Try in Splunk Security Cloud
Description
CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.
Narrative
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.
Detections
| Name |
Technique |
Type |
| Add or Set Windows Defender Exclusion |
Disable or Modify Tools, Impair Defenses |
TTP |
| Detect Mimikatz Using Loaded Images |
LSASS Memory, OS Credential Dumping |
TTP |
| Detect Mimikatz With PowerShell Script Block Logging |
OS Credential Dumping, PowerShell |
TTP |
| Detect PsExec With accepteula Flag |
Remote Services, SMB/Windows Admin Shares |
TTP |
| Detect Renamed PSExec |
System Services, Service Execution |
Hunting |
| Enable WDigest UseLogonCredential Registry |
Modify Registry, OS Credential Dumping |
TTP |
| GetAdComputer with PowerShell Script Block |
Remote System Discovery |
Hunting |
| Hunting for Log4Shell |
Exploit Public-Facing Application, External Remote Services |
Hunting |
| Log4Shell CVE-2021-44228 Exploitation |
Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services |
Correlation |
| Log4Shell JNDI Payload Injection Attempt |
Exploit Public-Facing Application, External Remote Services |
Anomaly |
| Log4Shell JNDI Payload Injection with Outbound Connection |
Exploit Public-Facing Application, External Remote Services |
Anomaly |
| Malicious PowerShell Process - Encoded Command |
Obfuscated Files or Information |
Hunting |
| Mimikatz PassTheTicket CommandLine Parameters |
Use Alternate Authentication Material, Pass the Ticket |
TTP |
| Ngrok Reverse Proxy on Network |
Protocol Tunneling, Proxy, Web Service |
Anomaly |
| Powershell Windows Defender Exclusion Commands |
Disable or Modify Tools, Impair Defenses |
TTP |
| Suspicious Driver Loaded Path |
Windows Service, Create or Modify System Process |
TTP |
| Suspicious Powershell Command-Line Arguments |
PowerShell |
TTP |
| Windows Driver Load Non-Standard Path |
Rootkit, Exploitation for Privilege Escalation |
TTP |
| Windows Drivers Loaded by Signature |
Rootkit, Exploitation for Privilege Escalation |
Hunting |
| Windows Mimikatz Binary Execution |
OS Credential Dumping |
TTP |
| Windows Ngrok Reverse Proxy Usage |
Protocol Tunneling, Proxy, Web Service |
Anomaly |
| Windows Service Create Kernel Mode Driver |
Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation |
TTP |
| XMRIG Driver Loaded |
Windows Service, Create or Modify System Process |
TTP |
Reference
source | version: 1