Cybersecurity Solutions - Cyber Security Platform | SenseOn


Unmasking Microsoft's Mystery: When Anomalous Scans Are Just Business as Usual

SenseOn was called in to assist a pre-deployment customer with an alert raised by another security product relating to anomalous network behaviour. At the time of the incident, the customer had not yet deployed the SenseOn Universal Sensor to their estate.

The customer informed SenseOn that six devices running Windows had each scanned ports across eight other random machines, running both macOS and Windows. Further information from the customer revealed that the scanning occurred in cycles, each lasting between 30 and 45 seconds and targeting a range of ports on these devices. The customer confirmed that there was no overlap between the devices performing the scanning and the devices receiving the scanning requests. This behaviour was of concern because it could suggest a threat actor enumerating the network to identify further attack vectors.

A SenseOn agent was quickly deployed to their environment and analysts began investigating the telemetry as it was being ingested. In one example we can see a source IP establishing 76 connections to 66 unique ports, all within a one-minute timeframe, against the device with SenseOn deployed. SenseOn identified the ingested telemetry as HTTP, which allowed us to view the user agent associated with these connections. An example screenshot of the telemetry observed can be seen below:

The user agent associated with these connections was ‘Msft-NDR’, which looks to be related to Microsoft network discovery software. A user agent is passed within HTTP(S) connections to identify the user's device and its capabilities to servers and applications.

As SenseOn software maps network connections to process names within single lines of telemetry, deploying the agent to devices assists investigations by allowing analysts to determine the exact source of a network connection.

SenseOn began reviewing the wider customer networks, and a very similar HTTP connection with the ‘Msft-NDR’ user agent had been observed on a range of networks. According to the HTTP telemetry, these connections had been established by the process ‘powershell.exe’ executing unusual commands, as can be seen in the screenshot below:

With the SenseOn software we are able to see that over 100 connections are being made to around 67 ports by the same PowerShell process and command, all within one minute, with some of the connections carrying the ‘Msft-NDR’ user agent.

An example command establishing these connections can be observed below:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive -File "C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\PSScript_{<guid>}.ps1" -ParamsAsBase64 …LDxtYWNBZGRyX2xpc3Q

The base64 encoded data can be decoded to the below:

{
    "ScannerArgs": "{\"IpsToScan\": \"<ip_list>,<ip_list>\",\"Guid\": \"<guid>\",\"MachineId\": \"<MachineId>\",\"MachineConnections\":[{\"DefaultGatewayMac\": \"<MAC ADDRESS>\",\"AdapterId\": \"{<GUID>}\",\"NetworkNames\":[\"<domain>\"]}],\"ScannedDeviceId\": \"<scanner_device>\",\"ExpirationDateTime\": \"2024-06-13T16:01:36.7944108Z\",\"CvesToScan\":[],\"TargetMacs\": \"<macAddr_list>,<macAddr_list>\",\"DeviceIdsToScan\": \"<macAddr_list>,<macAddr_list>\"}",
    "Cert": "<cert_string>"
}

Based on the JSON string above, it appears that scanning arguments are being passed into a PowerShell script. These arguments include factors such as CVE numbers, port numbers, IP addresses, and more.

Pivoting over to the wider process telemetry, we can see that the exact same PowerShell instance originated from a process named ‘SenseIR.exe’, as shown in the telemetry below:

The ‘SenseIR.exe’ process, located in the path ‘C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\’, is related to the legitimate Microsoft Windows Defender Advanced Threat Protection sensor. It is likely performing network discovery to identify vulnerabilities in an environment.

Breaking down this process telemetry, and pivoting across to the network telemetry, it appears that the ‘SenseIR.exe’ process was obtaining PowerShell scripts from the domains ‘winatp-gw-neu3.microsoft[.]com’ and ‘automatedirstrprdneu3.blob.core.windows[.]net’. Both domains look to be related to legitimate Microsoft services for Defender. A connection to each domain can be seen below:

These scripts look to have been downloaded to the path ‘C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\’, with each script name containing a unique GUID. Once a script has been downloaded, and before it is executed, the hash of the file is compared to a legitimate Defender hash to verify that no download interception has occurred.

Analysis of the GUID-named scripts suggests that this relates to something called ‘UnicastScanner’, which is referenced within one of the scripts. This looks to be related to the scanning tool: some of the functions observed perform checks against the system as well as against the base64 arguments passed in. Reviewing Microsoft's documentation, this appears to match the Defender device discovery scripts; it is noted that devices will be actively probed by Defender (https://learn.microsoft.com/en-us/defender-endpoint/device-discovery-faq).

SenseOn offers a range of detection capabilities for identifying suspicious enumeration activities like the ones observed here. For instance, SenseOn can detect Base64-encoded PowerShell commands within the process telemetry. We’re also able to observe when abnormal processes are conducting large volumes of scanning-related behaviour.
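The investigation above, condensed into code as an added example (this is not SenseOn's or Microsoft's code): flag port fan-out from one process inside a one-minute window, decode the -ParamsAsBase64 argument into its nested ScannerArgs JSON, and only treat the burst as Defender device discovery when the PowerShell instance was spawned by SenseIR.exe and its connections carry the Msft-NDR user agent. The telemetry schema, field names and the ws01/4321 sample values are assumptions; angle-bracket values are placeholders.

```python
import base64
import json
import re
from collections import defaultdict

# Constructed telemetry (not SenseOn's schema); values in <angle brackets> are placeholders.
SCANNER_ARGS = {"IpsToScan": "<ip_list>", "CvesToScan": [], "Guid": "<guid>"}
PARAMS_B64 = base64.b64encode(json.dumps(
    {"ScannerArgs": json.dumps(SCANNER_ARGS), "Cert": "<cert_string>"}).encode()).decode()
PROCESS = {"host": "ws01", "pid": 4321, "parent_image": "SenseIR.exe",
           "cmdline": "powershell.exe -ExecutionPolicy Bypass -NoProfile -NonInteractive "
                      '-File "PSScript_{<guid>}.ps1" -ParamsAsBase64 ' + PARAMS_B64}
# 76 connections to 66 distinct ports inside one minute, some carrying the Msft-NDR user agent
CONNECTIONS = [{"host": "ws01", "pid": 4321, "ts": i * 0.7, "dst_port": 1000 + i % 66,
                "user_agent": "Msft-NDR" if i % 3 == 0 else None} for i in range(76)]

def decode_params(cmdline):
    """Decode -ParamsAsBase64 and return the nested ScannerArgs dict, or None if absent/invalid."""
    m = re.search(r"-ParamsAsBase64\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        outer = json.loads(base64.b64decode(m.group(1)))
        return json.loads(outer["ScannerArgs"])  # ScannerArgs is itself a JSON string
    except (ValueError, KeyError, TypeError):
        return None

def find_port_fanout(conns, window=60.0, min_ports=20):
    """Map (host, pid) -> max distinct destination ports seen within any `window` seconds,
    for processes reaching at least `min_ports` ports (the scan signature described above)."""
    by_proc = defaultdict(list)
    for c in conns:
        by_proc[(c["host"], c["pid"])].append(c)
    hits = {}
    for key, evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = {e["dst_port"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(ports) >= min_ports:
                hits[key] = max(hits.get(key, 0), len(ports))
    return hits

def triage(proc, conns):
    """Call it Defender device discovery only when the PowerShell instance was spawned by
    SenseIR.exe, carries decodable ScannerArgs and its connections use Msft-NDR; else escalate."""
    args = decode_params(proc["cmdline"])
    ndr = any(c.get("user_agent") == "Msft-NDR" for c in conns if c["pid"] == proc["pid"])
    defender = proc["parent_image"].lower() == "senseir.exe" and args is not None and ndr
    return {"verdict": "likely Defender device discovery" if defender else "unexplained scan, escalate",
            "ips_to_scan": args.get("IpsToScan") if args else None}
```

A real deployment would additionally confirm the script hash check the article describes and the parent's path; the lineage and user-agent checks here are the minimum needed to separate this benign case from a scan launched by an unrelated parent.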