Analytics Story: CISA AA22-320A

Date: 2022-11-16 ID: c1fca73d-3a8d-49a6-b9c0-1d5d155f7dd4 Author: Michael Haag, Splunk Product: Splunk Enterprise Security

Description

CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.

Why it matters

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where All_Risk.analyticstories="Log4Shell CVE-2021-44228" All_Risk.risk_object_type="system" by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 2 | `log4shell_cve_2021_44228_exploitation_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Suspicious Powershell Command-Line Arguments PowerShell TTP
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Enable WDigest UseLogonCredential Registry Modify Registry, OS Credential Dumping TTP
GetAdComputer with PowerShell Script Block Remote System Discovery Hunting
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Anomaly
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation TTP
XMRIG Driver Loaded Windows Service, Create or Modify System Process TTP
Ngrok Reverse Proxy on Network Protocol Tunneling, Proxy, Web Service Anomaly
Hunting for Log4Shell Exploit Public-Facing Application, External Remote Services Hunting
Log4Shell JNDI Payload Injection Attempt Exploit Public-Facing Application, External Remote Services Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application, External Remote Services Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Nginx Access N/A nginx:plus:kv /var/log/nginx/access.log
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 6 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 1