I am starting to see a new pattern of ScreenConnect-style attacks (via phishing) that always leaves some automatic remediations unable to complete. The components of this are twofold, and I am hoping that maybe with this feedback, it can become more automated in the future.
These issues always seem to manifest as a permissions-related issue with deleting the infected folders. This occurs for one of two reasons:
  • The permissions are truly locked down on the folder and have to be forcefully re-added to a local administrator so deletion can occur. In both cases I have seen, I have had to use the following commands to allow deletion:
takeown /f "<insert path to folder/file here>" /r /d y
icacls "<insert path to folder/file here>" /grant Administrators:F /t /c /q
Sometimes, though, this is not even enough, and the reason for it is worrisome. These ScreenConnect attacks have gone so far as to modify a key registry value that injects a malicious DLL file upon boot, even in safe mode. The path to the key is:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Lsa\Authentication Packages
Normally, this key only reads "msv1_0"; however, on an infected machine, it will have the path to a malicious DLL appended to the end. Subsequently the DLLs cannot be deleted until this appended path is removed and the system is rebooted.
I suspect that if the automated response is aware of these needed changes, it might be able to be removed without our direct intervention.
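The two checks the post describes (an unexpected entry in the LSA "Authentication Packages" value, and a dropped folder whose ACL blocks deletion) can be scripted together. The following is an added example and not code from the original post or from any vendor's automated response; it assumes it runs elevated, that "Authentication Packages" is the REG_MULTI_SZ value under the Lsa key (the post names the key path), that the only expected entry is "msv1_0", and it takes a hypothetical -QuarantinePath parameter for the folder left behind by the intrusion.

```powershell
# Added example (not from the original post). Audit the LSA "Authentication Packages"
# value, optionally reset it to the default, and repair ownership/ACLs on a dropped folder.
# Assumptions: elevated session; default content of the value is exactly "msv1_0".
param(
    [switch]$Remediate,        # without this switch the script only reports
    [string]$QuarantinePath    # hypothetical: folder the intrusion left behind
)

$valueName = 'Authentication Packages'
$expected  = @('msv1_0')
# The post names ControlSet001; CurrentControlSet normally maps to the same set, so check both.
$lsaKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
    'HKLM:\SYSTEM\ControlSet001\Control\Lsa'
)

$rebootNeeded = $false
foreach ($key in $lsaKeys) {
    if (-not (Test-Path $key)) { continue }
    # REG_MULTI_SZ comes back as a string array; each element is one package entry.
    $current    = @((Get-ItemProperty -Path $key -Name $valueName).$valueName)
    $unexpected = @($current | Where-Object { $expected -notcontains $_ })

    if ($unexpected.Count -eq 0) {
        Write-Output "$key : $valueName is clean ($($current -join ', '))"
        continue
    }

    # Anything other than msv1_0 (e.g. a path to a DLL) is reported as a finding.
    Write-Warning "$key : unexpected entries in $valueName -> $($unexpected -join ', ')"
    if ($Remediate) {
        # Keep msv1_0; removing it would break interactive logon.
        Set-ItemProperty -Path $key -Name $valueName -Value $expected -Type MultiString
        $rebootNeeded = $true
    }
}

# Ownership/ACL repair: the takeown + icacls pair from the post, wrapped so the
# path only has to be supplied once.
if ($Remediate -and $QuarantinePath -and (Test-Path $QuarantinePath)) {
    takeown.exe /f $QuarantinePath /r /d y | Out-Null
    icacls.exe $QuarantinePath /grant 'Administrators:F' /t /c /q | Out-Null
    Write-Output "Ownership and Administrators:F granted on $QuarantinePath"
}

if ($rebootNeeded) {
    # The injected DLL stays loaded by LSASS until restart, so deletion is attempted after reboot.
    Write-Output "Registry reset; reboot before deleting the DLL(s) under $QuarantinePath"
}
```

Run it first without -Remediate to see what the value contains on a suspect host; with -Remediate it restores the default list and fixes the folder ACL, and the DLL delete itself is deferred until after the reboot the post notes is required.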