
DragonRank Campaign: The Silent Surge of SEO Poisoning
Indicators of Compromise
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1033 - System Owner/User Discovery
Detects:
- Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [222] [223] [224] Note: Domain controllers may not log replication requests originating from the default domain controller account. [225] Monitor for replication requests [226] from IPs not associated with known domain controllers. [227]
- Monitor executed commands and arguments that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Look for command lines that invoke AuditD or the Security Accounts Manager (SAM). Remote access tools may contain built-in features or incorporate existing tools like Mimikatz. PowerShell scripts also exist that contain credential dumping functionality, such as PowerSploit's Invoke-Mimikatz module, [228] which may require additional logging features to be configured in the operating system to collect the information necessary for analysis. Note: Event ID 4104 (from the Microsoft-Windows-PowerShell/Operational log) captures PowerShell script blocks, which can be analyzed and used to detect abuse of CMSTP.
- Monitor for hash dumpers opening the Security Accounts Manager (SAM) on the local file system (%SystemRoot%/system32/config/SAM). Some hash dumpers will open the local file system as a device and parse to the SAM table to avoid file access defenses. Others will make an in-memory copy of the SAM table before reading hashes. Detection of compromised Valid Accounts in use by adversaries may help as well.
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Note: Network analysis frameworks such as Zeek can be used to capture, decode, and alert on network protocols.
- Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
- Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
- Monitor for unexpected processes interacting with lsass.exe. [229] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.
  Linux: To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.
- Monitor for newly executed processes that may be indicative of credential dumping. On Windows 8.1 and Windows Server 2012 R2, monitor Windows Logs for LSASS.exe creation to verify that LSASS started as a protected process. Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic looks for any instances of at being created, therefore implying the querying or creation of tasks. If this tool is commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.
  Analytic 1 - Suspicious Process Execution:
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND Image="*at.exe"
- Monitor for the SAM registry key being accessed in attempts to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.
T1082 - System Information Discovery
Detects:
- Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.
- Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
T1555 - Credentials from Password Stores
Detects:
- Monitor for API calls and CLI commands that attempt to enumerate and fetch credential material from cloud secrets managers, such as get-secret-value in AWS, gcloud secrets describe in GCP, and az key vault secret show in Azure. Alert on any suspicious usages of these commands, such as an account or service generating an unusually high number of secret requests.
- Monitor executed commands and arguments that may search for common password storage locations to obtain user credentials.
- Monitor for files being accessed that may search for common password storage locations to obtain user credentials.
- Monitor for API calls that may search for common password storage locations to obtain user credentials.
- Monitor for processes being accessed that may search for common password storage locations to obtain user credentials.
- Monitor newly executed processes that may search for common password storage locations to obtain user credentials.
T1016 - System Network Configuration Discovery
Detects:
- Monitor executed commands and arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.
- Monitor for API calls (such as GetAdaptersInfo() and GetIpNetTable()) that may gather details about the network configuration and settings, such as IP and/or MAC addresses.
- Monitor for executed processes (such as ipconfig/ifconfig and arp) with arguments that may look for details about the network configuration and settings, such as IP and/or MAC addresses. Note: The analytic looks for the creation of ipconfig, route, and nbtstat processes, all of which are system administration utilities that can be used for the purpose of system network configuration discovery. If these tools are commonly used in your environment (e.g., by system administrators) this may lead to false positives and this analytic will therefore require tuning.
  Analytic 1 - Suspicious Process:
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (Image="C:\Windows\System32\ipconfig.exe" OR Image="C:\Windows\System32\route.exe" OR Image="C:\Windows\System32\nbtstat.exe")
- Monitor for any attempts to enable scripts running on a system; such attempts would be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
T1070 - Indicator Removal on Host
Detects:
- Monitor logs for abnormal modifications to application settings, such as the creation of malicious Exchange transport rules.
- Monitor executed commands and arguments that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for contextual file data that may show signs of deletion or alteration of generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for changes made to a file that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for changes made to firewall rules, especially unexpected modifications that may potentially be related to allowing and/or cleaning up previous tampering that enabled malicious network traffic.
- Monitor and analyze traffic patterns and packet inspection associated with protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)).
- Monitor for API calls that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for newly executed processes that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for changes made to scheduled jobs that may attempt to remove artifacts on a host system.
- Monitor for an attempt by a user to gain access to a network or computing resource, often by providing credentials, that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for unexpected deletions of user accounts. Windows event logs may highlight activity associated with an adversary's attempt to remove an account (e.g., Event ID 4726 - A user account was deleted). Alerting on these Event IDs may generate a high degree of false positives, so compare against baseline knowledge for how systems are typically used and correlate account modification events with other indications of malicious activity where possible.
- Monitor Windows registry keys that may be deleted or altered to remove generated artifacts on a host system, including logs or captured files such as quarantined malware.
- Monitor for changes made to Windows registry keys or values that may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware.
Detects:
- Monitor executed commands and arguments for actions that may attempt to get information about running processes on a system.
- Monitor for API calls that may attempt to get information about running processes on a system.
- Monitor for newly executed processes that may attempt to get information about running processes on a system. To be effective in deciphering malicious and benign activity, the full command line is essential. Similarly, having information about the parent process can help with making decisions and tuning to an environment. Because these commands are built in, they may be run frequently by power users or even by normal users. Thus, an analytic looking at this information should have well-defined white- or blacklists, and should consider looking at an anomaly detection approach, so that this information can be learned dynamically. Within the built-in Windows commands:
  Analytic 1 - Host Discovery Commands:
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") (Image="C:\Windows\*\hostname.exe" OR Image="C:\Windows\*\ipconfig.exe" OR Image="C:\Windows\*\net.exe" OR Image="C:\Windows\*\quser.exe" OR Image="C:\Windows\*\qwinsta.exe" OR (Image="C:\Windows\*\sc.exe" AND (CommandLine=" query " OR CommandLine=" qc ")) OR Image="C:\Windows\*\systeminfo.exe" OR Image="C:\Windows\*\tasklist.exe" OR Image="C:\Windows\*\whoami.exe") | stats values(Image) as "Images" values(CommandLine) as "Command Lines" by ComputerName
Detects:
- Monitor for executed commands and arguments that may attempt to find local system groups and permission settings.
- Monitor for logging that may suggest a list of available groups and/or their associated settings has been extracted, e.g., Windows EID 4798 and 4799.
- Monitor for API calls associated with finding local system groups and permission settings, such as NetLocalGroupEnum. Other API calls relevant to Local Group discovery include NetQueryDisplayInformation and NetGetDisplayInformationIndex. Note: Most EDR tools do not support direct monitoring of API calls due to the sheer volume of calls produced by an endpoint, but may have alerts or events that are based on abstractions of OS API calls. Dynamic malware analysis tools (i.e., sandboxes) can be used to trace the execution, including OS API calls, for a single PE binary.
- Monitor newly executed processes that may attempt to find local system groups and permission settings. Note: Event IDs are for Sysmon (Event ID 1 - process creation) and Windows Security Log (Event ID 4688 - a new process has been created). The logic in the analytic looks for any instances of net.exe used for local user/group discovery; although this utility is not normally used for benign purposes, such usage by system administrators may trigger false positives.
  Analytic 1 - Local Permission Group Discovery:
  (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="net.exe" AND (CommandLine="net user" OR CommandLine="net group" OR CommandLine="net localgroup" OR CommandLine="get-localgroup" OR CommandLine="get-ADPrincipalGroupMembership*")
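The process-creation analytics quoted in this guidance (host discovery commands, local permission group discovery, the ipconfig/route/nbtstat analytic, and the at.exe analytic) evaluated in Python over constructed Sysmon EventCode 1 and Security 4688 style records, as an added example that is not part of the original page or of the MITRE analytics it quotes. Field names (Image, CommandLine, ComputerName) mirror the queries; the sample events are constructed, and the `*at.exe` glob's match on format.exe illustrates the tuning note the text attaches to that analytic.

```python
import fnmatch
from collections import defaultdict

# Constructed sample events in the shape the analytics expect (not real telemetry).
W = "C:\\Windows\\System32\\"
SAMPLE_EVENTS = [
    {"EventCode": 1, "ComputerName": "WS01", "Image": W + "whoami.exe", "CommandLine": "whoami /all"},
    {"EventCode": 4688, "ComputerName": "WS01", "Image": W + "net.exe", "CommandLine": "net localgroup administrators"},
    {"EventCode": 1, "ComputerName": "WS02", "Image": W + "ipconfig.exe", "CommandLine": "ipconfig /all"},
    {"EventCode": 1, "ComputerName": "WS02", "Image": W + "sc.exe", "CommandLine": "sc query lanmanserver"},
    {"EventCode": 1, "ComputerName": "WS02", "Image": W + "sc.exe", "CommandLine": "sc start spooler"},
    {"EventCode": 1, "ComputerName": "WS03", "Image": W + "at.exe", "CommandLine": "at 13:00 cmd.exe"},
    {"EventCode": 1, "ComputerName": "WS03", "Image": W + "format.exe", "CommandLine": "format D: /q"},
    {"EventCode": 4688, "ComputerName": "WS03", "Image": W + "notepad.exe", "CommandLine": "notepad.exe"},
    # EventCode 7 is a Sysmon image load, not a process creation: no analytic should fire on it.
    {"EventCode": 7, "ComputerName": "WS03", "Image": W + "whoami.exe", "CommandLine": "whoami"},
]

PROCESS_CREATE_CODES = {1, 4688}  # Sysmon process create / Security "new process has been created"
HOST_DISCOVERY = {"hostname.exe", "ipconfig.exe", "net.exe", "quser.exe", "qwinsta.exe",
                  "systeminfo.exe", "tasklist.exe", "whoami.exe"}
NET_CONFIG = {"ipconfig.exe", "route.exe", "nbtstat.exe"}
LOCAL_GROUP_CMDS = ("net user", "net group", "net localgroup")

def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()

def is_process_create(ev):
    return ev.get("EventCode") in PROCESS_CREATE_CODES

def host_discovery(ev):
    """Analytic 1 - Host Discovery Commands; sc.exe counts only with 'query' or 'qc'."""
    if not is_process_create(ev):
        return False
    name = _basename(ev["Image"])
    if name == "sc.exe":
        padded = f" {ev['CommandLine']} "
        return " query " in padded or " qc " in padded
    return name in HOST_DISCOVERY

def local_group_discovery(ev):
    """Analytic 1 - Local Permission Group Discovery: net.exe with user/group/localgroup."""
    return (is_process_create(ev) and _basename(ev["Image"]) == "net.exe"
            and ev["CommandLine"].lower().startswith(LOCAL_GROUP_CMDS))

def network_config_discovery(ev):
    """Analytic 1 - Suspicious Process: creation of ipconfig, route or nbtstat."""
    return is_process_create(ev) and _basename(ev["Image"]) in NET_CONFIG

def at_execution(ev):
    """Analytic 1 - Suspicious Process Execution: Image="*at.exe". The glob is kept as
    broad as the analytic, so it also matches format.exe; that is the tuning note."""
    return is_process_create(ev) and fnmatch.fnmatch(_basename(ev["Image"]), "*at.exe")

def summarize(events, predicate):
    """Equivalent of `stats values(Image) values(CommandLine) by ComputerName`."""
    by_host = defaultdict(lambda: {"Images": set(), "Command Lines": set()})
    for ev in events:
        if predicate(ev):
            by_host[ev["ComputerName"]]["Images"].add(ev["Image"])
            by_host[ev["ComputerName"]]["Command Lines"].add(ev["CommandLine"])
    return dict(by_host)
```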
Detects:
- Monitor for the registration or joining of new device objects in Active Directory. Raise alerts when new devices are registered or joined without using MFA. [18]
- Monitor executed commands and arguments for suspicious commands to modify accounts or account settings (including files such as the authorized_keys or /etc/ssh/sshd_config). Monitor executed commands and arguments of suspicious commands (such as Add-MailboxPermission) that may be indicative of modifying the permissions of Exchange and other related service settings.
- Monitor for changes made to files related to account settings, such as /etc/ssh/sshd_config and the authorized_keys file for each user on a system.
- Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670.
- Monitor for newly constructed processes indicative of modifying account settings, such as those that modify authorized_keys or /etc/ssh/sshd_config files.
- Monitor events for changes to account objects and/or permissions on systems and the domain, such as event IDs 4738, 4728 and 4670. Monitor for modification of accounts in correlation with other suspicious activity. Changes may occur at unusual times or from unusual systems. Especially flag events where the subject and target accounts differ or that include additional flags such as changing a password without knowledge of the old password. Monitor for unusual permissions changes that may indicate excessively broad permissions being granted to compromised accounts.
Detects:
- Monitor executed commands and arguments for actions that are associated with account creation, such as net user or useradd.
- Monitor newly executed processes associated with account creation, such as net.exe.
- Monitor for newly constructed user accounts through account audits to detect suspicious accounts that may have been created by an adversary. Collect data on account creation within a network or Windows Event ID 4720 (for when a user account is created on a Windows system and domain controller).
Detects:
- Monitor executed commands and arguments for suspicious activity associated with downloading external content.
- Monitor for file creation and files transferred into the network.
- Monitor for newly constructed network connections that are sent or received by untrusted hosts or that create files on the system; these may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
- Monitor network traffic content for files and other potentially malicious content, especially data coming in from abnormal/unknown domains and IPs.
- Monitor network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.
T1021.001 - Remote Desktop Protocol
Detects:
- Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP. Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere. It could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista. Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. It is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.
  Analytic 1:
  source="*WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778) | search user NOT IN top limit=30
- Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.
  Analytic 1:
  (source="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin")
- Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.
- Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The Remote Desktop Protocol (RDP), built into Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary's perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise. Remote Desktop can be detected in several ways:
  Analytic 1:
  source="Zeek:" AND (port="3389") AND LogonType="10"
- Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.
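The RDP logon checks described in this section (EID 4624 with Logon Type 10, comparison of the originating system against known/approved workstations, the "multiple systems over a short period" access pattern, and a per-user logon/logoff timeline from 4624/4634) implemented in Python over constructed Security events, as an added example that is not part of the original page or of the analytics it quotes. The approved jump-host addresses, the 15-minute/3-host threshold and the sample events are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_RDP_SOURCES = {"10.0.5.10", "10.0.5.11"}  # assumed admin jump hosts (constructed)

# Constructed Security events: LogonType 10 is RemoteInteractive (RDP), 3 is a network logon.
SAMPLE_LOGONS = [
    {"EventCode": 4624, "TimeCreated": "2024-01-10T08:01:00", "TargetUserName": "jdoe",
     "LogonType": 10, "IpAddress": "10.0.5.10", "ComputerName": "SRV01"},
    {"EventCode": 4624, "TimeCreated": "2024-01-10T08:03:00", "TargetUserName": "jdoe",
     "LogonType": 3, "IpAddress": "10.0.8.44", "ComputerName": "SRV02"},
    {"EventCode": 4624, "TimeCreated": "2024-01-10T22:14:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "10.0.9.77", "ComputerName": "SRV02"},
    {"EventCode": 4624, "TimeCreated": "2024-01-10T22:16:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "10.0.9.77", "ComputerName": "SRV03"},
    {"EventCode": 4624, "TimeCreated": "2024-01-10T22:17:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "10.0.9.77", "ComputerName": "DC01"},
    {"EventCode": 4634, "TimeCreated": "2024-01-10T22:30:00", "TargetUserName": "svc_backup",
     "LogonType": 10, "IpAddress": "-", "ComputerName": "DC01"},
]

def rdp_logons(events):
    """EID 4624 with LogonType 10 (RemoteInteractive), i.e. interactive RDP logons."""
    return [e for e in events if e["EventCode"] == 4624 and e["LogonType"] == 10]

def unapproved_rdp_sources(events, approved=APPROVED_RDP_SOURCES):
    """RDP logons whose originating address is not a known/approved system."""
    return [e for e in rdp_logons(events) if e["IpAddress"] not in approved]

def rdp_fanout(events, window_minutes=15, min_hosts=3):
    """Accounts that reach at least min_hosts distinct systems over RDP inside a
    sliding window: the 'multiple systems over a short period' access pattern."""
    by_user = defaultdict(list)
    for e in rdp_logons(events):
        by_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ComputerName"]))
    flagged = {}
    for user, seq in by_user.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            hosts = {h for t, h in seq[i:] if t - t0 <= timedelta(minutes=window_minutes)}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def logon_timeline(events):
    """Per-user logon/logoff timeline from 4624/4634 for situational awareness."""
    timeline = defaultdict(list)
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        if e["EventCode"] in (4624, 4634):
            kind = "logon" if e["EventCode"] == 4624 else "logoff"
            timeline[e["TargetUserName"]].append((e["TimeCreated"], kind, e["ComputerName"]))
    return dict(timeline)
```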