Name:
Game of Emperor
TTP:
T1564.001 Hide Artifacts: Hidden Files and Directories, T1562.001 Impair Defenses: Disable or Modify Tools, T1027 Obfuscated Files or Information, T1218.005 System Binary Proxy Execution: Mshta, T1218.011 System Binary Proxy Execution: Rundll32
Hypothesis:
The threat actor has gained initial access and is using defense evasion techniques (hidden files and directories, tampering with security tools, obfuscated payloads, and proxy execution through mshta.exe and rundll32.exe) to avoid detection while establishing persistence and maintaining control.
Campaign Type:
Hybrid
Data Sources:
- Process Monitoring
- Process Command-Line Parameters
- File Monitoring
- Windows Registry
- Network Protocol Analysis
- Loaded DLLs
Tools:
- Sysmon
- Windows Security Events
- Network Sniffing
- Process Monitoring Tools
- Registry Auditing Tools
Scenario:
Initial Access: The attacker gains initial access through a phishing email containing a malicious attachment or link.
Defense Evasion: The attacker uses various techniques to evade detection, such as obfuscating files or information, proxying execution through trusted system binaries (mshta.exe, rundll32.exe), hiding artifacts in hidden files and directories, and disabling or modifying security tools.
Persistence: The attacker establishes persistence using scheduled tasks, registry keys, or other means to maintain access to the compromised system.
Privilege Escalation: The attacker attempts to escalate privileges to gain higher-level access and control over the system.
Lateral Movement: The attacker moves laterally within the network, compromising other systems and expanding their control.
Exfiltration: The attacker exfiltrates sensitive data from the compromised systems to their own servers or infrastructure.
Impact: The attacker’s actions may result in data breaches, financial losses, reputational damage, or disruption of critical services.
Hunting Strategy:
- Analyze process monitoring logs for suspicious use of mshta.exe (inline javascript:/vbscript: payloads, remote .hta files) and rundll32.exe (modules loaded from user-writable paths or without a .dll extension), especially when the parent is an Office application, a browser, or another proxy binary.
- Examine process command-line parameters for evidence of defense evasion techniques, such as encoded or URL-escaped arguments, attrib +h, or commands that disable security tools (for example Set-MpPreference -Disable*, sc stop/config against security services).
- Monitor file system activity for the creation or modification of files in hidden directories or with unusual extensions.
- Audit Windows Registry for suspicious modifications or additions, such as new persistence mechanisms (Run keys, service entries) or policy values that disable security features (for example the Windows Defender DisableAntiSpyware and DisableRealtimeMonitoring policy values).
- Analyze network traffic for unusual protocols, connections to suspicious IP addresses, or attempts to exfiltrate data.
- Correlate events from different data sources to identify patterns and potential indicators of compromise.
- Investigate outliers and suspicious events using threat intelligence and your knowledge of the MITRE ATT&CK framework.
- Validate potential threats through in-depth analysis and investigation.
- Implement appropriate remediation steps, such as isolating compromised systems, removing malware, and patching vulnerabilities.
- Report findings and recommendations to relevant stakeholders, including security teams, management, and incident response teams.
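The first hunting steps above can be run as detection logic over process-creation and registry telemetry. The following Python is an added example written for this page, not tooling from the original playbook; the Sysmon-style JSON records are constructed sample data, and the rule patterns, parent-process list and correlation threshold are illustrative assumptions that need tuning against your own baseline.

```python
import json
import re
from collections import defaultdict

# Constructed Sysmon-style records (one JSON object per line), standing in for a
# SIEM export. Sample data written for this example, not real telemetry.
SAMPLE_LOG = r'''
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\mshta.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"mshta.exe javascript:a=new%20ActiveXObject(\"WScript.Shell\");a.Run(\"powershell -enc SQBFAFgA\");close()"}
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\System32\\mshta.exe","CommandLine":"rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\.cache\\upd.dat,DllRegisterServer"}
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"powershell.exe -nop -w hidden -c \"Set-MpPreference -DisableRealtimeMonitoring $true\""}
{"EventID":1,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\System32\\attrib.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"attrib +h +s C:\\Users\\jdoe\\AppData\\Local\\Temp\\.cache"}
{"EventID":13,"Computer":"WS01","User":"CORP\\jdoe","Image":"C:\\Windows\\regedit.exe","TargetObject":"HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware","Details":"DWORD (0x00000001)"}
{"EventID":1,"Computer":"WS02","User":"CORP\\asmith","Image":"C:\\Windows\\System32\\rundll32.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"rundll32.exe shell32.dll,Control_RunDLL desk.cpl"}
'''

PROXY_BINARIES = {"mshta.exe": "T1218.005", "rundll32.exe": "T1218.011"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}  # assumed list
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData|Public)\\", re.I)

# (ATT&CK technique, pattern over the command line, reason shown to the analyst)
CMDLINE_RULES = [
    ("T1027", re.compile(r"\b(javascript|vbscript):", re.I), "inline script protocol handler"),
    ("T1027", re.compile(r"-(enc|encodedcommand|e)\s+[A-Za-z0-9+/=]{8,}", re.I), "base64-encoded PowerShell"),
    ("T1027", re.compile(r"%[0-9a-f]{2}", re.I), "URL-encoded command line"),
    ("T1562.001", re.compile(r"Set-MpPreference\s+-Disable\w+\s+\$?true", re.I), "Defender feature disabled"),
    ("T1562.001", re.compile(r"\bsc(\.exe)?\s+(stop|config|delete)\b", re.I), "service tampering via sc"),
    ("T1564.001", re.compile(r"\battrib(\.exe)?\b.*\s\+h\b", re.I), "hidden attribute set with attrib"),
    ("T1564.001", re.compile(r"\\\.[^\\\s,]+"), "dot-prefixed (hidden-style) path component"),
]
# Same shape, matched against TargetObject of Sysmon Event ID 13 (registry value set)
REGISTRY_RULES = [
    ("T1562.001",
     re.compile(r"\\Windows Defender\\(DisableAntiSpyware|Real-Time Protection\\DisableRealtimeMonitoring)$", re.I),
     "Defender disabled through policy key"),
]


def check_proxy_exec(image, cmdline, parent):
    """Flag mshta.exe / rundll32.exe only when the invocation looks abnormal."""
    name = image.rsplit("\\", 1)[-1].lower()
    tid = PROXY_BINARIES.get(name)
    if tid is None:
        return []
    reasons = []
    if name == "mshta.exe":
        if re.search(r"\b(javascript|vbscript):|https?://", cmdline, re.I):
            reasons.append((tid, "mshta running inline script or remote content"))
    else:
        # rundll32 <module>,<export> ...: inspect the module it was asked to load
        arg = cmdline.split(None, 1)[1] if " " in cmdline else ""
        module = arg.split(",", 1)[0].strip('"')
        if USER_WRITABLE.search(module) or not module.lower().endswith(".dll"):
            reasons.append((tid, f"rundll32 loading {module!r} from user path or non-.dll file"))
    parent_name = parent.rsplit("\\", 1)[-1].lower()
    if parent_name in OFFICE_PARENTS or parent_name in PROXY_BINARIES:
        reasons.append((tid, f"suspicious parent {parent_name}"))
    return reasons


def hunt(log_text):
    """Return one finding per event that triggers at least one rule."""
    findings = []
    for line in log_text.strip().splitlines():
        ev = json.loads(line)
        reasons = []
        if ev["EventID"] == 1:
            cmd = ev.get("CommandLine", "")
            reasons += check_proxy_exec(ev["Image"], cmd, ev.get("ParentImage", ""))
            reasons += [(t, why) for t, rx, why in CMDLINE_RULES if rx.search(cmd)]
        elif ev["EventID"] == 13:
            target = ev.get("TargetObject", "")
            reasons += [(t, why) for t, rx, why in REGISTRY_RULES if rx.search(target)]
        if reasons:
            findings.append({"host": ev["Computer"], "user": ev.get("User"), "image": ev["Image"],
                             "techniques": sorted({t for t, _ in reasons}),
                             "reasons": [why for _, why in reasons]})
    return findings


def correlate(findings, min_techniques=3):
    """Hosts on which several distinct techniques co-occur (threshold is an assumption)."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].update(f["techniques"])
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = hunt(SAMPLE_LOG)
    for h in hits:
        print(h["host"], h["image"].rsplit("\\", 1)[-1], h["techniques"], "|", "; ".join(h["reasons"]))
    print("hosts with clustered evasion techniques:", correlate(hits))
```

The benign rundll32.exe invocation on WS02 (a Control Panel applet loaded from a System32 DLL) is deliberately left unflagged: alerting on every rundll32.exe or mshta.exe launch is the false-positive trap noted below, so the rules key on where the module comes from, what the command line contains, and who the parent is. Per-host correlation across technique IDs is the step that turns individual weak signals into a hunt lead.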
False Positive Consideration:
- Legitimate use of scripting tools or system administration utilities.
- Software updates or installations.
- Automated tasks or scripts.
- Normal network traffic or system activity.
Recommendations:
- Implement robust security controls, such as application control (allow-listing), network segmentation, and multi-factor authentication.
- Regularly update security software and patches to mitigate vulnerabilities.
- Conduct security awareness training to educate users about phishing and other social engineering tactics.
- Enhance logging and monitoring capabilities to improve visibility into system and network activity.
- Develop and maintain comprehensive incident response plans to effectively handle security incidents.