Hunt for Termite

Name:
Hunt for Termite

TTP:
T1486 Data Encrypted for Impact, T1083 File and Directory Discovery, T1070.004 Indicator Removal: File Deletion, T1490 Inhibit System Recovery, T1135 Network Share Discovery

Hypothesis:

The threat actor gains initial access, likely via phishing or exploitation, then moves laterally to encrypt files on the network.

Campaign Type:
TTP Driven

Data Sources:

  • Process Monitoring
  • Process Command-Line Parameters
  • File Monitoring
  • Windows Registry
  • Network Protocol Analysis
  • Windows Event Logs

Tools:

  • PowerShell
  • Sysmon
  • Process Monitor

Scenario:

  • Initial Access: Attacker gains initial access, likely via phishing or exploitation.
  • Defense Evasion: The attacker uses various techniques to avoid detection, such as deleting files and removing indicators.
  • Persistence: The attacker establishes persistence on the system to maintain access.
  • Privilege Escalation: The attacker may attempt to gain elevated privileges.
  • Discovery: The attacker performs reconnaissance to gather information about the network and systems.
  • Lateral Movement: The attacker moves laterally to other systems on the network.
  • Data Encrypted for Impact: The attacker encrypts files on the network.
  • Inhibit System Recovery: The attacker may attempt to prevent system recovery by deleting backups or disabling recovery features.

Hunting Strategy:

  • Analyze process monitoring logs for suspicious processes, such as those with unusual command-line parameters or those that access sensitive files.
  • Correlate process creation and termination events with file system activity and network connections.
  • Analyze file monitoring logs for unusual file system activity, such as mass file encryption or deletion.
  • Analyze Windows Registry logs for suspicious modifications or additions.
  • Analyze network protocol analysis logs for unusual network traffic patterns, such as mass data exfiltration.
  • Analyze Windows Event Logs for suspicious events, such as those related to service creation or modification.
  • Investigate outliers and suspicious events using additional tools and techniques, such as YARA or Process Monitor.
  • Validate potential threats by correlating events across multiple data sources and by conducting additional analysis.
  • Remediate threats by isolating affected systems, removing malware, and restoring backups.
  • Report findings and recommendations to stakeholders.
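As an added example (not part of the original hunt write-up), the following Python script applies the first three Hunting Strategy bullets to a handful of constructed Sysmon-style events: it flags T1490 recovery-tampering command lines, a single process creating and deleting files in bulk (T1486), and services installed from unexpected paths, then correlates them by process tree. The event field names, the burst threshold of 50 and the trusted-directory list are assumptions for this illustration.

```python
import re
from collections import Counter

# Constructed Sysmon/System-log style events; every value here is made up for the demo.
# EID 1 = process create, 11 = file create, 23 = file delete, 7045 = service installed.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4321, "parent": 900, "cmd": "upd.exe -path \\\\fileserver\\shares"},
    {"id": 1, "pid": 4322, "parent": 4321, "cmd": "vssadmin delete shadows /all /quiet"},
    {"id": 1, "pid": 4323, "parent": 4321, "cmd": "wbadmin delete catalog -quiet"},
    {"id": 1, "pid": 5000, "parent": 1, "cmd": "svchost.exe -k netsvcs"},
    {"id": 7045, "service": "SysHelper", "imagepath": "C:\\ProgramData\\svc.exe"},
    {"id": 7045, "service": "Spooler", "imagepath": "C:\\Windows\\System32\\spoolsv.exe"},
]
# PID 4321 writes 60 ".locked" copies and deletes the originals: the T1486 burst (constructed).
SAMPLE_EVENTS += [{"id": 11, "pid": 4321, "file": f"\\\\fileserver\\shares\\doc{i}.docx.locked"}
                  for i in range(60)]
SAMPLE_EVENTS += [{"id": 23, "pid": 4321, "file": f"\\\\fileserver\\shares\\doc{i}.docx"}
                  for i in range(60)]

# T1490 Inhibit System Recovery: command lines that remove backups or disable recovery.
RECOVERY_TAMPER = [re.compile(p, re.I) for p in (
    r"vssadmin(\.exe)?\s+delete\s+shadows", r"wbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)",
    r"bcdedit(\.exe)?.*recoveryenabled\s+no", r"wmic(\.exe)?.*shadowcopy\s+delete")]

def hunt_recovery_tampering(events):
    """Process-creation events whose command line matches a T1490 pattern."""
    return [e for e in events if e["id"] == 1 and any(p.search(e["cmd"]) for p in RECOVERY_TAMPER)]

def hunt_mass_file_activity(events, threshold=50):
    """T1486: per-process file create/delete counts at or above the burst threshold (assumed 50)."""
    created = Counter(e["pid"] for e in events if e["id"] == 11)
    deleted = Counter(e["pid"] for e in events if e["id"] == 23)
    return {pid: (created[pid], deleted[pid]) for pid in set(created) | set(deleted)
            if max(created[pid], deleted[pid]) >= threshold}

def hunt_unusual_services(events, trusted=("c:\\windows\\", "c:\\program files")):
    """EID 7045 services whose binary lives outside the trusted directories (assumed list)."""
    return [e for e in events if e["id"] == 7045 and not e["imagepath"].lower().startswith(trusted)]

def correlate(events):
    """Tie findings together: a burst process that also spawned recovery-tampering children."""
    tamper = hunt_recovery_tampering(events)
    burst = hunt_mass_file_activity(events)
    roots = sorted({e["parent"] for e in tamper} & set(burst))
    return {"t1490_cmds": [e["cmd"] for e in tamper], "t1486_pids": sorted(burst),
            "services": [e["service"] for e in hunt_unusual_services(events)], "root_suspects": roots}

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

In a real hunt the same three checks would be run as SIEM queries over the collected Sysmon and System logs, with the threshold tuned against the backup and update jobs listed under False Positive Consideration.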

False Positive Consideration:

  • System administrators and other authorized users may perform actions that trigger some of the detection rules.
  • Automated processes, such as software updates or backups, may generate events that trigger some of the detection rules.
  • Misconfigured systems or applications may generate events that trigger some of the detection rules.

Recommendations:

  • Implement robust data quality controls to ensure the accuracy and completeness of the data.
  • Develop and maintain a comprehensive data dictionary to ensure consistency in data definitions.
  • Standardize data across different sources to facilitate analysis and correlation.
  • Implement a robust detection engineering process to develop and refine detection rules.
  • Use threat detection frameworks like YARA or SIGMA to create more robust detection rules.
  • Conduct regular threat hunting exercises to test and improve detection capabilities.
  • Educate users and system administrators about security best practices and how to identify suspicious activity.
  • Implement a strong security awareness training program to help users identify and avoid phishing attacks.
  • Keep systems and applications up-to-date with the latest security patches.
  • Implement a robust incident response plan to ensure a timely and effective response to security incidents.

Step-by-Step Guide to Emulate a Threat Hunt

1. Prepare the Environment

  • Set up a test environment with necessary security monitoring tools installed. This may include Sysmon, an EDR agent, and a centralized log management system.
  • Enable relevant auditing policies for the operating system and applications. For example, enable auditing for process creation, file access, and registry modifications.
  • Configure a centralized log management system for collecting and storing security events. This could be a SIEM tool like QRadar, Azure Sentinel, or ELK.

2. Emulate the Attack Techniques

  • Execute commands and actions that simulate the suspected attack techniques. For example, if the suspected technique is process injection, use a tool like Process Hacker to inject a DLL into another process.
  • Use relevant attack tools or scripts to generate representative security events. For example, if the suspected attack involves PowerShell, use PowerShell scripts to emulate the attacker’s actions.
  • Emulate post-compromise activities, such as privilege escalation, lateral movement, and data exfiltration, to generate corresponding security events. Use appropriate tools and techniques to emulate these activities in a controlled manner.

3. Collect and Analyze Logs

  • Collect the generated security event logs from your centralized log management system.
  • Use analysis tools to search for events related to the emulated attack techniques. Filter events based on relevant criteria, such as process names, command-line parameters, network connections, and registry activity.

4. Refine Detections

  • Analyze the collected logs to identify patterns and refine your detection rules.
  • Consider using threat detection frameworks like YARA or SIGMA to create more robust detection rules.
  • Document your analysis and findings to improve future threat hunting efforts.

D3 Diagram: