In this blog post we outline a new technology we have recently built. It enables analysts to analyze malware, either fully automated or manually via live interaction, on a Windows 10 analyzer which is fully joined to a domain and has full access to a domain controller.
Why is this technology so exciting?
Dynamic malware analysis systems and sandboxes typically analyze samples on a Windows system which is completely isolated and only has access to the Internet.
This setup does not really reflect the real world. A business laptop or PC is usually part of a larger network with connections to other devices such as PCs, laptops, printers, domain controllers etc.:
This interconnectivity is often used to move laterally to gain higher privileges.
Sandbox Evasion with DC Check
The difference between the sandbox network and a real-world network is big, and malware authors have known this for years. Therefore, we see more and more samples which try to detect sandboxes based on these differences. Rather than scanning the network, these evasive samples usually check whether the system is joined to a domain. A Windows endpoint joined to a domain is a good indicator for a real computer rather than a sandbox analyzer.
Some samples directly compare the environment variables userdomain and logonserver:
Other samples perform Active Directory (AD) checks in VBA via WMI inside malicious Microsoft Office documents:
And some samples directly use Windows APIs for the check:
Since the analyzer is not joined to a domain, the malware won't execute the real payload and so the sandbox fails to detect the sample:
In order to bypass those evasions, we have developed a new feature for Joe Sandbox which allows our customers to analyze a sample on a Windows 10 machine connected to a real domain controller (Windows Server 2019). Some readers might think it would also be possible to directly fake API results (like NetGetJoinInformation). Alas, there are a ton of different ways to check for a domain controller and many of them are undocumented. To win this cat-and-mouse game it is best to have a real setup with a real domain controller:
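An analyst who builds such a setup wants to confirm that the analyzer actually presents the indicators the evasive samples look for before trusting a run. The script below is an added example (not Joe Sandbox code) that applies the two checks named above from the defender's side: the USERDOMAIN / LOGONSERVER / COMPUTERNAME comparison on a supplied environment, and, when run on Windows, a real call to NetGetJoinInformation via ctypes. The host and domain names in the sample environments are constructed.

```python
"""Added example: verify that an analysis VM looks domain-joined.
Not Joe Sandbox code; sample host/domain names below are constructed."""
import sys
import ctypes

# NETSETUP_JOIN_STATUS values returned by NetGetJoinInformation (netapi32)
NETSETUP_UNKNOWN = 0
NETSETUP_UNJOINED = 1
NETSETUP_WORKGROUP = 2
NETSETUP_DOMAIN = 3


def env_says_domain_joined(env):
    """Environment-variable heuristic described in the post: on a
    domain-joined session USERDOMAIN differs from the machine name and
    LOGONSERVER names a host other than the machine itself."""
    computer = env.get("COMPUTERNAME", "").upper()
    userdomain = env.get("USERDOMAIN", "").upper()
    logonserver = env.get("LOGONSERVER", "").lstrip("\\").upper()
    if not computer or not userdomain or not logonserver:
        return False  # missing variables: treat as not joined
    return userdomain != computer and logonserver != computer


def api_join_status():
    """Ask NetGetJoinInformation for the join state.
    Returns (status, name); status is None when not on Windows or on error."""
    if sys.platform != "win32":
        return (None, None)
    from ctypes import wintypes
    netapi32 = ctypes.WinDLL("netapi32", use_last_error=True)
    netapi32.NetGetJoinInformation.argtypes = [
        wintypes.LPCWSTR,
        ctypes.POINTER(wintypes.LPWSTR),
        ctypes.POINTER(wintypes.DWORD),
    ]
    netapi32.NetGetJoinInformation.restype = wintypes.DWORD
    name_buf = wintypes.LPWSTR()
    status = wintypes.DWORD()
    rc = netapi32.NetGetJoinInformation(None, ctypes.byref(name_buf),
                                        ctypes.byref(status))
    if rc != 0:
        return (None, None)
    name = name_buf.value
    netapi32.NetApiBufferFree(name_buf)  # buffer is allocated by netapi32
    return (status.value, name)


def validate_analyzer(env, api_result):
    """Combine both checks; 'consistent' is True only when every available
    source agrees that the host is domain-joined."""
    env_ok = env_says_domain_joined(env)
    status, name = api_result
    api_ok = None if status is None else status == NETSETUP_DOMAIN
    consistent = env_ok and (api_ok is None or api_ok)
    return {"env_joined": env_ok, "api_joined": api_ok,
            "api_name": name, "consistent": consistent}


# Constructed sample environments: a typical isolated sandbox and a
# workstation joined to a (hypothetical) CORP domain with DC01 as logon server.
SANDBOX_ENV = {"COMPUTERNAME": "DESKTOP-ABC123", "USERDOMAIN": "DESKTOP-ABC123",
               "LOGONSERVER": "\\\\DESKTOP-ABC123"}
JOINED_ENV = {"COMPUTERNAME": "WS01", "USERDOMAIN": "CORP",
              "LOGONSERVER": "\\\\DC01"}

if __name__ == "__main__":
    import os
    print("this host:", validate_analyzer(dict(os.environ), api_join_status()))
```

Run it on the analyzer itself to see the live result; on a non-Windows host only the environment heuristic is evaluated. A sandbox whose report says `consistent: False` will fail exactly the samples described above.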
Joe Sandbox completely captures all the network traffic between the main analyzer (Windows 10) and the domain controller.
Running the sample from above now results in full execution of the payload and correct detection:
Besides defeating the AD checks of evasive malware, the new feature has another big benefit: it enables our customers to dynamically analyze lateral movement. Lateral movement refers to the techniques that cybercriminals use, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets. This often includes gaining root access on a domain controller.
Deep Analysis of Lateral Movement
Joe Sandbox performs extensive behavior monitoring on the main analyzer (Windows 10), and we have extended that coverage to the associated analyzer (Windows Server 2019) as well. As a result, analysis reports now contain combined detection results.
Here is an attack using the recent Windows exploits for CVE-2021-42287 and CVE-2021-42278 to gain root access on the domain controller from a standard user account:
The Sigma signature results originate from Sysmon and System event logs on the domain controller. We see detections for abnormal behavior from the attacker system (Windows 10):
and the same for the exploit behavior on the domain controller:
Joe Sandbox customers can download all analysis results of the domain controller, including all event logs in EVTX format:
Customers can also upload their own Sigma and Yara rules. By default, all open source Sigma rules can be easily loaded into Joe Sandbox:
Sigma already has some great rules to detect that a domain controller is compromised:
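To make the combined workstation/domain-controller detection view concrete, here is an added example (not Joe Sandbox code) of a minimal Sigma-style rule evaluator: two constructed rules, one against Sysmon process-creation events from the workstation and one against Security-log event 4742 (a computer account was changed) from the domain controller, are run over a handful of constructed event records, and every hit is tagged with the host it came from. The rules, event contents and host names are illustrations, not rules or data from the post; the evaluator supports only the `contains` / `startswith` / `endswith` modifiers and `and` / `or` / `not` conditions.

```python
"""Added example: evaluate Sigma-style rules over events from two hosts.
Not Joe Sandbox code; rules, events and host names are constructed."""

# Constructed rules in the shape of a Sigma 'detection' section.
RULES = [
    {
        "title": "Encoded PowerShell command line",
        "logsource": {"product": "windows", "service": "sysmon"},
        "detection": {
            "selection": {
                "EventID": 1,
                "Image|endswith": "\\powershell.exe",
                "CommandLine|contains": ["-enc ", "-EncodedCommand"],
            },
            "condition": "selection",
        },
    },
    {
        "title": "Computer account changed by a user account",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "selection": {"EventID": 4742},
            # constructed baseline filter: machine accounts updating themselves
            "filter": {"SubjectUserName|endswith": "$"},
            "condition": "selection and not filter",
        },
    },
]

# Constructed event records, one list for both hosts, each tagged with 'host'.
EVENTS = [
    {"host": "WIN10-ANALYZER", "service": "sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"host": "WIN10-ANALYZER", "service": "sysmon", "EventID": 1,
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe"},
    {"host": "DC01", "service": "security", "EventID": 4742,
     "SubjectUserName": "DC01$", "TargetUserName": "DC01$"},
    {"host": "DC01", "service": "security", "EventID": 4742,
     "SubjectUserName": "lowpriv", "TargetUserName": "NEWPC01$"},
]


def _field_matches(event, key, expected):
    """Match one 'Field|modifier' entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    candidates = expected if isinstance(expected, list) else [expected]
    for cand in candidates:  # a list means OR between the values
        c = str(cand).lower()
        if modifier == "" and actual == c:
            return True
        if modifier == "contains" and c in actual:
            return True
        if modifier == "startswith" and actual.startswith(c):
            return True
        if modifier == "endswith" and actual.endswith(c):
            return True
    return False


def _selection_matches(event, selection):
    """All fields of a selection must match (AND)."""
    return all(_field_matches(event, k, v) for k, v in selection.items())


def _condition_holds(condition, results):
    """Evaluate a flat condition such as 'selection and not filter'."""
    value, op, negate = None, None, False
    for tok in condition.split():
        if tok in ("and", "or"):
            op = tok
            continue
        if tok == "not":
            negate = True
            continue
        v = results[tok] != negate  # apply pending 'not'
        negate = False
        if value is None:
            value = v
        else:
            value = (value and v) if op == "and" else (value or v)
    return bool(value)


def evaluate(rules, events):
    """Return one hit per (event, rule) pair whose condition holds."""
    hits = []
    for ev in events:
        for rule in rules:
            if rule["logsource"].get("service") != ev.get("service"):
                continue
            det = rule["detection"]
            results = {name: _selection_matches(ev, sel)
                       for name, sel in det.items() if name != "condition"}
            if _condition_holds(det["condition"], results):
                hits.append({"host": ev["host"], "EventID": ev["EventID"],
                             "rule": rule["title"]})
    return hits


def hits_per_host(hits):
    """Roll hits up per host, the way a combined report would list them."""
    counts = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in evaluate(RULES, EVENTS):
        print(h)
```

Of the four constructed events, the notepad launch and the domain controller's own machine-account update produce no hit; the encoded PowerShell launch on the workstation and the 4742 event raised by a user account on the domain controller each match one rule, so the summary shows one hit per host. Real Sigma rules are YAML files with the same `detection` structure, so a full evaluator differs mainly in parsing and in the number of supported modifiers.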
Note that the domain controller also offers access to a public share. Ransomware can access and encrypt it:
Again this is fully monitored by Joe Sandbox:
Thanks to the associated analyzer, Joe Sandbox can no longer be evaded with AD checks. Analysis is done on a Windows 10 analyzer which is connected to a real domain controller running Windows Server 2019. AD checks succeed, and the full malware payload is executed.
Analysts can deeply analyze and understand lateral movement (including zero days) from a Windows 10 workstation to a Windows domain controller.
Sigma and Yara rules are applied to data from the workstation as well as the domain controller. This enables automated detection of tools for lateral movement and exploits on the domain controller side.