Campaigns
LODEINFO: The Secret Weapon of Cyber Espionage

LODEINFO: The Secret Weapon of Cyber Espionage

LODEINFOAPT10EarthKasha
​​LODEINFO is a stealthy backdoor used by Earth Kasha, linked to APT10, in targeted cyber espionage campaigns. It exploits spear-phishing tactics to infiltrate and exfiltrate sensitive data from Japan-based organizations. Advanced evasion techniques make it a significant threat to modern cybersecurity defenses.

Indicators of Compromise

ns1.tlsart.com
tw8sl.com
srmbr.com
earth.hopto.org

APT Groups1

MirrorFaceChina

<p><b>Summary of Actor</b>:MirrorFace is a cyber espionage group believed to be linked to a nation-state actor. They primarily target entities in East Asia, with a particular focus on Japan. The group's activities have been observed since at least 2018, and they are known for conducting both cyber-espionage and information-stealing operations.</p><p><b>General Features</b>:MirrorFace is known for its sophisticated spear-phishing campaigns and use of custom malware. They often employ social engineering tactics to lure victims and typically focus on gathering intelligence from targeted organizations.</p><p><b>Related Other Groups</b>: APT10,APT31</p><p><b>Indicators of Attack (IoA)</b>:<ul><li>Spear-phishing emails</li><li>Use of custom malware such as LODEINFO</li><li>Social engineering tactics</li></ul></p><p><b>Recent Activities and Trends</b>:<ul><li><b>Latest Campaigns </b>: In 2023, MirrorFace launched a spear-phishing campaign targeting governmental and defense sectors in Japan, using COVID-19 themed lures.</li><li><b>Emerging Trends </b>: The group has been increasingly using Zero-Day vulnerabilities in their attacks and encrypting their malware to evade detection by traditional security solutions.</li></ul></p>

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION

T1053.005 Scheduled Task


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor for commands being executed via schtasks or other utilities related to task scheduling.

Analytic 1 - Look for schtasks.exe execution with arguments indicative of task creation/modification.

sourcetype=WinEventLog:Powershell (EventCode=4104 OR command="schtasks.exe")| stats count by user host process_name command_line| where Image="schtasks.exe" OR command_line="schtasks"

DS0022

File

File Creation

Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - C:\Windows\Tasks (legacy) or C:\Windows\System32\Tasks. Accordingly, this analytic looks for the creation of task files in these two locations.

Analytic 1 - Look for new task files in %systemroot%\System32\Tasks.

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11") OR (sourcetype=WinEventLog:Security EventCode=4663)) (TargetFilename= "C:\Windows\System32\Tasks\" OR TargetFilename "C:\Windows\Tasks\*") AND Image!= "C:\WINDOWS\system32\svchost.exe"



File Modification

Monitor Windows Task Scheduler stores in %systemroot%\System32\Tasks for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.

Analytic 1 - Look for task file modifications with unusual parameters.

sourcetype=WinEventLog:Security (EventCode=4663 OR file_path="C:\Windows\System32\Tasks\*")| stats count by user host file_path action| where action="Write" OR action="Create"

DS0029

Network Traffic

Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Look for RPC traffic after being mapped, which implies a destination port of at least 49152. If network inspection is available via packet captures or a NIDS, then traffic through the ITaskSchedulerService interface can be detected. Microsoft has a list of the possible methods that are implemented for the ITaskSchedulerService interface, which may be useful in differentiating read and query operations from creations and modifications.

When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. Once an RPC connection is established, the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified.Certain strings can be identifiers of the schtasks, by looking up the interface UUID of ITaskSchedulerService in different formats

  • UUID 86d35949-83c9-4044-b424-db363231fd0c (decoded)

  • Hex 49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c (raw)

  • ASCII IYD@$621 (printable bytes only)

This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement an analytic.

Analytic 1 - Look for RPC traffic with ITaskSchedulerService interface usage.

sourcetype=Netflow OR sourcetype=PacketCapture OR sourcetype=WinEventLog:Security EventCode=5156 | search (dest_port=135 OR dest_port=5985 OR dest_port=5986) AND (protocol="tcp" OR protocol="udp") AND (Image="taskeng.exe" OR Image="schtasks.exe")| stats count by src_ip dest_ip dest_port| where count > threshold

DS0009

Process

Process Creation

Monitor for newly constructed processes and/or command-lines that execute from the svchost.exe in Windows 10 and the Windows Task Scheduler taskeng.exe for older versions of Windows. [221] If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete. Look for instances of schtasks.exe running as processes. The command_line field is necessary to disambiguate between types of schtasks commands. These include the flags /create , /run, /query, /delete, /change, and /end.

Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.

Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") AND (ParentImage="svchost.exe" OR ParentImage="taskeng.exe")

Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths

( (source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") CommandLine="SCHTASKS" (CommandLine="/CREATE" OR CommandLine="/CHANGE") ) ( ( CommandLine=".cmd" OR CommandLine=".ps1" OR CommandLine=".vbs" OR CommandLine=".py" OR CommandLine=".js" OR CommandLine=".exe" OR CommandLine=".bat" ) OR ( CommandLine="javascript" OR CommandLine="powershell" OR CommandLine="wmic" OR CommandLine="rundll32" OR CommandLine="cmd" OR CommandLine="cscript" OR CommandLine="wscript" OR CommandLine="regsvr32" OR CommandLine="mshta" OR CommandLine="bitsadmin" OR CommandLine="certutil" OR CommandLine="msiexec" OR CommandLine="javaw" ) OR ( CommandLine="%APPDATA%" OR CommandLine="\AppData\Roaming" OR CommandLine="%PUBLIC%" OR CommandLine="C:\Users\Public" OR CommandLine="%ProgramData%" OR CommandLine="C:\ProgramData" OR CommandLine="%TEMP%" OR CommandLine="\AppData\Local\Temp" OR CommandLine="\Windows\PLA\System" OR CommandLine="\tasks" OR CommandLine="\Registration\CRMLog" OR CommandLine="\FxsTmp" OR CommandLine="\spool\drivers\color" OR CommandLine="\tracing" ) )

DS0003

Scheduled Job

Scheduled Job Creation

Monitor for newly constructed scheduled jobs by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. [222] Several events will then be logged on scheduled task activity, including Event ID 106 on Windows 7 and Server 2008 R2 for scheduled task registration. For Windows 10 and Server 2016, the relevant events are also logged in the Windows Security event channel after enabling the auditing of other object access events. These include:

  • Event ID 4698: A scheduled task was created.

  • Event ID 4699: A scheduled task was deleted.

  • Event ID 4700: A scheduled task was enabled.

  • Event ID 4701: A scheduled task was disabled.

  • Event ID 4702: A scheduled task was updated.

Note: Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.

Analytic 1 - New schedule tasks whose content includes suspicious scripts, extensions or user writable path

(source="*WinEventLog:Security" EventCode IN (4698, 4702, 4699, 4700, 4701)) | where(JobContent LIKE '%.cmd%' OR JobContent LIKE '%.ps1%' OR JobContent LIKE '%.vbs%' OR JobContent LIKE '%.py%' OR JobContent LIKE '%.js%' OR JobContent LIKE '%.exe%' OR JobContent LIKE '%.bat%' OR JobContent LIKE '%javascript%' OR JobContent LIKE '%powershell%' OR JobContent LIKE '%wmic%' OR JobContent LIKE '%rundll32%' OR JobContent LIKE '%cmd%' OR JobContent LIKE '%cscript%' OR JobContent LIKE '%wscript%' OR JobContent LIKE '%regsvr32%' OR JobContent LIKE '%mshta%' OR JobContent LIKE '%bitsadmin%' OR JobContent LIKE '%certutil%' OR JobContent LIKE '%msiexec%' OR JobContent LIKE '%javaw%' OR JobContent LIKE '%[%]APPDATA[%]%' OR JobContent LIKE '%\AppData\Roaming%' OR JobContent LIKE '%[%]PUBLIC[%]%' OR JobContent LIKE '%C:\Users\Public%' OR JobContent LIKE '%[%]ProgramData[%]%' OR JobContent LIKE '%C:\ProgramData%' OR JobContent LIKE '%[%]TEMP[%]%' OR JobContent LIKE '%\AppData\Local\Temp%' OR JobContent LIKE '%\Windows\PLA\System%' OR JobContent LIKE '%\tasks%' OR JobContent LIKE '%\Registration\CRMLog%' OR JobContent LIKE '%\FxsTmp%' OR JobContent LIKE '%\spool\drivers\color%' OR JobContent LIKE '%\tracing%')

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for newly constructed registry keys upon creation of new task. Deletion of values/keys in the registry may further indicate malicious activity.

Analytic 1 - Suspicious Creations under Schedule Registry Key

((source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="12") OR (sourcetype=WinEventLog:Security EventCode=4657) | search (registry_path="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\" OR registry_path="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\*")


T1003 - OS Credential Dumping


ID

Data Source

Data Component

Detects

DS0026

Active Directory

Active Directory Object Access

Monitor domain controller logs for replication requests and other unscheduled activity possibly associated with DCSync. [31] [32] [33] Note: Domain controllers may not log replication requests originating from the default domain controller account. [34]. Monitor for replication requests [35] from IPs not associated with known domain controllers. [21]

Analytic 1 - Suspicious Replication Requests

sourcetype=WinEventLog:Security EventCode="4662" AND AccessMask= "0x100" AND (guid= "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2" OR guid= "9923a32a-3607-11d2-b9be-0000f87a36b2" OR guid= "89e95b76-444d-4c62-991a-0facbeda640c")

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to dump credentials using tools like Mimikatz, ProcDump, NTDSUtil, or accessing /proc, /etc/passwd, and /etc/shadow.

Analytic 1 - Suspicious command execution involving credential dumping tools.(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image IN ("mimikatz.exe", "procdump.exe", "ntdsutil.exe", "powershell.exe") CommandLine IN ("Invoke-Mimikatz", "Invoke-CachedCredentials", "Invoke-LSADump", "Invoke-SAMDump"))OR(index=security sourcetype="linux_secure" Command IN ("cat /etc/passwd", "cat /etc/shadow", "grep -E '^[0-9a-f-] r' /proc//maps"))OR(index=security sourcetype="macOS:UnifiedLog" process IN ("cat", "grep") message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd"))

DS0022

File

File Access

Monitor file accesses that may indicate attempts to dump credential data from various storage locations such as LSASS memory, SAM, NTDS.dit, LSA secrets, cached domain credentials, proc filesystem, /etc/passwd, and /etc/shadow.

Analytic 1 - Unauthorized access to credential storage files.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="auditd" (key="path" (value IN ("/etc/passwd", "/etc/shadow")) OR key="proctitle" value IN ("cat", "strings", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more")))OR(index=security sourcetype="macOS:UnifiedLog" (process IN ("cat", "grep", "awk", "cut", "sed", "sort", "uniq", "head", "tail", "less", "more") OR message IN ("/etc/passwd", "/etc/shadow", "/var/db/shadow/hash/*", "/private/etc/master.passwd")))



File Creation

Monitor for the unexpected creation of memory dump files for processes that may contain credentials.

Analytic 1 - Unexpected memory dump file creation.

(index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName IN ("lsass.dmp", "\config\SAM", "\ntds.dit", "\policy\secrets", "\cache"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")))OR (index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/*", "/private/etc/master.passwd"))

DS0029

Network Traffic

Network Traffic Content

Monitor for network protocols [31] [36] and other replication requests [35] from IPs not associated with known domain controllers. [21]

Analytic 1 - Anomalous network traffic content related to credential managers

index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]| eval SourceIP = src_ip, DestinationIP = dest_ip, Protocol = proto| search (content="LDAPSearchRequest") OR (content="LDAPModifyRequest") OR (content="bindRequest") OR (content="searchResEntry") OR (content="NTDS.dit")



Network Traffic Flow

Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.

Analytic 1 - Unusual network communication patterns.

index=network sourcetype="stream:tcp" dest_port=389 NOT [| inputlookup known_dc_ip_addresses | fields ip]

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.



Process Access

Monitor for unexpected processes interacting with lsass.exe.[37] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details are stored. Credential dumpers may also use methods for reflective Process Injection to reduce potential indicators of malicious activity.

Linux

To obtain the passwords and hashes stored in memory, processes must open a maps file in the /proc filesystem for the process being analyzed. This file is stored under the path /proc/<pid>/maps, where the <pid> directory is the unique pid of the program being interrogated for such authentication data. The AuditD monitoring tool, which ships stock in many Linux distributions, can be used to watch for hostile processes opening this file in the proc file system, alerting on the pid, process name, and arguments of such programs.

Analytic 1 - Unauthorized access to credential managers.

(index=security sourcetype="WinEventLog:Security" EventCode=10 TargetImage="lsass.exe" SourceImage IN ("mimikatz.exe", "procdump.exe"))OR (index=security sourcetype="linux_secure" (key="path" value IN ("/etc/passwd", "/etc/shadow")) (key="cmdline" value IN ("mimikatz", "procdump")))OR(index=security sourcetype="macOS:UnifiedLog" message IN ("/var/db/shadow/hash/", "/private/etc/master.passwd") process IN ("mimikatz", "procdump"))



Process Creation

Monitor for newly executed processes that may be indicative of credential dumping.

Analytic 1 - Unexpected process creation related to credential dumping.

(index=security sourcetype="WinEventLog:Security" EventCode=4688 Image="procdump.exe" CommandLine IN (" -ma lsass"))OR (index=security sourcetype="linux_secure" (key="cmdline" value IN ("procdump -ma /proc/$(pgrep lsass)")) (key="exe" value="procdump"))OR(index=security sourcetype="macOS:UnifiedLog" process="procdump" command=" -ma /proc/$(pgrep lsass)")

DS0024

Windows Registry

Windows Registry Key Access

Monitor for the SAM registry key being accessed that may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software.

Analytic 1 - Unauthorized registry access to SAM key.

index=security sourcetype="WinEventLog:Security" EventCode=4663 ObjectName="*\SAM" | where ProcessName IN ("mimikatz.exe", "procdump.exe", "reg.exe", "powershell.exe", "wmic.exe", "schtasks.exe", "cmd.exe")


T1133 - External Remote Services


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.

DS0028

Logon Session

Logon Session Metadata

Follow best practices for detecting adversary use of Valid Accounts for authenticating to remote services. Collect authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours.

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections that may use Valid Accounts to access and/or persist within a network using External Remote Services. Use of External Remote Services may be legitimate depending on the environment and how it’s used. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior using External Remote Services.



Network Traffic Content

Monitor and analyze traffic patterns and packet inspection associated to protocol(s) that do not follow the expected protocol standards and traffic flows (e.g extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax, or structure). Consider correlation with process monitoring and command line to detect anomalous processes execution and command line arguments associated to traffic patterns (e.g. monitor anomalies in use of files that do not normally initiate connections for respective protocol(s)).



Network Traffic Flow

Monitor for network traffic originating from unknown/unexpected hardware devices. Local network traffic metadata (such as source MAC addressing) as well as usage of network management protocols such as DHCP may be helpful in identifying hardware.


T1543.003-Windows Service


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor processes and command-line arguments for actions that could create or modify services. Command-line invocation of tools capable of adding or modifying services may be unusual, depending on how systems are typically used in a particular environment. Services may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, so additional logging may need to be configured to gather the appropriate data. Also collect service utility execution and service binary path arguments used for analysis. Service binary paths may even be changed to execute commands or scripts.

DS0027

Driver

Driver Load

Monitor for new service driver installations and loads (ex: Sysmon Event ID 6) that are not part of known software update/patch cycles.

Note: Sysmon Event ID 6 (driver load) provides information on whether the loaded driver was signed with a valid signature (via the Signature and SignatureStatus fields). As such, one way to help reduce the volume of alerts and false positives associated with this event is to filter and exclude any driver load events signed by common and legitimate publishers like Microsoft.

DS0022

File

File Metadata

Adversaries may modify the binary file for an existing service to achieve Persistence while potentially Defense Evasion. If a newly created or modified runs as a service, it may indicate APT activity. However, services are frequently installed by legitimate software. A well-tuned baseline is essential to differentiating between benign and malicious service modifications. Look for events where a file was created and then later run as a service. In these cases, a new service has been created or the binary has been modified. Many programs, such as msiexec.exe, do these behaviors legitimately and can be used to help validate legitimate service creations/modifications.

DS0029

Network Traffic

Network Traffic Flow

Monitor for several ways that code can execute on a remote host. One of the most common methods is via the Windows Service Control Manager (SCM), which allows authorized users to remotely create and modify services. Several tools, such as PsExec, use this functionality.

When a client remotely communicates with the Service Control Manager, there are two observable behaviors. First, the client connects to the RPC Endpoint Mapper over 135/tcp. This handles authentication, and tells the client what port the endpoint—in this case the SCM—is listening on. Then, the client connects directly to the listening port on services.exe. If the request is to start an existing service with a known command line, the the SCM process will run the corresponding command.

This compound behavior can be detected by looking for services.exe receiving a network connection and immediately spawning a child process.

DS0009

Process

OS API Execution

Monitor for API calls that may create or modify Windows services (ex: CreateServiceW()) to repeatedly execute malicious payloads as part of persistence.



Process Creation

Suspicious program execution through services may show up as outlier processes that have not been seen before when compared against historical data. Look for abnormal process call trees from known services and for execution of other commands that could relate to Discovery or other adversary techniques. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Windows runs the Service Control Manager (SCM) within the process services.exe. Windows launches services as independent processes or DLL loads within a svchost.exe group. To be a legitimate service, a process (or DLL) must have the appropriate service entry point SvcMain. If an application does not have the entry point, then it will timeout (default is 30 seconds) and the process will be killed.

To survive the timeout, adversaries and red teams can create services that direct to cmd.exe with the flag /c, followed by the desired command. The /c flag causes the command shell to run a command and immediately exit. As a result, the desired program will remain running and it will report an error starting the service. This analytic will catch that command prompt instance that is used to launch the actual malicious executable. Additionally, the children and descendants of services.exe will run as a SYSTEM user by default.

Note: Create a baseline of services seen over the last 30 days and a list of services seen today. Remove services in the baseline from services seen today, leaving a list of new services. Returns all processes named cmd.exe that have services.exe as a parent process. Because this should never happen, the /c flag is redundant in the search.

Analytic 2 - Services launching CMD

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="1") OR (sourcetype=WinEventLog:Security EventCode="4688") Image="cmd.exe" and ParentImage="services.exe"

DS0019

Service

Service Creation

Creation of new services may generate an alterable event (ex: Event ID 4697 and/or 7045 [157][158]), especially those associated with unknown/abnormal drivers. New, benign services may be created during installation of new software.

Analytic 1 - Creation of new services with unusual directory paths such as temporal files in APPDATA

(sourcetype=WinEventLog:Security EventCode="4697") OR (sourcetype=WinEventLog:System EventCode="7045") | where ServiceFilePath LIKE "%APPDATA%" OR ServiceImage LIKE "%PUBLIC%"



Service Modification

Monitor for changes made to Windows services to repeatedly execute malicious payloads as part of persistence.

DS0024

Windows Registry

Windows Registry Key Creation

Monitor for new constructed windows registry keys that may create or modify Windows services to repeatedly execute malicious payloads as part of persistence.

Analytic 1 - Creation of the HKLM\System\CurrentControlSet\Services Registry key

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode="12" TargetObject="HKLM\System\CurrentControlSet\Services*"



Windows Registry Key Modification

Look for changes to service Registry entries that do not correlate with known software, patch cycles, etc. Service information is stored in the Registry at HKLM\SYSTEM\CurrentControlSet\Services. Changes to the binary path and the service startup type changed from manual or disabled to automatic, if it does not typically do so, may be suspicious. Tools such as Sysinternals Autoruns may also be used to detect system service changes that could be attempts at persistence.[159]

Analytic 1 - Modification of the HKLM\System\CurrentControlSet\Services Registry key

(sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode IN (13, 14) EventType= "SetValue" TargetObject="HKLM\System\CurrentControlSet\Services*" | where RegistryKeyPath LIKE "%ImagePath%" OR RegistryKeyPath LIKE "%Type%" OR RegistryKeyPath LIKE "%DisplayName%" OR RegistryKeyPath LIKE "%Objectname%"


T1082 - System Information Discovery


ID

Data Source

Data Component

Detects

DS0017

Command

Command Execution

Monitor executed commands and arguments that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. For network devices, monitor executed commands in AAA logs, especially those run by unexpected or unauthorized users.

DS0009

Process

OS API Execution

Monitor for API calls that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.



Process Creation

Monitor newly executed processes that may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.


T1140 - Deobfuscate/Decode Files or Information


ID

Data Source

Data Component

Detects

DS0022

File

File Modification

Monitor for changes made to files for unexpected modifications that attempt to hide artifacts. On Windows, Event ID 4663 (Security Log - An attempt was made to access an object) can be used to alert on suspicious file accesses (e.g., attempting to write to a file which shouldn’t be further modified) that may coincide with attempts to hide artifacts.

DS0009

Process

Process Creation

Monitor for newly executed processes that attempt to hide artifacts of an intrusion, such as common archive file applications and extensions (ex: Zip and RAR archive tools), and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

CertUtil.exe may be used to encode and decode a file, including PE and script code. Encoding will convert a file to base64 with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags. Malicious usage will include decoding an encoded file that was downloaded. Once decoded, it will be loaded by a parallel process. Note that there are two additional command switches that may be used - encodehex and decodehex. Similarly, the file will be encoded in HEX and later decoded for further execution. During triage, identify the source of the file being decoded. Review its contents or execution behavior for further analysis.

Analytic Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The analytic is oriented around the creation of CertUtil.exe processes, which may be used to encode and decode files, including PE and script code. Malicious usage will include decoding a encoded file that was downloaded. Once decoded, it will be loaded by a parallel process.

Analytic 1 - CertUtil with Decode Argument

(source="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="WinEventLog:Security" EventCode="4688") Image="C:\Windows\System32\certutil.exe" AND CommandLine= decode )

DS0012

Script

Script Execution

Monitor for any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.


T1190 - Exploit Public-Facing Application


ID

Data Source

Data Component

Detects

DS0015

Application Log

Application Log Content

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Web Application Firewalls may detect improper inputs attempting exploitation. Web server logs (e.g., var/log/httpd or /var/log/apache for Apache web servers on Linux) may also record evidence of exploitation.

DS0029

Network Traffic

Network Traffic Content

Use deep packet inspection to look for artifacts of common exploit traffic, such as SQL injection strings or known payloads. For example, monitor for successively chained functions that adversaries commonly abuse (i.e. gadget chaining) through unsafe deserialization to exploit publicly facing applications for initial access.[96] In AWS environments, monitor VPC flow logs and/or Elastic Load Balancer (ELB) logs going to and from instances hosting externally accessible applications.


T1021.001 - Remote Desktop Protocol


ID

Data Source

Data Component

Detects

DS0028

Logon Session

Logon Session Creation

Monitor for user accounts logged into systems associated with RDP (ex: Windows EID 4624 Logon Type 10). Other factors, such as access patterns (ex: multiple systems over a relatively short period of time) and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Monitoring logon and logoff events for hosts on the network is very important for situational awareness. This information can be used as an indicator of unusual activity as well as to corroborate activity seen elsewhere.

Could be applied to a number of different types of monitoring depending on what information is desired. Some use cases include monitoring for all remote connections and building login timelines for users. Logon events are Windows Event Code 4624 for Windows Vista and above, 518 for pre-Vista. Logoff events are 4634 for Windows Vista and above, 538 for pre-Vista.

Note: This analytic looks for user logon events and filters out the top 30 account names to reduce the occurrence of noisy service accounts and the like. It is meant as a starting point for situational awareness around such events. This is liable to be quite noisy and will need tweaking, especially in terms of the number of top users filtered out.

Analytic 1

sourcetype="WinEventLog:Security" EventCode IN (4624, 4634, 4647, 4778, 4779)| search LogonType=10 // RDP Interactive Logon| eval is_suspicious=if((user!="expected_users") AND (dest_ip!="expected_servers"), "True", "False")| where is_suspicious="True"



Logon Session Metadata

Monitor authentication logs and analyze for unusual access patterns. A remote desktop logon, through RDP, may be typical of a system administrator or IT support, but only from select workstations. Monitoring remote desktop logons and comparing to known/approved originating systems can detect lateral movement of an adversary.

Analytic 1

sourcetype="WinEventLog:Security" EventCode="4624" AND LogonType="10" AND AuthenticationPackageName="Negotiate" AND TargetUserName="Admin*")

DS0029

Network Traffic

Network Connection Creation

Monitor for newly constructed network connections (typically over port 3389) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user. Other factors, such as access patterns and activity that occurs after a remote login, may indicate suspicious or malicious behavior with RDP.

Analytic 1 - Abnormal RDP Network Connections

sourcetype=zeek | search dest_port=3389 // Default RDP port| stats count by src_ip, dest_ip, dest_port| where src_ip!="trusted_ips" AND dest_ip!="internal_servers"



Network Traffic Flow

Monitor network traffic for uncommon data flows that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP).

The Remote Desktop Protocol (RDP), built in to Microsoft operating systems, allows a user to remotely log in to the desktop of another host. It allows for interactive access of the running windows, and forwards key presses, mouse clicks, etc. Network administrators, power users, and end-users may use RDP for day-to-day operations. From an adversary’s perspective, RDP provides a means to laterally move to a new host. Determining which RDP connections correspond to adversary activity can be a difficult problem in highly dynamic environments, but will be useful in identifying the scope of a compromise.Remote Desktop can be detected in several ways

  • Network connections to port 3389/tcp (assuming use of the default port)

  • Packet capture analysis

  • Detecting network connections from mstsc.exe

  • Execution of the process rdpclip.exe

  • Runs as the clipboard manager on the RDP target if clipboard sharing is enabled

Analytic 1 - Suspicious RDP

sourcetype=netflow LogonType="10"| search dest_port=3389 // Default RDP port| stats count by src_ip, dest_ip, dest_port| where src_ip!="trusted_ips" AND dest_ip!="internal_servers"

DS0009

Process

Process Creation

Monitor for newly executed processes (such as mstsc.exe) that may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions that spawn additional processes as the logged-on user.

Analytic 1 - Unusual processes associated with RDP sessions

sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1 | search (parent_process="mstsc.exe" OR parent_process="rdpclip.exe")| table _time, host, user, process_name, parent_process, command_line| where process_name!="expected_processes"

Observed Countries4

IN (356)
IO (827)
JP (735)
TW (969)