DONOT Hunt Me

Name:
DONOT Hunt Me

TTP:
T1071.001 Application Layer Protocol: Web Protocols, T1059.003 Command and Scripting Interpreter: Windows Command Shell, T1041 Exfiltration Over C2 Channel, T1566.001 Phishing: Spearphishing Attachment, T1053.005 Scheduled Task/Job: Scheduled Task

Hypothesis:

A threat actor is utilizing spearphishing emails with malicious attachments to gain initial access, establish persistence via scheduled tasks, and exfiltrate data over HTTP.

Campaign Type:
TTP Driven

Data Sources:

  • Email security gateway logs
  • Endpoint security logs (e.g., Sysmon, EDR)
  • Network traffic logs
  • Scheduled task logs

Tools:

  • SIEM (e.g., QRadar, Azure Sentinel, ELK)
  • Network traffic analysis tool
  • Endpoint analysis tool

Scenario:

  1. Initial Access: An attacker sends a spearphishing email with a malicious Office document that exploits CVE-2017-11882, the stack buffer overflow in the Equation Editor component (EQNEDT32.EXE) (T1566.001).
  2. Execution: The victim opens the document; the exploit runs inside EQNEDT32.EXE and launches cmd.exe or powershell.exe to run the attacker's commands (T1059.003; strictly, powershell.exe maps to T1059.001).
  3. Persistence: The attacker creates a scheduled task named “Schedule” that runs rundll32.exe with a malicious DLL every 5 minutes (T1053.005).
  4. Command and Control: Each run of the task loads the DLL, which beacons to the attacker’s C2 server over HTTP (T1071.001).
  5. Exfiltration: The attacker issues commands and pulls data out over that same HTTP C2 channel (T1041).

Hunting Strategy:

  1. Analyze email security gateway logs for emails containing suspicious attachments, focusing on Office documents (.doc, .docx and .rtf files can all carry an embedded Equation Editor object).
  2. Correlate email activity with endpoint security logs to identify exploit attempts: for CVE-2017-11882 the tell is EQNEDT32.EXE spawning a child process. Because the Equation Editor is started out-of-process by COM, its own parent is normally svchost.exe rather than WINWORD.EXE, so hunt on EQNEDT32.EXE as a parent in its own right instead of relying on a WINWORD.EXE-to-shell chain.
  3. Investigate suspicious process execution whose parent is an Office application or EQNEDT32.EXE, particularly cmd.exe, powershell.exe, or rundll32.exe (Sysmon Event ID 1 or the EDR equivalent).
  4. Examine scheduled task creation (Windows Security Event ID 4698, Microsoft-Windows-TaskScheduler/Operational Event ID 106, or schtasks.exe /create in process logs) for tasks with suspicious names or triggers, such as a task named “Schedule” that repeats every 5 minutes and runs rundll32.exe.
  5. Analyze network traffic logs (proxy logs, Sysmon Event ID 3) for HTTP connections to known C2 servers or suspicious domains, and for connections from rundll32.exe that recur at a fixed interval.
  6. Correlate network activity with endpoint activity (same host, same process, timing that matches the task trigger) to identify potential data exfiltration attempts.
  7. Validate potential threats by detonating suspicious files in a sandbox and inspecting the captured network traffic for malicious behavior.
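The process-lineage and scheduled-task checks from steps 2 to 4, run over log data, as an added example (this is not code from the original playbook or from any DONOT report). It works on Sysmon Event ID 1 records reduced to the fields it needs; the host names, paths and command lines are constructed for the example, and the regex assumes the usual schtasks ordering of /sc before /mo.

```python
import re
from collections import defaultdict

# Parents that should rarely spawn a shell: the Office applications themselves and
# EQNEDT32.EXE, the Equation Editor process that CVE-2017-11882 executes in.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "eqnedt32.exe"}
# Children worth a look when launched from one of the parents above.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe"}

# schtasks /create ... /sc minute /mo N  ->  task repeats every N minutes.
# Assumption: /sc precedes /mo, which is how schtasks is normally written.
SCHTASKS_MINUTE = re.compile(r"/sc\s+minute\b.*?/mo\s+(\d+)", re.IGNORECASE)
SCHTASKS_TASKNAME = re.compile(r'/tn\s+"?([^"\s]+)', re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def office_spawned_shell(event):
    """True when an Office application or the Equation Editor launched a shell/LOLBin."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def high_frequency_task(event, max_minutes=15):
    """(task_name, interval_minutes) if schtasks.exe creates a task repeating at most every max_minutes, else None."""
    if basename(event["Image"]) != "schtasks.exe":
        return None
    cmd = event["CommandLine"]
    if "/create" not in cmd.lower():
        return None
    interval = SCHTASKS_MINUTE.search(cmd)
    if not interval or int(interval.group(1)) > max_minutes:
        return None
    name = SCHTASKS_TASKNAME.search(cmd)
    return (name.group(1) if name else "<unknown>", int(interval.group(1)))


def hunt(events):
    """Group findings per host: an Office-spawned shell plus a new rapid task on one host is the scenario."""
    findings = defaultdict(list)
    for e in events:
        if office_spawned_shell(e):
            findings[e["Computer"]].append(
                ("office_spawned_shell", basename(e["ParentImage"]), basename(e["Image"])))
        task = high_frequency_task(e)
        if task:
            findings[e["Computer"]].append(("high_frequency_task",) + task)
    return dict(findings)


OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
EQNEDT = "C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE"
SYS32 = "C:\\Windows\\System32\\"

# Constructed Sysmon Event ID 1 records (not real telemetry), reduced to the fields used here.
SAMPLE_EVENTS = [
    # WS01: the scenario. Note EQNEDT32.EXE is started by svchost (COM), not by WINWORD.EXE.
    {"Computer": "WS01", "ParentImage": SYS32 + "svchost.exe", "Image": EQNEDT,
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    {"Computer": "WS01", "ParentImage": EQNEDT, "Image": SYS32 + "cmd.exe",
     "CommandLine": 'cmd.exe /c schtasks /create /tn Schedule /sc minute /mo 5 /tr "rundll32.exe C:\\Users\\Public\\a.dll,Start"'},
    {"Computer": "WS01", "ParentImage": SYS32 + "cmd.exe", "Image": SYS32 + "schtasks.exe",
     "CommandLine": 'schtasks /create /tn Schedule /sc minute /mo 5 /tr "rundll32.exe C:\\Users\\Public\\a.dll,Start"'},
    # WS02: benign Office activity (print helper) and a daily updater task.
    {"Computer": "WS02", "ParentImage": OFFICE + "WINWORD.EXE", "Image": SYS32 + "splwow64.exe",
     "CommandLine": "splwow64.exe 8192"},
    {"Computer": "WS02", "ParentImage": SYS32 + "svchost.exe", "Image": SYS32 + "schtasks.exe",
     "CommandLine": "schtasks /create /tn UpdaterTask /sc daily /st 03:00 /tr C:\\Tools\\update.exe"},
    # WS03: macro-style execution straight from Word.
    {"Computer": "WS03", "ParentImage": OFFICE + "WINWORD.EXE",
     "Image": SYS32 + "WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c whoami"},
]

if __name__ == "__main__":
    for host, hits in hunt(SAMPLE_EVENTS).items():
        print(host, hits)
```

On the sample data only WS01 (Equation Editor to cmd.exe, then a 5-minute task named Schedule) and WS03 (Word to powershell.exe) are reported; the print helper and the daily updater on WS02 are not, which is the benign-versus-malicious split the Refine Detections step asks for. Real SIEM queries would express the same two conditions as a Sigma rule on ParentImage/Image and on the 4698 task XML.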

Emulate the Attack Techniques:

  1. Craft a spearphishing email with a malicious Office document (or a benign document for initial testing).
  2. Deliver the email to a user account in the test environment.
  3. (If using a malicious document) Observe the exploit execution in EQNEDT32.EXE and the subsequent command execution.
  4. Create a scheduled task named “Schedule” that runs a benign program (for initial testing; rundll32.exe loading a harmless DLL mirrors the scenario most closely).
  5. Configure the scheduled task to run every 5 minutes.
  6. From the test host, establish an HTTP connection to a server you control, standing in for the C2 server.
  7. Transfer a small amount of benign data to that server.

Collect and Analyze Logs:

  1. Collect the generated security event logs from your SIEM.
  2. Use the SIEM’s search and filtering capabilities to identify events related to the emulated attack techniques.
  3. Focus on events involving winword.exe (or other Office applications), EQNEDT32.EXE, cmd.exe, powershell.exe, rundll32.exe, schtasks.exe, and outbound connections over HTTP, and note the timestamps so that task runs can be matched to network connections.
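The timing match from step 3, worked as an added example (not code from the original playbook): it groups Sysmon Event ID 3 connection records by host, process and destination and reports groups whose connections recur at a near-constant interval, which is what a DLL run by a 5-minute task produces. The records, host names and addresses are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges), and the 15 % jitter threshold is an assumption to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

TS_FMT = "%Y-%m-%d %H:%M:%S"


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_beacons(events, ports=(80, 8080), min_connections=5, max_jitter=0.15):
    """Return groups of (host, process, destination, port) whose connections recur at a near-constant interval.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive connections: a task firing every 5 minutes gives a value near 0,
    a browser's bursty traffic to one site gives a large one.
    """
    groups = defaultdict(list)
    for e in events:
        port = int(e["DestinationPort"])
        if port not in ports:
            continue
        key = (e["Computer"], basename(e["Image"]), e["DestinationIp"], port)
        groups[key].append(datetime.strptime(e["UtcTime"], TS_FMT))

    beacons = []
    for key, times in groups.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            beacons.append({"key": key, "period_s": round(median(gaps)),
                            "connections": len(times), "jitter": round(jitter, 3)})
    return beacons


def make_events(computer, image, ip, port, start, gaps):
    """Build constructed Sysmon Event ID 3 records: one at start, then one after each gap (seconds)."""
    events, t = [], start
    for gap in [0] + gaps:
        t += timedelta(seconds=gap)
        events.append({"Computer": computer, "Image": image, "DestinationIp": ip,
                       "DestinationPort": port, "UtcTime": t.strftime(TS_FMT)})
    return events


START = datetime(2024, 3, 4, 9, 0, 0)
# Constructed data; the addresses are documentation ranges, not real C2 infrastructure.
SAMPLE_CONNECTIONS = (
    # rundll32.exe launched by the 5-minute task: ~300 s apart with a little drift
    make_events("WS01", "C:\\Windows\\System32\\rundll32.exe", "203.0.113.10", 80, START,
                [300, 302, 298, 299, 302])
    # a browser talking to one site in bursts
    + make_events("WS01", "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "198.51.100.7", 80, START,
                  [12, 328, 15, 845, 10])
    # the same beacon over 443 falls outside the HTTP port filter used here
    + make_events("WS01", "C:\\Windows\\System32\\rundll32.exe", "203.0.113.10", 443, START,
                  [300, 300, 300, 300, 300])
)

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_CONNECTIONS):
        print(b)
```

Two caveats when running this on real data: implants often randomize their sleep, so max_jitter needs to be wider than the near-zero value a plain scheduled task produces; and software updaters also connect on a schedule, so a periodic group is a lead to join against task creation and process lineage on the same host, not a verdict by itself.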

Refine Detections:

  1. Analyze the collected logs to identify patterns and refine your detection rules.
  2. Create Sigma rules for the log-based behaviors (parent-child process pairs, task creation, periodic HTTP connections) and YARA rules for the document and DLL samples observed during the emulation.
  3. Test the detection rules against both benign and malicious activity to minimize false positives.

Document your analysis and findings to improve future threat hunting efforts.

False Positive Consideration:

  • Legitimate use of cmd.exe, powershell.exe, and rundll32.exe, including Office add-ins and helper processes (for example the splwow64.exe print helper) spawned by Office applications
  • Scheduled tasks for legitimate software updates or maintenance (these usually repeat hourly or daily; a task repeating every few minutes is unusual and worth a closer look)
  • Normal HTTP traffic to legitimate websites, including updaters and telemetry agents that also connect on a fixed schedule

Recommendations:

  • Implement email filtering and sandboxing to prevent malicious attachments from reaching users.
  • Deploy endpoint detection and response (EDR) solutions to monitor for suspicious process execution and scheduled tasks.
  • Utilize network traffic analysis (NTA) tools to detect suspicious network connections and communications with known C2 servers.
  • Educate users about spearphishing attacks and the risks of opening suspicious attachments.
  • Regularly review and update security controls to address emerging threats and vulnerabilities.
