Analytics Story: CISA AA22-277A

Date: 2022-10-05 ID: db408f93-e915-4215-9962-5fada348bdd7 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.

Why it matters

CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
CertUtil Download With URLCache and Split Arguments Ingress Tool Transfer TTP
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Create or delete windows shares using net exe Indicator Removal, Network Share Connection Removal TTP
Detect Renamed WinRAR Archive via Utility, Archive Collected Data Hunting
Excessive Usage Of Taskkill Disable or Modify Tools, Impair Defenses Anomaly
Exchange PowerShell Module Usage Command and Scripting Interpreter, PowerShell TTP
Impacket Lateral Movement Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement smbexec CommandLine Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Impacket Lateral Movement WMIExec Commandline Parameters Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App System Network Configuration Discovery, Internet Connection Discovery Hunting

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 1