
Chameleon Unleashed: The Silent Predator of Mobile Banking Earth Baku began using tools like Cobalt Strike, Crosswalk, and Metasploit in their cyber espionage campaigns.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1055-Process Injection
ID | Data Source | Data Component | Detects |
Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. | |||
Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. | |||
Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. | |||
Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[86] Monitoring for Linux specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[87] [88] [89] [90] | |||
Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. | |||
Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[91] | |||
Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
T1562 - Impair Defenses
ID | Data Source | Data Component | Detects |
Monitor logs for API calls to disable logging. In AWS, monitor for: StopLogging and DeleteTrail.[5] In GCP, monitor for: google.logging.v2.ConfigServiceV2.UpdateSink.[6] In Azure, monitor for az monitor diagnostic-settings delete.[7] Additionally, a sudden loss of a log source may indicate that it has been disabled. | |||
Monitor changes made to cloud services for unexpected modifications to settings and/or data. | |||
Monitor executed commands and arguments that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Monitor for unusual/suspicious driver activity, especially regarding EDR and drivers associated with security tools as well as those that may be abused to disable security products. | |||
Monitor for missing log files hosts and services with known active periods. | |||
Monitor changes made to configuration files that contain settings for logging and defensive tools. | |||
Monitor for changes in the status of the system firewall such as Windows Security Auditing events 5025 (The Windows firewall service has been stopped) and 5034 (The Windows firewall driver was stopped). | |||
Monitor for changes made to firewall rules for unexpected modifications to allow/block specific network traffic that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Monitor for the abnormal execution of API functions associated with system logging. | |||
Monitor newly executed processes that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Using another process or third-party tools, monitor for modifications or access to system processes associated with logging. | |||
Monitor for unexpected deletions of a running process (ex: Sysmon EID 5 or Windows EID 4689) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. | |||
Monitor logging, messaging, and other artifacts highlighting the health of host sensors (ex: metrics, errors, and/or exceptions from logging applications) that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. Lack of log events may be suspicious. | |||
Monitor contextual data about a service/daemon, which may include information such as name, service executable, start type that that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Monitor for changes to account settings associated with users/tenants that may impact defensive logging capabilities, such as the Update User and Change User License events in the Azure AD audit log.[8] | |||
Monitor for unexpected deletion of windows registry keys that that may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. | |||
Monitor Registry edits for modifications to services and startup programs that correspond to security tools. |
T1566 - Phishing
ID | Data Source | Data Component | Detects |
Monitor for third-party application logging, messaging, and/or other artifacts that may send phishing messages to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link. Monitor call logs from corporate devices to identify patterns of potential voice phishing, such as calls to/from known malicious phone numbers. Correlate these records with system events. | |||
Monitor for newly constructed files from a phishing messages to gain access to victim systems. | |||
Monitor and analyze SSL/TLS traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[14][15] | |||
Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious |
T1059 - Command and Scripting Interpreter
ID | Data Source | Data Component | Detects |
Monitor command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script. Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. | |||
Monitor for events associated with scripting execution, such as the loading of modules associated with scripting languages (ex: JScript.dll or vbscript.dll). | |||
Monitor log files for process execution through command-line and scripting activities. This information can be useful in gaining additional insight to adversaries' actions through how they use native processes or custom tools. Also monitor for loading of modules associated with specific languages. | |||
Monitor contextual data about a running process, which may include information such as environment variables, image name, user/owner, or other information that may reveal abuse of system features. For example, consider monitoring for Windows Event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as if PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[52] | |||
Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
T1056 - Input Capture
ID | Data Source | Data Component | Detects |
Monitor for unusual kernel driver installation activity | |||
Monitor for changes made to files for unexpected modifications to access permissions and attributes | |||
Monitor for API calls to SetWindowsHook, GetKeyState, and GetAsyncKeyState [7] | |||
Monitor for newly executed processes conducting malicious activity | |||
Verify integrity of live processes by comparing code in memory to that of corresponding static binaries, specifically checking for jumps and other instructions that redirect code flow. | |||
Monitor for changes made to windows registry keys or values for unexpected modifications |
T1406 - Obfuscated Files or Information
ID | Data Source | Data Component | Detects |
Dynamic analysis, when used in application vetting, may in some cases be able to identify malicious code in obfuscated or encrypted form by detecting the code at execution time (after it is deobfuscated or decrypted). Some application vetting techniques apply reputation analysis of the application developer and can alert to potentially suspicious applications without actual examination of application code. |
T1409 - Access Stored Application Data
ID | Data Source | Data Component | Detects |
Application vetting services could detect when applications store data insecurely, for example, in unprotected external storage. |
T1417 - Input Capture
ID | Data Source | Data Component | Detects |
Application vetting services can look for applications requesting the permissions granting access to accessibility services or application overlay. | |||
The user can view and manage installed third-party keyboards. |
T1517-Access Notifications
ID | Data Source | Data Component | Detects |
Application vetting services can look for applications requesting the BIND_NOTIFICATION_LISTENER_SERVICE permission in a service declaration. | |||
The user can also inspect and modify the list of applications that have notification access through the device settings (e.g. Apps & notification -> Special app access -> Notification access). |