Name:
Sea Turtle
TTP:
T1583.001 Acquire Infrastructure: Domains, T1595.001 Active Scanning: Scanning IP Blocks, T1595.002 Active Scanning: Vulnerability Scanning, T1595.003 Active Scanning: Wordlist Scanning, T1584.001 Compromise Infrastructure: Domains, T1589.002 Gather Victim Identity Information: Email Addresses
Hypothesis:
The attacker is actively scanning the organization's internet-facing address space (IP sweeps, vulnerability scans and wordlist scans of web paths) to find exploitable hosts, then compromising those hosts to use them as infrastructure for later malicious activity.
Campaign Type:
TTP Driven
Data Sources:
- Network Traffic
- Process Monitoring
- Process Command-Line Parameters
- SSL/TLS Inspection
- Web Proxy
- Packet Capture
Tools:
- Suricata
- Zeek
- Wireshark
- tcpdump
Scenario:
- Reconnaissance: The attacker sweeps the organization's external IP ranges, probes the exposed services for known vulnerabilities and brute-forces web paths from a wordlist to find weak hosts.
- Initial Access: The attacker exploits a weakness found by the scan to gain a foothold on an internet-facing host.
- Discovery: From the foothold, the attacker enumerates the internal network to identify further targets.
- Lateral Movement: The attacker moves laterally through the network to gain access to additional systems.
- Exfiltration: The attacker exfiltrates data from the network.
- Impact: The attacker causes an impact to the organization, such as data loss or disruption of operations.
Hunting Strategy:
- Analyze network traffic for signs of scanning activity: in Zeek conn.log, a single source with many failed connections (conn_state S0 or REJ) spread over many destination hosts or many ports on one host; in Zeek http.log, one client collecting 404 responses for many distinct paths; Suricata alerts from its scan signatures.
- Correlate scanning activity with other events, such as process creation and network connections: a scanned host that later completes a session with the same source, starts an unexpected process or opens a new outbound connection is the priority.
- Investigate outliers and suspicious events, starting with sources whose scans were followed by a successful connection.
- Validate potential threats by examining full packet captures (tcpdump, Wireshark) of the suspicious flows and analyzing the attacker's tools and techniques.
- Remediate the threat by blocking the attacker's source addresses, patching the exploited service and removing any malware that has been installed.
- Report the findings of the threat hunt to the organization's security team.
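As an added example (not part of this playbook, and not code from Zeek or Suricata), the following Python script implements the first hunting step over Zeek conn.log and http.log records: it flags sources whose failed connections spread over many hosts or many ports (IP-block and vulnerability scanning) and clients that collect 404 responses for many distinct paths (wordlist scanning). The thresholds, the field subsets in the headers and the sample records are constructed assumptions; real logs carry more columns, which the header-driven parser handles unchanged.

```python
"""Hunt Zeek conn.log and http.log for scanning (T1595.001/.002/.003).
Added example, not part of the original playbook; thresholds and sample
records are assumptions chosen for illustration, tune them per network."""
from collections import defaultdict

# Zeek conn_state values meaning the responder never completed a handshake
# or refused the connection: typical of probes against closed/filtered ports.
FAILED_STATES = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR"}

# Assumed thresholds: failed connections from one source to this many distinct
# hosts (address sweep) or ports on one host (port scan), and this many
# distinct URIs answered 404 from one client (wordlist scan of web paths).
SWEEP_HOSTS = 10
SCAN_PORTS = 15
WORDLIST_404S = 20

def parse_zeek_tsv(text):
    """Yield one dict per record of a Zeek TSV log, keyed by its #fields header
    (so real logs with more columns than the samples below parse the same)."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("record before #fields header")
            yield dict(zip(fields, line.split("\t")))

def find_scanners(conn_log):
    """Sources whose failed connections reach SWEEP_HOSTS distinct hosts or
    SCAN_PORTS distinct ports on one host, with both counts."""
    hosts = defaultdict(set)                       # src -> {dst}
    ports = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for rec in parse_zeek_tsv(conn_log):
        if rec["conn_state"] in FAILED_STATES:
            src, dst = rec["id.orig_h"], rec["id.resp_h"]
            hosts[src].add(dst)
            ports[src][dst].add(rec["id.resp_p"])
    hits = {}
    for src, dsts in hosts.items():
        max_ports = max(len(p) for p in ports[src].values())
        if len(dsts) >= SWEEP_HOSTS or max_ports >= SCAN_PORTS:
            hits[src] = {"sweep_hosts": len(dsts), "max_ports_one_host": max_ports}
    return hits

def find_wordlist_scanners(http_log):
    """Clients that received 404 for WORDLIST_404S or more distinct URIs,
    mapped to that count: the footprint of brute-forcing paths from a list."""
    missing = defaultdict(set)                     # src -> {uri answered 404}
    for rec in parse_zeek_tsv(http_log):
        if rec["status_code"] == "404":
            missing[rec["id.orig_h"]].add(rec["uri"])
    return {src: len(u) for src, u in missing.items() if len(u) >= WORDLIST_404S}

# ---- constructed sample logs (not captured traffic) ----------------------
_CONN_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                "proto", "service", "duration", "orig_bytes", "resp_bytes",
                "conn_state"]
_HTTP_FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
                "method", "host", "uri", "status_code"]

def _zeek_log(fields, rows):
    header = "#separator \\x09\n#fields\t" + "\t".join(fields) + "\n"
    return header + "".join("\t".join(map(str, r)) + "\n" for r in rows)

def _conn(n, src, dst, dport, state):
    return [f"{1700000000 + n}.0", f"CxC{n:05d}", src, 40000 + n, dst, dport,
            "tcp", "-", "-", 0, 0, state]

def _http(n, src, uri, status):
    return [f"{1700001000 + n}.0", f"CxH{n:05d}", src, 50000 + n, "10.0.0.80",
            80, "GET", "www.example.test", uri, status]

_conn_rows = (
    # 203.0.113.7 sweeps 10.0.0.1-12 for SSH and gets no reply (S0) ...
    [_conn(i, "203.0.113.7", f"10.0.0.{i}", 22, "S0") for i in range(1, 13)]
    # ... then probes ports 1-20 on 10.0.0.5, all refused (REJ)
    + [_conn(12 + p, "203.0.113.7", "10.0.0.5", p, "REJ") for p in range(1, 21)]
    # a workstation: two completed SMB sessions and one refused RDP attempt
    + [_conn(40, "10.0.0.50", "10.0.0.20", 445, "SF"),
       _conn(41, "10.0.0.50", "10.0.0.21", 445, "SF"),
       _conn(42, "10.0.0.50", "10.0.0.22", 3389, "REJ")]
)
_http_rows = (
    # 198.51.100.23 guesses 25 backup file names, every one answered 404
    [_http(n, "198.51.100.23", f"/backup{n}.zip", 404) for n in range(25)]
    # a browser fetching one page plus a missing favicon
    + [_http(90, "10.0.0.60", "/index.html", 200),
       _http(91, "10.0.0.60", "/favicon.ico", 404)]
)
SAMPLE_CONN_LOG = _zeek_log(_CONN_FIELDS, _conn_rows)
SAMPLE_HTTP_LOG = _zeek_log(_HTTP_FIELDS, _http_rows)

if __name__ == "__main__":
    print("scan sources:    ", find_scanners(SAMPLE_CONN_LOG))
    print("wordlist sources:", find_wordlist_scanners(SAMPLE_HTTP_LOG))
```

Run as-is, the script flags 203.0.113.7 for both a 12-host sweep and 21 distinct ports against 10.0.0.5, and 198.51.100.23 for 25 missing paths, while the workstation's single refused RDP attempt and the browser's missing favicon stay below threshold. The thresholds are the tuning knob: raise them on noisy perimeters, lower them for internal segments where any sweep is abnormal. Note that http.log only covers plaintext HTTP; a wordlist scan over HTTPS leaves no 404s to count, and has to be found from conn.log or ssl.log as a burst of short connections from one client to the same web server.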
False Positive Consideration:
- Scanning activity may be conducted by the organization's own vulnerability scanners, by security researchers or by authorized penetration testers; keep an allowlist of known scanner sources and check scheduled engagement windows before escalating.
- Encrypted traffic hides the request content, so wordlist scans over HTTPS do not appear as 404s in web logs; the connection metadata (many short connections from one source to one server) is still visible in flow records and remains the indicator to hunt on.
Recommendations:
- Implement network security monitoring (Zeek, Suricata) at the internet edge to detect scanning activity.
- Apply a default-deny policy to inbound traffic, exposing only the services that must be reachable from the internet.
- Keep internet-facing systems up to date with the latest security patches, so that vulnerability scanning finds nothing to exploit.
D3 Diagram: