Anatomy of a Server Attack

Bit9’s Chris Lord gives us an inside glimpse and forensic analysis of a server attack thwarted by Bit9 Parity.

I often assist my colleagues in incident response and forensic reconstruction. Not long ago we had a customer engage us after they detected an attack on a server that Bit9 successfully prevented. Servers are frequent targets of APTs because they are gatekeepers, keymasters or IP (intellectual property) asset vaults. As Michael Bilancieri discussed in his blog about servers, we see server-based attacks increasing across many different companies. In this case, the attack was against a domain controller and the attacker was after domain credentials.

In this post, I’ll share a high-level reconstruction of the timeline from the point of exploit through to termination. I have altered all customer-identifiable data, but the rest of the details are accurate in their entirety. First, let’s take a little digression into how this reconstruction is possible.

Time Machine

The Bit9 solution acts as both a passive sensor on the endpoint and an active enforcer of policy, depending on configuration. As a sensor, it has built-in record and replay capabilities that let you look back in time at past process, file, registry and memory activity, as well as policy auditing and enforcement actions: a DVR for the endpoint. The level of detail recorded varies over time. Sticking with the DVR analogy, the frame rate is highest for activity in the recent past, since information resides in caches (hours), in persistent message queues (days), in persistent state (weeks), and in the event and file activity reported to the server (months). When captured within days, the fidelity of this recording makes it possible to construct a fairly complete picture of what happened.

The Usual Suspects

The attack targeted a Microsoft Windows Server 2008 R2 x64 domain controller using a combination of built-in tools (including at.exe, sc.exe, reg.exe, and winrs.exe) and prebuilt hack tools. All of these were initiated from an already compromised system with local (but not domain) administrative rights and under the interactive control of an attacker. The attack is consistent with an attempt to convert local administrative rights into domain administrative rights and obtain additional account information that can sustain a much larger and more damaging attack. Pentestmonkey has a nice summary of the approaches and tools that are often used, including some used here.

full report

A Peek into the Past

This reconstruction was based only on Bit9 data obtained off the targeted system within a week of the attack. At the time, I did not have access to the target system, firewall or server logs, the files involved in the attack or other information that would have helped provide an even more detailed and comprehensive picture.


There are three key observations from this unsuccessful attempt to obtain domain account information:

  1. Interactive. This attack is interactive with a real person sitting at the other end. You can see this in the timing and occasional typos and extra spaces in commands. You can also sense the increase in frustration as the attack progresses—or rather, fails to progress. The total attack took close to an hour, after which the attacker probably moved on to a different target. But it is safe to assume that if the compromised system remained in place, the attacker would try again after analyzing this failure. That’s the very real persistent in advanced persistent threat.
  2. Admin Rights. What I like about this case in particular is the attacker already had access as a local administrator on the compromised system and yet was still thwarted in his attempt to migrate to the domain controller. Removing administrative rights is an effective means to reduce exposure to vulnerabilities and improve endpoint security but it isn’t always practical, which is why security solutions that are effective despite administrative rights are necessary.
  3. Unsophisticated. Marketing aside, there isn’t often an advanced in advanced persistent threat. Attacks are only as advanced as needed—and what is needed is generally not that sophisticated. The attacker here was using prebuilt tools that have been widely available for years, a dropper that had been employed in previous attacks, and standard built-in administration tools.

Just because the attempt was unsuccessful doesn’t mean there aren’t things we can learn. Here are two:

  1. Indications of compromise aren’t always tricky correlations. Sometimes all you need is an alert on a specific unexpected event. Servers—particularly domain controllers—are like fixed function systems. There is a class of events that are indicators of compromise with very little additional context. For example, the appearance of any new unapproved file on a server is almost always a bad sign.
  2. Use caution in delegating security decisions to end users. Security products—including those from Bit9—provide the ability to let users make the decision to run unapproved or unknown software. This permission is frequently granted to power users or administrators on the assumption that such users know what they are doing and will exercise good judgment—but that isn’t always the case. If these accounts are compromised, then an attacker may be able to run unapproved software.
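The first lesson above, sketched as detection logic. This is an added example, not code from the original post or from Bit9; the event schema, host names, paths and file identifiers are all constructed, and the identifiers are placeholders standing in for real file hashes.

```python
from collections import namedtuple

Event = namedtuple("Event", "ts host action path file_id user")

# Assumed inventory: fixed-function servers and the file identifiers approved
# on each (hashes in practice; labelled placeholders here).
APPROVED = {"dc01": {"HASH-LSASS", "HASH-NTDSUTIL"}}

# Constructed events for illustration only; not taken from the incident.
EVENTS = [
    Event("02:14:05", "dc01", "execute", r"C:\Windows\System32\lsass.exe", "HASH-LSASS", "SYSTEM"),
    Event("02:31:40", "dc01", "file_create", r"C:\Windows\Temp\svc_update.exe", "HASH-UNKNOWN-1", "localadmin"),
    Event("02:31:52", "dc01", "execute", r"C:\Windows\Temp\svc_update.exe", "HASH-UNKNOWN-1", "localadmin"),
    Event("02:40:11", "dc01", "file_write", r"C:\Windows\System32\ntdsutil.exe", "HASH-UNKNOWN-2", "localadmin"),
    Event("02:41:00", "ws17", "file_create", r"C:\Users\bob\Downloads\tool.exe", "HASH-UNKNOWN-3", "bob"),
]

WATCHED = {"file_create", "file_write", "execute"}


def unapproved_file_alerts(events, approved=APPROVED):
    """Alert the first time an unapproved file appears or runs on a
    fixed-function host. The single event is the indicator; nothing is
    correlated. Approval is by content, so an approved path that is
    overwritten with new content also alerts."""
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        allowed = approved.get(ev.host)
        if allowed is None:          # host is not a fixed-function server
            continue
        if ev.action not in WATCHED or ev.file_id in allowed:
            continue
        key = (ev.host, ev.file_id)
        if key not in alerts:
            alerts[key] = {"first_seen": ev.ts, "host": ev.host, "path": ev.path,
                           "file_id": ev.file_id, "user": ev.user, "executed": False}
        if ev.action == "execute":   # the unapproved file was also launched
            alerts[key]["executed"] = True
    return list(alerts.values())


if __name__ == "__main__":
    for alert in unapproved_file_alerts(EVENTS):
        print(alert)
```
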

Security is never a game that is won or a job that is done. It is about increasing the stakes for attackers by preventing and containing damage and shedding light where it might otherwise not shine. Bit9 helps you do that.

Get your free 5 day trial of the Bit9 Parity Suite and leverage the power of threat protection.

Anatomy of a Server Attack | Bit9 Blog.
