Rule Digest. APT & Malware: Content Released This Week
This week, the rules to detect malware and APT activity from both our team and the participants of the SOC Prime Threat Bounty Program got into the spotlight. In digests, we try to draw your attention to interesting rules published over the past week.
APT StrongPity by Ariel Millahuel
https://tdm.socprime.com/tdm/info/lC2OEeruDxdg/fos3nHEB1-hfOQir9NI-/?p=1
StrongPity APT (aka Promethium) abuses poisoned installers of legitimate software to infect victims, and this exclusive rule helps to uncover such behavior. The APT group conducted cyber espionage campaigns since at least 2012 attacking targets primarily in Europe and North Africa. StrongPity espionage APT activity is extremely difficult to track, in their attacks, adversaries use signed modular malware, also, they are known for exploiting zero-day vulnerabilities.
Possible Malicious LNK File with Double Extension (via cmdline) by SOC Prime Team
https://tdm.socprime.com/tdm/info/lwTxvspCLlJF/Mwm5vHEBAq_xcQY4MuED/?p=1
We have highlighted a similar rule under the heading Rule of the week, and we believe that the abuse of double extensions is a serious threat to Windows users. This one uncovers suspicious use of LNK extension which is used for malicious purposes as often as the EXE. The LNK file is less suspicious for antivirus solutions, and if the user opens it, a remotely downloaded script could be run, and this is one of the most economical ways for adversaries to infect their victim.
Suspicious Process Access (via sysmon) by SOC Prime Team
https://tdm.socprime.com/tdm/info/S34YfAqmYUYv/oIstvXEB1-hfOQiro-2_/?p=1
This rule tracks suspicious access from unusual places to system processes that may indicate malicious activity on the system. Such activity should be investigated; to avoid falsepositives, it is necessary to check every event and build a whitelist.
Possible Active Directory Enumeration with AD Module without RSAT or Admin Privileges (via powershell) by SOC Prime Team https://tdm.socprime.com/tdm/info/dsqELFx5ckXR/OsJb0G0BEiSx7l0HXZMS/?p=1
Adversaries can just grab the DLL from the system with RSAT and drop it on the system we want to enumerate from (that does not have RSAT installed) and simply import that DLL as a module. With this rule, you can detect this in a timely manner and uncover cyber attacks on the early stages.
Chthonic Banking Trojan by Ariel Millahuel
https://tdm.socprime.com/tdm/info/LBnEPGjxVeGO/j-bEwHEBv8lhbg_ijYGH/?p=1
The rule detects a fresh instance of Chthonic that is a variant of Zeus and the Trojan is apparently an evolution of ZeusVM, although it has undergone a number of significant changes. Chthonic uses the same encryptor as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.
The rules from this collection have translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, Logpoint, Humio, RSA NetWitness
EDR: Windows Defender ATP, Carbon Black, CrowdStrike, Elastic Endpoint
NTA: Corelight
The rules are linked to the following Tactics and Techniques of MITRE ATT&CK:
Tactics: Initial Access, Execution, Privilege Escalation, Defense Evasion, Discovery.
Techniques: Spearphishing Attachment (T1193), Modify Registry (T1112), Process Injection (T1055), Account Discovery (T1087), Command-Line Interface (T1059)
Also, we want to remind you that this week there was a major update to the Threat Detection Marketplace, including the addition of support for two new platforms – Humio and CrowdStrike – and translations for them. To date, the number of available rules on the platform has exceeded 57,000!