
Description

Iranian State Actors Conduct Cyber Operations Against the Government of Albania.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint
  • Last Updated: 2022-09-22
  • Author: Michael Haag, Splunk
  • ID: bc7056a5-c3b0-4b83-93ce-5f31739305c8

Narrative

The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint Cybersecurity Advisory to provide information on recent cyber operations against the Government of Albania in July and September. This advisory provides a timeline of the activity observed, from initial access to the execution of encryption and wiper attacks. Additional information about the files used by the actors during their exploitation of and cyber attack against the victim organization is provided in Appendices A and B. In September 2022, Iranian cyber actors launched another wave of cyber attacks against the Government of Albania, using similar TTPs and malware to the cyber attacks in July. These were likely carried out in retaliation for the public attribution of the July cyber attacks and Albania's severing of diplomatic ties with Iran.

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Attacker Tools On Endpoint | Match Legitimate Name or Location, Masquerading, OS Credential Dumping, Active Scanning | TTP |
| Deleting Shadow Copies | Inhibit System Recovery | TTP |
| Detect Mimikatz Using Loaded Images | LSASS Memory, OS Credential Dumping | TTP |
| Detect Mimikatz With PowerShell Script Block Logging | OS Credential Dumping, PowerShell | TTP |
| Detect Webshell Exploit Behavior | Server Software Component, Web Shell | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory, OS Credential Dumping | TTP |
| Excessive Usage Of Taskkill | Disable or Modify Tools, Impair Defenses | Anomaly |
| Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| W3WP Spawning Shell | Server Software Component, Web Shell | TTP |
| WevtUtil Usage To Clear Logs | Indicator Removal, Clear Windows Event Logs | TTP |
| Windows DisableAntiSpyware Registry | Disable or Modify Tools, Impair Defenses | TTP |
| Windows Event Log Cleared | Indicator Removal, Clear Windows Event Logs | TTP |
| Windows Exchange PowerShell Module Usage | Command and Scripting Interpreter, PowerShell | TTP |
| Windows Possible Credential Dumping | LSASS Memory, OS Credential Dumping | TTP |
| Windows Raw Access To Disk Volume Partition | Disk Structure Wipe, Disk Wipe | Anomaly |
| Windows Raw Access To Master Boot Record Drive | Disk Structure Wipe, Disk Wipe | TTP |
| Windows System File on Disk | Exploitation for Privilege Escalation | Hunting |

Reference

source | version: 1