Analytics Story: CISA AA23-347A

Description

These searches help you detect and investigate unusual activity that may be related to the SVR's tactics and techniques. While the SVR followed a similar playbook in each compromise, it also adapted to each operating environment, so not every step or action listed below was executed on every host.

Why it matters

SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations against technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By exploiting CVE-2023-42793, a vulnerability in the TeamCity software development platform, the SVR seeks to gain access to victims and potentially compromise numerous software developers' networks. JetBrains responded by issuing a patch in mid-September 2023, which limits the SVR's ability to exploit Internet-accessible TeamCity servers that lack the update. So far, the SVR has not used its acquired access to software developers' networks to breach customer systems; it appears to still be in the preparatory stages of its operation.

| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime
    sum(All_Risk.calculated_risk_score) as risk_score,
    count(All_Risk.calculated_risk_score) as risk_event_count,
    values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id,
    dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count,
    values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id,
    dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count,
    values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count
  from datamodel=Risk.All_Risk
  where source IN ("*Windows Cmdline Tool Execution From Non-Shell Process*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Windows Group Discovery Via Net*", "*Windows Create Local Administrator Account Via Net*", "*Windows User Discovery Via Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*")
  by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic
| `drop_dm_object_name(All_Risk)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where source_count >= 4
| `windows_common_abused_cmd_shell_risk_behavior_filter`
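The search above is a risk-based correlation: it does not look at raw endpoint events but at risk events already written by the individual detections, and it only raises an alert when at least four distinct story detections have fired for the same risk object within the same MITRE tactic. The following Python is an added illustration of that aggregation logic, not Splunk's own code. It re-implements the search's grouping, aggregation functions and `source_count >= 4` threshold over a handful of constructed risk events; the `ESCU - ... - Rule` source names and the MITRE IDs on the sample events are assumptions made to look like real risk events, and the closing `windows_common_abused_cmd_shell_risk_behavior_filter` macro (a site-specific allowlist) is not modelled.

```python
"""Risk-based correlation over constructed risk events.

Mirrors the story's tstats search: keep risk events whose detection source
matches the story's list, group them per risk object and tactic, and alert
only when at least four distinct detections fired for that group.
Added example, not Splunk's code; every event below is constructed.
"""
from collections import defaultdict
from fnmatch import fnmatchcase

# Source patterns copied from the story search. Splunk's IN("*x*") wildcards
# map directly onto glob "*" semantics.
STORY_SOURCES = [
    "*Windows Cmdline Tool Execution From Non-Shell Process*",
    "*Windows System Network Config Discovery Display DNS*",
    "*Local Account Discovery With Wmic*",
    "*Windows Group Discovery Via Net*",
    "*Windows Create Local Administrator Account Via Net*",
    "*Windows User Discovery Via Net*",
    "*Icacls Deny Command*",
    "*ICACLS Grant Command*",
    "*Windows Proxy Via Netsh*",
    "*Processes launching netsh*",
    "*Disabling Firewall with Netsh*",
    "*Windows System Network Connections Discovery Netsh*",
    "*Network Connection Discovery With Arp*",
    "*Windows System Discovery Using ldap Nslookup*",
    "*Windows System Shutdown CommandLine*",
]
SOURCE_COUNT_THRESHOLD = 4  # "where source_count >= 4" in the search


def matches_story_source(source):
    """Splunk matches field values case-insensitively, so compare lowercased."""
    s = source.lower()
    return any(fnmatchcase(s, pat.lower()) for pat in STORY_SOURCES)


def correlate_risk_events(events, threshold=SOURCE_COUNT_THRESHOLD):
    """Group matching risk events by (risk_object, risk_object_type, mitre_tactic)
    and return the groups with at least `threshold` distinct detection sources,
    carrying the same aggregates the tstats search computes."""
    groups = defaultdict(list)
    for ev in events:
        if not matches_story_source(ev["source"]):
            continue  # detections outside the story list never count
        key = (ev["risk_object"], ev["risk_object_type"], ev["mitre_tactic"])
        groups[key].append(ev)

    results = []
    for (obj, obj_type, tactic), evs in groups.items():
        sources = sorted({e["source"] for e in evs})  # dc(source)
        if len(sources) < threshold:
            continue  # one noisy detection firing many times is not enough
        results.append({
            "risk_object": obj,
            "risk_object_type": obj_type,
            "mitre_tactic": tactic,
            "firstTime": min(e["_time"] for e in evs),
            "lastTime": max(e["_time"] for e in evs),
            "risk_score": sum(e["calculated_risk_score"] for e in evs),
            "risk_event_count": len(evs),
            "mitre_tactic_id": sorted({e["mitre_tactic_id"] for e in evs}),
            "mitre_technique_id": sorted({e["mitre_technique_id"] for e in evs}),
            "source": sources,
            "source_count": len(sources),
        })
    return results


def _ev(t, obj, source, score, tactic, tactic_id, technique_id):
    """Build one constructed Risk.All_Risk row (assumed field layout)."""
    return {"_time": t, "risk_object": obj, "risk_object_type": "system",
            "source": source, "calculated_risk_score": score,
            "mitre_tactic": tactic, "mitre_tactic_id": tactic_id,
            "mitre_technique_id": technique_id}


# Constructed sample: three hosts, only one of which should alert.
SAMPLE_RISK_EVENTS = [
    # WS01: five different discovery detections within twenty minutes -> alerts
    _ev(1702300000, "WS01", "ESCU - Windows User Discovery Via Net - Rule", 25, "discovery", "TA0007", "T1087.001"),
    _ev(1702300300, "WS01", "ESCU - Windows Group Discovery Via Net - Rule", 25, "discovery", "TA0007", "T1069.001"),
    _ev(1702300600, "WS01", "ESCU - Local Account Discovery With Wmic - Rule", 25, "discovery", "TA0007", "T1087.001"),
    _ev(1702300900, "WS01", "ESCU - Network Connection Discovery With Arp - Rule", 25, "discovery", "TA0007", "T1049"),
    _ev(1702301200, "WS01", "ESCU - Windows System Discovery Using ldap Nslookup - Rule", 25, "discovery", "TA0007", "T1018"),
    # WS02: one detection firing four times -> a single distinct source, no alert
    _ev(1702300000, "WS02", "ESCU - Processes launching netsh - Rule", 20, "defense-evasion", "TA0005", "T1562.004"),
    _ev(1702300100, "WS02", "ESCU - Processes launching netsh - Rule", 20, "defense-evasion", "TA0005", "T1562.004"),
    _ev(1702300200, "WS02", "ESCU - Processes launching netsh - Rule", 20, "defense-evasion", "TA0005", "T1562.004"),
    _ev(1702300300, "WS02", "ESCU - Processes launching netsh - Rule", 20, "defense-evasion", "TA0005", "T1562.004"),
    # DC01: a detection that is not in the story's source list -> ignored
    _ev(1702300000, "DC01", "ESCU - Domain Controller Discovery with Nltest - Rule", 25, "discovery", "TA0007", "T1018"),
]

if __name__ == "__main__":
    for row in correlate_risk_events(SAMPLE_RISK_EVENTS):
        print(row["risk_object"], row["mitre_tactic"], row["source_count"], row["risk_score"])
```

Two properties of the search are worth noticing in the output: the four-source threshold is evaluated per tactic, because the `by` clause includes `annotations.mitre_attack.mitre_tactic`, so detections spread over several tactics do not add up; and repeated hits from the same rule raise `risk_event_count` and `risk_score` but never `source_count`, which is what keeps a single noisy detection from paging an analyst.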

Detections

Name | Technique | Type
Attempted Credential Dump From Registry via Reg exe | Security Account Manager | TTP
Cmdline Tool Not Executed In CMD Shell | JavaScript | TTP
Extraction of Registry Hives | Security Account Manager | TTP
Suspicious Process File Path | Create or Modify System Process | TTP
Windows Query Registry Reg Save | Query Registry | Hunting
Access LSASS Memory for Dump Creation | LSASS Memory | TTP
AdsiSearcher Account Discovery | Domain Account | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Detect Credential Dumping through LSASS access | LSASS Memory | TTP
Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP
Disable AMSI Through Registry | Disable or Modify Tools | TTP
Disable Defender BlockAtFirstSeen Feature | Disable or Modify Tools | TTP
Disable Defender Enhanced Notification | Disable or Modify Tools | TTP
Disable Defender Spynet Reporting | Disable or Modify Tools | TTP
Disable Defender Submit Samples Consent Feature | Disable or Modify Tools | TTP
Disable ETW Through Registry | Disable or Modify Tools | TTP
Disable Logs Using WevtUtil | Clear Windows Event Logs | TTP
Disable Security Logs Using MiniNt Registry | Modify Registry | TTP
Disable UAC Remote Restriction | Bypass User Account Control | TTP
Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP
Disable Windows SmartScreen Protection | Disable or Modify Tools | TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | AS-REP Roasting | TTP
Disabling FolderOptions Windows Feature | Disable or Modify Tools | TTP
Domain Controller Discovery with Nltest | Remote System Discovery | TTP
ETW Registry Disabled | Trusted Developer Utilities Proxy Execution, Indicator Blocking | TTP
Executables Or Script Creation In Suspicious Path | Masquerading | Anomaly
Get ADUser with PowerShell | Domain Account | Hunting
Get ADUser with PowerShell Script Block | Domain Account | Hunting
Get ADUserResultantPasswordPolicy with Powershell | Password Policy Discovery | TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block | Password Policy Discovery | TTP
Get DomainUser with PowerShell | Domain Account | TTP
Get DomainUser with PowerShell Script Block | Domain Account | TTP
Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP
Network Connection Discovery With Netstat | System Network Connections Discovery | Hunting
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
PowerShell 4104 Hunting | PowerShell | Hunting
PowerShell Domain Enumeration | PowerShell | TTP
Registry Keys Used For Persistence | Registry Run Keys / Startup Folder | TTP
Remote Process Instantiation via WMI | Windows Management Instrumentation | TTP
Remote WMI Command Attempt | Windows Management Instrumentation | TTP
Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task | TTP
Services Escalate Exe | Abuse Elevation Control Mechanism | TTP
Services LOLBAS Execution Process Spawn | Windows Service | TTP
Short Lived Scheduled Task | Scheduled Task | TTP
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Suspicious wevtutil Usage | Clear Windows Event Logs | TTP
System User Discovery With Whoami | System Owner/User Discovery | Hunting
Unload Sysmon Filter Driver | Disable or Modify Tools | TTP
Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly
Windows Account Discovery for None Disable User Account | Local Account | Hunting
Windows Account Discovery for Sam Account Name | Account Discovery | Anomaly
Windows Account Discovery With NetUser PreauthNotRequire | Account Discovery | Hunting
Windows Archive Collected Data via Powershell | Archive Collected Data | Anomaly
Windows Cmdline Tool Execution From Non-Shell Process | JavaScript | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Disable Notification Center | Modify Registry | Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging | IIS Components, Disable Windows Event Logging | TTP
Windows Disable Windows Group Policy Features Through Registry | Modify Registry | Anomaly
Windows DisableAntiSpyware Registry | Disable or Modify Tools | TTP
Windows DISM Remove Defender | Disable or Modify Tools | TTP
Windows Domain Account Discovery Via Get-NetComputer | Domain Account | Anomaly
Windows Excessive Disabled Services Event | Disable or Modify Tools | TTP
Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting
Windows Impair Defenses Disable Win Defender Auto Logging | Disable or Modify Tools | Anomaly
Windows Known GraphicalProton Loaded Modules | DLL Side-Loading | Anomaly
Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP
Windows Mimikatz Binary Execution | OS Credential Dumping | TTP
Windows Mimikatz Crypto Export File Extensions | Steal or Forge Authentication Certificates | Anomaly
Windows Modify Registry Disable Restricted Admin | Modify Registry | TTP
Windows Modify Registry Disable Win Defender Raw Write Notif | Modify Registry | Anomaly
Windows Modify Registry Disable WinDefender Notifications | Modify Registry | TTP
Windows Modify Registry Disable Windows Security Center Notif | Modify Registry | Anomaly
Windows Modify Registry DisableSecuritySettings | Modify Registry | TTP
Windows Modify Registry Disabling WER Settings | Modify Registry | TTP
Windows Modify Registry No Auto Update | Modify Registry | Anomaly
Windows Modify Registry Suppress Win Defender Notif | Modify Registry | Anomaly
Windows Non-System Account Targeting Lsass | LSASS Memory | TTP
Windows Possible Credential Dumping | LSASS Memory | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView SPN Discovery | Kerberoasting | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Process Commandline Discovery | Process Discovery | Hunting
Windows Registry Entries Exported Via Reg | Query Registry | Hunting
Windows Remote Create Service | Windows Service | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task | TTP
Windows Scheduled Task with Highest Privileges | Scheduled Task | TTP
Windows Sensitive Registry Hive Dump Via CommandLine | Security Account Manager | TTP
Windows Service Created with Suspicious Service Name | Service Execution | Anomaly
Windows Service Created with Suspicious Service Path | Service Execution | TTP
Windows Service Creation on Remote Endpoint | Windows Service | TTP
Windows Service Creation Using Registry Entry | Services Registry Permissions Weakness | Anomaly
Windows Service Initiation on Remote Endpoint | Windows Service | TTP
Windows Service Stop Win Updates | Service Stop | Anomaly
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Name or Location | TTP
Windows System User Privilege Discovery | System Owner/User Discovery | Hunting
Windows WMI Process Call Create | Windows Management Instrumentation | Hunting
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinRM Spawning a Process | Exploit Public-Facing Application | TTP
JetBrains TeamCity RCE Attempt | Exploit Public-Facing Application | TTP

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Suricata | N/A | suricata | suricata
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4699 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4703 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log System 7040 | Windows | xmlwineventlog | XmlWinEventLog:System
Windows Event Log System 7045 | Windows | xmlwineventlog | XmlWinEventLog:System

Source: GitHub | Version: 3