Analytics Story: CISA AA22-264A

Date: 2022-09-22 ID: bc7056a5-c3b0-4b83-93ce-5f31739305c8 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

Iranian State Actors Conduct Cyber Operations Against the Government of Albania.

Why it matters

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of activity observed, from initial access to execution of encryption and wiper attacks. Additional information concerning files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware as the cyber attacks in July. These were likely done in retaliation for public attribution of the cyber attacks in July and severed diplomatic ties between Albania and Iran.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Attacker Tools On Endpoint Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning TTP
Deleting Shadow Copies Inhibit System Recovery TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Detect Webshell Exploit Behavior Server Software Component, Web Shell TTP
Dump LSASS via comsvcs DLL LSASS Memory, OS Credential Dumping TTP
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell TTP
W3WP Spawning Shell Server Software Component, Web Shell TTP
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows Event Log Cleared Indicator Removal, Clear Windows Event Logs TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP
Windows Raw Access To Disk Volume Partition Disk Structure Wipe, Disk Wipe Anomaly
Windows Raw Access To Master Boot Record Drive Disk Structure Wipe, Disk Wipe TTP
Windows System File on Disk Exploitation for Privilege Escalation Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 9 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 1102 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1