Analytics Story: Seashell Blizzard

Description

Seashell Blizzard is a threat actor known for targeting organizations globally through a sophisticated campaign leveraging Exchange Server vulnerabilities, custom tools, and living-off-the-land techniques for persistent access and data collection.

Why it matters

Seashell Blizzard operates through a multi-stage attack chain that begins with Exchange Server exploitation and progresses to establishing persistent access through various techniques. The group's initial access typically involves the exploitation of Exchange Server vulnerabilities including ProxyShell and ProxyNotShell, followed by web shell deployment through compromised Exchange paths and credential harvesting using renamed system tools and the Task Manager UI. The threat actor maintains persistence by deploying scheduled tasks, installing OpenSSH with custom keys, and making registry modifications for automatic execution.

Their command and control infrastructure leverages Tor hidden services (ShadowLink) alongside legitimate remote access tools and custom tunneling utilities for covert communications. For lateral movement and data collection, Seashell Blizzard extensively abuses Exchange PowerShell for mailbox access while conducting NTLM credential theft and systematic enumeration of network resources. The group demonstrates sophisticated operational security, often using legitimate system tools and living-off-the-land binaries to blend in with normal system operations. Their focus appears to be on long-term persistence and data collection, with particular emphasis on email data and network credentials.

Detection strategies focus on identifying suspicious Exchange Server activity, monitoring for unusual PowerShell commands, tracking scheduled task creation, and identifying anomalous system tool usage in sensitive contexts. The group's ability to maintain long-term access while evading detection makes them a significant threat to organizations globally.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.analyticstories) as analyticstories, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count, dc(All_Risk.analyticstories) as dc_analyticstories
    from datamodel=Risk.All_Risk
    where All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") OR (All_Risk.analyticstories IN ("ProxyNotShell","ProxyShell") AND All_Risk.analyticstories="Cobalt Strike") All_Risk.risk_object_type="system"
    by _time span=1h All_Risk.risk_object All_Risk.risk_object_type
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >=5
| `proxyshell_proxynotshell_behavior_detected_filter`
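The search above is a risk-based correlation: it buckets risk events per system per hour and only raises a notable when at least five distinct detections (sources) fired in that hour. As an added illustration that is not part of the Splunk content, the same aggregation in Python over constructed risk events shows why a single detection repeating, or detections spread across two hours, does not trip the threshold.

```python
from collections import defaultdict
from datetime import datetime, timezone

STORIES = ("ProxyNotShell", "ProxyShell")  # All_Risk.analyticstories IN (...)

def ev(t, obj, source, otype="system", story="ProxyShell", score=25):
    """Build one constructed risk event carrying the Risk data model fields used below."""
    return {"_time": t, "risk_object": obj, "risk_object_type": otype,
            "analyticstories": [story], "source": source, "calculated_risk_score": score}

# Constructed sample risk events (not real telemetry). Source names are taken from
# the detections listed in this story.
RISK_EVENTS = [
    ev("2024-03-01T10:05:00Z", "exch01", "Detect Exchange Web Shell"),
    ev("2024-03-01T10:12:00Z", "exch01", "Exchange PowerShell Abuse via SSRF", story="ProxyNotShell"),
    ev("2024-03-01T10:20:00Z", "exch01", "Windows Scheduled Task with Suspicious Command"),
    ev("2024-03-01T10:33:00Z", "exch01", "Creation of lsass Dump with Taskmgr"),
    ev("2024-03-01T10:48:00Z", "exch01", "Windows Sensitive Registry Hive Dump Via CommandLine"),
    # The same detection firing five times is one distinct source: below threshold.
    *[ev(f"2024-03-01T10:{m:02d}:00Z", "exch02", "Detect Exchange Web Shell") for m in (1, 9, 17, 25, 41)],
    # Five distinct sources, but split across two hourly buckets (3 + 2).
    ev("2024-03-01T11:50:00Z", "srv03", "Detect Exchange Web Shell"),
    ev("2024-03-01T11:55:00Z", "srv03", "Exchange PowerShell Abuse via SSRF"),
    ev("2024-03-01T11:58:00Z", "srv03", "Creation of lsass Dump with Taskmgr"),
    ev("2024-03-01T12:02:00Z", "srv03", "Windows Scheduled Task with Suspicious Command"),
    ev("2024-03-01T12:07:00Z", "srv03", "Dump LSASS via procdump"),
    # risk_object_type="user" is excluded by the search's filter.
    ev("2024-03-01T10:10:00Z", "jdoe", "Detect Exchange Web Shell", otype="user"),
]

def hour_bucket(ts):
    """Equivalent of 'by _time span=1h': truncate the timestamp to the hour."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0, microsecond=0)

def correlate(events, stories=STORIES, min_sources=5):
    """Group matching risk events by (hour, risk_object) and keep the groups whose
    distinct-source count meets the threshold ('where source_count >= 5')."""
    groups = defaultdict(lambda: {"sources": set(), "risk_score": 0, "risk_event_count": 0})
    for e in events:
        if e["risk_object_type"] != "system" or not set(e["analyticstories"]) & set(stories):
            continue
        g = groups[(hour_bucket(e["_time"]), e["risk_object"])]
        g["sources"].add(e["source"])
        g["risk_score"] += e["calculated_risk_score"]
        g["risk_event_count"] += 1
    hits = [{"hour": h.isoformat(), "risk_object": obj, "source_count": len(g["sources"]),
             "risk_score": g["risk_score"], "risk_event_count": g["risk_event_count"]}
            for (h, obj), g in groups.items() if len(g["sources"]) >= min_sources]
    return sorted(hits, key=lambda r: (r["hour"], r["risk_object"]))
```

Only exch01 is returned; lowering `min_sources` to 3 also surfaces srv03 for the 11:00 hour, which is the knob to turn when tuning the `source_count` threshold against your own risk event volume.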

Detections

Name | Technique | Type
ConnectWise ScreenConnect Path Traversal | Exploit Public-Facing Application | TTP
ConnectWise ScreenConnect Path Traversal Windows SACL | Exploit Public-Facing Application | TTP
Creation of lsass Dump with Taskmgr | LSASS Memory | TTP
Detect Exchange Web Shell | External Remote Services, Exploit Public-Facing Application, Web Shell | TTP
Detect PsExec With accepteula Flag | SMB/Windows Admin Shares | TTP
Detect Remote Access Software Usage File | Remote Access Software | Anomaly
Detect Remote Access Software Usage FileInfo | Remote Access Software | Anomaly
Detect Remote Access Software Usage Process | Remote Access Software | Anomaly
Detect Remote Access Software Usage Registry | Remote Access Software | Anomaly
Dump LSASS via procdump | LSASS Memory | TTP
Exchange PowerShell Abuse via SSRF | Exploit Public-Facing Application, External Remote Services | TTP
Scheduled Task Initiation on Remote Endpoint | Scheduled Task | TTP
Windows Scheduled Task with Suspicious Command | Scheduled Task | TTP
Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP
Windows SQL Server xp_cmdshell Config Change | SQL Stored Procedures | TTP
ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP
Windows Exchange Autodiscover SSRF Abuse | Exploit Public-Facing Application, External Remote Services | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log
Suricata | N/A | suricata | suricata
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Application 15457 | Windows | XmlWinEventLog | XmlWinEventLog:Application
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4700 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4702 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows IIS | Windows | IIS:Configuration:Operational | IIS:Configuration:Operational

Source: GitHub | Version: 1