Try in Splunk Security Cloud

Description

CISA and the FBI have identified an APT activity where the adversary gained initial access via Log4Shell via a unpatched VMware Horizon server. From there the adversary moved laterally and continued to its objective.

Narrative

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch (FCEB) organization where CISA observed suspected advanced persistent threat (APT) activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller (DC), compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence. CISA and the Federal Bureau of Investigation (FBI) assess that the FCEB network was compromised by Iranian government-sponsored APT actors.

Detections

Name Technique Type
Add or Set Windows Defender Exclusion Disable or Modify Tools, Impair Defenses TTP
Detect Mimikatz Using Loaded Images LSASS Memory, OS Credential Dumping TTP
Detect Mimikatz With PowerShell Script Block Logging OS Credential Dumping, PowerShell TTP
Detect PsExec With accepteula Flag Remote Services, SMB/Windows Admin Shares TTP
Detect Renamed PSExec System Services, Service Execution Hunting
Enable WDigest UseLogonCredential Registry Modify Registry, OS Credential Dumping TTP
GetAdComputer with PowerShell Script Block Remote System Discovery Hunting
Hunting for Log4Shell Exploit Public-Facing Application, External Remote Services Hunting
Log4Shell CVE-2021-44228 Exploitation Ingress Tool Transfer, Exploit Public-Facing Application, Command and Scripting Interpreter, External Remote Services Correlation
Log4Shell JNDI Payload Injection Attempt Exploit Public-Facing Application, External Remote Services Anomaly
Log4Shell JNDI Payload Injection with Outbound Connection Exploit Public-Facing Application, External Remote Services Anomaly
Malicious PowerShell Process - Encoded Command Obfuscated Files or Information Hunting
Mimikatz PassTheTicket CommandLine Parameters Use Alternate Authentication Material, Pass the Ticket TTP
Ngrok Reverse Proxy on Network Protocol Tunneling, Proxy, Web Service Anomaly
Powershell Windows Defender Exclusion Commands Disable or Modify Tools, Impair Defenses TTP
Suspicious Driver Loaded Path Windows Service, Create or Modify System Process TTP
Suspicious Powershell Command-Line Arguments PowerShell TTP
Windows Driver Load Non-Standard Path Rootkit, Exploitation for Privilege Escalation TTP
Windows Drivers Loaded by Signature Rootkit, Exploitation for Privilege Escalation Hunting
Windows Mimikatz Binary Execution OS Credential Dumping TTP
Windows Ngrok Reverse Proxy Usage Protocol Tunneling, Proxy, Web Service Anomaly
Windows Service Create Kernel Mode Driver Windows Service, Create or Modify System Process, Exploitation for Privilege Escalation TTP
XMRIG Driver Loaded Windows Service, Create or Modify System Process TTP

Reference

source | version: 1