Analytics Story: CISA AA23-347A

Date: 2023-12-14 ID: 257a2f28-fcbe-4226-8d1f-957880098331 Author: Teoderick Contreras, Rod Soto, Splunk Product: Splunk Enterprise Security

Description

Leverage searches that allow you to detect and investigate unusual activities that might be related to the SVR cyber activity tactics and techniques. While SVR followed a similar playbook in each compromise, they also adjusted to each operating environment and not all presented steps or actions below were executed on every host.

Why it matters

SVR cyber operations pose a persistent threat to public and private organizations' networks globally. Since 2013, cybersecurity companies and governments have reported on SVR operations targeting victim networks to steal confidential and proprietary information. A decade later, the authoring agencies can infer a long-term targeting pattern aimed at collecting, and enabling the collection of, foreign intelligence, a broad concept that for Russia encompasses information on the politics, economics, and military of foreign states; science and technology; and foreign counterintelligence. The SVR also conducts cyber operations targeting technology companies that enable future cyber operations. The SVR's recent operation has targeted networks hosting TeamCity servers, further underscoring its persistent focus on technology companies. By leveraging CVE-2023-42793, a vulnerability within a software development program, the SVR seeks to gain access to victims, potentially compromising numerous software developers' networks. JetBrains responded to this threat by issuing a patch in mid-September 2023, limting the SVR's ability to exploit Internet-accessible TeamCity servers lacking the necessary updates. Despite this mitigation, the SVR has yet to utilize its acquired access to software developers' networks for breaching customer systems. It appears that the SVR is still in the preparatory stages of its operation.

1| tstats `security_content_summariesonly` min(_time) as firstTime max(_time) as lastTime sum(All_Risk.calculated_risk_score) as risk_score, count(All_Risk.calculated_risk_score) as risk_event_count, values(All_Risk.annotations.mitre_attack.mitre_tactic_id) as annotations.mitre_attack.mitre_tactic_id, dc(All_Risk.annotations.mitre_attack.mitre_tactic_id) as mitre_tactic_id_count, values(All_Risk.annotations.mitre_attack.mitre_technique_id) as annotations.mitre_attack.mitre_technique_id, dc(All_Risk.annotations.mitre_attack.mitre_technique_id) as mitre_technique_id_count, values(All_Risk.tag) as tag, values(source) as source, dc(source) as source_count from datamodel=Risk.All_Risk where source IN ("*Cmdline Tool Not Executed In CMD Shell*", "*Windows System Network Config Discovery Display DNS*", "*Local Account Discovery With Wmic*", "*Net Localgroup Discovery*", "*Create local admin accounts using net exe*", "*Local Account Discovery with Net*", "*Icacls Deny Command*", "*ICACLS Grant Command*", "*Windows Proxy Via Netsh*", "*Processes launching netsh*", "*Disabling Firewall with Netsh*", "*Windows System Network Connections Discovery Netsh*", "*Network Connection Discovery With Arp*", "*Windows System Discovery Using ldap Nslookup*", "*Windows System Shutdown CommandLine*") by All_Risk.risk_object All_Risk.risk_object_type All_Risk.annotations.mitre_attack.mitre_tactic | `drop_dm_object_name(All_Risk)` | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | where source_count >= 4 | `windows_common_abused_cmd_shell_risk_behavior_filter`

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Access LSASS Memory for Dump Creation LSASS Memory, OS Credential Dumping TTP
AdsiSearcher Account Discovery Domain Account, Account Discovery TTP
Attempted Credential Dump From Registry via Reg exe Security Account Manager, OS Credential Dumping TTP
CMD Carry Out String Command Parameter Windows Command Shell, Command and Scripting Interpreter Hunting
Cmdline Tool Not Executed In CMD Shell Command and Scripting Interpreter, JavaScript TTP
Detect Credential Dumping through LSASS access LSASS Memory, OS Credential Dumping TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Disable AMSI Through Registry Disable or Modify Tools, Impair Defenses TTP
Disable Defender BlockAtFirstSeen Feature Disable or Modify Tools, Impair Defenses TTP
Disable Defender Enhanced Notification Disable or Modify Tools, Impair Defenses TTP
Disable Defender Spynet Reporting Disable or Modify Tools, Impair Defenses TTP
Disable Defender Submit Samples Consent Feature Disable or Modify Tools, Impair Defenses TTP
Disable ETW Through Registry Disable or Modify Tools, Impair Defenses TTP
Disable Logs Using WevtUtil Indicator Removal, Clear Windows Event Logs TTP
Disable Security Logs Using MiniNt Registry Modify Registry TTP
Disable UAC Remote Restriction Bypass User Account Control, Abuse Elevation Control Mechanism TTP
Disable Windows Behavior Monitoring Disable or Modify Tools, Impair Defenses TTP
Disable Windows SmartScreen Protection Disable or Modify Tools, Impair Defenses TTP
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser Steal or Forge Kerberos Tickets, AS-REP Roasting TTP
Disabling FolderOptions Windows Feature Disable or Modify Tools, Impair Defenses TTP
Domain Controller Discovery with Nltest Remote System Discovery TTP
ETW Registry Disabled Indicator Blocking, Trusted Developer Utilities Proxy Execution, Impair Defenses TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Extraction of Registry Hives Security Account Manager, OS Credential Dumping TTP
Get ADUser with PowerShell Domain Account, Account Discovery Hunting
Get ADUser with PowerShell Script Block Domain Account, Account Discovery Hunting
Get ADUserResultantPasswordPolicy with Powershell Password Policy Discovery TTP
Get ADUserResultantPasswordPolicy with Powershell Script Block Password Policy Discovery TTP
Get DomainUser with PowerShell Domain Account, Account Discovery TTP
Get DomainUser with PowerShell Script Block Domain Account, Account Discovery TTP
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Network Connection Discovery With Netstat System Network Connections Discovery Hunting
Non Chrome Process Accessing Chrome Default Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
Non Firefox Process Access Firefox Profile Dir Credentials from Password Stores, Credentials from Web Browsers Anomaly
PowerShell 4104 Hunting Command and Scripting Interpreter, PowerShell Hunting
PowerShell Domain Enumeration Command and Scripting Interpreter, PowerShell TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Remote Process Instantiation via WMI Windows Management Instrumentation TTP
Remote WMI Command Attempt Windows Management Instrumentation TTP
Rubeus Command Line Parameters Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access Use Alternate Authentication Material, Pass the Ticket TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Services Escalate Exe Abuse Elevation Control Mechanism TTP
Services LOLBAS Execution Process Spawn Create or Modify System Process, Windows Service TTP
Short Lived Scheduled Task Scheduled Task TTP
Suspicious Process File Path Create or Modify System Process TTP
Suspicious Scheduled Task from Public Directory Scheduled Task, Scheduled Task/Job Anomaly
Suspicious wevtutil Usage Clear Windows Event Logs, Indicator Removal TTP
System User Discovery With Whoami System Owner/User Discovery Hunting
Unload Sysmon Filter Driver Disable or Modify Tools, Impair Defenses TTP
Windows Access Token Manipulation SeDebugPrivilege Create Process with Token, Access Token Manipulation Anomaly
Windows Account Discovery for None Disable User Account Account Discovery, Local Account Hunting
Windows Account Discovery for Sam Account Name Account Discovery Anomaly
Windows Account Discovery With NetUser PreauthNotRequire Account Discovery Hunting
Windows Archive Collected Data via Powershell Archive Collected Data Anomaly
Windows Credentials from Password Stores Chrome Extension Access Query Registry Anomaly
Windows Disable Notification Center Modify Registry Anomaly
Windows Disable Windows Event Logging Disable HTTP Logging Disable Windows Event Logging, Impair Defenses, Server Software Component, IIS Components TTP
Windows Disable Windows Group Policy Features Through Registry Modify Registry Anomaly
Windows DisableAntiSpyware Registry Disable or Modify Tools, Impair Defenses TTP
Windows DISM Remove Defender Disable or Modify Tools, Impair Defenses TTP
Windows Domain Account Discovery Via Get-NetComputer Account Discovery, Domain Account Anomaly
Windows Excessive Disabled Services Event Disable or Modify Tools, Impair Defenses TTP
Windows Hunting System Account Targeting Lsass LSASS Memory, OS Credential Dumping Hunting
Windows Impair Defenses Disable Win Defender Auto Logging Disable or Modify Tools, Impair Defenses Anomaly
Windows Known GraphicalProton Loaded Modules DLL Side-Loading, Hijack Execution Flow Anomaly
Windows LSA Secrets NoLMhash Registry LSA Secrets TTP
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Mimikatz Crypto Export File Extensions Steal or Forge Authentication Certificates Anomaly
Windows Modify Registry Disable Restricted Admin Modify Registry TTP
Windows Modify Registry Disable Win Defender Raw Write Notif Modify Registry Anomaly
Windows Modify Registry Disable WinDefender Notifications Modify Registry TTP
Windows Modify Registry Disable Windows Security Center Notif Modify Registry Anomaly
Windows Modify Registry DisableSecuritySettings Modify Registry TTP
Windows Modify Registry Disabling WER Settings Modify Registry TTP
Windows Modify Registry No Auto Update Modify Registry Anomaly
Windows Modify Registry Suppress Win Defender Notif Modify Registry Anomaly
Windows Non-System Account Targeting Lsass LSASS Memory, OS Credential Dumping TTP
Windows Possible Credential Dumping LSASS Memory, OS Credential Dumping TTP
Windows PowerView Constrained Delegation Discovery Remote System Discovery TTP
Windows PowerView SPN Discovery Steal or Forge Kerberos Tickets, Kerberoasting TTP
Windows PowerView Unconstrained Delegation Discovery Remote System Discovery TTP
Windows Process Commandline Discovery Process Discovery Hunting
Windows Query Registry Reg Save Query Registry Hunting
Windows Remote Create Service Create or Modify System Process, Windows Service Anomaly
Windows Scheduled Task Created Via XML Scheduled Task, Scheduled Task/Job TTP
Windows Scheduled Task with Highest Privileges Scheduled Task/Job, Scheduled Task TTP
Windows Service Created with Suspicious Service Path System Services, Service Execution TTP
Windows Service Creation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Creation Using Registry Entry Services Registry Permissions Weakness TTP
Windows Service Initiation on Remote Endpoint Create or Modify System Process, Windows Service TTP
Windows Service Stop Win Updates Service Stop Anomaly
Windows System User Privilege Discovery System Owner/User Discovery Hunting
Windows WMI Process Call Create Windows Management Instrumentation Hunting
WinEvent Scheduled Task Created Within Public Path Scheduled Task, Scheduled Task/Job TTP
WinRM Spawning a Process Exploit Public-Facing Application TTP
JetBrains TeamCity RCE Attempt Exploit Public-Facing Application TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Powershell Script Block Logging 4104 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Suricata N/A suricata suricata
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4698 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4699 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4703 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log System 7040 Windows icon Windows xmlwineventlog XmlWinEventLog:System
Windows Event Log System 7045 Windows icon Windows xmlwineventlog XmlWinEventLog:System

References

Source: GitHub | Version: 2