Description

NOBELIUM, also known as APT29, The Dukes, Cozy Bear, CozyDuke, Blue Kitsune, and Midnight Blizzard, is a sophisticated nation-state threat actor, reportedly associated with Russian intelligence. Active since at least 2008, this group primarily targets government networks in Europe and NATO member countries, along with research institutes and think tanks. Their operations typically involve advanced persistent threats (APT), leveraging techniques like spear-phishing, malware deployment, and long-term network compromise to achieve information theft and espionage. Notably, APT29 has been implicated in significant cyber espionage incidents, including the 2015 breach of the Pentagon’s Joint Staff email system and attacks on the Democratic National Committee in 2016. Their advanced tactics and persistent approach underscore the serious nature of threats posed by this group to global cybersecurity.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic, Web
  • Last Updated: 2020-12-14
  • Author: Patrick Bareiss, Michael Haag, Mauricio Velazco, Splunk
  • ID: 758196b5-2e21-424f-a50c-6e421ce926c2

Narrative

This Analytic Story groups detections designed to trigger on a comprehensive range of Tactics, Techniques, and Procedures (TTPs) leveraged by the NOBELIUM Group, with a focus on their methods as observed in well-known public breaches.

Detections

Name | Technique | Type
Anomalous usage of 7zip | Archive via Utility, Archive Collected Data | Anomaly
Anomalous usage of Archive Tools | Archive via Utility, Archive Collected Data | Anomaly
Azure AD Admin Consent Bypassed by Service Principal | Additional Cloud Roles | TTP
Azure AD FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP
Azure AD High Number Of Failed Authentications From Ip | Brute Force, Password Guessing, Password Spraying | TTP
Azure AD Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting
Azure AD Multiple Service Principals Created by SP | Cloud Account | Anomaly
Azure AD Multiple Service Principals Created by User | Cloud Account | Anomaly
Azure AD Privileged Graph API Permission Assigned | Security Account Manager | TTP
Azure AD Privileged Role Assigned | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Privileged Role Assigned to Service Principal | Account Manipulation, Additional Cloud Roles | TTP
Azure AD Service Principal Authentication | Cloud Accounts | TTP
Azure AD Service Principal Created | Cloud Account | TTP
Azure AD Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP
Azure AD Service Principal Owner Added | Account Manipulation | TTP
Azure AD Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP
Detect Outbound SMB Traffic | File Transfer Protocols, Application Layer Protocol | TTP
Detect Prohibited Applications Spawning cmd exe | Command and Scripting Interpreter, Windows Command Shell | Hunting
Detect Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP
First Time Seen Running Windows Service | System Services, Service Execution | Anomaly
Malicious PowerShell Process - Encoded Command | Obfuscated Files or Information | Hunting
O365 Added Service Principal | Cloud Account, Create Account | TTP
O365 Application Registration Owner Added | Account Manipulation | TTP
O365 ApplicationImpersonation Role Assigned | Account Manipulation, Additional Email Delegate Permissions | TTP
O365 FullAccessAsApp Permission Assigned | Additional Email Delegate Permissions, Additional Cloud Roles | TTP
O365 Multi-Source Failed Authentications Spike | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | Hunting
O365 Multiple Mailboxes Accessed via API | Remote Email Collection | TTP
O365 Multiple Service Principals Created by SP | Cloud Account | Anomaly
O365 Multiple Service Principals Created by User | Cloud Account | Anomaly
O365 Multiple Users Failing To Authenticate From Ip | Compromise Accounts, Cloud Accounts, Brute Force, Password Spraying, Credential Stuffing | TTP
O365 OAuth App Mailbox Access via EWS | Remote Email Collection | TTP
O365 OAuth App Mailbox Access via Graph API | Remote Email Collection | TTP
O365 Privileged Graph API Permission Assigned | Security Account Manager | TTP
O365 Service Principal New Client Credentials | Account Manipulation, Additional Cloud Credentials | TTP
O365 Tenant Wide Admin Consent Granted | Account Manipulation, Additional Cloud Roles | TTP
Sc exe Manipulating Windows Services | Windows Service, Create or Modify System Process | TTP
Scheduled Task Deleted Or Created via CMD | Scheduled Task, Scheduled Task/Job | TTP
Schtasks scheduling job on remote system | Scheduled Task, Scheduled Task/Job | TTP
Sunburst Correlation DLL and Network Event | Exploitation for Client Execution | TTP
Supernova Webshell | Web Shell, External Remote Services | TTP
TOR Traffic | Proxy, Multi-hop Proxy | TTP
Windows AdFind Exe | Remote System Discovery | TTP
Windows Rundll32 Inline HTA Execution | System Binary Proxy Execution, Mshta | TTP

Reference

source | version: 3