Analytics Story: DHS Report TA18-074A

Date: 2020-01-22 ID: 0c016e5c-88be-4e2c-8c6c-c2b55b4fb4ef Author: Rico Valdez, Splunk Product: Splunk Enterprise Security

Description

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearfishing attacks, malware, watering-hole domains, many and more.

Why it matters

The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. There is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic dataѿall of which could confer advantages in various arenas. They may also target critical infrastructure. One joint Technical Alert (TA) issued by the Department of Homeland and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearfishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant. Suspicious activities--spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more--may all be events you may wish to investigate further. While the use of these technique may be an indication that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups, as well.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
First time seen command line argument PowerShell, Windows Command Shell Hunting
Create local admin accounts using net exe Local Account, Create Account TTP
Detect New Local Admin account Local Account, Create Account TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Malicious PowerShell Process - Execution Policy Bypass Command and Scripting Interpreter, PowerShell TTP
Processes launching netsh Disable or Modify System Firewall, Impair Defenses Anomaly
Registry Keys Used For Persistence Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution TTP
Sc exe Manipulating Windows Services Windows Service, Create or Modify System Process TTP
Scheduled Task Deleted Or Created via CMD Scheduled Task, Scheduled Task/Job TTP
Single Letter Process On Endpoint User Execution, Malicious File TTP
Suspicious Reg exe Process Modify Registry Anomaly
Detect Outbound SMB Traffic File Transfer Protocols, Application Layer Protocol TTP
SMB Traffic Spike SMB/Windows Admin Shares, Remote Services Anomaly
SMB Traffic Spike - MLTK SMB/Windows Admin Shares, Remote Services Anomaly

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
CrowdStrike ProcessRollup2 N/A crowdstrike:events:sensor crowdstrike
Sysmon EventID 1 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 12 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows xmlwineventlog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4720 Windows icon Windows xmlwineventlog XmlWinEventLog:Security
Windows Event Log Security 4732 Windows icon Windows xmlwineventlog XmlWinEventLog:Security

References

Source: GitHub | Version: 2