Try in Splunk Security Cloud
Description
From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to advanced persistent threat (APT) activity on a Defense Industrial Base (DIB) Sector organization’s enterprise network. During incident response activities, multiple utilities were utilized.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Endpoint
- Last Updated: 2022-10-05
- Author: Michael Haag, Splunk
- ID: db408f93-e915-4215-9962-5fada348bdd7
Narrative
CISA uncovered that likely multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.
Detections
Name |
Technique |
Type |
CertUtil Download With URLCache and Split Arguments |
Ingress Tool Transfer |
TTP |
Cmdline Tool Not Executed In CMD Shell |
Command and Scripting Interpreter, JavaScript |
TTP |
Create or delete windows shares using net exe |
Indicator Removal, Network Share Connection Removal |
TTP |
Detect Renamed WinRAR |
Archive via Utility, Archive Collected Data |
Hunting |
Excessive Usage Of Taskkill |
Disable or Modify Tools, Impair Defenses |
Anomaly |
Exchange PowerShell Module Usage |
Command and Scripting Interpreter, PowerShell |
TTP |
Impacket Lateral Movement Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement WMIExec Commandline Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Impacket Lateral Movement smbexec CommandLine Parameters |
Remote Services, SMB/Windows Admin Shares, Distributed Component Object Model, Windows Management Instrumentation, Windows Service |
TTP |
Network Connection Discovery With Netstat |
System Network Connections Discovery |
Hunting |
Network Discovery Using Route Windows App |
System Network Configuration Discovery, Internet Connection Discovery |
Hunting |
Reference
source | version: 1