CISA AA22-277A

Try in Splunk Security Cloud

Description

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, multiple utilities were utilized.

• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Endpoint
• Last Updated: 2022-10-05
• Author: Michael Haag, Splunk
• ID: db408f93-e915-4215-9962-5fada348bdd7

Narrative

CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

Detections

Name	Technique	Type
CertUtil Download With URLCache and Split Arguments	Ingress Tool Transfer	TTP
Cmdline Tool Not Executed In CMD Shell	Command and Scripting Interpreter, JavaScript	TTP
Create or delete windows shares using net exe	Indicator Removal, Network Share Connection Removal	TTP
Detect Renamed WinRAR	Archive via Utility, Archive Collected Data	Hunting
Excessive Usage Of Taskkill	Disable or Modify Tools, Impair Defenses	Anomaly
Exchange PowerShell Module Usage	Command and Scripting Interpreter, PowerShell	TTP
Impacket Lateral Movement Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement WMIExec Commandline Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Impacket Lateral Movement smbexec CommandLine Parameters	Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service	TTP
Network Connection Discovery With Netstat	System Network Connections Discovery	Hunting
Network Discovery Using Route Windows App	System Network Configuration Discovery, Internet Connection Discovery	Hunting

Reference

• https://www.cisa.gov/uscert/ncas/alerts/aa22-277a
• https://www.cisa.gov/uscert/sites/default/files/publications/aa22-277a-impacket-and-exfiltration-tool-used-to-steal-sensitive-information-from-defense-industrial-base-organization.pdf

source | version: 1