
GeoServer Flaw Powers Earth Baxia's Espionage Campaign in APAC
Indicators of Compromise
APT Groups
Earth Baxia is identified as a Chinese cyber-espionage group that has been actively exploiting vulnerabilities in GeoServer to target APAC nations, primarily for espionage purposes. Their operations include sophisticated spear-phishing campaigns and malware deployment.
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION
T1218.011 - System Binary Proxy Execution: Rundll32
ID | Data Source | Data Component | Detects |
| | | Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Typical command-line usage of rundll32.exe is "rundll32.exe DllFile,EntryPoint" where DllFile is the name of the DLL file being called and EntryPoint the name of the entry point in the DLL file. DLLs stored on SMB shares can similarly be called using the syntax "rundll32.exe \\<ip>\DllFile,EntryPoint" where <ip> is the IPv4 address of the host of the SMB share. Rundll32 can also be used to execute arbitrary JavaScript using the syntax "rundll32.exe javascript:<code_block>" where <code_block> is a string defining the JavaScript code to be executed. |
| | | Analyze contextual data about executed DLL files, which may include information such as name, the content (ex: signature, headers, or data/media), age, user/owner, permissions, etc. |
| | | Analyzing DLL exports and comparing them to runtime arguments may be useful in uncovering obfuscated function calls. Static Portable Executable (PE) analysis tools can be used to examine and dump the exports of a particular DLL. |
| | | Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with the prior history of known-good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. When monitoring for all instances of Rundll32 execution, as defined by the logic in the Detection Pseudocode, it is imperative to also investigate the full set of command-line parameters used. These parameters contain key information about the DLL payload, including the name, entry point, and optional arguments. Note: Event IDs are for Sysmon (Event ID 10 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic looks for any instance of rundll32.exe but does no other filtering, which may result in false positives. Therefore, we recommend tuning any such analytics by including additional logic (e.g., testing the name of the user that created the process) that helps reduce false positives.
Analytic 1 - RunDLL32.exe Monitoring
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="rundll32.exe" |
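A worked version of the rundll32 triage described above, added here as a Python example (it is not code from the original page, from Trend Micro or from MITRE ATT&CK). It applies Analytic 1 to a constructed batch of Sysmon EID 1 / Security 4688 style records, splits the "DllFile,EntryPoint" command line into its parts, recognises the SMB-share and javascript: forms the guidance mentions, and compares each invocation against an assumed baseline of known-good (DLL, entry point) pairs. The KNOWN_GOOD set, the USER_WRITABLE heuristic and every sample event are assumptions made for this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in the shape of Sysmon EID 1 / Security 4688
# events (sample data written for this example, not captured telemetry).
SAMPLE_EVENTS = [
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\alice",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"source": "WinEventLog:Security", "EventCode": "4688",
     "Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\bob",
     "CommandLine": r"rundll32.exe \\10.0.0.5\share\update.dll,Start"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\bob",
     "CommandLine": "rundll32.exe javascript:constructed_sample_code"},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\rundll32.exe", "User": r"CORP\bob",
     "CommandLine": r'rundll32.exe "C:\Users\bob\AppData\Local\Temp\x.dll",DllRegisterServer'},
    {"source": "WinEventLog:Microsoft-Windows-Sysmon/Operational", "EventCode": "1",
     "Image": r"C:\Windows\System32\notepad.exe", "User": r"CORP\alice",
     "CommandLine": "notepad.exe"},
]

# Assumed baseline of (DLL basename, entry point) pairs from prior known-good
# invocations; in practice this is built from the environment's own history.
KNOWN_GOOD = {("shell32.dll", "control_rundll"), ("user32.dll", "lockworkstation")}

# Assumed heuristic: DLLs loaded from user-writable locations deserve a closer look.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.I)


def analytic_1(events):
    """Analytic 1 from the page: every rundll32.exe process creation (EID 1 or 4688)."""
    return [e for e in events
            if e["EventCode"] in ("1", "4688")
            and PureWindowsPath(e["Image"]).name.lower() == "rundll32.exe"]


def parse_rundll32(cmdline):
    """Split 'rundll32.exe DllFile,EntryPoint [args]' into its parts.

    kind is 'local', 'smb_share' (DllFile is a UNC path) or 'javascript'.
    """
    parts = cmdline.strip().split(None, 1)
    if len(parts) < 2:
        return {"kind": "local", "dll": None, "entry": None, "args": ""}
    payload = parts[1].strip()
    if payload.lower().startswith("javascript:"):
        return {"kind": "javascript", "dll": None, "entry": None,
                "args": payload[len("javascript:"):]}
    if payload.startswith('"'):                     # quoted DllFile may contain spaces
        close = payload.find('"', 1)
        dll, rest = payload[1:close], payload[close + 1:]
    else:
        dll, _, rest = payload.partition(" ")
    if "," in dll:                                  # DllFile,EntryPoint written together
        dll, _, entry = dll.partition(",")
    elif rest.lstrip().startswith(","):             # "DllFile",EntryPoint after a quote
        entry, _, rest = rest.lstrip()[1:].partition(" ")
    else:
        entry = None
    kind = "smb_share" if dll.startswith("\\\\") else "local"
    return {"kind": kind, "dll": dll, "entry": entry, "args": rest.strip()}


def triage(event):
    """Return (parsed command line, reasons it departs from known-good rundll32 usage)."""
    p = parse_rundll32(event["CommandLine"])
    reasons = []
    if p["kind"] == "javascript":
        return p, ["javascript_payload"]
    if p["dll"] is None:
        return p, ["no_dll_argument"]
    if p["kind"] == "smb_share":
        reasons.append("dll_on_smb_share")
    key = (PureWindowsPath(p["dll"]).name.lower(), (p["entry"] or "").lower())
    if key not in KNOWN_GOOD:
        reasons.append("dll_entry_not_in_baseline")
    if USER_WRITABLE.search(p["dll"]):
        reasons.append("dll_in_user_writable_path")
    return p, reasons


if __name__ == "__main__":
    for ev in analytic_1(SAMPLE_EVENTS):
        parsed, reasons = triage(ev)
        print(ev["User"], parsed["kind"], parsed["dll"], parsed["entry"], reasons or "baseline")
```

Run directly it prints one line per rundll32 event. The empty reason list for the shell32.dll invocation is the point of the baseline comparison the guidance asks for: the analytic fires on every rundll32 start, and the command-line parsing is what separates routine Control Panel use from a DLL pulled from a share or a user-writable directory.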
T1071.004 - DNS
ID | Data Source | Data Component | Detects |
| | | Monitor and analyze traffic patterns and packet inspection associated with the protocol(s), leveraging SSL/TLS inspection for DNS over TLS (DoT) and DNS over HTTPS (DoH), that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
| | | Monitor for DNS traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
T1587.003 - Digital Certificates
ID | Data Source | Data Component | Detects |
| | | Consider use of services that may aid in the tracking of certificates in use on sites across the Internet. In some cases it may be possible to pivot on known pieces of certificate information to uncover other adversary infrastructure.[5] Detection efforts may be focused on related behaviors, such as Web Protocols, Asymmetric Cryptography, and/or Install Root Certificate. |
T1587.001 - Malware
ID | Data Source | Data Component | Detects |
| | | Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time. |
| | | Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |
T1573.001 - Symmetric Cryptography
ID | Data Source | Data Component | Detects |
| | | Monitor and analyze traffic patterns and packet inspection associated with the protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
T1566.001 - Spearphishing Attachment
ID | Data Source | Data Component | Detects |
| | | Monitor for third-party application logging, messaging, and/or other artifacts that may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256] Anti-virus can potentially detect malicious documents and attachments as they're scanned to be stored on the email server or on the user's computer. Monitor for suspicious descendant processes spawning from Microsoft Office and other productivity software.[257] |
| | | Monitor for newly constructed files from spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. |
| | | Monitor and analyze SSL/TLS traffic patterns and packet inspection associated with the protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[255][256] |
| | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
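The two checks the spearphishing guidance singles out, DKIM+SPF/header analysis and Office spawning unexpected children, as an added Python example (not code from the page, Trend Micro or ATT&CK). It reads the SPF and DKIM verdicts from the Authentication-Results header, checks whether the authenticated MAIL FROM domain aligns with the visible From domain, and lists attachments with risky extensions; a second function flags descendants of Office binaries. The sample message, the process events, RISKY_EXTENSIONS, OFFICE_IMAGES and BENIGN_OFFICE_CHILDREN are all constructed or assumed for this example, and the header check assumes Authentication-Results is written by your own gateway and stripped from inbound mail, otherwise it can be spoofed like any other header.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from pathlib import PureWindowsPath

# Constructed message (sample data for this example, not a real phishing email).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mail-bulk.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-bulk.example.net; dkim=fail header.d=example-partner.com
From: "Procurement Office" <procurement@example-partner.com>
To: staff@example.com
Subject: Updated tender documents
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached documents.
--b1
Content-Type: application/octet-stream; name="tender_2024.docm"
Content-Disposition: attachment; filename="tender_2024.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Assumed list of attachment types worth flagging; tune to the environment.
RISKY_EXTENSIONS = {"docm", "xlsm", "pptm", "lnk", "iso", "img", "js", "vbs", "hta", "exe", "scr"}

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of children Office spawns legitimately (printing helper, for instance).
BENIGN_OFFICE_CHILDREN = {"splwow64.exe"}


def parse_message(raw):
    return email.message_from_string(raw, policy=policy.default)


def auth_results(msg):
    """Pull spf/dkim verdicts and the domains they apply to out of Authentication-Results."""
    ar = msg.get("Authentication-Results", "")
    out = {m: r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar)}
    m = re.search(r"smtp\.mailfrom=([^;\s]+)", ar)
    out["spf_domain"] = m.group(1).split("@")[-1].lower() if m else None
    m = re.search(r"header\.d=([^;\s]+)", ar)
    out["dkim_domain"] = m.group(1).lower() if m else None
    return out


def email_findings(msg):
    """Header and attachment checks; an empty list means nothing stood out."""
    findings = []
    auth = auth_results(msg)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    if auth.get("spf") != "pass":
        findings.append("spf_not_pass")
    if auth.get("dkim") != "pass":
        findings.append("dkim_not_pass")
    # SPF passing for an unrelated MAIL FROM domain leaves the visible From header spoofable.
    if auth["spf_domain"] and auth["spf_domain"] != from_domain:
        findings.append("mailfrom_not_aligned_with_from")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.rsplit(".", 1)[-1].lower() in RISKY_EXTENSIONS:
            findings.append(f"risky_attachment:{name}")
    return findings


# Constructed process-creation events (Sysmon EID 1 shape) for the Office-parent check.
SAMPLE_PROCESS_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c constructed"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]


def office_child_processes(events):
    """Descendants of productivity software that are not on the benign allowlist."""
    hits = []
    for e in events:
        parent = PureWindowsPath(e["ParentImage"]).name.lower()
        child = PureWindowsPath(e["Image"]).name.lower()
        if parent in OFFICE_IMAGES and child not in BENIGN_OFFICE_CHILDREN:
            hits.append(e)
    return hits
```

The alignment check matters because SPF only covers the envelope sender: a message can pass SPF for a bulk-mail domain while displaying a partner's address in From, which is exactly the spoofing case the guidance points at.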
T1140 - Deobfuscate/Decode Files or Information
ID | Data Source | Data Component | Detects |
| | | Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn't be further modified) that may coincide with attempts to hide artifacts. |
| | | Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior. CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis. Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.
Analytic 1 - CertUtil with Decode Argument
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine="*decode*" |
| | | Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent. |
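The CertUtil analytic and the triage step that follows it, as an added Python example (not code from the page, Trend Micro or ATT&CK). It selects certutil.exe process creations whose command line carries decode or decodehex, pulls out the input and output file so the source of the decoded file can be identified, and then classifies a CERTIFICATE-wrapped blob by what it really decodes to, since a PE file wrapped in -----BEGIN CERTIFICATE----- tags is the artifact the guidance describes. The sample events, FAKE_PE, FAKE_SCRIPT and FAKE_DER are constructed for this example and contain no real executable.

```python
import base64
import re
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon EID 1 / Security 4688 shape), not real telemetry.
SAMPLE_EVENTS = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil.exe -decode C:\Users\bob\Downloads\update.txt C:\Users\bob\AppData\Local\Temp\u.exe"},
    {"EventCode": "4688", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"certutil -decodehex payload.hex payload.bin"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\certutil.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "cmd.exe"},
]

DECODE_SWITCH = re.compile(r"(?:^|\s)-?(decode|decodehex)\b", re.I)
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed payloads standing in for what certutil -decode might reveal.
FAKE_PE = b"MZ" + b"\x00" * 62 + b"constructed, not a real executable"
FAKE_SCRIPT = b"Write-Output 'constructed sample script'"
FAKE_DER = b"\x30\x82\x01\x00" + b"\x00" * 8        # ASN.1 SEQUENCE header like a DER certificate


def certutil_decode_events(events):
    """Analytic 1 from the page: certutil.exe starts whose command line has a decode switch."""
    return [e for e in events
            if e["EventCode"] in ("1", "4688")
            and PureWindowsPath(e["Image"]).name.lower() == "certutil.exe"
            and DECODE_SWITCH.search(e["CommandLine"])]


def decode_arguments(cmdline):
    """Return (switch, input file, output file); paths with spaces need quoting to survive split()."""
    m = DECODE_SWITCH.search(cmdline)
    if not m:
        return None
    rest = cmdline[m.end():].split()
    return (m.group(1).lower(), rest[0] if rest else None, rest[1] if len(rest) > 1 else None)


def certutil_style_encode(data):
    """Wrap bytes the way 'certutil -encode' does: 64-column base64 inside CERTIFICATE tags."""
    b64 = base64.b64encode(data).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def classify_encoded_file(text):
    """Decode a CERTIFICATE-wrapped blob and report what it actually contains."""
    m = PEM_BLOCK.search(text)
    if not m:
        return "no_certificate_block"
    data = base64.b64decode("".join(m.group(1).split()))
    if data[:2] == b"MZ":
        return "pe_executable"
    if data[:1] == b"\x30":                         # what a genuine DER certificate starts with
        return "der_sequence"
    if all(32 <= b < 127 or b in (9, 10, 13) for b in data[:256]):
        return "text_or_script"
    return "unknown_binary"


if __name__ == "__main__":
    for ev in certutil_decode_events(SAMPLE_EVENTS):
        print(decode_arguments(ev["CommandLine"]), "parent:", ev["ParentImage"])
    print(classify_encoded_file(certutil_style_encode(FAKE_PE)))
```

In triage the input path returned by decode_arguments is what to pull from disk (or from the download history) and run through classify_encoded_file; "pe_executable" or "text_or_script" inside certificate tags is the case the guidance calls out, while "der_sequence" is what a genuine certificate looks like.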
T1190 - Exploit Public-Facing Application
ID | Data Source | Data Component | Detects |
| | | Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. |
| | | Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.[83] |
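An added Python example of the inspection the two rows above describe (not code from the page, Trend Micro or ATT&CK): it scans constructed HTTP requests for a Java serialization stream in the body (magic bytes AC ED 00 05) or a base64-encoded one in a parameter (prefix rO0AB), and for a deliberately small assumed set of SQL injection patterns, then pairs flagged requests with application crash or restart timestamps that follow within a short window, which is the instability symptom the guidance mentions. The requests, crash times and pattern list are assumptions for this example; a production WAF carries far larger rule sets.

```python
import re
from urllib.parse import unquote_plus

JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"      # Java serialization stream header
JAVA_STREAM_B64_PREFIX = "rO0AB"              # the same four bytes once base64-encoded

# Assumed, deliberately small SQL injection pattern set for the example.
SQLI_PATTERNS = [re.compile(p, re.I) for p in (
    r"'\s*or\s+\d+\s*=\s*\d+", r"\bunion\b\s+(all\s+)?select\b", r";\s*drop\s+table\b", r"--\s*$")]
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{8,}={0,2}")

# Constructed requests and crash timestamps (sample data, not captured traffic).
SAMPLE_REQUESTS = [
    {"id": 1, "ts": 100, "method": "POST", "path": "/api/import", "query": "",
     "body": JAVA_STREAM_MAGIC + b"constructed"},
    {"id": 2, "ts": 200, "method": "GET", "path": "/api/search",
     "query": "filter=rO0ABXNyconstructedsample", "body": b""},
    {"id": 3, "ts": 300, "method": "GET", "path": "/api/items", "query": "id=1'+OR+1=1--", "body": b""},
    {"id": 4, "ts": 400, "method": "GET", "path": "/api/items", "query": "id=42", "body": b""},
]
SAMPLE_CRASH_TIMESTAMPS = [105, 950]          # constructed application crash/restart log times


def inspect_request(method, path, query, body):
    """Indicator names found in one HTTP request (empty list = nothing matched)."""
    indicators = []
    text_fields = [path or "", unquote_plus(query or "")]
    if body.startswith(JAVA_STREAM_MAGIC):
        indicators.append("java_serialized_body")
    try:
        text_fields.append(body.decode("utf-8"))
    except UnicodeDecodeError:
        pass                                      # binary body: already covered by the magic check
    if any(tok.startswith(JAVA_STREAM_B64_PREFIX)
           for field in text_fields for tok in B64_TOKEN.findall(field)):
        indicators.append("base64_java_serialized_parameter")
    if any(p.search(field) for field in text_fields for p in SQLI_PATTERNS):
        indicators.append("sql_injection_pattern")
    return indicators


def flagged_requests(requests):
    """(request id, indicators) for every request that matched something."""
    out = []
    for r in requests:
        inds = inspect_request(r["method"], r["path"], r["query"], r["body"])
        if inds:
            out.append((r["id"], inds))
    return out


def correlate_with_crashes(requests, crash_timestamps, window_s=30):
    """Pair each flagged request with the first crash that follows it within window_s seconds."""
    flagged = {rid for rid, _ in flagged_requests(requests)}
    pairs = []
    for r in requests:
        if r["id"] not in flagged:
            continue
        for t in crash_timestamps:
            if 0 <= t - r["ts"] <= window_s:
                pairs.append((r["id"], t))
                break
    return pairs
```

The crash correlation is the cheap signal on the server side: an exploit attempt that fails often leaves a restart or stack trace in the application log a few seconds after the request, and joining the two beats either one alone.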
T1055 - Process Injection
ID | Data Source | Data Component | Detects |
| | | Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. |
| | | Monitor for changes made to files that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
| | | Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Look for DLLs that are not recognized or not normally loaded into a process. |
| | | Monitoring Windows API calls indicative of the various types of code injection may generate a significant amount of data and may not be directly useful for defense unless collected under specific circumstances for known bad sequences of calls, since benign use of API functions may be common and difficult to distinguish from malicious behavior. Windows API calls such as CreateRemoteThread, SuspendThread/SetThreadContext/ResumeThread, QueueUserAPC/NtQueueApcThread, and those that can be used to modify memory within another process, such as VirtualAllocEx/WriteProcessMemory, may be used for this technique.[86] Monitoring for Linux-specific calls such as the ptrace system call should not generate large amounts of data due to their specialized nature, and can be a very effective method to detect some of the common process injection methods.[87][88][89][90] |
| | | Monitor for processes being viewed that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
| | | Monitor for process memory inconsistencies, such as checking memory ranges against a known copy of the legitimate module.[91] |
| | | Monitor for changes made to processes that may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. |
T1547.009 - Shortcut Modification
ID | Data Source | Data Component | Detects |
| | | Monitor for LNK files created with a Zone Identifier value greater than 1, which may indicate that the LNK file originated from outside of the network.[36] Analysis should attempt to relate shortcut creation events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. |
| | | Since a shortcut's target path likely will not change, modifications to shortcut files that do not correlate with known software changes, patches, removal, etc., may be suspicious. Analysis should attempt to relate shortcut file change events to other potentially suspicious events based on known adversary behavior such as process launches of unknown executables that make network connections. |
| | | Monitor for newly executed processes that may create or edit shortcuts to run a program during system boot or user login. |
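Both shortcut checks above, as an added Python example (not code from the page, Trend Micro or ATT&CK). The first parses the Zone.Identifier alternate data stream, the INI-style [ZoneTransfer] text Windows writes as the mark of the web, and flags newly created .lnk files whose ZoneId is greater than 1 (3 is the Internet zone, 4 is Untrusted); the second diffs two snapshots of shortcut target paths and reports changes not covered by a set of known software changes. All file events and snapshots are constructed for this example; on a live host the stream is read by opening the file path with ":Zone.Identifier" appended.

```python
# URLZONE values carried in the ZoneId field of the Zone.Identifier stream.
ZONE_NAMES = {0: "local_machine", 1: "intranet", 2: "trusted", 3: "internet", 4: "untrusted"}

# Constructed file-creation records: path plus the Zone.Identifier stream content, if any.
SAMPLE_FILE_EVENTS = [
    {"TargetFilename": r"C:\Users\bob\Downloads\invoice.lnk",
     "ZoneIdentifier": "[ZoneTransfer]\r\nZoneId=3\r\nReferrerUrl=https://example.invalid/dl\r\n"
                       "HostUrl=https://example.invalid/dl/invoice.zip\r\n"},
    {"TargetFilename": r"C:\Users\bob\Desktop\Notepad.lnk", "ZoneIdentifier": None},
    {"TargetFilename": r"C:\Users\bob\Downloads\report.pdf",
     "ZoneIdentifier": "[ZoneTransfer]\r\nZoneId=3\r\n"},
]

# Constructed shortcut inventories (path -> target) taken at two points in time.
SHORTCUTS_BEFORE = {
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Backup.lnk":
        r"C:\Program Files\BackupCo\backup.exe",
    r"C:\Users\Public\Desktop\Editor.lnk": r"C:\Program Files\Editor\editor.exe",
    r"C:\Users\Public\Desktop\Calc.lnk": r"C:\Windows\System32\calc.exe",
}
SHORTCUTS_AFTER = {
    r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Backup.lnk":
        r"C:\Users\bob\AppData\Roaming\svc.exe",
    r"C:\Users\Public\Desktop\Editor.lnk": r"C:\Program Files\Editor\editor64.exe",
    r"C:\Users\Public\Desktop\Calc.lnk": r"C:\Windows\System32\calc.exe",
}


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] stream into a dict with lower-cased keys."""
    out, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, _, value = line.partition("=")
            out[key.strip().lower()] = value.strip()
    if "zoneid" in out:
        out["zoneid"] = int(out["zoneid"])
    return out


def lnk_creation_findings(events):
    """New .lnk files whose Zone.Identifier says they came from beyond the intranet."""
    findings = []
    for e in events:
        if not e["TargetFilename"].lower().endswith(".lnk") or not e.get("ZoneIdentifier"):
            continue
        zt = parse_zone_identifier(e["ZoneIdentifier"])
        if zt.get("zoneid", 0) > 1:
            findings.append({"path": e["TargetFilename"],
                             "zone": ZONE_NAMES.get(zt["zoneid"], f"zone_{zt['zoneid']}"),
                             "referrer": zt.get("referrerurl"), "host": zt.get("hosturl")})
    return findings


def shortcut_target_changes(before, after, known_changes=frozenset()):
    """(path, old target, new target) for shortcuts whose target changed outside known software changes."""
    changes = []
    for path, old_target in before.items():
        new_target = after.get(path)
        if new_target is not None and new_target != old_target and path not in known_changes:
            changes.append((path, old_target, new_target))
    return changes
```

The referrer and host URLs recovered from the stream are the pivot the guidance asks for: they tie the shortcut back to the download that produced it, which can then be related to the process launches and network connections that followed.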
T1071.003 - Mail Protocols
ID | Data Source | Data Component | Detects |
| | | Monitor and analyze traffic patterns and packet inspection associated with the protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
| | | Monitor and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
T1588.001 - Malware
ID | Data Source | Data Component | Detects |
| | | Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.[19] |
| | | Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |
T1036.004 - Masquerade Task or Service
ID | Data Source | Data Component | Detects |
| | | Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign. |
| | | Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc. |
| | | Monitor for changes made to scheduled jobs for unexpected modifications to execution launch. |
| | | Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement. |
| | | Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types. |
T1059.001 - PowerShell
ID | Data Source | Data Component | Detects |
| | | If proper execution policy is set, adversaries will likely be able to define their own execution policy if they obtain administrator or system access, either through the Registry or at the command line. This change in policy on a system may be a way to detect malicious use of PowerShell. If PowerShell is not used in an environment, then simply looking for PowerShell execution may detect malicious activity. It is also beneficial to turn on PowerShell logging to gain increased fidelity in what occurs during execution (which is applied to .NET invocations).[273] PowerShell 5.0 introduced enhanced logging capabilities, and some of those features have since been added to PowerShell 4.0. Earlier versions of PowerShell do not have many logging features.[274] An organization can gather PowerShell execution details in a data analytic platform to supplement it with other data. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe. For this to work, certain registry keys must be set, and the WinRM service must be enabled. The PowerShell command Enter-PSSession -ComputerName <RemoteHost> creates a remote PowerShell session. |
| | | Monitor for loading and/or execution of artifacts associated with PowerShell-specific assemblies, such as System.Management.Automation.dll (especially to unusual process names/locations).[3][4]
Analytic 1 - Processes loading PowerShell assemblies
source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="7" | where ModulePath LIKE "%system.management.automation%" OR FileDescription LIKE "%system.management.automation%" |
| | | Monitor for newly executed processes that may abuse PowerShell commands and scripts for execution. PowerShell is a scripting environment included with Windows that is used by both attackers and administrators. Execution of PowerShell scripts in most Windows versions is opaque and not typically secured by antivirus, which makes using PowerShell an easy way to circumvent security measures. This analytic detects execution of PowerShell scripts. PowerShell can be used to hide monitored command line execution such as: net use, sc start.
Note:
- The logic for Analytic 1 is based around detecting non-interactive PowerShell sessions (i.e., those not launched by a user through explorer.exe). This may lead to false positives when used in a production environment, so we recommend tuning any such analytics by including additional logic (e.g., looking for suspicious parent processes) that helps filter such events.
- The logic for Analytic 2 is based around detecting remote PowerShell sessions. PowerShell can be used over WinRM to remotely run commands on a host. When a remote PowerShell session starts, svchost.exe executes wsmprovhost.exe.
Analytic 1 - Non-interactive Powershell Sessions
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="powershell.exe" AND ParentImage!="explorer.exe"
Analytic 2 - Remote Powershell Sessions
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="wsmprovhost.exe" AND ParentImage="svchost.exe"
Analytic 3 - Powershell Execution
(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") Image="C:\Windows\*\powershell.exe" ParentImage!="C:\Windows\explorer.exe" | stats values(CommandLine) as "Command Lines" values(ParentImage) as "Parent Images" by ComputerName |
| | | Consider monitoring for Windows event ID (EID) 400, which shows the version of PowerShell executing in the EngineVersion field (which may also be relevant to detecting a potential Downgrade Attack) as well as whether PowerShell is running locally or remotely in the HostName field. Furthermore, EID 400 may indicate the start time and EID 403 indicates the end time of a PowerShell session.[275] |
| | | Any attempt to enable script execution on a system should be considered suspicious. If scripts are not commonly used on a system but are enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.
Analytic 1 - Script Block Logging Events
(source=WinEventLog:"Microsoft-Windows-PowerShell/Operational" EventID="4104" AND Image="powershell.exe" AND (CommandLine="*-enc*" OR CommandLine="*-ep bypass*" OR CommandLine="*-noni*")) |
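The PowerShell analytics above, Analytic 1 (non-interactive sessions), Analytic 2 (remote sessions via wsmprovhost.exe), the -enc/-ep bypass/-noni switch search and the EID 400 EngineVersion check, as one added Python example (not code from the page, Trend Micro or ATT&CK). It also recovers the script passed through -EncodedCommand, which is base64 of UTF-16LE text, since that is the content an analyst needs when the switch fires. The sample events are constructed; the encoded command is built in the block from the string "Get-Date" so that it is a known quantity, and the -w hidden switch is an assumed addition not listed on the page.

```python
import base64
import re
from pathlib import PureWindowsPath


def _name(path):
    return PureWindowsPath(path).name.lower()


# Constructed: the way -EncodedCommand expects its argument (base64 over UTF-16LE).
ENCODED_CMD = "Get-Date"
ENCODED_B64 = base64.b64encode(ENCODED_CMD.encode("utf-16le")).decode()

# Constructed Sysmon EID 1 records (sample data, not captured telemetry).
SAMPLE_PROCESS_EVENTS = [
    {"EventCode": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": f"powershell.exe -noni -w hidden -ep bypass -enc {ENCODED_B64}"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\wsmprovhost.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": "wsmprovhost.exe -Embedding"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]

# Constructed Windows PowerShell EID 400 (engine start) records.
SAMPLE_ENGINE_EVENTS = [
    {"EventID": "400", "EngineVersion": "5.1.19041.1", "HostName": "ConsoleHost"},
    {"EventID": "400", "EngineVersion": "2.0", "HostName": "ServerRemoteHost"},
]

SUSPICIOUS_SWITCHES = {
    "encoded_command": re.compile(r"(?i)(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s"),
    "execution_policy_bypass": re.compile(r"(?i)(?:^|\s)-e(?:p|xecutionpolicy)\s+bypass\b"),
    "non_interactive": re.compile(r"(?i)(?:^|\s)-noni"),
    "hidden_window": re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+hidden\b"),  # assumed extra
}


def non_interactive_powershell(events):
    """Analytic 1: powershell.exe whose parent is not explorer.exe."""
    return [e for e in events
            if _name(e["Image"]) == "powershell.exe" and _name(e["ParentImage"]) != "explorer.exe"]


def remote_powershell_sessions(events):
    """Analytic 2: wsmprovhost.exe started by svchost.exe (a WinRM-hosted session)."""
    return [e for e in events
            if _name(e["Image"]) == "wsmprovhost.exe" and _name(e["ParentImage"]) == "svchost.exe"]


def suspicious_switches(cmdline):
    """Names of the switches from the script-block analytic that appear in a command line."""
    return [name for name, rx in SUSPICIOUS_SWITCHES.items() if rx.search(cmdline)]


def decode_encoded_command(cmdline):
    """Recover the script passed via -EncodedCommand (any accepted prefix of the switch), or None."""
    m = re.search(r"(?i)(?:^|\s)-e(?:c|nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def downgrade_candidates(engine_events):
    """EID 400 records reporting a 2.x engine, the versions without the newer logging features."""
    return [e for e in engine_events
            if e["EventID"] == "400" and e["EngineVersion"].startswith("2.")]
```

Decoding the argument rather than just matching "-enc" is what turns the alert into something triageable, and the EID 400 check catches the case where a 2.0 engine is started precisely to avoid the script block logging that the 4104 analytic depends on.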
T1588.002 - Tool
ID | Data Source | Data Component | Detects |
| | | Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. In some cases, malware repositories can also be used to identify features of tool use associated with an adversary, such as watermarks in Cobalt Strike payloads.[114] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |
T1584.006 - Web Services
ID | Data Source | Data Component | Detects |
| | | Once adversaries leverage the abused web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[3] Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control: Web Service or Exfiltration Over Web Service. |
T1027 - Obfuscated Files or Information
ID | Data Source | Data Component | Detects |
| | | Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., ^). Also monitor command lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding. |
| | | Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). |
| | | Monitor for contextual data about a file, which may include information such as name, the content (ex: signature, headers, or data/media), user/owner, permissions, etc. File-based signatures may be capable of detecting code obfuscation depending on the methods used.[177][178][179] |
| | | Monitoring module loads, especially those not explicitly included in import tables, may highlight obfuscated code functionality. Dynamic malware analysis may also expose signs of code obfuscation.[178] |
| | | Monitor and analyze calls to functions such as GetProcAddress() that are associated with malicious code obfuscation.[177] |
| | | Monitor for newly executed processes that may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. |
| | | Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., ^). Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters. |
| | | Monitor for the creation of Registry values that may highlight storage of malicious data such as commands or payloads. |
| | | Monitor for the creation of WMI Objects and values that may highlight storage of malicious data such as commands or payloads. |
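An added Python example (not code from the page, Trend Micro or ATT&CK) of the command-line, script and Registry-value checks above: it counts uninterpreted cmd.exe escape characters (a ^ placed before an ordinary character is discarded by the parser), finds long tokens that both look like base64 and actually decode, and measures Shannon entropy of remaining long tokens to catch unreadable blobs; the same scoring is then run over Registry value data. The command lines, Registry records, the 40-character blob minimum and the 4.5 bits-per-character entropy threshold are constructed or assumed for this example.

```python
import base64
import math
import re

# Constructed command lines and Registry values (sample data for this example).
SAMPLE_COMMANDS = {
    "clean": r'cmd.exe /c dir "C:\Program Files"',
    "caret": r"c^m^d /c p^o^w^e^r^s^h^e^l^l -c echo constructed",
    "blob": "cmd.exe /c echo " + base64.b64encode(b"constructed payload " * 4).decode() + " > out.txt",
}
SAMPLE_REGISTRY_VALUES = [
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Agent",
     "Details": r"C:\Program Files\Vendor\agent.exe --service"},
    {"TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "Details": "cmd.exe /c " + base64.b64encode(b"constructed payload " * 4).decode()},
]

UNINTERPRETED_CARET = re.compile(r"\^[A-Za-z0-9]")     # ^ before an ordinary character is a no-op in cmd.exe
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")    # assumed minimum length of 40 characters


def caret_count(cmdline):
    """Number of escape characters that cmd.exe would simply discard."""
    return len(UNINTERPRETED_CARET.findall(cmdline))


def shannon_entropy(s):
    """Bits per character: 0 for one repeated character, up to log2 of the alphabet size."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def encoded_blobs(text):
    """Tokens that look like base64 and decode as base64 under strict validation."""
    found = []
    for tok in B64_TOKEN.findall(text):
        try:
            base64.b64decode(tok, validate=True)
            found.append(tok)
        except ValueError:
            pass
    return found


def obfuscation_indicators(text, entropy_threshold=4.5):
    """Indicator names for one command line or stored value (assumed thresholds)."""
    indicators = []
    if caret_count(text) > 0:
        indicators.append("uninterpreted_carets")
    blobs = encoded_blobs(text)
    if blobs:
        indicators.append("encoded_blob")
    for tok in re.findall(r"\S{20,}", text):
        if tok not in blobs and shannon_entropy(tok) >= entropy_threshold:
            indicators.append("high_entropy_token")
            break
    return indicators


def registry_value_findings(values):
    """Registry value writes whose data looks like a stored command or payload."""
    findings = []
    for v in values:
        inds = obfuscation_indicators(v["Details"])
        if inds:
            findings.append((v["TargetObject"], inds))
    return findings
```

Caret stripping is the trick the guidance names; the base64 validation step is what keeps ordinary long paths and GUIDs from being reported as blobs, and entropy is a fallback for encodings the base64 check does not recognise.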
T1102.002 - Bidirectional Communication
ID | Data Source | Data Component | Detects |
| | | Monitor for newly constructed network connections that are sent or received by untrusted hosts. |
| | | Monitor and analyze traffic patterns and packet inspection associated with the protocol(s) that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
| | | Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. |
T1071.001 - Web Protocols
ID | Data Source | Data Component | Detects |
| | | Monitor and analyze traffic patterns and packet inspection associated with the protocol(s), leveraging SSL/TLS inspection for encrypted traffic, that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
| | | Monitor for web traffic to/from known-bad or suspicious domains and analyze traffic flows that do not follow the expected protocol standards and traffic flows (e.g., extraneous packets that do not belong to established flows, or gratuitous or anomalous traffic patterns). Consider correlation with process monitoring and command line to detect anomalous process execution and command line arguments associated with traffic patterns (e.g., monitor anomalies in use of files that do not normally initiate connections for the respective protocol(s)). |
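The network-side checks repeated across the DNS, Web Protocols, Bidirectional Communication and Spearphishing rows above (processes that do not normally talk to the network, traffic to known-bad domains, and DNS queries whose syntax or structure is off) as one added Python example (not code from the page, Trend Micro or ATT&CK). It runs constructed Sysmon EID 3 (network connection) and EID 22 (DNS query) shaped records against an assumed baseline of network-using processes and a constructed block list, and scores the first DNS label by length and character entropy, which is the structural anomaly behind tunnelling-style queries. The baseline, block list, samples and thresholds are all assumptions for this example.

```python
import math
from pathlib import PureWindowsPath

# Assumed baseline: processes observed making network connections during a learning window.
BASELINE_NETWORK_PROCESSES = {"chrome.exe", "outlook.exe", "svchost.exe", "teams.exe"}
# Constructed block list standing in for a threat-intelligence feed.
KNOWN_BAD_DOMAINS = {"bad.example.invalid"}

# Constructed Sysmon EID 3 (network connection) records.
SAMPLE_CONNECTIONS = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "DestinationHostname": "cdn.example.net", "DestinationPort": 443},
    {"Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "DestinationHostname": "bad.example.invalid", "DestinationPort": 8080},
]
# Constructed Sysmon EID 22 (DNS query) records.
SAMPLE_DNS_QUERIES = [
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "QueryName": "www.example.com", "QueryType": "A"},
    {"Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "QueryName": "a9f3k2m1x7q4z8w6b5n0p3r2t1y9u8i7.c2.example.invalid", "QueryType": "TXT"},
    {"Image": r"C:\Users\bob\AppData\Roaming\svc.exe",
     "QueryName": "bad.example.invalid", "QueryType": "A"},
]


def new_network_processes(connections, baseline=BASELINE_NETWORK_PROCESSES):
    """Connections made by processes that are not in the network baseline."""
    return [c for c in connections if PureWindowsPath(c["Image"]).name.lower() not in baseline]


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def dns_findings(queries, blocklist=KNOWN_BAD_DOMAINS, baseline=BASELINE_NETWORK_PROCESSES,
                 max_label_len=40, entropy_threshold=3.5):
    """(query name, reasons) for queries that match the block list or look structurally odd."""
    findings = []
    for q in queries:
        name = q["QueryName"].lower().rstrip(".")
        reasons = []
        if name in blocklist or any(name.endswith("." + d) for d in blocklist):
            reasons.append("known_bad_domain")
        first = name.split(".")[0]
        if len(first) >= max_label_len or label_entropy(first) >= entropy_threshold:
            reasons.append("suspicious_label")
        proc = PureWindowsPath(q["Image"]).name.lower()
        if q["QueryType"] in ("TXT", "NULL") and proc not in baseline:
            reasons.append("unusual_query_type_from_unbaselined_process")
        if reasons:
            findings.append((q["QueryName"], reasons))
    return findings
```

The process-level join is the part the guidance keeps returning to: a TXT query is unremarkable from a mail client and very remarkable from a binary in a user's roaming profile, so the baseline is consulted for the DNS check as well as for the connection check.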