
Earth Baku 2.0: Revealing the Advanced Tactics Behind the APT Group’s Next-Gen Cyberespionage Campaign
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
Application Layer Protocol: Web Protocols
ID | Data Source | Data Component | Detects |
Monitor and analyze traffic patterns and packet inspection associated to protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). | |||
Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). |
Account Discovery
ID | Data Source | Data Component | Detects |
Monitor logs and other sources of command execution history for actions that could be taken to gather information about accounts, including the use of calls to cloud APIs that perform account discovery. System and network discovery techniques normally occur throughout an operation as an adversary learns the environment, and also to an extent in normal network operations. Therefore discovery data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained. | |||
Monitor access to file resources that contain local accounts and groups information such as /etc/passwd, /Users directories, and the SAM database. If access requires high privileges, look for non-admin objects (such as users or processes) attempting to access restricted file resources. | |||
Monitor for processes that can be used to enumerate user accounts and groups such as net.exe and net1.exe, especially when executed in quick succession.[9] Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. |