Undermining the trust boundary: Investigating a stealthy intrusion through third-party compromise
A sophisticated threat actor compromised a third-party IT services provider to abuse legitimate HPE Operations Agent infrastructure, enabling stealthy execution and discovery. The attackers established persistence and harvested credentials using malicious network provider and password filter DLLs on domain controllers, while utilizing web shells and ngrok tunnels to maintain long-term, undetected access.
Authors: Microsoft Incident Response, Microsoft Threat Intelligence
Source: Microsoft
- C:\ProgramData\WindowsUpdateService\UpdateDir\Ipd - File path used by the malicious password filter DLL to store double-encoded captured credentials.
- C:\Users\Public\Music\abc123c.d - File path used by the malicious network provider DLL to store captured cleartext credentials.
What Happened
Attackers broke into a company's network by first hacking the outside IT service provider that manages their systems. Once inside, they used the company's own trusted management tools to secretly steal passwords and set up hidden backdoors. This allowed the attackers to move around the network and maintain access for months without setting off alarms. Organizations should closely monitor the tools used by their IT vendors and ensure strict security controls are in place to catch unusual behavior.
Key Takeaways
- Threat actors compromised a third-party IT service provider to abuse legitimate HPE Operations Agent (OA) infrastructure for stealthy execution.
- Credential harvesting was achieved by registering malicious network provider and password filter DLLs to capture cleartext passwords during authentication events.
- Persistence was maintained via web shells on internet-facing servers and ngrok tunnels to facilitate inbound RDP access.
- The attack avoided custom malware and exploits, relying heavily on living-off-the-land (LotL) techniques and implicit trust relationships.
- Stolen credentials were double-encoded and staged in disguised files (e.g., icon02.jpeg) for exfiltration via SMB or SMTP.
Affected Systems
- Windows Server
- Active Directory Domain Controllers
- HPE Operations Agent (OA)
- HPE Operations Manager (HPOM)
Attack Chain
The threat actor gained initial access by compromising a third-party IT provider, using HPE Operations Manager to deploy discovery VBScripts (abc003.vbs). They established persistence on web servers using web shells (Errors.aspx, ghost.inc) and deployed ngrok to tunnel RDP traffic for lateral movement. To harvest credentials, they registered malicious network provider (mslogon.dll) and password filter (passms.dll) DLLs on Domain Controllers, capturing cleartext passwords during authentication events. Finally, a custom module (msupdate.dll) was used to encode and stage the stolen credentials into disguised files (icon02.jpeg) for exfiltration.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: Yes
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: Microsoft Defender XDR
The article provides KQL advanced hunting queries for Microsoft Defender XDR to detect unsigned or unverified DLLs configured as LSA notification packages or network providers.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions have strong visibility into registry modifications for LSA and Network Providers, unsigned DLL loads in LSASS, and anomalous child processes from web servers.
- Network Visibility: Medium — ngrok tunnels encrypt traffic, hiding the RDP payload, but the initial ngrok connection and DNS requests to known malicious domains can be detected.
- Detection Difficulty: Moderate — The use of legitimate IT management tools (HPE OA) and trusted relationships makes initial access hard to detect. However, the registry modifications for password filters and network providers are well-known persistence mechanisms that are highly detectable.
Required Log Sources
- Windows Security Event Log (Event ID 4657 - Registry value modified)
- Sysmon Event ID 7 (Image loaded)
- Sysmon Event ID 11 (File Create)
- Sysmon Event ID 1 (Process Creation)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for unsigned or unverified DLLs being loaded by LSASS or registered in the LSA Notification Packages registry key. | Registry modification events and Image Load events. | Credential Access | Low |
| Search for unexpected modifications to the NetworkProvider Order registry key pointing to unsigned DLLs. | Registry modification events. | Credential Access | Low |
| Identify web server processes (e.g., w3wp.exe) writing executable files (.inc, .aspx) to temporary directories or modifying existing application files. | File creation and modification events. | Persistence | Medium |
| Detect the execution of ngrok or similar tunneling tools originating from internal servers, especially followed by inbound RDP connections. | Process creation and network connection events. | Command and Control | Medium |
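The third and fourth hypotheses in the table can be exercised against Sysmon telemetry before they are turned into production rules. The PowerShell below is an added example written for this summary, not code from Microsoft's write-up: it runs two hunting rules over a handful of constructed Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection, Event ID 11 file creation). The event objects, their process GUIDs and timestamps are invented for illustration, and the lists of tunnel binary names and script extensions are assumptions a team would tune for its own estate.

```powershell
# Added example (not from the Microsoft article). Constructed Sysmon-style
# records; in practice build the same objects from
# Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational'.
$events = @(
    [pscustomobject]@{ Id=11; Time=[datetime]'2024-01-10T09:00:00'; Image='C:\Windows\System32\inetsrv\w3wp.exe'; TargetFilename='C:\Windows\temp\ghost.inc' }
    [pscustomobject]@{ Id=11; Time=[datetime]'2024-01-10T09:00:05'; Image='C:\Windows\System32\inetsrv\w3wp.exe'; TargetFilename='C:\inetpub\wwwroot\app\Errors.aspx' }
    # Benign: ASP.NET compiling a page into its temp folder (should not fire)
    [pscustomobject]@{ Id=11; Time=[datetime]'2024-01-10T09:01:00'; Image='C:\Windows\System32\inetsrv\w3wp.exe'; TargetFilename='C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\root\App_Web_x.dll' }
    # Renamed tunnel binary (hypothetical GUIDs) that then connects to local RDP
    [pscustomobject]@{ Id=1;  Time=[datetime]'2024-01-10T10:00:00'; Image='C:\Users\Public\ng.exe'; OriginalFileName='ngrok.exe'; ProcessGuid='{guid-1}' }
    [pscustomobject]@{ Id=3;  Time=[datetime]'2024-01-10T10:00:02'; Image='C:\Users\Public\ng.exe'; ProcessGuid='{guid-1}'; Initiated=$true; DestinationIp='127.0.0.1'; DestinationPort=3389 }
    [pscustomobject]@{ Id=1;  Time=[datetime]'2024-01-10T11:00:00'; Image='C:\Windows\System32\notepad.exe'; OriginalFileName='NOTEPAD.EXE'; ProcessGuid='{guid-2}' }
)

function Find-WebShellWrites {
    # Hypothesis 3: the IIS worker process should never create server-side
    # script files; compiled ASP.NET artifacts (.dll) are excluded by design.
    param([object[]]$Events)
    $scriptExt = '\.(aspx|ashx|asmx|inc|php|jsp)$'   # assumed extension list
    $Events | Where-Object {
        $_.Id -eq 11 -and
        (Split-Path $_.Image -Leaf) -ieq 'w3wp.exe' -and
        $_.TargetFilename -imatch $scriptExt
    } | ForEach-Object {
        [pscustomobject]@{ Rule='WebServerWritesScript'; Time=$_.Time; Detail=$_.TargetFilename }
    }
}

function Find-RdpTunnels {
    # Hypothesis 4: a known tunnelling binary (matched on the PE's
    # OriginalFileName, so renaming does not help) that opens a connection
    # to port 3389 shortly after it starts. A reverse tunnel agent dials the
    # local RDP listener itself, which is what Event ID 3 records.
    param([object[]]$Events, [int]$WindowMinutes = 10)
    $tunnelNames = @('ngrok.exe', 'cloudflared.exe', 'chisel.exe')  # assumed list
    $starts = $Events | Where-Object { $_.Id -eq 1 -and $_.OriginalFileName -in $tunnelNames }
    foreach ($s in $starts) {
        $renamed = (Split-Path $s.Image -Leaf) -ine $s.OriginalFileName
        $rdp = @($Events | Where-Object {
            $_.Id -eq 3 -and $_.ProcessGuid -eq $s.ProcessGuid -and
            $_.Initiated -and $_.DestinationPort -eq 3389 -and
            $_.Time -ge $s.Time -and $_.Time -le $s.Time.AddMinutes($WindowMinutes)
        })
        if ($rdp.Count -gt 0) {
            [pscustomobject]@{
                Rule   = 'TunnelToLocalRdp'
                Time   = $s.Time
                Detail = "$($s.Image) (OriginalFileName=$($s.OriginalFileName), renamed=$renamed) -> $($rdp[0].DestinationIp):3389"
            }
        }
    }
}

$hits = @(Find-WebShellWrites $events) + @(Find-RdpTunnels $events)
$hits | Sort-Object Time | Format-Table -AutoSize
```

The first rule is deliberately narrow (script extensions only) so that normal ASP.NET compilation under Temporary ASP.NET Files does not raise it; the second keys on OriginalFileName rather than the on-disk name precisely because the intrusion used a renamed binary (ng.exe). Both rules are starting points for the medium false-positive risk the table assigns them, not finished detections.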
Control Gaps
- Lack of EDR on internet-facing web servers
- Implicit trust in third-party management tools without behavioral validation
- Permissive outbound network access allowing ngrok tunnels
Key Behavioral Indicators
- Unsigned DLLs in C:\Windows\System32\ loaded by LSASS
- Cleartext credentials written to unusual paths like C:\Users\Public\Music\
- PowerShell loading DLLs via System.Reflection.Assembly::LoadFrom
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Deploy EDR to all endpoints, especially internet-facing servers.
- Review LSA Notification Packages and Network Provider registry keys for unauthorized DLLs.
- Search for and remove unauthorized web shells and tunneling tools like ngrok.
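The KQL queries described earlier and the recommendation above to review the LSA Notification Packages and Network Provider keys can be complemented with a local audit on each domain controller. The PowerShell below is an added example, not code from the Microsoft article: it enumerates both registry locations, resolves each entry to the DLL it points at, and reports any file that is missing, unsigned, or not Microsoft-signed. The "Microsoft" subject check and the verdict labels are my own assumptions; legitimate third-party network providers (VPN or remote-access clients, for example) will be reported as SignedNonMicrosoft and have to be allow-listed by hand.

```powershell
# Added example (not from the Microsoft article). Run elevated on each
# domain controller; all paths and verdict names are assumptions.

function Get-LsaNotificationPackageDlls {
    # 'Notification Packages' is a REG_MULTI_SZ of DLL base names (no
    # extension) that LSASS loads from System32 as password filters.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $names = (Get-ItemProperty -Path $key -Name 'Notification Packages').'Notification Packages'
    foreach ($n in $names) {
        if ([string]::IsNullOrWhiteSpace($n)) { continue }
        [pscustomobject]@{
            Source = 'LSA Notification Packages'
            Entry  = $n
            Path   = Join-Path $env:SystemRoot "System32\$n.dll"
        }
    }
}

function Get-NetworkProviderDlls {
    # ProviderOrder is a comma-separated REG_SZ; each name owns a
    # Services\<name>\NetworkProvider key whose ProviderPath is the DLL.
    $orderKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order'
    $order    = (Get-ItemProperty -Path $orderKey -Name 'ProviderOrder').ProviderOrder
    foreach ($n in ($order -split ',')) {
        $n = $n.Trim()
        if (-not $n) { continue }
        $svcKey   = "HKLM:\SYSTEM\CurrentControlSet\Services\$n\NetworkProvider"
        $provPath = (Get-ItemProperty -Path $svcKey -Name 'ProviderPath' -ErrorAction SilentlyContinue).ProviderPath
        if ($provPath) { $provPath = [Environment]::ExpandEnvironmentVariables($provPath) }
        [pscustomobject]@{ Source = 'NetworkProvider Order'; Entry = $n; Path = $provPath }
    }
}

function Test-TrustedDll {
    # Verdict labels are assumed; anything other than 'Trusted' needs review.
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'MissingFile' }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { return "Unsigned/$($sig.Status)" }
    # Built-in entries (scecli, rassfm, ntlanman, ...) carry a Microsoft signer.
    if ($sig.SignerCertificate.Subject -notmatch 'Microsoft') { return 'SignedNonMicrosoft' }
    return 'Trusted'
}

$findings = (@(Get-LsaNotificationPackageDlls) + @(Get-NetworkProviderDlls)) |
    ForEach-Object {
        $_ | Add-Member -NotePropertyName Verdict -NotePropertyValue (Test-TrustedDll $_.Path) -PassThru
    }

$findings | Format-Table -AutoSize
$findings | Where-Object Verdict -ne 'Trusted' | ForEach-Object {
    Write-Warning "Review $($_.Source) entry '$($_.Entry)' -> $($_.Path): $($_.Verdict)"
}
```

A MissingFile verdict is itself worth a look: an entry that no longer resolves to a DLL may be a leftover from a removed implant, and Notification Packages entries are loaded only at the next LSASS start, so a freshly added name will not yet appear in Sysmon Event ID 7 image loads. Pair the audit with Event ID 4657 on both keys so that additions are seen when they happen rather than at the next sweep.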
Infrastructure Hardening
- Implement a default-deny egress filtering model to block unauthorized outbound connections.
- Remove unnecessary software and tools from servers to reduce the attack surface.
- Implement the enterprise access model to contain privilege escalation.
User Protection
- Enforce MFA for all administrative access, including third-party service providers.
- Monitor and restrict RDP access, ensuring it is only allowed from authorized management jump boxes.
Security Awareness
- Train SOC analysts to monitor trusted third-party management tools for anomalous behavior.
- Establish strict validation and monitoring policies for third-party IT service providers.
MITRE ATT&CK Mapping
- T1199 - Trusted Relationship
- T1505.003 - Server Software Component: Web Shell
- T1556.002 - Modify Authentication Process: Password Filter DLL
- T1056.002 - Input Capture: GUI Input Capture
- T1572 - Protocol Tunneling
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1047 - Windows Management Instrumentation
Additional IOCs
- Domains:
  - dREDEACTEDe[.]net - Redacted malicious domain used for discovery and command-and-control communication.
- Registry Keys:
  - HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages - Registry key modified to load the malicious password filter DLL (passms.dll).
  - HKLM\SYSTEM\CurrentControlSet\Control\NetworkProvider\Order\ProviderOrder - Registry key modified to register the malicious network provider DLL.
- File Paths:
  - C:\Windows\System32\mslogon.dll - Path to the malicious network provider DLL.
  - C:\Windows\temp\ghost.inc - Path to the secondary web shell.
  - C:\Windows\System32\Com\msupdate.dll - Path to the custom module used for encoding and exfiltrating credentials.
  - C:\Users\Public\ng.exe - Path to the ngrok executable used for tunneling RDP connections.
- Command Lines:
  - Purpose: Load and execute the msupdate.dll module via PowerShell reflection to process stolen credentials. | Tools: powershell.exe, msupdate.dll | Stage: Exfiltration
- Other:
  - icon02.jpeg - File used to store encoded credentials over SMB to blend with legitimate image assets.
  - abc003.vbs - VBScript deployed via HPE Operations Manager for system and Active Directory discovery.