This is a Linux based tool that would be difficult to detect unless you are monitoring processes or bash history. Ldapsearch was used to enumerate information in the enterprise domain.
USE OSQUERY TO CHECK AUDIT LOGGING POLICY CODE
looking for base64 encoded code within HTTP GET and POST requests, in the ‘data’ field.monitoring HTTP POST requests to remote IP addresses with encrypted binary blobs this generally includes information about the compromised host such as its hostname.monitoring ‘ESTABLISHED’ connections to remote IP addresses to detect C2 beaconing.The red team used Cobalt Strike’s Command and Control (C2) protocol to establish their foothold. MIME or content types can be filtered to those commonly used for phishing campaigns like ‘application/zip’, ‘application/pdf’, ‘application/msword’, and ‘application/vnd.openxmlformats/%’.HTTP GET request to the malicious document downloaded to the victim’s machine.HTTP GET request to the malicious link that was embedded in the email.The Zeek http.log will also capture important data on files traversing the network, such as 'resp_filenames’ and ‘resp_mime_types’. If your organisation is capturing network traffic via Zeek, files.log will be able to detect any files being downloaded with common phishing extensions like. Endpoint Detection and Response (EDR) and Anti-Virus signature and behavioural alerts for downloading a malicious document, clicking a malicious link, and the activity that followed.In this case study, one set of emails contained an embedded link to a malicious file hosted on the internet, and the other had a malicious file attached to the email. This will mostly look at endpoint and network signatures that we can detect from the IT side of the environment, as these will not, due to their nature, generally be available in OT infrastructure. ParaFlare’s operations team has dissected the case study’s lifecycle into useful detections that we are using to protect our customers, and provide a head start for organisations who are susceptible to similar breaches.
USE OSQUERY TO CHECK AUDIT LOGGING POLICY SERIES
There is a clear path to the OT environment, but this requires a series of successfully executed activities before completing their mission all of which is detectable within your IT environment. Threat actors with clear motives will live off the land and use already existing tools, or those that are publicly available, to further compromise a network whether it be in the IT or OT space.Īttack Lifecycle In FireEye Mandiant’s case study, the following graphic was provided to demonstrate what phases of the attack lifecycle are conducted in which part of an organisation’s network. Regardless of whether your organisation deals with OT or not, the detections explored within this article relate to commonly found tools or techniques used against an IT environment, such as phishing emails, Remote Desktop Protocol (RDP), mimikatz, and Cobalt Strike. ParaFlare is expanding on this research to provide useful detection and response methods to those responsible for securing a technology-enabled environment.
Digital Forensics & Incident Response Consultant at ParaFlareįireEye Mandiant released a red teaming case study in April 2021 that explores the tactics, techniques, and procedures (TTPs) used to penetrate an information technology (IT) network and ultimately gain access to the operational technology (OT) network.
0 kommentar(er)
