based tooling used to authenticate via pass-the-hash.’
  • [T1136.001] Create Account – ‘attempt to create a backdoor/local admin account (WDAGUtilityAccount2).
  • [T1021.002] SMB/Windows Admin Shares – ‘SMB-based file transfers to remote hosts and domain controllers.’
  • [T1562.001] Disable or Modify Tools – ‘disable Microsoft Defender and attempt to add exclusions.’
  • [T1036.004] Masquerade – ‘NetSupport components masqueraded as legitimate Windows components (e.g., mswow86.exe).’
  • [T1040] Exfiltration Over C2 Channel – ‘assessed exfiltration of the NTDS.DIT archive over C2 channels (medium confidence).

Indicators of Compromise

  • [Domain] NetSupport C2 Domains – npinmclaugh11[.]com, npinmclaugh14[.]com, and 2 more domains
  • [IP] C2 IPs – 127.0.0.127, 89.185.85.44, and 1 more IP (79.137.206.37)
  • [File] NetSupport components – mswow86.exe, netscan64.exe, and 2 more files
  • [File] NTDS.DIT – nt ds.dit (NTDS.DIT)
  • [File] Logs/Artifacts – mf.txt, start.bat, install.bat, presentationhost.exe
  • [Domain] Additional C2 domains – wsus-isv-local[.]tech, wsus-isv-internal[.]tech
  • [File] Credential/Tooling artifacts – NSM.ini, NSM.lic, client32.ini
  • [URL] Initial C2 URL – http://1otal.com/index/index.php

Read more: https://thedfirreport.com/2023/10/30/netsupport-intrusion-results-in-domain-compromise/

SHARE THIS STORY

WhatsAppX (Twitter)TelegramBlueskyFacebookLinkedInThreadsEmailPrint