{ "Event": { "analysis": "2", "date": "2017-02-13", "extends_uuid": "", "info": "OSINT - Fileless attacks against enterprise networks", "publish_timestamp": "1487003184", "published": true, "threat_level_id": "3", "timestamp": "1487003097", "uuid": "58a1dcbc-4d5c-4267-995a-498b950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": "0", "name": "tlp:white", "relationship_type": "" }, { "colour": "#6edb00", "local": "0", "name": "circl:topic=\"finance\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002829", "to_ids": false, "type": "text", "uuid": "58a1dccd-daf4-4847-aea2-4516950d210f", "value": "During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That\u00e2\u20ac\u2122s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That\u00e2\u20ac\u2122s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like \u00e2\u20ac\u0153SC\u00e2\u20ac\u009d and \u00e2\u20ac\u0153NETSH\u00e2\u20ac\u0153." }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002918", "to_ids": false, "type": "link", "uuid": "58a1dcd8-3694-48b8-bf09-1736950d210f", "value": "https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/", "Tag": [ { "colour": "#00223b", "local": "0", "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#086200", "local": "0", "name": "admiralty-scale:source-reliability=\"c\"", "relationship_type": "" } ] }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002870", "to_ids": true, "type": "yara", "uuid": "58a1dcf6-b3b8-486a-92a0-4409950d210f", "value": "rule msf_or_tunnel_in_registry\r\n{\r\nstrings:\r\n $port_number_in_registry = \u00e2\u20ac\u0153/4444\u00e2\u20ac\u009d\r\n $hidden_powershell_in_registry = \u00e2\u20ac\u0153powershell.exe -nop -w hidden\u00e2\u20ac\u009d wide \r\ncondition:\r\n\tuint32(0)==0x66676572 and any of them\r\n}" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002942", "to_ids": false, "type": "text", "uuid": "58a1dd3e-6e5c-49cc-8633-4e9a950d210f", "value": "MEM:Trojan.Win32.Cometer" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002943", "to_ids": false, "type": "text", "uuid": "58a1dd3f-2958-4b90-bbe9-466d950d210f", "value": "MEM:Trojan.Win32.Metasploit" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002943", "to_ids": false, "type": "text", "uuid": "58a1dd3f-27b8-4e77-a37c-4b53950d210f", "value": "Trojan.Multi.GenAutorunReg.c" }, { "category": "Antivirus detection", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487002944", "to_ids": false, "type": "text", "uuid": "58a1dd40-2d50-4602-8cc5-41ad950d210f", "value": "HEUR:Trojan.Multi.Powecod" }, { "category": "Artifacts dropped", "comment": "In unallocated space in the Windows registry, the following artefacts might be found:", "deleted": false, "disable_correlation": false, "timestamp": "1487003018", "to_ids": true, "type": "pattern-in-file", "uuid": "58a1dd8a-27c0-48aa-bc97-4f4a950d210f", "value": "powershell.exe -nop -w hidden -e" }, { "category": "Artifacts dropped", "comment": "In unallocated space in the Windows registry, the following artefacts might be found:", "deleted": false, "disable_correlation": false, "timestamp": "1487003019", "to_ids": true, "type": "pattern-in-file", "uuid": "58a1dd8b-9f78-4e2c-bd9c-450b950d210f", "value": "10.10.1.12/8080" }, { "category": "Artifacts dropped", "comment": "In unallocated space in the Windows registry, the following artefacts might be found:", "deleted": false, "disable_correlation": false, "timestamp": "1487003020", "to_ids": true, "type": "pattern-in-file", "uuid": "58a1dd8c-c65c-4794-a21a-4a38950d210f", "value": "10.10.1.11/4444" }, { "category": "Artifacts dropped", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1487003097", "to_ids": false, "type": "text", "uuid": "58a1ddd9-4a80-400e-94b3-4c00950d210f", "value": "To find the host used by an attacker using the technique described for remote connections and password collection, the following paths in the Windows registry should be analyzed:\r\n\r\nHKLM\\SYSTEM\\ControlSet001\\services\\ \u00e2\u20ac\u201c path will be modified after using the SC utility\r\nHKLM\\SYSTEM\\ControlSet001\\services\\PortProxy\\v4tov4\\tcp \u00e2\u20ac\u201c path will be modified after using the NETSH utility" } ] } }