GitHub Repo

Analytics Story: CISA AA22-277A

Updated Date: 2026-05-13 ID: db408f93-e915-4215-9962-5fada348bdd7 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization's enterprise network. During incident response activities, multiple utilities were utilized.

Why it matters

CISA uncovered that likely multiple APT groups compromised the organization's network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim's sensitive data.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Exchange PowerShell Module Usage PowerShell TTP
Detect Renamed WinRAR Archive via Utility Hunting
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Network Discovery Using Route Windows App Internet Connection Discovery Hunting
Impacket Lateral Movement WMIExec Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows File Download Via CertUtil Ingress Tool Transfer TTP
Excessive Usage Of Taskkill Disable or Modify Tools Anomaly
Impacket Lateral Movement smbexec CommandLine Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Create or delete windows shares using net exe Network Share Connection Removal TTP
Impacket Lateral Movement Commandline Parameters SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service TTP
Windows Cmdline Tool Execution From Non-Shell Process JavaScript Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Cisco Network Visibility Module Flow Data Network icon Network cisco:nvm:flowdata not_applicable

References

Source: GitHub | Version: 2