7.B) Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol #17
Comments
All of my analytics are using this tool set (https://github.com/idaholab/Malcolm). Can I find compressed files leaving my network? Another starting point could be `zeek_http.orig_mime_types == *compressed`.
Is 192.168.0.4 expected to be in my network? Is the User-Agent of Microsoft-WebDAV-MiniRedir/10.0.18362 normal for my network/that host? Of the compressed files, what HTTP methods are there? What files are associated with the PUT method? |
That's awesome @DarthRaki! Is that something that can be queried with Zeek logs too? |
I think so, let me double check. I'll post some screenshots either way. |
Thank you @DarthRaki! If it is possible, it would be good to have something similar to the Sigma queries that @neu5ron and @patrickstjohn are putting together. It would be awesome! Example: #48 (comment). Folder to add rules: https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules |
Okay, my first ever Sigma rule! This was fun.

```yaml
title: Data from Local System, Data Compressed, Data Encrypted, Exfiltration Over Alternative Protocol
author: Greg Howell
date: 2020/04/05
references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/17
tags:
  # Sigma tactic tags use the ATT&CK tactic name: attack.exfiltration
  - attack.exfiltration
  - attack.t1002
  - attack.t1005
  - attack.t1022
logsource:
  product: zeek
  # The original listed both `service: files` and `service: http`; YAML does not
  # allow a duplicate key, so the rule targets http here. The files.log field
  # (filetype) and the Arkime/Malcolm field (http.bodyMagic) below only resolve
  # on a backend that merges those sources, such as Malcolm.
  service: http
detection:
  selection1:
    uri:
      - '*.7z'
      - '*.zip'
      - '*.rar'
  selection2:
    mime_types: '*compressed'
  selection3:
    filetype: '*compressed'
  selection4:
    http.bodyMagic: '*compressed'
  # Parentheses make the intended grouping explicit ('and' already binds tighter than 'or')
  condition: (selection1 and selection2) or selection3 or selection4
falsepositives:
  - nothing observed so far
level: high
``` |
Unfortunately I don’t have Zeek in my environment - I’m attempting to accomplish something similar with Palo Alto Firewalls data (using their ‘file’ logs which leverage file decoders). We get false positives on zip files as any Modern Office documents are classified as ‘zip’ |
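Because the false positive above comes from modern Office documents being ZIP containers, here is an added example (not code from the thread or from any firewall vendor) that separates OOXML documents from real archives when the extracted file bytes are available. It assumes the sensor hands over the file content; the magic numbers are the published ones for 7z, RAR and ZIP, and the sample files are constructed in memory.

```python
"""Separating Office documents from real archives in 'compressed' decoder hits.

Added example; not code from the issue thread or from a firewall vendor.
DOCX/XLSX/PPTX files are ZIP containers, so a decoder that reports on the
container format labels them 'zip'. The content tells them apart: every OOXML
document carries '[Content_Types].xml' plus a word/, xl/ or ppt/ tree, while
7z and RAR have their own magic and are never Office documents.
"""
import io
import zipfile

# Published magic numbers (not taken from the thread)
MAGIC_7Z = b"\x37\x7a\xbc\xaf\x27\x1c"
MAGIC_RAR4 = b"Rar!\x1a\x07\x00"
MAGIC_RAR5 = b"Rar!\x1a\x07\x01\x00"
MAGIC_ZIP = b"PK\x03\x04"
OOXML_ROOTS = ("word/", "xl/", "ppt/")


def classify_archive(data: bytes) -> str:
    """Return '7z', 'rar', 'ooxml', 'zip', 'zip-partial' or 'other'."""
    if data.startswith(MAGIC_7Z):
        return "7z"
    if data.startswith((MAGIC_RAR4, MAGIC_RAR5)):
        return "rar"
    if not data.startswith(MAGIC_ZIP):
        return "other"
    # ZIP container: the central directory sits at the end of the file, so a
    # partial capture cannot be inspected and stays a plain ZIP suspect.
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return "zip-partial"
    if "[Content_Types].xml" in names and any(n.startswith(OOXML_ROOTS) for n in names):
        return "ooxml"
    return "zip"


def worth_alerting(kind: str) -> bool:
    """Office documents are the false positive described in the thread; drop them."""
    return kind in {"7z", "rar", "zip", "zip-partial"}


def build_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a minimal DOCX-shaped container, a plain archive, a 7z header.
SAMPLE_DOCX = build_zip({
    "[Content_Types].xml": b"<Types/>",
    "_rels/.rels": b"<Relationships/>",
    "word/document.xml": b"<document/>",
})
SAMPLE_ZIP = build_zip({"OfficeSupplies/q1.xlsx": b"\x00" * 64, "notes.txt": b"hi"})
SAMPLE_7Z = MAGIC_7Z + b"\x00\x04" + b"\x00" * 26  # only the magic is inspected


def triage(samples: dict) -> dict:
    """Map file name -> (kind, alert?) for a batch of extracted files."""
    out = {}
    for name, data in samples.items():
        kind = classify_archive(data)
        out[name] = (kind, worth_alerting(kind))
    return out


if __name__ == "__main__":
    batch = {"report.docx": SAMPLE_DOCX, "loot.zip": SAMPLE_ZIP, "OfficeSupplies.7z": SAMPLE_7Z}
    for name, (kind, alert) in triage(batch).items():
        print(f"{name}: {kind} alert={alert}")
```

Note the partial-capture path: a ZIP whose end of central directory was not captured cannot be distinguished from an Office document by content alone, so it is kept as a suspect rather than silently dropped.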
Nice work! What are your thoughts? |
I thought of using PUT, but if you look at this tactic they also use PROPPATCH, which according to the interwebs "The PATCH method is used to apply partial modifications to a resource." The PUT method would work for some items but may not catch all. I would rather filter out the FP than miss one. |
That makes sense, I see where you're coming from. |
And the PROPPATCH is more for acknowledgment than it is a part of the actual compressed exfil, if that makes sense. |
So I have this one, which will only hit on things that are external Dst.
Then I made this one for the PUT method. |
Niceeeee! Thank you for sharing @DarthRaki! Would it be good to add the external dest filter also to the second one? Maybe merge both? We are talking about exfiltration, and the external destination filter fits that, correct? |
You could add it; however, if they are staging inside your network and using it as a means to gather the data before exfil, this would also catch that. |
Niceee, thank you @DarthRaki. If those two are final rules, would you mind adding them to this folder https://github.com/OTRF/detection-hackathon-apt29/tree/master/rules and pushing a PR? It would be great to keep everything in one folder so that we can push all the final rules from that folder to SIGMA at the end. ;) |
7.B.1 Data from Local System. Procedure: Read data in the user's Downloads directory using PowerShell. |
7.B.2 Data Compressed. Procedure: Compressed data from the user's Downloads directory into a ZIP file (OfficeSupplies.7z) using PowerShell.
Sysmon Logs: results (screenshot) |
7.B.3 Data Encrypted. Procedure: Encrypted data from the user's Downloads directory using PowerShell.
Sysmon Logs, Security: results (screenshot) |
7.B.4 Exfiltration Over Alternative Protocol. Procedure: Exfiltrated collection (OfficeSupplies.7z) to WebDAV network share using PowerShell.
Sysmon + PowerShell Logs: results (screenshot)
Security + PowerShell Logs: results (screenshot) |
Another way to simply identify activity of the WebClient used for WebDAV connections via host telemetry is by looking for the execution of rundll32 with command arguments like the following:
Sysmon Logs: results (screenshot) |
This is my first network rule ever created with Zeek logs LOL

```yaml
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: experimental
description: A general detection for a WebDAV user-agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.
references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  product: zeek
  service: http
detection:
  selection:
    user_agent|contains: 'WebDAV'
    method: 'PUT'
  filter:
    # id_resp_h holds an IP address; without the cidr modifier these entries
    # would be compared as literal strings and never match.
    id_resp_h|cidr:
      - 192.168.0.0/16
      - 172.16.0.0/12
      - 10.0.0.0/8
  condition: selection and not filter
falsepositives:
  - unknown
level: medium
```

Maybe @neu5ron? LOL idk if it makes sense :) |
Yeah, it makes sense. So the whole rule would be:

```yaml
title: WebDav Put Request
id: 705072a5-bb6f-4ced-95b6-ecfa6602090b
status: experimental
description: A general detection for a WebDAV user-agent being used to PUT files on a WebDAV network share. This could be an indicator of exfiltration.
references:
  - https://github.com/OTRF/detection-hackathon-apt29/issues/17
author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research)
date: 2020/05/02
tags:
  - attack.exfiltration
  - attack.t1048
logsource:
  # Generic proxy category so the rule maps to any web proxy/HTTP log source, not only Zeek
  category: proxy
detection:
  selection:
    c-useragent|contains: 'WebDAV'
    cs-method: 'PUT'
  # RFC1918 destination ranges, one selection per block
  class_a:
    dst_ip|startswith: '10.'
  class_b:
    dst_ip|re: '^(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)'
  class_c:
    # The original put the modifier on the selection name; it belongs on the field
    dst_ip|startswith: '192.168.'
  condition: selection and not 1 of class_*
falsepositives:
  - unknown
level: medium
``` |
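As an added example that is not part of the thread, of Zeek or of Malcolm, the following Python re-implements the two detections discussed above, the compressed-content rule (the first Sigma rule in this thread) and the WebDAV PUT rule (the two versions just above), and runs them over constructed Zeek http.log records in JSON form. It assumes native Zeek JSON field names (`uid`, `id.resp_h`, `method`, `uri`, `user_agent`, `orig_mime_types`, `resp_mime_types`); the addresses, connection uids and file names are made up. The compressed check is deliberately looser than the posted rule, as stated in the code.

```python
"""Two Zeek HTTP detections from this thread, run over sample http.log records.

Added example; not code from the issue, from Zeek, or from Malcolm. It
re-implements in Python the intent of the two Sigma rules posted above:
  1. compressed content moving over HTTP (an archive extension in the URI,
     or a '*compressed' MIME type reported by Zeek's file analysis), and
  2. a WebDAV user-agent issuing a PUT to a destination outside RFC1918 space.
Input is Zeek http.log in JSON form. The records below are constructed for
the example and are not captured traffic.
"""
import ipaddress
import json

# Destination ranges the WebDAV PUT rule filters out (its id_resp_h list).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ARCHIVE_EXTENSIONS = (".7z", ".zip", ".rar")


def is_rfc1918(ip: str) -> bool:
    """True if ip is an IPv4 address inside one of the three RFC1918 blocks.

    CIDR arithmetic avoids the prefix-matching edge cases the proxy version
    has to spell out by hand: 172.32.0.1 starts with '172.' but is public.
    """
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and any(addr in net for net in RFC1918)


def mime_compressed(rec: dict) -> bool:
    """The '*compressed' check from the first rule, over both directions.

    Caveat: Zeek labels plain ZIP as 'application/zip', which does not end in
    'compressed'; the URI extension check is what covers ZIP.
    """
    mimes = (rec.get("orig_mime_types") or []) + (rec.get("resp_mime_types") or [])
    return any(m.endswith("compressed") for m in mimes)


def compressed_transfer(rec: dict) -> bool:
    """Archive extension in the URI or a compressed MIME type.

    Looser than the posted 'selection1 and selection2': either signal alone
    counts, so a PROPPATCH against OfficeSupplies.7z (no body, hence no MIME
    type) is still surfaced.
    """
    uri = (rec.get("uri") or "").lower()
    return uri.endswith(ARCHIVE_EXTENSIONS) or mime_compressed(rec)


def webdav_put_external(rec: dict) -> bool:
    """The 'WebDav Put Request' rule: WebDAV UA, PUT, destination not RFC1918."""
    ua = rec.get("user_agent") or ""
    return "WebDAV" in ua and rec.get("method") == "PUT" and not is_rfc1918(rec["id.resp_h"])


def run(log_lines):
    """Return (uid, id.resp_h, [rules fired]) for every record that hits."""
    hits = []
    for line in log_lines:
        rec = json.loads(line)
        fired = []
        if compressed_transfer(rec):
            fired.append("compressed")
        if webdav_put_external(rec):
            fired.append("webdav_put_external")
        if fired:
            hits.append((rec["uid"], rec["id.resp_h"], fired))
    return hits


# Constructed http.log records (Zeek JSON field names; all values made up).
UA = "Microsoft-WebDAV-MiniRedir/10.0.18362"
SAMPLE_LOG = [json.dumps(r) for r in (
    # Staging to an internal share: compressed rule fires, external PUT rule does not.
    {"uid": "C1", "id.orig_h": "10.0.1.5", "id.resp_h": "192.168.0.4", "method": "PUT",
     "uri": "/share/OfficeSupplies.7z", "user_agent": UA,
     "orig_mime_types": ["application/x-7z-compressed"]},
    # Exfiltration to an external WebDAV share: both rules fire.
    {"uid": "C2", "id.orig_h": "10.0.1.5", "id.resp_h": "203.0.113.10", "method": "PUT",
     "uri": "/share/OfficeSupplies.7z", "user_agent": UA,
     "orig_mime_types": ["application/x-7z-compressed"]},
    # PROPPATCH on the same object: no body, so only the URI check can catch it.
    {"uid": "C3", "id.orig_h": "10.0.1.5", "id.resp_h": "203.0.113.10", "method": "PROPPATCH",
     "uri": "/share/OfficeSupplies.7z", "user_agent": UA},
    # Benign Office download from a 172.32.x host (outside 172.16/12): nothing fires.
    {"uid": "C4", "id.orig_h": "10.0.1.5", "id.resp_h": "172.32.1.1", "method": "GET",
     "uri": "/docs/report.docx", "user_agent": "Mozilla/5.0",
     "resp_mime_types": ["application/vnd.openxmlformats-officedocument.wordprocessingml.document"]},
)]

if __name__ == "__main__":
    for uid, dst, fired in run(SAMPLE_LOG):
        print(uid, dst, ",".join(fired))
```

The first record shows the point made earlier in the thread: internal staging to 192.168.0.4 is caught by the compressed-content rule but, by design, not by the external-destination PUT rule, so the two rules complement rather than duplicate each other.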
Thank you very much @neu5ron! One quick question: so only translate Zeek HTTP to proxy, right? |
Yeah, Zeek HTTP to proxy. |
The attacker then collects files (T1005), which are compressed (T1002) and encrypted (T1022), before being exfiltrated to an attacker-controlled WebDAV share (T1048).