Tech Man

Cyber Killchain



What is the Lockheed Martin Cyber Kill Chain (LCKC) [1]


It is a model for understanding and responding to cyberattacks. It breaks an intrusion into seven stages, from reconnaissance to actions on objectives, and so gives investigation and response a structure to work against. By mapping observed activity onto the LCKC, organizations can better understand an attack, prioritize investigation effort, develop more effective response plans, and identify and track trends across attacks.


What is Splunk Boss of SOC


Splunk Boss of the SOC (BOTS) is a blue-team, jeopardy-style, capture-the-flag-esque (CTF) activity where participants leverage Splunk's Security Suite to answer a variety of questions about the type of real-world incidents that security analysts face regularly.


What is the objective of this write up


The purpose of this write up is to illustrate how the LCKC framework can be adopted to better understand and respond to a cyber attack. This will be done by mapping the attack activities found in the logs of one of the BOTS ransomware scenarios [2] to the stages of the LCKC model.


BOTS Ransomware Scenario Preview Information


There was an unattended "critical" ticket in the incident ticketing queue for an incident on 24th August 2016 involving user "Bob Smith" on a Windows 10 workstation named we8105desk. Bob Smith reported that when he came back to his desk after working out, he found his desktop speakers blaring. In addition, his desktop image had changed and his files were inaccessible. Bob Smith also mentioned that he had previously found a USB drive in the parking lot, plugged it into his desktop, and opened a Word document called "Miranda_Tate_unveiled.dotm".

The ticket contains two artefacts: 1) an MP3 file with an audio recording that says "Attention! Your documents, photos, databases and other important files have been encrypted", and 2) a screenshot of a ransomware note.


Quick Triage


Windows security event logs show that Bob Smith logged on (Event ID 4624) to workstation we8105desk, and that the source network address was 192.168.250.100.

index=botsv1 Workstation_Name=we8105desk Account_Name != "ANONYMOUS LOGON" sourcetype=WinEventLog:Security EventCode=4624 earliest=08/24/2016:00:00:00 latest=08/24/2016:23:59:59

| table _time Workstation_Name Account_Domain Account_Name Authentication_Package EventCode Impersonation_Level Keywords LogName Logon_Process Logon_Type OpCode Security_ID SourceName Source_Network_Address TaskCategory action dest severity signature src_ip status subject user

| sort _time


BOTS Ransomware Scenario V.S. Cyber Kill Chain


The cyber kill chain stages do not necessarily appear in sequence in the logs, and not all stages can be mapped from the available data.


Reconnaissance. No information


Exploitation. No information


Command and Control. No information


Weaponization. A USB storage device was used to carry a decoy document. The attacker used a decoy document loaded with malicious macro code to download the Cerber malware to the user's workstation. When the decoy document was opened, it dropped a VBScript file (.vbs). The VBScript file was launched using wscript.exe, which downloaded an image file named "mhtr.jpg". The image would be downloaded from either "solidaritedeproximite[.]org/mhtr.jpg" or "92.222.104[.]182/mhtr.jpg": if the file could not be fetched from solidaritedeproximite[.]org, it would be fetched from 92.222.104[.]182 [3]. While the image file might look benign, it had the Cerber malware steganographically embedded in it.


Delivery. [24/08/2016 16:42:17] A USB drive named "MIRANDA_PRI" was inserted into workstation we8105desk.

index=botsv1 usbstor earliest=08/24/2016:00:00:00 latest=08/24/2016:23:59:59 sourcetype=WinRegistry friendlyname

| table _time host dest eventstatus process_image registry_path registry_type registry_value_data registry_value_name


Installation. [24/08/2016 16:43:XX] A Word document called "Miranda_Tate_unveiled.dotm" was opened. It then dropped a VBScript file (.vbs) with a random name in the format "%APPDATA%\%RANDOM%.vbs". The VBScript file was then launched using wscript.exe, which downloaded an image file named "mhtr.jpg".

index=botsv1 "winword.exe" "Miranda_Tate_unveiled.dotm" earliest=08/24/2016:00:00:00 latest=08/24/2016:23:00:00 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

| table _time host CommandLine EventCode EventDescription Image ParentCommandLine ParentImage User action cmdline dest direction parentprocess parent_process_id process process_id

| sort _time


index=botsv1 .vbs wscript.exe earliest=08/24/2016:00:00:00 latest=08/24/2016:23:00:00 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

| table _time host CommandLine EventCode EventDescription Image ParentCommandLine ParentImage User action cmdline dest direction parentprocess parent_process_id process process_id

| sort _time


Delivery. [24/08/2016 16:48:12] - Around the time the VBScript file was launched via wscript.exe, the victim host was directed to a suspicious domain "solidaritedeproximite[.]org", described as a media sharing site. The sourcetypes containing the suspicious domain are "suricata", "stream:dns", "fgt_utm" and "stream:http". The HTTP GET for "mhtr.jpg" on that domain returned 404 (Not Found), so the file was not served from there. Immediately afterwards there was another HTTP GET for "mhtr.jpg" from "92.222.104[.]182", which the firewall (fgt_utm) flagged as malware. That request returned 206 (Partial Content), which means the server did serve at least part of the file and is a strong indication that "mhtr.jpg" was downloaded. Packet capture would be required to confirm that the complete file reached the host.

index=botsv1 src_ip=192.168.250.100 sourcetype="stream:dns" earliest=08/24/2016:16:43:00 latest=08/24/2016:23:59:59 NOT query IN ("*-addr.arpa" , "*waynecorpinc.local" , "*bing*", "*microsoft*", "*wpad*" , "*FHFAEBEECACACACACACACACACACACAAA*", "*FHEFDJDADEDBFDFCFGCACACACACACAAA*", "*FHEFDJDADEDBFDFCFGCACACACACACACA*", "*dns*" , "*info.io*", "*FHEBFJEOEFEDEPFCFAEJEOEDCACACABL*", "*shell.windows.com*", "*isatap*", "*EJFDEBFEEBFACACACACACACACACACAAA*") query!=""

| table _time src_ip src_port dest_ip dest_port query bytes bytes_in bytes_out protocol record_type message_type tag

| sort _time




index=botsv1 solidaritedeproximite.org earliest=08/24/2016:16:48:11 latest=08/24/2016:23:59:59 sourcetype=stream:http

| table _time action bytes bytes_in bytes_out src_ip src_port dest_ip dest_port http_method http_user_agent site url status


index=botsv1 mhtr.jpg earliest=08/24/2016:16:48:00 latest=08/24/2016:23:59:59 sourcetype=stream:http

| table _time action bytes bytes_in bytes_out src_ip src_port dest_ip dest_port http_method http_user_agent site url status

| sort _time


index=botsv1 mhtr.jpg earliest=08/24/2016:16:48:13 latest=08/24/2016:23:53:00 sourcetype=suricata http.status!=404

| table _time bytes src_ip src_port dest_ip dest_port http.hostname http.http_method http.http_user_agent http.status http.url

| sort _time


index=botsv1 mhtr.jpg earliest=08/24/2016:16:48:13 latest=08/24/2016:16:53:13 sourcetype=fgt_utm

| table _time action bytes bytes_in bytes_out src src_port dest dest_port direction file_path http_method http_user_agent msg severity site tag url user vendor_url

| sort _time
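The 404-then-206 pattern above (the same file name requested from a second host right after the first host failed) is worth detecting on its own, because it is how a loader with a fallback URL looks from the proxy or network-stream side. The following is an added example, not code from the original write-up or from Splunk: it runs that correlation in Python over a few constructed stream:http-style records. The record values, the 5-minute window and the field names are assumptions for the example.

```python
"""Detect a failed-then-successful download of the same file name from two
different hosts by one client (the fallback pattern seen with mhtr.jpg).

Records mimic Splunk stream:http fields (_time, src_ip, site, url, status).
All records below are constructed for this example, not taken from BOTSv1."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample: victim fails on the first host, succeeds on the second;
# a second client fetches an unrelated file normally.
SAMPLE_HTTP = [
    {"_time": "2016-08-24T16:48:12", "src_ip": "192.168.250.100",
     "site": "solidaritedeproximite.org",
     "url": "http://solidaritedeproximite.org/mhtr.jpg",
     "http_method": "GET", "status": 404},
    {"_time": "2016-08-24T16:48:13", "src_ip": "192.168.250.100",
     "site": "92.222.104.182",
     "url": "http://92.222.104.182/mhtr.jpg",
     "http_method": "GET", "status": 206},
    {"_time": "2016-08-24T16:50:00", "src_ip": "192.168.250.70",
     "site": "intranet.example",
     "url": "http://intranet.example/logo.png",
     "http_method": "GET", "status": 200},
]


def find_fallback_downloads(records, window=timedelta(minutes=5)):
    """Return alerts where one client GETs the same file name from host A with
    a 4xx response and then from a different host B with a 2xx response
    inside `window`. Keyed on file name only, because fallback loaders keep
    the path and swap the host."""
    by_client = defaultdict(list)
    for r in records:
        if r.get("http_method", "GET").upper() != "GET":
            continue
        fname = urlparse(r["url"]).path.rsplit("/", 1)[-1]
        by_client[(r["src_ip"], fname)].append(
            (datetime.fromisoformat(r["_time"]), r["site"], int(r["status"]))
        )

    alerts = []
    for (src, fname), hits in by_client.items():
        hits.sort()  # chronological, so the inner loop can stop at the window edge
        for i, (t1, host1, st1) in enumerate(hits):
            if not 400 <= st1 < 500:
                continue
            for t2, host2, st2 in hits[i + 1:]:
                if t2 - t1 > window:
                    break
                if host2 != host1 and 200 <= st2 < 300:
                    alerts.append({
                        "src_ip": src, "file": fname,
                        "failed_host": host1, "failed_status": st1,
                        "served_host": host2, "served_status": st2,
                        "gap_seconds": (t2 - t1).total_seconds(),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_fallback_downloads(SAMPLE_HTTP):
        print(alert)
```

A 206 is treated as success here because Partial Content means bytes were served; in production you would also carry bytes_out through and compare it with the content length from the packet capture before calling the download complete.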


Installation. Based on the timeline, after the GET request for the malware "mhtr.jpg" there were further suspicious activities. Among them, a suspicious file "121214.tmp" was identified. Malware analysis might be required to understand how "121214.tmp" relates to "mhtr.jpg". Nevertheless, "# DECRYPT MY FILES #.vbs" in the command line at 2016-08-24 17:15:12 is indicative of ransomware, and the Suricata logs contain an IDS detection for "Cerber", a ransomware family.

index=botsv1 .vbs wscript.exe earliest=08/24/2016:00:00:00 latest=08/24/2016:23:00:00 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

| table _time host CommandLine EventCode EventDescription Image ParentCommandLine ParentImage User action cmdline dest direction parentprocess parent_process_id process process_id

| sort _time



index=botsv1 sourcetype=suricata earliest=08/24/2016:16:48:21 latest=08/24/2016:16:53:21 signature!="" 192.168.250.100 TROJAN

| table _time src_ip src_port dest_ip dest_port dns.id dns.rrname dns.rrtype event_type eventtype message_type query tag transport signature alert.signature_id

| sort _time


Actions on Objectives. See below for the activities observed in the logs:


a. [24/08/2016 16:49:55] - First instance in which the victim host connected to a file server. The IP address of the file server was 192.168.250.20.


index=botsv1 we8105desk OR 192.168.250.100 dest_port=445 sourcetype=stream:smb earliest=08/24/2016:16:48:21 latest=08/24/2016:16:53:21

| stats values(dest_ip) by src_ip dest_port tag

index=botsv1 we8105desk OR 192.168.250.100 dest_port=445 sourcetype=stream:smb earliest=08/24/2016:16:48:21 latest=08/24/2016:16:53:21

| stats earliest(_time) AS Earliest, latest(_time) AS Latest | eval FirstEvent=strftime(Earliest,"%+") | eval LastEvent=strftime(Latest,"%+")



index=botsv1 we8105desk OR 192.168.250.100 192.168.250.20 dest_port=445 earliest=08/24/2016:16:48:21 latest=08/24/2016:16:53:21 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

| table _time src_ip src_port dest_ip dest_port host DestinationHostname EventCode EventDescription action

| sort _time


b. [24/08/2016 16:56:13] - First attempt by the Cerber ransomware to access PDF files on the file share, in preparation to encrypt them. Event ID 5145 does not by itself indicate that ransomware is encrypting files. It is logged whenever a client's access to a network share object is checked, whether or not access is granted, so it is generated by ransomware, other malware and ordinary user activity alike. What distinguishes ransomware is the volume and rate of distinct files touched from one source, not any single event.


index=botsv1 EventCode=5145 earliest=08/24/2016:16:49:55 latest=08/24/2016:23:59:59 Source_Address=192.168.250.100 "*.pdf*" sourcetype=WinEventLog:Security

| table _time host source sourcetype Accesses Account_Domain Account_Name ComputerName EventCode Object_Type Relative_Target_Name Share_Name Share_Path Source_Address Source_Port TaskCategory dest signature status user

| sort _time
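Because a single 5145 proves nothing, the useful detection is a rate check: how many distinct share files one source touches inside a short window. The following is an added example, not code from the original write-up or from Splunk: a sliding-window count over constructed 5145-style records, with a victim host hitting many distinct PDFs in seconds beside an analyst opening a handful of files over several minutes. The event values, the 60-second window and the threshold of 25 files are assumptions for the example.

```python
"""Separate ransomware-style mass share access from ordinary use in Windows
Security Event ID 5145 (network share object access check) records.

Events are constructed for this example and are not from the BOTS data set;
field names follow the WinEventLog:Security extraction used in the write-up."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events(src, share, start, n, step_seconds, ext=".pdf"):
    """Constructed helper: n 5145 events from `src`, each touching a distinct file."""
    t0 = datetime.fromisoformat(start)
    return [{
        "_time": (t0 + timedelta(seconds=i * step_seconds)).isoformat(),
        "EventCode": 5145,
        "Source_Address": src,
        "Share_Name": share,
        "Relative_Target_Name": f"Finance\\report_{i:03d}{ext}",
        "Accesses": "ReadData (or ListDirectory) WriteData (or AddFile)",
    } for i in range(n)]


# Victim workstation: 60 distinct PDFs in 30 seconds.
# Analyst workstation: 4 files spread over 10 minutes.
SAMPLE_5145 = (
    make_events("192.168.250.100", "\\\\*\\FileShare", "2016-08-24T16:56:13", 60, 0.5)
    + make_events("192.168.250.70", "\\\\*\\FileShare", "2016-08-24T16:50:00", 4, 150)
)


def share_access_bursts(events, window_seconds=60, threshold=25):
    """Per Source_Address, slide a window of `window_seconds` over the 5145
    events and record the peak number of distinct Relative_Target_Name values
    inside it. Return {source: peak} for sources whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for e in events:
        if int(e.get("EventCode", 0)) != 5145:
            continue
        by_src[e["Source_Address"]].append(
            (datetime.fromisoformat(e["_time"]), e["Relative_Target_Name"])
        )

    findings = {}
    for src, rows in by_src.items():
        rows.sort()
        window = deque()          # (time, file) pairs currently inside the window
        in_window = defaultdict(int)  # file -> occurrences inside the window
        peak = 0
        for t, name in rows:
            window.append((t, name))
            in_window[name] += 1
            # Evict events older than the window relative to the newest event.
            while window and (t - window[0][0]).total_seconds() > window_seconds:
                _, old = window.popleft()
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings[src] = peak
    return findings


if __name__ == "__main__":
    print(share_access_bursts(SAMPLE_5145))
```

Tuning the threshold against a baseline of normal share use on the file server matters more than the exact number; the Accesses field (WriteData, DELETE) can be used as an additional filter once the burst is identified.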


c. [24/08/2016 17:04:31] - The Cerber ransomware first modified a file creation time, possibly in preparation to encrypt text files on the victim workstation. Sysmon Event ID 2 records a process changing a file's creation time. On its own this event does not indicate ransomware, but it can form part of a broader set of indicators of encryption activity.

index=botsv1 "*bob*smith*" "*.txt" earliest=08/24/2016:16:49:55 latest=08/24/2016:23:59:59 sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

| table _time host CommandLine TargetFilename Computer CurrentDirectory EventCode EventDescription MD5 ParentCommandLine ParentImage ParentProcessId ProcessId SHA1 SHA256 User cmdline dest direction parentprocess parent_process_id process process_id

| sort _time


d. [24/08/2016 17:15:12] - The victim host resolved the fully qualified domain name (FQDN) "cerberhhyed5frqa.xmfir0[.]win" at the end of the encryption phase. This could be the site where the victim is expected to pay for the decryption key, or something similar.

index=botsv1 sourcetype=suricata Cerber OR cerber earliest=08/24/2016:00:00:00 latest=08/24/2016:23:59:59

| table _time src_ip src_port dest_ip dest_port dns.id dns.rrname dns.rrtype event_type eventtype message_type query tag transport signature alert.signature_id

| sort _time


index=botsv1 earliest=08/24/2016:16:42:00 latest=08/24/2016:23:59:59 cerberhhyed5frqa.xmfir0.win sourcetype="stream:dns"

| table _time src_ip src_port dest_ip dest_port query bytes bytes_in bytes_out protocol record_type message_type tag

| sort _time
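The mapping carried out by hand in this section (registry, Sysmon, DNS, HTTP, IDS and share-access events each assigned to a kill chain stage, then ordered by time) can be expressed as a small rule set over normalized events. The following is an added example, not code from the original write-up or from Splunk: it tags constructed events, modelled on the sourcetypes and field names used above, with the LCKC stage this write-up assigns them, and prints the resulting timeline. The event values (paths, file names, the IDS signature text) are assumptions for the example, and the stage labels follow this write-up's mapping rather than any other convention.

```python
"""Map normalized log events to the LCKC stages used in this write-up and
emit an ordered timeline.

All events below are constructed for this example; field names follow the
Splunk sourcetypes used in the write-up, values are illustrative only."""
from datetime import datetime

SYSMON = "XmlWinEventLog:Microsoft-Windows-Sysmon/Operational"

# Constructed events: one per observation in the write-up, plus one benign
# process start (notepad.exe) that should stay unmapped.
SAMPLE_EVENTS = [
    {"_time": "2016-08-24T16:42:17", "sourcetype": "WinRegistry", "host": "we8105desk",
     "registry_path": r"HKLM\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash\0001\FriendlyName",
     "registry_value_data": "MIRANDA_PRI"},
    {"_time": "2016-08-24T16:43:30", "sourcetype": SYSMON, "host": "we8105desk", "EventCode": 1,
     "Image": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r'"WINWORD.EXE" /n "E:\Miranda_Tate_unveiled.dotm"'},
    {"_time": "2016-08-24T16:43:35", "sourcetype": SYSMON, "host": "we8105desk", "EventCode": 1,
     "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
     "CommandLine": r"wscript.exe C:\Users\bob.smith\AppData\Roaming\8f3a2b.vbs"},
    {"_time": "2016-08-24T16:45:00", "sourcetype": SYSMON, "host": "we8105desk", "EventCode": 1,
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    {"_time": "2016-08-24T16:48:11", "sourcetype": "stream:dns", "src_ip": "192.168.250.100",
     "query": "solidaritedeproximite.org"},
    {"_time": "2016-08-24T16:48:13", "sourcetype": "stream:http", "src_ip": "192.168.250.100",
     "url": "http://92.222.104.182/mhtr.jpg", "status": 206},
    {"_time": "2016-08-24T16:48:21", "sourcetype": "suricata", "src_ip": "192.168.250.100",
     "signature": "Constructed example signature: Cerber ransomware activity"},
    {"_time": "2016-08-24T16:56:13", "sourcetype": "WinEventLog:Security", "EventCode": 5145,
     "Source_Address": "192.168.250.100", "Relative_Target_Name": r"Finance\budget.pdf"},
    {"_time": "2016-08-24T17:04:31", "sourcetype": SYSMON, "host": "we8105desk", "EventCode": 2,
     "TargetFilename": r"C:\Users\bob.smith\Documents\notes.txt"},
    {"_time": "2016-08-24T17:15:12", "sourcetype": "stream:dns", "src_ip": "192.168.250.100",
     "query": "cerberhhyed5frqa.xmfir0.win"},
]


def _f(e, key):
    """Lower-cased string view of a field (missing fields read as empty)."""
    return str(e.get(key, "")).lower()


def _sysmon_proc(e, image_name):
    """Sysmon process-creation (EventCode 1) for the given image file name."""
    return (e.get("sourcetype") == SYSMON and int(e.get("EventCode", 0)) == 1
            and _f(e, "Image").endswith(image_name))


# (stage, description, predicate); the first matching rule wins.
RULES = [
    ("Delivery", "removable USB storage enumerated",
     lambda e: e.get("sourcetype") == "WinRegistry" and "usbstor" in _f(e, "registry_path")),
    ("Installation", "decoy .dotm opened in Word",
     lambda e: _sysmon_proc(e, "winword.exe") and ".dotm" in _f(e, "CommandLine")),
    ("Installation", "dropped VBScript run by wscript.exe",
     lambda e: _sysmon_proc(e, "wscript.exe") and ".vbs" in _f(e, "CommandLine")),
    ("Delivery", "DNS lookup of payload host",
     lambda e: e.get("sourcetype") == "stream:dns" and _f(e, "query").endswith("solidaritedeproximite.org")),
    ("Delivery", "payload mhtr.jpg served over HTTP",
     lambda e: e.get("sourcetype") == "stream:http" and "mhtr.jpg" in _f(e, "url")
     and 200 <= int(e.get("status", 0)) < 300),
    ("Installation", "IDS alert naming Cerber",
     lambda e: e.get("sourcetype") == "suricata" and "cerber" in _f(e, "signature")),
    ("Actions on Objectives", "share file access from victim host (5145)",
     lambda e: e.get("sourcetype") == "WinEventLog:Security" and int(e.get("EventCode", 0)) == 5145),
    ("Actions on Objectives", "file creation time changed (Sysmon 2)",
     lambda e: e.get("sourcetype") == SYSMON and int(e.get("EventCode", 0)) == 2),
    ("Actions on Objectives", "DNS lookup of ransom payment domain",
     lambda e: e.get("sourcetype") == "stream:dns" and _f(e, "query").startswith("cerber")),
]


def map_to_kill_chain(events):
    """Return (timeline, unmapped): timeline is a time-sorted list of
    {"time", "stage", "detail", "sourcetype"}; unmapped holds events no rule matched."""
    timeline, unmapped = [], []
    for e in events:
        for stage, detail, pred in RULES:
            if pred(e):
                timeline.append({"time": datetime.fromisoformat(e["_time"]), "stage": stage,
                                 "detail": detail, "sourcetype": e.get("sourcetype")})
                break
        else:
            unmapped.append(e)
    timeline.sort(key=lambda row: row["time"])
    return timeline, unmapped


def stages_in_order(timeline):
    """Distinct stages in the order they first appear in the timeline."""
    seen = []
    for row in timeline:
        if row["stage"] not in seen:
            seen.append(row["stage"])
    return seen


if __name__ == "__main__":
    tl, rest = map_to_kill_chain(SAMPLE_EVENTS)
    for row in tl:
        print(f'{row["time"]:%Y-%m-%d %H:%M:%S}  {row["stage"]:<22}  {row["detail"]}')
    print(f"unmapped events: {len(rest)}; stage order: {stages_in_order(tl)}")
```

The rules are deliberately narrow (they match the indicators of this one scenario) so that the benign process start falls through to the unmapped list; a reusable version would key on behaviour (Office spawning a script host, a 4xx-then-2xx fetch of the same name, a 5145 burst) rather than on the scenario's file and domain names.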


Conclusion


Not all stages of the LCKC were mapped, because the information was limited to the logs available in the BOTS ransomware scenario. Nevertheless, the LCKC model is still useful as an aid to investigating the attack. Thanks for taking the time to read this write up; I hope the information is useful.





References
