Microsoft has detected exploits being used to compromise systems running the ZOHO ManageEngine ADSelfService Plus software versions vulnerable to CVE-2021-40539 in a targeted campaign.

Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures. MSTIC previously highlighted DEV-0322 activity related to attacks targeting the SolarWinds Serv-U software with a 0-day exploit.

As with any observed nation-state actor activity, Microsoft notifies customers that have been targeted or compromised, providing them with the information they need to help secure their accounts. Our colleagues at Palo Alto Unit 42 have also highlighted this activity in their recent blog. We thank Unit 42 for their collaboration as industry partners and ongoing efforts to protect customers. We would also like to thank our partners in Black Lotus Labs at Lumen Technologies for their contributions to our efforts to track and mitigate this threat.

This blog shares what Microsoft has observed in the latest DEV-0322 campaign and informs our customers of protections in place through our security products. We have not observed any exploit of Microsoft products in this activity.

MSTIC uses DEV-# designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.

In this campaign, DEV-0322 was observed performing credential dumping using the following commands:

DEV-0322 also occasionally deployed a tool to specifically read security event logs and look for Event ID 4624 events. Next, their tool would collect domains, usernames, and IP addresses and write them to the file elrs.txt. They typically called this tool elrs.exe, and below is an example of how they would call it:

After gaining credentials, DEV-0322 was observed moving laterally to other systems on the network and dropping a custom IIS module with the following command:

The gac.exe binary installs ScriptModule.dll into the Global Assembly Cache before using AppCmd. AppCmd.exe is a command line tool included in IIS 7+ installations used for server management. This module hooks into the BeginRequest IIS HTTP event and looks for custom commands and arguments being passed via the Cookies field of the HTTP header.

Figure 1: Encoded request from the controller to the victim machine

The custom IIS module supports execution of cmd.exe and PowerShell commands. It also provides DEV-0322 with the ability to direct download and upload of files to and from a compromised IIS web server.

The module also observes incoming authentication credentials and captures them; it then encodes these and writes them to the following path: C:\ProgramData\Microsoft\Crypto\RSA\key.dat

If this module receives the command "ccc," it drops a file c:\windows\temp\ccc.exe. Below is an example command from the w3wp.exe process after ccc.exe is dropped:

Figure 2: The Base64-encoded ccc.exe contained inside the IIS module backdoor

The dropped ccc.exe is a .NET program that launches cmd.exe with an argument and sends any output back to the controller.
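A defender-side hunt for the traces this IIS module leaves on a web server, added here as an example; it is not part of the MSTIC post or of any Microsoft tooling. It takes the two file paths and the ScriptModule.dll name from the text above, assumes the IIS WebAdministration PowerShell module is installed on the host, and treats the System.Web/Microsoft type-name prefixes as an assumed baseline for built-in managed modules.

```powershell
# Added hunt script, not from the MSTIC post. Assumes the WebAdministration module is present.
# Artifact paths and the ScriptModule.dll name come from the post; the prefix baseline is an assumption.
Import-Module WebAdministration -ErrorAction Stop
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($check, $detail) {
    $findings.Add([pscustomobject]@{ Check = $check; Detail = $detail })
}

# 1. Files the post says the module writes (captured credentials) or drops (ccc.exe).
foreach ($p in @('C:\ProgramData\Microsoft\Crypto\RSA\key.dat', 'C:\Windows\Temp\ccc.exe')) {
    if (Test-Path -LiteralPath $p) {
        Add-Finding 'ArtifactPath' ("{0} (modified {1})" -f $p, (Get-Item -LiteralPath $p).LastWriteTime)
    }
}

# 2. The backdoor assembly is installed into the Global Assembly Cache as ScriptModule.dll.
foreach ($root in @("$env:windir\Microsoft.NET\assembly", "$env:windir\assembly")) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'ScriptModule.dll' -ErrorAction SilentlyContinue |
            ForEach-Object { Add-Finding 'GacAssembly' $_.FullName }
    }
}

# 3. Managed modules registered server-wide in applicationHost.config. Built-in IIS managed
#    modules use System.Web.* or Microsoft.* types (assumed baseline); anything else was added
#    after install. This is a heuristic, so reconcile every hit with your change records.
Get-WebConfiguration -Filter 'system.webServer/modules/add' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    ForEach-Object {
        $type = [string]$_.type
        if ($type -and -not ($type.StartsWith('System.Web') -or $type.StartsWith('Microsoft.'))) {
            Add-Finding 'UnexpectedManagedModule' ("{0} -> {1}" -f $_.name, $type)
        }
    }

# 4. Native global modules whose image lives outside the IIS install directory.
#    applicationHost.config stores images with %windir% unexpanded, so expand before comparing.
$inetsrv = Join-Path $env:windir 'System32\inetsrv'
Get-WebConfiguration -Filter 'system.webServer/globalModules/add' -PSPath 'MACHINE/WEBROOT/APPHOST' |
    ForEach-Object {
        $image = [Environment]::ExpandEnvironmentVariables([string]$_.image)
        if ($image -and -not $image.StartsWith($inetsrv, [StringComparison]::OrdinalIgnoreCase)) {
            Add-Finding 'GlobalModuleImage' ("{0} -> {1}" -f $_.name, $image)
        }
    }

if ($findings.Count -eq 0) { 'No DEV-0322 IIS module indicators found.' }
else { $findings | Format-Table -AutoSize }
```

Run it in an elevated session on each IIS host; a clean result only means these specific artifacts are absent, so pair it with the credential-dumping and lateral-movement telemetry the post describes.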