I have suspicious activity detected when SAP B1 was being connected to the SQL Server. Three rules have been triggered during this activity in the following order:
- Decode - Deobfuscate/Decode Files or Information - Defense Evasion
- A Mimikatz command has been detected. - This is the tactic for Credential Access
- A New Service Via PowerShell has been created for Privilege Escalation. Below is the code for the new service which was created.
[
{
"script_data": "# import -----------------------------------------------------------------------
. \"$PSScriptRoot/WizardUtils_system.ps1\"
# ------------------------------------------------------------------------------
# global variables -------------------------------------------------------------
$LICENSE_ROOT = \"${env:USER_INSTALL_DIR}\\SAP Business One ServerTools\\License Service\"
#-------------------------------------------------------------------------------
function License::NamingService::Create() {
New-Service -Name 'TAO_NT_Naming_Service' `
-DisplayName 'TAO NT Naming Service (64-bit)' `
-Description 'TAO NT Naming Service (64-bit) for SAP Business One License Manager (64-bit)' `
-BinaryPathName \"${LICENSE_ROOT}\\service\\TAO_NT_CosNaming.exe\"`
-StartupType 'Manual'
}
function License::NamingService::Remove() {
if (Get-Service -Name 'TAO_NT_Naming_Service' -ErrorAction Ignore) {
SystemService::Stop -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00' -ErrorAction SilentlyContinue
SystemService::Remove -Name 'TAO_NT_Naming_Service'
}
}
function License::NamingService::Start() {
SystemService::Start -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00'
}
function License::NamingService::Stop() {
SystemService::Stop -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00' -ErrorAction SilentlyContinue
}
function License::LicenseService::Create() {
New-Service -Name \"B1LicenseService\" `
-DisplayName \"SAP Business One License Manager (64-bit)\" `
-Description \"SAP Business One License Manager (64-bit)\" `
-BinaryPathName \"${LICENSE_ROOT}\\service\\B1_License.exe\" `
-StartupType 'Manual' `
-DependsOn 'TAO_NT_Naming_Service'
}
function License::LicenseService::Remove() {
if (Get-Service -Name 'B1LicenseService' -ErrorAction Ignore) {
SystemService::Stop -Name 'B1LicenseService' -Timeout '00:10:00' -ErrorAction SilentlyContinue
SystemService::Remove -Name 'B1LicenseService'
}
}
function License::LicenseService::Start() {
SystemService::Start -Name 'B1LicenseService' -Timeout '00:10:00'
}
function License::LicenseService::Stop() {
SystemService::Stop -Name 'B1LicenseService' -Timeout '00:10:00' -ErrorAction SilentlyContinue
}
",
"script_path": "C:\\USERS\\ADMINISTRATOR\\APPDATA\\LOCAL\\TEMP\\B1-ZNHFNJRPDVHHPQTQLZSC\\SUPPORT\\BIN\\LICENSEMANAGER_SERVICE.PS1",
"timestamp": "10/24/2022 1:30:45 PM"
},
{
"script_data": "# import -----------------------------------------------------------------------
. \"$PSScriptRoot/WizardUtils_system.ps1\"
# ------------------------------------------------------------------------------
# global variables -------------------------------------------------------------
$LICENSE_ROOT = \"${env:USER_INSTALL_DIR}\\SAP Business One ServerTools\\License Service\"
#-------------------------------------------------------------------------------
function License::NamingService::Create() {
New-Service -Name 'TAO_NT_Naming_Service' `
-DisplayName 'TAO NT Naming Service (64-bit)' `
-Description 'TAO NT Naming Service (64-bit) for SAP Business One License Manager (64-bit)' `
-BinaryPathName \"${LICENSE_ROOT}\\service\\TAO_NT_CosNaming.exe\"`
-StartupType 'Manual'
}
function License::NamingService::Remove() {
if (Get-Service -Name 'TAO_NT_Naming_Service' -ErrorAction Ignore) {
SystemService::Stop -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00' -ErrorAction SilentlyContinue
SystemService::Remove -Name 'TAO_NT_Naming_Service'
}
}
function License::NamingService::Start() {
SystemService::Start -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00'
}
function License::NamingService::Stop() {
SystemService::Stop -Name 'TAO_NT_Naming_Service' -Timeout '00:10:00' -ErrorAction SilentlyContinue
}
function License::LicenseService::Create() {
New-Service -Name \"B1LicenseService\" `
-DisplayName \"SAP Business One License Manager (64-bit)\" `
-Description \"SAP Business One License Manager (64-bit)\" `
-BinaryPathName \"${LICENSE_ROOT}\\service\\B1_License.exe\" `
-StartupType 'Manual' `
-DependsOn 'TAO_NT_Naming_Service'
}
function License::LicenseService::Remove() {
if (Get-Service -Name 'B1LicenseService' -ErrorAction Ignore) {
SystemService::Stop -Name 'B1LicenseService' -Timeout '00:10:00' -ErrorAction SilentlyContinue
SystemService::Remove -Name 'B1LicenseService'
}
}
function License::LicenseService::Start() {
SystemService::Start -Name 'B1LicenseService' -Timeout '00:10:00'
}
function License::LicenseService::Stop() {
SystemService::Stop -Name 'B1LicenseService' -Timeout '00:10:00' -ErrorAction SilentlyContinue
}
",
"script_path": "C:\\USERS\\ADMINISTRATOR\\APPDATA\\LOCAL\\TEMP\\B1-ZNHFNJRPDVHHPQTQLZSC\\SUPPORT\\BIN\\LICENSEMANAGER_SERVICE.PS1",
"timestamp": "10/24/2022 1:30:09 PM"
}
]
The process path was C:\USERS\ADMINISTRATOR\APPDATA\LOCAL\TEMP\B1-ZNHFNJRPDVHHPQTQLZSC\SAPJVM_8\JRE\BIN\JAVAW.EXE
Can anyone answer this question? Please feel free to ask me if anything more is required.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.