Analytics Story: DHS Report TA18-074A

Description

Monitor for suspicious activities associated with DHS Technical Alert US-CERT TA18-074A. Some of the activities that adversaries used in these compromises included spearphishing attacks, malware, watering-hole domains, and more.

Why it matters

The frequency of nation-state cyber attacks has increased significantly over the last decade. Employing numerous tactics and techniques, these attacks continue to escalate in complexity. There is a wide range of motivations for these state-sponsored hacks, including stealing valuable corporate, military, or diplomatic data, all of which could confer advantages in various arenas. They may also target critical infrastructure. One joint Technical Alert (TA) issued by the Department of Homeland Security and the FBI in mid-March of 2018 attributed some cyber activity targeting utility infrastructure to operatives sponsored by the Russian government. The hackers executed spearphishing attacks, installed malware, employed watering-hole domains, and more. While they caused no physical damage, the attacks provoked fears that a nation-state could turn off water, redirect power, or compromise a nuclear power plant. Suspicious activities such as spikes in SMB traffic, processes that launch netsh (to modify the network configuration), suspicious registry modifications, and many more may all be events you wish to investigate further. While the use of these techniques may indicate that a nation-state actor is attempting to compromise your environment, it is important to note that these techniques are often employed by other groups as well.

Detections

Name                                                     Technique                            Type
Create local admin accounts using net exe                Local Account                        TTP
First time seen command line argument                    PowerShell, Windows Command Shell    Hunting
Detect New Local Admin account                           Local Account                        TTP
Detect PsExec With accepteula Flag                       SMB/Windows Admin Shares             TTP
Detect Renamed PSExec                                    Service Execution                    Hunting
Malicious PowerShell Process - Execution Policy Bypass   PowerShell                           Anomaly
Processes launching netsh                                Disable or Modify System Firewall    Anomaly
Registry Keys Used For Persistence                       Registry Run Keys / Startup Folder   TTP
Sc exe Manipulating Windows Services                     Windows Service                      TTP
Scheduled Task Deleted Or Created via CMD                Scheduled Task                       TTP
Single Letter Process On Endpoint                        Malicious File                       TTP
Suspicious Reg exe Process                               Modify Registry                      Anomaly
Windows Create Local Administrator Account Via Net       Local Account                        Anomaly
Detect Outbound SMB Traffic                              File Transfer Protocols              TTP
SMB Traffic Spike                                        SMB/Windows Admin Shares             Anomaly
SMB Traffic Spike - MLTK                                 SMB/Windows Admin Shares             Anomaly
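The detections in the table above, and the suspicious activities called out under "Why it matters" (netsh launches, registry run-key changes, local admin creation, SMB traffic spikes), are Splunk searches over endpoint and network data. The following Python is an added example, not part of this story or of Splunk's content, that mirrors the matching logic of several of those detections over a handful of constructed process-creation events shaped like Windows Security 4688 / Sysmon EventID 1 records, plus a simple baseline-versus-current check in the spirit of "SMB Traffic Spike". All hosts, users, paths, regexes, and the sigma threshold are assumptions made for the example; they are not the detection definitions from the story.

```python
import re
import statistics

# Constructed process-creation records in the shape of Windows Security 4688 /
# Sysmon EventID 1 events. Hosts, users and paths are invented for this example.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net localgroup administrators backdoor /add"},
    {"host": "ws01", "user": r"CORP\alice", "image": r"C:\Windows\System32\netsh.exe",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "ws02", "user": r"CORP\bob", "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v upd /d C:\Users\bob\a.exe"},
    {"host": "ws02", "user": r"CORP\bob", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv01 -accepteula -s cmd.exe"},
    {"host": "srv01", "user": r"CORP\svc", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\temp\x.ps1"},
    {"host": "srv01", "user": r"CORP\svc", "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r"sc create updsvc binPath= C:\temp\x.exe start= auto"},
    {"host": "ws03", "user": r"CORP\carol", "image": r"C:\Users\carol\a.exe",
     "cmdline": "a.exe"},
    {"host": "ws03", "user": r"CORP\carol", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /tn upd /tr C:\temp\x.exe /sc onlogon"},
    {"host": "ws04", "user": r"CORP\dave", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\dave\notes.txt"},
]

# (detection name from the story, regex on the image basename, regex on the
# lower-cased command line). The regexes are this example's approximation of
# each detection's logic, not the story's own search definitions.
# An empty command-line regex matches any launch of that image.
RULES = [
    ("Create local admin accounts using net exe", r"^net1?\.exe$",
     r"localgroup\s+administrators\s+.*/add"),
    ("Processes launching netsh", r"^netsh\.exe$", r""),
    ("Registry Keys Used For Persistence", r"^reg\.exe$",
     r"\badd\b.*\\currentversion\\run"),
    ("Detect PsExec With accepteula Flag", r"^psexec(64)?\.exe$", r"-accepteula"),
    ("Malicious PowerShell Process - Execution Policy Bypass", r"^(powershell|pwsh)\.exe$",
     r"-(ep|ex|exec|executionpolicy)\s+bypass"),
    ("Sc exe Manipulating Windows Services", r"^sc\.exe$", r"\b(create|config|start|delete)\b"),
    ("Scheduled Task Deleted Or Created via CMD", r"^schtasks\.exe$", r"/(create|delete)\b"),
    ("Single Letter Process On Endpoint", r"^[a-z]\.exe$", r""),
]


def basename(image):
    """Lower-cased file name of an image path (handles both slash styles)."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def match_event(event):
    """Return the names of the detections a single process event triggers (may be empty)."""
    name = basename(event["image"])
    cmd = event["cmdline"].lower()
    return [title for title, img_re, cmd_re in RULES
            if re.search(img_re, name) and re.search(cmd_re, cmd)]


def triage(events):
    """Map each fired detection name to the (host, user) pairs that triggered it."""
    hits = {}
    for ev in events:
        for title in match_event(ev):
            hits.setdefault(title, []).append((ev["host"], ev["user"]))
    return hits


# Constructed per-host counts of outbound connections to TCP/445, one value per
# hour. The last value is the current window; earlier values form the baseline.
SMB_HOURLY_COUNTS = {
    "ws01": [3, 4, 2, 5, 3, 4, 3, 90],
    "ws02": [10, 12, 9, 11, 10, 13, 11, 12],
}


def smb_spike(counts, sigma=3.0, min_baseline=4):
    """Flag hosts whose latest SMB connection count exceeds mean + sigma*stdev of the baseline.

    The stdev floor of 1.0 keeps a flat baseline from turning every small change
    into an alert; sigma and min_baseline are tuning assumptions for this example.
    """
    flagged = {}
    for host, series in counts.items():
        if len(series) <= min_baseline:
            continue
        baseline, current = series[:-1], series[-1]
        threshold = statistics.mean(baseline) + sigma * max(statistics.pstdev(baseline), 1.0)
        if current > threshold:
            flagged[host] = current
    return flagged


if __name__ == "__main__":
    for title, where in triage(SAMPLE_EVENTS).items():
        print(f"{title}: {where}")
    print("SMB spikes:", smb_spike(SMB_HOURLY_COUNTS))
```

Run as-is, eight of the nine constructed events fire exactly one detection each and the notepad launch fires none, while the SMB check flags only ws01. The image-basename match on its own is deliberately weak (a renamed binary defeats it, which is why the story also carries a "Detect Renamed PSExec" hunting search), so in production the same logic would be run over the Endpoint data model where original file name and hash fields are also available.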

Data Sources

Name                              Platform   Sourcetype                 Source
CrowdStrike ProcessRollup2        N/A        crowdstrike:events:sensor  crowdstrike
Sysmon EventID 1                  Windows    xmlwineventlog             XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13                 Windows    xmlwineventlog             XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688   Windows    xmlwineventlog             XmlWinEventLog:Security
Windows Event Log Security 4720   Windows    xmlwineventlog             XmlWinEventLog:Security
Windows Event Log Security 4732   Windows    xmlwineventlog             XmlWinEventLog:Security

Source: GitHub | Version: 2